At a Glance: Improved Internal Controls Needed in the Gulf of Mexico Program Office


tfED STAf.
*. U.S. Environmental Protection Agency	13-P-0271
Office of Inspector General	May 30 2013
/ rn

\.o At a Glance
Why We Did This Review
The Gulf of Mexico is one of
the U.S. Environmental
Protection Agency's (EPA's)
Large Aquatic Ecosystem
programs. Due to its size and
rich biodiversity, the Gulf is
critically important for the
nation's environmental and
economic well-being. Recent
environmental disasters, such
as Hurricane Katrina and the
BP Deepwater Horizon oil spill,
have focused national attention
on the Gulf region.
Consequently, our objective
was to determine whether the
Gulf of Mexico Program Office
(GMPO) had established
effective internal controls over
program operations.
This report addresses the
following EPA Goal or
Cross-Cutting Strategy:
• Protecting America's waters.
Improved Internal Controls Needed In the
Gulf of Mexico Program Office
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
The full report is at:
www.epa.aov/oia/reports/2013/
20130530-13-P-0271.pdf
What We Found
Two of GMPO's performance measures are unrealistic in that they do not reflect
what the office was set up to achieve. The two unrealistic measures involve the
size of the hypoxic zone and the National Coastal Condition Report Index.
Further, one strategic objective (environmental education) is not being measured.
This occurred because GMPO had not performed an assessment of its strategic
objectives and performance measures, as required by governmentwide internal
control standards. As a result, some of the functions that GMPO performs are not
being properly measured and, thus, GMPO's resources might not be used in the
most efficient or effective way.
GMPO management did not ensure that its Local Area Network (LAN) was
secure, did not have primary information security controls in place, and did not
ensure the contractor met the security requirements in the LAN contract. This
occurred because the GMPO's former Acting Director was not trained on and
therefore not technically knowledgeable of federal and agency IT security
requirements. As a result, GMPO's LAN is vulnerable to individuals and groups
with malicious intentions, and EPA has not received the full benefit of the
$749,755 paid over 4 years for LAN security services.
The GMPO Web page displayed inaccurate data for over 18 months. GMPO did
not perform a review of the content before posting, use a Content Manager to
review the content, or follow EPA's Web governance policies or content review
procedures. This occurred because GMPO personnel were not aware of the EPA
Web governance policies or content review procedures. Because information
posted on EPA's Web pages is accessed by the public, inaccurate data can
negatively impact EPA's credibility.
Recommendations and Planned Agency Corrective Actions
We recommend that GMPO conduct a risk assessment of its strategic objectives
and measures, and work with the Office of Water to adjust those measures as
needed to accurately reflect GMPO's mission. We recommend that GMPO and
Region 4 officials correct the LAN security controls deficiencies. We also
recommend that GMPO complete actions to establish an office Web content
review process. Further, we recommend that the Office of Environmental
Information address LAN deficiencies and, along with the Office of External
Affairs and Environmental Education, monitor GMPO Web actions. EPA agreed
with 12 of our 13 recommendations and proposed a satisfactory alternative
corrective action for the remaining recommendation.

-------