^tDsrx
* Q \
\X!
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
19-P-0278
August 19, 2019
Why We Did This Project
The U.S. Environmental
Protection Agency's (EPA's)
Office of Inspector General
(OIG) conducted this audit in
response to an anonymous
hotline complaint. We sought to
determine whether the EPA
followed documented policies
and procedures for providing
information technology (IT)
software under the Working
Capital Fund (WCF).
Specifically, we reviewed how
the EPA managed a project to
implement an Enterprise
Customer Service Solution
(ECSS)/Customer Relationship
Management system.
The WCF provides a centralized
source for administrative and
support services for the EPA.
The ECSS is a WCF application
to host the EPA's Frequently
Asked Questions and inquiries
from the agency's public
website. Since the ECSS is an
IT investment, it must meet
System Life Cycle Management
(SLCM) and Capital Planning
and Investment Control policies
and procedures.
This report addresses the
following:
• Operating efficiently and
effectively.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG WEBCOMMENTS@epa.gov.
List of OIG reports.
EPA Oversight over Enterprise Customer
Service Soiution Needs Improvement
What We Found
The EPA did not implement key oversight
activities for the ECSS to meet several agency
software requirements. These activities included
documenting the agency's business justification,
having the required plans, and doing a user
satisfaction review. Further, the ECSS was not
classified into the correct IT investment category
Office of Management and Budget memorandums describe the agency's
management oversight responsibilities for information systems. The EPA SLCM
policy and procedures provide a framework for system and project managers to
tailor system life cycle management controls for information systems. The EPA
Capital Planning and Investment Control policy and procedures identify the
classification requirements for IT investments.
The problems we identified existed because the ECSS team did not have
processes in place to:
•	Transfer ownership during the responsible office's reorganization in 2016.
•	Document delivery of the vendor's annual deliverables.
•	Verify cloud service vendor compliance with mandatory federal IT security
requirements.
In addition, the ECSS team did not identify and report that annual costs
exceeded a $250,000 threshold, which would have placed the project into a
different IT investment category with additional reporting requirements. This
occurred because the Capital Planning and Investment Control team lacked a
process to validate the costs for IT investments and the team did not complete
the corrective action for a prior 2015 OIG audit recommendation.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Mission Support verify that
responsible personnel adhere to the agency's SLCM policy and procedures and
implement needed internal controls. We also recommend implementing a
process to verify that recording of costs is proper and make needed changes to
project documentation. The agency agreed with the recommendations and
provided acceptable planned corrective actions to address Recommendations 1,
3 and 4, and we consider those recommendations resolved with corrective
actions pending. The agency did not provide acceptable corrective actions to
address Recommendations 2 and 6 and we consider them unresolved pending
management's response to the final report. The agency also took the corrective
action for Recommendation 5 and we consider that recommendation completed.
Ineffective project
oversight limits the
agency's ability to balance
IT investments at the
lowest cost while
addressing agency needs.

-------