Life-Cycle Management of
Information Technology Assets


August 13, 2003 Supplement to Evaluation Report No. 03-032,
Dated July 18, 2003 No. 03-032

**This is not an evaluation report.**
This supplement contains copies of correspondence between the Office of Inspector General (OIG) and the Division of Information Resources Management subsequent to the issuance of Evaluation Report No: 03-032, dated July 18, 2003. The intent of this supplement is to show progress made on the resolution of conditions identified at the time the OIG issued the final report.





TABLE OF CONTENTS

I. OIG Assessment of Management Response to the Final Report

Memorandum dated August 13, 2003, from the Assistant Inspector General for Audits to the Acting Director, Division of Information Resources Management

II. Management Response to the Final Report

Memorandum dated August 8, 2003, from the Acting Director, Division of Information Resources Management to the Deputy Assistant Inspector General for Audits


I. OIG Assessment of Management Response to the Final Report

FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: August 13, 2003

TO: Vijay G. Deshpande, Acting Director, Division of Information Resources Management

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: Assessment of DIRM Response to Final Report Entitled Life Cycle Management of Information Technology Assets (Evaluation Report No. 03-032)

We have reviewed your August 8, 2003 memorandum, which discusses actions taken and planned to address program weaknesses within the information technology asset management (ITAM) program and your position on whether our evaluation findings constitute a potential material weakness for the Corporation.

The Chief Financial Officers Act of 1990 (CFOA) requires government corporations to submit an annual management report to the Congress. The report must include financial statements, an audit opinion on those statements, and a Statement on Internal Accounting and Administrative Controls, discussing any material weaknesses and plans for corrective actions. The determination of what constitutes a material weakness is a judgment call that rests with FDIC management. In making that judgment, FDIC considers a weakness material if it:

  • violates statutory or regulatory requirements;
  • significantly weakens safeguards against waste, loss, unauthorized use or misappropriation of funds, property, or other assets;
  • significantly impairs the mission of the FDIC;
  • fosters a conflict of interest;
  • deprives the public of needed services; or
  • merits the attention of the Chairman, the FDIC Board of Directors, or the Congress.

At the time we completed our evaluation, we considered the deficiencies in the ITAM program to be a potential material weakness based on two of the above criteria. First, there were weak safeguards against the loss or unauthorized use of computer equipment and the data that resided therein. Second, the long-standing nature of the deficiencies warranted the attention of senior FDIC management. It is important to note, however, that management's determination of whether the ITAM program is a material weakness is not required until December 31, 2003, the end of the Corporation's financial reporting period.

Your memorandum states that our evaluation findings should not result in the classification of this program as a material weakness due to (1) the identification of the issues by the Division of Information Resources Management (DIRM) prior to the audit and (2) the substantial amount of work already accomplished to improve the program.

We disagree that the source (e.g., whether through the Corporation's internal evaluation processes or an Office of Inspector General evaluation) determining the issues being considered a material weakness is a factor. Rather, the determination is based on the criticality of the area or operation in which the weaknesses exist and whether there are any mitigating controls.

With respect to work already accomplished to improve the program, we acknowledge management's expressed commitment and have seen evidence of that commitment in corrective actions already in process. As stated previously, one of the purposes of declaring a program or activity as a material weakness is to focus sustained management attention on the issue. DIRM has, through its own initiative, and as a result of our review, devoted such attention to the ITAM program. Further, DIRM has committed to completing the corrective actions necessary to implement adequate internal control over its ITAM program by December 31, 2003. Accordingly, if DIRM successfully implements the actions it has planned and if those actions are effective, we agree that the ITAM program would not warrant a material weakness designation in the Corporation's 2003 Annual Report¤.

Should you have any questions concerning the report, please contact me at (202) 416-2543 or E. Marshall Gentry at (202) 416-2919.


