Recommendation Dashboard
Report 2018-007-AOIG - Performance Audit Report on the EEOC Charge Card Program: Fiscal Years Ending September 30 2018 and 2017
For purchase cards, the Administrative Officer (AO) or District Resources Manager (DRM) should maintain documentation of all account closures electronically or in hard copy. Documentation should include evidence of the name of the AO or DRM who received the employee's charge card, the date the card was turned in, the date the card was physically destroyed, and the date that account closure was confirmed by the Charge Card Vendor.
For travel cards, the Charge Card Program Manager (CCPM) should maintain documentation of all account closures electronically or in hard copy. Documentation should include evidence of the name of the immediate supervisor and/or servicing personnel officer who received the employee's charge card, the date the card was turned in, the date the card was cut in half, and the date that account closure was confirmed by the Charge Card Vendor. The policy or procedure should include monitoring by the CCPM and appropriate disciplinary actions for non-compliance.
Report 2018-004-AOIG - U.S. Equal Employment Opportunity Commission Federal Information Security Modernization Act of 2014 (FISMA) Fiscal Year 2018 Independent Evaluation
We recommend the OIT review and remediate critical-risk, high-risk and moderate-risk vulnerabilities. These vulnerabilities should be resolved to avoid compromise to EEOC’s systems; or the Agency should document acceptance of the risk or reclassification of the risk
We recommend the OIT employed an automated mechanism that ensures sensitive PII is encrypted on removable mobile media.
We recommend the OCHCO and OIT define and implement a process for conducting assessment of the knowledge, skills, and abilities of EEOC’s cybersecurity workforce.
We recommend the OCHCO and OIT conduct a baseline assessment of the EEOC’s cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel.
Report 2018-002-AOIG - U.S. Equal Employment Opportunity Commission FY 2018 Management Letter
Recommendation EEOC Standard Operating Procedure should include a prompt deadline for the approval of purchase card statements by the Approving Official. HRK recommends that purchase card statements be approved within 30 days from the time of submittal. We recommend EEOC management follow-up with Approving Official(s) who have been found to not adhere to requirements of the Commercial Purchase Card Program and require them to obtain additional training, to include certifying they have read the Approving Officials responsibilities, as it relates to the aforementioned control.
Recommendation EEOC should have the appropriate level of management reviewing and signing off on the Capital Property Reconciliations to satisfy the control stated above and to ensure property, plant, and equipment is valued accurately in the Account Reconciliation Reserve Ledger Report and the general ledger.
Recommendation EEOC should have the appropriate level of management reviewing and approving the SF-133 to satisfy the control stated above and to ensure EEOC's Statement of Budgetary Resources is accurate. Additionally, when the appropriate level of management position is not filled, the responsibilities of that position should be clearly stated and conveyed to an appropriate level of management, whether that appropriate level of management be in an acting role or if that appropriate level of management is assigned to an existing FSSD employee by the CFO or Acting Director.
Recommendation: We recommend that EEOC require all changes to OPM identified filing documents in personnel files be reviewed by an HR professional and, where possible, reviewed by the employee, to ensure the accuracy of the official personnel file (eOPF). EEOC HR professionals should perform random eOPF audits, at least semi-annually, to ensure that current documentation is included in the files to support all payroll expenses, benefits, and deductions.
Report 2017-007-AOIG - Independent Evaluation of the U.S. Equal Employment Opportunity Commission’s Compliance with Provisions of the Federal Information Security Modernization Act of 2014 (FISMA)
EEOC should implement an automated solution that provides a centralized, enterprise-wide view of risk across the agency.
EEOC should develop a Trusted Internet Connection (TIC) program that meets OMB requirements to improve the agency’s security posture.
EEOC should conduct an e-authentication risk assessment for its digital systems and has not fully implemented multifactor authentication for logical and remote access for privileged and non-privileged users. (Repeat finding since FY 2008)
Report 2017-002-EOIG - Evaluation of the EEOC’s Data Analytics Activities
Engender trust in enterprise-wide steering committees and governance boards.
Invest in modern reporting and visualization tools that allow for automated, customizable, visualization-enhanced reporting that effectively leverage a data warehouse.
Adopt proven modeling approaches and model management techniques.
Establish a data warehouse to address data retention, versioning, and reporting needs.
Support analytics projects through governance of the Analytics Center of Excellence, promoting awareness of iterative analytical project processes and usage of Agile-friendly project management tools.
Consider new approaches, such as web-enabled and cloud-based solutions, to support expanding IT infrastructure needs of both the analytics team as well as analytical product users.
Invest in the generation of new metrics that quantify opportunity costs and corresponding benefits of data collection and data assurance.
Report 2017-006-AOIG - PERFORMANCE AUDIT OF THE COMPLIANCE WITH THE FINANCIAL AND AWARD DATA SUBMISSIONS FOR THE SECOND QUARTER FY 2017
EEOC’sSenior Accountability Officer (SAO), or their designee, should create a quarterly assurance package that includes all the necessary elements in the OMB guidance.
EEOC should perform additional reconciliations over Files C and D1 to determine the root cause of their differences, whether it is the known issue or a potential control issue with the data being submitted from the Contract Lifecycle Management (CLM) module.
Report 2016-008-EOIG - Independent Evaluation of the U.S. Equal Employment Opportunity Commission’s Compliance with Provisions of the Federal Information Security Modernization Act of 2014 (FISMA)
EEOC OIT should review and analyze critical, high, and medium vulnerabilities. These vulnerabilities should be resolved to avoid compromise of EEOC’s systems; or the agency should document acceptance of the risk or reclassification of the risk.
Report 2014-008-EOIG - Evaluation of Equal Employment Opportunity Commission’s (EEOC) Compliance with Provisions of the Federal Information Security Management Act of 2002 (OIG REPORT NUMBER 2012-03-FISMA
Implementation of background checks for student interns to ensure that international visas are current.
Development of policies and procedures to properly manage physical security access cards.
Report 2014-003-OE - Evaluation of EEOC’s Outreach and Education
EEOC and its district and field offices should routinely conduct follow-up through surveys with partners, perhaps three months after events.
Report 2013-008-PSA - Performance Audit of the Agency’s Personnel Security Program
Immediately correct any known weaknesses. If EEOC determines not to correct a noted weakness, EEOC should document this analysis and their acceptance of the associated risk.
Develop and implement policies and procedures to address the safeguarding, transfer, storage, or disposal of classified information. The policy should include the requirements for Memorandums of Understanding between agencies.
Implement a formalized training program for individuals who use classified information as a part of their duties. If an external agency is to assume the responsibility of training these individuals, this agreement should be documented in an MOU.