WASHINGTON, DC 20570
September 27, 2001
I hereby submit the report titled Audit of Property Controls Over ADP Items, Report No. OIG-AMR-32-01-03. This audit was conducted to determine whether there were controls in place to safeguard automated data processing (ADP) items. This audit also: evaluated the Agency's property management systems against the Joint Financial Management Improvement Program (JFMIP) Property Management Systems Requirements; tested the accuracy of data in property management systems; and determined whether NLRB was in compliance with applicable laws, regulations, and Agency policies and procedures.
The Office of the Inspector General contracted with Cotton & Company LLP to conduct this audit. The accuracy of data in property management systems and the adequacy of controls over property were determined through testing performed at Headquarters and four Regional Offices.
Neither of the Agency's two property management systems met all 12 mandatory JFMIP general requirements for property management systems. The Asset Management Database (AMD) that monitors non-capitalized ADP equipment did not meet any JFMIP requirements and the Property Management Information System (PMIS) that tracks capitalized equipment did not meet 9 of 12 JFMIP requirements. Three of the requirements are not applicable because the Agency does not currently handle real property, such as land or buildings, or hazardous materials, but the systems should be capable of performing these functions. Information Technology Branch (ITB) officials stated that compensating controls outside the AMD system were developed for four other requirements.
The AMD contained a significant number of discrepancies for equipment at Headquarters and in Regional Offices visited. Discrepancies included missing bar codes, incorrect model numbers, incorrect serial numbers, and incorrect locations. We were, however, able to locate all equipment at Headquarters and most equipment in the Regional Offices.
Items in the PMIS report were missing many data elements necessary to track capitalized ADP items. These items include the serial numbers, descriptions that would allow equipment identification, and equipment location. Also we were unable to visually verify most equipment in the report because serial numbers and bar codes were not located on the outside of equipment and descriptions were general and did not include specific identifying information such as a manufacturer names and model numbers.
Surplus property practices observed increase the likelihood that equipment can be converted for personal gain without detection, and neither property management system met JFMIP requirements for property management throughout the entire asset life cycle. ITB officials stated that they have migrated from using Excel spreadsheets to an Access database and are developing a system using Standard Query Language, also known as SQL, that should address some property management issues.
These conditions are the result of obsolete systems and inadequate controls to ensure compliance with NLRB's Administrative Policy Circular 97-01 and Property Management Policies. These weaknesses increase the risk that lost or stolen property might not be identified and reported in a timely manner; reduce the integrity, reliability, accuracy, and completeness of the ADP equipment inventory; and decrease reliance that management can place on inventory records and reports.
We recommend that the Chief Information Officer (CIO) as ITB Chief:
1. In coordination with the Procurement and Facilities Branch (PFB), develop a consolidated property management system that includes all of the Agency's capitalized and non-capitalized property and complies with JFMIP mandatory requirements for such systems; and
2. Develop and implement comprehensive surplus property procedures implementing Federal policy for information technology equipment.
An exit conference was held on July 20, 2001, with the CIO and other ITB staff, PFB Assistant Chief, and Division of Operations-Management Deputy Assistant General Counsel to discuss findings and recommendations. A draft audit report was sent to the Director of Administration on August 3, 2001, for review and comment. The CIO responded that he agreed that a fully automated, life cycle system is preferable, and hopes that at some point technical and funding priorities will allow ITB to pursue it. He generally agreed with two of the three recommendations made in the draft report and will develop an action plan within 60 days of receiving the final report. The CIO's comments are presented in their entirety as an appendix to this report.
The Associate General Counsel for the Division of Operations-Management also submitted written comments. The CIO and Associate General Counsel disagreed with our recommendation to assess decentralizing data input separately from developing a consolidated property management system. We concurred and deleted this recommendation
Jane E. Altenhofen
The National Labor Relations Board (NLRB or Agency) administers the principal labor-relations law of the United States, the National Labor Relations Act of 1935, as amended. The Act is generally applied to all enterprises engaged in interstate commerce, including the United States Postal Service, but excluding some other governmental entities, as well as the railroads and the airline industry.
