A PUBLICATION OF THE INSPECTORS GENERAL OF THE UNITED … · Wendy Zenker, Office of Management and Budget Staff Editor David C. Williams, Social Security Administration OIG Editorial

A PUBLICATION OF THE INSPECTORS GENERAL OF THE UNITED STATES

THIS CARD MY BE KEPT

UNTIL NEEDED OR SOLD

GET OUT OF JAIL

FREE

Agree to take Departmentemployee who would make" an excellent investigator"

Pay $300 for$500,000 Personal Liability

Policy for yourself

OM

B P

assb

ack

Ret

urn

your

$50

0bi

lls to

the

bank

Secretary of Defenseannounces that unissued

IG investigation hascleared him

Go Directly to Jail,do not pass "Go"

Your Executive Assistantis observed doing lunch

with Mike Wallaceand Leslie Stahl

Accept GuyanaSabbatical, miss turn

The Chairman of SenateGovernmental Affairswants to chat and thePress wants to attend

Remove piece fromboard

AIGI gives pre-engagement ring to

confidential informant

Go back 3 spacesand roll again

Sem

iann

ual h

as to

om

any

colo

r ph

otos

and

is o

n gl

ossy

pap

er

Lose

20%

of n

ext

appr

opria

tion

You

rece

ive

aP

resi

dent

ial A

ppoi

ntm

ent

Mis

s 5

turn

s du

ring

back

grou

nd in

vest

igat

ion.

Take

a C

hanc

e C

ard

Cha

irman

of H

ouse

Gov

ernm

ent R

efor

m a

ndO

vers

ight

Com

mitt

ee a

ndyo

ur D

ept S

ecre

tary

bot

has

sure

you

that

"no

har

mw

ill c

ome

to y

ou if

you

sim

ply

tell

the

trut

h"R

emov

e pi

ece

from

boa

rd

GA

O a

rriv

es to

“he

lp”

with

you

r fin

anci

al a

udit

Pay

$40

0,00

0 fo

rad

ditio

nal a

udito

rs to

assi

st in

acc

eptin

gth

e he

lp

Your agents nailthe Budget Chief

Advance to Go, butdo not collect $200

Whistleblower set self onfire at Town Meeting withyour semiannual report

Take a ride onthe IG Line

You are a star witnessin the House Oversight

Hearing regardingDepartment scandal

Remove houses andhotels from board

Your Testimonycompares Sarajevoto Salina, Kansas

Lose 3 turns meeting withCongressional Delegation

from Kansas

IG Counsel does yourReal Estate Closing

Go Directly to Jail,do not pass Go anddo not collect $200.Take a Chance Card

FB

I, OS

C, O

GE

, GA

O,

PC

IE, A

FG

E and

FLE

OA

wish to discuss

a complaint against you

Go back 6 spacesand m

iss a turn

Secretary of Labor calls

from Team

ster Lear jetto m

ake sure "there isno problem

with it"

Go back to "G

o"

You are named

PC

IE V

ice Chair

Go back 1 space

and miss 2 turns

Vice P

resident gives your H

otlinenum

ber overN

ational Television

Go back 3 spacesand m

iss turn

CF

O thanks you

for being a "TeamP

layer" during Senate

Oversight H

earing

Reduce IG

appropriationin am

ount of 3 times roll

of dice times 1,000,000

Ch

an

ce

ADVANCE TO GO

(COLLECT $200)

Co

mm

un i

ty

Ch

es

t

Collec

t $20

0 gift

but d

eclar

e it!

GoDirectly toJail....

Free P

arkin

g

Do Not PassGo!

Visiting

IN JAIL

IG-O

POLY

(Danbury)

Just

SUMMER 1997

Editorial BoardAletha L. Brown, Equal Employment Opportunity Commission OIGRaymond J. DeCarli, Department of Transportation OIGStuart C. Gilman, Office of Government EthicsMaryann Grodin, Council of Counsels to the Inspectors GeneralDonald Mancuso, Department of Defense OIGThomas D. Roslewicz, Department of Health and Human Services OIGRobert S. Terjesen, Department of State OIGDavid C. Williams, Social Security Administration OIGWendy Zenker, Office of Management and Budget

Staff

EditorDavid C. Williams, Social Security Administration OIG

Editorial ServicesKaren M. Shaffer, Social Security Administration OIGAgapi Doulaveris, Social Security Administration OIG

PrintingFrederick Watson, Department of Defense OIG

Public AffairsRobert S. Terjesen, Department of State OIG

Design & LayoutAutomated Graphic Services, Nuclear Regulatory Commission OIG

Invitation to Contribute ArticlesThe Journal of Public Inquiry is a publication of the Inspectors General of the United States.We are soliciting articles from participating professionals and scholars on topics importantto the President’s Council on Integrity and Efficiency and the Executive Councilon Integrity and Efficiency. Articles should be approximately 3–5 pages, single-spaced, andshould be submitted to Agapi Doulaveris, Office of the Inspector General, Social Secu-rity Administration, Altmeyer Building, Suite 300, 6401 Security Blvd., Baltimore, MD 21235.

Please note that the journal reserves the right to edit submissions. The journal is a publication ofthe United States Government. As such, The Journal of Public Inquiry is not copyrightedand may be reprinted without permission.

iii

The Journal of Public Inquiry

IG Gate— Investigating Major Scandals:

Climate That Leads to IG Handling

Author: Michael R. Bromwich ...................................................................................................................................................1

Customer Dissatisfaction

Author: Sherman M. Funk .........................................................................................................................................................5

Statement of John A. Koskinen Before the House Committee on Government Reform and Oversight, February 12, 1997

Author: John A. Koskinen. .........................................................................................................................................................................9

GPRA: A Catalyst for Enhanced Federal Management Processes

Authors: Thomas G. Kessler, DBA and Thomas G. McWeeney, PhD .....................................................................................................13

Congressional Oversight: The Ten Do’s for Inspectors General

Author: Lorraine Pratte Lewis. ...............................................................................................................................................................17

The Truth About Cats and Dogs: The Auditors and the Investigators

Author: David C. Williams ......................................................................................................................................................................19

Professional Note:

Constructing Compliance Agreements

Author: John C. Martin ...........................................................................................................................................................................21

The Urge to Merge: OIG Semiannual Report/Agency Accountability Report

Authors: Pamela J. Gardiner and Steven L. Schaeffer ............................................................................................................................23

The Art of the Referral: Presenting Cases to United States Attorneys

Authors: Kelly A. Sisario, Bruce Sackman and Jerry A. Lawson ............................................................................................................27

The Near Horizon: Evaluation of Emerging Issues

Author: William C. Moran .......................................................................................................................................................................33

Multidisciplinary Approach to Teamwork

Author: Paul J. Coleman .........................................................................................................................................................................35

Cyber-Crackers: Computer Fraud and Vulnerabilities

Author: Alan Boulanger ..........................................................................................................................................................................39

Table of Contents

A PUBLICATION OF THE INSPECTORS GENERAL OF THE UNITED STATES

1


In the following article, the first of a two-part series, Inspector General Michael R. Bromwich discusses the growing role of IGs ininvestigating major scandals. In the next issue of the Journal, Mr. Bromwich will discuss the dynamics and mechanics of conduct-ing a major scandal investigation in an article entitled, “Investigating Major Scandals: The Nuts and Bolts.”

IG Gate –Investigating Major Scandals:The role of the Inspector General (IG) has evolved in a variety of ways over the past 20 years. Although the media hasfocused on the Independent Counsel’s role in investigating major scandals, IGs are playing an expansive and importantpart in these cases.

(continued on page 2)

Climate That Leads to IG Handlingby Michael R. Bromwich

Michael R. Bromwich,Inspector General,Department of Justice

S ince the Ethics in GovernmentAct was passed in 1978, as one

of the lasting legacies of Watergate,Independent Counsels have become

an accepted part of our political and legal culture. Iran-Contra, HUD, Whitewater — Independent Counselsappointed over the past 10 years have become synonymouswith major investigative efforts undertaken in response toserious allegations of misconduct against high Governmentofficials. Independent Counsels have become an importantpart of the institutional context within which seriousallegations of misconduct are addressed. Indeed, one suresign that allegations of misconduct have reached a criticalmass or velocity is when the more general call for aninvestigation becomes a demand for the appointment of anIndependent Counsel. This is the case whether or not theallegations bear any resemblance to the relatively narrowclass of allegations that trigger the process by which anIndependent Counsel is appointed.

Also in 1978, the Inspector General Act created Officesof Inspector General (OIGs) throughout the executivebranch to promote the efficiency of the Government and toinvestigate allegations of waste, fraud and abuse. IGs havecome to be relied on by their respective agencies andincreasingly by the Congress to deal with a wide range of

alleged misconduct, including misconduct by high-rankingagency officials. With the Inspector General Act Amend-ments of 1988, statutory IGs were created in, among otherplaces, the Departments of Justice and the Treasury, whichare the homes to the best known and most powerful lawenforcement agencies in the country. In the last severalyears, some of the matters that have drawn the most publicattention have dealt with the actions of law enforcementagencies. Ruby Ridge, Waco, Good Ol’ Boy Roundup,Federal Bureau of Investigation (FBI) Laboratory — theneed for aggressive and reliable executive branch oversightover powerful law enforcement agencies has been high-lighted by such matters. Some of these matters have beenhandled by IGs; some have not. But the overall trend isplainly in the direction of having IGs conduct inquiries ofthis kind.

Over the course of the last 20 years, the two institutions— Independent Counsels and Inspectors General — havecoexisted, each going about its own business. There hasbeen much misinformation and confusion over the Offices ofInspector General, about what they do and about whatmatters they investigate. This confusion has been deepenedby the sheer number of OIGs and the different kinds ofactivities — investigations, audits, inspections — that theyconduct. Over the course of the past several years, variousOIGs have conducted the kinds of high-profile mattersnormally associated with Independent Counsels. In myagency alone, in the past 2 years, we have conducted or areconducting eight such investigations, the details of whichwill be described in the next issue. I know that this is

2


Climate That Leads to IG Handling (continued)

not a development restricted to my own agency, becausefour of the eight have been coordinated with or related toinvestigations conducted by other OIGs. Having servedin Lawrence Walsh’s Office of Independent Counsel:Iran-Contra, I have given some thought to what hascaused the growing number of major OIG investigationsand to the differences between OIG and IndependentCounsel investigations.

Inspectors General and IndependentCounsel: Convergence?

The fact that OIGs are conducting the kind of high-profile investigations normally associated with IndependentCounsels suggests a convergence between the two institu-tions. While the strongest evidence of this convergence isthe number and character of the investigations beingundertaken by OIGs, in fact this supposed convergencebetween OIG and Independent Counsel investigations ismore apparent than real. Despite public perception to thecontrary, not every allegation of major scandal in anadministration or in an agency is subject to the mechanismby which an Independent Counsel is appointed. Instead, thecircumstances in which an Independent Counsel may beappointed are quite limited: 1) when there are specific andcredible criminal allegations against so-called “coveredpersons” — i.e., high-ranking officials in the White Houseand in various departments and agencies of the executivebranch; and 2) when the Justice Department’s handling ofsuch an investigation would result in a “personal, financial,or political conflict of interest.”1 Three of the four Indepen-dent Counsels appointed during the Clinton Administrationhave been appointed under the “covered persons” provisionof the statute — those investigating allegations againstformer Secretary of Agriculture Mike Espy, former HUDSecretary Henry Cisneros, and the late former CommerceSecretary Ron Brown. The only Independent Counselappointed under the conflict-of-interest prong relates to theWhitewater investigation.

There are various institutional and policy reasons whyInspectors General, as currently constituted, could not fullyreplace Independent Counsels. First, while OIGs have powerto investigate many of the same matters that cause theappointment of an Independent Counsel, they have no powerto prosecute. OIGs have to take their cases to prosecutors inthe United States Attorneys’ Offices throughout the country,to the Department of Justice’s Criminal Division, or to theCriminal Section of the Department’s Civil Rights Division,who make the ultimate decisions whether to bring criminalcharges. The Independent Counsel statute is designed to shiftresponsibility for prosecutive decisions in a limited number

of cases from the Justice Department to another institutionhaving no personal or political connections to the officialsunder investigation. Having OIGs investigate such mattersdoes not address the problem the Independent Counsel statutewas designed to solve — the identity of the official makingthe ultimate decision whether to prosecute.

Second, because of the ongoing responsibilities ofOIGs, it is difficult for them to juggle multiple resource-intensive investigations while at the same time successfullydischarge their other responsibilities. While in the midst ofseveral of these investigations at the same time, I havestruggled with the conflict of wanting to make sure Idevoted the resources necessary to conduct them well whileat the same time making sure we do the other importantwork we were created to do. Special investigations are anenormous drain on scarce resources. In many cases itwould not be possible for an OIG to ensure that the investi-gation be done as quickly or as fully as may be necessary.There are expectations both inside and outside of one’sagency that OIGs will provide broad investigative and auditcoverage of their departments; it is the rare case in whichdisplacing resources from such continuing responsibilities isuniformly acceptable to the OIG’s own agency, the Con-gress, or the public.

Finally, the jurisdiction of each OIG is limited topersonnel in its agency as well as outsiders associated withits programs and operations. Many high-profile investiga-tions are not neatly contained within an agency or depart-ment; they may involve allegations that cross agencyboundaries and that involve non-governmental personnelwho have nothing to do with the programs and operations ofthe agency. While we have had generally good experiencescoordinating our investigations with other OIGs, it is plainlymore difficult to conduct an investigation that exceeds theboundaries of one’s own agency. In addition, the absence oftestimonial subpoena power limits the ability of an OIG togather evidence from witnesses outside the agency.

Increasing Resort to InspectorsGeneral: The Reasons

Even though OIGs are not institutionally capable ofdisplacing Independent Counsels, the undeniable fact is thatmany high-profile matters are being handled by OIGs.There are several reasons for this development. First, thereis a greater recognition in the Congress that InspectorsGeneral have the professional staff capable of undertakingsuch investigations and the objectivity and independence toensure that the facts and nothing else drive the investigativeresults. To meet the demand for conducting complexinvestigations, I have recruited experienced former prosecu-tors to play key roles. This is both because of their experi-ence as prosecutors in conducting lengthy and difficultinvestigations and also to enhance the written investigativereport that is their final product. No matter how talentedOIG investigators and other personnel may be, I believe thatlawyers who are trained to synthesize large amounts ofinformation and present it in a persuasive way constitute a

1 The 1994 version of the legislation also authorized the appoint-ment of an Independent Counsel when there are criminal allega-tions against a Member of Congress and when the AttorneyGeneral determines that it would be in the “public interest” for anIndependent Counsel rather than the Justice Department to conductthe investigation. No Independent Counsel has been appointedunder this provision.

3



of investigative results to please a congressional audience,an OIG’s long-terms interests will be to temper responsive-ness to Congress with a dedication to calling them as theysee (and find) them, regardless of Congressional reaction.

Inherent Strengths of InspectorGeneral Investigations

In addition to the explanations offered above for thegrowing resort to OIGs to conduct sensitive and complexinvestigations, other factors make it likely that this trendwill continue.

First, OIGs have a very substantial advantage inconducting investigations within their agencies based ontheir strong working knowledge of those agencies. Overtime, as an institutional matter, OIGs accumulate a substan-tial store of institutional knowledge about the way theiragencies operate. This knowledge includes the way theagencies’ programs work, the way its components workwith each other, and the management weaknesses that mayalready have been studied. When we conducted an investi-gation into allegations that INS managers deceived adelegation from the Congressional Task Force on Immigra-tion Reform during a fact-finding trip to Miami in June1995, we could deploy a group of agents and auditors withan extremely strong working knowledge of INS. Thisknowledge facilitated our investigation in countless ways.

Second, OIGs have employees with varied skills andbackgrounds who can contribute to the investigative effort.Investigators, auditors, inspectors, and program analystsmay all be capable of making distinctive contributions to acomplicated investigation. This can be an enormousadvantage when compared, for example, to the need forIndependent Counsels to build their staffs from scratch. Incomplex white-collar investigations, prosecutors frequentlyseek to obtain the assistance of Internal Revenue Service(IRS) agents to get sophisticated documentary and financialanalysis. In my experience, auditors, inspectors, andprogram analysts have many of the same strengths as IRSagents in being able to comb through and make sense oflarge numbers of complex documents. Although investiga-tors, auditors, and inspectors have different training, I havefound the marriage of their different skills and experiencesto be extremely valuable in conducting special investiga-tions. This also provides excellent team-building opportuni-ties for employees who may never have worked withpersonnel from other parts of the OIG.

Third, OIGs are able to conduct their investigations inways that ensure that Congress and the public receive thefull story of the investigations and the facts found. Thepurpose of criminal investigations is to determine whetheranyone has committed a crime and to bring prosecutionswhere there is adequate evidence to prove guilt beyond areasonable doubt. The criminal charges that may resultfrom an investigation may involve only a small percentageof the information that is collected during the investigation.

vital resource in conducting such investigations. In ourcontacts with Congress, it has become clear that bothMembers and their staff are comforted by the fact that weare relying on experienced prosecutors to play significantroles in major investigations.

Second, the size of congressional staffs has generallydeclined over the past 4 years, while the amount of work tobe done by both the House and the Senate has not. As aconsequence, there has been a general decline in the abilityboth in the House and Senate to devote scarce congressionalstaff resources to undertaking major investigations. Inaddition, the number of personnel detailed from the executivebranch to Capitol Hill who can assist in conducting legisla-tive inquiries has dropped as the executive branch has shrunk.While there are obviously allegations of scandal — such asthe current allegations of improper campaign fundraisingpractices in the 1996 election campaign — that causeCongress to mobilize its investigative machinery, the numberof such congressional investigations has declined. The morethat the Congress develops confidence in the ability of OIGsto conduct such investigations, the more comfortable it willbe with monitoring the progress of such investigations ratherthan seeking to conduct parallel inquiries.

Third, Congress has seen the difficulties created byparallel executive branch and congressional investigations.In Iran-Contra, the grant of immunity by the select congres-sional committees to central figures including Admiral JohnPoindexter and Lt. Col. Oliver North ultimately doomedcriminal cases brought by Independent Counsel LawrenceWalsh. That vivid memory has led Congress in variousinstances to stay its hand and to delay the commencementof a congressional inquiry, condense its scope, or both.When we investigated allegations that high-ranking Immi-gration and Naturalization Service officials deceived adelegation from the Congressional Task Force on Immigra-tion Reform on a fact-finding trip to Miami in June 1995,we had to deal with Congress’s desire to hold hearings onthe same subject while our investigation was still inprogress. Ultimately, Congress agreed to delay hearingsthat would have greatly complicated our investigation, eventhough our investigation took nearly a year to complete.Because of the thoroughness and power of our investigativereport, Congress ultimately held only a brief hearing atwhich we reported our investigative results.

Fourth, Congress has recognized that InspectorsGeneral, unlike Independent Counsels, are accountable toCongress. OIGs depend on Congress for funding and aresubject to its oversight. This ongoing relationship withCongress means that OIGs must take account of theircongressional audience. Many of the major investigationsundertaken by my office over the past 2 years have been theresult of congressional requests. In other cases, even whenthe initiation of the investigations has had a different cause,as in our Federal Bureau of Investigation Laboratoryinvestigation, congressional committees have expressedsubstantial interest in them, have monitored their progress,and in some cases have held hearings when they arecompleted. Although this relationship between OIGs andCongress could in unscrupulous hands lead to the slanting

4


Introduction of evidence at any trial may be deemedirrelevant to proving specific charges against specificdefendants — and yet such evidence may be extremelyimportant in telling the story that puts the activities of thedefendant(s) in context. In addition, prosecutors maydecide not to pursue certain lines of inquiry because theyhold no prospect for developing admissible evidence. Yetthose lines of inquiry may be extremely important indrawing a complete picture of the events that gave rise tothe request for the investigation. Although IndependentCounsels are required to file periodic reports and a substan-tive final report, the final report is necessarily focused onthe path of the criminal investigation, which may notpresent the full picture of relevant facts.

By contrast, Inspectors General are free to structure anddirect their investigations as they deem appropriate and totake an exhaustive look at relevant facts rather than limitingthemselves to evidence that can be used in a criminalprosecution. This greater flexibility is extremely useful inproviding an accounting of what occurred to agency heads,Congress, and the public. When we were asked to reviewthe role of Justice Department personnel in the Good Ol’ BoyRoundup, it was clear that the likelihood that any JusticeDepartment personnel committed any crimes in connectionwith attending the event was slim. The primary concern ofthe Attorney General and the Senate Judiciary Committeewas whether Justice Department employees engaged in anyincidents of racial and other misconduct. Our lengthy reporttold the story of the Good Ol’ Boy Roundup over 16 years, anarrative of historical reconstruction that no criminalprosecution could have accomplished.

Fourth, in the face of allegations of serious misconduct,OIGs may investigate the conduct of personnel rangingfrom the head of the department or agency down throughthe ranks to include any employee. OIG jurisdictionincludes within its purview misconduct at every level.While the net of Independent Counsel investigations can becast quite broadly — as the Iran-Contra and Whitewaterinvestigations have been, to provide two examples — itfrequently is limited to a single named individual. Moreimportantly, the scope of the Independent Counsel’sinvestigation is framed by the court order appointing theIndependent Counsel and the Independent Counsel’sconstruction of that order. Generally, such orders areframed broadly enough to enable the investigation toinclude not only the named individual or individuals butalso those who were involved in the alleged misconduct, butmuch is left to the discretion of the Independent Counsel.Because ultimately the Independent Counsel is not account-able in any meaningful way to the agency in which themisconduct took place or to the Congress, there is littleleverage to ensure that the investigation is framed broadlyenough to serve the oversight interests of the Congress andthe management interests of the agency.

Fifth, OIG investigations are able to help ensure thatagency personnel are held accountable by their continuingpresence within the agency. When prosecutors investigatethe conduct of agency personnel, their interest frequentlybegins and ends with their investigation. Prosecutors have

no continuing oversight responsibilities over an agency or apart of an agency. It is no part of their mission to improvethe operation of Government programs and operations,except insofar as removing corrupt officials accomplishesthat purpose as a by-product of the investigation. And incases where prosecutors develop some evidence of miscon-duct but not enough to indict those who engaged in it, theability to take appropriate administrative action is handi-capped by the lack of interest prosecutors generally have inthe agency administrative process. This general propositionis even more true of Independent Counsels than it is of otherprosecutors. They are created for one mission and onemission only; the institution is then disassembled and ceasesto exist. Continuing oversight, to the extent it is provided atall, must come from Congress or the agency within whichthe scandal occurred.

OIGs are quite different in this respect. Although mostof the Justice OIG’s cases begin as criminal investigations,the distinct minority go forward as criminal prosecutions.A substantial percentage of our caseload is made up ofadministrative matters that are ultimately referred back tothe employing agency for appropriate administrative action.Because of the continuing mission and presence of the OIG,and its broad responsibilities for oversight within theagency, it has an interest in making sure that misconductinvestigations are taken seriously by the managers respon-sible for imposing discipline. If they are not, OIGs have theability to expose the failure to take appropriate administra-tive action and to report the failure to Congress and thepublic. Thus, even where an investigation does not lead toprosecutions, it can serve to ensure that a broad range ofagency employees are held accountable. Moreover, IGsmake important recommendations for improving theoperation of their agencies based on an individual investiga-tion or a series of investigations that has revealed vulner-abilities in the agency’s programs or operations. Thebusiness of Independent Counsels is limited to taking ordeclining to take prosecutive action.

ConclusionThe adversary culture that exists in Washington virtually

guarantees that allegations of misconduct and gross misman-agement will be directed with great regularity against high-ranking Government officials and controversial Governmentprograms. This is particularly true given the larger trendstowards downsizing of Government and the continuing searchfor wasteful and expensive programs — and in some casesentire agencies — to abolish. Nothing can end a programfaster than an investigation that finds it riddled with corrup-tion and characterized by waste and inefficiency.

Because of our independence, autonomy, and otherunique institutional advantages, OIGs will continue toreceive requests from the Congress and the public toundertake major investigative efforts in high-profilematters. The irony is that the better we acquit ourselves inconducting such investigations, the more likely we are tounleash a torrent of similar work that we may lack theresources to do.❏

Climate That Leads to IG Handling (continued)

5


Customer Dissatisfactionby: Sherman M. Funk

Sherman M. Funk, FormerInspector General, Departmentof State and Arms Control andDisarmament Agency

T he normal run of InspectorGeneral (IG) investigative

work deals with the detritus ofbureaucracy: abuse of power by

mid-level officials, false statements on forms, theft ofGovernment money or equipment, fraudulent billings,fraudulent use of Government payments, Hatch Act viola-tions (referred back by the Special Counsel), misuse ofGovernment vehicles or other Government equipment, fraudagainst the Government by contractors and grantees, etc.Few of these crimes, misdemeanors, and administrativeabuses attract significant attention by the media, or on theHill, or even by senior agency management.

IGs are always irritated when those matters thatshould generate “outside” interest rarely do so, such asaudit, inspection or investigative reports citing wasteful orbadly managed programs and operations which cost thetaxpayers millions of unnecessary dollars. To be sure,there are a few dogged reporters and a handful of legisla-tors who regularly read or are briefed on IG reports, buttheir accounts or speeches about waste tend to be ignored.And yet, IGs are frequently used to crack down harder oncorrupt Government employees.

The dirty little secret of IGs, however, is that the vastmajority of Federal workers are honest, want to do a goodjob and, as a group, generally are no less efficient thattheir counterparts in the private sector — despite theirhaving to live with a number of silly and nitpickingregulations which corporate America would not tolerateinternally for a moment.

When they have time to think about it, IGs viewthemselves as conscientious doers of good deeds, dealingdaily with what is, in effect, a small but persistent Federal

underworld. Their successes usually elicit no glory and fewplaudits. It is little wonder, then, that IGs (who, popularconceptions to the contrary, are quite human) dream oftaking on a major scandal. They know that the hugepublicity arising from such an event will catapult them intotheir 15 minutes of fame; more important, it will boost themorale of their staffs. They also sense, assuming no repealof the Law of Averages, that sooner or later this Big Scandalwill erupt in their agencies. What they don’t know is thatwhen it does, and they have to investigate it, their work willbear out Clare Booth Luce’s classic dictum, “No good deedgoes unpunished.”

The blunt truth is that a truly major scandal in aGovernment agency which attracts wide media attention,both print and TV, is likely to incorporate political aspectswhich also attract congressional attention. That, in thenature of things, generates partisan political attention.Given sufficient media and partisan heat, and the involve-ment of an EX-2 or higher level appointee, the distinctpossibility exists that an Independent Counsel will bereviewing the investigation at a later date.

What does all this mean to the IGs? Some of the answerdepends on how the relevant investigation was initiated.

Often, an agency head faced with a public outcry orunofficial congressional request (both usually arising froma media story, which in turn usually derives from a leakwithin the agency), refers the matter to the IG. Becausethe agency’s spokesperson, anxious to deflect heat fromhis or her boss, is quick to inform the media of thisreferral, reporters now focus their quest for informationon the OIG. In other cases, the IG may have opened aninvestigation as soon as the potential problem surfaced inmedia accounts, or earlier, on the basis of internal infor-mation obtained by the OIG; in either situation, theagency’s spokesperson or the OIG press officer can simplyconfirm that an investigation is already underway. Also, itis not unlikely that the IG may have had an investigationof this or ancillary matters ongoing for some time, but did


IG Gate –Investigating Major Scandals:

6


not recognize its Major Scandal potential until the mediastorm broke. Here too, the appropriate procedure wouldbe a simple acknowledgment that the investigation is inprogress — although it might not be injudicious to addthat the review had begun some time earlier. An occasion-ally implied boast is not always out of order.

Regardless of how or when the investigation origi-nated, certain measures should be taken as soon as it isrecognized that the OIG has a Major Sandal on its hands.The IG must immediately assume that every bit of datarelated to the investigation will be microscopicallyanalyzed before long by reporters, congressional staff,legal experts, and eventually the public. This includesinterview notes, investigative procedures, methods ofreview, possible referrals to Justice — everything. All ofthis may never surface, but it should be assumed that itwill and care taken accordingly.

What this means in practice is that only the very bestinvestigative talent should be assigned to the case. If thematter had been initially handled, when it was opened, byagents not in the first rank (and quality is the issue here, notseniority), they should be supplemented by others. Whereappropriate, it is a good idea to add top-notch auditors andinspectors to the team; they provide a useful dimension thatmay prove invaluable if financial analysis or knowledge ofprograms is a requisite component of the investigation.

Accept as a given that reporters will try to findout what your team finds out, while they arefinding it out, if not immediately after. They willinterview, or attempt to interview, all of theIG sources; they will obtain, or try toobtain, all of the documents the teamobtains. Inasmuch as they lack subpoenapower, they will do this through persua-sion, appeals to patriotism, bold-facedintimidation and, in the case of sometabloids, appeals to greed. Never underes-timate the quality of reporters. Many ofthem, particularly from the major newspa-pers and wire services, will be knowledge-able, smart, and tough. And neverunderestimate the impact of a TV reporterand a cameraman appearing at the officedesk or home front door of a source. If thelatter is torn between fear of responding toquestions on camera and the prospect of beingseen nationally on network news, have little doubtof the decision. Thus, whatever transpires between OIGagents and subjects or sources may well be known publiclybefore it even reaches the IG.

It goes without saying, but it should be said anyway:investigative team members should be cautioned not todiscuss the case with anyone outside the OIG. Anyone,including family and friends. The author is not aware ofany investigative leak ever coming from an OIG, althoughwhen leaks do appear (usually from sources), most peoplewill automatically accuse the OIG. All the OIG can doabout such accusations is hunker down and circle thewagons. It comes with the territory.

IGs, no less than other Government officials in this ageof reinvention, must strive for customer satisfaction. Thespecial problem facing IGs is that while it is easy to identifywho their customers are, it may be hellishly difficult todetermine what information should be available to them.On a narrow basis, all personnel in the OIG’s agency, fromthe Secretary/Administrator on down, are IG customers.They have a right, regardless of grade or position, to expectcourteous, respectful, and professional conduct from allOIG employees. They have a right to expect searching,independent, objective, professionally competent, and yes,tough audits, inspections, and investigations. That much isbeyond question.

But the IG’s customer base is wider than the agency. Itincludes the Department of Justice, other Federal, state, andlocal law enforcement agencies, other OIGs, the Office ofSpecial Counsel, Office of Government Ethics, professionalorganizations (e.g., Association of Government Accountants,Federal Investigators Association, American Institute ofCertified Public Accountants, Institute of Internal Auditors).Because we live in a democracy where the people and thepeople’s representatives have a basic right to know, it alsovery much includes the print and TV media, the Congress,

including congressional staff and the GAO, and thepublic at large.

It is this wider customer base which poses thespecial problem. Obviously, unclassified pub-lished audit and inspection reports should beavailable to anyone who wants a copy, subject

only to possible deletion of some procurement-sensitive material. Obviously too, completed investiga-

tive reports, suitably redacted for privacy reasons, arereleasable. But IGs have an obligation to maintain

confidentiality of certain investigative proce-dures, and to protect sources, especiallywhistleblowers. When the media are deniedfull access to all data, or when a congressionalstaffer is told he or she cannot receive copiesof raw interview notes, the IG will havedissatisfied customers. When a senator orrepresentative is told that a particular requestmust come from a full committee chair, theIG will have another dissatisfied customer.When citizens submit requests for privilegeddata and are denied, there will be moredissatisfied customers. Such dissatisfaction

is the price of being an IG, whose objective should be togather and report facts, not to be widely loved, or to giveaway the store trying to placate a vociferous few. Indeed,if either of the latter two is true, the IG is the wrongperson for the job.

But it gets worse. If the scandal reaches majorproportions, the heat will intensify, particularly if it has(apparently) a political dimension. During the investiga-tion of the Clinton passport matter, the author was calledby several Democratic Hill staffers, and by at least twoDemocratic Members, all of whom issued stern warningsthat he should not try to cover up misconduct by the BushAdministration. After he held a press conference upon

Customer Dissatisfaction (continued)

7


publication of the report, during which he said that thepassport search was not an organized effort by the WhiteHouse to uncover dirt on Clinton, Democratic Membersaccused him flatly of a sell out to protect his job. One yearlater, ironically, when the author’s staff investigated a casewhere mid-level Clinton appointees rummaged through filesof senior Bush Administration appointees and leakedinformation from them, public accusations were made byRepublican Members that he had sold out to the ClintonAdministration to keep his job, even though the reportrecommended, and the Secretary approved, dismissal of theoffending officials. No apologies were made in either casewhen the validity of both reports became apparent. Norwere apologies made by newspapers that had editorializedin error about the author’s alleged surrender first toRepublican and then to Democratic demands that aninvestigation should have preordained conclusions.

Interestingly, the first press conference ever held bythe author as IG concerned an investigation about the leak

of economic indicators in advance of their official release.By any definition, this was far more significant than eitherof the above cases. Billions of dollars on the bond marketmoved within hours of the leaks; unless the leakers could beidentified quickly, the very integrity of Federal statistics wasat issue. An all-out investigation, conducted jointly with theSecurities and Exchange Commission, resolved the prob-lem. No politics, no senior appointees involved, no “sex”appeal and, at the press conference, virtually no questions.But that was only a scandal, not a Big Scandal. If IGsencounter the latter, with all its hue and cry, the authorsuggests that their attitude--assuming they are satisfied thatthey have conducted a comprehensive and professionalinvestigation--should be, to paraphrase Shakespeare, “If thisbe customer dissatisfaction, make the most of it.”

Or, if they are unable to withstand the extent of thedissatisfaction, adhere to Harry Truman’s immortal “If youcan’t take the heat, get out of the kitchen.”❏

8


9


Statement of John A. KoskinenBefore the House Committee on GovernmentReform and Oversight, February 12, 1997

The Government Performance and Results Act (GPRA) of 1993 requires agencies to develop and institutionalize processes toplan for and measure mission performance. GPRA was enacted 3 1/2 years ago as the result of a bipartisan effort in theCongress, with the support of the Administration, to increase the focus on the results from Government programs and activities.At its simplest, GPRA can be reduced into a single question: What are we getting for the money we are spending?To make GPRA more directly relevant for the thousands of Federal officials who manage programs and activities acrossGovernment, GPRA expands this one question into three: What is your program or organization trying to achieve? How willits effectiveness be determined? How is it actually doing? One measure of GPRA’s success will be when any Federal manageranywhere can respond knowledgeably to all three questions.

On February 12, 1997, John A. Koskinen, Deputy Director for Management, Office of Management and Budget (OMB) testifiedbefore the House Committee on Government Reform and Oversight on the Administration’s progress to date in meeting therequirements of the GPRA. The Journal is providing the text of Mr. Koskinen’s testimony for Federal managers information.

M r. Chairman, I am pleasedto appear before the

Committee this morning todiscuss the importance to the

Government and the public of the Government Perfor-mance and Results Act of 1993 (GPRA) and to provide anassessment of our progress to date in meeting its majorrequirements. GPRA was enacted 3 1/2 years ago as theresult of a bipartisan effort in the Congress, with thesupport of the Administration, to increase our focus on theresults from Government programs and activities. ThisCommittee was one of the leaders in the passage of the Actand we look forward to continuing to work with you andthe Congress as we implement this significant legislation.

At its simplest, GPRA can be reduced to a singlequestion: What are we getting for the money we arespending? To make GPRA more directly relevant for thethousands of Federal officials who manage programs andactivities across the government, GPRA expands this onequestion into three: What is your program or organizationtrying to achieve? How will its effectiveness be deter-mined? How is it actually doing? One measure of GPRA’ssuccess will be when any Federal manager anywhere canrespond knowledgeably to all three questions.

But having answers to these questions is of greatinterest to the public as well. As a Government, we facemajor challenges. This is a time of great fiscal constraint.Tight budget resources demand that every dollar count.During a period of much public skepticism about theGovernment’s ability to do things right, the Governmentmust not only work better, but be shown as working better,if we are to regain public confidence in this institution. Wemust chart a course that not only sustains our delivery ofservices to the public, but improves on that delivery whilemeeting the rightful expectations of its citizens to be treatedfairly, responsively, and with good effect. GPRA, ifsuccessfully implemented, will support such a result.

Let me now briefly summarize those aspects of GPRAimplementation that are our most immediate focus.

Basic Requirements and Timetable

Strategic plans

The basic foundation for what agencies do underGPRA is the agency strategic plan. Agencies are requiredto send their strategic plans to Congress and OMB by thisSeptember 30. When developing its strategic plan, anagency is to consult with Congress and solicit and con-sider the views of those parties interested in or potentiallyaffected by a plan. OMB has encouraged agencies tobegin this consultation soon.


John A. Koskinen,Deputy Director for Management,Office of Management and Budget

10


Our guidance to the agencies on preparing and submit-ting strategic plans notes that the agency letter transmittingthe plan to Congress and OMB should describe the consul-tation that was done, as well as summarizing any views ofthose outside the Executive branch that present a contraryview to the basic direction of the plan as completed.

The strategic plan spans a multi-year time frame, and isrequired to include a mission statement, a set of generalgoals and objectives, and a description of the linkagebetween these general goals and objectives and the perfor-mance goals that will appear in the annual performanceplan. The mission statement sets forth the basic purpose forwhat an agency does programmatically and operationally.The long-term general goals and objectives define what theagency intends to achieve over the time period of the plan,to further its overall mission. The linkage between long-term goals and annual goals is important because the annualgoals are commonly used to measure progress in achievingthe general goals and objectives.

OMB issued guidance to the agencies in September 1995on the preparation and submission of strategic plans. Thisguidance resulted from an OMB/agency collaborationduring the Spring and Summer of 1995. In the Summer of1996, OMB conducted a comprehensive review of theagency strategic planning efforts and the status of theirplans. The review’s objective was to gauge agency progressin preparing their strategic plans and to identify anyconcerns with the plans themselves or the process beingfollowed. Agencies provided OMB with certain key partsof their plan for this review which were in a draft ordevelopmental state.

Generally, the agency plans reflected a serious effortand allowed us to conclude that agencies should be able toproduce useful and informative strategic plans by this Fall.The review also revealed several challenges. Last summer,most agencies were only beginning to link the general goalsand objectives of their plans with the annual performancegoals they would be including in their annual performanceplan. Further inter-agency coordination on programs oractivities that are cross-cutting in nature was necessary andthe senior leadership in some agencies had yet to becomefully involved in the planning process.

Since then, OMB staff have continued to interact withthe agencies as these strategic plans have evolved and wewill undertake another systematic review of the agencystrategic plans this spring.

Annual Performance Plans

Pursuant to the statute, the first of the agency annualperformance plans will be sent to OMB this September.These plans will be for Fiscal Year 1999, and will besubmitted with the agency’s budget request for that year.The annual performance plans will contain the specificperformance goals that the agency intends to achieve in thefiscal year. The statute provides that a subsequent iterationof the annual performance plan is to be sent to Congressconcurrently with release of the President’s budget.

The agencies and OMB gained valuable experience inpreparing annual performance plans through the pilotproject phase of GPRA. The statute wisely provided anopportunity for all 14 Cabinet Departments and an equalnumber of independent agencies to experiment with theimplementation of the statute. Over 70 individual pilotprojects were established, ranging in size from the entireInternal Revenue Service to small offices and programswithin a larger bureau. The performance measurementpilot project phase of GPRA concluded in FY 1996. OMB’sMay 1997 Report to Congress on GPRA will describe thispilot project phase in greater detail.

In September 1996, OMB initiated a special review ofthe performance goals that agencies proposed to include intheir annual performance plans for FY 1999. This review isstill ongoing. The agencies are providing OMB with descrip-tions of their proposed performance goals, illustrating whatwill be measured and the nature and type of measurement.

The timing and sequence of these two reviews, one inthe Summer of 1996 and the other in the Fall, was bydesign. The Summer Review concentrated on strategicplans, which are the starting point for annual performanceplans. A strategic plan is like a compass pointing to what anagency seeks to achieve over the long-term. Without such acompass, it is difficult to judge whether the annual perfor-mance goals are appropriate.

Our experience with the pilot projects and with SummerReview underscored the importance of having a reviewfocused on the annual performance goals. Gaining an earlyconsensus on these goals will not only help assure that theyare appropriate and relevant but will allow agencies tomeasure current performance, creating a baseline from whichto set future performance levels or targets.

In another joint collaboration with the agencies, OMBis preparing guidance on the preparation and submission ofannual performance plans for FY 1999. The drafting of thisguidance is largely complete and the guidance will beissued soon and we expect agencies to produce useful andinformative annual performance plans for FY 1999.

Government-wide performance plan

GPRA requires that a Government-wide performanceplan be annually prepared and made part of the President’sbudget. The Government-wide performance plan is based onthe agency annual performance plans. The first Government-wide plan will be sent to Congress in February 1998, andcover FY 1999. We will soon begin an effort to design thisdocument, determining what should be included and how itshould be presented. In this regard, we would welcome yourviews on those features that you believe would make thisdocument informative and useful to the Congress.

Program Performance Reports

The agency’s program performance report is the annualconcluding element of GPRA. These reports are requiredwithin 6 months of the end of a fiscal year, and compare

Statement of John A. Koskinen (continued)

11


actual performance with the performance goal target levelsin the annual performance plan. Where a goal was not met,the agency explains why and describes the actions beingtaken to achieve the goal in the future. The first programperformance reports, for FY 1999, are to be sent to thePresident and Congress by March 31, 2000.

The performance measurement pilot projects are beingused as a test of the program performance reports, and theability of agencies to generate timely and accurate actualperformance data. OMB is considering integrating theGPRA program performance report with each agency’saudited financial statement and several other periodicreports to create a single agency accountability report.We expect that the OMB Report to Congress in May willfurther outline proposals for such a single report.

OMB’s GPRA EffortThe OMB-led reviews I have previously outlined are

part of the Administration’s overall effort to ensure success-ful implementation of GPRA and indicate the great impor-tance we attach to this effort. Two OMB-wide forumsdedicated to performance and GPRA preceded the Govern-ment-wide reviews begun last summer. These forums wereused to familiarize all OMB staff with the statute and itsrequirements and to draw upon their experience andsuggestions for how it might be successfully implemented.The magnitude of GPRA, its encompassing scope, and itsintegration with the budget dictate that every major organi-zational component within OMB have some role in itsimplementation. To advance the concept of OMB-wideresponsibility for GPRA, OMB established a GPRAImplementation Group, whose members are from everyOMB office and comprise nearly 10 percent of our totalprofessional staff. The Implementation Group meetsregularly to discuss and review GPRA implementation tasksand policies.

In many ways, the best training is having to do ityourself. OMB has been working on its own strategic planfor nearly a year, an effort that has involved all parts andlevels of the organization. Later this month, OMB willhave a day-long “stand-down” in which all staff will focuson our strategic plan and the goals we propose to establishfor our organization.

Valuable help for our Government-wide implementa-tion effort is also coming from several interagencycouncils which I chair. These are the President’s Manage-ment Council, whose members are the agency ChiefOperating Officers (generally the Deputy Secretary); theChief Financial Officers’ Council; and the President’sCouncil on Integrity and Efficiency, comprised of theagency Inspectors General. Each of these councils hastaken leadership for one or more aspects of GPRAimplementation, and have developed and disseminateduseful techniques and practices to assist the agencies.They are also helping us to develop a unifying frameworkfor bringing together the various laws and initiativesthat focus on performance. These include GPRA, the

Government Management Reform Act, the Chief FinancialOfficers Act, the Federal Acquisition Simplification Act,the Federal Managers’ Financial Integrity Act, the Inspec-tor General Act, the Clinger-Cohen Act, as well as initia-tives originating from the National Performance Review,such as development of customer service standards andperformance-based organizations. There is consensus thatthis integration must be done, and, to the extent practi-cable, must be meshed into the processes supportingbudget preparation, decisions, and execution.

To do this will be a formidable task. But we have noreal choice. If managed separately, these various endeavorswill lose the synergy and economy of effort that wouldresult from their being fitted together. Failure to coordinateand integrate these laws and initiatives can undercut theireffectiveness, create confusion, and introduce frustrationand ultimately disinterest among all parties. Put starkly andsimply, there are not enough resources within the executivebranch to even try carrying out these activities in a non-integrated way.

Sorting through the complexity of these varyingperformance initiatives has been difficult, but we are makingprogress in defining a framework for this integration.

Expectations

As noted earlier, we expect agencies to provide usefuland informative strategic and annual performance planswithin the timeline specified by the Act. However, prepar-ing a good GPRA plan is not an easy task. Indeed, a planeasily prepared is likely to be a superficial plan. Therefore,no one should expect the first plans to be perfect. Weshould view these first plans as the beginning of a processof improvement and refinement that will evolve overseveral years. Measures will be modified, better and moreappropriate goals will be defined, and performance data willincrease in both volume and quality.

Even as performance measures become more refined,we should always bear in mind that using performancemeasures in the budgeting process will never be an exactscience, or even a science at all. Often, an under-perform-ing program will benefit from additional resources, notfewer. Comparing results across program lines will alwaysrequire political judgments about the relative priorities, forexample, of programs for highways and education. And weshould not lose sight of the fact that performance informa-tion will often be used to adjust the way programs aremanaged rather than to change the resources provided.Accurate, timely performance information is important inall these situations and this is why the Administration iscommitted to the successful implementation of GPRA.

As I have said on other occasions, if we are successful,over time, GPRA should disappear. Some may think such adeclaration flies in the face of the enthusiasm of thisAdministration for GPRA. However, if GPRA works as


12


envisioned, Government managers will absorb it into day-to-day agency administration and program management.For this to happen, we must guard against creating aseparate GPRA bureaucracy in each agency that providesthe documents and information required by the statute in aneffort that is divorced from this day-to-day management ofthe agency. That’s why I suggest that the true measure ofthe success of GPRA will be the extent to which theconcepts of management and good business practices set

out in this law become the accepted way that the Govern-ment works without reference to any particular statutoryframework or requirements.

ConclusionThis concludes my statement, Mr. Chairman. I’d be

pleased to take any questions you may have.❏

Statement of John A. Koskinen (continued)

13


GPRA: A Catalyst for Enhanced FederalManagement Processesby Thomas G. Kessler and Thomas G. McWeeney

For decades, the Federal Government has relied on theannual budget process as its principal means of resource

forecasting, allocation, and control. Although this long-revered process has been mildly criticized over the years, itcontinues to serve as the “cornerstone” of agency planningand management processes. The Government Performanceand Results Act of 1993 (GPRA), however, is intended tosubstantially change Federal management and accountabil-ity processes and practices by requiring agencies todevelop strategic plans, link them to budgets, and identify,measure, and report on results. Expectations for thisimportant legislative reform are high: it is anticipated thatGPRA will dramatically transform the managementoperations of most Federal agencies. Consequently, theannual budget process, as an integral component of agencyplanning and management processes, will undoubtedly besubjected to significant scrutiny and revision as GPRAimplementation proceeds.

In order to understand the rationale driving the reformmovement, we must analyze traditional Federal planning,budgeting, and performance reporting processes to under-stand their deficiencies and impetus for reforming them.The purpose of this article is to present an assessment ofthose processes, outline intended GPRA reforms, andclearly show how they will lead to improved Governmentoperations. Offices of Inspector General can benefit byexamining their constituent agency processes and their owninternal processes to determine how these reforms willimpact activities and operations and take steps to plan andincorporate necessary changes.

The Planning ProcessMost Federal agencies and programs engage in some

form of strategic planning. To do otherwise would subjectthem to potential ridicule and criticism for lacking long-range focus and direction. The plans describe external andinternal influences, outline mission requirements, list goals

Thomas G. Kessler, DBA, Associate Professor for CentralMichigan University’s College of Extended Learning

Thomas G. McWeeney, PhD, Executive Director of the Centerfor Strategic Management

and objectives, and identify actions and assignmentsnecessary to meet the goals and objectives.

Research and experience suggests, however, thatstrategic plans typically are not linked to tactical plans orbudgets and do not drive day-to-day organizational activi-ties. Strategic goals and objectives are significantlydifferent from tactical ones, and do not have the same levelof urgency or pressure. Tactical activities quickly overtakemanagers and staff and long-range strategies and tasks areput on hold until there is more time to focus on them. Alltoo often, that time is never available.

Performance MeasuresManagers and supervisors are paid to remove obstacles

to success, ensure that productivity is high, and “get the jobdone.” They coordinate resources, oversee activities, andproduce outputs. Their focus is on managing inputs (laborhours, contractors, travel funds, training, etc.), ensuring thatactivities are accomplished (projects, initiatives, investiga-tions, audits, processes, etc.), and producing outputs(briefings, reports, regulations, memoranda, arrests,indictments, loans, patents, etc.). Success is measured interms of meeting planned milestones, using resourcesoptimally, producing a high number of outputs, and produc-ing “high-impact” outputs.

Although these foci seem natural and rational, they lacksufficient emphasis on outcomes and impact. Recentemphasis has been placed on determining if Federal programoutputs are achieving their desired impact. For example,Federal efforts to address violations of drug and narcoticslaws have resulted in a steady increase in the number ofarrests and convictions. Yet the substance abuse problem hasnot been solved and, in fact, has worsened in recent years. Iscontinued Federal attention warranted? Outcome-basedperformance measures enable this problem to be examinedfrom many angles. Are the current strategies effective orshould they be adjusted? Are Federal programs focused onthe correct core issues? Could the problems be moreeffectively addressed at the state and local governmentlevel? This example demonstrates that output-basedperformance measures do not provide adequate informationfor such analysis.


14


Budget-Based ManagementAgencies rely on the annual budget process to forecast,

allocate, and control resources. Budget requests arecarefully scrutinized by budget analysts, challenged forvalidity and rigor, and sent forward for senior managementconsideration only after questions have been adequatelyaddressed. Agency decision-makers review individualprogram budgets and assess the aggregate budget package.Adjustments are made and the final package is sent to theOffice of Management and Budget and, eventually, to thecongressional appropriations subcommittee.

Managers use past experience, knowledge of programsubject matter, and expectation that workload will remainthe same or change, to formulate their budget request.Budget forecasting, however, given the long lead-timerequired for review and deliberation in the public sector, isdecision-making under conditions of uncertainty. Conse-quently, managers mitigate budget-related program risks byanticipating discretionary funding categories that can beused for unexpected contingencies. As unexpected de-mands are placed on program resources, budget “games”are used to ensure that program priorities are addressed.

Budget “games” involve shifting funds from object/sub-object classes that have excess funds to those that donot have adequate funding. For example, when staffresign and their positions are vacant the salary that is notexpended is accumulated. These lapsed salary funds cansubsequently be shifted to cover shortfalls in other areassuch as contractual funding, travel, or training. Thisshifting continues throughout the fiscal year. As the endof the fiscal year approaches, managers ensure that theiraccounts are entirely expended by acquiring items such asfurniture and equipment, computers and software, ortraining. Year-end spending is necessary to avoid theappearance of having requested too much funding andsuffering a future budget reduction.

So What’s Wrong With This Picture?In summary, an assessment of Federal management

processes suggests that strategic planning does not driveday-to-day activities, Federal performance measuresemphasize activities and outputs rather than outcomes andimpact, and the budget process is “gamed” to accommodateunexpected requirements and contingencies. This fairlybleak portrayal of public sector management contrasts withthe track record that career civil servants have compiled forgetting the job done; and that, after all, is the “bottom line.”Examples of Federal success stories are plentiful: men havewalked on the moon, tens of thousands have visited Federalparks, the United States military is seen as the best in theworld, and air traffic controllers ensure our safety travelevery day of the year. If agencies are successful in spite ofweak strategic planning processes, performance measuresthat emphasizes activity rather than results, and budgets thatare juggled to meet emergencies and contingencies, imaginewhat they might accomplish with relevant managementtools and processes!

Managing For ResultsThe National Performance Review concluded that

Federal Government operations could be significantlyenhanced by promoting entrepreneurial practices, innova-tive and creative solutions to problems, less red tape, andgreater responsiveness and efficiency. Several of theseprinciples were incorporated into GPRA which requiresagencies to use the strategic planning process to: (1) stategoals as benefits to the U.S. taxpayer, (2) describe strategiesto accomplish those goals, and (3) state the program cost foreach strategy. The GPRA also requires program perfor-mance measures that show how agencies will assessprogress in achieving the goals and development andimplementation of a formal performance reporting process.This shift in emphasis to cost-benefit analysis is expectedto create an atmosphere where managers and staff ap-proach their duties and responsibilities with increasedurgency regarding the need to ensure that taxpayersreceive excellent benefits for their tax dollar investmentin Federal Government.

In order to accomplish this fundamental change,agencies must make significant enhancements to theirtraditional management and oversight processes. Strategicplans must be linked to tactical activities through theannual budget process. Progress must be accuratelyassessed using outcome-based performance measures.Most important, an annual performance report must beused to alter strategies, make tough funding trade-offs, andeven “pull the plug” on programs that are not achievingdesired results. This is a significant cultural change andwill require senior management and congressional atten-tion and support in order to succeed.

But the changes will not be easy. The GPRA offers nosolution for the impact of politics on Federal programsincluding the political appointment process and congres-sional changes in priorities and emphasis. It also does notaddress the impact of unexpected crises and emergenciessuch as domestic terrorism or natural disasters on programactivities. The greatest threat to GPRA success, however, isthe very premise upon which it is based — that agenciesand managers should be subject to greater accountabilitythan ever before. Agencies recognize that the Congressmight use strategic plans and performance reports to makepremature program decreases or to even eliminate entireprograms. Managers recognize that they have much lesscontrol over outcomes than outputs. In the substance abuseexample cited above, managers can use various strategies toinfluence arrests, but they cannot change many of the socialand economic conditions that contribute to substance abuse.

Implications For Offices ofInspector General

The preceding discussion has significant implicationsfor the Inspector General community. What is the OIG rolein assessing GPRA compliance and when is an appropriatetime to schedule a review? In some cases, agencies will failto link strategic planning and budget processes or report

GPRA (continued)

15


performance accurately, and in other cases agencies willsimply ignore the GPRA requirements. Without OIG“encouragement,” GPRA may be inadequately implementedby many agencies.

The OIG must also consider implications for its owninternal operations and funding requests. OIG strategicplans, like their agency counterparts, must clearly describehow resources will be used to support agency benefits totaxpayers. This requirement will be especially difficult foraudit and investigative functions to implement. Will theOIG successfully establish performance measures based onoutcomes to supplement their legislatively mandatedrequirement to report outputs to the Congress? Will theCongress continue to fund large OIG budgets if return-on-investment cannot be demonstrated? Serious considerationmust be given to these questions lest OIG organizationssuffer reductions similar to those recently imposed on theU.S. General Accounting Office.

The following suggestions, if implemented, willcontribute to improved management and accountabilityprocesses and practices:

1. Develop Relevant Strategic Plans.

a. Conduct a rigorous assessment of every agencyprogram and determine how that program can bechanged to provide maximum benefit at least costto U.S. taxpayers.

b. Use the assessment to develop clear, measurablegoals and objectives for each major program.Ensure that the goals focus on specific futureaccomplishments for the programs, such as a30 percent reduction in illiteracy, a 12 percentincrease in small business survival rate, etc.Without clear goals, it is difficult to measureprogress and success and, as noted by Behn(1993), it is “difficult to accomplish much.”

c. Establish near-term, mid-term, and long-termstrategies to achieve program goals and objec-tives. This technique will more closely linkstrategies and tactics and make goal/objectivesuccess seem less formidable.

d. Define performance measures and targets that canbe used to assess progress in achieving the goalsand objectives. Complement traditional perfor-mance measures with output-based performancemeasures and targets.

2. Link Planning and Budgeting Processes.

Develop a financial strategy consistent with the near-term, mid-term, and long-term strategies describedin the strategic plan and use the financial strategy asthe basis for budget formulation and review. Price-Waterhouse observed that “the measurement systemneeds to directly impact the infrastructure of an

organization — budgeting, personnel appraisal, etc.— or risk being ignored by managers and employeesand inevitably ‘die’ of neglect.”

3. Develop and Review Performance Reports.

Require program managers to develop and presentquarterly and annual performance reports which useperformance measures and targets to describeprogram and financial progress in achieving goalsand objectives. Use performance reports to adjustprogram strategies and funding emphasis.

ConclusionOsborne and Gaebler (1992) suggested that the central

problem of Governments today is “not what they do, buthow they operate.” Fundamentally, Government does nothave to work towards a “bottom line.” Yet the GPRA isdesigned to move agencies in that direction. It expects cleargoals that demonstrate taxpayer return on investment.

If Government’s goals are to seek productivityincreases consistent with U.S. macro-economic goals(2-4 percent productivity increase per year), maintain lowtaxes and fees, and deliver excellent public services, itmust manage using three basic business principles: long-range planning, performance budgeting, and performanceauditing/program evaluations (Chan, 1994). Theserevised management processes, if successfully imple-mented, will contribute significantly to the public percep-tion that the Federal Government is effective, efficient, andwell-managed.

ReferencesBehn, Robert (1993). Bottom-line government. TheGovernors Center at Duke University, Durham, N.C.Internet: http://192.156.133.18/Alliance/clusters/op/bookrevw.6a.html

Chan, Amy (1994). Managing a government like a busi-ness: The Sunnyvale system. Government Finance Review,Chicago, Illinois: Government Finance Officers Associa-tion, April.

Osborne, D., and Gaebler T. (1992). Reinventing Govern-ment, Addison-Wesley Publishing Company, Inc.

Price-Waterhouse (1993). Performance measurement: Thekey to accelerating organizational improvement. ContactPrice-Watehouse at 202-822-8507.

Southern Growth Policies Board (1995). Public sectoraccountability literature review: measure-by-measure:benchmarking and performance measurement in the South.PO Box 12293, Research Triangle Park, NC, 27709,919-941-5145. ❏

16


17


Congressional Oversight:The Ten “Do’s” for Inspectors Generalby Lorraine Pratte Lewis1

Lorraine Pratte Lewis,General Counsel, U.S. Office ofPersonnel Management

1 General Counsel, Office of Personnel Management. FormerlyGeneral Counsel, Senate Committee on Governmental Affairs.The views expressed in this article are the author’s own, and do notrepresent those of the Office of Personnel Management, theCommittee on Governmental Affairs, or any other Federal agency.

I n the life of every InspectorGeneral (IG) there will come a

time when he or she is invited totestify before a congressionalcommittee or subcommittee as

part of an oversight hearing. Typically, the IG will presentfindings, conclusions and recommendations based on theOffice’s audit or investigative work. In many cases, thework will have been ongoing for years. The IG’s testimonywill likely precede the testimony of the agency’s designatedrepresentative and may be accompanied by testimonyfrom a representative of the General AccountingOffice (GAO).

In my experience working for a CommitteeChairman who frequently sought out IGs as wit-nesses for oversight hearings, there are a numberof steps an IG can take to make the congressionaltestimony experience a positive one.I call these the ten “Do’s.”

(1) Lay the Proper Ground-work. Preparation for over-sight testimony should takeplace long before an IG isactually called to testify ona particular matter. The IGshould appoint a Congres-sional Liaison Officer forthe Office of InspectorGeneral (OIG). This personwill be the office’s eyes and earson the Hill and will be readily available and known to Hillstaff. In large Inspector General offices, this should be amain job responsibility.

(2) Do Courtesy Calls in Advance. Equally importantto becoming acquainted with the Hill players, and becomingknown to them, the IG should pay courtesy calls on keyMembers and staffs of applicable authorizing, appropria-tions, and Governmental Affairs/Government ReformCommittees. This includes both the Senate and House,Majority and Minority, full committee and subcommittee.These visits should occur soon after the IG’s appointment.Of course, some IGs will be able to accomplish this duringthe Senate confirmation process.

(3) Know What the Hearing is About. At the time theIG is first contacted, his or her Congressional LiaisonOfficer should sit down with Committee staff to learn asmuch as possible about the nature and scope of the hearingbeing planned, before the testimony is written. Some

hearings are called because the Member is trulyinterested, others are staff driven. Talking to the staff

about specifics will clarify this. In addition, manyletters of invitation are vague or broadly worded.It is always a good idea to try and determinewhether the Members and staffs have specificexpectations regarding the IG’s testimony. Ifthose expectations are misguided, the IG needs

to know and correct that right away in orderto avoid later misunderstandings.

The IG should provide thecommittee staff with thosekey background docu-ments that are relevant tothe testimony.If it is clear that there are

significant disagreementswith management, it is useful

to provide a summary ofmanagement’s point of view as well.

(4) Treat Majority and Minority Alike. The IGshould always make sure the Majority and Minority havethe same information throughout the preparation for thehearing. Although “Majority rules” on the Hill, and thefocus of any oversight hearing is likely to reflect mainly theconcerns of the Majority Members and staffs, you shouldnever neglect providing the Minority with the same infor-mation. The Minority can be the source of helpful ques-tions at the hearing, and as recent history shows, theMinority can become the Majority.


18


(5) Like the Boy Scouts, Be Prepared. This is themost crucial step of all. The IG should ensure the mostcurrent and accurate information is available about theparticular matter which is the subject of the hearing. Forexample, management may have acted on some recommen-dations since an IG report was issued months ago. The IGmust be aware of this and acknowledge it in testimony. TheIG must also practice the testimony before members of hisstaff to get ready. Dress rehearsal, moot court, murderboard -- whatever you call it -- there is no substitute.Nothing kills good material quicker than bad preparation.

(6) Take It to the Top. Most of the preparatory workwill occur with the committee staff. However, if for anyreason the IG believes something must be discussed with orbrought to the attention of a Member before the hearing, theIG should not hesitate to call or schedule a meeting with theMember directly. If the IG is not able to talk to the Mem-ber, be sure to set forth the concerns in writing and deliverthis document to the Committee.

(7) Agency Heads Up. It is often a good idea for the IGto give the agency’s Office of Congressional Relations acourtesy “heads up” that the IG has been invited to testify,subject to the caveat that this should only be done if it doesnot compromise the IG’s preparation for the hearing. TheIG is not required to clear testimony with the agency. Acourtesy copy should be given to the agency’s Office ofCongressional Relations at the time the Committee receivesit. Both the “heads up” and the courtesy copy help to ensure

against the possibility that the IG’s and agency represen-tative’s testimony will be like two ships passing in the night.

(8) Write Long, Deliver Short. Write a long, detailedversion of the testimony for the record. Deliver a second,much shorter version. At the hearing, Members want to getto their questions. The IG can work the necessary details intoanswers during the question and answer periods. Be sure tooffer any and all relevant documents, like IG reports, for thehearing record. The presiding Member invariably admits itall. Bring extra copies of those documents to the hearing forpress, members of the audience, and staff and Members.

(9) Correct the Record. After the hearing, alwaysreview and edit the transcript for accuracy. Otherwise, youwill usually end up sounding less articulate than you meantto be. If it turns out that you were just plain mistakenduring an answer, offer a written correction and request thatit be inserted in the record at that point.

(10) Back at the Agency. Whether the hearing pro-duces consensus, or highlights continuing disagreementsbetween the IG and management, it is a good idea for theOIG to offer to meet with agency representatives immedi-ately following a public hearing. After the bright lights goout, it shows that the IG is ready to continue working on thebusiness at hand.

In the end, I can’t guarantee that even if you followthese ten IG “Do’s,” every oversight hearing will gosmoothly, but they should help you avoid some of the mostcommon pitfalls. ❏

Congressional Oversight (continued)

19


The Truth About Cats and Dogs:The Auditors and the Investigatorsby David C. Williams

See if you can pick out theaudit report title from the

investigative report title, keepingin mind that the inquiries lookedinto the same event.

“Budget Officer Nabbed In Massive Embezzlement.”

“Department Fiscal Controls Are Substantial, But MustBe Improved.”

Very good! Do you know how you did it? Why doprogram managers brood passively at the news of beingaudited, and yet throw up a coin theyswallowed when they were 2 yearsold, upon being advised that they areunder investigation?

To new Inspectors General(IGs), the mission of theauditors and the investiga-tors may appear decep-tively similar andinexplicably different.Both conduct inquiriesinto Government prob-lems and failures. Theirfield work can appear verysimilar — collecting docu-ments, conducting interviews, analyzing findings anddelivering their findings in summary reports. The manner inwhich these vital, but different resources are deployed will inmany ways define the character of the office an IG developsand the manner in which the IG relates to the Department.

Why are these fact-finders so different? Let’s do wordcontrasting associations next. See if you agree with theseword contrast associations with auditors and investigators.

• Congressional requesters like investigations;program managers prefer audits.

• Auditors report on the donut; investigators reporton the hole.

• Auditors are bomber pilots; investigators arefighter pilots.

David C. Williams,Inspector General,Social Security Administration

• Auditors deliver artillery barrages; investigatorsengage in hand-to-hand combat.

The beginning of the differences between auditorsand investigators might be in what they are expecting tofind in their inquiries. The professions seem to embracewidely divergent world views. In antiquity there weretwo views of sin. The Greeks, like auditors, viewed sinas evidence of incompleteness. The Romans, likeinvestigators, viewed sin as evil. The auditors are lookingfor processes to make whole. The investigators arelooking for evidence of intentional wrongdoing to assureproper handling by criminal courts.

Audits are broad comprehensive reviews that leavebehind neatly plowed plots of land. Investigations areoften narrow little trails that furrow through any number

of programs or processes. The riskfor auditors in their approach is thatthey sometimes find it irresistible toignore leads that run off theirdefined game boards. The risk forthe investigators is that in thenarrowness of their pursuit, they can

miss the context inwhich their evidenceis discovered. Con-

tract provisions are anotorious area in which

investigators believe theyhave clear evidence of theftonly to discover that the

money was taken in compli-ance with a provision of the contract that the investigatorfailed to study and understand.

Audits are inquiries concerning programs andprocesses. Investigations are examinations about peopleand events. Audits focus on system failures and regulatoryoversights that defeat controls. Investigations concernwillful acts that are directed at defeating controls.

Investigators just love surprises. It is sometimestheir only chance of gathering evidence of actions that arecloaked in falsehoods. To disclose the direction of theirquestioning is to compromise their effort to penetrate thecloak. Auditors hate surprise. For them it mostly meansdelay, because their interviewees have come unprepared


20


to cover an unannounced topic. They are looking for thefully prepared witness. Department officials being ques-tioned resent surprise and trickery too. When the interviewtechnique is used inappropriately, hard feelings result andmay last forever.

Auditors have a bias toward using documents asevidence. Investigators have a bias for witnesses. Auditors’final products are reports to which documents can be easilyappended. Investigators are preparing for trial with livewitnesses. Any documents gathered by investigators haveto be introduced and interpreted by a witness that must bedetermined and readied. Documents are an extra inconve-nience. Investigators are often skeptical of documents.They are very common instruments for constructing falsealibis and nonexistent authorities for actions otherwiseillegal. Auditors have a different view of documents.Auditors favor documents over witnesses. Documents areoften well thought out and logically structured. Documentsspeak for themselves. Witness statements are illogicalstreams of consciousness and wholly at the mercy of thewitness’ memory at that moment. Witnesses recant anddocuments are nearly indisputable stubborn little things.

Audits make recommendations that flow from conclu-sions. The recommendations are intended to make incom-plete sinners whole. Investigations avoid even reachingjudgments and do not make recommendations. That job isfor the courts and for jurors. Their task is to present cleanevidence upon which conclusions can be drawn by others.

Audit reports are exactly the sum of their parts, and as aresult, are rather easy to review for standard compliance andcan be easily indexed and referenced. Investigative reportsoften conclude that the matter under investigation is greaterthan the sum of its visible parts. These conclusions oftencannot be scientifically determined and are matters forjudges and juries to conclude, not with absolute certainty,but only beyond a reasonable doubt. Inspections ofinvestigations and the use of indexing and referencing whilesometimes helpful is ultimately limited for investigations.

Big Finish!Audit reports can be disappointing to customers

outraged by the activity under investigation. These custom-ers often include Congress, victims and public interestgroups. Alternatively, investigations can be frustrating for a

customer seeking the root cause of a failure or charged withusing the report to fix broken programs. Obviouslyprogram managers and the Department heads often findaudits more useful and less volatile.

The biases associated with audits ultimately result inrisks and blind spots. Investigative biases have exactly thesame result. There is a fairly sharp contrast between poorinvestigators and poor auditors. Excellent investigators andexcellent auditors are much more like one another. Theyhave overcome their biases and mastered skills that areunfamiliar and engaged the new skills to strengthen theireffectiveness. They have reduced the risks that come fromtunnel vision and borrowed the best skills from one another’sprofessions. Like any other diverse group, Offices ofInspector General can be very powerful resources if you cankeep the auditors and investigators focused on the dynamicsof interchange instead of confrontation and petty jealousy.

Decisions by IGs on how to staff sensitive work willultimately define the results the IGs achieve and define theirrelationships to their agencies. Responding to congres-sional requests and charges of agency scandal with auditswill generally please the Department and disappoint thecongressional requester. A criminal investigation of agencyscandal will predictably respond well to congressionalcustomers, while terrifying agency officials and limitingtheir choices as to how to fix the problem. For an entitywith dual reporting responsibilities, this choice is daunting.In searching for an objective beacon for making suchdecisions, IGs should probably focus on what solution isneeded to resolve the question. It is also helpful to remem-ber the limits of the two disciplines — audits do not catchbad guys, investigations do not fix broken systems.

I am pleased to have both auditors and investigators inour Offices of Inspector General. It would be very awkwardto have only one of the two disciplines in conducting ourmission. Although decisions for staffing sensitive workrequire thought, the answer usually becomes apparent uponreflection. Although I do not believe the disciplines shouldever be merged, I believe that auditors and investigatorshave much to learn from one another. Auditors shouldstrengthen their interview skills and be comfortable withconfrontation. Investigators should strengthen their abilityto analyze documents and study the missions for theprogram areas of their departments. The best of theprofessionals will do just that and make the Offices ofInspector General uniquely strong entities.❏

The Truth About Cats and Dogs (continued)

21


Professional Note:Constructing Compliance Agreementsby John C. Martin

T his article discusses two different approaches tocompliance programs; one is proactive and the other is

reactive. When business entities violate the law, theyusually attempt to settle at one time all the criminal, civiland administrative actions that could be brought againstthem. This is known as a global settlement and is thereactive approach. An important part of this global settle-ment is the compliance agreement which pledges thecompany to actions that seek to prevent violations fromhappening again.

The Environmental Protection Agency (EPA) has usedcompliance agreements for many years as part of its efforts toensure honesty and fair dealing in its contract process. Onesuch agreement with a major Government contractor whichwas part of a global settlement involved the following pro-visions which are typical of the issues EPA has emphasized:

Training – The contractor’s employees were to receivedetailed training in time charging practices which wereacceptable to the Government. To ensure consistency in thetraining, a videotape was prepared as the main teachingdevice. Every employee had to certify that he or sheattended the training and was fully aware of the timecharging policy.

Business Ethics Review Committee – In addition tostandard ethics oversight responsibility, this Committeewas obliged to issue semiannual announcements “reinforc-ing the firm’s Government contracts compliance programand reminding employees of the jeopardy for noncompli-ance for themselves and the firm.” The Committee alsoundertook responsibility for monitoring the company’shotline program.

Ethics Hotline – The company formalized a toll-freeworldwide hotline for its employees to make inquiriesregarding ethics matters and to report noncompliance. Theemployees could remain anonymous when they called orwere ensured confidentiality and safeguarded from retalia-tion. Posters announcing the hotline were to be prominentlydisplayed in all company locations.

President’s Memo – The company president wasobligated to send memoranda to each employee at leastannually emphasizing the company’s expectations of honestbusiness practices.

John C. Martin, former Inspector General,Environmental Protection Agency

Personnel – Certain company employees were reas-signed to non-government business activities pending thecompletion of the Government investigation. Employeeswho were subsequently suspended, debarred, indicted orconvicted of wrongdoing were to face appropriate disciplin-ary action by the company.

Audits – The company agreed to EPA reviews of itscompliance with this agreement and pledged access to itsfacilities, personnel and records. The company also agreedto reimburse the costs of such reviews up to a pre-deter-mined amount.

It is obvious from the detailed and sometimes rigidnature of agreements like this that the contractor has madeserious commitments to the Government and even sufferedsubstantial intrusion into its business operations. As ameans to taking control of their own destiny and gettingahead of the situation created by ethics violations, manycompanies are establishing proactive ethics programs beforeproblems develop.

These more aggressive programs were spurred on bythe actions taken by Congress beginning in 1984 to alterFederal sentencing practices in criminal matters. In thatyear Congress passed the Compliance Crime Control Actwhich included a plan to bring uniformity to sentencesimposed on convicted offenders and eliminate what wasseen as widespread disparity in sentencing, which bredcontempt for the law. To implement this change, Congresscreated the U.S. Sentencing Commission. The Commissionfirst issued sentencing guidelines for individual defendantsin 1987 and corporate defendants in 1991.

According to these guidelines, a base fine is eitherreduced or multiplied according to a fairly objective setof factors. When all is said and done, the fine can swingover an 80:1 ratio thus offering a very strong incentivefor defendants to accentuate those elements that reduce afine and to eliminate those elements that increase a fine.The initial fine range, before any multipliers or reducers areadded, is $5,000 to $72,500,00, and is the greater of the losssuffered by the victim, the gain received by the defendant ora penalty taken from the offense level fine table.

Once the base fine is established, it is increased ordecreased by calculating a defendant’s culpability score.


22


The fine will be increased (by maximum multiplier of400 percent) by considering the size of the organization,involvement of its top officials in the crime, prior violationsand any obstruction of justice. The fine will be decreased(by a minimum multiplier of .05 percent) by considering the“4C’s” - Comply, Contact, Cooperate, and be Contrite.Varying levels of fine reduction are applied for differentcombinations of these elements. The first element “Comply”,will be discussed after a brief review of the other elements.

Contact means that a corporation will self-reportwrongdoing after conducting a thorough review of thematter at issue. Cooperative corporations work with thelaw enforcement organization investigating the matter anda Contrite entity accepts responsibility for the wrongdoingand expresses remorse for it.

Of the 4C’s, Comply is the one that allows corpora-tions to be proactive by setting up an effective complianceprogram in advance of any indication of wrongdoing inorder to prevent violations from occurring. It is thiselement that has had a dramatic effect on raising theawareness of corporate ethics issues throughout the businesscommunity that deals with the Federal Government. That isbecause an effective program starts at the top of an organi-zation with the CEO and Board of Directors and touches allof its employees.

The sentencing guidelines outline seven elementswhich a compliance program must have. The first is a setof compliance standards that employees must follow andprocedures that help the company live up to those standards.These standards and procedures need to be tailored to theparticular company and industry so that all potential riskareas can be covered. The second involves oversightresponsibilities. Specific high-level individuals within theorganization must be assigned overall responsibility tooversee compliance with the standards and procedures.

Third, the organization must use due care not todelegate “substantial discretionary authority” to anyonewith a “propensity to engage in illegal activity.” This

requires that prospective employees and independentcontractors must be carefully screened.

Fourth, the company must have taken steps to effec-tively communicate its standards and procedure to all itsemployees and “agents” such as by requiring participationin training programs or by distributing publications thatexplain in a practical way what is required of them.

Fifth, the organization must use monitoring andauditing systems which are designed to ferret out criminalconduct by its employees and independent contractors. Asystem should be provided to make it easy for these personsto report misconduct without fear of retribution.

Sixth, the organization’s standards must be consistentlyenforced through appropriate disciplinary action againstthose who commit or fail to detect an offense.

Seventh, after an offense has been detected, the organiza-tion must respond appropriately and take any additionalmeasures necessary to prevent future similar violations.

While these seven elements are required in anyeffective compliance program, there is a great advantage tocompanies to set up their programs in advance and use theirown good judgment about a program’s details. The alterna-tive is to be placed in the situation of negotiating with theFederal Government over the same plan after a problemsurfaces and perhaps being forced to accept detailedprocedures that go well beyond what would have otherwisebeen required. There is also the very great advantage ofkeeping the company’s reputation intact, without thedamage suffered from criminal conviction. As one executive said, “ the cost of being indicted andthe related fallout is beyond measure...”

Compliance programs of the type just described canclearly be a powerful tool to promote high ethical stan-dards. If they are developed proactively they have theadded advantage of preventing problems before theydevelop and help ensure honesty and fair dealing inFederal contract programs. ❏

Professional Note (continued)

23


The Urge to Merge - OIG Semiannual Report/Agency Accountability Reportby Pamela J. Gardiner and Steven L. Schaeffer

Pamela J. Gardiner,Assistant Inspector General for Audit,Office of the Inspector General,Social Security Administration

The Social Security Administration (SSA) and its Officeof the Inspector General (OIG) did something that no

other Federal agency has ever done before -- it issued ajoint, streamlined, accountability report covering FiscalYear 1996. The Social Security Accountability Report ForFiscal Year 1996 was published on November 22, 1996,less than 7 weeks following the close of the fiscal year, and5 days ahead of the Agency’s own scheduled completiondate. In addition to the Agency’s financial statements andperformance measures for Fiscal Year 1996, it also includedthe Inspector General’s report on SSA’s financial state-ments, plus the equivalent of two Semiannual Reports.

In these times of downsizing and reduced budgets, theCongress and Government managers now, more than ever,are seeking timely information on Agency performance thatis useful for decision making. For SSA in particular, severalcongressional committees need information for fundingdecisions about Agency programs. The public is alsoseeking a candid appraisal of the manner in which their taxesare spent. Integrating OIG and Agency results provides abalanced, comprehensive presentation of this information.Also, by producing a single report, SSA’s and the OIG’smessages are not lost among the multitude of reports deliv-ered daily to both Congress and management officials.

This joint effort between SSA and the OIG waspossible for a number of reasons. First, SSA is one of eightpilot agencies authorized by the Office of Management and

Budget (OMB) to streamline and consolidate the statutoryreporting requirements of the Chief Financial Officers Act,Government Performance and Results Act, Prompt PaymentAct, Debt Collection Act, and the Federal Managers’Financial Integrity Act into a single accountability report.The Government Management and Reform Act of 1994(GMRA) encouraged experimentation in reporting such asSSA’s accountability report. Second, OMB with supportfrom the Congress approved the OIG’s proposal to expandthe scope of the Semiannual Report to include an overviewof OIG results for the entire fiscal year. Third, theinitiative succeeded because it was well-planned, theindividuals assigned were dedicated and experienced, andthe Agency and the OIG cooperated with each other andsupported the initiative.

Obtaining ApprovalSSA was the first of six pilot agencies to issue an

accountability report for FY 1995 and the first of eight toissue its FY 1996 report. Over the past 6 years, SSAaccelerated the issue date of its annual accountabilityreport to the President and Congress from March 31, 1992(SSA’s first Annual Financial Statement for FY 1991) toNovember 22, 1996 (SSA’s Accountability Report forFY 1996) — more than 4 months earlier. One of the mainreasons for accelerating the report was to assist the Congressas it appropriates funds to finance the Agency’s programs.

SSA’s Inspector General (IG), David Williams, and theChief Financial Officer (CFO) expressed interest in mergingthe Office of the Inspector General’s Semiannual Report tothe Congress with SSA’s Accountability Report. To go fromidea to action, the OIG staff first solicited OMB’s topofficials’ interest and support for a merged report. Manyissues had to be resolved such as ensuring the independenceof the OIG’s reporting. After receiving positive feedbackfrom OMB’s Chief, Management Integrity Branch, WendyZenker, staff from the CFO and OIG developed an imple-mentation plan to produce a merged report and meet theNovember 27, 1996, publication deadline. With the imple-mentation plan in place, SSA’s Acting CFO, Dale Sopper,and IG, David Williams, wrote John Koskinen, OMB’sDeputy Director for Management, in March 1996 andofficially received OMB’s support to pilot a merged report.


Steven L. Schaeffer,Director of the Office ofFinancial Policy and System Design,Social Security Administration

24


The Urge to Merge (continued)

SSA’s Timeline for Fiscal Year 1996 Accountability Report

Activity Component Target Dates

1. Develop and obtain approval for FY 1996 CFO March 8, 1996Accountability Report timeline.

2. Request all data needed to complete CFO June 3, 1996FY 1996 Accountability Report.

3. Formally transmit financial statements and CFO October 25, 1996footnotes to OIG for audit.

4. Provide draft Report on Internal Controls OIG November 1, 1996and Compliance with Laws and Regulationsand Annual Inspector General Report(known as Semiannual Report) to SSAfor comments.

5. Distribute draft FY 1996 Accountability Report CFO November 12, 1996for review and comments to appropriate SSAexecutives and OIG.

6. Receive and incorporate senior staff CFO November 15, 1996comments into Accountability Report.

7. Provide OIG with management representation CFO/OIG November 27, 1996letter and legal liability letters; provide CFOwith Report on SSA’s Financial Statements(Opinion on Financial Statements) andAnnual Inspector General Report.

8. Release Accountability Report to President, CFO December 2, 1996President of the Senate, Speaker of the House,OMB and congressional Appropriations Committees.

9. Distribute Accountability Report to other CFO December 6, 1996congressional committees.

The next step was to secure congressional support forthe joint venture. Responsibility for contacting the variouscongressional staffs was shared by OMB and SSA’s OIG,Office of Budget, and Office of Congressional and Legisla-tive Affairs. Staff from these offices met with specificcommittees to discuss how the proposal would benefit them.All of the Committees were receptive and supportive.

Coordination, Cooperation,and Timeliness

Instead of seeing the timely preparation of SSA’sAccountability Report as an insurmountable task with manycomplex variables, we regarded it as a systematic series ofdistinct and achievable tasks. Cooperation, coordination,and adhering to timeliness provided the keys to success.

Planning was critical to expediting publication of theAccountability Report. This was accomplished by buildingon the prior year’s experiences and developing and adheringstrictly to a viable timeline with key milestones and target

dates for both the CFO and OIG staff. Some of the keymilestones are shown in the table.

Another key factor was the mutual support of theinitiative by SSA’s CFO and OIG staff. Annually, SSAmeets with Office of the Inspector General staff to critiquethe year that just ended and to help each other overcomeimpediments to doing the job better the following year.Concurrence by the OIG with SSA’s accelerated timelinewas paramount to expediting the publication date of theAccountability Report.

Requests for financial and program data were sent toSSA components in early summer to allow time to incorpo-rate the requests into their work plans. Messages to beincluded in the Accountability Report from the Commis-sioner, CFO, and Deputy CFO as well as draft transmittalletters and distribution lists of congressional committees,SSA senior staff, and other Agencies who receive the reportwere approved by SSA executives in advance.

Drawing on our auditors’ vast experience with perform-ing audits of SSA’s financial statements also increased ourchances for success. They were able to plan the audit

25


Agency Pub. Date Contact Phone Internet

Social Security 12/95 Steven L. Schaeffer 410/965-3927 http://www.ssa.gov/finance/finance_intro.htmlAdmin.

General Services 12/95 Claudia Bogard 202/501-0332 http://www.finance.gsa.gov/cfopage/Admin. 95finstm/index.htm

National Aeronautics 3/96 Lew Lauria 202/358-2495 http://hq.nasa.gov/office/codeb/welcome.htmland Space Admin.

Nuclear Regulatory 4/96 Sharon Connelly 301/415-5646 http://www.nrc.gov/NRC/news.htmlCommission

Dept. of Veterans 4/96 Jack Gartner 202/273-5528 http://www.va.gov/corpdata/Affairs publications/ar/index.htm

Dept. of the Treasury 9/96 Jack Blair 202/622-1450 http://www.cais.com/treasury-p+g/annrep.htm

Fiscal Year 1995 Accountability Reports

Six agencies participated in the Chief Financial Officers Council’s Accountability Report pilot project in Fiscal Year (FY) 1995.Copies of the reports can be obtained by contacting the individuals listed below. Reports are also posted on the Internet.

within the Agency’s ambitious timeline. Each team memberwas assigned audit steps with specific due dates ensuringcomplete audit coverage. The audit team understood thatthe dates were fixed and had to be met regardless of theextra hours of work involved.

In addition, we used lessons learned from past experi-ence performing these annual audits. For example, the auditteam members issued memorandums requesting informationto SSA managers without going through the normal formalcorrespondence writing and review process. Also, SSAofficials understood the importance of our deadlines and werevery cooperative in providing needed information promptly.For example, SSA provided its response to the draft auditreport on Internal Controls and Compliance with Laws andRegulations in just 7 days. Finally, we analyzed our auditwork from prior years to determine how we could furtherimprove our annual audit. Our analysis identified duplicationof effort between our benefits’ cycle and our cash cycle, andinefficiencies in our financial reporting cycle, which we wereable to avoid in the most recent audit.

As we were approaching completion in October, wefound it necessary to further “divide and conquer.” TheOIG’s plan was to have one OIG product that incorporated amessage from the Inspector General, the results of the OIGaudit of SSA’s financial statements, and an annual report tothe Congress. We had hoped the annual report to theCongress would be very short, preferably 20 pages, and

rather than including all of the required tables, we wouldmake them available upon request. We learned in Octoberthat the requirements of the Inspector General Act of1978, as amended, were still in place and we could notdiscontinue publishing the required tables. The narrativesections of the annual report could provide information onaccomplishments for the entire year, but we had to includetables showing 6-month accomplishments.

Within the Office of the Inspector General it was veryimportant to have two teams working on the Accountabil-ity Report. While one group compiled the OIGs Accom-plishments for the annual report, the audit team wasworking to complete the audit of the financial statements.

The draft Accountability Report was crafted anddistributed to appropriate SSA executives and the IGfor comment. Once finalized, SSA’s financial manage-ment staff coordinated approvals from the Office of theGeneral Counsel and the Office of Hearings andAppeals for legal liability letters to the IG. The laststep was to obtain the Commissioner’s signature onfinal transmittal letters and management’s representa-tion letter to the IG. On November 22, 1996, 5 daysahead of schedule, it was ready for release to thePresident, President of the Senate, Speaker of theHouse, OMB, and Appropriations Committees.


The CFO Council conducted an evaluation of the FY 1995 Accountability Reports. The document, which was issued inNovember 1996, can be found on the Internet at the following address:

http://www.financenet.gov/financenet/fed/cfo/streamln/streamln.htm

26


ConclusionWe hope to further improve the process through the

Office of Management and Budget’s permanent approval toissue just one annual report to Congress rather than twosemiannual reports. We would also prefer not to include thetables required by the Inspector General Act in the report,but rather have them available upon request.

The Urge to Merge (continued)

We believe that issuing a consolidated AccountabilityReport with both the Agency’s and OIG’s accomplishmentsand perspectives is a simpler and more expeditious way toprovide a comprehensive assessment of SSA programs andoperations. Old news is of no value to management or toCongress as it appropriates funds to finance the Agency’sprograms. Timely and full disclosure of performance givesnot only credibility but also the ability to discuss theimplications of alternative funding levels.❏

27


The Art of the Referral:Presenting Cases to United States Attorneysby Kelly A. Sisario, Bruce Sackman, and Jerry A. Lawson

Kelly A. Sisario, Inspector General,National Archives and RecordsAdministration

Two nearly identical audits orinvestigations may result in

opposite decisions by the AssistantUnited States Attorney (AUSA).

In many cases, the difference is that one auditor or investi-gator understood how to present a case to the AUSA, andthe other did not. This article emphasizes techniques to usewhen you believe you have a strong case that deserves to beprosecuted by indictment or civil recovery action. Let’s setthe stage for successful referrals by taking a few minutes toconsider things from an AUSA’s perspective.

The AUSA’s PerspectiveThere are 96 Federal judicial districts in the United

States. Each district has a U.S. District Court, and a UnitedStates Attorney. Each U.S. Attorney employs AUSAs whohandle most of the day-to-day work. For our purposes, themost important thing these AUSAs have in common is thatthey are busy. They see more meritorious cases than theycan possibly prosecute.

Bruce Sackman,Special Agent in Charge,Northeast Field Office,Office of Inspector GeneralDepartment of Veterans Affairs

Jerry A. Lawson, Counsel tothe Inspector General,National Archives and RecordsAdministration

AUSAs decide whether a judicial action should proceedbased not just on their assessment, but on policies of theDepartment of Justice and their local U.S. Attorney.Although few AUSAs are political appointees, they can beexposed to politically-motivated criticism.

The quality of case presentation to AUSAs is uneven.Many Office of Inspector General (OIG) employees areill-prepared for presenting cases. Some do not fullyunderstand how the government programs they investigateactually work. Written reports are frequently poor. Somereports include no information as to how the AUSA cancontact other individuals in the case such as expert wit-nesses or auditors. A few agents even fail to include anyinformation on how the AUSA could contact them forfollow-up questions.

Practical ConsequencesThe high volume of cases means that AUSAs can be, in

fact, must be, highly selective. Understanding that this is a“buyer’s market,” a wise auditor or investigator who wantsthe AUSA to proceed with his or her case will make it asattractive as possible. Your cases compete for the attentionof the AUSA against many other matters. If you arepresenting a case where judicial action is desirable, it isyour responsibility to show the AUSA why your case willbe a good place to invest time and energy.

Try to learn professional preferences of the AUSAs youare going to work with. For example, some prefer to seeonly a case file, and don’t want to meet with investigators orauditors in every case. They figure they can read a well-written summary faster than you could explain it, and theycan call you if they have any questions.

Other AUSAs are offended by merely receiving a filein the mail, and scornfully refer to this as the “Crime in aBox” approach to presenting a case. They feel that if thecase is important enough to be prosecuted, it’s importantenough that someone should bring it in and explain it.Especially if you will be having repeated dealings with aparticular AUSA, find out what he or she prefers, andhandle the case his or her way.

Your presentation to the AUSA is in one sense a trialrun or audition of the case:


28


• If your case seems poorly organized to the AUSA,then imagine how it will strike a judge who hears it.

• If your case seems confusing to the AUSA, thenimagine how hard it will be for a jury to makesense of it.

Finally, when presenting a case, remember that theAUSA is evaluating not just your paperwork and theobjective strength of your case, they are evaluating you.What kind of impression would you make on a judge or juryif you have to be called as a witness?

Initial ContactThe preferred timing for the initial contact will vary

from case to case, from district to district and from AUSAto AUSA. In general, if there’s any doubt, it’s better tocontact the AUSA earlier rather than later. Get an informaltake on a case, especially before investing a great deal oftime on it. Finding out early what the AUSA views aspotential stumbling blocks may help you focus yourenergies where they will do the most good.

You must decide whether to contact the Department ofJustice (most often the Public Integrity section) or one of theU.S. Attorney offices. If you are contacting the latter, findout if there is a designated AUSA for case intake, or even oneassigned to handle cases from your particular agency.

The initial contact can usually be by telephone.Identify yourself and your agency, briefly summarize thecase and explain why it is important. When the case is farenough along, request a meeting in person to talk about thereferral if you think the case merits it.

Report WritingWrite your reports so that anyone can understand them

quickly and easily:

• Include a brief overview of the case to orientsomeone reviewing the file. Consider the use ofproof charts, as explained below.

• Avoid unexplained acronyms. Everyone in youragency may know what VARO, DCSAR andNAVSEA are, but don’t assume the AUSA does.

• Include the full name and identity of all agents,witnesses, auditors, experts, etc., and contactinformation.

• Include a full criminal history of the targets, andcivil record checks, if relevant, such as Dun &Bradstreet reports. It’s self defeating to find outafter you have presented a case and possiblyreceived a declination that a target had a significantcriminal record that would have been relevant.

List any relevant statutes that you are aware of. MostAUSAs normally have about 15 to 20 statutes that they dealwith frequently and feel comfortable with. The closer yourcase is to one of these laws the happier the prosecutor islikely to be. If you have a choice of statutes, try to stay

with the common ones like mail fraud that are most likely tobe familiar to the AUSA (not to mention the judge and jury,if the case goes that far). However, you should also includeany special criminal statutes relevant to your Agency thatare usually not known to most AUSAs, such as Departmentof Veterans Affairs (VA) pension fraud, 38 U.S.C. 3501.Coordinate with your IG counsel.

While it is not required that you do so, considerattaching a copy of a complaint, indictment or arrestwarrant that was used successfully in a similar investiga-tion. Even better, provide the same material on computerdiskette for easy editing by the AUSA.

In a complex case, instead of including just thestandard diary-like chronological recitation of what theauditor or investigator on the case did, consider includinga reconstructed chronology of the alleged wrongdoing.This will be more useful in helping the AUSA make senseof the matter.

At least one AUSA prefers files that have pictures ofthe key people, places and things involved in the case.“This is suspect Jones.” “This is the warehouse where thestolen merchandise was stored.” “This is the seized contra-band.” He believes that well selected photos make theissues seem less abstract, and help persuade him so he willbe able to convince a jury or judge.

Proof Charts: A CaseOrganizing Tool

For an important case, using “proof charts” is anoption. A proof chart looks like a very simple spreadsheet.Attorneys are frequently taught to construct these in lawschool, so there is a good chance yours will look familiar tothe AUSA. You could make up a proof chart for each crimein the file that you think should be prosecuted, or for eachcivil claim that you think should be brought.

In complex cases, doing “proof charts” can be a valuabletool for use inside an Inspector General’s office. They canhelp keep auditors and investigators focused on the criticalissues, instead of avoid wasting time on irrelevancies.

Speaking with the AUSARemember that you are “auditioning” for the role of

witness in a Federal court proceeding. Dress and behaveprofessionally.

Peter Vigeland, a former Deputy Chief of the CriminalDivision of the U.S. Attorney’s Office for the SouthernDistrict of New York, used to advise agents presenting casesto be “Certain in their Certainty and Certain in theirUncertainty.” He felt strongly that agents should never statesomething as a fact unless they knew it to be correct. Theyshould never guess at an answer. Once an AUSA deter-mines that an agent’s information is unreliable, they will notbe eager to continue working with that agent.

Tom Dworschak, formerly a Special AUSA for theEastern District of Virginia, suggests that it’s a good idea to

The Art of the Referral (continued)

29



A Sample Proof Chart

Bribery: 18 U.S.C. 201 (b): Whoever ... directly or indirectly, corruptly gives, offers or promises anything of value to anypublic official ... to influence any official act [shall be guilty of bribery].

Summary of this case: On June 21, 1999, John Smith offered to pay Tom Jones, a clerk at the Office of Personnel Man-agement, $5,000 for a copy of the personnel file of George Thomas, who was a candidate for political office.

Element Facts Evidence Evidence Location

directly or indirectly, At the Tiffany Tavern Statement of Jones Tab Acorruptly gives, offers on June 21, Suspector promises anything (John Smith)of value conditionally promised

to pay Jones $5000

to any public official Jones is a clerk at Statements of Jones Tabs A and EOPM and his supervisor,

Bill Johnson

to influence any Smith told Jones he Statement of Jones Tab Aofficial act would be paid only on

receipt of Thomas’spersonnel file

approach cases “backwards.” In other words, figure outearly on what is the realistic expected sentence if you get aconviction. He believes everyone presenting cases toAUSAs needs to have a working knowledge of the sentenc-ing guidelines, as it usually makes little sense to ask theAUSA to spend months on a case where little punishment islikely even if you are successful.

Agreeing to proceed with a case resulting from youraudit or investigation can mean a time commitment ofweeks, months or even years from the AUSA. No prosecu-tor wants to work with someone who is poorly organized orhard to deal with. Use this opportunity to show the AUSAthat you are on top of things and they will be that muchmore willing to proceed on your cases.

It’s also a good idea to let the prosecutor know that thecase is important to you and your Agency and that even if itdrags on for months or years, you will continue to providethe support that will be necessary to bring the case to asuccessful conclusion.

Why, Why, Why?Regardless of whether you are putting a case file

together or meeting the AUSA in person, if you don’t thinka case should proceed, tell the AUSA up front, and tell themwhy. For example, “Jones is our main witness, and he’s notcredible. We’ll probably lose this case if it goes to trial.”

On the other hand, if you are working on a case youthink deserves prosecution, you should do whatever you can

to highlight the reasons why. Make it very easy forthe AUSA to see why your case should be prosecuted.For example:

• Will prosecution produce a good deterrent effect?

• Was a significant amount of money involved?

• Was this offense particularly egregious?

• Did the offense create unusual obstacles to theeffective operation of your agency?

• Is there a history of corruption at the particularGovernment facility or in the program involved?

• Are there few or no disputed evidentiary issuesthat could prevent a conviction if the case goes totrial?

Frauds that affect more than one agency areattractive to prosecutors. Particularly in a benefit fraudcase, check with your counterparts in other agencies tosee if the target has defrauded others as well. SomeAUSAs will be more likely to prosecute someone whohas defrauded several Government agencies, even if thetotal dollar amount is small. Another red flag is theexistence of a good confession from the target. This isusually the strongest possible sort of proof, and makes acase that much more attractive from the prosecutor’spoint of view.

30


A 1989 President’s Council on Integrity andEfficiency (PCIE) study found that the cited reason in9 percent of declinations was “lack of criminal intent.”Many perpetrators of sophisticated white collar fraud areclever, articulate and have no prior criminal convictions.After hearing the evidence against them, they can fre-quently come up with a cover story that convinces a juryit was all an innocent mistake. For this reason, you shouldbe alert for what one former AUSA referred to as the“big fat dirty filthy stinking rotten lie.” He uses this jokingexpression to make a serious point. It is a major help to aprosecutor in white collar cases if the file has proof ofsome untrue statement made by a suspect that proves hisconduct was not merely an honest business error. Such astatement makes a case more attractive not just becauseit shows the suspect deserves criminal punishment, butbecause it makes it easier to convince a jury of guilt,especially if the untruth was memorialized in writing.The prosecutor can tell the jury, “The defendant lied toyou, just like he lied previously.”

If you have reason to believe that politicians or high-ranking officials of your agency would be interested in acase, let the AUSA know so that factor can be weighed.While presenting an important case on behalf of a largeState agency, one of the authors even arranged for theAgency head to attend a meeting with the prosecutor.It’s hard to imagine a more effective way of showing theprosecutor, “This case is significant.”

Often auditors or investigators are acutely aware offactors like these or others that should influence theprosecution decision, but we fail to highlight them. Some-times we never tell the AUSA about them at all. You couldtalk about factors like this in a cover letter, in a phone call,or in a face-to-face conference with the AUSA. Just makesure that whatever method you choose, the AUSA doesknow about them.

A good auditor or investigator should not automaticallyrefuse to present a case to the U.S. Attorney because it fallsoutside prosecutorial policies. These policies are usuallyjust guidelines. If there is a compelling reason, don’t beafraid to ask for an exception to the policy.

One of the authors investigated a case involvingthe theft of about $8,000 in Government funds from a VAMedical Center. The Federal Bureau of Investigation (FBI)was not interested in the case because the local U.S.Attorney’s office had a threshold of $10,000. When theauthor presented the case to the AUSA, he explained thatthe particular facility had a history of numerous frauds andthefts, that employees there felt they could commit crimeswith impunity and that arresting the targets could helpdevelop information on other unsolved crimes at the facility.Much to the surprise of the local FBI office, the AUSAaccepted the case.

Sometimes you can make several cases that individu-ally would be poor candidates for action more attractive bypresenting them to the AUSA as a package. One fraud caseof $5,000 may not be enough, but three or more such casesgrouped together often will.

Is There Life After Declination?Suppose that the AUSA declines to proceed on a case

you have presented. Is that the end of the matter? In manycases administrative sanctions, or even no action at all aremore in society’s interest than a criminal prosecution.However, if you have a good reason to believe that ajudicial action is appropriate, you can try again.

Don’t re-present a case without substantial justification.This is not something to do on a whim, or out of pique.However, if you have a strong reason, don’t be afraid to tryit. The AUSA does not want to see a miscarriage of justiceany more than you do.

Even if you have mounds of justification, you shouldbe careful about how you re-present a case. Don’t antago-nize the AUSA, by, for example, trying to find some otherAUSA and re-presenting the case as if it had never beenrejected previously. Occasionally it might be appropriate totry going over the head of the AUSA by talking to thesupervisor, but you should not do this without consideringthe possible adverse consequences.

Your best opportunity will usually be re-presenting thecase to the first AUSA. Diplomacy is in order. Try to findsome relevant facts that were omitted or underemphasizedduring the initial presentation. When you re-present thecase, preface it with an explanation of the missing informa-tion, and why giving it proper consideration should result ina different decision. This way, you give the AUSA a way ofreversing the previous decision without losing face.

Whose Job Is It, Anyway?A few auditors and investigators will probably react

negatively to some of the suggestions in this article, such asthe notion that they should prepare proof charts, or offer theAUSA copies of successful old complaints, and so on:

“But this would be a lot of work. Why should I do theAUSA’s job?”

Partly, it’s a question of efficiency. It may only take anauditor or investigator who has lived with a case for weeksor months a short time to prepare a case summary. Theauditor’s or investigator’s investment may save days oreven weeks of time to an AUSA who would otherwise bestarting at ground zero.

Partly, it’s a question of seeking justice. Is the caseimportant to you? Do you want to see it prosecuted? If so,then you should be happy to do whatever it takes to help italong. The conclusion of an audit or an investigation is notthe end of the auditor’s or investigator’s role in helping seethat justice is done in a particular matter.

Investing the time and effort that is needed to win acourt case by preparing charts, tables, and anything else thatwill make your case easier for the AUSA to understand andprepare for prosecution can reap better rewards in the longterm. Ideally, your commitment to justice will come to theattention of other AUSAs, who will then be more inclined toaccept your other cases.

The Art of the Referral (continued)

31


ConclusionMisunderstandings and communications failures can

cause less-than-optimal relationships between prosecutorsand Inspector General personnel.

Auditors and investigators are sometimes dissatisfiedwith the time it takes AUSAs to reach decisions. Theyseldom realize that in many cases, their own poor presenta-tion of a case contributes to the delay.

Declinations are another source of friction. Some caseswith strong substantive merit are declined because very realreasons to proceed were obscured by an auditor’s orinvestigator’s poor organization. It is not enough to mailthe AUSA a file with hundreds or thousands of confusingdocuments and expect him or her to sort it out.

OIG personnel sometimes perceive AUSAs as arrogantbecause they refuse to take cases that are significant fromthe OIG perspective. In many cases, the perceived arrogantattitude is caused by inadequate explanation of why a caseis significant. The auditor or investigator handling the caseshould make it easy for the AUSA to understand why a caseis important.

OIG personnel can and should help AUSAs identifythose cases which are most deserving of prosecution byindictment or civil action. By improving the way in whichyou present cases to the U.S. Attorney’s office, you mayimprove not just the speed with which decisions are made,but your satisfaction with the substance of those decisions.❏

32


33


The Near Horizon: Evaluation ofEmerging Issuesby William C. Moran

IntroductionThe Air Force uses AWACS totrack airspace for hostile move-

ment; the Navy relies on sonar to warn its ships aboutforeign vessels; and the Army utilizes reconnaissance forcesto probe enemy lines. At the Department of Health andHuman Services, the Office of Inspector General (OIG) hasits own early warning device. This device, called“emerging issue reviews,” helps to alert us tosituations that could potentially become bigproblems down the road.

The purpose of this article isto tell you what emerging issuereviews are by explaining twosuch studies. These twoexamples will tell you how weidentified the topic, how weconducted the review, andwhat the outcome was.Basically, these reviewsare forward-looking,anticipating problems beforethey occur. They look forcauses behind symptoms and for incentives that encourageunwanted behavior. The scope is the broader system, notthe individual provider.

Public Cholesterol ScreeningIn the mid-to-late 1980s, there was a flurry of activity

around cholesterol testing. Not only was the AmericanMedical Association encouraging people to be tested bytheir personal physicians, but the U.S. Public HealthService was advising the public to “know your cholesterolnumber” by being tested.

This led to some creative marketing practices on thepart of hospitals, drug stores, health clubs, shopping mallsand independent entrepreneurs. Ads began to appear that

William C. Moran,Regional Inspector General,Office of Evaluations andInspections, Department ofHealth and Human Services

invited people to show up for “public health fairs” athospitals and “testing days” at drug stores, health clubs andin shopping malls where, for free or a low price, you couldlearn what your cholesterol number was.

Having completed an OIG study on physician officelaboratories in early 1989, we asked ourselves somequestions about cholesterol screening in more publicsettings. Who was performing the tests? What kind ofequipment was used? What quality control measures werein place? What educational information was there to informthe person of the significance of the cholesterol number?Were referrals being made?

In order to get a better handle on this emerging issue,we decided, in the spring of 1989, to ask OIG staff in 10

major cities to seek out five to ten public screening siteswhere they would be tested. Staff would carry with

them, to the test, a list of 13 specific qualitycontrol items to check on. They would not

identify themselves as OIGpersonnel at the site, but wouldsimply go through the processand observe the 13 itemswhich they would recordshortly after completing the

procedure.

The results from thetests were informative. Inroughly half of the cases,the persons performing the

tests either did not wear glovesor did not change gloves with each new screenee. This wasat a time when the HIV/AIDS epidemic was growing rapidly.Other rules of infection control, sample collection techniques,and counseling were not being observed.

In addition to the on-site testing, we telephoned everyState to determine if they had any State regulation of thistype of testing. We found that only 16 States regulatedpublic cholesterol screening, with the type and extent ofregulation varying widely. Federal regulation of this type ofscreening did not exist at the time of our review; however,there was a 1988 law that was to go into effect in 1990 thatcould possibly cover this type of screening, but manyknowledgeable observers felt that it probably would beexempt from the law.


34


Armed with these findings, we provided our results tothe U.S. Public Health Service in the fall of 1989. We toldthem that in our probe sample across the country we foundnumerous shortcomings that compromised the safety andeffectiveness of public screenings. We pointed out thatscreening staff may be placing themselves, as well asscreenees, at risk due to marginal observation of the basicrules of hygiene and infection control procedures.

We recommended that the Department of Health andHuman Services should discourage public cholesterolscreenings that are unregulated and lack strong education,counseling, and referral components. We also recommendedthat this type of testing be covered by the 1988 law. By 1990,both of our recommendations had been implemented.

As a result of some good environmental scanning, wewere able to nip in the bud the inappropriate growth of anindustry around inferior testing for cholesterol. This notonly helped prevent the spread of unclean and probablyinaccurate testing, but also prevented the unnecessaryexpenditure of public and private health care funds.

Rural Health ClinicsWhile conducting field work on a home health agency

study, OIG staff noted that a for-profit home health providerwas buying up rural health clinics across the State. Sincerural health clinics (RHC) had been in existence since thelate 1970s, why would a profit-making company beinterested in them now? Were there enough of them tomake a difference in profits? Was this phenomenonoccurring in other States?

During the summer and fall of 1995, OIG staff at-tempted to get an answer to these questions. We started bylooking at a year-by-year listing of the number of RHCs ineach State. It was quite obvious from looking at the listingthat RHCs were growing, but the growth was very unevenacross the States.

Not only were they growing, but when we looked at thenumber of applications that were in the pipeline, it appearedthat the growth could be exponential over the next fewyears. We also noticed clusters in some States that werehard to understand in terms of rural areas.

We decided that we should visit three States that hadexperienced rapid growth and that had clusters of RHCs inparts of their State. We ended up visiting 27 RHCs in thesethree States.

We found that in addition to wanting to increaseaccess to care, there were three other interrelated factorsthat appeared to be driving the growth of RHCs: reim-bursement policies, the certification process and managedcare pressures.

RHCs receive reimbursement from a variety of sources,but two of the major sources are Medicare and Medicaid. In1995, RHCs were paid, conservatively, $500 million fromthese two sources alone. They were paid an “enhanced rate”

on a cost-reimbursement basis for every encounter that theyhad with a patient. There is little incentive for efficiencyand there are opportunities for inflated and inappropriatepayments. It is a system that requires close oversight.

How difficult is it to become an RHC? Not very. If you provide health care in an area that has less than50,000 people, there is a good chance you can become anRHC. Each State has Federally designated areas thatqualify as RHC territory. In addition, a Governor candesignate an area.

If you are in the designated area and meet some minimalcriteria, such as employing mid-level practitioners (nursepractitioners, physician assistants, and certified nursemidwives), you can become an RHC, regardless of howmany other RHCs may be located in your area. Evenhospitals can be designated RHCs. Once you are designatedas an RHC, you will always receive enhanced reimburse-ment, regardless of the changing population.

So, if I can receive an enhanced rate for services, whichcould be double the regular rate, and if the paymentmechanism is provided on a cost reimbursement basis,won’t I be better off in a managed care environment bygetting certified as an RHC? Of course. Thus, it is not hardto understand why a for-profit company was buying upRHCs in that State.

In late 1995, we presented these findings to the HealthCare Financing Administration, which is responsible for thecertification of RHCs, and to the Health Resource ServicesAdministration, which is responsible for designating thegeographic areas.

We recommended that they modify the certificationprocess to ensure more strategic placement of rural healthclinics. We also recommended that they take steps toimprove the oversight and functioning of the current costsystem, with the long term goal of implementing adifferent payment method. They agreed with our basicfindings and recommendations.

By conducting an emerging issue review when we did,we were able to catch the proliferation early on and betterunderstand the reasons behind the growth. We were thenable to provide the program policymakers with the informa-tion they needed to take action.

SummaryThese two emerging issue reviews provide insights into

the characteristics of these type of studies. They areforward looking, anticipating problems before they occur.They look for causes behind symptoms and for incentivesthat encourage unwanted behavior. The scope is the broadersystem, not the individual provider.

The outcome and impact of our use of emerging issuereviews has convinced us that they are a much needed andindispensable tool in our arsenal of OIG weapons.❏

The Near Horizon (continued)

35


Multidisciplinary Approach to Teamworkby Paul J. Coleman

Paul J. Coleman,Special Agent in Charge,Investigations Section,Office of the Inspector General,National Science Foundation

With the growing complexityof today’s technology,

Federal agents often need innova-tive approaches to resolve

complex issues arising during fraud investigations. Agentsmay find that their training and expertise in the gatheringof documentary and testimonial evidence are not sufficientto accomplish the analysis of evidence involving scientificor technological issues. The National Science Foundation(NSF) Office of the Inspector General (OIG) developedmultidisciplinary teams of agents, scientists, and attorneysthat led to the successful resolution of complex casesinvolving Federally-funded scientific research projects.This article discusses NSF OIG’s experience with themultidisciplinary teams.

Several years ago, the NSF’s OIG identified the SmallBusiness Innovation Research (SBIR) program as a programthat was vulnerable to fraud. The SBIR program is de-signed to stimulate technological innovation in the privatesector, strengthen the role of small businesses in meetingFederal research and development needs, and increase thecommercial application of the results of Federally-supportedresearch. Eleven Federal agencies, including NSF, providefunds to SBIR companies. To receive funding, a qualifiedsmall business must submit a highly technical, scientificproposal to a SBIR program office at one of the fundingagencies. The proposal describes the research that thecompany will conduct to develop an innovative product thatthe company could eventually commercialize. In theproposal, the company must certify whether the companyhas submitted, or received an award for, the same or similarproposal from another agency. The proposals are peer-reviewed by scientific experts to determine which proposalswill be funded.

Since 1995, the Department of Justice has resolvedthree of the cases we investigated involving companies thatapplied for and received duplicate funding for similarresearch from multiple agencies by submitting falsestatements that concealed the original SBIR award. These

investigations have resulted in two felony pleas, three civilsettlements with total monetary recoveries of $4.1 million,the termination of $2.5 million in SBIR grants and con-tracts, and the debarment of three companies and fiveindividuals. In addition, these investigations have producedGovernmentwide changes in the SBIR program that willlimit and prevent fraud in this program. The successfulresolution of these cases and the important changes in theSBIR program were the result of teamwork, the cooperativeefforts of Federal special agents, scientists, and attorneyswho used their expertise to resolve the evidentiary, legal,and scientific issues that arose in analyzing and prosecutingthese cases involving Federally-funded science programs.

The investigative teams initially consisted of specialagents from NSF’s OIG; the National Aeronautics andSpace Administration’s (NASA) OIG; and the Departmentof Defense (DoD), which included agents from the DefenseCriminal Investigative Service, the Air Force’s Office ofSpecial Investigations, the Army’s Criminal InvestigationDivision, and the Naval Criminal Investigative Service. Asthese cases progressed, we received assistance from theU.S. Marshals Service, the U.S. Customs Service, and theU.S. Immigration and Naturalization Service. Initially,teams of agents gathered and analyzed the documentaryevidence needed to support criminal and civil actions. Thisincluded finding and sifting through hundreds of SBIRresearch proposals, grant and contract documents, and finalresearch reports that the SBIR companies had submitted toFederal agencies.

Early in this process, we determined that, while agentshave the training and expertise to gather evidence andtestimony, they lack the technical expertise to distinguishlegitimate scientific differences in the SBIR researchproposals and final reports from cosmetic differences thatare meant to conceal duplicate proposals and previouslyconducted research. To compensate for this lack of techni-cal expertise, we recruited Government scientists to workwith agents to scrutinize the documentary evidence. Theaddition of scientists to the investigative teams was invalu-able. They identified the legitimate scientific differencesin proposals and allowed the agents to focus on the docu-mentary evidence that established intentional efforts toreceive duplicate SBIR awards from multiple agencies. Byworking directly with the scientists, the agents gained an


36


understanding of the technical material. This was later usedsuccessfully to interview witnesses and obtain admissionsof guilt from the subjects of the investigations.

In one case, the owner of two small companies admit-ted to agents that his companies submitted “some identicalproposals and final reports,” but he “submitted theseproposals and final reports, with the intention of extendingthe research findings and [that] SBIR award money wasinvested in the company to grow the business.” However,continued investigation found that the companies performedlittle, and in most cases none, of the research detailed intheir SBIR final reports. We determined that the researchreported by the companies was conducted by postdoctoralresearchers and graduate students at two universities.Teams of agents as well as NSF and DoD scientists tracedthe research results and graphs in the companies’ SBIRreports to specific experiments conducted at the universi-ties. They did this by reviewing and analyzing laboratorynotebooks; research results; drafts of research publications;and dissertations that had been subpoenaed from theuniversities and their former researchers. We found thatvirtually all of the substantiveresearch that was reported bythe two companies had beenconducted at the universitiesas much as two years beforethe companies’ reports weresubmitted to the Federalagencies, and the researchhad been previously sub-mitted for publication asresearch articles and disser-tations by the graduatestudents. Assistant U.S.Attorneys from the Eastern District of Virginia used thisevidence during negotiations with defense attorneys, andthe evidence was key to the quick settlement of this case.

On several occasions during this case, teams ofattorneys, agents, and scientists worked together to analyzeand discuss the relevance of the evidence. This includedone meeting at a DoD research laboratory where scientistsdemonstrated the technology and equipment pertinent in thecase. The scientists provided explanations of the technicalmaterial and how it related to specific documentary evi-dence that was understandable to the agents and attorneys.The attorneys used this information to rebut technicalarguments raised by the defense counsel. This lead tosettlement of the case, which included a guilty plea to afelony charge of mail fraud, criminal and civil restitutionand fines totaling $3.47 million, and the termination of$908,556 in government contracts.

NSF OIG and Department of Justice attorneys routinelyassisted the investigative teams by drafting subpoenas,reviewing reports, and negotiating administrative settle-ments with the defense counsel. NSF OIG attorneys addedto the teams by providing detailed legal analysis andexpertise in the interpretation of science program rules andthe peer review process which NSF and other agencies use

to evaluate scientific proposals. Most NSF OIG attorneyshave doctorate degrees in scientific fields and therefore areuniquely qualified to assist in these investigations. In a caseprosecuted by the U.S. Attorney’s Office for the CentralDistrict of California, NSF OIG attorneys and agentsassisted with drafting and filing a $4.2 million complaintand motion to freeze the defendants’ assets under theFederal Debt Collection Procedures Act of 1990. In one ofthe first of such actions brought under the Act, the U.S.District Court found that the complaint demonstrated thatthe defendants were attempting to sell their properties andtransfer their money overseas, and the Court ordered theFederal seizure of the defendants’ property and bankaccounts. The seized assets were later transferred to theGovernment as part of a civil settlement.

In another SBIR case, attorneys from the NSF andNASA OIGs drafted an administrative agreement in whichthe company and its owner accepted a 3-year exclusionfrom the SBIR program but allowed the owner, who is ascientist, to work on a limited basis on Federally fundedresearch. This complex administrative agreement was part

of a global settlement negotiated by the U.S.Attorney’s Office for the District of Columbia. The

settlement also included a felony guilty pleaby the company for submitting false statements

in SBIR proposals and a civil settlementof $115,000.

Besides resolving specificcases, our attorneys andagents collaborated to

recommend systemicchanges to the SBIRprogram. VicePresident Gore’s

National Performance Review recommended that InspectorsGeneral use the results of investigations to “help improvesystems to prevent waste, fraud and abuse, and ensureefficient and effective service.” Based on the NationalPerformance Review, the President’s Council on Integrityand Efficiency urged all Inspectors General to “enhance theeffectiveness of an investigation in facilitating positivechange” and “examine the underlying causes of fraud ...and recommend ways that program vulnerabilities can bereduced.” Consistent with that advice, our attorneys andagents analyzed systemic issues that arose as a result of ourinvestigations involving the SBIR program. We made anumber of systemic recommendations that were designed toreduce the potential for fraud and abuse of this program.Many of our recommendations focused on the concealmentof duplicative proposals submitted to various agencies andthe acceptance of funding from different agencies for thesame or overlapping research.

After we issued our recommendations, the GeneralAccounting Office (GAO) reviewed the SBIR program.In its 1995 report, Interim Report on the Small BusinessInnovation Research Program, GAO adopted our recom-mendation that the Small Business Administration create aSBIR program-wide database to reduce the potential that

Multidisciplinary Approach to Teamwork (continued)

NSF OIGAGENTS

ATTORNEYS

SCIENTISTS

37


different agencies could fund duplicate proposals. GAOalso agreed that duplicate funding is a problem and recom-mended that the Small Business Administration considerrevising the SBIR proposal certification form and developsubstantive definitions and guidelines for agencies andcompanies regarding “duplicate research.” These recom-mendations have been accepted, and the changes will limitfraud and abuse of the SBIR program.

We continue to build on the team concept that devel-oped during these investigations. In a recent case in whichthe owner of a SBIR company was indicted for wire fraudand submitting false statements under a NSF SBIR grant,we added auditors to our team of agents, scientists, and

attorneys. We have identified two other companies thathave received duplicate funding from multiple agencies forthe same proposed research. Our investigative teams areworking with the Department of Justice to resolve thesenew cases. We anticipate that these and future cases will beinvestigated and resolved quicker because we are buildingon our team experiences. The initial SBIR cases weresuccessfully investigated and resolved quickly because ofthe cooperative efforts of Federal agents, scientists, andattorneys who used their expertise to resolve the eviden-tiary, legal and scientific issues that arose, and the creativitythat comes from teamwork.❏

38


39


Cyber-Crackers: Computer Fraudand Vulnerabilitiesby Alan Boulanger

hreats?!? What Threats?”- Anonymous IS Manager

In 1994 the Computer Emergency Response Term, orCERT as it’s known within the computer security commu-nity, reported over 40,000 intrusions into network computersystems. CERT’s 1995 figures show an increase in“cracker”/“hacker” activity. In 1995, the Federal Bureau ofInvestigation (FBI) disclosed the results of their computersecurity survey that showed 40% of the surveyed sites hadexperienced at least one unauthorized access.

As organizations become increasingly dependent oncomputer network technology, they are also becomingincreasingly vulnerable to losses, both financial andreputation, resulting from security breaches within theircomputer and communications infrastructure. The mediahad reported many recent attacks on high-profile sites:

Dec 1996 - U.S. Air Force home-page defaced and replacedwith pornography.

Sep 1996 - Denial of service attack on panix.com; effec-tively shut them down.

Sep 1996 - Central Intelligence Agency (CIA) home-pagedefaced and replaced with pornographyand graffiti

Aug 1996 - U.S. Dept. of Justice (DOJ) home-page defacedwith pornography and graffiti.

1995 - Russian accountant hacks Citibank computersfor $10 million.

1995 - MGM/UA Movie “Hackers” home-page alteredwith graffiti.

1994 - British teen penetrates ROME labs computersystems.

These successful attacks represent a small percentageof the actual attacks that have occurred. The “computer-underground” is very active and is wreaking havoc oncomputer systems around the world. The majority ofsuccessful attacks go unnoticed. The intruders will attack asystem, gain entry, install backdoors, and remove all of their

Alan Boulanger, Global Security Analysis Laboratory,T.J. Watson Research Center, International BusinessMachines Corporation

traces from the systems logs and accounting files longbefore anyone notices they have been attacked. Once theback doors have been installed, the intruders can then returnat their leisure. By activating the backdoor, the intruderswill have unlogged administrative access to the entiresystem. Even if the intruders fail to remove evidence oftheir presence and activity from the systems logs, there is anexcellent chance that their activities will go completelyunnoticed. When a system has been compromised it isdifficult to tell from a user’s viewpoint that the system hasbeen violated. Most systems administrators are surprisedwhen they learn that their systems have been broken into.

During the penetration tests that we have conducted atthe request of our clients, on systems ranging from smallhome-pages to large enterprise-wide systems, our activitieshave been detected on less that 1 percent of the total numberof systems we have attacked. We are usually able to breachthe system security, leave a calling card, and cover ourtracks, completely undetected by any of the system’s usersand administrators. These scenarios are played out daily inthe computer underground and by the legitimate “tiger-teams”1 tasked with testing the security of a network. Ourtiger-team experience confirms what the intruders haveknown for years; most systems are vulnerable and only afew systems are being watched.

It should not be surprising then that the number ofsecurity-related incidents have been steadily growing. Asmore people flock to the Internet, and other on-line services,a certain percentage of them will become interested in“cracking” and seek to obtain the technical skills required tobreach the security of many computer systems. By search-ing the Internet and underground bulletin board systems(or BBS’s as they are known) any person can obtain enoughinformation about computer networks and telephonesystems to become an effective cracker. Much of this canbe attributed to the fact that, while more vulnerabilities aresurfacing and being corrected, many sites are still vulner-able to old, well-known, bugs and configuration errors.In short, the old techniques can still be effectively applied.

T“


1 These are groups of individuals from reputable firms thatattempt to violate a firm’s automated security system to determinethe strength of the system. This activity is authorized by thecompany to test their security system.

40


Along with information about old vulnerabilities, theunderground hacker community offers a rich source ofsophisticated tool-kits that are designed to penetrate intocomputer networks. Most of the operators of these tool-kits will lack the technical background to fully understandwhat functions the tools are performing. However, manyof the tools are so well-written that any user with aminimum technical understanding will be able to effec-tively wield them.

Like the street gangs of our urban landscape, “cyber-gangs” are emerging on our networks. A cyber-gangconsists of a group of people that share expertise andresources within the group. They are known to each otherby their nickname, or handle, and their capabilities andinterests. Often the membersof these groups have not evermet in person and only com-municate with other membersthrough the telephone, voice-bridge, or chat-services. Agrowing number of thesegroups are becoming involvedin computer-terrorism,vandalism and fraud. Thegroups responsible for the CIAand DOJ home-page attacks areclearly seen as vandals. Theirmain goal is to make the news andgain notoriety. Other, moredangerous groups strive to remaininvisible. These groups are interestedin making money through bank,credit card, and telephone relatedfraud. The groups interested incredit card fraud will use acomputer to steal, or generate,credit card numbers and either use them to make cashadvances and purchases or wholesale them to others.

Telephone related fraud consists of acquiring tele-phone calling card numbers and cellular telephone ESN/MIN 2 pairs. The calling cards can then either be sold inthe street or used to call long distance.

The ESN/MIN pairs can also be wholesaled on thestreet and then used to “clone” cellular phones (calls madeon the “cloned” phone will be charged to the subscriberassigned the ESN/MIN pair). Cracking into computersystems has become a very profitable endeavor.

Threat Analysis - What are thethreats to network security:

The threats to our computer systems come from avariety of sources. These can be broken down into thefollowing categories: Inside/outside, physical, administra-tive and technical.

Inside/Outside Threats:

The traditional, and most feared, scenario of a com-puter intrusion consists of an outside attack. An outsideattack is an attack perpetrated by a person having noprevious association with the organization and no legitimateaccess to the system. While there are many intrusions fromoutside sources, the majority of the successful, and profit-able attacks are conducted by someone on the inside. Aperson on the inside, especially one with technical skills,has an excellent chance of being able to break into theorganization’s computer systems and then covering up theiractivities. Serious crackers know this and attempt tobecome hired by the companies they wish to attack. Themost notable targets are the various telephone companiesand Internet service providers where crackers attempt to getthemselves hired as system administrators, technical supportpersonnel or even janitors. The computer undergroundpublishes texts to help get them hired and they tradecompany hiring information amongst themselves. Some

crackers will even attack anorganization’s computer system,and then contact the organizationwith the results of the attack andget hired on, as consultants, toperform more security testing.Occasionally a cracker will manageto get themselves hired at a levelwhere they can then hire theirfriends on as consultants. Severallarge companies have experienced

this and some are still workingat containing the damage. Thebest way to address this threat is

to develop policies that focus on reducing the risk of hiringsomeone who is likely to compromise your systems.

Physical Threats:

The physical threat is closely related to the inside/outside threat. If an organization has a sensitive system,it needs to take steps in physically securing their systems.A competent systems administrator will be able to gainadministrative privileges on most computer systems veryeasily if he or she is given physical access.

If a cracker is hired as a cleaning person and hasphysical access to the facility and to the system, he or shecan reboot the system in “single-user” mode granting him orher administrator privileges. He or she can also boot thesystem from a floppy disk or tape smuggled in. Anotherpossibility is where the cracker smuggles in a computer and“clips-on” to the organizations’ networks and records thenetwork traffic. This traffic will provide the cracker validuser accounts and passwords to other systems connected tothe network. Should the above methods fail, the crackercould easily swap the mass storage device and boot his orher own system; thus allowing the cracker access to thesensitive information residing on the original device.

These few simple techniques, available to anyone witha minimal amount of technical expertise, can be deployed

2 ESN/MIN—Electronic Serial Number and Mobile IdentificationNumber. These codes are needed to use cellular phones.

Cyber-Crackers (continued)

41


and bypass all the firewalls and other security counter-measures used to protect the systems. One defense againstthe physical threat is to develop and implement an effectivephysical security policy.

Administrative Threats:

Administrative threats are defined as the threatsresulting from the use and policies of the computernetwork’s users and administrators. The largest singleadministrative threat results in a systems vulnerability topassword-based attacks. A password attack consists of asuccessful intrusion as the result of a password failure. Thefailure can be attributed to accounts that are protected bywell-known default passwords, blank passwords and weakpasswords. Many computer systems are shipped with a setof default accounts. The accounts are used by the adminis-trator to set up and configure the system; however, manysystems administrators forget to either remove the accountsor change the password. The cracker community maintainsa list of all the computer vendors and what default pass-words are shipped with their systems. Some vendors shipsystems that contain default accounts without passwords.A cracker, again using the list, can probe the system andcheck to see if any of the unprotected accounts exist. If thecracker is unable to compromise a system using the defaultpasswords or unprotected accounts, he or she can thenattempt to gain entry using weak passwords. If the intruderis able to obtain a password file from the targeted systems,using any one of a variety of techniques, the next step is toattempt to obtain a valid username/password pair by“cracking” the password file. To help minimize thevulnerability to password attacks, the site should developand implement a password policy that will prevent usersfrom selecting weak passwords and administrators frompermitting default passwords on their systems.

Many administrators and users have lax security viewsbecause they think, “Who would want to break in here? Wedon’t have anything!” A good cracker will find a use forevery site he or she gains entry to. The compromised systemcan be used to stage attacks on other systems (runningpassword crackers, monitoring the network traffic, storingtool-kits, etc.). Recently, during a successful tiger-teampenetration test, we discovered the systems administrator hadbeen using the company’s computers to crack password filesfrom other sites. Many system crackers will maintain a list ofthe sites they have compromised and will use those systemsto leapfrog into other systems. Crackers know the system canbe configured to monitor and record user and networkactivity. As a result, it is now common practice to launchattacks through a series of compromised systems making itmore difficult to trace the origin of the attack.

Technical Threats:

Technical threats are the security exposures directlyrelated to the computer systems themselves. These vulner-abilities are due to problems in system configurations aswell as mistakes, or bugs, contained within the software of

the computer systems. A security threat caused by animproperly configured system can allow an intruder accessto the system without an existing account. The configura-tion error could also allow a regular user the ability tobecome a privileged user. A privileged user is able toaccess and modify any file on the system and to monitornetwork traffic from other systems. A security exposureattributed to a software bug will enable an intruder access tothe systems without first having a legitimate account on thetargeted system.

During our penetration testing, we have discovered thatif we are able to obtain access to the system as a regularuser, we will, the majority of the time, be able to promoteourselves to the level of administrator using either configu-ration errors or software bugs. System logs recovered fromsites that have been attacked also confirmed that once anintruder has a toehold into a network, they can rapidlyobtain administrator privileges and therefore control theentire system.

Much of the technical information on system vulner-abilities is publicly available. As computer vendors learnof new software vulnerabilities, they respond by issuing analert that contains a description of the problem and thesteps to take to correct it. It is important for the systemadministrators to keep abreast of the latest alerts andpromptly apply the vendor patches to help ensure theirsystems security.

Information Warfare Implications:Cracking into computer and telephone systems is no

longer just a game for teenagers. There is an increasingnumber of reports of attacks targeting specific types ofcomputer networks. The attacks are not conducted byteenagers roaming through a random computer network forfun. These attacks are conducted by professionals againsttargets that have been selected for the valuable informationthey are believed to possess. This information can beobtained and used for industrial espionage, Governmentespionage or even gaining tactical advantage in a time ofwar. Defense contractors can be targeted by groups seekinginformation on classified Government information andweapons systems. Regular businesses can be targeted forindustrial espionage by domestic and foreign concernsseeking economic advantage. It is known that thesesystems are vulnerable and the chances are good an intruderwill be able to breach the organization’s security measures.

Some of the “cyber-gangs” are hackers-for-hire and offertheir services to the highest bidder. They will break into thetarget’s systems and report their findings to their clients.Professional crackers could also launch denial-of-serviceattacks against the targeted systems, effectively shuttingthem down, while their competitor works to draw the targetsnow disgruntled customers. An example of this occurredrecently in New Jersey when a service-provider had anemployee shut down a competitor’s system, and then directedthe competitor’s clientele to their “more stable” system.


42


Another recent example occurred in Connecticut when theowner of a plumbing business had the telephone calls of acompetitor forwarded to his own business phones.

While the above examples involve civilian systems, thesame techniques can be applied towards military objectives.An attack on a telephone switching system through thecomputer network could be used to disrupt an adversary’scommand, control and communication systems and be justas effective as an air strike. Cracking into a nation’s C3Isystem could be just as, if not more, effective than deploy-ing a network of field agents in gaining reliable intelligence.Cracking into a nation’s financial institutions could possiblydestabilize that country’s economy though the modificationor destruction of vital transaction records. In short, the

Cyber-Crackers (continued)

ability to break into computer systems, has become a veryvaluable weapon in today’s military arsenals.

It is very important to address the issues of electronicand computer security. Previously, most organizations wouldbuild a system and, if it worked, would install securityprecautions as an afterthought. Security concerns need to betaken seriously and addressed throughout the developmentand maintenance phases of each project. The need for this isevident in Information Week’s annual survey results, pub-lished in October 1996, where, of the organizations respond-ing to the survey; 78 percent had reported financial lossesresulting from security breaches. If we fail to adequatelyaddress these security issues today, then our national andeconomic security will be placed in jeopardy tomorrow.❏