Life-Cycle Management of Information Technology Assets


July 18, 2003
Evaluation Report No. 03-032

FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: July 18, 2003

TO: Vijay G. Deshpande, Acting Director; Division of Information Resources Management

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: Life‑Cycle Management of Information Technology Assets (Evaluation Report No. 03-032)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an evaluation of the Division of Information Resources Management’s (DIRM) information technology asset management (ITAM) program.  In September 2002, the OIG received a Hotline complaint alleging DIRM mismanagement of the Information Technology Asset Management System (ITAMS), the FDIC’s repository system for inventorying information technology (IT) assets. The complainant also alleged that DIRM management allowed $5 million in IT equipment to sit in a DIRM warehouse and become obsolete.  Based on the specifics of the allegation, we determined that the objective of our review would be to evaluate the overall adequacy of DIRM’s program for managing IT assets.  We also learned that DIRM had begun research and initiated other efforts to replace ITAMS.  As a result, in fulfilling our objective, we evaluated the accuracy and reliability of ITAMS for the purposes of making observations and recommendations relevant to the new system being developed.  Appendix I provides details of our scope and methodology.  Appendix II includes a list of acronyms and abbreviations used in this report.

BACKGROUND

DIRM provides information technology to the FDIC and its customers.  DIRM’s strategic vision is to leverage information technology to streamline and improve work processes, both within and across organizational boundaries, to maximize efficiency and productivity throughout the Corporation.  DIRM has established a strategic goal to improve the efficiency and effectiveness of IT management.

DIRM is responsible for keeping an accurate inventory of IT assets, including computer, wide and local area network, and telecommunication equipment and software.  Specifically, DIRM must maintain current and accurate records for the receipt, transfer, disposal and adjustment of IT equipment as well as the ability to determine the status of IT assets at any given time.

Contents of Text box: The benefit of a centralized asset management system is that it presents a comprehensive picture of the cost of acquiring, maintaining and disposing of IT equipment and software, as well as the ability to determine the Corporation’s assets at any point in time.  The FDIC would also be able to better plan for the replacement of aging IT assets, such as hardware, based on actual cost, depreciation and usage.  Knowledge of the total cost of ownership (TCO) enhances asset management by ensuring that analysis includes selection of the appropriate technology solution, and promotes continuing management of the selected solution to yield the greatest benefit in meeting business requirements.

Source: DIRM IT Strategic Plan
[end of text box]

History of the Information Technology Asset Management System

In March 1997, DIRM contracted with Innovative Logistics Techniques, Inc. (INNOLOG) to design an inventory data collection system for the FDIC’s IT assets.  The original contract amount was for $2.4 million and also required INNOLOG to provide a centralized warehouse and distribution facility.  In July 1999, DIRM awarded a second contract for $4.1 million to INNOLOG.  Under this contract, INNOLOG was responsible for the life‑cycle management of information technology assets and the staffing of two DIRM distribution centers (DDC), one at Virginia Square and one in Springfield, Virginia.  The original contract price included $50,000 for the purchase of Maximo, a commercial off‑the‑shelf (COTS) software recommended by the contractor.  INNOLOG refined Maximo to meet the FDIC’s needs and renamed it ITAMS.  In 1998, DIRM implemented ITAMS nationwide.   On June 7, 2001, the FDIC’s Division of Administration (DOA) issued a “Cure Notice” to INNOLOG indicating that the contractor was not complying with certain terms and conditions of the contract.  On September 21, 2001, DOA issued an early contract termination (termination for convenience) paying a little over $3 million of the original $4.1 million contract amount.

We reviewed INNOLOG invoices and determined that approximately $1.8 million of the $5.9 million paid to INNOLOG during the period March 1997 through September 2001 was attributable to ITAMS system development and maintenance.  The remaining $4.1 million paid to INNOLOG was for the management of the DDCs.

DIRM engaged the Systems Research Corporation (SRC) to conduct post‑implementation reviews of ITAMS.  SRC issued three reports, the last of which was completed in May 2000.  SRC concluded that ITAMS could serve the FDIC’s near‑term inventory management needs, but recommended that, from a strategic planning standpoint, the FDIC consider alternatives to ITAMS.  SRC also conducted a market survey of software alternatives for the FDIC, dated February 28, 2001.

As of January 3, 2003, ITAMS contained more than 38,000 individual IT equipment records valued at $32.8 million.  However, as discussed later in this report, 38 percent of those records had zero dollar balances within the purchase price field.

ITAMS tracks personal computers (PCs), laptops, monitors, printers, and some servers. (Note: ITAMS refers to personal computers as central processing units.  For the purposes of this report, we are referring to central processing units as PCs.) Telecommunication equipment such as switches and routers, mainframe and midrange equipment, and software are not tracked in ITAMS. In late January 2003, DIRM imposed an asset threshold of $500 for assets tracked in ITAMS. As a result, the number of assets tracked in ITAMS was reduced by 47 percent. (Note: This action only reduced the purchase price value of ITAMS assets by about $1 million because most of the assets were small dollar assets or were lacking purchase price information.) Figure 1 presents the composition of asset items tracked in ITAMS following the asset reduction.

Figure 1: Composition of ITAMS Assets as of 1/22/03

[This image appears in the non-508-compliant version of the evaluation report.]

Text description of Figure 1: ITAMS assets as of January 22, 2003, included the following: PCs, 44%; Laptops, 24%; Printers, 16%; Other, 9%; Servers, 4%; Uncategorized, 3%.

Source: ITAMS

DIRM Plans for Replacing ITAMS

DIRM is considering replacing ITAMS with a new system. DIRM presented a proposal for replacing ITAMS to the Capital Investment Review Committee (CIRC) in November 2002. (Note: The CIRC is an FDIC committee comprised of senior executive officials who implement a systematic management review process of FDIC capital initiatives exceeding $3 million or meeting certain other criteria.) In a December 2002 draft ITAM Project Definition Report (PDR), DIRM noted that the current ITAM environment created risk that:

  • Assets can be lost, including those that contain sensitive or restricted data;
  • Improper IT asset disposal can violate federal regulations;
  • Inaccurate software license management exposes the FDIC to potential legal action by software vendors;
  • IT assets that cannot be accounted for encourage the U.S. General Accounting Office (GAO) and the Inspector General to add new or tighten existing procedures; and
  • Inability to answer basic management accountability questions such as: “How many items does FDIC have, what is their configuration, and where are they located?” undermines government, customer and stakeholder confidence.

The CIRC approved a 2003 planning budget of $250,000.  DIRM personnel stated that a preliminary estimate for a complete solution, including software and consulting, ranges from $1.5 million to $3 million.  The FDIC issued a Sources Sought Notice in January 2003 to identify potential IT asset management solutions.  DIRM is scheduled to present the completed PDR and return on investment and cost benefit analyses to the CIRC in July 2003.  DIRM anticipates completing the replacement IT asset repository in early 2004 and phasing in additional functionality such as an auto‑discovery tool and integration with DIRM’s National Technical Call Center. (Note: Auto‑discovery is an application program that develops a map of the hardware equipment items within a networked computer environment. Auto‑discovery tools can automatically identify whether equipment is connected to the network and greatly reduce the need for manual physical inventories. The National Technical Call Center provides technical telephonic support for headquarters and remote site clients with IT problems or inquiries.)

Previous Audits and Investigations

DIRM’s ITAM program has been the subject of a number of OIG audits and investigations.  In 2001, the OIG issued audits of the INNOLOG contract and controls over the FDIC’s laptop inventory and identified internal control weaknesses.  The OIG also conducted an investigation that resulted in the discovery of approximately 55 stolen laptop computers.  In 2002, the OIG conducted an audit of INNOLOG’s process for disposing of personal and laptop computers and determined that INNOLOG was not adequately degaussing the hard drives on excessed computers as required by its contract. (Note: Degaussing is the process of electronically cleaning a computer’s hard drive to protect data security.) Appendix III presents a timeline showing contract actions and OIG reviews related to ITAMS. 

RESULTS OF EVALUATION

DIRM’s program for managing IT assets was not adequate.  Specifically, a weak control environment and weak control activities related to ITAMS resulted in:

  • Missing assets, including more than 200 computers, some of which could contain sensitive information;
  • Incomplete data in ITAMS on reported assets, such as purchase price and warranty provisions;
  • Outdated and inaccurate custodial records that reflected PC and laptop assignments to 129 employees who had left the Corporation;
  • Existing assets not recorded in ITAMS, including over 700 telecommunication items and mainframe and mid-range equipment and software that were tracked through separate, non-integrated systems;
  • Weaknesses in management of IT equipment while it was assigned to a warehouse; and
  • Weak system access controls that created the potential for ITAMS records to be altered without an appropriate audit trail for the transaction.

The overarching cause of these conditions was a lack of management commitment to a strong internal control environment and control activities.  Specifically, DIRM has not historically:

  • Conducted effective periodic physical inventories or reconciled count discrepancies,
  • Researched unreconciled items timely,
  • Prepared formal, current policies and procedures,
  • Achieved adequate segregation of duties over the inventory process,
  • Established sufficient accountability for the asset management program,
  • Maintained adequate security within ITAMS,
  • Integrated disparate IT asset inventory systems, or
  • Effectively captured asset cost information about IT assets.

During 2003, DIRM has worked aggressively to improve the ITAM program by defining what assets should be tracked, improving initial receipt and recording of assets into ITAMS, and conducting a 100‑percent inventory of equipment recorded in ITAMS.  Nevertheless, at the time we concluded our review, ITAMS remained unreliable and incomplete.  Further, viewed collectively, the conditions we found constitute a potential material internal control weakness and could result in a loss or misuse of equipment, unwarranted or unsupported procurement actions, and unauthorized access to sensitive information. (Note: The Federal Information Security Management Act of 2002 (FISMA) (Title III of Pub. L. No. 107-347, codified in pertinent part, to 44, United States Code) requires each agency to test and evaluate the effectiveness of information security policies, procedures, and practices no less than annually and to report the results to the Office of Management and Budget.  FISMA also requires that agencies report any significant deficiency in a policy, procedure, or practice identified during that evaluation as a material weakness in reporting under section 3512 of title 31, known as the Federal Managers’ Financial Integrity Act (FMFIA) of 1982.  FMFIA requires agencies to evaluate their internal control systems on an annual basis and report the results of the evaluation, along with any material weaknesses, as determined by the agency head, and plans for corrective actions, to the President and the Congress. FMFIA applies to the FDIC pursuant to the Chief Financial Officers Act of 1990 (Pub. L. No. 101-576, codified principally to Title 31 U.S.C.).)

As part of this evaluation, we conducted best practices research, including reviewing IT asset management practices at other selected federal banking agencies. The results of that research are included as Appendix IV.

FINDING: IT ASSET MANAGEMENT PROGRAM WAS NOT ADEQUATE

CONDITIONS

Missing Assets

DIRM could not physically locate numerous assets. In March 2003, DIRM Asset Management prepared a draft memorandum requesting approval from the Technical Infrastructure Deputy Director to inactivate 331 ITAMS equipment items that DIRM could not physically locate. The memorandum stated that some of the items had been missing since 1998 and recommended inactivating the equipment within ITAMS.  By doing so, the equipment could be reactivated if found, but would not be counted as part of the FDIC’s IT equipment inventory.  Table 1 presents the missing equipment items by equipment category.

Table 1: Missing IT Equipment Scheduled for Inactivation

Equipment Type | Items Missing
PCs | 141
Laptops | 77
Printers and Monitors | 60
Facsimile Machines and Scanners | 16
Cameras and Projectors | 14
Drives | 7
Other (includes connectivity devices, personal digital assistants, and uninterruptible power supply units) | 16
Total Missing Equipment Items | 331

Source: DIRM Asset Management

Because most of the missing assets were PCs and laptops which could have potentially contained sensitive data, DIRM also conducted an analysis of missing PCs and laptops by FDIC division and by equipment model.  DIRM concluded that 20 percent (44 items) of the missing items were last assigned to divisions with a greater potential for handling sensitive data (i.e., Division of Resolutions and Receiverships, Division of Supervision and Consumer Protection, Legal Division, and OIG) than other FDIC divisions. Further, DIRM determined that most of the PCs and laptops were equipment models that the Corporation had already excessed.  The draft memorandum stated that a number of equipment items were last assigned to the Springfield, Virginia DDC, which was closed quickly in September 2001 due to the cancellation of the INNOLOG contract.  The draft memorandum concluded that INNOLOG may have excessed some of the missing items without reflecting the transactions within ITAMS.  However, DIRM does not have records to support that these missing PCs and laptops were excessed by INNOLOG or properly degaussed to remove sensitive data.

Almost 70 percent of the 331 equipment items in ITAMS did not include purchase price information (229 items).  We estimated purchase price values for the 218 missing PCs and laptops by researching similar equipment items in ITAMS and estimate an original purchase price value of about $363,500 for the 218 equipment items.  We also performed our own analysis of the information within ITAMS and determined that:

  • 46 percent of the 331 assets were placed in service during 1998, and 30 percent of the 331 assets were placed in service in 1999.

  • Of the 218 PCs and laptops, 169, or 78 percent, are equipment model numbers that the Corporation has excessed and that are no longer in use at the Corporation.

However, we did identify several mid- to high-dollar assets that warrant additional discussion:

SUN 4-Way 3500 Server: One of the 331 missing items identified for inactivation was a $73,000 server which was the single most expensive equipment item within ITAMS.  We discussed this item with Asset Management, which initiated a search for the asset.  Asset Management informed us that the server was intended for disaster recovery purposes and was located in the Dallas Regional Office, the FDIC’s back‑up site in the event of a catastrophic event in the Washington, D.C. area.  Upon further review, DIRM reported that the server was in fact located in the Virginia Square server room in Arlington, Virginia.  We physically observed the asset and verified its serial number and asset description. 

Exabyte Tape Drives:  The missing equipment list included seven tape drives.  We reviewed model numbers on the Internet and determined that one of these assets was valued at about $11,700.  These drives record electronic information onto magnetic tapes that are then removed from the tape drives and stored in a secure file room.

We understand that Asset Management has delayed its plans to inactivate these 331 missing equipment items until it has taken more aggressive efforts to locate these assets.

Incomplete Data in ITAMS

ITAMS contains a number of data elements about IT equipment, from standard identification data such as bar code number, serial number, and location to more life‑cycle‑related data pertaining to budget, warranty, and depreciation.  We observed that numerous fields within ITAMS equipment records were blank.  Figure 2 presents a print screen from an ITAMS equipment record showing inventory information for a network server.

Figure 2: Print Screen from ITAMS

[This image appears in the non-508-compliant version of the evaluation report.]

Text description of Figure 2: Figure 2 shows a print screen from ITAMS that has the following information under the Equipment tab: Barcode #: 056752, HP Netserver LD Pro 6/200; Location: VASQCSB2, Unveryfied Equipment Storage; Item #: CPU01533, HP Netserver LX PRO 6/200; Bin: [blank space]; Manufacturer: HP, Hewlett Packard Company.  In the Detail section, the following fields are blank: Serial, Failure Class, Priority, Offsite Location, and Offsite Address. The Downtime section shows the following information: Up?: Y; Date: 6/7/1999 7:33 A. In the Costs section, the following fields show $0.00: Total, YTD, Budgeted, Inventory. In the Depreciation Info section, the following fields are blank: Purchase Type, Useful Life (Months), Residual Value %. In the Purchase Info section, the following fields are blank: Installation Date, Warranty Activation, Warranty Duration, Warranty Date, Purchase Date, and Purchase Order; the Purchase Price field shows $0.00. The Modified section shows the following information: Modified By: AKOZLOVSKY; Date: 11/19/01 4:02 PM; Verified By: [blank space]; Date: [blank space].

Source: ITAMS

In addition, we analyzed data records contained in ITAMS to determine the number of equipment items that did not have completed data fields, such as the purchase price or serial number, and items with duplicate serial numbers.  We found that 31 percent (6,280 records) of the equipment items within ITAMS did not include purchase price information.  The results of our analysis for selected data fields are shown in Table 2.

Table 2: Equipment with Incomplete Data Fields

Asset Statistics | Pre-Threshold as of January 3, 2003 | Post-Threshold as of January 22, 2003 | Difference
Total Records | 38,015 | 20,090 | 17,925
Records without purchase price | 14,403 | 6,280 | 8,123
Records without warranty information | 23,695 | 15,077 | 8,618
Records without purchase order information (Note: The January 3, 2003 ITAMS download did not include the purchase order field.) |  | 5,789 | N/A
Records without serial numbers | 170 | 76 | 92
Records with duplicate serial numbers | 511 | 122 | 389

Source: OIG Analysis of ITAMS

As shown, in January 2003, DIRM began aggressive actions to improve the quality of data within ITAMS and to establish controls over the asset management process.  DIRM established a $500 original purchase price threshold for which assets would be tracked in ITAMS.  This action reduced by approximately 18,000 the number of assets inventoried in ITAMS.

Outdated and Inaccurate Custodial Records

To review ITAMS data accuracy, we conducted a number of evaluation tests.  Generally, we found that ITAMS data were inaccurate, incomplete, not updated in a timely manner, and necessary edit controls were not built into the system.  Table 3 presents a discussion of each test performed, test results, and OIG observations.

Table 3: Results of Evaluation Testing

Test Performed: Selected 20 current FDIC employees listed on ITAMS to verify that all IT equipment assigned to them in ITAMS was correct and accurate.
Results: Data records for 8 of 20 individuals sampled had either errors or omissions.
Observations:
  • 2 individuals had additional IT equipment assigned to them that was not in ITAMS;
  • 4 individuals had IT equipment assigned to them in ITAMS; however, they no longer had the equipment in their possession;
  • Cost data in ITAMS were incomplete for 7 individuals;
  • 2 individuals did not have any equipment assigned to them in ITAMS; however, each had IT equipment that should have been recorded;
  • 1 individual had 7 computers assigned to him. We questioned the need for that many units and DIRM removed 4 computers from the individual.

Test Performed: Matched former FDIC employees to ITAMS.
Results: Found that 129 former FDIC employees were still listed on ITAMS and still had IT equipment listed in their names.
Observations: One of the former employees left the FDIC almost 3 years ago.

Test Performed: Matched current FDIC employees from FDIC’s Outlook system to ITAMS.
Results: Found that 276 current FDIC employees were not on ITAMS.
Observations: All current FDIC employees should have at least a computer assigned to them. Results indicate that ITAMS may not be up-to-date with current employees.

Test Performed: Using audit software, tested for duplicate serial numbers in ITAMS.
Results: Results indicated that there were 76 pieces of equipment that had duplicate serial numbers.
Observations: System does not have edit controls built in to prevent input of duplicate serial numbers.

Test Performed: Using Business Objects, tested ITAMS for inactive SUN servers.
Results: Results indicated that three SUN servers were actually active and currently in use.
Observations: Equipment that was identified as inactive in ITAMS is currently in use and should be shown as active.

Source: OIG Analysis

IT Assets Not Recorded in ITAMS

The July 1999 contract with INNOLOG made the contractor responsible for activities relating to the life‑cycle management of IT assets at the FDIC.  The contract defined IT assets as network resources and assets including, but not limited to, personal computers, peripherals, wide area network components, and voice and data system hardware and software.  However, ITAMS mostly consists of personal and laptop computers and printers.  For the most part, ITAMS does not include telecommunication, mainframe, or midrange equipment or software.  Further, we learned that IT equipment purchased with procurement cards may not always have been entered into ITAMS.  Figure 3 presents a graphic of IT equipment and information not captured in ITAMS.

Figure 3: Information Not Included in ITAMS

[This image appears in the non-508-compliant version of the evaluation report.]

Text description of Figure 3: Figure 3 is a graphic showing IT information not contained in ITAMS. IT assets for which information was mostly in ITAMS included personal computers, laptops, and printers. IT assets with limited or no information in ITAMS included mainframe equipment, telecom equipment, software, and mid-range equipment. In addition, maintenance, warranty repair, specific financial information regarding capitalization, and disposal and retirement information were not included in the ITAMS equipment records we tested. Further, purchase information for IT equipment purchased with FDIC procurement cards was not always entered into ITAMS.

Source: OIG Internal Analysis

From a strategic asset management standpoint, we believe DIRM’s ITAM program would be improved by including all types of IT assets, including telecommunication, mainframe, and midrange equipment and software.  Moreover, we concluded that these assets have not been subject to periodic, independent physical inventory and reconciliation. 

Telecommunication equipment: DIRM identified 745 telecommunication equipment items.  Telecommunication assets include switches, routers, and servers associated with the FDIC’s voice and data network. (Note: This telecommunication equipment does not include telephone handset units or cellular telephones.) The FDIC’s telecommunication equipment is maintained on a standalone spreadsheet by DIRM’s Telecommunications Section.  We reviewed this spreadsheet and identified 25 of the 745 equipment items that were also included in ITAMS.  This spreadsheet contains limited information, such as serial number and asset description.  The Telecommunications Section was not able to readily provide information such as asset location, purchase date, or purchase price.  Further, the telecommunication spreadsheet did not include serial number information for 395 equipment items.  However, the Telecommunications Section Chief noted that because the majority of DIRM’s telecommunication equipment is connected to a network, DIRM knows where each asset physically is and whether the asset is operational.  The Chief indicated that many FDIC users would be impacted if a device were to become missing, and DIRM would immediately know because of its network monitoring systems.

Mainframe equipment:  ITAMS does not include mainframe equipment.  The DIRM Chief responsible for mainframe operations provided a list of the mainframe assets.  At our request, he added information to the list about where each piece is located, whether it is under warranty, whether it is installed and in-use, an in-service date, if known, and an estimated value.   Most mainframe equipment is located within the Virginia Square Data Center, and the equipment is not easily relocated because of size, weight, power requirements, and air conditioning requirements. 

Mid‑range equipment: ITAMS does not include mid‑range equipment.  In general, mid‑range refers to computers that are more powerful and capable than personal computers but less powerful and capable than mainframe computers.  We identified and asked about mid‑range equipment items during a walk‑through of the DIRM Server Room.  Asset Management indicated that no single functional manager was responsible for mid‑range equipment items.  We informed Asset Management of the exclusion of mid-range equipment from prior inventories and Asset Management took actions to include mid‑range equipment items in ITAMS.

Software assets: Software assets are not maintained in ITAMS.  Asset Management initially indicated that software inventory information was maintained on a separate system, the Application Request Tracking System (ARTS).  However, upon further review, we concluded that ARTS does not maintain an inventory of software asset information such as license or software usage information.  An itemized listing of the FDIC’s software assets was not available.  DIRM only provided a summary schedule showing aggregate information about individual software programs and the number of licenses that the FDIC owns.

Procurement Card Purchases: IT equipment, such as laptops, printers, and software, purchased with the FDIC procurement card may not be in ITAMS.  Previously, all IT purchases made using the procurement card did not have a central receiving location.  Therefore, deliveries of IT equipment were made to various locations, such as directly to the FDIC employee making the purchase.  No one individual had the responsibility of ensuring that the purchases made using the procurement card were actually received and included in ITAMS before the equipment was issued or put to use; therefore, IT equipment purchased using the procurement credit card was not being tracked.  In November 2002, DIRM assigned a computer specialist the task of reviewing all IT equipment purchased for years 2001 and 2002 using the procurement card to ensure that it is reflected in ITAMS.  In February 2003, the Technical Infrastructure Deputy Director began requiring that all equipment purchased under procurement cards be delivered to the Virginia Square DDC and entered into ITAMS at the point of receipt.

Warehouse Management

In addition to ITAMS inaccuracy, the original OIG Hotline complaint alleged that DIRM management allowed $5 million in IT equipment to sit in a DIRM warehouse and become obsolete.  We performed tests and observed the DIRM warehouse to address this issue.  We randomly selected 60 items listed on ITAMS that were assigned in FDIC’s warehouse space.  We verified the serial numbers for all 60 pieces of equipment and confirmed that the equipment was, in fact, in the warehouse.  In addition, while at the warehouse, we took bar code information for 45 randomly selected pieces of IT equipment and verified that ITAMS reported the bar code and asset location correctly.  We did not find any exceptions while performing either test.

However, during our review of the warehouse, we observed several issues related to inventory management of IT equipment.  Generally, we found that

  • Not all IT equipment stored in the warehouse is in ITAMS;
  • IT equipment has been stored in the warehouse for over 1 year;
  • ITAMS does not accurately reflect the current use of IT equipment; and
  • Warehouse space is not clean, secure, or temperature controlled.

Table 4 presents selected observations from our warehouse visit.

Table 4: Warehouse Observations and Associated Risks

Observation: Approximately 94 new PCs that were received by FDIC during the November–December 2002 time frame were stored in both the inside and garage warehouses.  Personnel at the warehouse stated that none of the new PCs were included in ITAMS at the time of our review.  DIRM subsequently recorded these PCs on ITAMS and identified that they were stored in the warehouse.
Risk or Impact: Equipment can be lost, stolen, or damaged.

Observation: Approximately 36 new HP Omnibook 6000 portable laptops have been stored in the warehouse since January 30, 2002.  These portable laptops had not been distributed to users as of the date of our test.  Personnel stated that they were not sure when they would be distributed to FDIC employees for their use.
Risk or Impact: Equipment can become obsolete.

Observation: 8 Quantum M2500 W/2 Drives were made inactive as of January 28, 2003.  These were originally listed as being in the warehouse, and the cost of this equipment was $30,000 each. A warehouse employee stated that he was informed that the equipment was still being used, but a DIRM employee made a decision to list the equipment as inactive.  The employee did not know the reason this decision was made.
Risk or Impact: System does not accurately reflect IT assets in use.

Observation: We observed a switch that had recently been returned from a former contractor.  The switch did not have a bar code and was not recorded in ITAMS.   We researched the cost of this item on the Internet and determined the current cost to purchase this equipment was approximately $13,000.
Risk or Impact: Equipment can be lost or stolen.

Observation: DIRM uses a portion of the FDIC’s garage as storage space for IT equipment.  The space is separated by fencing and secured with a chain and lock.  However, the FDIC cannot control the temperature and humidity in the storage space in the garage.  In addition, recent work performed in the garage area left stored IT equipment covered with dirt and dust.  During our inventory testing of FDIC warehouse space, we observed IT equipment that was covered with dirt and dust both on the outside of the boxes and on the inside on the equipment.
Risk or Impact: Equipment could be damaged.

Source: OIG Analysis

Lack of Audit Trail

During our review of ITAMS, DIRM informed us that ITAMS is not secure.  DIRM personnel stated that ITAMS can be inappropriately accessed through Structured Query Language (SQL), and changes can be made without an audit trail.  However, the individual making changes must have at least read‑only access to ITAMS in order to accomplish this.  Approximately 120 current FDIC employees have access to ITAMS.  To verify this problem, we observed DIRM personnel access ITAMS through SQL and make changes to current data.  The changes made during this test were entirely undetected, and no audit trail existed to trace the changes made.  Once an individual logs into ITAMS through SQL, he or she can either add or delete equipment on ITAMS, and no audit trail would be preserved.  Therefore, equipment could be deleted from ITAMS and no record of the change would be available for audit or review.  Without proper audit trails there is increased risk for equipment to be either lost or stolen.
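An audit trail enforced inside the database engine also covers direct SQL sessions, which is the path described above. The following is an added illustration, not code from the report or from ITAMS: it uses SQLite from Python, and the schema, sample rows, and function names are assumptions, because the report does not describe the ITAMS schema or database product.

```python
import sqlite3

# Constructed schema: every table, column and trigger name is an assumption.
SCHEMA = """
CREATE TABLE assets (
    bar_code  TEXT PRIMARY KEY,
    serial_no TEXT NOT NULL,
    location  TEXT NOT NULL,
    status    TEXT NOT NULL DEFAULT 'ACTIVE'
);
-- SQLite has no user accounts; on a server DBMS the triggers would also
-- record the login of the session that made the change.
CREATE TABLE asset_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    action     TEXT NOT NULL CHECK (action IN ('INSERT', 'UPDATE', 'DELETE')),
    bar_code   TEXT NOT NULL,
    old_serial TEXT, old_location TEXT, old_status TEXT,
    new_serial TEXT, new_location TEXT, new_status TEXT
);
-- Triggers run inside the engine, so they fire for every client, including
-- an ad hoc SQL session that never goes through the application.
CREATE TRIGGER assets_audit_ins AFTER INSERT ON assets BEGIN
    INSERT INTO asset_audit (action, bar_code, new_serial, new_location, new_status)
    VALUES ('INSERT', NEW.bar_code, NEW.serial_no, NEW.location, NEW.status);
END;
CREATE TRIGGER assets_audit_upd AFTER UPDATE ON assets BEGIN
    INSERT INTO asset_audit (action, bar_code, old_serial, old_location, old_status,
                             new_serial, new_location, new_status)
    VALUES ('UPDATE', OLD.bar_code, OLD.serial_no, OLD.location, OLD.status,
            NEW.serial_no, NEW.location, NEW.status);
END;
CREATE TRIGGER assets_audit_del AFTER DELETE ON assets BEGIN
    INSERT INTO asset_audit (action, bar_code, old_serial, old_location, old_status)
    VALUES ('DELETE', OLD.bar_code, OLD.serial_no, OLD.location, OLD.status);
END;
-- The bar code is the audit key, so it may not be rewritten in place.
CREATE TRIGGER assets_no_rekey BEFORE UPDATE OF bar_code ON assets
WHEN NEW.bar_code <> OLD.bar_code BEGIN
    SELECT RAISE(ABORT, 'bar_code is immutable; retire and re-add instead');
END;
-- The trail itself is append-only.
CREATE TRIGGER asset_audit_no_upd BEFORE UPDATE ON asset_audit BEGIN
    SELECT RAISE(ABORT, 'asset_audit is append-only');
END;
CREATE TRIGGER asset_audit_no_del BEFORE DELETE ON asset_audit BEGIN
    SELECT RAISE(ABORT, 'asset_audit is append-only');
END;
"""

# Constructed sample records (bar code, serial number, location).
SAMPLE = [
    ("B0001", "SN-1001", "WAREHOUSE"),
    ("B0002", "SN-1002", "WAREHOUSE"),
    ("B0003", "SN-1003", "SERVER ROOM"),
]


def open_inventory():
    """Create an in-memory database with the asset table and its audit triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def history(conn, bar_code):
    """Ordered list of audited actions for one bar code."""
    rows = conn.execute(
        "SELECT action FROM asset_audit WHERE bar_code = ? ORDER BY audit_id",
        (bar_code,))
    return [r[0] for r in rows]


def replay_audit(conn):
    """Rebuild the expected asset table purely from the audit trail."""
    state = {}
    rows = conn.execute(
        "SELECT action, bar_code, new_serial, new_location, new_status "
        "FROM asset_audit ORDER BY audit_id")
    for action, bar_code, serial, location, status in rows:
        if action == "DELETE":
            state.pop(bar_code, None)
        else:
            state[bar_code] = (serial, location, status)
    return state


def unaudited_drift(conn):
    """Bar codes whose live record differs from what the audit trail explains."""
    expected = replay_audit(conn)
    live = {r[0]: tuple(r[1:]) for r in conn.execute(
        "SELECT bar_code, serial_no, location, status FROM assets")}
    return sorted(k for k in expected.keys() | live.keys()
                  if expected.get(k) != live.get(k))


def demo():
    """Load the sample, then change it with plain SQL as an ad hoc session would."""
    conn = open_inventory()
    conn.executemany(
        "INSERT INTO assets (bar_code, serial_no, location) VALUES (?, ?, ?)", SAMPLE)
    conn.execute("UPDATE assets SET status = 'INACTIVE' WHERE bar_code = 'B0002'")
    conn.execute("DELETE FROM assets WHERE bar_code = 'B0003'")
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo()
    for row in conn.execute(
            "SELECT audit_id, action, bar_code, old_status, new_status FROM asset_audit"):
        print(row)
    print("unexplained differences:", unaudited_drift(conn))
```

The control holds only if the audit table and triggers are owned by an account that ordinary ITAMS users cannot alter. Running `unaudited_drift` on a schedule is the detective check for changes made while the triggers were disabled or removed.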

DIRM Efforts to Improve the Program

DIRM has acknowledged that ITAMS data are unreliable and need improvement.  In early 2003, DIRM began an aggressive effort to improve the quality of data within ITAMS and establish controls over the asset management process.  For example, in November 2002, DIRM established a threshold of $500 for assets that would be included in ITAMS.  In January 2003, Technical Infrastructure inactivated approximately 18,000 assets from ITAMS, bringing the total number of assets from 38,015 to 20,090.  Table 5 presents the impact this threshold had on ITAMS asset composition.

Table 5: Impact of Threshold Requirement on ITAMS Asset Statistics and Asset Composition

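| IT Asset Composition | As of January 3, 2003 | As of January 22, 2003 | Difference |
|----------------------|-----------------------|------------------------|------------|
| PCs                  | 9,131                 | 9,016                  | 115        |
| Laptops              | 4,824                 | 4,795                  | 29         |
| Monitors             | 7,540                 | 295                    | 7,245      |
| Printers             | 5,242                 | 3,188                  | 2,054      |
| Telecommunication    | 5,985                 | 618                    | 5,367      |
| Servers              | 780                   | 783                    | 3          |
| Scanners             | 728                   | 184                    | 544        |
| Drives               | 735                   | 331                    | 404        |
| Other                | 2,255                 | 333                    | 1,922      |
| Uncategorized        | 795                   | 547                    | 248        |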

Source: OIG Analysis of ITAMS Data

DIRM has also issued informal guidance to improve the program.  During spring 2003, DIRM began a 100‑percent inventory of assets within ITAMS.  Appendix V includes a summary of DIRM’s efforts to improve the program.

CRITERIA

GAO Standards for Internal Control

The U.S. General Accounting Office’s Standards for Internal Control in the Federal Government, updated in November 1999, known as the “Green Book,” provides the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement.  GAO notes that internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, supports performance‑based management.

Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud.  In short, internal control, which is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources.

Contents of Text box: Internal control should provide reasonable assurance that the objectives of the agency are being achieved in the following categories:

  • Effectiveness and efficiency of operations, including the use of the entity’s resources.


  • Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use.


  • Compliance with applicable laws and regulations.

A subset of these objectives is the safeguarding of assets.  Internal control should be designed to provide reasonable assurance regarding the prevention of or prompt detection of unauthorized acquisition, use, or disposition of an agency’s assets.

Source: GAO Green Book
[end of text box]

The Green Book identifies five standards for internal control and tasks management with the responsibility for implementing those standards through the development of detailed policies, procedures, and practices to fit their agency’s operations and for ensuring that these standards are built into and are an integral part of operations.

Contents of Text Box: The Five Standards for Internal Control:

  • Control Environment


  • Risk Assessment


  • Control Activities


  • Information and Communications


  • Monitoring

[end of text box]

The following standards have particular importance for the ITAM program.

  • Control Environment: Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.  GAO notes that a positive control environment is the foundation for all other standards and provides discipline and structure as well as the climate that influences the quality of internal control.  The control environment is also affected by, among other things, the agency’s organizational structure and the manner in which the agency delegates authority and responsibility throughout the organization.


  • Control Activities: These are the policies, procedures, techniques, and mechanisms that enforce management’s directives, such as physical control over vulnerable assets and proper segregation of duties.  Control activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.

Contents of Text Box: Internal control activities help ensure that management’s directives are carried out. The control activities should be effective and efficient in accomplishing the agency’s control objectives.

  • Top level reviews of actual performance,
  • Reviews by management at the functional or activity level,
  • Management of human capital,
  • Controls over information processing,
  • Physical control over vulnerable assets,
  • Establishment and review of performance measures and indicators,
  • Segregation of duties,
  • Proper execution of transactions and events,
  • Accurate and timely recording of transactions and events,
  • Access restrictions to and accountability for resources and records, and
  • Appropriate documentation of transactions and internal control.

[end of text box]

IT Asset Management Policies and Guidance

There are several DIRM and INNOLOG system guides, policies, and directives related to ITAMS.  Specifically, the ITAMS 4.03 System Administration User Guide, issued in January 2001, and the ITAMS 4.03 User Guide, issued in March 2001, provide guidance for the system administrator and users to perform administrative and user tasks on ITAMS, respectively.  In addition, INNOLOG developed DIRM Distribution Center Standard Operating Procedures dated December 14, 2001, for the operation of the DDC.  Finally, Circular 1380.3 entitled Laptop Computer Assignments, Safeguards, and Asset Management, dated April 13, 1999, detailed the policies and procedures for managing all FDIC-owned laptop computers throughout their life cycle.

More recently, DIRM has issued related guidance of a more informal nature.  On November 27, 2002, DIRM issued guidance entitled Asset Management Tracked Asset List.  The guidance identified equipment items that will be tracked for inventory purposes and established specific criteria to be followed for tracking assets, including all hardware over $500 and all software.  The Deputy Director, DIRM, also sent an e‑mail to all DIRM employees on February 12, 2003, establishing that all IT hardware and software must be received by the DIRM DDC before delivery to the appropriate location and end user.  Finally, DIRM prepared guidance entitled 2003 ITAMS Physical Inventory Process.  The guidance was sent to the regional managers and other Technical Infrastructure managers and explains current procedures for performing a physical inventory in 2003, including timeframes for completion.

Contents of Text Box: Key Factors in Achieving Consistent and Accurate Counts of Physical Inventories—Management Commitment:

  1. Establish accountability,
  2. Establish written policies,
  3. Select an approach,
  4. Determine frequency of counts,
  5. Maintain segregation of duties,
  6. Enlist knowledgeable staff,
  7. Provide adequate supervision,
  8. Perform blind counts,
  9. Ensure completeness of count,
  10. Execute physical count,
  11. Perform research, and
  12. Evaluate count results.

Source: GAO Executive Guide
[end of text box]

CAUSE

An overarching cause of the inadequacies in the FDIC’s ITAM program was the lack of management commitment to a strong internal control environment and control activities.  ITAMS has been the subject of several OIG audits and investigations.  Further, external and internal DIRM studies have reported the need to improve the IT asset management program. (Note: 2001 Most Efficient Organization Study and 2001 draft Technical Infrastructure Asset Management Project Issues Report.) Nevertheless, data reliability problems and control weaknesses persist.

A July 2001 GAO executive guide for inventory management states that management’s commitment is critical to establishing effective and reliable internal controls and notes that a disciplined and structured culture, which fosters integrity, corporate values, and commitment to competence begins with top management and is seeded throughout the organization at all levels of staff and supervisory personnel. (Note: GAO-01-763G, Executive Guide: Best Practices in Achieving Consistent, Accurate Physical Counts of Inventory and Related Property, dated July 2001.) The GAO guide also identifies several other key factors in effective inventory management, and those factors are included below in our discussion of the contributing causes to weaknesses in the FDIC’s IT asset management program.

In addition to insufficient management commitment, we also identified the following contributing causes.  Specifically, DIRM has not:

  • Conducted effective periodic physical inventories or reconciled inventory count discrepancies.  We saw evidence that DIRM had performed periodic inventories of specific classes of equipment, such as laptops and personal computers.  In some cases equipment verifications were performed in conjunction with nationwide computer upgrade initiatives.  Nevertheless, we concluded that DIRM’s inventory and reconciliation efforts were not effective in establishing the accuracy and reliability of ITAMS.  The GAO Executive Guide notes that the process of counting physical inventory is an essential control for operational efficiency and financial reporting.  A physical count, when properly executed, verifies the existence of physical assets and the completeness and accuracy of records.  Accurate inventory records are key to management’s confidence in financial and other information used in decision‑making.  During 2003, Asset Management began a complete inventory of all items within ITAMS.  However, this effort will not identify those IT assets that are not currently included in ITAMS.
    Contents of Text box:

    1. There are numerous duplicates indicated in ITAMS.  A single serial number may have multiple bar codes.  This has resulted in equipment that has been donated under the Computers for Learning initiative still appearing in the Inventory as in another location.  This result[sic] in showing equipment no longer in service as still in inventory. (CSB [Client Services Branch] is working with the ITAMS team toward a resolution of this issue.)
    2. There is still active and undocumented movement of equipment (such as between labs or shipped to other sites) within Washington (especially VASQ) that is NOT coordinated through the PAM [property asset manager] or CSB.
    3. Most of the equipment in the server room and most of the telecom equipment is NOT tracked in ITAMS, as the PAM has no access or control of these areas or this equipment.

    Source: Comments from a May 2000 ITAMS certification for equipment assigned to the Washington Region.
    [end of text box]

  • Researched unreconciled equipment items timely.  As discussed earlier, DIRM has identified more than 200 computers listed on ITAMS that it cannot physically locate.  DIRM has not been able to locate or verify some of those equipment items since as far back as 1998.  Further, DIRM does not have a process for communicating information about missing or stolen equipment to the Division of Administration’s Physical Security Unit.  DIRM management has not taken sufficient or timely efforts to research the cause for these missing items.  The GAO Executive Guide lists “root cause analysis” and reconciliation of variances as an essential element of an effective physical count process.  Such research provides support for adjustment to the inventory records, identifies causes for variances, and provides management with information with which to implement corrective actions. 


  • Prepared formal, current policies and procedures.  Such procedures should define: (1) ITAM program responsibility and requirements; (2) specifically what types of assets will be tracked in ITAMS; and (3) detailed procedures for receiving, deploying, inventorying, reconciling, managing, and retiring IT assets.  Policies and procedures demonstrate management’s commitment to the inventory process and provide to all personnel clear communication and comprehensive instructions and guidelines.  During 2003, the Technical Infrastructure Deputy Director issued several internal policies by e-mail.  However, these policies do not constitute formal criteria, such as statements of policy, operational manuals, or DIRM directives.  Asset Management intends to contract with an IT consulting group to review DIRM’s IT asset management program and prepare asset management policies and procedures.  Formal procedures are important in ensuring that management’s directives are carried out, transactions and events are recorded accurately and timely, and vulnerable assets and sensitive data are safeguarded.


  • Achieved adequate segregation of duties.  Based on our discussions and review of inventory certification documents, we concluded that telecommunication, midrange, and mainframe equipment and software are not subject to independent physical inventories.  Instead, functional managers within the Technical Infrastructure Operations Branch conduct any inventories that may be performed.  The GAO Executive Guide indicates that adequate segregation of duties for the physical count of assets includes using personnel who do not have overlapping responsibilities in (1) custody or access to the inventory items for count, (2) recording transactions resulting from the count, and (3) authority for approving adjustments resulting from the count.  Proper segregation of duties reduces the risk of error and fraud so that no single individual can adversely affect the accuracy and integrity of the physical inventory count.


  • Established sufficient accountability for the asset management program.  Establishing accountability requires setting performance goals and holding the appropriate level of personnel responsible for the overall physical inventory process.  Performance goals establish targets for achieving management’s objectives and contribute to the overall mission of the organization.  Accountability within an organization should exist from the top of the organization to the lowest level.  However, primary responsibility for the overall physical inventory counts should be specifically designated and assigned.  DIRM has designated Property Asset Managers (PAMs) nationwide who are responsible for the receipt and bar coding of equipment, movement of equipment, maintenance of IT asset data in ITAMS, and disposal of equipment.  Accountability should be established through better defining and communicating the role of the PAM and other personnel involved in the custody and inventorying of assets, and setting performance goals and measures such as inventory accuracy rates or time frames for researching unreconciled equipment items.


  • Maintained warehoused equipment in a clean and secure environment.  Equipment inventory is currently located in the Virginia Square garage.  The garage does not provide an appropriate environment for storing sensitive IT equipment items.


  • Maintained adequate security over ITAMS.  The system allows users to inappropriately access ITAMS through SQL and make changes to IT equipment data without an audit trail.


  • Integrated disparate IT asset inventory systems.  As discussed earlier, ITAMS does not include telecommunication, midrange, or mainframe equipment or software.  Thus, ITAMS does not provide an accurate repository of the Corporation’s true IT assets.


  • Effectively captured asset cost and other information about IT assets.  As discussed earlier, 38 percent of equipment item records in ITAMS had zero dollar balances in the purchase price field.  We asked DIRM for aggregate cost data for IT equipment maintained in ITAMS.  A DIRM budget manager informed us that DIRM was unable to provide that type of aggregate cost data.  Gartner, Inc., an IT consulting firm, has reported that effective IT asset management programs should capture three types of data about IT assets:  (1) physical details—such as who is using the asset and where it is located; (2) financial details about the asset—such as the asset’s cost, depreciation, and book value; and (3) contractual details—such as warranty and maintenance information and contract end dates.  As discussed earlier, DIRM is considering replacing ITAMS.  It is crucial that any system selected to replace ITAMS integrate with the FDIC’s New Financial Environment and Corporate Human Resources Information System and DIRM’s helpdesk system (Remedy).

EFFECT

The existing control weaknesses we identified in this report resulted in the tangible effect of ITAMS becoming unreliable, inaccurate, and incomplete.  However, these control weaknesses also had several intangible effects on the program.  Specifically, these control weaknesses resulted in:

  • An undisciplined culture toward IT asset management.  A 2001 draft internal Asset Management Issues Report noted that individuals were not being held accountable for their responsibilities with regard to IT asset management.  The draft report discussed developing a responsibilities document and recommended the development of an asset management team.  Asset Management also indicated that DIRM employees would often move equipment such as computers and printers within DIRM space without authorization and without notifying Asset Management, which would result in ITAMS being inaccurate.  Further, during physical inventories conducted in May 2003, Asset Management noticed server equipment with multiple bar codes and concluded that DIRM employees had removed components and spare parts from some server equipment items for use in other server equipment items.


  • Increased potential for missing and lost equipment.  Because ITAMS is not complete, accurate, or secure, the FDIC’s risk of IT equipment becoming lost or stolen is increased.  As discussed earlier, DIRM has identified 331 equipment items listed in ITAMS that it cannot physically locate.  Moreover, hundreds of IT assets are not included in ITAMS.  Some of these assets are government furnished equipment (GFE) items which are located at contractor sites, making those assets even more vulnerable to risk of loss or unauthorized use.  Without a complete and accurate IT asset inventory system, DIRM cannot ensure that all of the Corporation’s IT assets are properly safeguarded.


  • ITAMS not being an effective management tool.  ITAMS information is unreliable and therefore cannot be used as a management tool as it was originally intended.  For example, as noted above, we found IT equipment stored in the DDC for over 1 year.  The FDIC’s personal and laptop computer replacement cycle is only 3 years.  If information is not accurate on ITAMS, FDIC personnel may not know whether equipment is available in the warehouse and may purchase additional unneeded equipment.  Further, without entering all required fields in ITAMS, warranty and cost information are not available for specific equipment.  Management might forgo warranty items on equipment and incur additional expenses repairing equipment that is covered by a warranty.  In addition, without cost data, the FDIC does not know the total cost of equipment purchased.

Finally, because ITAMS is neither complete nor accurate, the FDIC faces the risk of not being able to recover potential insurance claims that may arise.  The FDIC maintains an insurance policy with a $500,000 deductible that covers IT equipment.  The potential exists that if the FDIC had a catastrophic event, such as a fire, without accurate and complete inventory records, the FDIC would not be able to support items that were destroyed. During a 1997 audit of safeguards over IT equipment, we reported that the FDIC had not been able to recover proceeds from its insurance company from the theft of 34 laptop computers because the FDIC had not maintained an adequate inventory of the equipment items. (Note: Audit Report No. D97-103, Audit of Safeguards Over EDP Equipment, dated October 24, 1997.)

CONCLUSIONS

We found that internal control over IT assets was inadequate.  Specifically, a weak control environment and control activities related to ITAMS resulted in missing assets, incomplete data repository information, outdated and inaccurate custodial records, numerous assets not included in ITAMS, and weak system access control.  Collectively, these conditions constitute a potential material internal control weakness that could lead to loss or misuse of equipment, unwarranted or unsupported procurement actions, and unauthorized access to sensitive information.

DIRM has not historically conducted effective periodic physical inventories or reconciliations, researched unreconciled equipment items timely, prepared formal current policies and procedures, achieved adequate separation of duties, integrated disparate IT asset inventory systems, or effectively captured cost or other information about IT assets.  These control weaknesses have resulted in:  (1) ITAMS becoming unreliable, (2) the development of an undisciplined culture toward IT asset management, (3) increased potential for missing and lost equipment, and (4) ITAMS not being an effective management tool for managing IT inventory.

RECOMMENDATIONS

We recommend that the Acting Director, DIRM:

  1. Conduct a one‑time independent physical inventory of all IT assets, including owned or leased equipment not presently listed on ITAMS.  This inventory should consist of a room‑to‑room search for IT assets to ensure that ITAMS includes all FDIC IT assets.  The inventory should be conducted for all owned and leased FDIC buildings nationwide.


  2. Reconcile the results of the independent physical inventory with ITAMS.


  3. Develop policies and procedures for the purchase, receipt, warehousing, deployment, repair, maintenance, and retirement of IT assets.  Specifically, the policies and procedures should address the following:

    • Define all assets that will be tracked in ITAMS, including laptops, PCs, printers, servers, routers, switches, telecommunication, midrange, and mainframe equipment, and software.


    • Establish parameters, such as dollar or security thresholds, for what assets will be inventoried and targets for when assets will be identified for surplus.


    • Establish a central point of receipt for all purchased IT equipment, including IT equipment purchased with the procurement card, and require that all equipment be entered into ITAMS at the time of receipt.


    • Develop procedures for conducting independent periodic physical inventories of all IT equipment, including equipment items such as telecommunication, midrange, and mainframe equipment and software that have not historically been tracked in ITAMS.


    • Outline specific steps that DIRM needs to perform before writing off or inactivating missing equipment on ITAMS.  These steps should, at a minimum, include measures to determine the cause of any missing equipment items.


  4. Ensure adequate segregation of duties so that individuals responsible for conducting asset inventories are not also responsible for the custody of assets. 


  5. Establish performance measures to monitor IT asset management, such as targets for inventory accuracy and time frames for researching unreconciled items.


  6. Strengthen roles and responsibilities of personnel responsible for the overall physical inventory process, including the property asset management function, to increase program accountability and to ensure that custody of assigned assets and reliability of information within ITAMS is maintained at all times. 


  7. Move all IT equipment that is currently located in the Virginia Square garage to a storage area that is clean, secure, and allows for proper temperature controls for IT equipment.


  8. Correct the ITAMS system access weakness associated with SQL.  Specifically, develop application controls to prevent the improper access of ITAMS through SQL, or implement compensating controls to ensure that an audit trail exists for all changes made to IT equipment information within ITAMS.

If a replacement system is pursued, we recommend the Acting Director, DIRM:

  9. Consolidate the IT asset inventory into a single repository or multiple repositories that can be integrated.


  10. Require that alternatives for replacement of ITAMS seamlessly integrate with other major corporate systems, including the New Financial Environment, the Corporate Human Resources Information System, and DIRM’s helpdesk system (Remedy).

CORPORATION COMMENTS AND OIG EVALUATION

The Acting Director, DIRM, provided a written response, dated July 17, 2003, to a draft of this report.  DIRM’s response is presented in its entirety in Appendix VI.  DIRM did not agree with recommendations number 1 and 2, but presented alternative corrective actions that generally address the intent of these recommendations.  Recommendation 1 required DIRM to conduct a one-time independent physical inventory of all IT assets, consisting of a nationwide room-to-room search for assets not listed on ITAMS.  Recommendation 2 required DIRM to reconcile the results of the physical inventory with ITAMS.  DIRM agreed to implement a stepped approach and complete separate inventories of mainframe, midrange, and telecommunication equipment and a room-by-room search of the Virginia Square facility.  Should DIRM’s search of the Virginia Square facility identify unrecorded assets, we encourage DIRM to expand the search to other headquarters and regional facilities.  DIRM’s proposed actions are sufficient to resolve recommendations 1 and 2.

DIRM agreed with recommendations 3 through 10 and proposed actions sufficient to resolve each recommendation.  We initially had questions about DIRM’s proposed action for resolving recommendation 8, but clarified through subsequent conversation with DIRM that its proposed action to limit SQL access privileges would address this recommendation. 

Recommendations 1 through 10 will remain undispositioned and open for reporting purposes until we have determined that agreed‑to corrective actions have been completed and are effective.  Appendix VII presents a summary chart showing DIRM’s responses to our recommendations and associated resolution and disposition status.

We also asked DIRM to comment on our characterization of the ITAM program as a potential material weakness.  The Acting Director responded that senior management is aware of weaknesses in the program and has instituted aggressive steps to address them and, therefore, does not concur that the ITAM program represents a potential material internal control weakness.   The magnitude and long‑standing nature of the IT asset management deficiencies identified by the OIG and DIRM, which have not yet been fully corrected, warrant the senior management emphasis associated with designation as a material internal control weakness.  Therefore, we will identify the ITAM program as a potential material internal control weakness as part of our input to the FDIC annual Statement on Internal Accounting and Administrative Controls required by the Federal Managers Financial Integrity Act of 1982, as codified.

The DIRM Acting Director also requested that the final evaluation report be classified Privileged and Confidential.  We reviewed information contained in the final report and did not identify any information that we consider to be of a sensitive nature.  Accordingly, we intend to issue this report without restriction.

Lastly, the Acting Director’s response included one discussion item that requires additional clarification.  The Acting Director stated:  “I would like to point out that the issues raised in this draft, are for the most part, those that DIRM previously identified and provided to the OIG in a recent [October 25, 2001] ‘self‑assessment’ review.”  In fact, our findings and recommendations go well beyond the prior assessment. 

At the outset of our evaluation in November 2002, we were informed of a draft internal assessment that contained recommendations for the IT asset management program that DIRM management had largely not implemented.  In discussions with the OIG, senior DIRM managers even questioned the accuracy of this document in key areas.  Most of the internal assessment recommendations were operational enhancements to the ITAM program.  Conversely, most of our recommendations are related to strengthening internal controls over IT assets.  Although the internal assessment made useful recommendations, the assessment also recommended some actions that would result in inadequate segregation of duties or other control weaknesses, with which we disagreed.  Table 6 presents a comparison of recommendations made in DIRM’s internal assessment and our evaluation.

Table 6: Comparison of DIRM Internal Assessment and OIG Evaluation Recommendations

| Recommendation | DIRM Internal Assessment | OIG Evaluation |
|----------------|--------------------------|----------------|
| Establish procurement and deployment policies. | X | X |
| Establish asset quantity standards. | X | |
| Establish asset disposal standards. | X | (Note: OIG issued report on FDIC’s Excess Computer Hard Drive Sanitation Process in March 2002.) |
| Hold individuals involved in ITAM accountable. | X | X |
| Establish responsibilities document. | X | X |
| Transition asset management program and ITAMS to Technical Infrastructure. | X | |
| Correct data within ITAMS. | X | |
| Establish types of assets that should be tracked in ITAMS. | X | X |
| Establish data analysis position to prepare ITAMS management reports. | X | |
| Develop project team to research replacement system for ITAMS. | X | |
| Distribute or dispose of excess equipment in warehouse, institute just-in-time procurement. | X | |
| Centralize warranty support for corporate laptops. | X | |
| Conduct a one-time room-by-room inventory of all IT assets. | | X |
| Reconcile discrepancies from one-time inventory with ITAMS. | | X |
| Develop procedures for conducting independent periodic physical inventories. | | X |
| Outline specific steps that DIRM needs to perform before writing off or inactivating missing equipment items. | | X |
| Ensure adequate segregation of duties within program. | | X |
| Establish performance measures. | | X |
| Move IT equipment stored in the Virginia Square garage. | | X |
| Correct the ITAMS system access weakness associated with SQL or implement compensating controls. | | X |
| Consolidate IT asset inventory into a single repository or multiple integrated systems. | | X |
| Require that ITAMS replacement alternatives integrate with other major corporate systems. | | X |

Source: OIG Analysis

Moreover, the draft internal assessment was dated October 2001 and not finalized.  As we stated throughout our report, DIRM has taken aggressive efforts to improve the ITAM program.  However, the bulk of these efforts were initiated after we began our review in November 2002, not after the draft assessment was issued.  To imply that most of these efforts were underway or completed prior to November 2002 is inaccurate.

In conclusion, DIRM and OIG share the same objective, that is, to improve the IT asset management program.  The recommendations outlined in this report, to which DIRM has agreed, should accomplish that objective, and we will continue to work with DIRM to see to that end.


APPENDIX I:  SCOPE AND METHODOLOGY

To accomplish our objective, we:

  • Interviewed DIRM personnel responsible for the management of ITAMS and the IT asset management program, including officials responsible for monitoring the former contract with INNOLOG, officials responsible for controlling inventory, and the property asset managers in all FDIC regions and headquarters.  In addition, we interviewed personnel from various FDIC divisions and offices, including Division of Administration and Division of Finance personnel responsible for contracting and financial reporting, respectively.


  • Reviewed policies and procedures, including the ITAMS Users Manual.  In addition, reviewed Standard Operating Procedures and other directives and guidance relevant to the program. 


  • Obtained read‑only access to ITAMS and became familiar with the system and inventory controls.  In addition, we performed various tests to confirm IT asset information in ITAMS.


  • In performing this audit, we gained an understanding of management controls over the ITAMS inventory system.  Specifically, we focused our efforts on assessing the control environment and control activities relating to the IT asset management program through interviews, review of policies and procedures, and by performing specific tests relating to the accuracy of ITAMS information.  In addition, we reviewed GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, issued November 1999), Internal Control Management and Evaluation Tool (GAO-01-1008G, issued August 2001), and Executive Guide: Best Practices in Achieving Consistent, Accurate Physical Counts of Inventory and Related Property (GAO-01-763G, dated July 2001).


  • During our review, we relied on computer generated data to test the accuracy and reliability of ITAMS.  Specifically, we relied upon information from the FDIC’s Microsoft Outlook System and the National Finance Center.  We did not evaluate general or application controls for any of the systems used during our review. 


  • To determine whether ITAMS is accurate, we selected 20 current FDIC employees and confirmed by physical inspection that all IT equipment assigned to them in ITAMS was correct.


  • Secured a list of all FDIC employees that left the FDIC during 2002 and compared the list to ITAMS to see if former employees were still assigned IT equipment.


  • Matched a list of all FDIC current employees listed on the Outlook system to employees listed on ITAMS to ensure that all current employees had IT equipment assigned to them on ITAMS.


  • From a review of all INNOLOG invoices, determined the total cost that the FDIC paid to INNOLOG for developmental and warehouse costs for ITAMS.  In addition, estimated the total developmental charges for ITAMS.


  • Reviewed the contract for INNOLOG to determine contract requirements and system expectations.


  • Performed limited work to identify applicable laws and regulations; however, we did not specifically test for compliance with laws and regulations.

We conducted the evaluation from November 2002 through May 2003 in accordance with generally accepted government auditing standards.


APPENDIX II: ACRONYMS AND ABBREVIATIONS

Appendix II Table: Acronyms and Abbreviations

Term Definition
ARTS Application Request Tracking System
CIRC Capital Investment Review Committee
COTS commercial off-the-shelf
CSB Client Services Branch
DDC DIRM Distribution Center
DIRM Division of Information Resources Management
DRR Division of Resolutions and Receiverships
DSC Division of Supervision and Consumer Protection
DOA Division of Administration
FISMA Federal Information Security Management Act
FMFIA Federal Managers’ Financial Integrity Act
GAO U.S. General Accounting Office
GFE government furnished equipment
INNOLOG Innovative Logistic Techniques, Inc.
IT information technology
ITAMS Information Technology Asset Management System
OCC Office of the Comptroller of the Currency
OIG Office of Inspector General
OTS Office of Thrift Supervision
PAM property asset manager
PC personal computer
PDR Project Definition Report
RMB Resource Management Branch
SQL Structured Query Language
SRC Systems Research Corporation
TCO total cost of ownership


APPENDIX III: PRIOR OIG AUDITS AND INVESTIGATIONS

Table 7:  Timeline of Events

Date | Event
March 1997 | Contract with INNOLOG to design system and set up warehouse.
July 1999 | Second contract with INNOLOG for life-cycle management of IT assets.
Year 1998 | FDIC began using ITAMS to inventory certain IT assets.
May 2000 | Systems Resource Corporation issued last of 3 post-implementation reports on ITAMS.
March 2001 | OIG issued audit report on Controls Over FDIC’s Laptop Inventory. Report found that problems existed with segregation of duties, use of the Hubstore, corporate-wide certifications and duplicate serial numbers.
June 2001 | On June 7, 2001 FDIC issued a “Cure Notice” to INNOLOG indicating that the contractor was not complying with certain terms and conditions of the contract.
September 2001 | On September 21, 2001 FDIC DOA issued an early contract termination for convenience to INNOLOG, paying a little over $3 million of the original $4.1 million contract amount.
November 2001 | OIG issued investigation report to DIRM about laptop computers that were stolen by an INNOLOG employee and an accomplice. Thirty-six computers were recovered during the investigation and both men were convicted and ordered to pay restitution to the FDIC.
March 2002 | OIG issued report on INNOLOG's billings. OIG was able to determine that INNOLOG’s rates exceeded the rates justified by employees’ qualifications.  Audit questioned INNOLOG billings totaling $50,460 and determined $252,675 to be unresolved.
March 2002 | OIG issued third report on FDIC's Excess Computer Hard Drive Sanitation Process and found that INNOLOG was not sanitizing computer hard drives prior to disposal. OIG recommended that DIRM follow policy and that FDIC’s computers go through a hard drive sanitation process.
September 2002 | OIG received Hotline complaint about ITAMS and inventory and reviewed the merits of proceeding with an OIG evaluation.  Announcement letter for OIG evaluation was dated November 15, 2002 and sent to DIRM's Acting Director.
November 2002 | DIRM made a formal presentation to the Capital Investment Review Committee to develop a system to replace ITAMS.

Source: OIG Analysis


APPENDIX IV:  BEST PRACTICES AT OCC AND OTS

We interviewed officials from the Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision (OTS) to understand their approach to managing IT assets.  Selected information about OCC’s and OTS’s ITAM program is presented in Table 8.  

Table 8: ITAM Best Practices Information

Category | OCC IT Asset Management Program | OTS IT Asset Management Program
Organization of Program | Within Administration (such as FDIC’s DOA) with program coordinator from IT department. | Within Administration.
Repository System | PeopleSoft Asset Management Module, with Aperture, an add-on facility to assist user friendliness. | Internally developed IT system.
Integration with Other Systems | Integrated with financial accounting system and human resources system. | Not integrated.
Asset Threshold | Tracks all IT assets greater than $500 and non-IT assets greater than $1,000 (e.g., furniture). | All IT assets with acquisition value of $250 or more.
Assets Tracked | All IT assets, including telecommunication equipment and individual software.  OCC joined the Internal Revenue Service’s enterprise agreement with Microsoft for standard software. | All IT assets, including servers, laptops, PCs, printers, storage cabinets, furniture, switches, routers, telephone units, cell phones, monitors, hard drive upgrades, and software.
Bar Code Reader | Yes. | No.
Auto-Discovery Capability | OCC attempted to implement an auto-discovery tool but encountered employee privacy issues.  OCC plans to revisit this issue using a software called HP Open-View. | No.
Purchasing | Centralized within IT department for IT purchases.  Limited number of procurement cards.  Only three individuals have procurement cards within IT department. | Centralized.
Receiving | Central delivery of all assets to OCC warehouse where equipment is inspected and entered into IT asset management system. | Central delivery to OTS warehouse.
Accountability | All IT assets are assigned to a specific person and that person is held accountable for the asset. | Assigned to a specific person.
Inventory practice | Annual touch-the-box physical inventory of all IT equipment. | Examiners certify equipment, especially laptops, annually. For all other IT assets, OTS conducts a physical inventory annually.

Source: Interviews with agency officials


APPENDIX V: DIRM EFFORTS TO IMPROVE THE PROGRAM

As shown in Table 9, DIRM has taken a number of actions to improve the ITAM program. 

Table 9: DIRM Efforts to Improve the ITAM Program

Action Planned or Taken | Status
Determining what assets will be tracked in the replacement system. | Completed.
Establishing dollar value threshold for assets. | Completed.
Cleaning up data within ITAMS. | In-Process.
Conducting physical inventories of ITAMS data at HQ and Regional offices. | In-Process.
Conducting a full inventory of all IT hardware and software (assets not currently included in ITAMS). | Planned.
Establishing procedure that all HQ equipment must be received at the DDC. | Completed.
Establishing procedure for monitoring procurement card purchases. | Completed.
Began reviewing past procurement card purchases to ensure that all IT equipment purchased under procurement cards was included in ITAMS.  This effort was later put on hold. | Started, then suspended.
Working on drafting asset management processes, policies, and procedures.  DIRM has hired consultant to assist with this effort. | In-Process.
Establishing a multi-divisional steering committee to review IT asset management needs and to evaluate potential solutions. | Completed.
Issued sources sought notice to identify potential replacement solutions for ITAMS. | Completed.
Took efforts to establish separation of duties within Technical Infrastructure. | Completed.
Working on establishing targets for when assets will be identified for surplus, including an IT hardware modernization document that will provide information as to when equipment is scheduled to be replaced. | Planned.

Source: OIG Analysis


APPENDIX VI: CORPORATION COMMENTS

FDIC
Federal Deposit Insurance Corporation

550 17th St NW Washington, DC 20429
Division of Information Resources Management

July 17, 2003

MEMORANDUM TO: Russell A. Rau, Assistant Inspector General for Audits, Office of the Inspector General

FROM: Vijay G. Deshpande [Electronically produced version; original signed by Vijay G. Deshpande], Acting Director

SUBJECT: DIRM Response to the Draft Report Entitled Life-Cycle Management of Information Technology Assets (Assignment No. 2003-007)

The Division of Information Resources Management (DIRM) has reviewed the subject draft audit report.  We appreciate the opportunity to review and comment on these findings during a comprehensive exit conference conducted with the Office of the Inspector General. 

DIRM senior management has been aware of weaknesses in the inventory control process and has already instituted aggressive steps to address them.  I would like to point out that the issues raised in this draft are, for the most part, those that DIRM previously identified and provided to the OIG in a recent “self-assessment” review.  The asset management staff openly provided and discussed these issues with the OIG staff as well as the corrective actions completed, in-process and/or planned.  This is an area that has senior management’s attention and priority.  Given the self-identified issues, the specific corrective actions planned, and the progress being made, DIRM does not concur that the asset management program represents a potential material internal control weakness.

General Comments

DIRM is committed to full life-cycle asset management.  Our senior managers are aware of the need for the program within DIRM and its impact on the efficiency and effectiveness of IT asset management.   As you know, DIRM has taken significant steps towards implementing a modern and comprehensive asset management system while identifying and addressing existing inventory control issues.

On October 25, 2001, the Technical Infrastructure Management staff presented a proposal to DIRM senior management to substantially restructure the asset management program.  This proposal outlined the functions needed to establish a successful program, as well as areas where the current inventory process was weak.  DIRM senior management agreed with the proposal and the project was initiated in January 2002.  A copy of a draft document outlining DIRM’s self-assessment of the asset management issues was provided to your staff at the beginning of the audit. 

The process to implement a full life-cycle asset management program is a long process. However, we have made significant progress.  Since our original presentation in 2001, DIRM has:

  • Separated the asset management function from the procurement and receiving functions by transferring Asset Management to report directly to the Deputy Director of Technical Infrastructure Management;


  • Assumed full responsibility for the Information Technology Asset Management System (ITAMS), which was previously handled through the INNOLOG contract;


  • Established new criteria for assets to be tracked.  This action removed small dollar valued assets (under $500 and no capacity for data retention) from ITAMS and reduced the volume of assets by 17,526 records;


  • Issued internal policy requiring all IT assets (hardware and software) procured for the Washington area be received by the DIRM Distribution Center (DDC);


  • Established data responsibility for the repository (currently ITAMS) to the Property Account Managers (PAMs) in the responsible DIRM business units;


  • Conducted a nationwide physical inventory of IT hardware in ITAMS totaling 17,312 verified active assets;


  • Completed the deployment of over 4,800 new desktop computers and properly disposed of the old computers;


  • Initiated a project to replace ITAMS and implement full life-cycle asset management tools.  The project definition report was approved and the business case is being finalized for presentation to the Capital Investment Review Committee (CIRC).  We have established an Enterprise Asset Management  (EAM) Steering Committee made up of several DIRM senior managers as well as senior managers from DOF and DOA, and are working closely with the NFE project team towards system integration; and


  • Worked extensively with research organizations (Gartner and MetaGroup) to become educated in asset management strategies and best practices, as well as establishing the requirements for a life-cycle asset management program.  This included a year-long commitment with MetaGroup in its “Operations Excellence” program in the area of Enterprise Asset Management best practices.

Prior to the initiation of the audit and as a result of our initiative to implement asset management tools (data repository and auto-discovery), DIRM began the following initiatives related to asset management:

  • Establishing an asset management team including the PAMs in the respective DIRM business units and partnered divisions;


  • Developing a phased-in approach for single data repository for tracked IT assets.  This includes all hardware and software for all platforms (PC/LAN, midrange, mainframe, and telecommunications).  This also includes maintenance contracts for owned IT assets, as well as maintenance history for the individual assets;

  • Performing data scrubbing in ITAMS, prior to migration to new data repository (EAM);

  • Developing an Asset Management Operations Manual (including program objectives, roles/responsibilities, policies, procedures and standards); and


  • Establishing an IT Asset Management Measurement Program; this will include a compliance review of current and future policies and procedures.

DIRM requests that this audit be classified PRIVILEGED AND CONFIDENTIAL.  The confidential classification for this audit would be consistent with the classification given audit 2001-922, “The FDIC’s Excess Computer Hard Drive Sanitation Process.”

Attached is a detailed corrective action plan for addressing the specific recommendations presented in the draft report.  

If you have any questions, please contact Rack Campbell, Chief ITES, on (703) 516-1422.

Attachment

cc: James D. Collins, DIRM
Michael Bartell, DIRM
Mike MacDermott, OICM


DIRM Corrective Action Plan
IT Asset Management Life-Cycle Program

Recommendation 1:

Conduct a one time independent physical inventory of all IT assets, including owned or leased equipment not presently listed on ITAMS. This inventory should consist of a room to room search for IT assets to ensure that ITAMS includes all FDIC IT assets. The inventory should be conducted for all owned and leased FDIC buildings nationwide.

Response 1: Responsible Supervisor – Leonard Nelson

DIRM does not agree with the recommendation; however, a stepped approach is being followed which will accomplish much of the same desired results. It should be noted that many of the tracked assets are mobile assets which would not be verified in any room-to-room search. A full inventory of the assets that are in ITAMS has recently been completed. The mainframe assets have been inventoried and added to the ITAMS database. The inventory of the mid-range assets and the inputting of those not currently reflected in ITAMS will be completed by July 31, 2003. Plans are underway to address the telecommunication assets presently tracked in Remedy. The following is a list of the 2003 completed and scheduled hardware asset projects:
  • On May 31, DIRM completed the 2003 physical inventory of the assets currently tracked in our asset repository, ITAMS. The total number of assets verified was 17,312. After the inventory was completed by the responsible asset managers, DIRM’s asset management staff conducted a validation process of reviewing a sample of the data in ITAMS to ensure the accuracy of the identification of the assets and the location of the assets. The minimum sample taken during this validation was 10%. In some cases, depending on the asset, 100% validation was done. Final outcome was less than a 0.5% error rate with all errors corrected in a timely manner.


  • By July 31, 2003, the mainframe (done) and mid-range assets will be added to ITAMS. This will include a 100% physical review by DIRM’s asset management staff.


  • By August 29, 2003, telecommunication’s equipment database of routers, switches, PBX equipment, and other tracked assets will be reviewed for accuracy, and a physical inventory will be completed. This will include a 100% physical review by DIRM’s asset management staff. DIRM will determine during this period the temporary data repository (either ITAMS or the Remedy database) for these assets until the new data repository (EAM) is implemented.


  • The recently completed inventory of ITAMS indicated that 87.2% of the assets that could not be verified had Virginia Square as the last known location. After completing the inventories on the mainframe, mid-range and telecommunication assets, a room-to-room search will be conducted for the Virginia Square facility. Estimated completion date is September 30, 2003.


  • The next complete annual inventory will be conducted by June 11, 2004. It is our intention to have the new data repository and an auto-discovery tool implemented prior to the initiation of the 2004 inventory. With an auto-discovery tool, approximately 80% of the assets will be discovered through the network and the remaining assets will be physically inventoried.

Recommendation 2:

Reconcile the results of the independent physical inventory with ITAMS.

Response 2: Responsible Supervisor – Leonard Nelson

DIRM does not agree with the recommendation; however, the results of each intermediate inventory will be reconciled with the system of record. A reconciliation of the Virginia Square re-inventory project will be completed by October 31, 2003.

Recommendation 3:

Develop policies and procedures for the purchase, receipt, warehousing, deployment, repair, maintenance, and retirement of IT assets. Specifically, the policies and procedures should address the following:

  • Define all assets that will be tracked in ITAMS, including laptops, PCs, printers, servers, routers, switches, telecommunication, midrange, and mainframe equipment and software.


  • Establish parameters, such as dollar or security thresholds, for what assets will be inventoried and targets for when assets will be identified for surplus.


  • Establish a central point of receipt for all purchased IT equipment, including IT equipment purchased with the procurement card, and require that all equipment be entered into ITAMS at the time of receipt.


  • Develop procedures for conducting independent periodic physical inventories of all IT equipment, including equipment items such as telecommunication, midrange, and mainframe equipment and software that have not historically been tracked in ITAMS.
  • Outline specific steps that DIRM needs to perform before writing off or inactivating missing equipment in ITAMS. These steps should, at a minimum, include measures to determine the cause of any missing equipment items.

Response 3: Responsible Supervisor – Leonard Nelson, Daniel Mahoney and Robert Redmond

DIRM agrees with this recommendation, and funds were budgeted for 2003 to start this project. Current policies and procedures will be reviewed and updated as needed. In areas where no policies or procedures exist, new documents will be created. The format of the policies will follow corporate or divisional requirements, depending on the scope of the subject. Estimated completion date for reviewing and updating the policies and procedures is December 31, 2003.

An operations manual will be developed for asset management. Further discussion of its roles/responsibilities is discussed in Response 6. Completion of the operations manual is scheduled for June 11, 2004, assuming funds are budgeted for this purpose in 2004.

Recommendation 4:

Ensure adequate segregation of duties so that individuals responsible for conducting asset inventories are not also responsible for the custody of assets.

Response 4: Responsible Supervisor – Leonard Nelson

DIRM agrees and has already started the process. As stated in Response 1, mainframe and midrange assets will be converted to ITAMS by July 31, 2003, which will add assets to the oversight provided by DIRM’s asset management. The transfer of the asset management oversight for the telecommunication assets is scheduled for a completion date of August 29, 2003. DIRM’s asset management team will work closely with the asset custodians to ensure the data in ITAMS or the Remedy database is complete by September 30, 2003.

Recommendation 5:

Establish performance measures to monitor IT asset management, such as targets for inventory accuracy and time frames for researching unreconciled items.

Response 5: Responsible Supervisor – Leonard Nelson

DIRM agrees, and baseline metrics for inventory and asset data accuracy will be established by July 31, 2003. We will also establish a schedule for periodic calculations and reviews by July 31, 2003.

The reconciliation of assets not located during the 2003 ITAMS physical inventory will be completed by July 31, 2003. Assets not located will become inactive. With the inactivation of these assets, DIRM will have an accurate record of the assets, and can impose accountability to the custodians of these assets. New metrics concerning unlocated assets will be included in the baseline metrics established by July 31, 2003.

Recommendation 6:

Strengthen roles and responsibilities of personnel responsible for the overall physical inventory process, including the property asset management function, to increase program accountability and to ensure that custody of assigned assets and reliability of information within ITAMS is maintained at all times.

Response 6: Responsible Supervisor – Leonard Nelson

DIRM agrees and has already started the process. For the recently completed inventory of the assets in ITAMS, the various custodial units were held accountable for the accuracy of their respective assets. This was further emphasized by Michael Bartell’s e-mail of May 21, 2003, to all DIRM Infrastructure Managers. The completed document outlining the roles and responsibilities will be completed by year end (December 31, 2003) and will be included in the operations manual scheduled for completion on June 11, 2004 (refer to Response 3).

Recommendation 7:

Move all IT equipment that is currently located in the Virginia Square garage to a storage area that is clean, secure, and allows for proper temperature controls for IT equipment.

Response 7: Responsible Supervisor – Robert Redmond

The use of the Virginia Square garage was a one-time temporary measure. The new equipment purchased for the WinXP project was to be stored in this area for only up to three months. However, the use of this space was extended due to a delay in the rollout of the new equipment. There is no expectation to use the garage storage areas on a permanent basis. The equipment placed in this temporary storage has been moved to the DIRM Distribution Center’s storage facilities within Virginia Square. DIRM considers compliance with this recommendation complete.

Recommendation 8:

Correct the ITAMS system access weakness associated with SQL. Specifically, develop application controls to prevent the improper access of ITAMS through SQL, or implement compensating controls to ensure that an audit trail exists for all changes made to IT equipment information within ITAMS.

Response 8: Responsible Supervisor – Leonard Nelson; ITAMS Project Manager – Cassandra Monroe

DIRM pointed out these weaknesses to the audit team during the course of the audit as examples of some inherent problems with ITAMS, and why a new modern and secure data base is required. We are in the process of restricting access to the data by establishing the default value for ITAMS users of “read only” when accessing the ITAMS data. This change is in the testing phase and is scheduled for completion by July 18, 2003.

To establish an audit trail for data changes in ITAMS requires programming changes, and at this time would not be financially prudent with the estimated implementation of EAM by March 31, 2004. This is an absolute requirement for the new enterprise asset management environment.

Recommendation 9:

Consolidate the IT asset inventory into a single repository or multiple repositories that can be integrated.

Response 9: Responsible Supervisor – Leonard Nelson; EAM Project Manager – Cassandra Monroe

DIRM concurs and has stated this requirement in numerous project documents. This is one of our stated goals for a new IT asset data repository in the project definition report, “Information Technology Asset Management” dated December 30, 2002. In section 2.2 of this document, it states “The IT asset management goals of DIRM reflect the guidance from FDIC, GAO, OMB, the Inspector General and others. The following IT asset management goals have been defined to help meet FDIC business, strategic and IT objectives…Establish a single corporate asset management repository.”

Completion of the implementation of the inventory phase of EAM is scheduled for March 31, 2004. This date may be delayed based on factors outside the control of the EAM project team (e.g., CIRC approval and procurement activities).

Recommendation 10:

Require that alternatives for replacement of ITAMS seamlessly integrate with other major corporate systems, including the New Financial Environment, the Corporate Human Resources Information System, and DIRM’s helpdesk system (Remedy).

Response 10: Responsible Supervisor – Leonard Nelson; EAM Project Manager – Cassandra Monroe

This recommendation has already been identified and adopted by DIRM. In section 2.2 of the December 30, 2002 project definition report entitled, “Information Technology Asset Management”, it states that “The IT asset management goals of DIRM reflect the guidance from FDIC, GAO, OMB, the Inspector General and others. The following IT asset management goals have been defined to help meet FDIC business, strategic and IT objectives…Integrate with corporate areas (e.g., NFE and the National Technical Call Center (NTCC)).”

Completion for integration with corporate systems will be scheduled upon the approval of EAM, with priority given to Remedy (NTCC) and NFE. The first integration is anticipated to be with Remedy at the time of implementation or shortly thereafter, followed by NFE. NFE’s integration date will be dependent on the implementation of this application. Integration with CHRIS will require additional analysis and is considered the next integration point with EAM.


APPENDIX VII: MANAGEMENT RESPONSES TO RECOMMENDATIONS

The following presents the management responses that have been made on recommendations in our report and the status of recommendations as of the date of report issuance. The information is based on management's written response to our report and subsequent communication with management representatives.

Please note the following definitions that relate to the management responses to the recommendations:

Resolved: (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

Dispositioned: The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation. Once the OIG dispositions the recommendation, it can then be closed.

Recommendation Number 1

Corrective Action: Taken or Planned/Status: DIRM does not directly concur with this recommendation to conduct a one-time independent physical inventory of all IT assets but has offered an acceptable alternative in performing separate individual inventories and a room-by-room search of the Virginia Square facility which will meet the intent of our recommendation.

Expected Completion Date: September 30, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 2

Corrective Action: Taken or Planned/Status: DIRM does not directly concur with recommendation to reconcile the results of the independent physical inventory with ITAMS but has offered an acceptable alternative in reconciling the results of each individual inventory with the appropriate system of record and will meet the intent of our recommendation.

Expected Completion Date: October 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 3

Corrective Action: Taken or Planned/Status: DIRM concurs with this recommendation and will contract with an IT consulting group to review DIRM’s IT asset management program and prepare asset management policies and procedures.

Expected Completion Date: December 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 4

Corrective Action: Taken or Planned/Status: DIRM concurs with this recommendation and will address segregation of duties in its policies and procedures manual.

Expected Completion Date: September 30, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 5

Corrective Action: Taken or Planned/Status: DIRM concurs with this recommendation and will establish performance measures such as targets for inventory accuracy and time frames for researching unreconciled items in its new policies and procedures.

Expected Completion Date: July 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 6

Corrective Action: Taken or Planned/Status: DIRM concurs with this recommendation and will address roles and responsibilities of personnel responsible for the overall physical inventory process in its new policies and procedures.

Expected Completion Date: December 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 7

Corrective Action: Taken or Planned/Status: DIRM agrees with this recommendation and has already moved all IT equipment from the Virginia Square garage to an inside facility.

Expected Completion Date: Completed

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 8

Corrective Action: Taken or Planned/Status: DIRM indicated it has taken efforts to address these weaknesses.  Through subsequent conversation with DIRM we clarified that DIRM will impose access restrictions at the SQL level, which would address the intent of this recommendation.

Expected Completion Date: July 18, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 9

Corrective Action: Taken or Planned/Status: DIRM concurs with the recommendation and will consolidate the IT asset inventory into a single repository or multiple repositories that can be integrated with FDIC's New Financial Environment, the Corporate Human Resources Information System, and DIRM's helpdesk system.

Expected Completion Date: March 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 10

Corrective Action: Taken or Planned/Status: DIRM concurs with the recommendation and will ensure that the replacement for ITAMS will integrate with FDIC’s New Financial Environment, the Corporate Human Resources Information System, and DIRM’s helpdesk system.

Expected Completion Date: Expected completion date to be provided.

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Last Updated 07/24/2003