UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

September 21, 2005

CONTROL NUMBER ED-OIG/A19F0003

Michell C. Clark
Acting Chief Information Officer
Office of the Chief Information Officer
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202

Dear Mr. Clark:

This Final Audit Report (Control Number ED-OIG/A19F0003) presents the results of our audit of the Audit Followup Process for Office of Inspector General Internal Audits in the Office of the Chief Information Officer. The objective of our audit was to verify whether adequate documentation was maintained to support that corrective action items have been implemented as stated in the Department of Education’s (Department) corrective action plans (CAP). This audit is a part of a review of the Department’s internal audit followup process being performed in four principal offices (POs). A summary report will be provided to the Department’s Chief Financial Officer upon completion of the audits in individual offices.

BACKGROUND

Office of Management and Budget (OMB) Circular A-50, entitled “Audit Followup,” provides the requirements for establishing systems to assure prompt and proper resolution and implementation of audit recommendations. The Department established a Post Audit User Guide (Guide) to provide policy and procedures for the audit followup process. Section I, “Overview,” of the Guide states,

    The effectiveness of the post audit process depends upon taking appropriate, timely action to resolve audit findings and their underlying causes, as well as providing an effective system for audit close-out, record maintenance, and follow-up on corrective actions.

400 MARYLAND AVE., S.W. WASHINGTON, D.C. 20202-1510
Our mission is to ensure equal access to education and to promote educational excellence

While overall responsibility for the audit followup process is assigned to the Office of the Chief Financial Officer (OCFO), Post Audit Group (PAG), each Assistant Secretary (or equivalent office head) is responsible for ensuring that the overall audit followup process operates efficiently and consistently. The Guide defines further responsibilities of the Action Official (AO), generally the Assistant Secretary (or equivalent office head), to include:

• Determining the action to be taken and the financial adjustments to be made in resolving findings in audit reports concerning respective program areas of responsibility,
• Maintaining formal, documented systems of cooperative audit resolution and follow-up to ensure that audit recommendations are implemented, completion dates captured, and appropriate documentation maintained to support completed corrective actions.

The Department tracks audit resolution and the completion of corrective action items through the Audit Accountability and Resolution Tracking System (AARTS). For each audit, AARTS stores detailed information on audit resolution, proposed corrective action items, Office of Inspector General (OIG) concurrence with these action items, responsible individuals, and completion and closure data.

When a PO has completed all corrective action items for an internal OIG audit, the PO certifies this fact to PAG and requests closure of the audit in AARTS. PAG staff perform a review of the documentation in the audit resolution file maintained by the PO to determine whether implementation of corrective action items is supported. Once PAG is satisfied that implementation of the corrective action items reviewed is supported, the audit is closed in AARTS. PAG staff stated that until sometime in Fiscal Year 2004, only a sample of corrective action items was evaluated and that PO staff did not necessarily know that all corrective action items were not reviewed.
PAG staff stated that currently all corrective action items are evaluated in these reviews.

AUDIT RESULTS

We found improvements are needed in the Office of the Chief Information Officer’s (OCIO) internal control over its audit followup process. Our audit revealed that OCIO’s audit followup process did not support the completion of all corrective action items, and audit resolution files were not maintained for all audits included in this review. In addition, this process did not always support completion of corrective action items by the date reported as completed in AARTS.

OCIO audit resolution staff were aware of the Department’s documentation requirements for audit resolution files, and stated the PO has implemented changes over the past two years to improve their audit followup process. While we noted some improvements in the process, further improvements are needed.

We found OCIO did not maintain separate audit resolution files for three of the five audits reviewed. In addition, we found documentation did not support completion of 17 of the 57 corrective action items included in our review. As a result, OCIO does not have assurance that corrective action items were implemented. In addition, reporting corrective action items as completed before the actions have actually been taken compromises the integrity of the data included in AARTS, understates internal management reports and reports to Congress on corrective action items that have not yet been completed, and may negatively impact the Department’s credibility.

In its response to the draft audit report, OCIO concurred with the finding and provided corrective actions to address each of the recommendations included in our report. The complete text of OCIO’s response is included as Attachment 2 to this report.