¤ Beginning in 2002, the Corporation began issuing an annual report that combines the CFOA Report and the Program Performance Report required by the Government Performance Results Act. This action was taken in order to comply with the intent of the Reports Consolidation Act of 2002, which is not otherwise applicable to the FDIC.




II. Management Response to the Final Report

FDIC
Federal Deposit Insurance Corporation
Division of Information Resources Management
3501 Fairfax Dr. Arlington VA, 22226

DATE: August 13, 2003

MEMORANDUM TO: Stephen M. Beard, Deputy Assistant Inspector General for Audits, Office of Inspector General

FROM: Vijay G. Deshpande [Electronically produced version; original signed by Vijay G. Deshpande], Acting Director

SUBJECT: DIRM Supplemental Response to Report Entitled Life-Cycle Management of Information Technology Assets (Evaluation Report No. 03-032)

As per our agreement, the Division of Information Resources Management (DIRM) is providing the Office of the Inspector General with a supplemental report containing the actions DIRM has determined necessary to be completed or initiated by December 31, 2003 in order to implement an asset management program for its information technology (IT) assets. These actions are reflective of DIRM management's commitment to the establishment of an effective asset management life-cycle program.

Project: Inventory of IT hardware

Assignment: Complete 2003 physical inventory of assets reported in ITAMS.
        Status: Completed
        Date: May 31, 2003

Assignment: Complete reconciliation of 2003 ITAMS physical inventory.
        Status: Completed
        Date: June 20, 2003

Assignment: Add mainframe hardware to ITAMS and conduct physical inventory.
        Status: Completed
        Date: July 9, 2003

Assignment: Add midrange hardware to ITAMS and conduct physical inventory.
       Status: Completed
       Date: July 14, 2003

Assignment: Obtain authorization to inactivate missing assets that were purchased more than three years ago.
       Status: Completed
       Date: July 31, 2003

Assignment: Transfer telecommunications equipment data repository ownership to Asset Management group. Data will remain in the Remedy database until the implementation of the Enterprise Asset Management (EAM) system. Conduct physical inventory of telecommunication equipment.
       Status: Initiated
       Due: August 29, 2003

Assignment: Remedy database (telecommunications) cleanup.
       Status: Initiated
       Date: August 29, 2003

Assignment: Conduct room-by-room search of Virginia Square facility for IT hardware.
       Status: Initiated
       Due: September 30, 2003

Assignment: Reconciliation of the results of the Virginia Square re-inventory project.
       Status: Planned, to be completed in 2003
       Date: October 31, 2003

Assignment: ITAMS database cleanup.
       Status: Initiated
       Due: December 31, 2003

Project: Operations Manual

Assignment: Establish policies and procedures.
       Status: Initiated
       Due: December 31, 2003

Assignment: Establish roles and responsibilities.
       Status: Initiated
       Due: December 31, 2003

Assignment: Establish Asset Management Operations Manual.
       Status: Planned, to be initiated
       Due: 2004

Project: Other

Assignment: Establish read-only access to ITAMS data via external access tools to the SQL database.
       Status: Completed
       Date: July 18, 2003

Assignment: Establish performance measures.
       Status: Completed
       Due: July 31, 2003

Assignment: Baseline performance measures using ITAMS.
       Status: Planned, to be complete in 2003
       Due: August 29, 2003

Assignment: Obtain CIRC approval for Enterprise Asset Management (EAM), the new asset data repository and discovery tool.
       Status: Initiated
       Due: September 30, 2003

Assignment: Implement Enterprise Asset Management system.
       Status: Planned, to commence in 2003
       Due: 2004

DIRM continues to believe that the findings of this audit do not constitute the classification of a "potential material weakness," due to the identification of the issues by DIRM prior to the audit, the actual circumstances behind many of the audit findings, and to the substantial amount of work already accomplished towards the previously defined program improvement goals. DIRM therefore believes that the completion of the above projects and assignments will further demonstrate senior level management commitment to ongoing improvements in IT asset management and that the IT asset management program does not present a potential material weakness situation.

Last Updated 07/24/2003