This is the accessible text file for GAO report number GAO-11-157 entitled 'Department Of Labor: Further Management Improvements Needed to Address Information Technology and Financial Controls' which was released on March 16, 2011.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to Ranking Member, Committee on Education and the Workforce, House of Representatives:

March 2011:

Department Of Labor:
Further Management Improvements Needed to Address Information Technology and Financial Controls:

GAO-11-157:

GAO Highlights:

Highlights of GAO-11-157, a report to the Ranking Member, Committee on Education and the Workforce, House of Representatives.

Why GAO Did This Study:

The Department of Labor (Labor) plays a vital role in promoting the welfare of American workers through administering and enforcing more than 180 federal laws that cover some 10 million employers and 125 million workers. Since the recent economic downturn, Labor’s role has become even more critical as its programs provide additional employment and training supports. As such, GAO was asked to determine how well Labor is currently adhering to best management practices departmentwide to ensure that its programs are operating effectively. Specifically, this report assesses Labor’s (1) strategic workforce management, (2) management controls to manage and modernize its information technology, and (3) accountability over its discretionary grants. To do this, GAO collected and reviewed Labor documents related to workforce and information technology planning, as well as grants management information, and conducted interviews with Labor’s national and regional staff.

What GAO Found:

Labor strategically manages its current and future workforce needs by (1) collecting, analyzing, and disseminating workforce data to its program agencies; (2) leading the development of departmentwide human capital planning documents; (3) conducting workforce gap analyses departmentwide and working with its program agencies to remedy these gaps; and (4) monitoring its program agencies’ human capital programs. Labor has taken steps to understand its employees’ skills and develop competencies to inform its succession planning and, according to Labor’s workforce data, has maintained sufficient leadership strength in recent years. Several program agencies were also developing future leaders in various ways, such as providing training or mentoring opportunities.
To monitor agencies’ activities, Labor employs an accountability review to determine their compliance with federal and department human capital activities and, more recently, expanded this review to include an evaluation of their strategic workforce planning. While Labor has established a process to oversee, manage, and modernize the department’s IT investments, it has not fully developed certain management controls, which may hinder its systems’ ability to maximize mission performance and expected IT benefits. Specifically, Labor has (1) established an IT governance structure and system development processes, but needs better representation from program managers with expertise of business operations; (2) provided guidance to its program agencies and offices on developing performance measurements, but system performance measures for selected investments did not comprehensively link to mission and expected outcomes; (3) established an investment management process that tracks cost and schedule variances for IT investments, but did not ensure that a major IT investment had sufficient business representation and adequate testing before departmentwide implementation; and (4) implemented a security program. However, Labor faces challenges in keeping current with certain security requirements and ensuring appropriate user access controls. Labor’s Employment and Training Administration (ETA) has designed policies and procedures to ensure accountability over its discretionary grants management process. However, ETA has not developed supervisory review procedures nor enhanced its guidance to ensure that (1) competitive grant award documentation is properly maintained, (2) monitoring activities results are properly and consistently documented in its Grants Electronic Management System, and (3) Single Audit results are fully integrated as part of discretionary grantee monitoring activities. 
Inadequate guidance and quality assurance procedures over discretionary grants may diminish ETA's ability to show that competitive grants were properly awarded and adequately assess the results of its key monitoring activities. ETA's discretionary budget accounted for $11.4 billion, approximately 80 percent of Labor's estimated discretionary budget in fiscal year 2010, which includes discretionary grants.

What GAO Recommends:

GAO recommends that Labor strengthen its information technology planning and discretionary grant management by further developing guidance, procedures, and processes. Labor generally agreed with GAO’s findings and six recommendations, providing additional perspective concerning the portrayal of its security controls and grant monitoring procedures. GAO clarified two recommendations in response, as discussed in the report.

View GAO-11-157 or key components. For more information, contact Andrew Sherrill at (202) 512-7215 or sherrilla@gao.gov.

[End of section]

Contents:

Letter
Background
Labor Integrates Workforce Planning Principles Departmentwide and Monitors Its Program Agencies' Human Capital Activities through Accountability Reviews
Labor Established an IT Oversight Process, but Has Not Fully Developed Management Controls That Could Improve Mission Performance
Labor Has Established Policies for Grants Accountability, but Weaknesses Exist in Documentation and Monitoring
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluations
Appendix I: Scope and Methodology
Appendix II: Select Financial Management Deficiencies Identified at the Department of Labor, Fiscal Year 2010
Appendix III: Department of Labor Workforce Trends
Appendix IV: Comments from the Department of Labor
Appendix V: Contact and Acknowledgments
Related GAO Products

Figures:

Figure 1: Labor's IT Governance Structure
Figure 2: Capital Planning and Investment Control Process
Figure 3: Labor's Competency Assessment Process
Figure 4: Retirement Eligibility Rates for Labor's Overall Workforce and in Selected Program Agencies from Fiscal Year 2005 through 2009
Figure 5: Attrition Rates for Labor and Select Program Agencies, Fiscal Years 2005-2009
Figure 6: Percent of Separations by Type for Labor, Fiscal Years 2005-2009
Figure 7: Percent of Employees Eligible to Retire for Labor and Select Program Agencies, Fiscal Years 2005-2009
Figure 8: Percent of Employees Eligible to Retire for Mission Critical Occupations in Select Program Agencies, Fiscal Year 2009
Figure 9: Federal Tenure Rates for Labor, Fiscal Years 2005-2009
Figure 10: Percent of New Hires for Labor and Select Program Agencies, Fiscal Years 2005-2009
Figure 11: Number of New Hires and Separations for Labor, Fiscal Years 2005-2009
Figure 12: Percent of Special Versus Ordinary Hires for Labor, Fiscal Years 2005-2009

Abbreviations:

BLS: Bureau of Labor Statistics
CIO: Chief Information Officer
CPDF: Central Personnel Data File
CPIC: capital planning and investment control
EBSA: Employee Benefits Security Administration
ESA: Employment Standards Administration
ETA: Employment and Training Administration
FISMA: Federal Information Security Management Act of 2008
FPO: federal project officer
FSIO: Financial Systems Integration Office
GEMS: Grants Electronic Management System
HRC: Human Resource Center
IT: Information Technology
Labor: Department of Labor
MSHA: Mine Safety and Health Administration
NCFMS: New Core Financial Management System
NIST: National Institute of Standards and Technology
OASAM: Office of the Assistant Secretary for Administration and Management
OCFO: Office of the Chief Financial Officer
OCIO: Office of the Chief Information Officer
OIG: Office of Inspector General
OMB: Office of Management and Budget
OPM: Office of Personnel Management
OSHA: Occupational Safety and Health Administration
Recovery Act: American Recovery and Reinvestment Act of 2009
SOL: Office of the Solicitor
TRB: Technical Review Board
WHD: Wage and Hour Division

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

March 16, 2011:

The Honorable George Miller:
Ranking Member:
Committee on Education and the Workforce:
House of Representatives:

The Department of Labor (Labor) plays a vital role in promoting the welfare of American job seekers, wage earners, and retirees by administering and enforcing more than 180 federal labor laws that cover some 10 million employers and 125 million workers. Since the recent economic downturn, the department's financial and employment programs have become even more critical. Labor has a key role to play in efforts under the American Recovery and Reinvestment Act of 2009 (Recovery Act)[Footnote 1] by providing worker training as well as assistance and education regarding unemployment and health benefits. While Labor is taking steps to manage these expanded responsibilities and increased workloads, the department's strategic management of its resources--such as agency personnel, information technology systems, and financial resources--is even more essential in order to accomplish its goals.

In recent years, we, along with Labor's Office of Inspector General (OIG), have identified challenges with Labor's departmental management related to its workforce, information technology, and financial resources. In light of these challenges, coupled with planned departmentwide initiatives, we were asked to determine how well the department is currently adhering to best management practices across the department. Specifically, this report assesses the extent to which (1) Labor is strategically managing its current and future workforce needs, (2) Labor has established management controls needed to manage and modernize its information technology (IT) in order to support its mission, and (3) the design of Labor's key internal control activities helps ensure accountability over its discretionary grants.

To identify the steps that Labor has taken to strategically manage and plan for its current and future workforce needs, we reviewed the department's planning documents and interviewed Labor officials. We selected three of Labor's program agencies--the Employee Benefits Security Administration (EBSA), the Occupational Safety and Health Administration (OSHA), and the Employment and Training Administration (ETA)--in part, due to their authorization to hire additional staff in fiscal year 2010. We reviewed their workforce planning efforts and compared them to our key workforce planning principles and the Office of Personnel Management's (OPM) human capital framework. To identify workforce trends, we analyzed data from OPM's Central Personnel Data File (CPDF) on Labor's program agencies' mission critical occupations from fiscal years 2005 to 2009. To assess the reliability of OPM's CPDF, we reviewed our prior data reliability work on the CPDF data file as well as updated information about the data. While we concluded that the CPDF information was sufficiently reliable to provide information on Labor's recent workforce trends, we did not independently verify the data as part of this review. To assess whether Labor has established management controls needed to manage and modernize its IT resources to support its mission, we reviewed the department's governance structure, interviewed key information technology officials, and obtained and reviewed relevant documents. We focused on guidelines to manage IT investments, including the capital planning and investment control process. For this study, we selected and reviewed information technology and guidance related to six Labor program agencies--OSHA, ETA, the Office of Workers' Compensation Programs, the Office of the Assistant Secretary for Administration and Management (OASAM), Bureau of Labor Statistics, and the Wage and Hour Division. 
In total, these agencies comprised about 83 percent of Labor's fiscal year 2010 IT budget. We also reviewed Labor's approach in implementing a departmentwide IT investment--the New Core Financial Management System--to assess adherence to select and control guidelines and the adequacy of testing. Further, we reviewed federal statutes and requirements pertaining to IT planning, E-Government guidelines, and security requirements, as well as our and OMB's frameworks for IT system design, implementation, and management. To determine the extent to which the design of Labor's key internal control activities ensure accountability over the department's discretionary grant processes, we reviewed our prior and Labor's OIG reports and relevant policies and procedures. We also interviewed key financial management officials, including the Office of the Chief Financial Officer (OCFO). We performed our internal control review of discretionary grants at ETA because the agency's discretionary budget accounted for $11.4 billion, or approximately 80 percent, of Labor's overall estimated discretionary budget in fiscal year 2010, which includes discretionary grants. In addition, in prior years, challenges have been reported on ETA's management of its discretionary grants. Specifically, we assessed (1) whether the design of ETA's controls is adequate to help ensure accountability over its award, monitoring, and closeout of discretionary grants and (2) the extent to which ETA uses the Single Audit to help the agency in performing oversight functions over its grantees. We conducted in-depth reviews of key controls designed for its grant management process, which includes its award, monitoring, and closeout process. We also selected, as case studies, a nongeneralizable sample of 30 ETA discretionary grants that were active or closed in fiscal year 2009. 
For these grants, we reviewed documentation in the corresponding grant case files and information in ETA's Grants Electronic Management System. For each objective, we reviewed relevant federal laws and regulations.

We conducted this performance audit from August 2009 to March 2011 in accordance with generally accepted government auditing standards. The standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for findings and conclusions based on our audit objectives. Appendix I discusses our scope and methodology in further detail.

Background:

Established as a cabinet-level department in 1913, Labor has primary responsibility for overseeing the nation's job training programs and for enforcing a variety of federal labor laws. Labor defines its mission as fostering, promoting, and developing the welfare of the wage earners, job seekers, and retirees of the United States; improving working conditions; advancing opportunities for profitable employment; and assuring work-related benefits and rights. Labor administers its various responsibilities through 21 agencies and offices with a total staff of approximately 16,500 federal employees distributed across the United States. Many of these agencies and offices operate through a network of regional, field, district, and area offices, and in some cases, local grantees and contractors.

Historically, Labor has operated as a set of individual agencies, each largely working independently with limited centralized control. For example, many of the larger agencies--such as OSHA and ETA--manage their own administrative needs at the national office level, including human capital.
As we have previously reported, this organizational structure may allow Labor more flexibility to meet a variety of needs and focus resources in particular areas, but it may also limit Labor in adopting better management practices, such as central planning and performance oriented measures.[Footnote 2] To ensure continuity across program agencies, Labor's OASAM is responsible for developing departmentwide policies, standards, and guidance for the department's program agencies related to its human resource and administrative management.

Strategic Human Capital Management:

Strategic workforce planning, an integral part of human capital management, addresses two critical needs: (1) aligning an organization's human capital program with its current and emerging mission and programmatic goals and (2) developing long-term strategies for acquiring, developing, and retaining staff to achieve programmatic goals.[Footnote 3] Agency approaches to such planning can vary with each agency's particular needs and mission. However, our previous work suggests that the workforce planning process incorporate several principles, including involving top management, employees, and other stakeholders in developing, communicating, and implementing the strategic workforce plan; determining skills and competencies needed in the future workforce to meet the organization's goals and identifying gaps in skills and competencies that an organization needs to address; selecting and implementing human capital strategies that are targeted toward addressing these skill gaps; and monitoring and evaluating the agency's progress toward its human capital goals.

Workforce planning efforts, including succession planning, can enable an agency to remain aware of and be prepared for its current and future needs as an organization.
When effectively conducted, this planning entails the collection of valid and reliable data on such indicators as distribution of employee skills and competencies, attrition rates, or projected retirement rates and retirement eligibility by occupation and organizational unit. Agencies can use an organizationwide knowledge and skills inventory and industry benchmarks to identify current problems in their workforces and plan for future improvements.

IT Management:

Labor maintains a large inventory of IT assets supporting mission-critical program operations. In fiscal year 2010, the department estimated its IT portfolio was worth approximately $466 million, of which approximately $401 million was dedicated to maintaining systems and $65 million was for modernization and enhancement initiatives, including office automation across program agencies and common management systems, security, and E-Government.[Footnote 4] The Office of the Chief Information Officer is responsible for establishing and maintaining each aspect of IT management, including the department's IT System Development Life Cycle Management, capital planning and investment control, security, and enterprise architecture processes.[Footnote 5]

Labor's Chief Information Officer (CIO) has also established an IT governance structure for the review and management of IT investments within the department (see figure 1). The structure consists of the CIO, Deputy CIO, and Technical Review Board (TRB).[Footnote 6] The TRB serves as a forum to identify and resolve departmentwide IT-related issues. The TRB members work together with three program offices--Enterprise Architecture, Capital Planning, and Security--that report to the Deputy CIO. The Enterprise Architecture Program Office reviews IT investments to ensure that they are consistent and compliant with departmental standards. The Capital Planning Office reviews existing IT investments and makes recommendations for new initiatives to the CIO.
Further, the Security Program Office's role is to identify potential risks and help ensure that the department and agency information is adequately safeguarded.

Labor's IT governance structure also includes five subcommittees--the Enterprise Architecture, Capital Planning, IT Architecture, IT Security, and Configuration and Control subcommittees. The subcommittees meet regularly to review and discuss major IT investment projects, issues, and plans across the department and within program agencies. The subcommittees identify, manage, and resolve departmentwide IT investment issues in their respective areas, and each provides recommendations from their respective areas to the TRB.

Figure 1: Labor's IT Governance Structure:

[Refer to PDF for image: illustration]

Top level: CIO.

Second level, reporting to CIO: Deputy CIO.

Third level, reporting to Deputy CIO:
OCIO Enterprise Architecture Program Office:
OCIO Capital Planning Office:
OCIO Security Office.

All three offices provide advice, counsel, and support to the Technical Review Board subcommittees, listed below.

Set aside from the structure, reporting to both CIO and Deputy CIO: Technical Review Board.

Reporting to the Technical Review Board:
Enterprise Architecture Subcommittee:
Capital Planning Subcommittee:
IT Security Subcommittee:
* Configuration and Control Subcommittee;
Configuration and Control Subcommittee.

Source: DOL.

[End of figure]

When properly implemented, an agency's IT investments should help streamline business processes to create efficiencies in day-to-day operations. Congress recognized the need for added diligence in IT investment management with the enactment of the Clinger-Cohen Act of 1996.[Footnote 7] The Act requires that federal agencies define their IT investments and follow a capital planning and investment control approach.
Our IT investment management framework defines three phases--select, control, and evaluate (see figure 2).[Footnote 8] In the select phase, the costs and benefits of all available projects are assessed and the optimal portfolio of projects is selected. During the control phase, the project costs and risks are monitored and corrective action is applied where needed. In the evaluate phase, implemented projects are reviewed to assure that they are producing the benefits expected and adjustments are made where appropriate. Within an organization, all phases may be underway at once, as they may be applied to projects at different stages of their lifecycle.[Footnote 9]

Figure 2: Capital Planning and Investment Control Process:

[Refer to PDF for image: illustration of a continuous circular process]

Evaluate existing portfolio:
Select:
Control:
* Reselect (return to Select step);
Implement modules/systems:
[Repeat process from beginning]

Source: GAO.

[End of figure]

The security of the information stored in IT systems is also a critical management area for federal agencies. Concerned by reports of significant weaknesses in the security of federal computing systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which requires agencies to develop and implement an information security program, independent annual evaluation process, and annual report.[Footnote 10] To help implement the provisions of FISMA, the National Institute of Standards and Technology (NIST) developed a risk management framework for agencies to follow in developing information security programs.[Footnote 11] One NIST publication related to risk management provides guidelines for selecting and specifying security controls for information systems.
[Footnote 12]

Financial Management:

Labor's strategic management of its annual budget--totaling about $206 billion in fiscal year 2010, including an increase in grant funding provided by the Recovery Act--is essential to conducting its mission effectively and efficiently. Labor's OCFO is charged with the overall responsibility for the financial leadership throughout the department. The OCFO's primary duty is to uphold strong financial management and accountability while providing timely, accurate, and reliable financial information and enhancing internal control. Labor's Chief Financial Officer's responsibilities also include leading the department's implementation of key governmentwide financial management reform legislation, including the Chief Financial Officers Act of 1990[Footnote 13] and the Federal Managers' Financial Integrity Act[Footnote 14] (along with OMB's implementing guidance in OMB Circular No. A-123).

Labor's management of its discretionary grants has been identified by the department's OIG as one of its top management challenges from fiscal years 2007 through 2009.[Footnote 15] Labor's OCFO also identified this area as a challenge during its fiscal year 2009 assessment of the department's internal controls over its grants process.[Footnote 16] In addition, we and Labor have previously identified challenges related to the department's ability to ensure discretionary grants are properly awarded and monitored.[Footnote 17]

Labor relies heavily on ETA for awarding, monitoring, and closing out ETA grants. ETA may award discretionary funding through formula or competitive grant processes.[Footnote 18] ETA's grant management process consists of four key phases: preaward, award, monitoring, and closeout.[Footnote 19] ETA's award phase involves evaluating grant applications, awarding new grants, and making continuation awards for existing Labor grants.
ETA's monitoring phase consists of reviews of the grantee's performance, including the grantees' financial and administrative compliance, by ETA's federal project officers.[Footnote 20] ETA monitors most grants in their period-of-performance through a risk-based strategy,[Footnote 21] which is described in its Core Monitoring Guide and Grant Management Desk Reference Guide.[Footnote 22] ETA's closeout phase is aimed at ensuring that the agency has received all required financial, programmatic, and audit reports and has accounted for all federal funds. ETA's Office of Grants Management has the responsibility for discretionary grant awards and closeouts, while ETA's Office of Regional Management oversees the monitoring activities performed by the federal project officers. Further, entities receiving Labor grants may also be subject to the provisions of the Single Audit Act of 1984, as amended, if certain conditions are met.[Footnote 23] The Act established the option of the Single Audit for grantees by replacing multiple grant audits as required by each individual grant agreement with one audit of a recipient as a whole. As such, a Single Audit is an independent organizationwide financial audit that covers, among other things, the recipient's financial statements, internal controls, and its compliance with applicable provisions of laws, regulations, contracts, and grant agreements. In addition to a continuing management challenge related to discretionary grants, Labor was also confronted with a new management challenge in 2010 related to its core financial management system. 
For 13 consecutive years, until fiscal year 2010, Labor had received clean audit opinions on its financial statements.[Footnote 24] In fiscal year 2010, Labor's independent auditor was unable to issue an opinion on the department's financial statements due to deficiencies related to its January 2010 implementation of the New Core Financial Management System (NCFMS).[Footnote 25] Labor's auditor also identified four material weaknesses[Footnote 26] in internal controls related to the preparation of financial statements, accounting for budgetary resources, preparation and review of journal entries, and access to key financial and support systems. (See appendix II for examples of financial management deficiencies resulting from the implementation of NCFMS as identified by Labor's auditor in fiscal year 2010.) In response to the identified deficiencies by the auditors, Labor reported in its fiscal year 2010 Agency Financial Report on plans to prioritize its resources to focus, in part, on updating existing quality assurance documentation, data quality, and training, as well as formally documenting NCFMS financial reporting processes by September 30, 2011.

Labor Integrates Workforce Planning Principles Departmentwide and Monitors Its Program Agencies' Human Capital Activities through Accountability Reviews:

To manage its current and future workforce needs strategically, Labor's Human Resource Center (HRC)--an office of the Office of the Assistant Secretary for Administration and Management--analyzes and disseminates workforce data and incorporates several key principles into its departmentwide strategic workforce planning. HRC uses data to inform Labor's workforce decisions, leads the development of key departmentwide workforce documents, communicates regularly with its program agencies about human capital policies and procedures, and supports and assists program agencies' efforts in their own strategic workforce planning.
Labor has taken steps to understand its employees' skills and develop competencies to measure their abilities and has maintained sufficient leadership strength in recent years, according to departmentwide workforce data. In addition, several program agencies were taking various steps to prepare their employees to transition into leadership roles. To monitor each agency's human resources activities and workforce planning efforts, HRC uses an accountability review mechanism.

Labor Leads Departmentwide Workforce Planning and Provides Guidance to Its Program Agencies:

To inform its departmentwide strategic workforce planning decisions, HRC systematically collects and analyzes workforce data--such as hiring and separation rates, employee tenure, and demographic information--necessary to develop an overall workforce profile. Our prior work has found that collecting and analyzing workforce data are fundamental to measuring the effectiveness of an organization's human capital approach in support of its mission and goals.[Footnote 27] HRC has used these workforce data--such as retirement eligibility rates and supervisory ratio data--to assess and inform its overall departmental workforce plans and strategies.

HRC is also responsible for leading the development of key departmentwide workforce planning documents, such as the strategic human capital plan.
In 2003, we reported that these documents should be linked to federal agencies' overall strategic goals and outline a framework of human capital strategies to ensure that it is well-positioned to meet its current and future mission needs.[Footnote 28] While the current strategic human capital plan for fiscal years 2008 through 2011 outlines Labor's framework, officials said it reflects the prior administration's human capital goals and no longer guides the department.[Footnote 29] Senior Labor officials said that rather than revising the multi-year departmentwide strategic human capital plan, they required each agency to develop an operating plan for fiscal year 2011 that outlines their programmatic priorities, key activities, and strategies, as well as links to the department's overall strategic plan.

In addition to providing leadership, HRC actively engages top management and program agencies in the department's human capital initiatives by meeting with Labor's senior managers and regional human resources staff regularly to discuss human resources policy, process, and implementation issues. During these meetings, HRC provides agencies with departmentwide guidance on federal hiring initiatives and workforce planning strategies and shares progress towards annual hiring goals. According to the HRC Director, these meetings serve different purposes. The monthly meetings with regional human resource officers are used to share best practices, obtain feedback on predecisional human capital issues, and discuss cross-cutting issues that affect the entire department. The issues discussed at the biweekly meetings with administrative officers are broader than human capital, but allow HRC to share information with and obtain input from senior program agency management on human capital issues, as needed.
Several program agency officials reported that these biweekly, departmentwide management meetings serve as an opportunity to interact and share information with HRC officials and other program managers. [Footnote 30] HRC provides assistance to agencies within Labor to support their workforce planning efforts, including distributing workforce data to its agencies, providing guidance on federal human capital policies, and developing tools to help agencies implement these policies. For example, as of September 2010, HRC published workforce data on a regular basis that highlighted key demographic information about Labor's overall workforce.[Footnote 31] Several program agency officials we interviewed said that they generally found these workforce data to be useful, and some noted that they rely on them to inform their own workforce planning efforts. For example, one OSHA regional official said he used the data to track progress towards their regional hiring goals. In addition to the regularly published data reports, other senior program agency officials noted that key workforce data specific to their own agency was readily available from HRC upon request. To help its agencies implement the department's human capital initiatives, HRC has developed several workforce planning templates to guide their strategic discussions with Labor's program agencies and assist these agencies in devising their individual workforce strategies. These templates are worksheets used to assist program agencies in compiling information they need for particular management activities. HRC has identified the need to develop these templates in response to the administration's priorities or enacted legislation. For example, in fiscal year 2009, Labor developed a template to assist some program agencies--including ETA, EBSA, and OSHA--in their efforts to hire large numbers of short-term staff in response to the passage of the Recovery Act. 
HRC's template helped to ensure that program agencies analyzed information--such as the program agency's mission, programmatic needs, and employee skills--and allowed the agencies to describe their recruitment and staffing plans to hire for key positions. Subsequently, these documents guided HRC and program agency discussions and helped tailor program agency planning to their specific recruiting and hiring strategies. For instance, as a result of these discussions, EBSA and HRC worked together to determine that the Student Career Employment Program was the best option to hire student workers to address EBSA's Recovery Act workload demands. According to EBSA, this strategy was effective because the agency was able to identify high caliber applicants and more easily convert Student Career Employment Program employees to full-time positions within the department, as needed. In another example, HRC developed a template to assist each program agency in outlining its action plan to meet its diversity goals. The template asked program agencies to include elements such as a list of positions in which the agency was underrepresented and a recruitment strategy for those positions. Several senior program agency officials said these types of workforce planning templates were helpful in guiding their thinking about how best to meet agency and administration goals. In fact, senior ETA officials said they plan to continue to develop written staffing plans based on the Recovery Act template. An HRC official said these templates are typically developed as needed and have not historically been used on a regular basis to inform ongoing strategic workforce planning discussions. 
However, in recognition of the need to conduct more proactive, routine strategic workforce planning with its program agencies, HRC recently developed additional templates--including a recruitment checklist and a document to guide strategic workforce conversations--to facilitate routine workforce planning discussions with program agencies. HRC and some program agency officials reported that these additional templates have led to productive discussions about human capital planning. For example, OSHA officials said that HRC's recruitment checklist greatly assisted their recruiting efforts. While HRC provides guidance and acts as a resource, Labor's program agencies have ultimate responsibility for conducting their own workforce analysis and planning.[Footnote 32] In addition to responding to periodic guidance and completing templates from HRC about strategic workforce planning, officials in each of the three agencies we reviewed also considered workload data in analyzing their workforce needs, which is another critical component of strategically managing a federal agency's workforce.[Footnote 33] For example, OSHA regional officials said they used data on the number of workplace fatalities and the number of employers in high-risk industries to determine how to distribute full-time employees among their district and area offices and to identify worksites for inspections. ETA regional officials stated that they prioritized regional workforce needs based on factors such as dollar values and risk levels of grants assigned to them. EBSA regional offices are all required to annually submit a regional program operating plan to the national office that prioritizes workforce needs, taking into consideration workload data, such as the number of regulated financial institutions in their region and number of inquiries received by their benefit advisors. 
Labor Uses Employee Competency Assessments to Determine Its Workforce Needs and Has a Mechanism to Monitor Its Program Agencies' Human Capital Activities: To ensure that it is hiring and developing its employees to meet the needs of the department, Labor has taken steps to identify and assess its employees' critical skills and competencies. Our prior work has noted that a federal agency needs to identify, develop, and select appropriate leaders, managers, and staff to meet its future challenges.[Footnote 34] One critical step is effective succession planning and management that is focused on strengthening both current and future organizational capacity, rather than simply replacing individuals. HRC has taken steps to strengthen Labor's organizational capacity by identifying core competencies for the department's mission critical occupations[Footnote 35] and worked with its program agencies to develop strategies to reduce employee skill gaps.[Footnote 36] This process, which began at Labor in fiscal year 2002, is cyclical (see figure 3). From 2002 through 2003, Labor first developed its mission critical occupation models, including (1) general competencies that could be applied across the department, such as writing or problem solving, and (2) technical competencies for each occupation, such as workforce development program knowledge for ETA employees, or occupational safety knowledge for OSHA investigators. Subsequently, in fiscal year 2004, HRC led a departmentwide process to assess the critical skills and competencies of its mission critical employees and worked with its agencies to develop agencywide action plans to reduce any skill gaps that existed. This online assessment process involved managers rating each mission critical employee's competency level in the department's Learning Link system, followed by the development of summary reports. 
Agency management reviewed these summary reports to identify if skills gaps existed in any of their agency's mission critical occupations and, if so, developed an action plan accordingly. Figure 3: Labor's Competency Assessment Process: [Refer to PDF for image: illustration] Circular process: 1) Identify core competencies and assign to agency’s mission critical occupations. 2) Assess agency mission critical employees’ competency levels. 3) Develop agency action plans to address existing skill gaps. 4) Agencies implement action plans to address skill gaps. [Repeat process beginning with step 1] Source: GAO analysis of Labor’s process. [End of figure] In fiscal year 2008, the department conducted its second assessment of its mission critical employees' skills and asked its program agencies to revise their action plans in light of those findings. Then, in fiscal year 2010, HRC reviewed and updated its mission critical occupations and related competency models that were initially developed in 2002 and 2003. Using panels of program agency representatives and subject matter experts,[Footnote 37] HRC led this departmentwide effort to determine what competencies, if any, should be modified in light of changes to individual program agencies' mission, goals, and anticipated needs. For example, Labor revised its "investigator" mission critical occupation at the Office of Labor Management Standards into two separate occupations--Labor Investigator and Criminal Investigator--to reflect the program agency's non-law enforcement and law enforcement work, respectively. Labor also added a new "workforce analyst" mission critical occupation at ETA based on input from subject matter experts. Labor intends to use this revised list to conduct another assessment of its mission critical employees' skills in fiscal year 2011. Agencies will subsequently be asked to update their action plans to address any skills gaps. 
According to OPM's official Labor liaison, the department is ahead of other federal agencies in conducting this type of competency assessment process. This competency assessment process is routinely used to support workforce analysis and planning at the department and its program agencies, and HRC annually reports its efforts to reduce employee skill gaps to OPM.[Footnote 38] For example, in fiscal year 2008, OSHA identified skill gaps in its safety and occupational specialist workforce in the areas of oral communication, interpersonal skills, and inspection. To address these gaps, OSHA developed an action plan, including revising OSHA's Training Institute curriculum for employees in these areas. Results from the fiscal year 2008 assessment showed that OSHA exceeded its target competency levels for these employees. In another example, EBSA targeted its employee benefits law specialists for improvement in the areas of individual and interpersonal effectiveness. The action plan outlined by EBSA included offering a comprehensive training program for newly hired specialists, and encouraging more experienced specialists to make use of other available Web-based or headquarters training courses provided by the department, such as effective presentations, problem solving and decision making, and customer service. Additionally, EBSA asked that each regional office director adopt training plans that would specifically assist in maintaining or increasing competency levels in these areas. HRC determined that competency levels for EBSA's employee benefits law specialists remained constant between fiscal years 2008 and 2009, and will again target them for improvement in the next assessment process. Beyond the departmental efforts to work with its program agencies to identify and address employee skill gaps, program agencies we reviewed took additional steps to assess employee skill gaps in various ways. 
For example, OSHA officials have developed a model that identifies the core components of its mission critical inspectors' knowledge base above and beyond those identified in the departmentwide process, such as promoting compliance and conducting walk-around inspections. To ensure that employees obtain these skills, OSHA's Training Institute provides relevant training and monitors its employees' developmental progress. Senior officials in two of the OSHA regional offices we visited said they require employees to utilize individual development plans so they can identify current and future skill needs and provide training as needed. In another OSHA regional office, a senior official said that she identifies and assesses skill gaps through informal, regular discussions with her managers. EBSA regional officials said that they annually monitored skill gaps during employee performance reviews and have identified both individual and group training needs to address these gaps. ETA completed a training needs assessment in 2009 to inform the development of its fiscal year 2010 training programs, and noted that the agency is currently planning to improve its automated system to maintain data on employee skills and training and allow its managers to access this information in real time. Building on its skills and competencies data, Labor established a succession plan in 2007 and implemented several departmentwide programs in subsequent years. However, HRC reported that the plan no longer guides the department's efforts. In its fiscal year 2009 report to OPM, Labor noted that it had cultivated sufficient leadership strength for its future needs, and therefore had placed these succession planning programs on hold.[Footnote 39] For example, as of December 2009, Labor estimated that it had prepared more than twice the number of mid-level staff with the skills necessary to cover anticipated attrition of its managers and supervisors. 
Senior Labor officials said they are considering ways to further assess and develop portions of their workforce that could assume leadership positions in the future and had recently opened a Senior Executive Service Candidate program class.[Footnote 40] Given Labor's projected leadership capacity, however, officials said that they did not intend to revise the 2007 succession plan at this time. Although Labor has maintained sufficient leadership strength in recent years, more and more of its employees are becoming eligible to retire, which could leave critical gaps in leadership and institutional knowledge. Between fiscal years 2005 and 2009, the retirement eligibility rate of Labor's workforce continued to rise departmentwide as well as in two of our three selected program agencies (see figure 4).

Figure 4: Retirement Eligibility Rates for Labor's Overall Workforce and in Selected Program Agencies from Fiscal Year 2005 through 2009:

[Refer to PDF for image: combination vertical bar and line graph]

Percentage of retirement eligibility:

Fiscal year: 2005; OSHA: 15.9%; ETA: 23.6%; EBSA: 9.8%; Overall Labor: 16.4%.
Fiscal year: 2006; OSHA: 17.4%; ETA: 21.1%; EBSA: 9.8%; Overall Labor: 16.2%.
Fiscal year: 2007; OSHA: 19.1%; ETA: 20.7%; EBSA: 11.2%; Overall Labor: 17%.
Fiscal year: 2008; OSHA: 19.3%; ETA: 20.4%; EBSA: 11.8%; Overall Labor: 17.9%.
Fiscal year: 2009; OSHA: 19.5%; ETA: 21%; EBSA: 11.8%; Overall Labor: 18.5%.

Source: GAO analysis of CPDF data.

[End of figure]

These retirement eligibility data indicate that nearly 20 percent of Labor's workforce was eligible to retire in fiscal year 2009, approximately half of whom were designated as mission critical. Likewise, our review found that 35.5 percent of Labor's workforce had 21 or more years of federal experience as of fiscal year 2009, suggesting that a greater portion of Labor's workforce will be eligible to retire over the next decade. 
In addition to the potential loss of talent and knowledge, the percentage of Labor's workforce with less than 3 years of federal experience has steadily increased from about 9 percent in fiscal year 2005 to more than 13 percent in fiscal year 2009 (see appendix III).[Footnote 41] This workforce composition could present Labor with challenges in the future as more and more of its experienced workforce becomes eligible for retirement. While the timing of an eligible employee's retirement may be difficult to predict, we found that, on average, a quarter of retirement-eligible Labor employees retired each year between fiscal years 2005 and 2009. However, Labor officials said that given their leadership capacity and recent hiring activity the department will have the staff available to replace many of these employees as they retire. In addition to HRC assessing ways to develop future leaders across the department, program agencies we reviewed were taking various steps to develop leaders within their own agency. For example, OSHA's regional offices' succession planning activities ranged from informal mentoring to providing management training and using data to track retirement-eligible employees. Senior OSHA national office officials noted that they planned to further develop agencywide succession planning programs in fiscal year 2011. EBSA officials reported that they examine the retirement eligibility data of their top management at least twice a year and had several programs in place to address the retirement of its employees, such as rotational assignments with senior executives to provide national and regional office supervisory and nonsupervisory employees a broader perspective of the agency's work. 
We also found that ETA's fiscal year 2011 operating plan noted agencywide succession planning as a goal, and several ETA regional officials said they provided prospective management staff with challenging assignments or training opportunities to prepare them for advancement. To facilitate management of Labor's human capital, HRC developed an accountability review mechanism to monitor aspects of their human capital activities and plans to broaden the review to include a focus on strategic elements of agencies' human capital programs.[Footnote 42] During these reviews, an HRC audit team uses a survey instrument to evaluate a sample of personnel case files, and conducts focus groups with agencies' human resources staff, managers, and other employees. Once completed, HRC issues a report to the audited office with required and recommended actions, and subsequently, determines if there are departmentwide issues that require continued action. [Footnote 43] According to the Director of HRC's Performance and Accountability Office, these accountability reviews historically focused on agencies' compliance with relevant OPM and Labor hiring regulations. However, in fiscal year 2009, HRC expanded the program to align with OPM's Human Capital Assessment and Accountability Framework.[Footnote 44] At this time, HRC also added a section on the strategic alignment of human capital plans and goals to ensure that program agencies develop and document human capital and succession plans that are linked to their mission, goals, and objectives. As of November 2010, HRC had not yet implemented this part of the review, but planned to do so during fiscal year 2011.[Footnote 45] Labor Established an IT Oversight Process, but Has Not Fully Developed Management Controls That Could Improve Mission Performance: Management controls are essential to effectively develop and maintain systems. 
An important control element includes ensuring that sufficient representation by business units is obtained to understand information needs and how IT supports those needs.[Footnote 46] Further, measuring performance is critical to describing how effectively IT investments are supporting mission requirements, and performing post-implementation reviews of deployed systems provides additional opportunities to improve system processes.[Footnote 47] Security requirements are also critical controls that need to be in place to help prevent unauthorized access. While Labor has established controls to oversee, manage, and modernize the department's IT investments, it has not fully developed certain management processes that could aid in improving mission performance and maximize expected IT benefits. Specifically, Labor:

* established an IT governance structure and system development processes, but its structure does not include comprehensive business stakeholder representation;

* required program agencies and offices to develop performance measures and provided guidance on developing them, but the performance measures for the systems we reviewed varied in quality and often did not comprehensively link to productivity and expected outcomes;

* established an investment management process that tracks cost and schedule variances for IT investments, but did not ensure adequate stakeholder representation or sufficient testing of a major project prior to deployment, and it did not conduct post-implementation reviews to assess IT investments; and

* implemented a security program, but has been challenged with keeping current with NIST requirements; the department also has not ensured appropriate user access controls for separated employees or conducted periodic reviews to ensure that system access privileges were still appropriate and necessary.

Labor's IT Governance Structure and System Development Efforts Lack Adequate Business Unit Representation: Because information needs are derived from the business mission goals and requirements, business needs are the foundation of any IT investment. Sufficient representation from business units is essential to understanding information needs and priorities and how these needs can best be supported by IT. In 2009, we reported that, unlike 22 of the other major federal agencies, Labor did not include business unit (i.e., mission) representation on its investment review board[Footnote 48] as called for in IT investment management best practices.[Footnote 49] As we noted in that report, IT investments require fundamental trade-offs among a multitude of business objectives and are dependent on both IT and business units (representing the program agencies that perform mission critical work) for defining and implementing the department's IT investments. On the basis of these findings, we recommended that Labor expand its investment review board to include senior business executive representation to ensure that each investment meets its respective mission needs. In response, the department reported that the senior IT and administrative executives who served on the investment review board had in-depth detailed and expert knowledge and were capable of representing their units' missions and business objectives. However, we have previously reported that IT and administrative executives responsible for mission support functions do not constitute sufficient business representation because, by virtue of their responsibilities, they are not in the best position to make business decisions.[Footnote 50] While Labor has established an IT governance structure that consists of a CIO, a Deputy CIO, and a TRB that have technical knowledge, according to Office of the Chief Information Officer (OCIO) officials, this board does not have members representing mission-related business units. 
As such, the department's IT governance structure continues to lack comprehensive business unit representation to oversee its IT investments.[Footnote 51] During our current review, selected program managers in the department's business units and system users across the department noted an ongoing need for representation in IT investments, such as the need to consult both agency management and system users in the development of system requirements. Otherwise, systems run the risk of not meeting the needs of their intended users. For example, an ETA business manager noted that it would be important to bring together regional, IT, and business units to discuss current and long-term IT issues and that, among other things, they should prioritize systems' enhancements and determine how those enhancements should be developed over the next few years. Further, ETA regional officials expressed concerns that they were not involved in defining business and system requirements. Those officials stated that the systems did not fully support their grant management process and mission needs. Financial managers also indicated that the needs of the business units were not comprehensively assessed before Labor deployed NCFMS. Additionally, the Wage and Hour Division (WHD) investigators in three regions noted that the information system intended to support its business processes and manage investigative case findings was outdated and difficult to use, requiring an excessive number of screens to navigate and also requiring investigators to enter unneeded data to avoid system errors. During our review, the Deputy CIO agreed that business unit representation was important. Further, the official believed that Labor has an IT governance process in place that includes the key elements of oversight, but that it strives to maintain a balance between providing the benefits of oversight and control to agencies without being burdensome in resource or administrative requirements. 
The official noted that the department is researching alternative approaches to developing a new governance structure that would incorporate business unit representation without becoming cumbersome. The official added that for two major IT investments, Labor had recently established governance bodies to improve business unit representation. For example, Labor established a steering committee to meet biweekly with administrative officers to obtain their input on a new human resource IT system. According to the Deputy CIO, this steering committee included representatives from major agencies such as Bureau of Labor Statistics (BLS), ETA, and OIG, and has provided direction for the human resource initiative. The Deputy CIO acknowledged that the department is applying lessons learned from issues caused by insufficient business input for NCFMS and, as such, would not want to develop another system that did not have adequate stakeholder involvement. The official added that now there is an increased awareness of the need for better business representation in systems development. While this steering committee has provided additional business representation to Labor's governance structure for the human resources project managed by OCIO, it does not support other IT projects initiated and managed by other program offices and the Deputy CIO noted that Labor's governance structure has not changed. As of December 2010, OCIO officials noted that Labor's TRB continued to lack business unit representation. Until the department defines and implements a comprehensive governance structure that includes adequate business representation and involves end users in all major system development efforts across the department, it is at risk of updating or replacing its outdated systems with new systems capabilities that do not fully meet the business goals and needs of the department. 
Labor Requires Agencies to Develop Performance Measures, But Measures Vary in Quality and Do Not Comprehensively Link to Expected Benefits of IT Investments:

Comprehensive performance measures are essential to determine if an investment is achieving the expected benefits and efficiently and effectively supporting an agency's mission. According to the Paperwork Reduction Act, agencies are required to establish performance measures that depict how effectively systems are supporting mission needs.[Footnote 52] OMB provides agencies guidance on developing IT performance measures that cover four management areas: (1) mission and business results, (2) processes and activities, (3) customer results, and (4) technology.[Footnote 53] While Labor has developed guidance and requires its agencies and program offices to follow this guidance, we found that these measures varied in quality and were not comprehensive in assessing each investment's expected benefits.[Footnote 54] Specifically, BLS established performance measures to assess its consumer price index system and effectively addressed expected benefits to support mission performance. For example, one measure described that the system intends to provide statistically sound, reliable, timely, relevant, and impartial statistical information concerning trends in consumer prices and inflation in the United States. Further, BLS provided a baseline, target, and actual results for this measure. However, measures for four other systems (representing three program agencies--OSHA, WHD, and ETA--and one office, the OCFO) did not adhere to Labor's guidance to develop comprehensive performance measures, limiting Labor's ability to assess each investment's expected benefits and determine whether it is targeting appropriate resources to improve overall mission goals.[Footnote 55] Examples of how performance measures were addressed in the four management areas follow:

Mission and business results. 
IT investments are designed to support the mission and improve business processes. However, comprehensive measures to determine whether mission and business results were achieved had not been established for the four systems. For example, OSHA did not have performance measures that clearly linked its existing investigator's case file management system to the agency's mission outcomes for securing safe and healthy workplaces.[Footnote 56] This existing case management system provides OSHA program managers with critical mission information, including accident summaries, injury inspection data, and workplace health assessments. However, the system's technology is outdated and Labor lacks comprehensive system performance measures. OSHA's program manager stated that the agency is in the process of replacing part of this system and intends to develop and track more specific performance measures[Footnote 57] when the new system[Footnote 58] is deployed to more effectively support mission needs and business results. Processes and activities measurements. Processes and activities are the basic functions that the IT investment is intended to perform. However, comprehensive processes and activities measures had not been established for the four systems. For example, while WHD's investigative system (1) provides support for managing and reporting on business' compliance with labor laws, including the minimum wage, overtime, and child labor provisions; and (2) enables investigators, managers, and assistants to process complaints; assign, manage, and investigate cases; assist with outreach; and record and monitor investigator time, a WHD official acknowledged a need for more comprehensive performance measures. 
WHD has defined certain measures for this investigative system (to support the tracking of cases), but it had not developed comprehensive performance measures for several other intended functions, such as processing complaints, assigning and investigating cases, and managing case findings and case outcomes. Customer results. To be effective, IT investments need to support the customer. However, for the four systems, Labor did not comprehensively address all five categories of measurement within the customer results area as defined by OMB.[Footnote 59] For example, while ETA had developed measures corresponding to one category--service coverage-- the agency had not developed measures for customer benefit, timeliness and responsiveness, service quality, and service availability. ETA's system provides the federal project officers' information regarding preaward, award, and closeout of grants, and integrates separate systems that are used to track the grants process. According to the Chief of the Division of Application Systems, the grant management process system has more than 100,000 active system users distributed nationwide and, as such, customer performance measures are important. The official acknowledged that the agency does not have comprehensive customer results performance measurements and that, given the magnitude of the system, such measures would be useful. The official added that the agency does have a dedicated technical support staff that provides system users the opportunity to give feedback on system speed, accessibility, and availability. Technology. OMB defines six measurement categories that are intended to capture key elements of performance that directly relate to an IT initiative.[Footnote 60] We found that, for the four systems, measures within this category were not comprehensively developed. 
For example, OCFO defined two performance measures for NCFMS--(1) reliability and availability and (2) quality assurance--but had not developed measures for the remaining four categories: technology costs, efficiency, information and data, and effectiveness.

Labor's Chief Enterprise Architect, responsible for providing agencies guidance on performance measures, told us that the department requires IT performance measures that describe how systems will improve mission performance. The official stated that OCIO has developed and implemented an outreach program to advise program agencies on how to develop specific quality measures that link systems' performance to mission outcomes. However, the department relies on the program agencies to establish these measures and ensure they are related to the systems' intended goals. The Chief Enterprise Architect acknowledged that measures were not comprehensive and added that establishing effective performance measures requires frequent data collection using survey instruments and identification of specific, measurable, achievable, realistic, and time-based measures.

Labor's Deputy CIO also stated that the agencies' measures were not comprehensive and that the department could provide better oversight to the agencies to ensure more relevant and comprehensive measures are formulated, but that doing so is a challenge. According to the Deputy CIO, IT staff at the agencies are responsible for developing IT performance measures specific to the system, such as assessing the time that systems are available for data processing, and the business units should also develop measures that determine how well the systems are supporting mission needs. Given the magnitude of Labor's IT systems and the diversity of users, defining comprehensive performance measures that reflect business managers' and IT representatives' perspectives is important.
A BLS financial manager stated that, for NCFMS, the department tracked errors but did not (1) determine how the system affected business unit productivity or (2) link measures to financial management performance. If the department does not require comprehensive measures to be developed for all systems, it will lack the ability to determine whether systems are achieving business outcomes and improving mission performance. Additionally, if program agencies do not measure actual-versus-expected performance results for their IT systems, Labor will lack the information it needs to determine whether it is targeting appropriate resources to improve overall mission goals.

Labor Has Established an Investment Management Process, but Has Not Always Fully Evaluated the Development and Implementation of IT Investments:

If managed effectively, IT investments can have a positive impact on an agency's performance and accountability. A central tenet of the federal approach to IT investment management is the capital planning and investment control (CPIC) process, which includes three phases: select, control, and evaluate (see figure 2).[Footnote 61] Labor has established an investment management process that includes a CPIC approach to managing its IT investments. However, we identified instances where Labor had not followed selected aspects of the select and control phases of this approach to monitor the development and implementation of a major IT investment--NCFMS. It also had not performed post-implementation reviews of its IT projects as required in the evaluate phase, limiting the department's ability to maximize the expected benefits of IT investments and increasing the risk of not effectively supporting mission needs.

Labor Did Not Adhere to Certain Aspects of its Select and Control Guidelines:

For the select phase, Labor has established a process to screen and score proposed IT investments, consistent with best practices.
[Footnote 62] As part of its selection methodology, Labor evaluates an investment proposal by determining if the project supports the department's mission. This includes checking to ensure proper stakeholder identification and involvement was performed as part of the initial requirements development. It also assesses whether the investment needs to be undertaken by Labor or whether some other source can better support the need. In addition, it reviews the potential for sharing information across the department to avoid redundancy in systems.

During the control phase, the organization should ensure that, as projects develop and investment expenditures continue, the project continues to meet mission needs at the expected levels of cost and risk. If the project is not meeting expectations or if problems have arisen, steps should be taken to address the deficiencies. Labor has established processes to assess projects during the control phase. These processes, for example, include system testing to provide a reasonable assurance that the IT investment will perform as expected. The department also has processes to (1) track cost and schedule variances and (2) review systems' compliance with architecture, security, cost benefit analysis, and risk management requirements. These processes are consistent with best practices.

Nonetheless, we found that Labor had not adhered to certain aspects of its select and control guidelines for a departmentwide investment--NCFMS--deployed in January 2010.[Footnote 63] Effective system development requires (1) adequate stakeholder representation to support thorough systems requirements and (2) sufficient testing prior to deployment.[Footnote 64] During the select phase, Labor's OCFO officials did not obtain adequate stakeholder input prior to the development and implementation of NCFMS.
As we have noted earlier in this report, stakeholders should be involved in helping to develop the requirements for the system to help define what functions the system needs to perform.[Footnote 65] The systems development teams should perform an analysis of these requirements and the OCIO, as part of the final CPIC select phase, should review the analysis. However, Labor IT personnel and system users from six program agencies and four regional offices told us that users were not adequately involved in developing NCFMS requirements prior to system deployment. According to a BLS program manager, only two individuals representing business units were involved in the initial NCFMS team; all other representatives were from OCFO. While the Associate Deputy Chief Financial Officer for Financial Systems and an official from OCIO stated that the department reached out to the program agencies, many agencies decided not to engage. In the department's comments on this report, Labor officials stated that the department consulted agency representatives prior to NCFMS' deployment and that many of the system's issues were attributed to relearning basic processes, rather than to lack of stakeholder involvement. The officials stated that the financial system changed the business practice and impacted every financial activity performed in the department. Labor officials also stated that NCFMS requirements were based on the Financial Systems Integration Office (FSIO) and were the result of common requirements developed by experts from throughout the federal government. While we agree that relearning basic processes can be challenging for users, it does not account for the range of system problems experienced nor the volume or types of engineering changes required after NCFMS implementation. Further, while FSIO requirements provide the functional capabilities, these do not address accounting policy or procedures. 
As such, adequate stakeholder involvement is essential to implement these functional requirements, configure the system to meet its needs, and adequately test the software to ensure that the system has properly implemented the FSIO requirements.[Footnote 66]

Labor also did not comprehensively test NCFMS prior to its deployment. This step, which is generally part of the control phase, is intended to help demonstrate through testing that the system can function in its target environment and to provide reasonable assurances that new or modified systems process information correctly.[Footnote 67] Effective testing requires organizations to plan and conduct testing activities in a structured and disciplined fashion. This includes different levels of testing, such as system and user acceptance testing.[Footnote 68] Our examination of the test steps for one script--procure to pay[Footnote 69]--revealed characteristics of an undisciplined testing process.[Footnote 70] As a result, Labor's testing efforts did not accomplish a key objective--to obtain reasonable assurance that NCFMS would perform as expected. Specifically, system testing prior to deployment was inadequate in three areas:

* Quality. The scripts[Footnote 71] used to conduct the testing for this process did not include expected results to measure against, which would allow errors to be readily identified and corrected. Instead, Labor personnel involved in testing the system had to rely on their own knowledge in evaluating whether the test results were accurate. As we have noted, relying on testers to assess system quality without identifying expected results is inadequate because it is difficult for the testers to remember all the items needed for evaluating whether the system is operating as expected.[Footnote 72] In addition, Labor did not set adequate boundary conditions for testing.[Footnote 73] For example, one test was to determine whether the system would reject more than 100 items, as intended.
To adequately test this, the department should have determined whether the system would accept a quantity just below 100 items, such as 99, yet reject a quantity of 101. We found that the department did not test these quantities and, as a result, did not have reasonable assurance that the system would accurately detect and reject quantities beyond established limits.[Footnote 74]

* Documentation. Adequate documentation of tests performed helps obtain reasonable assurance that the tests produce expected results; however, Labor did not adequately document test results. For the 26 steps of the procure to pay script that we reviewed, Labor could not provide adequate documentation for 17 steps.[Footnote 75] Test documentation provided did not document whether the testing had identified any defects. While Labor officials stated that errors had been identified and corrected, the test documentation did not identify errors or the testing performed to ensure that the defects had been corrected. As a result, Labor was limited in its ability to understand whether the testing process was effectively implemented and produced expected results.

* Scope. Labor did not test certain aspects of the standardized payment processing functions applicable to systems used by federal agencies.[Footnote 76] For example, rules such as rejecting the delivery of goods at locations other than the appropriate receiving site, rejecting invoices, and properly processing a payment were not tested.

In commenting on these findings, Labor noted that the OCIO engaged an independent verification and validation contractor with specific knowledge of the financial system and that the contractor verified the system testing and performed its own independent testing of each system segment. Nonetheless, as discussed above, our review of the documentation provided by the department to support its testing activities indicated that these processes had not been effectively implemented.
We found that disciplined testing activities had not taken place and, as a result of these weaknesses, Labor's testing efforts did not provide reasonable assurance that the system would perform as expected.

Before NCFMS' deployment, Labor's OIG also identified inadequate system testing, a lack of user acceptance testing and related documentation, and a lack of end-to-end testing.[Footnote 77] The OIG reported that:

* not all real-time interface requirements were appropriately tested during the user acceptance test phase,[Footnote 78]

* evidence could not be obtained to determine if failed system test cases were corrected and retested, and

* a completeness and accuracy validation was not performed between real-time interfaces and NCFMS.[Footnote 79]

According to the OIG report, Labor conducted data interface and system testing of the NCFMS system just prior to departmentwide implementation. Consequently, Labor may not have allowed sufficient time for its personnel to assess the test results and correct errors. Labor's systems development guidance requires that user acceptance tests be planned and implemented. However, the NCFMS program manager acknowledged that to meet project implementation milestones, Labor had not appropriately performed user acceptance testing and had not adequately documented the testing that was performed.

Inadequate testing coupled with the premature implementation of NCFMS contributed to the department being unable to perform basic accounting functions once the system was implemented. Officials at four regional offices and five program agencies told us that in NCFMS' first year of deployment, the system was cumbersome, time consuming, and caused inefficiencies in basic daily operations.
Further, according to the OIG's December 7, 2010, testimony, inadequate testing, among other issues, caused the department to issue a disclaimer of an opinion on its fiscal year 2010 financial statements.[Footnote 80]

Until Labor develops an effective selection and control process that ensures key stakeholders are involved and adequate requirements analysis and testing has been performed, it risks investing in projects that do not effectively meet mission needs.

Labor Has Not Performed Post-implementation Reviews:

In addition to not following certain aspects of the CPIC process for the select and control phase, Labor has not conducted post-implementation reviews of its IT projects as part of its project evaluations. Post-implementation reviews are conducted during the evaluate phase and actual-versus-expected results are compared after an agency fully implements a project. This step is done to (1) assess the project's impact on mission performance, (2) identify any changes or modifications to the project that may be needed, and (3) revise the investment management process based on lessons learned. Post-implementation reviews are used to evaluate whether the estimated return on investment was actually achieved and to identify how effectively the system has supported stakeholders and met baseline goals in terms of cost, schedule, and performance.

OMB and Labor require such reviews in order to assess what the agency achieved with the investment. According to Labor's system development guidelines, a post-implementation review should be performed within 6-9 months of deployment to assess the system's performance and ability to meet expected benefits.[Footnote 81] The CPIC program manager said that the department has not performed post-implementation reviews of its systems because it has devoted resources to the select and control CPIC processes and that, until recently, Labor did not have the structured guidance available to conduct these reviews.
The program manager added that the department is in the process of developing post-implementation review guidance and plans to conduct reviews on investments in the future. Without such reviews, Labor may not be able to revise its investment management process on the basis of lessons learned or identify opportunities to improve system performance.

Labor Has Implemented a Security Program but Information Security Risks Remain:

Labor has established an information security program and policies that address the key requirements of FISMA, but the department faces weaknesses in several areas, such as not fully complying with select security requirements and ensuring appropriate user access. Specifically, Labor has taken the following steps to establish its information security program:

* periodically assessed the risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or systems;

* developed risk-based policies and procedures that cost-effectively reduce information security risks;

* developed plans for providing adequate information security for networks, facilities, and systems;

* provided security awareness training for agency personnel and contractors;

* performed periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency based on risk level, but not less than annually;

* implemented a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies identified in the agency's information security policies, procedures, and practices;

* developed procedures for detecting, reporting, and responding to security incidents; and

* developed plans and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency.

Nonetheless, Labor faces several security risks.
For example, it is challenged with updating its IT operations in accordance with current NIST requirements and ensuring appropriate user access. Until Labor strengthens its controls over these security weaknesses, its systems and the information they store are at increased risk of security breaches.

Labor Has Not Fully Implemented Current Security Requirements:

Labor is not fully meeting current security requirements for IT operations as defined in NIST Special Publication 800-53, guidelines that apply to all components of an information system that processes, stores, or transmits federal information.[Footnote 82] These guidelines set forth security controls that are intended to prevent unauthorized access and detect any inappropriate modifications of data. This is essential to protect and safeguard information processed in systems. Federal agencies are required to follow NIST special publications and implement the requirements within one year.[Footnote 83]

However, Labor's Chief Information Security Officer stated that as of November 3, 2010, not all program agencies were fully in compliance with NIST 800-53 revision 2, which was to be implemented by December 2008. Further, Labor has not fully implemented the most recent requirement, NIST 800-53 revision 3, which was to be implemented by August 2010. According to NIST documentation, NIST 800-53 revision 3 controls are a significant improvement over revision 2 and earlier versions, because when implemented they will, among other things, provide for organizationwide and continuous security risk assessments instead of periodic, isolated system reviews as provided for in earlier versions.[Footnote 84]

The Chief Information Security Officer stated, early in 2010, that Labor planned to have all agencies compliant with revision 3 by the end of fiscal year 2011.
In subsequent comments on a draft of this report, Labor officials stated that the department plans to have agencies compliant with revision 3 by December 2011, and noted that this revised implementation schedule was supported by a risk-based analysis of both revisions 2 and 3 and a determination that the risks associated with delayed implementation of the new controls were low to moderate. Labor officials further noted that the controls that were not fully compliant have been documented and the department has developed plans for corrective actions. We are encouraged by the department's assertions to take action; however, the current plans to fully implement revision 3 are about one and a half years behind schedule. Until the department fully implements the revised controls, Labor will continue to face potential security risks. Further, under FISMA, agencies are required to classify their systems according to three risk levels--low, moderate, and high. The risk classification serves as a basis for determining the level of security applied to the system to ensure that information resources are adequately protected. Risk classifications are based on the confidentiality, integrity, and availability of the information. Labor has classified all of its 72 operational systems at the moderate risk level since fiscal year 2008, but according to the Deputy CIO and Chief Information Security Officer, the department was re-evaluating these systems' risk levels. The Chief Information Security Officer stated that given the significance of NCFMS on the department's financial activities, this system may not be appropriately assessed at a moderate risk level. Further, this official also noted two other systems that may be misclassified. According to the Deputy CIO, the systems' risk levels may be misclassified because the systems have matured and evolved over time. 
As such, in November 2010, Labor officials said that they intended to re-evaluate the risk classification of agency systems. In January 2011, Labor's Chief Information Security Officer stated that the department had, consistent with FISMA requirements, conducted its annual review of systems' classifications.[Footnote 85] This official stated that the department re-evaluated the systems and determined that all 72 operational IT systems will continue to be assessed at the moderate risk level.

Nonetheless, while the department stated that it has completed its annual evaluation of system risks and indicated that it is focusing on risk-based analyses in prioritizing security controls, we remain concerned that there are substantive issues with IT controls and the condition of information security at the department. As part of our work in our high-risk reporting, Labor has been downgraded from a significant deficiency in department financial controls in 2009 to a material weakness in 2010 based on vulnerabilities with overall security management and access controls. The department is 1 of 8 organizations (out of 24 total) designated with material IT security weaknesses in its financial and information systems.[Footnote 86]

Labor Has Not Completely Implemented Effective Controls to Ensure Appropriate User Access:

Labor has not always limited systems access to appropriate personnel. In particular, Labor guidance states that employee system access should be terminated at the time an employee separates from the department. However, headquarters and regional personnel we interviewed said that inappropriate access by former employees had been an issue in their respective regions.
In addition, the OIG reported in November 2010 that Labor had recurring access issues and vulnerabilities associated with user access privileges to information systems.[Footnote 87] For example, the OIG found that:

* five of seven information systems tested did not have processes or procedures in place for conducting periodic reviews to ensure that user system access privileges were still appropriate and necessary, creating the risk of unauthorized individuals having access to view, update, or delete data in the information system, and

* four of seven information systems tested contained active user accounts for employees that had separated from the department. Specifically, former employees accessed their user accounts in three of the four information systems subsequent to separation.

Labor officials said that inappropriate access to systems occurred because systems personnel were not notified of an employee's separation. Labor's policy states that a human resources manager is to initiate and terminate access to all systems and facilities for federal and contractor personnel upon their entry and prior to their exit from the department. The Deputy CIO acknowledged that such inappropriate access had occurred; however, he said that the department was taking corrective action to prevent inappropriate access in the future by incorporating this requirement into its new human resources management system. Further, Labor stated in its response to the IG report that it is taking aggressive steps to strengthen IT security and noted increased emphasis on prioritizing IT security issues.
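The reconciliation that the OIG's access findings call for can be run as a routine check. The following is an added example, not part of the GAO report or of Labor's systems: it compares an HR separation extract against each system's account list, login records, and last access-review date. The system names, field names, sample records, and the 365-day review interval are all assumptions constructed for illustration.

```python
"""Reconcile HR separations against system accounts, logins and review dates.

Constructed sample data only: system names, account names, field names and the
365-day review interval are assumptions made for this example.
"""
import csv
import io
from datetime import date, datetime, timedelta

HR_SEPARATIONS = """employee_id,separation_date
E1001,2010-03-31
E1002,2010-06-15
E1003,2010-09-30
"""

ACCOUNTS = """system,account,employee_id,enabled
SYS-A,jdoe,E1001,true
SYS-A,asmith,E2001,true
SYS-B,jdoe,E1001,false
SYS-B,bnguyen,E1002,true
SYS-C,clee,E1003,true
"""

LOGINS = """system,account,timestamp,result
SYS-A,jdoe,2010-03-30T09:12:00,success
SYS-A,jdoe,2010-04-02T18:40:00,success
SYS-B,bnguyen,2010-06-20T07:05:00,failure
SYS-B,bnguyen,2010-07-01T07:06:00,success
SYS-B,jdoe,2010-05-01T10:00:00,failure
SYS-A,asmith,2010-10-01T08:00:00,success
"""

# Date of the most recent documented access review per system (None = never).
LAST_ACCESS_REVIEW = {
    "SYS-A": date(2010, 8, 1),
    "SYS-B": None,
    "SYS-C": date(2009, 1, 15),
}


def rows(text):
    """Parse an embedded CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def load_separations(text):
    """Map employee_id -> separation date from the HR extract."""
    return {r["employee_id"]: date.fromisoformat(r["separation_date"])
            for r in rows(text)}


def orphaned_accounts(accounts, separations, as_of):
    """Enabled accounts whose owner separated on or before `as_of`."""
    found = []
    for acct in accounts:
        sep = separations.get(acct["employee_id"])
        if acct["enabled"] == "true" and sep is not None and sep <= as_of:
            found.append((acct["system"], acct["account"],
                          acct["employee_id"], sep))
    return sorted(found)


def post_separation_logins(accounts, logins, separations):
    """Successful logins dated after the account owner's separation date.

    The separation day itself is treated as legitimate use; anything later
    is evidence that access was not terminated at separation.
    """
    owner = {(a["system"], a["account"]): a["employee_id"] for a in accounts}
    hits = []
    for event in logins:
        emp = owner.get((event["system"], event["account"]))
        sep = separations.get(emp)
        when = datetime.fromisoformat(event["timestamp"])
        if sep and event["result"] == "success" and when.date() > sep:
            hits.append((event["system"], event["account"], emp,
                         event["timestamp"]))
    return sorted(hits)


def overdue_reviews(last_review, as_of, interval_days=365):
    """Systems with no access review on record within the interval."""
    cutoff = as_of - timedelta(days=interval_days)
    return sorted(s for s, d in last_review.items() if d is None or d < cutoff)


def run_review(as_of):
    """Run all three checks and return the findings keyed by check name."""
    separations = load_separations(HR_SEPARATIONS)
    accounts = rows(ACCOUNTS)
    return {
        "orphaned_accounts": orphaned_accounts(accounts, separations, as_of),
        "post_separation_logins": post_separation_logins(
            accounts, rows(LOGINS), separations),
        "overdue_reviews": overdue_reviews(LAST_ACCESS_REVIEW, as_of),
    }


if __name__ == "__main__":
    for finding, items in run_review(date(2010, 11, 1)).items():
        print(finding)
        for item in items:
            print("  ", item)
```

Driving the check from the HR extract rather than from a notification to systems personnel removes the dependency that Labor officials cited as the cause of the inappropriate access.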
Labor Has Established Policies for Grants Accountability, but Weaknesses Exist in Documentation and Monitoring:

Our review of one of Labor's top management challenges--the discretionary grant management process--showed that although ETA had designed overall policies intended to provide accountability over its discretionary grants award and monitoring processes, it did not have sufficient procedures and guidance to help ensure that award and monitoring internal control activities are conducted and properly documented and that the results of single audits are fully integrated with monitoring activities. In its Fiscal Year 2009 Performance and Accountability Report,[Footnote 88] Labor acknowledged that the large increase in grant funding provided by the enactment of the Recovery Act[Footnote 89] exacerbated the challenge facing the department in the grants area with respect to ensuring that grant funds are appropriately spent on activities that will yield the desired training and employment outcomes.

Specifically, our review of ETA's grant management process showed that ETA did not always have sufficient quality assurance procedures and comprehensive guidance with respect to (1) maintaining and retaining discretionary competitive grant award documentation, (2) properly and consistently conducting and documenting federal project officer (FPO) monitoring activities, and (3) fully integrating the results of single audits in its discretionary grantee monitoring activities. From our review of 30 grant files, we identified instances[Footnote 90] in which these design deficiencies resulted in ETA's inability to locate essential documentation needed to verify that key discretionary award processes were performed and instances where evidence supporting key monitoring activities was not consistently retained in a central location to facilitate management oversight.
Weaknesses in ETA's Procedures for Retaining Documentation for Competitive Discretionary Grant Awards:

While ETA's discretionary grant management procedures provide guidance on key control activities intended to help provide assurance that grants are appropriately justified and awarded, these procedures did not specify where and how long to retain documentation of grant award reviews and results.[Footnote 91] According to ETA's Grant Management Desk Reference Guide, the award process for discretionary competitive grants requires the preparation of documentation such as conflict of interest and nondisclosure statements signed by the members of the review panel, and a scoring and written report of the panel's evaluation of grantee's response to the solicitation of grant awards. In addition, the Employment and Training Order No. 1-08 requires a preaward clearance to be performed and documented for prospective grantees, which is performed by Labor's Office of Special Programs and Emergency Preparedness.[Footnote 92] However, we found that ETA did not have guidance with respect to where these required documents were to be centrally filed and how long they are to be retained to facilitate management oversight.

Inadequate documentation of these key award activities increases the risk that ETA may not have support to show that grantees selected were the best for meeting the government's requirement or that in conducting award activities, its members were free of any conflicts that would hinder their ability to perform fair and objective assessments of discretionary grant applicants.
For example, our review found instances related to competitive grants[Footnote 93] in which agency staff could not locate key discretionary grant award documentation including:

* seven grant files that did not include conflict of interest and nondisclosure statements signed by the members of the preaward review panel,

* five grant files that did not include the review panel's preaward scoring and related written reports, and

* nine grant files that did not include results of preaward clearance, such as results of investigations, audit resolution, and other matters.

Of the ten competitive grant files we reviewed, some files were missing multiple documents. For five grants, the files did not contain any of the key discretionary grant award documentation--a conflict of interest nondisclosure statement, review panel's preaward scoring, and related written reports and results of preaward clearance.

Our Standards for Internal Control in the Federal Government provides that internal control and all transactions and other significant events should be clearly documented and readily available for examination.[Footnote 94] The standards also provide that records should be properly managed and maintained, and documentation should appear in management directives, administrative policies, or operating manuals. According to ETA officials, as of December 2010, the agency was in the process of developing standard operating procedures to address centralizing the location and retention of award documents.

Weakness in Properly and Consistently Conducting and Documenting ETA's Quality Assurance Monitoring Activities:

While ETA's grant management procedures require performing and documenting the results of its monitoring activities, they did not specify quality assurance steps, such as supervisory reviews, necessary to ensure that required grant monitoring activities are consistently and properly conducted and documented.
To monitor grantees' compliance with administrative, financial, and performance regulations, ETA's guidance requires FPOs to perform a combination of office-based reviews referred to as "desk reviews" and, for new and "at-risk" grantees, conduct on-site visits at grantees' locations. Through desk reviews, FPOs are to analyze grantees' program and financial reports, as well as any other related information available to identify current risk areas and problems related to grantee performance, noncompliance with federal requirements, or mismanagement of funds. FPOs are to conduct on-site visits at the grantee's work site to observe and review work being done under the provision of the grant.

FPOs begin the grant monitoring process by performing an initial risk assessment of the grantee using ETA's Grants Electronic Management System (GEMS).[Footnote 95] The initial risk assessment consists of the FPOs answering a series of standard questions about the grantee in GEMS to determine the risk level. The result of this initial risk assessment is then used to determine the type of monitoring activities that an FPO will perform on the grantee. For example, monitoring activities for new grantees and grantees rated "at-risk" will require an on-site visit, while low- or medium-risk grantees will be monitored at the office through desk reviews.

Throughout this process, FPOs in the regional offices are required to document the results of these activities in GEMS, such as documenting deficiencies observed and areas of concern relating to the administration and performance of each grant. According to key ETA officials, GEMS is also intended to be the central repository for data on grant monitoring activities to provide information on all grantees that can be shared agencywide. ETA's Grant Management Desk Reference Guide provides that GEMS grant monitoring records are considered an integral part of the official grant file.
However, ETA's procedures did not specify quality assurance steps necessary to help assure that required FPOs' monitoring procedures were properly and consistently carried out and documented in GEMS. Such quality assurance procedures should be the responsibility of an ETA organizational component with an FPO quality assurance role, such as ETA's regional management. Without quality assurance procedures, such as supervisory reviews, to ensure that complete and consistent monitoring is conducted and data results are recorded in GEMS, ETA is hampered in its ability to effectively and efficiently account for its discretionary grants. For example, as summarized in the following bullets, our review found instances in which (1) risk assessments were not documented or were changed without proper justification, (2) desk reviews of financial and performance information were not documented, (3) on-site monitoring activities were not recorded, and (4) final desk reviews were not documented.[Footnote 96]

* Risk assessment. We found one grant where the initial risk assessment calculated in GEMS was overridden by the FPOs without explanation. In addition, we found seven grants where the quarterly risk assessment changed from one quarter to another without explanations for the change.[Footnote 97] GEMS data entry forms provide a comment box where narrative information regarding the results of the risk assessments can be entered; however, we found that it was not consistently used by the FPOs.[Footnote 98] The grant risk assessment determines the extent of subsequent monitoring activities such as site visits, and the lack of narrative to address the overriding of the initial risk assessments prevents management from understanding the rationale used to change the risk levels. Therefore, unexplained risk level changes may place the agency at risk of not performing the required level of monitoring for its grants.

* Quarterly desk reviews.
We found three grants where desk reviews were not documented for specific quarters during the life of the grant. Desk reviews conducted by the FPOs assess information provided by the grantee such as financial reports, statements of work, program narratives and performance reports, and budget information. The results of quarterly desk reviews may also change the risk level of a grantee and affect monitoring strategies. ETA's guidance requires the performance of desk reviews every quarter while the grant is active. Without clear documentation on the results of quarterly desk reviews, the agency cannot determine whether the grantee has complied with legal requirements of the grant agreement. Further, the failure to perform quarterly desk reviews could result in ETA's inability to identify issues of nonconformance that would require corrective actions by the grantee or issues that require an on-site visit. * On-site reports. We found 19 grants where the grantees were either new or deemed as "at-risk" and required on-site visits to be performed by the FPOs. Of these 19 grants, we found four instances where on-site reports were not uploaded into GEMS and three instances where the FPOs did not separately enter the findings from the on-site visits. ETA's guidance requires FPOs to upload a copy of a report summarizing the results of the on-site visit in GEMS. Additionally, this guidance requires the FPOs to enter separately all findings from the on-site visits into GEMS. Site visits provide FPOs a unique opportunity to have a close inspection into the grantee's use of federal funds and document whether the project is proceeding according to the grant's requirements or whether action must be taken to resolve identified issues. Also, on-site visits allow FPOs to identify issues, which they normally would not identify while performing a desk review. 
For example, as a result of on-site visits, FPOs have identified instances where fiscal agents were writing and depositing checks to themselves and timesheets were incomplete. In other instances, FPOs found that grantees did not have adequate internal controls to protect government assets, invoices were not approved, and reporting activities lacked supporting information. The absence of on-site monitoring data in GEMS limits the information readily available to share with other staff, supervisors, and program managers about issues that may require immediate attention. * Final desk review. We found three closed grants and one active grant where a final desk review had not been documented in GEMS. In addition, we found that for eight grants, the required final review narrative was not included. ETA's guidance requires FPOs to make a final desk review and also include a narrative on the results in GEMS. The final desk review provides a documented assessment of the performance of the grantee during the period of performance and provides important information for future solicitations in which prior performance is a criterion. Without timely and adequate documentation of the grantee's performance assessment, supervisors and program managers are not able to fully assess the grantee's overall performance and could place future discretionary funding at risk. Standards for Internal Control in the Federal Government requires that entities are to provide continuous supervision to provide reasonable assurance that internal control objectives are achieved. In addition, the standards provide that transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. Moreover, ETA management will not be able to effectively obtain and share complete and consistent information on the results of grantees' overall performance, including the grantees compliance with legal requirements of the grant agreement. 
Weaknesses in Fully Integrating Single Audit Results into Discretionary Grant Monitoring:

The results of Single Audits provide important information for the oversight and monitoring of discretionary grant recipients' use of federal awards. Our review of ETA's Single Audit process showed that while ETA has implemented a resolution process, it has not established procedures for using the results of Single Audits in FPOs' monitoring activities documented in GEMS.[Footnote 99] ETA officials stated that the Single Audit findings and information on their resolution process may not always be shared with the FPOs in charge of monitoring the grantees.

While Labor has procedures for resolving Single Audit findings, its procedures did not require that Single Audit results be consistently submitted to the FPOs and considered as part of their discretionary grant monitoring procedures. Specifically, Labor has a centralized process in place to resolve audit findings reported in Single Audits through coordination with the regional offices and Labor's OIG. Further, ETA requires FPOs, as part of the Core Monitoring Guide, to ask their grantees during on-site visits whether a Single Audit has been performed and if so, to obtain a copy. However, the Guide does not require FPOs to use the information from the Single Audits when conducting risk assessments or to document any relevant findings in GEMS. According to ETA officials, FPOs may be aware of the Single Audit findings for their grantees if during the resolution process the FPOs are consulted to obtain information or documents to support the corrective action plans prepared by the grantee. Not requiring such information to be obtained and retained in GEMS may hinder the FPOs' ability to effectively assess risks related to a grantee's performance.
For example, we identified five grantees with Single Audits for which the grant files in GEMS did not contain any documentation that the results of the Single Audit findings were entered in GEMS.

Standards for Internal Control in the Federal Government provides that agency officials, program managers, and others responsible for managing and controlling program operations should receive relevant, reliable, and timely information to make operating decisions, monitor performance, and allocate resources. Because Single Audit results could help identify problems with grantees' financial management and program operations, it is important for the FPOs to have results of Single Audits when performing risk assessments of grantees to determine the level of monitoring activities that FPOs will perform on the grantees.

Conclusions:

Labor has made strides over the last decade in establishing a departmentwide framework for managing its information technology and developing an internal control structure for monitoring its financial resources. However, opportunities remain for Labor to improve its management of these areas.

While the department has taken steps to ensure mission unit representation in selected IT investments, its IT governance structure continues to lack necessary input from business units to ensure that projects meet mission needs, and performance measures do not always reflect actual productivity and benefits of systems. The department also does not consistently apply elements for adequately evaluating its IT investments, such as implementing best practices for project selection and oversight and performing post-implementation reviews. Until Labor develops an effective selection and control process that ensures key stakeholders are involved and adequate requirements analysis is performed, it risks investing in projects that do not effectively meet the department or its program agencies' mission needs.
In this regard, Labor can apply lessons learned from its implementation of NCFMS. If Labor does not consistently implement its IT investment guidelines and adequately test systems prior to deployment, it may run the risk of deploying systems that do not support users and operate less effectively, potentially wasting limited resources.

In addition, risks remain in Labor's implementation of its information security program. These include not keeping current with security requirements and implementing adequate access controls. As a result, Labor has increased vulnerability to security threats, such as destruction of and inappropriate access to systems and databases.

Labor should also take steps to strengthen its grant management processes. Specifically, ETA's ability to adequately assess the results of its monitoring activities for billions in discretionary grant funds is diminished, in part, due to its staff not collecting and maintaining all needed documentation for performing key monitoring activities. By strengthening its policies and procedures for the documentation and maintenance of information, ETA would be better positioned to determine whether its grantees are using federal dollars as intended.

Recommendations for Executive Action:

To further strengthen Labor's IT planning and oversight process and financial management, we recommend that the Secretary of Labor direct the Chief Information Officer to:

* ensure that the department-level investment review boards and governance structure incorporate business unit (i.e., mission) representation to effectively define business system requirements;

* ensure that program agencies implement Labor's guidance to develop comprehensive performance measures for their respective systems in order to provide reasonable assurance that new systems will provide expected functionality and benefits;

* further refine Labor's IT investment management oversight process in the select and control phases to apply lessons learned from its implementation of NCFMS to ensure adequate stakeholder involvement and comprehensive testing is performed throughout the systems development process;

* conduct post-implementation reviews, where appropriate, to determine if the investments are meeting stakeholder needs and realizing expected benefits; and:

* ensure systems fully comply with NIST 800-53 revision 3 guidance and, if not, take appropriate steps to meet these requirements.

We also recommend that the Secretary of Labor direct the Assistant Secretary of the Employment and Training Administration to:

* establish procedures for retaining grant award-related documentation, including location and retention period;

* establish quality assurance procedures, such as supervisory reviews, to ensure that grant monitoring activities are performed and documented in GEMS. Procedures should identify how the review is to be conducted, the regional-level official responsible for reviewing grant documentation in GEMS, and the frequency of the reviews, and:

* establish procedures addressing the communication and incorporation of Single Audit findings and related corrective actions as part of the ETA's grantee's monitoring activities to be documented in GEMS.

Agency Comments and Our Evaluations:

We obtained written comments on a draft of this report from Labor's Assistant Secretary for Administration and Management, which are reproduced in appendix IV. Labor also provided technical comments that we incorporated in the report as appropriate.

Labor generally agreed with our findings. In response to our five recommendations to further strengthen the department's IT planning and oversight process, Labor stated, in general, the portrayals of their information management controls are substantiated. However, Labor raised concerns about how we presented the IT security references. For example, Labor stated that the report implies that program agencies did not place priority on implementing current security requirements and that this is not completely accurate. In response to Labor's comments, we revised the wording of the fifth recommendation to highlight the need to fully implement current security requirements. Labor provided additional clarifying information in its technical comments regarding its information technology controls, and we incorporated this information as appropriate.

With respect to discretionary grant management, ETA agreed with our recommendation to establish procedures for retaining competitive grant award documentation. However, in response to our recommendation to establish quality assurance procedures--such as supervisory reviews--to ensure that grant monitoring activities are performed and documented in GEMS, ETA stated that the recommendation suggests that such steps are not in place and that this is not the case. ETA added that they have a broad range of grants management and monitoring practices and procedures in place to ensure effective grants management review. For example, ETA discussed having performance agreements established for regional administrators, managers, and FPOs, which include standards that address grant monitoring and other grant management responsibilities.
However, as evidenced by our findings, these standards and procedures do not specify steps necessary to assure that required FPOs' monitoring procedures are properly and consistently documented in GEMS. As ETA transitions from a largely paper-based federal grant management system to electronic filing using GEMS, it is important that its main monitoring documentation storage system be consistently updated and reviewed to reflect the current status and results of its grant monitoring activities. By doing so, management will have one central repository, where they can effectively obtain and share complete and consistent information on the results of grantees' overall performance, including the grantees' compliance with legal requirements of the grant agreement. In response to Labor's comments, we revised the wording of the recommendation to make more clear that the focus is on specifying the steps needed to ensure that grant monitoring activities are performed and documented in GEMS. In response to our recommendation to establish procedures to document Single Audit results in GEMS, ETA stated that it recognizes the importance of various Labor offices and staff in communicating and incorporating Single Audit findings and will continue to further strengthen this critical monitoring process. ETA noted that its Core Monitoring Guide already requires reviewers to ascertain the status of the Single Audit and any open issue as part of their on-site review. However, as our report indicates, there is no requirement that the results of the Single Audit be documented in GEMS. Not requiring such information to be retained in GEMS may hinder the reviewer's ability to effectively assess risks related to a grantee's performance. 
Because Single Audit results could help identify problems with grantees' financial management and program operations, it is important for the reviewers to have these results readily available when performing risk assessments of grantees to help determine the level of monitoring activities that they will perform on the grantees.

We are sending copies of this report to the Secretary of Labor, the Office of Management and Budget, and other interested parties. We will also make copies available to others on request. In addition, the report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov].

Please contact me at (202) 512-7215 or sherrilla@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix V.

Sincerely yours,

Andrew Sherrill:
Director, Education, Workforce and Income Security Issues:

[End of section]

Appendix I: Scope and Methodology:

To identify the steps that the Department of Labor (Labor) had taken to strategically manage and plan for its current and future workforce needs, we reviewed our previous work on strategic human capital management and our prior work on the department's management challenges. We also reviewed Labor's planning documents, such as strategic, human capital, and succession plans, and Labor's annual report to the Office of Personnel Management (OPM). Moreover, we reviewed our reports and OPM's reports on human capital to identify criteria for Labor's workforce and succession planning efforts.
[Footnote 100] On the basis of this information, we assessed Labor's planning documents, such as the human capital strategic plan and succession plan, and human capital management practices against our key workforce planning principles and OPM's Human Capital Assessment and Accountability Framework for federal agencies to determine if any areas were in need of improvement. We also obtained and reviewed workforce planning documents and data for Labor departmentwide and selected program agencies and compared it to our key workforce planning principles and OPM's human capital framework.

In addition, we selected three of Labor's program agencies--Employee Benefits Security Administration (EBSA), Occupational Safety and Health Administration (OSHA), and Employment and Training Administration (ETA)--and reviewed their strategic workforce planning efforts in more detail. We selected these agencies based on the following criteria:

* their differing organizational structure within Labor;

* their overall fiscal year 2010 budget and full-time equivalent (FTE) levels; and:

* their authorization to each hire more than 150 additional staff in fiscal year 2010.

At each of these program agencies, we reviewed workforce planning documents and data from the national and regional offices, and interviewed officials responsible for strategic workforce planning, recruitment, hiring, and succession planning.

To determine Labor's workforce trends, Labor's human capital office identified the department's mission-critical occupations. We then analyzed data from OPM's Central Personnel Data File (CPDF) on Labor's program agencies from fiscal years 2005 to 2009. To assess the reliability of CPDF, we reviewed our prior data reliability work on CPDF data and updated information about the data.[Footnote 101] We determined that the data were sufficiently reliable to provide information on Labor's recent workforce trends.
While we concluded that the CPDF information was sufficiently reliable for the purposes of our review, we did not independently verify the data as part of this review. However, to corroborate these data, we requested workforce trend data from Labor and compared it to the CPDF data. No material differences were found.

The following describes the steps that we took to identify selected workforce trends in CPDF for Labor's employees positioned across the department:

* Hiring. We identified all new hires for fiscal years 2005-2009 by using personnel action codes in CPDF for individuals accepting career or career conditional positions. These included new hires to Labor (both new hires to the government and transfers from other agencies) and hires of individuals returning to the government. To put Labor's hiring into context, we used attrition data to compare the numbers of staff hired with the number of staff leaving. Additionally, we used Labor's time-to-hire data from 2009 to describe how quickly Labor fills its job vacancies.

* Attrition rates. To determine the overall attrition rates, we analyzed data from the CPDF for fiscal years 2005 through 2009. For each fiscal year, we counted the number of permanent (career) employees with personnel actions indicating they had separated from Labor. Separation data for new hires included resignations, retirements, terminations, transfers to other agencies,[Footnote 102] and deaths. We did not include a small percentage of individuals with inconsistent data such as multiple or different hiring or separation dates. The small percentage of employees with inconsistent data is similar to the generally reliable data in the CPDF we have reported previously.
We then divided the total number of separations for each fiscal year by the average of the number of these employees in the CPDF as of the last pay period of the fiscal year before the fiscal year of the separations and the number of these employees in the CPDF as of the last pay period of the fiscal year of separation. To determine the attrition rates for new hires, we used CPDF data to identify the newly hired staff and followed them over time to see how many left Labor. We identified all new hires for fiscal years 2005-2009 by using personnel action codes for accessions to career or career conditional positions. Next, we determined whether these individuals had personnel actions indicating they had separated from Labor. By subtracting the hire date from the separation date, we determined how long individuals worked before separating. We calculated the attrition rates for a specific time period by dividing the number of individuals who left within that time period by the total number of new hires tracked for that time period.

* Separations. To identify the ways staff separated from Labor from 2005 through 2009, we used the CPDF codes that identify how employees separated, including resignation from federal employment, retirement, transfer to another federal agency, or separation in another way, such as a reduction in force.

* Retirement eligibility rates. To determine retirement eligibility for Labor's employees employed as of the end of September 2009, we used CPDF information on service computation date, birth date, and retirement plan coverage to calculate the date of eligibility to retire with an immediate, unreduced annuity. The rules stipulating the number of years of service in conjunction with the age when a person would be eligible to retire were used for the retirement plan of which the employee was a member.
In particular, we calculated retirement eligibility for Labor overall, for the selected program agencies, and for Labor's overall mission critical versus nonmission critical occupations, including the specific mission critical occupations within the selected program agencies for fiscal year 2009.

* Federal tenure rates. To determine federal tenure rates, we examined CPDF information on number of years of federal service for overall Labor employees between fiscal years 2005 and 2009. We report years of federal service rather than years of service with Labor or in a particular occupation because the CPDF records the service computation date of entry into federal employment rather than date of entry to an agency or occupation (the service computation date is adjusted whenever an employee leaves federal employment and then returns to federal employment).

To evaluate Labor's controls related to managing and modernizing its information technology (IT) investments, we interviewed Labor and component agency officials including the Office of the Chief Information Officer's (OCIO) capital planning team, enterprise architecture team, security team, component agency IT managers, and system users. We reviewed relevant provisions in the Clinger-Cohen Act, the Paperwork Reduction Act, the Federal Information Security Management Act (FISMA),[Footnote 103] Office of Management and Budget, and Financial Systems Integration Office[Footnote 104] guidance related to defining IT goals and plans, assessing progress toward achieving IT goals, and measuring performance of IT operations.

To assess Labor's ability to manage its IT portfolio we used our guidance and Labor guidance to determine the extent to which the department's investment management process is effective in evaluating investments throughout the development life cycle.[Footnote 105] To conduct our assessment, we reviewed relevant Labor policies, processes, guidance, and documentation including the department's IT Capital Planning Guide, investment board meeting minutes, budget documents, cost benefit analyses, and project reviews to identify the department's processes in managing IT investments throughout the systems development lifecycle. We also:

* reviewed agency documentation, including select and control reviews, submitted to the OCIO for their evaluation of IT investments;

* reviewed requirements and testing artifacts for the procure to pay and trust fund functions to determine adequacy of testing for the New Core Financial Management System (NCFMS);

* interviewed Labor's program agency IT directors and program managers; and:

* interviewed relevant OCIO agency officials to determine the extent to which Labor has established responsibility and accountability for modernization management.

To evaluate Labor's IT security program we reviewed the departmentwide IT security program and evaluated it against criteria in FISMA and other related sources, such as National Institute of Standards and Technology (NIST) special publication 800-53, revisions 2 and 3. We compared Labor IT security documentation to FISMA criteria to determine the quality of compliance with FISMA requirements. We also interviewed relevant Labor OCIO, Office of Inspector General (OIG), and component agency staff with responsibility for managing IT security and obtained relevant support for further analysis from them.
While we assessed Labor's IT security program and policies, we did not perform system security reviews nor evaluate the effectiveness of the department's implementation of security controls or NIST requirements. We also did not independently assess the assigned risk levels of Labor's systems. We selected six program agencies--OSHA, ETA, Office of Workers' Compensation Programs, Office of the Assistant Secretary for Administration and Management (OASAM), Bureau of Labor Statistics (BLS), and the Wage and Hour Division--which comprise about 83 percent of Labor's fiscal year 2010 IT budget to perform case studies in order to determine strengths and weaknesses in the department's ability to manage IT investments. Within these agencies we identified systems under development and in operation to review. We also reviewed the NCFMS modernization effort to assess the department's adherence to select and control guidelines. To understand the testing conducted for NCFMS, we reviewed 2--procure to pay and trust fund--of 23 test scripts to assess the adequacy of testing Labor's financial management requirements. For the procure to pay test script we performed analyses on 26 of 159 test steps to assess the quality, scope, and adequacy of test documentation. Additionally, we met with other program agencies as necessary to assess IT management controls. In the area of financial management, our objective was to determine the extent to which the design of Labor's key internal control activities help ensure accountability over one of Labor's top management challenges, discretionary grants. Our review of the design of internal control over discretionary grants was performed at ETA because it accounts for $11.4 billion--approximately 80 percent--of Labor's overall estimated discretionary budget in fiscal year 2010, which includes discretionary grants. In addition, in prior years challenges have been reported on ETA's management of its discretionary grants. 
We assessed the extent to which the design of ETA's controls is adequate to help ensure accountability over its award, monitoring, and closeout of discretionary grants,[Footnote 106] including the extent to which ETA uses the Single Audits to help oversee its grantees. To assess the design of key controls over ETA's discretionary grant management process, we obtained and reviewed relevant ETA policies and procedures, interviewed key Labor and ETA officials, and compared these policies, procedures, and practices with internal control standards. To understand the design of controls over monitoring activities to be conducted during the period-of-performance for the grantees, we reviewed documentation requirements for key activities such as initial risk assessments, quarterly desk reviews, and on-site visit reports recorded in Labor's Grants Electronic Management System (GEMS). To further understand the possible effect of identified control design flaws, we selected a nongeneralizable sample of 30 (15 active and 15 closed) discretionary grants from the E-Grants system, Labor's main grant obligation and cost subsidiary system. Such a sample cannot be used to draw conclusions on the extent to which there are problems in the universe of discretionary grants. To select our sample of discretionary grants in fiscal year 2009,[Footnote 107] we stratified the population of discretionary grants data by ETA programs that had awarded discretionary grants and identified the top five programs that disbursed the largest discretionary grants during fiscal year 2009. For these programs, we sorted the grants from the highest to the lowest total disbursement and categorized the disbursements in three tiers--high, medium, and low dollar value. We selected the grants with the highest disbursement dollar value from each of the three tiers for our sample. 
For these grants we reviewed documentation in the grant files for key activities conducted during the award and close out process, such as grant agreement approvals, modification approvals, and close out checklists.

To determine the extent to which ETA has controls designed to use the Single Audit process to help the agency in performing oversight and monitoring functions over its grantees, we reviewed ETA's procedures for coordinating Single Audit reviews and its process for correcting identified Single Audit deficiencies. We also interviewed ETA officials to better understand the extent to which they have controls to use Single Audits to perform oversight functions. In addition, to further our understanding of the effect of identified control design flaws in this area, for the nongeneralizable sample of 30 grant files discussed previously, we inquired whether a Single Audit had been performed, and if performed, we reviewed documentation and spoke to ETA officials to determine if ETA conducted the required resolution process for correcting identified Single Audit deficiencies.

We conducted our review at Labor's national office as well as four regional locations: Atlanta, Georgia; Chicago, Illinois; Philadelphia, Pennsylvania; and San Francisco, California. These regional offices were selected to ensure geographical representation and because Labor's OASAM was located in each of these offices. In addition to interviewing Labor program agency officials, we also interviewed officials from Labor's OIG, OMB, and OPM, as well as representatives from Labor's employee unions to better understand Labor's management practices. Moreover, for each objective, we reviewed relevant federal laws and regulations.

We conducted this performance audit from August 2009 to March 2011 in accordance with generally accepted government auditing standards.
The standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for findings and conclusions based on our audit objectives. [End of section] Appendix II: Select Financial Management Deficiencies Identified at the Department of Labor, Fiscal Year 2010: Challenge or issue: Incomplete and inaccurate data from Labor's Accounting and Related Systems or subsidiary systems to NCFMS, which were caused by coding, configuration, migration, and interface issues; Impact on financial reporting: * Significant differences were noted in general ledger accounts and subsidiary records for the payroll, trust fund, and property accounts; * Certain obligations were not transmitted from Labor's system to the U.S. Department of Health and Human Services Payment Management System in order for grantees to drawdown funds; Status as of fiscal year 2010: * The auditors reported that Labor has made progress in addressing some of these issues. However, as of the end of fiscal year 2010, not all differences had been resolved; * The auditors acknowledged Labor had addressed the majority of these issues by June 2010. Challenge or issue: Incomplete and unresolved reconciliations with the Department of the Treasury accounts and intragovernmental transaction; Impact on financial reporting: * Difference of $1.7 billion difference was noted between Labor's general ledger accounts and the fund balance with the Department of the Treasury account; * Unexplained differences were found in intragovernmental transactions. 
For example, the Unemployment Trust Fund's interest receivable, investments, and interest revenue accounts had unexplained differences of $158 million, $7.2 billion, and $345 million, respectively; Status as of fiscal year 2010: * According to Labor's auditors, as of September 30, 2010, Labor was still unable to reconcile the net differences that were identified in its fund balance with the Department of the Treasury accounts and had not resolved all errors related to intergovernmental transactions. Challenge or issue: Inadequate financial processes and incomplete financial statement information; Impact on financial reporting: * Processes needed to record current year apportionments, evaluate the accuracy of the grant accrual, and record property, plant, and equipment additions and deletions were not fully implemented and documented for a significant part of the year. Also, significant difficulties pertaining to data migration prevented the OCFO from finalizing and recording the adjusting entries needed to begin preparation of the financial statements; * Financial statement drafts received by the auditor contained numerous errors. For example, (1) balances between financial statement amounts and notes to the financial statements did not reconcile; (2) financial information contained large errors that were not corrected or adjusted prior to submission, such as similar balances that should be repeated in different report areas did not agree and were not corrected; and (3) the year end statement reported a liability of approximately $13 billion when the amount should have been reported as approximately $20 billion; Status as of fiscal year 2010: * Beginning in fiscal year 2011, Labor reported it plans to prioritize the OCFO resources to focus on updating existing quality assurance documentation and to formally document NCFMS financial reporting processes. 
Labor anticipates these efforts to be completed by September 30, 2011; * The auditors reported that Labor subsequently corrected the errors identified by the auditors on the financial statement drafts; however, financial statement preparation has been a longstanding deficiency for Labor. Source: Department of Labor, Agency Financial Report, fiscal year 2010. Note: We did not independently evaluate the status of the corrective actions identified in Labor's fiscal year 2009 Performance Accountability Report and its fiscal year 2010 Agency Financial Report. [End of table] [End of section] Appendix III: Department of Labor Workforce Trends: The following data illustrates Labor's workforce trends between fiscal years 2005 and 2009 for eight of the department's program agencies. We selected these agencies because they had 500 or more full-time equivalent employees. The agencies are BLS, EBSA, Employment Standards Administration (ESA),[Footnote 108] ETA, Mine Safety and Health Administration (MSHA), OASAM, OSHA, and Office of the Solicitor (SOL). We obtained the data from CPDF. See appendix I for an overview of the CPDF data reliability and our methodology for calculating workforce trends. Attrition within Labor's Workforce: Labor averaged an attrition rate[Footnote 109] of about 11 percent between fiscal years 2006 and 2008. Attrition was consistently lower for mission critical employees.[Footnote 110] Attrition rates within the eight selected program agencies varied; for example, SOL ranged from about 5 to 8 percent attrition per year, while OASAM ranged from about 14 to 17 percent attrition per year (see figure 5). Figure 5: Attrition Rates for Labor and Select Program Agencies, Fiscal Years 2005-2009: [Refer to PDF for image: illustrated table] Year: 2005; Overall labor: 9.3%; Overall mission critical: 6.7%; Overall nonmission critical: 13.7%; Overall attrition by agency: BLS: 8.0%; EBSA: 11.2%; ESA: 9.1%; ETA: 11.2%; MSHA: 7.5%; OASAM: 13.7%; OSHA: 6.1%; SOL: 5.2%. 
Year: 2006; Overall labor: 11.6%; Overall mission critical: 9.3%; Overall nonmission critical: 15.5%; Overall attrition by agency: BLS: 10.2%; EBSA: 11.9%; ESA: 10.6%; ETA: 17.9%; MSHA: 9.9%; OASAM: 14.7%; OSHA: 7.9%; SOL: 8.3%. Year: 2007; Overall labor: 11.0%; Overall mission critical: 8.3%; Overall nonmission critical: 15.6%; Overall attrition by agency: BLS: 10.0%; EBSA: 14.2%; ESA: 10.3%; ETA: 10.9%; MSHA: 9.2%; OASAM: 17.2%; OSHA: 9.0%; SOL: 7.1%. Year: 2008; Overall labor: 11.2%; Overall mission critical: 9.1%; Overall nonmission critical: 14.8%; Overall attrition by agency: BLS: 9.5%; EBSA: 10.7%; ESA: 10.4%; ETA: 11.7%; MSHA: 10.3%; OASAM: 16.2%; OSHA: 9.8%; SOL: 8.3%. Year: 2009; Overall labor: 9.2%; Overall mission critical: 6.9%; Overall nonmission critical: 13.6%; Overall attrition by agency: BLS: 7.1%; EBSA: 10.0%; ESA: 8.4%; ETA: 8.9%; MSHA: 7.4%; OASAM: 17.0%; OSHA: 9.5%; SOL: 5.8%. Source: GAO analysis of CPDF data. [End of figure] Types of Separations within Labor's Workforce: Of those leaving the department, resignations and retirements comprised approximately 70-76 percent of Labor's separations each year between fiscal years 2005 and 2009. The proportion of transfers to other federal agencies increased each year from about 12 percent in fiscal year 2005 to almost 19 percent by fiscal year 2009 (see figure 6). Figure 6: Percent of Separations by Type for Labor, Fiscal Years 2005-2009: [Refer to PDF for image: stacked horizontal bar graph] Percentage of separation by type: 2005; Resigned: 31.2%; Retired: 40.9%; Transfer[A]: 12.1%; Other[B]: 15.8%. Percentage of separation by type: 2006; Resigned: 33%; Retired: 43.1%; Transfer[A]: 12.4%; Other[B]: 11.5%. Percentage of separation by type: 2007; Resigned: 38%; Retired: 36.6%; Transfer[A]: 14.8%; Other[B]: 10.6%. Percentage of separation by type: 2008; Resigned: 32.4%; Retired: 38.6%; Transfer[A]: 18.5%; Other[B]: 10.5%. 
Percentage of separation by type: 2009; Resigned: 35.7%; Retired: 34.1%; Transfer[A]: 18.9%; Other[B]: 11.3%. Source: GAO analysis of CPDF data. [A] "Transfer" is when an individual employee accepts a position in a different federal agency. [B] "Other" includes expired appointments, death, failed probations, fires, reductions in force, and unknown. [End of figure] Retirement Eligibility of Labor's Workforce: The retirement eligibility of Labor's workforce has generally been increasing between fiscal years 2005 and 2009, with its lowest rate at 16.2 percent in 2006 and its highest rate at 18.5 percent in 2009 (see figure 7). As of 2009, retirement eligibility rates ranged from 11.8 percent for EBSA to 21 percent for ETA. The average of the 2009 retirement eligibility rates at the eight selected program agencies was 18 percent. Figure 7: Percent of Employees Eligible to Retire for Labor and Select Program Agencies, Fiscal Years 2005-2009: [Refer to PDF for image: illustrated table] Year: 2005; Overall labor: 16.4%; Overall mission critical: 17.7%; Overall nonmission critical: 15.6%; Overall retirement eligibility per agency: BLS: 14.1%; EBSA: 9.8%; ESA: 15.5%; ETA: 23.6%; MSHA: 18.9%; OASAM: 18.0%; OSHA: 15.9%; SOL: 16.1%. Year: 2006; Overall labor: 16.2%; Overall mission critical: 17.7%; Overall nonmission critical: 15.3%; Overall retirement eligibility per agency: BLS: 14.0%; EBSA: 9.8%; ESA: 15.7%; ETA: 21.1%; MSHA: 17.2%; OASAM: 18.9%; OSHA: 17.4%; SOL: 17.8%. Year: 2007; Overall labor: 17.0%; Overall mission critical: 18.5%; Overall nonmission critical: 16.1%; Overall retirement eligibility per agency: BLS: 15.7%; EBSA: 11.2%; ESA: 16.5%; ETA: 20.7%; MSHA: 16.6%; OASAM: 18.9%; OSHA: 19.1%; SOL: 18.2%. Year: 2008; Overall labor: 17.9%; Overall mission critical: 19.3%; Overall nonmission critical: 17.1%; Overall retirement eligibility per agency: BLS: 17.0%; EBSA: 11.8%; ESA: 18.0%; ETA: 20.4%; MSHA: 17.6%; OASAM: 20.3%; OSHA: 19.3%; SOL: 18.3%. 
Year: 2009; Overall labor: 18.5%; Overall mission critical: 20.4%; Overall nonmission critical: 17.4%; Overall retirement eligibility per agency: BLS: 17.7%; EBSA: 11.8%; ESA: 18.0%; ETA: 21.0%; MSHA: 18.7%; OASAM: 19.4%; OSHA: 19.5%; SOL: 18.8%. Source: GAO analysis of CPDF data. [End of figure] Of Labor's retirement-eligible employees each year between 2005 and 2009, about 4 to 5 percent were supervisors. The percentage of retirement-eligible employees in nonsupervisory positions ranged from 11.8 percent in fiscal year 2006 to 13.5 percent in fiscal year 2009. Specifically, in seven of the selected program agencies in fiscal year 2009, there was a larger percentage of mission critical employees eligible for retirement than nonmission critical employees. In OASAM, however, the reverse was true. Of the approximately 19 percent of employees who were retirement eligible as of fiscal year 2009, about 14 percent were in nonmission critical positions compared to 5 percent in mission critical positions (see figure 8). Figure 8: Percent of Employees Eligible to Retire for Mission Critical Occupations in Select Program Agencies, Fiscal Year 2009: [Refer to PDF for image: illustrated table] Agency: BLS; Overall retirement eligibility: 17.7%; Overall retirement eligibility by mission critical occupation: Economist: 13.7%; Mathematical statistician–1529: 19.6%; Mathematical statistician–1530: 30.0%; Computer specialist: 14.6%; Nonmission critical occupations: 25.7%. Agency: EBSA; Overall retirement eligibility: 11.8%; Overall retirement eligibility by mission critical occupation: Benefit advisor: 7.2%; Auditor: 15.4%; Pension law specialist: 16.9%; Investigator: 10.9%; Nonmission critical occupations: 14.8%. 
Agency: ESA; Overall retirement eligibility: 18.0%; Overall retirement eligibility by mission critical occupation: Wage and hour compliance investigator–0249: 18.8%; Wage and hour investigator–1849: 9.5%; Equal opportunity specialist: 19.9%; Workmens compensation claims examiner: 15.8%; Investigator: 15.6%; Nonmission critical occupations: 21.8%. Agency: ETA; Overall retirement eligibility: 21.0%; Overall retirement eligibility by mission critical occupation: Unemployment insurance program specialist: 28.4%; Workforce analyst: 7.0%; Workforce development specialist–0142: 18.6%; Workforce development specialist–0301: 12.8%; Apprentice and training representative: 27.8%; Grant management: 29.6%; Nonmission critical occupations: 24.1%. Agency: MSHA; Overall retirement eligibility: 18.7%; Overall retirement eligibility by mission critical occupation: Mining engineer: 18.7%; Mine inspector: 16.9%; Nonmission critical occupations: 22.7%. Agency: OASAM; Overall retirement eligibility: 19.4%; Overall retirement eligibility by mission critical occupation: Human resource specialist: 19.6%; Computer specialist: 16.9%; Nonmission critical occupations: 22.7%. Agency: OSHA; Overall retirement eligibility: 19.5%; Overall retirement eligibility by mission critical occupation: Safety specialist–0018: 20.2%; Industrial hygienist–0690: 15.6%; Nonmission critical occupations: 20.9%. Agency: SOL; Overall retirement eligibility: 18.8%; Overall retirement eligibility by mission critical occupation: Attorney: 18.8%; Nonmission critical occupations: 18.7%. Source: GAO analysis of CPDF data. [End of figure] Federal Tenure Rates of Labor's Workforce: The proportion of employees with fewer years of federal experience has increased while the proportion of those with more experience has decreased. As of fiscal year 2009, 13.5 percent of Labor's employees had less than 3 years of federal experience, up 4 percent from fiscal year 2005. 
The proportion of those with 11 or more years of federal experience has generally decreased each year between fiscal years 2005 and 2009, with 35.5 percent of Labor's workforce having 21 or more years of federal experience in fiscal year 2009. In fiscal year 2009, about half of Labor's workforce had less than 3 years or more than 21 years of federal experience; approximately one-quarter had 3-11 years of federal experience (see figure 9). Figure 9: Federal Tenure Rates for Labor, Fiscal Years 2005-2009: [Refer to PDF for image: vertical bar graph] Federal tenure rates: Year: 2005; 0 to less than 3 years of federal experience: 9.1%; 3 to less than 6 years of federal experience: 10.3%; 6 to less than 11 years of federal experience: 13.7%; 11 to less than 21 years of federal experience: 29.6%; 21 or more years of federal experience: 37.4%. Year: 2006; 0 to less than 3 years of federal experience: 10.1%; 3 to less than 6 years of federal experience: 10.3%; 6 to less than 11 years of federal experience: 14.5%; 11 to less than 21 years of federal experience: 28.8%; 21 or more years of federal experience: 36.3%. Year: 2007; 0 to less than 3 years of federal experience: 11.9%; 3 to less than 6 years of federal experience: 8.9%; 6 to less than 11 years of federal experience: 16.7%; 11 to less than 21 years of federal experience: 27%; 21 or more years of federal experience: 35.4%. Year: 2008; 0 to less than 3 years of federal experience: 12.4%; 3 to less than 6 years of federal experience: 9.4%; 6 to less than 11 years of federal experience: 16.3%; 11 to less than 21 years of federal experience: 26.4%; 21 or more years of federal experience: 35.5%. Year: 2009; 0 to less than 3 years of federal experience: 13.5%; 3 to less than 6 years of federal experience: 10%; 6 to less than 11 years of federal experience: 16.5%; 11 to less than 21 years of federal experience: 24.5%; 21 or more years of federal experience: 35.5%. Source: GAO analysis of CPDF data. 
[End of figure] Hires within Labor's Workforce: Labor hired[Footnote 111] approximately 9-14 percent of its workforce per year between fiscal years 2005 and 2009, averaging about 11 percent per year in fiscal years 2006 to 2008 (see figure 10). [Footnote 112] Labor's hires ranged from almost 1,300 employees in fiscal year 2005 to more than 2,100 employees in fiscal year 2009, averaging about 1,700 employees each year (see figure 11). For each of those years, there were approximately equal proportions of mission critical and nonmission critical hires. The eight selected program agencies varied in their proportions of new hires between fiscal years 2005 and 2009. For example, in OASAM, approximately 15 to 21 percent of its employees each year were new hires, while in SOL approximately 2.7 to 15.1 percent of its employees were new hires in each of those years (see figure 10). Figure 10: Percent of New Hires for Labor and Select Program Agencies, Fiscal Years 2005-2009: [Refer to PDF for image: illustrated table] Year: 2005; All labor: 8.6%; Overall hiring by agency: BLS: 8.4%; EBSA: 13.6%; ESA: 7.7%; ETA: 6.1%; MSHA: 9.3%; OASAM: 15.3%; OSHA: 4.3%; SOL: 2.7%. Year: 2006; All labor: 11.2%; Overall hiring by agency: BLS: 12.6%; EBSA: 14.1%; ESA: 13.3%; ETA: 14.2%; MSHA: 7.7%; OASAM: 16.5%; OSHA: 4.8%; SOL: 3.4%. Year: 2007; All labor: 11.0%; Overall hiring by agency: BLS: 6.6%; EBSA: 12.1%; ESA: 10.3%; ETA: 11.1%; MSHA: 15.8%; OASAM: 14.9%; OSHA: 8.7%; SOL: 5.1%. Year: 2008; All labor: 10.6%; Overall hiring by agency: BLS: 4.7%; EBSA: 9.7%; ESA: 10.5%; ETA: 8.9%; MSHA: 12.9%; OASAM: 17.4%; OSHA: 9.4%; SOL: 10.3%. Year: 2009; All labor: 14.2%; Overall hiring by agency: BLS: 10.4%; EBSA: 17.0%; ESA: 14.7%; ETA: 26.3%; MSHA: 10.1%; OASAM: 20.8%; OSHA: 12.6%; SOL: 15.1%. Source: GAO analysis of CPDF data. 
[End of figure] Figure 11: Number of New Hires and Separations for Labor, Fiscal Years 2005-2009: [Refer to PDF for image: combination vertical bar and line graph] Year: 2005; Hires: 1,295; Separations: 1,528. Year: 2006; Hires: 1,665; Separations: 1,754. Year: 2007; Hires: 1,645; Separations: 1,654. Year: 2008; Hires: 1,578; Separations: 1,711. Year: 2009; Hires: 2,177; Separations: 1,426. Source: GAO analysis of CPDF data. [End of figure] Special Hires versus Ordinary Hires within Labor's Workforce: Between fiscal years 2005 and 2009, Labor's ordinary hires have generally remained at approximately 60 percent, with the remaining being special hires. In fiscal year 2009, ordinary and special hires had a greater proportion of mission critical positions (see figure 12). Figure 12: Percent of Special Versus Ordinary Hires for Labor, Fiscal Years 2005-2009: [Refer to PDF for image: stacked horizontal bar graph] Percentage of overall Labor: Year: 2005; Special Hires: Mission critical: 13.4%; Special Hires: Nonmission critical: 25.3%; Special Hires: Overall: 38.7%; Ordinary Hires: Mission critical: 36.5%; Ordinary Hires: Nonmission critical: 24.9%; Ordinary Hires: Overall: 61.3%. Year: 2006; Special Hires: Mission critical: 17.1%; Special Hires: Nonmission critical: 24.4%; Special Hires: Overall: 41.5%; Ordinary Hires: Mission critical: 36.1%; Ordinary Hires: Nonmission critical: 22.4%; Ordinary Hires: Overall: 58.5%. Year: 2007; Special Hires: Mission critical: 26.8%; Special Hires: Nonmission critical: 21.4%; Special Hires: Overall: 48.2%; Ordinary Hires: Mission critical: 28.2%; Ordinary Hires: Nonmission critical: 23.7%; Ordinary Hires: Overall: 51.8%. Year: 2008; Special Hires: Mission critical: 18%; Special Hires: Nonmission critical: 19.5%; Special Hires: Overall: 37.5%; Ordinary Hires: Mission critical: 32.3%; Ordinary Hires: Nonmission critical: 30.2%; Ordinary Hires: Overall: 62.5%. 
Year: 2009; Special Hires: Mission critical: 21.7%; Special Hires: Nonmission critical: 16.7%; Special Hires: Overall: 38.4%; Ordinary Hires: Mission critical: 33.8%; Ordinary Hires: Nonmission critical: 27.8%; Ordinary Hires: Overall: 61.6%. Source: GAO analysis of CPDF data. [End of figure] [End of section] Appendix IV: Comments from the Department of Labor: U.S. Department of Labor: Office of the Assistant Secretary for Administration: Administration and Management: Washington, D.C. 20210: February 25, 2011: Mr. Andrew Sherrill: Director, Education, Workforce, and Income Security Issues: Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Mr. Sherrill: This letter is provided in response to the draft report GAO-11-157, Further Management Improvements Needed to Address Information Technology and Financial Controls, dated February 2011. The Department of Labor (DOL) appreciates the opportunity to provide comments on this far-reaching review of our management controls. Recommendations #1 - 5, directed to the Chief Information Officer (CIO): DOL response: In general, the portrayals of our information technology management controls are substantiated. However, we have concerns regarding how the security references throughout the report were presented. For example, the report implies that program agencies within DOL, as a whole, did not place priority on implementing current security requirements. This is not completely accurate and it is one example of a misleading conclusion about our security program. We have expressed our comments specific to page references in an enclosure accompanying this response. We request the Government Accountability Office (GAO) review our comments and consider adjusting the report accordingly. 
Recommendations #6 - 8, directed to the Assistant Secretary for Employment and Training (ETA): Recommendation #6: Establish procedures for retaining grant award-related documentation, including location and retention period. DOL response: ETA concurs with the recommendation to establish procedures for retaining pre-award documentation. The agency is in the process of developing and disseminating standard operating procedures for grant applications and related documents. The procedures will provide guidance on the retention of competitive grant applications and relevant documentation associated with solicitations for grant applications. Recommendation #7: Establish quality assurance steps to be performed, such as supervisory reviews, and documented in GEMS with respect to grantee monitoring activities, including how such procedures are to be conducted, how often, and identifying the regional-level responsible agency official to perform these duties. DOL response: ETA supports continuous improvement of the stewardship of its discretionary grants with respect to supervisory reviews and documentation of grantee monitoring activities--including how such procedures are to be conducted, and how often the personnel responsible to perform those duties--and our management of discretionary grants reflects this principle. However, the recommendations suggest that quality assurance steps and supervisory review procedures are not currently in place. This is not the case. ETA has a broad range of grants management and monitoring practices and procedures in place. Over the years, ETA has developed a broad set of tools to support effective grants management, including the Core Monitoring Guide, the ETA Desk Reference Tool, and the electronic GEMS system, among other critical tools to ensure the effective management of Federal grants. It should be noted that GEMS is a tool for grants management and not the grants management system. 
However, since the creation of GEMS, ETA has continued to upgrade the tool and expand its utility. For example, in 2008, ETA established a policy that required the use of the GEMS system for the storage of documents from grant monitoring and follow-up procurement activities. Further, during a grant's period of performance, Regional Administrators and their managers in ETA's six Regional Offices have the primary responsibility for management and oversight of grant monitoring and grants management activities, which is performed by Federal Project Officers. The performance agreements established for Regional Administrators, managers, and Federal Project Officers include standards that address grant monitoring and other grants management responsibilities for which these staff are accountable. Management reports also are retrieved from GEMS on at least a quarterly basis, and more often as necessary, and are reviewed by managers during regular team meetings where requirements and monitoring findings of significance are addressed. We continue to build on ETA's quality assurance procedures, training and guidance to staff to use the GEMS system effectively as one of our grant management system tools. In fact, the GEMS system has proven useful in transitioning from a largely paper-based federal grant management system to electronic filing and ETA views this as a positive approach that continues to make substantial improvements to its overall federal grants management activities. Recommendation #8: Establish procedures addressing the communication and incorporation of Single Audit findings and related corrective actions as part of the ETA's grantees' monitoring activities to be documented in GEMS. DOL Response: ETA's Core Monitoring Guide (and the Financial Supplement to the guide) already requires reviewers to ascertain the status of the single audit and any open issues as part of onsite reviews. 
It is important to note that agency fiscal staff are ultimately responsible for single audit resolutions. ETA involves all appropriate individuals, who vary depending upon the audit findings, to resolve A-133 and Office of Inspector General audits. All final determinations resulting from audit resolutions are forwarded to the appropriate national program or regional office for their dissemination to the appropriate staff in their respective offices. ETA recognizes the importance of the program office, Regional Administrators, and their fiscal and program management staff in the communication and incorporation of Single Audit findings and will continue to further strengthen this critical monitoring process. Additional Comments: Additional page-specific comments are enclosed. Conclusion: Thank you again for the opportunity to comment on the draft report. If you have any questions or you require further discussion about our comments, please have your staff contact Edward C. Hugler, Deputy Assistant Secretary, at hugler.edward@dol.gov or 202-693-4040. Sincerely, Signed by: T. Michael Kerr: Assistant Secretary for Administration and Management: Enclosure: [End of section] Appendix V: Contact and Acknowledgments: GAO Contact: Andrew Sherrill, (202) 512-7215 or sherrilla@gao.gov: Acknowledgments: The following staff members made key contributions to this report: Directors Kay Daly and Valerie Melvin; Assistant Directors Sara Schibanoff Kelly, Gale Harris, Elizabeth Martinez, and Christie Motley; Jason Holsclaw, Analyst-in-Charge; and Nora Boretti, Rathi Bose, Susannah Compton, Melinda Cordero, Pamela Davidson, Peter Del Toro, Neil Doherty, Aimee Elivert, Rebecca E. Eyler, Kenrick Isaac, Franklin Jackson, Pierre Kamga, Jason Kirwan, Judy Lee, Steven Lozano, Chris Martin, Jean McSween, Mimi Nguyen, Scott Pettis, James Rebbe, Susan Sachs, Melissa Schermerhorn, Amber Yancey Carroll, and Gregory Wilmoth. 
[End of section] Related GAO Products: Department of Labor: Whistleblower Protection: Sustained Management Attention Needed to Address Long-standing Program Weaknesses. [hyperlink, http://www.gao.gov/products/GAO-10-722]. Washington, D.C.: August 17, 2010. Employment and Training Administration: Increased Authority and Accountability Could Improve Research Program. [hyperlink, http://www.gao.gov/products/GAO-10-243]. Washington, D.C.: January 29, 2010. Employee Benefits Security Administration: Enforcement Improvements Made but Additional Actions Could Further Enhance Pension Plan Oversight. [hyperlink, http://www.gao.gov/products/GAO-07-22]. Washington, D.C.: January 18, 2007. National Emergency Grants: Labor Has Improved Its Grant Award Timeliness and Data Collection, but Further Steps Can Improve Process. [hyperlink, http://www.gao.gov/products/GAO-06-870]. Washington, D.C.: September 5, 2006. Major Management Challenges and Program Risks: Department of Labor. [hyperlink, http://www.gao.gov/products/GAO-03-106]. Washington, D.C.: January 1, 2003. Major Management Challenges and Program Risks: Department of Labor. [hyperlink, http://www.gao.gov/products/GAO/OCG-99-11]. Washington, D.C.: January 1, 1999. Strategic Workforce Planning and Human Capital Management: Workforce Planning: Interior, EPA, and the Forest Service Should Strengthen Linkages to Their Strategic Plans and Improve Evaluation. [hyperlink, http://www.gao.gov/products/GAO-10-413]. Washington, D.C.: March 31, 2010. Human Capital: Selected Agencies Have Opportunities to Enhance Existing Succession Planning and Management Efforts. [hyperlink, http://www.gao.gov/products/GAO-05-585]. Washington, D.C.: June 30, 2005. Human Capital: Selected Agencies' Statutory Authorities Could Offer Options in Developing a Framework for Governmentwide Reform. [hyperlink, http://www.gao.gov/products/GAO-05-398R]. Washington, D.C.: April 21, 2005. 
Diversity Management: Expert-Identified Leading Practices and Agency Examples. [hyperlink, http://www.gao.gov/products/GAO-05-90]. Washington, D.C.: January 14, 2005. Human Capital: Principles, Criteria, and Processes for Governmentwide Federal Human Capital Reform. [hyperlink, http://www.gao.gov/products/GAO-05-69SP]. Washington, D.C.: December 1, 2004. Human Capital: A Guide for Assessing Strategic Training and Development Efforts in the Federal Government. [hyperlink, http://www.gao.gov/products/GAO-04-546G]. Washington, D.C.: March 1, 2004. Human Capital: Selected Agencies' Experiences and Lessons Learned in Designing Training and Development Programs. [hyperlink, http://www.gao.gov/products/GAO-04-291]. Washington, D.C.: January 30, 2004. Human Capital: Key Principles for Effective Strategic Workforce Planning. [hyperlink, http://www.gao.gov/products/GAO-04-39]. Washington, D.C.: December 11, 2003. Human Capital: Succession Planning and Management Is Critical Driver of Organizational Transformation. [hyperlink, http://www.gao.gov/products/GAO-04-127T]. Washington, D.C.: October 1, 2003. Human Capital: A Guide for Assessing Strategic Training and Development Efforts in the Federal Government (Exposure Draft). [hyperlink, http://www.gao.gov/products/GAO-03-893G]. Washington, D.C.: July 1, 2003. A Model of Strategic Human Capital Management (Exposure Draft). [hyperlink, http://www.gao.gov/products/GAO-02-373SP]. Washington, D.C.: March 15, 2002. Information Technology Management: Information Technology: Federal Agencies Need to Strengthen Investment Board Oversight of Poorly Planned and Performing Projects. [hyperlink, http://www.gao.gov/products/GAO-09-566]. Washington, D.C.: June 2009. Information Technology: HHS Has Several Investment Management Capabilities in Place, but Needs to Address Key Weaknesses. [hyperlink, http://www.gao.gov/products/GAO-06-11]. Washington, D.C.: October 28, 2005. 
Information Technology: DOD's Acquisition Policies and Guidance Need to Incorporate Additional Best Practices and Controls. [hyperlink, http://www.gao.gov/products/GAO-04-722]. Washington, D.C.: July 2004. Information Technology Management: Governmentwide Strategic Planning, Performance Measurements, and Investment Management Can Be Further Improved. [hyperlink, http://www.gao.gov/products/GAO-04-49]. Washington, D.C.: January 12, 2004. Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (Version 1.1). [hyperlink, http://www.gao.gov/products/GAO-03-584G]. Washington, D.C.: April 1, 2003. Financial Management: Financial Management: Persistent Financial Management Systems Issues Remain for CFO Act Agencies. [hyperlink, http://www.gao.gov/products/GAO-08-1018]. Washington, D.C.: September 30, 2008. Financial Management: Improvements Under Way but Serious Financial Systems Problems Persist. [hyperlink, http://www.gao.gov/products/GAO-06-970]. Washington, D.C.: September 26, 2006. [End of section] Footnotes: [1] Pub. L. No. 111-5, 123 Stat. 115. [2] GAO, Department of Labor: Strategic Planning and Information Management Challenges Facing the Department, [hyperlink, http://www.gao.gov/products/GAO/T-HEHS-98-88] (Washington, D.C.: Feb. 5, 1998). [3] GAO, Human Capital: Key Principles for Effective Strategic Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] (Washington, D.C.: Dec. 11, 2003). [4] The E-Government Act of 2002 (Pub. L. No. 107-347, 116 Stat. 2899) was enacted to promote the use of the Internet and other information technologies to improve government services for citizens, internal government operations, and opportunities for citizen participation in government. 
[5] An enterprise architecture is a blueprint for organizational change defined in models that describe (in both business and technology terms) how the entity operates today and how it intends to operate in the future; it also includes a plan for transitioning to this future state. [6] The TRB consists of the Deputy CIO, who serves as the chair and manager, and technical representation from the department's program agencies. [7] Pub. L. No. 104-106, 110 Stat. 679. [8] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, version 1.1, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington D.C.: Mar. 1, 2004). [9] According to the Paperwork Reduction Act, each agency shall assume responsibility for maximizing the value and assessing and managing the risks of major information systems initiatives through a select, control, and evaluate process. [10] FISMA was enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946. [11] NIST, Guide for Applying the Risk Management Framework to Federal Information Systems, Special Publication 800-37, revision 1 (Gaithersburg, Md., February 2010). [12] NIST, Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53, revision 3 (Gaithersburg, Md., August 2009). [13] Pub. L. No. 101-576, 104 Stat. 2838. [14] 31 U.S.C. § 3512(c), (d). [15] U.S. Department of Labor, Fiscal Year 2007 Performance and Accountability Report (Washington, D.C., Nov. 15, 2007); Fiscal Year 2008 Performance and Accountability Report (Nov. 17, 2008); and Fiscal Year 2009 Performance and Accountability Report (Nov. 16, 2009). [16] U.S. Department of Labor, Office of the Chief Financial Officer, Fiscal Year 2009 OMB Circular A-123, Appendix A, Assessment of Internal Control Over Financial Reporting July 1, 2008 through June 30, 2009 (Nov. 15, 2009). 
Appendix A of OMB Circular A-123, Management's Responsibility for Internal Control, provides a methodology for agency management to assess, document, and report on the internal controls over financial reporting. Labor's fiscal year 2009 A-123, appendix A assessment included an internal control assessment and testing for grants management among other significant business processes. Labor's fiscal year 2009 OMB Circular A-123 assessment identified deficiencies over monitoring of ETA's grantees. [17] GAO, Employment and Training Program Grants: Evaluating Impact and Enhancing Monitoring Would Improve Accountability, GAO-08-486 (Washington, D.C.: May 7, 2008). U.S. Department of Labor, Office of Inspector General-Office of Audit, High Growth Job Training Initiative: Decisions for Non-competitive Awards Not Adequately Justified, 02-08-201-03-390 (Washington, D.C., Nov. 2, 2007) and Selected High Growth Job Training Initiative Grants: Value Not Demonstrated, 02-08-204-03-390 (Washington, D.C., Apr. 29, 2008). [18] Discretionary competitive grants are awarded through a solicitation process. Labor issues two types of discretionary grants: limited-competition and competitive grants. Limited-competition grants are awards for programs where funds are made available through a defined application process to members of a defined eligible applicant group, who meet specific requirements and offer a program designed to deliver acceptable results. Competitive grants are awards for programs where available funds are announced in the Federal Register and through a Solicitation for Grant Application. A Technical Review Panel is required to be convened for competitive grants to select grantees with the best technical approach for meeting the government's requirements; or the organization that best provides for the requirements specified in the Solicitation for Grant Application. In addition to competitive grants, Labor also issues formula grants. 
Formula funded grants are awarded under programs where the distribution of funds is prescribed by formula contained in federal statute or established by departmental regulation or administrative policy. Formula programs are typically funded through an annual funding agreement and operate pursuant to an approved annual or multi-year plan. [19] Our review excluded the preaward phase because this phase does not involve grantee related activities. [20] Federal project officers have overall responsibility for monitoring the conduct and progress of grantees, including conducting on-site visits. Specifically, they are responsible for collaborating with the grantees--both in the planning and implementation of the program and in the evaluation of activities--and making recommendations regarding program continuance. [21] Labor's risk-based approach focuses on the readiness and capacity of the grantee to administer the grant, including complying with applicable laws and regulations and specific program requirements. [22] The Core Monitoring Guide and the Grant Management Desk Reference Guide are ETA's basic references of policies and procedures that the federal project officer relies on to evaluate the administration of grants. [23] Single Audits are prepared to meet the requirements of the Single Audit Act, as amended, (codified at 31 U.S.C. §§7501-7507) and provide a source of information on internal control and compliance findings and the underlying causes and risks. The Single Audit Act requires states, local governments, and nonprofit organizations expending $500,000 or more in federal awards in a year to obtain an audit in accordance with the requirements in the Act. 
A Single Audit consists of (1) an audit and opinions on the fair presentation of the financial statements and the Schedule of Expenditures of Federal Awards; (2) gaining an understanding of and testing internal control over financial reporting and the entity's compliance with laws, regulations, and contract or grant provisions that have a direct and material effect on certain federal programs (that is, the program requirements); and (3) an audit and an opinion on compliance with applicable program requirements for certain federal programs. [24] A clean audit opinion provides independent confirmation that the department's financial statements are presented fairly and in conformity with generally accepted accounting principles. [25] In January 2010, Labor implemented NCFMS, a new financial accounting and reporting system, in an effort to modernize its legacy accounting and reporting system, called the Department of Labor Accounting and Related Systems. NCFMS is intended to enhance Labor's ability to provide greater financial efficiency, transparency, and accountability. [26] A material weakness is a deficiency, or combination of deficiencies, in an internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. [27] GAO, A Model for Strategic Human Capital Management, [hyperlink, http://www.gao.gov/products/GAO-02-373SP] (Washington, D.C.: Mar. 15, 2002). [28] [hyperlink, http://www.gao.gov/products/GAO-04-39]. [29] U.S. Department of Labor, Sustaining a Model Workforce for the 21ST Century: Human Capital Strategic Plan 2008-2011 (Washington, D.C.). [30] In addition to these OASAM-led meetings, the HRC director is a participant at the weekly Management Review Board meeting led by Labor's Deputy Secretary. 
During these meetings, HRC officials brief the Deputy Secretary on key human capital initiatives, as appropriate, and gather his input on strategic human capital management for the department. [31] These data include information such as hiring and separation rates, grade level and occupational distribution, retirement eligibility, tenure, diversity, and frequency of use of recruitment and retention incentives. [32] While HRC maintains departmentwide information, certain program agencies manage their own human capital initiatives at the national level, in part, due to program agencies' different missions, budgets, and workforce needs. Further, in each of the three program agencies where we reviewed human capital operations, the national office delegated some of the human capital decision-making to the regional administrators, such as determining where to distribute staff among their respective programs and suboffices. [33] [hyperlink, http://www.gao.gov/products/GAO-02-373SP]. [34] GAO, Human Capital: Succession Planning and Management Is Critical Driver of Organizational Transformation, [hyperlink, http://www.gao.gov/products/GAO-04-127T] (Washington, D.C.: Oct. 1, 2003). [35] Mission critical occupations are those which an agency considers core to carrying out its mission. Such occupations usually reflect the primary work of the organization without which mission-critical work cannot be completed. [36] This type of analysis is used to identify critical skills and competencies currently needed by a federal agency's workforce and those that will be needed in the future. By conducting such analyses, federal agencies are able to better inform and appropriately focus their succession planning efforts. See GAO, Human Capital: Selected Agencies Have Opportunities to Enhance Existing Succession Planning and Management Efforts, [hyperlink, http://www.gao.gov/products/GAO-05-585] (Washington, D.C.: June 30, 2005). 
[37] HRC assembled a team of 15 subject matter experts from 12 program agencies to provide input into this process. [38] U.S. Department of Labor, Fiscal Year 2009 Annual Human Capital Management Report (Washington, D.C., December 2009). This report is required of all federal agencies and must include details such as human capital goals and objectives, workforce analysis, performance measures and milestones, and human capital accountability systems. See 5 C.F.R. § 250.203. [39] U.S. Department of Labor, Fiscal Year 2009 Annual Human Capital Management Report (Washington, D.C., December 2009). [40] According to Labor's workforce data, close to 42 percent of the department's senior executives were eligible to retire as of January 10, 2011. [41] According to Labor's data, in fiscal year 2010, Labor hired approximately 1,700 permanent employees (including new hires and conversions), of which more than 1,200 employees had less than 3 years of federal experience. [42] According to Labor, its accountability review program was developed, in part, in response to regulatory requirements. HRC evaluates each of the department's human resource offices every 2 years on a rotating schedule. [43] In fiscal year 2010, HRC identified departmentwide problems with (1) outdated and inaccurate position descriptions, (2) insufficient hiring documentation and personnel actions in their automated system, and (3) untimely applicant notifications. HRC uses these summary findings to inform discussion topics for its monthly manager meetings and issues advisories to all Labor agencies to correct or clarify their policies. [44] HRC expanded the survey instrument to include reviews of each program agencies' recruiting and hiring initiatives, performance management, knowledge management, and personnel security. [45] In fiscal year 2010, Labor conducted six reviews, and has scheduled seven for fiscal year 2011. [46] [hyperlink, http://www.gao.gov/products/GAO-04-394G]. 
This framework emphasizes the importance of management controls, including the need for business unit representation. As described in the framework, an IT governance structure should be comprised of senior executives representing the heads of business units and supporting units, such as financial management. The purpose is to ensure buy-in from senior executives and users representing various departments. [47] The Clinger-Cohen Act requires agencies to establish performance measures to identify how IT contributes to program productivity; OMB circular A-130 requires agencies to conduct post-implementation reviews to assess the project's impact on mission performance and document lessons learned. [48] Labor's investment review board is known as their technical review board. [49] GAO, Information Technology: Federal Agencies Need to Strengthen Investment Board Oversight of Poorly Planned and Performing Projects, [hyperlink, http://www.gao.gov/products/GAO-09-566] (Washington, D.C.: June 30, 2009). [50] GAO, Information Technology: HHS Has Several Investment Management Capabilities in Place, but Needs to Address Key Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-06-11] (Washington, D.C.: Oct. 28, 2005). [51] The TRB members represent information technology management from the program agencies. The TRB members have support from five subcommittees, which are responsible for major IT issues, such as security capital planning and enterprise architecture functions. See figure 1 for a detailed description of Labor's IT governance structure. [52] The Clinger-Cohen Act requires agencies to establish a variety of performance measures, such as those related to how IT contributes to program productivity, efficiency, and effectiveness, and to monitor the actual-versus-expected performance of those measures. 
Further, to be effective, as part of the federal enterprise architecture, agencies should include a performance reference model in order to provide a means for using an agency's enterprise architecture to measure the success of IT investments and their impact on strategic outcomes. [53] Executive Office of the President of the United States, Federal Enterprise Architecture: Consolidated Reference Model Document, version 2.3 (October 2007). [54] U.S. Department of Labor Enterprise Architecture Program Management Office, DEAMS Requirements and Guidance Reference Manual, version 2.5 (January 2010). [55] The four systems that did not comprehensively adhere to Labor guidance on performance measures were OSHA's information system, WHD's Wage and Hour Investigative Support and Reporting Database, ETA's grants management system (eGrants), and OCFO's NCFMS. [56] This type of measurement could have included determining if consistent data inputs provided accurate names and addresses of the worksites assessed for violations. For example, if there was an explosion at one business site the metric would assess the system accuracy in identifying other site locations and associated inspections. Another metric would be to identify if the name of the worksite was consistent across all inspections. [57] An example of a performance measure that will support mission needs and business results that OSHA intends to track with the new system includes capturing information on fatalities and gathering data on fatalities to non-English-speaking individuals. [58] The new system, OSHA Information System, is intended to replace part of the existing legacy systems that have obsolete technology and to provide support for the agency's mission needs. According to OSHA officials, Labor is scheduled to begin field deployment during the 3rd quarter of fiscal year 2011. Initially, the new Web-based system will include enforcement, consultation, health sampling, and establishment processing modules. 
[59] The five categories for the customer results measurement area are: (1) customer benefit, (2) service coverage, (3) timeliness and responsiveness, (4) service quality, and (5) service availability. [60] The six categories for the technology measurement areas are: (1) technology costs, (2) quality assurance, (3) efficiency, (4) information and data, (5) reliability and availability, and (6) effectiveness. An IT initiative, according to OMB, can include applications, infrastructure, or services provided in support of a process or program. [61] According to the Paperwork Reduction Act, with respect to federal information technology, each agency shall assume responsibility for maximizing the value and assessing and managing the risks of major information systems initiatives through a process that is used to select, control, and evaluate the results of major information systems initiatives. [62] GAO, Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decision-making, [hyperlink, http://www.gao.gov/products/GAO/AIMD-10.1.13] (Washington, D.C.: Feb. 3, 1997). This guidance states that the starting point for the selection phase is the screening process and that assurances should be provided that all necessary project proposal and justification steps have been performed. Also, the costs, benefits, and risks of all IT projects--such as proposed, under development, and operational--are then assessed. Finally, a senior management decision-making body should make decisions about which projects to select for funding based on mission needs and organizational priorities. The systems and projects that are selected for funding make up the portfolio of IT investments. [63] NCFMS is critical for the effective operation of the department and is the financial system that supports all Labor agencies and offices. 
NCFMS is intended to process and report financial transactions and support administrative functions, such as travel and vendor invoices, as well as interface with other major departmental systems, such as Labor's grants management system. [64] The Information Technology Investment Management framework states that the starting point for the selection phase is the screening process, and that assurances should be provided that all necessary project proposal and justification steps have been performed. This includes checking to ensure that stakeholders were involved. Also, the costs, benefits, and risks of all IT projects--such as proposed, under development, and operational--are then assessed. Finally, a senior management decision-making body should make decisions about which projects to select for funding based on mission needs and organizational priorities. The systems and projects that are selected for funding make up the portfolio of IT investments. [65] GAO, Information Technology: DOD's Acquisition Policies and Guidance Need to Incorporate Additional Best Practices and Controls, [hyperlink, http://www.gao.gov/products/GAO-04-722] (Washington, D.C.: July 30, 2004). [66] We found that systems problems reported by Labor in part related to improperly testing system user requirements to determine if FSIO requirements had been effectively implemented. For example, Labor reported that it was unable to properly perform the Treasury confirmation process on some payments, even though FSIO has requirements for performing this function. 
[67] According to the Institute of Electrical and Electronics Engineers, the key components of ensuring that systems will perform as intended include, but are not limited to, (1) preparing selected test requirements, test cases, and test specifications for analyzing test results; (2) testing the software product as appropriate in selected areas of the target environment; and (3) testing that representative users can successfully achieve their intended tasks using the software product. [68] User acceptance testing involves evaluating system interoperability, all documentation, system reliability, and the level to which the system meets user requirements. [69] As defined by Labor, the "procure to pay" process is the process used to obtain and pay for goods. The process begins with the receipt of the invoice from a vendor. The Labor Finance Center records the invoice information in the system based on the invoice received. Once data are entered, the invoice is routed for the necessary approvals and certified by the authorized certifying officer. Once certified, payment schedules are created and sent to Treasury for payment. [70] To understand the testing conducted for NCFMS, we reviewed 2 (procure to pay and trust fund) of the 23 test scripts to assess the adequacy of testing Labor's financial management requirements. The procure to pay test scripts were intended to provide the essential standardized set of financial management activities and the trust fund scripts were intended to, among other actions, test the processing of billions in unemployment dollars annually. After reviewing the two test scripts, we interviewed Labor officials on 26 of the 159 procure to pay test steps. Of the 26 test steps, 17 did not have sufficient documentation to show they were tested adequately. The department did not comprehensively document the expected test results, actual results, identified errors, or any corrections, if performed. 
As we have previously reported in our testing guide, test results should be fully documented so that the information can be used to (1) validate that test criteria have been met and (2) assist in assessing and correcting defects. GAO, Year 2000 Computing Crisis: A Testing Guide, [hyperlink, http://www.gao.gov/products/GAO/AIMD-10.1.21] (Washington, D.C.: Nov. 1, 1998). [71] A test script is a list of sequential actions that testers follow when executing a test. If a test requires that special setup activities be performed, these actions are identified in the test script. [72] GAO, Business Modernization: Improvements Needed in Management of NASA's Integrated Financial Management Program, [hyperlink, http://www.gao.gov/products/GAO-03-507] (Washington, D.C.: Apr. 30, 2003). [73] Boundary condition testing is testing of the boundary or limit conditions of the software being tested. [74] Instead of testing quantities just below and above the established limit of 100, such as 99 and 101, Labor tested the quantities of 40, 50, 100, and 110, potentially not identifying system errors. [75] For example, one of the tests required that certain accounting entries be posted to the general ledger; however, Labor did not have documentation available to show that the general ledger was posted. [76] Financial Systems Integration Office, Financial Management Systems Standard Business Process for U.S. Government Agencies, Standard Business Processes (September 2009). [77] U.S. Department of Labor, Office of Inspector General-Office of Audit, Department of Labor (DOL) New Core Financial Management System (NCFMS) Pre-Implementation Performance Audit Report, 22-10-014-13-001 (Jan. 13, 2010). Also, end-to-end testing refers to user-level testing that verifies that the integrated component works correctly as part of the overall system, and that the existing components of the system work as before. 
[78] According to the OIG, integration testing includes the real-time interfaces that connect with NCFMS. The purpose of real-time interface testing is to evaluate and verify the exchange of data, transmission and control, and processing times. [79] According to the OIG, without testing the completeness and accuracy of data being transferred between the batch interfaces and NCFMS, errors may occur that limit the system's ability to process financial data properly and meet Labor's financial reporting requirements. [80] A disclaimer of opinion is an auditor's statement disclaiming any opinion regarding an entity's financial condition due to an inability to gather certain relevant facts. [81] U.S. Department of Labor, Office of the Chief Information Officer, System Development Life Cycle Management (SDLCM) Manual, version 2.2 (Washington, D.C., November 2006). [82] U.S. Department of Commerce, National Institute of Standards and Technology, Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53 revision 3 (Gaithersburg, Md., August 2009). [83] Office of Management and Budget, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (Washington, D.C., Apr. 21, 2010). [84] Patricia Toth, Computer Security Division, Information Technology Laboratory, NIST Next Generation Risk Management: Information Security Transformation for the Federal Government (May 11, 2010); Dr. Ron Ross, Computer Security Division, Information Technology Laboratory, NIST, State of Transformation: Next Generation Risk Management for the Federal Government, (Mar. 24, 2010). [85] Under FISMA, agencies perform an annual independent evaluation of their information security program and practices, and report assessments of risk of their IT systems, using determinations of high, moderate, and low risk, as described in NIST FIPS pub. 199. 
[86] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: Feb. 16, 2011). [87] U.S. Department of Labor, Office of Inspector General, FY 2010 Independent Auditors' Report, 22-11-002-13-001 (Nov. 15, 2010) and Semiannual Report To Congress, Volume 64 (October 2010). [88] U.S. Department of Labor, Fiscal Year 2009 Performance and Accountability Report (Nov. 16, 2009). [89] With the enactment of the Recovery Act, Congress increased Labor's grant funding by an additional $45 billion, of which $4.8 billion was budgeted through 2009 for discretionary funds. [90] The purpose of our testing was not to determine the extent to which there were deficiencies in the documentation systems of ETA's discretionary grants process, but rather to illustrate the possible effect of identified control design flaws. For this purpose, we selected a nongeneralizable sample of 30 (15 active and 15 closed) discretionary grants. For additional information about our sample methodology, see appendix I. [91] ETA, Employment and Training Order No. 1-08--Grant Management Policies and Responsibilities within the Employment and Training Administration (June 18, 2008), and Grant Management Desk Reference (February 2009). [92] As part of this procedure, the Office of Special Programs and Emergency Preparedness is required to conduct a preaward clearance that includes a review of documents obtained from official grant files, reflecting financial accountability, incident reports, investigations, audit resolutions, and outstanding debt. The preaward clearance also includes consultation with Labor's OIG to identify debarment issues and audit findings that could affect the award process. [93] Our nongeneralizable sample included 10 competitive grants where this documentation would have been required. 
[94] GAO, Internal Control: Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [95] In 2008, GEMS was designated as ETA's primary electronic grant monitoring system. It is intended to be the repository for grant documentation related to risk assessment, monitoring, on-site visits, quarterly desk reviews, technical assistance, and any other monitoring documentation created in the period of performance. [96] To understand the possible effect of identified control design flaws, we selected a nongeneralizable sample of 30 (15 active and 15 closed) discretionary grants. For additional information about our sample, see appendix I. Of the 30 selected grant files, we found 2 that were closed in fiscal year 2009 but did not include monitoring activities in GEMS. According to ETA officials, one of the grant files selected was awarded prior to 2006 and therefore, was not managed in GEMS. For the other grant, ETA officials stated that the information was incorrectly filed under another project number and they have now corrected this error. [97] For the majority of the seven grants, the quarterly risk assessments changed from medium-risk to low-risk but no explanations were provided to justify such changes. [98] According to ETA officials, GEMS was upgraded to include a notification box that prompts the FPOs to provide an explanation when they overrode an initial and quarterly risk assessment. For initial risk assessment, the upgrade went into effect for all grants that were active as of April 2010. The upgrade for quarterly risk assessment applied to all desk reviews for the period ending March 31, 2010, and forward. If properly implemented, these changes should address the design deficiency noted in our sampled grants, which were issued prior to the GEMS upgrade. 
[99] ETA's Single Audit resolution process, which is primarily conducted at ETA headquarters, includes reviewing a grantee's audit report and corrective action plans to determine whether the corrective action plans address the findings, contacting a grantee for follow-up questions, and issuing a final determination letter after OIG's approval. The final determination (also called a management decision) is the process through which the grant officer determines if appropriate actions required to correct audit deficiencies have been met. Once the grant officer approves the actions to correct the audit deficiencies, a final determination letter is issued, which is approved by Labor's OIG. [100] [hyperlink, http://www.gao.gov/products/GAO-04-39], [hyperlink, http://www.gao.gov/products/GAO-05-585], and [hyperlink, http://www.gao.gov/products/GAO-02-373SP]. OPM, Human Capital Standards for Success: Human Capital Assessment and Accountability Framework. [101] GAO, OPM's Central Personnel Data File: Data Appear Sufficiently Reliable to Meet Most Customer Needs, [hyperlink, http://www.gao.gov/products/GAO/GGD-98-199] (Washington, D.C.: Sept. 30, 1998) and Human Capital: Diversity in the Federal SES and Senior Levels of the U.S. Postal Service and Processes for Selecting New Executives, [hyperlink, http://www.gao.gov/products/GAO-08-609T] (Washington, D.C.: Apr. 3, 2008). [102] A mass transfer is when a unit or function along with its employees of an agency is transferred to a different agency. A voluntary transfer is when an individual employee accepts a position in a different agency. [103] The Clinger-Cohen Act of 1996, Pub. L. No. 104-106, 110 Stat. 186 (1996). U.S. 
Department of Commerce, National Institute of Standards and Technology, Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53 revision 3 (Gaithersburg, MD, August 2009); Office of Management and Budget, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (Washington, D.C.: Apr. 21, 2010); and the Federal Information Security Management Act of 2002, enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946. [104] Executive Office of the President of the United States, Federal Enterprise Architecture: Consolidated Reference Model Document, version 2.3 (Washington, D.C., October 2007) and U.S. General Services Administration, Financial Systems Integration Office, Financial Management Systems Standard Business Process for U.S. Government Agencies, Standard Business Processes (Washington, D.C., September 2009). [105] [hyperlink, http://www.gao.gov/products/GAO-04-394G]; Information Technology Management: Governmentwide Strategic Planning, Performance Measurements, and Investment Management Can Be Further Improved, [hyperlink, http://www.gao.gov/products/GAO-04-49] (Washington, D.C.: Jan. 12, 2004); [hyperlink, http://www.gao.gov/products/GAO-03-584G]; [hyperlink, http://www.gao.gov/products/GAO/AIMD-98-89]; and [hyperlink, http://www.gao.gov/products/GAO/AIMD-10.1.13]. [106] Our review did not include the preaward phase because it does not involve grantee related activities. [107] The E-grants system included 1,357 discretionary grants that were active as of September 30, 2009, and 374 discretionary grants that were closed during fiscal year 2009. 
[108] In November 2009, ESA was reorganized into four stand-alone program agencies that report directly to the Secretary of Labor--the Wage and Hour Division, Office of Federal Contracts Compliance Programs, Office of Workers' Compensation Programs, and Office of Labor Management Standards. CPDF data presented in this report uses data from ESA overall, prior to this reorganization. [109] We calculated attrition by dividing the total number of separations for each fiscal year by the average of the number of these employees in the CPDF as of the last pay period of the fiscal year before the fiscal year of the separations and the number of these employees in the CPDF as of the last pay period of the fiscal year of separation. [110] Throughout this appendix, references to mission critical occupations include those that Labor considered mission critical as of fiscal year 2008. [111] We identified all Labor hires for fiscal years 2005-2009 by using personnel action codes in CPDF for accessions to career or career conditional positions within each of these years. Accessions include new hires to the agency and hires of individuals returning to the government. [112] Hiring data for each fiscal year may not reflect employees who were hired and did not stay through the end of the fiscal year. [113] We refer to "ordinary" federal hires as those hired through the competitive process. We refer to "special hire" as those employees hired under certain flexible hiring authorities. OPM has established many flexible hiring authorities for critical occupations, hard-to-fill occupations, populations of applicants targeted by law or executive order, occupations for which examining and ranking are not feasible, and selected other situations. Special hires include, for example, those hired through the Presidential Management Fellowship Program and the Veterans Recruitment Appointment. 
[End of section]