Finding 1 OCIO Audit Followup Was Not Always Effective

We found OCIO’s audit followup process was not always effective.
While OCIO certified that corrective action items were completed, we found they were unable to support completion of 17 of the 57 corrective action items reviewed (30 percent). We were able to validate closure dates for 36 of the 40 supported corrective actions through OCIO provided documentation.[1] We found OCIO reported 17 of these 36 action items (47 percent) as completed in the Department’s audit tracking system prior to dates reflected by supporting documentation.

[1] In four cases, we could not validate closure dates because of limitations in the supporting documentation provided by OCIO.

Documentation Did Not Support Completion of Corrective Action Items

OCIO audit resolution file documentation did not initially support completion of 32 of the 57 corrective action items reviewed (56 percent). In response to an OIG request, OCIO provided additional documentation not originally included in the audit resolution files that supported completion of 15 additional corrective action items. Ultimately, OCIO could not provide documentation to support completion of 17 of the 57 corrective action items (30 percent). Unsupported action items noted during this audit included the following:

• In one audit, the corrective action item stated an annual training program for the Resource Officer, Records Liaison Officer (RLO), and Contracting Officer Representatives (COR) would be developed.[2] OCIO’s audit resolution file included a Records Management Pilot Evaluation Plan and Hummingbird PCDOCs and Cyber DOCS Evaluation Report. In response to our request for additional documentation, OCIO indicated the corrective action item had not been completed by stating, “The implementation of annual training programs for RLOs and CORs was postponed because of One-ED.”
• In another audit, the corrective action item stated that with the publication of the modified directive, OCIO would publish calling card policies in ED Notebook and send email notices to all employees.[3] OCIO provided a printed page, initialed by the CIO, stating an ED Notebook Announcement was sent to all Department employees on June 23, 2003. It continued to say the announcement was posted on the ConnectED ED Notebook page. However, there were no copies of this announcement or the email notices in the audit resolution file. In response to our request for additional information, OCIO responded stating, “No copy of the particular ED Notebook entry that announced the publication of the directive is now available.”

[2] Audit Control Number (ACN) A11-A0011: “Audit of the Department’s Records Management Program,” issued September 27, 2001, Corrective Action Item 1.1.1.
[3] ACN A19-B0011: “Audit of Controls over Government Calling Cards,” issued October 24, 2002, Corrective Action Item 1.2.1.

PAG issued Audit Closure Memos for four of the five audits included in this review. These four audits contained 42 of the 57 corrective action items we reviewed. We noted 20 of these 42 corrective action items were identified as reviewed by PAG prior to issuance of the Audit Closure Memos. We determined 12 of the 20 corrective action items reviewed by PAG were adequately supported by documentation provided by OCIO. The results of our analysis of the effectiveness of PAG’s review process will be included in the audit followup summary report issued to the Chief Financial Officer upon completion of the audits in individual offices.

Documentation Did Not Support Reported Completion Dates

For the 36 corrective action items for which completion dates could be verified, OCIO reported 17 corrective action items as completed in AARTS prior to dates reflected by supporting documentation (47 percent). These items were reported as completed from 1 day to 16 months before dates reflected on supporting documentation. Fourteen of the 17 actions were reported as completed two or more months before dates noted on supporting documentation (82 percent).

For example, OCIO provided us slides, dated June 17, 2003, from an online records management training course as supporting documentation for a corrective action item reported in AARTS as completed on April 19, 2002.[4] We reviewed this documentation and determined it did not support the reported completion date in AARTS.

[4] ACN A11-A0011, Corrective Action Item 1.1.3.

Requirements for Audit Followup

OMB Circular A-50, entitled “Audit Followup,” provides the requirements for establishing systems to assure prompt and proper resolution and implementation of audit recommendations. The Circular states—

    Audit followup is an integral part of good management, and is a shared responsibility of agency management officials and auditors. Corrective action taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of Government operations. Each agency shall establish systems to assure the prompt and proper resolution and implementation of audit recommendations. These systems shall provide for a complete record of action taken on both monetary and non-monetary findings and recommendations.

The Department’s Post Audit User Guide, Section IV, “Internal Audits,” Chapter 1, “ED Office of Inspector General (ED-OIG) Audit Reports and Alternative Products,” Part G, “Corrective Actions,” states:

    Each AO must maintain documentation to support implementation of each corrective action in accordance with the Guidelines for Establishing File Folders and Maintaining Documentation. The documentation must be specifically identifiable to a corrective action to withstand any post audit closure review by PAG/OCFO, ED-OIG, [Government Accountability Office] GAO and/or OMB.
    All ED-OIG audit records must be retained by an AO for at least five years after ED-OIG is notified that all corrective actions have been completed.

