2001 - Audit Report

U.S. Department of Labor
Office of Inspector General
Office of Audit

PWBA EFAST GENERAL CONTROLS

Information obtained from the Internet may not be in the same format as a hard copy obtained from the Office. Depending on the requester, the quantity of information provided may also vary. In order to appeal any deleted information received via the Internet, you must make a formal written request for the same material. Further, some of the audit reports issued prior to FY 1998 may no longer be available. They may have been destroyed in accordance with our records retnetion schedule. However, any request for audit reports or other audit materials should be sent to the OIG, Disclosure Officer, Room S1303, 200 Constitution Avenue, N.W., Washington, D. C. 20210.

Unless otherwise stated, the audit reports provided on this web page reflect the findings of the OIG at the time that the audit report was issued. The auditee may have more current information available as a result of audit resolution activities.

The OIG is using Adobe Acrobat 4.0 to prepare its audit reports for the internet. If you experience problems accessing the PDF files, you may want to download the latest version of the Adobe Acrobat Reader by clicking on the link provided.

[ Link to Acrobat 4.0 Reader ]

The Employee Retirement Income Security Act of 1974 (ERISA) and provisions of the Internal Revenue Code assign oversight responsibility for employee benefit plans to the DOL Pension and Welfare Benefits Administration (PWBA). These laws also require the plans to submit specific information which certain Federal agencies utilize to meet their specific oversight and enforcement responsibilities. The benefit plans meet this reporting requirement by annually submitting the Form 5500 Series. ERISA plan filers cover 150 million participants and employee benefit plan assets of $4.3 trillion. In August 2000, PWBA implemented an Electronic Filing Acceptance System (EFAST) to process the paper and electronic Form 5500 Series filings into computer-readable format for the purpose of providing the Federal agencies with accurate and timely data.

The OIG conducted an audit to determine if EFAST has general controls to physically protect filings, prevent unauthorized modification or disclosure of data, and prevent disruption or denial of critical services. Overall, we concluded that PWBA management had devoted substantial resources and made significant progress in developing the necessary security plans, performing risk assessments and security reviews, and coordinating complex security requirements. However, EFAST does have security weaknesses which require PWBA management action.

We found improvement is needed in both the implementation and testing of the EFAST Risk Assessment procedures. The procedures do not cover unprocessed filings, planned controls were not implemented, and some of those implemented were not tested. We also found the EFAST Continuity of Operations Plan was not fully developed and implemented. Accordingly, EFAST lacks an emergency processing site and does not provide adequate protection for unprocessed Form 5500 Series reports. The fact that the EFAST Information Security Officer has not received formal training is compounded by the lack of a job description and written security procedures. As a result of these weaknesses, the EFAST is operating above the maximum acceptable risk level established by PWBA.

PWBA generally concurred with the findings and recommendations. PWBA has requested and received an engineering change proposal that addressed the implementation and testing of the EFAST security controls. PWBA also stated it was on track to strengthen the ISO position and overhaul and test the Continuity of Operations Plan.

(OA Report No. 09-01-001-12-001, issued March 27, 2001)

[ Get Complete Report PDF ]

REPORTS BY FISCAL YEAR

[ 2001 Reports ]

[ 2000 Reports ]

[ 1999 Reports ]

[ 1998 Reports ]

[ Prior to 1998 ]

GO TO --

[ Audit Reports ]

[ FOIA ]

[ Semiannual Reports ]