U.S. RAILROAD RETIREMENT BOARD
OFFICE OF INSPECTOR GENERAL

This report summary presents the abbreviated results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552.

Selected General Information System Controls at the Railroad Retirement Board Were Not Always Adequate

Report No. 19-07
May 14, 2019

What We Did

The Federal Information System Controls Audit Manual (FISCAM) provides guidance to auditors in evaluating internal controls over the integrity, confidentiality, and availability of data maintained in information systems.

The objective of this audit was to assess the adequacy of selected information system controls using audit procedures from the Government Accountability Office FISCAM. The FISCAM control areas assessed were security management, access controls, configuration management, and segregation of duties, with selected controls identified from each area. The selected controls were assessed in regards to four technology systems at RRB that include wireless, HQ VoIP, Field VoIP, and virtual private network.

The scope of the audit was control information that was in effect for the four technology systems during fiscal year 2018.

What We Found

Our audit determined that the selected information system controls were not always adequate. We determined that the agency did not update all management control review documentation for the change to the Headquarters (HQ) Voice over Internet Protocol (VoIP) system, controls did not ensure that the assessable unit documentation was updated timely, budget allocation prevented necessary reinvestigations, and personal identity verification replacement policy and procedures were not comprehensive and were not implemented. The agency employed a field VoIP system that had vendor support limited after fiscal year 2018.

What We Recommend

In total, we made four detailed recommendations to Railroad Retirement Board (RRB) management related to:

- updating the management control review documentation for the headquarters voice telecommunications assessable unit to ensure it accurately reflects the RRB's current Headquarters Voice over Internet Protocol environment;
- implementing controls to ensure that assessable unit documentation is updated timely when changes occur and consider whether an acceleration of the assessable unit’s control test should be performed;
- reallocating budget dollars to implement reinvestigations based on Title 5, Code of Federal Regulations, Part 731, Suitability; [1] and
- documenting and implementing personal identity verification replacement card policies and procedures that have been approved by management to address control weaknesses that were identified.

Management concurred with two recommendations, to update HQ voice telecommunications documentation, and to document policy and procedures for personal identity verification card replacement. They did not concur with two recommendations. They stated that due to revised agency policy, controls on assessable unit documentation updates were not necessary. For our recommendation regarding reinvestigations, they stated that these responsibilities will be transferred to another agency.

[1] 5 Code of Federal Regulations (C.F.R.) § 731.
Selected General Information System Controls at the Railroad Retirement Board Were Not Always Adequate
Published by the Railroad Retirement Board, Office of Inspector General on 2019-05-14.