NLRB authority is divided by law and delegation. The five-member Board primarily acts as a quasi-judicial body in deciding cases on formal records. The General Counsel, like each Board Member, is appointed by the President and is responsible for issuing and prosecuting formal complaints in cases leading to Board decisions. The General Counsel has general supervision of NLRB's nationwide network of offices, through the Division of Operations-Management, and is responsible for the Division of Administration. Approximately 30,000 charges of unfair labor practices and 6,000 representation petitions are filed with NLRB each year.
The Joint Financial Management Improvement Program (JFMIP) is a joint undertaking of the U.S. Department of the Treasury, General Accounting Office, Office of Management and Budget, and Office of Personnel Management to improve financial management practices in Government. The JFMIP Program Management Office develops Federal financial management system requirements including the Property Management Systems Requirements which were issued in October 2000.
The Agency uses two systems to manage automated data processing (ADP) equipment. The Information Technology Branch (ITB) currently uses a contractor to provide comprehensive computer support services. This includes providing and maintaining the Asset Management Database (AMD) to monitor non-capitalized ADP property. The contractor is working on enhancing the AMD. ITB personnel maintained inventory records for non-capitalized ADP equipment on Excel spreadsheets. ITB stated that the Excel spreadsheets were the official system of record and thus are referred to as ITB's AMD throughout this report. The Procurement and Facilities Branch (PFB) uses the Property Management Information System (PMIS) for recording and maintaining NLRB's inventory of capitalized ADP property. The Agency has a $10,000 capitalization threshold.
In Fiscal Year (FY) 2001, the Agency was authorized 2,002 full time equivalents at: Headquarters; 3 Division of Judges Satellite Offices; and 32 regional, 3 sub-regional, and 16 resident offices (field offices). The Agency's FY 2001 appropriation was more than $216 million.
Most Agency employees have personal computer (PC) workstations consisting of a central processing unit, monitor, and printer. The PCs and local area network servers are connected to wide area networks that provide a communication linkage to the Headquarters' network. In FYs 1998 through 2000, NLRB spent approximately $7 million on capitalized and non-capitalized computer equipment. The Agency is on a 4-year ADP hardware replacement cycle and spent approximately $3 million in FY 2001.
Cotton & Company LLP conducted this audit to determine whether there were controls in place to safeguard ADP items. The entire asset life cycle consisting of planning, ordering, shipping, receiving, monitoring items on hand and in transit for repair, disposing of assets including excess property, and storing was reviewed.
Cotton & Company:
Conformance with JFMIP requirements and compliance with laws, regulations, and Agency policy and procedures was determined through interviewing appropriate management and technical personnel, reviewing supporting documentation, observing system activities, and testing controls.
Four Regional Offices and Headquarters were selected to test controls over non-capitalized ADP equipment and the accuracy of information in AMD. All 739 pieces of ADP equipment located in Region 22 (Newark), Region 9 (Cincinnati), Region 25 (Indianapolis), and Region 31 (Los Angeles) were tested against ITB records. A list of equipment in Regional Offices that was not included in the property records was compiled. At Headquarters, a random sample of 45 workstations consisting of 140 pieces of equipment was selected to test controls and verify whether equipment in the AMD was accurate. Forty-five workstations adjacent to the original sample with 118 associated pieces of equipment were traced to the AMD to determine whether AMD was complete, controls were in place, and data was accurate. Forty-seven out of 70 pieces of capitalized ADP equipment in the PMIS were tested in Headquarters. Capitalized ADP equipment consisted of a mainframe computer, file servers, and communications equipment.
This audit was performed in accordance with generally accepted government auditing standards during the period March through May 2001.
Neither the PMIS nor AMD met all mandatory JFMIP general requirements for property management systems; a significant number of discrepancies existed in both PMIS and AMD; and controls over surplus property and monitoring of equipment need strengthening.
