This document is a summary of a printed document. The printed document may contain charts and photographs which are not reproduced in this electronic version. If you require the printed version of this document, contact the Freedom of Information Act Officer, Office of Inspector General, U.S. Department of Labor, Washington, DC 20210, or call (202) 693-5116.
This report reflects the findings of the Office of Inspector General at the time that the audit report was issued. More current information may be available as a result of the resolution of this audit by the Department of Labor program agency and the auditee. For further information concerning the resolution of this report's findings, please contact the program agency.
OIG has started using Acrobat 4.0 to prepare it's latest Audit reports. If you are experiencing problems downloading some of the larger PDF files, you may want to download the latest version of the Adobe Acrobat Reader by clicking the link provided below.
The Employee Retirement Income Security Act of 1974 (ERISA) and provisions of the Internal Revenue Code assign oversight responsibility for employee benefit plans to the DOL Pension and Welfare Benefits Administration (PWBA). These laws also require the plans to submit specific information which certain Federal agencies utilize to meet their specific oversight and enforcement responsibilities. The benefit plans meet this reporting requirement by annually submitting the Form 5500 Series. ERISA plan filers cover 150 million participants and employee benefit plan assets of $4.3 trillion. In August 2000, PWBA implemented an Electronic Filing Acceptance System (EFAST) to process the paper and electronic Form 5500 Series filings into computer-readable format for the purpose of providing the Federal agencies with accurate and timely data.
The OIG conducted an audit to determine if EFAST has general controls to physically protect filings, prevent unauthorized modification or disclosure of data, and prevent disruption or denial of critical services. Overall, we concluded that PWBA management had devoted substantial resources and made significant progress in developing the necessary security plans, performing risk assessments and security reviews, and coordinating complex security requirements. However, EFAST does have security weaknesses which require PWBA management action.
We found improvement is needed in both the implementation and testing of the EFAST Risk Assessment procedures. The procedures do not cover unprocessed filings, planned controls were not implemented, and some of those implemented were not tested. We also found the EFAST Continuity of Operations Plan was not fully developed and implemented. Accordingly, EFAST lacks an emergency processing site and does not provide adequate protection for unprocessed Form 5500 Series reports. The fact that the EFAST Information Security Officer has not received formal training is compounded by the lack of a job description and written security procedures. As a result of these weaknesses, the EFAST is operating above the maximum acceptable risk level established by PWBA.
PWBA generally concurred with the findings and recommendations. PWBA has requested and received an engineering change proposal that addressed the implementation and testing of the EFAST security controls. PWBA also stated it was on track to strengthen the ISO position and overhaul and test the Continuity of Operations Plan.
(OA Report No. 09-01-001-12-001, issued March 27, 2001)
Get Complete Report
