[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
                  U.S. DEPARTMENT OF VETERANS AFFAIRS

              INFORMATION TECHNOLOGY INVENTORY MANAGEMENT

=======================================================================


                                HEARING

                               before the

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 of the

                     COMMITTEE ON VETERANS' AFFAIRS
                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 24, 2007

                               __________

                             Serial 110-36

                               __________

       Printed for the use of the Committee on Veterans' Affairs




                     U.S. GOVERNMENT PRINTING OFFICE

37-474 PDF                 WASHINGTON DC:  2008



                     COMMITTEE ON VETERANS' AFFAIRS

                    BOB FILNER, California, Chairman

CORRINE BROWN, Florida                   STEVE BUYER, Indiana, Ranking
VIC SNYDER, Arkansas                     CLIFF STEARNS, Florida
MICHAEL H. MICHAUD, Maine                JERRY MORAN, Kansas
STEPHANIE HERSETH SANDLIN, South Dakota  RICHARD H. BAKER, Louisiana
HARRY E. MITCHELL, Arizona               HENRY E. BROWN, JR., South Carolina
JOHN J. HALL, New York                   JEFF MILLER, Florida
PHIL HARE, Illinois                      JOHN BOOZMAN, Arkansas
MICHAEL F. DOYLE, Pennsylvania           GINNY BROWN-WAITE, Florida
SHELLEY BERKLEY, Nevada                  MICHAEL R. TURNER, Ohio
JOHN T. SALAZAR, Colorado                BRIAN P. BILBRAY, California
CIRO D. RODRIGUEZ, Texas                 DOUG LAMBORN, Colorado
JOE DONNELLY, Indiana                    GUS M. BILIRAKIS, Florida
JERRY McNERNEY, California               VERN BUCHANAN, Florida
ZACHARY T. SPACE, Ohio
TIMOTHY J. WALZ, Minnesota

                   Malcom A. Shorter, Staff Director

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                  HARRY E. MITCHELL, Arizona, Chairman

ZACHARY T. SPACE, Ohio               GINNY BROWN-WAITE, Florida, Ranking
TIMOTHY J. WALZ, Minnesota           CLIFF STEARNS, Florida
CIRO D. RODRIGUEZ, Texas             BRIAN P. BILBRAY, California

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.


                            C O N T E N T S

                               __________

                             July 24, 2007

U.S. Department of Veterans Affairs Information Technology 
  Inventory Management

                           OPENING STATEMENTS

Chairman Harry E. Mitchell
    Prepared statement of Chairman Mitchell
Hon. Ginny Brown-Waite, Ranking Republican Member
    Prepared statement of Congresswoman Brown-Waite
Hon. Timothy J. Walz

                               WITNESSES

U.S. Government Accountability Office, McCoy Williams, Director, 
  Financial Management and Assurance
    Prepared statement of Mr. Williams
U.S. Department of Veterans Affairs:
Hon. Robert T. Howard, Assistant Secretary for Information and 
  Technology, and Chief Information Officer
    Prepared statement of Mr. Howard
Hon. Robert J. Henke, Assistant Secretary for Management

                       SUBMISSIONS FOR THE RECORD

Space, Hon. Zachary T., a Representative in Congress from the 
  State of Ohio
Stearns, Hon. Cliff, a Representative in Congress from the State 
  of Florida, statement

                   MATERIAL SUBMITTED FOR THE RECORD

Report:
United States Government Accountability Office, Report to 
  Congressional Requesters, July 2007, entitled, ``Veterans 
  Affairs: Inadequate Controls over IT Equipment at Selected VA 
  Locations Pose Continuing Risk of Theft, Loss, and 
  Misappropriation,'' GAO-07-505
Tables and Figures from GAO-07-505 [The Tables and Figures are 
    included in the GAO report and will not be reprinted.]
Post Hearing Questions and Responses for the Record:
Hon. Harry E. Mitchell, Chairman, and Hon. Ginny Brown-Waite, 
  Ranking Republican Member, Subcommittee on Oversight and 
  Investigations, to Hon. R. James Nicholson, Secretary, U.S. 
  Department of Veterans Affairs, letter dated July 20, 2007, 
  requesting the VA to provide the most recent equipment 
  inventory certification letters from all facility directors 
  [The information was provided to the Subcommittee and will be 
  retained in the Committee files.]


