Information Technology Assets: Risk Assessment Actions Could Inform Inventory Activities during Future Disruptions
Fast Facts
GAO's shift to a remote operating posture during the pandemic affected its full annual inventory of accountable property. This includes IT assets that may process and store sensitive or classified information, such as laptops, printers, and scanners.
In FY 2020, GAO cancelled all inventory activities. In FY 2021, GAO inventoried a small sample of IT assets. GAO did not reflect these changes in its fraud risk profile and lacked documentation to support the inventory activities undertaken.
Our recommendations ensure that GAO updates its fraud risk profile when things change and uses risk-based assessments to inform future inventory activities.
Highlights
Objective
GAO shifted to a remote operating posture to help protect employees during the COVID-19 pandemic. This posed challenges for GAO's annual inventory of accountable property—which includes Information Technology (IT) assets like laptops, hard drives, scanners, mobile storage devices, and printers. These assets may process and potentially store information under GAO's authority or control that requires protection from unauthorized disclosure, including classified information. Given the potential for national security, privacy, and other major risks as well as reputational, mission, and fraud risks if these items are lost, stolen, or otherwise missing, OIG examined Infrastructure Operation's (IO) inventory control over certain IT assets during the onset and height of the pandemic.
What OIG Found
GAO's IO office cancelled all fiscal year 2020 inventory activities, including for 3,579 IT assets that were inventoried in 2019. IO did not leverage existing inventory procedures that verify barcodes and locations through email correspondence to account for IT assets assigned to specific individuals within GAO. In addition, IO did not consider the impact of cancelling inventory, a principal antifraud control activity, on the IT asset fraud risks identified or revise the IT asset fraud risk profile accordingly.
In fiscal year 2021, IO inventoried a sample of GAO's accountable personal property that included less than 20 percent (1,035) of the 5,374 IT assets OIG reviewed that may process and store sensitive information. While the majority (162) of the IT assets designated as classified IT equipment were inventoried, just over 15 percent (41) did not have an inventory date. IO officials said they developed a risk-based inventory plan to restart activities at GAO headquarters but were unable to provide documentation of any risk assessment performed for the purpose of sample selection. Such an assessment should have indicated the most significant property risks IO identified and assessed; the magnitude of those risks; alternatives to GAO's annual inventory activities that IO had evaluated to address those risks; and rationales for including property such as cafeteria, fitness center, and mailroom equipment in the modified inventory, but excluding most of the IT assets OIG reviewed.
What OIG Recommends
OIG recommends that GAO take two actions: (1) develop and document procedures to update or revise IT asset fraud risk profiles when unexpected or unanticipated events occur, such as operating posture disruptions or changes to GAO's telework program; and (2) develop and document procedures to ensure that the appropriate risk-based assessments are completed when planning to implement an alternative to GAO's full annual inventory to ensure samples are targeted to the highest-risk IT assets. GAO agreed with the recommendations.