This is the accessible text file for GAO report number GAO-08-918 entitled 'Veterans Affairs: Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses' which was released on August 1, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, House of Representatives: United States Government Accountability Office: GAO: July 2008: Veterans Affairs: Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses: VA IT Inventory Controls: GAO-08-918: GAO Highlights: Highlights of GAO-08-918, a report to the Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, House of Representatives. Why GAO Did This Study: In July 2004, GAO reported that the six Department of Veterans Affairs (VA) medical centers it audited lacked a reliable property control database and effective inventory policies and procedures. In July 2007, GAO reported that continuing internal control weaknesses over IT equipment at four case study locations at VA resulted in an increased risk of theft, loss, and misappropriation of IT equipment assets. GAO’s two reports included 18 recommendations to improve internal control over IT equipment. GAO was asked to perform a follow-up audit to determine (1) whether VA has made progress in implementing GAO’s prior recommendations for improving internal control over IT equipment and (2) the effectiveness of VA’s current internal controls to prevent theft, loss, or misappropriation of IT equipment. GAO reviewed policies and other pertinent documentation, statistically tested IT equipment inventory controls at four geographically disparate locations, and interviewed VA officials. What GAO Found: VA has made significant progress in addressing prior GAO recommendations to improve controls over IT equipment. Of the 18 recommendations GAO made in its two earlier reports, VA completed action on 14 recommendations, partially implemented action on 2 recommendations, and is working to address the 2 remaining open recommendations. These recommendations focused on strengthening policies and procedures to establish a framework for accountability and control of IT equipment. If effectively implemented, VA’s July 2008 policy changes would address many of the control weaknesses GAO identified. Mandated early implementation of this new policy addresses user-level accountability and requirements for strengthening physical security. In addition, to determine the extent of inventory control weaknesses over its IT equipment, VA performed a departmentwide physical inventory in 2007. However, as of May 15, 2008, VA reported that it could not locate about 62,800 IT equipment items, of which 9,800 could have stored sensitive information. Because VA does not know what, if any, sensitive information resided on the equipment, potentially affected individuals could not be notified. GAO’s statistical tests of IT equipment inventory controls from February through May 2008 at four locations identified continuing control weaknesses, including missing items, lack of accountability, and errors in IT equipment inventory records. Although these control weaknesses may be addressed through early implementation of the July 2008 policies, the fact that GAO identified missing items only a few months after these locations had completed their physical inventories is an indication that underlying weaknesses in accountability over IT equipment have not yet been corrected. Table: IT Inventory Control Test Results at Four Case Study Locations: Control failures: Missing items; North Texas HCS: 6%; Boston HCS: 3%; Puget Sound HCS: 1%; VA headquarters: 12%. Control failures: Incorrect user organization; North Texas HCS: 91%; Boston HCS: 60%; Puget Sound HCS: 76%; VA headquarters: 12%. Control failures: Incorrect location; North Texas HCS: 46%; Boston HCS: 17%; Puget Sound HCS: 14%; VA headquarters: 33%. Control failures: Recordkeeping errors; North Texas HCS: 9%; Boston HCS: 41%; Puget Sound HCS: 9%; VA headquarters: 4%. Source: GAO analysis. Note: Each of these estimates has a margin of error, based on a two- sided, 95 percent confidence interval, of +/- 10 percent or less. [End of table] GAO’s tests identified 50 missing items, of which 34 could have stored sensitive data, but again, notifications to individuals could not be made. Further, the lack of user-level accountability and inaccurate records on status, location, and item description of IT equipment items at the four case study locations make it difficult to determine the extent to which actual theft, loss, or misappropriation of IT equipment may have occurred. In addition, the four locations had weaknesses in controls over hard drives in the property disposal process as well as physical security weaknesses at IT storage facilities. These control weaknesses present a risk that VA could lose control over new, used, and excess IT equipment and that any sensitive personal and medical information residing on hard drives in this equipment could be compromised. What GAO Recommends: GAO makes five recommendations to VA for additional actions to strengthen the overall control environment and improve specific internal control activities and safeguard IT equipment. VA’s initial response stated that it generally agreed with four of GAO’s five recommendations. After further clarification, VA officials stated that they agreed with the intent of all of GAO’s recommendations and were taking steps to address them. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-918]. For more information, contact Kay L. Daly at (202) 512-9095 or dalykl@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: VA Has Made Significant Progress in Addressing GAO Recommendations and Completing a VA-Wide IT Equipment Inventory: Tests of IT Inventory Controls at Case Study Locations Identified Continuing Weaknesses: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Status of VA Actions on Recommendations in GAO's July 2007 and 2004 Reports: Appendix III: Comments from the Department of Veterans Affairs: Appendix IV: Reports of Survey on Missing IT Equipment for VA Case Study Locations: Appendix V: GAO Contact and Staff Acknowledgments: Tables: Table 1: Overview of Key Controls in VA's IT Property Management Process: Table 2: Status of VA's Actions on Prior Recommendations: Table 3: Summary of VA-Wide Fiscal Year 2007 IT Equipment Physical Inventory Results as of May 15, 2008: Table 4: Numbers of Missing IT Equipment Items at Four Test Locations That Were Identified during the 2007 VA-Wide IT Physical Inventory: Table 5: Estimated IT Equipment Inventory Control Failure Rates at Four Test Locations: Table 6: Number of Missing IT Equipment Items by Headquarters Organization and Missing Items That Could Have Stored Sensitive Personal Data: Table 7: Estimated IT Inventory Control Failure Rates Related to Correct User and Location at the Four Test Locations: Table 8: Estimated Percentages of Other IT Inventory Recordkeeping Failures at Four Test Locations: Table 9: Population of VA IT Equipment at Locations Selected for Testing: Table 10: GAO's 2007 Report Recommendations and Status of VA Actions as of July 2008: Table 11: GAO's 2004 Report Recommendations and Status of VA Actions as of July 2008: Table 12: Summary of Reports of Survey as of May 15, 2008, for Case Study Locations Covered in GAO Audits: Abbreviations: AEMS/MERS: Automated Engineering Management System/Medical Equipment Repair Service: CFR: Code of Federal Regulations: CIO: Chief Information Officer: EIL: equipment inventory listing: ELF: Equipment Loan Form: FMFIA: Federal Managers' Financial Integrity Act of 1982: HCS: health care system: HHS: Department of Health and Human Services: HIPAA: Health Information Portability and Accountability Act of 1996: IT: information technology: NARA: National Archives and Records Administration: NCA: National Cemetery Administration: OAL: Office of Acquisitions and Logistics: OIT: Office of Information and Technology: OMB: Office of Management and Budget: SMC: Security Management Committee: USC: United States Code: VA: Department of Veterans Affairs: VBA: Veterans Benefits Administration: VHA: Veterans Health Administration: VISN: Veterans Integrated Service Network: [End of section] United States Government Accountability Office: Washington, DC 20548: July 31, 2008: The Honorable Harry E. Mitchell: Chairman: The Honorable Ginny Brown-Waite: Ranking Member: Subcommittee on Oversight and Investigations: Committee on Veterans' Affairs: House of Representatives: This report responds to your request that we perform a follow-up audit to assess the Department of Veterans Affairs (VA) progress in strengthening controls over information technology (IT) equipment. Past reports of thefts of laptop computers and data breaches raised concerns about the adequacy of controls over VA IT equipment. In July 2004, we reported[Footnote 1] that the six VA medical centers we audited lacked a reliable property control database and had problems with implementation of VA inventory policies and procedures. In July 2007, we reported[Footnote 2] that a weak overall control environment and pervasive weaknesses in inventory control and accountability at four locations we audited put IT equipment at risk of theft, loss, and misappropriation, including sensitive personal and medical information maintained on this equipment. For example, our statistical tests of IT equipment inventory controls at the four VA case study locations identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive information. Our 2004 and 2007 audits found that some medical centers did not account for IT equipment valued under $5,000 during physical inventories. Our 2004 report made 6 recommendations and our 2007 report made 12 recommendations for VA actions to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal and medical information. VA's mission is to promote the health, welfare, and dignity of all veterans in recognition of their service to the nation by ensuring they receive medical care, benefits, social support, and lasting memorials. The department's three major components are the Veterans Health Administration (VHA), the Veterans Benefits Administration (VBA), and the National Cemetery Administration (NCA). During 2007, VA employed over 230,000 individuals and relied on an undetermined number of contractors, volunteers, and students in carrying out its operations. VA provided these individuals with a wide range of IT equipment, including desktop and laptop computers, monitors and printers, personal digital assistants, unit-level workstations, local area networking equipment, and medical equipment capable of storing sensitive personal and medical information.[Footnote 3] By the start of fiscal year 2008, VA had centralized its IT function at all locations within its Office of Information and Technology (OIT). OIT staff share responsibility for management of IT equipment inventory with property management personnel. Accordingly, it is crucial for the department's Assistant Secretary for Information and Technology, who serves as the Chief Information Officer (CIO), to have the cooperation of property managers to ensure that well-established integrated processes exist for controlling IT inventory. Given the continuing nature of IT equipment inventory control problems and their significance, you asked us to perform additional follow-up work to determine (1) whether VA has made progress in implementing our prior recommendations for improving internal control over IT equipment and (2) the effectiveness of VA's current internal controls to prevent theft, loss, or misappropriation of IT equipment. To achieve our first objective, we conducted interviews and obtained documentation from VA property management and OIT officials on the actions taken to address the 12 recommendations in our July 2007 report and the 6 property-related recommendations in our July 2004 report. As you requested, we also reviewed the process and results of VA's 2007 departmentwide physical inventory of IT equipment and actions taken to resolve discrepancies, including VA inventory results for locations tested in our current and prior audits.[Footnote 4] In addition, we reviewed policy revisions related to IT equipment controls based on our prior recommendations. To achieve our second objective and determine the effectiveness of current internal controls for preventing theft, loss, or misappropriation of IT equipment, we used a case study approach, selecting three geographically disparate VA health care systems[Footnote 5] (HCS) located in Dallas, Texas; Seattle, Washington; and Boston, Massachusetts. We also selected VA headquarters organizations[Footnote 6] as a means of assessing the overall control environment, or "tone at the top," as we did in our 2007 audit. At each of the four case study locations, we statistically tested IT equipment inventory control attributes for existence (meaning IT equipment items listed in inventory records exist and can be located), user-level accountability, and inventory record accuracy. As in our 2007 audit, at each of our case study locations we also evaluated (1) VA's Reports of Survey[Footnote 7] on lost and stolen items, (2) controls over computer hard drives in the excess property disposal process,[Footnote 8] and (3) physical security controls for IT storage facilities. We performed sufficient procedures to determine that inventory data at the test locations were reliable for the purpose of our audit,[Footnote 9] including data analysis, interviews of key officials, and review of VA procedures for assuring the reliability of data generated by key property inventory systems. We conducted this performance audit from January 2008 through July 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We performed our investigative procedures in accordance with quality standards as set forth by the President's Council on Integrity and Efficiency. A detailed discussion of our objectives, scope, and methodology is included in appendix I. Results in Brief: VA has made significant progress in addressing our previous recommendations. These recommendations focused on strengthening policies and procedures to establish a framework for accountability and control of IT equipment. As of the end of our field work in July 2008, VA had completed action on 10 of the 12 recommendations in our July 2007 report[Footnote 10] and partially implemented actions on 1 other recommendation. VA also has actions under way to address the remaining recommendation in our 2007 report. Further, VA completed action on 4 of 6 property-related recommendations in our 2004 report,[Footnote 11] partially completed action on a fifth recommendation, and has plans to address the remaining 2004 recommendation. Details of VA's actions on our recommendations to strengthen controls over IT equipment are presented in appendix II. Importantly, VA's Assistant Secretary for Management and the CIO have worked together to draft a revised property management policy in a new VA Handbook 7002, Logistics Management Procedures, which includes requirements for user-level accountability, time frames for completing Reports of Survey[Footnote 12] on missing and stolen property, and requirements for strengthening physical security. On July 3, 2008, VA's Assistant Secretary for Management mandated early implementation of the handbook.[Footnote 13] If effectively implemented, the handbook changes would address many of the control weaknesses we identified. Further, in 2007 VA performed a departmentwide physical inventory of IT equipment at the Subcommittee's direction. Commensurate with the centralization of IT functions under the CIO, including IT asset management, OIT monitored the inventory effort. Initially VA's physical inventory determined that approximately 79,000 IT equipment items were missing. After several months of searching and research of property records, as of May 15, 2008, OIT reported that approximately 62,800 recorded IT equipment items could not be located, of which over 9,800 could have stored sensitive information. Because VA does not know what, if any, sensitive information resided on the equipment, notifications to potentially affected individuals could not be made.