[Cover: Pillar] PENSION BENEFIT GUARANTY CORPORATION OFFICE OF INSPECTOR GENERAL SEMIANNUAL REPORT TO CONGRESS OCTOBER 1, 2004 TO MARCH 31, 2005 [Graphic: OIG Seal] [Inside Cover] MISSION The Office of Inspector General is an independent and objective voice that helps Congress, the Board of Directors and PBGC protect the pension benefits of American workers by promoting positive change, accountability and integrity VISION We will be recognized by our stakeholders as the primary source of objective & independent information for their key decisions VALUES Respect We will treat others as we would like them to treat us Integrity We will be a role model of ethical behavior Excellence We will constantly innovate & improve the quality and value of our work [graphic: OIG Seal] Pension Benefit Guaranty Corporation Office of Inspector General 1200 K Street, NW, Washington, DC 20005-4026 April 30, 2005 The Honorable Elaine Chao Chairman, PBGC Board of Directors On behalf of the Office of Inspector General for the Pension Benefit Guaranty Corporation, I am pleased to submit this Semiannual Report to the U.S. Congress. The report summarizes OIG activities for the six-month period ending March 31, 2005. It details our efforts to improve the economy and efficiency of PBGC operations, our efforts to prevent fraud, waste and misconduct, and fulfills our reporting requirements under the Inspector General Act. A priority for my office during this reporting period was accelerated financial reporting. This was the first year that federal agencies were required to issue financial statements by November 15, and at this time last year, I believed that there was significant risk that PBGC would not meet the accelerated reporting requirement. Despite many obstacles, the Corporation met the reporting deadline with a team effort on the part of the Board, PBGC management, PricewaterhouseCoopers LLP and my office. This is particularly impressive when you consider that PBGC received its 12th consecutive unqualified opinion and is one of a handful of federal agencies that have received an audit opinion on internal controls since 1992. Another priority for my office was establishing independent contract audit oversight. PBGC contracting activity doubled from 1999 to 2003, and now represents more than sixty percent of the annual operating budget. We have devoted a significant portion of OIG resources to contract audits to assist PBGC in controlling contract costs and improving contract management. Until recently, the responsibility and resources for contract audit was under the direct supervision of the Chief Financial Officer. OIG assumed responsibility for contract audits in 2004, and we are building the needed infrastructure. We have also used a risk-based approach to focus our audits on contracts with the highest risk potential and are working closely with the Procurement and the Contracts and Controls Review Departments to ensure a smooth transition. We also are proud of our success in obtaining indictments, convictions and monetary recoveries in our investigations, aimed at protecting the pension benefits of participants and safeguarding PBGC assets. PBGC reported the largest financial losses in its 30-year history in 2004. Completed and probable pension plan terminations required the single-employer insurance program to record losses totaling $14.7 billion, doubling the program deficit to $23.3 billion. PBGC has sufficient assets to continue paying participants guaranteed benefits for a number of years, but with $62.3 billion in total liabilities and $39 billion in total assets, the single employer program lacks the funds to pay a significant portion the future benefits for which it is obligated. PBGC’s growing deficit has focused attention on the agency, and many are questioning the viability of defined benefit pension plans. The Administration has submitted a proposal for legislative reform. OIG agrees that comprehensive reform is needed to protect the pensions of workers and retirees, and the viability of the pension insurance system. I am grateful for your support of my office, as well as PBGC management’s cooperation and responsiveness to our work. We are proud to be part of PBGC, and are striving to keep its programs efficient, effective and free from fraud, waste and abuse. Robert L. Emmons Inspector General PENSION BENEFIT GUARANTY CORPORATION Table of Contents Letter to the Chairman Executive Summary 1 Introduction 3 Audits 5 Overview Audit Activity Governance Financial Management Information Technology Security Procurement and Contracting Program Performance Other Audit Activity Access to Information Management Decisions Investigations 17 Overview Activity This Period Significant Investigations Summary of Investigative Activities Other Office of Inspector General Activities 21 Review of Proposed Statutory and Regulatory Changes Internal PBGC Activities Internal OIG Activities External Activities Appendix 25 Cross-Reference to Reporting Requirements of the Inspector General Act Reports Issued with Questioned Costs and Funds Put to Better Use Significant Open Recommendations Glossary 28 Executive Summary This Semiannual Report to Congress summarizes the activities and accomplishments of the Pension Benefit Guaranty Corporation (PBGC) Office of Inspector General (OIG) for the period October 1, 2004, through March 31, 2005. When accomplishing audit and investigative work, we ensure that it accords with our mission to be an “independent and objective voice for Congress, the Board of Directors, and PBGC.” We want to focus our work on the challenges facing PBGC and to be a primary source of timely and objective information for the organization. We will accomplish our work demonstrating our values of respect, excellence, and integrity. During this period, we conducted work in all areas designated as Management Challenges, focusing much of our audit effort on the financial statement audit and its related reports, and contract audits. • Governance— The Board of Directors, PBGC executives and the OIG have taken many positive steps to strengthen the oversight of PBGC, but additional improvements are needed (see page 5). • Financial management—we issued the 12th consecutive unqualified audit opinion, internal control opinion and report on laws and regulations compliance, related financial reports required by the Department of Treasury, a management letter for financial issues and one for information technology issues, and sponsored lessons learned sessions after the financial statement audit was completed (see page 6). • Information technology —we continued our work with PBGC in areas to improve for Federal Information Security Management Act (FISMA) reporting and continuity of operations, and provided to management a benchmarking study of other agencies’ e-mail retention policies (see page 10). • Procurement and contracting—we audited contracts with a total cost of $13.3 million and identified about $663,000 of questioned and unsupported costs, initiated a multi-phase contract audit and began an audit of PBGC’s procurement function (see page 12). • Program performance—we completed field work for evaluations of the purchase card program and accounts payable (see page 14). In the investigative area, we received a large number of allegations, many or which we were able to close during the inquiry stage. We opened 11 new cases, and closed 20 cases and 40 inquiries. Significant investigative work this period included: • Stolen PBGC laptop computers were recovered, resulting in three convictions (see page 17); • PBGC contractors were disciplined for misusing PBGC computers and e-mail to view and share pornography (see page 17); • Persons who engaged in pension benefit fraud were convicted and ordered to pay restitution, and