U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Operating efficiently and effectively

EPA Should Improve Oversight of Mobile Phones

Report No. 20-P-0068
January 10, 2020

Report Contributors:
Michael Davis
Madhu Dev
Gloria Taylor-Upshaw

Abbreviations
CIO    Chief Information Officer
EPA    U.S. Environmental Protection Agency
FY     Fiscal Year
GAO    U.S. Government Accountability Office
MDA    Mobile Device Administrator
OARM   Office of Administration and Resources Management
OEI    Office of Environmental Information
OIG    Office of Inspector General
OITO   Office of Information Technology Operations
OMB    Office of Management and Budget
SOP    Standard Operating Procedure

Cover Photos: An EPA-issued mobile smartphone (center) and mobile phones at EPA Region 4 (left and right). (EPA OIG photos)

Are you aware of fraud, waste or abuse in an EPA program?

EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov

EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oig

At a Glance

Why We Did This Project

We conducted this audit to determine whether the U.S. Environmental Protection Agency (EPA) effectively manages its mobile phones. Per EPA Chief Information Officer (CIO) Classification No. 2150.4, Mobile Computing Policy, the agency must effectively manage mobile resources to promote the efficient spending of funds allocated for information technology needs. This policy also requires that mobile resources be monitored for authorized and unauthorized use, as well as be assessed to establish controls.
The EPA's Office of Information Technology Operations (OITO), within the Office of Mission Support, is responsible for overseeing and implementing CIO-2150.4 and the associated Mobile Computing Management Procedures (CIO-2150.4-P-01.1).

This report addresses the following:
• Operating efficiently and effectively.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

EPA Should Improve Oversight of Mobile Phones

What We Found

The EPA's OITO needs to improve its oversight of mobile phones at the program office and regional levels. Specifically, the OITO did not:
• Require justifications for mobile phone use.
• Determine whether the program and regional offices had standard operating procedures in place for the management of mobile phones.
• Confirm that the required acknowledgment forms were signed and completed before processing mobile phone orders.
• Inform all agency mobile phone users about what types of calls do not count toward the agency's monthly ceiling of mobile voice and data limits.

According to the OITO, the management of mobile phones is the responsibility of each program office and region. However, CIO-2150.4 assigns oversight responsibility to the OITO. While the OITO does email quarterly mobile phone utilization reports to the program and regional offices, it does not verify whether these offices monitor mobile phone use. As a result, the OITO is not implementing or enforcing effective management over the agency's mobile phones.

The EPA was billed at least $12,000 over 2 years for unused mobile phone services due to needed improvements in mobile phone oversight. These funds could have been put to better use.

Recommendations and Planned Agency Corrective Actions

We recommend that the Assistant Administrator for Mission Support:
1. Establish internal controls that implement the oversight responsibilities outlined in CIO-2150.4-P-01.1.
2. Update the agency's mobile device intranet site to include information on the types of calls that do not count against the EPA's monthly mobile voice and data limits.
3. Update the utilization reports to track calls that do not count against the EPA's monthly mobile voice and data limits to establish baseline information and make subsequent improvements.

The EPA agreed with all recommendations and completed the corrective actions for Recommendations 2 and 3. The EPA provided an acceptable planned corrective action and estimated completion date for Recommendation 1, which is resolved with corrective action pending.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

January 10, 2020

MEMORANDUM

SUBJECT: EPA Should Improve Oversight of Mobile Phones
         Report No. 20-P-0068
FROM:    Charles J. Sheehan, Acting Inspector General
TO:      Donna Vizian, Principal Deputy Assistant Administrator
         Office of Mission Support

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). The project number for this audit was OA&E-FY18-0290. This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The EPA's Office of Mission Support is responsible for implementing the recommendations in this report.

In accordance with EPA Manual 2750, your office completed acceptable corrective actions or provided acceptable planned corrective actions with milestone dates in response to the OIG recommendations. All recommendations are resolved, and no final response to this report is required.
However, if you submit a response, it will be posted on the OIG's website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification.

We will post this report to our website at www.epa.gov/oig.