[Footnote 14] Facility personnel were continuing to search for missing items, and the CIO formed a quick response team to help ensure that Reports of Survey on lost and stolen items are completed in a timely manner. Our tests of IT equipment inventory controls conducted from February through May 2008 at four case study locations, including three VA HCS and VA headquarters, identified continuing control weaknesses related to missing items, lack of accountability, and errors in IT equipment inventory records. Our Standards for Internal Control in the Federal Government[Footnote 15] requires agencies to establish physical control to secure and safeguard vulnerable assets, such as equipment that might be vulnerable to risk of loss or unauthorized use, including periodically counting the assets and comparing the results to control records. Our statistical tests of IT inventory controls excluded thousands of IT equipment items identified as missing at the four case study locations during VA's 2007 IT equipment inventory effort. Therefore, if adequate controls were in place at our test locations, we would not have expected to identify any additional missing items, blank data fields, or inaccurate inventory records. However, our statistical tests and data analysis at the four locations found significant control failures related to (1) missing items, (2) blank serial numbers, (3) inaccurate information on user organization, (4) inaccurate information on user location, and (5) other recordkeeping errors related to item description information (e.g., model number and manufacturer). Our statistical tests identified a total of 50 missing items, of which 34 could have stored sensitive information. As with missing items identified in VA's departmentwide physical inventory of IT equipment, because VA does not know what, if any, sensitive information resided on the equipment, notifications to potentially affected individuals could not be made. We estimate the percentage of inventory control failures related to these missing items to be 1 percent at the Puget Sound HCS, 3 percent at the Boston HCS, 6 percent at the North Texas HCS, and 12 percent for VA headquarters organizations.[Footnote 16] Although these control weaknesses may be addressed through VA's early implementation of the July 2008 policies, the fact that we identified missing items only a few months after these locations had completed their physical inventories is an indication that the locations had not yet corrected underlying control weaknesses related to accountability over their IT equipment. We also found that medical equipment with data storage and processing capabilities was not included in VA's physical inventory of IT equipment.[Footnote 17] The lack of user-level accountability and inaccurate records on status, location, and item descriptions found at our case study locations make it difficult to determine the extent to which actual theft, loss, or misappropriation of IT equipment may have occurred. Moreover, our follow-up work at the four case study locations found weaknesses in controls over hard drives in the property disposal process as well as physical security weaknesses at IT storage facilities. These control weaknesses present a risk that VA could lose control over new, used, and excess IT equipment and that any sensitive personal and medical information residing on hard drives in this equipment could be compromised. This report contains five recommendations to VA on additional actions needed to strengthen the overall control environment and improve key internal control activities to help ensure accountability and safeguard IT equipment. In initially commenting on our draft report, VA stated that it generally agreed with all but one of our five recommendations. VA was concerned that our recommendation to develop a list of medical equipment with data storage capabilities that should be considered as IT equipment for inventory control purposes intended that this equipment should be redefined (i.e., reclassified) as IT equipment. In a follow-up meeting with VA officials, we clarified that our recommendation was intended to provide the CIO visibility over this equipment for purposes of assuring accountability and information security. Following our discussion and clarifications, VA officials said they agreed with the intent of all five of our recommendations and noted actions they are taking to address them. VA's comments and our analysis are discussed in the Agency Comments and Our Evaluation section of this report. VA's comments are reprinted in appendix III. Background: VA's mission is to serve America's veterans and their families and to be their principal advocate in ensuring that they receive medical care, benefits, and social support in recognition of their service to our nation. VA, headquartered in Washington, D.C., is the second largest federal department and reported it had over 230,000 employees as of September 30, 2007, including physicians, nurses, counselors, statisticians, computer specialists, architects, and attorneys. VA has three major line organizations--VHA, VBA, and NCA--and field facilities throughout the United States. VHA has 21 Veterans Integrated Service Networks (VISN) that oversee medical center activities within their areas, which may cover one or more states. VA provides employees, contractors, volunteers, and students with a wide range of IT equipment,[Footnote 18] including desktop and laptop computers, monitors and printers, personal digital assistants, unit-level workstations, local area networking equipment, and medical equipment with memory and data processing/communication capabilities. By the start of fiscal year 2008, VA had centralized its IT function at all locations within the realigned OIT. VA's IT Property Management Process: The Assistant Secretary for Information and Technology heads VA's OIT, serves as the CIO for the department, and is the principal advisor to the Secretary on matters relating to IT management in the department. OIT staff share responsibility for management of IT equipment inventory with property management personnel. Accordingly, it is crucial for the department's CIO to have the cooperation of property managers to ensure that well-established integrated processes exist for controlling IT inventory. The steps in the IT property management process are key events, which should be documented by an inventory transaction, a financial transaction, or both, as appropriate. Federal records management law, as codified in Title 44 of the U.S. Code and implemented through National Archives and Records Administration (NARA) guidance, requires federal agencies to adequately document and maintain proper records of essential transactions and have effective controls for creating, maintaining, and using records of these transactions.[Footnote 19] Table 1 provides an overview of VA's IT property management process. Table 1: Overview of Key Controls in VA's IT Property Management Process: Receipt, deployment, and inventory control of items in service: Document receipt of new IT equipment items and update financial and property records; Upon receipt of IT equipment, property management personnel record receipt and acceptance for financial reporting and payment. Property personnel also affix bar code labels and create property records[A] for new IT equipment by entering in the automated property systems serial number, description, model number, manufacturer, and original acquisition value, among other elements. Timely recording of new IT equipment in the central property records reduces the risk of misappropriation and lessens the opportunity for undetected loss or theft. Deploy IT equipment and record user and location information; Upon deployment of new IT equipment or deployment of existing equipment for reuse, OIT personnel record the property location. OIT personnel also record organization and user information. Recording organization and user-level information creates an environment of accountability and helps ensure that individuals take responsibility for the IT equipment items assigned to them. Perform physical inventory of IT equipment; VA personnel confirm IT equipment existence during annual physical inventories. Personnel use handheld scanners to capture IT item bar code information and to update location information which helps achieve segregation of duties. In addition, VA Handbook 7127/4 requires that all completed inventories have a 5 percent verification inventory conducted by an accountable officer or designee, a disinterested party, and the custodial officer or designee. Comparing those items physically identified to the inventory records presents an opportunity to identify missing items and to update inventory records for changes in user, location, and status, as appropriate. Update property records; Once personnel have completed physical inventories they update the central property records to reflect current information. Missing items are reported to VA Police or security officers, as appropriate, and to a Board of Survey[B] for further investigation and write-off, if necessary. Updating information on a timely basis provides an organization with accurate information on the location, quantity, and status of its IT equipment for management accountability and decision making. Turn-in, hard drive cleansing, and disposal of excess IT equipment: Document turn-ins of excess IT equipment items; Once an IT item has been identified for turn-in or disposal, the user or OIT will complete VA Form 2237, "Request, Turn-In, and Receipt for Property or Services" or use an electronic turn-in process. Property management personnel are responsible for updating the status of the item in the inventory records. Accurate status information provides asset visibility over items that are in service (in use) and those that have been removed from service. Secure and remove data from hard drives in the property disposal process; OIT personnel are responsible for the physical security of computer hard drives during the disposal process. Physical security of hard drives during the disposal process mitigates the risk of theft or loss or compromise of sensitive information. As part of the disposal process, OIT personnel either cleanse the hard drives using VA-approved software or ship the hard drives to a vendor for physical destruction. Recording hard drive serial numbers and the corresponding item bar code and serial numbers of the host computers creates an audit trail that can be used to determine the system from which a hard drive originated. Since hard drives have the capability to store sensitive information, control of computer hard drives during the property disposal process is essential to safeguarding personal information that may be stored on the hard drives.[C] Redeploy or dispose excess IT equipment items and update inventory status; OIT personnel may redeploy IT equipment that is determined to be excess to the turn-in user's needs. Ultimately, VA will dispose of items excess to its needs by donating them to schools, transferring them to the General Services Administration for reuse within the federal government or resale, or transferring them to disposal (or scrap) vendors. Timely recording of turn-ins and disposal of excess IT equipment helps ensure that VA maintains accountability for IT equipment throughout its life cycle as well as the accuracy of its IT equipment inventory records. Source: GAO analysis of VA policies and procedures. [A] Medical center personnel use the Automated Equipment Management System/Medical Equipment Repair Service (AEMS/MERS) for new IT equipment acquisitions. AEMS/MERS is a general inventory management system that is local to each VA medical center. Headquarters personnel enter records of new IT equipment in the Inte-GreatTM Property Manager system. [B] VA Handbook 7125, Materiel Management Procedures, mandates that a Board of Survey be appointed when there is a possibility that a VA employee may be assessed a pecuniary (financial) liability or disciplinary action as a result of loss, damage, or destruction of property valued at $5,000 or more. The Board of Survey reviews the Report of Survey, which identifies IT equipment that is unaccounted for and explains efforts to account for missing items. The Board of Survey approves final Reports of Survey, including write-offs of missing items and determines if disciplinary action is warranted. [C] Federal agencies, such as VA, are required to protect sensitive data stored on their IT equipment against the risk of data breaches and thus the improper disclosure of personal identification information, such as names and social security numbers. Such information is regulated by privacy protections under the Privacy Act of 1974, codified, as amended, at 5 U.S.C. § 552a and, when information concerns an individual's health, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See Pub. L. No. 104-191, § 264, 110 Stat. 1936, 2033-34 (Aug. 21, 1996), and implementing regulations at 45 C.F.R. pt. 164. [End of table] VA Has Made Significant Progress in Addressing GAO Recommendations and Completing a VA-Wide IT Equipment Inventory: VA has made significant progress in addressing our previous recommendations directed at improving policies and procedures for control of IT equipment and reducing the risk of disclosure of sensitive personal and medical information. As of the end of our field work in July 2008, VA had completed action on 10 of our 12 recommendations from our July 2007 report.[Footnote 20] VA's Assistant Secretary for Management and the CIO worked together to draft a revised property management policy in a new VA Handbook 7002, Logistics Management Procedures, which addresses 7 of our 2007 recommendations. This revised policy is an important step in establishing a framework for control of IT equipment. On July 3, 2008, the Assistant Secretary for Management mandated early implementation of this policy, which includes requirements for user-level accountability, time frames for completing Reports of Survey on missing and stolen property, and requirements for strengthening physical security. VA also partially implemented action on one other recommendation and has actions under way to address the remaining recommendation from our 2007 report. Successful implementation of these efforts will be key to improving controls over VA's IT equipment. VA also made progress implementing recommendations from our 2004 report[Footnote 21] related to personal property and equipment management. VA completed action on four of six property-related recommendations in our 2004 report and partially completed action on a fifth recommendation. VA has plans to address the remaining 2004 recommendation. In addition, in response to your concerns about VA-wide controls based on our previous audits, VA required departmentwide physical inventories of IT equipment to be completed by December 31, 2007. OIT monitored the 2007 physical inventory effort for IT equipment and reported that as of May 15, 2008, VA was unable to locate approximately 62,800 recorded IT equipment items, of which over 9,800 could have stored sensitive information. The CIO formed a "tiger team"[Footnote 22] to monitor efforts under the Report of Survey[Footnote 23] system and to help ensure that Reports of Survey are completed in a timely manner. VA Has Made Significant Progress in Addressing GAO Recommendations: To address recommendations in our July 2007 report, VA completed action on 10 of our 12 recommendations, partially implemented actions on one other recommendation, and has actions under way to address the remaining recommendation. VA actions on our 2007 report recommendations included the establishment of specific time frames for finalizing Reports of Survey, granting OIT personnel access to the central property database, and holding employees financially liable for lost IT equipment. In addition, VA completed action on four of the six recommendations in our July 2004 report, partially completed action on a fifth recommendation, and has plans to address the remaining recommendation. For example, VA revised its policy through VA Handbook 7127/4, Materiel Management Procedures, to state that sensitive items include IT equipment and named several types of IT equipment items. VA's revised policy also stated that IT equipment items valued under $5,000 are to be included in physical inventories. Further, VA has drafted policies that provide a framework for strengthening controls over IT equipment, including VA Handbook 7002, Logistics Management Procedures.