Oversight of the Vulnerability Risk Assessment Tool Process

May 06, 2026
Report Number: 25-147-R26
Report Type: Audit Reports

Background

The mission of the U.S. Postal Inspection Service is to support and protect the U.S. Postal Service and its employees, infrastructure, and customers. One of the ways it accomplishes its mission is by providing technological support and risk management tools as well as strategy services designed to mitigate risk and prevent criminal attacks.

What We Did

Our objective was to assess the efficiency and effectiveness of the Postal Service’s and the Postal Inspection Service's oversight of the Vulnerability Risk Assessment Tool (VRAT) process and resolution of identified deficiencies. The VRAT is a risk-based model to identify security deficiencies at postal facilities. For this audit, we judgmentally selected samples of three Postal Inspection Service divisions and 12 Postal Service facilities nationwide for review based on VRAT survey and deficiency data. Additionally, we reviewed VRAT processes, procedures, training, and applicable guidance.

What We Found

The Postal Inspection Service did not effectively oversee the VRAT process. Many surveys were not started or were incomplete, deficiencies remained unresolved, and the status for resolved deficiencies was not reported in the system. Additionally, while facility security training included a VRAT component, the Postal Inspection Service and Postal Service did not ensure that all facility management received this training prior to performing VRAT surveys. Lastly, there were instances where personnel from both the Postal Inspection Service and Postal Service duplicated efforts by completing separate VRAT surveys in the same fiscal year at Tier 1 (most critical) and Tier 2 (critical) facilities.

Recommendations and Management Comments

We made six recommendations to strengthen VRAT oversight by improving monitoring and follow-up processes, policies and procedures, and reporting and resolution practices; bolstering facility security training and guidance; and reducing the redundancy of VRAT surveys. Postal Service management agreed with all six recommendations. Management’s comments and our evaluation are at the end of each finding and recommendation.