The Department’s Guidelines for Establishing File Folders and Maintaining Documentation states:

    A file folder should be established for each audit report beginning with the draft report. Each folder should contain . . . Documentation to support implementation of corrective actions or specific notes that indicate where said documents are located . . . Explanation of how such documentation supports the corrective action, if not readily understood or evident.

The Guidelines for Establishing File Folders and Maintaining Documentation also provides examples of supporting documentation to include memos of understanding, final regulations, Dear Colleague Letters, records from databases, and policies and procedures.

OCIO acknowledged that before the prior CIO took office in 2003, the PO was not adequately maintaining documentation to support completion of corrective action items. OCIO’s former Audit Liaison Officer did not require evidence to show that a corrective action had been implemented. The only requirement was an email stating the corrective action item was completed.

OCIO staff stated their internal audit followup process has improved and changes have been made within the past two years. They stated their process is more centralized, allowing only one staff member to close corrective action items in AARTS. In addition, OCIO staff stated corrective action items are not reported as completed until the CIO and the Chief of Staff have reviewed the documentation to ensure it supports completion of the action item. OCIO also indicated that all supporting documentation is currently filed and tabbed in binders for each audit.

While we acknowledge OCIO has implemented changes to their internal audit followup system, further improvements are needed.
During our review, we noted the percentage of completion dates correctly reported in AARTS was better under OCIO’s newly implemented process. However, the percentage of unsupported corrective action items did not improve with the applied changes.

Without appropriate documentation, OCIO does not have assurance that identified deficiencies were corrected. As such, the risk remains that related programs may not be effectively managed. By reporting corrective action items as completed when they have not been, or in advance of the actual completion date, OCIO compromises the integrity of the data included in AARTS and may negatively impact the Department’s credibility. Management reports on corrective action items due for completion may be understated. In addition, the Department’s Semiannual Report to Congress on Audit Followup may also under report the audits for which corrective action items have not been completed.

Recommendations:

We recommend that the Acting Chief Information Officer:

1.1 Ensure audit followup documentation clearly supports completion of the stated action item as it is worded in the CAP.
1.2 Ensure completion dates reported in AARTS are consistent with dates reflected in supporting documentation.
1.3 Update AARTS to reflect the actual completion dates for the action items noted in the audit with discrepancies in the reported completion dates.

OCIO Response:

In its response to the draft audit report, OCIO concurred with the finding and provided corrective actions to address each of the recommendations included in our report. OCIO stated all post audit documentation is maintained centrally within individual audit notebooks. In addition, a template for the OCIO audit notebook cover sheet has been developed to standardize quality post audit documentation. Corrective actions will not be marked as complete until the CIO has approved the supporting documentation.
This will provide independent verification and validation that the corrective action has been completed and the completed dates entered into AARTS are supported by documentation. OCIO also indicated it would work with PAG to update the completion dates for the actions listed in the table in Attachment B of its response, however, OCIO noted it believed it had documentation supporting the existing completion date for one of the actions cited.

OIG Comments:

When OCIO submitted its draft report response to OIG, it asked for insight on what other documentation should be used to support the closure of the action item noted above. OIG responded and OCIO subsequently concurred with the information provided, stating it would work with PAG to update the completion date for this action item as well.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our audit was to verify whether adequate documentation was maintained to support that corrective action items have been implemented as stated in the Department’s CAPs. To accomplish our objective, we performed a review of internal control applicable to OCIO’s audit followup process. We reviewed applicable laws and regulations, and Department policies and procedures. We conducted interviews with OCFO/PAG staff regarding Department policy and procedures, and AARTS operation. We conducted interviews with OCIO staff responsible for resolving and following up on corrective action items for the audits selected. We also reviewed documentation provided by OCIO staff to support completion of corrective action items for the recommendations included in our review.

The scope of our audit was limited to corrective action items developed in response to internal OIG audits of OCIO processes and programs. Our scope included only those corrective action items reported as “completed” in AARTS during the period July 1, 2002, through September 30, 2004.
We excluded from our review corrective action items for recurring audits, such as annual financial statement audits, information security audits, or those with prior or planned followup audits, so as not to duplicate audit effort. Overall, we selected a total of 57 corrective action items from 5 OCIO related audits. The selected audits and corrective action items reviewed are listed in Attachment 1 to this report.

