U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Improvement Required to Safeguard Enforcement and Inspection Credentials

Report No. 12-P-0328
March 9, 2012

Report Contributors:
Allison Dutton
Christine El-Zoghbi
Eric Lewis
Ryan Patterson

Abbreviations

EPA   U.S. Environmental Protection Agency
OARM  Office of Administration and Resources Management
OECA  Office of Enforcement and Compliance Assurance
OIG   Office of Inspector General

Hotline

To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail: OIG_Hotline@epa.gov
phone: 1-888-546-8740
fax: 202-566-2599
online: http://www.epa.gov/oig/hotline.htm
write: EPA Inspector General Hotline, 1200 Pennsylvania Avenue NW, Mailcode 2431T, Washington, DC 20460

At a Glance

Why We Did This Review

We initiated this project to determine whether sufficient controls exist over credential management in accordance with U.S. Environmental Protection Agency (EPA) Order 3510, "EPA Federal Credentials for Inspections and Enforcement of Federal Environmental Statutes."

Background

The Office of Administration and Resources Management (OARM) and the Office of Enforcement and Compliance Assurance (OECA) manage credentialing of EPA and non-EPA employees. The order sets forth procedures for use by compliance employees in issuing EPA credentials. The order will be revised in fiscal year 2012.

What We Found

Some internal controls over credentials were not being implemented. In Region 3, where we conducted an in-depth review, we initially found that the required annual 10 percent inventory of credentials had not been completed for EPA personnel and was not being documented for non-EPA personnel.
As of February 15, 2012, OARM personnel informed us that all regions, with the exception of Region 5, have completed their EPA employee credential inventory for 2011. The credential-holder signature upon receipt of a new credential was also not being collected for all EPA employees.

Also, safeguards for EPA's enforcement credential program could be improved. There is no timeline requirement for EPA employees to report the loss/theft of a credential. Failing to report this information in a timely manner could put the integrity of the credential at risk. On the credential justification form used by EPA employees, requesting officials are only required to provide a signature, and not their title or any contact information. Approving officials must provide a signature and title, but not their printed name or contact information. Illegible signatures make identifying the parties on the form difficult. EPA Order 3510 does not identify what level of authority is required to approve a request for a credential. This creates a security vulnerability by allowing individuals at any level to approve requests for credentials.

What We Recommend

We recommend that the Assistant Administrators for OARM and OECA comply with the internal controls of EPA Order 3510 and revise EPA Order 3510 to include certain provisions that will improve enforcement and inspection credentialing. EPA agreed with all our recommendations and provided milestone dates for all recommendations.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2012/20120309-12-P-0328.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

March 9, 2012

MEMORANDUM

SUBJECT: Improvement Required to Safeguard Enforcement and Inspection Credentials
         Report No. 12-P-0328

FROM: Arthur A. Elkins, Jr.
      Inspector General

TO: Craig Hooks
    Assistant Administrator
    Office of Administration and Resources Management

    Cynthia Giles
    Assistant Administrator
    Office of Enforcement and Compliance Assurance

This is our report on the subject evaluation conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

As noted in the report, the Agency has agreed with our recommendation and provided satisfactory completion dates for remaining actions. Therefore, this report is considered closed, and a corrective action plan is not necessary. However, the outstanding required actions will remain open until completed. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Eric Lewis, Director for Special Reviews, at (202) 566-2664 or eric.lewis@epa.gov.

Table of Contents

Purpose
Background
Scope and Methodology
Results of Review
    Some EPA Order 3510 Internal Controls Are Not Being Implemented
    Safeguards for EPA's Enforcement Credential Program Could Be Improved
Recommendation
Agency Comments on Draft Report
Status of Recommendations and Potential Monetary Benefits

Appendices
    A  Agency Comments on Draft Report
    B  Distribution

Purpose

The Office of Inspector General (OIG) evaluated the U.S.
Environmental Protection Agency's (EPA's) controls over its enforcement and inspection credentials program.

Background

Certain EPA organizations are responsible for issuing and managing federal credentials provided to employees of EPA, states, tribes, territories, contractors, and grantees, as well as employees of other federal agencies. These credential-holders are authorized by EPA to conduct inspections or investigations and take samples on EPA's behalf under various federal environmental statutes. EPA federal credentials provide the credential holder broad access to establishments, facilities, and other properties for the purpose of:

- Inspecting relevant activities and components, including records, processes, equipment, and products;
- Taking photographs/videos; and
- Collecting documentary and physical samples.

EPA Order 3510, "EPA Federal Credentials for Inspections and Enforcement of Federal Environmental Statutes," sets forth procedures for use by compliance employees in issuing EPA credentials. The order will be revised in fiscal year 2012.

