U.S. Equal Employment Opportunity Commission
Office of Inspector General
Semiannual Report to the U.S. Congress
October 1, 2015–March 31, 2016
Milton A. Mayo Jr.
Inspector General

EEOC OFFICE OF INSPECTOR GENERAL SEMIANNUAL REPORT
OIG Semiannual Report October 1, 2015–March 31, 2016

OIG VISION

Effective, efficient, and accountable management of Agency programs, operations, and personnel.

OIG MISSION

To detect and prevent waste, fraud, and abuse, and promote economy, efficiency, and effectiveness in the programs and operations of the Equal Employment Opportunity Commission.

CONTENTS

Message from the Inspector General
Executive Summary
Introduction
The Audit and Evaluation Program
    Completed Projects
    New and Ongoing Audit and Evaluation Projects
    Audit Follow-up
The Investigation Program
    Investigative Inquiries
    Completed Investigative Activities
    Ongoing Investigative Activities
Appendixes
    Appendix I. Final OIG Audit and Evaluation Reports
    Appendix II. Index of Reporting Requirements
    Appendix III. Single Audit Act Reports

Message from the Inspector General

In accordance with the Inspector General Act of 1978, as amended, I herewith submit the semiannual report for the period October 1, 2015, through March 31, 2016, which summarizes the major activities of our office for the reporting period.
Section 5 of the Inspector General Act requires the Chair to transmit this report to the appropriate committees or subcommittees of Congress within 30 days of its receipt. During this reporting period the OIG commenced its first formal review of the Office of General Counsel’s (OGC) litigation program in an effort, primarily, to better understand its goals, operations, and the culture of that office. Additionally, we seek to provide the OGC with data that may be useful in shaping its strategic and operational planning in the near term. We plan to report our findings in the third quarter of FY 2016. We took note of the Agency’s efforts to implement Chair Jenny R. Yang’s vision for improving organizational accountability through the Agency’s March 2016 three-day Senior Leadership Summit premised on the OZ Principle. In the words of the 35th President of the United States, John F. Kennedy: “Leadership and learning are indispensable to each other.” Additionally, we took note of the Agency’s commitment to better utilize technology to improve organizational performance as evidenced by the activities of its recently hired Chief Information Officer. While we plan to evaluate these initiatives in the future, it is our opinion that a continuous sustained commitment to the goals of improving accountability and its use of technology will likely improve the Agency’s success in achieving its mission to Stop and Remedy Unlawful Employment Discrimination. During this period, the OIG issued 4 final audit/evaluation reports, completed 1 investigation, and received 246 hotline inquiries, of which 102 were charge processing issues, 73 were Title VII complaints, and 71 were other investigative allegations. Among the recommendations emphasized in the audit of the EEOC’s FY 2015 Financial Statements conducted by the certified public accounting firm of Harper, Rains, Knight & Company, P.A. 
(HRK), was the need for improving the Agency’s process for compiling the annual Performance and Accountability Report (PAR). We echo HRK’s recommendations to ensure that all OMB submission deadlines are met and to minimize the potential for edits required close to the final PAR submission deadline. As always, we appreciate the support and cooperation extended to us by Chair Jenny Yang and agency staff.

Regards,
Milton A. Mayo Jr
Inspector General

EXECUTIVE SUMMARY

This semiannual report is issued by the Equal Employment Opportunity Commission’s (EEOC’s) Office of Inspector General (OIG) pursuant to the Inspector General Act of 1978, as amended. It summarizes the OIG’s activities and accomplishments for October 1, 2015, through March 31, 2016.

During this period, the OIG issued 4 final audit/evaluation reports, completed 1 investigation, and received 246 hotline inquiries, of which 102 were charge processing issues, 73 were Title VII complaints, and 71 were other investigative allegations.

The OIG’s completed, newly initiated, and ongoing audit, evaluation, and investigative projects include the following:

- The Government Charge Card Abuse Prevention Act of 2012 requires inspectors general of executive agencies to conduct periodic assessments of audits of purchase card and travel card programs to identify and analyze the risks of illegal, improper, or erroneous purchases and payments. Based on our risk assessment, we determined that the risk of illegal, improper, or erroneous use in the EEOC’s purchase card program is low.
- The OIG received a congressional request to review a Commissioner’s charge (a charge filed by an EEOC Commissioner against a private sector respondent). We will report our findings in the third quarter of FY 2016.
- The OIG received an allegation of someone impersonating a charging party during the mediation of a charge of discrimination, and wrongfully accepting $5,000 from the respondent as a settlement in the charge of discrimination. The OIG investigation established there was no criminal intent by the party involved in the mediation hearing.
- The OIG contracted with Brown & Company CPAs, PLLC (Brown & Company), to conduct an independent evaluation of EEOC’s compliance with the provisions of the Federal Information Security Modernization Act of 2014 (FISMA). Based on the results of the evaluation, Brown & Company concluded that the agency has made positive strides in addressing information security weaknesses, but that it still faces challenges to fully implementing information security requirements as stipulated in various federal guidelines and mandates.