EPA Should Improve Oversight of Mobile Phones

Table of Contents

Chapters
1 Introduction
    Purpose
    Background
    Responsible Office
    Scope and Methodology
    Prior Reports
2 EPA Needs to Improve Its Oversight of Mobile Phones
    OMB and EPA Guidance Addresses Management's Oversight Responsibilities
    OITO Needs to Improve Oversight of Mobile Phones
    EPA Missed Savings Opportunities
    Recommendations
    Agency Response and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits

Appendices
A Agency Response to Draft Report
B Distribution

Chapter 1
Introduction

Purpose

The Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA) conducted this audit to determine whether the EPA effectively manages its mobile phones.

Background

The EPA was billed approximately $4.8 million in fiscal year (FY) 2017 and approximately $5.6 million in FY 2018 for mobile phones and mobile phone services. Per EPA Chief Information Officer (CIO) Classification No. 2150.4, Mobile Computing Policy, the agency must effectively manage mobile resources, including mobile phones, to promote the efficient spending of funds allocated for information technology needs. Mobile resources must be monitored for unauthorized use.
Mobile Phone Orders

The EPA uses its web-based information system, eBusiness, to order Working Capital Fund services and products via an online catalog.[1] The agency's eBusiness account managers, who are situated within each of the EPA's program and regional offices, use the mobile device service in eBusiness to obtain mobile phones for their "customers" (i.e., employees and contractors who use EPA-issued mobile phones). Before a mobile phone can be ordered, a customer must complete a Mobile Device Acknowledgement Form, which must then be uploaded to eBusiness. An account manager in the customer's program office or region approves the order and forwards it to the EPA's Mobile Device Business Office for processing.

Mobile Device Administrators (MDAs), who are appointed to each EPA program office and region, are responsible for initializing and personalizing mobile phones, delivering mobile phones to customers, and disseminating information related to mobile phones.

Pooled Minute Plans

The EPA has mobile phone contracts with three national carriers that provide the agency's service plans. Two of these carriers offer pooled minute plans, with 100- and 400-minute options for their users. Each user of these plans is assigned a monthly voice minute allowance of either 100 minutes or 400 minutes. If any users have unused monthly voice minutes, those minutes are pooled and shared with other users who may have exceeded their monthly voice-minute allowance (Figure 1).

[1] The Working Capital Fund is a revolving fund set up to manage common administrative services within the agency. The fund typically operates as a commercial operation within the agency, meaning that program offices and regions "purchase" and are charged for services from the fund.
Figure 1: Monthly pooled plan (image labels: pooled minutes, unused minutes, overage (minutes exceeded)). Source: OIG image.

Agency Mobile Phone Use and Review

When mobile phones were first introduced, they were primarily used to make voice calls. As a result, per the EPA, the agency's metrics to determine the usefulness of mobile phones focused on voice minutes. As technology advanced, the use of mobile phones shifted. The EPA said that most mobile phones assigned to employees and contractors are now primarily used to access email, which is the principal method of communication in the agency. However, the EPA said that it still relies on voice metrics to review mobile phone use.

The EPA's Office of Information Technology Operations (OITO)[2] compiles a quarterly mobile phone utilization report, which it submits to the agency's program offices and regions. The report identifies assigned mobile phones that:
1. Had 30 percent or less of their available voice minutes used in the quarter.
2. Have been active in the current year.
3. Exceeded the allotted limit for voice or data use in the quarter.
4. Had no use in the quarter.

In addition to the above metrics, the OITO's utilization reports include the total and average monthly use of voice minutes and data for that quarter. However, the report identifies only the percentage of pooled plan voice minutes—and not the pooled data—used.

[2] On July 24, 2016, the EPA's Office of Environmental Information (OEI) realigned its offices to more efficiently and effectively meet customer needs. As part of this realignment, the new OITO assumed the responsibilities formerly assigned to the Office of Technology, Operations, and Planning.

Responsible Office

The OITO, within the Office of Mission Support,[3] implements and manages the information technology infrastructure and information technology solutions for the EPA. The OITO is also responsible for the assessment, operation, administration and management of the agency's mobile phones.
Scope and Methodology

We conducted this audit from October 2018 to August 2019 in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

To answer our objective, we reviewed the following directives, guidance, policies and procedures related to the management of mobile phones:
1. Executive Order 13589, Promoting Efficient Spending, November 2011.
2. Office of Management and Budget (OMB) Memorandum M-16-17, OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, July 15, 2016.
3. OMB Memorandum M-16-20, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services, August 4, 2016.
4. EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures, December 6, 2013.
5. EPA Classification No. CIO-2150.4, Mobile Computing Policy, December 6, 2013.
6. EPA Employee Mobile Device Acknowledgement Form, October 2016.

[3] Effective November 26, 2018, the OEI and the Office of Administration and Resources Management (OARM) were merged to form the Office of Mission Support. We still refer to "OARM" and "OEI" as appropriate within this report because the OARM and the OEI were in place during the scope of our audit.

Based on the agency's parameters in its utilization reports, we defined three categories of mobile phone use (Figure 2):
• No use. Any active registered mobile phone with no voice minutes used.
• Low use or under use. Any active registered mobile phone with 25 percent or less of its pooled plan voice minutes used.
• High use. Any active registered mobile phone with 200 percent or more of its pooled plan voice minutes used.

Figure 2: Categories of use thresholds (no use, low use or under use, high use). Source: OIG image.

We identified a universe of 6,180 mobile phones active in FY 2017 and 6,301 mobile phones active in FY 2018. We compared data for each fiscal year regarding use and did not note any significant anomalies across each program office and region. We identified 68 mobile phones that had no voice minutes used in FYs 2017 and 2018. We also reviewed phone numbers for duplication and did not identify any significant issues. From the FY 2018 universe of active mobile phones, we sampled 69 mobile phones—three from each program office and region—to determine whether each device had a signed Mobile Device Acknowledgement Form.

The EPA said that it no longer offers data-only plans to its employees, since the cost to the agency is the same as mobile phone plans with voice and data. Also, the mobile phone carriers no longer provide an option to acquire data-only smartphones. The agency's five mobile phones with data-only plans were deactivated in FY 2017. Therefore, we did not review mobile phones with data-only plans in our audit. We focused our audit on voice use because the agency's mobile phone metrics focus on voice use. However, our findings apply to both voice and data services because most agency mobile phones have both services activated.

We also interviewed staff from the Office of the Chief Financial Officer and the Office of Mission Support to understand their roles and responsibilities as they relate to the management of mobile phones. We surveyed MDAs from all 23 program offices and regions to obtain an understanding of their internal processes, roles and responsibilities for monitoring mobile phones.

Prior Reports

EPA OIG Report No. 12-P-0427, Office of Environmental Information Should Strengthen Controls Over Mobile Devices, issued April 2012, found that supervisors approved employee/contractor requests for mobile phones without guidance on how to determine the need for a device. There were also either no or ineffective procedures and controls for tracking and recovering mobile phones. In addition, the OEI had not established controls to determine when to disconnect phones; consequently, over a 6-month period in 2011, 68 OEI mobile phone users did not use their mobile phones, incurring costs of about $29,360. This report made three recommendations; the agency reported that all recommendations were completed.

In May 2015, the U.S. Government Accountability Office (GAO) issued Report No. GAO-15-431, Telecommunications: Agencies Need Better Controls to Achieve Significant Savings on Mobile Devices and Services, which included findings about and recommendations to the EPA. For example, the GAO found that the EPA's two components with the highest number of phones did not include steps in their mobile device procedures or plans to identify overused phones. To help the agency effectively manage spending on mobile phones and services, the GAO recommended that the EPA establish procedures to monitor and control spending. The GAO reported that the EPA completed corrective action for that recommendation.

Chapter 2
EPA Needs to Improve Its Oversight of Mobile Phones

The EPA's OITO needs to improve its oversight of mobile phones at the program office and regional levels. We found that the OITO did not:
• Require program offices and regions to justify mobile phone use.
• Determine whether program offices and regions had standard operating procedures (SOPs) in place to manage mobile phones.
• Determine whether existing SOPs included all EPA-required activities for managing mobile phones.
• Confirm that signed Mobile Device Acknowledgment Forms were uploaded to eBusiness before processing mobile phone orders.
• Provide information to agency mobile phone users about what types of calls do not affect the agency's pooled minute plan.

EPA policy assigns responsibility for overseeing mobile phones to the OITO Director and requires the agency to effectively manage its mobile resources. However, the OITO said that managing mobile phones is the responsibility of each program office and region. As a result, due to inadequate oversight of the agency's mobile phones, the EPA was billed at least $12,000 from FY 2017 through FY 2018 for unused mobile phone services. These funds could have been put to better use. Also, without adequate information regarding monthly pooled plans, agency users may not be using their mobile phones cost-effectively.

OMB and EPA Guidance Addresses Management's Oversight Responsibilities

OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, states that managers are responsible for compliance with relevant laws and regulations. Management is also responsible for establishing and maintaining internal controls to achieve specific internal control objectives related to operations, reporting and compliance. Management must consistently apply these internal control standards to meet the internal control objectives.

EPA Classification No. CIO-2150.4, Mobile Computing Policy, requires the agency to effectively manage mobile resources to promote the efficient spending of funds allocated for information technology needs.

EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures, assigns responsibility for overseeing the policy and procedures to the OITO Director.[4] Specifically, the OITO Director oversees the program and regional offices' development, maintenance and use of SOPs that support:
• Verifying and confirming accuracy of users' mobile device registrations on a quarterly basis.
• Developing business case justifications for the issuance of mobile phones.
• Reporting mobile device business case justifications annually.
• Developing an upgrade and replacement schedule.
• Developing a process to determine appropriate consequences when inappropriate use of a mobile device is detected.
• Monitoring mobile device data and cell use.
• Developing a process to review no-use mobile phones and business justifications to determine whether a device should be terminated.
• Notifying users of the procedures to return their mobile phones.
• Verifying that mobile phones are used exclusively by authorized EPA users for the performance of official agency business.

MDAs in each program office and region are responsible for having customers sign the Mobile Device Acknowledgement Form, receiving and delivering mobile phones to customers, and disseminating information related to mobile phones. Additionally, the SOPs for Regions 5 and 7 require MDAs to conduct reviews of mobile device use and provide written recommendations to senior management regarding whether the phones and their services should be maintained or canceled.

OITO Needs to Improve Oversight of Mobile Phones

The EPA's OITO needs to improve its oversight of the implementation of CIO-2150.4-P-01.1 throughout the agency. Specifically, the EPA needs to have consistent procedures in place so that each device is properly justified, including requiring that phones be ordered only after all the mandatory forms are completed.
In addition, the OITO should provide all mobile phone users with guidance on using their phones cost-effectively.

Mobile Phone Justifications and Use Verifications

The OITO does not verify whether program offices and regions are justifying the use of mobile phones. Additionally, the OITO does not require program offices and regions to justify no-use mobile phones. In the quarterly emails it sends to transmit the utilization reports, the OITO requests that the program offices and regions provide justifications for "no-use" mobile phones. However, only some program offices and regions respond to this request. The OITO relies on program offices and regions to cancel or keep mobile phones active based on activity or business need.

[4] Per CIO-2150.4-P-01.1, the Director of the Office of Technology, Operations, and Planning within the OEI and the Chief Technology Officer are responsible for overseeing the policy and implementation of the information in this directive. However, due to the EPA's reorganization, all responsibilities formerly assigned to the Office of Technology, Operations, and Planning Director are now assigned to the OITO Director.

Our audit identified 68 mobile phones that had no voice minutes used in FYs 2017 and 2018. Based on discussions with MDAs, we determined that the EPA did not monitor the voice use for eight of the 68 mobile phones. Table 1 provides details about these eight mobile phones.

Table 1: No voice-use mobile phones that were not monitored, FYs 2017-2018

| Mobile phone | Program office | Registration number | Billed amount FY 2017 | Billed amount FY 2018 | Program office explanation of why phone remained active with no voice minutes used |
|---|---|---|---|---|---|
| 1 | Office of International and Tribal Affairs | R0581474 | $840.79 | $1,033.47 | The office was unaware whether anyone had spoken to the user about the phone during FYs 2017 and 2018. |
| 2 | OARM | R0647577 | 425.24 | 471.21 | The contractors assigned to these phones said that they had reception issues inside the building, so they stopped using and carrying the phones. These phones were turned in and canceled. |
| 3 | OARM | R0647582 | 572.87 | 463.99 | The contractors assigned to these phones said that they had reception issues inside the building, so they stopped using and carrying the phones. These phones were turned in and canceled. |
| 4 | OARM | R0579672 | 840.79 | 1,033.47 | The office said that it was not aware that these phones were not actively used and did not have justifications in FYs 2017 and 2018. |
| 5 | OARM | R0793809 | 868.02 | 1,280.33 | The office said that it was not aware that these phones were not actively used and did not have justifications in FYs 2017 and 2018. |
| 6 | Office of the Chief Financial Officer | R0830346 | 365.82 | 927.27 | The office said that the mobile phone registration should have been but was not removed. |
| 7 | Office of Air and Radiation | R0141919 | 452.15 | 497.79 | The office said that this phone was turned in to the property manager in February 2016. The EPA could not explain why the phone continued to incur charges in FYs 2017 and 2018 and why eBusiness did not reflect that the phone was turned in. |
| 8 | Office of Enforcement and Compliance Assurance | R0124673 | 883.45 | 1,076.10 | The office said that the phone was turned in at some point and was then sanitized and ready to be surplused in September 2018. However, the phone had not been canceled in eBusiness. |

Total: $5,249.13 (FY 2017), $6,783.63 (FY 2018)
Grand Total: $12,032.76

Source: OIG analysis of the EPA's mobile phone data.

The agency was billed over $12,000 for voice and data services that were not used because the EPA did not monitor these eight mobile phones. This lack of monitoring is contrary to EPA policy, which requires offices and regions to effectively manage mobile phones so that information technology funds are properly used for current mobile phone needs.

Furthermore, the OITO does not require program offices and regions to verify the high or low use of mobile phone voice minutes. Based on the responses we received from the 23 MDAs we surveyed, eight program offices and regions did not take steps to verify and monitor mobile phones with a high use of voice minutes (Table 2).
As noted in Chapter 1, we define a high-use mobile phone as any active mobile phone with 200 percent or more of its pooled plan voice minutes used in a fiscal year.

Table 2: EPA explanation for inaction on high-use phones

| Program office or region | Explanation for inaction on high-use mobile phones |
|---|---|
| Office of the Administrator | The MDA does not verify excessive use of voice minutes. |
| OEI* | The MDA does not verify excessive use because managers are responsible for reviewing activity and taking appropriate action. |
| Office of General Counsel | The MDA said that nothing is done for high use since the pooled plan balances out the high- and low-use mobile phones. |
| OIG* | The MDA said that the Information Management Officer receives the agency's quarterly utilization reports and then sends them to the deputies for review. |
| Region 1* | The MDA said that the OITO has not yet requested action on high-use phones. The MDA looks at each quarterly utilization report but has yet to request justifications from regional staff. Per the MDA, once justifications are requested, the MDA will begin acting on high-use phones. |
| Region 3* | The MDA reviews the quarterly utilization report. The region has not seen excess minutes on iPhones or cell phones, since all phones are part of a pooled plan. If regional users exceed their portion, the excess is covered by others who have the voice minutes to spare. |
| Region 5* | The MDA surveyed staff in the region, who said that no action is taken on users who are over 100% of their pooled minutes. |
| Region 10* | The MDA does not take steps to address excessive minutes. |

Source: OIG survey of EPA program office and regional management of mobile phones.
* The OIG concluded that these program offices and regions also did not have steps in their SOPs to address monitoring for high-use mobile phones.
The OITO told us that it did not verify justifications for mobile phone use because the management of mobile phones is the responsibility of each program office and region. However, CIO-2150.4-P-01.1 outlines the oversight role that the OITO has for mobile computing management. While the OITO provides quarterly utilization reports to program offices and regions that show information about no-, low- and high-use mobile phones, the OITO only requests—and does not require—a response with justifications for no-use phones. Only four of the 23 MDAs told us that they respond to the OITO's requests to provide justifications. In addition, the OITO does not request justifications for high-use phones at all.

SOPs in Program Offices and Regions

Agency procedures require each program office and region to develop, maintain and use its own SOP for managing mobile phones. However, the OITO did not verify that the required SOPs existed and did not confirm that the SOPs sufficiently addressed the oversight activities required for agencywide consistency. CIO-2150.4-P-01.1 states that Senior Information Officials are responsible for "[i]mplementing these procedures within their organization" and that the OITO is responsible for "[o]verseeing policy and the implementation of these procedures."

Based on our survey of 23 MDAs, we found that 11 program offices and regions had no written SOPs for mobile phone management. Additionally, we identified six program offices and regions that had SOPs that only partially addressed the activities required by agency procedures. Two of the six SOPs did not include steps for monitoring mobile phone use, and two did not identify processes for determining consequences if someone inappropriately uses a mobile phone. One SOP had procedures only to determine who is eligible for a mobile phone. Another covered only how to assign phones, review their use and dispose of them.
Table 3 identifies the status of the program and regional office SOPs. Table 3: Status of EPA program office and regional SOPs for mobile phone management No SOPs Partial SOPs Complete SOPs 1. Office of the Administrator 1. OARM 1. Office of Enforcement and 2. Office of Air and Radiation 2. OIG Compliance Assurance 3. Office of Chemical Safety and 3. Office of Water 2. OEI Pollution Prevention 4. Region 1 3. Office of Land and 4. Office of the Chief Financial 5. Region 3 Emergency Management Officer 6. Region 10 4. Office of Research and 5. Office of General Counsel Development 6. Office of International and 5. Region 5 Tribal Affairs 6. Region 7 7. Region 2 8. Region 4 9. Region 6 10. Region 8 11. Region 9 Source: OIG analysis of program offices and regions surveyed. During our discussions with program office and regional MDAs, six MDAs stated that they follow policies and guidance from the OITO, such as CIO-2150.4 and use of the Mobile Device Acknowledgment Form. However, following this policy and guidance does not meet the requirement for each program office and region to maintain its own SOP, as required by CIO-2150.4-P-01.1. Additionally, the OITO did not determine whether program offices and regions had the required SOPs for managing mobile phones. Mobile Device Acknowledgement Forms in eBusiness Prior to Ordering The EPA requires employees who use a government-furnished mobile device to sign the Mobile Device Acknowledgment Form. Nevertheless, the OITO's Mobile Device Business Office issued mobile phones to users without signed Mobile Device Acknowledgment Forms uploaded in eBusiness. The MDA is responsible for confirming that each customer being issued a mobile phone signs an acknowledgement form. The Mobile Device Acknowledgement Form instructions state the following: Starting December 5, 2016, eBusiness will require the new "Employee Mobile Device Acknowledgement Form" for all new mobile device orders, cancellations and change orders. 
The signed Employee Mobile Device Acknowledgement Form must be attached in eBusiness not only for a new order but also for cancellations (returns) and change orders (transfer, upgrade or 20-P-0068 10 ------- replacement of a device), before the eBusiness request will be processed. We organized the numbers for mobile phones by the 23 program and regional offices and then randomly selected 69 mobile phones for our sample—three from each program office and region—to determine whether eBusiness contained a signed acknowledgment form for each device. We found that 10 of the 69 mobile phones did not have a signed acknowledgement form in eBusiness before the Mobile Device Business Office processed the order. When we contacted the cognizant MDAs about the missing forms, they sent us copies of the signed forms and uploaded them to eBusiness. However, the Mobile Device Business Office should not have processed the orders for these 10 mobile phones without the required form. We identified three reasons why eBusiness may not contain completed forms: • The customer was overlooked during the agencywide update of all mobile phones. • The MDA mistakenly uploaded a blank form instead of the user-signed form. • The orderer forgot to upload the signed form. Ultimately, however, the OITO did not verify that the Mobile Device Acknowledgement Forms were signed and uploaded in eBusiness before processing the orders for program offices and regions. Calls that Do Not Affect EPA's Pooled Minute Plans The OITO did not track calls that do not affect the agency's pooled minute plans, which would enable the agency to determine how many users do or do not take advantage of cost-effective calls. The following types of calls made from EPA-issued mobile phones do not count against the plan minutes: 1. Calls made to other EPA-issued mobile phones with national carriers. 2. Calls made to phone numbers on the national carrier's Friends & Family List. 
   This list includes the EPA's audio-conferencing lines.
3. Calls made over Wi-Fi.

The OITO did not provide information to agency mobile phone users about these types of calls that do not affect the agency's pooled minute plan. The OITO also did not explain the different categories of calls on the intranet site it maintains to notify mobile phone users about phone use and activities.

Additionally, OITO staff said that they were unsure whether information about the types of calls that do not count against the agency's pooled minutes plans was provided to users. They also told us that their focus was to manage pooled plans to make sure that the EPA did not exceed agencywide minute and data limits. Therefore, the OITO's utilization report had not been updated to capture the types of calls that do not count against EPA mobile device plans.

EPA Missed Savings Opportunities

The EPA missed an opportunity to better use at least $12,000 spent on unused mobile phone voice and data services. The OITO's overreliance on the program offices and regions to perform key oversight activities also resulted in the missed opportunity to improve the agency's mobile phone program.

Some staff managing mobile phones believed that monitoring phone use is unnecessary because the agency's pooled minutes plans compensate for individual overages. While we agree that contracts enabling the shared use of voice and data minutes can help limit the risk of incurring charges from overuse, the EPA cannot rely on this feature of the plans in lieu of adequate oversight.

Furthermore, the OITO is required by agency procedures to oversee and verify that the program offices and regions are monitoring the use of mobile phones, so that the EPA does not pay for underused or inappropriately used mobile phones.
The OITO is also required by agency procedures to confirm that program offices and regions have SOPs to manage mobile phones, so that the OITO can hold them accountable for charges for no-use and low-use mobile phones. Consequently, the agency has not met the requirement for effective management controls over EPA mobile phones.

Without information regarding mobile phone use (both data and voice) that does not affect monthly pooled plans, users are not given the opportunity to use their mobile phones efficiently. The agency said that even though a mobile phone may be identified as low-use, it may actually be used regularly in ways that do not count toward monthly ceilings. Therefore, low-use mobile phones may not point to a problem but could be an indicator that the EPA should review whether use appears to be abnormal for any potential savings.

However, because the OITO does not track use that does not count toward plan limits, it cannot determine whether some no-use and low-use phones are being used optimally. Specifically, if the OITO does not track "Friends and Family" calls, calls made to other EPA-issued mobile phones with national carriers, or Wi-Fi calls, the EPA may not be accurately determining actual use by mobile phone users.

Recommendations

We recommend that the Assistant Administrator for Mission Support:

1. Establish internal controls that implement the oversight responsibilities in EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures, and thus reduce agency risk.
2. Update the mobile device intranet site to include information on the types of calls that do not count against the EPA's monthly plan limits.
3. Update utilization reports to track voice and data use that does not count toward monthly mobile phone plan limits, establish a baseline of this cost-effective use, and make subsequent improvements in how agency users can cost-effectively use their mobile phones.
Agency Response and OIG Evaluation

The EPA concurred with all three recommendations.

For Recommendation 1, the Office of Mission Support initially stated that the agency completed corrective action in May 2019. However, we found that the corrective action had not been completed. On January 8, 2020, the EPA provided us with an updated estimated completion date of February 29, 2020, for creating controls that implement the oversight responsibilities in EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures. The proposed corrective action and planned completion date for Recommendation 1 satisfy the recommendation, and we consider the recommendation resolved with corrective action pending.

In May 2019, the Office of Mission Support completed corrective action for Recommendation 2. The office updated its mobile device intranet site to include information on the types of calls that do not count against the EPA's monthly plan minutes. We concur that the corrective action for Recommendation 2 is complete.

For Recommendation 3, the Office of Mission Support provided support on January 8, 2020, that it updated the utilization reports to reflect voice and data use that does not count toward monthly mobile phone plan limits. We concur that the corrective action for Recommendation 3 is complete.

The complete agency response to the draft report is in Appendix A.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

| Rec. No. | Page No. | Subject | Status¹ | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s) |
|---|---|---|---|---|---|---|
| 1 | 13 | Establish internal controls that implement the oversight responsibilities in EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures, and thus reduce agency risk. | R | Assistant Administrator for Mission Support | 2/29/20 | $12 |
| 2 | 13 | Update the mobile device intranet site to include information on the types of calls that do not count against the EPA's monthly plan limits. | C | Assistant Administrator for Mission Support | 5/31/19 | |
| 3 | 13 | Update utilization reports to track voice and data use that does not count toward monthly mobile phone plan limits, establish a baseline of this cost-effective use, and make subsequent improvements in how agency users can cost-effectively use their mobile phones. | C | Assistant Administrator for Mission Support | 11/12/19 | |

¹ C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.

Appendix A

Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF MISSION SUPPORT

MEMORANDUM

SUBJECT: Response to Office of Inspector General Draft Report No. OA&E-FY 18-0290 "EPA Oversight of Mobile Phones Could Be Improved", dated August 23, 2019

FROM: Vaughn Noga, Chief Information Officer and Deputy Assistant Administrator for Environmental Information

TO: Michael D. Davis, Director, Efficiency Audits, Office of Audit and Evaluation

Thank you for the opportunity to respond to the issues and recommendations in the subject audit report. Following is a summary of the agency's overall position, along with its position on each of the report recommendations. The agency concurs with the recommendations found in the draft report and has provided corrective actions and completion dates. For your consideration, we have included a Technical Comments Attachment to supplement this response.

AGENCY'S OVERALL POSITION

The Office of Mission Support concurs with the recommendations and has provided corrective actions and completion dates.

AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS

| No. | Recommendation | High Level Corrective Actions | Estimated Completion Date |
|---|---|---|---|
| 1 | Establish internal controls that implement the oversight responsibilities in EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures, and thus reduce agency risk. | Create controls that implement the oversight responsibilities in EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Procedures. | Completed |
| 2 | Update the mobile device intranet site to include information on the types of calls that do not count against the EPA's monthly plan limits | Update the mobile device intranet site to include information on the types of calls that do not count against the EPA's monthly plan limits | Completed |
| 3 | Update utilization reports to track voice and data use that does not count toward monthly mobile phone plan limits, establish a baseline of this cost-effective use, and make subsequent improvements in how agency users can cost-effectively use their mobile phones. | Update utilization reports to track voice and data use not counted toward monthly mobile phone plan limits, establish baseline of cost effective use and make improvements in how agency users can cost effectively use mobile phones. | December 2019 |

CONTACT INFORMATION

If you have any questions regarding this response, please contact Marilyn Armstrong, Audit Follow-up Coordinator, Office of Mission Support, on 202-564-1876.

Attachments

Cc:
Madhu Dev
Gloria Taylor-Upshaw
Sherri Anthony
Annette Morant
Brittany Wilson
Erin Collard
Dan Coogan
Janice Jablonski
Marilyn Armstrong
Brian Epley
David Updike
Brenda Young
Liza Hearns
Thomas Reilly
Lynsey Lanier

Corrective Action Technical Comments

Title of Audit: "EPA Oversight of Mobile Phones Could Be Improved", dated August 23, 2019

| No | Recommendation | Technical Comments | Estimated Completion Date |
|---|---|---|---|
| 1 | Establish internal controls that implement the oversight responsibilities in EPA Classification No. CIO-2150.4-P-01.1, Mobile Computing Management Procedures, and thus reduce agency risk. | The Office of the Chief Information Officer (CIO) has controls in place to ensure the agency does not provision or charge for an unauthorized mobile device. An example of this control is the acknowledgement form within eBusiness. As per CIO 2150.4-P-01.1, the Agency Senior Information Officials are responsible for authorizing mobile devices and notifying the Office of the Chief Information Officer when devices are no longer authorized or necessary. Therefore, program and local Senior Information Officials are responsible for justification of mobile devices and monitoring of the usage of mobile devices within their respective organizations. As part of our regular policy and procedures review cycle, the Office of the Chief Information Officer updates policies and procedures to further clarify the Program and Senior Information Official oversight responsibilities. The Chief Information Officer communicates to all Senior Information Officials and Information Management Officers to ensure they understand their responsibilities and implement standard procedures for all CIO directives including mobile devices. No additional internal controls are necessary at this time. | May 2019 |
| 2 | Update the mobile device intranet site to include information on the types of calls that do not count against the EPA's monthly plan limits | The mobile device intranet site, Working Capital Fund catalog and memo for the quarterly review of devices have been updated to include information on the types of calls that do not count against EPA monthly plan minutes. | May 2019 |
| 3 | Update utilization reports to track voice and data use that does not count toward monthly mobile phone plan limits, establish a baseline of this cost-effective use, and make subsequent improvements in how agency users can cost-effectively use their mobile phones. | In response to the discussion draft in May 2019, utilization reports will be updated to reflect the voice and data use that does not count toward monthly mobile phone plan limits. Additional reference documents, such as the Understanding Pooled and Voice Data Usage and MD Billing FAQs, have also been uploaded to the eBusiness service page to assist programs in effectively providing oversight of mobile devices. Mobile Devices Utilization Report; Understanding Pooled and Voice Data Usage; MD Billing FAQ | December 2019 |

Appendix B

Distribution

The Administrator
Assistant Deputy Administrator
Associate Deputy Administrator
Chief of Staff
Deputy Chief of Staff
Assistant Administrator for Mission Support
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Director, Office of Continuous Improvement, Office of the Administrator
Principal Deputy Assistant Administrator for Mission Support
Associate Deputy Assistant Administrator for Mission Support
Deputy Assistant Administrator for Administration and Resources Management, Office of Mission Support
Deputy Assistant Administrator for Environmental Information and Chief Information Officer, Office of Mission Support
Director, Office of Resources and Business Operations, Office of Mission Support
Director, Office of Information Technology Operations, Office of Mission Support
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Mission Support