Veterans Affairs: Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses

GAO-08-918 July 31, 2008

Summary

In July 2004, GAO reported that the six Department of Veterans Affairs (VA) medical centers it audited lacked a reliable property control database and effective inventory policies and procedures. In July 2007, GAO reported that continuing internal control weaknesses over IT equipment at four case study locations at VA resulted in an increased risk of theft, loss, and misappropriation of IT equipment assets. GAO's two reports included 18 recommendations to improve internal control over IT equipment. GAO was asked to perform a follow-up audit to determine (1) whether VA has made progress in implementing GAO's prior recommendations for improving internal control over IT equipment and (2) the effectiveness of VA's current internal controls to prevent theft, loss, or misappropriation of IT equipment. GAO reviewed policies and other pertinent documentation, statistically tested IT equipment inventory controls at four geographically disparate locations, and interviewed VA officials.

VA has made significant progress in addressing prior GAO recommendations to improve controls over IT equipment. Of the 18 recommendations GAO made in its two earlier reports, VA completed action on 14 recommendations, partially implemented action on 2 recommendations, and is working to address the 2 remaining open recommendations. These recommendations focused on strengthening policies and procedures to establish a framework for accountability and control of IT equipment. If effectively implemented, VA's July 2008 policy changes would address many of the control weaknesses GAO identified. Mandated early implementation of this new policy addresses user-level accountability and requirements for strengthening physical security. In addition, to determine the extent of inventory control weaknesses over its IT equipment, VA performed a departmentwide physical inventory in 2007. However, as of May 15, 2008, VA reported that it could not locate about 62,800 IT equipment items, of which 9,800 could have stored sensitive information. Because VA does not know what, if any, sensitive information resided on the equipment, potentially affected individuals could not be notified. GAO's statistical tests of IT equipment inventory controls from February through May 2008 at four locations identified continuing control weaknesses, including missing items, lack of accountability, and errors in IT equipment inventory records. Although these control weaknesses may be addressed through early implementation of the July 2008 policies, the fact that GAO identified missing items only a few months after these locations had completed their physical inventories is an indication that underlying weaknesses in accountability over IT equipment have not yet been corrected. GAO's tests identified 50 missing items, of which 34 could have stored sensitive data, but again, notifications to individuals could not be made. 
Further, the lack of user-level accountability and inaccurate records on status, location, and item description of IT equipment items at the four case study locations make it difficult to determine the extent to which actual theft, loss, or misappropriation of IT equipment may have occurred. In addition, the four locations had weaknesses in controls over hard drives in the property disposal process as well as physical security weaknesses at IT storage facilities. These control weaknesses present a risk that VA could lose control over new, used, and excess IT equipment and that any sensitive personal and medical information residing on hard drives in this equipment could be compromised.



Recommendations

Our recommendations from this work are listed below, with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Kay L. Daly
Team: Government Accountability Office: Financial Management and Assurance
Phone: (202) 512-9312


Recommendations for Executive Action


Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to review property inventory records and confirm that all IT equipment, regardless of the organizational equipment inventory listing, is identified in the property system.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to establish and implement a policy requiring development of standardized naming classifications for IT equipment--including item name, manufacturer, and model--for recording IT equipment into local property inventory systems.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to develop a list of medical equipment with data storage capability that should be considered as IT equipment for inventory control purposes.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to develop a procedure for identifying hard drive serial numbers with both the property identification numbers and serial numbers of host computers.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to revise the definition of IT storage locations in VA's Handbook 0730/1, Security and Law Enforcement, to include informal IT storage locations, such as OIT work rooms, and require these locations to be included in physical security inspections.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.