[Footnote 24] On July 3, 2008, VA's Assistant Secretary for Management mandated early implementation of this handbook. Effective implementation of this new policy will be essential to ensuring adequate control and accountability of VA's IT equipment and any sensitive information residing on that equipment. Table 2 provides a summary of our 2007 and 2004 recommendations and the current status of VA actions. For a more detailed explanation of VA's actions taken and planned on our recommendations, see appendix II. Table 2: Status of VA's Actions on Prior Recommendations: 2007 GAO recommendations: VA-wide recommendations: 1. Revise VA property management policy and procedures to include detailed requirements for what transactions must be recorded to document inventory events and to clearly establish individual responsibility for recording all essential transactions in the property management process; Status: Fully implemented. 2. Revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment and other property items acquired with government purchase cards at the time the items are received so that they can be recorded in property management systems; Status: Fully implemented. 3. Establish procedures to require specific, individual user-level accountability for IT equipment. In implementing this recommendation, consideration should be given to making the unit head, or a designee, accountable for shared IT equipment; Status: Fully implemented. 4. Enforce user-level accountability and IT coordinator responsibility by taking appropriate disciplinary action, including holding employees financially liable, as appropriate, for lost or missing IT equipment; Status: Fully implemented. 5. Establish specific time frames for finalizing a Report of Survey once an inventory has been completed so that research on missing items is completed expeditiously and does not continue indefinitely without meeting formal reporting requirements; Status: Fully implemented. 6. Establish a mechanism to monitor adherence by the San Diego and Houston medical centers and other VA organizations, as appropriate, to VA policy for performing annual inventories of sensitive items under $5,000, including IT equipment; Status: Fully implemented. 7. Require that information resource management and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners so they can electronically update the property control records, as appropriate, during installation, repair, replacement, and relocation or disposal of IT equipment; Status: Partially implemented. 8. Require physical security personnel to perform inspections of buildings and storage facilities to identify informal and undesignated IT storage locations so that security assessments are performed and corrective actions are implemented, where appropriate; Status: Fully implemented. 2007 GAO recommendations: Recommendations for the CIO: 9. Establish a formal policy requiring a review of the results of annual inventories to ensure that IT equipment inventory records are properly updated and no blank fields remain; Status: Fully implemented. 10. Establish a process for reviewing Reports of Survey for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action; Status: Open. 11. Establish and implement a policy requiring information resource management personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations so that these store rooms can be subjected to required inspections; Status: Fully implemented. 12. Establish and implement a policy for reviewing the results of physical security inspections of IT equipment storerooms and ensure that needed corrective actions are completed; Status: Fully implemented. 2007 GAO recommendations: 2004 GAO recommendations related to personal property and equipment: 1. Clarify existing guidance and establish consistent parameters for personal property that is required to be accounted for in the property control records and that is subject to physical inventory to include sensitive property; Status: Fully implemented. 2. Provide a more comprehensive list of the type of personal property assets that are considered sensitive for accountability purposes; Status: Fully implemented. 3. Direct that physical inventories of personal property be performed by the Acquisition and Materiel Management staff or other parties who are independent of those with property custodian responsibilities; Status: Partially implemented. 4. Reinforce VA's requirement to attach bar code labels to agency personal property; Status: Fully implemented. 5. At the six VA medical centers we visited, determine the location or disposition of personal property items not found during our site visits; Status: Fully implemented. 6. At the six VA medical centers we visited, review property records to identify and correct erroneous or incomplete data fields; Status: Open. Source: GAO interviews of agency officials and analysis of VA documentation. [End of table] VA's 2007 Physical Inventory Effort Demonstrated Continuing Problems with Controls over IT Equipment: VA's 2007 departmentwide inventory initially identified approximately 79,000 missing IT equipment items, underscoring the need to effectively implement the new policies and procedures mandated on July 3, 2008. In the 6 months following completion of the physical inventory, VA facilities undertook efforts to locate or determine reasons for missing items. VA was able to locate several thousand of the missing equipment items. However, as summarized in table 3, on May 15, 2008, OIT reported that VA was unable to locate approximately 62,800 recorded IT equipment items, of which over 9,800 could have stored sensitive information. Because VA does not know what, if any, sensitive information resided on the equipment and when the equipment was lost, notifications to potentially affected individuals could not be made in accordance with OMB guidance.[Footnote 25] We interviewed VA officials and obtained documentation on the VA-wide inventory; however, we did not validate the results. According to VA, many of the missing items were old equipment and may have been disposed of through VA's excess property program. However, because VA facilities had not always documented IT equipment disposal for many years, there was no way to determine whether any of the missing items were lost or stolen. Further, during our work, we discovered that not all IT equipment items were included in the departmentwide inventory. Consequently, the numbers of missing items could be higher. For example, VA's 2007 physical inventory did not include medical equipment with data storage or processing capabilities. In addition, IT equipment items not accounted for in the OIT equipment inventory listing (EIL) were not subject to the 2007 physical inventory at some VA facilities. Further, limited completeness tests we performed as part of our data reliability procedures at case study locations identified some IT equipment items recorded to EILs for organizations other than OIT. Prior to the establishment of OIT, EILs were aligned organizationally and some IT equipment assigned to other EILs had not yet been reassigned to the OIT EIL and, therefore, were omitted from the 2007 physical inventory. We discussed our finding with OIT officials, and they told us that they had met in June 2008 to develop strategies for moving all IT equipment items assigned to other EILs to the OIT EIL. Table 3: Summary of VA-Wide Fiscal Year 2007 IT Equipment Physical Inventory Results as of May 15, 2008: VA location: Region 1; (VISNs 18 - 22); Total missing items: 10,004; Open Reports of Survey items that could have stored sensitive data: 1,429; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 1,207; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 153; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 4; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 65. VA location: Region 2; (VISNs 12, 15-17, and 23); Total missing items: 18,966; Open Reports of Survey items that could have stored sensitive data: 3,089; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 2,899; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 20; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 140; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 3; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 27. VA location: Region 3; (VISNs 6 - 11); Total missing items: 18,623; Open Reports of Survey items that could have stored sensitive data: 2,736; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 2,038; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 72; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 593; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 22; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 11. VA location: Region 4; (VISNs 1 - 5); Total missing items: 13,475; Open Reports of Survey items that could have stored sensitive data: 2,037; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 1,688; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 12; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 281; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 22; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 43. VA location: Veterans Benefits Administration; Total missing items: 8; Open Reports of Survey items that could have stored sensitive data: 4; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 4; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 0. VA location: Field Program Offices; Total missing items: 490; Open Reports of Survey items that could have stored sensitive data: 1; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 1. VA location: VA Headquarters Organizations; Total missing items: 1,314; Open Reports of Survey items that could have stored sensitive data: 570; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 157; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 0; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 197; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 119; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 97. VA location: Total; Total missing items: 62,880; Open Reports of Survey items that could have stored sensitive data: 9,866; Types of missing items on open Reports of Survey that could have stored sensitive data: Desktop computers: 7,993; Types of missing items on open Reports of Survey that could have stored sensitive data: Main frame systems: 104; Types of missing items on open Reports of Survey that could have stored sensitive data: Laptop computers: 1,364; Types of missing items on open Reports of Survey that could have stored sensitive data: Personal digital assistants: 170; Types of missing items on open Reports of Survey that could have stored sensitive data: Other: 244. Source: VA OIT data. Notes: According to VA officials, the "main frame systems" category refers to mini computers (a largely obsolete term for a class of multi user, middle range computers). The "other" category includes thumb drives (small, lightweight, removable data storage devices) and servers. VA officials also stated that the mathematical differences for Region 4 data may be due to minor reporting variations. [End of table] In compliance with VA Handbook 7125, General Procedures, VA personnel submitted Reports of Survey for IT equipment items that were not located during the departmentwide physical inventory and subsequent follow-up investigation. A CIO tiger team was responsible for monitoring the Report of Survey process and helping to ensure that it was completed in a timely manner. Local Boards of Survey were responsible for investigating missing items and approving write-offs of IT equipment items that could not be located during the departmentwide physical inventory. However, as of May 15, 2008, VA had over 43,000 items that were listed on open Reports of Survey and facility personnel were continuing to search for missing items. The 2007 physical inventories were a massive undertaking and required significant effort over several months to resolve discrepancies. Although we would have expected the VA locations that we previously tested to have few, if any, missing items, as of May 15, 2008, 6 of the 12 locations reported from 1,269 to 6,427 missing IT items; 4 locations had from 115 to 863 missing IT items; and only 2 locations had fewer than 100 missing items. A summary of Reports of Survey data on missing IT equipment and the reported original acquisition cost identified in VA's 2007 physical inventory related to sites we tested in our 2004, 2007, and 2008 audits are presented in appendix IV. Tests of IT Inventory Controls at Case Study Locations Identified Continuing Weaknesses: Our tests of IT equipment inventory controls at four case study locations, including three VA HCS and VA headquarters, identified continuing control weaknesses related to missing items, lack of accountability, and errors in IT equipment inventory records. VA's 2007 departmentwide physical inventory effort was intended to establish a reliable IT equipment inventory baseline going forward. Accordingly, our tests excluded from the population of IT equipment thousands of items identified as missing during VA's 2007 IT physical inventory effort. Given the new baseline, if adequate controls had been in place by the end of this inventory process, we would not have expected to identify missing items, blank data fields, or inaccurate inventory records at our test locations. As previously noted, in July 2008 VA mandated early implementation of revised policy related to control of IT equipment. Although the early implementation of July 2008 policy changes may address IT equipment control weaknesses, this policy was not in effect at the time of our tests. Our Standards for Internal Control in the Federal Government[Footnote 26] states that a positive control environment provides discipline and structure as well as the climate that influences the quality of internal control. Further, these standards require agencies to establish physical control to secure and safeguard vulnerable assets, such as equipment that might be vulnerable to risk of loss or unauthorized use, including periodically counting the assets and comparing the results to control records. However, our tests of IT equipment inventory controls at the four case study locations, including three VA HCS and VA headquarters, identified continuing problems with (1) inventory control and accountability, (2) control over computer hard drives in the excess property disposal process, and (3) physical security of IT equipment storage locations. For example, our statistical tests at the four locations from February through May of 2008 identified significant numbers of missing items, several of which could have stored sensitive personal and medical information. Overall, our statistical tests and data analysis at the four locations found significant failures related to IT inventory control and accountability including (1) missing items, (2) blank serial numbers, (3) inaccurate information on user organization, (4) inaccurate information on user location, and (5) other recordkeeping errors. We also identified weaknesses in the controls over computer hard drives in the property disposal process at the four test locations, involving (1) lack of timely sanitization and disposal, (2) inadequate recordkeeping, and (3) physical security. In addition, we found physical security weaknesses at IT storage facilities at all four locations. These weaknesses increase the risk that sensitive personal and medical information could be compromised. GAO's IT Inventory Control Tests Found Continuing Problems: Our 