oversight

Audit Followup Process for Office of Inspector General Internal Audits in the Office of the Chief Information Officer.

Published by the Department of Education, Office of Inspector General on 2005-09-21.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                      UNITED STATES DEPARTMENT OF EDUCATION

                                      OFFICE OF INSPECTOR GENERAL




                                            September 21, 2005
                                                                                             CONTROL NUMBER
                                                                                            ED-OIG/A19F0003

Michell C. Clark
Acting Chief Information Officer
Office of the Chief Information Officer
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202

Dear Mr. Clark:

This Final Audit Report (Control Number ED-OIG/A19F0003) presents the results of our audit
of the Audit Followup Process for Office of Inspector General Internal Audits in the Office of the
Chief Information Officer. The objective of our audit was to verify whether adequate
documentation was maintained to support that corrective action items have been implemented as
stated in the Department of Education’s (Department) corrective action plans (CAP). This audit
is a part of a review of the Department’s internal audit followup process being performed in four
principal offices (POs). A summary report will be provided to the Department’s Chief Financial
Officer upon completion of the audits in individual offices.


                                           BACKGROUND
Office of Management and Budget (OMB) Circular A-50, entitled “Audit Followup,” provides
the requirements for establishing systems to assure prompt and proper resolution and
implementation of audit recommendations. The Department established a Post Audit User Guide
(Guide) to provide policy and procedures for the audit followup process. Section I, “Overview,”
of the Guide states,

       The effectiveness of the post audit process depends upon taking appropriate,
       timely action to resolve audit findings and their underlying causes, as well as
       providing an effective system for audit close-out, record maintenance, and follow-
       up on corrective actions.




                           400 MARYLAND AVE., S.W. WASHINGTON, D.C. 20202-1510

           Our mission is to ensure equal access to education and to promote educational excellence
Mr. Clark	                                                                        Page 2 of 8



While overall responsibility for the audit followup process is assigned to the Office of the Chief
Financial Officer (OCFO), Post Audit Group (PAG), each Assistant Secretary (or equivalent
office head) is responsible for ensuring that the overall audit followup process operates
efficiently and consistently. The Guide defines further responsibilities of the Action Official
(AO), generally the Assistant Secretary (or equivalent office head), to include:

    • 	 Determining the action to be taken and the financial adjustments to be made in resolving
        findings in audit reports concerning respective program areas of responsibility,
    • 	 Maintaining formal, documented systems of cooperative audit resolution and follow-up
        to ensure that audit recommendations are implemented, completion dates captured, and
        appropriate documentation maintained to support completed corrective actions.

The Department tracks audit resolution and the completion of corrective action items through the
Audit Accountability and Resolution Tracking System (AARTS). For each audit, AARTS stores
detailed information on audit resolution, proposed corrective action items, Office of Inspector
General (OIG) concurrence with these action items, responsible individuals, and completion and
closure data.

When a PO has completed all corrective action items for an internal OIG audit, the PO certifies
this fact to PAG and requests closure of the audit in AARTS. PAG staff perform a review of the
documentation in the audit resolution file maintained by the PO to determine whether
implementation of corrective action items is supported. Once PAG is satisfied that
implementation of the corrective action items reviewed is supported, the audit is closed in
AARTS. PAG staff stated that until sometime in Fiscal Year 2004, only a sample of corrective
action items was evaluated and that PO staff did not necessarily know that all corrective action
items were not reviewed. PAG staff stated that currently all corrective action items are evaluated
in these reviews.


                                     AUDIT RESULTS
We found improvements are needed in the Office of the Chief Information Officer’s (OCIO)
internal control over its audit followup process. Our audit revealed that OCIO’s audit followup
process did not support the completion of all corrective action items, and audit resolution files
were not maintained for all audits included in this review. In addition, this process did not
always support completion of corrective action items by the date reported as completed in
AARTS.

OCIO audit resolution staff were aware of the Department’s documentation requirements for
audit resolution files, and stated the PO has implemented changes over the past two years to
improve their audit followup process. While we noted some improvements in the process,
further improvements are needed. We found OCIO did not maintain separate audit resolution
files for three of the five audits reviewed. In addition, we found documentation did not support
completion of 17 of the 57 corrective action items included in our review. As a result, OCIO
does not have assurance that corrective action items were implemented. In addition, reporting

                                         ED-OIG/A19F0003

Mr. Clark	                                                                                       Page 3 of 8



corrective action items as completed before the actions have actually been taken compromises
the integrity of the data included in AARTS, understates internal management reports and reports
to Congress on corrective action items that have not yet been completed, and may negatively
impact the Department’s credibility.