INTRODUCTION

The Equal Employment Opportunity Commission

The Equal Employment Opportunity Commission (EEOC) is the Federal agency responsible for enforcement of Title VII of the Civil Rights Act of 1964, as amended; the Equal Pay Act of 1963; the Age Discrimination in Employment Act of 1967; Sections 501 and 505 of the Rehabilitation Act of 1973 (in the Federal sector only); Title I of the Americans with Disabilities Act of 1990 and the Americans with Disabilities Act Amendments Act of 2008; Sections 102 and 103 of the Civil Rights Act of 1991; the Lilly Ledbetter Fair Pay Act of 2009; and the Genetic Information Nondiscrimination Act of 2008 (P.L. 110-233 Stat. 881), also referred to as GINA. These statutes prohibit employment discrimination based on race, sex, color, religion, national origin, age, disability, or genetic information.
EEOC is also responsible for carrying out Executive Order 12067, which promotes coordination and minimizes conflict and duplication among Federal agencies that administer statutes or regulations involving employment discrimination.

EEOC is a bipartisan commission composed of five presidentially appointed members, including a Chair, a Vice Chair, and three Commissioners. The Chair is responsible for the administration and implementation of policy and for the Commission’s financial management and organizational development. The Vice Chair and the Commissioners equally participate in developing and approving EEOC policies, issuing charges of discrimination where appropriate, and authorizing the filing of lawsuits. In addition, the President appoints a General Counsel, who is responsible for conducting litigation under the laws enforced by the Commission.

An Accountability Driven Culture

During the reporting period, senior Agency leaders took significant steps toward achieving an effective, efficient, and accountable environment. Accountability was the focus of a three-day Senior Leadership Summit in March 2016 and the impetus of Chair Yang’s Agency-wide initiative to create a culture of accountability. The overarching goal of the summit was to begin to align the Agency’s leadership team around a culture of accountability. Partners in Leadership facilitated the meeting, which laid out the foundation for developing a culture of accountability across the Agency using the OZ Principle outlined in The OZ Principle, by Roger Connors, Tom Smith, and Craig Hickman, which presents a straightforward approach to attaining individual and organizational accountability. The training focused on steps to accountability that employees at all levels can utilize in their work every day.
Agency leaders learned strategies for staying “above the line,” where the focus is on reality, ownership, commitment, solutions to problems, and determined action, and also learned how to avoid languishing “below the line,” where people employ a variety of tactics to sidestep accountability. Leaders were tasked with committing to developing accountability plans for themselves and their organizations. The culture-of-accountability initiative will be introduced to the Agency workforce early in the third quarter.

Additionally, the Office of the Chief Human Capital Officer (OCHCO) made significant strides in addressing strategic human capital management challenges previously identified by OIG and the Office of Personnel Management in connection with the Agency’s succession planning efforts and leadership development.

Technology and Innovation

During the semiannual reporting period, the Agency hired a new chief information officer (CIO), Mr. Bryan Burnett. He was previously the CIO at the National Labor Relations Board. Upon joining the EEOC, Mr. Burnett found an Agency committed to implementing digital case processing from intake to resolution. Efforts were underway to transform the way the EEOC serves the public by making its charge, complaint, and appeal processes transparent and providing information to its constituents online and on demand. During his short time with the EEOC, the new CIO has moved quickly and innovatively to modernize Agency resources intended to increase the likelihood of success of these new and evolving critical digital case processing initiatives.
His actions include, in part:

- Procuring and deploying newer enabling tools such as Office 365, Microsoft Exchange Online, and Outlook to replace outmoded systems that the Agency currently supports as part of its infrastructure
- Procuring new digital-capable devices to replace eight-year-old laptops and further enhance digital workflows
- Planning for the deployment of enterprise wireless throughout the Agency to allow for greater worker mobility

The CIO’s efforts in soliciting input from the EEOC stakeholders and implementing industry best practices should position the EEOC to better capitalize on the highest and best use of 21st century digital services. While the OIG has not conducted any formal assessments to evaluate this technological innovation, it is our opinion that the EEOC appears to be on the path toward addressing the critical information technology needs and issues that have been repeatedly raised by customers, internal stakeholders (employees), external stakeholders (the public), and the Congress.

The Office of Inspector General

The U.S. Congress established the Office of Inspector General (OIG) at EEOC through the 1988 amendments to the Inspector General Act of 1978; these amendments expanded the authority of designated Federal entities to create independent and objective OIGs. Under the direction of the Inspector General (IG), the OIG meets this statutory responsibility by conducting and supervising audits, evaluations, and investigations relating to Agency programs and operations; providing leadership and coordination; and recommending policies for activities designed to promote economy, efficiency, and effectiveness in administering programs and operations.
In October 2008, Congress passed the Inspector General Reform Act of 2008, which generally buttressed the independence of IGs, increased their resources, and held them more accountable for their performance. The OIG is under the supervision of the IG, an independent EEOC official subject to the general supervision of the Chair. The IG must not be prevented or prohibited by the Chair or any other EEOC official from initiating, carrying out, or completing any audit, investigation, evaluation, or other inquiry, or from issuing any report. The IG provides overall direction, coordination, and leadership to the OIG; is the principal advisor to the Chair in connection with all audit and investigative matters relating to the prevention, identification, and elimination of waste in any EEOC program or operation; and recommends the proper boundaries of audit and investigation jurisdiction between the OIG and other EEOC organizations. The IG also develops a separate and independent annual budget for the OIG; responds directly to inquiries from the public, Congress, or the news media; and prepares press releases, statements, and other information about the OIG’s activities. The Deputy Inspector General serves as the IG’s alter ego and participates fully in policy development and in management of the OIG’s diverse audit, investigation, evaluation, and support operations. The Counsel to the Inspector General is the sole legal advisor in the OIG, providing day-to-day guidance to the OIG’s investigation team, and is the primary liaison with Agency legal components and the Department of Justice. In addition to these positions, the OIG staff includes a chief technology officer, an evaluator, two auditors, two criminal investigators, an administrative specialist, and a confidential support assistant. 
THE AUDIT AND EVALUATION PROGRAM

The Audit and Evaluation Program supports the OIG’s strategic goal of improving the economy, efficiency, and effectiveness of EEOC programs, operations, and activities.