matters were referred to PBGC for collection activities (see page 18); and • More than $8,000 was recovered as a result of criminal prosecutions (see page 19). Introduction The Pension Benefit Guaranty Corporation The Pension Benefit Guaranty Corporation (PBGC, or the Corporation) was established under Title IV of the Employee Retirement Income Security Act of 1974 (ERISA), as amended (29 U.S.C. §§ 1301-1461), as a self-financing, wholly owned federal government Corporation to administer the pension insurance program. ERISA requires that PBGC (1) encourage the continuation and maintenance of voluntary private pension plans, (2) provide for the timely and uninterrupted payment of pension benefits to participants and beneficiaries and (3) maintain premiums at the lowest level consistent with carrying out PBGC’s obligations. For about 44 million Americans, PBGC provides assurance that their retirement benefits will be paid, up to a statutory limit. PBGC protects the pensions of participants in certain defined benefit pension plans (i.e., plans that promise to pay definitely determinable retirement benefits). Such defined benefit pension plans may be sponsored individually or jointly by employers and unions. PBGC paid more than $3 billion in benefits during 2004 to more than 518,000 people. At the end of 2004, PBGC was responsible for the pensions of more than 1 million people, including 443,000 who will receive benefits when they retire in the future. The Office of Inspector General The mission of the Office of Inspector General (OIG) is to be an independent and objective voice that helps the Congress, the Board of Directors and PBGC protect the pension benefits of American workers by promoting positive change, accountability and integrity. To accomplish this goal, the OIG conducts agency audits, inspections and investigations to provide our stakeholders with information they need to make decisions. OIG staff consists of 20 employees; two are investigators and one is an administrative assistant. We are currently recruiting to fill five vacant positions. To provide value, OIG focuses work on the challenges that PBGC is facing, whether we are issuing audit, evaluation and investigative reports or consulting with PBGC and participating on various teams and in working groups. We are committed to our values of respect, excellence and integrity in all we do. [pull quote] PBGC paid more than $3 billion in benefits during 2004 to more than 518,000 people. [end pull quote] [graph: Annual Benefit Payments from 1995-2004] Our approach to audit planning concentrates our efforts on identifying issues that are important to PBGC. We maintain an inventory of suggested audits that we receive from a variety of sources, including the Board of Directors and PBGC’s senior managers. Each year, we assess risk in terms of materiality, impact on operations and potential for adverse publicity for the Corporation. Based on this risk assessment, we identify the most important challenges on which to focus our work. The final step is to plan and conduct audits that address those challenges. Following are the major questions on which we will focus in the coming year: • Does PBGC have a governance model that ensures reliable and complete financial reporting, effective customer service and ethical business dealings? • Does PBGC have strong financial controls that are needed to protect assets and minimize costs? • Does PBGC effectively balance operational efficiency with optimal customer service? • Do PBGC contractors provide quality products and services at a reasonable price? • Do PBGC’s information systems maximize customer service while protecting the privacy and integrity of information? We have scheduled audits in 2005 to address each of these challenges. As required by the Chief Financial Officers Act, we continue to audit PBGC’s financial statements. The OIG contracts with an independent public accountant (IPA) to perform this work. In our attempt to maximize limited resources, our approach to investigations is to apply strict criteria in evaluating the quality of the allegations received. For example, we evaluate allegations against the potential criminal and civil violations, the statute of limitations, the potential for negative publicity for PBGC and the total assets involved. This allows us to concentrate on investigative issues that are most important to PBGC. The OIG follows the standards contained in the Quality Standards for Federal Offices of Inspector General, published by the President’s Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE). These standards require audits to be conducted in accordance with Government Auditing Standards, issued by the Government Accountability Office. Our investigations comply with Quality Standards for Investigations, which have been accepted by the PCIE and ECIE. [pull quote] We follow quality standards established by the IG community and the Government Accountability Office. [end pull quote] Audits Overview Our approach to audits of the Corporation is to focus our work on those areas that present significant management challenges to PBGC. Using our past work and input from the Board of Directors and senior managers, we focused our work this semi-annual period primarily on financial management, information technology, procurement and contracts, and overall program performance. In addition to conducting traditional audits and evaluations in these areas, the OIG staff participated on corporate-wide teams addressing various issues of joint concern and looked for opportunities to provide consultation. Our goal is to have a positive impact on the decision-making process of the Board of Directors and PBGC management. The following paragraphs summarize the work of our auditors for each major management challenge. 1. Governance Governance is a major challenge of the Corporation because oversight of the Corporation’s financial reporting process is critical to effective corporate governance. The Board of Directors, PBGC management and the Office of Inspector General are committed to a governance model that ensures reliable and complete financial reporting, effective customer service and ethical business dealings. Over the last two years, Secretary Chao has implemented major improvements in oversight of PBGC programs and operations. The Board of Directors—the Secretaries of Labor, Treasury and Commerce- -now meets regularly, and responsibilities of the Board, management and the OIG are better defined. Financial oversight has also improved with Board review of annual reports and investment policy, and separate sessions with the Executive Director and Inspector General at each of their meetings. Significant progress has been made, but the Board and PBGC management should continue their efforts to clarify roles and responsibilities. PBGC contracted with KPMG LLP to assist in their 2004 internal control assessment. In their report, KPMG identified the lack of clarity in roles and responsibilities of the Board and management as a control gap. OIG will continue to work with the Board and management to better define roles and responsibilities. [pull quote] The Board and management have made significant progress in improving oversight of PBGC programs and operations. [end pull quote] PBGC’s management has also made major strides in improving financial controls. Although not required to do so, PBGC management has aggressively implemented several initiatives to identify key controls and assess the overall control environment. These efforts are among the first in the federal government to comprehensively identify, document, test and report on significant financial controls. PBGC is one of a handful of federal agencies that has received an audit opinion on internal controls since 1992. 