
Report 2005-003-PROP - Audit of Controls Over IT Equipment OIG

Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2005-05-01.


  Audit of Controls Over IT Equipment OIG
          Report No. 2005-03-PROP
                                       Purpose of Audit

A recent OIG Investigation revealed that information technology (IT) equipment was missing
from EEOC headquarters and that no EEOC Form 629 Reports of Loss, Theft, or Incident had
been filed at the time of the OIG inquiry. The investigation revealed that further missing items of
computer and electronic equipment valued at $92,233.45 were stolen from the Headquarters
building between May 2004 and February 2005.

The purpose of this audit was to evaluate the adequacy of controls over IT equipment and other
electronic equipment at Headquarters EEOC. Specifically, we evaluated the various cycles
relating to IT equipment including the procurement, receipt, inventory, distribution, and
disposition of excess and obsolete IT equipment.

                                   Scope and Methodology

The audit fieldwork was conducted from January 2005 through April 2005. We interviewed
Office of Information Technology (OIT) managers and staff in Headquarters to obtain an
understanding of the controls in place over the management of IT property. Additionally, we met
with various Headquarters managers and staff having responsibility for the management and
control of IT property including the Office of Human Resources, Office of General Counsel,
Office of Inspector General and the Office of Field Programs (OFP). We also reviewed guidance
issued by the Office of the Chief Financial Officer and Administrative Services (OCFOAS) and
discussed Agency policies dealing with the management and control of accountable personal
property. Additionally, OIG visited various storage locations throughout Headquarters and at the
off-site storage facility, where OIG inventoried the IT equipment and photographed storage
conditions.

The audit was conducted in accordance with Generally Accepted Government Auditing
Standards, as published in the Comptroller General’s Government Auditing Standards, June
2003 Revision.

What We Found

We found that controls relating to the procurement of IT equipment and other electronic
equipment were adequate; however, controls needed to be strengthened over the receipt,
inventory, distribution, and disposition of excess and obsolete IT equipment. Office of
Information Technology managers failed to maintain inventory records relating to the IT
equipment stored throughout Headquarters wherever space was available. IT equipment was
usually stored in closets, hallways, offices, and at workstations. Additionally, the Fixed Asset
Subsystem (FAS) was not reliable since information was not accurate or current. During our tests
we found instances where IT equipment was not in the FAS, and where offices had reported
changes to their inventories, the information in the FAS was not updated.

Further, IT equipment purchased on September 30, 2004 by the Office of Field Programs for Fair
Employment Practices Agencies (FEPAs) had not been accounted for. The equipment ordered by
OFP was shipped directly from the vendor to FEPAs which were located throughout the
country. Our audit disclosed that no follow-up was conducted with the FEPAs to ensure that the
property ordered in September 2004 was actually received. While staff entered serial numbers
found on vendor invoices, and barcodes for the property, into the agency’s FAS as of April 2005,
the barcodes had not been affixed to the actual IT equipment because the location of the
equipment had not been verified.

Finally, we noted that missing and/or stolen property was not reported in the 2004 assurance
statements submitted by HQ directors in accordance with the agency’s Federal Managers
Financial Integrity Act (FMFIA) process.

A full discussion of each of these findings, along with recommendations, management comments
and OIG’s response is provided in the following section.

Controls Over IT Equipment Stored At Headquarters EEOC Were Weak

OIT managers did not know the number of items or the total value of IT equipment stored at
Headquarters EEOC. They had not developed an inventory system that accounts for the
acquisition, issuance, and identification of damaged or obsolete equipment. Due to the lack of a
system to account for stored IT equipment and an organized methodology for storing such
equipment, OIT managers were unable to provide a detailed inventory of IT equipment stored in
EEOC Headquarters. Further, they could not provide reasonable assurance that stored IT
equipment was safeguarded from theft or misuse.

Criteria

Statement of Federal Financial Accounting Standard No. 3 Accounting for Inventory and Related
Property provides guidance on the accounting for an inventory of operating materials and
supplies. The statement also requires that operating materials and supplies be valued on the basis
of historical costs. Some of the methods used to arrive at the historical cost basis are the first in
first out (FIFO), weighted average, or the moving average cost flow assumptions.

The GAO/PCIE Financial Audit Manual discusses controls that should be in place to protect
assets and records against physical harm, theft, loss, misuse, or unauthorized alteration. Typical
access control includes secured facilities (i.e. locked rooms, fenced areas) and access limited to
authorized personnel.

