Selected General Information System Controls at the Railroad Retirement Board Were Not Always Adequate

Published by the Railroad Retirement Board, Office of Inspector General on 2019-05-14.

Below is a raw (and likely hideous) rendition of the original report. (PDF)


               This report summary presents the abbreviated results of
                 the subject audit. The full report includes information
                protected from disclosure and has been designated for
                    limited distribution pursuant to 5 U. S. C. § 552.

  Selected General Information
  System Controls at the Railroad
  Retirement Board Were Not
  Always Adequate

  Report No. 19-07                                             May 14, 2019
Selected General Information System Controls at the Railroad
Retirement Board Were Not Always Adequate

What We Found
                                                                                  What We Did
Our audit determined that the selected information system controls were
not always adequate. We determined that the agency did not update all             The Federal Information System
management control review documentation for the change to the                     Controls Audit Manual (FISCAM)
Headquarters (HQ) Voice over Internet Protocol (VoIP) system, controls did
                                                                                  provides guidance to auditors in
not ensure that the assessable unit documentation was updated timely,
budget allocation prevented necessary reinvestigations, and personal              evaluating internal controls over
identity verification replacement policy and procedures were not                  the integrity, confidentiality, and
comprehensive and were not implemented. The agency employed a field               availability of data maintained in
VoIP system that had vendor support limited after fiscal year 2018.               information systems.

What We Recommend                                                                 The objective of this audit was to
                                                                                  assess the adequacy of selected
In total, we made four detailed recommendations to Railroad Retirement
                                                                                  information system controls using
Board (RRB) management related to:
                                                                                  audit procedures from the
          updating the management control review documentation for the           Government Accountability Office
           headquarters voice telecommunications assessable unit to ensure it     FISCAM. The FISCAM control areas
           accurately reflects the RRB's current Headquarters Voice over          assessed were security
           Internet Protocol environment;
                                                                                  management, access controls,
          implementing controls to ensure that assessable unit                   configuration management, and
           documentation is updated timely when changes occur and consider
                                                                                  segregation of duties, with
           whether an acceleration of the assessable unit’s control test should
           be performed;                                                          selected controls identified from
                                                                                  each area. The selected controls
          reallocating budget dollars to implement reinvestigations based on
           Title 5, Code of Federal Regulations, Part 731, Suitability;1 and
                                                                                  were assessed in regards to four
                                                                                  technology systems at RRB that
          documenting and implementing personal identity verification
                                                                                  include wireless, HQ VoIP, Field
           replacement card policies and procedures that have been approved
           by management to address control weaknesses that were                  VoIP, and virtual private network.
                                                                                  The scope of the audit was control
Management concurred with two recommendations, to update HQ voice
telecommunications documentation, and to document policy and
                                                                                  information that was in effect for
procedures for personal identity verification card replacement. They did not      the four technology systems during
concur with two recommendations. They stated that due to revised agency           fiscal year 2018.
policy, controls on assessable unit documentation updates were not
necessary. For our recommendation regarding reinvestigations, they stated
that these responsibilities will be transferred to another agency.

    5 Code of Federal Regulations (C.F.R.) § 731.
Report Summary                                         May 14, 2019                           Report No. 19-07