COMPLETED PROJECTS

Independent Evaluation: FY 2015 Federal Information Security Modernization Act

For fiscal year (FY) 2015, the U.S. Equal Employment Opportunity Commission (EEOC) Office of Inspector General (OIG) contracted with Brown & Company CPAs, PLLC (Brown & Company), to conduct an independent evaluation of EEOC’s compliance with the provisions of the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Based on the results of the evaluation, Brown & Company concluded that the agency has made positive strides in addressing information security weaknesses, but that it still faces challenges to fully implementing information security requirements as stipulated in various federal guidelines and mandates. This report contains seven FISMA findings and seven corresponding recommendations. The findings are as follows:

1. EEOC has no organization-wide information security program that documents and enforces implementation of common and hybrid controls among all EEOC information technology (IT) assets.
2. EEOC has not developed an organization-wide risk management strategy and processes.
3. EEOC should strengthen its work sharing agreement with Fair Employment Practices Agencies (FEPAs) to include a statement that requires FEPAs to implement information security controls to ensure that data and access to data are secured.
4. EEOC should prepare special security controls for its district, field, and area offices to ensure that information systems and information located at these offices are protected.
5. EEOC did not fully implement multifactor authentication to allow remote access to EEOC systems.
6. The enterprise-wide IT continuity/disaster recovery program that is established and operational at EEOC headquarters is not implemented and enforced at the EEOC field offices.
7. EEOC configuration management policy and procedures are not currently supported by automated tools and procedures to accurately and completely detect, identify, and account for changes to the information system component inventory.

Audit of the EEOC’s FY 2015 Financial Statements (OIG Report No. 2015-01-FIN)

The independent certified public accounting firm of Harper, Rains, Knight & Company, P.A. (HRK), audited the financial statements of the EEOC for FY 2015 and issued an unmodified opinion. HRK reported that EEOC’s fiscal year 2015 financial statements and notes were fairly presented, in all material respects, in accordance with accounting principles generally accepted in the United States of America. With regard to internal control over financial reporting, HRK noted one (1) material weakness relating to the lack of sufficient controls over financial management. Additionally, the lack of sufficient controls over supporting documentation for personnel expenses was identified as a significant deficiency. HRK noted no instances of noncompliance or other matters that were required to be reported under Government Auditing Standards or the Office of Management and Budget (OMB) Bulletin 15-02. The report was issued by OIG on November 16, 2015.

Management Letter Report for FY 2015 Financial Statement Audit (OIG Report No. 2015-02-FIN)

The management letter report issued by HRK in connection with the FY 2015 financial statement audit provides additional information about the material weakness and significant deficiency contained in the financial statement audit report dated November 16, 2015, as well as other identified control weaknesses. The management letter report identifies internal control deficiencies in the following areas:

Appendix A. Material Weaknesses
- Existence of expense items
- Potential of noncompliance with Anti-Deficiency Act
- Potential of noncompliance with Prompt Payment Act
- Ineffective internal control
- Missing prepared-by-client documentation

Appendix B. Significant Deficiency
- Lack of sufficient controls over supporting documentation for personnel expenses

Appendix C. Control Deficiencies
- Budget object class misclassifications
- Internal controls over financial reporting and noncompliance with OMB Circular A-136

HRK made the following recommendations:

EEOC maintain all documentation associated with its transactions. EEOC should review the retention procedures of its new service provider, and develop and document retention procedures over each type of transaction entered into its financial system. EEOC perform all assessments over their internal controls surrounding retention and accuracy of obligating supporting documentation in order to ensure compliance with the Anti-Deficiency Act. EEOC perform an assessment over their internal controls surrounding payment support retention and the payment of interest on late payments in order to comply with the Prompt Payment Act. Developing an assessment of EEOC’s internal control process in order to proactively manage and update internal controls.
This should minimally consist of EEOC documenting what controls are performed by their shared service provider and what controls are performed at EEOC to ensure management has a clear understanding of their responsibilities. EEOC update its controls over the maintenance of its accounting records to ensure that all documentation, whether held by EEOC or its shared service providers, is readily available. EEOC should coordinate with its service providers to identify the type of documentation that is available for each financial transaction, where that information is located, and how long the data is available for review. This information should be clearly documented in EEOC’s policies and procedures. Additionally, management should perform a thorough review of its files to ensure that documentation exists, is accurate, and is available for review. EEOC update its controls over the maintenance of its official personnel files. The controls currently in place are not capturing all changes to employee personnel files. EEOC should initiate new procedures to sample and review employee personnel files at least semi-annually to ensure that current documentation is included in the files. The EEOC office accountable for compiling the Performance and Accountability Report (PAR) create and enforce internal deliverable milestones to ensure all OMB submission deadlines are met. These internal deliverable milestones should extend to all EEOC offices and require these offices to provide their content to EEOC’s accountable office prior to the established milestones. Additionally, EEOC’s Office of the Chief Financial Officer (OCFO) should thoroughly review the final draft of the PAR prior to the submission to OMB and the auditors in order to minimize edits required close to the PAR’s final submission deadline.
This review should include a review of the financial statements against various federal reporting guidelines and checklists, such as the 2020 checklist for federal reporting and disclosures found in the Government Accountability Office’s Financial Audit Manual. EEOC should develop a more effective internal control process over financial reporting. This should minimally consist of EEOC documenting what controls are performed by the various departments and contractors utilized in the preparation of the PAR, a timeline of due dates for each department and contractor, and identification of overall responsibility of the completed PAR. EEOC strongly consider converting their annual reporting from a PAR to an Agency Financial Report (AFR). This move would separate the financial reporting from the program reporting and potentially alleviate the identified issues above.

