^tDsr^
$ O
® J
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Operating efficiently and effectively
EPA Should Improve
Oversight of Mobile Phones
Report No. 20-P-0068
January 10, 2020
-------�
Report Contributors:
Michael Davis
Madhu Dev
Gloria Taylor-Upshaw
Abbreviations
CIO
Chief Information Officer
EPA
U.S. Environmental Protection Agency
FY
Fiscal Year
GAO
U.S. Government Accountability Office
MDA
Mobile Device Administrator
OARM
Office of Administration and Resources Management
OEI
Office of Environmental Information
OIG
Office of Inspector General
OITO
Office of Information Technology Operations
OMB
Office of Management and Budget
SOP
Standard Operating Procedure
Cover Photos: An EPA-issued mobile smartphone (center) and mobile phones at EPA
Region 4 (left and right). (EPA OIG photos)
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
^tDsrx
* Q \
\X!
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
20-P-0068
January 10, 2020
Why We Did This Project
We conducted this audit to
determine whether the
U.S. Environmental Protection
Agency (EPA) effectively
manages its mobile phones.
Per EPA Chief Information
Officer (CIO) Classification
No. 2150.4, Mobile Computing
Policy, the agency must
effectively manage mobile
resources to promote the
efficient spending of funds
allocated for information
technology needs. This policy
also requires that mobile
resources be monitored for
authorized and unauthorized
use, as well as be assessed to
establish controls.
The EPA's Office of Information
Technology Operations (OITO),
within the Office of Mission
Support, is responsible for
overseeing and implementing
CIO-2150.4 and the associated
Mobile Computing
Management Procedures
(CIO-2150.4-P-01.1).
This report addresses the
following:
• Operating efficiently and
effectively.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG WEBCOMMENTS@epa.gov.
List of OIG reports.
EPA Should Improve Oversight of Mobile Phones
What We Found
The EPA's OITO needs to improve its oversight of
mobile phones at the program office and regional
levels. Specifically, the OITO did not:
• Require justifications for mobile phone use.
• Determine whether the program and regional
offices had standard operating procedures in
place for the management of mobile phones.
• Confirm that the required acknowledgment forms were signed and completed
before processing mobile phone orders.
• Inform all agency mobile phone users about what types of calls do not count
toward the agency's monthly ceiling of mobile voice and data limits.
According to the OITO, the management of mobile phones is the responsibility of
each program office and region. However, CIO-2150.4 assigns oversight
responsibility to the OITO. While the OITO does email quarterly mobile phone
utilization reports to the program and regional offices, it does not verify whether
these offices monitor mobile phone use. As a result, the OITO is not
implementing or enforcing effective management over the agency's mobile
phones.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Mission Support:
1. Establish internal controls that implement the oversight responsibilities
outlined in CIO-2150.4-P-01.1.
The EPA was billed at
least $12,000 over 2 years
for unused mobile phone
services due to needed
improvements in mobile
phone oversight. These
funds could have been
put to better use.
2. Update the agency's mobile device intranet site to include information on the
types of calls that do not count against the EPA's monthly mobile voice and
data limits.
3. Update the utilization reports to track calls that do not count against the
EPA's monthly mobile voice and data limits to establish baseline information
and make subsequent improvements.
The EPA agreed with all recommendations and completed the corrective actions
for Recommendations 2 and 3. The EPA provided an acceptable planned
corrective action and estimated completion date for Recommendation 1, which is
resolved with corrective action pending.
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF
INSPECTOR GENERAL
January 10, 2020
MEMORANDUM
SUBJECT: EPA Should Improve Oversight of Mobile Phones
Report No. 20-P-0068
FROM: Charles J. Sheehan, Acting Inspector General
TO:
Donna Vizian, Principal Deputy Assistant Administrator
Office of Mission Support
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). The project number for this audit was OA&E-FY18-0290.
This report contains findings that describe the problems the OIG has identified and corrective actions the
OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the
final EPA position. Final determinations on matters in this report will be made by EPA managers in
accordance with established audit resolution procedures.
The EPA's Office of Mission Support is responsible for implementing the recommendations in this
report.
In accordance with EPA Manual 2750, your office completed acceptable corrective actions or provided
acceptable planned corrective actions with milestone dates in response to the OIG recommendations. All
recommendations are resolved, and no final response to this report is required. However, if you submit a
response, it will be posted on the OIG's website, along with our memorandum commenting on your
response. Your response should be provided as an Adobe PDF file that complies with the accessibility
requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should
not contain data that you do not want to be released to the public; if your response contains such data,
you should identify the data for redaction or removal along with corresponding justification.
We will post this report to our website at www.epa.gov/oig.
