APPENDIX I
OBJECTIVES, SCOPE, AND METHODOLOGY
The objective of our work was to evaluate the GSA building security upgrade program. Specifically, we were to determine (1) what criteria GSA used to assess security risks and prioritize security upgrades for its buildings, (2) the implementation and operational status of GSA's security upgrade program and the costs GSA has incurred by both funding source and type of security upgrade, and (3) whether any problems have hindered GSA's implementation of the security upgrade program.
To meet our first objective of determining the criteria GSA used to assess building security risks and prioritize its security upgrade implementation, we held discussions with GSA personnel; reviewed relevant correspondence, guidance, and other documentation on program implementation; reviewed building risk assessment files; and obtained and reviewed copies of GSA's security upgrade tracking system database as of June 27, August 29, October 3, and December 30, 1997. We also had discussions with a member of the DOJ report task force at the U.S. Marshals Service, as well with security personnel at the Social Security Administration and Department of Health and Human Services, to obtain more insight into how the minimum standards were developed and how they were being implemented by GSA.
To meet our objective of determining the security upgrade program's implementation and operational status and costs, we reviewed the security upgrade tracking system database; compiled data on security upgrades requested, approved, completed, and voided; and compared our results with those compiled by GSA. We judgmentally selected and reviewed GSA building files for 53 buildings in 4 regions and visited 43 of these buildings to determine whether the upgrades were operational. We selected these files to provide a cross section of different risk level buildings with either high or low dollar upgrade cost estimates. We chose not to include level-I buildings in this sample because most upgrades were going into buildings at the higher risk levels. During our review, the GSA OIG's Office of Audits also began a review of the GSA security upgrade program. We maintained contact with the OIG audit staff and coordinated our work. The GSA OIG audit staff shared with us three alert reports issued to and discussed with GSA management in October 1997, December 1997, and February 1998, concerning problems with erroneous upgrade completion data in the upgrade tracking system and instances of inefficient and ineffective use of security equipment in one or more of the four GSA regions reviewed. We referred to their findings in our report.
Further, we obtained and reviewed GSA budget information and actual obligations data from accounting reports generated from the NEAR system and from data compiled for us by GSA headquarters for fiscal year 1996 through the second quarter of fiscal year 1998. We also reviewed upgrade cost estimates contained in GSA's security upgrade tracking system as well as documentation on GSA headquarters' efforts during late August to October 1997 to correlate upgrade cost estimates recorded in the security upgrade tracking system with upgrade obligations data recorded in the accounting system for the purpose of reallocating unneeded upgrade funds among GSA regions.
To determine any problems that may have hindered GSA's implementation of the security upgrade program, we had discussions with GSA headquarters and regional staff in four regions; reviewed GSA correspondence and building files; performed analyses of the security upgrade tracking system databases; and made contacts with 22 of 26 selected building security committees that, according to GSA records, had not requested security upgrades. We also reviewed the results of GSA headquarters' analyses made during late August to October 1997 of the security upgrade tracking system and accounting system that identified data errors and unreliable upgrade cost estimates. Further, we held discussions with responsible GSA and OMB staff to understand the concerns and ongoing debate related to the future funding of the GSA building security program at the enhanced levels.
Finally, we discussed with FPS staff what procedures were in place for monitoring security operations and what efforts had been made to evaluate the security upgrade program, including actions taken on recommendations in an October 1995 internal FPS "lesson learned" report concerning its experiences following the Oklahoma City bombing incident. We also reviewed GSA's 1997 strategic plan and 1999 annual performance plan required under the Results Act to determine the goals, performance measures, and outcomes that GSA had established for the building security program.
We did our work primarily at GSA headquarters in Washington, D.C., and four GSA regional offices in Atlanta, GA--GSA Region 4; Denver, CO--GSA Region 8; Fort Worth, TX--GSA Region 7; and Washington, D.C.--GSA Region 11 (National Capital Region), between July 1997 and May 1998, in accordance with generally accepted government auditing standards. Because the various samples we used in our work were judgmentally selected, the results of the samples cannot be projected to the universes from which they were taken. We also did not evaluate the DOJ security standards or the effectiveness of GSA's building security upgrade program or any other agency's building security program.