FY 2016 audit procedures will determine whether the corrective actions have been implemented and are operating effectively. The report was issued by the OIG on January 15, 2016.

Report to OMB on Agency Progress in Implementing the Government Charge Card Abuse Prevention Act of 2012

In accordance with the audit and reporting requirements of the Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act), EEOC provided a status report on open purchase and travel card audit recommendations to the OMB. To date, 8 of the 10 recommendations contained in our March 26, 2013, report (OIG Report No. 2012-08-PURCH) remain open. These recommendations are aimed at strengthening the Agency’s internal controls over the charge card program. In response to these recommendations, the Agency’s Chief Financial Officer concurred with the recommendations and provided a corrective action plan.
We intend to conduct additional testing during our FY 2016 financial statement audit and will continue to work with our Agency’s audit follow-up official to address these remaining open recommendations. The report was issued on February 5, 2016.

FY 2015 Risk Assessment of the EEOC’s Purchase Card Program

The Charge Card Act requires inspectors general of executive agencies to conduct periodic assessments of audits of purchase card and travel card programs to identify and analyze the risks of illegal, improper, or erroneous purchases and payments. OMB Memorandum M-13-21, Implementation of the Government Charge Card Abuse Prevention Act of 2012, requires inspectors general to conduct annual risk assessments. Based on our risk assessment, we determined that the risk of illegal, improper, or erroneous use in the EEOC’s purchase card program is low. As a result, we will not include an audit of the purchase card program in OIG’s 2016 annual audit plan. We issued the report to the Chair on February 4, 2016.

Agency Compliance with the Federal Managers’ Financial Integrity Act (OIG Report No. 2015-01-FMFIA)

Agency policy directive EEOC Order 195.001 Management Accountability and Controls requires the OIG to annually provide a written advisory to the head of the Agency regarding whether the management control evaluation process complied with OMB guidelines. The OIG issued its annual report to the Chair on November 13, 2015, validating the Agency’s compliance with the Federal Managers’ Financial Integrity Act (FMFIA).
To make this determination, the OIG reviewed the following:

- Assurance statements submitted by headquarters and district office directors attesting that their systems of management accountability and control were effective and that use of resources under their control was consistent with the Agency’s mission and in compliance with the laws and regulations set out in FMFIA
- All functional area summary tables and functional area reports submitted by headquarters and field offices
- The FY 2015 FMFIA Assurance Statement and Assurance Statement Letter, with supporting documents, from the Office of Research, Information, and Planning (ORIP)

The OIG concluded that the Agency’s management control evaluation was conducted in accordance with OMB’s standards and concurred with ORIP’s assertion that the Agency had one material weakness during the reporting cycle.

NEW AND ONGOING AUDIT AND EVALUATION PROJECTS

FY 2016 Audit of the Consolidated EEOC Financial Statements

The OIG exercised the first option year of its contract with the public accounting firm of Harper, Rains, Knight & Co., P.A. (HRK), to perform the 2016 financial statement audit of the EEOC, which is required by the Accountability of Tax Dollars Act of 2002. To ensure that the OIG meets its mandated reporting deadline requirements, fieldwork is underway and the audit opinion will be included in the Agency’s 2016 Performance and Accountability Report. Shortly thereafter, the auditor will issue a management letter report identifying any internal control weaknesses.

Peer Review of the International Trade Commission

The EEOC OIG audit staff is conducting a Council of Inspectors General on Integrity and Efficiency external peer review of the audit operations of the International Trade Commission (ITC).
The objectives of the external peer review are to determine whether, for the period under review, the ITC Office of Inspector General’s system of audit quality control was suitably designed, and whether the organization is complying with its system of quality control in order to provide it with reasonable assurance of conforming with applicable professional standards in all material respects. Fieldwork is expected to be completed early in the third quarter, after which a system review report will be issued to the ITC OIG.

Improper Payments Reporting for FY 2015

The OIG has requested information from EEOC management to assist in identifying and reporting erroneous or improper payments relating to FY 2015. The Improper Payment Information Act (IPIA) of 2002, as amended by the Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA) and the Improper Payments Elimination and Recovery Act of 2010 (IPERA), requires agencies to estimate and report on improper payments, and agency actions to reduce them, to the President and Congress. This year, IPERIA requires the OIG to determine and report, by May 15, 2016, whether the Agency is in compliance with IPIA.

Evaluation of Litigation

The OIG contracted with the Urban Institute to conduct an evaluation that assesses the Agency’s litigation program. The Urban Institute is assessing the Agency’s litigation efforts, focusing on areas where gains in efficiency and effectiveness may be obtained. The draft and final reports will be completed in the third quarter of FY 2016.

Congressional Request

In December 2015, we received a formal written request from a Congressional delegation to review the EEOC’s use of a Commissioner’s charge in a manner the delegation believes to be a questionable enforcement tactic.
The OIG is conducting a limited program review of Commissioner charges and will report its findings to the delegation in the third quarter of FY 2016.

