UNITED STATES GOVERNMENT
National Labor Relations Board
Office of Inspector General
March 12, 2003
To: Eugene Lott, Jr.,
Security Branch Chief
From: Jane E. Altenhofen
Subject: Inspection Report No. OIG-INS-25-03-03: Review of Agency Procedures for Control of Identification Badges
We initiated this inspection on January 3, 2003 to determine whether the National Labor Relations Board (NLRB or Agency) has implemented adequate controls over identification badges (IDs) issued to employees and contractors. The Agency has no written policy concerning the control and issuance of IDs. The Agency has not mandated the display of IDs and, therefore, does not meet the recommended minimum standard for security in Federal properties. ID numbers for many employees are duplicates. One employee and 10 paid student assistants were not issued IDs, up to 96 employees had expired IDs, 28 separated employees did not return their IDs prior to receiving their final paycheck, and 4 contractor employees did not return their IDs after ceasing work on Agency contracts. IDs were issued to retired employees without an expiration date, and an inventory of the IDs issued to retired employees was not maintained. The database used to track IDs disagreed with other information sources.
We interviewed personnel in the Security Branch (Security), Finance Branch (Finance), Human Resources Branch (Human Resources), and Information Technology Branch (ITB) to identify Agency policies and procedures and obtain information regarding employees and contractors. We reviewed applicable guidance in the NLRB Administrative Policies and Procedures Manual, Directory of Administrative Services, and instructions provided to the security guards. We also reviewed guidance from the Department of Justice (Justice), General Accounting Office (GAO), and General Services Administration (GSA) to identify Government-wide practices.
Security issued executive identification cards to Presidential appointees and a limited number of other officials as credentials. Executive identification cards were not included in this inspection.
We obtained electronic databases maintained by Security and compared them to security control cards (hardcopy employee data maintained by Security), records provided by Human Resources, and information provided by personnel managing contracts to determine whether the databases were complete and accurate. We also reviewed the electronic databases to determine whether IDs had duplicate numbers or were expired.
We reviewed IDs provided to new employees in FY 2002 to determine whether sufficient documentation existed and that they were issued in accordance with Agency described practices. We obtained a list of separated employees from the Payroll/ Personnel Systems Unit (Payroll) and determined whether NLRB Form 4197, Certification for Release of Final Salary Check, was prepared for employees separated between October 1, 2001 and September 21, 2002, and whether final salary checks had been disbursed prior to the Form 4197 being completed. We determined whether contractor employees returned IDs that were no longer needed.
We reviewed the sign-in logs maintained at Headquarters guard stations for the period July 10, 2002 through December 17, 2002 to determine whether Agency employees were signing in on a frequent basis. We selected a sample of Headquarters employees to determine whether the information on the ID matched the information in the Security database and whether the employee had possession of the ID.
We conducted this review in January and February 2003. The review was conducted in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency.
Security is responsible for ensuring that all employees have an ID issued at entry on duty. All processing of IDs occurs at Headquarters. A new Headquarters employee is escorted to Security by a person from Human Resources. In the field offices, the Office Manager takes a picture of the employee, which is mailed to Headquarters and processed. Security stated that all full-time employees and paid student employees should receive an ID. Student volunteers may or may not receive IDs, depending on whether the office requests one.
Employee IDs remain valid for approximately 5 years. The expiration date coincides with the birth month of the employee, with Headquarters IDs expiring on the 1st of the month and field office IDs expiring on the 15th of the month. When employment ends, the employee is required to complete NLRB Form 4197, part of which includes returning the ID to Security. A contractor employee receives an ID when escorted by a representative of the program office to Security. The expiration date for a contractor employee ID is 1 year after issuance. When a contractor employee ceases work on a NLRB contract, the ID is returned to the project manager, who returns the ID to Security.
All employees, except for Presidential appointees and the Director of Administration, are required to show their ID to be admitted to the Headquarters building.
The Justice report, Vulnerability Assessment of Federal Agencies, dated June 28, 1995, was developed "to establish recommended minimum security standards, and to apply them to the different security levels into which Federal buildings fall." The report divides Federal properties into five security levels. The Security Branch Chief said the Franklin Court Building (NLRB Headquarters) is classified between a Level III and Level IV, but that it is operated at a Level IV except for when constrained by the building's features.
The Justice report states that a Level IV facility has over 450 Federal employees, more than 150,000 square feet, high volume public contact, and tenant agencies that may include high-risk law enforcement and intelligence agencies, courts, judicial offices, and highly sensitive Government records. NLRB Headquarters has approximately 550 NLRB employees and 207,184 square feet, clearly exceeding the first two criteria. Also, Headquarters includes the Board, Division of Judges, Washington Resident Office, and other Federal tenants, arguably meeting the second two criteria. The other Federal tenants include the Environmental Protection Agency Office of Administrative Law Judges, Department of Treasury Financial Crimes Enforcement Network, and Internal Revenue Service National Appeals Office. Field office facilities cover the spectrum from being in shopping centers to large Federal buildings and range from Level I to Level IV facilities.