2008 statistical tests of key IT equipment inventory controls and data analysis found significant inventory control failures related to (1) missing items, (2) blank serial numbers, (3) inaccurate information on user organization, (4) inaccurate information on user location, and (5) other recordkeeping errors. As noted previously, VA performed a 2007 physical inventory of IT equipment. We excluded from our populations the missing items identified during VA's physical inventory at the four case study locations. Table 4 shows the 2007 VA-wide inventory results related to missing items at our four case study locations. Table 4: Numbers of Missing IT Equipment Items at Four Test Locations That Were Identified during the 2007 VA-Wide IT Physical Inventory: Inventory results: Date of VA inventory[A]; North Texas HCS: December 2007; Puget Sound HCS: December 2007; Boston HCS: December 2007; VA headquarters: January 2008. Inventory results: Missing items as of December 31, 2007; North Texas HCS: 5,309; Puget Sound HCS: 1,383; Boston HCS: 3,663; VA headquarters: 1,595. Inventory results: Missing items located as of May 15, 2008; North Texas HCS: 1; Puget Sound HCS: 114; Boston HCS: 437; VA headquarters: 281. Inventory results: Missing items not located as of May 15, 2008; North Texas HCS: 5,308; Puget Sound HCS: 1,269; Boston HCS: 3,226; VA headquarters: 1,314. Inventory results: Missing items as of May 15, 2008, that could have stored sensitive information; North Texas HCS: 3,351; Puget Sound HCS: 443; Boston HCS: 725; VA headquarters: 608. Source: GAO analysis of VA 2007 inventory results at four case study locations. [A] The dates of the VA inventories are completion dates. [End of table] Given our exclusions of missing items from the VA inventories, if adequate controls had been in place by the end of this inventory process, we would not have expected to identify missing items, blank data fields, or inaccurate inventory records at our test locations. Table 5 shows the results of our statistical tests at the four case study locations. We present our results as point estimates of control failure rates. Each point estimate has a margin of error, based on a two-sided, 95 percent confidence interval, of plus or minus 10 percent or less. Table 5: Estimated IT Equipment Inventory Control Failure Rates at Four Test Locations: Control failures: Missing items in sample; North Texas HCS: 6%; Boston HCS: 3%; Puget Sound HCS: 1%; VA headquarters: 12%. Control failures: Blank serial numbers (actual); North Texas HCS: 59%; Boston HCS: 17%; Puget Sound HCS: 1%; VA headquarters: 1%. Control failures: Incorrect user organization; North Texas HCS: 91%; Boston HCS: 60%; Puget Sound HCS: 76%; VA headquarters: 12%. Control failures: Incorrect user location; North Texas HCS: 46%; Boston HCS: 17%; Puget Sound HCS: 14%; VA headquarters: 33%. Control failures: Recordkeeping errors; North Texas HCS: 9%; Boston HCS: 41%; Puget Sound HCS: 9%; VA headquarters: 4%. Source: GAO analysis of statistical test results. Notes: The blank serial number failure rate represents the actual blank data field in the population of recorded IT equipment items in each location's property system. Each of the other estimates is based on our statistical tests, which have a margin of error based on a two-sided, 95 percent confidence internal of +/-10 percent or less. The details of our statistical testing are explained in appendix I. Because the four test locations did not record all IT equipment items in their inventory records, our estimated failure rates relate to current (recorded) inventory in the OIT EIL and not the population of all IT equipment at those locations. [End of table] Serial number control is essential to accountability for sensitive items, such as IT equipment, because it identifies unique items. The property bar code label alone is not a sufficient identifier for sensitive items because these labels are removable and can be replaced, if lost or damaged. In addition, because VA has not yet put in place a control for user-level accountability, accurate information on user organization and user location is key to maintaining accountability for IT equipment items. Further, recordkeeping errors impair the reliability of IT inventory information for management decision making. For example, inaccurate inventory records on item name, model number, and manufacturer impair asset visibility and affect decision making on timing of IT equipment upgrades. As discussed previously, limited completeness testing performed as part of our data reliability procedures identified IT equipment that was not included in the populations of recorded IT equipment used for our control tests. For example, our completeness tests at two of the four locations we tested identified three IT equipment items that were recorded to EILs for Psychology, Radiology, and Acquisition and Material Management rather than the OIT EIL. Our completeness tests also identified one item not recorded to an EIL. VA officials could not tell us the quantity of IT equipment items that were not included in the four case study IT equipment populations from which we selected our samples for testing. GAO Tests Identified Significant Numbers of Missing IT Equipment Items: Our tests of physical inventory controls from February through May of 2008 identified 50 missing IT equipment items, including 9 medical equipment items. Of the 50 missing items, 34 items could have stored sensitive personal and medical information. Because VA does not know what, if any, sensitive information resided on the equipment, notifications to potentially affected individuals could not be made. Following the recent completion of VA inventories of IT equipment and adjustment of inventory records at the four test locations, we would not have expected to identify any additional missing items. The continuing occurrences of missing items indicate that underlying control weaknesses have not yet been corrected. Lost and missing IT equipment pose both a financial risk as well as a security risk associated with sensitive information maintained on computer hard drives. The scope of our IT equipment inventory tests was broader than VA's IT inventory because we included medical items with data storage capability. Medical equipment with data storage capability is not currently included in VA's definition of IT equipment. VA CIO officials told us they are aware of the need to control medical equipment with data storage capability and plan to address control of IT components of this equipment. The following discussion summarizes the results of our inventory control tests at the four case study locations. * North Texas HCS. As noted in table 5, our physical inventory testing of the North Texas HCS--which covered the Dallas VA Medical Center and Fort Worth Outpatient Clinic components--found high control failure rates for all of our inventory control tests. Our existence test identified seven missing items, including two that had the capability to store sensitive information. One of the missing items was a piece of medical equipment. As noted in table 5, we estimated a 6 percent failure rate related to the missing items in the recorded population of 12,172 IT equipment items from which we selected our sample. In addition, our analysis of the population of recorded IT equipment found that 7,164, or about 59 percent, did not have their serial numbers recorded in the physical inventory records. Serial numbers are essential to proper identification of sensitive computer equipment. * Boston HCS. Our physical inventory testing of the Boston HCS--which covered the Brockton, Jamaica Plain, and West Roxbury Campuses-- identified 10 missing items, including 7 that had the capability to store sensitive information. The 7 missing items included four medical analyzers, two microcomputers, and a radiology equipment item. As noted in table 5, we estimated a 3 percent failure rate related to the missing items in the recorded population of 15,706 IT equipment items from which we selected our sample. * Puget Sound HCS. The Puget Sound HCS had an estimated failure rate of 1 percent related to missing items in the recorded population of 11,474 IT equipment items, allowing us to conclude that the HCS's controls over existence of IT equipment inventory are effective. Further, the one item we determined to be missing related to a computer monitor which did not have the capability to store data. However, the Puget Sound HCS had high failure rates for the user information and recordkeeping tests. * VA Headquarters Organizations. Our physical inventory testing of VA headquarters organizations IT equipment items identified an estimated failure rate of 12 percent related to missing items in the recorded population of 34,735 items. Our population included strata for VHA, VBA, OIT, Acquisition and Materiel Management, General Counsel, Policy and Planning, and a seventh strata with all other headquarters organizations. Table 6 identifies missing IT equipment items in our stratified sample by VA headquarters organization. Table 6: Number of Missing IT Equipment Items by Headquarters Organization and Missing Items That Could Have Stored Sensitive Personal Data: Test location: Acquisition and Material Management; Number of missing IT items in stratified sample: 0 of 10; Missing items with data storage capability: 0. Test location: General Counsel; Number of missing IT items in stratified sample: 0 of 10; Missing items with data storage capability: 0. Test location: Information and Technology; Number of missing IT items in stratified sample: 21 of 96; Missing items with data storage capability: 17 of 21. Test location: Policy and Planning; Number of missing IT items in stratified sample: 0 of 10; Missing items with data storage capability: 0. Test location: Veterans Health Administration; Number of missing IT items in stratified sample: 6 of 95; Missing items with data storage capability: 5 of 6. Test location: Veterans Benefits Administration; Number of missing IT items in stratified sample: 2 of 94; Missing items with data storage capability: 1 of 2. Test location: All other[A]; Number of missing IT items in stratified sample: 3 of 34; Missing items with data storage capability: 2 of 3. Source: GAO analysis of statistical test results. [A] All other includes 13 additional VA headquarters organizations. The missing items are from the Construction & Facilities Management Office, the Human Resource Management Office, and the Resolution Management Office. The missing items with data storage capability are from the Human Resource Management Office and the Resolution Management Office. [End of table] Lack of User-Level Accountability for IT Equipment at Case Study Locations: As was the case with our 2007 audit of VA IT equipment inventory controls, we found a lack of user-level accountability at the four case study locations in our current tests. As shown in table 7, VA has not yet assured accurate IT inventory records with regard to user organization and location. Information on organization and location are key to maintaining visibility and accountability for IT equipment items. VA property management policy[Footnote 27] and VA Handbook 7002 include guidelines for holding employees and supervisors pecuniarily (financially) liable for loss, damage, or destruction because of negligence or misuse of government property. Several VA facilities have provided us with current examples where VA employees have been held liable for lost and missing IT equipment. Since the completion of our tests, VA has mandated early implementation of Handbook 7002 which also requires assignment of user-level accountability for most IT equipment items. To be effective, the new policy will need to be adequately implemented and enforced. Table 7: Estimated IT Inventory Control Failure Rates Related to Correct User and Location at the Four Test Locations: Test location: North Texas HCS; Incorrect user organization: 91%; (85% to 95%); Incorrect user location: 46%; (36% to 56%). Test location: Boston HCS; Incorrect user organization: 60%; (50% to 70%); Incorrect user location: 17%; (10% to 25%). Test location: Puget Sound HCS; Incorrect user organization: 76%; (66% to 84%); Incorrect user location: 14%; (8% to 22%). Test location: VA headquarters organizations; Incorrect user organization: 12%; (8% to 17%); Incorrect user location: 33%; (26% to 40%). Source: GAO analysis of statistical test results. Note: The percentages represent point estimates and the two-sided, 95 percent confidence intervals. [End of table] The following discussion summarizes the results of our tests for user- level accountability. * North Texas HCS. The North Texas HCS components we tested had very high failure rates related to accountability--an estimated 91 percent for correct user organization and an estimated 46 percent for correct user location. North Texas HCS staff provided us with evidence of sign- out sheets and hand receipts for some IT equipment items such as pagers, cellular telephones, and personal digital assistants. However, for a majority of IT equipment items, the North Texas HCS did not assign user-level accountability through hand receipts or record user information in the inventory system. For medical IT equipment items, the inventory system included user organizations (e.g., radiology or anesthesiology), but did not assign the items to unit heads. * Boston HCS. The Boston HCS campuses we tested also had high failure rates related to accountability--an estimated 60 percent for correct user organization and an estimated 17 percent for correct user location. At our exit briefing in May 2008, Boston HCS staff reported that they are working with engineering personnel to better identify physical locations to aid in the tracking of mobile IT equipment items. For traditional IT equipment items, the Boston HCS generally did not record user organization in its IT equipment inventory records. Further, the Boston HCS generally did not assign user-level accountability through recorded user information or hand-receipts with the exception of pagers, cell phones, and laptops that have been assigned to specific users. For medical IT equipment items, the inventory system included user organizations (e.g., radiology or anesthesiology). However, the inventory records for some of the equipment listed the user as "Medical" or "Nursing" and did not specify what unit in the hospital was accountable for the equipment. * Puget Sound HCS. The Puget Sound HCS components we tested also had high failure rates related to accountability--an estimated 76 percent for correct user organization and an estimated 14 percent for correct user location. The Puget Sound HCS staff provided us with evidence of a locally developed supplemental application for AEMS/MERS, known as the Equipment Loan Form (ELF). Puget Sound HCS staff use the ELF to record user-level information for mobile IT equipment items (e.g., laptop computers) or IT equipment items taken off-site (e.g., a desktop computer at an employee's home). However, for traditional IT equipment items (e.g., desktop computers, printers, and monitors at HCS facilities), the HCS did not assign user-level accountability with recorded user information or hand-receipts. For traditional IT equipment items, the inventory records generally did not identify the user organizations. For medical IT equipment items, the inventory system included user organizations (e.g., radiology or anesthesiology), but did not assign accountability for shared items to unit heads. * VA Headquarters Organizations. Our statistical tests for accurate user organization information identified an estimated 12 percent error rate for VA headquarters organizations. In addition, our statistical tests for correct user information identified an estimated 52 percent error rate. Out tests included IT equipment coordinators--who are responsible for control of equipment shared by multiple users--and individual user employees. In situations where equipment, such as a printer, was shared by multiple employees, we based our tests on whether the