At a Glance: Office of Environmental Information Should Strengthen Controls Over Mobile Devices


STA?.
*. U.S. Environmental Protection Agency	12-P-0427
?	^ Offira of I ncnprtnr fi^noral	APril 25> 2012
^ (fcjl z Office of Inspector General
IS3Z2J
* At a Glance
Why We Did This Review
The U.S. Environmental
Protection Agency (EPA)
Office of Inspector General
(OIG) received a hotline
complaint regarding misuse of
mobile devices within the
Office of Environmental
Information (OEI). We
reviewed the effectiveness of
OEI's internal controls for
mobile devices issued to OEI
employees and contractors,
focusing on issuance,
disconnection, multiple
devices, inappropriate use, and
tracking and recovery.
Background
OEI provides technology
services for EPA, including
providing telecommunications
and other technologies to
support Agency activities.
Executive Order 13589, issued
on November 9, 2011, requires
agencies to assess device usage
and establish controls on
unused or underutilized
equipment or services, as well
as limit the number of
employee devices.
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
The full report is at:
www.e pa .qov/oiq/re ports/2012/
20120425-12-P-0427.pdf
Office of Environmental Information Should
Strengthen Controls Over Mobile Devices
What We Found
Although OEI is in the process of developing policies for domestic and
international mobile device usage, OEI has no organization-wide standard
operating procedures that explain responsibilities for OEI employees and
contractors regarding mobile devices. OEI currently does not have effective
controls for the five areas of concern noted in the hotline complaint: issuance,
disconnection, multiple devices, inappropriate use, and tracking and recovery.
We found that supervisors approve employee/contractor requests for mobile
devices without guidance on determining the need for a device, and there is no
guidance on the frequency with which employees can upgrade a device after it
has been issued. OEI has also not established controls to determine when to
disconnect devices; over a 6-month period in 2011, 68 OEI employees had zero
usage of their mobile devices, incurring costs of about $29,360. Moreover, OEI
managers tend not to be concerned about employees having multiple devices, and
we found that eBusiness does not correctly reflect the number of devices issued
to employees. Therefore, EPA may be paying for service on mobile devices that
are not used. In addition, we found that one OEI employee and one OEI
contractor made costly personal international phone calls. Finally, procedures and
controls for tracking and recovering mobile devices are missing or ineffective.
What We Recommend
We recommend that OEI implement standard operating procedures for each step
of the mobile device process to cover all aspects of issuance, disconnection,
multiple devices, inappropriate use, and tracking and recovery. We also
recommend that OEI follow up with OEI employees and contractors to determine
business case justifications for users of multiple devices, and take appropriate
action on unauthorized calls identified in the sample we reviewed. Lastly, we
recommend that OEI finalize Agency-wide draft domestic and international
mobile device procedures and develop other Agency-wide procedures as
necessary. OEI concurred with the majority of our recommendations and
described planned actions to address our recommendations. Our
recommendations remain open pending OEI's corrective action plan with
milestone dates, as well as additional specificity from OEI on monitoring
inappropriate device usage.

-------