U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE FEDERAL INVESTIGATIVE SERVICES' CASE REVIEW PROCESS OVER BACKGROUND INVESTIGATIONS Report No. 4A-IS-00-13-062 Date: June 4, 2014 --CAU TIONThis audit repor t has been distiib uted to Federal officials who are 1·esponsible for the administration of the audited pr ogram . This audit repor t m ay contain pr oprietar y data which is protected by Federal law (18 U.S.C. 1905). Therefor e, while t his audit repo11 is available under the Fr eedom of Inform ation Act and m ade available to the public on the OIG webpage, caution needs to be exer cised befor e r eleasing the 1·epo11 to the gener al p ublic as it may contain pr optietary infor m ation that was 1·ed acted from the p ublicly distributed copy. AUDIT REPORT AUDIT OF THE FEDERAL INVESTIGATIVE SERVICES’ CASE REVIEW PROCESS OVER BACKGROUND INVESTIGATIONS Report No. 4A-IS-00-13-062 06/06/14 Date: ____________ ___________________________ Michael R. Esser Assistant Inspector General for Audits --CAUTION-This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. EXECUTIVE SUMMARY AUDIT OF THE FEDERAL INVESTIGATIVE SERVICES’ CASE REVIEW PROCESS OVER BACKGROUND INVESTIGATIONS Report No. 4A-IS-00-13-062 06/04/14 Date: __________ The Office of the Inspector General (OIG) has completed a performance audit of the Federal Investigative Services’ (FIS) Case Review Process over Background Investigations. The objectives of our audit were to determine if: (1) FIS has adequate oversight controls in place to ensure that US Investigations Services (USIS); CACI International Inc. (CACI); and KeyPoint Governmental Solutions, Inc. (KGS), hereafter referred to as the “Contractors,” are meeting their contract requirements; (2) the Contractors’ background review process meets its contract requirements; (3) FIS has controls in place to ensure the Federally-conducted background investigations are reviewed; and (4) FIS and its Contractors have controls in place to ensure that their review personnel are trained to perform their duties. Our audit fieldwork was conducted from August 26, 2013 through December 2, 2013, at the U.S. Office of Personnel Management’s (OPM) headquarters located in Washington, D.C.; FIS’s headquarters in Boyers, Pennsylvania; and contractor sites located in Slippery Rock and Grove City, Pennsylvania, and Chantilly, Virginia. We determined that OPM needs to strengthen its controls over its Contractors and the background investigation review process. Our audit identified five areas requiring improvement, as follows: A. General Observations 1. We identified two areas of improvement that could have a positive impact on the background review process. The areas include:   B. Procedural Personnel Investigation Processing System (PIPS) events The PIPS event indicators Display, Modify, and Print are weak controls to ensure all investigative items have been reviewed. Auto-released Reports of Investigations (ROI) - FIS does not have a control in place to verify that the Contractors are conducting a review on auto-released ROIs. Case Review Process 1. Abnormal Number of Reviews Procedural Two USIS reviewers completed an abnormally high number of reviews on background investigations in a short timeframe. For example, one of the reviewers completed 15,152 background investigations reviews during a one month timeframe, with most of these occurring within minutes of each other on multiple days. 2. Report of Investigations (ROI) Not Reviewed Procedural Seventeen ROIs in our sample were not reviewed by USIS, CACI, and KGS prior to submitting them to OPM. C. Training 1. Reviewer Training Documentation Lacking USIS and KGS were unable to provide support to show that 29 out of 100 reviewers and support personnel we reviewed met training requirements. Twenty-four of the 29 were USIS employees. ii Procedural D. Federal Investigative Services’ Oversight of Contractors 1. Oversight Controls over the Contractors Need Strengthening Based on our audit findings, we have concluded that FIS needs to strengthen their controls over USIS, CACI, and KGS’s background investigation case review processes. iii Procedural TABLE OF CONTENTS Page EXECUTIVE SUMMARY…………………………………….…….. i I. INTRODUCTION AND BACKGROUND ........................................ 1 II. OBJECTIVES, SCOPE, AND METHODOLOGY ............................ 5 III. AUDIT FINDINGS AND RECOMMENDATIONS ......................... 9 A. General Observations……………………………...…………….. 9 B. Case Review Process……………………………………..……… 11 1. Abnormal Number of Reviews…….………..………………… 11 2. Reports of Investigations Not Reviewed……..……………….. 13 C. Training…………………………………………...………………. 15 1. Reviewer Training Documentation Lacking……………..…… 15 D. Federal Investigative Services’ Oversight of Contractors…….… 17 1. Oversight Controls Over the Contractors Need Strengthening.. 17 IV. MAJOR CONTRIBUTORS TO THIS REPORT ............................. APPENDIX 19 (Federal Investigative Services’ response to our draft report, received March 20, 2014) I. INTRODUCTION AND BACKGROUND Introduction This final audit report details the findings, conclusions, and recommendations resulting from our performance audit of the Federal Investigative Services’ Case Review Process over Background Investigations. The audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as authorized by the Inspector General act of 1978, as amended. Background OPM’s Federal Investigative Services (FIS) is responsible for conducting background investigations on Federal applicants, employees, and contractor personnel for customer agencies on a reimbursable basis to determine the eligibility of these individuals to hold security clearances or to be employed in positions with national security sensitivity, eligibility for accession or retention in the Armed Forces, eligibility for an identity credential, or suitability or fitness for employment for or on behalf of the Government. FIS also conducts investigations for other purposes. During fiscal year 2013 FIS contracted with three companies: US Investigations Services (USIS), CACI International Inc. (CACI), and KeyPoint Governmental Solutions, Inc. (KGS), hereafter referred to as the “Contractors,” to assist with completing background investigations. During fiscal year 2013 and at the time the audit was conducted FIS had an additional contract with USIS to provide support services. The support services contract covered some of the following areas that were involved in the review process:  Preparing background investigations for the closing process and ensuring all background investigation data is present (e.g., entering closing codes, placing closing forms in background investigations folders, and processing system-closed background investigations);  Assessing automated background investigation closing (e.g., by entering appropriate closing actions in the Personnel Investigation Processing System1 (PIPS)); and,  Ensuring the appropriate review staff looks at the PIPS closed cases, backs out the closing when appropriate, and schedules additional item(s) for the System Closed Kick Out process, which is a part of the System Closing process. 1 PIPS is a computer system which maintains a repository containing background investigation records of Federal employees, military personnel, and contractors. 1 Background Investigations Process The background investigations process begins with a request from a customer agency to conduct a background investigation on an individual, who then completes the FIS electronic form through the Electronic Questionnaires for Investigations Processing (eQIP) system. For background investigation types (e.g., Top Secret) requiring fieldwork2 [based on predefined criteria within PIPS], PIPS assigns the case to a Federal background investigator or to a Contractor. FIS assigns each background investigation a critical date. The critical date is the deadline for all investigative items to be submitted back to FIS. When all assigned fieldwork in PIPS is completed by the Contractors’ background investigator(s), they will submit the Report of Investigation(s) (ROI) in PIPS and the status is updated to “Ready to Review” automatically by PIPS. Once the ROI has been through the fieldwork Contractors’ review process, the ROI’s status will be updated to “Review Complete.” At that time, PIPS will update the items to the “Complete Status.” For the Federal background investigator, once complete the ROI’s status is updated to “Report Transmitted” and then automatically updated to “Complete Status” in PIPS. When all the items that are in the ROIs for a background investigation are in “Complete Status,” it will go through the FIS background investigation review and closing process located under FIS’s Quality and Support Services Group. Fieldwork Contractors’ Background Review Process for ROIs Each Contractor is required to have a process in place to conduct a 100 percent pre-submission quality review of all investigative work products to ensure compliance with contract requirements and national investigative and adjudicative standards. Once an ROI is marked “Ready to Review” in PIPS, the reviewer can conduct their review. The Contractors’ reviewers are responsible for reviewing all ROIs in PIPS. Once the review is completed, the ROI’s status should be updated to “Review Complete” by the reviewer. FIS utilizes the lack of the events listed below in PIPS-Reporting as indicators of potential fraud or non-compliance with contract requirements since these PIPS-Reporting functions should occur before the “Review Complete” event.    