Recommendations

Ensure that Momentum® user administration guidance and procedures are updated to reflect current processes and controls, including timelines for removing roles and deactivating access resulting from recertification responses and personnel separation actions, and processes for approving both new accounts and roles and modifications to existing access to the system.

Require, document, and maintain approvals for Momentum® access modifications in addition to original account provisioning actions.

We recommend that the AOC develop and publish a discipline policy for exempt personnel, for transparency and consistency with other employee groups.

Ensure that AOC staff responsible for evaluating SOC 1® reports adequately understand the impact of controls performed by subservice organizations on AOC’s financial systems and consider whether the absence of SOC 1® testing of these controls requires implementation of additional Complementary User Entity Controls (CUEC).

Determine whether the NFC, IPP, and subservice provider SOC 1® reports will be delivered in a timely manner and contain the following information required for an effective review and analysis.

Complete an IPP/TWAI-specific risk assessment to ensure implementation of key controls relevant to the AP financial statement assertion (e.g., through complete and timely SOC 1® reports and/or internal AOC CUECs). If the AOC becomes aware that the content of IPP/TWAI-related SOC 1® reports will continue to be provided in an untimely manner or presented in redacted format, AOC management should implement, through its risk assessment, a process to separately identify and assess mitigating and compensating controls to its environment. Additionally, for known control deficiencies at the service and key subservice providers, the AOC should identify compensating control(s) to mitigate the risks within the AOC control environment.

Complete an NFC-specific risk assessment to ensure implementation of key controls relevant to the Payroll financial statement assertion (e.g., through complete and timely SOC 1® reports and/or internal AOC CUECs). If the AOC becomes aware that the content of NFC-related SOC 1® reports will continue to be provided in an untimely manner, AOC management should implement, through its risk assessment, a process to separately identify and assess mitigating and compensating controls to its environment. Additionally, for known control deficiencies at the service and key subservice providers, the AOC should identify compensating control(s) to mitigate the risks within the AOC control environment.

We recommend the AOC coordinate with legislative stakeholders to draft legislation that would incorporate the following:
• Add the Office of Chief Security Officer to an advisory or consultative role to assist in the plans and execution of securing the Capitol campus for large public gatherings, and
• require communication, coordination and collaboration between the AOC, Capitol Police Board, and U.S. Capitol Police.

We recommend the AOC Office of the Chief Security Officer coordinate with U.S. Capitol Police to draft a memorandum of agreement to support the roles and responsibilities and services required for preparation and execution of the perimeter security plans for large public events.

We recommend the AOC Office of the Chief Security Officer establish well-defined policies and procedures with a preparation checklist for jurisdictions based on the severity of threat that provides clear guidance on execution of support activities related to coordination, mobilization, de-mobilization, asset protection and reporting of activities associated with special events across the Capitol campus.

We recommend the AOC coordinate with the U.S. Capitol Police Board and legislative stakeholders to evaluate the overall focus on campus security, and reevaluate the responsibilities for design, installation and maintenance of the Capitol campus security systems and determine who should execute those responsibilities.

We recommend the AOC Office of the Chief Security Officer hold a security briefing with AOC senior leadership for each event, which highlights the security threats and risks identified during their monitoring and received from coordinating agencies along with AOC’s approach to manage such risks and instructions for jurisdictions to execute the developed preparation checklist.

We recommend the AOC inform the U.S. Capitol Police of the deferred security maintenance work elements prior to large public gatherings and events on the Capitol campus.

We are questioning $286,933 in insufficiently supported costs. We recommend that the CHOBr Project team review these costs and, to the extent legally and administratively possible, recover any amounts for which the CMc cannot provide support. If applicable, the CHOBr Project team should also recover any additional amounts resulting from the application of items such as overhead and fees to the unsupported costs.

We recommend that AOC review and properly closeout the following dormant unliquidated obligations (ULOs):
• 68 invalid ULOs valued at $479,907.61;
• Nine unsupported questioned ULOs valued at $90,109.58;
• Nine valid ULOs valued at $8,230 that have not received a final invoice; and
• 231 ULOs with balances less than $50.

Funds put to better use: $479,907.61 and Questioned costs: $90,109.58

We recommend that AOC ensure supporting documentation for unliquidated obligations is maintained and readily available.

We recommend that AOC:
• Finalize the new Quarterly Financial Review SharePoint application and ensure this new application addresses the current and prior year audit findings; and
• Revise the AOC’s policies and procedures to align with the new application.

We recommend that:
1. The Chief Administrative Officer develop and implement additional policies and procedures that:
a. ensure adherence to vehicle utilization reporting,
b. include a more formal scheduled vehicle maintenance program,
c. collect, track, monitor and analyze fleet costs throughout the vehicle lifecycle at the vehicle level;

The Chief Administrative Officer review jurisdiction-level fleet policies and standardize jurisdictional best practices across the AOC where appropriate;

The Chief Administrative Officer procure an AOC-wide fleet management information system with best-in-class fleet management capabilities, to include vehicle inventory, acquisition, disposal, utilization, cost, mileage and fuel use information for each vehicle, and automatic notification to fleet managers of maintenance due;

The Chief Administrative Officer conduct a feasibility study to develop and implement centralized vehicle maintenance contract(s) for routine (and non-routine) maintenance to standardize AOC’s maintenance processes and realize efficiencies resulting from centralized contract(s);

The Chief Administrative Officer, in coordination with AOC organization leaders, review and revise AOC-wide and jurisdictional policies to include standards for vehicle utilization, and guidance for implementing these standards while maintaining jurisdiction-level operational flexibility.