The Office of Enforcement and Compliance Assurance (OECA) is responsible for maintaining EPA Order 3510. Under the Order, the Office of Administration and Resources Management (OARM) and OECA divide responsibilities for credential management. Per EPA Order 3510, OECA has primary responsibility for the credentials program, including establishing policy, procedures, and guidance for issuing credentials to EPA and non-EPA employees, and establishing training requirements for employees. OARM has administrative responsibility for credentials issued to EPA employees.

To request a new credential, the sponsoring office must submit a Credential Justification Form for EPA Employees or the form titled "Required Form for Requesting Credentials from Headquarters," commonly referred to as "Appendix B" in the case of non-EPA employees.
These request forms indicate the supervisor's requirement for the individual to have a credential and confirm that the individual has completed all required training. Once the form is signed by the applicant, the requesting official, and the senior manager such as the Assistant Administrator or Regional Administrator, the form is sent along with a photo of the applicant to headquarters for approval and processing. Once received, the form is approved by OARM for EPA employees or by OECA for non-EPA employees and the credential is produced. EPA employee credentials are valid for up to 3 years. Non-EPA employee credentials bear an expiration date consistent with the time frame mentioned in their cooperative agreement, but no longer than 3 years.

EPA Order 3510 provides some guidelines on how to safeguard the credentials. The order requires that credential holders report a lost/stolen credential to EPA. The order requires OARM to conduct an inventory verifying that the employee issued the credential has the credential in his/her possession. The order also requires OECA to maintain an inventory of unissued state/tribal credentials and develop procedures for an annual inventory. According to EPA Order 3510, 10 percent of the active credentials must be inventoried annually.

Scope and Methodology

We conducted this evaluation from June to December 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the evaluation to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our evaluation objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our evaluation objectives.

We limited our scope to EPA's federal enforcement and inspection credentials. We did not examine EPA's management of its law enforcement credentials or credentials issued by the OIG.
We identified and described EPA's infrastructure for managing and controlling credentials, the personnel, guidance, training, procedures, and electronic systems involved. We reviewed databases for both OARM and OECA. This review included documentation of credential management at a national level and in Regions 1, 3, 8, and 10. We also conducted interviews with personnel from OARM and OECA regarding national practices in credential management.

We conducted an in-depth review of credential management in one region, Region 3. According to EPA Order 3510, regions have identical responsibilities with regard to credentials. Region 3 manages approximately 10 percent of all EPA and non-EPA employee credentials. We looked in detail at each individual credential in Region 3. This review included request for credential forms and electronic databases detailing credential numbers, statutes, and expiration dates. For each credential in Region 3, we sought to find documentation of:

- Request for credential with appropriate signatures,
- Completion of required training, and
- Accurate credential number and expiration date on all paperwork and electronic databases.

Results of Review

Some internal controls over credential management were not being implemented. EPA Order 3510 assigns responsibilities for managing credentials, including specific procedures for issuing credentials, tracking existing credentials, organizing and conducting training, and safeguarding credentials. In Region 3, where we conducted an in-depth review, we initially found that the required annual 10 percent inventory of credentials had not been completed for EPA personnel for 2011 and was not being documented for non-EPA personnel. According to OARM, most regions have completed their EPA employee credential inventory for 2011. Also, safeguards for EPA's enforcement credential program could be improved.
For example, EPA Order 3510 includes no timeline for EPA employees to report lost/stolen credentials. Therefore, some EPA employees are reporting their credentials lost/stolen months after last seen. Also, the credential justification form requires a signature but not a printed name, title, or contact information for requesting officials. The form requires a signature and title but not printed name or contact information for approving officials. Illegible signatures make identifying the parties on the form difficult.

Some EPA Order 3510 Internal Controls Are Not Being Implemented

According to the Office of Management and Budget, internal controls should be designed to provide reasonable assurance regarding prevention or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets. EPA Order 3510 includes at least two procedures designed to prevent unauthorized use of EPA federal credentials. These include the annual 10 percent inventory of credentials and the signature required from each credential holder acknowledging acceptance of the credential.

In August 2011, Region 3 personnel informed us that they had not yet conducted the 2011 annual inventory for EPA employees and had not received official guidance for the inventory. We also found that Region 3 reported conducting an annual inventory for non-EPA employees, but there was no documentation to support this. While the regions have been contacted in the past regarding the inventory for EPA employees, they had not been given specific instructions from OARM on how to conduct it. EPA Order 3510 requires OARM to develop a protocol for the annual inventory.

Given the EPA Order 3510 requirement, we were planning to recommend that OARM provide direction to complete and document the inventory. Before this report was issued, OARM issued guidance to complete and document the inventory. The inventory was required to be completed by December 31, 2011.
OARM personnel informed us that, as of February 15, 2012, all regions with the exception of Region 5 have completed their credential inventory.

