FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FISCAL YEAR 2023 PERFORMANCE AUDIT

Executive Summary

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 
The objective of this performance audit was to assess the effectiveness of the EEOC’s information security program and practices for FY 2023. As part of our audit, we responded to the core metrics and supplemental metrics identified in the FY 2023-2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics (IG Metrics) and the associated FY 2023 Inspector General FISMA Metrics Evaluator’s Guide, and, on behalf of the EEOC OIG, assessed the maturity levels to be consistently implemented, which is not effective, per the IG Metrics. We also considered applicable OMB policy and guidelines, National Institute of Standards and Technology’s (NIST) standards and guidelines, and the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).