2. Financial Management PBGC is a major government enterprise that manages assets of more than $40 billion. In FY 2004, the Corporation paid out about $3 billion in benefit payments to retirees. Strong financial management controls are needed to protect assets and minimize costs. OIG continues to focus much of its work on financial management issues to help management address this challenge. [graph: Net Position Single-Employer Program 1995-2004] PBGC reported the largest financial losses in its 30-year history in 2004. Completed and probable pension plan terminations required the single-employer insurance program to record losses totaling $14.7 billion, doubling the program deficit to $23.3 billion. The multiemployer program reported a net income of $25 million, reducing the program’s deficit to $236 million. PBGC has sufficient assets to continue paying participants guaranteed benefits for a number of years, but with $62.3 billion in total liabilities and $39 billion in total assets, the single employer program lacks the funds to pay a significant portion of the future benefits for which it is obligated. 2004 was the first year that federal agencies were required to issue their audited financial statements by November 15. Despite many obstacles, PBGC was able to issue audited financial statements on time. This was made possible by a team effort of the Board Representatives, PBGC management, PricewaterhouseCoopers and the OIG. Much of our success was due to the Herculean efforts of this team. Improved systems and processes are needed because existing financial systems limit PBGC’s ability to make last minute adjustments to the financial statements. Audit Of The Pension Benefit Guaranty Corporation’s Fiscal Years 2004 And 2003 Financial Statements (2005-1/23182-1 And 2005-2/23182-2) We contracted with the independent certified public accounting firm of PricewaterhouseCoopers LLP to audit the financial statements of Single-Employer and Multiemployer Program Funds administered by PBGC as of the Fiscal Years 2004 and 2003. The audit is performed in accordance with auditing standards generally accepted in the United States of America, Government Auditing Standards issued by the Comptroller General of the United States and the GAO/PCIE Financial Audit Manual. In its audit of the financial statements of Single-Employer and Multiemployer Program Funds administered by PBGC, PricewaterhouseCoopers found: • The financial statements were fairly presented, in all material respects, in conformity with accounting principles generally accepted in the United States of America; • PBGC’s assertion about internal controls over financial reporting and compliance with laws and regulations is fairly stated; [pull quote] PBGC is one of the few Federal agencies that has had an audit opinion on internal controls since 1992. [end pull quote] • There are five reportable conditions relating to financial management systems integration, information security, singleemployer premiums, contingent liabilities for the Single- Employer Program Fund,and identifying and classifying probable Multiemployer plans; and • No reportable noncompliance with laws and regulations it tested. Despite the unprecedented financial losses in 2004, PBGC continues to make good progress in improving financial management. This is the 12th consecutive year PBGC has received an unqualified opinion on its financial statements. PBGC also made significant progress in correcting internal control weaknesses. Two conditions that we reported last year were corrected — a material weakness in estimating the value of liabilities for multiemployer plans and a reportable condition for estimating singleemployer reserves. While we are encouraged by the Corporation’s efforts to improve financial management, PBGC management understands that further improvement is needed. The Corporation still has five reportable conditions related to its financial reporting that were reported in prior years. While all of these issues are important, systems integration is the biggest challenge facing the Corporation because it addresses many of the control weaknesses in the remaining reportable conditions. Integrated systems will also help PBGC meet accelerated reporting requirements by reducing the time required to prepare interim financial statements. [pull quote] Systems integration is the biggest internal control challenge facing the Corporation. [end pull quote] The most important ingredient to correcting the remaining reportable conditions is a strong commitment on the part of management to implement corrective actions. The Executive Director has taken a keen interest in, and emphasized the importance of, correcting all of the reportable conditions. OIG is meeting routinely with Senior Executives and Department Directors to discuss reportable conditions and assist in developing corrective action plans. Fiscal Year 2004 Financial Statement – Management Letters 2005-10/23182-6 and 2005-9/23182-5 During the financial audit, PricewaterhouseCoopers identified internal control weaknesses related to financial reporting and information technology that were not included in their audit reports. We issued two management letters to summarize these findings and recommendations—one for financial reporting and one for information technology. Recommendations were presented to PBGC management to improve internal controls. Each of the recommendations was thoroughly discussed with PBGC management, and they agreed to take corrective actions. After extensive discussion with the Chief Financial Officer, OIG changed the audit follow-up process for management letter recommendations in 2004 to focus attention on reportable conditions that are included in the Internal Control Report. OIG will continue to monitor and track corrective actions for reportable conditions, but we have shifted responsibility for tracking management letter recommendations to PBGC management. This means that PBGC will monitor and track corrective action plans to eliminate redundancy and streamline the process. [pull quote] OIG revised Management Letter follow-up to eliminate redundancy and streamline the process [end pull quote] Changes to the follow-up process do not mean that management letter issues are not important, or that correcting management letter items is not a priority. On the contrary, OIG will ask for evidence of corrective actions each year during the financial audit, and we will follow-up on the management letter recommendations each year. Independent Auditors’ Report on Special Purpose Financial Statements & Closing Package Documentation (2005-3/23182-3) At the conclusion of the financial statement audit, PBGC must submit financial information to the U.S. Department of Treasury and the GAO to use in preparing and auditing the Financial Report of the U.S. Government. The Department of the Treasury requires agencies to prepare audited special purpose financial statements and a specific closing package. We retained PricewaterhouseCoopers LLP to perform an audit of PBGC’s reclassified balance sheet as of September 30, 2004, and the related reclassified statements of net cost and changes in net position (special purpose financial statements) contained in the special-purpose closing package. PricewaterhouseCoopers concluded that the special-purpose financial statements present fairly, in all material respects, the reclassified financial position of PBGC as of September 30, 2004, and its reclassified changes in net position in conformity with accounting principles and Treasury requirements. Independent Accountants’ Report on Applying Agreed Upon Procedures for Federal Intragovernmental Activity and Balances (2005-6/23182-4) The Department of Treasury also requires that OIG review the Chief Financial Officer’s representations