Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC's Controls Over Destruction of Archived Paper Records

This is the accessible text file for FDIC OIG report number EVAL-15-002 entitled 'The FDIC’s Controls Over Destruction of Archived Paper Records'

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file is an exact electronic replica of the printed version.

FDIC Office of Inspector General

Office of Audits and Evaluations

Report No. EVAL-15-002

The FDIC’s Controls Over Destruction of Archived Paper Records

Executive Summary

February 2015

Why We Did The Evaluation

Effective records management is critical for ensuring that sufficient documentation is created; that agencies can efficiently locate and retrieve records needed in the daily performance of their missions; and that records of historical significance are identified, preserved, and made available to the public. Therefore, it is fundamental that the FDIC properly maintain and protect from damage, misuse, or improper disposition all business records created or collected in the course of conducting business, including those acquired from failed insured depository institutions. Internal control is a major part of managing an organization. It comprises the plans, methods, and procedures used to meet missions, goals, and objectives, and serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. Internal control should provide reasonable assurance that the objectives of the agency are being achieved through effective and efficient operations, reliable reporting, and compliance with applicable laws and regulations.

Our evaluation objective was to determine the extent to which controls in the FDIC’s Records and Information Management program provided reasonable assurance that paper records stored off-site are being properly destroyed. We performed work to determine whether controls exist and are working as intended to ensure that (1) record destruction decisions are properly authorized and communicated to the FDIC’s records management contractor, Iron Mountain, Inc.; (2) the FDIC’s records management databases are updated and properly reflect destruction dates as supported by destruction certificates; and (3) Iron Mountain’s destruction process works as described. We conducted this evaluation in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.

Background

Most federal agencies are required by the Federal Records Act (44 U.S.C. § 3101) to make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities. The FDIC has determined that the Corporation is not covered, but FDIC policy reflects the spirit of the Act.

The FDIC’s Division of Administration (DOA) Records and Information Management Unit (RIMU) developed a consolidated FDIC Records and Information Management (RIM) Policy Manual as the central mechanism to assist FDIC employees and contractors with their records management responsibilities. The Chief, RIMU, oversees the disposition of paper records in accordance with the FDIC’s retention guidelines, and in compliance with any applicable legal holds, which suspend the routine disposal of records that may be potentially relevant to litigation or other matters in which those records must be produced. RIMU staff oversee the maintenance of archived paper records and manage the disposal of inactive paper records that are no longer subject to retention requirements under the record retention schedule (RRS) and are not subject to legal hold. Division, office, and regional record liaisons facilitate the timely disposal of inactive business records (paper and electronic) and non-record material. RIMU’s standard operating procedure (SOP) describes the steps that RIMU completes for the FDIC’s archived paper records destruction process. The FDIC uses the Automated Records Management System (ARMS) to account for and manage the location of paper records.

The FDIC contracts with Iron Mountain, Inc., for a range of records management and storage services, including records destruction. Iron Mountain uses Iron Mountain Connect™ to support its records management and billing under the FDIC’s contract. RIMU and other FDIC staff access Iron Mountain Connect, which Iron Mountain provides as a gateway for control of customers’ off-site records.

Evaluation Results

We concluded that the FDIC lacks adequate controls to ensure that archived paper records are properly destroyed. Because of control weaknesses with the records management process and ARMS, we could not confirm that record destruction decisions were properly authorized, and we observed significant FDIC records inventory discrepancies. We concluded that Iron Mountain has a robust control structure for records destruction that mitigates the risk that records could be destroyed without FDIC authorization. We identified a need for the FDIC to conduct a program risk assessment, strengthen its procedures, implement stronger record inventory controls, and enhance controls for reconciling destruction certificates.

Risk Assessment and Procedures. FDIC management needs to conduct a comprehensive risk assessment and improve procedures to establish effective controls over archived paper records. While the RIM Policy Manual established recordkeeping policy, RIMU lacked sufficient implementing procedures for identifying, managing, and destroying paper records. We identified a need for greater management attention in this regard. For instance, it appears that operational events such as bank failures and FDIC office closings led to records being sent to Iron Mountain without first being entered into ARMS, creating inventory discrepancies. A comprehensive risk assessment should identify operational risks to effective records management and then DOA should develop procedures and controls to address those risks.

Inventory Controls. The FDIC needs to inventory and accurately account for its archived paper records. We identified significant inventory discrepancies during our evaluation. As of June 30, 2014, ARMS recorded 431,372 fewer boxes of archived records than Iron Mountain Connect, or nearly 33 percent of the total FDIC boxes recorded in Iron Mountain Connect. Only 249,750 ARMS box identifiers (28 percent) directly matched Iron Mountain Connect records and at least 501,640 Iron Mountain Connect box identifiers (38 percent) did not match ARMS records. Following our field work, DOA identified about 58 percent of the unmatched boxes, though further work was needed to verify box contents and enter information into ARMS. These discrepancies occurred, in part, because RIMU does not have adequate procedures to establish and maintain its records inventory. The inventory discrepancies impair the FDIC’s ability to adhere to its records retention schedule, identify records subject to legal holds and legal demands, and effectively review contractor costs for records storage. In addition, the FDIC risks records being misplaced or lost.

Reconciling Destruction Requests. RIMU should strengthen procedures and controls to help ensure the FDIC can account for archived paper records that are destroyed. We were not always able to reconcile the FDIC’s requests to destroy records with Iron Mountain’s documentation certifying destruction. We concluded that RIMU’s records destruction procedures needed improvement, contributed to inventory discrepancies, and created risk that records could become misplaced or lost. RIMU updated its SOP during our field work in November 2014. The update includes steps for reconciling Iron Mountain destruction certificates with FDIC record destruction requests and updating ARMS.

DOA began further corrective actions immediately following our field work, before we issued this report.

Recommendations and Corporation Comments

We made six recommendations for the FDIC intended to improve the program and strengthen associated controls and procedures to ensure the FDIC’s archived paper records are inventoried and properly destroyed. We addressed five recommendations to DOA and one recommendation to the Legal Division. Both DOA and the Legal Division concurred with their respective recommendations and outlined corrective actions to be completed between June 30, 2015 and December 31, 2015. We consider management’s response sufficient to resolve the recommendations.

Contents

Background

Evaluation Results

The FDIC Should Assess Risks and Establish Effective Controls Over Archived Paper Records

Recommendations 1 and 2

The FDIC Needs to Inventory and Accurately Account for Its Archived Paper Records

Recommendations 3, 4, and 5

RIMU Procedures Should Ensure the FDIC Can Account for Archived Paper Records that Are Destroyed

Recommendation 6

Other Matter

Corporation Comments and OIG Evaluation

Appendices

1. Objective, Scope, and Methodology

2. Acronyms and Abbreviations

3. Corporation Comments

4. Summary of the Corporation’s Corrective Actions

[End of section]

[FDIC letterhead]

Federal Deposit Insurance Corporation, Office of Audits and Evaluations, Office of Inspector General, 3501 Fairfax Drive, Arlington, Virginia 22226

[End of letterhead]

DATE: February 26, 2015

MEMORANDUM TO: Arleas Upton Kea, Director, Division of Administration

Charles C. Yi, General Counsel, Legal Division

FROM: E. Marshall Gentry /Signed/ Assistant Inspector General for Evaluations

SUBJECT: The FDIC’s Controls Over Destruction of Archived Paper Records (Report No. EVAL-15-002)

Effective records management is critical for ensuring that sufficient documentation is created; that agencies can efficiently locate and retrieve records needed in the daily performance of their missions; and that records of historical significance are identified, preserved, and made available to the public. Therefore, it is fundamental that all business records, created or collected by the FDIC in the course of conducting business, are properly maintained and protected from damage, misuse, or improper disposition.

Internal control is a major part of managing an organization. It comprises the plans, methods, and procedures used to meet missions, goals, and objectives, and serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. Internal control should provide reasonable assurance that the objectives of the agency are being achieved through effective and efficient operations, including the use of the entity’s resources, reliable reporting, and compliance with applicable laws and regulations.

Our evaluation objective was to determine the extent to which controls in the FDIC’s Records and Information Management (RIM) program provided reasonable assurance that paper records stored off-site are being properly destroyed. To answer that objective, we performed work to determine whether controls exist and work as intended to ensure that (1) record destruction decisions are properly authorized and communicated to Iron Mountain, the FDIC’s records management contractor; (2) FDIC’s records management databases are updated and properly reflect destruction dates as supported by destruction certificates; and (3) Iron Mountain’s destruction process works as described.

We conducted this evaluation in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. Appendix 1 of this report includes additional details on our objective, scope, and methodology. Appendix 2 contains a list of acronyms and abbreviations. Appendix 3 contains the Corporation’s comments on this report.

Background

Documents within the FDIC's possession, custody, or control that reflect the Corporation's actions, activities, decisions, operations, or transactions are its business records. These include documents obtained by the FDIC as Receiver for failed insured depository institutions. In August 2014, the FDIC had more than 1.3 million boxes of such records stored outside FDIC facilities.

Most federal agencies are required by the Federal Records Act (44 U.S.C. § 3101) to make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities. The FDIC has determined that the Corporation is not covered, but FDIC policy reflects the spirit of the Act. [Footnote 1]

Footnote 1: The FDIC Legal Division determined that the FDIC is not subject to the Federal Records Act 44 U.S.C. Chapter 31 (FRA), as amended in 1976. FRA incorporates the agency definitions set forth in 40 U.S.C. § 102(4) and § 102(5), formerly codified at 40 U.S.C. § 472(a) and § 472(b). The Legal Division’s longstanding analysis of these provisions is that “federal agency” is defined as any executive agency or any establishment in the legislative or judicial branch of the Government under 40 U.S.C. § 102(5). Under FRA, an executive agency includes any executive department or independent establishment in the executive branch, including wholly owned government corporations. While the FDIC is a government corporation, it is a mixed-ownership corporation, not a wholly owned one. Further, the FDIC is not part of the legislative or judicial branches. Therefore, the Legal Division concluded that the FDIC is not covered by FRA. [End of footnote]

The FDIC’s Division of Administration (DOA) Records and Information Management Unit (RIMU) developed a consolidated FDIC Records and Information Management (RIM) Policy Manual [Footnote 2] as the central mechanism to assist FDIC employees and contractors with their records management responsibilities. The RIM Policy Manual addresses, among other things, RIM responsibilities inherent in specific FDIC positions and roles, the purpose and application of the FDIC Records Retention Schedule (RRS), and guidance regarding the retention and disposition of records, management of paper records archived off-site, and procedures for paper records disposition.

Footnote 2: Circular 1210.1, FDIC Records and Information Management (RIM) Policy Manual, dated July 2, 2012, was effective at the onset of this evaluation. The Director, DOA, issued an updated Circular effective October 27, 2014. The update introduced new guidelines for retention of paper and electronic records following the departure or transfer of an employee, and updated and clarified FDIC policy guidance regarding the retention and disposition of electronic records. [End of footnote]

Division, office, and regional record liaisons facilitate the timely disposal of inactive business records.

At the onset of our evaluation, RIMU had a 3-page standard operating procedure (SOP) updated March 20, 2014, which described steps for the FDIC’s archived paper records destruction process. Primarily, one RIMU lead program analyst, who understands and follows the SOP, has been responsible for implementing that process. The FDIC uses the Automated Records Management System (ARMS) to account for and manage the location of paper records.

The FDIC established its current contract with Iron Mountain, Inc., effective August 1, 2010 for a range of records management and storage services, including records destruction. The FDIC has exercised its final option to extend the contract’s period of performance through July 31, 2015. Iron Mountain uses its Iron Mountain Connect™ system to support its records management and billing under the FDIC’s contract. RIMU and other FDIC staff access Iron Mountain Connect, which Iron Mountain provides as the gateway for control of customers’ off-site records.

[End of section]

Evaluation Results

We concluded that the FDIC lacks adequate controls to ensure that archived paper records are properly destroyed. Because of control weaknesses with the records management process and ARMS, we could not confirm that record destruction decisions were properly authorized and we observed significant FDIC records inventory discrepancies. We concluded that Iron Mountain has a robust control structure for records destruction that mitigates the risk that records could be destroyed without FDIC authorization. We identified a need for a program risk assessment and strengthened procedures, stronger record inventory controls, and enhanced controls for reconciling destruction certificates.

The FDIC Should Assess Risks and Establish Effective Controls Over Archived Paper Records

FDIC management needs to conduct a comprehensive risk assessment and improve procedures to establish effective controls over archived paper records. While the RIM Policy Manual established recordkeeping policy, RIMU lacked sufficient implementing procedures for identifying, managing, and destroying paper records. These control and procedure deficiencies led to records information not being properly entered into ARMS.

The United States Government Accountability Office (GAO) Standards for Internal Control in the Federal Government [Footnote 3] identifies five standards for internal control that define the minimum level of quality acceptable for internal control in government and provide the basis to evaluate an agency’s internal controls. Among the GAO standards criteria are the following:

- Management needs to comprehensively identify and analyze risks, and should consider all significant interactions between the entity and other parties as well as internal factors at both the entity-wide and activity level.

- Control activities, which are the policies, procedures, techniques, and mechanisms that enforce management’s directives, should be effective and efficient in accomplishing control objectives, which for records destruction are that an agency must:

  - establish physical control to secure and safeguard vulnerable assets, and that such assets should be periodically counted and compared to control records;

  - record transactions promptly to maintain their relevance and value to management in controlling operations and making decisions to help ensure all transactions are completely and accurately recorded; and

  - generally design internal controls to assure that ongoing monitoring occurs in the course of normal operations, including regular comparisons and reconciliations.

Footnote 3: The November 1999 edition (GAO/AIMD-00-21.3.1) is applicable to this evaluation. GAO updated the document in September 2014 (GAO-14-704G). That edition becomes effective beginning with fiscal year 2016, though management may adopt the updated standards earlier. [End of footnote]

The FDIC established policies governing the records management and destruction process through the RIM Policy Manual. This manual states that it is fundamental that all business records, created or collected by the FDIC in the course of conducting business, are properly maintained and protected from damage, misuse, or improper disposition. It is the FDIC’s policy to maintain proper documentation of its operations to, among other things:

- provide current and historical data pertaining to actions taken by the FDIC;

- comply with applicable laws, rules, regulations, and federal standards relating to the retention of business records on a corporate-wide basis;

- protect the legal and financial rights of the Corporation and of individuals directly affected by its activities, including protection of privileged, confidential, and proprietary information; and

- manage record-keeping costs by providing for retention and timely destruction of records and information in accordance with the RRS and any applicable legal holds.

RIMU’s implementing SOP dated March 20, 2014 summarized 10 steps that RIMU followed to identify and destroy eligible archived paper records; however, it did not include steps to:

- require or establish ARMS system controls to ensure an FDIC box identifier be unique;

- establish a mechanism to prevent or to identify and resolve flawed data in either ARMS or Iron Mountain Connect, such as receipt dates of 1915 through 1919 or duplicate box identifiers;

- include any periodic inventory or require reconciling ARMS with Iron Mountain Connect, which would help to ensure the FDIC applies its RRS to all of its records;

- compare information the FDIC sends to Iron Mountain requesting records be destroyed with documentation that Iron Mountain returns to the FDIC to confirm records destruction;

- provide for assessing the effectiveness of Iron Mountain’s shredding controls; or

- include oversight of the final records destruction stage of pulping, which occurs after shredding at non-Iron Mountain facilities.

DOA updated the SOP in November 2014 to include steps to compare FDIC records destruction requests with Iron Mountain’s record destruction documentation.

Because program controls and procedures were not adequate, according to DOA, operational events such as bank failures and FDIC office closings led to records being sent to Iron Mountain without first being entered into ARMS, creating inventory discrepancies.

Greater management attention and oversight of the FDIC’s records management program could have helped the FDIC identify program risks and develop controls to address those risks. The Chief, RIMU position was vacant for about 18 months until August 2014. The Assistant Director, Support Services Section (SSS), who is over the Chief, RIMU, manages three units in addition to RIMU. In addition to those responsibilities, the Assistant Director, SSS, temporarily filled the vacant Deputy Director, Corporate Services Branch (CSB), position from October 2014 until mid-November 2014. The Deputy Director, CSB, position had been vacant since October 2013 and CSB assistant directors temporarily filled that role until the position was permanently filled in November 2014. Therefore, it was not until the end of field work for this assignment that the FDIC filled vacant supervisory and management positions over RIMU.

The lack of comprehensive procedures for destruction of FDIC archived paper has resulted in inadequate controls to ensure that the FDIC has an accurate inventory of paper records, and the FDIC does not have reasonable assurance that such records are being properly destroyed. As discussed further below, there are significant discrepancies between the FDIC’s and Iron Mountain’s records management databases.

Recommendations

We recommend that the Director, DOA:

1. Review the paper records identification, management and destruction process to identify risks.

2. Establish sufficiently comprehensive procedures and devote needed management attention to effectively mitigate identified risks and establish controls that provide reasonable assurance such records are being properly managed and destroyed.

The FDIC Needs to Inventory and Accurately Account for Its Archived Paper Records

We identified significant inventory differences between the FDIC’s ARMS and Iron Mountain Connect. As of June 30, 2014, ARMS recorded 876,457 [Footnote 4] boxes of archived records and Iron Mountain Connect reflected 1,307,829 boxes of FDIC records [Footnote 5] stored at Iron Mountain facilities, a difference of 431,372 boxes of archived records or nearly 33 percent of the archived boxes of records that Iron Mountain indicated the FDIC had stored at its facilities.

Footnote 4: The ARMS data includes a relatively small number of database records created between July 1, 2014 and the date that OIG extracted the ARMS data. The quantity is small enough to not affect the overall analysis. [End of footnote]

Footnote 5: The Iron Mountain Connect data includes a relatively small number of boxes classified as containing both paper and other media records. The quantity is small enough to not affect the overall analysis. [End of footnote]

As discussed earlier, the GAO Standards for Internal Control in the Federal Government require that agencies establish control activities, such as policies and procedures, to physically control and safeguard assets and periodically inventory assets against control records.

We concluded that the FDIC needs to improve procedures surrounding the inventorying of archived paper records. The FDIC assigns boxes of archived paper records an FDIC identifying number through ARMS, which is the ARMS record number. FDIC procedures do not address the need for, nor does ARMS require, the FDIC box identifier to be unique, thus allowing multiple boxes to carry the same identifier. Iron Mountain assigns its own identifying number to each box of records the FDIC transfers to its facilities, a Safekeeper PLUS® (SKP) number that should be unique. [Footnote 6]

Footnote 6: There were 118 duplicate SKP numbers among the 1,307,829 database records (0.01 percent), which we considered de minimis. [End of footnote]

We compared ARMS and Iron Mountain Connect to determine the extent to which ARMS database records matched Iron Mountain Connect database records based on the FDIC’s and Iron Mountain’s box identifiers. Only 249,750 ARMS database records (28 percent) matched Iron Mountain Connect database records based on both the same FDIC and Iron Mountain box identifiers, and at least 501,640 Iron Mountain Connect database records (38 percent) did not match an ARMS database record based on either the same FDIC or Iron Mountain box identifier.

Following our field work, DOA began to identify some of the boxes associated with the unmatched database records between ARMS and Iron Mountain Connect. As of December 9, 2014, DOA had identified 290,530 boxes of the 501,640 unmatched records, though further work was needed to verify box contents and enter the information into ARMS.

The data included other flaws as well. ARMS contained 46,422 database records (5 percent) with duplicate SKP numbers. Iron Mountain Connect also contained data that appeared to be invalid. For example, 44,024 database records reflected a Receipt Date, indicating when boxes were placed in storage, for years 1915 through 1919. Further, 24,925 database records reflected a Receipt Date from the 1980s. None of the Iron Mountain Connect database records with Receipt Dates from the 1980s matched any of the ARMS database records.

We concluded that the inventory discrepancies occurred, in part, because RIMU does not have adequate procedures to establish and maintain an inventory of the FDIC’s archived paper records. RIMU does not have the following procedures that would enhance the FDIC’s ability to maintain effective archived paper records inventory:

- a consistent, reliable method for establishing unique FDIC box identifiers in ARMS, and

- a process for periodically reconciling ARMS and Iron Mountain Connect.
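The comparison described above (matching on both box identifiers, on neither, duplicate identifiers, and receipt dates that appear invalid) can be run as a repeatable reconciliation check. The Python below is an added example, not part of the OIG report and not code from ARMS or Iron Mountain Connect; the field names (`fdic_box_id`, `skp`, `receipt_date`), the sample rows, and the date window are assumptions made for illustration.

```python
from collections import Counter
from datetime import date


def key_pair(row):
    """Return (FDIC box id, SKP number), normalised; blanks become None."""
    def norm(value):
        return (value or "").strip().upper() or None
    return norm(row.get("fdic_box_id")), norm(row.get("skp"))


def duplicate_ids(rows, index):
    """Identifiers (index 0 = FDIC box id, 1 = SKP) used by more than one row."""
    counts = Counter(key_pair(r)[index] for r in rows)
    counts.pop(None, None)  # a blank identifier is a gap, not a duplicate
    return {value for value, n in counts.items() if n > 1}


def classify(rows, other):
    """Sort rows by how they match `other`: both ids, one id, or neither."""
    other_keys = [key_pair(r) for r in other]
    pairs = {k for k in other_keys if None not in k}
    box_ids = {k[0] for k in other_keys} - {None}
    skps = {k[1] for k in other_keys} - {None}
    out = {"both": [], "one": [], "neither": []}
    for row in rows:
        fdic, skp = key_pair(row)
        if (fdic, skp) in pairs:
            out["both"].append(row)
        elif fdic in box_ids or skp in skps:
            out["one"].append(row)      # partial match: needs manual review
        else:
            out["neither"].append(row)  # unknown to the other system
    return out


def reconcile(arms, imc):
    """Classify each system's rows against the other system."""
    return {"arms": classify(arms, imc), "imc": classify(imc, arms)}


def implausible_receipts(rows, earliest, latest):
    """Rows whose receipt date is missing or outside [earliest, latest]."""
    return [r for r in rows
            if r.get("receipt_date") is None
            or not (earliest <= r["receipt_date"] <= latest)]


# Constructed sample data (not taken from the report).
ARMS = [
    {"fdic_box_id": "A-1001", "skp": "SKP0001"},
    {"fdic_box_id": "A-1002", "skp": "SKP0002"},
    {"fdic_box_id": "A-1002", "skp": "SKP0003"},  # duplicate FDIC box id
    {"fdic_box_id": "A-1004", "skp": "SKP0003"},  # duplicate SKP number
    {"fdic_box_id": "A-1005", "skp": ""},         # SKP never recorded
    {"fdic_box_id": "A-1006", "skp": "SKP0006"},  # not held by the vendor
]
IMC = [
    {"fdic_box_id": "a-1001 ", "skp": "SKP0001", "receipt_date": date(2009, 5, 1)},
    {"fdic_box_id": "A-1002", "skp": "SKP0002", "receipt_date": date(2010, 3, 15)},
    {"fdic_box_id": "A-9999", "skp": "SKP0003", "receipt_date": date(2011, 7, 2)},
    {"fdic_box_id": "", "skp": "SKP0500", "receipt_date": date(1915, 1, 1)},
    {"fdic_box_id": "B-2000", "skp": "SKP0501", "receipt_date": date(2012, 1, 9)},
    {"fdic_box_id": "A-1005", "skp": "SKP0600", "receipt_date": date(2013, 2, 2)},
]
EARLIEST = date(1933, 1, 1)   # assumed plausibility floor for this sample
LATEST = date(2014, 6, 30)    # assumed as-of date of the extract

if __name__ == "__main__":
    result = reconcile(ARMS, IMC)
    for system, groups in result.items():
        print(system, {name: len(rows) for name, rows in groups.items()})
    print("duplicate FDIC box ids:", duplicate_ids(ARMS, 0))
    print("duplicate SKP numbers:", duplicate_ids(ARMS, 1))
    print("implausible receipts:",
          [r["skp"] for r in implausible_receipts(IMC, EARLIEST, LATEST)])
```

Rows in the `one` group are the ones a periodic reconciliation would route to manual review, since a match on a single identifier can mean either a data-entry error or a reused box number.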

In addition, RIMU attributed some of the inventory discrepancies to events that occurred many years ago, including the FDIC’s consolidation from regional records management databases to a single centralized records management database and the transfer of data from a prior contractor database to Iron Mountain Connect, as well as the migration of failed financial institutions’ legacy Iron Mountain accounts to the FDIC Iron Mountain account. In consolidating from regional records management databases, and with the acquisition of failed financial institutions’ records already located in Iron Mountain facilities, some inventory that is stored at Iron Mountain might not have been added to ARMS. Both in consolidating from regional records management databases and in transferring data from a prior contractor database to Iron Mountain Connect, there may have been some duplicate FDIC box identifiers that were not amended to become a unique FDIC box identifier or were not transferred to Iron Mountain Connect.

DOA also attributed some of the discrepancies to failed institution records obtained at closing during the most recent financial crisis that were transferred directly to Iron Mountain without being entered into ARMS, records that pre-date the FDIC’s electronic records systems that were never captured in ARMS’s predecessor system and thus not converted to ARMS when the FDIC introduced it in 1999, and database records in ARMS that were inadvertently filtered from the OIG’s download created in August.

The discrepancies between ARMS and Iron Mountain Connect impair the FDIC’s ability to:

- adhere to its RRS, because that process starts by identifying in ARMS records eligible for destruction and ARMS does not have a record of nearly one-third of the boxes the FDIC stores at Iron Mountain;

- identify records subject to legal holds, though the primary risk is of not appropriately destroying records eligible for destruction;

- identify records subject to legal demands that require the FDIC to produce records related to the FDIC’s litigation, creating potential liabilities for not appropriately identifying and disclosing records the FDIC had in its possession; [Footnote 7]

- effectively respond to Freedom of Information Act and Privacy Act requests, a shortfall that could make the FDIC non-compliant with the law and non-responsive to the public; and

- effectively review contractor costs associated with the storage of FDIC archived boxes, because Iron Mountain Connect is Iron Mountain’s basis for billing the FDIC for storage services provided under the Iron Mountain records management contract. In this regard, it is possible that the FDIC is continuing to pay record storage costs for records that should be destroyed.

Footnote 7: The existence of previously unknown records may trigger disclosure obligations for attorneys and their clients. For example, Rule 26(e) of the Federal Rules of Civil Procedure, which governs federal civil litigation, requires parties, under certain conditions, to supplement or correct disclosures and discovery responses in pending litigation. [End of footnote]

In addition, without reasonable assurance of knowing what paper records the FDIC has archived, the FDIC risks boxes of records being misplaced, lost, or otherwise unaccounted for. The FDIC needs a reliable understanding of its records in Iron Mountain’s custody to prevent unintentional disclosure or loss of that information, which could include privileged and confidential information or sensitive and other personally identifiable information.

Recommendations

We recommend that the Director, DOA:

3. Determine the inventory of the FDIC’s archived paper records; and

4. Establish controls and procedures that will provide reasonable assurance that the FDIC is able to account for its archived paper records on an ongoing basis.

We recommend the General Counsel:

5. Assess the impact and take action, as necessary, in connection with any open matter to respond to requests for documents or subpoenas in legal proceedings or other legal demands for documents, including clarifying any prior responses provided in connection with such requests, subpoenas or demands, in light of newly identified records.

RIMU Procedures Should Ensure the FDIC Can Account for Archived Paper Records that Are Destroyed

We were not always able to reconcile the FDIC’s requests to destroy records with Iron Mountain’s documentation certifying destruction. We concluded that these discrepancies were related to the FDIC ARMS database and documentation issues.

As mentioned earlier, the GAO’s Standards for Internal Control in the Federal Government requires agencies to establish control activities, such as procedures and processes, to ensure that transactions are completely and accurately recorded.

For our testing scope of January 1, 2013 through June 30, 2014, RIMU provided the OIG documents showing that the FDIC requested that Iron Mountain destroy 210,845 boxes of records in that period. RIMU also provided the OIG documentation it received from Iron Mountain that certified the contractor destroyed 214,313 boxes of records in that period, 3,468 more boxes than the FDIC documented that it requested to be destroyed. After we completed our field work for this evaluation, DOA obtained support from Iron Mountain of RIMU’s authorizations, which resolved that issue.

In addition, we identified discrepancies within the documentation Iron Mountain provided to the FDIC for one of the seven destructions that occurred from January 2013 through June 2014. For that destruction in early 2013, Iron Mountain’s destruction certificate certified it had destroyed 65,317 boxes of records; however, Iron Mountain’s supporting documentation did not reconcile to the destruction certificate, which it should have. The FDIC contributed to the problem because ARMS should have reflected that the FDIC had withdrawn from Iron Mountain more than 400 boxes of records that RIMU later asked Iron Mountain to destroy.

RIMU’s record destruction procedures effective March 20, 2014 did not include comparing the information the FDIC sends to Iron Mountain requesting records be destroyed with the documentation that Iron Mountain returns to the FDIC to confirm records destruction. Further, those procedures did not include reconciling the Iron Mountain destruction certificates with the additional supporting documentation that Iron Mountain provides to support its destruction certificates.

Upon fulfilling FDIC records destruction requests, Iron Mountain sends the FDIC Oversight Manager a destruction certificate and supporting documentation that includes a list of boxes of records destroyed based on the request submitted, boxes of records withdrawn from Iron Mountain or that Iron Mountain had previously destroyed, and boxes of records that Iron Mountain could not locate. Under the March 20, 2014 procedures, the Oversight Manager only forwards to the RIMU lead program analyst responsible for updating ARMS a list of boxes of records the FDIC requested to be destroyed that Iron Mountain could not destroy. The RIMU lead program analyst deletes ARMS records for everything RIMU requested to be destroyed except the boxes of records on the list that Iron Mountain could not destroy. The Oversight Manager retains the destruction certificates and additional supporting documentation that Iron Mountain sends to the FDIC.

RIMU updated its SOP on November 10, 2014 to include a step for RIMU to review Iron Mountain’s destruction certificate and the supporting documentation for all records the FDIC requested to be destroyed, as well as confirming ARMS updates based on Iron Mountain documentation detailing boxes of records destroyed.

Without adequately reconciling records destruction requests with documentation showing records destroyed, the FDIC could have deleted records from ARMS assuming boxes of records had been destroyed when Iron Mountain had not destroyed them. Further, the FDIC might not be removing records from ARMS that the FDIC should delete because Iron Mountain has destroyed them. In either case, ARMS would not accurately account for the FDIC’s records.

Inadequate control over inventoried boxes of records creates risk that boxes of records become misplaced, lost, or otherwise unaccounted for. Some FDIC records include privileged and confidential information, or sensitive and other personally identifiable information. Without a working and reliable knowledge of the boxes FDIC has placed in Iron Mountain’s custody, the FDIC risks unintentional disclosure or loss of such sensitive information. Inadequate control over inventoried boxes of records also increases risk of discrepancies between the FDIC’s and Iron Mountain’s records management databases, such as those detailed above.

Recommendation

We recommend that the Director, DOA:

6. Ensure that records management controls can provide reasonable assurance that the FDIC can accurately account for archived paper records that are destroyed.

[End of section]

Other Matter

The FDIC’s contract with Iron Mountain specifies that records “disposal shall include strip shredding and pulping…and shall ensure that information contained in the records [cannot] be reconstructed.” RIMU’s procedures do not address the final records destruction stage of pulping that occurs after shredding. While RIMU periodically visits Iron Mountain shred facilities to confirm Iron Mountain’s control structure for shredding paper records, FDIC procedures neither assess the effectiveness of Iron Mountain’s controls nor oversee or evaluate Iron Mountain’s controls or procedures for pulping shredded records. Iron Mountain does not certify to the FDIC that shredded FDIC records are pulped. DOA should address this matter in conjunction with the first two recommendations in this report, to identify risks in the paper records identification, management, and destruction process and establish sufficiently comprehensive procedures to address those risks.

[End of section]

Corporation Comments and OIG Evaluation

The Director, DOA, and General Counsel jointly responded to a draft of this report on February 20, 2015. In the response, DOA affirmed its commitment to ensuring proper and accurate records inventory control, adherence to records retention policies, and compliance with records destruction procedures. The response also outlined some of the program improvements DOA made and other efforts it began as we identified and communicated our preliminary observations before we issued the draft report.

DOA and the Legal Division concurred with the six recommendations in this report as they relate to each division. The corrective actions outlined in management’s response, which is included as Appendix 3 of this report, should address the root causes of the conditions detailed in this report. The Corporation’s corrective actions, summarized in Appendix 4 of this report, should be completed between June 30, 2015 and December 31, 2015.

We consider management’s response sufficient to resolve the recommendations.

[End of section]

Appendix 1

Objective, Scope, and Methodology

Objective

Our evaluation objective was to determine the extent to which controls in the FDIC’s Records and Information Management program provided reasonable assurance that paper records stored off-site are being properly destroyed. To that end, we performed work to determine whether controls exist and are working as intended to ensure that (1) record destruction decisions are properly authorized and communicated to Iron Mountain, the FDIC’s records management contractor; (2) the FDIC’s records management databases are updated and properly reflect destruction dates as supported by destruction certificates; and (3) Iron Mountain’s destruction process works as described.

Scope and Methodology

To address our evaluation objective, we gained an understanding of FDIC policies and procedures for destruction of paper records stored off-site, including internal controls for identifying and destroying FDIC records; FDIC Circular 1210.1, FDIC Records and Information Management (RIM) Policy Manual, dated July 2, 2012; and Standard Operating Procedures for RIMU-initiated archived Corporate records destruction. We reviewed the FDIC’s contract with Iron Mountain and the contractor’s controls over its process to destroy paper records. We evaluated the FDIC’s controls against GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999) and considered the updated version of that document (GAO-14-704G, September 2014). In addition, we interviewed DOA officials, particularly the RIMU lead management analyst and lead analyst, and contractor officials to obtain information on their knowledge of destruction controls and processes. Also, we interviewed an official at another federal financial regulatory agency about that entity’s records destruction controls and procedures.

We performed our evaluation from April 2014 through December 2014 at the FDIC’s offices in Arlington, Virginia, and at contractor facilities in Springfield, Virginia, and Richmond, Virginia, in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.

Records Destruction Decisions. To determine if the FDIC properly authorized and communicated records destruction decisions to Iron Mountain, for the period January 1, 2013 through June 30, 2014, we:

- obtained from RIMU copies of its requests sent to Iron Mountain to destroy records and the corresponding documentation Iron Mountain sent to the FDIC to confirm it destroyed such records;

- verified compliance with the SOP by ensuring that the FDIC’s destruction process complied with FDIC policies and procedures; and

- observed Iron Mountain’s scheduled destruction of 12 boxes of OIG paper records that RIMU arranged for us to witness, and reviewed record destruction request documentation.

FDIC Records Management Databases. To determine if FDIC records management databases were up-to-date and properly reflected and supported destruction dates reported on the contractor’s destruction certificates, we:

- extracted from ARMS 876,457 database records and obtained from Iron Mountain an extract of 1,307,829 Iron Mountain Connect database records that each represented the population of boxes of archived FDIC records in those respective databases as of June 30, 2014;

- analyzed the two databases for unique FDIC and Iron Mountain box identifiers and tried to reconcile database records with either an FDIC or Iron Mountain unique identifier that was not in the other system or database records reflecting duplicate FDIC or Iron Mountain unique identifiers; and

- reviewed the FDIC’s procedures used to update ARMS and Iron Mountain Connect to determine if they would provide reasonable assurance of the accuracy of the FDIC’s records inventory.

Iron Mountain’s Records Destruction Process. To determine if Iron Mountain’s records destruction process works as described, we first confirmed that the contractor had a robust control structure for paper records destruction. To do this, we:

- reviewed the contractor’s procedures for paper records destruction;

- reviewed eight DOA visitation reports of the contractor’s storage and shred facilities for the period January 1, 2013 through June 30, 2014;

- reviewed Iron Mountain’s 2012 and 2013 annual stockholder’s reports;

- considered the National Association for Information Destruction (NAID) certification process;

- tried to identify any other government reviews of the contractor’s process and controls over paper records destruction through outreach to the Federal Audit Executive Council of the Council of the Inspectors General on Integrity and Efficiency; and

- arranged through RIMU to witness destruction of FDIC archived paper records at the contractor’s facilities.

The on-site witnessed destruction involved coordinating with DOA and the contractor for the location, dates, and times of the visit. We visited Iron Mountain’s records storage facility in Springfield, Virginia, to observe preparation of the boxes of records for transportation to the destruction facility in Richmond, Virginia. We viewed the boxes of records secured on an Iron Mountain truck and we traveled to Richmond, Virginia, to witness the destruction of the boxes of records at Iron Mountain’s Richmond shred facility.

To assess how Iron Mountain ensures its paper records controls destruction process works as intended, we obtained from Iron Mountain and reviewed:

- two Iron Mountain geographic area internal audit report executive summaries that covered those facilities;

- Iron Mountain’s semi-annual field audit scoring summaries for each of its 17 shredding facilities that Iron Mountain used to destroy FDIC paper records from January 1, 2013 through June 30, 2014, for a total of 51 summary scores, and information explaining exceptions related to Iron Mountain’s secure destruction activity identified in those field audits; and

- 17 reports of the NAID compliance reviews conducted at those facilities from January 1, 2013 through June 30, 2014.

We confirmed that Iron Mountain has a robust control structure for records destruction, including a multi-level audit and compliance mechanism to help ensure its records destruction processes work as intended.

[End of section]

Appendix 2

Acronyms and Abbreviations

ARMS Automated Records Management System

CSB Corporate Services Branch

DOA Division of Administration

FRA Federal Records Act

GAO U.S. Government Accountability Office

NAID National Association for Information Destruction

OIG Office of Inspector General

RIM Records and Information Management

RIMU Records and Information Management Unit

RRS Records Retention Schedule

SKP SafeKeeper PLUS®

SOP Standard Operating Procedure

SSS Support Services Section

U.S.C. United States Code

[End of section]

Appendix 3

Corporation Comments

[FDIC DOA letterhead, Federal Deposit Insurance Corporation, Division of Administration, 3501 Fairfax Drive, Arlington, VA 22226]

DATE: February 20, 2015

MEMORANDUM TO: E. Marshall Gentry, Assistant Inspector General for Evaluations

FROM: Arleas Upton Kea, Director \Signed\, Division of Administration

Charles C. Yi \Signed\, General Counsel

SUBJECT: Management Response to the Office of Inspector General Draft Evaluation Report Entitled, The FDIC’s Controls Over Destruction of Archived Paper Records (Assignment No. 2014-026)

The Division of Administration (DOA) and Legal Division (Legal) have completed their review of the subject Office of Inspector General (OIG) Draft Audit Report dated January 20, 2015. We greatly appreciate the OIG’s observations and the opportunity to improve the Agency’s records management program. Effectively storing and managing, and properly destroying, paper records are critical components of FDIC’s overall operations. DOA and Legal clearly understand the importance of this responsibility and the risks associated with not having proper controls in place throughout all phases of the records management lifecycle.

Discrepancies noted in the OIG’s report were partly related to the FDIC’s efforts during the recent financial crisis that began in 2008, spanned multiple years, and resulted in FDIC closing over 500 financial institutions. During that time, the DOA acquired and shipped thousands of failed bank records from hundreds of bank branches to nearly 200 offsite Iron Mountain (IM) storage facilities nationwide. This aggressive level of activity often occurred under stringent timeframes commonplace during a weekend bank closing. Adequately tracking and controlling this unusually high volume of activity from so many disparate locations proved extremely challenging. In addition to failed bank records, FDIC shipped thousands of Agency records to offsite storage facilities as part of the normal course of business operations during this general timeframe. In total, and at the peak of activity, FDIC had nearly 3.2 million boxes of paper records stored at Iron Mountain which included records from many bank failures that occurred prior to 2008. DOA acknowledges that a few key control weaknesses that pre-dated the recent financial crisis contributed to current records discrepancies.

As discussed in the OIG’s report, the volume of records being acquired and shipped to Iron Mountain exceeded DOA’s capacity to adequately ensure full and timely reconciliation of all items. Other conditions such as DOA’s earlier transition to a new records management database and bank records that were already stored at Iron Mountain facilities contributed to unresolved discrepancies as well. Consequently, the OIG’s report appropriately highlighted the need to strengthen current procedures and implement stronger controls over DOA’s records management program to both reconcile existing inventories and ensure DOA’s readiness to properly manage any future surges in activity.

DOA is committed to ensuring proper and accurate records inventory control, adherence to records retention policies, and compliance with records destruction procedures. As part of that commitment, DOA and Legal concur in full with the OIG’s six recommendations (insofar as they relate to their respective divisions) and have already initiated a number of efforts to address the OIG’s findings. These efforts are described below along with our response to each of the OIG’s six recommendations.

Immediate Efforts to Reconcile Inventories and Improve Controls

Throughout its review, the OIG identified significant discrepancies between ARMS (FDIC’s records management system) and IM Connect (Iron Mountain’s records management system) regarding the inventory of boxes stored and destroyed in both systems. As the OIG identified and communicated these discrepancies, DOA officials began to contain the risk by researching and reconciling the differences.

The process of reconciling the two systems led DOA to identify several factors that contributed to the discrepancies including:

1) FDIC did not always receive complete or accurate inventory numbers when boxes from newly failed institutions were transitioned from the institution’s own Iron Mountain account to FDIC’s Iron Mountain account. As a result, it was not always feasible to properly update ARMS.

2) FDIC occasionally transferred records from failed institutions directly to Iron Mountain without first recording box information into ARMS or consulting with a designated DOA records liaison specialist.

3) Some failed institution and FDIC corporate records had been captured in a previous records management database system (REMATS) [Footnote 1] but were never entered into ARMS.

Footnote 1: REMATS was the predecessor corporate records management system to ARMS. [End of footnote]

DOA has taken a number of steps to significantly improve the overall control environment and techniques within the records management program. These improvements will help prevent future discrepancies and provide assurances that stored records are properly identified, maintained, tracked, and ultimately properly destroyed in accordance with prescribed policies and procedures. Improvements and actions-in-process include:

Improvements:

- Selected a permanent Deputy Director, Corporate Services Branch;

- Hired a new Records and Information Management (RIM) Unit (RIMU) Chief to directly supervise and manage activities in RIMU;

- Updated the Standard Operating Procedures (SOP) for Paper Records Destruction;

- Updated the SOP for New Box Inventory that standardizes the process for authorizing and entering box information into ARMS; and

- Centralized RIMU destruction authorization files on DOA’s SharePoint site.

Actions-in-Process:

- Recruiting a RIM Specialist with expertise in HP TRIM to join the RIMU staff;

- Pursuing the creation of permanent record liaisons and adding a position to the RIMU staff to support the records management program;

- Standardizing unique box identifiers in ARMS;

- Awarding a contract for an HP TRIM consultant to conduct an overall systems “health check” of ARMS; the consultant will also recommend business process solutions to ensure that inventory discrepancies are quickly identified and corrected;

- Working with the Division of Information Technology on an ARMS systems upgrade;

- Performing a comprehensive review of ARMS user accounts, permissions, and access controls;

- Reviewing the current business processes for updating, retrieving and refiling of box inventory in ARMS;

- Standardizing box inventory information in ARMS;

- Working with the Division of Resolutions and Receiverships to incorporate RIMU in the notification process for bank closings;

- Working with Legal to ensure that RIMU is notified when Outside Counsel records are entered into ARMS before being sent to Iron Mountain; and

- Incorporating the records management program into DOA’s annual risk management and compliance review program.

Five of the six recommendations mentioned in the OIG report were addressed to DOA and one recommendation was made to Legal. Both DOA and Legal concur with their respective recommendations and have provided the following management responses along with the planned corrective actions.

Recommendation 1: Recommend that the Director, DOA review the paper records identification, management, and destruction process to identify risks.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: DOA acknowledges the importance of mapping key aspects of the records management process in order to (1) identify and test the effectiveness of existing control techniques as well as (2) highlight control gaps and techniques that are not working as intended. Consequently, DOA will review the business processes for records identification, management and destruction, and develop/implement appropriate risk mitigation strategies to better control archived paper records. This effort will involve feedback and recommendations from an independent consultant and HP Trim expert along with assistance from DOA’s Management Services Branch. Moreover, this process will be ongoing to account for changes in technology, workload, and business priorities.

Completion Date: June 30, 2015

Recommendation 2: Recommend that the Director, DOA establish sufficiently comprehensive procedures and devote needed management attention to effectively mitigate identified risks and establish controls that provide reasonable assurance such records are being properly managed and destroyed.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: DOA appreciates the OIG highlighting the need for greater management attention and oversight of FDIC’s records management program. The OIG appropriately identified prolonged vacancies in key management positions within the Corporate Services Branch as a contributing factor to less than optimum program oversight. DOA is pleased to report that it has recently filled key management and staff positions within the records management area that will significantly improve program oversight and performance.

In addition, upon completion of DOA’s review of existing business processes for records identification, management and destruction, RIMU will develop comprehensive procedures that will incorporate control activities to mitigate program risks and ensure records are being managed and properly destroyed. Revised procedures will include the additional steps mentioned in the OIG’s report that are not already included in DOA’s records management procedures dated March 20, 2014.

Completion Date: September 30, 2015

Recommendation 3: Recommend that the Director, DOA determine the inventory of the FDIC’s archived paper records.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: DOA/RIMU will continue to research inventory differences between IM Connect and ARMS. As discrepancies are resolved, DOA will update ARMS to accurately reflect all boxes physically stored at Iron Mountain facilities. Effective immediately, DOA will review and compare monthly “New Box” reports from Iron Mountain to FDIC’s ARMS to ensure that both systems reconcile and that all stored boxes are accounted for. As an added control feature, new procedures require that no new boxes be sent to Iron Mountain without first being evaluated for accuracy and completeness by appropriately trained DOA records management officials located at headquarters and the Dallas Regional Office. DOA/RIMU will also evaluate and implement business process and reconciliation improvements recommended by the HP TRIM consultant.

Already, DOA has successfully reconciled approximately 66 percent of the discrepancies identified by the OIG in its report. Specifically, DOA recently updated ARMS to include a significant number of records that were: (1) already stored at Iron Mountain under failed institutions’ account numbers, (2) shipped to Iron Mountain during a bank closing without first being entered into ARMS, (3) not properly transferred from a previous records management system (REMATS) to ARMS, and (4) awaiting destruction in a separate component of the ARMS database. This effort is ongoing and will involve DOA using an HP Trim contractor to fully resolve all remaining discrepancies.

Completion Date: December 31, 2015

Recommendation 4: Recommend that the Director, DOA establish controls and procedures that will provide reasonable assurance that the FDIC is able to account for its archived paper records on an ongoing basis.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: Once DOA completes its review of existing business processes for records identification, management and destruction, RIMU will develop comprehensive procedures to ensure that control techniques are incorporated into the records management processes. These procedures and control techniques will provide reasonable assurance that archived paper records are accounted for and managed appropriately. In addition to developing comprehensive procedures, RIMU will review and revise FDIC Circular 1210.1 entitled Records and Information Management Policy Manual to standardize processes and incorporate controls within the records management program.

Completion Date: September 30, 2015

Recommendation 5: Recommend that the General Counsel assess the impact and take action, as necessary, in connection with any open matter to respond to requests for documents or subpoenas in legal proceedings or other legal demands for documents, including clarifying any prior responses provided in connection with such requests, subpoenas or demands, in light of newly identified records.

Legal Management Response: Legal concurs with this recommendation.

Corrective Action: As DOA staff categorize and inventory the boxes at issue, Legal Division attorneys are assessing the impact of such boxes on open matters and will take further action as necessary. While DOA staff have not completed the categorization and inventory effort, information available to date indicates that the overwhelming majority of the boxes at issue were sent to Iron Mountain storage facilities before any relevant time frame involving, or under circumstances that would have no bearing or effect on, open matters.

Legal has formed a task force of managers and staff attorneys who are actively assessing the impact of the boxes at issue on matters currently open. This entails determining what various sets of boxes relate to (in terms of institutions and/or subject matter involved, and the timeframe covered) and assessing their relevance to any open matter of the FDIC. Legal staff is in the process of assessing records indices to determine whether the boxes contain information relevant to any pending matter and what, if any, further action may be necessary.

Completion Date: December 31, 2015

Recommendation 6: Recommend that the Director, DOA ensure that records management controls can provide reasonable assurance that the FDIC can accurately account for archived paper records that are destroyed.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action:

DOA management is strongly committed to protecting privileged and confidential information as well as sensitive and other personally identifiable information. That commitment requires adequate control over inventoried boxes and the destruction process to avoid misplaced or lost records. As such, DOA management will establish and document a process for RIMU staff to follow when conducting validation checks. These checks will help ensure that records identified for destruction on FDIC’s “Records Destruction Request Forms” are consistently cross-referenced to Iron Mountain’s “Certificate of Destruction”. In addition, this reconciliation process will ensure that records identified and scheduled for destruction are in fact properly destroyed. DOA/RIMU will also change the corporate records destruction process from an annual occurrence to quarterly to make the process more manageable.

Completion Date: June 30, 2015

Questions regarding this response should be directed to Dan Bendler at 703-562-2123 or Andrew Nickle at 703-562-2126.

cc: Barbara A. Ryan, Deputy to the Chairman and Chief Operating Officer

Steven O. App, Deputy to the Chairman and Chief Financial Officer

Elaine Stankiewicz, Senior Advisor, Deputy to the Chairman and CFO

Ronald T. Bell, Deputy Director, DOA, Corporate Services Branch

Daniel H. Bendler, Assistant Director, DOA, Management Services Branch

Andrew Nickle, Senior Management Analyst, DOA, Management Services Branch

Rochelle Myles Galloway, Assistant Director, DOA, CSB, Support Services Section

John V. Thomas, Deputy General Counsel

Henry R. F. Griffin, Assistant General Counsel

[End of section]

Appendix 4

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Row 1; Rec. Number: 1; Corrective Action: Taken or Planned: DOA will review the business processes for records identification, management and destruction, including considering feedback from an independent electronic records and management system consultant and assistance from its Management Services Branch, and develop and implement appropriate risk mitigation strategies to better control archived paper records.; Expected Completion Date: June 30, 2015; Monetary Benefits: $0; Resolved [a]: Yes or No: Yes; Open or Closed [b]: Open;

Row 2; Rec. Number: 2; Corrective Action: Taken or Planned: Upon completion of DOA’s review of existing business processes for records identification, management and destruction, RIMU will develop comprehensive procedures that will incorporate control activities to mitigate program risks and ensure records are being managed and properly destroyed.; Expected Completion Date: September 30, 2015; Monetary Benefits: $0; Resolved [a]: Yes or No: Yes; Open or Closed [b]: Open;

Row 3; Rec. Number: 3; Corrective Action: Taken or Planned: RIMU will continue to research inventory differences between Iron Mountain Connect and ARMS and will update ARMS to accurately reflect all boxes physically stored at Iron Mountain facilities. Also, DOA will:

- review and compare monthly “New Box” reports from Iron Mountain to FDIC’s ARMS to ensure that both systems reconcile and that all stored boxes are accounted for;

- require that no new boxes be sent to Iron Mountain without first being evaluated for accuracy and completeness; and

- evaluate and implement business process and reconciliation improvements.

Expected Completion Date: December 31, 2015; Monetary Benefits: $0; Resolved [a]: Yes or No: Yes; Open or Closed [b]: Open;

Row 4; Rec. Number: 4; Corrective Action: Taken or Planned: RIMU will develop comprehensive procedures to ensure that control techniques are incorporated into the records management processes and will review and revise FDIC Circular 1210.1, Records and Information Management Policy Manual, to standardize processes and incorporate controls within the records management program.; Expected Completion Date: September 30, 2015; Monetary Benefits: $0; Resolved [a]: Yes or No: Yes; Open or Closed [b]: Open;

Row 5; Rec. Number: 5; Corrective Action: Taken or Planned: As DOA staff categorize and inventory the boxes at issue, a Legal Division task force of managers and staff attorneys will actively assess the impact of the boxes at issue on matters currently open and will take further action as necessary.; Expected Completion Date: December 31, 2015; Monetary Benefits: $0; Resolved [a]: Yes or No: Yes; Open or Closed [b]: Open;

Row 6; Rec. Number: 6; Corrective Action: Taken or Planned: DOA management will establish and document a process for RIMU staff to follow when conducting validation checks, and RIMU will change the corporate records destruction process from an annual occurrence to quarterly to make the process more manageable.; Expected Completion Date: June 30, 2015; Monetary Benefits: $0; Resolved [a]: Yes or No: Yes; Open or Closed [b]: Open;

[a] Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

[b] Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective actions are complete or (b) in the case of recommendations that the OIG determines to be particularly significant, when the OIG confirms that corrective actions have been completed and are responsive.

[End of table]

[End of section]

[End of report]