inventory records correctly listed the equipment coordinator. In other situations where equipment was in possession and use by an individual employee, we tested to see if that employee was listed in the property record. Overall, we found 147 errors out of a sample of 349 records tested. Regarding user location, our statistical tests found an estimated 33 percent error rate related to situations where inventory records were not updated to reflect the transfer or relocation of IT equipment. We also identified inconsistencies in the use of hand receipts for assigning user-level accountability of mobile IT equipment that can be removed from VA offices for use by employees who are on travel or are working at home. For example, we requested hand receipts for 38 mobile IT equipment items in our statistical sample that were being used by VA headquarters employees. These items either could be or were taken off- site. We received 20 hand receipts--4 that were dated after the date of our request and 16 that were valid. We did not receive hand receipts for the other 18 devices. Recordkeeping Errors in IT Equipment Inventory Status and Item Description Information: As shown in table 8, we found some problems with the accuracy of IT equipment inventory records, ranging from an estimated 4 percent at VA headquarters to an estimated 41 percent at the Boston HCS. Recordkeeping errors included inaccurate information on the status (in use, turned-in, disposal), serial numbers, and item descriptions. Although the estimated overall failure rates for these tests were lower than the failure rates for the other control attributes we tested, they were significant for the various recordkeeping attributes we tested at the four locations. Table 8: Estimated Percentages of Other IT Inventory Recordkeeping Failures at Four Test Locations: Test location: North Texas HCS; Inventory status: 2%; (0% to 7%); Serial number: 1%; (0% to 6%); Item description: 6%; (3% to 12%); Total recordkeeping failures: 9%; (5% to 16%). Test location: Boston HCS; Inventory status: 8%; (4% to 16%); Serial number: 15%; (8% to 24%); Item description: 26%; (17% to 36%); Total recordkeeping failures: 41%; (32% to 51%). Test location: Puget Sound HCS; Inventory status: 1%; (0% to 6%); Serial number: 3%; (1% to 9%); Item description: 5%; (2% to 12%); Total recordkeeping failures: 9%; (4% to 16%). Test location: VA headquarters organizations; Inventory status: 0%; (0% to 2%); Serial number: 1%; (0% to 3%); Item description: 3%; (1% to 7%); Total recordkeeping failures: 4%; (1% to 7%). Source: GAO analysis of statistical test results. Notes: The percentages represent point estimates and the two-sided, 95 percent confidence intervals. Inventory status includes items in use, turned-in, and disposed. The item description includes name, model number, and manufacturer. [End of table] Accurate IT equipment inventory records are important to management decision making because these records are used to determine the types, quantities, and age of equipment as well as life cycle and replacement time frames. Inaccurate information on the status of items--in service, sent for repair, turned in for disposal--masks visibility of items that are not available for use and may need to be replaced. Serial number errors, such as typographical errors, can impair accountability. Further, inaccurate inventory information can cause significant waste and inefficiency during physical inventories because it may require additional time to locate and verify the status of the items. Our review of the data submissions from all four test locations we visited identified data consistency and standardization issues with recorded names, models, and manufacturers of IT equipment. As a result, management at facilities we tested could not tell how many items of a certain model they had in service. Because property system data fields for item description are free-form and do not provide for data standardization, accurate data entry is critical to the identification of like items. For example, North Texas HCS inventory data showed one Solar 8000 physiological monitor listed as model "soalr 8000," one listed as "Solar 800," 26 listed as "Solar 8000," and 70 listed as "Solar8000." Although some of these differences appear to be typographical errors, when searching for Solar 8000 equipment in the database, there is no assurance that other variations of the item name would appear in the search results. Further, this situation hindered the North Texas HCS staff's identification of medical IT equipment items that store or process patient data, requiring us to select a second sample and make an additional site visit. At the Boston HCS, we found that Samsung monitor model number 150N was referred to inconsistently as a "Monitor" 4 times, "Neoware" 3 times, "Samsung 15 Inch" 33 times, and a "Samsung Monitor" 58 times. VA's policy does not address data consistency and standardization. Our Internal Control Management and Evaluation Tool[Footnote 28] states that an agency should: * establish a variety of control activities suited to information processing systems to ensure accuracy and completeness, * consider whether edit checks are used in controlling data entry, and: * consider accuracy control in relation to data entry design features. Although this tool is not required to be used, it is intended to provide a systematic, organized, and structured approach for federal agency use in assessing internal control structure. The failure to maintain consistent information on identical items or classes of items impairs visibility over IT assets as well as analysis and management decision making on existing IT equipment and replacements. Weaknesses in Controls over Hard Drives in the Disposal Process: Although VA requires that hard drives of IT equipment and medical equipment be sanitized prior to disposal to prevent unauthorized release of sensitive personal and medical information, we found weaknesses in the disposal process at each of our test locations that pose a risk that sensitive personal and medical information could be compromised.[Footnote 29] Specifically, we found weaknesses related to (1) timeliness of data sanitization, (2) adequacy of inventory recordkeeping for hard drives removed from their host computers, and (3) physical security controls. Currently, VA OIT personnel are not cleansing all hard drives in the property disposal process because of the guidance from VA's Office of General Counsel to preserve electronic information relevant to a class action lawsuit filed against VA in 2007 (the litigation hold),[Footnote 30] which heightens the need to maintain control over the hard drives in the property disposal process. However, two case study locations had not performed timely sanitization and disposal of hard drives prior to the effective date of the litigation hold. Specifically, one of our HCS test locations had stored excess hard drives for 3 to 4 years and another HCS test location indicated some of its excess hard drives dated back to the 1980s. Two HCS locations did not record dates that all hard drives were received. VA headquarters organizations did not keep records on hard drives in the disposal process prior to February 2008. In addition, adequate control over computer hard drives in the property disposal process requires accurate and complete recordkeeping, such as recording the hard drive serial number along with property identification and serial numbers of the original host computer. The ability to identify hard drives with the host computer inventory records also provides a means to determine the type of data that may have been stored on the hard drives. However, two of our four test locations did not record sufficient information to identify hard drives with host computers, and VA did not have a standard procedure to address this issue. Moreover, although storage locations used for excess hard drives are subject to access controls in VA Handbook 0730/1, Security and Law Enforcement, including motion detection intrusion alarm systems and special key (access) controls, three of our four case study locations did not comply with these requirements. Weaknesses in the controls over hard drives in the property disposal process create an unnecessary risk that sensitive personal information protected under the Privacy Act of 1974 [Footnote 31] and health information accorded additional protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[Footnote 32] could be compromised. The following discussion summarizes our findings at the four case study locations. * North Texas HCS. We found that the North Texas HCS had weaknesses in controls over hard drives in the property disposal process related to timely sanitization, inadequate recordkeeping, and lack of access controls. According to North Texas HCS staff, they were not sanitizing data from any hard drives in the property disposal process at the time of our site visit because of the litigation hold related to the class action lawsuit. The North Texas HCS also indicated that not all hard drives received for sanitization and disposal had been logged in their tracking system. However, for those drives that were recorded, we found that the hard drive disposal records contained sufficient information for identifying hard drives with their original host computers. In addition, the disposal records contained the dates on which the hard drives were removed from their original host computers. The North Texas HCS also maintained a file on certifications of drives that had been cleansed. Further, we observed that one of the two storage locations storing hard drives had inadequate physical security because of the absence of an access control system and intrusion detection alarm system, as required by VA Handbook 0730/1. * Boston HCS. Our work identified recordkeeping weaknesses in the hard drive disposal process at the Boston HCS. Specifically, we found that the hard drive disposal records did not contain sufficient information for identifying hard drives with their original host computers. Further, these records did not indicate the dates on which OIT personnel removed hard drives from their original host computers, which would impede an assessment of timely sanitization or disposal. The Boston HCS also had a practice of storing used hard drives in unsecured locations, such as closets and cabinets, and indicated that it had hard drives dating back to the 1980's. The Boston HCS Information Security Officer is in the process of establishing a centralized storage facility for computer hard drives. * Puget Sound HCS. We identified control weaknesses in the hard drive disposal process at the Puget Sound HCS related to a lack of timely sanitization and disposal and inadequate recordkeeping. Although Puget Sound HCS officials are holding drives because of the litigation hold related to the class action lawsuit, they told us that approximately 100 of the hard drives we observed had been in storage for approximately 3 or 4 years, and therefore are not related to the litigation hold. In addition, the hard drive disposal records at the Puget Sound HCS did not contain sufficient information for identifying hard drives with their original host computers. After our site visit, Puget Sound HCS staff provided us with revised hard drive records that include property identification numbers and hard drive serial numbers and identify hard drives with their original host computers. The Puget Sound HCS stored hard drives in a location that was in full compliance with physical security requirements in VA Handbook 0730/1. * VA Headquarters Organizations. Weaknesses we identified in controls involved the lack of recordkeeping prior to February 2008 and the lack of access controls of hard drive storage facilities. We found that the current hard drive disposal records at VA headquarters contain sufficient information for identifying hard drives with their original host computers. Specifically, OIT records hard drive information in a log that requires, among other elements, the bar code and serial numbers of the original host computer from which OIT personnel removed the hard drive and the serial number of the hard drive. OIT also records the dates on which hard drives are removed from original host computers. However, according to OIT officials and our review of the hard drive records, VA headquarters did not maintain a central record of hard drives prior to February 2008. Further, one of the two hard drive storage locations that we observed at VA headquarters had inadequate physical security because of the absence of an access control system and intrusion detection alarm system, as required by VA Handbook 0730/1. Physical Security Weaknesses Increase Risk of Loss, Theft, and Misappropriation: VA Handbook 0730/1, Security and Law Enforcement, prescribes physical security requirements for storage of new and used IT equipment. Specifically, the handbook requires warehouse-type storerooms to have walls to ceiling height with either masonry or gypsum wall board reaching the underside of the slab (floor) above. OIT storerooms are required to have overhead barricades that prevent "up and over" access from adjacent rooms. Warehouse, OIT, and medical equipment storerooms are all required to have motion intrusion detection alarm systems that detect entry and broadcast an alarm of sufficient volume to cause an illegal entrant to abandon a burglary attempt. Finally, OIT storerooms also are required to have special key control, meaning room door lock keys and day lock combinations that are not master keyed for use by others. Our investigator's inspection of physical security at officially designated IT warehouses and storerooms that held new and used IT equipment at the four case study locations found that most of these storage facilities met the requirements in VA Handbook 0730/1. However, we identified some deficiencies. For example, our investigator found at least one room at all four case study locations that did not have an electronic access control system or an intrusion detection system. Designated IT equipment storage locations at the Seattle Division of the Puget Sound HCS met the physical security requirements in VA Handbook 0730/1. However, IT workrooms and other informal, undesignated storage facilities did not. Despite the established physical security requirements, we found numerous informal, undesignated IT equipment storage locations that did not meet VA physical security requirements. For example, we observed an excess property storage room at the North Texas HCS that contained boxes of 86 hard drives that needed to be disposed of or sanitized. This room lacked a motion detection alarm system and the type of locking system prescribed in VA policy. North Texas HCS staff believed this room was not subject to the security provisions of VA Handbook 0730/1 because it was not formally designated as a storeroom or warehouse. Our investigator also identified an IT equipment work room at the North Texas HCS that lacked adequate physical security measures and was considered temporary in nature. In addition, at the Boston HCS, our investigator found that security personnel were unaware of several temporary storage rooms that contained IT equipment. Some of these rooms were initially established by OIT personnel as temporary storage areas, but had been in use for several years. Because these storerooms had not been formally designated as IT storage facilities, they were not subjected to required physical security inspections. Weaknesses in physical security heighten the risk that sensitive information contained on IT equipment stored in unsecured warehouses and storerooms could be compromised. Conclusions: Our audits and VA's departmentwide physical inventory of IT equipment identified pervasive control weaknesses that resulted in tens of thousands of missing IT equipment items that were purchased with taxpayer dollars. About 9,800 of these items have data storage capabilities and therefore pose a risk of improper disclosure of veterans' personal and medical information. Further, VA's