FY 2019 Financial Statements Audit
EEOC should ensure the existing policy in place is followed and documentation of the
process is reviewed by the CFO or their designee on a quarterly basis.
EEOC should enhance their current DATA Act internal control procedures over the
reliability and validity of their DATA Act submission by ensuring they meet all
aspects of OMB M-17-04, including documentation of all work performed to ensure
the alignment of data in Files C and D1. The enhanced internal control policy and
procedure developed should include categorical explanations for misalignments,
including legitimate differences between Files C and D1.
We recommend EEOC OIT develop an action plan to address related policy and
procedural requirements of the SECURE Technology Act.
We recommend EEOC OIT enforce its mobile device management compliance policies
for all enrolled mobile devices and report noncompliance to the user and OIT senior
management for corrective action.
We recommend EEOC OIT review and remediate critical-risk, high-risk, and medium-risk
vulnerabilities in accordance with EEOC OIT's assessment of risk. If the risk is not
remediated, then we recommend EEOC OIT document the acceptance of the risk.
We recommend EEOC OIT provide specialized training for SharePoint administrators
and users to reduce the risk of exposing sensitive information and PII.
We recommend EEOC OIT conduct a privacy impact assessment of the SharePoint
system to identify privacy issues and risks associated with the security settings; and to
provide recommendations to mitigate potential privacy risk.
Recommendation: EEOC Standard Operating Procedure should include a prompt deadline for the approval of purchase card statements by the Approving Official. HRK recommends that purchase card statements be approved within 30 days from the time of submittal. We recommend EEOC management follow up with Approving Official(s) who have been found to not adhere to requirements of the Commercial Purchase Card Program and require them to obtain additional training, to include certifying they have read the Approving Official's responsibilities, as it relates to the aforementioned control.
Recommendation: We recommend that EEOC require all changes to OPM identified filing documents in personnel files be reviewed by an HR professional and, where possible, reviewed by the employee, to ensure the accuracy of the official personnel file (eOPF). EEOC HR professionals should perform random eOPF audits, at least semi-annually, to ensure that current documentation is included in the files to support all payroll expenses, benefits, and deductions.
Recommendation: EEOC should have the appropriate level of management reviewing and approving the SF-133 to satisfy the control stated above and to ensure EEOC's Statement of Budgetary Resources is accurate. Additionally, when the appropriate level of management position is not filled, the responsibilities of that position should be clearly stated and conveyed to an appropriate level of management, whether that is someone in an acting role or an existing FSSD employee assigned by the CFO or Acting Director.