Display - ROI opened in PIPS; Modify - Minor edits made to the ROI; and, Print - ROI printed for review. An exception to this process occurs when ROIs are auto-released. Auto-release is a process that FIS has designed in PIPS to ensure ROIs do not sit idle in the Contractors queue for a substantial period of time. The reviewer has 30 days from the “Ready to Review” date to review the ROI. After 30 days, PIPS will auto-release the ROI and mark it “Review Complete”; thereafter, the 2 Fieldwork can be defined as investigative coverage obtained primarily through human interactions and can include personal interviews, communications with record providers, and human searches of databases. 2 Contractors can only display, modify, or print the ROIs. A review of auto-released ROIs should be conducted by a reviewer prior to submission to FIS, even though they are marked “Review Complete” in PIPS. Once the final ROI’s status on a background investigation has been updated to “Review Complete” and all fieldwork items have updated on the PIPS Case Assignment Tracking screen to “Complete Status,” the background investigation is then submitted to FIS and considered fieldwork finished. Background Investigation Closing Process Using predetermined criteria, PIPS will assign the background investigation case to be reviewed by either a Federal reviewer or USIS’s support services personnel. The Federal staff and USIS support services personnel will conduct their review to determine if the case meets the Investigator Handbook requirements and the Operating Procedures Standards. Once their review has been completed, they will mark the background investigation closed in PIPS and it is ready to send to the customer agency for their adjudication. If the case does not meet standards it is sent back for re-work. Subsequent to our audit, effective February 24, 2014, USIS is no longer involved in the final quality review process as described above. Only Federal employees will be conducting the final quality review before the investigative product is sent to the agency for review and adjudication. Training Each contract outlines the training, experience, and educational qualifications that an individual must meet in order to hold a position as a reviewer or support personnel. FIS’s Oversight over Its Contractors FIS’s Capacity Development and Oversight Group is responsible for the oversight and monitoring of its Contractors. Some of their responsibilities include:     Monitoring the Contractor’s integrity, quality, and timeliness; Monitoring compliance with contract requirements through a review of work performed; Inspecting and testing the services called for in the contract to the extent practicable at all times and places during the terms of the contracts; and, Assessing the Contractor’s performance based on customer satisfaction, statistically valid sampling, random inspections or 100 percent inspection of all cases. 3 The Capacity Development and Oversight Group uses a variety of internal reports and conducts inspections to ensure the Contractors’ background review processes are in compliance with the contract. FIS's Contractor Adjudications Branch is responsible for scheduling required investigations and for adjudicating fitness and national security (or exercising reciprocity when appropriate) for all individuals before they may begin work on the OPM contracts. The Contractor Adjudications Branch also schedules and adjudicates required reinvestigations for those individuals currently working on the OPM contracts. 4 II. OBJECTIVES, SCOPE, AND METHODOLOGY Objectives The objectives of our audit were to determine if: 1. FIS has adequate oversight controls in place to ensure that its Contractors are meeting their contract requirements. 2. The Contractors’ background review process meets its contract requirements. 3. FIS has controls in place to ensure the Federally-conducted background investigations are reviewed. 4. FIS and its Contractors have controls in place to ensure that their review personnel are trained to perform their duties. The recommendations included in this final report address these objectives. Scope and Methodology Our performance audit was conducted in accordance with generally accepted government auditing standards as established by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. The scope of our audit covered background investigations closed from October 1, 2012 to August 31, 2013. We performed our audit fieldwork from August 26, 2013 through December 2, 2013 at OPM’s headquarters located in Washington, D.C.; FIS’s headquarters located in Boyers, Pennsylvania; and Contractor sites located in Slippery Rock and Grove City, Pennsylvania, and Chantilly, Virginia. To accomplish the audit objectives noted above, we:   Reviewed inspections and various PIPS reports (i.e., Excessive Number of PIPS Transactions Report, Report of Review Complete prior to Review Action, Anatomy of Case Query, and Deficient Case Query) to ensure FIS is providing adequate oversight over its Contractors; Reviewed the Random and Closing Authorization and Support Team audits performed by the Quality Assurance Group3; 3 The Quality Assurance Group, which is under Quality and Support Services, is responsible for providing quality assurance for all background investigations by conducting random reviews. 5     Interviewed FIS and the Contractors’ employees to obtain an understanding of the background investigation process; Performed analytical testing of the Contractors’ reviewers’ “Review Complete” events; Sampled background investigations and reviewed PIPS Basic Display and Investigative Display screen prints, Case Review Transmittals, and other internal documents to ensure the background investigations were reviewed; and, Reviewed résumés, training certificates, and other documentation provided to ensure the training qualifications were met for the sampled Contractors’ reviewers, USIS’s support services personnel, and FIS’s reviewers. In planning our work and gaining an understanding of the case review process over background investigations, we considered, but did not rely on, FIS and the Contractors’ internal control structures to the extent necessary to develop our audit procedures. These procedures were analytical and substantive in nature. We gained an understanding of management procedures and controls to the extent necessary to develop our audit objectives. The purpose of our audit was not to provide an opinion on internal controls, but merely to evaluate controls over the processes that were included in the scope of our audit. Our audit included such tests of FIS and the Contractors’ records and other procedures as we considered necessary under the circumstances. The results of our tests indicate that with respect to the items tested, FIS and its Contractors need to strengthen controls over the case review process over background investigations. In conducting the audit we relied to varying degrees on computer-generated data. Due to the nature of the audit, we did not verify the reliability of the data generated by the system involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve our audit objectives. In order to accomplish our audit objectives, we selected a number of samples from the universe of closed background investigation cases from October 1, 2012 to August 31, 2013. Sample sizes were designed to verify adherence to the various processes tested, not to project outcomes from the processes. Our audit universe consisted of background investigation cases closed by Federal reviewers and USIS’s support services personnel. We determined that the closed background investigation cases from the Federal reviews consisted of 419,409 cases completed by the Contractor background investigators and 79,704 cases completed by the Federal background investigators. The closed background investigation cases from the USIS support service’s review consisted of 789,636 closed background investigation cases. 