Veterans Affairs: Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses

In response to our recommendation, VA established new procedures to review property inventory records and confirm that all IT equipment is identified in the property system. In July 2009, VA issued VA Handbook 7002 with new inventory control procedures. At each facility, an IT Custodial Officer is to coordinate perpetual inventory activities and conduct an annual inventory of IT equipment items assigned a Catalog Stock Number (CSN) as well as expendable IT equipment items. Following an inventory of IT items, or whenever an IT equipment item is identified as "not accounted for", the IT Custodial Officer is to review, document and report any discrepancies identified during inventory activities. A VA IT Inventory Compliance Portal has been established to monitor the completeness of inventory data and the status of perpetual inventory efforts. By implementing our recommendation to review property inventory records and confirm that all IT equipment is identified in the property system, VA improved its accountability of IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, in March 2010, VA issued an SOP to standardize the naming classification for IT equipment. The SOP required that fields for item name, manufacturer, and model be completed for all IT equipment. In addition, VA established a new web portal to monitor compliance with these requirements. The website provides information on IT equipment data completeness. For example, a VA staff person can view for a given facility a list of the number and percentage of items with complete information on serial number, manufacturer, and model. By implementing our recommendation to establish and implement a policy requiring development of standardized naming classification for recording IT equipment into local property inventory systems, VA has improved its accountability of IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, in April 2010, VA published a list of medical equipment Catalog Stock Numbers (CSNs) to be used for maintaining accountability over VA medical equipment with data storage capabilities to be included in its IT equipment inventory. The list includes six new CSNs for computers, printers, and monitors, which are utilized as part of a system of medical equipment, and their life expectancies. For example, there is a new CSN for laptop computers that are always used with MRI or CT equipment. By implementing our recommendation to develop a list of medical equipment with data storage capability that should be considered as IT equipment for inventory control purposes, VA has improved its accountability of IT medical equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, in July 2009, VA issued VA Handbook 7002 part 4 requiring that IT Custodial Officers ensure that each hard drive is marked with the equipment entry number of the host system whenever the hard drive is removed from the host system. The equipment entry numbers are to be written on the hard drives with an indelible marker at the time the hard drives are removed from the host systems. This procedure enables tracking of the hard drive to the host computer. By implementing our recommendation to develop a procedure for identifying and linking hard drives to host computers, VA has improved its accountability of IT equipment, and reduced the risk of disclosure or compromise of sensitive personal and medical information.

VA concurred with our recommendation. In March 2013, VA officials updated VA Handbook 0730/1 (currently 0730/4, the fourth version of VA Handbook 0730), Security and Law Enforcement. This update requires that temporary IT storage locations have minimum physical security requirements and that temporary IT storage locations are included in physical security inspections.