Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation

In response to our recommendation, as of July 2008, VA had completed actions to revise property management policies and procedures concerning the recording of inventory events. Specifically, VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. Among other things, Handbook 7002 specified required steps for recording of key inventory events, including the recording of IT equipment information upon receipt, changes in item status, and turn-in and disposal. In addition, on July 3, 2008, the Assistant Secretary for Management mandated early implementation of Handbook 7002. In July 2008, we followed up on this issue and reported in Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses (GAO-08-918), that this recommendation was fully implemented. By implementing our recommendation to revise VA property management policies and procedures concerning the recording of inventory events, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to revise purchase card policy. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in a new VA Handbook 7002, Logistics Management Procedures. This Handbook requires purchase cardholders to notify the property officer of IT equipment acquired with the purchase card so that these items may be recorded in the property management system. In July 2008, we followed up on this issue and found that this recommendation was fully implemented. By implementing GAO's recommendation to revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment purchases, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to establish new procedures for handling IT equipment. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. In particular, VA Handbook 7002 established procedures to require specific, individual user-level accountability for IT equipment, including requiring employees to sign for IT equipment assigned exclusively for individual use and department heads or service chiefs to sign for shared IT equipment. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing GAO's recommendation to establish procedures to require specific, individual user-level accountability for IT equipment, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to enforce user-level accountability, including enhanced provisions for disciplinary actions, for lost or missing IT equipment. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. VA provided several fiscal year 2008 examples of bills sent to VA personnel for lost and damaged IT equipment items. By implementing GAO's recommendation to enforce user-level accountability and appropriate disciplinary actions for lost or missing IT equipment, VA has improved its accountability over IT equipment inventory and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to establish specific time frames for finalizing Reports of Survey related to the loss, damage, or destruction of government property. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. Handbook 7002 now requires the Report of Survey process to be completed within 60 days. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish specific timeframes for completing a Report of Survey, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to establish a mechanism to monitor VA policy for performing annual inventories of sensitive items. VA established the Office of Information Technology Oversight and Compliance in February 2007, responsible for reviewing centers' compliance with established VA policy. VA also established a tiger team in May 2007, which reviewed the results of the VA-wide 2007 physical inventory of IT equipment. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish a mechanism to monitor VA policy for performing annual inventories of sensitive items, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA granted OIT personnel access to the central property database (AEMS/MERS). Furthermore, in March 2011, VA reported that OI&IT personnel had been furnished with hand scanners to be used to scan equipment during routine maintenance. By implementing our recommendation to require that IRM and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners, VA improved accountability of IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to implement new physical security inspection procedures. In September 2007, VA established Handbook 6500, Information Security Program, requiring that the Information Security Officer conduct and document physical security reviews as part of the annual review of the system security plan to help analyze any new or existing physical security vulnerabilities. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to implement new physical security inspection procedures, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to establish a formal policy requiring a review of the results of annual inventories. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in a new VA Handbook 7002, Logistics Management Procedures. This revised policy requires the accountable officer to ensure that property records have been updated correctly at the completion of each physical inventory and that no blank fields remain. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to ensure that property records have been updated correctly at the completion of each physical inventory, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In July 2011, the Department of Veterans Affairs (VA) implemented a Reports of Survey (ROS) registry website to replace the manual entry of ROS in spreadsheets. Users enter data about the missing IT equipment such as the item description, serial number, and acquisition cost. The website allows the officials responsible for ROS oversight to review summary reports in their area of responsibility for such items as the total number of ROS on time, completed, and late, and the average number of days to process an ROS. The report also lets the official review ROS by facilities and to review each ROS individually. In addition, VA has also established a process to review the ROS during the monthly Information Technology Asset Advisory Group (ITAAG) meetings. The ITAAG reviews the ROS website for trends, including losses of high dollar items or facilities with a large number of lost, missing, or stolen IT items. By implementing a ROS registry website and having the ITAAG review ROS website information on a monthly basis, VA established a process for reviewing ROS for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action.

In response to our recommendation, as of July 2008, VA had completed actions to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. VA Handbook 7002 requires that facilities' Security Management Committees (SMC) develop local strategic security plans as guides to identify physical and procedural security needs. Handbook 7002 requires the IT custodial officer to provide the facility information security officer a list of all IT storage areas and that access to IT equipment storage areas be provided to facility security personnel for use in performing regular inspections. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

In response to our recommendation, as of July 2008, VA had completed actions to establish and implement a policy for reviewing the results of physical security inspections and ensure that needed corrective actions are completed. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. VA Handbook 7002 provides that the IT custodial officer is to coordinate with the Security Management Committee to develop a plan to address IT-related security requirements identified in the strategic security plan. The Handbook also requires the IT custodial officer to develop a plan to address all corrective actions identified in the Report of Physical Security Inspection of IT Equipment Store Rooms within 10 days of receipt of the report from security personnel. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish and implement a policy for reviewing the results of physical security inspections and ensure that needed corrective actions are completed, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.