tfED STAf. *. U.S. Environmental Protection Agency 13-P-0271 Office of Inspector General May 30 2013 / rn \.o At a Glance Why We Did This Review The Gulf of Mexico is one of the U.S. Environmental Protection Agency's (EPA's) Large Aquatic Ecosystem programs. Due to its size and rich biodiversity, the Gulf is critically important for the nation's environmental and economic well-being. Recent environmental disasters, such as Hurricane Katrina and the BP Deepwater Horizon oil spill, have focused national attention on the Gulf region. Consequently, our objective was to determine whether the Gulf of Mexico Program Office (GMPO) had established effective internal controls over program operations. This report addresses the following EPA Goal or Cross-Cutting Strategy: • Protecting America's waters. Improved Internal Controls Needed In the Gulf of Mexico Program Office For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391. The full report is at: www.epa.aov/oia/reports/2013/ 20130530-13-P-0271.pdf What We Found Two of GMPO's performance measures are unrealistic in that they do not reflect what the office was set up to achieve. The two unrealistic measures involve the size of the hypoxic zone and the National Coastal Condition Report Index. Further, one strategic objective (environmental education) is not being measured. This occurred because GMPO had not performed an assessment of its strategic objectives and performance measures, as required by governmentwide internal control standards. As a result, some of the functions that GMPO performs are not being properly measured and, thus, GMPO's resources might not be used in the most efficient or effective way. GMPO management did not ensure that its Local Area Network (LAN) was secure, did not have primary information security controls in place, and did not ensure the contractor met the security requirements in the LAN contract. This occurred because the GMPO's former Acting Director was not trained on and therefore not technically knowledgeable of federal and agency IT security requirements. As a result, GMPO's LAN is vulnerable to individuals and groups with malicious intentions, and EPA has not received the full benefit of the $749,755 paid over 4 years for LAN security services. The GMPO Web page displayed inaccurate data for over 18 months. GMPO did not perform a review of the content before posting, use a Content Manager to review the content, or follow EPA's Web governance policies or content review procedures. This occurred because GMPO personnel were not aware of the EPA Web governance policies or content review procedures. Because information posted on EPA's Web pages is accessed by the public, inaccurate data can negatively impact EPA's credibility. Recommendations and Planned Agency Corrective Actions We recommend that GMPO conduct a risk assessment of its strategic objectives and measures, and work with the Office of Water to adjust those measures as needed to accurately reflect GMPO's mission. We recommend that GMPO and Region 4 officials correct the LAN security controls deficiencies. We also recommend that GMPO complete actions to establish an office Web content review process. Further, we recommend that the Office of Environmental Information address LAN deficiencies and, along with the Office of External Affairs and Environmental Education, monitor GMPO Web actions. EPA agreed with 12 of our 13 recommendations and proposed a satisfactory alternative corrective action for the remaining recommendation. ------- |