At a Glance: Improvement Required to Safeguard Enforcement and Inspection Credentials

^EDSX
* JL \
US&J
\pB0/
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
12-P-0328
March 9, 2012
Why We Did This Review
We initiated this project to
determine whether sufficient
controls exist over credential
management in accordance
with U.S. Environmental
Protection Agency (EPA)
Order 3510, "EPA Federal
Credentials for Inspections and
Enforcement of Federal
Environmental Statutes."
Background
The Office of Administration
and Resources Management
(OARM) and the Office of
Enforcement and Compliance
Assurance (OECA) manage
credentialing of EPA and
non-EPA employees. The order
sets forth procedures for use by
compliance employees in
issuing EPA credentials. The
order will be revised in fiscal
year 2012.
Improvement Required to Safeguard
Enforcement and Inspection Credentials
What We Found
Some internal controls over credentials were not being implemented. In
Region 3, where we conducted an in-depth review, we initially found that the
required annual 10 percent inventory of credentials had not been completed for
EPA personnel and was not being documented for non-EPA personnel. As of
February 15, 2012, OARM personnel informed us that all regions, with the
exception of Region 5, have completed their EPA employee credential inventory
for 2011. The credential-holder signature upon receipt of a new credential was
also not being collected for all EPA employees.
Also, safeguards for EPA's enforcement credential program could be improved.
• There is no timeline requirement for EPA employees to report the
loss/theft of a credential. Failing to report this information in a timely
manner could put the integrity of the credential at risk.
• On the credential justification form used by EPA employees, requesting
officials are only required to provide a signature, and not their title or any
contact information. Approving officials must provide a signature and
title, but not their printed name or contact information. Illegible
signatures make identifying the parties on the form difficult.
• EPA Order 3510 does not identify what level of authority is required to
approve a request for a credential. This creates a security vulnerability by
allowing individuals at any level to approve requests for credentials.
What We Recommend
We recommend that the Assistant Administrators for OARM and OECA comply
with the internal controls of EPA Order 3510 and revise EPA Order 3510 to
include certain provisions that will improve enforcement and inspection
For further information, contact credentialing. EPA agreed with all our recommendations and provided milestone
our Office of Congressional and dates for all recommendations.
Public Affairs at (202) 566-2391.
The full report is at:
www.epa.aov/oia/reports/2012/
20120309-12-P-0328.pdf

-------