Audit of Controls Over IT Equipment
OIG Report No. 2005-03-PROP

Purpose of Audit

A recent OIG Investigation revealed that information technology (IT) equipment was missing from EEOC headquarters and that no EEOC Form 629 Reports of Loss, Theft, or Incident had been filed at the time of the OIG inquiry. The investigation revealed that further missing items of computer and electronic equipment valued at $92,233.45 were stolen from the Headquarters building between May 2004 and February 2005.

The purpose of this audit was to evaluate the adequacy of controls over IT equipment and other electronic equipment at Headquarters EEOC. Specifically, we evaluated the various cycles relating to IT equipment including the procurement, receipt, inventory, distribution, and disposition of excess and obsolete IT equipment.

Scope and Methodology

The audit fieldwork was conducted from January 2005 through April 2005. We interviewed Office of Information Technology (OIT) managers and staff in Headquarters to obtain an understanding of the controls in place over the management of IT property. Additionally, we met with various Headquarters managers and staff having responsibility for the management and control of IT property including the Office of Human Resources, Office of General Counsel, Office of Inspector General and the Office of Field Programs (OFP). We also reviewed guidance issued by the Office of the Chief Financial Officer and Administrative Services (OCFOAS) and discussed Agency policies dealing with the management and control of accountable personal property. Additionally, OIG visited various storage locations throughout Headquarters and at the off-site storage facility, where OIG inventoried the IT equipment and photographed storage conditions.

The audit was conducted in accordance with Generally Accepted Government Auditing Standards, as published in the Comptroller General’s Government Auditing Standards, June 2003 Revision.
What We Found

We found that controls relating to the procurement of IT equipment and other electronic equipment were adequate; however, controls needed to be strengthened over the receipt, inventory, distribution, and disposition of excess and obsolete IT equipment.

Office of Information Technology managers failed to maintain inventory records relating to the IT equipment stored throughout Headquarters wherever space was available. IT equipment was usually stored in closets, hallways, offices, and at workstations. Additionally, the Fixed Asset Subsystem (FAS) was not reliable since information was not accurate or current. During our tests we found instances where IT equipment was not in the FAS, and where offices had reported changes to their inventories, the information in the FAS was not updated.

Further, IT equipment purchased on September 30, 2004 by the Office of Field Programs for Fair Employment Practices Agencies (FEPAs) had not been accounted for. The equipment ordered by OFP was shipped directly from the vendor to FEPAs which were located throughout the country.

Our audit disclosed that no follow up was conducted with the FEPAs to ensure that the property ordered in September 2004 was actually received. While staff entered serial numbers found on vendor invoices, and barcodes for the property, into the agency’s FAS as of April 2005, the barcodes had not been affixed to the actual IT equipment because the location of the equipment had not been verified.

Finally, we noted that missing and/or stolen property was not reported in the 2004 assurance statements submitted by HQ directors in accordance with the agency’s Federal Managers Financial Integrity Act (FMFIA) process. A full discussion of each of these findings, along with recommendations, management comments and OIG’s response is provided in the following section.
Controls Over IT Equipment Stored At Headquarters EEOC Were Weak

OIT managers did not know the number of items or the total value of IT equipment stored at Headquarters EEOC. They had not developed an inventory system that accounts for the acquisition, issuance, and identification of damaged or obsolete equipment. Due to the lack of a system to account for stored IT equipment and an organized methodology for storing such equipment, OIT managers were unable to provide a detailed inventory of IT equipment stored in EEOC Headquarters. Further, they could not provide reasonable assurance that stored IT equipment was safeguarded from theft or misuse.

Criteria

Statement of Federal Financial Accounting Standard No. 3, Accounting for Inventory and Related Property, provides guidance on the accounting for an inventory of operating materials and supplies. The statement also requires that operating materials and supplies be valued on the basis of historical costs. Some of the methods used to arrive at the historical cost basis are the first in first out (FIFO), weighted average, or the moving average cost flow assumptions.

The GAO/PCIE Financial Audit Manual discusses controls that should be in place to protect assets and records against physical harm, theft, loss, misuse, or unauthorized alteration. Typical access control includes secured facilities (i.e. locked rooms, fenced areas) and access limited to authorized personnel.