lack of user- level accountability and its failure to maintain accurate and complete IT inventory records have hindered efforts to locate missing items. In the past year, VA has made significant progress in implementing its realigned OIT organization and strengthening policies for control over IT equipment. However, ensuring that IT inventory records are complete and that they are updated as changes in status occur will be key to maintaining accuracy and accountability over IT equipment items. VA's continued efforts to establish and maintain control over IT assets will be essential if VA is to adequately safeguard those assets from theft, loss, and misappropriation and protect sensitive personal and medical information of the nation's veterans. Recommendations for Executive Action: We recommend that the Secretary of Veterans Affairs require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to take the following five actions to improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information: * Review property inventory records and confirm that all IT equipment, regardless of the organizational equipment inventory listing, is identified in the property system. * Establish and implement a policy requiring development of standardized naming classifications for IT equipment--including item name, manufacturer, and model--for recording IT equipment into local property inventory systems. * Develop a list of medical equipment with data storage capability that should be considered as IT equipment for inventory control purposes. * Develop a procedure for identifying hard drive serial numbers with both the property identification numbers and serial numbers of host computers. * Revise the definition of IT storage locations in VA's Handbook 0730/ 1, Security and Law Enforcement, to include informal IT storage locations, such as OIT work rooms, and require these locations to be included in physical security inspections. Agency Comments and Our Evaluation: In its July 28, 2008, written comments on our report, which are reprinted in appendix III, VA generally agreed with four of our five recommendations. VA initially disagreed with our recommendation concerning inventory control over medical equipment because it interpreted our recommendation as requiring them to redefine (i.e., reclassify) medical equipment with data storage capability as IT equipment. Instead, our recommendation was directed at developing a list of medical equipment with data storage capability and including this equipment in physical inventories of IT equipment to provide for CIO oversight of these items. We followed up with VA officials to clarify the intent of our recommendation. We also made appropriate changes to our report to clarify the intent of our recommendation. In addition, while agreeing with the intent of our recommendation concerning the development of standard naming classifications for its IT equipment, VA initially commented that it differed with part of our recommendation concerning who should be responsible for the development of standardized naming classifications. However, VA's comments indicate that it interpreted this recommendation as requiring classification action to occur on a decentralized basis at each VA facility. This was not our intent. In follow-up discussions with VA officials, we explained that our recommendation was directed at taking action to establish VA-wide naming conventions that would be used by all VA facilities in recording property information in their local inventory systems. We clarified the wording in our recommendation accordingly. Based on our follow-up meeting, VA officials said they agreed with all five of our recommendations. They reiterated actions noted in VA's comment letter on steps taken as well as planned actions to improve the accuracy and consistency of information in VA's property inventory systems. We are sending copies of this report to interested congressional committees; the Secretary of Veterans Affairs; the Veterans Affairs Chief Information Officer; the Under Secretary of Health, Veterans Health Administration; and the Director of the Office of Management and Budget. We will make copies available to others upon request. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. Please contact me at (202) 512-9095 or dalykl@gao.gov, if you of your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Major contributors to this report are acknowledged in appendix V. Signed by: Kay L. Daly: Acting Director: Financial Management and Assurance: [End of section] Appendix I: Objectives, Scope, and Methodology: Given the continuing nature of information technology (IT) equipment inventory control problems and their significance, the Chairman and Ranking Member of the House Committee on Veterans' Affairs, Subcommittee on Oversight and Investigations asked us to perform additional follow-up work to determine (1) whether the Department of Veterans Affairs (VA) has made progress in implementing our prior recommendations for improving internal control over IT equipment and (2) the effectiveness of VA's current internal controls to prevent theft, loss, or misappropriation of IT equipment. We evaluated VA's progress in implementing our previously reported recommendations by reviewing agency documentation and interviewing property management and Office of Information Technology (OIT) officials on actions taken in response to recommendations in our 2007 and 2004 reports.[Footnote 33] In concert with the Subcommittee request that VA perform a departmentwide physical inventory of IT assets, we reviewed the results of VA's 2007 physical inventory of IT equipment items and VA's process for completing Reports of Survey[Footnote 34] on lost and stolen items. We also evaluated policies that include guidance for improving accountability of IT equipment and accuracy of inventory records, related memorandums, and other documentation, such as action summaries. In addition, we interviewed cognizant VA officials about specific actions under way or completed, the component organizations responsible for those actions, and the status and targeted completion dates of those actions. Our assessment of the effectiveness of current VA IT equipment inventory controls included statistical tests of key control attributes at four case study locations, including the health care systems (HCS) in North Texas, Boston, and Puget Sound, and VA headquarters organizations. We also assessed controls over hard drives in the excess property disposal process, and our investigators made physical security inspections of IT storage locations at our four case study locations. We used as our criteria applicable law and VA policy, as well as our Standards for Internal Control in the Federal Government[Footnote 35] and our Internal Control Management and Evaluation Tool.[Footnote 36] We reviewed applicable program guidance provided by the test locations and interviewed officials about their IT inventory processes and controls. In selecting our case study locations, we chose three geographically disparate VA HCS. We also tested inventory at VA headquarters organizations as a means of assessing the overall control environment, or "tone at the top," as we did in our 2007 audit. Table 9 shows the VA locations selected for IT equipment inventory control testing, the sample size, and the reported number and value of IT equipment items at each location. Table 9: Population of VA IT Equipment at Locations Selected for Testing: VA location: North Texas HCS; Sample size and number of VA IT equipment items: 167 of 12,172; Value of VA IT equipment inventory: $49,097,365. VA location: Boston HCS; Sample size and number of VA IT equipment items: 148 of 15,706; Value of VA IT equipment inventory: 48,972,306. VA location: Puget Sound HCS; Sample size and number of VA IT equipment items: 147 of 11,474; Value of VA IT equipment inventory: 33,969,881. VA location: VA headquarters; Sample size and number of VA IT equipment items: 349 of 34,735; Value of VA IT equipment inventory: 48,996,332. Source: GAO analysis of VA facility IT equipment inventory data. Note: The data represent current inventory at the time we selected our samples. The reported value is the original acquisition cost, though not all items in VA's property management systems included original acquisition values. [End of table] We performed appropriate data reliability procedures, including an assessment of each VA test location's procedures for assuring data reliability, reasonableness checks on electronic data, and tests to assure that IT equipment inventory was sufficiently complete for the purposes of our work. As in our 2007 work, we relied on biomedical engineers to provide lists of medical equipment with the ability to store or process electronic data. We performed analytical procedures to confirm reasonableness of the medical equipment listings provided by the three HCS. Our analysis determined that the original listing submitted by the North Texas HCS staff was incomplete regarding medical equipment meeting our definition as IT equipment. We revisited our criteria for identifying medical equipment with data storage and processing capability with North Texas HCS officials and asked them to provide us a new medical equipment listing to support our sampling and control tests. Our procedures and test work also identified a limitation related to the completeness of IT equipment inventory at our four test locations. The VA North Texas and Boston HCS maintained some IT equipment records outside of their central listings of IT equipment. We also identified evidence that the VA Puget Sound and VA headquarters did not record all IT equipment items in the official property records. Further, our statistical tests determined that some IT equipment was recorded in inventory categories other than IT. We disclosed this limitation in the discussion of our test results. As a result of these limitations, the population of IT equipment is not known for VA overall or by location and we were not able to project our test results to the population of IT equipment inventory at each of our four test locations. However, we determined that these data were sufficiently reliable for us to project our test results to the population of current, recorded IT equipment inventory at each of the four locations. From the population of current, recorded IT equipment inventory at the time of our tests,[Footnote 37] we selected stratified random probability samples of IT equipment, including medical equipment with data storage capability, at each of the three HCS locations. For the 19 VA headquarters organizations, we stratified our sample by 6 major offices and used a seventh stratum for the remaining 13 organizations. With these statistically valid samples, each item in the population for the four case study locations had a nonzero probability of being included, and that probability could be computed for any item. Each sample item for a test location was subsequently weighted in our analysis to account statistically for all items in the population for that location, including those that were not selected. We performed tests on statistical samples of IT equipment inventory transactions at each of the four case study locations to assess whether the system of internal control over physical IT equipment inventory was effective (i.e., provided reasonable assurance of the reliability of inventory information and accountability of the individual items). For each IT equipment item in our statistical sample, we assessed whether (1) the item existed (meaning that the item recorded in the inventory records could be located), (2) inventory records and processes provided adequate accountability, and (3) identifying information (property number, serial number, model number, and location) was accurate. We explain the results of our existence tests in terms of control failures related to missing items and recordkeeping errors. The results of our statistical samples are specific to each of the four test locations and cannot be projected to the population of VA IT inventory as a whole. We present the results of our statistical samples for each population as point estimates representing (1) our projection of the estimated error overall for each control attribute and (2) the two-sided, 95 percent confidence intervals for the failure rates. To assess VA's controls over computer hard drives in the property disposal process, at each HCS and VA headquarters we interviewed OIT officials, observed hard drive storage locations, and obtained copies of VA documentation related to hard drives in the disposal process at the time of our site visits. Our investigators supported our tests of IT physical inventory controls by assessing the physical security of various IT equipment storage facilities at each of our four case study locations. As part of our assessment, one of our investigators interviewed VA Police at the three HCS locations and federal agency law enforcement officers at VA headquarters and met with physical security specialists at each of the test locations to discuss the results of our physical security inspections and the status of VA actions on identified weaknesses. We briefed VA managers at our three HCS test locations and VA headquarters, including VA HCS directors and OIT and property management officials, on the details of our audit, our findings, and their implications. On July 15, 2008, we requested comments on a draft of this report. We received comments from the Secretary of Veterans Affairs on July 28, 2008, and we had follow-up discussions with cognizant VA officials. We have summarized VA's comments and our follow- up discussions in the Agency Comments and Our Evaluation section of this report. We conducted this performance audit from January 2008 through July 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We performed our investigative work in accordance with standards prescribed by the President's Council on Integrity and Efficiency. [End of section] Appendix II: Status of VA Actions on Recommendations in GAO's July 2007 and 2004 Reports: Table 10 lists the 12 recommendations from our 2007 report, summarizes VA's actions, and presents the status of each recommendation. VA property officials from the Office of Acquisition and Logistics (OAL) and officials in the Office of Information and Technology (OIT) worked together to create a new VA Handbook 7002, Logistics Management Procedures, which updates VA policy for property management, including specific policy pertaining to information technology (IT) equipment. The Assistant Secretary for Management mandated early implementation of VA Handbook 7002 on July 3, 2008. Table 10: GAO's 2007 Report Recommendations and Status of VA Actions as of July 2008: 2007 VA-wide recommendations: GAO recommendation: 1. Revise VA property management policy and procedures to include detailed requirements for what transactions must be recorded to document inventory events and to clearly establish individual responsibility for recording all essential transactions in the property management process; VA action on the recommendation: VA mandated early implementation of Handbook 7002, Logistics Management Procedures, which requires the recording of key inventory events, including the recording of IT equipment information upon receipt, changes in item status, and turn-in and disposal; Status of GAO recommendation: Fully implemented. GAO recommendation: 2. Revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment and other property items acquired with government purchase cards at the time the items are received so that they can be recorded in property management systems; VA action on the recommendation: VA mandated early implementation of VA Handbook 4080, Government Purchase Card Procedures, which requires purchase cardholders to notify the property officer of IT equipment acquired with the purchase card so that these items may be recorded in the property management system. Handbook 7002 includes the same requirement; Status of GAO recommendation: Fully implemented. GAO recommendation: 