OIG cites weaknesses in NCUA monitoring, accounting of IT equipment

An audit of information technology equipment inventory by the National Credit Union Administration (NCUA) found that the agency did not adequately monitor, account, and dispose of all its information technology (IT) equipment and that improvements were needed in the agency’s instruction on the disposition of IT equipment, the NCUA Office of Inspector General (OIG) reported recently.

The audit, covering the period from Jan. 1, 2014, through June 30, 2017, was conducted to determine whether the NCUA has IT equipment inventory policies and procedures; and whether the NCUA adequately monitors and accounts for its IT equipment from acquisition through final disposition. The OIG made seven recommendations addressing identified deficiencies and reports the agency agreed to all of them.

“Our audit determined that although the NCUA has an instruction on the disposition of personal property, including the disposition of IT equipment, the instruction needs improvements, including broadening its application to the entire life cycle of IT equipment, not just its disposition,” the report states. “In addition, procedures implementing the instruction are needed, including requiring employees to sign receipts when they are issued IT equipment and requiring performance plans for employees responsible for IT equipment inventory management to have that criterion reflecting that responsibility.”

The report says the OIG “also concluded the implementation of a comprehensive asset management system could provide NCUA management with reliable information to support decision-making and evaluate the performance of its inventory management program.”

Despite “significant information limitation,” the report presents valid findings and conclusions based on evidence deemed to be sufficient and appropriate to support its conclusions, the OIG stated. “We did not identify fraud or any indicators of fraud during our audit. However, given the significant information limitation, we believe that the risk for fraud within the NCUA’s inventory systems was high due to an ineffective internal control environment and therefore make no judgments as to its existence.”

The seven recommendations made by the OIG include:

  • finalize a draft handbook on accountable property operations;
  • develop a responsibility statement to the Record Receipt—Property Issued to Employee Form that all employes, contractors, and others who are issued IT equipment must acknowledge (electronically or in writing) issuance of NCUA equipment procedures;
  • ensure performance criteria are incorporated into performance plans for all employees who are responsible for managing the agency’s IT equipment;
  • implementa comprehensive asset management system that designated employees must update, within a specific number of days, upon acquisition, distribution, and disposition of IT equipment, in accordance with NCUA’s instruction, handbook, and related documents;
  • survey IT equipment at least annually to identify excess or exhausted equipment, and then sell, transfer, or donate within a specific timeframe, according to parameters established in NCUA’s instruction, handbook, and related documents;
  • ensure the new instruction, handbook, and related documents provide a specific number of days for the removal of assets from the NCUA’s financial system; and
  • consider in future contracts for IT equipment the ability to buy or lease assets on demand, which would reduce costs for equipment not needed.

Audit of the NCUA’s Information Technology Equipment Inventory (Report #OIG-19-05 March 28, 2019