In its response to the draft audit report, OCIO concurred with the finding and provided corrective
actions to address each of the recommendations included in our report. The complete text of
OCIO’s response is included as Attachment 2 to this report.


Finding 1         OCIO Audit Followup Was Not Always Effective
We found OCIO’s audit followup process was not always effective. While OCIO certified that
corrective action items were completed, we found they were unable to support completion of 17
of the 57 corrective action items reviewed (30 percent). We were able to validate closure dates
for 36 of the 40 supported corrective actions through OCIO provided documentation.1 We found
OCIO reported 17 of these 36 action items (47 percent) as completed in the Department’s audit
tracking system prior to dates reflected by supporting documentation.

Documentation Did Not Support Completion of Corrective Action Items

OCIO audit resolution file documentation did not initially support completion of 32 of the 57
corrective action items reviewed (56 percent). In response to an OIG request, OCIO provided
additional documentation not originally included in the audit resolution files that supported
completion of 15 additional corrective action items. Ultimately, OCIO could not provide
documentation to support completion of 17 of the 57 corrective action items (30 percent).
Unsupported action items noted during this audit included the following:

    • 	 In one audit, the corrective action item stated an annual training program for the
        Resource Officer, Records Liaison Officer (RLO), and Contracting Officer
        Representatives (COR) would be developed.2 OCIO’s audit resolution file included a
        Records Management Pilot Evaluation Plan and Hummingbird PCDOCs and Cyber
        DOCS Evaluation Report. In response to our request for additional documentation,
        OCIO indicated the corrective action item had not been completed by stating, “The
        implementation of annual training programs for RLOs and CORs was postponed because
        of One-ED.”

    • 	 In another audit, the corrective action item stated that with the publication of the
        modified directive, OCIO would publish calling card policies in ED Notebook and send



1
  In four cases, we could not validate closure dates because of limitations in the supporting documentation provided 

by OCIO. 

2
  Audit Control Number (ACN) A11-A0011: “Audit of the Department’s Records Management Program,” issued 

September 27, 2001, Corrective Action Item 1.1.1. 


                                                ED-OIG/A19F0003

Mr. Clark                                                                                 Page 4 of 8



        email notices to all employees.3 OCIO provided a printed page, initialed by the CIO,
        stating an ED Notebook Announcement was sent to all Department employees on June
        23, 2003. It continued to say the announcement was posted on the ConnectED ED
        Notebook page. However, there were no copies of this announcement or the email
        notices in the audit resolution file. In response to our request for additional information,
        OCIO responded stating, “No copy of the particular ED Notebook entry that announced
        the publication of the directive is now available.”

PAG issued Audit Closure Memos for four of the five audits included in this review. These four
audits contained 42 of the 57 corrective action items we reviewed. We noted 20 of these 42
corrective action items were identified as reviewed by PAG prior to issuance of the Audit
Closure Memos. We determined 12 of the 20 corrective action items reviewed by PAG were
adequately supported by documentation provided by OCIO. The results of our analysis of the
effectiveness of PAG’s review process will be included in the audit followup summary report
issued to the Chief Financial Officer upon completion of the audits in individual offices.

Documentation Did Not Support Reported Completion Dates

For the 36 corrective action items for which completion dates could be verified, OCIO reported
17 corrective action items as completed in AARTS prior to dates reflected by supporting
documentation (47 percent). These items were reported as completed from 1 day to 16 months
before dates reflected on supporting documentation. Fourteen of the 17 actions were reported as
completed two or more months before dates noted on supporting documentation (82 percent).

For example, OCIO provided us slides, dated June 17, 2003, from an online records management
training course as supporting documentation for a corrective action item reported in AARTS as
completed on April 19, 2002.4 We reviewed this documentation and determined it did not
support the reported completion date in AARTS.