regarding trading partner data for intragovernmental activity and balances. We retained PricewaterhouseCoopers LLP to perform these agreed upon procedures that assure accurate reporting. The Government Accountability Office relies on this work when auditing the U.S. Government’s consolidated financial statements. Lessons Learned from FY 2004 Financial Statement Audit (2005-12/23193) In 2004, PBGC achieved a major milestone by meeting the government-wide accelerated reporting deadline of November 15 and achieved an unqualified opinion for the 12th consecutive year. To build on this year’s success, OIG hosted a series of “lessons learned” sessions with key players in the financial reporting process. In addition, these sessions provided a forum to discuss reportable conditions identified during the audit and corrective action plans. All participants agreed that PBGC has made significant progress in correcting internal control weaknesses this year. While encouraged at the progress, we all understand that further improvement is needed. The Corporation still has five reportable conditions that were reported in previous years. From the sessions, we identified several recurring themes: • Management needs to continue its strong commitment to and support of the financial reporting process; • While communications during planning, execution and follow-up improved this year, there are opportunities to make further improvements. • Most of the recommendations for reportable conditions and management letter issues relate to documentation of processes and procedures. • Better internal dissemination of plan data. [pull quote] Lessons Learned From the Financial Statement Audit • Commitment by Management • Frequent Communications • Better Documentation • Improved Dissemination of Plan Data [end pull quote] While all of these lessons are important, there are two challenges that need to be addressed strategically to have the November 15 deadline become a routine business practice, rather than an extraordinary task; [pull quote] Closing financial records more often will reduce pressure on management and auditors atyear-end. [end pull quote] • Close the financial records, including conducting the processes that support the financial statements, more often during the year to reduce the pressure on management and auditors at year-end, and • Improve financial controls by integrating financial systems. By addressing both of these challenges, management will not only streamline financial reporting but will improve its financial and performance management with more timely and accurate information. Based on the discussions at the sessions we hosted, one thing is crystal clear—the lessons learned sessions were valuable because they encouraged a constructive dialogue between all of the players. We plan to continue this practice after the audited financial statements are issued in 2005. 3. Information Technology PBGC has major initiatives to enhance customer service by providing access to information through Web-based applications. Protecting the privacy and integrity of customer information is a major challenge for PBGC. The OIG continues to perform work to assist the Corporation in meeting this challenge. Federal Information Security Management Act (FISMA) Report [pull quote] PBGC’s systems security infrastructure continues to improve. [end pull quote] PBGC continues to improve its system security infrastructure and posture in compliance with the Federal Information Security Management Act of 2002, as reported to the Office of Management and Budget (OMB). During FY 2004, PBGC continued to take significant steps to identify levels of security required to control and protect its assets and information and further improve its security program. The following are examples of the progress at PBGC: • Improving the monitoring and auditing process; • Reviewing and updating security plans; • Performing semi-annual certifications of system servers to ensure implementation of current security updates; • Improving security awareness training by implementing computer-based training and briefings with awareness videos for annual and newly hired personnel; • Improving security awareness for detecting, reporting and responding to security incidents; • Conducting exercises to test continuity of operations for general support and major business systems; and • Establishing policy and procedures based on risk assessments that reduce information security costs using the System Life Cycle Management process. In the past, PBGC’s information security internal control was a reportable condition. Though information security remains a reportable condition, we are encouraged by progress in areas such as organizational responsibility and system monitoring. However, a major area of concern is the lack of progress on the certification and accreditation of major business and general support systems. We have previously reported this issue in our FISMA report and OMB has increased its focus on certification and accreditation. PBGC has developed and implemented a plan to evaluate its major business and general support systems over a three-year period. Although this generally complies with OMB A-130 guidance, PBGC has not fully complied with requirements to formally document the certification and accreditation process and produce letters supporting the accreditation of its business and general support systems. Management agrees that its process requires significant improvement. [pull quote] PBGC has made little progress on certification and accreditation of its major systems. [end pull quote] We are encouraged that management continues its work on another reportable condition—integrating its financial systems to improve operational efficiency and effectiveness as well as data security. Significant progress was made in developing a plan for addressing this issue during FY 2004, and we anticipate further progress in FY 2005. Continuity of Operations PBGC continues to improve its efforts to prepare for an unexpected interruption in normal business activities. A goal to hold two tests a year has been proposed. Unfortunately, the test scheduled for February 2005 was cancelled due to technical problems. It is rescheduled for April 2005 and will focus on testing those elements of the previous test that failed to operate as expected. Additionally, PBGC required all departments to update their Continuity of Operation Plan (COOP) plans by March 31 as part of the annual process. This update required a greater level of detailed planning related to criticality of functions, time frame for functions to be operational, standard operating procedures associated with defined functions, staff responsibility and accountability, and information technology requirements. By documenting this information, PBGC is making each COOP more granular and promoting the practice of thinking about decisions prior to an event occurring, rather than during a recovery of business operations, thereby reducing the risk of failure. The OIG will continue to monitor COOP testing and provide feedback to help management achieve their goal of having a reliable plan for recovery of operations in an emergency. E-mail Policies and Procedures In response to a request from the Executive Director, we initiated a benchmarking project with other federal agencies to compare PBGC’s policies and procedures for controlling the size of employee e-mail accounts. Our objective was to determine if PBGC’s policy allows excessive e-mail storage. Excessive storage can increase the costs of operations and adversely impact the Corporation’s information networks. [pull quote] Excessive storage of employee e-mails can increase cost and adversely impact information networks. [end pull quote] We contacted eight federal agencies regarding their e-mail retention policies. As expected, there was a wide variety of policies and procedures, but there were generally two approaches for managing e-mail. Some agencies use a voluntary approach, relying on individual employees to monitor and control the volume of e-mails that are kept on the system. PBGC’s policy uses this approach. However, most agencies we contacted used a more proactive approach and limited the amount of e-mail storage space that each of its employees is allowed. In January 2005, we reported the results of our benchmarking project to the Executive Director. Based on the results of our work, we concluded that taking a more proactive approach improves an agency’s ability to better manage resources and costs, and reduces the risk of having employees with excessive demands of their electronic information systems. 