The Chief Administrative Officer procure a fleet management information system with fleet management capabilities, to include vehicle utilization information for each vehicle.

To the extent legally and administratively possible, the CHOBr Project team recover the $38,529 of unallowable costs reimbursed and, if applicable, any additional, unallowable amounts resulting from the application of items such as overhead and fees to the unallowable costs.

To the extent legally and administratively possible, the CHOBr Project team review questioned costs of $55,235 and, recover any amounts for which the Construction Manager as Constructor cannot provide support. If applicable, the CHOBr Project team should also recover any additional amounts resulting from the application of items such as overhead and fees to the unsupported costs.

We recommend the AOC create and/or update existing policies and/or procedures for periodically evaluating the effectiveness of the controls detailed in the LBFMS SOC 1 report or performed by LOC as well as document the relevant local IT controls that address CUECs included in the LBFMS SOC 1 report and evaluate their effectiveness annually.

We recommend that AOC management implement the existing, documented procedures over the review of SOC reports, establish procedures to transfer responsibilities for control operations to other team members upon an employee’s separation, and monitor internal controls to assess their effectiveness.

We recommend that AOC management should design an appropriate control to identify, analyze, and respond to risks related to non-GAAP practices and policies.

Develop and implement a control to complete a retrospective review of the Environmental Liability annually. That review should be used to validate the cost factors used and make appropriate adjustments when needed.

Develop and implement a more precise accounts payable accrual by re-considering the results of the quarterly Accounts Payable validations and the impact on the existing accrual methodology and considering an adjustment to its accrual percentage to capture periods not covered by the current accrual model.

We recommend the Office of the Chief Security Officer develop and implement a suitability policy for AOC employees and consolidate and implement revisions, as appropriate, to the current contractor suitability policy. Additionally, develop and implement a standardized timeline for policy revision and update within the current Fiscal Year.

We recommend that the Office of the Chief Security Officer, in coordination with the United States Capitol Police and the House Sergeant at Arms, perform a joint feasibility study to consider:
a) Re-assigning signature authority for the CP-491 for the House of Representatives Sergeant at Arms-issued contractor badges from the OCSO to Contracting Officer Representatives, eliminating the hand carry of the CP-491 to USCP/Fairchild for Fingerprinting, and implementing the use of approval buttons or pdf secure signatures in place of manual signatures.
b) Identification, development or acquisition of a badge management software solution that uses notification-based processes that ensures secure, efficient execution, monitoring and tracking of badging actions.

We recommend that the Office of the Chief Security Officer develop and implement suitability policy language to include clear lines of responsibility and processes. Improvements should include:
• In the contractor suitability policy, assign the responsibility for the centralized recordkeeping of intra-agency badging agreement Memorandums of Understanding or Agreements to the OCSO; and
• In both policies, guidance and requirements for secure badge return and protection and oversight of Personally Identifiable Information.

We recommend that the Office of the Chief Security Officer in coordination with the U.S. Capitol Police and the House Sergeant at Arms, perform a joint feasibility study to develop and implement a centralized security badge management process through the use of shared software that allows for secure and efficient issuance, monitoring and tracking of badging actions, to include tracking and reporting of lost/stolen badges and follow-up actions.

The Chief Information Officer update ITD’s current policy for accountable IT property, to include the incorporation of defined program personnel roles, requirements aligned with the property management lifecycle and all current program procedures.

The Chief Information Officer continue pursuit of transitioning to a single asset management system that addresses its program needs to track accountable and consumable IT property and establish a detailed implementation plan with target dates to transition to a single asset management system for accountable and consumable IT property as currently captured in Cireson and Jumpstock.

The AOC revise the Board of Survey Process with codified punitive actions to act as a deterrent against future instances of employee negligence and misconduct regarding the loss of AOC property, including both IT mobile devices and personal property.

The Chief Information Officer, establish internal controls in addition to the current Annual Telecom Memorandum requirement, to identify indications of a mobile device being lost, damaged or stolen and have processes in place to act accordingly.

We recommend that the Architect of the Capitol (AOC) consider structuring future Guaranteed Maximum Price contracts as 1) fixed-price amounts for general conditions and general requirements and 2) cost reimbursement for subcontracts that are fixed-price amounts between the general contractor and subcontractors, to assist in alleviating the AOC’s administrative burden in properly administering the contract.

We recommend that the Architect of the Capitol (AOC) issue contract modifications for the sampled contracts to include any applicable clauses that the AOC did not include in the contract at the time of award or in any modifications already issued, if the AOC determines that it is feasible to do so.

We recommend that the Architect of the Capitol (AOC) update the format of the Matrix Checklist to allow Contracting Officers to more easily filter, sort and select applicable construction contract clauses.

We recommend when the Architect of the Capitol (AOC) revises its contract formulation requirements, it formalize its process for updating existing contracts, including documenting its rationale for cases in which it determines that new contractual requirements are not applicable to existing contracts.

We recommend that the Architect of the Capitol (AOC) issue contract modifications to remove the inapplicable clauses included in the contract, if the AOC determines that it is beneficial and feasible to do so.

As a part of the Architect of the Capitol (AOC) annual review of active contracts to determine whether any contract modifications are necessary, we recommend that the AOC incorporate a review to identify (1) applicable clauses erroneously omitted during the formulation of the contract, (2) applicable contract clauses issued after contract award, and (3) inapplicable contract clauses.

We recommend that the Architect of the Capitol (AOC) consider requiring its contractors to carry builder’s risk policies on a project-by-project basis, based on an evaluation of the risks that each project poses to the AOC.