Requirements for Audit Followup

OMB Circular A-50, entitled “Audit Followup,” provides the requirements for establishing
systems to assure prompt and proper resolution and implementation of audit recommendations.
The Circular states—

        Audit followup is an integral part of good management, and is a shared
        responsibility of agency management officials and auditors. Corrective action
        taken by management on resolved findings and recommendations is essential to
        improving the effectiveness and efficiency of Government operations. Each
        agency shall establish systems to assure the prompt and proper resolution and
        implementation of audit recommendations. These systems shall provide for a


3
  ACN A19-B0011: “Audit of Controls over Government Calling Cards,” issued October 24, 2002, Corrective 

Action Item 1.2.1. 

4
  ACN A11-A0011, Corrective Action Item 1.1.3. 


                                             ED-OIG/A19F0003

Mr. Clark                                                                       Page 5 of 8



        complete record of action taken on both monetary and non-monetary findings and
        recommendations.

The Department’s Post Audit User Guide, Section IV, “Internal Audits,” Chapter 1, “ED Office
of Inspector General (ED-OIG) Audit Reports and Alternative Products,” Part G, “Corrective
Actions,” states:

        Each AO must maintain documentation to support implementation of each
        corrective action in accordance with the Guidelines for Establishing File Folders
        and Maintaining Documentation. The documentation must be specifically
        identifiable to a corrective action to withstand any post audit closure review by
        PAG/OCFO, ED-OIG, [Government Accountability Office] GAO and/or OMB.
        All ED-OIG audit records must be retained by an AO for at least five years after
        ED-OIG is notified that all corrective actions have been completed.

The Department’s Guidelines for Establishing File Folders and Maintaining
Documentation states:

        A file folder should be established for each audit report beginning with the draft
        report. Each folder should contain . . .Documentation to support implementation
        of corrective actions or specific notes that indicate where said documents are
        located . . .Explanation of how such documentation supports the corrective action,
        if not readily understood or evident.

The Guidelines for Establishing File Folders and Maintaining Documentation also provides
examples of supporting documentation to include memos of understanding, final regulations,
Dear Colleague Letters, records from databases, and policies and procedures.

OCIO acknowledged that before the prior CIO took office in 2003, the PO was not adequately
maintaining documentation to support completion of corrective action items. OCIO’s former
Audit Liaison Officer did not require evidence to show that a corrective action had been
implemented. The only requirement was an email stating the corrective action item was
completed.

OCIO staff stated their internal audit followup process has improved and changes have been
made within the past two years. They stated their process is more centralized, allowing only one
staff member to close corrective action items in AARTS. In addition, OCIO staff stated
corrective action items are not reported as completed until the CIO and the Chief of Staff have
reviewed the documentation to ensure it supports completion of the action item. OCIO also
indicated that all supporting documentation is currently filed and tabbed in binders for each
audit.

While we acknowledge OCIO has implemented changes to their internal audit followup system,
further improvements are needed. During our review, we noted the percentage of completion
dates correctly reported in AARTS was better under OCIO’s newly implemented process.

                                        ED-OIG/A19F0003

Mr. Clark	                                                                       Page 6 of 8



However, the percentage of unsupported corrective action items did not improve with the applied
changes.

Without appropriate documentation, OCIO does not have assurance that identified deficiencies
were corrected. As such, the risk remains that related programs may not be effectively managed.

By reporting corrective action items as completed when they have not been, or in advance of the
actual completion date, OCIO compromises the integrity of the data included in AARTS and
may negatively impact the Department’s credibility. Management reports on corrective action
items due for completion may be understated. In addition, the Department’s Semiannual Report
to Congress on Audit Followup may also under report the audits for which corrective action
items have not been completed.


Recommendations:

We recommend that the Acting Chief Information Officer:

    1.1 	    Ensure audit followup documentation clearly supports completion of the stated action
             item as it is worded in the CAP.

    1.2 	    Ensure completion dates reported in AARTS are consistent with dates reflected in
             supporting documentation.

    1.3 	    Update AARTS to reflect the actual completion dates for the action items noted in the
             audit with discrepancies in the reported completion dates.


OCIO Response:

In its response to the draft audit report, OCIO concurred with the finding and provided corrective
actions to address each of the recommendations included in our report. OCIO stated all post
audit documentation is maintained centrally within individual audit notebooks. In addition, a
template for the OCIO audit notebook cover sheet has been developed to standardize quality post
audit documentation. Corrective actions will not be marked as complete until the CIO has
approved the supporting documentation. This will provide independent verification and
validation that the corrective action has been completed and the completed dates entered into
AARTS are supported by documentation. OCIO also indicated it would work with PAG to
update the completion dates for the actions listed in the table in Attachment B of its response,
however, OCIO noted it believed it had documentation supporting the existing completion date
for one of the actions cited.