4. Procurement and Contracting PBGC contracting activity doubled from 1999 to 2003, and the Corporation now spends more than 60 percent of its annual budget through contracts. Consequently, we consider contract management a major management challenge, and we are devoting a significant portion of our audit resources to contract audits. [pull quote] OIG assumed responsibility for contract audits in September 2004. [end pull quote] Until recently, the responsibility and resources for contract audits was under the direct supervision of the Chief Financial Officer. OIG assumed responsibility for contract audits in September 2004. Our initial efforts have been focused on establishing the infrastructure needed for independent contract oversight. We have worked closely with the Procurement and the Contracts and Controls Review Departments to ensure a smooth transition. With their assistance, we used a risk-based approach to focus our audits on contracts and processes with the highest potential return for PBGC. PBGC had 137 active contracts with total obligations since their award date of $668 million. Our audits have focused on two areas: • Identifying improvements to PBGC’s procurement process, and • Verifying that contractor billings were allowable, reasonable, supported and consistent with the terms of contracts. Audit of PBGC’s Procurement Process We contracted with an Independent Public Accountant (IPA) to perform an audit of PBGC’s procurement process. In the first phase, they gained an understanding of the entire procurement process including: • Applicable laws, regulations, policies and procedures, • Interfaces with other business cycles and automated systems, and • Major control systems. The IPA also made a preliminary assessment of significant inherent and control risks within the process. In December 2004, we briefed the Contracting Officer on these results. [graph: PBGC Contracts (Millions)] The second phase of the audit was started in late January 2005. The objective of this phase is to determine whether PBGC is complying with its policies and procedures and related laws and regulations, in particular the Federal Acquisition Regulations, when acquiring goods and services in excess of $2,500. The audit covered FY 2004 procurement activities. This work will concentrate on those significant inherent and control risks identified in the first phase. The audit will be completed during the next reporting period. Contract Audits We also completed several contract audits. Four audits were conducted by the Defense Contract Audit Agency (DCAA) and one by an IPA firm. The report numbers, without identifying contractor information, are included in the list of Inspector General Audit Reports in the Appendix. We accomplished these audits to: • Verify the accuracy of direct labor hours and labor classifications billed for two contractors, • Verify that invoices submitted by a contractor were properly supported, and • Verify that costs incurred by contractors were allowable, reasonable and consistent with contractual provisions. [graph: Questioned and Unsupported Costs] In five reports, we audited contracts with a total cost of $13.3 million and identified $662,819 of questioned and unsupported costs. PBGC’s Contracting Officer will determine the allowability of the questioned and unsupported costs and initiate necessary collection actions. The OIG will provide additional assistance to the Contracting Officer if needed. We also initiated another audit to: • Verify the accuracy of direct labor hours and labor classifications billed for two contractors, • Determine if contract monitoring and oversight ensures that contractors meet contract requirements. • Evaluate compliance with federal regulations and PBGC’s policies and procedures. The audit reports will be issued during the next reporting period. 5. Program Performance Purchase Card Program Review As a follow-up to the Management Advisory Letter issued in August 2001, the OIG conducted a survey of PBGC’s purchase card program. This review was performed using a risk-based approach to evaluate the controls related to the purchase card program. This is a high-risk program, not due to its materiality in dollars, but in its potential for fraud or abuse, high-profile public interest, and heightened congressional scrutiny. For the twelve month period included in our review, there were 53 cardholders, with combined purchase authority of $15 million, who purchased about $2.2 million of goods and services. To provide PBGC management with information concerning the effectiveness and efficiency of the operational system of controls, our objectives were to determine if the program controls were in place and operating as intended. Because the purchase card program has grown since its inception, we will work with PBGC to reassess the policies and procedures governing card use and strengthen its training and oversight related to the program to reduce the risk of fraud or misuse. We will be meeting with management to discuss our findings and a report will be issued in the next reporting period. Accounts Payable Review The OIG conducted a preliminary review of the PBGC Accounts Payable process to assess the adequacy of controls associated with making vendor payments for goods and services. We initiated this review because erroneous payments is a component of the President’s Management Agenda, and is a long-standing, widespread and significant problem in the federal government. Our review statistically sampled 4,360 payments for goods and services totalling $150 million over a 3 year period. Improper and erroneous payments are payments that should not have been made or were made for incorrect amounts because of errors, poor business practices, or intentional fraud or abuse. A joint workgroup composed of members from the Chief Financial Officers Council and the President’s Council on Integrity and Efficiency identified a number of significant problems that increase the risk of such payments, such as: a weak or incomplete program control environment; risks inherent in the regulatory and policy structure; and a lack of attention toward, as well as restrictions on, Government-wide coordination and information-sharing. While there are no reporting requirements for PBGC with respect to improper payments, we are committed to helping PBGC implement the intent of the President’s initiative. The audit will provide PBGC with valuable information on controls that can be considered when the existing accounts payable system is replaced as part of its financial systems integration project. We have completed our work and will be meeting with management to discuss our findings. A report will be issued in the next reporting period. Other Audit Activity Peer Review of the Federal Reserve Board’s Office of Inspector General We initiated a quality control review of the audit operations of the Office of Inspector General at the Federal