-------�
EPA Should Improve Oversight
of Mobile Phones
20-P-0068
Table of C
Chapters
1 Introduction 1
Purpose 1
Background 1
Responsible Office 3
Scope and Methodology 3
Prior Reports 5
2 EPA Needs to Improve Its Oversight of Mobile Phones 6
OMB and EPA Guidance Addresses Management's
Oversight Responsibilities 6
OITO Needs to Improve Oversight of Mobile Phones 7
EPA Missed Savings Opportunities 12
Recommendations 13
Agency Response and OIG Evaluation 13
Status of Recommendations and Potential Monetary Benefits 14
Appendices
A Agency Response to Draft Report 15
B Distribution 19
-------�
Chapter 1
Introduction
Purpose
The Office of Inspector General (OIG) of the U.S. Environmental Protection
Agency (EPA) conducted this audit to determine whether the EPA effectively
manages its mobile phones.
Background
The EPA was billed approximately $4.8 million in fiscal year (FY) 2017 and
approximately $5.6 million in FY 2018 for mobile phones and mobile phone
services.
Per EPA Chief Information Officer (CIO) Classification No. 2150.4, Mobile
Computing Policy, the agency must effectively manage mobile resources,
including mobile phones, to promote the efficient spending of funds allocated for
information technology needs. Mobile resources must be monitored for
unauthorized use.
Mobile Phone Orders
The EPA uses its web-based information system, eBusiness, to order Working
Capital Fund services and products via an online catalog.1 The agency's
eBusiness account managers, who are situated within each of the EPA's program
and regional offices, use the mobile device service in eBusiness to obtain mobile
phones for their "customers" (i.e., employees and contractors who use EPA-
issued mobile phones). Before a mobile phone can be ordered, a customer must
complete a Mobile Device Acknowledgement Form, which must then be
uploaded to eBusiness. An account manager in the customer's program office or
region approves the order and forwards it to the EPA's Mobile Device Business
Office for processing. Mobile Device Administrators (MDAs), who are appointed
to each EPA program office and region, are responsible for initializing and
personalizing mobile phones, delivering mobile phones to customers, and
disseminating information related to mobile phones.
Pooled Minute Plans
The EPA has mobile phone contracts with three national carriers that provide the
agency's service plans. Two of these carriers offer pooled minute plans, with
1 The Working Capital Fund is a revolving fund set up to manage common administrative services within the
agency. The fund typically operates as a commercial operation within the agency, meaning that program offices and
regions "purchase" and are charged for services from the fund.
20-P-0068
1
-------�
100- and 400-minute options for their users. Each user of these plans is assigned a
monthly voice minute allowance of either 100 minutes or 400 minutes. If any
users have unused monthly voice minutes, those minutes are pooled and shared
with other users who may have exceeded their monthly voice-minute allowance
(Figure 1).
Figure 1: Monthly pooled plan
Pooled
minutes
Unused
minutes
Source: OIG image
~
Overage
(minutes exceeded)
Agency Mobile Phone Use and Review
When mobile phones were first introduced, they were primarily used to make
voice calls. As a result, per the EPA, the agency's metrics to determine the
usefulness of mobile phones focused on voice minutes. As technology advanced,
the use of mobile phones shifted. The EPA said that most mobile phones assigned
to employees and contractors are now primarily used to access email, which is the
principal method of communication in the agency. However, the EPA said that it
still relies on voice metrics to review mobile phone use.
The EPA's Office of Information Technology Operations (OITO)2 compiles a
quarterly mobile phone utilization report, which it submits to the agency's
program offices and regions. The report identifies assigned mobile phones that:
1. Had 30 percent or less of their available voice minutes used in the quarter.
2. Have been active in the current year.
3. Exceeded the alloted limit for voice or data use in the quarter.
4. Had no use in the quarter.
In addition to the above metrics, the OITO's utilization reports include the total
and average monthly use of voice minutes and data for that quarter. However, the
report identifies only the percentage of pooled plan voice minutes—and not the
pooled data—used.
2 On July 24, 2016, the EPA's Office of Environmental Information (OEI) realigned its offices to more efficiently
and effectively meet customer needs. As part of this realigmnent, the new OITO assumed the responsibilities
formerly assigned to the Office of Technology, Operations, and Planning.
20-P-0068
2
-------�
Responsible Office
The OITO, within the Office of Mission Support,3 implements and manages the
information technology infrastructure and information technology solutions for
the EPA. The OITO is also responsible for the assessment, operation,
administration and management of the agency's mobile phones.
Scope and Methodology
We conducted this audit from October 2018 to August 2019 in accordance with
generally accepted government auditing standards issued by the Comptroller
General of the United States. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objective. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objective.
To answer our objective, we reviewed the following directives, guidance, policies
and procedures related to the management of mobile phones:
1. Executive Order 13589, Promoting Efficient Spending, November 2011.
2. Office of Management and Budget (OMB) Memorandum M-16-17, OMB
Circular No. A-123, Management's Responsibility for Enterprise Risk
Management and Internal Control, July 15, 2016.
3. OMB Memorandum M-l 6-20, Category Management Policy 16-3:
Improving the Acquisition and Management of Common Information
Technology: Mobile Devices and Services, August 4, 2016.
4. EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing
Management Procedures, December 6, 2013.
5. EPA Classification No. CIO-2150.4, Mobile Computing Policy,
December 6, 2013.
6. EPA Employee Mobile Device Acknowledgement Form, October 2016.
3 Effective November 26, 2018, the OEI and the Office of Administration and Resources Management (OARM) were
merged to form the Office of Mission Support. We still refer to "OARM" and "OEI" as appropriate within this report
because the OARM and the OEI were in place during the scope of our audit.
20-P-0068
3
-------�
Based on the agency's parameters in its utilization reports, we defined three
categories of mobile phone use (Figure 2):
• No use. Any active registered mobile phone with no voice minutes used.
• Low use or under use. Any active registered mobile phone with
25 percent or less of its pooled plan voice minutes used.
• High use. Any active registered mobile phone with 200 percent or more of
its pooled plan voice minutes used.
Figure 2: Categories of use thresholds
mouse LOW USE OR UNDER USE HIGH USE
r 200% ^
or more of its
pooled voice
minutes
^ used IS
or less of its
pooled voice
minutes
used
voice
minutes
used r
Source: OIG image.
We identified a universe of 6,180 mobile phones active in FY 2017 and
6,301 mobile phones active in FY 2018. We compared data for each fiscal year
regarding use and did not note any significant anomalies across each program
office and region. We identified 68 mobile phones that had no voice minutes used
in FYs 2017 and 2018. We also reviewed phone numbers for duplication and did
not identify any significant issues. From the FY 2018 universe of active mobile
phones, we sampled 69 mobile phones—three from each program office and
region—to determine whether each device had a signed Mobile Device
Acknowledgement Form.
The EPA said that it no longer offers data-only plans to its employees, since the
cost to the agency is the same as mobile phone plans with voice and data. Also,
the mobile phone carriers no longer provide an option to acquire data-only
smartphones. The agency's five mobile phones with data-only plans were
deactivated in FY 2017. Therefore, we did not review mobile phones with data-
only plans in our audit.
We focused our audit on voice use because the agency's mobile phone metrics
focus on voice use. However, our findings apply to both voice and data services
because most agency mobile phones have both services activated.
We also interviewed staff from the Office of the Chief Financial Officer and the
Office of Mission Support to understand their roles and responsibilities as they
relate to the management of mobile phones. We surveyed MDAs from all
20-P-0068
4
-------�
23 program offices and regions to obtain an understanding of their internal
processes, roles and responsibilities for monitoring mobile phones.
Prior Reports
EPA OIG Report No. 12-P-0427. Office of Environmental Information Should
Strengthen Controls Over Mobile Devices, issued April 2012, found that
supervisors approved employee/contractor requests for mobile phones without
guidance on how to determine the need for a device. There were also either no or
ineffective procedures and controls for tracking and recovering mobile phones. In
addition, the OEI had not established controls to determine when to disconnect
phones; consequently, over a 6-month period in 2011, 68 OEI mobile phone users
did not use their mobile phones, incurring costs of about $29,360. This report
made three recommendations; the agency reported that all recommendations were
completed.
In May 2015, the U.S. Government Accountability Office (GAO) issued Report
No. GAO-15-431. Telecommunications: Agencies Need Better Controls to Achieve
Significant Savings on Mobile Devices and Services, which included findings
about and recommendations to the EPA. For example, the GAO found that the
EPA's two components with the highest number of phones did not include steps in
their mobile device procedures or plans to identify overused phones. To help the
agency effectively manage spending on mobile phones and services, the GAO
recommended that the EPA establish procedures to monitor and control spending.
The GAO reported that the EPA completed corrective action for that
recommendation.
20-P-0068
5
-------�
Chapter 2
EPA Needs to Improve Its Oversight
of Mobile Phones
The EPA's OITO needs to improve its oversight of mobile phones at the program
office and regional levels. We found that the OITO did not:
• Require program offices and regions to justify mobile phone use.
• Determine whether program offices and regions had standard operating
procedures (SOPs) in place to manage mobile phones.
• Determine whether existing SOPs included all EPA-required activities for
managing mobile phones.
• Confirm that signed Mobile Device Acknowledgment Forms were
uploaded to eBusiness before processing mobile phone orders.
• Provide information to agency mobile phone users about what types of
calls do not affect the agency's pooled minute plan.
EPA policy assigns responsibility for overseeing mobile phones to the OITO
Director and requires the agency to effectively manage its mobile resources.
However, the OITO said that managing mobile phones is the responsibility of each
program office and region. As a result, due to inadequate oversight of the agency's
mobile phones, the EPA was billed at least $12,000 from FY 2017 through
FY 2018 for unused mobile phone services. These funds could have been put to
better use. Also, without adequate information regarding monthly pooled plans,
agency users may not be using their mobile phones cost-effectively.
OMB and EPA Guidance Addresses Management's Oversight
Responsibilities
OMB Circular No. A-123, Management's Responsibility for Enterprise Risk
Management and Internal Control, states that managers are responsible for
compliance with relevant laws and regulations. Management is also responsible
for establishing and maintaining internal controls to achieve specific internal
control objectives related to operations, reporting and compliance. Management
must consistently apply these internal control standards to meet the internal
control objectives.
EPA Classification No. CIO-2150.4, Mobile Computing Policy, requires the
agency to effectively manage mobile resources to promote the efficient spending
of funds allocated for information technology needs. EPA Classification
No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures, assigns
20-P-0068
6
-------�
responsibility for overseeing the policy and procedures to the OITO Director.4
Specifically, the OITO Director oversees the program and regional offices'
development, maintenance and use of SOPs that support:
• Verifying and confirming accuracy of users' mobile device registrations
on a quarterly basis.
• Developing business case justifications for the issuance of mobile phones.
• Reporting mobile device business case justifications annually.
• Developing an upgrade and replacement schedule.
• Developing a process to determine appropriate consequences when
inappropriate use of a mobile device is detected.
• Monitoring mobile device data and cell use.
• Developing a process to review no-use mobile phones and business
justifications to determine whether a device should be terminated.
• Notifying users of the procedures to return their mobile phones.
• Verifying that mobile phones are used exclusively by authorized EPA
users for the performance of official agency business.
MDAs in each program office and region are responsible for having customers
sign the Mobile Device Acknowledgement Form, receiving and delivering mobile
phones to customers, and disseminating information related to mobile phones.
Additionally, the SOPs for Regions 5 and 7 require MDAs to conduct reviews of
mobile device use and provide written recommendations to senior management
regarding whether the phones and their services should be maintained or canceled.
OITO Needs to Improve Oversight of Mobile Phones
The EPA's OITO needs to improve its oversight of the implementation of
CIO-2150.4-P-01.1 throughout the agency. Specifically, the EPA needs to have
consistent procedures in place so that each device is properly justified, including
requiring that phones be ordered only after all the mandatory forms are
completed. In addition, the OITO should provide all mobile phone users with
guidance on using their phones cost-effectively.
Mobile Phone Justifications and Use Verifications
The OITO does not verify whether program offices and regions are justifying the
use of mobile phones. Additionally, the OITO does not require program offices and
regions to justify no-use mobile phones. In the quarterly emails it sends to transmit
the utilization reports, the OITO requests that the program offices and regions
provide justifications for "no-use" mobile phones. However, only some program
4 Per CIO-2150.4-P-01.1, the Director of the Office of Technology, Operations, and Planning within the OEI and the
Chief Technology Officer are responsible for overseeing the policy and implementation of the information in this
directive. However, due to the EPA's reorganization, all responsibilities formerly assigned to the Office of
Technology, Operations, and Planning Director are now assigned to the OITO Director.
20-P-0068
7
-------�
offices and regions respond to this request. The OITO relies on program offices and
regions to cancel or keep mobile phones active based on activity or business need.
Our audit identified 68 mobile phones that had no voice minutes used in
FYs 2017 and 2018. Based on discussions with MDAs, we determined that the
EPA did not monitor the voice use for eight of the 68 mobile phones. Table 1
provides details about these eight mobile phones.
Table 1: No voice-use mobile phones that were not monitored, FYs 2017-2018
Mobile
phone
Program office
Registration
number
Billed amount
Program office explanation
of why phone remained active
with no voice minutes used
FY 2017
FY 2018
1
Office of
International and
Tribal Affairs
R0581474
$840.79
$1,033.47
The office was unaware whether anyone had
spoken to the user about the phone during
FYs 2017 and 2018.
2
OARM
R0647577
425.24
471.21
The contractors assigned to these phones said
that they had reception issues inside the building,
so they stopped using and carrying the phones.
These phones were turned in and canceled.
3
R0647582
572.87
463.99
4
R0579672
840.79
1,033.47
The office said that it was not aware that these
phones were not actively used and did not have
justifications in FYs 2017 and 2018.
5
R0793809
868.02
1,280.33
6
Office of the Chief
Financial Officer
R0830346
365.82
927.27
The office said that the mobile phone registration
should have been but was not removed.
7
Office of Air and
Radiation
R0141919
452.15
497.79
The office said that this phone was turned in to
the property manager in February 2016. The EPA
could not explain why the phone continued to
incur charges in FYs 2017 and 2018 and why
eBusiness did not reflect that the phone was
turned in.
8
Office of
Enforcement and
Compliance
Assurance
R0124673
883.45
1,076.10
The office said that the phone was turned in at
some point and was then sanitized and ready to
be surplused in September 2018. However, the
phone had not been canceled in eBusiness.
Total
$5,249.13
$6,783.63
Grand Total
$12,032.76
Source: OIG analysis of the EPA's mobile phone data.
The agency was billed over $12,000 for voice and data services that were not used
because the EPA did not monitor these eight mobile phones. This lack of
monitoring is contrary to EPA policy, which requires offices and regions to
effectively manage mobile phones so that information technology funds are
properly used for current mobile phone needs.
Furthermore, the OITO does not require program offices and regions to verify the
high or low use of mobile phone voice minutes. Based on the responses we
received from the 23 MDAs we surveyed, eight program offices and regions did
not take steps to verify and monitor mobile phones with a high use of voice
minutes (Table 2). As noted in Chapter 1, we define a high-use mobile phone as
any active mobile phone with 200 percent or more of its pooled plan voice
minutes used in a fiscal year.
20-P-0068
8
-------�
Table 2: EPA explanation for inaction on high-use phones
Program office
or region
Explanation for inaction on high-use mobile phones
Office of the
Administrator
The MDA does not verify excessive use of voice minutes.
OEI *
The MDA does not verify excessive use because managers are responsible for
reviewing activity and taking appropriate action.
Office of General
Counsel
The MDA said that nothing is done for high use since the pooled plan balances
out the high- and low-use mobile phones.
OIG*
The MDA said that the Information Management Officer receives the agency's
quarterly utilization reports and then sends them to the deputies for review.
Region 1 *
The MDA said that the OITO has not yet requested action on high-use phones.
The MDA looks at each quarterly utilization report but has yet to request
justifications from regional staff. Per the MDA, once justifications are requested,
the MDA will begin acting on high-use phones.
Region 3 *
The MDA reviews the quarterly utilization report. The region has not seen
excess minutes on iPhones or cell phones, since all phones are part of a pooled
plan. If regional users exceed their portion, the excess is covered by others who
have the voice minutes to spare.
Region 5 *
The MDA surveyed staff in the region, who said that no action is taken on users
who are over 100% of their pooled minutes.
Region 10 *
The MDA does not take steps to address excessive minutes.
Source: OIG survey of EPA program office and regional management of mobile phones.
* The OIG concluded that these program offices and regions also did not have steps in their
SOPs to address monitoring for high-use mobile phones.
The OITO told us that it did not verify justifications for mobile phone use because
the management of mobile phones is the responsibility of each program office and
region. However, CIO-2150.4-P.01.1 outlines the oversight role that the OITO
has for mobile computing management. While the OITO provides quarterly
utilization reports to program offices and regions that show information about
no-, low- and high-use mobile phones, the OITO only requests—and does not
require—a response with justifications for no-use phones. Only four of the
23 MDAs told us that they respond to the OITO's requests to provide
justifications. In addition, the OITO does not request justifications for high-use
phones at all.
SOPs in Program Offices and Regions
Agency procedures require each program office and region to develop, maintain
and use its own SOP for managing mobile phones. However, the OITO did not
verify that the required SOPs existed and did not confirm that the SOPs
sufficiently addressed the oversight activities required for agencywide consistency.
CIO-2150.4-P-01.1 states that Senior Information Officials are responsible for
"[i]m pi em en ting these procedures within their organization" and that the OITO is
responsible for "[ojverseeing policy and the implementation of these procedures."
Based on our survey of 23 MDAs, we found that 11 program offices and regions
had no written SOPs for mobile phone management. Additionally, we identified
six program offices and regions that had SOPs that only partially addressed the
activities required by agency procedures. Two of the six SOPs did not include
20-P-0068
9
-------�
steps for monitoring mobile phone use, and two did not identify processes for
determining consequences if someone inappropriately uses a mobile phone. One
SOP had procedures only to determine who is eligible for a mobile phone.
Another covered only how to assign phones, review their use and dispose of them.
Table 3 identifies the status of the program and regional office SOPs.
Table 3: Status of EPA program office and regional SOPs for mobile phone
management
No SOPs
Partial SOPs
Complete SOPs
1. Office of the Administrator
1. OARM
1. Office of Enforcement and
2. Office of Air and Radiation
2. OIG
Compliance Assurance
3. Office of Chemical Safety and
3. Office of Water
2. OEI
Pollution Prevention
4. Region 1
3. Office of Land and
4. Office of the Chief Financial
5. Region 3
Emergency Management
Officer
6. Region 10
4. Office of Research and
5. Office of General Counsel
Development
6. Office of International and
5. Region 5
Tribal Affairs
6. Region 7
7. Region 2
8. Region 4
9. Region 6
10. Region 8
11. Region 9
Source: OIG analysis of program offices and regions surveyed.
During our discussions with program office and regional MDAs, six MDAs stated
that they follow policies and guidance from the OITO, such as CIO-2150.4 and
use of the Mobile Device Acknowledgment Form. However, following this policy
and guidance does not meet the requirement for each program office and region to
maintain its own SOP, as required by CIO-2150.4-P-01.1. Additionally, the OITO
did not determine whether program offices and regions had the required SOPs for
managing mobile phones.
Mobile Device Acknowledgement Forms in eBusiness Prior
to Ordering
The EPA requires employees who use a government-furnished mobile device to
sign the Mobile Device Acknowledgment Form. Nevertheless, the OITO's
Mobile Device Business Office issued mobile phones to users without signed
Mobile Device Acknowledgment Forms uploaded in eBusiness. The MDA is
responsible for confirming that each customer being issued a mobile phone signs
an acknowledgement form. The Mobile Device Acknowledgement Form
instructions state the following:
Starting December 5, 2016, eBusiness will require the new
"Employee Mobile Device Acknowledgement Form" for all new
mobile device orders, cancellations and change orders. The signed
Employee Mobile Device Acknowledgement Form must be
attached in eBusiness not only for a new order but also for
cancellations (returns) and change orders (transfer, upgrade or
20-P-0068
10
-------�
replacement of a device), before the eBusiness request will be
processed.
We organized the numbers for mobile phones by the 23 program and regional
offices and then randomly selected 69 mobile phones for our sample—three from
each program office and region—to determine whether eBusiness contained a
signed acknowledgment form for each device. We found that 10 of the 69 mobile
phones did not have a signed acknowledgement form in eBusiness before the
Mobile Device Business Office processed the order.
When we contacted the cognizant MDAs about the missing forms, they sent us
copies of the signed forms and uploaded them to eBusiness. However, the Mobile
Device Business Office should not have processed the orders for these 10 mobile
phones without the required form.
We identified three reasons why eBusiness may not contain completed forms:
• The customer was overlooked during the agencywide update of all mobile
phones.
• The MDA mistakenly uploaded a blank form instead of the user-signed
form.
• The orderer forgot to upload the signed form.
Ultimately, however, the OITO did not verify that the Mobile Device
Acknowledgement Forms were signed and uploaded in eBusiness before
processing the orders for program offices and regions.
Calls that Do Not Affect EPA's Pooled Minute Plans
The OITO did not track calls that do not affect the agency's pooled minute plans,
which would enable the agency to determine how many users do or do not take
advantage of cost-effective calls.
The following types of calls made from EPA-issued mobile phones do not count
against the plan minutes:
1. Calls made to other EPA-issued mobile phones with national carriers.
2. Calls made to phone numbers on the national carrier's Friends & Family
List. This list includes the EPA's audio-conferencing lines.
3. Calls made over Wi-Fi.
The OITO did not provide information to agency mobile phone users about these
types of calls that do not affect the agency's pooled minute plan. The OITO also
did not explain the different categories of calls on the intranet site it maintains to
notify mobile phone users about phone use and activities.
20-P-0068
11
-------�
Additionally, OITO staff said that they were unsure whether information about
the types of calls that do not count against the agency's pooled minutes plans was
provided to users. They also told us that their focus was to manage pooled plans
to make sure that the EPA did not exceed agencywide minute and data limits.
Therefore, the OITO's utilization report had not been updated to capture the types
of calls that do not count against EPA mobile device plans.
EPA Missed Savings Opportunities
The EPA missed an opportunity to better use at least $12,000 spent on unused
mobile phone voice and data services. The OITO's overreliance on the program
offices and regions to perform key oversight activities also resulted in the missed
opportunity to improve the agency's mobile phone program.
Some staff managing mobile phones believed that monitoring phone use is
unnecessary because the agency's pooled minutes plans compensate for
individual overages. While we agree that contracts enabling the shared use of
voice and data minutes can help limit the risk of incurring charges from overuse,
the EPA cannot rely on this feature of the plans in lieu of adequate oversight.
Furthermore, the OITO is required by agency procedures to oversee and verify
that the program offices and regions are monitoring the use of mobile phones, so
that the EPA does not pay for underused or inappropriately used mobile phones.
The OITO is also required by agency procedures to confirm that program offices
and regions have SOPs to manage mobile phones, so that the OITO can hold them
accountable for charges for no-use and low-use mobile phones. Consequently, the
agency has not met the requirement for effective management controls over EPA
mobile phones.
Without information regarding mobile phone use—both data and voice—that
does not affect monthly pooled plans, users are not given the opportunity to use
their mobile phones efficiently. The agency said that even though a mobile phone
may be identified as low-use, it may actually be used regularly in ways that do not
count toward monthly ceilings. Therefore, low-use mobile phones may not point
to a problem but could be an indicator that the EPA should review whether use
appears to be abnormal for any potential savings. However, because the OITO
does not track use that does not count toward plan limits, it cannot determine
whether some no-use and low-use phones are being used optimally. Specifically,
if the OITO does not track "Friends and Family" calls, calls made to other EPA-
issued mobile phones with national carriers, or Wi-Fi calls, the EPA may not be
accurately determining actual use by mobile phone users.
20-P-0068
12
-------�
Recommendations
We recommend that the Assistant Administrator for Mission Support:
1. Establish internal controls that implement the oversight responsibilities in
EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing
Management Procedures, and thus reduce agency risk.
2. Update the mobile device intranet site to include information on the types
of calls that do not count against the EPA's monthly plan limits.
3. Update utilization reports to track voice and data use that does not count
toward monthly mobile phone plan limits, establish a baseline of this cost-
effective use, and make subsequent improvements in how agency users
can cost-effectively use their mobile phones.
Agency Response and OIG Evaluation
The EPA concurred with all three recommendations.
For Recommendation 1, the Office of Mission Support initially stated that the
agency completed corrective action in May 2019. However, we found that the
corrective action had not been completed. On January 8, 2020, the EPA provided
us with an updated estimated completion date of February 29, 2020, for creating
controls that implement the oversight responsibilities in EPA Classification
No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures. The
proposed corrective action and planned completion date for Recommendation 1
satisfy the recommendation, and we consider the recommendation resolved with
corrective action pending.
In May 2019, the Office of Mission Support completed corrective action for
Recommendation 2. The office updated its mobile device intranet site to include
information on the types of calls that do not count against the EPA's monthly plan
minutes. We concur that the corrective action for Recommendation 2 is complete.
For Recommendation 3, the Office of Mission Support provided support on
January 8, 2020, that it updated the utilization reports to reflect voice and data use
that does not count toward monthly mobile phone plan limits. We concur that the
corrective action for Recommendation 3 is complete.
The complete agency response to the draft report is in Appendix A.
20-P-0068
13
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec.
No.
Page
No.
Subject
Status1
Action Official
Planned
Completion
Date
Potential
Monetary
Benefits
(in $000s)
1
13
Establish internal controls that implement the oversight
responsibilities in EPA Classification No. C10-2150.4-P-01.1,
Mobile Computing Management Procedures, and thus reduce
agency risk.
R
Assistant Administrator for
Mission Support
2/29/20
$12
2
13
Update the mobile device intranet site to include information on
the types of calls that do not count against the EPA's monthly
plan limits.
C
Assistant Administrator for
Mission Support
5/31/19
3
13
Update utilization reports to track voice and data use that does
not count toward monthly mobile phone plan limits, establish a
baseline of this cost-effective use, and make subsequent
improvements in how agency users can cost-effectively use their
mobile phones.
C
Assistant Administrator for
Mission Support
11/12/19
1 C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.
20-P-0068
14
-------�
Appendix A
Agency Response to Draft Report
$ *L UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
5 r^R-7 \ WASHINGTON. I).C. 20460
v 'V
*£ PRO**4-
OFFICE OF MISSION SUPPORT
MEMORANDUM
SUBJECT:
FROM:
TO:
Thank you for the opportunity to respond to the issues and recommendations in the subject audit
report. Following is a summary of the agency's overall position, along with its position on each
of the report recommendations. The agency concurs with the recommendations found in the
draft report and have provided corrective actions and completion dates. For your consideration,
we have included a Technical Comments Attachment to supplement this response.
AGENCY'S OVERALL POSITION
The Office of Mission Support concurs with the recommendations and have provided corrective
actions and completion dates.
AGENCY'S RESPONSE TO RKPORT RECOMMENDATIONS
No.
Recommendation
High Level Corrective Actions
Estimated
Completion
Date
I
Establish internal controls
that implement the
oversight responsibilities
in EPA Classification No.
CIO-2150.4-P-01.1,
Mobile Computing
Management Procedures.
Create controls that implement the oversight
responsibilities in EPA Classification No. CIO-
2150.4-P-01.1, Mobile Computing Procedures.
Completed
Response to Office of Inspector General Draft Report No. OA&E-FY 18-0290
"EPA Oversight of Mobile Phones Could Be Improved", dated August 23, 2019
Vaughn Noga, Chief Information Officer / 7 ~ 2-
and Deputy Assistant Administrator for Environmental Information
Michael D. Davis, Director
Efficiency Audits
Office of Audit and Evaluation
20-P-0068
15
-------�
and thus reduce agency
risk.
2
Update the mobile device
intranet site to include
information on the types of
calls that do not count
against the EPA's monthly
plan limits
Update the mobile device intranet site to
include information on the types of calls that
do not count against the EPA's monthly plan
limits
Completed
3
Update utilization reports
to track voice and data use
that does not count toward
monthly mobile phone
plan limits, establish a
baseline of this cost-
effective use, and make
subsequent improvements
in how agency users can
cost-effectively use their
mobile phones.
Update utilization reports to track voice and
data use not counted toward monthly mobile
phone plan limits, establish baseline of cost
effective use and make improvements in how
agency users can cost effectively use mobile
phones.
December
2019
CONTACT INFORMATION
If you have any questions regarding this response, please contact Marilyn Armstrong, Audit
Follow-up Coordinator, Office of Mission Support, on 202-564-1876.
Attachments
Cc: Madhu Dev
Gloria Taylor-Upshaw
Sherri Anthony
Annette Morant
Brittany Wilson
Erin Collard
Dan Coogan
Janice Jablonski
Marilyn Armstrong
Brian Epley
David Updike
Brenda Young
Liza Hearns
Thomas Reilly
Lynsey Lanier
20-P-0068
16
-------�
Corrective Action Technical Comments
Title of Audit: "EPA Oversight of Mobile Phones Could Be Improveddated
August 23, 2019
No
Recommendati
on
Technical Comments
Estimated
Completi
on Date
1
Establish
internal
controls that
implement the
oversight
responsibilities
in EPA
Classification
No. CIO-
2150.4-P-01.1,
Mobile
Computing
Management
Procedures,
and thus
reduce agency
risk.
The Office of the Chief Information Officer (CIO) has
controls in place to ensure the agency does not provision or
charge for an unauthorized mobile device. An example of
this control is the acknowledgement form within eBusiness.
As per CIO 2150.4-P-01.1, the Agency Senior Information
Officials are responsible for authorizing mobile devices and
notifying the Office of the Chief Information Officer when
devices are no longer authorized or necessary. Therefore,
program and local Senior Information Officials are
responsible for justification of mobile devices and
monitoring of the usage of mobile devices within their
respective organizations.
As part of our regular policy and procedures review cycle,
the Office of the Chief Information Officer updates policies
and procedures to further clarify the Program and Senior
Information Official oversight responsibilities. The Chief
Information Officer communicates to all Senior
Information Officials and Information Management
Officers to ensure they understand their responsibilities and
implement standard procedures for all CIO directives
including mobile devices.
No additional internal controls are necessary at this time.
] 'inolovec !vl
May
2019
2
Update the
mobile device
intranet site to
include
information on
the types of
calls that do
not count
against the
EPA's
monthly plan
limits
Update the mobile device intranet site, Working Capital
Fund catalog and memo for the quarterly review of devices
have been updated to include information on the types of
calls that do not count against EPA monthly plan minutes.
, * s - r imnet Site
!.'¦¦¦¦ landing Pooled and * = \ • *
on".- ' -business.epa.sjov/el " m • . • • .taloa.extendedinfo&oi
' i i( e 2?^
May
2019
3
Update
utilization
reports to track
In response to the discussion draft in May 2019, Utilization
reports will be updated to reflect the voice and data use that
does not count toward monthly mobile phone plan limits.
Decembe
r 2019
20-P-0068
17
-------�
voice and data
use that does
not count
toward
monthly
mobile phone
plan limits,
establish a
baseline of this
cost-effective
use, and make
subsequent
improvements
in how agency
users can cost-
effectively use
their mobile
phones.
Additional reference documents have been added such as
the Understanding Pooled and Voice Data usage and MD
Billing FAQs have also been uploaded to the eBusiness
service page to assist programs in effectively providing
oversight of mobile devices.
Mc ces Utilization Report
Un ig Pooled and Voice Data Usage
ML/ i uiiing i'AQ
20-P-0068
18
-------�
Appendix B
Distribution
The Administrator
Assistant Deputy Administrator
Associate Deputy Administrator
Chief of Staff
Deputy Chief of Staff
Assistant Administrator for Mission Support
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Director, Office of Continuous Improvement, Office of the Administrator
Principal Deputy Assistant Administrator for Mission Support
Associate Deputy Assistant Administrator for Mission Support
Deputy Assistant Administrator for Administration and Resources Management, Office of
Mission Support
Deputy Assistant Administrator for Environmental Information and Chief Information Officer,
Office of Mission Support
Director, Office of Resources and Business Operations, Office of Mission Support
Director, Office of Information Technology Operations, Office of Mission Support
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Mission Support
20-P-0068
19
-------� |