We relied on computer-processed data initially obtained from AARTS to identify action items applicable to the scope period. An alternative data source is not available to directly test the completeness of the corrective action items as reported in AARTS. However, we tested the accuracy of AARTS data by comparing AARTS data to supporting documentation. We also conducted a limited review of AARTS data controls and relied on feedback from resolution staff to gain additional assurance relating to the completeness and accuracy of AARTS data. Based on these tests and assessments, we determined that the computer-processed data was sufficiently reliable for the purpose of our audit.

Our review was based on the corrective action items defined by OCIO in its CAPs and agreed upon by OIG in the audit resolution process. We reviewed and analyzed documentation in OCIO’s audit resolution files to determine whether completion of each selected corrective action item was supported. In cases where documentation in the file did not support completion of the action item, we provided OCIO with an opportunity to provide additional documentation from other sources. We reviewed any additional documentation subsequently provided to make a final determination as to whether completion of the corrective action items was then supported. In addition, we verified the reported completion dates in AARTS against the supporting documentation provided, where possible, for those corrective action items that were supported.
We conducted fieldwork at OCIO offices in Washington, DC, during the period December 2004 through July 2005. We held an exit conference with OCIO staff on July 18, 2005. Our audit was performed in accordance with generally accepted government auditing standards appropriate to the scope of the review described above.

ADMINISTRATIVE MATTERS

Corrective actions proposed (resolution phase) and implemented (closure phase) by your office will be monitored and tracked through the Department’s Audit Accountability and Resolution Tracking System. Department policy requires that you develop a final CAP for our review in the automated system within 30 days of the issuance of this report. The CAP should set forth the specific action items, and targeted completion dates, necessary to implement final corrective actions on the finding and recommendations contained in this final audit report.

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is required to report to Congress twice a year on the audits that remain unresolved after six months from the date of issuance.

Statements that managerial practices need improvements, as well as other conclusions and recommendations in this report, represent the opinions of the Office of Inspector General. Determinations of corrective action to be taken will be made by the appropriate Department of Education officials.

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation provided to us during this review. Should you have any questions concerning this report, please call Michele Weaver-Dugan at (202) 245-6941.
Sincerely,

Helen Lew /s/
Assistant Inspector General for Audit Services

cc: Nina Aten, Audit Liaison Officer, OCIO
    Charles Miller, Supervisor, PAG/OCFO

ATTACHMENT 1 – Audits and Corrective Action Items Reviewed

1. Audit Control Number A11-A0011, Audit of the Department’s Records Management Program
   Issue Date: 9/27/01
   Corrective Action Items Reviewed: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.1, 1.2.2, 1.2.3, 2.1.1, 2.2.1, 2.2.2, 2.3.1, 2.4.1, 2.5.1, 2.5.2
   Unsupported Action Items: 1.1.1, 2.5.2
   Unsupported Completion Dates: 1.1.3, 1.2.1, 2.2.1, 2.2.2, 2.3.1

2. Audit Control Number A11-D0001, Phase II Audit of the Department’s Critical Infrastructure Protection Program
   Issue Date: 3/28/03
   Corrective Action Items Reviewed: 1.1.1, 1.1.2, 1.2.1, 1.2.2, 1.3.1, 1.3.2, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.2
   Unsupported Action Items: 1.5.2, 1.6.3
   Unsupported Completion Dates: 1.3.2, 1.4.2, 1.5.1

3. Audit Control Number A11-C0009, Implementation of the Government Paperwork Elimination Act
   Issue Date: 9/30/02
   Corrective Action Items Reviewed: 1.1.1, 1.1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6
   Unsupported Action Items: 1.2.1, 1.2.2, 1.2.5, 1.2.6
   Unsupported Completion Dates: 1.2.3, 1.2.4

4. Audit Control Number A19-B0011, Audit of Controls over Government Calling Cards
   Issue Date: 10/24/02
   Corrective Action Items Reviewed: 1.1.1, 1.2.1, 1.2.2, 1.3.1, 1.4.1, 1.5.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 3.1.1, 3.2.1
   Unsupported Action Items: 1.2.1, 1.4.1, 2.4.1, 3.2.1
   Unsupported Completion Dates: 1.2.2, 1.3.1, 2.1.1, 2.2.1, 2.3.1, 3.1.1

5. Audit Control Number A07-C0033, Audit of Capital Planning and Investment Management
   Issue Date: 9/12/03
   Corrective Action Items Reviewed: 1.1.1, 1.2.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 3.1.1
   Unsupported Action Items: 1.2.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1
   Unsupported Completion Dates: 1.1.1

TOTAL
   Corrective Action Items Reviewed: 57
   Unsupported Action Items: 17
   Unsupported Completion Dates: 17

Attachment 2

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF MANAGEMENT
ASSISTANT SECRETARY

September 7, 2005

TO: Helen Lew
    Assistant Inspector General for Audit
    Office of Inspector General

FROM: Michell C. Clark
      Acting Assistant Secretary for Management and Chief Information Officer

SUBJECT: DRAFT AUDIT REPORT: Audit Followup Process for Office of Inspector General Internal Audits in the Office of the Chief Information Officer, Control Number ED-OIG/A19F0003

Thank you for your draft audit report, Audit Followup Process for Office of Inspector General Internal Audits in the Office of the Chief Information Officer, ED-OIG/A19-F0003 dated August 9, 2005. The Office of the Chief Information Officer (OCIO) concurs with the single finding, specifically:

Finding #1 - OCIO Audit Followup Was Not Always Effective

The following is our proposed corrective action to address the three recommendations your office has provided related to the above finding.

Recommendation 1.1 Ensure audit followup documentation clearly supports completion of the stated action item as it is worded in the CAP.

Proposed Corrective Action: All post audit documentation for OCIO audits is maintained centrally within individual audit notebooks. A template for the OCIO audit notebook cover sheet has been developed to standardize quality post audit documentation. This cover sheet is now maintained at the front of all audit notebooks. A space is provided to check off each requirement, as well as record the initials of the staff person validating that the requirement has been met. The template stipulates in point 2c that all CAP actions specifically identify required documentation or evidence to support marking the CAP as completed in AARTS. The template includes an additional checkpoint for this action in point nine. This template is included in Attachment A. The OCIO Audit Official Liaison will not mark any corrective action as complete until the Chief Information Officer has approved the submitted supporting documentation. This will provide independent verification and validation that the corrective action has been completed.
A copy of the template will be kept in the audit notebook.

Completed: September 7, 2005

400 MARYLAND AVE., S.W., WASHINGTON, DC 20202-4500
www.ed.gov
Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.

Recommendation 1.2 Ensure completion dates reported in AARTS are consistent with dates reflected in supporting documentation.

Proposed Corrective Action: The audit notebook cover template referenced in corrective action 1.1.1 stipulates that all completed dates reported in AARTS are substantiated by the documentation cited in the CAP. Please see point 9 of the template in Attachment A. The OCIO Audit Official Liaison will ensure that the completed dates for all corrective actions match the dates of the submitted supporting documentation, as approved by the Chief Information Officer. This will provide independent verification and validation that the completed dates entered into AARTS are supported by documentation. A copy of the template will be kept in the audit notebook.

Completed: September 7, 2005

Recommendation 1.3 Update AARTS to reflect the actual completion dates for the action items noted in the audit with discrepancies in the reported completion dates.

Proposed Corrective Action: OCIO will work with Post Audit Group to update the completion dates for the actions listed in the table in Attachment B. A copy of this table, as well as the updated CAPS from AARTS for each of the referenced audits, will be kept in the audit notebook. Please note that OCIO believes it has documentation to support the existing completion date of 3/1 3/04 for CAP 07-C0033 / 1.1.1.

Proposed Completion Date: September 30, 2005.

If you have any questions, please contact Nina Aten on my staff at 401-5846.
ATTACHMENTS

ATTACHMENT A - OCIO Audit Notebook Cover Template

AUDIT CONTROL # (ACN):
AUDIT:
ISSUE DATE:
DATE CLOSED:
ARCHIVE RETENTION DATE (5 years following official closure):

Audit Notebook Content Checklist (columns on the form: Checked; Initials of Validator)

1. OIG Draft Audit Report
2. OM or OCIO Response to Draft Audit Report
   a. Contact Name provided for each corrective action
   b. Proposed Completion Date for each corrective action
   c. Clear description of corrective action, including identification of supporting documentation that will provide evidence of corrective action completion is included in draft response.
      EXAMPLE: "This action will be completed when the ACS directive is signed. A copy of the signed ACS directive will be maintained in the Audit notebook."
      OR: "This action will be completed when the working group holds its first meeting. A copy of the meeting invitation and the agenda will be maintained in the audit notebook."
3. Final Audit Report
4. First Corrective Action Plan submitted to OIG via AARTS
5. OIG's response to first Corrective Action Plan (see Reports menu in AARTS)
6. Audit Clearance Document (ACD)
7. TABS for each corrective action
8. Documentation supporting completion of each action as specifically identified in Corrective Action Plan
9. Completion Dates match dates of included supporting documentation
10. Final Corrective Action Plan
11. Comprehensive OIG Response (see Reports menu in AARTS)
12. Post Audit Group Response (see Reports menu in AARTS)
13. Request for Closure/Certification Memorandum
14. Closure Memo from Post Audit Group

OM/OCIO Audit Notebook Cover Template v 1.0 9/7/05

ATTACHMENT B - TABLE OF CORRECTED COMPLETION DATES

Corrective Actions That Need Updated Completion Dates

Audit: A11-A0011, Audit of the Department's Record Management Program

  Corrective Action: 1.1.3 Develop prototype computer based records management training module.
    Current Date Listed in AARTS: 4/19/02
    Proposed Date: 6/3/03
    Documentation Supporting Proposed Date: A copy of the CD containing the computer based training. The CD files are all dated 6/3/03.

  Corrective Action: 1.2.1 Publish Department of Education policies for records management. Include the requirement that each Principal Office develop office-specific policies and procedures.
    Current Date Listed in AARTS: 4/19/02
    Proposed Date: 12/16/02
    Documentation Supporting Proposed Date: Copy of ACS Directive OCIO:1-103 on Departmental Records and Information Management Program dated 12/16/02

  Corrective Action: 2.2.1 Develop a records management inventory system that enables Principal Offices to identify electronic and paper format records they create and maintain. Require Principal Offices to use the records management inventory system.
    Current Date Listed in AARTS: 5/2/03
    Proposed Date: 6/3/03
    Documentation Supporting Proposed Date: Copy of Training Slides and Workshops schedule indicating first class to be held on 6/3/03 in the 1G conference room in MES.

  Corrective Action: 2.2.2 OCIO provide technical assistance to Principal Offices in updating Records Retention and Disposition Schedules in the records management inventory.
    Current Date Listed in AARTS: 5/2/03
    Proposed Date: 11/26/03
    Documentation Supporting Proposed Date: Copy of the Department's submission to NARA that contains the results of their technical assistance.

  Corrective Action: 2.3.1 Provide technical assistance to Principal Offices in determining which federal records are unscheduled.
    Current Date Listed in AARTS: 5/2/03
    Proposed Date: 11/26/03
    Documentation Supporting Proposed Date: Copy of the Department's submission to NARA, including unscheduled dispositions, contains the results of their technical assistance.

Audit: A11-D0001, Phase II Audit of the Department's Critical Infrastructure Protection Program

  Corrective Action: 1.3.2 Establish a regular meeting of CIP and COOP program leaders to specifically address coordination. This meeting will supplement the coordination efforts of the monthly Security Coordination Committee that addresses all areas of security.
    Current Date Listed in AARTS: 7/24/03
    Proposed Date: 5/15/03
    Documentation Supporting Proposed Date: Copy of Security Coordination Committee Meeting Agenda dated 5/15/03

  Corrective Action: 1.4.2 Establish a regular meeting of CIP and COOP program leaders to specifically address coordination. This meeting will supplement the coordination efforts of the monthly Security Coordination Committee that addresses all areas of security.
    Current Date Listed in AARTS: 7/24/03
    Proposed Date: 1115/04
    Documentation Supporting Proposed Date: Printout of the final POA&M action for Mission Critical Systems that was entered into the PIP Portal on 11 15104 FSA-DLCS-4

  Corrective Action: 1.5.1 Make security requirements and costs for MEI assets and for agency-wide CIP activities (contained in the Information Assurance business case) explicit in IT business cases and IRB presentations.
    Current Date Listed in AARTS: 10/2/03
    Proposed Date: 10/3/03
    Documentation Supporting Proposed Date: Copy of the IA Business Case dated 10/3/03

Audit: A11-C0009, Implementation of the Government Paperwork Elimination Act

  Corrective Action: 1.2.3 Coordinate with OneED to analyze business processes for the Department's major lines of business. Identify additional opportunities to provide electronic alternatives to current business transactions, as appropriate.
    Current Date Listed in AARTS: 2/26/03
    Proposed Date: 5/6/03
    Documentation Supporting Proposed Date: Copy of GPEA Strategy posted on ED.gov (under policy/gen/leg/gpea/index.html) and a copy of the properties for this posted document showing that it was created on ED.gov on 5/6/03.

  Corrective Action: 1.2.4 Coordinate with PBDMI to identify additional opportunities to consolidate data collections and to provide electronic alternatives to current business transactions.
    Current Date Listed in AARTS: 2/26/03
    Proposed Date: 5/6/03
    Documentation Supporting Proposed Date: Copy of GPEA Strategy posted on ED.gov (under policy/gen/leg/gpea/index.html) and a copy of the properties for this posted document showing that it was created on ED.gov on 5/6/03.

Audit: A19-B0011, Audit of Controls over Government Calling Cards

  Corrective Action: 1.2.2 Concurrently with publication of the modified ACS Directive publish the calling card policies in ED Notebook and send email notices to all employees.
    Current Date Listed in AARTS: 6/23/03
    Proposed Date: 3/9/04
    Documentation Supporting Proposed Date: Copy of ACS Directive OCIO:2-102 Wireless Telecommunications Services

  Corrective Action: 1.3.1 Update the calling card form and automate it through the Telecommunications Automated Tracking System (TATS), Customer Service Request Module (CSRM). Add a section for supervisory approval.
    Current Date Listed in AARTS: 6/12/03
    Proposed Date: 3/9/04
    Documentation Supporting Proposed Date: Copy of ACS Directive OCIO:2-102 Wireless Telecommunications Services the form is included in Attachment A of the Directive

  Corrective Action: 2.1.1 Employees with calling cards and those ordering new calling cards will be required to sign an Employee Certification of Responsibilities form. The form will reference disciplinary actions for unauthorized use of government property.
    Current Date Listed in AARTS: 6/12/03
    Proposed Date: 3/9/04
    Documentation Supporting Proposed Date: Copy of ACS Directive OCIO:2-102 Wireless Telecommunications Services the form is included in Attachment A of the Directive

  Corrective Action: 2.2.1 Include the prohibition on sharing calling cards and guidance that each employee or contractor in need of a calling card should apply for one, and not use another's card, in the updated Wireless Services Directive.
    Current Date Listed in AARTS: 6/12/03
    Proposed Date: 3/9/04
    Documentation Supporting Proposed Date: Copy of ACS Directive OCIO:2-102 Wireless Telecommunications Services

  Corrective Action: 2.3.1 Include guidance that employees use their calling cards for authorized personnel calls while on travel, rather than claiming the expenses on their travel vouchers, in the updated Wireless Services Directive.
    Current Date Listed in AARTS: 6/12/03
    Proposed Date: 3/9/04
    Documentation Supporting Proposed Date: Copy of ACS Directive OCIO:2-102 Wireless Telecommunications Services

  Corrective Action: 3.1.1 Arrange for timely notification of employee status change, through transfer or departure from the Department. Use the information to cancel accounts or reallocate them to the appropriate Principal Office.
    Current Date Listed in AARTS: 6/12/03
    Proposed Date: 3/9/04
    Documentation Supporting Proposed Date: Copy of ACS Directive OCIO:2-102 Wireless Telecommunications Services

Audit: A07-C0033, Audit of Capital Planning and Investment Management

  Corrective Action: 1.1.1 Develop and use in the FY 2004 Select Phase, a set of written procedures that formalizes the Department's review process for IT investment compliance with the Enterprise Architecture. The written procedures will delineate review responsibilities.
    Current Date Listed in AARTS: 3/31/04
    Proposed Date: 3/31/04
    Documentation Supporting Proposed Date: Copy of two emails dated 3/31/04 (one for FSA and one for non-FSA) distributing select phase instructions, including EA review and responsibilities.

Audit Followup Process for Office of Inspector General Internal Audits in the Office of the Chief Information Officer.
Published by the Department of Education, Office of Inspector General on 2005-09-21.