AUDIT FOLLOW-UP

Audit follow-up is an integral part of good management and is a shared responsibility of Agency management officials and auditors. Corrective action taken by management to resolve findings and recommendations is essential to improving the effectiveness and efficiency of Agency operations.

Section 5(a)(1) of the Inspector General Act of 1978, as amended, requires that semiannual reports include a summary description of significant problems, abuses, and deficiencies relating to the Agency’s administration of programs and operations disclosed by the OIG during the reporting period. Six new reports were issued during this reporting period (October 1, 2015–March 31, 2016); three of those reports contained findings.

Reports Issued During This Reporting Period

| Fiscal Year | Report Number | Report Title | Date Issued |
|---|---|---|---|
| 2016 | 2015-01-FMFIA | FY 2015 Agency Compliance with Federal Managers’ Financial Integrity Act | 11/13/15 |
| 2016 | 2015-01-FIN | Audit of the EEOC’s FY 2015 Financial Statements | 11/16/15 |
| 2016 | 2015-03-EOIG | FY 2015 Federal Information Security Modernization Act Report | 12/16/15 |
| 2016 | 2015-02-FIN | FY 2015 Financial Statement Audit Management Letter | 1/15/16 |
| 2016 | | Fiscal Year 2015 Risk Assessment of EEOC’s Purchase Card Program | 2/4/16 |
| 2016 | | Report to OMB on Agency Progress in Implementing the Government Charge Card Abuse Prevention Act of 2012 | 2/5/16 |

As required by Section 5(a)(3) of the Inspector General Act of 1978, as amended, semiannual reports shall provide an identification of each significant recommendation described in previous semiannual reports on which corrective action has not been completed. OIG staff met with Agency follow-up officials in March 2016.
The OIG is reporting a total of 15 reviews with a total of 89 open recommendations for this reporting period. The following table shows those recommendations for which corrective actions have not been completed.

Recommendations for Which Corrective Actions Have Not Been Completed

| Fiscal Year | Report Number | Report Title | Date Issued |
|---|---|---|---|
| 2015 | 2014-03-OE | Evaluation of EEOC’s Outreach and Education Program | 5/8/15 |

EEOC should consider a more centralized operation for outreach and education. EEOC should consider ways to alleviate the administrative workload of program analysts. EEOC should rely on the strengths of the Fair Employment Practices Agencies (FEPAs) in their outreach and education efforts. EEOC should also consider an initiative that would provide regular opportunities to evoke news stories, also known as “earned media” opportunities that would support its outreach goals. EEOC’s website needs to be updated when important events occur, perhaps in accordance with guidelines that EEOC’s Office of Communication and Legislative Affairs sets for itself. EEOC needs some process for obtaining feedback about what key constituents think regarding its outreach and education effort. A brand evaluation is one way to solicit and act on systematic feedback. EEOC should consider creating a “clearinghouse” for outreach and education materials. EEOC should provide analytical help to each district office to examine charge data related to its own geographic area in order to identify potential trends, opportunities, and priorities. The Office of Field Programs (OFP) and Office of Federal Operations should survey (by mail or electronically) all or samples of former participants to assess the extent to which participants found the information provided to be useful—if so, in what way, and if not, why not. EEOC should regularly, perhaps quarterly, review website analytics.
EEOC and its district and field offices should routinely conduct follow-up through surveys with partners, perhaps three months after events. As suggested by FEPA officials, district and field offices should consider asking complainants to identify how they heard about the agency and who recommended the agency to them. EEOC should provide resources for the regular analysis of OFP charges to provide evidence of outreach and education success—both for district and field offices and nationally. EEOC should change the position title of “program analyst” (only for those doing outreach and education) to something like “outreach and education coordinator.”

Fiscal Year | Report Number | Report Title | Date Issued
2015 | 2014-01-FIN | FY 2014 Financial Statement Audit | 11/17/14

EEOC should update its controls over the maintenance of its official personnel files. Additionally, management should perform a thorough review of its employees’ personnel files to ensure that documentation is current and complete. EEOC should implement procedures to ensure that it has a complete understanding of its service providers’ policies and procedures.

Fiscal Year | Report Number | Report Title | Date Issued
2015 | 2014-02-FIN | FY 2014 Financial Statement Audit Management Letter Report | 1/13/15

EEOC should monitor and enforce its policies and procedures over sensitive property. EEOC should monitor these controls to ensure that the controls remain adequate and continue to operate effectively. EEOC should update its policies and procedures to correctly state its current process. EEOC should monitor and enforce its policies and procedures over record retention for purchase and travel card transactions. EEOC should monitor these controls to ensure that the controls remain adequate and continue to operate effectively.
Additionally, management should enforce penalties, such as disciplinary action, including restitution to the government and/or dismissal. EEOC should implement and monitor controls to ensure approving officials’ review and approval is documented for each purchase and travel card transaction. The policy or procedure should establish an appropriate period of time for retention of records, monitoring by the purchase card program manager, and appropriate disciplinary actions for noncompliance. EEOC should follow its guidelines for all expense transactions. We also recommend developing an assessment of EEOC’s internal control process in order to proactively manage internal controls and get the most from them. EEOC should implement procedures to ensure that it has read and implemented all Federal guidance issued through the year. EEOC should work with its service provider to implement internal controls that will catch all transactions with a zero object class. A monthly review of expense transactions will identify those with a zero object class. 
Fiscal Year | Report Number | Report Title | Date Issued
2015 | 2014-08-EOIG | FY 2014 Federal Information Security Management Act Report | 12/16/14

- Development of a risk assessment at the organization and mission/business level, to include field offices
- Update to system-level risk assessment report
- Improvement to Bring Your Own Device program
- Improvement to privacy notifications on the EEOC official website and alerts when visitors are directed to nongovernment websites
- Improvement to virtual private network configuration settings for password length
- Implementation of encryption to protect digital backup media during transport
- Update to policies and procedures to include EEOC’s response time for security alerts
- Update to policies and procedures to include a file integrity process for detecting unauthorized changes to software, firmware, and information
- Improved monitoring of laptops issued to employees for disaster recovery through ensuring that patches and updates are installed for operating systems, antivirus software, and other security applications
- Implementation of background checks for student interns to ensure that international visas are current
- Improvement to the security awareness training program to ensure that all personnel in field offices that use information systems receive annual training
- Development of policies and procedures to properly manage physical security access cards
- Implementation of full device encryption or container-based encryption for mobile laptops
- Development of Continuity of Operations plans for field offices
- Development of a telecommuting policy that meets the requirements of the Federal Information Security Management Act of 2002
- Development of policies and procedures for managing shared group accounts
- Improvement to account management procedures, including disabling inactive accounts as required
- Improved control over physical access to the data center and technology storage room
- Resolution of high and medium vulnerabilities identified in the internal vulnerability assessment

Fiscal Year | Report Number | Report Title | Date Issued
2014 | 2013-08-PSA | Performance Audit of the Agency’s Personnel Security Program | 9/4/14

- Identify all headquarters and field offices where classified national security information is safeguarded, handled, processed, reproduced, transmitted, transported, or destroyed
- Identify all EEOC employees with
  o current or prior access to classified national security information;
  o a current adjudicated security clearance and the sponsoring agency, if applicable; and
  o special access or interim clearance and the sponsoring agency, if applicable
- Develop and implement policies and procedures to address the safeguarding, transfer, storage, or disposal of classified information. The policy should include the requirements for memorandums of understanding (MOUs) between agencies.
- Implement a formalized training program for individuals who use classified information as a part of their duties. If an external agency is to assume the responsibility of training these individuals, this agreement should be documented in an MOU.
- Perform and document an assessment/evaluation of current classified information practices and safeguarding at headquarters and field offices to determine any noncompliance. Take immediate corrective action to address any noncompliance noted.
- Incorporate a review of controls over classified information in EEOC’s annual FMFIA process
- Complete risk designations for the remaining estimated 194 EEOC covered positions
- Complete and begin any outstanding reinvestigations as required by the Code of Federal Regulation
- Adhere to EEOC policy and federal requirements pertaining to reinvestigations. EEOC should follow its internal policy until further guidance is provided by the Office of Personnel Management (OPM).
- Update the policy for the Federal Personnel/Payroll System (FPPS) with a timeline, and implement the revised standard.
- Review all employee electronic official personnel folders to ensure proper inclusion of the employee’s conflict of interest (COI) disclosure, and in instances where the documentation is missing, insert it
- Report any outstanding EEOC adjudication decisions to OPM and, going forward, adhere to the 90-day timeline
- Develop and implement a procedure to maintain relevant evidence documenting that the EEOC has informed OPM of the adjudication decisions it has made
- Explore using alternative staffing options, such as contract employees, part-time employees, or employees on detail in order to become current on risk designations, reinvestigations, the FPPS, COIs, and adjudication reporting. Document the process of deciding what type of employees to use for this work.
- Update and implement comprehensive policies and procedures for physical security.
  These policies and procedures should include but not be limited to the following:
  o Providing training for the Federal Supply Class member or designee at each field office location at least annually
  o Developing and implementing an on-site field office security assessment program that includes performing assessments and/or spot checks of field office security measures by the OCFO on a rotational basis as it relates to Interagency Security Committee requirements
  o Assisting field offices and ensuring that they correct noted security weaknesses or document acceptance of risk where EEOC has determined corrective action will not be taken
- Revise the field office self-assessment checklist to include facility security and credentialing information
- Immediately correct any known weaknesses. If EEOC decides not to correct a noted weakness, it should document this analysis and its acceptance of the associated risk.
- Increase coordination between OCFO and OFP to improve field office security posture, awareness, and training to ensure compliance with applicable EEOC orders and guides; with Facility Security Committees: An Interagency Security Committee (ISC) Standard, second edition, dated January 1, 2012; and with other applicable ISC standards.

Fiscal Year | Report Number | Report Title | Date Issued
2014 | 2013-FIN-01 | FY 2013 Financial Statement Audit | 12/16/13

Open Recommendations:

EEOC should update and revise the manner in which it controls the maintenance of its official personnel files. Additionally, management should perform a thorough review of its employees’ personnel files to ensure that documentation is current and complete.
(Repeat finding from 2012)

Fiscal Year | Report Number | Report Title | Date Issued
2014 | 2013-02-FIN | FY 2013 Financial Statement Management Letter Report | 1/31/14

Open Recommendations:

EEOC should work toward prompt resolution of these differences because this is an essential component of financial data integrity, and its absence compromises the integrity of the financial reporting. EEOC management should consistently review and approve all documents as prescribed by its policies and procedures. Policies and procedures should be reviewed and updated to ensure they reflect the most current protocol. EEOC should ensure that its property records contain accurate and complete property information. A review of property records and property inventory should be conducted at least annually, but preferably semiannually. EEOC should establish and implement controls to prevent waste, fraud, and misuse in the credit card program. On an annual basis, EEOC should review and update the Charge Card Program Guide for substantial changes. Additionally, EEOC should monitor the controls to ensure that they are working effectively.

Fiscal Year | Report Number | Report Title | Date Issued
2014 | 2013-05-FISMA | FY 2013 Federal Information Security Management Act Report | 12/10/13

Open Recommendations:

The OIG recommends that the EEOC Office of Information Technology (OIT) define the configuration items (hardware/software inventory) for the information system within the configuration management plan. The OIG recommends that the OIT document the hardware/software inventory in the configuration management plan or provide a direct reference to where the current hardware/software inventory lists are located. The OIG recommends that the EEOC OIT implement multifactor authentication for remote access.
The OIG further recommends that the multifactor authentication use one factor provided by a device separate from the computer gaining access. (Repeat finding from 2008) The OIG recommends that the OIT ensure that all configuration change request forms are signed in order to document review and approval. The OIG recommends that the EEOC OIT include in its change request forms an option box or check box to indicate an emergency change, so that the Change Configuration Board approvers have enough information pertaining to the type of change request. The OIG recommends that the EEOC Office of Chief Human Capital Officer work with EEOC headquarters’ administrative officers and district directors regarding (1) implementing procedures to ensure compliance with EEOC Order 501.006 Clearance Procedures, and (2) implementing procedures to ensure that all separated/terminated EEOC employees complete the exit questionnaire and EEOC Form 470, Contractor and Employee Clearance Record.

Fiscal Year | Report Number | Report Title | Date Issued
2013 | 2012-09-REV | Review of Evaluations | 04/09/2013

Open Recommendations:

EEOC should further standardize intake procedures across field offices. EEOC should document criteria for determining Category C charges. EEOC should continue efforts to develop a national approach for addressing and eliminating systemic discrimination. EEOC should continue to review the range of information obtained during intake interviews and review the manner in which the intake information is stored in the Integrated Mission System. EEOC should investigate the merits of expanding the information it obtains related to employee hiring and terminations.
Fiscal Year | Report Number | Report Title | Date Issued
2013 | 2012-01-FIN | FY 2012 Financial Statement Audit Report | 11/16/2012

Open Recommendations:

EEOC should document and monitor implementation of all complementary user control considerations. (Repeat finding from 2010)

Fiscal Year | Report Number | Report Title | Date Issued
2013 | 2012-03-FISMA | FY 2012 Federal Information Security Management Act Report | 11/14/2012

Open Recommendations:

EEOC management should revise the Agency’s policy to correctly reflect the entire severity rating list published by the United States Computer Emergency Readiness Team (US-CERT).

Fiscal Year | Report Number | Report Title | Date Issued
2013 | 2012-02-FIN | FY 2012 Financial Statement Management Letter Report | 12/19/2012

Open Recommendations:

EEOC should implement stringent reconciliation and resolution procedures for reconciliation of management reports and subledgers to Financial Control System (FCS) general ledger data.

Fiscal Year | Report Number | Report Title | Date Issued
2013 | 2012-10-PMEV | Evaluation of EEOC’s Performance Measures | 03/21/2013

Open Recommendations:

EEOC should expand the new Strategic Enforcement Plan requirement for quarterly reviews. EEOC management would likely benefit considerably from the implementation of quarterly data-driven reviews such as those required by large Federal agencies. EEOC should provide its Commissioners and managers with easy access to relevant disaggregation of outcome values. Outcome data should be broken out by such characteristics as priority level, industry, and key characteristics of charging parties.
Fiscal Year | Report Number | Report Title | Date Issued
2013 | 2012-08-PURCH | Performance Audit of EEOC Charge Card Program | 03/28/2013

Open Recommendations:

EEOC should perform further analysis on its government charge card operations to identify the controls to be implemented in compliance with OMB directives. Specifically, the EEOC must review and update the identification of procedures performed using the new accounting system (FCS) as well as the current duties of personnel interacting with the system. The EEOC should meet with all process lead personnel to determine what controls are or should be in place to ensure that fraud, waste, abuse, and misuse are not present in the charge card program. The EEOC should identify all requirements in OMB Circular A-123, Appendix B, and determine the procedures necessary to comply with the requirements and ensure that policies and procedures are reviewed on an annual basis, or more frequently if substantial changes have occurred in EEOC’s systems or if laws and regulations have been issued. This will help to ensure that policies and procedures are appropriate for the current environment. EEOC should develop a system to (1) identify and track all charge card activity, including open accounts, closed accounts, cardholder approver levels, and cardholder training; (2) perform an evaluation of service providers’ controls over the charge card program to ensure that controls are appropriate and operating effectively; and (3) monitor all controls, whether performed at EEOC or at a service provider, at least annually, to ensure that controls remain adequate and continue to operate effectively. EEOC should develop policies and procedures to identify and track all required training of cardholders.
Documentation should be maintained following National Archives and Records Administration requirements for cardholders who have successfully completed training requirements. EEOC should develop controls over the retention of application documents for charge card accounts. EEOC should monitor controls over transaction approval, whether performed at EEOC or at a service provider. EEOC should implement policies and procedures regarding record retention for purchase and travel card transactions. EEOC should develop and implement policies to require reviews of total cardholder activity to ensure compliance with monthly spending authority for all cardholders. Management should maintain documentation of authority to exceed cardholders’ spending limits. Penalties for exceeding authorized spending limits should be established and enforced. EEOC should develop and implement policies and procedures to use data mining to monitor charge card activity.

