^EDSX * JL \ US&J \pB0/ U.S. Environmental Protection Agency Office of Inspector General At a Glance 12-P-0328 March 9, 2012 Why We Did This Review We initiated this project to determine whether sufficient controls exist over credential management in accordance with U.S. Environmental Protection Agency (EPA) Order 3510, "EPA Federal Credentials for Inspections and Enforcement of Federal Environmental Statutes." Background The Office of Administration and Resources Management (OARM) and the Office of Enforcement and Compliance Assurance (OECA) manage credentialing of EPA and non-EPA employees. The order sets forth procedures for use by compliance employees in issuing EPA credentials. The order will be revised in fiscal year 2012. Improvement Required to Safeguard Enforcement and Inspection Credentials What We Found Some internal controls over credentials were not being implemented. In Region 3, where we conducted an in-depth review, we initially found that the required annual 10 percent inventory of credentials had not been completed for EPA personnel and was not being documented for non-EPA personnel. As of February 15, 2012, OARM personnel informed us that all regions, with the exception of Region 5, have completed their EPA employee credential inventory for 2011. The credential-holder signature upon receipt of a new credential was also not being collected for all EPA employees. Also, safeguards for EPA's enforcement credential program could be improved. • There is no timeline requirement for EPA employees to report the loss/theft of a credential. Failing to report this information in a timely manner could put the integrity of the credential at risk. • On the credential justification form used by EPA employees, requesting officials are only required to provide a signature, and not their title or any contact information. Approving officials must provide a signature and title, but not their printed name or contact information. Illegible signatures make identifying the parties on the form difficult. • EPA Order 3510 does not identify what level of authority is required to approve a request for a credential. This creates a security vulnerability by allowing individuals at any level to approve requests for credentials. What We Recommend We recommend that the Assistant Administrators for OARM and OECA comply with the internal controls of EPA Order 3510 and revise EPA Order 3510 to include certain provisions that will improve enforcement and inspection For further information, contact credentialing. EPA agreed with all our recommendations and provided milestone our Office of Congressional and dates for all recommendations. Public Affairs at (202) 566-2391. The full report is at: www.epa.aov/oia/reports/2012/ 20120309-12-P-0328.pdf ------- |