Reserve Board. External peer reviews are conducted within the OIG community once every three years. This review will be conducted during the next reporting period. Planned Audit Projects Premium and Practitioner System Pre-implementation Review To correct identified deficiencies in the current Premium Accounting System and help meet a portion of the requirements in its financial systems integration project, PBGC is developing a new system to process premium payments and plan sponsor accounts. The Executive Director asked OIG to provide an independent assessment of the development project to: • Verify adherence to PBGC’s Systems Life Cycle Management, • Assess PBGC’s ability to maintain the new system, if there is pension reform, and • Make recommendations on future development. The OIG has contracted with an IPA firm to help with this work and will issue a report in the next reporting period. Access to Information Under the Inspector General Act, the Inspector General is to have unfettered access to all agency records, information, or assistance when engaged in an investigation or audit. Whenever access to requested records, information, or assistance is unreasonably refused or not provided, the Inspector General must promptly report the denial to the agency head. [pull quote] Under the Inspector General Act, the Inspector General has unfettered access to all agency records and information [end pull quote] During this six month reporting period, the Inspector General’s access to information was not restricted. Management Decisions The Inspector General is required to report the following about management decisions on audit reports that occurred during this six-month period: • There were no audit reports for which there was not a management decision. • There were no significant revised management decisions. • There were no management decisions with which the Inspector General disagreed. Investigations Overview A major responsibility of the Inspector General is to receive and investigate complaints from PBGC employees, the public and other sources concerning violations of law, rule, or regulation; mismanagement; gross waste of funds; abuse of authority; or a substantial and specific danger to the public health and safety. Individuals may disclose information or make complaints to the Inspector General through the OIG Hotline (see announcement on back cover page). The Inspector General protects the legal rights of whistle-blowers and complainants and takes great care to not disclose their identity without their consent. OIG Hotline The OIG operates a separate toll-free Hotline telephone number and a confidential Hotline post office box. The OIG Hotline telephone is answered by an investigative staff assistant for a two-hour period, Monday through Friday. At all other times, a recorded message provides information about the Hotline service and refers callers to our main telephone number. [pull quote] The OIG does not disclose the identity of complainants without their consent. [end pull quote] Activity This Period Significant Investigations Theft Of Government Computer In our last semiannual report, we reported the arrest and indictment of four individuals who were charged in the San Diego County court with theft of U.S. Government property (PBGC laptops), destroying and altering data on a government computer, child pornography, identity theft, credit card theft and the possession, sale and distribution of controlled substances. To date, three of those individuals have been convicted and sentenced. [pull quote] Three people who were involved in stealing a PBGC computer were convicted and sentenced. [end pull quote] PBGC’s E-systems Used For Offensive Material During our last semiannual period, we issued multiple Reports of Investigation concerning federal employees and contractors who were using U.S. Government computers and the PBGC e-mail system to view, share and store pornographic and other inappropriate material. We identified 30 federal and contractor employees who were involved in viewing and sharing the offensive materials. The contractor terminated 8 of its employees and counseled 3 others. Management action on the federal employees is still pending. Subsequent to issuing those reports, other contractor employees were referred to the OIG. With minimal investigation we determined that these contractor employees were engaging in similar misconduct and referred the matter to the contractor management and appropriate PBGC officials. The contractor took swift action by terminating 4 employees and suspending 4 other employees. Pension Fraud An individual who stole a participant’s $4,000 pension check in Chattanooga, TN was convicted. She received a three year sentence in the Chattanooga Correctional Facility and was ordered to pay $4,000 restitution to the participant. [pull quote] An individual who stole a participant’s check was sentenced to three years. [end pull quote] Significant investigative and criminal prosecutive action occurred in a matter involving a man who opened an account in a Florida credit union and illegally deposited a participant’s check. This individual also created checks that appeared to be PBGC pension checks by using PBGC’s logo and account number, and the bank logo and authorizing signature. Coordination with the Florida credit union and local law enforcement authorities resulted in the individual’s arrest, with his court date pending. During this period we closed 14 cases and/or inquiries that raised issues of fraud relating to pension plans and benefits, including: • PBGC referred a fraud involving the son of a participant who claimed his father was still alive and always provided a reason why PBGC representatives could not speak with the participant. The PBGC verified that the participant died in 2001. The son cashed sixteen checks for a total amount of $7,845. This matter was referred to the U.S. Attorney’s Office for the Central District of Florida and subsequently to PBGC management for administrative collection of $7,845. • A very alert Pension Law Specialist (PLS) with the PBGC Insurance Operations Department notified the OIG when she noted that a participant’s file showed numerous phone calls to the PBGC customer service center, with a flurry of changes of address and stop payments on checks. The situation seemed very unusual because different people appeared to be calling to change the mailing address of the pension check. With the PLS’ assistance, we determined that the son of a participant was re-directing his father’s pension checks and cashing them. The son cashed more than $4,890 in checks. The son subsequently admitted to the PLS that he had fraudulently changed the address and was cashing his father’s pension checks for his personal use. The case was referred for possible criminal prosecution, which was declined by the U.S. Attorney’s Office for the Northern District of Illinois. The individual was referred back to PBGC management for administrative collection of $4,890. SUMMARY OF INVESTIGATIVE ACTIVITIES For The Six-month Period Ending March 31, 2005 Investigations Pending beginning of period 44 Opened 11 Closed 20 Pending end of period 35 Inquiries Pending beginning of period 23 Opened 31 Closed 40 Pending end of period 14 Financial Recoveries* Theft of Funds Recovered 0 Court Ordered Fines, Penalties and Restitution $6,668 U.S. Government Property Recovered $2,000 Criminal Actions* Arrests 1 Indictments 0 Convictions 4 Administrative Actions* For Prosecution: Department of Justice 34 Declined 34 Various States’ Attorney Offices 1 Declined 0 For Other Action: PBGC Management for Corrective Action 19 * Results reported for Financial Recoveries, Criminal and Administrative Actions include both open and closed cases. Other Office of Inspector General