Background

During our audit, we requested a listing of all IT equipment stored throughout Headquarters
EEOC. We were told by OIT managers that no listing existed that would include all IT
equipment stored at Headquarters. Each OIT Division Director is supposed to maintain a
listing of IT equipment they are responsible for purchasing. Once OIG began questioning the
existence of a listing, some directors took steps to inventory their equipment. (Note: Between
fiscal year 2003 and January 2005, the Office of Information Technology purchased IT
equipment costing about $8.1 million. Approximately $15.2 million of EEOC’s FY 2004 budget
is for technology which includes purchases of IT equipment.)

Throughout Headquarters EEOC, OIT uses various offices, conference rooms, meeting rooms,
closets and cabinets on each floor to store its inventory of IT equipment. In fact, some OIT
managers maintained small inventories of IT equipment in their individual offices (e.g. hard
drives, memory, and software). OIG auditors visited each storage location and inventoried its
contents. Some of the common items found in the various locations included Dell D-Family
Monitor stands, various types of Dell Monitors, Port Replicators, switches, switch cards, printers,
laptop computers, and desktop computers. In most cases, unopened IT equipment and supplies
were stored from floor to ceiling. Also, it should be noted that OIT did not attempt to store this
equipment by type. Equipment appeared to have been stored according to the availability of
space. Given the fact that IT equipment is outdated within a few years, OIG questions the need
to maintain an inventory of monitors, monitor stands, and computers.

Exhibit 1 - Pictures of IT equipment stored in overhead bins and cabinets in or near
managers’ workstations.

Exhibit 1 - Supplies stored in overhead bins and storage cabinets in OIT

Exhibits 2 through 5 show storage conditions throughout Headquarters.

Exhibit 2 - Headquarters Room 3114 - Dell D Family Monitors and Dell D/Port Advanced Port
Replicators

Exhibit 3 - Headquarters Room 3114 - Additional Dell D-Family Monitor Stands stacked to ceiling

Exhibit 4 - 4th floor DSSD Storage Room - Flat Panel Monitors And Dell Central Processing
units.

Exhibit 5 - 5th floor LAN Room - Dell Port Replicators, Dell Monitors

Recommendations

OIG recommends that the Director of the Office of Information Technology:

     • Develop an inventory control system to account for IT items stored at the EEOC
       Headquarters. The system should be able to provide on hand quantities and a total value
       of the inventory on demand. Also, the system should require that all like items be stored
       together.
     • Ensure that an inventory is taken of all OIT stored equipment in Headquarters EEOC by
       September 30 of each fiscal year. This should include determining the value of this
       equipment and an evaluation of the usefulness of the equipment.
     • Ensure that the results of the inventory are entered into the Fixed Asset Subsystem
       (FAS).
     • Determine the need to maintain an inventory of stored IT equipment.

Management’s Comments:

OIT would like to point out that we have been following OCFOAS guidance in tracking IT
equipment, which requires us to record in the agency’s inventory system, Fixed Asset Subsystem
(FAS), any equipment that is over $1000 in value. Equipment that meets this criterion is recorded
and maintained in the FAS, regardless of whether the equipment is being used in the employee’s
workstation or located in storage spaces.

In addition, due to inadequate space made available to store IT equipment, when large shipments
arrive, we must put them wherever we can find space. This results in items being stored in any
available space including closets, hallways, offices, and workstations. We also used our
conference room as a work space to configure computers and our locked offices for temporary
storage. For years, OIT has been requesting storage space for safekeeping IT equipment as well
as space for performing equipment setup, configuration and testing. However, adequate storage
space has not been provided.

The OIG report failed to mention that the closets are kept locked and keys are restricted to
specific personnel. Similarly, equipment kept in managers’ offices are locked with only the
manager possessing a key to it. For instance, Figure 1 on Page 4 of the OIG report reflects the
overhead compartment in a manager’s locked office, which included a few computer books,
memory chips, and other computer supplies. This very same manager informed the OIG
investigator that he keeps a log on his computer to track when someone takes these items from
his office. This manager is an operations manager and equipment in his office is composed of
primarily small components and computer supplies.

We are concerned that the OIG report did not mention or address any physical security issues in
the headquarters building as it is critical to the inventory control process. Despite the presence of
guards and video cameras, a thief was able to remove AV and IT equipment from the
headquarters building over a period of several months. If the purpose of the Report was to
identify gaps in inventory control, then this one large gap should be recognized and addressed.

OIG’s Response:

We maintain that OIT should inventory and account for its inventory of “smaller computer
components and supplies”. These items may cost less than $1,000 individually; however, on an
aggregate basis, we believe the value will far exceed the $1,000 threshold referred to by OIT in
its comments. Also, we question the validity of OIT’s comment relating to the high turnover rate
on some stored items given as a reason for not warranting an inventory of all items. We found
many items such as Dell D-Family Monitor stands, Battery Cartridges, and monitors in unopened
boxes, and other various computer related items that, in our opinion, should be inventoried and
evaluated to determine their usefulness at EEOC. Because the life expectancy of IT equipment is
usually a few years, we believe that OIT will find that some of the equipment referred to as
“smaller computer components and supplies” are outdated and should be excessed.

OIT also included in their comments remarks relating to storage space and the fact that adequate
storage space has not been provided. Further, they state that OIG failed to acknowledge this as
the true source of the problem. We disagree. In our opinion the bigger issue is not where the
equipment was stored but the fact that controls relating to keeping track of what was stored were
weak. Evaluating the adequacy of storage space and requirements was never an objective of this
audit.

With regard to OIT’s comment that IT equipment is stored in locked rooms or closets that have
keys in the hands of a very few IT staff, we found that a complete listing of key holders for all
OIT storage locations did not exist. We found three instances where keys that were issued could
not be accounted for.

OIT makes mention of a manager who has been maintaining a log to keep track of his inventory
of computer supplies. During our initial inquiry this manager indicated that he did not maintain
any logs. Subsequent to the receipt of OIT’s comments to our draft report, we revisited this
manager and obtained a copy of his log. He maintains an entry in his personal data assistant
(PDA) described as Hard Drive Disbursement- 80 GB. In our opinion, this log is not adequate
since it does not include a beginning or ending balance and doesn’t always show the quantities
disbursed or when they were disbursed. Further, we note that all of the entries provided were
after our initial interview of March 4, 2005.

In their comments, OIT provides a discussion relating our audit issues with the recent thefts and
loss of equipment. OIG never reported or discussed in this report how the thefts occurred or
identified any evidence that OIT may have to show how the thief gained access to equipment
stored in locked locations.

Finally, OIT states they are concerned that OIG did not mention or address any physical security
issues in the headquarters building. Evaluating physical security and evaluating the adequacy of
and requirements for storage space were never objectives of this audit and were not included in
our scope. During the entrance conference, we indicated that the purpose of our audit was to
evaluate the adequacy of controls over IT equipment at Headquarters EEOC. Specifically, we
planned to evaluate the various cycles relating to IT equipment including the procurement,
receipt, inventory, distribution, and disposition of excess and obsolete IT equipment.

Accuracy of the Fixed Asset Subsystem Needs to be Improved

The Fixed Asset Subsystem (FAS) needed to be updated to capture all IT property. During our
testing, we noted that 22 of 147 items randomly selected were not included in the FAS system’s
EEC 453 Reports – Detailed Subsidiary for Accountable/Sensitive Property. Further, 13 (59%)
of the 22 items not found in the EEC 453 reports were not in the FAS system. We also noted
that the FAS was not updated to reflect changes submitted by property custodians. We found
instances where property custodians submitted required forms to report changes in their property
inventory but the changes were not made in subsequent FAS reports. Because of these
weaknesses, we question the validity of the 12,370 items valued at $14,364,202.11 reported in
the FAS system’s reports as of January 31, 2005.
      Criteria

      EEOC Order 320.001, Management and Control of Accountable Personal Property provides
      specific guidance pertaining to the general area of personal property management. Ten days after
      receipt of new property items, custodial property officers are required to submit EEOC Form
      574, Physical Inventory Reporting Form to the Resource Management Division. The Resource
      Management Division is responsible for entering this information into the Fixed Asset
      Subsystem (FAS). Additionally, Standard Form (SF) 120 Report of Excess Personal Property
      and SF 122 Transfer Order Excess Personal Property are used to report changes in excess
      property and property transfers between agencies.

      Background

      During our audit, we requested an inventory listing of all Headquarters information technology
      property. We were provided copies of EEC Report 453-Detailed Subsidiary for
      Accountable/Sensitive Property from the Fixed Asset System (FAS) as of 1/31/05 and 3/31/05.
      The EEC Report 453 is separated by each Headquarters’ office and includes EEOC’s catalog
      code, serial number, description, bar code number, property custodian, purchase order number,
      date placed in service, useful life, cost, and book value. OIG randomly selected IT equipment in
      Headquarters’ offices to test the accuracy of the EEC Report 453. OIG compared actual
      barcodes and serial numbers found on selected IT equipment by office locations to information
      in the EEC Report 453. This test was completed in the: Office of Inspector General (OIG),
      Office of Field Programs (OFP), Office of Human Resources (OHR), and the Office of General
      Counsel (OGC). Our testing revealed that 22 (15%) of the 147 items randomly selected were not
      listed in the Fixed Asset System. The results of our testing are summarized in the Table-1
      below:

      Table -1 Results of Test of Fixed Asset Subsystem

Office                               # Items Tested   Total Items Included   Items Not in FAS/
                                                         in FAS System          Exceptions
Office of Inspector General (OIG)          22                  46                    4
Office of Field Programs (OFP)             37                 340                    7
Office of Human Resources (OHR)            26                 187                    5
Office of General Counsel (OGC)            62                 262                    6
Total                                     147                                       22

      For the 22 items located in Headquarters but not included in the EEC 453 report, OIG contacted
      Fiscal Management Coordinating Staff in the Office of the Chief Financial Officer and
      Administrative Services (OCFO/AS) for assistance in determining why these items were not in
      the EEC 453 report. They were able to query the FAS system using barcodes and in nine (9)
      cases found information relating to the IT property in question. However, they were not able to
      determine where the property was located because that information was never entered into the
      system. Thirteen (59%) of the 22 items were not in the FAS system. These 13 items were not in
the EEC 453 Report nor could they be located by barcode through a FAS inquiry. The results of
the FAS inquiry of property not found in the EEC453 report are summarized in Table-2 below:

Table -2 – Results of FAS Inquiry of Property Not In EEC 453 Report

           Type of                                 Included in      Per Fixed Asset
          Equipment        Office   Bar Code #  EEC453, 3/31/2005   Summary Inquiry
           Monitor          OFP       213602           No                 Yes
             CPU            OFP       133669           No                 Yes
             CPU            OFP       208403           No                 Yes
           Monitor          OFP       212402           No                 No
           Monitor          OFP       211794           No                 No
           Monitor          OFP       212405           No                 No
           Monitor          OFP       211982           No                 No
             CPU            OHR       122730           No                 Yes
             CPU            OHR       125930           No                 Yes
             CPU            OHR       133842           No                 Yes
           Monitor          OHR       212019           No                 Yes
            Printer         OHR       121154           No                 No
             CPU            OIG       131169           No                 Yes
             CPU            OIG       134239           No                 No
             CPU            OIG       136302           No                 Yes
           Monitor          OIG       213940           No                 No
             CPU            OGC       137901           No                 No
           Monitor          OGC       208812           No                 No
           Monitor          OGC       214578           No                 No
             CPU            OGC       137890           No                 No
            Printer         OGC       133937           No                 No
             CPU            OGC         328            No                 No

Additional examples of FAS inaccuracy were found in our review of the EEC Report 453 dated
1/31/05, for the Office of Inspector General. The report included six (6) non-OIG employees as
property custodians along with OIG’s official property custodian. We noted that this was
corrected in the EEC Report 453 dated 3/31/05. Also, the 1/31/05 report only contained eight (8)
of the twelve central processing units and eleven of the twelve monitors assigned to OIG. The
3/31/05 EEC Report 453 had been updated to reflect some of the additions made by OIG’s
property custodian in January 2005 but still missed three (3) of the twelve CPUs and one monitor
assigned to OIG.

                                     Recommendations

OIG recommends that the Director, Office of the Chief Financial Officer and Administrative
Services (OCFOAS):
   1. Conduct a 100% inventory of all EEOC Headquarters non-IT property, in accordance
      with EEOC Order 320.001 Management and Control of Accountable Personal Property,
      during the 1st and 3rd quarter of each fiscal year to ensure that property records are
      accurate by the end of the fiscal year.
   2. Prior to conducting the semiannual physical inventories, consider using electronic
      prompts periodically to reiterate to property custodians the importance of reviewing their
      FAS Report 453s periodically and identifying any changes since the last inventory so that
      information can be entered into the Fixed Asset Subsystem (FAS).

Management’s Comments:

All non-IT changes, for headquarters and field offices, are processed through FAS by Office of
Chief Financial Officer and Administrative Services (OCFOAS) staff. IT-related changes are
processed for field offices by the local IT Specialist. IT-related changes at headquarters are
processed by the Office of Information Technology (OIT). OCFOAS is aware of only a few
instances where non-IT changes were not properly processed and these were corrected as soon as
the appropriate property custodian provided notification.

In some cases, property was not on the 453 dated March 31, 2005, however, the property was
located in (FAS). We researched this and determined that this was a timing issue. All of the
property that appeared in FAS was on the EEC 453 report dated April 29, 2005. The EEC 453 is
a monthly report. Apparently, these items were entered in the system during the month of April.

The FAS system became operational in 2002. Since then, per EEOC Order 320.001, we have
relied on Headquarters and Field Office Directors to serve as Accountable Property Managers
(APO’s) who are responsible for their respective office’s accountable personal property,
including computer equipment.

In order to spot check property reported by headquarters and field offices for inclusion, change,
or deletion in FAS, OCFOAS will conduct periodic random sampling of inventories. The results
of the random sampling will be reported to the applicable office and, if any deficiencies are
noted, they will be included in the FMIA submission.

OIG’s recommendation to send out periodic reminders to offices that they should monitor FAS
reports and send in Form 574’s to note changes will be implemented.

OIG’s Response:

The Office of the Chief Financial Officer generally agreed with our finding and
recommendations. The CFO stated that they will begin to spot check property reported by
headquarters and field offices for inclusion, change, or deletion in FAS and will conduct periodic
random sampling of inventories. The results of which will be reported to the applicable office
and, if any deficiencies are noted, they will be included in the FMFIA submissions. In addition
to taking these steps to verify information reported, the CFO should also consider randomly
selecting property items and testing to see if they have been included in the Fixed Asset
Subsystem and informing offices of any such deficiencies for inclusion in FMFIA submissions.

OIG recommends that the Director, Office of Information Technology:

     • Conduct a 100% inventory of all EEOC Headquarters IT property to ensure that property
       records are accurate by the end of the fiscal year.

Management’s Comments:

Although the IT inventory information for headquarters is being entered into FAS by an OIT
staff and field information is being entered by field staff, Appendix A of EEOC Order 320.001,
Management and Control of Accountable Personal Property, states that OCFOAS will be
responsible for data entry of all inventory (See Page A-3, lc under Chapter II of the Order).
Accordingly, the OCFOAS is the owner of FAS and is responsible for inventory data within
FAS. Therefore, we believe that it is more appropriate for the OIG recommendation to be
directed to OCFOAS instead of OIT.

Nevertheless, we do agree with OIG that accuracy of the Fixed Asset Subsystem needs to be
improved… We plan to establish additional controls to periodically review FAS reports as well
as conducting physical inventory checks against FAS reports.

OIG’s Response:

The Office of Information Technology agrees that the accuracy of the FAS needs to be improved
and plans to establish additional controls to periodically review the FAS reports, as well as
conduct physical inventory checks against FAS reports. However, OIT maintains that since
OCFOAS is the owner of the FAS, they are responsible for inventory data within FAS. OIG
disagrees with OIT’s logic and finds ensuring that the results of the IT inventory are entered into
the FAS is a shared responsibility between OCFOAS and OIT. This is especially true since the
OCFOAS relies upon offices to submit complete and accurate personal property certification
reports of all accountable property.

Lack of Controls Over IT Purchases for Fair Employment Practices Agencies

The Office of Field Programs (OFP) failed to verify that IT equipment purchased and shipped
directly from the vendor to various Fair Employment Practices Agencies (FEPAs)(1) was
received. Additionally, OFP failed to follow the agency’s bar coding policy for accountable
property which requires that all accountable property be bar coded within ten (10) days. As a
result, there are no assurances that property valued at $161,300 was received and is being
properly accounted for at this time.

Criteria

EEOC Order Number 320.001, Personal Property and Supply Management, Accountability and
Control provides Agency policies and procedures pertaining to the general area of personal
property management. This order also introduces an Integrated Financial Management System
and the Fixed Asset Subsystem (FAS), for the accountability and physical control of all EEOC-
owned personal property. On March 31, 2004, the CFO issued a Memorandum to Administrative
Officers and Budget Analysts which updated business processes at the EEOC. This CFO memo
requires that an EEOC Form 112-Delivery Receipt be prepared for all IT equipment, software,
supplies, and services that have been shipped directly to the field by the vendor, where the
purchase order originated in the Office of Information Technology (OIT).


(1) A Fair Employment Practices Agency is a state or local authority that investigates and resolves
charges of employment discrimination filed under Title VII, ADA, and/or the ADEA and
compatible state and/or local ordinances in partnership with the EEOC. There were a total of 92
FEPAs as of March 31, 2003. All FEPAs received PCs from the EEOC.

Background

Between September 2004 and October 2004, the Office of Field Programs purchased 96
computers at a cost of $161,300.00 for use in FEPA offices. Of the 96 computers, 92 were
shipped directly from the vendor to the FEPA with the remaining four (4) being shipped to
Headquarters, EEOC. OFP personnel provided OIG a copy of the consolidated invoice from the
vendor identifying where the vendor had shipped the goods. However, they were unable to show
proof that the various FEPAs had actually received the equipment. Also, there were no attempts
made by OFP to contact the FEPA offices to verify that the purchased equipment had been
received. Over two (2) months passed before OFP entered manufacturer’s serial numbers
relating to this equipment purchase into the Fixed Asset System (FAS) and assigned bar code
stickers for each computer. However, as of April 2005, the bar code stickers were still in
Headquarters and had not been applied to the equipment because they were not certain that the
computers having the serial numbers identified on the vendor invoice were actually located at the
FEPA listed on the invoice.

Recommendations

OIG recommends that the Director of Office of Field Programs:

     • Verify the receipt of IT equipment (purchased September – October 2004) shipped
       directly to the Fair Employment Practices Agencies (FEPAs) from the Vendor.
     • Prepare and submit the required Form 112 - Delivery Receipt and Form 574 Physical
       Inventory Reporting/Acknowledgement Form in accordance with the March 31, 2004
       CFO Memo to Administrative Officers and Budget Analysts.
     • Apply bar codes to the EEOC property issued to the FEPAs, once the locations and
       manufacturer’s serial numbers have been verified.
     • Require FEPA Coordinators in field offices to report periodically on the condition and
       use of the EEOC IT equipment purchased for the FEPAs to ensure that the Fixed Asset
       System accurately accounts for all EEOC-owned equipment.

Management’s Comments:

Regarding the purchase of IT equipment for the FEPAs, there were some questions initially
deciding ownership for the equipment. Until those questions were resolved, it was not
appropriate to assign barcodes and put the equipment into our inventory. When the questions
were resolved, a process was put into place to both assign and affix the barcodes and enter the
information for the equipment in the Fixed Asset System (FAS).

With regard to entering the information into FAS, since OIT normally enters all serial numbers
for computer equipment in the FAS for Headquarters, OFP did not have access to the system and
members of the staff had not received training in the use of the system. However, after resolving
the issue of ownership, OFP agreed to enter the information in FAS, but encountered a delay
while obtaining access to the system and adequate training to ensure that we were entering the
information correctly. Once we received access and completed the training, we immediately
entered the information into FAS.

In furtherance of the recommendations in your draft report, we propose the following procedures
for purposes of tracking subject equipment, which we believe address the issues contained in this
report:

   1. We will send a Form 112- Delivery Report to each FEPA and request that they complete
      them and return them to OFP, State and Local Programs. We will include information on
      the location, barcodes and serial number of each item. We will maintain a copy of these
      documents in OFP.
   2. We will develop a process for periodically checking and reporting on the condition and
      use of the equipment purchased for the FEPAs either as part of our regular technical
      assistance visits to the field, by requesting that State and Local Coordinators make onsite
      visits to the FEPAs, as resources allow, or by a combination of the two.

OIG’s Response:

OIG Concurs.

IT Property Losses Not Included In FY 2004 FMFIA Reports to the Chair
FMFIA reports submitted to the Chair by Office Directors did not include information about
deficiencies in controls that allowed IT equipment to be removed or stolen from EEOC
Headquarters during FY 2004. As was noted earlier, IT property with an estimated value of
$51,083 was reported missing/stolen between April 29, 2004 and September 28, 2004 on EEOC
Form 629s, Report of Loss, Theft, or Incident, reviewed by OIG. Even though the EEOC Form
629s were completed, Office Directors made no mention of these property losses in their FY
2004 FMFIA submissions or identified steps they would take in the future to prevent such
occurrences. As a result, the Chair was not provided reasonable assurance that management
controls were effective in detecting losses or thefts of IT equipment in FY 2004. Further,
although the dollar amount of the losses was not material and the failure to disclose the thefts
    may not have been intentional, the accuracy of the Agency’s report to the President and Congress
    is compromised.

    Criteria

    Agency heads are required to establish controls that reasonably ensure that (i) obligations and
    costs comply with applicable laws; (ii) assets are safeguarded against waste, loss, unauthorized
    use or misappropriation and (iii) revenues and expenditures are properly recorded and accounted
    for. Each year, agency heads must evaluate and report on the effectiveness of their management
    control program to the President and Congress.

    EEOC Order 240.005- EEOC Information Security Program clearly states that agency employees
    are responsible for protecting IT resources from unauthorized use or theft. Office Directors and
    the office’s designated System Security Officer are responsible for defining and establishing the
    appropriate levels of control needed to safeguard their office’s information systems and IT
    resources.

    Additionally, in May 2004, EEOC’s Chief Operating Officer issued a memo to Headquarters and
    Field Directors reminding them of their responsibilities for ensuring the security and
    accountability of IT equipment. Further, examples of specific internal controls were provided along
    with the requirement to report missing, lost or stolen IT equipment through the use of EEOC
    Form 629-Report of Loss, Theft, or Incident. In October 2004, the Chief Financial Officer
    followed up with a memo providing a refresher on timely reporting of loss, theft or incidents
    involving property, as well as staff’s responsibility to ensure effective internal controls are in
    place to safeguard the agency’s IT equipment.

    Background

    During FY 2004, there were four (4) incidents reported involving missing or stolen IT
    equipment. The chart below provides specific details relating to these incidents. Also, as
    indicated in the chart, none of the incidents were reported as deficiencies in the functional area
    reports submitted to support the Chair’s FY 2004 Assurance Statement to the President and
    Congress.

    Chart 1- Summary of EEOC Forms 629- Reports of Loss, Theft or Incident Relating to IT
    Equipment Submitted During FY 2004

Item Reported Missing           Date Item  Item     Office     Estimated   Serial No.        Item Noted in
                                Reported   Missing  Reporting  Value                         FY 2004
                                Missing    by:      Loss                                     FMFIA
------------------------------  ---------  -------  ---------  ----------  ----------------  -------------
(1) Ikegami HL-V75W Digital     9/10/2004  Theft    OIT        $25,000.00  LB1433            NO
Camera Recorder and Travel
Case

(1) View Sonic 17" LCD          9/23/2004  Loss     OIT        $519.00     AZW 642401713     NO
Monitor w/Speakers &
Removable Stand, Model #
VG710.

(13) Cisco Catalyst 2950C-24    9/28/2004  Loss     OIT        $17,500.00  FOC0828X24A       NO
Network Switch, 24 (port)                                                  FOC0825X22G
10/100 and 2 (ports) 100                                                   FOC0825X23J
Base_FX uplink, Cisco Part #                                               FOC0825W1ZG
WS-2950C-24 (est. Value                                                    FOC0825W1ZF
$1,326.41 each)                                                            FOC0825W1Y7
                                                                           FOC0825X22T
                                                                           FOC0825X22T
                                                                           FOC0825W1Z7
                                                                           FOC0825W1Z1
                                                                           FOC0825W1Z8
                                                                           FOC0825W1Z6
                                                                           FOC0825X23W

(4) Dell Latitude D600 Laptop   4/29/2004  Theft    OFP        $8,064.00   1-S/N: 6J86L31,   NO
Computers & (4) Optical Mouse                                              2-S/N: HF27L31,
Devices                                                                    3-S/N: CV17L31,
                                                                           4-S/N: 5J86L31.

    In reviewing the EEOC Forms 629-Report of Loss, Theft, or Incident submitted during FY 2004
    relating to missing/stolen IT equipment, we noted that two of the four forms submitted did not
    indicate that an administrative officer, supervisor or management official had been notified of the
    incident. These two incidents involved property having estimated combined values of $42,500.
    This may be an indication that supervisors/managers are not being informed of property losses
    and/or that internal controls are not being evaluated periodically by staff to support Office
    Directors’ annual assurance statements to the Chair.

    OIG compared the EEOC Forms 629-Report of Loss, Theft or Incident submitted during FY
    2004 to the FY 2004 annual FMFIA reporting packages submitted by Office Directors to
    determine if any internal control weaknesses or deficiencies relating to the management of IT
    property had been disclosed. None of the FMFIA reporting packages submitted by Office
    Directors contained any details relating to lost, missing, or stolen IT property. However, the
    Chief Financial Officer (CFO) whose office has primary responsibility for property management
    did note that reported thefts in Headquarters and in some field offices were being investigated
    and that the adequacy of controls would be evaluated for improvement during FY 2005.
    However, the FMFIA report to the Chair clearly stated that “No deficiencies were identified” by
    Headquarters Offices or District Offices.