These conditions are the result of obsolete systems and inadequate controls to ensure compliance with NLRB's Administrative Policy Circular 97-01 and property management policies. These weaknesses increase the risk that lost or stolen property might not be identified and reported in a timely manner; reduce the integrity, reliability, accuracy, and completeness of the ADP equipment inventory; and decrease reliance that management can place on inventory records and reports.
NLRB COMPLIANCE WITH JFMIP PROPERTY MANAGEMENT SYSTEMS REQUIREMENTS
The PMIS and AMD systems did not meet JFMIP's mandatory general requirements for Property Management Systems (JFMIP-SR-00-4, dated October 2000). PMIS does not meet 9 of the 12 mandatory JFMIP general requirements, and AMD does not meet any of the 12 mandatory JFMIP general requirements. In addition, neither system was integrated with NLRB's financial and accounting systems as required by JFMIP and Office of Management and Budget Circular A-127. PMIS is an old system scheduled for replacement along with the Financial Management Information Accounting System. AMD is a contractor provided database currently undergoing modification.
The matrix below identifies PMIS and AMD compliance with each of the 12 JFMIP mandatory general requirements. We note that items 2, 9, and 11 are not applicable because the Agency does not currently handle real property, such as land or buildings, or hazardous materials, but the systems should be capable of performing these functions. At the exit conference, ITB stated that it has developed manual compensating controls outside of the AMD system to deal with items 3, 4, 5, and 7.
|JFMIP MANDATORY GENERAL REQUIREMENTS||PMIS||AMD|
|1. Record beginning balances, acquisitions, and withdrawals and calculate ending balances expressed in values and physical units, except for heritage assets and stewardship land for which all end-of-period balances are expressed in physical units only. (See Asset Life Cycle on page 8)||No||No|
|2. Capture the condition of the asset for heritage assets, stewardship land, national defense property, plant and equipment (PP&E), and general PP&E for which a condition assessment was performed. NLRB stated that it does not own or manage real property at this time.||No||No|
|3. Provide edits (controls) to prevent duplication and reduce the likelihood of creating erroneous property documents and records to ensure the integrity of data recorded in the system.||Yes||No|
|4. Permit only authorized users to enter, modify, or otherwise alter property records.||No||No|
|5. Provide an audit trail for entries to a property record, including identification of individuals entering or approving information and data.||No||No|
|6. Identify the type of transaction affecting the property item initial acquisition, change in location, and disposal. (See Asset Life Cycle on page 8)||Yes||No|
|7. Incorporate adequate security features that prevent unauthorized access to the property system by unauthorized individuals.||No||No|
|8. Enable the transfer of responsibility for property from one authorized manager to another authorized manager. (See Asset Life Cycle on page 8)||No||No|
|9. Capture real property information for GSA's worldwide inventory system as directed in Federal Property Management Regulation (FPMR) 102-84 (property management only). NLRB stated that it does not own or manage real property at this time.||No||No|
|10. Produce reports in accordance with user-defined criteria. Such reports may:
Provide property information to allow appropriate users to conduct an inventory of current holdings or any subset of those holdings at any time.
Allow users to access both summary data and more detailed data.
(See PMIS and AMD Data Accuracy on pages 6 and 7)
|11. Capture the fact that an environmental or hazardous substance is located on or contained within a property item, in accordance with 41 CFR 101-42.202. NLRB stated that it does not have property within this category.||No||No|
|12. Distinguish between capitalized property and expensed property tracked in the property management system.||No||No|
PMIS DATA ACCURACY
PMIS was missing many data elements necessary to track capitalized ADP equipment during the asset life cycle. PFB's Fixed Asset Report provided on April 16, 2001, identified 70 capitalized ADP items with a total acquisition value of $1,284,659. The table below identifies missing data elements or items containing a general description rather than specific information that would enable verification.
|Missing/General Data Elements||Number of|
|1. Equipment descriptions were often general, such as "File Server system w/Rack," rather than including manufacturer name and model number.||67|
|2. Missing serial number||16|
|3. Missing equipment location||6|
We tested 47 of the 70 items identified on the PFB Fixed Asset Report and could not verify 43 of them. The 43 items had an acquisition value of $812,683. We were unable to visually verify the information without causing possible network disruptions, because serial numbers are located internally within the equipment. Also, for each item that we were unable to verify, the report contained a general description rather than specific verifiable information and a bar code was not located on the exterior of the equipment, which would allow visual verification.
AMD DATA ACCURACY
ITB's controls and policies are not adequate to ensure that information is provided in a timely manner or that AMD is updated on a timely basis. ITB did not have a current, accurate, and complete listing of non-capitalized ADP equipment residing at Headquarters and in the Regional Offices, thus making equipment verification difficult. The Agency's non-capitalized equipment listing contained central processing units, monitors, and printers.
Although we identified significant discrepancies with data contained in AMD, as summarized in the following tables, we were able to locate all non-capitalized equipment at Headquarters and most equipment in the Regional Offices.
Tracing From AMD to Property
Tracing From AMD to Property
|Count of ADP Items Tested||140||100.00||118||100.00|
|Incorrect or Missing Bar Codes||25||17.86||26||22.03|
|Incorrect Model Number in AMD||32||22.86||33||27.97|
|Incorrect Serial Number in AMD||75||53.57||26||22.03|
|Incorrect Location in AMD||42||30.00||43||36.44|
|Equipment Not Found||0||0.00||0||0.00|
|Cincinnati Region 9||Newark Region 22||Indianapolis Region 25||Los Angeles Region 31|
|Count of ADP Items Tested||232||100.00||171||100.00||149||100.00||187||100.00|
|Incorrect or Missing Bar Codes||7||3.02||11||6.43||11||7.38||17||9.09|
|Incorrect Model Number in AMD||20||8.62||94||54.97||13||8.72||19||10.16|
|Incorrect Serial Number in AMD||3||1.29||15||8.77||10||6.71||1||.53|
|Incorrect Location in AMD||0||0||6||3.51||4||2.68||28||14.97|
|Equipment Not Found||1||0.43||7||4.09||3||2.01||2||1.07|
Regional Office personnel stated that they update their own records as soon as they receive equipment. The Regional Offices send an e-mail to ITB to notify ITB that the office received the equipment. ITB is responsible for updating the official records. The Regional Office personnel indicated that they could update ITB's records if they had access to ITB's spreadsheet or database.
SURPLUS EQUIPMENT DISPOSAL
When an ADP item is declared as surplus, ITB removes it from inventory, and the Regional Offices are to physically dispose of the property in accordance with NLRB APC 97-01. We noted, however, that two Regional Offices retained the property. Region 31 (Los Angeles) had 7 pieces of equipment and Region 9 (Cincinnati) had 9 pieces of equipment not recorded in the AMD. These were identified by the Regional Offices as surplus property that was being held indefinitely for emergency purposes. At Headquarters, equipment identified as surplus was not delivered to NLRB's warehouse for proper disposal in a timely manner in two instances. These practices increase the likelihood that equipment can be converted for personal gain without detection.
ASSET LIFE CYCLE
PMIS and AMD did not meet mandatory JFMIP Property Management Systems Requirements that allow property management throughout an asset's life cycle. NLRB could benefit from features that allow PMIS and AMD to track planned expenditures through the ordering and purchasing phases of an acquisition. NLRB does not have adequate monitoring controls to ensure that records are updated in a timely manner as equipment is moved from one location to another or slated for disposal and does not have a sound process to identify items that have been received. In addition, PMIS does not meet mandatory requirements for calculating depreciation, amortization, or depletion of capitalized assets to provide management with the necessary financial information to forecast future funding requirements and to identify equipment reaching obsolescence.
The Agency could benefit from monitoring acquisitions at an earlier stage of the process. Currently, purchase orders are submitted to PFB. PFB and ITB do not, however, maintain an automated process to identify the number or type of ADP equipment ordered or how many items have been shipped or received. The NLRB does not have the automated ability to track planned expenditures through the ordering, purchasing, and receiving phases. Through enhancements, AMD can provide the means for ITB and PFB to provide the automated process to track planned and ordered equipment.