                                         ED-OIG/A19F0003

Mr. Clark                                                                       Page 7 of 8



OIG Comments:

When OCIO submitted its draft report response to OIG, it asked for insight on what other
documentation should be used to support the closure of the action item noted above. OIG
responded and OCIO subsequently concurred with the information provided, stating it would
work with PAG to update the completion date for this action item as well.


                  OBJECTIVE, SCOPE, AND METHODOLOGY
The objective of our audit was to verify whether adequate documentation was maintained to
support that corrective action items have been implemented as stated in the Department’s CAPs.

To accomplish our objective, we performed a review of internal control applicable to OCIO’s
audit followup process. We reviewed applicable laws and regulations, and Department policies
and procedures. We conducted interviews with OCFO/PAG staff regarding Department policy
and procedures, and AARTS operation. We conducted interviews with OCIO staff responsible
for resolving and following up on corrective action items for the audits selected. We also
reviewed documentation provided by OCIO staff to support completion of corrective action
items for the recommendations included in our review.

The scope of our audit was limited to corrective action items developed in response to internal
OIG audits of OCIO processes and programs. Our scope included only those corrective action
items reported as “completed” in AARTS during the period July 1, 2002, through September 30,
2004. We excluded from our review corrective action items for recurring audits, such as annual
financial statement audits, information security audits, or those with prior or planned followup
audits, so as not to duplicate audit effort. Overall, we selected a total of 57 corrective action
items from 5 OCIO related audits. The selected audits and corrective action items reviewed are
listed in Attachment 1 to this report.

We relied on computer-processed data initially obtained from AARTS to identify action items
applicable to the scope period. An alternative data source is not available to directly test the
completeness of the corrective action items as reported in AARTS. However, we tested the
accuracy of AARTS data by comparing AARTS data to supporting documentation. We also
conducted a limited review of AARTS data controls and relied on feedback from resolution staff
to gain additional assurance relating to the completeness and accuracy of AARTS data. Based on
these tests and assessments, we determined that the computer-processed data was sufficiently
reliable for the purpose of our audit.

Our review was based on the corrective action items defined by OCIO in its CAPs and agreed
upon by OIG in the audit resolution process. We reviewed and analyzed documentation in
OCIO’s audit resolution files to determine whether completion of each selected corrective action
item was supported. In cases where documentation in the file did not support completion of the
action item, we provided OCIO with an opportunity to provide additional documentation from
other sources. We reviewed any additional documentation subsequently provided to make a final

                                        ED-OIG/A19F0003

Mr. Clark	                                                                       Page 8 of 8



determination as to whether completion of the corrective action items was then supported. In
addition, we verified the reported completion dates in AARTS against the supporting
documentation provided, where possible, for those corrective action items that were supported.

We conducted fieldwork at OCIO offices in Washington, DC, during the period December 2004
through July 2005. We held an exit conference with OCIO staff on July 18, 2005. Our audit was
performed in accordance with generally accepted government auditing standards appropriate to
the scope of the review described above.


                            ADMINISTRATIVE MATTERS
Corrective actions proposed (resolution phase) and implemented (closure phase) by your office
will be monitored and tracked through the Department’s Audit Accountability and Resolution
Tracking System. Department policy requires that you develop a final CAP for our review in the
automated system within 30 days of the issuance of this report. The CAP should set forth the
specific action items, and targeted completion dates, necessary to implement final corrective
actions on the finding and recommendations contained in this final audit report.

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector
General is required to report to Congress twice a year on the audits that remain unresolved after
six months from the date of issuance.

Statements that managerial practices need improvements, as well as other conclusions and
recommendations in this report, represent the opinions of the Office of Inspector General.
Determinations of corrective action to be taken will be made by the appropriate Department of
Education officials.

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office
of Inspector General are available to members of the press and general public to the extent
information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation provided to us during this review. Should you have any questions
concerning this report, please call Michele Weaver-Dugan at (202) 245-6941.

                                             Sincerely, 



                                             Helen Lew /s/        

                                             Assistant Inspector General for Audit Services 



cc: 	   Nina Aten, Audit Liaison Officer, OCIO
        Charles Miller, Supervisor, PAG/OCFO


                                        ED-OIG/A19F0003

          ATTACHMENT 1 – Audits and Corrective Action Items Reviewed

Number Audit          Title            Issue     Corrective     Unsupported Unsupported
      Control                          Date     Action Items    Action Items Completion
      Number                                     Reviewed                        Dates
  1    A11- Audit of the              9/27/01   1.1.1, 1.1.2,    1.1.1, 2.5.2 1.1.3, 1.2.1,
       A0011 Department’s Records               1.1.3, 1.1.4,                 2.2.1, 2.2.2,
              Management Program                1.2.1, 1.2.2,                     2.3.1
                                                1.2.3, 2.1.1,
                                                2.2.1, 2.2.2,
                                                2.3.1, 2.4.1,
                                                 2.5.1, 2.5.2
   2    A11- Phase II Audit of the    3/28/03   1.1.1, 1.1.2,   1.5.2, 1.6.3     1.3.2, 1.4.2,
        D0001 Department’s Critical             1.2.1, 1.2.2,                        1.5.1
              Infrastructure                    1.3.1, 1.3.2,
              Protection Program                1.4.1, 1.4.2,
                                                1.5.1, 1.5.2,
                                                1.6.1, 1.6.2,
                                                1.6.3, 1.6.4,
                                                    1.7.2
   3    A11- Implementation of the 9/30/02      1.1.1, 1.1.2,    1.2.1, 1.2.2,   1.2.3, 1.2.4
        C0009 Government Paperwork              1.2.1, 1.2.2,    1.2.5, 1.2.6
              Elimination Act                   1.2.3, 1.2.4,
                                                 1.2.5, 1.2.6
   4    A19- Audit of Controls over 10/24/02    1.1.1, 1.2.1,    1.2.1, 1.4.1,   1.2.2, 1.3.1,
        B0011 Government Calling                1.2.2, 1.3.1,    2.4.1, 3.2.1    2.1.1, 2.2.1,
              Cards                             1.4.1, 1.5.1,                    2.3.1, 3.1.1
                                                2.1.1, 2.2.1,
                                                2.3.1, 2.4.1,
                                                2.5.1, 3.1.1,
                                                    3.2.1
   5    A07- Audit of Capital         9/12/03   1.1.1, 1.2.1,    1.2.1, 2.1.1,      1.1.1
        C0033 Planning and                      2.1.1, 2.2.1,    2.2.1, 2.3.1,
              Investment                        2.3.1, 2.4.1,        2.4.1
              Management                            3.1.1
TOTAL                                                 57              17              17
                                                                                                                         Attachment 2


                                 UNITED STATES DEPARTMENT OF EDUCATION

                                                          OPPICE OP MANAGEMENT

                                                                                                                        ASS ISTANT SE;CRETARY


                                                        September 7, 2005


TO: 	          Helen Lew
               Assistant In spector General for Audit
               Office of Inspector General

FROM: 	        Michell C. Clark
               Acting Assistant Secre».rrror-j<;Jant<getflent and C hi ef lnfonn ation Officer

SUBJECT: 	     DRAFT AUDIT REPORT: Audit Followup Process for Office ofInspector
               General Intemal Audits in the Office of the Chieflnfomlation Officer, Control
               Number ED-OIGIAI9F0003


Thank you for your draft audit report, Audit FollolVup Process for Office 0/ Inspector General
Internal Audits in the Office o/the e llie/In/ormation Officer, ED-OIG/A19-F0003 dated August
9,2005. The Office o f tb e Chief lnformation Officer (OCrO) concurs with the sin gle findin g,
speci fically:

            Finding # 1- OCIO Audit Followup Was Not Always Effective

The following is Ollr proposed correcti ve action to add ress the three recom mendations yo ur
office has pro vided related to the above finding.

Recommendation 1.1 Ensure audit followup documentation clearly supports compl etion of the
stated action item as it is worded in the CAP.
Proposed Corrective Action: All post audit documentati o n for OCI0 audits is maintained
centrall y within indi vid ual audit notebooks. A template for the OCIO audit notebook cover sheet
has been developed to standardi ze quality post audit documentation. This cover sheet is now
mai ntained at the front of all audit no tebooks. A space is provided to cheek off each
requirement, as we ll as record the initials oftbe staff perso n validating that the requirement has
been met. The templ ate stipul ates in point 2e that all CAP actions speci fi ca ll y identify req uired
doc umentati on or ev idence to support marking the CAP as comp leted in AARTS. The template
includes an addi ti onal checkpoint for tbi s action in poi nt nine. This template is included in
Attachment A. The ocro Audit Official Liaison wi ll not mark any corrective acti on as
compl ete until the Chief In formati o n Officer has approved th e submitted supporting
documentation. This will provide ind epend ent verifi cation and va lidat ion that the corrective
action has been compl eted. A copy of the temp late will be kept in the audit noteboo k.
Co mpleted: September 7, 2005




                                              400 M AR YLAN D AV E. , S. W ., WASHINGT ON , DC. 20202 -4500
                                                                         wv.'Vo'   cd .go\'

               Ou r I1USSW rl   IS 10   ensure equal access   [0 edUCQHOII   and 10 promote edu.catlonal excellence throughout cite   Natioll.
Response to Draft Audit Report ED-OlG/A19F0003                                           Page 2


Recommendation 1.2 Ensure completion dates reported in AARTS are consistent with dates 

reflected in supporting documentation. 

Proposed Corrective Action: The audit notebook cover template referenced in corrective 

action 1/1 /1 stipulates that all completed dates reported in AARTS are substantiated by the 

documentation cited in the CAP. Please see point 9 of the template in Attachment A. The ocro         

Audit Official Liaison will ensure that the completed dates for all corrective actions match the 

dates of the submitted supporting documentation, as approved by the Chief Information Officer. 

This will provide independent veri fication and validation that the completed dates entered into 

AARTS are supported by documentation. A copy of the template will be kept in the audit 

notebook. 

Completed: September 7,2005 


Recommendation 1.3 Update AARTS to reflect the actual completion dates for the action items 

noted in the audit with discrepancies in the reported completion dates. 

Proposed Corrective Action: ocro will work with Post Audit Group to update the completion 

dates for the actions listed in the table in Attac1mlent B. A copy of this table, as well as the 

updated CAPS from AARTS for each of the referenced audits, will be kept in the audit notebook. 


Please note that ocro believes it has documentation to support the existing completion date of 

3/1 3/04 for CAP 07-C0033 / 1111l. 


Proposed Completion Date: September 30, 2005. 


If you have any questions, please contact Nina Aten on my staff at 401-5846. 


ATT ACHMENTS 

                      ATTACHMENT A - OCI0 Audit Notebook Cover Template


AUDIT CONTROL # (ACN): 

AUDIT: 


ISSUE DATE: 


DATE CLOSED: 


ARcmVE RETENTIION DATE (5 years following official closure) :


                                                                                     Initials of
                       Audit Notebook Content Checklist                      Checked Validator
1. 	 OIG Draft Audit Report
2. 	 OM or OCIO Response to Draft Audit Report
         a. 	 Contact Name provided for each corrective action
         b. 	 Proposed Completion Date for each corrective action
         c. 	 Clear description of corrective action, including
              identification of supporting documentation that will
              provide evidence of corrective action completion is
              included in draft response. EXAMPLE: "This action will be
              completed when the ACS directive is signed. A copy of the
              signed ACS directive will be maintained in the Audit
              notebook ." OR: This action will be completed when the
              working group holds its first meeting. A copy of the meeting
              invitation and the agenda will be maintained in the audit
              notebook ."
3. 	 Final Audit Report
4. 	 First Corrective Action Plan submitted to OIG via AARTS
5. 	 OfG-s response to first Corrective Action Plan (see Reports menu in 

     AARTS) 

6. 	 Audit Clearance Document (ACD)
7. 	 TABS for each corrective action
8. 	 Documentation supporting completion of each action as specifically 

     identified in Corrective Action Plan 

9. 	 Completion Dates match dates of included supporting documentation
 10. Final Corrective Action Plan
 11. Comprehensive OIG Response (see Reports menu in AARTS)
 12. Post Audit Group Response (see Reports menu in AARTS)
 13. Request for Closure/Certification Memorandum
 14. Closure Memo from Post Audit Group



OM/DC IO Audit Notebook Cover Template 	                                           v   1.0917105
Response to Draft Audit Report ED-OIG/A 19F0003 Attachment B                               Page 1


            ATTACHMENT B - TABLE OF CORRECTED COMPLETION DATES

                   Corrective Actions That Need Updated Completion Dates 

                                            Current 

                                                      Proposed        Documentation
     Audit                                    Date
                            Action                    Corrective   Supporting Proposed
                                            Listed in
                                                        Date                  Date
                                            AARTS
                    1.1.3 Develop prototype                      A copy of the CD containing
                    computer based records                                 the computer based training.
                                                 4/19/02        6/3/03
                    management training                                    The CD files are all dated
                    module.                                                6/3/03 .
                    1.2.1 Publish 

                    Department of Education 

                                                                           Copy of ACS Directive
                    policies for records
                    management. Include the
                                                                           ocro: I-I 03 on Departmental
                                                 4/19/02       12116/02    Records and Information
                    requirement that each
                                                                           Management Program dated
                    Principal Office develop
                                                                           12116/02
                    office-specific policies 

                    and procedures. 

                    2.2.1 Develop a records 

                    management inventory 

AI1-AOO11           system that enables
                    Principal Offices to                                   Copy of Training Slides and
Audit of the
                    identify electronic and                                Workshops schedule indicating
Department's        paper format records they    5/2/03         6/3/03     first class to be held on 6/3/03
Record              create and maintain.                                   in the 1G conference room in
Management          Require Principal Offices                              MES.
Program             to use the records
                    management inventory
                    system.
                    2.2.2 OCIO provide 

                    technical assistance to 

                                                                           Copy of the Department's
                    Principal Offices in
                                                                           submission to NARA that
                    updating Records             5/2/03        11126/0 3
                                                                           contains the results of their
                    Retention and Disposition
                                                                           technical assistance.
                    Schedules in the records
                    management invento!y.
                                                                           Copy of the Department's
                    2.3.1 Provide technical
                                                                           submission to NARA,
                    assistance to Principal
                                                                           including unscheduled
                    Offices in determining       5/2/03        11126/03
                                                                           dispositions, contains the
                    which federal records are
                                                                           results of their technical
                    unscheduled.
                                                                           assistance.
.'

     Response to Draft Audit Report ED-OIG/AI9F0003                                               Page 2


                        Corrective Actions That Need Updated Completion Dates 

                                                   Current 

                                                             Proposed     Documentation
          Audit                                      Date
                                 Action                      Corrective Supporting Proposed
                                                   Listed in
                                                               Date             Date
                                                   AARTS
                         1.3.2 Establish a regular
                         meeting of CIP and
                         COOP program leaders to
                         specificaUyaddress
                         coordination. This                                 Copy of Security Coordination
                         meeting will supplement        7/24/03   5115/03   Commi ttee Meeting Agenda
                         the coordination efforts of                        dated 5/ \ 5/03
                         the monthly Security
                         Coordination Committee
                         tbat addresses aU areas of
                         security.
     AII-DOOOI           1.4.2 Establish a regular
     Phase IT Audit      meeting of CIP and
     of the              COOP program leaders to
     Department's        specifically address                               Printout of the fina l POA&M
                         coordination. This                                 action for Mission Critical
     Critical
                         meeting will supplement        7/24/03   1115/04   Sys tems that was entered into
     lnfrastructure      the coordination efforts of                        the PIP Portal on 11 15104 ­
     Protection          the monthly Security                               FSA-DLCS-4
     Program             Coordination Committee
                         tilat addresses all areas of
                         security.
                         1.5.1 Make security
                         requirements and costs for
                         MEl assets and for
                         agency-wide CIP
                                                                            Copy of the lA Bus iness Case
                         activities (contained in the   1012/03   10/3/03
                                                                            dated 10/3/03
                         Information Assurance
                         business case) explicit in
                         IT business cases and IRB
                         presentations.
                         1.2.3 Coordinate with
                         OneED to analyze                                   Copy of GPEA Strategy posted
                         business processes for the                         on ED.gov (under
                         Department's major lines                           policy/genlleg/gpea/index.html)
                         of business. Identify                              and a copy of the properties for
                         additional opportunities to
                                                        2/26/03   5/6/03
                                                                            tlus posted document showing
     All-COOO9
                         provide electronic                                 that it was created on ED.gov
     lnlplementation     alternatives to current                            on 5/6/03.
     oflhe               business transactions, as
     Government          appropriate.
     Paperwork           1.2.4 Coordinate with                              Copy of GPEA Strategy posted
     Elimination Act     PBDMI to identify                                  on ED.gov (u nder
                         additional opportunities to                        policy/gen/leg/gpea/index. html)
                         consolidate data                                   and a copy of the properties for
                                                        2126/03   5/6/03
                         collections and to provide                         tius posted document showing
                         electronic altematjves to                          that it was created on ED.gov
                         current business                                   on 5/6/03.
                         transactions.
.'

     Response to Draft Audit Report ED-OlGt A 19F0003                                           Page 3


                         Corrective Actions That Need Updated Completion Dates
                                                  Current
                                                            Proposed       Documentation
                                                    Date
           Audit                 Action                     Corrective  Supporting Proposed
                                                  Listed in
                                                              Date             Date
                                                  AARTS
                          1.2.2 Concurrently with
                          publication of the
                          modified ACS Directive                            Copy of ACS Directive
                          publish the calling card      6/23/03    3/9/04   OCIO:2-1 02 Wireless
                          policies in ED Notebook                           Telecommunications Services
                          and send email notices to
                          all emplovees.
                          1.3.1 Update the calling
                          card foml and automate it
                          through the                                       Copy of ACS Directive
                          Telecommunications                                OCIO:2-102 Wireless
                          Automated Tracking
                                                        6/12/03    3/9/04   Telecommunications Services ­
                          System (TATS),
                                                                            the foml is included in
                          Customer Service Request
                                                                            Attachment A of the Directive
                          Module (CSRM). Add a
                          section for supervisory
                          approval.
                          2.1.1 Employees with
                          calling cards and those
                          ordering new calling cards                        Copy of ACS Directive
                          will be required to sign an                       OCIO:2- 102 Wireless
     A19-BOOll            Employee Certification of
     Audit of                                           6/ 12/03   3/9/04   Telecommunications Services ­
                          Responsibi lities fOfDL Tbe                       the form is included in
     Controls over         form will re Ference                             Attachment A of the Directive
     Govemment            discipijnary actions for
     Calling Cards        unauthorized use of
                          government property.
                          2.2.1 Include the
                          prohibition ou sharing
                          calling cards and guidance
                          that each employee or                             Copy of ACS Directive
                          contra.ctor in need of a
                                                        6/ 12/03   3/9/04   OCIO:2-102 Wireless
                          calling card should apply                         Telecommunications Services
                          for one. and not use
                          another~s card, in the
                          updated Wireless Services
                          Directive.
                          2.3.1 Include guidance
                          that emplo yees use tbeir
                          calling cards for
                          autllOrized personnel calls                       Copy of ACS Directive
                          while on travel, ratber
                                                        6112/03    3/9/04   OCIO:2-102 Wireless
                          tllan claiming the                                Telecommunications Services
                          expenses on their travel
                          vouchers, in the updated
                          Wireless Services
                          Directive.
· .'
       Response to Draft Audit Report ED -O lG/A I 9F0003                                             Page 4


                           Corrective Actions That Need Updated Completion Dates 

                                                       Current 

                                                                 Proposed     Documentation
                                                         Date
             Audit                 Action                        Corrective Supporting Proposed
                                                       Listed in
                                                                   Date            Date
                                                       AARTS
                            3.1.1 An'ange for timely 

                             notification of employee

       AI9-BOOll             status change, through
       Audit of              transfer or departure from                          Copy of ACS Directive
       Controls over         the Department. Use the         6/12/03   3/9/04    OCIO:2-102 Wire less
       Government            informa tion to cancel 
                            Telecommunications Services
       Calling Cards         accounts or reallocate 

                             them to the appropriate 

                             Principal Office. 

       A07-C0033             1.1.1 Develop and use in
       Audit of Capital      tile FY 2004 Select Phase, 

       Planning and          a set of written procedures 

                             that formalizes the                                 Copy of two emails dated
       Investment            Department's review                                 3/31 /04 (one for FSA and one
       Management            process for IT investment       3/31/04   3/31/04   for non-FSA) distributing select
                             co mpliance with the                                phase instTuctions, including
                             Enterprise Architecture.                            EA review and responsibilities.
                             The written procedures
                             will delineate review
                             responsibilities.