A second internal control, the credential holder signature on the acknowledgment statement, was not always being collected as required for EPA employees. The acknowledgment statement indicates that the credential holder agrees to comply with the provisions of the order, including those which require safeguarding the credential. For Region 3 EPA employees, we found that the region and headquarters were missing 31 of 223 (14 percent) acknowledgment signatures. The credential holder signature internal control seeks to guarantee an accurate inventory of credentials and ensure that personnel agree to comply with credential provisions, including safeguarding of the credential. The lack of approximately 14 percent of the required signatures compromises this internal control.

Safeguards for EPA's Enforcement Credential Program Could Be Improved

According to OARM and OECA, approximately 2,000 credentials are currently issued to EPA employees and 600 to non-EPA employees. EPA Order 3510 requires that non-EPA employees report the loss/theft of a credential within 72 hours. There is no timeline requirement for EPA employees to report the loss/theft of a credential. We found that some EPA employees were reporting their credentials lost/stolen months after last seen. Failing to report this information in a timely manner could put the integrity of the credential at risk. The order should require that EPA employees report credential loss/theft within 72 hours.

On the credential justification form used by EPA employees, requesting officials must provide a signature, but they do not need to print their name, title, or any contact information. Approving officials must provide a signature and title, but not their printed name or contact information. Illegible signatures make identifying the parties on the form difficult.
Such information might be needed to confirm the validity of the credential and the holder. Also, contact information can be used to confirm that the credential holder meets training requirements and certify the need for the credential, as specified in the order. Therefore, the order should ensure that the credential request form contains the requesting and approving officials' printed name, title, and contact information.

EPA Order 3510 indicates that the individual who approves a request for credential is "usually the Division Director, Regional Administrator, or Lab Director." The use of the term "usually" to identify the level of authority required to approve a request for credentials is unclear. This vague statement allows individuals at any level of authority throughout the Agency to approve requests for credentials. To ensure management approval at a standard level throughout the Agency, the order should specifically identify what level of authority is required to approve a request for a credential.

Recommendation

We recommend that the Assistant Administrator for Administration and Resources Management and the Assistant Administrator for Enforcement and Compliance Assurance:

1. Comply with the internal controls of EPA Order 3510 to ensure credential safeguards, including collection of the credential holder signature, and revise the order to include the following provisions:
   a. Require EPA employees to report credential loss/theft within 72 hours.
   b. Require that requesting and approving officials provide their printed name, title, and contact information on the request for credential form.
   c. Specify the level of management required to approve a request for credential.

Agency Comments on Draft Report

In its response to the draft report, the Agency agreed with our findings and indicated it will work to resolve the issues immediately. The Agency's response is included in its entirety in appendix A.
In addition, the Agency provided us with an email indicating it will contact the regions by February 16, 2012, to remind them of the importance of being compliant with the credential holder signature requirement. The Agency also plans to capture the 31 missing signatures from Region 3 EPA employees.

We are satisfied with the Agency's actions to date to address our recommendation, and concur with the proposed dates of completion for remaining actions. As this report is now closed, a corrective action plan is not necessary. However, the outstanding required actions will remain open until completed, including completion of the 2011 annual inventory for all regions.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Rec. No.: 1
Page No.: 5
Subject: Comply with the internal controls of EPA Order 3510 to ensure credential safeguards, including the collection of the credential holder signature, and revise the order to include the following provisions:
   a. Require EPA employees to report credential loss/theft within 72 hours. Planned Completion Date: 9/30/2012
   b. Require that requesting and approving officials provide their printed name, title, and contact information on the request for credential form. Status [1]: O. Planned Completion Date: 9/30/2012
   c. Specify the level of management required to approve a request for credential. Status [1]: O. Planned Completion Date: 9/30/2012
Action Official: Assistant Administrator for Administration and Resources Management and Assistant Administrator for Enforcement and Compliance Assurance
Planned Completion Date: 9/30/2012

POTENTIAL MONETARY BENEFITS (In $000s)

Claimed Amount:
Agreed-To Amount:
[1] O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is unresolved with resolution efforts in progress

Appendix A

Agency Comments on Draft Report

MEMORANDUM

SUBJECT: Response to Draft Report: Improvement Required to Safeguard Enforcement and Inspection Credentials, OPE-FY11-0014

FROM: Cynthia Giles
      Assistant Administrator
      Office of Enforcement and Compliance Assurance

      Craig Hooks
      Assistant Administrator
      Office of Administration and Resources Management

