U.S. Environmental Protection Agency
Office of Inspector General

At a Glance

19-P-0278
August 19, 2019

Why We Did This Project

The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) conducted this audit in response to an anonymous hotline complaint. We sought to determine whether the EPA followed documented policies and procedures for providing information technology (IT) software under the Working Capital Fund (WCF). Specifically, we reviewed how the EPA managed a project to implement an Enterprise Customer Service Solution (ECSS)/Customer Relationship Management system.

The WCF provides a centralized source for administrative and support services for the EPA. The ECSS is a WCF application to host the EPA's Frequently Asked Questions and inquiries from the agency's public website. Since the ECSS is an IT investment, it must meet System Life Cycle Management (SLCM) and Capital Planning and Investment Control policies and procedures.

This report addresses the following:

• Operating efficiently and effectively.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

EPA Oversight over Enterprise Customer Service Solution Needs Improvement

What We Found

The EPA did not implement key oversight activities for the ECSS to meet several agency software requirements. These activities included documenting the agency's business justification, having the required plans, and doing a user satisfaction review. Further, the ECSS was not classified into the correct IT investment category.

Office of Management and Budget memorandums describe the agency's management oversight responsibilities for information systems. The EPA SLCM policy and procedures provide a framework for system and project managers to tailor system life cycle management controls for information systems. The EPA Capital Planning and Investment Control policy and procedures identify the classification requirements for IT investments.

The problems we identified existed because the ECSS team did not have processes in place to:

• Transfer ownership during the responsible office's reorganization in 2016.
• Document delivery of the vendor's annual deliverables.
• Verify cloud service vendor compliance with mandatory federal IT security requirements.

In addition, the ECSS team did not identify and report that annual costs exceeded a $250,000 threshold, which would have placed the project into a different IT investment category with additional reporting requirements. This occurred because the Capital Planning and Investment Control team lacked a process to validate the costs for IT investments and the team did not complete the corrective action for a prior 2015 OIG audit recommendation.

Recommendations and Planned Agency Corrective Actions

We recommend that the Assistant Administrator for Mission Support verify that responsible personnel adhere to the agency's SLCM policy and procedures and implement needed internal controls. We also recommend implementing a process to verify that recording of costs is proper and make needed changes to project documentation.

The agency agreed with the recommendations and provided acceptable planned corrective actions to address Recommendations 1, 3 and 4, and we consider those recommendations resolved with corrective actions pending. The agency did not provide acceptable corrective actions to address Recommendations 2 and 6 and we consider them unresolved pending management's response to the final report. The agency also took the corrective action for Recommendation 5 and we consider that recommendation completed.

Ineffective project oversight limits the agency's ability to balance IT investments at the lowest cost while addressing agency needs.