Fiscal Year | Report Number | Report Title | Date Issued
2008 | 2008-03-AMR | Oversight of Federal Agency Reporting Management Directive 715 (MD-715) and Related Topics | 09/26/2008

Open Recommendations:

EEOC should require Federal agencies to submit Part G of their Equal Employment Opportunity assessment with their annual EEOC Management Directive MD-715 submissions.

As required by Section 5(a)(10) of the Inspector General Act of 1978, as amended, semiannual reports must include a summary of each audit report issued before the start of the reporting period for which no management decision has been made by the end of the reporting period. The OIG has no audit or evaluation reports that were issued before the reporting period began for which no management decision has been made.
THE INVESTIGATION PROGRAM

The Investigation Program supports the OIG’s strategic goal to focus limited investigative resources on issues that represent the greatest risk and offer the maximum opportunity to detect and prevent fraud, waste, and abuse in EEOC programs and operations.

INVESTIGATIVE INQUIRIES

Investigative Inquiries Received October 1, 2015–March 31, 2016

Allegations | Number
Charge processing | 102
Other statutes | 46
Title VII | 73
Mismanagement | 8
Ethics violations | 5
Backgrounds | 7
Theft | 0
Threats | 1
Fraud | 2
Other criminal allegations | 1
Congressional inquiries | 1
Total | 246

COMPLETED INVESTIGATIVE ACTIVITIES

Fraud/Theft

The OIG investigated an allegation of fraud involving a respondent employer who, based upon information provided by a mediator under contract with the EEOC, issued a settlement payment of $5,000 to the wrong person. The investigation disclosed that the contract mediator (mediator) conducted a telephonic mediation with the parties in an effort to resolve the allegations of discrimination contained in the complaint brought by the charging party. The mediator had not received written authorization to conduct the telephonic mediation. Further, he failed to exercise appropriate due diligence by confirming the identity of the individual he believed to be the charging party. The evidence establishes that two people with the same last name both had discrimination charges with the EEOC against the respondent employer. As a result of the mediator’s failure to confirm the identity of the charging party, he conducted the mediation with the wrong charging party. The mediation resulted in a resolution of the charges that included a payment in the amount of $5000.
Subsequent to the settlement, the respondent’s counsel, who participated in the mediation, discovered the discrepancy and alleged that fraudulent activity had occurred in the mediation. There is no evidence of any criminal intent on the part of the individual who received the payment, and no evidence of any collusion between the mediator and the recipient of the payment. No further action was warranted by the OIG and the matter was closed.

ONGOING INVESTIGATIVE ACTIVITIES

The OIG has ongoing investigations in several field offices involving ethics violations, conflicts of interest, fraud, falsification of government records, misuse of travel and purchase cards, misuse of position, and threats against the Agency.

APPENDIX I. FINAL OIG AUDIT AND EVALUATION REPORTS

Report Title | Date Issued | Questioned Costs | Funds Put to Better Use | Unsupported Costs
FY 2015 Agency Compliance with the Federal Managers’ Financial Integrity Act | 11/13/15 | $0 | $0 | $0
Audit of the EEOC’s FY 2015 Financial Statements | 11/16/15 | $0 | $0 | $0
FY 2015 Federal Information Security Modernization Act Report | 12/16/15 | $0 | $0 | $0
FY 2015 Financial Statement Audit Management Letter Report | 1/15/16 | $0 | $0 | $0
FY 2015 Risk Assessment of EEOC’s Purchase Card Program | 2/4/16 | $0 | $0 | $0
Report to OMB on Agency Progress in Implementing the Government Charge Card Abuse Prevention Act of 2012 | 2/5/16 | $0 | $0 | $0

APPENDIX II.
INDEX OF REPORTING REQUIREMENTS

Inspector General Act Citation | Reporting Requirements | Page
Section 4(a)(2) | Review of legislation and regulations | N/A
Section 5(a)(1) | Significant problems, abuses, and deficiencies | 11–29
Section 5(a)(2) | Recommendations with respect to significant problems, abuses, and deficiencies | 11–15
Section 5(a)(3) | Significant recommendations included in previous reports on which corrective action has not been completed | 17–27
Section 5(a)(4) | Matters referred to prosecutorial authorities | N/A
Section 5(a)(5) | Summary of instances where information was refused | N/A
Section 5(a)(6) | List of audit reports | 16–17
Section 5(a)(7) | Summary of significant reports | 11–15
Section 5(a)(8) | Questioned and unsupported costs | 30
Section 5(a)(9) | Recommendations that funds be put to better use | 30
Section 5(a)(10) | Summary of audit reports issued before the commencement of the reporting period for which no management decision has been made | 27
Section 5(a)(11) | Significant management decisions that were revised during the reporting period | N/A
Section 5(a)(12) | Significant management decisions with which the office of inspector general disagreed | N/A

APPENDIX III. SINGLE AUDIT ACT REPORTS

The Single Audit Act of 1984 requires recipients of Federal funds to arrange for audits of their activities. Federal agencies that award these funds must receive annual audit reports to determine whether prompt and appropriate corrective action has been taken in response to audit findings. During the reporting period, the OIG received one audit report issued by a public accounting firm concerning a Fair Employment Practice Agency (FEPA) that has a work-sharing agreement with EEOC. Thus, no audit findings for the FEPA involved EEOC funds.
Semiannual Report: Oct-Mar 2016
Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2016-05-01.