We recommend that the Chief Information Officer (CIO) as ITB Chief:
1. In coordination with the PFB Chief, develop a consolidated property management system that includes all of the Agency's capitalized and non-capitalized property and complies with JFMIP mandatory requirements for such systems.
2. Develop and implement comprehensive surplus property procedures implementing Federal policy for information technology equipment.
The CIO responded that he agreed that a fully automated, life cycle system is preferable, and hopes that at some point technical and funding priorities will allow ITB to pursue it. We understand that the development of property controls needs to be scheduled in consideration of other priorities. However, the Agency spends approximately $3 million annually on ADP equipment that should be considered in setting the priority for this project.
Concerning the recommendation to assess decentralizing data input, the CIO noted that in addition to performing a cost-and-benefit analysis, verification and validation procedures would need to be developed. The Associate General Counsel for the Division of Operations-Management also commented on this recommendation. The Associate General Counsel stated that to ensure appropriate security controls, data integrity, and consistency that the data input function should be centralized in ITB. We concurred that these controls did not have to be developed separately from a consolidated property management system and deleted this recommendation.
The Associate General Counsel also stated that Regional Offices were instructed to keep some PCs to run software that is not compatible with newer computer equipment and to have equipment available for legal interns, co-ops, and volunteers. He noted, and we agree, that a comprehensive surplus property procedure should include procedures for retaining needed computer equipment.
UNITED STATES GOVERNMENT
National Labor Relations Board
TO: Jane E. Altenhofen
FROM: Louis B. Adams
Chief Information Officer
DATE: August 31, 2001
SUBJECT: Draft Report "Audit of Property Controls Over ADP Items"
We have reviewed the draft report, "Audit of Property Controls Over ADP Items" dated August 3, 2001.
During the last three years, the Information Technology Branch (ITB) has championed an IT modernization program. The program has included upgrades to telecommunications, servers, and desktops. As part of that program, we have developed processes and procedures to manage IT equipment inventory. Part of this process is automated. Much of it is not. Considering where we were three years ago, we were pleased that your audit was able to locate 100% of the items surveyed. We agree with your report that a fully automated, life cycle system is preferable, and we hope that at some point technical and funding priorities will allow us to pursue it. As to your specific recommendations, we submit the following comments for your consideration:
Recommendation 1: Develop a consolidated property management system that includes all of the Agency's capitalized and non-capitalized property and complies with JFMIP mandatory requirement for such systems.
Basically we agree with this recommendation. However, in our opinion, ITB and Procurement need to identify and document life cycle processes and procedures, analyze and streamline where necessary, before entertaining whether to build or buy a consolidated automation system. A cost benefit analysis may also be necessary to justify funding for such a project.
Recommendation 2: Perform a cost-and-benefit assessment of permitting direct electronic access to the property management database so appropriate Headquarters and field office personnel can update the database and manage property throughout the asset's life cycle.
There is more at issue than cost and benefit in determining whether Headquarters and field office personnel should update the database and manage property throughout the asset's life cycle. Of equal concern to ITB is that updated information be valid and verifiable. It was suggested in our discussion on August 14, 2001 that an audit trail within the database would serve this purpose. We believe that while an audit trail may help locate who is responsible for a particular action, if one were to discover equipment missing for example, it won't prevent it. A verification and validation procedure must be part of any system before the master database can be officially updated. Without this step, ITB and Procurement will lose control over the equipment for which they are ultimately responsible.
Recommendation 3: Develop and implement comprehensive surplus property procedures implementing Federal policy for IT equipment.
We agree with one addition. Disposition of software must also be addressed as well hardware. While regulations state that software that is no longer being used should be thrown away, this is not clear to points of contact.
Please contact Bette Mohr, ITB Customer Support Section Chief if you have any questions about these comments.
Cc: Gloria J. Joseph, Director of Administration
The General Counsel
Jim Paulsen, Assistant GC, Operations
Angela Crawford, Procurement and Facilities Branch Chief