Background

During our audit, we requested a listing of all IT equipment stored throughout Headquarters EEOC. We were told by OIT managers that no listing existed that would include all IT equipment stored at Headquarters. Each OIT Division Director is supposed to maintain a listing of IT equipment they are responsible for purchasing. Once OIG began questioning the existence of a listing, some directors took steps to inventory their equipment.
(Note: Between fiscal year 2003 and January 2005, the Office of Information Technology purchased IT equipment costing about $8.1 million. Approximately $15.2 million of EEOC’s FY 2004 budget is for technology which includes purchases of IT equipment.)

Throughout Headquarters EEOC, OIT uses various offices, conference rooms, meeting rooms, closets and cabinets on each floor to store its inventory of IT equipment. In fact, some OIT managers maintained small inventories of IT equipment in their individual offices (e.g. hard drives, memory, and software). OIG auditors visited each storage location and inventoried its contents. Some of the common items found in the various locations included Dell D-Family Monitor stands, various types of Dell Monitors, Port Replicators, switches, switch cards, printers, laptop computers, and desktop computers. In most cases, unopened IT equipment and supplies were stored from floor to ceiling. Also, it should be noted that OIT did not attempt to store this equipment by type. Equipment appeared to have been stored according to the availability of space. Given the fact that IT equipment is outdated within a few years, OIG questions the need to maintain an inventory of monitors, monitor stands, and computers.

Exhibit 1 shows pictures of IT equipment stored in overhead bins and cabinets in or near managers’ workstations.

Exhibit 1 - Supplies stored in overhead bins and storage cabinets in OIT

Exhibits 2 through 5 show storage conditions throughout Headquarters.

Exhibit 2 - Headquarters Room 3114 - Dell D Family Monitors and Dell D/Port Advanced Port Replicators

Exhibit 3 - Headquarters Room 3114 - Additional Dell D-Family Monitor Stands stacked to ceiling

Exhibit 4 - 4th floor DSSD Storage Room - Flat Panel Monitors and Dell Central Processing units
Exhibit 5 - 5th floor LAN Room - Dell Port Replicators, Dell Monitors

Recommendations

OIG recommends that the Director of the Office of Information Technology:

1. Develop an inventory control system to account for IT items stored at the EEOC Headquarters. The system should be able to provide on hand quantities and a total value of the inventory on demand. Also, the system should require that all like items be stored together.
2. Ensure that an inventory is taken of all OIT stored equipment in Headquarters EEOC by September 30 of each fiscal year. This should include determining the value of this equipment and an evaluation of the usefulness of the equipment.
3. Ensure that the results of the inventory are entered into the Fixed Asset Subsystem (FAS).
4. Determine the need to maintain an inventory of stored IT equipment.

Management’s Comments:

OIT would like to point out that we have been following OCFOAS guidance in tracking IT equipment, which requires us to record in the agency’s inventory system, Fixed Asset Subsystem (FAS), any equipment that is over $1000 in value. Equipment that meets this criteria is recorded and maintained in the FAS, regardless of whether the equipment is being used in the employee’s workstation or located in storage spaces.

In addition, due to inadequate space made available to store IT equipment, when large shipments arrive, we must put them wherever we can find space. This results in items being stored in any available space including closets, hallways, offices, and workstations. We also used our conference room as a work space to configure computers and our locked offices for temporary storage. For years, OIT has been requesting storage space for safekeeping IT equipment as well as space for performing equipment setup, configuration and testing. However, adequate storage space has not been provided.

The OIG report failed to mention that the closets are kept locked and keys are restricted to specific personnel.
Similarly, equipment kept in managers’ offices are locked with only the manager possessing a key to it. For instance, Figure 1 on Page 4 of the OIG report reflects the overhead compartment in a manager’s locked office, which included a few computer books, memory chips, and other computer supplies. This very same manager informed the OIG investigator that he keeps a log on his computer to track when someone takes these items from his office. This manager is an operations manager and equipment in his office is composed of primarily small components and computer supplies.

We are concerned that the OIG report did not mention or address any physical security issues in the headquarters building as it is critical to inventory control process. Despite the presence of guards and video cameras, a thief was able to remove AV and IT equipment from the headquarters building over a period of several months. If the purpose of the Report was to identify gaps in inventory control, then this one large gap should be recognized and addressed.

OIG’s Response:

We maintain that OIT should inventory and account for its inventory of “smaller computer components and supplies”. These items may cost less than $1,000 individually; however, on an aggregate basis, we believe the value will far exceed the $1,000 threshold referred to by OIT in its comments. Also, we question the validity of OIT’s comment relating to the high turnover rate on some stored items given as a reason for not warranting an inventory of all items. We found many items such as Dell D-Family Monitor stands, Battery Cartridges, and monitors in unopened boxes, and other various computer related items that, in our opinion, should be inventoried and evaluated to determine their usefulness at EEOC. Because the life expectancy of IT equipment is usually a few years, we believe that OIT will find that some of the equipment referred to as “smaller computer components and supplies” are outdated and should be excessed.
OIT also included in their comments remarks relating to storage space and the fact that adequate storage space has not been provided. Further, they state that OIG failed to acknowledge this as the true source of the problem. We disagree. In our opinion the bigger issue is not where the equipment was stored but the fact that controls relating to keeping track of what was stored were weak. Evaluating the adequacy of storage space and requirements were never an objective of this audit. In regards to OIT’s comment that IT equipment is stored in locked rooms or closets that have keys in the hands of a very few IT staff, we found that a complete listing of key holders for all OIT storage locations did not exist. We found three instances where keys that were issued could not be accounted for. OIT makes mention of a manager who has been maintaining a log to keep track of his inventory of computer supplies. During our initial inquiry this manager indicated that he did not maintain any logs. Subsequent to the receipt of OIT’s comments to our draft report, we revisited this manager and obtained a copy of his log. He maintains an entry in his personal data assistant (PDA) described as Hard Drive Disbursement- 80 GB. In our opinion, this log is not adequate since it does not include a beginning or ending balance and doesn’t always show the quantities disbursed or when they were disbursed. Further, we note that all of the entries provided were after our initial interview of March 4, 2005. In their comments, OIT provides a discussion relating our audit issues with the recent thefts and loss of equipment. OIG never reported or discussed in this report how the thefts occurred or identified any evidence that OIT may have to show how the thief gained access to equipment stored in locked locations. Finally, OIT states they are concerned that OIG did not mention or address any physical security issues in the headquarters building. 
Evaluating physical security and evaluating the adequacy of and requirements for storage space were never objectives of this audit and were not included in our scope. During the entrance conference, we indicated that the purpose of our audit was to evaluate the adequacy of controls over IT equipment at Headquarters EEOC. Specifically, we planned to evaluate the various cycles relating to IT equipment including the procurement, receipt, inventory, distribution, and disposition of excess and obsolete IT equipment.

Accuracy of the Fixed Asset Subsystem Needs to be Improved

The Fixed Asset Subsystem (FAS) needed to be updated to capture all IT property. During our testing, we noted that 22 of 147 items randomly selected were not included in the FAS system’s EEC 453 Reports – Detailed Subsidiary for Accountable/Sensitive Property. Further, 13 (59%) of the 22 items not found in the EEC 453 reports were not in the FAS system. We also noted that the FAS was not updated to reflect changes submitted by property custodians. We found instances where property custodians submitted required forms to report changes in their property inventory but the changes were not made in subsequent FAS reports. Because of these weaknesses, we question the validity of the 12,370 items valued at $14,364,202.11 reported in the FAS system’s reports as of January 31, 2005.

Criteria

EEOC Order 320.001, Management and Control of Accountable Personal Property, provides specific guidance pertaining to the general area of personal property management. Ten days after receipt of new property items, custodial property officers are required to submit EEOC Form 574, Physical Inventory Reporting Form, to the Resource Management Division. The Resource Management Division is responsible for entering this information into the Fixed Asset Subsystem (FAS).
Additionally, Standard Form (SF) 120 Report of Excess Personal Property and SF 122 Transfer Order Excess Personal Property are used to report changes in excess property and property transfers between agencies.

Background

During our audit, we requested an inventory listing of all Headquarters information technology property. We were provided copies of EEC Report 453-Detailed Subsidiary for Accountable/Sensitive Property from the Fixed Asset System (FAS) as of 1/31/05 and 3/31/05. The EEC Report 453 is separated by each Headquarters’ office and includes EEOC’s catalog code, serial number, description, bar code number, property custodian, purchase order number, date placed in service, useful life, cost, and book value.

OIG randomly selected IT equipment in Headquarters’ offices to test the accuracy of the EEC Report 453. OIG compared actual barcodes and serial numbers found on selected IT equipment by office locations to information in the EEC Report 453. This test was completed in the: Office of Inspector General (OIG), Office of Field Programs (OFP), Office of Human Resources (OHR), and the Office of General Counsel (OGC). Our testing revealed that 22 (15%) of the 147 items randomly selected were not listed in the Fixed Asset System. The results of our testing are summarized in Table-1 below:

Table-1 Results of Test of Fixed Asset Subsystem

| Office | # Items Tested | Total Items included in FAS System | Items not in FAS/Exceptions |
|---|---|---|---|
| Office of Inspector General (OIG) | 22 | 46 | 4 |
| Office of Field Programs (OFP) | 37 | 340 | 7 |
| Office of Human Resources (OHR) | 26 | 187 | 5 |
| Office of General Counsel (OGC) | 62 | 262 | 6 |
| Total | 147 | | 22 |

For the 22 items located in Headquarters but not included in the EEC 453 report, OIG contacted Fiscal Management Coordinating Staff in the Office of the Chief Financial Officer and Administrative Services (OCFO/AS) for assistance in determining why these items were not in the EEC 453 report.
They were able to query the FAS system using barcodes and in nine (9) cases found information relating to the IT property in question. However, they were not able to determine where the property was located because that information was never entered into the system. Thirteen (59%) of the 22 items were not in the FAS system. These 13 items were not in the EEC 453 Report nor could they be located by barcode through a FAS inquiry. The results of the FAS inquiry of property not found in the EEC 453 report are summarized in Table-2 below:

Table-2 – Results of FAS Inquiry of Property Not In EEC 453 Report

| Type of Equipment | Office | Bar Code # | Included in EEC 453, 3/31/2005 | Per Fixed Asset Summary Inquiry |
|---|---|---|---|---|
| Monitor | OFP | 213602 | No | Yes |
| CPU | OFP | 133669 | No | Yes |
| CPU | OFP | 208403 | No | Yes |
| Monitor | OFP | 212402 | No | No |
| Monitor | OFP | 211794 | No | No |
| Monitor | OFP | 212405 | No | No |
| Monitor | OFP | 211982 | No | No |
| CPU | OHR | 122730 | No | Yes |
| CPU | OHR | 125930 | No | Yes |
| CPU | OHR | 133842 | No | Yes |
| Monitor | OHR | 212019 | No | Yes |
| Printer | OHR | 121154 | No | No |
| CPU | OIG | 131169 | No | Yes |
| CPU | OIG | 134239 | No | No |
| CPU | OIG | 136302 | No | Yes |
| Monitor | OIG | 213940 | No | No |
| CPU | OGC | 137901 | No | No |
| Monitor | OGC | 208812 | No | No |
| Monitor | OGC | 214578 | No | No |
| CPU | OGC | 137890 | No | No |
| Printer | OGC | 133937 | No | No |
| CPU | OGC | 328 | No | No |

Additional examples of FAS inaccuracy were found in our review of the EEC Report 453 dated 1/31/05, for the Office of Inspector General. The report included six (6) non-OIG employees as property custodians along with OIG’s official property custodian. We noted that this was corrected in the EEC Report 453 dated 3/31/05. Also, the 1/31/05 report only contained eight (8) of the twelve central processing units and eleven of the twelve monitors assigned to OIG. The 3/31/05 EEC Report 453 had been updated to reflect some of the additions made by OIG’s property custodian in January 2005 but still missed three (3) of the twelve CPUs and one monitor assigned to OIG.
Recommendations

OIG recommends that the Director, Office of the Chief Financial Officer and Administrative Services (OCFOAS):

1. Conduct a 100% inventory of all EEOC Headquarters non-IT property, in accordance with EEOC Order 320.001 Management and Control of Accountable Personal Property, during the 1st and 3rd quarter of each fiscal year to ensure that property records are accurate by the end of the fiscal year.
2. Prior to conducting the semiannual physical inventories, consider using electronic prompts periodically to reiterate to property custodians the importance of reviewing their FAS Report 453s periodically and identifying any changes since the last inventory so that information can be entered into the Fixed Asset Subsystem (FAS).

Management’s Comments:

All non-IT changes, for headquarters and field offices, are processed through FAS by Office of Chief Financial Officer and Administrative Services (OCFOAS) staff. IT-related changes are processed for field offices by the local IT Specialist. IT-related changes at headquarters are processed by the Office of Information Technology (OIT). OCFOAS is aware of only a few instances where non-IT changes were not properly processed and these were corrected as soon as the appropriate property custodian provided notification.

In some cases, property was not on the 453 dated March 31, 2005, however, the property was located in (FAS). We researched this and determined that this was a timing issue. All of the property that appeared in FAS was on the EEC 453 report dated April 29, 2005. The EEC 453 is a monthly report. Apparently, these items were entered in the system during the month of April.

The FAS system became operational in 2002. Since then, per EEOC Order 320.001, we have relied on Headquarters and Field Office Directors to serve as Accountable Property Managers (APO’s) who are responsible for their respective office’s accountable personal property, including computer equipment.
In order to spot check property reported by headquarters and field offices for inclusion, change, or deletion in FAS, OCFOAS will conduct periodic random sampling of inventories. The results of the random sampling will be reported to the applicable office and, if any deficiencies are noted, they will be included in the FMFIA submission. OIG’s recommendation to send out periodic reminders to offices that they should monitor FAS reports and send in Form 574’s to note changes will be implemented.

OIG’s Response:

The Office of the Chief Financial Officer generally agreed with our finding and recommendations. The CFO stated that they will begin to spot check property reported by headquarters and field offices for inclusion, change, or deletion in FAS and will conduct periodic random sampling of inventories. The results will be reported to the applicable office and, if any deficiencies are noted, they will be included in the FMFIA submissions. In addition to taking these steps to verify information reported, the CFO should also consider randomly selecting property items and testing to see if they have been included in the Fixed Asset Subsystem and informing offices of any such deficiencies for inclusion in FMFIA submissions.

OIG recommends that the Director, Office of Information Technology:

1. Conduct a 100% inventory of all EEOC Headquarters IT property to ensure that property records are accurate by the end of the fiscal year.

Management’s Comments:

Although the IT inventory information for headquarters is being entered into FAS by an OIT staff and field information is being entered by field staff, Appendix A of EEOC Order 320.001, Management and Control of Accountable Personal Property, states that OCFOAS will be responsible for data entry of all inventory (See Page A-3, lc under Chapter II of the Order). Accordingly, the OCFOAS is the owner of FAS and is responsible for inventory data within FAS.
Therefore, we believe that it is more appropriate for the OIG recommendation to be directed to OCFOAS instead of OIT. Nevertheless, we do agree with OIG that accuracy of the Fixed Asset Subsystem needs to be improved… We plan to establish additional controls to periodically review FAS reports as well as conducting physical inventory checks against FAS reports.

OIG’s Response:

The Office of Information Technology agrees that the accuracy of the FAS needs to be improved and plans to establish additional controls to periodically review the FAS reports, as well as conduct physical inventory checks against FAS reports. However, OIT maintains that since OCFOAS is the owner of the FAS, they are responsible for inventory data within FAS. OIG disagrees with OIT’s logic and finds that ensuring the results of the IT inventory are entered into the FAS is a shared responsibility between OCFOAS and OIT. This is especially true since the OCFOAS relies upon offices to submit complete and accurate personal property certification reports of all accountable property.

Lack of Controls Over IT Purchases for Fair Employment Practices Agencies

The Office of Field Programs (OFP) failed to verify that IT equipment purchased and shipped directly from the vendor to various Fair Employment Practices Agencies (FEPAs)(1) was received. Additionally, OFP failed to follow the agency’s bar coding policy for accountable property which requires that all accountable property be bar coded within ten (10) days. As a result, there are no assurances that property valued at $161,300 was received and is being properly accounted for at this time.

Criteria

EEOC Order Number 320.001, Personal Property and Supply Management, Accountability and Control, provides Agency policies and procedures pertaining to the general area of personal property management.
This order also introduces an Integrated Financial Management System and the Fixed Asset Subsystem (FAS), for the accountability and physical control of all EEOC-owned personal property.

On March 31, 2004, the CFO issued a Memorandum to Administrative Officers and Budget Analysts which updated business processes at the EEOC. This CFO memo requires that an EEOC Form 112-Delivery Receipt be prepared for all IT equipment, software, supplies, and services that have been shipped directly to the field by the vendor, where the purchase order originated in the Office of Information Technology (OIT).

(1) A Fair Employment Practices Agency is a state or local authority that investigates and resolves charges of employment discrimination filed under Title VII, ADA, and/or the ADEA and compatible state and/or local ordinances in partnership with the EEOC. There were a total of 92 FEPAs as of March 31, 2003. All FEPAs received PCs from the EEOC.

Background

Between September 2004 and October 2004, the Office of Field Programs purchased 96 computers at a cost of $161,300.00 for use in FEPA offices. Of the 96 computers, 92 were shipped directly from the vendor to the FEPA with the remaining four (4) being shipped to Headquarters, EEOC. OFP personnel provided OIG a copy of the consolidated invoice from the vendor identifying where the vendor had shipped the goods. However, they were unable to show proof that the various FEPAs had actually received the equipment. Also, there were no attempts made by OFP to contact the FEPA offices to verify that the purchased equipment had been received.

Over two (2) months passed before OFP entered manufacturer’s serial numbers relating to this equipment purchase into the Fixed Asset System (FAS) and assigned bar code stickers for each computer.
However, as of April 2005, the bar code stickers were still in Headquarters and had not been applied to the equipment because they were not certain that the computers having the serial numbers identified on the vendor invoice were actually located at the FEPA listed on the invoice.

Recommendations

OIG recommends that the Director of Office of Field Programs:

1. Verify the receipt of IT equipment (purchased September – October 2004) shipped directly to the Fair Employment Practices Agencies (FEPAs) from the Vendor.
2. Prepare and submit the required Form 112-Delivery Receipt and Form 574 Physical Inventory Reporting/Acknowledgement Form in accordance with the March 31, 2004 CFO Memo to Administrative Officers and Budget Analysts.
3. Apply bar codes to the EEOC property issued to the FEPAs, once the locations and manufacturer’s serial numbers have been verified.
4. Require FEPA Coordinators in field offices to report periodically on the condition and use of the EEOC IT equipment purchased for the FEPAs to ensure that the Fixed Asset System accurately accounts for all EEOC-owned equipment.

Management’s Comments:

Regarding the purchase of IT equipment for the FEPAs, there were some questions initially deciding ownership for the equipment. Until those questions were resolved, it was not appropriate to assign barcodes and put the equipment into our inventory. When the questions were resolved, a process was put into place to both assign and affix the barcodes and enter the information for the equipment in the Fixed Asset System (FAS).

With regard to entering the information into FAS, since OIT normally enters all serial numbers for computer equipment in the FAS for Headquarters, OFP did not have access to the system and members of the staff had not received training in the use of the system.
However, after resolving the issue of ownership, OFP agreed to enter the information in FAS, but encountered a delay while obtaining access to the system and adequate training to ensure that we were entering the information correctly. Once we received access and completed the training, we immediately entered the information into FAS.

In furtherance of the recommendations in your draft report, we propose the following procedures for purposes of tracking subject equipment, which we believe address the issues contained in this report:

1. We will send a Form 112-Delivery Report to each FEPA and request that they complete them and return them to OFP, State and Local Programs. We will include information on the location, barcodes and serial number of each item. We will maintain a copy of these documents in OFP.
2. We will develop a process for periodically checking and reporting on the condition and use of the equipment purchased for the FEPAs either as part of our regular technical assistance visits to the field, by requesting that State and Local Coordinators make onsite visits to the FEPAs, as resources allow, or by a combination of the two.

OIG’s Response:

OIG Concurs.

IT Property Losses Not Included In FY 2004 FMFIA Reports to the Chair

FMFIA reports submitted to the Chair by Office Directors did not include information about deficiencies in controls that allowed IT equipment to be removed or stolen from EEOC Headquarters during FY 2004. As was noted earlier, IT property with an estimated value of $51,083 was reported missing/stolen between April 29, 2004 and September 28, 2004 on EEOC Form 629s, Report of Loss, Theft, or Incident, reviewed by OIG. Even though the EEOC Form 629s were completed, Office Directors made no mention of these property losses in their FY 2004 FMFIA submissions, nor did they identify steps they would take in the future to prevent such occurrences.
As a result, the Chair was not provided reasonable assurance that management controls were effective in detecting losses or thefts of IT equipment in FY 2004. Further, although the dollar amount of the losses was not material and the failure to disclose the thefts may not have been intentional, the accuracy of the Agency’s report to the President and Congress is compromised.

Criteria

Agency heads are required to establish controls that reasonably ensure that (i) obligations and costs comply with applicable laws; (ii) assets are safeguarded against waste, loss, unauthorized use or misappropriation; and (iii) revenues and expenditures are properly recorded and accounted for. Each year, agency heads must evaluate and report on the effectiveness of their management control program to the President and Congress.

EEOC Order 240.005, EEOC Information Security Program, clearly states that agency employees are responsible for protecting IT resources from unauthorized use or theft. Office Directors and the office’s designated System Security Officer are responsible for defining and establishing the appropriate levels of control needed to safeguard their office’s information systems and IT resources.

Additionally, in May 2004, EEOC’s Chief Operating Officer issued a memo to Headquarters and Field Directors reminding them of their responsibilities for ensuring the security and accountability of IT equipment. Further, examples of specific internal controls were provided along with the requirement to report missing, lost or stolen IT equipment through the use of EEOC Form 629-Report of Loss, Theft, or Incident. In October 2004, the Chief Financial Officer followed up with a memo providing a refresher on timely reporting of loss, theft or incidents involving property, as well as staff’s responsibility to ensure effective internal controls are in place to safeguard the agency’s IT equipment.
Background

During FY 2004, there were four (4) incidents reported involving missing or stolen IT equipment. The chart below provides specific details relating to these incidents. Also, as indicated in the chart, none of the incidents were reported as deficiencies in the functional area reports submitted to support the Chair’s FY 2004 Assurance Statement to the President and Congress.

Chart 1- Summary of EEOC Forms 629- Reports of Loss, Theft or Incident Relating to IT Equipment Submitted During FY 2004

| Item Reported Missing | Date Reported Missing | Reported Missing by | Office Reporting Loss | Estimated Value | Item Serial No. | Noted in FY 2004 FMFIA |
|---|---|---|---|---|---|---|
| (1) Ikegami HL-V75W Digital Camera Recorder and Travel Case | 9/10/2004 | Theft | OIT | $25,000.00 | LB1433 | NO |
| (1) View Sonic 17" LCD Monitor w/Speakers & Removable Stand, Model # VG710. | 9/23/2004 | Loss | OIT | $519.00 | AZW 642401713 | NO |
| (13) Cisco Catalyst 2950C-24 Network Switch, 24 (port) 10/100 and 2 (ports) 100 Base_FX uplink, Cisco Part # WS-2950C-24 (est. Value $1,326.41 each) | 9/28/2004 | Loss | OIT | $17,500.00 | FOC0828X24A, FOC0825X22G, FOC0825X23J, FOC0825W1ZG, FOC0825W1ZF, FOC0825W1Y7, FOC0825X22T, FOC0825X22T, FOC0825W1Z7, FOC0825W1Z1, FOC0825W1Z8, FOC0825W1Z6, FOC0825X23W | NO |
| (4) Dell Latitude D600 Laptop Computers & (4) Optical Mouse Devices | 4/29/2004 | Theft | OFP | $8,064.00 | 1- S/N: 6J86L31, 2-S/N:HF27L31, 3-S/N:CV17L31, 4-S/N:5J86L31. | NO |

In reviewing the EEOC Forms 629-Report of Loss, Theft, or Incident submitted during FY 2004 relating to missing/stolen IT equipment, we noted that two of the four forms submitted did not indicate that an administrative officer, supervisor or management official had been notified of the incident. These two incidents involved property having estimated combined values of $42,500. This may be an indication that supervisors/managers are not being informed of property losses and/or that internal controls are not being evaluated periodically by staff to support Office Directors’ annual assurance statements to the Chair.
OIG compared the EEOC Forms 629-Report of Loss, Theft or Incident submitted during FY 2004 to the FY 2004 annual FMFIA reporting packages submitted by Office Directors to determine if any internal control weaknesses or deficiencies relating to the management of IT property had been disclosed. None of the FMFIA reporting packages submitted by Office Directors contained any details relating to lost, missing, or stolen IT property. However, the Chief Financial Officer (CFO) whose office has primary responsibility for property management did note that reported thefts in Headquarters and in some field offices were being investigated and that the adequacy of controls would be evaluated for improvement during FY 2005. However, the FMFIA report to the Chair clearly stated that “No deficiencies were identified” by Headquarters Offices or District Offices.

Recommendation:

We recommend that all EEOC Office Directors for the FY 2006 FMFIA reporting cycle: Perform formal internal control reviews specifically for IT equipment by documenting the controls in place and the extent of testing of these controls (i.e. physical inventory, need to excess equipment, access to equipment). All weaknesses should be reported along with action plans to correct them.

Management’s Comments:

OCFOAS concurs with OIG’s recommendation that all EEOC Office Directors perform internal control reviews for IT equipment.

OIT agrees with the OIG on FMFIA reporting and that offices should report missing or stolen equipment on FMFIA reports. Even though OIT reported equipment missing they failed to include this information in their FMFIA reports for FY 2004. EEOC Order 195.001, Management Accountability and Controls section 8(e)(4) Identifying Deficiencies and Material weaknesses in Controls states: “EEOC managers and staff are encouraged to identify and report deficiencies in management controls.
Reporting deficiencies reflect positively in the agency’s commitment to recognize and address management areas of concern. In contrast, failure to report a known deficiency reflects adversely on offices and the agency as a whole.”

The Office of Research, Information, and Planning (ORIP) comments: Regarding, “IT Property Losses Not Included in FY 2004 FMFIA Reports to the Chair”, you indicate that the 2004 losses were not material and the loss may not have been intentional. Since the losses were not material, I do not believe that it necessarily follows that the Agency’s report to the President and Congress is compromised. Because the Chair probably would not have determined that this controls issue was material, even if it had been reported she would not have reported it to the President and Congress anyhow. Her report would therefore not have been “compromised” by the absence of this information in the first place. I think that the nexus made in the report should be removed.

OIG’s Response: OIG disagrees and believes that the Chair should have at least been informed of the property losses and given an opportunity to make the decision on her own whether or not the information should be reported to the President and Congress. OMB Circular A-123, Management’s Responsibility for Internal Controls, section IV(B) Identification of Deficiencies states that agency employees and managers shall report control deficiencies to the next supervisory level, which will allow the chain of command structure to determine the relative importance of each deficiency.

The Office of Field Programs comments: Regarding the four Dell Latitude D600 Laptop Computers and four Optical Mouse Devices, which we did not report as deficiencies in the functional area reports submitted in support of the Chair’s FY 2004 Assurance Statement to the President and Congress, this equipment was not part of OFP’s equipment inventory.
The equipment was OIT’s and was set up by them for OFP’s use in the OCLA conference room. The theft was reported to OIT.

OIG’s Response: In OIG’s opinion it would have been a good business practice for OFP to have included the stolen computer equipment in their FY 2004 functional area reports, especially since they were responsible for safekeeping of the equipment when the thefts occurred.

Other General Comments

In their comments, OIT makes the statement “Had the OIG conducted an exit interview with OIT prior to the distribution of the draft report, many of the inaccuracies could have been discussed and issues clarified. Instead a meeting was conducted after the distribution of the draft report, at the request of OIT.”

OIG’s Response: OIG disagrees that there are many inaccuracies and stands by the information contained in this report. Further, OIG’s Senior Auditor met with the Director, Office of Information Technology on August 5, 2005 prior to releasing the Draft Report to the Chair. At that meeting, each finding was discussed with the OIT Director and OIG invited the OIT Director to contact our office if additional questions arose later or if they had issues with information in the report. OIT contacted OIG requesting a meeting to clarify a few issues in the report a few days later. A meeting was held on August 11, 2005 between OIT staff and OIG’s Senior Auditor. To ensure better communications OIG will provide draft reports to auditees in advance of formal Exit Conferences where affected Office Directors or their representatives must attend.

Audit Follow Up

The Office of Management and Budget issued Circular Number A-50, Audit Follow up, to ensure that corrective action on audit findings and recommendations proceed as rapidly as possible.
EEOC Order 192.002, Audit Follow up Program, implements Circular Number A-50 and requires that for resolved recommendations, a corrective action work plan should be submitted within 30 days of the final evaluation report date describing specific tasks and completion dates necessary to implement audit recommendations. Circular Number A-50 requires prompt resolution and corrective action on audit recommendations. Resolutions should be made within six months of final report issuance.
Report 2005-003-PROP - Audit of Controls Over IT Equipment OIG
Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2005-05-01.