Activities Review of Proposed Statutory and Regulatory Changes Statutes [pull quote] OIG consults with managers to improve operations and promote fraud prevention. [end pull quote] A major responsibility of the OIG under the IG Act is to independently review changes to laws and regulations that are proposed by PBGC. In January 2005, the Administration proposed major pension law reform to provide simplicity, flexibility, accuracy, stability and transparency in the single employer defined benefit pension insurance program. The reforms are in three categories: • Better funding of pension plans – a single, accurate measure of liability, adjusted to reflect risk of plan termination; funding targets based on risk of plan termination and a reasonable period of time to reach the target; and flexibility to contribute more in good economic times. • Revised premiums paid to PBGC — a flat-rate per-participant charge, increased and indexed for wage growth; and a risk-based premium incorporating both risk of plan termination and plan underfunding, adjusted by the Board of Directors to maintain program solvency. • More transparent information on plan health — participants receive more accurate and more understandable plan financial data, including trend data on plan assets relative to the plan’s funding target; PBGC receives more timely reporting. These reforms were a joint Administration effort, including the Departments of Labor, Commerce and Treasury as well as PBGC. We were briefed by PBGC officials on the proposals. We believe these reforms will help to protect the pensions of more than 34 million workers and retirees by improving disclosure to workers, investors and regulators, and protecting the financial health of PBGC. Regulations PBGC has engaged in a major effort to streamline its regulations and to improve administration of the pension insurance program, with a focus on making pension-related information more accurate, complete and transparent. The Corporation issued proposed and final rules in a number of areas, including assessment of and relief from statutory penalties. This would require pension plan sponsors to electronically submit premium filings and other required actuarial and financial information, provide an alternate method to compute the liability of a certain employer who withdraws from a multiple employer plan, and change what a pension plan must report to PBGC (“reportable events”) and how it is reported. Upon review, we believe the regulatory changes are reasonable. [pull quote] Reform is needed to provide simplicity, flexibility, accuracy, stability and transparency in the defined benefit pension insurance program. [end pull quote] Internal PBGC Activities OIG staff members have engaged in several activities within PBGC to promote fraud prevention, improve relationships between the OIG and PBGC, and provide consultations to managers to improve agency operations. Among these activities are the following: • An investigator briefed employees on the OIG’s functions and potential fraud pitfalls relating to travel in a Traveler’s Workshop. We also provided a card with OIG contact information, including our hotline telephone number and post office box address to receive complaints. • An OIG auditor received a PBGC Corporate Recognition Award for the OIG’s participation on the Program Assessment Rating Tool (PART) team. The award recognizes the thorough and realistic assessment of PBGC’s performance, including identifying and gathering all necessary documentation and coordination with the Office of Management and Budget. • Multiple members of the OIG are participating in a special leadership mentoring program, “Building Your Leadership Toolbox.” This nine-month program gives a small group of employees the opportunity to work directly with senior PBGC managers, discussing best practices and completing developmental assignments. An OIG auditor was selected as one of seven PBGC employees in this program. In addition, both the Deputy IG and the Assistant IG for Audit are senior mentors, leading sessions in Oral Communications and Leadership. • The Inspector General and Deputy IG continue their involvement in PBGC’s structured mentoring programs through one-on-one mentor pairings with PBGC employees who are not in the OIG. Internal OIG Technology initiatives Certification and Accreditation of OIG Local Area Network (LAN) In June 2004, the OIG began to consider its own compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. We determined that the network system used for OIG communications and access to PBGC applications was a significant system that required compliance. [pull quote] OIG is certifiying and accrediting its major business system. [end pull quote] As such, the following steps were taken between October 2004 and February 2005 to certify and accredit the OIG LAN: • Identified an individual as the owner of the system. This person has day-to-day responsibility for the operation of the system and must be a federal employee. • Identified an individual as the accrediting official. This person is a senior official within the organization having budget and decision-making authority that would affect the system and must be a federal employee. • Determined whether each system is a general support or a major application. • Performed a system risk assessment. • Based on the assessment, categorized the system as high impact. • Developed and documented a security plan for the system. • Contracted with a systems review specialist to perform an independent review of the system security resulting in a certification. • Developed a corrective action plan for identified weaknesses and began correcting items immediately. • Presented accreditation package including certification (security assessment report), system security plan and plan of action and milestones to the accreditation official for signature. • Signed Interim Authority to Operate on February 1, 2005, for a period of 6 months. We anticipate that all deficiencies will be corrected well before the end of the 6 month period and the Inspector General will grant a full accreditation for 3 years. OIG COOP Support to Wilmington, DE The OIG is completing a move of its backup equipment, including all servers to support access to applications and e-mail, to Wilmington, Delaware, as part of its Continuity of Operations Plan. With this move, the OIG joins PBGC in relocating its backup support to a hot-site outside of the immediate Washington, DC area. This enables the OIG to provide continued support to its staff in the event its headquarters offices are not available. Once all equipment is in place and functional, the OIG will join PBGC in testing the COOP at least twice a year. External Activities Various staff members participated in external professional activities, including the following: • The Inspector General chairs the PCIE/ECIE Human Resources Committee’s “Core Competency” Working Group project. Looking at best practices in the private and public sectors, the Core Competency Working Group has identified core competencies for auditors, inspectors and criminal investigators as well as crosscutting competencies (i.e., leadership, management and team skills). Further work will: • Identify a curriculum that addresses crosscutting competencies (i.e., leadership, management and team skills), including recommending a process for continuous assessment of core competency training. • Assess training institutes and academy abilities to support the training need of the IG community, including the pros and cons of combining training currently offered at the three IG academies. The Inspector General has briefed numerous stakeholders, including the PCIE/ECIE audit and investigative committees. The results will be published in August 2005. • An OIG auditor is participating in a government-wide working group to improve the overall efficiency and effectiveness of FISMA reporting. The working group is comprised of members from the OIG community, GAO and the Office of Management and Budget (OMB). The working group is discussing, among other issues: [pull quote] OIG is participating in a governmentwide working group to improve FISMA reporting [end pull quote] • Establishing a uniform cut-off date for the completion of audit work and reporting. • The OMB defining its overall conclusion as a result of the government-wide combined FISMA reporting. • The GAO is revising its Federal Information System Controls Audit Manual (FISCAM), in particular developing conclusions about agencies’ Information Security programs. • OIG audit staff received two PCIE/ECIE “Awards for Excellence” for an evaluation of PBGC’s Field Benefit Administrators and participation in the agency’s PART team. • The Inspector General continues to represent government auditors as a member of the International Seminars Committee of the Institute of Internal Auditors. This committee focuses on identifying emerging trends in auditing and on training courses and seminars to address these trends. Appendix CROSS-REFERENCE TO REPORTING REQUIREMENTS OF THE INSPECTOR GENERAL ACT The table below cross-references the reporting requirements prescribed by the Inspector General Act of 1978, as amended, to the specific pages in the report where they are addressed. Inspector General Act Reference Reporting Requirements Page Section 4(a)(2) Review of legislation and regulations. 21 Section 5(a)(1) Significant problems, abuses and deficiencies. 5-15 Section 5(a)(2) Recommendations with respect to significant 27 problems, abuses and deficiencies. Section 5(a)(3) Prior significant recommendations on which 27 corrective action has not been completed. Section 5(a)(4) Matters referred to prosecutorial authorities. 17-19 Section 5(a)(5) Summary of instances in which information None was refused. Section 5(a)(6) List of audit reports by subject matter,showing 26-27 dollar value of questioned costs and recommendations that funds be put to better use. Section 5(a)(7) Summary of each particularly significant report. 5-15 Section 5(a)(8) Statistical table showing number of reports and 26 dollar value of questioned costs. Section 5(a)(9) Statistical table showing number of reports and 26 dollar value of recommendations that funds be put to better use. Section 5(a)(10) Summary of each audit issued before this None reporting period for which no management decision was made by end of reporting period. Section 5(a)(11) Significant revised management decisions. None Section 5(a)(12) Significant management decisions with which None the Inspector General disagrees. REPORTS ISSUED WITH QUESTIONED COSTS* AND FUNDS PUT TO BETTER USE For the Six-Month Period Ending March 31, 2005 Number of Reports Questioned Costs Unsupported Costs Funds put to Better Use A. For which no management decision had been made by the commencement of the reporting period. 2** $1,251,019 $752,812 -0- B. Which were issued during the reporting period 5 $198,764*** $624,342 -0- Subtotal (Add A. & B.) 7 $1,449,783 $1,377,154 -0- C. For which a management decision was made during the reporting period. 0 -0- -0- -0- (i) dollar value of disallowed costs 0 -0- -0- -0- (ii) dollar value of costs not disallowed 0 -0- -0- -0- D. For which no management decision had been made by the end of the reporting period. 7 $1,449,783 $1,377,154 -0- E. For which no management decision was made within six months of issuance. 2 $1,251,019 $752,812 -0- *This statistical information is required by Section 5(a)(6)(8) and (9) of the Inspector General Act of 1978, as amended. **Reviews were conducted by the OIG and PBGC’s Contracts and Control Review Department (CCRD). CCRD is an internal management office that conducts reviews of PBGC contracts. *** Includes questioned costs of $160,288 reported by CCRD and $38,476 reported by OIG. SIGNIFICANT PROBLEMS, DEFICIENCIES AND RECOMMENDATIONS Report Number, Report Title and Date Issued Number of Significant Recommendations Significant Problems and Deficiencies Summary of Significant Recommendations 98-3/23126-2 Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 1997 - 1996 Financial Statements 03/23/1998 1** Reportable Condition: Integrating Financial Management Systems PBGC needs to complete the integration of its financial management systems. 2003-3/23168-2 Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2001 - 2000 Financial Statements 01/30/2003 2** Reportable Condition: Implementing & Enforcing Information Security Program PBGC needs to complete its efforts to fully implement and enforce an effective information security program. 2005-2/23182-2 Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2004 - 2003 Financial Statements 11/15/2004 5 Reportable Condition: Improving Single- Employer Premium Accounting System PBGC needs to improve controls related to singleemployer premiums. 2005-2/23182-2 Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2004 - 2003 Financial Statements 11/15/2004 7 Reportable Condition: Identifying & Classifying Contingent Liabilities for Single- Employer Program PBGC needs to continue to improve its controls over the identification and measurement of the single-employer contingent liabilities. 2004-2/23176-2 Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2003 - 2002 Financial Statements 1/15/2004 2005-2/23182-2 Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years 2004 - 2003 Financial Statements 11/15/2004 6** Reportable Condition: Identifying & Classifying Probable Multi-Employer Plans PBGC needs to strengthen controls over the identification and classification of multiemployer plans probable of receiving financial assistance. * This chart complies with Section 5(a)(1)(2)(3) and (6) of the Inspector General Act of 1978, as Amended. ** Includes Significant Recommendations from previous semi-annual reports on which corrective action has not been completed. Glossary Questioned Cost A cost the OIG has questioned because of an alleged violation of law, regulations, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; because such cost is not supported by adequate documentation; or because the expenditure of funds for the intended purpose is unnecessary or unreasonable. Unsupported Cost A cost the OIG has questioned because of a lack of adequate documentation at the time of the audit. Disallowed Cost A questioned cost that management, in a management decision, has sustained or agreed should not be charged to the government. Funds to Be Put to Better Use Funds the OIG has identified in an audit recommendation that could be used more efficiently by reducing outlays, deobligating program or operational funds, avoiding unnecessary expenditures, or taking other efficiency measures. Management Decision Management’s evaluation of audit findings and recommendations and issuance of a final decision concerning management’s response to such findings and recommendations. Final Action The completion of all management actions described in a management decision with respect to audit findings and recommendations. If management concluded that no actions were necessary, final action occurs when a management decision is issued. Misconduct Action of employees or contractors that violates laws, rules, or regulations and for which corrective action is warranted. If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General. Telephone: The Inspector General’s HOTLINE 1-800-303-9737 For deaf or hard of hearing people, dial FRS (800) 877-8339 and give the Hotline number to the agent. Or write: Pension Benefit Guaranty Corporation Office of Inspector General PO Box 34177 Washington, DC 20043-4177