The Justice report states that agencies should "develop procedures and establish authority for issuing employee and visitor IDs." The GAO Standards for Internal Control in the Federal Government state that "internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination." Examples are management directives, administrative policies, and operating manuals.
The Agency has no written policy concerning the control and issuance of IDs. Security has issued memoranda to the guards to establish procedures, but these memoranda do not fully address issuing and controlling IDs.
The Justice report stated that agency photo IDs for all personnel should be displayed at all times. We found that employees were issued IDs with duplicate numbers and did not have to display IDs while in the Headquarters building. A few employees were not issued IDs and a significant number had expired IDs.
The Justice report states that a Level IV facility should mandate that agency photo identification cards be displayed at all times. In addition, GSA, in its pamphlet Making Federal Buildings Safe, states as common sense advice for Federal employees to "wear your identification badges" and to "challenge people not wearing ID badges."
Agency employees are not required to wear or display IDs. Both Security and ITB purchased items, such as lanyards and retractable clips, and have distributed them to some Agency employees to encourage them to display IDs, but wearing or displaying IDs has not been adopted as policy.
The GAO Standards for Internal Control in the Federal Government recommend that as a control in information processing, transactions should be accounted for in numerical sequences. In a May 2002 report, GAO stated, "when government agencies display the Social Security Number (SSN) on documents, such as employee identification badges and benefit eligibility cards, that are viewed by others who may not have a need for this personal information, the agency displaying the SSN increases the risk that the number may be improperly obtained and misused."
Security uses the last four digits of an employee's SSN as the ID number. Since the ID number is based on an employee trait rather than something unique to the ID, two or more employees can have the same ID number. We examined current employees in Security's database and found that 366 of 1,962 employees (18.6%) had duplicate ID numbers. For those employees, there were 178 ID numbers that were duplicated, with a maximum of 4 employees sharing the same ID number.
The Security Branch Chief stated that Security will develop a numbering system to remedy the issue of duplicate numbers. Beginning on March 1, 2003 all new IDs and renewed IDs are to reflect the new numbering system.
Security is made aware of new employees by a copy of the SF-50, Notification of Personnel Action. Security sends a memo to the program office regarding background checks and enters the new employee into the database. According to Security's database, 159 employees began employment with the NLRB in FY 2002. Of these 159 employees, 117 received IDs and 42 did not. Of the 42 employees, 1 individual declined employment, 30 were volunteers, 10 were paid student assistants, and 1 was a full-time employee. Based on the earlier statements by Security, the 11 employees in the latter two categories should have received an ID but did not. The full-time employee was located in a field office where an ID was not required to enter the building. Security stated that they do not issue IDs to field office employees unless a request is made and they do not have the manpower to follow-up when a request is not made.
An Agency employee who does not have an ID at Headquarters is required to sign in at the security guard desk. Until a recent change in procedures, any NLRB employee could sign for an employee to enter the building. Guards monitor the sign-in logs and refer an employee who signs in frequently to Security. Our review of the sign-in logs from July 10, 2002 through December 17, 2002 found that there were 33 instances, involving 24 employees, when an employee signed in. Only four employees had multiple entries, with the most being one employee with five entries.
Security said that the sign-in logs are maintained for only 1 year before Security disposes of them. According to the NLRB Records Disposition Standards, the Agency should maintain visitor control files for a minimum of 2 years after the date of the document.
Concurrent with our review, Security changed the policy for signing in at the security guard's station. The new policy requires that someone from the employee's office or from Security verify the employee. We believe that this change represents an improvement over the previous policy.
Up to 96 IDs were expired. Security's database and security control cards identified 91 field office IDs that were expired. A physical inspection showed that five Headquarters IDs were expired.
Security routinely reviews the files to identify expired IDs. If the ID is expired, Security sends an e-mail to the employee to either stop by Security or to go to the Office Manager for renewal of their ID. Security contacted 80 employees with expired IDs between September 2002 and January 2003, but only 17 responded to Security. The Security Branch Chief stated that supervisors at Headquarters and Office Managers in field offices will be copied on future renewal notices.
Security also relies on the security guards to catch expired IDs. However, our physical examination of the IDs showed that employees with expired IDs were still able to gain access to the building. On March 5, 2003, the Security Branch Chief issued a new procedure for security guards to confiscate expired IDs and notify Security so that the employee can be escorted to Security for ID renewal processing.
