The EPA Took Additional
Actions to Strengthen
Controls to Account for and
Secure Laptops
December 14, 2023 j Report No. 24-P-0011
-------�
Report Contributors
LaSharn Barnes
Vincent Campbell
Nancy Dao
Ashley Jaramillo
Shaheryar Qureshi
Gina Ross
Scott Sammons
Abbreviations
DSSD Desktop Support Services Division
EPA U.S. Environmental Protection Agency
OIG Office of Inspector General
Cover Image
Pallet of wrapped laptops outside the Region 6 help-desk office. (EPA OIG photo)
Are you aware of fraud, waste, or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG.Hotline@epa.qov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epaoiq.gov
Subscribe to our Email Updates.
Follow us on X (formerly Twitter) @EPAoiq.
Send us your Project Suggestions.
-------�
24-P-0011
December 14, 2023
At a Glance
The EPA Took Additional Actions to Strengthen Controls to Account
for and Secure Laptops
Why We Did This Audit
To accomplish this objective:
We performed this audit to determine
whether the U.S. Environmental
Protection Agency headquarters and
select regions have sufficient internal
controls to properly account for and
secure laptops in their possession to
prevent theft and misplacement. We
initiated this audit in response to two
hotline complaints alleging that
136 laptops were either lost, stolen, or
missing within the EPA headquarters
Desktop Support Services Division in
2019 and 2020.
As of April 11, 2022, the Agency asset
management system showed that the
EPA possessed 35,736 laptops with an
estimated value of $56.14 million,
averaging $1,571 per laptop. Because
we identified EPA Regions 4 and 6 as
the regions having the most laptops
and computers, we audited them along
with the Desktop Support Services
Division. The EPA's Personal Property
Manual, published in June 2017,
establishes roles and responsibilities
for personal property management.
To support this EPA mission-related
effort:
• Operating efficiently and
effectively.
To address this top EPA
management challenge:
• Managing grants, contracts, and
data systems.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG.PublicAffairs@epa.gov.
What We Found
The Desktop Support Services Division and the Region 4 Mission Support Division had
sufficient controls to account for and secure laptops within their possession to prevent theft
and misplacement. Their controls complied with the EPA's Personal Property Manual
requirements including implementing controls to properly account for personal property,
designating key property personnel to maintain accurate records of laptop inventory, and
storing laptops in secure locations.
While the Region 6 Mission Support Division had sufficient controls to secure laptops in its
possession, we identified a deficiency in its business practices to sufficiently account for new
laptops received. Because of this deficiency, Region 6 did not account for two of 12 laptops
that it received in January 2022 for more than 160 days in the Agency asset management
system. However, once we brought this issue to the attention of Region 6 property
management staff, they took immediate action to implement an additional control to further
improve their accountability of new laptops received.
Additionally, the Desktop Support Services Division and the Region 6 Mission Support
Division did not have fully developed and Agency-approved operating procedures for
personal property management. The Personal Property Manual requires all program and
regional offices to establish formal processes and controls to ensure that personal property
assets are handled according to all laws, regulations, and EPA policy. The manual further
requires that the agency property management officer approve each office's personal
property operating procedures. As a result of our audit, however, the Desktop Support
Services Division and Region 6 subsequently updated their operating procedures and
received approval from the agency property management officer.
Because of the corrective actions implemented by the Desktop Support Services Division
and Region 6, we make no recommendations in this report. The Office of Mission Support,
Region 4, and Region 6 informed us that they would not be providing a written response to
our draft report issued on September 25, 2023.
The EPA must execute processes with controls to enforce its
stewardship of laptops and to safeguard against activities that could
prevent it from protecting its assets from loss, theft, and
mismanagement.
List of OIG reports.
-------�
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
December 14, 2023
MEMORANDUM
SUBJECT: The EPA Took Additional Actions to Strengthen Controls to Account for and
Secure Laptops
Report No. 24-P-0011
Office of Mission Support
Jeaneanne Gettle, Acting Regional Administrator
Region 4
Dr. Earthea Nance, Regional Administrator
Region 6
This is our report on the subject audit conducted by the U.S. Environmental Protection Agency Office of
Inspector General. This project number for this audit was OA-FY22-Q117. This report contains no findings
or recommendations. Thus, you are not required to respond to this report. If you submit a response,
however, it will be posted on the OIG's website, along with our memorandum commenting on your
response. Your response should be provided as an Adobe PDF file that complies with the accessibility
requirements of section 508 of the Rehabilitation Act of 1973, as amended. The final response should not
contain data that you do not want to be released to the public; if your response contains such data, you
should identify the data for redaction or removal along with corresponding justification.
We will post this report to our website at www.epaoig.gov.
To report potential fraud, waste, abuse, misconduct, or mismanagement, contact the OIG Hotline at (888) 546-8740 or OIG.Hotline@epa.gov.
FROM: Sean W. O'Donnell, Inspector General
TO:
Kimberly Patrick, Principal Deputy Assistant Administrator
-------�
Table of Contents
Purpose 1
Background 1
Responsible Offices 2
Scope and Methodology 3
Prior Reports 5
Results 5
EPA Standard Operating Procedures on Personal Property Management Needed Further
Development 6
The EPA Has Procedures to Account for Laptops but Further Improvements
Were Needed 7
The EPA Has Physical Security Controls in Place to Secure Laptops 11
Conclusions 12
A Distribution 13
24-P-0011 i
-------�
Purpose
The U.S. Environmental Protection Agency Office of Inspector General initiated this audit to determine
whether EPA headquarters and select regions have sufficient internal controls to properly account for
and secure laptops in their possession to prevent theft and misplacement. We initiated this audit in
response to two hotline complaints alleging that 136 laptops were either lost, stolen, or missing within
the EPA headquarters Desktop Support Services Division, known as the DSSD, in 2019 and 2020. We also
audited EPA Regions 4 and 6 because we identified them as having the most laptops and computers.
Top management challenge addressed
This audit addresses the following top management challenge for the Agency, as identified in OIG Report
No. 24-N-0008. The EPA's Fiscal Year 2024 Top Management Challenges, issued November 15, 2023:
® Managing grants, contracts, and data systems.
Background
As of April 11, 2022, the EPA possessed 35,736 laptops with an estimated value of $56.14 million,
averaging $1,571 per laptop according to the Agency asset management system. The highest individual
value of a laptop was $42,500. Figure 1 shows the number of laptops and their total value at EPA
headquarters and regions.
The high-value laptop contains proprietary software used in laboratory analyses to identify
anthrax, plague, and rabbit fever occurrences after September 11, 2001.
Figure 1: Laptops by location
Source: OIG analysis of laptops from the Agency asset
management system. (EPA OIG image)
24-P-0011
1
-------�
The EPA's Personal Property Manual, published in June 2017, establishes roles and responsibilities for
personal property management. Examples of personal property include computers, digital cameras,
firearms, motor vehicles, and furniture. For property management functions, the property accountable
officer is responsible for accounting for and controlling assets within one's designated office area, as
well as updating the Agency asset management system. The property custodial officer conducts annual
physical inventories of each asset within one's custodial area and reports to the property accountable
officer. The property custodial officer uses property records from the Agency asset management system
when conducting physical inventory to verify the accuracy and completeness of property records and to
safeguard property from theft, loss, waste, and mismanagement. All physical inventories must be
completed by July 31 each fiscal year. However, the manual indicated that more frequent inventories
may be required for sensitive property, such as desktop computers, tablets, and laptops, to assure
physical custody of these assets.
Pursuant to Section 2.5.5 of the Personal Property Manual, division directors and branch chiefs, or their
equivalents, are responsible for establishing and enforcing administrative directives and measures for
EPA personal property within their control. They are responsible for ensuring that personal property is
properly acquired, used, maintained, and safeguarded by property personnel.
To further safeguard sensitive property, the EPA requires these assets to be stored in a locked room or
other secure manner to deter theft. The DSSD elected to use tracking software to identify the location of
a laptop that is issued to the headquarters program offices and other sites under DSSD responsibility
when the device is connected to the internet or the EPA's networks. Regions 4 and 6 have elected not to
install the tracking software on their respective laptops since the use of the software is not mandatory;
however, the regional management personnel indicated that they use cybersecurity technologies
implemented within the EPA to detect when the laptops are connected to the EPA's network.
Responsible Offices
Within the Office of Mission Support, the DSSD provides desktop support services to EPA offices in
Washington, D.C.; Durham (Research Triangle Park), North Carolina; Cincinnati; Ann Arbor, Michigan;
and other remote sites.
The DSSD orders laptops for the EPA's headquarters program offices, including the OIG, and the regions.
The DSSD handles the distribution of laptops to the headquarters program offices and other sites under
its responsibility. The vendor delivers headquarters' laptops to the EPA's warehouse in Landover,
Maryland. For laptops ordered for each respective region, the vendor delivers the laptops to the regions'
respective shipping and receiving docks or other designated location.
24-P-0011
2
-------�
Within the Region 4 Mission Support Division, the Information Technology Support Services Section
supports computer help-desk operations, desktop support services, and information technology
infrastructure.
Within the Region 6 Mission Support Division, the Information Technology and Operations Management
Branch provides information technology help-desk and desktop services along with receiving,
inventorying, distributing, accounting, and maintaining all regional property.
Scope and Methodology
We conducted this performance audit from May 2022 to August 2023 in accordance with generally
accepted government auditing standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objective.
We assessed the internal controls necessary to satisfy our audit objective.1 In particular, we assessed
the internal control components—as outlined in the U.S. Government Accountability Office's Standards
for Internal Control in the Federal Government—significant to our audit objective. Any internal control
deficiencies we found are discussed in this report. Because our audit was limited to the internal control
components deemed significant to our audit objective, it may not have disclosed all internal control
deficiencies that may have existed at the time of the audit.
To answer the project objective, we reviewed relevant OIG and U.S. Government Accountability Office
reports for findings related to lost or stolen EPA laptops. To obtain an understanding of the applicable
criteria for personal property management, we reviewed relevant federal laws, regulations, guidance,
and EPA policies and procedures.
Key Terminology
Lost: An asset unaccounted for by the owner.
Stolen: An asset being acquired or possessed as a result of some wrongful or
dishonest act. The term "stolen" is synonymous with the term "theft."
Missing: An asset is not found in its expected place when first searched. Missing
defines a short period of uncertainty as to the whereabouts of the asset.
Sensitive property: An asset that requires special controls and accounting to
ensure accountability and safeguarding. An example is an asset with retainable
memory and data, such as desktop computers, tablets, or laptops.
1 An entity designs, implements, and operates internal controls to achieve its objectives related to operations,
reporting, and compliance. The U.S. Government Accountability Office sets internal control standards for federal
entities in GAO-14-704G, Standards for Internal Control in the Federal Government (also known as the "Green
Book"), issued September 10, 2014.
24-P-0011
3
-------�
To identify the laptop inventory for EPA headquarters program offices and regions, we performed:
• Data queries of the Agency asset management system to focus on laptops and computers within
the EPA's inventory as of April 11, 2022.
• Analyses to identify the regions with the most laptops and computers, which resulted in
Regions 4 and 6 being selected as audit locations for testing in addition to the DSSD.
• Analyses of laptop inventory in eBusiness to determine whether the DSSD adhered to the
Personal Property Manual when reporting laptops within its possession as missing and lost.
We reviewed the system security plans for the Agency asset management system and eBusiness to
obtain an understanding of who can make changes to the data within each system. We also reviewed
the following documentation:
• Fiscal year 2021 Certification of Personal Property Physical Inventory for the audit locations.
• Information technology service contracts related to laptops for audit locations.
• Supporting documentation of the June and July 2022 deliveries of new laptops—purchase order
invoice, packing slips, and shipping or delivery invoices—for all audit locations except for
Region 4 due to building closure, to verify that the laptops received match the laptops ordered
and that the property record for each laptop was created in the Agency asset management
system.
To evaluate DSSD and Region 6 accounting and storage processes, we reviewed a representative sample
of laptops that the EPA ordered and which were delivered in June and July 2022.
We conducted unannounced site visits to DSSD and Region 6 to observe their processes to account for
new laptops delivered on-site and physical security controls to safeguard laptops. During these visits, we
verified laptops locked in storage against property records in the Agency asset management system. We
also confirmed that the tracking software used to locate missing or stolen laptops was activated on
several laptops in the DSSD's possession by requesting DSSD management to demonstrate that the
software can be used to find the laptop.
We also interviewed property officers that support the daily property management activities in the
DSSD and Regions 4 and 6 to gain an understanding of their processes, standard operating procedures,
and management controls for laptops received at these locations.
We limited Region 4 audit work to documentation reviews and virtual meetings because its building was
closed during our audit because of a rodent infestation. We reviewed documentation to determine
whether the region was properly accounting for newly purchased laptops and had standard operating
procedures on property management and accountability. We did not observe, test, or assess the
adequacy of the physical security controls because we did not conduct on-site visits.
24-P-0011
4
-------�
Prior Reports
From 2011 through June 2023, we issued the following reports that are of significant relevance to this
audit:
• OIG Report 21-P-0094. EPA Improperly Awarded and Managed Information Technology
Contracts, issued March 10, 2021. We found that the EPA improperly awarded and managed
information technology contracts. The EPA did not monitor and report equipment and software
licenses in the agency property system as required. The EPA Office of Technology Solutions staff
neglected to follow the Personal Property Manual to monitor, count, or report the purchased
equipment, as required by federal requirements and EPA policies.
• OIG Report 18-P-0176, EPA Region 5 Needs to Better Protect Information Technology Property,
and Areas for Agencywide Improvement Exist, issued May 9, 2018. We found that the EPA did
not have a policy for tracking laptops in transition and personnel were unaware of information
technology property status or procedural changes. Additionally, EPA staff lacked awareness of
the Agency asset management system.
• OIG Report 15-P-0033. EPA Needs Better Management of Personal Property in Warehouses,
issued December 8, 2014. We found that the EPA did not adequately inventory property nor
provide adequate oversight to ensure effective and efficient use of EPA resources. The EPA did
not have policies and procedures in place to account for its nonaccountable and nonsensitive
personal property. It did not (1) maintain an annual physical inventory of personal property,
(2) follow a requirement to inventory and track all electronic equipment, and (3) record personal
property in the Agency's official inventory system.
• OIG Report 13-P-0272. Early Warning Report: Main EPA Headquarters Warehouse in Landover,
Maryland, Requires Immediate EPA Attention, issued May 31, 2013. We found that the
warehouse recordkeeping system was incomplete and inaccurate. The system did not accurately
reflect the contents, condition, location, or dollar value of new or surplus items stored in the
warehouse.
• OIG Report ll-P-0705, EPA's Contract Oversight and Controls over Personal Computers Need
Improvement, issued September 26, 2011. We found that the EPA did not safeguard and track
personal computers to ensure proper replacement and disposal in accordance with property
regulations. The EPA was unable to account for 638 personal computers valued at over
$1 million.
Results
Two of the three EPA offices that we audited, the DSSD and Region 6 Mission Support Division, did not
have fully developed and Agency-approved operating procedures for personal property management, as
required by the Personal Property Manual. The manual requires all program and regional offices to
establish formal processes and controls to ensure all personal property assets are handled according to
24-P-0011
5
-------�
all laws, regulations, and EPA policy. The manual also requires that the agency property management
officer approve each office's personal property operating procedures. The DSSD and Region 6
subsequently updated their operating procedures and received approval from the agency property
management officer.
Two of the three EPA offices that we audited, the DSSD and Region 4 Mission Support Division, had
sufficient controls to account for and secure laptops within their possession to prevent theft and
misplacement. Their controls complied with Personal Property Manual requirements including
implementing controls to properly account for personal property, designating key property personnel to
maintain accurate records of laptop inventory, and storing laptops in secure locations.
The Region 6 Mission Support Division had sufficient controls to secure laptops in its possession.
However, we identified a deficiency in its business practices to sufficiently account for new laptops
received. It did not account for two (17 percent) of the 12 laptops it received in January 2022 for more
than 160 days in the Agency asset management system. Once we brought this issue to the attention of
Region 6 property management staff, they took immediate action to implement an additional control to
further improve its accountability for new laptops received.
EPA Standard Operating Procedures on Personal Property Management Needed
Further Development
The EPA Took Actions to Further Develop Standard Operating Procedures on Personal
Property Management Operating Procedures
The DSSD and Region 6 did not have fully developed and approved operating procedures for personal
property management as required by the Personal Property Manual. As a result of our audit, however,
they established operating procedures to comply with Personal Property Manual requirements including
standardized processes for receiving, accounting for, and securing purchased assets and providing
guidance to property personnel to perform personal property management duties.
The DSSD provided us with the following operating procedures, guidance, and approvals as evidence
that it addressed our finding:
• A standard operating procedure on personal property management titled End User Services
Computer Technology Asset Management Process Controlled Quality Management Document,
dated May 18, 2022.
• The director-approved version of the End User Services Computer Technology Asset
Management Process Controlled Quality Management Document, which became effective
July 3, 2022.
• A December 16, 2022 memorandum from the Office of Mission Support acting senior resource
official directing the DSSD to obtain documented approval from the agency property
management officer for all future supplemental personal property instructions, procedures, and
24-P-0011
6
-------�
guidance prior to issuance to ensure compliance with federal and EPA personal property
management requirements.
• Approval by the agency property management officer on March 13, 2023, of its End User
Services Computer Technology Asset Management Process Controlled Quality Management
Document.
The Region 6 Mission Support Division provided us with the following operating procedures, guidance,
and approvals as evidence that it addressed our finding:
• A personal property management document, Standard Operating Procedure-New Laptop
Receipt at Region 6, dated May 24, 2022.
• An Internal Standard Operating Procedure-Processing Purchase Orders (POs) through Receiving,
dated June 15, 2022, which outlines procedural steps to inspect, tag, and account for property
items.
• An email showing that the Region 6 Mission Support Division submitted its revised property
management documents to the agency property management officer on December 15, 2022.
• The agency property management officer's January 31, 2023 approval of Region 6 Mission
Support Division Internal Standard Operations Procedure-Processing Purchase Orders (POs)
through Receiving.
The EPA Has Procedures to Account for Laptops but Further Improvements Were
Needed
The Personal Property Manual requires EPA offices to account for property considered sensitive, such as
laptops, regardless of the item's cost. The manual holds the property accountable officer within each
EPA office responsible to properly identify property within their assigned area, create an inventory
record within the Agency asset management system to assume stewardship of the property, and
conduct periodic inventory checks to maintain an accurate account of items within its possession. The
DSSD and Regions 4 and 6 Mission Support Divisions conduct multiple activities to account for laptops,
including:
• Reconciling laptops ordered with quantities delivered.
• Affixing the EPA property decal on the laptop to designate ownership.
EPA property decal affixed on laptop. (EPA OIG photo)
24-P-0011
7
-------�
• Creating a property record for each laptop in the Agency asset management system to promote
stewardship.
• Conducting periodic inventory of laptops within their possession.
• Identifying any potential inventory shortages.
The next sections provide further details on Region 6, DSSD, and Region 4 procedures that we assessed
to determine whether they had sufficient controls in place to account for laptops within their respective
office.
Region 6 Procedures to Account for Laptops Needed Further Improvement
During our audit, we identified a deficiency with Region 6's business practices to account for laptops
when it received two shipments for a total of 12 laptops. Specifically, two (17 percent) of the 12 laptops
that Region 6 help desk technical support received in January 2022 were not accounted for in the
Agency asset management system until July 2022, approximately 160 days after receipt. These two
laptops were valued at $3,086 total. The Personal Property Manual requires the property accountable
officer to record assets in the Agency asset management system within five business days of receipt.
This deficiency occurred because the Region 6 Mission Support Division required help desk technical
support to email only the Region 6 property accountable officer when it received new laptops. The
property accountable officer was on extended leave so the Region 6 Mission Support Division was not
aware of the shipment, leaving two laptops unaccounted for in the Agency asset management system.
As a result of our audit, Region 6 took immediate actions to remediate this deficiency. The Region 6
Mission Support Division created an inventory support mail group that the help desk technical support
team can use to notify the Region 6 property accountable officer, the backup property accountable
officer, and Region 6 Mission Support management when it receives new laptops. This new control will
provide more awareness to Region 6 Mission Support personnel when laptops are received and
reasonable assurance that all laptops will be promptly accounted for in the Agency asset management
system.
The Region 6 procurement team coordinates with the vendor to establish a delivery date for purchased
laptops. The confirmed delivery date is communicated with Region 6 information technology services
contractor staff to coordinate on-site receipt. The help desk contract support group conducts weekly
inventory of laptops and reports the information to the Region 6 information technology management.
We noted during our observation of the delivery of laptops on July 1, 2022, that:
• Pallets of wrapped and intact laptops were temporarily staged in the hallway outside of the
information technology help desk space. One staff member remained with the pallets until all
laptops were relocated within the help desk office space.
• Contract personnel affixed the EPA property decal, scanned the decal and the laptop's serial
number, and entered that information in a spreadsheet.
24-P-0011
8
-------�
• Contract personnel forwarded the spreadsheet to the Region 6 property accountable officer.
• The property accountable officer received the shipping invoice and reconciled the information
with the purchase order.
• The property accountable officer created property records in the Agency asset management
system for each laptop.
Based on the actions taken by Region 6 to address our finding and through our observations of Region 6
personnel accounting for laptops, we concluded that Region 6 procedures complied with the Personal
Property Manual regarding accounting for property. Specifically, Region 6 affixed a decal on each item,
created a property record for each laptop in the Agency asset management system to denote
ownership, and conducted periodic inventories to maintain an accurate count of laptops within its
possession. Therefore, we concluded that Region 6 has implemented sufficient controls to account for
laptops within its possession to prevent misplacement.
DSSD Procedures to Account for Laptops
EPA property contract personnel at the EPA's warehouse in Landover inventory each laptop, affix the
EPA property decal sticker on the laptop to denote ownership, and create a property record within the
Agency asset management system. The DSSD's custodial officer submits a laptop request via email to
the warehouse personnel, who deliver the requested laptops to headquarters. The DSSD's asset and
inventory contractors:
• Scan the decals on the laptops to verify that the information is consistent with a delivery email
notice from the warehouse staff.
• Enter laptop descriptive information, including model number, serial number, laptop location,
date received, and custodial officer, in eBusiness, a web-based application that can track
purchase orders and generate inventory reports by office.
The DSSD's property custodial officer checks the property records in the Agency asset management
system to verify that the new laptops are with DSSD. The DSSD's inventory contractors conduct a weekly
inventory of laptops in their possession by comparing laptops in the inventory system to laptops on
hand. The DSSD property management staff and contractors meet weekly to discuss any discrepancies
with the inventory and actions needed to resolve issues.
We observed the DSSD's asset and inventory contractors install tracking software on the laptops. The
tracking software has designated data fields for the contractor to enter information, such as the serial
number, to track the location of the laptop. For the 11 laptops with tracking software, we observed the
contractor enter the serial number in the designated data field. After that information was entered, a
map with street names appeared with an icon designating the location of the laptop, as seen in Figure 2.
Other data fields within the tracking software populated other descriptive information such as the
24-P-0011
9
-------�
physical address where the laptop was located and the last time the laptop was connected to the
network.
Our audit on some of the laptops delivered to the DSSD revealed that the DSSD properly accounted for
each laptop. Our observations confirmed that DSSD's procedures complied with the Personal Property
Manual regarding accounting for property. Specifically, Region 6 affixed a decal on each item, created a
property record for each laptop in the Agency asset management system to denote ownership, and
conducted periodic inventories to maintain an accurate count of laptops within its possession.
Therefore, we concluded that the DSSD had sufficient controls to account for laptops within its
possession to prevent misplacement.
Figure 2: Tracking software identifies location of EPA laptop
T V ©
C C 4 ft GntalH 'C
• * 5 s £
\ S C
I J ? A A
- Somerset * * *> >
1 * V/ /
v
|
»<¦»**" r« rPV
Fffendshrp „
¦* " -O
£ ^
Village
/a>v 4/ V A U *
// N \ \ § l \%-
^ //
4 MrpaK*
^ AN*
"V\ __ // ' r™aKW 3
V • FRIENDSHIP h*rt,3r s *"* 5
9 •* jKO 5 FRIENDSHIP
" ' V » HEIGHTS
? 2 t' A* B
cate\ I / \. ^ ^ 5 S
Note: The blue dot in the map denotes the location of an EPA laptop.
Source: EPA tracking software. (EPA image)
Region 4 Procedures to Account for Laptops
Region 4 personal property standard operating procedures include control activities to account for
laptops. The procedures define property personnel roles and responsibilities and state that the:
Region 4 property accountable officer and custodial officer are required to compare purchase
requests with delivery documentation to confirm items ordered are consistent with items
received.
Region 4 property management team affixes the required EPA property decals on each laptop.
Region 4 property accountable officer adjusts the property records in the Agency asset
management system when laptops are delivered and assigned to a user's custodial officer.
24-P-0011
10
-------�
Based on the information provided by Region 4, we concluded that Region 4 procedures provide
sufficient details to comply with the Personal Property Manual regarding accounting for property.
Specifically, Region 6 affixed a decal on each item and denoted ownership of each laptop in the Agency
asset management system. Therefore, we concluded that Region 4 had sufficient controls to account for
laptops within their possession to prevent misplacement.
The EPA Has Physical Security Controls in Place to Secure Laptops
We found that each audited location has physical security controls in place to control access to its
respective laptop inventory. The Personal Property Manual requires safeguards to protect property
against loss, theft, damage, and destruction. The manual states that "Access to storage areas shall be
controlled to the least number of authorized personnel as practical." The next sections provide further
details on DSSD and Regions 4 and 6 Mission Support Divisions' physical security controls that we
assessed to determine whether they had sufficient controls in place to secure laptops within their
respective office.
Description of DSSD Physical Security Controls
Our observations revealed that there are two physical security controls at the main entry door to the
asset and inventory contractor's office—a proximity card reader and cameras in the ceiling.
The office has a computer where all visitors are required to sign in when entering the main office area.
The DSSD's asset and inventory contractors secure laptops in a locked storage room next to the asset
manager's office; the asset manager maintains the key. To retrieve laptops from the storage room, DSSD
procedures require that two DSSD asset and inventory contractors sign in on a log sheet to enforce
inventory accountability and track how many laptops were removed. The contractors can enter the
storage room from 6 a.m. to 6 p.m., Monday through Friday, excluding federal holidays, per DSSD
procedures. The asset and inventory contractors use a separate, secure room, which is restricted to
DSSD contract technicians via a proximity card reader, to prepare the laptop to be issued to a user. We
concluded that the DSSD had sufficient controls to secure for laptops within its possession to prevent
theft.
Description of Region 4 Physical Security Controls
Our review of documentation and meetings with the Region 4 Mission Support Division revealed that:
• The locked storage cabinets containing laptops are restricted to Region 4 help-desk contractors
and designated EPA employees.
• The help-desk contractors maintain visitor log sheets to track who visited the help-desk room.
Based on the information Region 4 provided, we concluded that Region 4 personnel had sufficient
controls to secure laptops within their possession to prevent theft.
24-P-0011
11
-------�
Description of Region 6 Physical Security Controls
Our observations revealed that there are several physical security controls that limit access to the
laptops maintained in the technical support office. A proximity card reader and a camera are located
outside the main door. Within the technical support office, there are additional physical security
controls, including a camera monitoring the storage room and locked file cabinets. The technical support
personnel maintain the key to the file cabinet. We concluded that Region 6 had sufficient controls to
secure laptops within its possession to prevent theft.
Key Terminology
A proximity card reader is an access control panei typically placed near doors to restrict access to only authorized
personnel. The control pane! reads information stored on the card regarding the type of access the individual has
to determine whether the individual should be granted or denied access to certain buildings and rooms.
From left to right: A proximity card reader. Proximity card reader and cameras at main entry. (EPA OIG photos)
Conclusions
Based on the corrective actions that the DSSD and Region 6 Mission Support Division have taken, the
EPA has established sufficient controls to further improve its personal property accountability in
compliance with EPA requirements. It remains paramount that the EPA continues to execute processes
with controls that (1) enforce its stewardship of laptops and (2) safeguard against activities that could
prevent the EPA from protecting these assets from loss, theft, and mismanagement.
Because the DSSD and Region 6 have taken corrective actions to address our findings, we make no
recommendations in this report.
On October 17, 2023, the Office of Mission Support as well as Regions 4 and 6 informed us that they
would not be providing a written response to our draft report issued on September 25, 2023.
24-P-0011
12
-------�
Appendix A
Distribution
The Administrator
Deputy Administrator
Chief of Staff, Office of the Administrator
Deputy Chief of Staff for Management, Office of the Administrator
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
Assistant Administrator for Mission Support
Regional Administrator, Region 4
Regional Administrator, Region 6
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Principal Deputy Assistant Administrator for Mission Support
Deputy Assistant Administrator for Mission Support
Chief information Officer and Deputy Assistant Administrator for Environmental Information, Office of
Mission Support
Deputy Assistant Administrator for Administration and Resource Management, Office of Mission
Support
Deputy Regional Administrator, Region 4
Deputy Regional Administrator, Region 6
Director, Office of Resources and Business Operations, Office of Mission Support
Director, Office of Continuous Improvement, Office of the Chief Financial Officer
Director, Office of Regional Operations
Office of Policy OIG Liaison
Office of Policy GAO Liaison
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Mission Support
Audit Follow-Up Coordinator, Region 4
Audit Follow-Up Coordinator, Region 6
Audit Liaison, Office of Resources and Business Operations, Office of Mission Support
24-P-0011
13
-------�
Whistleblower Protection
U.S. Environmental Protection Agency
The whistleblower protection coordinator's role
is to educate Agency employees about
prohibitions against retaliation for protected
disclosures and the rights and remedies against
retaliation. For more information, please visit
the OIG's whistleblower protection webpage.
Contact us:
Congressional Inquiries: OIG.CongressionalAffairsffiepa.gov
Media Inquiries: OIG.PublicAffairs(5)epa.gov
line EPA OIG Hotline: QIG.Hotline(5)epa.gov
-jig- Web: epaoig.gov
Follow us:
^ X (formerly Twitter): (5)epaoig
Linkedln: linkedin.com/company/epa-oig
YouTube: /outube.com/epaoig
[SI Instagram: 5)epa.ig.on.ig
-------� |