OIG Issues Report on the FDIC’s Controls over the Information Technology Hardware Asset Management Program
On June 9, 2017, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued an evaluation report regarding controls over the FDIC’s Information Technology (IT) Hardware Asset Management Program. The FDIC uses IT hardware assets, among other things, for personal computing throughout the Corporation, supporting network operations, and providing communications connectivity. At the time of our fieldwork, the FDIC had 38,796 IT hardware items in inventory, including laptops, workstations, desktops, tablets, printers, scanners, servers, drives, routers, mainframes, and other equipment. IT hardware assets are vulnerable to several risks, including inefficient or costly procurement, delays in deployment, equipment theft and obsolescence, and data loss.
We reported that the FDIC had established some key controls over the IT hardware asset management program, including policies and procedures that specified roles and responsibilities for employees and contractors. However, we found that the FDIC needed to update its policies and procedures and strengthen its controls in most aspects of the program. Further, data needed to manage the program was frequently unreliable. Collectively, these weaknesses created an environment in which the FDIC was vulnerable to ineffectively managing IT hardware assets or having them lost or stolen.
To illustrate:
- Information in the Corporation’s IT asset management system and reports generated by the system were not always accurate. As a result, the FDIC was unable to accurately value its IT assets or evaluate the timeliness of receiving assets and providing them to users.
- With respect to tracking and protecting IT assets, the system showed 40 of the 178 employees (22 percent) who had separated from the Corporation over a 4-month period still had at least one IT asset assigned to them in the system.
- The contractor responsible for forms used to assign asset custody had not uploaded the equipment hand receipts for 15 of 36 laptops that we tested, and hand receipt dates were missing for 33 percent of deployed laptops and 46 percent of deployed desktops.
- The FDIC needed to establish procedures for using its technology refresh schedule along with data in its IT asset management system to make informed decisions about an asset’s useful life.
We made nine recommendations for the FDIC to enhance asset management life cycle policies and procedures to reflect current practices; strengthen controls to better ensure program objectives are met; and improve the IT asset management tracking system data entry, reliability, and reporting to support IT asset management and decision-making. The FDIC concurred with our recommendations.