TO: Liz Grossman
    Acting Assistant Inspector General
    Office of Program Evaluation
    Office of Inspector General

This memorandum responds to the subject draft report issued on December 19, 2011. We agree with the report's findings and will work to resolve the issues immediately. We have one minor clarification regarding OECA and OARM's responsibilities for the credential program. Page 1 of the draft report states: "OARM manages EPA employee credentials while OECA manages credentialing of non-EPA employees" (p. 1). The draft report should state "Per EPA Order 3510, OECA has primary responsibility for the credential program, including establishing policy, procedures and guidance for issuing credentials to EPA and non-EPA employees and establishing training requirements for employees. OARM has administrative responsibility for credentials issued to EPA employees". Our comments and planned actions for resolving the issues are detailed as follows in response to each recommendation.

Draft Report Recommendations

1. Issue guidance for the conduct of the 10 percent annual inventory of credentials:

   a. Draft Report Recommendation: Issue guidance for the conduct of the 10 percent annual inventory of credentials (for EPA employees).

      i. OARM comments and planned actions to address recommendation: On October 4, 2011, OARM sent each Regional Security Manager guidance on conducting the 10% annual inventory of credentials and a reminder to complete the inventory. The draft report states: "Before this report was issued, OARM issued guidance to complete and document the inventory" (p. 3).

         Timeline: The recommended action has been completed.

   OIG Response: During this evaluation, OIG was planning to recommend that the Agency issue guidance for the conduct of the 10 percent annual inventory of credentials for EPA employees. Before the issuance of the draft report, EPA did issue this guidance, so we did not include the recommendation in the draft report. However, EPA has chosen to address this issue as a recommendation in its response to the draft report.

2. Comply with the internal controls of EPA Order 3510 to ensure credential safeguards, including collection of the credential holder signature, and revise the Order to include the following provisions:

   a. Draft Report Recommendation: Require EPA employees to report credential loss/theft within 72 hours.

      i. OARM and OECA comments and planned actions to address recommendation: OARM and OECA will work together to develop and add appropriate language to EPA Order 3510 which requires EPA employees to report lost or stolen credentials to the designated OARM contact immediately, or no later than 72 hours. Also, will work to revise EPA Order 3510 to include the new language.

         Timeline: September 30, 2012.

   b. Draft Report Recommendation: Require that requesting officials provide their printed title and contact information on the request for credential form (for EPA employees).

      i. OARM and OECA comments and planned actions to address recommendation: OARM and OECA will work together to develop and add appropriate language to EPA Order 3510 which requires the signature, title, and contact information of the requesting official on the credential request form used for EPA employees. Also, will work to revise EPA Order 3510 to include the new language.

         Timeline: Fiscal year 2012.

         With regard to the credential request form used for EPA employees, OARM will revise the form to add lines for the requestor's printed name, title, and contact information.

         Timeline: OARM will submit a draft revised credential form for management approval by March 1, 2012.

   c. Draft Report Recommendation: Specify the level of management required to approve a request for a credential.

      i. OARM and OECA comments and planned actions to address recommendation: OARM and OECA will work together to develop and add appropriate language to EPA Order 3510 which specifies the management level required to approve a credential request for EPA employees. Also, will work to revise EPA Order 3510 to include the new language.

         Timeline: September 30, 2012.

Please direct any questions or comments to Julie Tankersley, OECA at (202) 564-7002, or Tankersley.julie@epa.gov; or Tami Franklin, OARM at (202) 564-9218, or Franklin.tami@epa.gov.
cc: Lisa Lund, Director, OECA/OC
    Betsy Smidinger, Acting Deputy Director, OECA/OC
    Mamie Miller, Associate Director, OECA/OC
    Gwendolyn Spriggs, OECA/OAP
    Ed Messina, Acting Director, OC/MAMPD
    Rick Duffy, Deputy Director, OC/MAMPD
    Ann Pontius, Deputy Director, OC/MAMPD
    Al Havinga, Director, OC/CPS
    Renee Page, Director, OARM/OA
    Dennis Bushta, Deputy Director, OARM/OA
    Kelly Glazier, Deputy Director, OA/SMD
    Diane Dixon, Chief, OA/SMD/SOB
    Tiye Houston, OA/SMD/SOB
    Sandy Womack, OARM
    Bernie Davis-Ray, OARM
    Jacob Jenzen, OARM
    Christine El-Zoghbi, OIG
    Eric Lewis, OIG
    Ryan Patterson, OIG

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Enforcement and Compliance Assurance
Assistant Administrator for Administration and Resources Management
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Director, Office of Regional Operations
Audit Follow-Up Coordinator, Office of Enforcement and Compliance Assurance
Audit Follow-Up Coordinator, Office of Administration and Resources Management