6 Background Investigations Review Process In order to verify that USIS’s support services personnel were adhering to their background investigations review process, we used Interactive Data Extraction Analysis (IDEA) software to select the following random samples:    50 out of 29,102 background investigation cases closed by USIS’s Closing Authorization and Support Team’s (CAST) Cursory review process4 from July 1, 2013 to August 31, 2013; 50 out of 39,915 Automated5 closed background investigation cases from July 1, 2013 to August 31, 2013; and, 50 out of 380,025 System6 closed background investigation cases from October 1, 2012 to August 29, 2013. Federal Background Investigations Review Process We randomly sampled 15 out of 79,704 closed background investigation cases completed by the Federal investigators to ensure that FIS has controls in place over the Federally-conducted background investigation cases. In addition, to test the Federal review process over the Contractors’ background investigation cases, we judgmentally selected 45 out of 328 Contractor background investigation cases sampled in Finding B2: No Reviews of Reports of Investigations. For each Contractor, using Microsoft Excel, we sorted the background investigation cases by case type. Then, we excluded ANACI7 and NACLC8 case types because they include limited or no fieldwork. The resulting number of case types varied per Contractor. For each case type, using Excel, we took the total number of cases and divided by three to select the sample. For example, USIS had 19 SSBI9 cases, so we divided by three and selected every sixth case. Reviewer Training We used IDEA to test a random sample of 25 out of 277 FIS reviewers to determine if training requirements were met to perform their duties. 4 Cases are presorted to identify those targeted for full review and sent to Federal Review. The remaining cases are reviewed by USIS during the Cursory review process and separated into cases that are ready to close or cases that need correction, Federal Review, or have other issues. 5 Cases subject to Automated Closing are those where investigations have limited or no fieldwork. The investigations are mostly National Agency Check searches, inquiries, and limited fieldwork (record checks and special interviews). 6 System Closings are cases that are closed by PIPS. These are cases that are complete and do not contain any issues and/or derogatory information. 7 ANACI is an Access National Agency Check and Inquiries background case. 8 NACLC is a National Agency Check with Law and Credit background case. 9 SSBI is a Single Scope Background Investigation case. 7 FIS’s Oversight over the Contractors In order to verify that FIS conducted oversight inspections of the Contractors’ background investigation review processes, we selected the following random samples:       25 cases from each of the following monthly Closing Authorization and Support Team’s audit reports: November 2012; March 2013; June 2013; and August 2013; 6 out of 67 quality inspections performed over CACI; 7 out of 75 quality inspections performed over KGS; 7 out of 127 quality inspections performed over USIS’s fieldwork; 11 out of 63 quality inspections performed over USIS’s support services; and, 11 out of 723 timeliness inspections performed over USIS’s support services. In addition,   We judgmentally selected 75 out of 1,790 cases from the quarterly random review reports performed by FIS’s Quality Assurance from October 1, 2012 through September 30, 2013. Using the quarterly reports, we selected the months (March 2013, April 2013 and July 2013) that had the highest percentage of cases that were below standards. Then we selected 25 cases from each month: March 2013 by selecting every 15 th case; April 2013 by selecting every 20 th case; and July 2013 by selecting every 10 th case. We randomly selected 15 out of 328 cases from our selected sample of background investigations completed by the Contractors to determine if FIS’s oversight controls over the auto-released ROIs were effective. For each Contractor, we selected five background investigation cases that contained auto-released ROIs. The remainder of our samples are discussed in the body of our findings. The results from the various samples were not projected to the population. 8 III. AUDIT FINDINGS AND RECOMMENDATIONS The areas requiring improvements are described below. For those Contractors not specifically identified in a finding below, it was determined that their process was adequate for that particular issue. A. General Observations During our audit we identified two areas of improvement that we feel could have a positive impact on the background review process. The areas that came to our attention include: PIPS events and auto-released ROIs. The Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government states that management is responsible for developing control activities, which are the policies, procedures, techniques and mechanisms that enforce management’s directives. Control activities occur at all levels and functions of an entity and include a wide range of activities, such as approvals, authorizations, verifications, reconciliations, performance review, and the creation and maintenance of related records which provide evidence of execution of these activities, as well as appropriate documentation. Some examples of control activities are: reviews by management at the functional or activity levels, controls over information processing, proper execution of transactions and events, and appropriate documentation. PIPS Events are Weak Controls We consider the PIPS events used by the Contractors (the Display, Modify, and Print indicators in the system) to be weak controls over determining if an investigative item has been reviewed. The reliance on these PIPS events is not sufficient to show that a review actually occurred on the investigative items. For example, if an authorized user logs into PIPS to research a case, PIPS will mark the item “Display.” In this example the user is only doing research and not performing a review; however, under the current control that action would constitute a review. We believe requiring the Contractors’ reviewers to mark all investigative items as “Review Complete” in PIPS will help solidify that an actual review occurred. In addition, this action would document that the reviewer is taking ownership that the review took place . Recommendation 1 We recommend that FIS require the Contractors to mark all investigative items as “Review Complete” in PIPS to indicate when they have completed their review. 9 FIS’s Response: “OPM FIS partially concurs with this recommendation. OPM FIS concurs that the process to document the contractors’ pre-submission quality review needs improvement and is currently exploring multiple options to remedy this involving system changes and contract changes. OPM FIS does not concur that requiring the contractors to mark all investigative items RC [Review Complete] in PIPS is the best avenue for improving this process. See response for Recommendation #2 for OPM FIS’ plan of action.” OIG Comment: We are pleased that FIS agrees that the process to document the Contractors’ presubmission quality review needs improvement. FIS has communicated in its response to recommendation 2 the options that they are considering to make these improvements; however, we are concerned that not all of the options may provide adequate assurance that a pre-submission quality review has occurred. Controls Over Auto-Released Reports of Investigations are Weak FIS does not have a control in place to verify that the Contractors are conducting a review of the auto-released ROIs. We identified ROIs where no review occurred prior to submission to OPM. See Finding B2: Reports of Investigations Not Reviewed for the details. In this finding, we determined that 15 out of the 17 ROIs not reviewed were auto-released. Therefore, it is clear to us that the Contractors are not conducting a prereview of all investigative items as required by the OPM contract. FIS stated that they are working with their Information Technology department to enhance the PIPS Report of Review Complete Prior to Review Action to capture the autoreleased ROIs. We believe if the enhancements are made to include the auto-released ROIs in the Report of Review Complete Prior to Review Action and they use this report consistently to monitor the ROIs, it will increase FIS’s effectiveness in ensuring the Contractors are conducting a review of all investigative items. Recommendation 2 We recommend that FIS implement an internal control to ensure the Contractors are reviewing the auto-released ROIs and that they document a review took place. FIS’s Response: “OPM FIS concurs with this recommendation. OPM FIS concurs that the process to document the contractors’ pre-submission quality review needs improvement and is 10 currently exploring multiple options to remedy this involving system changes and contract changes, which will allow for enhancement of the oversight of the contractors’ review process as necessary.” FIS states that it is exploring four options and they plan to make a decision by May 1, 2014; however, they are unable to give a date as to when the selected option will be implemented due to the complexities with changing the IT systems. OIG Comment: We will evaluate FIS's decision of May 1, 2014 to determine the adequacy of the corrective action that they select. B. Case Review Process 1. Abnormal Number of Reviews We found that two USIS reviewers completed an abnormal number of background investigation case reviews in a short timeframe. For our audit, we concluded that an abnormal review of a background investigation case is when the reviewer signs off with the “Review Complete” code on multiple cases in a very short timeframe. While we understand it is possible for a reviewer to “Review Complete” cases in bulk, we find the rate at which these reviewers reviewed the cases to be abnormal. For example, one reviewer completed 15,152 case reviews during a one month timeframe, with most of these occurring within minutes of each other on multiple days. Details of our review were provided to FIS separate from this report. We obtained the Federal review audit universe of 419,409 closed background investigation cases from October 1, 2012 through August 31, 2013. We analyzed the audit universe of closed background investigation cases where there was a “Review Complete” event in PIPS by the Contractors. Specifically, we looked for trends where reviewers completed reviews on multiple cases in an abnormally short timeframe. We noted that FIS was aware that abnormal reviews were being completed by USIS reviewers and had previously identified one of the two reviewers as completing abnormal reviews. FIS had taken administrative action on the one reviewer identified prior to this final audit report. FIS’s contract with USIS, Section C.7 (a) of OPM15-11-C-0015, states that “The Contractor shall conduct a pre-submission quality review by a qualified reviewer of all OPM-FIS products and shall maintain an inspection and evaluation system to ensure that all investigative work products and other deliverables submitted to OPM conform to contract requirements, [and] national investigative and adjudicative standards. The 11 Contractor shall not submit for payment any case that does not meet the requirements of this contract.” GAO’s Standards for Internal Control in the Federal Government states that “Control activities are the policies, procedures, techniques and mechanisms that enforce management’s directives … Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliation, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation.” Examples of control activities are: reviews by management at the functional or activity level, controls over information processing, proper execution of transactions and events, and appropriate documentation of transactions and internal control. Allowing the Contractors’ reviewers to sign off on multiple background cases at the same time could result in background investigation cases being processed as reviewed when no substantive review occurred. Recommendation 3 We recommend that FIS require USIS to strengthen their internal controls over reviewers to prevent them from designating a large numbers of cases as being reviewed in a short timeframe. FIS’s Response: “OPM FIS concurs that USIS’ internal controls to catch abnormal reviews have not always provided the desired results. Because the methods by which contractors will provide oversight and quality assurance of contract requirements are determined by the contractor and not the Government, FIS will recommend to USIS that it consider reevaluating its internal controls to determine how the company might improve its oversight of its reviewers, and will request that USIS identify its remedial action plans for any substandard performance. FIS will also assess whether a change to its requirements such as specifying the number of cases that may be RC’d [Review Complete] within a specified timeframe, would improve the results if modified into the contract. Because this is a Performance Based Contract, USIS must devise the methods in which it will ensure compliance with contract requirements and how to achieve the performance standards.” 12 2. Reports of Investigations Not Reviewed We found 3 ROIs from USIS, 4 ROIs from CACI, and 10 ROIs from KGS that were not reviewed by the Contractors prior to submitting the background investigations to OPM. Details of our review were provided to FIS separate from this final audit report. We obtained FIS’s Federal review of 419,409 background investigations closed from October 1, 2013 through August 31, 2013. We selected a sample of 328 background investigation cases to verify a review occurred on each ROI prior to submission to OPM. Specifically, we selected:    108 out of 221,673 background investigation cases reviewed by USIS; 110 out of 126,091 background investigation cases reviewed by CACI; and, 110 out of 135,436 background investigation cases reviewed by KGS. CACI confirmed that their four ROIs in question were not reviewed and stated that they do not know why no review took place. KGS stated that their 10 ROIs in question are law check (e.g., criminal history) ROIs and if a background investigator codes an ROI as “Completed No Record” or “Completed Referred,” then the reviewer does not expect to see an ROI for review and will allow PIPS to auto-release the ROI. USIS stated that a Review Workload Leader10 may have marked “Review Complete” by accident for one of their three ROIs; however, they were unable to provide a cause for the remaining ROIs in question. FIS’s three contracts, Section C.7 (a) of OPM15-11-C-0015 (USIS); OPM15-11-C-0016 (KeyPoint); and OPM15-11-C-0017 (CACI) each state that “The Contractor shall conduct a pre-submission quality review by a qualified reviewer of all OPM-FIS products and shall maintain an inspection and evaluation system to ensure that all investigative work products and other deliverables submitted to OPM conform to contract requirements, [and] national investigative and adjudicative standards. The Contractor shall not submit for payment any case that does not meet the requirements of this contract.” GAO’s Standards for Internal Control in the Federal Government states that “Control activities are the policies, procedures, techniques and mechanisms that enforce management’s directives. Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliation, performance reviews, maintenance of security, and the A Review Workload Leader uses information from USIS’s workload management system to assess reviewer availability and existing individual workload levels, and assigns new cases to reviewers. 10 13 creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation.” Some examples of control activities are: reviews by management at the functional or activity level, controls over information processing, proper execution of transactions and events, and appropriate documentation of transactions and internal control. As a result of no reviews occurring on these ROIs prior to submission to OPM, the Contractors have not complied with contract requirements and have been paid for work that was not reviewed. In addition, the lack of reviews can lead to inadequate work being performed and background investigation cases being potentially compromised. Recommendation 4 We recommend that FIS require the Contractors to implement internal controls to ensure that all ROIs within a case have been reviewed prior to submission to OPM. FIS’s Response: FIS partially concurs with this recommendation. “Because the methods by which contractors provide oversight, internal controls, and quality assurance are determined by the contractor and not the Government, FIS will recommend to USIS that it consider reevaluating its internal controls to determine how the company might improve its compliance with ROI review requirements, and will request that USIS identify its remedial action plans for any substandard performance. … OPM FIS has required each of the fieldwork contractors to update quality control plans to further ensure that this contractual review is conducted on each product submitted and a certification from the program director of each contract company that the review of each product submitted has occurred on a monthly basis. These quality control plans are currently being reviewed and coordinated with the Contractors. OPM FIS has also created a new inspection team whose focus is to oversee contractual compliance including this area of the contract. Further, OPM FIS clarifies that the Fieldwork contractors’ review is one part of OPM’s quality assurance process. In addition to the required fieldwork contractual review, all cases were reviewed by either federal review staff or the support contractor review with federal oversight of that process prior to being sent to the customer agencies. As of February 24, 2014, all cases will receive a review by Federal staff. Therefore, the effect of the contractors’ lack of reviews does not lead to background investigations being potentially compromised.” 14 OIG Comment: While we agree that the fieldwork Contractors’ review is only one part of OPM’s Quality Assurance (QA) process, we believe in order for a QA process to be effective, all parts of that QA process must work as designed. Since the fieldwork Contractors’ review is a part of the overall QA process and it is not working as designed, there is a potential risk that a background investigation could be compromised. C. Training 1. Reviewer Training Documentation Lacking We were unable to verify that 5 KGS and 24 USIS reviewers and support personnel met training requirements. The names of the reviewers and support personnel were provided to FIS separately from this report. We randomly selected a total of 100 Contractor reviewers and support personnel to determine if they met the qualifications to perform their duties. Specifically, we selected:     25 out of 80 CACI Reviewers; 25 out of 323 USIS Fieldwork Reviewers; 25 out of 54 USIS Support Personnel; and, 25 out of 78 KGS Reviewers. Based on the results of our review it is clear that USIS lacks internal controls over the retention of training documentation, as they could not provide the required training documentation for almost half of the personnel we reviewed (24 of 50). In addition, KGS did not have any formal records of their reviewers’ initial training. FIS’s contracts with USIS and KGS, Section C.3(c) of OPM15-11-C-0015 (USIS) and OPM15-11-C-0016 (KGS), each state that “OPM requires that certain personnel performing work under this contract possess minimum qualifications and training, as specified in Attachment 2 (Attachment 2-Résumé Format, Qualifications, and Training Requirements), and reserves the right to review these qualifications, determine if the minimum requirements are met, and whether the individual shall be permitted to perform work on the contract.” Attachment 2 of the contracts includes the following training topics: 1. 2. 3. 4. Investigators Handbook Training EPIC Training Mock Interviews Supervised Live Work 15 5. 6. 7. 8. Mock Case Reviews Security Briefing (Includes proper Handling/Storage of Case Materials) Professional Conflict Issue Resolution FIS’s Support Services contract, Section C.3 (3.1) of OPM15-11-C-0004, states that “the Contractor shall develop and implement an OPM approved program for initial, periodic, and update training to ensure staff proficiency. It must include initial and yearly refresher training to identify and correct problems in proficiency by its personnel working under this Contract, training for any changes in technology, policies, procedures, Investigator’s Handbook, and the Annual IT Security and Privacy Awareness training.” GAO’s Standards for Internal Control in the Federal Government states that “Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination.” GAO’s Standards for Internal Control in the Federal Government also states that “All personnel need to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control. Management needs to identify appropriate knowledge and skills needed for various jobs and provide needed training. . . . Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs.” The absence of documentation to support that all reviewers and support personnel have been trained increases the risk that there are reviewers and support personnel who have not been properly trained to perform their duties. Individuals that are not properly trained to review background investigations can lead to deficient cases being forwarded to FIS. Recommendation 5 We recommend that FIS require all the Contractors to implement internal controls to ensure that all reviewers have the required training. FIS’s Response: FIS partially concurs with the recommendation. “Because the methods by which contractors provide oversight, internal controls, and quality assurance are determined by the contractor and not the Government, FIS will recommend to USIS that it consider reevaluating its internal controls to determine how the company will validate that its 16 reviewers have received the required training, and will request that USIS identify its remedial action plans for any substandard performance identified. In addition, OPM FIS is preparing change documents for the contracts to ensure that the Contractors maintain formal, complete training records and require that full documentation be provided within 24 hours of an OPM request. OPM FIS plans to submit a final modification to OPM Contracting for implementation for fiscal year 2015, which should occur no later than September 30, 2014 for all contracts.” D. Federal Investigative Services’ Oversight of Contractors 1. Oversight Controls over the Contractors Need Strengthening Based upon the results of this audit, we have concluded that FIS needs to strengthen their controls over the Contractors’ background investigation case review process. We found the following as a result of our testing the Contractors’ background review processes: (1) two USIS reviewers performed an abnormal number of reviews in a short timeframe, only one of which was identified by FIS’s oversight control; (2) support was not provided to show that the Contractor reviewers and support personnel met training requirements; and (3) not all ROIs were reviewed by the Contractor reviewers prior to submitting cases to OPM. FIS’s three contracts, Section C.6 of OPM15-11-C-0017 (CACI); OPM15-11-C-016 (KGS); and OPM15-11-C-0015 (USIS), each state that “OPM will initiate a contract performance assessment program that evaluates the quality and timely performance of the contract requirements and require corrective measures as appropriate. OPM will ensure compliance with contract requirements through various means such as a review of administrative and managerial processes and investigative practices, on-site inspections, an assessment of employees while conducting work (check rides), and a quality review of completed fieldwork investigations.” FIS’s Support Services contract, Section C.5 (5.1) of OPM15-11-C-0004, states that “OPM may inspect and test the services called for by the Contract to the extent practicable at all times and places during the term of the Contract. OPM may vary the levels of surveillance depending on the Contractor’s conformance to the Performance Standards (Attachment 3). This may include, but is not limited to, assessment of the Contractor’s performance based on customer satisfaction, statistically valid sampling, or 100% inspections. OPM will monitor the Contractor’s Integrity, Quality, and Timeliness.” Section C.5 (5.3) of the contract also states that “OPM will monitor compliance with Contract requirements through a review of work performed. Any 17 reports OPM relies on for purposes of evaluating the Contractor’s performance under this Contract may be shared with the Contractor as they are produced. OPM may modify existing or develop new reports as necessary to operate and enhance OPM’s oversight of Contractor performance. Quality standards are listed in Attachment 3.” GAO’s Standards for Internal Control in the Federal Government states that “Control activities are the policies, procedures, techniques and mechanisms that enforce management’s directives. Control activities occur at all levels and functions of the entity.” Some examples of control activities are: reviews by management at the functional or activity level, controls over information processing and appropriate documentation of transactions and internal control. Weak controls over the Contractors’ background investigation case review processes increases the risk of background investigations being compromised. Recommendation 6 We recommend that FIS strengthen their oversight controls over the Contractors’ review processes to ensure the contract requirements are being met. FIS’s Response: “OPM FIS concurs with the recommendation. As of February 2014, OPM FIS has realigned the Capacity Development and Oversight (CDO) office to strengthen the focus on oversight and inspecting for compliance. The restructure of CDO has allowed us to identify high risk areas to ensure we are focusing our efforts on those most important areas for the background investigation process. We have streamlined our processes and strengthened our methodologies. We have also provided 19 individuals with auditor training. OPM FIS will continuously evaluate the oversight controls to reasonably ensure the contractors are in compliance with the contracts.” 18 IV. MAJOR CONTRIBUTORS TO THIS REPORT Internal Audits Group , Auditor , Auditor , Auditor , Auditor , Auditor , Lead Auditor , Lead Auditor , Auditor-in-Charge , Senior Team Leader Chief 19 APPENDIX Received response on March 20, 2014 MEMORANDUM FOR CHIEF, INTERNAL AUDITS GROUP FROM: MERTON W. MILLER ASSOCIATE DIRECTOR, FEDERAL INVESTIGATIVE SERVICES Subject: Draft Report on the Audit of the Federal Investigative Services' Case Review Process over Background Investigations (Report No. 4A-IS-00-13-062) Summary of OPM Position We have reviewed your draft audit report on OPM’s Federal Investigative Services’ (FIS) Case Review Process over Background Investigations program and are in concurrence with the findings and recommendations identified in the report. While OPM FIS is in concurrence with the findings and recommendations, it should be noted that effective February 24 th, only federal employees are conducting the final quality review before the investigative product is sent to the agency for review and adjudication. The action to federalize the final quality review process is part of Director Archuleta's ongoing effort to strengthen the background investigation process. We recognize that even the most well run programs can benefit from an external evaluation and we appreciate the input of the Office of the Inspector General as we continue to work to enhance our Case Review Process over Background Investigations program. Specific responses to your recommendations are provided below Response to Recommendations Finding #A1: General Observations/PIPS Events We consider the PIPS events used by the Contractors (Displayed, Modified, and Printed) to be weak controls over determining if an investigative item has been reviewed. The reliance on these PIPS events is not sufficient to show that a review occurred on the investigative items. For example, if an authorized user logs into PIPS to research a case PIPS will mark the item "Displayed". In this example the user is only doing research and not performing a review; however, under the current control that action would constitute a review. We believe requiring the Contractors' reviewers to mark all investigative items RC in PIPS will help solidify that the review occurred. In addition, it documents that the reviewer is taking ownership that the review took place. RECOMMENDATION #1: We recommend that FIS require the Contractors to mark all investigative items RC in PIPS. MANAGEMENT RESPONSE: OPM FIS partially concurs with this recommendation. OPM FIS concurs that the process to document the contractors’ pre-submission quality review needs improvement and is currently exploring multiple options to remedy this involving system changes and contract changes. OPM FIS does not concur that requiring the contractors to mark all investigative items RC in PIPS is the best avenue for improving this process. See response for Recommendation #2 for OPM FIS’ plan of action. For clarification, it should be noted that there is only one PIPS event that indicates that the review of the report occurred and it is Review Complete (RC). The other functions noted: Display (DR), Print (PR), or Modify (MO) are PIPS-R methods for access to a report. We utilize the lack of these events in PIPS-R as indicators of potential fraud or non-compliance with contract requirements since the PIPS-R functions mentioned above should occur before the RC event. FINDING #A2: General Observations/Auto-Released Reports of Investigations FIS does not have a control in place to verify that the Contractors are conducting a review of the auto-released ROIs. We identified ROIs where no review occurred prior to submission to OPM. See Finding B2: No Reviews of Reports of Investigations for the details. We determined that 15 out of the 17 ROIs were auto-released. Therefore, the Contractors are not conducting a pre-review of all investigative items as required by the OPM contract. FIS' stated that they are working with their Information Technology department to enhance the Report of "RC" prior to Review Action to capture the auto-released ROIs. We believe if the enhancements are made to include the auto-released ROIs in the Report of "RC" prior to Review Action and they use this report consistently to monitor the ROIs, it will increase FIS' effectiveness in ensuring the Contractors are conducting a review of all investigative items. RECOMMENDATION #2: We recommend that FIS implement an internal control to ensure the Contractors are reviewing the auto-released ROIs and that they document a review took place. DELETED BY OPM-OIG NOT RELEVANT TO THE AUDIT REPORT MANAGEMENT RESPONSE: OPM FIS concurs with this recommendation. OPM FIS concurs that the process to document the contractors’ pre-submission quality review needs improvement and is currently exploring multiple options to remedy this involving system changes and contract changes, which will allow for enhancement of the oversight of the contractors’ review process as necessary. There are currently 4 options being explored. Option #1: OPM FIS is exploring the capability of enhancing our automated system to allow for it to accept an additional RC event after the ROI is auto-released and then requiring the contractor to enter this event after the review of the ROI. This change would then allow the contractors to record in our system that a pre-submission quality review had been conducted even after the ROI had auto-released. Our oversight staff could then more easily monitor reports to apply penalties for those cases that contain ROIs that did not have an RC event by the contractor. Option #2: OPM FIS is also exploring a separate enhancement that will allow for the whole case review, inclusive of all contractor ROIs. This enhancement would identify when all ROIs have been completed and will place the case in status that allows for the contractor’s review of the entire case instead of individual ROIs. This would ensure accountability of the contractors and provide the visibility needed for OPM FIS to conduct proper oversight at the case level rather than the individual ROI level. Option #3: OPM FIS is also exploring the increase of the auto-release time constraints from 30 days to 99 days for each ROI which would allow the contractor more than adequate time to review each ROI and should virtually eliminate any auto-release. Of course, we need to carefully consider this option so as to not have an adverse impact on meeting the congressionally mandated timeliness requirements. Option #4: With OPM FIS’ recent decision to federalize all final quality review under the support services contract, we are conducting an assessment of the cost and value added of the contract requirement of the pre-submission quality review. Many other Federal agencies that contract out similar work do not require a pre-submission quality review. OPM FIS acknowledges that this requirement may provide added value to our process, but this needs to be carefully weighed with the cost of this requirement, the oversight that is needed to monitor this requirement, the system changes to support this requirement, the federal review process we have in place, and the ultimate benefit that is received. The removal of this requirement does not alleviate the contractor from submitting a product to OPM FIS that is compliant with contract requirements, nor does it prevent a contractor from using its own internal quality control and quality assurance processes and procedures to meet or exceed such contract requirements. . OPM FIS will assess all of these options above and any additional options to render a decision by May 1, 2014. OPM FIS is unable to give a date as to when the selected option will be implemented due to the complexities with changing the IT systems. OPM FIS also provides further clarification regarding the auto-release function. In February of 2008 new system functionality was added to our workflow to facilitate better contractor management of quality review. This system adjustment assigned codes to track when portions of the investigative case are transmitted by investigator(s) and ready for contractor quality review (RV), and when the quality review is completed (RC). This adjustment enhanced the ability of the contractor supervisors and reviewers to manage their quality review workload, and also provided data points supporting more robust system reports for management purposes. The adjustment included a feature to automatically change the status code of a report from "RV" (Ready for Review) to "RC" (Review Complete) at a pre-determined time in the event the report has not been released in a timely manner. The feature (termed auto-release) was a necessary fail-safe to eliminate workflow backlogs and move work along in deference to timeliness mandates. When a report nears the time it will move out of review status, the contractor receives multiple notices to complete the review. Reports that move automatically out of RV to RC can still be reviewed by the contractor. The work stays available for contractor review until the last item of the case is identified as RC. At that point, the entire case status changes and the case is removed from contractor control by indicating it is complete and ready for OPM FIS’ federal review. If the contractor entity allows a completed case with auto-released ROI's to go to OPM's Federal review process, and the case is determined to not meet quality standards, the work is returned to the contracting entity for rework and penalties are applied. FINDING B1: Case Review Process/Abnormal Reviews We found that two USIS reviewers completed abnormal BIC reviews in a short timeframe. For our review, we concluded that an abnormal review of BIC is when the reviewer signs off as RC on multiple cases in a very short timeframe. While we understand it is possible for a reviewer to RC in bulk, we find that the rate at which these reviewer RC'd the cases to be abnormal. For example, one reviewer completed 15,152 case reviews during a one month timeframe, with most of these occurring within minutes of each other on multiple days. Details of our review were provided to FIS separate from this report. We obtained the Federal review audit universe of 483,200 CBIC from October 1, 2012 through August 31, 2013. We analyzed the audit universe of CBICs where there was a RC event in PIPS by the Contractors. Specifically, we looked for trends where reviewers completed reviews on multiple cases in an abnormal timeframe. We noted that FIS was aware that abnormal reviews were being completed by USIS reviewers and had previously identified one of the two reviewers as completing abnormal reviews. FIS had taken administrative action prior to this draft report. FIS' contract with USIS, Section C.7 (a) of OPM15-11-C-0015 states that "The Contractor shall conduct a pre-submission quality review by a qualified reviewer of all OPM-FIS products and shall maintain an inspection and evaluation system to ensure that all investigative work products and other deliverables submitted to OPM conform to contract requirements, national investigative and adjudicative standards. The Contractor shall not submit for payment any case that does not meet the requirements of this contract." GAO's Standards for Internal Control in the Federal Government states that "Control activities are the policies, procedures, techniques and mechanisms that enforce management's directives,…Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliation, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Examples of control activities are: reviews by management at the functional or activity level, controls over information processing, proper execution of transactions and events, and appropriate documentation of transactions and internal control." Allowing the Contractor' reviewers to sign off on multiple background cases at the same time could result in being BIC being processed as reviewed when no review occurred. RECOMMENDATION 3: We recommend that FIS require USIS to strengthen their internal controls over reviewers to prevent them from RC'ing large numbers of cases in a short timeframe. DELETED BY OPM-OIG NOT RELEVANT TO THE AUDIT REPORT MANAGEMENT RESPONSE: OPM FIS concurs that USIS’ internal controls to catch abnormal reviews have not always provided the desired results. Because the methods by which contractors will provide oversight and quality assurance of contract requirements are determined by the contractor and not the Government, FIS will recommend to USIS that it consider reevaluating its internal controls to determine how the company might improve its oversight of its reviewers, and will request that USIS identify its remedial action plans for any substandard performance. FIS will also assess whether a change to its requirements such as specifying the number of cases that may be RC’d within a specified timeframe, would improve the results if modified into the contract. Because this is a Performance Based Contract, USIS must devise the methods in which it will ensure compliance with contract requirements and how to achieve the performance standards. DELETED BY OPM-OIG NOT RELEVANT TO THE AUDIT REPORT OPM FIS will assess all of the options noted in response to Recommendation #2 and any additional options to render a decision by May 1, 2014. OPM FIS is unable to give a date as to when the selected option will be implemented due to the complexities with changing the IT systems. However, 60 days after the option is implemented, OPM FIS will design oversight mechanisms to monitor these functions and require our contractors to detail to OPM FIS the internal controls they will implement as a result of this change as warranted. FINDING B2: Case Review Process/ No Reviews of Reports of Investigations We found 3 ROIs from USIS, 4 ROIs from CACI and 10 ROIs from KGS that were not reviewed by the Contractors prior to submitting the background investigations to OPM. Details of our review were provided to FIS separate from this report. We obtained FIS' Federal review of 483,200 background investigations closed from October 1, 2013 through August 31, 2013. We selected a sample of 328 background investigation cases to verify a review occurred on each ROI prior to submission to OPM. Specifically, we selected: • 108 out of 221,673 BIC reviewed by USIS. • 110 out of 126,091 BIC reviewed by CACI. • 110 out of 135,436 BIC reviewed by KGS. CACI confirmed that the ROIs were not reviewed and stated that they do not know why no review took place. KGS stated that the ROIs in question are law check ROIs. If an investigator codes a ROI as "Completed No Record" or "Completed Referred", then the reviewer does not expect to see a ROI for review and will allow PIPS to auto-release the ROI. USIS stated that a work leader may have marked RC by accident for one of the ROIs; however, they were unable to provide a cause for the remaining ROIs in question. FIS's three contracts, Section C.7 (a) of OPM15-11-C-0015 (USIS); OPM15-11-C-0016 (KeyPoint); and OPM15-1 l-C-0017 (CACI) each state that "The Contractor shall conduct a presubmission quality review by a qualified reviewer of all OPM-FIS products and shall maintain an inspection and evaluation system to ensure that all investigative work products and other deliverables submitted to OPM conform to contract requirements, national investigative and adjudicative standards. The Contractor shall not submit for payment any case that does not meet the requirements of this contract." GAO's Standards for Internal Control in the Federal Government states that "Control activities are the policies, procedures, techniques and mechanisms that enforce management's directives. Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliation, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Some examples of control activities are: reviews by management at the functional or activity level, controls over information processing, proper execution of transactions and events, and appropriate documentation of transactions and internal control." As a result of no reviews occurring on the ROIs prior to submission to OPM, the Contractors have been paid for work that was not reviewed. In addition, the lack of reviews can lead to inadequate work being performed and BIC being potentially compromised. RECOMMENDATION 4: We recommend that FIS require the Contractors to implement internal controls to ensure that all ROIs within a case have been reviewed prior to submission to OPM. DELETED BY OPM-OIG NOT RELEVANT TO THE AUDIT REPORT MANAGEMENT RESPONSE: Following a discussion with the OPM Senior Procurement Executive OPM FIS partially concurs with this recommendation. Because the methods by which contractors provide oversight, internal controls, and quality assurance are determined by the contractor and not the Government, FIS will recommend to USIS that it consider reevaluating its internal controls to determine how the company might improve its compliance with ROI review requirements, and will request that USIS identify its remedial action plans for any substandard performance. OPM FIS had already identified this area as an issue based upon routine inspections of the contractors’ review process. OPM FIS has required each of the fieldwork contractors to update quality control plans to further ensure that this contractual review is conducted on each product submitted and a certification from the program director of each contract company that the review of each product submitted has occurred on a monthly basis. These quality control plans are currently being reviewed and coordinated with the Contractors. OPM FIS has also created a new inspection team whose focus is to oversee contractual compliance including this area of the contract. Further, OPM FIS clarifies that the Fieldwork contractors’ review is one part of OPM’s quality assurance process. In addition to the required fieldwork contractual review, all cases were reviewed by either federal review staff or the support contractor review with federal oversight of that process prior to being sent to the customer agencies. As of February 24, 2014, all cases will receive a review by Federal staff. Therefore, the effect of the contractors’ lack of reviews does not lead to background investigations being potentially compromised. For clarification, it should be noted that there is only one PIPS event that indicates that the review of the report occurred and it is Review Complete (RC). The other functions noted: Display (DR), Print (PR), or Modify (MO) are PIPS-R methods for access to a report. We utilize the lack of these events in PIPS-R as indicators of potential fraud or non-compliance with contract requirements since the PIPS-R functions mentioned above should occur before the RC event. FINDING C1: Training/Reviewer Training We were unable to verify that 5 KGS and 24 USIS' reviewers and support personnel met training requirements. The names of the reviewers and support personnel were provided to FIS separately from this report. We randomly selected a total of 100 Contractors' reviewers and support personnel to determine if they met the qualifications to perform their duties. Specifically, we selected: • 25 out of 80 CACI Reviewers. • 25 out of 323 USIS Fieldwork Reviewers. • 25 out of 54 USIS Support Personnel. • 25 out of 78 KGS Reviewers. USIS lacks internal controls over the retention of training documentation. KGS did not have any formal records of the reviewers' initial training. FIS' two contracts, Section C.3(c) of OPM15-11-C-0015 (USIS) and OPM15-11-C-0016 (KGS); each state that "OPM requires that certain personnel performing work under this contract possess minimum qualifications and training, as specified in Attachment 2 (Attachment 2-Resume, Format, Qualifications, and Training Requirements), and reserves the right to review these qualifications, determine if f the minimum requirements are met, and whether the individual shall be permitted to perform work on the contract." Attachment 2 of the contracts includes the following training topics: 1. Investigators Handbook Training 2. EPIC Training 3. Mock Interviews 4. Supervised Live Work 5. Mock Case Reviews 6. Security Briefing (Includes proper Handling/Storage of Case Materials) 7. Professional Conflict 8. Issue Resolution FIS' Support Services contract, Section C.3 (3.1) of OPM15-11-C-0004 states that "the Contractor shall develop and implement an OPM approved program for initial, periodic, and update training to ensure staff proficiency. It must include initial and yearly refresher training to identify and correct problems in proficiency by its personnel working under this Contract, training for any changes in technology, policies, procedures, Investigator's Handbook, and the Annual IT Security and Privacy Awareness training." GAO's Standards for Internal Control in the Federal Government states that "Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination." GAO's Standards for Internal Control in the Federal Government also states that "All personnel need to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control. Management needs to identify appropriate knowledge and skills needed for various jobs and provide needed training. . . . Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs." The absence of documentation to support that all reviewers and support personnel have been trained increases the risk that there are reviewers and support personnel who have not been properly trained to perform their duties. Individuals that are not properly trained to review background investigations can lead to deficient cases being forwarded to FIS. RECOMMENDATION 5: We recommend that FIS require all the Contractors to implement internal controls to ensure that all reviewers have the required training. DELETED BY OPM-OIG NOT RELEVANT TO THE AUDIT REPORT MANAGEMENT RESPONSE: Following a discussion with the OPM Senior Procurement Executive OPM FIS partially concurs with the recommendation. Because the methods by which contractors provide oversight, internal controls, and quality assurance are determined by the contractor and not the Government, FIS will recommend to USIS that it consider reevaluating its internal controls to determine how the company will validate that its reviewers have received the required training, and will request that USIS identify its remedial action plans for any substandard performance identified. In addition, OPM FIS is preparing change documents for the contracts to ensure that the Contractors maintain formal, complete training records and require that full documentation be provided within 24 hours of an OPM request. OPM FIS plans to submit a final modification to OPM Contracting for implementation for fiscal year 2015, which should occur no later than September 30, 2014 for all contracts. FINDING D1: FIS Oversight of the Contractors/ Oversight Controls over the Contractors FIS needs to strengthen their controls over the Contractors' BIC review process. We found the following as a result of our testing the Contractors' background review processes: (1) A USIS reviewer performed abnormal reviews in a short timeframe; (2) support was not provided to show that the Contractors' reviewers and support personnel met training requirements; and (3) all ROIs were not reviewed by the Contractors' reviewers prior to submitting cases to OPM. FIS' three contracts, Section C.6 of OPM15-11-C-0017 (CACI); OPM15-11-C-016 (KGS); and OPM 15-1 l-C-0015 (USIS) each state that "OPM will initiate a contract performance assessment program that evaluates the quality and timely performance of the contract requirements and require corrective measures as appropriate. OPM will ensure compliance with contract requirements through various means such as a review of administrative and managerial processes and investigative practices, on-site inspections, an assessment of employees while conducting work (check rides), and a quality review of completed fieldwork investigation." FIS' Support Services contract, Section C.5 (5.1) of OPM15-1 l-C-0004 states that "OPM may inspect and test the services called for by the Contract to the extent practicable at all times and places during the term of the Contract. OPM may vary the levels of surveillance depending on the Contractor's conformance to the Performance Standards (Attachment 3). This may include, but is not limited to, assessment of the Contractor's performance based on customer satisfaction, statistically valid sampling, or 100% inspections. OPM will monitor the Contractor's Integrity, Quality, and Timeliness." Section C.5 (5.3) of the contract also states that "OPM will monitor compliance with Contract requirements through a review of work performed. Any reports OPM relies on for purposes of evaluating the Contractor's performance under this Contract may be shared with the Contractor as they are produced. OPM may modify existing or develop new reports as necessary to operate and enhance OPM's oversight of Contractor performance. Quality standards are listed in Attachment 3." GAO's Standards for Internal Control in the Federal Government states that "Control activities are the policies, procedures, techniques and mechanisms that enforce management's directives. Control activities occur at all levels and functions of the entity. Some examples of control activities are: reviews by management at the functional or activity level, controls over information processing and appropriate documentation of transactions and internal control." Weak controls over the Contractors' BIC review processes, increases the risk of being compromised. RECOMMENDATION 6: We recommend that FIS strengthen their oversight controls over the Contractors to ensure the contract requirements are being met. DELETED BY OPM-OIG NOT RELEVANT TO THE AUDIT REPORT MANAGEMENT RESPONSE: OPM FIS concurs with the recommendation. As of February 2014, OPM FIS has realigned the Capacity Development and Oversight (CDO) office to strengthen the focus on oversight and inspecting for compliance. The restructure of CDO has allowed us to identify high risk areas to ensure we are focusing our efforts on those most important areas for the background investigation process. We have streamlined our processes and strengthened our methodologies. We have also provided 19 individuals with auditor training. OPM FIS will continuously evaluate the oversight controls to reasonably ensure the contractors are in compliance with the contracts. cc: IOC