    Recommendation:

    We recommend that all EEOC Office Directors for the FY 2006 FMFIA reporting cycle:
     • Perform formal internal control reviews specifically for IT equipment by documenting
       the controls in place and the extent of testing of these controls (i.e. physical inventory,
       need to excess equipment, access to equipment). All weaknesses should be reported along
       with action plans to correct them.

Management’s Comments:

OCFOAS concurs with OIG’s recommendation that all EEOC Office Directors perform internal
control reviews for IT equipment.

OIT agrees with the OIG on FMFIA reporting and that offices should report missing or stolen
equipment on FMFIA reports. Even though OIT reported equipment missing they failed to
include this information in their FMFIA reports for FY 2004. EEOC Order 195.001,
Management Accountability and Controls section 8(e)(4) Identifying Deficiencies and Material
weaknesses in Controls states:

“EEOC managers and staff are encouraged to identify and report deficiencies in management
controls. Reporting deficiencies reflect positively in the agency’s commitment to recognize and
address management areas of concern. In contrast, failure to report a known deficiency reflects
adversely on offices and the agency as a whole.”

The Office of Research, Information, and Planning (ORIP) comments:

Regarding, “IT Property Losses Not Included in FY 2004 FMFIA Reports to the Chair”, you
indicate that the 2004 losses were not material and the loss may not have been intentional. Since
the losses were not material, I do not believe that it necessarily follows that the Agency’s report
to the President and Congress is compromised. Because the Chair probably would not have
determined that this controls issue was material, even if it had been reported she would not have
reported it to the President and Congress anyhow. Her report would therefore not have been
“compromised” by the absence of this information in the first place. I think that the nexus made
in the report should be removed.

OIG’s Response:

OIG disagrees and believes that the Chair should have at least been informed of the property
losses and given an opportunity to make the decision on her own whether or not the information
should be reported to the President and Congress. OMB Circular A-123, Management’s
Responsibility for Internal Controls, section IV(B) Identification of Deficiencies states that
agency employees and managers shall report control deficiencies to the next supervisory level,
which will allow the chain of command structure to determine the relative importance of each
deficiency.

The Office of Field Programs comments:

Regarding the four Dell Latitude D600 Laptop Computers and four Optical Mouse Devices,
which we did not report as deficiencies in the functional area reports submitted in support of the
Chair’s FY 2004 Assurance Statement to the President and Congress, this equipment was not
part of OFP’s equipment inventory. The equipment was OIT’s and was set up by them for OFP’s
use in the OCLA conference room. The theft was reported to OIT.

OIG’s Response:

In OIG’s opinion it would have been a good business practice for OFP to have included the
stolen computer equipment in their FY 2004 functional area reports, especially since they were
responsible for safekeeping of the equipment when the thefts occurred.

Other General Comments

In their comments, OIT makes the statement “Had the OIG conducted an exit interview with OIT
prior to the distribution of the draft report, many of the inaccuracies could have been discussed
and issues clarified. Instead a meeting was conducted after the distribution of the draft report, at
the request of OIT.”

OIG’s Response:

OIG disagrees that there are many inaccuracies and stands by the information contained in this
report. Further, OIG’s Senior Auditor met with the Director, Office of Information Technology
on August 5, 2005 prior to releasing the Draft Report to the Chair. At that meeting, each finding
was discussed with the OIT Director and OIG invited the OIT Director to contact our office if
additional questions arose later or if they had issues with information in the report. OIT
contacted OIG requesting a meeting to clarify a few issues in the report a few days later. A
meeting was held on August 11, 2005 between OIT staff and OIG’s Senior Auditor. To ensure
better communications OIG will provide draft reports to auditees in advance of formal Exit
Conferences where affected Office Directors or their representatives must attend.

                                       Audit Follow Up

The Office of Management and Budget issued Circular Number A-50, Audit Follow up, to
ensure that corrective action on audit findings and recommendations proceed as rapidly as
possible. EEOC Order 192.002, Audit Follow up Program, implements Circular Number A-50
and requires that for resolved recommendations, a corrective action work plan should be
submitted within 30 days of the final evaluation report date describing specific tasks and
completion dates necessary to implement audit recommendations. Circular Number A-50
requires prompt resolution and corrective action on audit recommendations. Resolutions should
be made within six months of final report issuance.