Exhibit 1 - Supplies stored in overhead bins and storage cabinets in OIT
A recent OIG Investigation revealed that information technology (IT) equipment was missing from EEOC headquarters and that no EEOC Form 629 Reports of Loss, Theft, or Incident had been filed at the time of the OIG inquiry. The investigation revealed that further missing items of computer and electronic equipment valued at $92,233.45 were stolen from the Headquarters building between May 2004 and February 2005.
The purpose of this audit was to evaluate the adequacy of controls over IT equipment, and other electronic equipment at Headquarters EEOC. Specifically, we evaluated the various cycles relating to IT equipment including the procurement, receipt, inventory, distribution, and disposition of excess and obsolete IT equipment.
The audit fieldwork was conducted from January 2005 through April, 2005. We interviewed Office of Information Technology (OIT) managers and staff in Headquarters to obtain an understanding of the controls in place over the management of IT property. Additionally, we met with various Headquarters managers and staff having responsibility for the management and control of IT property including the Office of Human Resources, Office of General Counsel, Office of Inspector General and the Office of Field Programs (OFP). We also reviewed guidance issued by the Office of the Chief Financial Officer and Administrative Services (OCFOAS) and discussed Agency policies dealing with the management and control of accountable personal property. Additionally, OIG visited various storage locations throughout Headquarters and at the off-site storage facility, where OIG inventoried the IT equipment and photographed storage conditions.
The audit was conducted in accordance with Generally Accepted Government Auditing Standards, as published in the Comptroller General’s Government Auditing Standards, June 2003 Revision.
We found that controls relating to the procurement of IT equipment and other electronic equipment were adequate, however controls needed to be strengthened over the receipt, inventory, distribution, and disposition of excess and obsolete IT equipment.Office of Information Technology managers failed to maintain inventory records relating to the IT equipment stored throughout Headquarters wherever space was available. IT equipment was usually stored in closets, hallways, offices, and at workstations. Additionally, the Fixed Asset Subsystem (FAS) was not reliable since information was not accurate or current. During our tests we found instances where IT equipment was not in the FAS, and where offices had reported changes to their inventories, the information in the FAS was not updated.
Further, IT equipment purchased on September 30, 2004 by the Office of Field Programs for Fair Employment Practices Agencies (FEPAs) had not been accounted for. The equipment ordered by OFP was shipped directly from the vendor to FEPAs which were located throughout the country.Our audit disclosed that no follow up was conducted with the FEPAs to ensure that the property ordered in September 2004 was actually received. While staff entered serial numbers found on vendor invoices, and barcodes for the property into the agency’s FAS as of April 2005; the barcodes had not been affixed to the actual IT equipment because the location of the equipment had not been verified.
Finally, we noted that missing and/or stolen property was not reported in the 2004 assurance statements submitted by HQ directors in accordance with the agency’s Federal Managers Financial Integrity Act (FMFIA) process.
A full discussion of each of these findings, along with recommendations, management comments and OIG’s response is provided in the following section.
OIT managers did not know the number of items or the total value of IT equipment stored at Headquarters EEOC. They had not developed an inventory system that accounts for the acquisition, issuance, and identification of damaged or obsolete equipment. Due to the lack of a system to account for stored IT equipment and an organized methodology for storing such equipment, OIT managers were unable to provide a detailed inventory of IT equipment stored in EEOC Headquarters. Further, they could not provide reasonable assurance that stored IT equipment was safeguarded from theft or misuse.
Statement of Federal Financial Accounting Standard No. 3 Accounting for Inventory and Related Property provides guidance on the accounting for an inventory of operating materials and supplies. The statement also requires that operating materials and supplies be valued on the basis of historical costs. Some of the methods used to arrive at the historical cost basis are the first in first out (FIFO), weighted average, or the moving average cost flow assumptions.
The GAO/PCIE Financial Audit Manual discusses controls that should be in place to protect assets and records against physical harm, theft, loss, misuse, or unauthorized alteration. Typical access control includes secured facilities (i.e. locked rooms, fenced areas) and access limited to authorized personnel.
During our audit, we requested a listing of all IT equipment stored throughout Headquarters EEOC. We were told by OIT managers that no listing existed that would include all IT equipment stored at Headquarters. Each OIT Division Director is supposed to maintain an listing of IT equipment they are responsible for purchasing. Once OIG began questioning the existence of an listing, some directors took steps to inventory their equipment. (Note: Between fiscal year 2003 and January 2005, the Office of Information Technology purchased IT equipment costing about $8.1 million. Approximately $15.2 million of EEOC’s FY 2004 budget is for technology which includes purchases of IT equipment.)