3. Establish procedures to require specific, individual user-level accountability for IT equipment. In implementing this recommendation, consideration should be given to making the unit head, or a designee, accountable for shared IT equipment; VA action on the recommendation: Handbook 7002 requires employees to sign for IT equipment assigned exclusively for individual use and department heads or service chiefs to sign for shared IT equipment; Status of GAO recommendation: Fully implemented. GAO recommendation: 4. Enforce user-level accountability and IT coordinator responsibility by taking appropriate disciplinary action, including holding employees financially liable, as appropriate, for lost or missing IT equipment; VA action on the recommendation: VA facilities provided several fiscal year 2008 examples of bills sent to VA personnel for lost and damaged IT equipment items; Status of GAO recommendation: Fully implemented. GAO recommendation: 5. Establish specific time frames for finalizing a Report of Survey once an inventory has been completed so that research on missing items is completed expeditiously and does not continue indefinitely without meeting formal reporting requirements; VA action on the recommendation: In May 2008, OAL issued an information letter implementing immediately an overall Report of Survey timeline of 60 days. In addition, Handbook 7002 requires the Report of Survey process to be completed within 60 days; Status of GAO recommendation: Fully implemented. GAO recommendation: 6. Establish a mechanism to monitor adherence by the San Diego and Houston medical centers and other VA organizations, as appropriate, to VA policy for performing annual inventories of sensitive items under $5,000, including IT equipment; VA action on the recommendation: VA established the Office of Information Technology Oversight and Compliance in February 2007, which reviewed compliance with established VA policy. VA also established a tiger team in May 2007, which reviewed the results of the VA-wide 2007 physical inventory of IT equipment; Status of GAO recommendation: Fully implemented. GAO recommendation: 7. Require that information resource management and IT Services personnel at the various medical centers be given access to the central property database and be furnished with scanners so they can electronically update the property control records, as appropriate, during installation, repair, replacement, and relocation or disposal of IT equipment; VA action on the recommendation: VA has granted OIT personnel access to the central property database (AEMS/MERS). Furthermore, VA has begun to furnish OIT employees with hand scanners that may be used to scan equipment during routine maintenance. VA reports that it is currently assessing how many hand scanners various VA facilities need; Status of GAO recommendation: Partially implemented. GAO recommendation: 8. Require physical security personnel to perform inspections of buildings and storage facilities to identify informal and undesignated IT storage locations so that security assessments are performed and corrective actions are implemented, as appropriate; VA action on the recommendation: In September 2007, VA established Handbook 6500, Information Security Program, requiring that the Information Security Officer conduct and document physical security reviews as part of the annual review of the system security plan to help analyze any new or existing physical security vulnerabilities; Status of GAO recommendation: Fully implemented. 2007 Recommendations for the CIO: GAO recommendation: 9. Establish a formal policy requiring a review of the results of annual inventories to ensure that IT equipment inventory records are properly updated and no blank fields remain; VA action on the recommendation: VA Handbook 7002 requires the accountable officer to ensure that property records have been updated correctly at the completion of each physical inventory and that no blank fields remain; Status of GAO recommendation: Fully implemented. GAO recommendation: 10. Establish a process for reviewing Reports of Survey for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action; VA action on the recommendation: VA's OIT is working with OAL and the Office of Prosthetics and Clinical Logistics to develop an integrated approach for Report of Survey monitoring. OIT's tiger team also is reviewing VA facilities' internal controls for IT equipment and the results of the 2007 physical inventory, which included IT equipment items submitted for Report of Survey processing. However, VA has not yet established a formalized process for reviewing Reports of Survey; Status of GAO recommendation: Open. GAO recommendation: 11. Establish and implement a policy requiring information resource management personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations so that these store rooms can be subjected to required inspections; VA action on the recommendation: VA Handbook 7002 requires that facilities' Security Management Committees (SMC) develop local strategic security plans as guides to identify physical and procedural security needs. Handbook 7002 requires the IT custodial officer to provide the facility information security officer a list of all IT storage areas and that access to IT equipment storage areas be provided to facility security personnel for use in performing regular inspections; Status of GAO recommendation: Fully implemented. GAO recommendation: 12. Establish and implement a policy for reviewing the results of physical security inspections of IT equipment storerooms and ensure that needed corrective actions are completed; VA action on the recommendation: VA Handbook 7002 states that the IT custodial officer will coordinate with the SMC to develop a plan to address IT-related security requirements identified in the strategic security plan. The handbook also requires the IT custodial officer to develop a plan to address all corrective actions identified in the Report of Physical Security Inspection of IT Equipment Store Rooms within 10 days of receipt of the report from security personnel; Status of GAO recommendation: Fully implemented. Source: GAO interviews of agency officials and analysis of VA documentation. [End of table] Table 11 lists the 6 property-related recommendations from our 2004 report, summarizes VA's actions, and presents the status of each recommendation. Table 11: GAO's 2004 Report Recommendations and Status of VA Actions as of July 2008: 2004 Property-related recommendations: GAO recommendation: 1. Clarify existing guidance and establish consistent parameters for personal property that is required to be accounted for in the property control records and that is subject to physical inventory to include sensitive property; VA action on the recommendation: In October 2005, VA issued a modification to VA Handbook 7127/4, Materiel Management Procedures, which stated that sensitive items, regardless of cost, should be included in annual equipment inventories. In addition, the guidance provided an expanded list of eight categories of sensitive items; Status of GAO recommendation: Fully implemented. GAO recommendation: 2. Provide a more comprehensive list of the type of personal property assets that are considered sensitive for accountability purposes; VA action on the recommendation: In October 2005, VA issued a modification to VA Handbook 7127/4, Materiel Management Procedures, which provided an expanded list of eight categories of sensitive items, including handheld and portable communication devices, printers, desktop and laptop computers, and video imaging equipment; Status of GAO recommendation: Fully implemented. GAO recommendation: 3. Direct that physical inventories of personal property be performed by the Acquisition and Materiel Management staff or other parties who are independent of those with property custodian responsibilities; VA action on the recommendation: In October 2005, VA issued a modification to Handbook 7127/4, Materiel Management Procedures, which required that all completed inventories have a 5 percent verification inventory conducted by an accountable officer or designee, a disinterested party, and the custodial officer or designee. However, the handbook did not direct that the independent party should perform the physical inventories, and 5 percent verifications do not suffice for independent inventories. In addition, VA has begun to furnish OIT employees with hand scanners that may be used to scan equipment. VA reports that it is currently assessing how many hand scanners its facilities need. The use of hand scanners for capturing IT equipment bar code label and serial number information during physical inventories would help achieve necessary independence; Status of GAO recommendation: Partially implemented. GAO recommendation: 4. Reinforce VA's requirement to attach bar code labels to agency personal property; VA action on the recommendation: During a June 2008 property conference call with property management personnel from VA field locations across the nation, OAL personnel reinforced VA's requirement to attach bar code labels to agency personal property; Status of GAO recommendation: Fully implemented. GAO recommendation: 5. For the six sites we visited in 2004, determine the location or disposition of personal property items not found during our site visits; VA action on the recommendation: VA reported in its Fiscal Year 2006 Budget Submission that the six identified medical centers were directed to conduct inventories of equipment inventory listings by March 31, 2005. VA further reported that upon completion of the inventories, the network director must submit certification that inventories were accomplished, any discrepancies were identified, and required Reports of Survey were prepared on items that could not be found; Status of GAO recommendation: Fully implemented. GAO recommendation: 6. For the six sites we visited in 2004, review property records to identify and correct erroneous or incomplete data fields; VA action on the recommendation: In June 2008, VA's Office of Information and Technology Oversight and Compliance planned to review the erroneous and blank data fields at the six medical centers we visited. In addition, VA officials indicated that they plan to review the data fields at a national level using a data warehouse and provide reports to the six sites by September 1, 2008. However, VA has not yet reviewed or corrected these erroneous and blank data fields; Status of GAO recommendation: Open. Source: GAO interviews of agency officials and analysis of VA documentation. [End of table] [End of section] Appendix III: Comments from the Department of Veterans Affairs: The Secretary Of Veterans Affairs: Washington: July 28, 2008: Ms. Kay L. Daly: Acting Director: Financial Management and Assurance: U. S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Ms. Daly: The Department of Veterans Affairs (VA) has reviewed your draft report, Veterans Affairs: Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses (GAO-08-918), and generally agrees with all but one of the recommendations. VA does not agree with the recommendation that medical devices with data storage capability be considered information technology (IT) equipment for the purpose of inventory control. Not only is this counter to the Joint Commission accreditation requirements, a separate inventory of medical equipment is a necessity to address the Food and Drug Administration's recalls and other hazard notifications related to patient safety. VA does agree that sensitive information must be protected, and VA has established policy to deal with this issue. VA agrees with GAO's recommendation regarding the development of a standardized naming classification for IT equipment, but differs on the responsibility for implementing the recommendation. The enclosure specifically addresses GAO's recommendations and provides additional discussion and comments to the draft report. VA appreciates the opportunity to comment on your draft report. Sincerely yours. Signed by: James B. Peake, M.D. Enclosure: Department of Veterans Affairs (VA) Comments to Government Accountability Office (GAO) Draft Report: Continued Action Needed To Reduce It Equipment Losses And Correct Control Weaknesses (GAO-08-918): GAO recommends that the Department of Veterans Affairs take the following five actions: * Review property inventory records and confirm that all IT equipment, regardless of the organizational equipment inventory listing, is identified in the property system. Concur- VA Handbook 7002 requires the senior information technology (IT) official at each facility to review property inventory records and ensure that all IT equipment is identified in the VA property system. The senior IT official is responsible for establishing and implementing a process to identify, account for, track, monitor, inventory, and dispose of IT items that are capable of storing information electronically but are not assigned catalog stock numbers (CSN). The senior IT official will coordinate perpetual inventory activities as well as schedule and conduct an annual physical inventory of expendable IT items to verify the accuracy of the data contained in the sensitive expendable IT item listing (SEIIL). The senior IT official will document and report any discrepancies identified during inventory activities. The senior IT official will also coordinate perpetual inventory activities and conduct an annual physical inventory of IT equipment items assigned a CSN in accordance with the schedule established by Logistic Services to verify the accuracy of the data contained in the equipment inventory listing (EIL). The senior IT official is responsible for documenting and reporting any discrepancies identified during inventory activities. The annual EIL/SEIIL inventories include an audit to ensure accurate documentation in the inventory tracking systems. Following an inventory of IT items, or whenever an IT equipment item is identified as not accounted for', the senior IT official will review the documentation for discrepancies and coordinate with Logistic Services regarding a determination as to the need for report of survey (ROS) action. IT items on ROS must be resolved within 60 days of initiation. Any exceptions will be documented in a plan of action and approved by the facility director. The facility director is accountable for all equipment in their facility and is responsible for ensuring adherence to all applicable policies. Performance measures are being established for Office of Information and Technology (OI&T) regional directors and Veterans Health Administration (VHA) facility directors related to the accountability of IT equipment under their cognizance. * Establish and implement a policy requiring facility CIOs to develop standardized naming classifications for IT equipment, including item name, manufacturer, and model, for recording IT equipment into local property inventory systems. Partially Concur-VA concurs that standardized naming classifications are required to support tracking of IT equipment. However, VA does not concur that the standardized naming classifications should be established at the facility level. VA employs a cataloging process to categorize equipment using CSNs. The CSNs are assigned according to the schema established in VA Catalog No. 3, Section V, which provides a description for each CSN. This provides for a standardized naming classification system that applies across the Department. In the Fall of 2006 a group of subject matter experts assembled to develop standard operating procedures (SOP) for Veterans Health Administration (VHA) on asset management. These SOPs were issued March 8, 2007. One of the SOPs (AM 1 SOP) specifically addresses the data elements required to be included in the local property inventory system maintained in the Automated Engineering Management System/Medical Equipment Repair Service (AEMS/MERS) system. These data elements include item name, manufacturer, and model number/designation for each item of IT equipment. Prosthetics and Clinical