Our audit objectives were to review application controls, select general controls, and assess the reliability of the Prisoner Tracking System (PTS) data. The audit work, which occurred between June and December 2003, was performed in accordance with the Government Auditing Standards. We conducted fieldwork at the United States Marshals Service (USMS) headquarters in Arlington, Virginia, and 8 of the 94 USMS district offices (DOs). The eight DOs were: Alexandria, Virginia; Washington, D.C.; New York, New York; Houston, Texas; Philadelphia, Pennsylvania; Chicago, Illinois; Miami, Florida; and Phoenix, Arizona. The DOs were selected because their location, detainee processing volume, or USMS headquarters identified them as "model sites."

Although our primary objectives were to review application controls and perform data integrity testing, our audit criteria for evaluating application controls included certain select general control areas. Those steps involved obtaining an overview of the application's user population (access controls), developing an understanding of the operational workflow process (entity-wide security program planning and management and segregation of duties), and developing an understanding of the hardware and software environment (system software, application software development, and service continuity). Therefore, this report contains findings from select general control areas required to assess the effectiveness of PTS's application controls.

The Marshals Network (MNET) serves as the PTS's system environment because PTS users must login to MNET to gain access to PTS servers. The OIG performed an audit of MNET's general controls during its fiscal year 2003 Federal Information Security Management Act (FISMA) review. We therefore relied on audit findings disclosed during the FISMA review as an assessment of the PTS application's system environment and reported on those select general controls we reviewed as required by the application controls audit criteria.

To accomplish our audit objectives, we conducted over 50 interviews and visited the 8 DOs represented on the map in Appendix 2. We interviewed USMS headquarters officials from the Prisoner Services Division, Planning and Analysis Branch, and Information Technology Services Division to assess select general controls, such as entity-wide security program planning and management of the PTS and service continuity. From these interviews, we were able to gain an understanding of the application's user population, operational workflow process, and hardware and software environment. Additionally, we obtained information from deputy marshals, administrative officers, criminal clerks, detention enforcement officers, and system administrators at each DO visited to evaluate the overall effectiveness of application controls for protecting the PTS's data. We specifically reviewed authorization, completeness, accuracy, and integrity of processing controls.

Our visits to the selected DOs included observing operational activities and performing data integrity testing. Our observation of operational activities allowed us to assess the USMS's compliance with the Federal Information System Controls Audit Manual (FISCAM), USMS's PTS User Manual, and USMS's Policy Directive No. 99-47 (Cellblock Operations). To perform data integrity testing, we judgmentally selected a total of 200 prisoners' file folders (25 file folders at each of the 8 sites visited). We reviewed these prisoners' records for completeness of information and manually compared source documents to the PTS output to determine accuracy of information as recommended in the General Accounting Office's (GAO) guidance for Assessing the Reliability of Computer-Processed Data.

Additionally, we reviewed the certification and accreditation documentation for the PTS, the Department's information technology management policies and procedures, the USMS's organizational structures, and information contained within individual prisoner file folders.