Throughout Headquarters EEOC, OIT uses various offices, conference rooms, meeting rooms, closets and cabinets on each floor to store its inventory of IT equipment. In fact, some OIT managers maintained small inventories of IT equipment in their individual offices (e.g. hard drives, memory, and software). OIG auditors visited each storage location and inventoried its contents. Some of the common items found in the various locations included Dell D-Family Monitor stands, various types of Dell Monitors, Port Replicators, switches, switch cards, printers, laptop computers, and desktop computers. In most cases, unopened IT equipment and supplies were stored from floor to ceiling. Also, it should be noted that OIT did not attempt to store this equipment by type. Equipment appeared to have been stored according to the availability of space. Given the fact that IT equipment is outdated within a few years, OIG questions the need to maintain an inventory of monitors, monitor stands, and computers.
Exhibit 1- pictures of IT equipment stored in overhead bins and cabinets in or near managers’ workstations.
Exhibit 1 - Supplies stored in overhead bins and storage cabinets in OIT
Exhibits 2 through 5 show storage conditions throughout Headquarters.
Exhibit 2- Headquarters Room 3114 –Dell D Family Monitors and Dell D/ Port Advanced Port Replicators
Exhibit 3-Headquarters Room 3114- Additional Dell D-Family Monitor Stands stacked to ceiling
Exhibit 4- 4th floor DSSD Storage Room- Flat Panel Monitors And Dell Central Processing units.
Exhibit 5- 5th floor LAN Room- Dell Port Replicators, Dell Monitors
OIG recommends that the Director of the Office of Information Technology:
OIT would like to point out that we have been following OCFOAS guidance in tracking IT equipment, which requires us to record in the agency’s inventory system, Fixed Asset Subsystem (FAS), any equipment that is over $1000 in value. Equipment that meets this criteria is recorded and maintained in the FAS, regardless of whether the equipment is being used in the employee’s workstation or located in storage spaces.
In addition, due to inadequate space made available to store IT equipment, when large shipments arrive, we must put them wherever we can find space. This results in items being stored in any available space including closets, hallways, offices, and workstations. We also used our conference room as a work space to configure computers and our locked offices for temporary storage. For years, OIT has been requesting storage space for safekeeping IT equipment as well as space for performing equipment setup, configuration and testing. However, adequate storage space has not been provided.
The OIG report failed to mention that the closets are kept locked and keys are restricted to specific personnel. Similarly, equipment kept in managers’ offices are locked with only the manager possessing a key to it. For instance, Figure 1 on Page 4 of the OIG report reflects the overhead compartment in a manager’s locked office, which included a few computer books, memory chips, and other computer supplies. This very same manager informed the OIG investigator that he keeps a log on his computer to track when someone takes these items from his office. This manager is an operations manager and equipment in his office is composed of primarily small components and computer supplies.
We are concerned that the OIG report did not mention or address any physical security issues in the headquarters building as it is critical to inventory control process. Despite the presence of guards and video cameras, a thief was able to remove AV and IT equipment from the headquarters building over a period of several months. If the purpose of the Report was to identify gaps in inventory control, then this one large gap should be recognized and addressed.
We maintain that OIT should inventory and account for its inventory of “smaller computer components and supplies”. These items may cost less than $1,000 individually, however on an aggregate basis, we believe the value will far exceed the $1,000 threshold referred to by OIT in its comments. Also, we question the validity of OIT’s comment relating to the high turnover rate on some stored items given as a reason for not warranting an inventory of all items. We found many items such as Dell D-Family Monitor stands, Battery Cartridges, and monitors in unopened boxes, and other various computer related items that, in our opinion, should be inventoried and evaluated to determine their usefulness at EEOC. Because the life expectancy of IT equipment is usually a few years, we believe that OIT will find that some of the equipment referred to as “smaller computer components and supplies” are outdated and should be excessed.
OIT also included in their comments remarks relating to storage space and the fact that adequate storage space has not been provided. Further, they state that OIG failed to acknowledge this as the true source of the problem. We disagree. In our opinion the bigger issue is not where the equipment was stored but the fact that controls relating to keeping track of what was stored were weak. Evaluating the adequacy of storage space and requirements were never an objective of this audit.
In regards to OIT’s comment that IT equipment is stored in locked rooms or closets that have keys in the hands of a very few IT staff, we found that a complete listing of key holders for all OIT storage locations did not exist. We found three instances where keys that were issued could not be accounted for.
OIT makes mention of a manager who has been maintaining a log to keep track of his inventory of computer supplies. During our initial inquiry this manager indicated that he did not maintain any logs. Subsequent to the receipt of OIT’s comments to our draft report, we revisited this manager and obtained a copy of his log. He maintains an entry in his personal data assistant (PDA) described as Hard Drive Disbursement- 80 GB. In our opinion, this log is not adequate since it does not include a beginning or ending balance and doesn’t always show the quantities disbursed or when they were disbursed. Further, we note that all of the entries provided were after our initial interview of March 4, 2005.
In their comments, OIT provides a discussion relating our audit issues with the recent thefts and loss of equipment. OIG never reported or discussed in this report how the thefts occurred or identified any evidence that OIT may have to show how the thief gained access to equipment stored in locked locations.
Finally, OIT states they are concerned that OIG did not mention or address any physical security issues in the headquarters building. Evaluating physical security and evaluating the adequacy of and requirements for storage space were never objectives of this audit and was not included in our scope. During the entrance conference, we indicated that the purpose of our audit was to evaluate the adequacy of controls over IT equipment at Headquarters EEOC. Specifically, we planned to evaluate the various cycles relating to IT equipment including the procurement, receipt, inventory, distribution, and disposition of excess and obsolete IT equipment.
The Fixed Asset Subsystem (FAS) needed to be updated to capture all IT property. During our testing, we noted that 22 of 147 items randomly selected were not included in the FAS system’s EEC 453 Reports – Detailed Subsidiary for Accountable/Sensitive Property. Further, 13 (59%) of the 22 items not found in the EEC 453 reports were not in the FAS system. We also noted that the FAS was not updated to reflect changes submitted by property custodians. We found instances where property custodians submitted required forms to report changes in their property inventory but the changes were not made in subsequent FAS reports. Because of these weaknesses, we question the validity of the 12,370 items valued at $14,364,202.11 reported in the FAS system’s reports as of January 31, 2005.
EEOC Order 320.001, Management and Control of Accountable Personal Property provides specific guidance pertaining to the general area of personal property management. Ten days after receipt of new property items, custodial property officers are required to submit EEOC Form 574, Physical Inventory Reporting Form to the Resource Management Division. The Resource Management Division is responsible for entering this information into the Fixed Asset Subsystem (FAS). Additionally, Standard Form (SF) 120 Report of Excess Personal Property and SF 122 Transfer Order Excess Personal Property are used to report changes in excess property and property transfers between agencies.
During our audit, we requested an inventory listing of all Headquarters information technology property. We were provided copies of EEC Report 453-Detailed Subsidiary for Accountable/Sensitive Property from the Fixed Asset System (FAS) as of 1/31/05 and 3/31/05. The EEC Report 453 is separated by each Headquarters’ office and includes EEOC’s catalog code, serial number, description, bar code number, property custodian, purchase order number, date placed in service, useful life, cost, and book value. OIG randomly selected IT equipment in Headquarters’ offices to test the accuracy of the EEC Report 453. OIG compared actual barcodes and serial numbers found on selected IT equipment by office locations to information in the EEC Report 453. This test was completed in the: Office of Inspector General (OIG), Office of Field Programs (OFP), Office of Human Resources (OHR), and the Office of General Counsel (OGC). Our testing revealed that 22 (15%) of the 147 items randomly selected were not listed in the Fixed Asset System. The results of our testing are summarized in the Table-1 below:
Table -1 Results of Test of Fixed Asset Subsystem
| Office | # Items Tested | Total Items included in FAS System | Items not in FAS/ Exceptions |
|---|---|---|---|
Office of Inspector General (OIG) |
22 |
46 |
4 |
Office of Field Programs (OFP) |
37 |
340 |
7 |
Office of Human Resources (OHR) |
26 |
187 |
5 |
Office of General Counsel (OGC) |
62 |
262 |
6 |
|
147 |
|
22 |
For the 22 items located in Headquarters but not included in the EEC 453 report, OIG contacted Fiscal Management Coordinating Staff in the Office of the Chief Financial Officer and Administrative Services (OCFO/AS) for assistance in determining why these items were not in the EEC 453 report. They were able to query the FAS system using barcodes and in nine (9) cases found information relating to the IT property in question. However, they were not able to determine where the property was located because that information was never entered into the system. Thirteen (59%) of the 22 items were not in the FAS system. These 13 items were not in the EEC 453 Report nor could they be located by barcode through a FAS inquiry. The results of the FAS inquiry of property not found in the EEC453 report are summarized in Table-2 below:
Table -2 – Results of FAS Inquiry of Property Not In EEC 453 Report
| Type of Equipment | Office | Bar Code # | Included in EEC453, 3/31/2005 | Per Fixed Asset Summary Inquiry |
|---|---|---|---|---|
Monitor |
OFP |
213602 |
No |
Yes |
CPU |
OFP |
133669 |
No |
Yes |
CPU |
OFP |
208403 |
No |
Yes |
Monitor |
OFP |
212402 |
No |
No |
Monitor |
OFP |
211794 |
No |
No |
Monitor |
OFP |
212405 |
No |
No |
Monitor |
OFP |
211982 |
No |
No |
CPU |
OHR |
122730 |
No |
Yes |
CPU |
OHR |
125930 |
No |
Yes |
CPU |
OHR |
133842 |
No |
Yes |
Monitor |
OHR |
212019 |
No |
Yes |
Printer |
OHR |
121154 |
No |
No |
CPU |
OIG |
131169 |
No |
Yes |
CPU |
OIG |
134239 |
No |
No |
CPU |
OIG |
136302 |
No |
Yes |
Monitor |
OIG |
213940 |
No |
No |
CPU |
OGC |
137901 |
No |
No |
Monitor |
OGC |
208812 |
No |
No |
Monitor |
OGC |
214578 |
No |
No |
CPU |
OGC |
137890 |
No |
No |
Printer |
OGC |
133937 |
No |
No |
CPU |
OGC |
328 |
No |
No |
Additional examples of FAS inaccuracy were found in our review of the EEC Report 453 dated 1/31/05, for the Office of Inspector General. The report included six (6) non-OIG employees as property custodians along with OIG’s official property custodian. We noted that this was corrected in the EEC Report 453 dated 3/31/05. Also, the 1/31/05 report only contained eight (8) of the twelve central processing units and eleven of the twelve monitors assigned to OIG. The 3/31/05 EEC Report 453 had been updated to reflect some of the additions made by OIG’s property custodian in January 2005 but still missed three (3) of the twelve CPUs and one monitor assigned to OIG.
OIG recommends that the Director, Office of the Chief Financial Officer and Administrative Services (OCFOAS):
All non-IT changes, for headquarters and field offices, are processed through FAS by Office of Chief Financial Officer and Administrative Services (OCFOAS) staff. IT-related changes are processed for field offices by the local IT Specialist. IT-related changes at headquarters are processed by the Office of Information Technology (OIT). OCFOAS is aware of only a few instances where non-IT changes were not properly processed and these were corrected as soon as the appropriate property custodian provided notification.
In some cases, property was not on the 453 dated March 31, 2005, however, the property was located in (FAS). We researched this and determined that this was a timing issue. All of the property that appeared in FAS was on the EEC 453 report dated April 29, 2005. The EEC 453 is monthly report. Apparently, these items were entered in the system during the month of April.
The FAS system became operational in 2002. Since then, per EEOC Order 320.00l, we have relied on Headquarters and Field Office Directors to serve as Accountable Property Managers (APO’s) who are responsible for their respective office’s accountable personal property, including computer equipment.
In order to spot check property reported by headquarters and field offices for inclusion, change, or deletion in FAS, OCFOAS will conduct periodic random sampling of inventories. The results of the random sampling will be reported to the applicable office and, if any deficiencies are noted, they will be included in the FMIA submission.
OIG’s recommendation to send out periodic reminders to offices that they should monitor FAS reports and send in Form 574’s to note changes will be implemented.
The Office of the Chief Financial Officer generally agreed with our finding and recommendations. The CFO stated that they will begin to spot check property reported by headquarters and field offices for inclusion, change, or deletion in FAS and will conduct periodic random sampling of inventories. The results of which will be reported to the applicable office and, if any deficiencies are noted, they will be included in the FMFIA submissions. In addition to taking these steps to verify information reported, the CFO should also consider randomly selecting property items and testing to see if they have been included in the Fixed Asset Subsystem and informing offices of any such deficiencies for inclusion in FMFIA submissions.
OIG recommends that the Director Office of Information Technology:
Although the IT inventory information for headquarters is being entered into FAS by an OIT staff and field information is being entered by field staff, Appendix A of EEOC Order 320.001, Management and Control of Accountable Personal Property, states that OCFOAS will be responsible for data entry of all inventory (See Page A-3, lc under Chapter II of the Order). Accordingly, the OCFOAS is the owner of FAS and is responsible for inventory data within FAS. Therefore, we believe that it is more appropriate for the OIG recommendation to be directed to OCFOAS instead of OIT.
Nevertheless, we do agree with OIG that accuracy of the Fixed Asset Subsystem needs to be improved… We plan to establish additional controls to periodically review FAS reports as well as conducting physical inventory checks against FAS reports.
The Office of Information Technology agrees that the accuracy of the FAS needs to be improved and plans to establish additional controls to periodically review the FAS reports, as well as conduct physical inventory checks against FAS reports. However, OIT maintains that since OCFOAS is the owner of the FAS, they are responsible for inventory data within FAS. OIG disagrees with OIT’s logic and finds ensuring that the results of the IT inventory are entered into the FAS is a shared responsibility between OCFOAS and OIT. This is especially true since the OCFOAS relies upon offices to submit complete and accurate personal property certification reports of all accountable property.
The Office of Field Programs (OFP) failed to verify that IT equipment purchased and shipped directly from the vendor to various Fair Employment Practices Agencies (FEPAs)(1) was received. Additionally, OFP failed to follow the agency’s bar coding policy for accountable property which requires that all accountable property be bar coded within ten (10) days. As a result, there are no assurances that property valued at $161,300 was received and is being properly accounted for at this time.
EEOC Order Number 320.001, Personal Property and Supply Management, Accountability and Control provides Agency policies and procedures pertaining to the general area of personal property management. This order also introduces an Integrated Financial Management System and the Fixed Asset Subsystem (FAS), for the accountability and physical control of all EEOC-owned personal property. On March 31, 2004, the CFO issued a Memorandum to Administrative Officers and Budget Analysts which updated business processes at the EEOC. This CFO memo requires that an EEOC Form 112-Delivery Receipt be prepared for all IT equipment, software, supplies, and services that have been shipped directly to the field by the vendor, where the purchase order originated in the Office of Information Technology (OIT).
Between September 2004 and October 2004, the Office of Field Programs purchased 96 computers at a cost of $161,300.00 for use in FEPA offices. Of the 96 computers, 92 were shipped directly from the vendor to the FEPA with the remaining four (4) being shipped to Headquarters, EEOC. OFP personnel provided OIG a copy of the consolidated invoice from the vendor identifying where the vendor had shipped the goods. However, they were unable to show proof that the various FEPAs had actually received the equipment. Also, there were no attempts made by OFP to contact the FEPA offices to verify that the purchased equipment had been received. Over two (2) months passed before OFP entered manufacturer’s serial numbers relating to this equipment purchase into the Fixed Asset System (FAS) and assigned bar code stickers for each computer. However, as of April 2005, the bar code stickers were still in Headquarters and had not been applied to the equipment because they were not certain that the computers having the serial numbers identified on the vendor invoice were actually located at the FEPA listed on the invoice.
OIG Recommends that the Director of Office of Field Programs:
Regarding the purchase of IT equipment for the FEPAs, there were some questions initially deciding ownership for the equipment. Until those questions were resolved, it was not appropriate to assign barcodes and put the equipment into our inventory. When the questions were resolved, a process was put into place to both assign and affix the barcodes and enter the information for the equipment in the Fixed Asset System (FAS).
With regard to entering the information into FAS, since OIT normally enters all serial numbers for computer equipment in the FAS for Headquarters, OFP did not have access to the system and members of the staff had not received training in the use of the system. However, after resolving the issue of ownership, OFP agreed to enter the information in FAS, but encountered a delay while obtaining access to the system and adequate training to ensure that we were entering the information correctly. Once we received access and completed the training, we immediately entered the information into FAS.
In furtherance of the recommendations in your draft report, we propose the following procedures for purposes of tracking subject equipment, which we believe address the issues contained in this report:
OIG Concurs.
FMFIA reports submitted to the Chair by Office Directors did not include information about deficiencies in controls that allowed IT equipment to be removed or stolen from EEOC Headquarters during FY 2004. As was noted earlier, IT property with an estimated value of $51,083 was reported missing/stolen between April 29, 2004 and September 28, 2004 on EEOC Form 629s, Report of Loss, Theft, or Incident, reviewed by OIG. Even though the EEOC Form 629s were completed, Office Directors made no mention of these property losses in their FY 2004 FMFIA submissions or identified steps they would take in the future to prevent such occurrences. As a result, the Chair was not provided reasonable assurance that management controls were effective in detecting losses or thefts of IT equipment in FY 2004. Further, although the dollar amount of the losses was not material and the failure to disclose the thefts may not have been intentional, the accuracy of the Agency’s report to the President and Congress is compromised.
Agency heads are required to establish controls that reasonably ensure that (i) obligations and costs comply with applicable laws; (ii) assets are safeguarded against waste, loss, unauthorized use or misappropriation and (iii) revenues and expenditures are properly recorded and accounted for. Each year, agency heads must evaluate and report on the effectiveness of their management control program to the President and Congress.
EEOC Order 240.005- EEOC Information Security Program clearly states that agency employees are responsible for protecting IT resources from unauthorized use or theft. Office Directors and the office’s designated System Security Officer are responsible for defining and establishing the appropriate levels of control needed to safeguard their office’s information systems and IT resources.
Additionally, EEOC’s Chief Operating Officer issued a memo to Headquarters and Field Directors reminding them of their responsibilities for ensuring the security and accountability of IT equipment, in May 2004. Further, examples of specific internal controls were provided along with the requirement to report missing, lost or stolen IT equipment through the use of EEOC Form 629-Report of Loss, Theft, or Incident. In October 2004, the Chief Financial Officer followed up with a memo providing a refresher on timely reporting of loss, theft or incidents involving property, as well as staffs responsibility to ensure effective internal controls are in place to safeguard the agency’s IT equipment.
During FY 2004, there were four (4) incidents reported involving missing or stolen IT equipment. The chart below provides specific details relating to these incidents. Also, as indicated in the chart, none of the incidents were reported as deficiencies in the functional area reports submitted to support the Chair’s FY 2004 Assurance Statement to the President and Congress.
Chart 1- Summary of EEOC Forms 629- Reports of Loss, Theft or Incident Relating to IT Equipment Submitted During FY 2004
| Item Reported Missing | Date Item Reported Missing |
Item Missing by: |
Office Reporting Loss |
Estimated Value |
Serial #No. |
Item Noted in FY 2004 FMFIA |
|---|---|---|---|---|---|---|
(1) Ikegami HL-V75W Digital Camera Recorder and Travel Case |
9/10/2004 |
Theft |
OIT |
$25,000.00 |
LB1433 |
NO |
(1) View Sonic 17" LCD Monitor w/Speakers & Removable Stand, Model # VG710. |
9/23/2004 |
Loss |
OIT |
$519.00 |
AZW 642401713 |
NO |
(13) Cisco Catalyst 2950C-24 Network Switch, 24 (port) 10/100 and 2 (ports) 100 Base_FX uplink, Cisco Part # WS- 2950C-24 (est. Value $1,326.41 each) |
9/28/2004 |
Loss |
OIT |
$17,500.00 |
FOC0828X24A |
NO |
(4) Dell Latitude D600 Laptop Computers & (4) Optical Mouse Devices |
4/29/2004 |
Theft |
OFP |
$8,064.00 |
1- S/N: 6J86L31, |
NO |
In reviewing the EEOC Forms 629-Report of Loss, Theft, or Incident submitted during FY 2004 relating to missing/stolen IT equipment, we noted that two of the four forms submitted did not indicate that an administrative officer, supervisor or management official had been notified of the incident. These two incidents involved property having estimated combined values of $42,500. This may be an indication that supervisors/managers are not being informed of property losses and/or that internal controls are not being evaluated periodically by staff to support Office Director’s annual assurance statements to the Chair.
OIG compared the EEOC Forms 629-Report of Loss, Theft or Incident submitted during FY 2004 to the FY 2004 annual FMFIA reporting packages submitted by Office Directors to determine if any internal control weaknesses or deficiencies relating to the management of IT property had been disclosed. None of the FMFIA reporting packages submitted by Office Directors contained any details relating to lost, missing, or stolen IT property. However, the Chief Financial Officer (CFO) whose office has primary responsibility for property management did note that reported thefts in Headquarters and in some field offices were being investigated and that the adequacy of controls would be evaluated for improvement during FY 2005. However, the FMFIA report to the Chair clearly stated that “No deficiencies were identified” by Headquarters Offices or District Offices.
We recommend that all EEOC Office Directors for the FY 2006 FMFIA reporting cycle:
OCFOAS concurs with OIG’s recommendation that all EEOC Office Directors perform internal control reviews for IT equipment.
OIT agrees with the OIG on FMFIA reporting and that offices should report missing or stolen equipment on FMFIA reports. Even though OIT reported equipment missing they failed to include this information in their FMFIA reports for FY 2004. EEOC Order 195.001, Management Accountability and Controls section 8(e)(4) Identifying Deficiencies and Material weaknesses in Controls states:
“EEOC managers and staff are encouraged to identify and report deficiencies in management controls. Reporting deficiencies reflect positively in the agency’s commitment to recognize and address management areas of concern. In contrast, failure to report a known deficiency reflects adversely on offices and the agency as a whole."
Regarding, “IT Property Losses Not Included in FY 2004 FMFIA Reports to the Chair”, you indicate that the 2004 losses were not material and the loss may not have been intentional. Since the losses were not material, I do not believe that it necessarily follows that the Agency’s report to the President and Congress is compromised. Because the Chair probably would not have determined that this controls issue was material, even if it had been reported she would not have reported it to the President and Congress anyhow. Her report would therefore not have been “compromised’ by the absence of this information in the first place. I think that the nexus made in the report should be removed.
OIG disagrees and believes that the Chair should have at least been informed of the property losses and given an opportunity to make the decision on her own whether or not the information should be reported to the President and Congress. OMB Circular A-123, Management’s Responsibility for Internal Controls, section IV(B) Identification of Deficiencies states that agency employees and managers shall report control deficiencies to the next supervisory level, which will allow the chain of command structure to determine the relative importance of each deficiency.
Regarding the four Dell Latitude D600 Laptop Computers and four Optical Mouse Devices, which we did not report as deficiencies in the functional area reports submitted in support of the Chair’s FY 2004 Assurance Statement to the President and Congress, this equipment was not part of OFP’s equipment inventory. The equipment was OlT’s and was set up by them for OFP’s use in the OCLA conference room. The theft was reported to OlT.
In OIG’s opinion it would have been a good business practice for OFP to have included the stolen computer equipment in their FY 2004 functional area reports, especially since they were responsible for safekeeping of the equipment when the thefts occurred.
In their comments, OIT makes the statement “Had the OIG conducted an exit interview with OIT prior to the distribution of the draft report, many of the inaccuracies could have been discussed and issues clarified, Instead a meeting was conducted after the distribution of the draft report, at the request of OIT.”
OIG disagrees that there are many inaccuracies and stands by the information contained in this report. Further, OIG’s Senior Auditor met with the Director, Office of Information Technology on August 5, 2005 prior to releasing the Draft Report to the Chair. At that meeting, each finding was discussed with the OIT Director and OIG invited the OIT Director to contact our office if additional questions arose later or if they had issues with information in the report. OIT contacted OIG requesting a meeting to clarify a few issues in the report a few days later. A meeting was held on August 11, 2005 between OIT staff and OIG’s Senior Auditor. To ensure better communications OIG will provide draft reports to auditees in advance of formal Exit Conferences where affected Office Directors or their representatives must attend.
The Office of Management and Budget issued Circular Number A-50, Audit Follow up, to ensure that corrective action on audit findings and recommendations proceed as rapidly as possible. EEOC Order 192.002, Audit Follow up Program, implements Circular Number A-50 and requires that for resolved recommendations, a corrective action work plan should be submitted within 30 days of the final evaluation report date describing specific tasks and completion dates necessary to implement audit recommendations. Circular Number A-50 requires prompt resolution and corrective action on audit recommendations. Resolutions should be made within six months of final report issuance.
1. A Fair Employment Practices Agency is a state or local authority that investigates and resolves charges of employment discrimination filed under Title VII, ADA, and/or the ADEA and compatible state and /or local ordinances in partnership with the EEOC. There were a total of 92 FEPAs as of March 31, 2003. All FEPAs received PCs from the EEOC.
This page was last modified on August 9, 2006.