Logistics Office (P&CLO) will be assessing compliance with this requirement by September 2008. Monthly reports will be generated and analyzed to identify facilities with incomplete data. P&CLO will send notifications to OI&T regional directors and VI- IA facility directors of non-compliant sites. Copies of reports will also be provided to the IT Asset Advisory Group (ITAAG) for trend analysis and to support the identification of systemic issues requiring corrective action. * Develop a list of medical equipment with data storage capability that should be considered as IT equipment for inventory control purposes. Partially Concur - VA does concur with maintaining an inventory of all equipment, including medical for inventory control purposes. In accordance with VA Handbook 7002, the facility director is responsible for ensuring that all nonexpendable equipment items, and sensitive equipment items regardless of cost, are entered into the VA property system for inventory control purposes. The Joint Commission verifies that medical devices are subjected to inspection before deployment; this inspection process includes the entry of these items into the property system. VA Handbook 6500 addresses the requirements associated with the management and protection of sensitive information and applies to all organizational components of the Department. VA does not concur with redefining medical equipment as IT equipment. Joint Commission accreditation requirements include maintenance of a separate and distinct medical equipment inventory to manage and document quality assurance activities. Medical devices are highly regulated by the Food and Drug Administration and a separate and accurate inventory is a necessity to address recall and other hazard notifications to minimize potential impact on patient safety. * Develop a procedure for identifying hard drive serial numbers with both the property identification numbers and serial numbers of host computers. Concur- VA agrees that hard drives need to be tracked and matched to host computers. OI&T and P&CLO will develop a procedure for identifying hard drive serial numbers with both the property identification numbers and serial numbers of host computers by the end of fiscal year 2008. This procedure will delineate organizational responsibilities and the process for ensuring appropriate mapping of hard drives to host computers. * Revise the definition of IT storage locations in VA's Handbook 0730/1, Security and Law Enforcement, to include informal IT storage locations, such as OIT work rooms and require these locations to be included in physical security inspections. Concur- OI&T will work with Security and Law Enforcement to revise the definition of IT storage locations to include informal IT storage locations. Meanwhile, IT custodial officers are responsible for identifying all IT storage areas for security personnel. The following requirements are included in VA Handbook 7002: The IT Custodial Officer will provide a list of all IT storage areas to the Facility IT Security Officer (FISO). This list will be updated as necessary to ensure it is maintained current.... Access to IT equipment storage locations will be provided to facility security personnel to perform regular inspections. Security personnel will provide a Report of Physical Security inspection of IT Equipment Store Rooms to the IT Custodial Officer at the facility within 10 days of completing a physical security inspection. The report will document [End of section] Appendix IV: Reports of Survey on Missing IT Equipment for VA Case Study Locations: Table 12 summarizes Report of Survey[Footnote 38] information related to VA's 2007 physical inventories of IT equipment for the 12 case study locations covered in our 2004, 2007, and 2008 audits. We used the original acquisition value as the best available data for the cost of IT equipment items that could not be located during VA's 2007 physical inventory. Table 12: Summary of Reports of Survey as of May 15, 2008, for Case Study Locations Covered in GAO Audits: Location: Atlanta medical center; Date physical inventory completed: Aug. 2007; Dates VA closed Reports of Survey: Apr. 2008; Items missing as of 12/31/07: 198; Items missing as of 5/15/08: 129; Reported original acquisition value of missing items as of 5/15/08: $220,115. Location: Boston healthcare system; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: Ongoing; Items missing as of 12/31/07: 3,663; Items missing as of 5/15/08: 3,226; Reported original acquisition value of missing items as of 5/15/08: $5,026,271. Location: North Texas healthcare system; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: Ongoing; Items missing as of 12/31/07: 5,309; Items missing as of 5/15/08: 5,308; Reported original acquisition value of missing items as of 5/15/08: $5,615,070. Location: Washington D.C. medical center; Date physical inventory completed: Sept. 2007; Dates VA closed Reports of Survey: May 2008; Items missing as of 12/31/07: 139; Items missing as of 5/15/08: 115; Reported original acquisition value of missing items as of 5/15/08: $120,048. Location: Houston medical center; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: Ongoing; Items missing as of 12/31/07: 6,485; Items missing as of 5/15/08: 6,427; Reported original acquisition value of missing items as of 5/15/08: $7,737,917. Location: Indianapolis medical center; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: May 2008; Items missing as of 12/31/07: 113; Items missing as of 5/15/08: 82; Reported original acquisition value of missing items as of 5/15/08: $29,986. Location: Los Angeles medical center; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: Ongoing; Items missing as of 12/31/07: 1,767; Items missing as of 5/15/08: 1,648; Reported original acquisition value of missing items as of 5/15/08: $1,273,144. Location: VA headquarters; Date physical inventory completed: Jan. 2008; Dates VA closed Reports of Survey: Ongoing; Items missing as of 12/31/07: 1,595; Items missing as of 5/15/08: 1,314; Reported original acquisition value of missing items as of 5/15/08: $3,316,951. Location: San Diego healthcare system; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: Feb. 2008; Items missing as of 12/31/07: 930; Items missing as of 5/15/08: 863; Reported original acquisition value of missing items as of 5/15/08: $717,805. Location: San Francisco medical center; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: May 2008; Items missing as of 12/31/07: 39; Items missing as of 5/15/08: 39; Reported original acquisition value of missing items as of 5/15/08: $105,298. Location: Puget Sound healthcare system; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: Ongoing; Items missing as of 12/31/07: 1,383; Items missing as of 5/15/08: 1,269; Reported original acquisition value of missing items as of 5/15/08: $1,536,840. Location: Tampa medical center; Date physical inventory completed: Dec. 2007; Dates VA closed Reports of Survey: Ongoing; Items missing as of 12/31/07: 815; Items missing as of 5/15/08: 690; Reported original acquisition value of missing items as of 5/15/08: $638,946. Source: GAO analysis of VA-reported 2007 inventory results and related Reports of Survey data. [End of table] [End of section] Appendix V GAO Contact and Staff Acknowledgments: GAO Contact: Kay L. Daly, (202) 512-9095 or dalykl@gao.gov: Acknowledgments: In addition to the contact named above, Gayle L. Fischer, Assistant Director; Andrew O'Connell, Assistant Director and Supervisory Special Agent; F. Abe Dymond, Assistant General Counsel; Doreen S. Eng, Assistant Director; Bamidele A. Adesina; James D. Ashley; Deyanna J. Beeler; Francine M. DelVecchio; Lauren S. Fassler; Steven M. Koons; Kelly A. Richburg; Ramon J. Rodriguez, Special Agent; Daniel E. Silva; Chevalier C. Strong; Danietta S. Williams; and Matthew L. Wood made key contributions to this report. [End of section] Footnotes: [1] GAO, VA Medical Centers: Internal Control over Selected Operating Functions Needs Improvement, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-04-755] (Washington, D.C.: July 21, 2004). [2] GAO, Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07- 505] (Washington, D.C.: July 16, 2007). [3] For the purpose this audit, we included in our definition of IT equipment any equipment capable of storing or processing data, regardless of how VA classifies it. Therefore, medical devices that would typically not be classified as IT equipment, but may capture, process, or store patient data, were considered IT equipment for this audit. For example, we included electrocardiograph, anesthesiology, and ultrasound equipment in our tests. [4] Our 2007 audit covered medical centers in Washington, D.C.; Indianapolis, Ind.; San Diego, Calif.; and VA headquarters organizations. Our 2004 audit covered medical centers in Atlanta, Ga.; Houston, Tex.; Los Angeles, Calif.; San Francisco, Calif.; Tampa, Fla.; and Washington, D.C. [5] Each of the three HCS locations included multiple medical facilities. [6] Our tests of VA headquarters consist of separate strata for 6 organizations and a seventh strata for all other organizations. [7] The Report of Survey system is the method used by VA to obtain an explanation of the circumstances surrounding loss, damage, or destruction of government property other than through normal wear and tear. [8] As used in this report, the term excess property refers to property that a federal agency leases or owns that is not required to meet either the agency's needs or any other federal agency's needs. [9] The population of IT equipment items for the four test locations did not include the population of all IT equipment at those locations. Therefore, we can project our test results to the population of current, recorded IT equipment inventory at each location, but not the population of all IT equipment. Our tests were specific to each of the case study locations and cannot be projected to VA IT equipment inventory as a whole. [10] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-505]. [11] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-755]. [12] The Report of Survey system is the method used by VA to obtain an explanation of the circumstances surrounding loss, damage, or destruction of government property other than through normal wear and tear. [13] The Assistant Secretary for Management's July 3, 2008, information letter states that although the draft handbook was under final review within VA, the contents of the handbook "are of such importance that the policies and procedures need to be implemented as soon as possible." [14] See Office of Management and Budget (OMB), Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Memorandum (Washington, D.C: May 22, 2007). This memorandum requires agencies to develop and implement an information breach notification policy. [15] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). This document was prepared to fulfill our statutory requirement under 31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982, to issue standards that provide the overall framework for establishing and maintaining internal control. [16] Each of these estimates has a margin of error, based on a two- sided, 95 percent confidence interval, of +/-10 percent or less. [17] We included medical equipment with the capability to store or process data in our tests; such items were excluded from the 2007 VA- wide physical inventory of IT equipment. [18] For the purpose of this audit, we include in our definition of IT equipment any equipment capable of storing or processing data, regardless of how VA classifies it. Therefore, medical devices that would typically not be classified as IT equipment, but may capture, process, or store patient data, were considered IT equipment for this audit. For example, we included electrocardiograph, anesthesiology, and ultrasound equipment in our tests. [19] 44 U.S.C. §§ 3101 and 3102, and implementing NARA regulations at 36 C.F.R. § 1222.38. This is consistent with the more general requirement for agencies to establish internal controls under 31 U.S.C. § 3512 (c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA), and [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO/AIMD-00-21.3.1]. [20] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-505]. [21] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-755]. [22] A tiger team is a quick response team formed to determine causes of identified problems and develop corrective action plans. [23] The Report of Survey system is the method used by VA to obtain an explanation of the circumstances surrounding loss, damage, or destruction of government property other than through normal wear and tear. [24] This policy combines information originally contained in VA Handbooks 7125, General Procedures, and 7127, Materiel Management Procedures, and would rescind these policies when approved in final form. [25] See OMB, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Memorandum (Washington, D.C: May 22, 2007). This memorandum requires agencies to develop and implement an information breach notification policy. [26] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1]. [27] VA Handbook 7125, Materiel Management General Procedures, § 5003 (Oct. 11, 2005). [28] GAO, Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-1008G] (Washington, D.C.: August 2001). This document was prepared to assist agencies in maintaining or implementing effective internal control and, when needed, to help determine what, where, and how improvements can be implemented. [29] VA OIT personnel and contractors follow National Institute of Standards and Technology Special Publication 800-88 guidelines, which require performing three separate erasures for media sanitization. [30] On August 21, 2007, VA distributed a "litigation hold" memorandum that explained issues in Veterans for Common Sense v. Peake, a class action lawsuit filed in July 2007 against VA, and VA's ongoing obligation to identify and preserve electronic information relevant to those issues. VA directed employees not to preserve all information, only information relevant to the lawsuit. [31] Privacy Act of 1974, codified, as amended, at 5 U.S.C. § 552a. [32] HIPAA, Pub. L. No. 104-191, § 264, 110 Stat. 1936, 2033-34 (Aug. 21, 1996). The HHS Secretary has prescribed standards for safeguarding health information in the HIPAA Medical Privacy Rule. See 45 C.F.R. pt. 164. [33] GAO, Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07- 505] (Washington, D.C.: July 16, 2007) and GAO, VA Medical Centers: Internal Control over Selected Operating Functions Needs Improvement, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-755] (Washington, D.C.: July 21, 2004). [34] The Report of Survey system is the method used by VA to obtain an explanation of the circumstances surrounding loss, damage, or destruction of government property other than through normal wear and tear. [35] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). This document was prepared to fulfill our statutory requirement under 31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982, to issue standards that provide the overall framework for establishing and maintaining internal control. [36] GAO, Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-1008G] (Washington, D.C.: August 2001). This document was prepared to assist agencies in maintaining or implementing effective internal control and, when needed, to help determine what, where, and how improvements can be implemented. Although this tool is not required to be used, it is intended to provide a systematic, organized, and structured approach to assessing the internal control structure. [37] The population of IT equipment from which we selected our samples excluded IT equipment items identified as missing at the time of each of our tests. [38] The Report of Survey system is the method used by VA to obtain an explanation of the circumstances surrounding loss, damage, or destruction of government property other than through normal wear and tear. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: