U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
09-P-0226
August 31, 2009
Catalyst for Improving the Environment
Why We Did This Review
This review, conducted by
KPMG, LLP, on behalf of the
Office of Inspector General,
sought to evaluate the quality and
integrity of data that resides in
the U.S. Environmental
Protection Agency's (EPA's)
Enforcement and Compliance
History Online (ECHO) system.
Background
ECHO provides integrated
compliance and enforcement
information for approximately
800,000 regulated facilities
nationwide. ECHO allows users
to find inspection, violation,
enforcement action, informal
enforcement action, and penalty
information about facilities for
the past 3 years. ECHO contains
information for the facilities
regulated under the following
environmental statutes: Clean
Air Act Stationary Source
Program, Clean Water Act
National Pollutant Discharge
Elimination System, and
Resource Conservation and
Recovery Act.
For further information,
contact our Office of
Congressional, Public Affairs and
Management at (202) 566-2391.
To view the full report,
click on the following link:
www.epa.gov/oig/reports/2009/20090831-09-P-0226.pdf
ECHO Data Quality Audit - Phase I Results:
The Integrated Compliance Information System
Needs Security Controls to Protect Significant
Non-Compliance Data
What KPMG Found
End users of the Permit Compliance System and Integrated Compliance
Information System National Pollutant Discharge Elimination System
(ICIS-NPDES) can override the Significant Non-Compliance (SNC) data field
without additional access controls. This occurs because EPA has not
implemented database security features to restrict access to this field. Further,
the ICIS-NPDES database edit checks do not prevent access to the SNC field.
As a result, users can change original data without authorization, which could
directly affect ICIS-NPDES data made available to the public via ECHO.
Other than the above weakness, KPMG noted that EPA implemented many
effective processes designed to populate the Integrated Data for Enforcement
Analysis (IDEA) database, which the ECHO system uses to create reports for
its users. KPMG noted that many of the EPA systems that feed data to IDEA
have front-end edit checks designed to help ensure data quality. Further,
KPMG noted that making data available through ECHO is a very complex
process that involves many data systems. KPMG noted that EPA has
developed a methodology to manage the States' data conversions. KPMG
noted that EPA's data mapping and system life-cycle documentation, data
migration tools, and lessons learned processes are effective in managing this
complex data conversion process.
What KPMG Recommends
The Director, Office of Compliance, Office of Enforcement and Compliance
Assurance (OECA), should implement database security features to limit the
end users' ability to change the SNC code in ICIS-NPDES.
On August 6, 2009, the EPA Office of Inspector General met with OECA to
provide a briefing report of KPMG's work to date and discuss the SNC code
finding. OECA provided informal comments on the finding. OECA plans to
explore additional options to restrict manual SNC code override in
ICIS-NPDES.