Security maintains a separate database of contractor IDs. The list of contractor IDs is periodically reviewed and if a contractor employee is no longer working on Agency contracts, a letter is sent to the contractor requesting the return of the ID.
In comparing the list of 61 contractor IDs from Security with the list of 62 contractors that are currently working at Headquarters from the contracting officer's technical representatives (COTRs), we found that 7 contractor employees who were on Security's list were not on the lists obtained from the contracting officers. Four of these contractor employees are no longer with the Agency, one returned his ID, and two are no longer on-site, but come in occasionally for meetings.
Security stated that project managers who may not be on-site are allowed to maintain IDs. ITB and the Procurement and Facilities Branch stated that the contracts do not have clauses in writing mandating the return of IDs, but that there is an understanding that the IDs should be returned at the end of employment, and that the COTRs would know that the contractor employee is leaving.
The NLRB Administrative Policies and Procedures Manual requires that when an employee is separated, the employee's ID must be returned prior to issuing a final paycheck. If an ID is not returned, Security will not forward the Form 4197 to the next office for processing until either the ID is returned or an acceptable explanation is given.
Return of IDs
A final salary check should not be issued until a completed Form 4197 is received by Payroll. A final salary check is leverage used to get a departing employee to return Government property and satisfy liabilities of the departing employee. Nevertheless, Payroll issued final salary checks prior to the completion of Form 4197. Security does not control the routing of Forms 4197 and can only process those that are submitted. The payroll system used prior to September 2002 only flagged separated employees who had indebtedness to the Agency (such as a negative leave balance). According to Payroll, under the old payroll system an employee could receive a final paycheck prior to a Form 4197 being processed. Under the new payroll system, the notification that an employee had separated would be forwarded electronically, mitigating the likelihood of issuing a final salary check before the Form 4197 is processed.
Human Resources identified 241 employees who separated between October 1, 2001 and September 21, 2002. We compared the 241 employee names to a list of Forms 4197 processed by Security, and found no record of a Form 4197 for 84 employees. Of the 84 employees, 64 employees were issued IDs, and there was no record that 41 IDs were returned.
For the 41 employees for whom there was no record of an ID being returned, we selected a sample of 17 employees. We looked at the records in Payroll to determine whether a 4197 had been processed, since Payroll would need to be aware that the proper steps were completed prior to issuance of the final check, including a badge being returned. We found that in 15 cases, Payroll did not have any record of a Form 4197 being processed. In the other two cases, we found that a Form 4197 had been properly processed.
In 13 cases, more than one month passed between when the employee separated and when the Form 4197 was completed. We examined the payroll records and determined that in 11 cases, the final paycheck date was prior to the processing of the Form 4197 by Security. We also selected a sample of 10 employees whose Form 4197 was processed within one month of separation and determined that in 2 cases the final paycheck was sent prior to the Form 4197 being processed.
In total, of the 40 employees in our 3 samples, 15 employees did not have a Form 4197 processed prior to their final paycheck. Of the 25 employees who had a Form 4197 processed, 13 employees received their final paycheck prior to the Form 4197 being processed.
Form 4197 was last updated in July 2001, but the instructions regarding the routing of Form 4197 reflect an earlier version of the instructions from 1973 and are out-of-date. The NLRB Administrative Policies and Procedures Manual and the instructions on Form 4197 state that the final salary check will be issued by Finance. However, payroll operations are no longer part of Finance, but are part of Human Resources. Finance walks the Form 4197 to Payroll after certifying the Form 4197, but the instructions should be updated to state that the forms go to Payroll.
Security stated that retired employees are eligible to obtain "retiree IDs." A retiree ID is available to any Headquarters or field office employee who is officially retired, as opposed to separated, and requests an ID from Security. The ID has no expiration date and states on the ID that the holder is retired. Security does not keep a list of IDs issued to retirees. The issuance of a retiree ID means that an individual who no longer has business at the Agency still can access Agency facilities and possibly other buildings controlled by Government IDs.
The Security Branch Chief could not cite any authority for issuing IDs to retirees, who are non-employees. He said IDs are a way to honor employees for their Government service and that future practices would include a tracking system of employees issued a retirement ID. We believe this action is insufficient.
SECURITY DATABASE ACCURACY
The GAO Standards for Internal Control in the Federal Government states "transactions should be promptly recorded to maintain their relevance and value to management" and "control activities help to ensure that all transactions are completely and accurately recorded."
In the reviews we performed, we found disagreements between the information in the Security database and other information sources:
Security stated that some of these differences might be due to lost information when a previous database was converted to MS Access in July 2001. However, this cannot explain all of them, such as the incorrect expiration dates. In response to our draft report the Security Branch Chief stated that Security will coordinate with Human Resources to update the database.
We suggest that the Security Branch Chief: