AOIG

We recommend EEOC management update its policies and procedures to include all required safeguards and internal controls to be compliant with the Government Charge Card Abuse Prevention Act of 2012. In addition, EEOC should create a monitoring control to review the policy when changes or updates are made to federal law or Office of Management and Budget or General Services Administration guidance. (Repeat Finding)

For purchase cards, EEOC management should create a control where management reviews, on a sample basis, purchase cards transactions to ensure all obligating documents and purchase orders are in conformity with EEOC Directives Transmittal Order 360.003, Commercial Purchase Charge Card Program Practical User’s Guide.

We recommend EEOC ensure that emailed policy memos are promptly updated in the appropriate EEOC Directives Transmittal Order

For purchase cards, EEOC management should create a control where management reviews, on a sample basis, the purchase card account closure documentation to ensure it adheres to the EEOC Purchase Card Audit Finding Update Memo.

Simplify the EEOC social media architecture by consolidating many of the existing social media channels and limiting creation of new channels.

EEOC should ensure the existing policy in place is followed and documentation of the
process is reviewed by the CFO or their designee on a quarterly basis.

We recommend EEOC OIT review and remediate critical-risk, high-risk, and medium risk
vulnerabilities in accordance with EEOC OIT's assessment of risk. If the risk is not
remediated then we recommend EEOC OIT document the acceptance of the risk.

We recommend EEOC OIT provide specialized training for SharePoint administrators
and users to reduce the risk of exposing sensitive information and PII.

We recommend EEOC OIT conduct a privacy impact assessment of the SharePoint
system to identify privacy issues and risks associated with the security settings; and to
provide recommendations to mitigate potential privacy risk.