The Bureau of Alcohol, Tobacco, Firearms and Explosives’ Controls Over Its Weapons, Laptop Computers, and Other Sensitive Property

Audit Report 08-29
September 2008
Office of the Inspector General


Appendix XV
Office of the Inspector General Analysis and Summary of
Actions Necessary to Close the Report

We provided the draft report to ATF for review and requested written comments. ATF’s written response is included as Appendix XIV of this report. ATF stated that it agreed with 10 of our recommendations, partially agreed with 3 recommendations, and disagreed with 1 recommendation. All of the recommendations are resolved because ATF either agreed with the recommendations or, for the one recommendation with which it disagreed, proposed sufficient corrective action to address the recommendation. We provide below our analysis of ATF’s response to the recommendations. Based on discussions with the ATF staff after the issuance of our draft report, we have made minor technical revisions to the final report. These revisions have no material effect on our results.

  1. Resolved. We recommended that ATF ensure that its staff notifies the Materiel Management Branch of all weapon and laptop computer losses and maintains copies of all supporting documentation. This recommendation is resolved based on ATF’s agreement and its plan to notify the Internal Affairs Division (IAD), Materiel Management Branch (MMB), and the ATF Joint Support Operations Center (JSOC) when accountable property is lost or stolen. However, it is not clear to us how the planned corrective action will both require and verify the proper reporting of these items to IAD, MMB, and JSOC. It is also not clear whether the planned corrective action will include accountable property identified as missing during periodic inventories, as we believe it should.

    Given that the corrective action plan requires staff to report each loss to three separate entities, ATF may choose to consider having its staff report these incidents only to the JSOC with the JSOC then reporting the incidents to IAD, MMB, the Department of Justice Computer Emergency Response Team (DOJCERT), and the National Crime Information Center (NCIC), if appropriate. This approach would simplify reporting for the staff and allow the JSOC to ensure that all other reports are properly made. It also has the potential to simplify the corrective actions proposed for Recommendations 2, 3, and 11.

    This recommendation can be closed when we receive ATF’s procedures for notifying IAD, MMB, ATF JSOC, DOJCERT, and NCIC, if appropriate, when accountable property is lost, stolen, or identified as missing during periodic inventories. The procedures should specify the requirement for the reporting and how proper reporting will be verified. The procedures should also include accountable property identified as missing during periodic inventories.

  2. Resolved. We recommended that ATF ensure that for each loss, Materiel Management provides Internal Affairs with the Report of Survey Information needed to conduct an investigation. This recommendation is resolved based on ATF’s agreement with it.

    Similar to Recommendation 1, it is not clear to us how the planned corrective action will both require and verify that Reports of Survey and other necessary information are provided to Internal Affairs. It is also not clear whether the planned corrective action will include accountable property identified as missing during periodic inventories, as we believe is appropriate.

    This recommendation can be closed when we receive ATF’s procedures for ensuring that the Materiel Management Branch provides Internal Affairs with the Report of Survey and other needed information for each loss. The procedures should specify the requirements for providing documentation to Internal Affairs and verifying the documents were provided. The procedures should also include accountable property identified as missing during periodic inventories.

  3. Resolved. We recommended that ATF implement a written policy for reporting losses of ammunition to Internal Affairs for investigation. This recommendation is resolved based on ATF’s agreement with it.

    ATF stated that it is revising reporting procedures and requiring new inventories to establish a baseline for perpetual inventories. However, it is not clear to us whether the corrective action plan will include procedures for reporting ammunition identified as missing during an inventory, which we believe should be included.

    We have separately received revised procedures requiring the reporting of ammunition losses resulting from break-ins or thefts. This recommendation can be closed when we receive ATF’s revised procedures for reporting losses of ammunition to Internal Affairs that include ammunition identified as missing during an inventory.

  4. Resolved. We recommended that ATF implement procedures to determine the contents of lost, stolen, and missing laptop computers. This recommendation is resolved based on ATF’s agreement with it.

    ATF stated that its current procedures require employees to provide reports summarizing the loss of an ATF laptop computer, the type of information it contained, whether the information was sensitive or personally identifiable information, and whether the laptop computer was encrypted. ATF stated that those reports are submitted to the Help Desk and subsequently reported to DOJCERT. This procedure is available to all ATF employees through the ATF Intra-web and is referenced in a March 2007 letter that we reviewed during our audit from the ATF Chief Information Officer (CIO). However, it is not clear to us who at ATF will determine the contents of the laptop computers and how the contents will be documented.

    This recommendation can be closed when we receive ATF’s procedures for determining and documenting the contents of lost, stolen, or missing laptop computers. These procedures should contain sufficient detail to identify and protect any information on lost or stolen laptop computers. In addition, the procedures should specify who is responsible for completing the required actions and who will determine and document the contents of the computers. We also request a copy of the procedure as posted on the ATF Intra-web.

  5. Resolved. We recommended that ATF require that lost, stolen, or missing weapons and laptop computers are appropriately entered into NCIC. This recommendation is resolved based on ATF’s partial agreement with it.

    ATF implied that our results included some items not reported to NCIC because those items were recovered shortly after being reported lost or stolen. This is incorrect. We clearly reported that seven weapons did not require an NCIC entry because ATF recovered those weapons shortly after the reported loss. We also identified five weapons not reported to NCIC and never subsequently recovered or recovered after a period of years.

    ATF’s response stated that ATF plans to revise its reporting procedures and will rely on its JSOC to ensure that all lost or stolen weapons and laptop computers are recorded timely in NCIC. Although ATF plans to revise its reporting procedures to include all lost and stolen weapons and laptop computers, it is not clear to us that the procedures will also apply to weapons and laptop computers identified as missing during an inventory, as we believe is appropriate. This recommendation can be closed when we receive ATF’s revised procedures requiring that all lost, stolen, or missing weapons and laptop computers be reported to NCIC, including weapons and laptop computers that are identified as missing during an inventory.

  6. Resolved. We recommended that ATF develop procedures for updating the property management system to ensure accurate and complete weapon and laptop computer records are maintained. Although ATF stated that it disagreed with the recommendation, it also identified plans for corrective action intended to ensure the accuracy of property management data. Despite its stated disagreement, this recommendation is resolved based on ATF’s planned corrective action as discussed below.

    ATF noted that it disagrees with the recommendation because current procedures are sufficient to address the recommended corrective action. However, ATF also identified additional plans to remind all employees to enter, update, and maintain accurate data; develop and implement standardized on-line training for property custodians; and revise procedures to require that property custodians be designated, at a minimum, at the level of branch or field office. In its response, ATF notes that “A fuller contingent of property custodians will enhance ATF’s ability to manage property and ensure accurate and complete computer records.” Given that all these actions, and particularly the one pertaining to property custodians, appear sufficient to address the clear intent of our recommendation, we believe the appropriate status for this recommendation is “resolved” based on the corrective action proposed by ATF.

    This recommendation can be closed when we receive documentation that: (1) employees have been reminded to enter, update, and maintain accurate property data; (2) standardized training has been developed and implemented for property custodians; and (3) procedures have been revised to require that property custodians be designated, at a minimum, at the branch or field office level. ATF’s next update on these recommendations should provide information about when each of the three actions is expected to be completed.

  7. Resolved. We recommended that ATF locate or report as missing the sampled items not found during the audit. This recommendation is resolved based on ATF’s partial agreement with it.

    We agree with ATF’s corrective action plan to improve the accountability of assets by appointing additional staff and establishing procedures to oversee the contractor that provides laptop computers to ATF staff. However, we disagree with ATF’s characterization of the 4 weapons and 23 laptop computers not located or verified during our audit.

    ATF stated that “Those items not physically inspected were characterized as lost by the audit team. Subsequently to that, ATF employees participated in an exhaustive effort with the audit team in faxing laptop verification certificates to the Atlanta Regional Audit Office.” In fact, during our on-site work at ATF offices we did not characterize as “lost” those items that were not available for physical inspection, and we do not characterize those items as “lost” in the audit report. For items that were not available for us to inspect personally during site visits, we requested signed confirmation memoranda for the weapons and laptop computers in our sample. Each confirmation memorandum was to include identifying information about each item and was to be signed by two people attesting to the identifying information. We did not accept as verified any property that we could not physically inspect and for which ATF could not produce a complete and properly signed confirmation memorandum.

    This recommendation can be closed when ATF provides documentation that each of the 27 items has been either located or reported as lost, stolen, or missing. Documentation should consist of an acceptable confirmation memorandum, signed by two people attesting to the identifying information on each item; documentation that the item has been reported as lost, stolen, or missing; or other documentation showing the item is accounted for.

  8. Resolved. We recommended that ATF ensure that all laptop computers are encrypted. This recommendation is resolved based on ATF’s agreement and its plan to complete encryption for networked laptop computers. However, ATF did not address laptop computers that are not networked. In its next update on these recommendations, ATF should provide further information about how and when the non-networked laptop computers will be encrypted, or provide the justification for not encrypting some of those laptop computers. The recommendation can be closed when we receive documentation that all of ATF’s laptop computers have been encrypted or justified as exempt from encryption.

  9. Resolved. We recommended that ATF ensure complete, accurate, and timely reports are submitted to the DOJ CIO containing all appropriate ATF laptop computers authorized to process classified information. This recommendation is resolved based on ATF’s agreement and its plan to review its procedures to determine how the prior omission occurred and make the necessary adjustments to prevent future occurrences. This recommendation can be closed when we receive the results of ATF’s review regarding how the omission occurred and a copy of the adjustments to the procedures ATF determines are appropriate to prevent future occurrences. If this is not completed prior to ATF’s next update on these recommendations, we request a planned completion date for this action.

  10. Resolved. We recommended that ATF ensure that complete, accurate, and timely semiannual reports identifying lost, stolen, or missing weapons and laptop computers are submitted to the DOJ Security Office and Justice Management Division. This recommendation is resolved based on ATF’s agreement and its plan to prepare semiannual reports based on recent modifications to its property management system. The recommendation can be closed when we receive a copy of the report due to the Department in September 2008.

  11. Resolved. We recommended that ATF develop procedures to ensure it completes accurate and timely incident reports summarizing the loss of ATF laptop computers and submits those reports to DOJCERT, as required by DOJ policy. This recommendation is resolved based on ATF’s agreement and its plan to revise its reporting process, which is specified in the response to recommendations 1 and 2. This recommendation can be closed when we receive the revised procedures outlined for recommendations 1 and 2.

  12. Resolved. We recommended that ATF maintain documentation for all disposed property, document data clearing of disposed laptop computers, and update active and disposed property records, as necessary. This recommendation is resolved based on ATF’s partial agreement.

    We are concerned that ATF’s response indicates only that it retains records in accordance with various standards and implies that we are requesting corrective action for records handled in accordance with those standards. ATF should note that we specifically excluded from our audit findings any records of property disposition that were outside ATF’s record retention period. Our audit found that there were no disposition records for 5 weapons and 21 laptop computers that were disposed of during the then-current and two prior fiscal years (2005, 2006, and 2007). In its next response to these recommendations, we request that ATF provide a plan to prevent these deficiencies in current records.

    Also, ATF’s response does not address the portion of the recommendation pertaining to documenting data clearing of disposed laptop computers. Our audit tested 116 of the 149 laptop computer disposals documented during the then-current and two prior fiscal years (2005, 2006, and 2007). Of the 116 laptops we tested, ATF provided certificates of data clearing for only 4 (3 percent). In its next response to these recommendations, we request that ATF provide a plan to document that data has been cleared from laptop computers prior to disposition.

    Finally, in its response to this recommendation ATF did not address the issue of updating active and disposed property records. However, we believe this action is adequately addressed in ATF’s response to recommendation 6.

    This recommendation can be closed when recommendation 6 is closed and when ATF provides evidence for how it will maintain documentation for all disposed property and document data clearing of disposed laptop computers.

  13. Resolved. We recommended that ATF develop procedures and maintain documentation to ensure that separated employees return all weapons, laptop computers, and other accountable property before they separate from ATF. This recommendation is resolved based on ATF’s agreement with it.

    We are concerned that ATF’s response focuses on reviewing the internal control process to ensure that returns of property are documented by supervisors and entered into the property management system. We found during our audit that it was not possible to identify property items in the system by employee name after the person had separated. Therefore, revisions to the process should include an alternate record of the serial and property identification numbers of accountable items returned by separating employees.

    This recommendation can be closed when we receive the results of the review of internal controls and revised procedures that will ensure ATF can identify the specific items returned by each separated employee.

  14. Resolved. We recommended that ATF enforce current requirements to perform annual inventories of ammunition and maintain a perpetual inventory system at all ammunition storage locations to ensure accurate and complete records. The recommendation is resolved based on ATF’s agreement with it.

    ATF’s response indicates that it will conduct an inventory by October 15, 2008, and that the ATF Office of Inspection will add the inspection of ammunition control logs to its office review process. We understand that inspections occur every 3 years for each office. We are concerned that the response does not specify how ATF will enforce its policy that annual ammunition inventories be performed, and does not specify how it will ensure that a perpetual inventory is maintained.

    This recommendation can be closed when we receive documentation demonstrating how ATF will ensure annual inventories of ammunition are performed and perpetual inventory records are maintained.

 


« Previous Table of Contents Next »