                  U.S. DEPARTMENT OF VETERANS AFFAIRS
              INFORMATION TECHNOLOGY INVENTORY MANAGEMENT

                              ----------


                         TUESDAY, JULY 24, 2007

            U. S. House of Representatives,
      Subcommittee on Oversight and Investigations,
                            Committee on Veterans' Affairs,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 2:07 p.m., in 
Room 334, Cannon House Office Building, Hon. Harry E. Mitchell 
[Chairman of the Subcommittee] presiding.
    Present: Representatives Mitchell, Walz and Brown-Waite.

             OPENING STATEMENT OF CHAIRMAN MITCHELL

    Mr. Mitchell. Good afternoon. Welcome to the Subcommittee 
on Oversight and Investigations, and today's hearing is on 
information technology (IT). This hearing will come to order.
    I want to thank everyone for coming here today. I am very 
pleased that so many folks could attend this oversight hearing 
on the U.S. Department of Veterans Affairs (VA) information 
technology inventory issues. We know that VA has serious 
problems with keeping track of its IT inventory. This is not 
just a dollar issue, although it is certainly that; it is also 
a security and privacy issue. VA's inventory deficiencies mean 
that VA cannot assure that private medical and other 
information belonging to the Nation's veterans remains private.
    We are going to begin the hearing today by hearing from the 
U.S. Government Accountability Office (GAO) and their GAO 
report, and this is the report that is being released today: 
Inadequate Controls over IT Equipment at Selected VA Locations 
Pose Continuing Risk of Theft, Loss and Misappropriation. This 
was just released today, showing the results of its testing of 
inventory systems and procedures at four VA locations.
    The results are not pretty. As you can see from the chart, 
and there is a chart over here, most of you cannot see it here, 
but Members on the dais can see it. The sample location GAO 
tested showed that from 6 to 28 percent of IT items listed as 
being in inventory could not be located. The Washington, DC, VA 
Medical Center could not find an astonishing 28 percent of the 
IT items in inventory. The missing items at the four locations 
had a combined value of $6.4 million.
    Sad to say, this is not a recent problem. In July 2004, GAO 
reported that the six VA medical centers it audited did not 
have reliable property databases. GAO followed up on these 
sites as part of its current report and concluded that more 
than $13 million in IT equipment was still missing from those 
sites. Incredibly, an inventory being conducted by one of these 
sites in response to the 2004 GAO report is still not complete.
    If this were not bad enough, GAO further reports that VA 
has seriously flawed policies and procedures. Again, the chart 
illustrates the extent of the problem. One line says 
``incorrect user organization.'' That means the inventory 
system incorrectly identified to whom the equipment was 
assigned.
    Look at the numbers: 80 percent of the Washington, DC, 
medical facility, 69 percent in Indianapolis, 70 percent in San 
Diego.
    VA's central headquarters does better, only 11 percent, but 
more than makes up for this with physical location of 44 
percent of its IT equipment misidentified in its inventory 
database.
    The issue of security could not be better illustrated than 
by a photograph you see over here, and there is a photograph, a 
blowup. And this photograph is of an IT equipment storeroom at 
VA central headquarters. It seems hardly necessary for GAO to 
have pointed out that this storeroom did not meet VA's 
requirements for motion intrusion detection alarm, secure 
doors, locks and special access keys.
    Security is no small matter, and we are not concerned only 
about hardware. GAO found hard drives at two of the four 
locations that were designated as excess property to be 
disposed of. It still had hundreds of veterans' names and 
Social Security numbers. This is completely unacceptable.
    At this time, I ask unanimous consent that the complete GAO 
report be entered into the record. Seeing no objection, so 
ordered.
    [The report, GAO-07-505, entitled, ``Veterans Affairs: 
Inadequate Controls over IT Equipment in Selected VA Locations 
Pose Continuing Risk of Theft, Loss and Misappropriation,'' 
appears on p. 41.]
    Mr. Mitchell. I can assure you, we will be back to hear 
this. We intend to ask GAO to conduct other checks of VA's 
inventory system in a few months' time, and if another hearing 
turns out to be necessary, we will have another one.
    Last week, Ms. Brown-Waite and I sent a letter to the VA--
and this is part of our letter--requesting copies of the most 
recent annual equipment inventory certification letters from 
all facility directors. We also requested a list of all 
facility directors who did not provide certification for 
completing their annual inventories. I would like to thank the 
VA for their prompt response.
    At this time, I ask unanimous consent that Ms. Brown-
Waite's and my letter be entered into the record. Seeing no 
objection, so ordered.
    [The July 20, 2007, letter to U.S. Department of Veterans 
Affairs Secretary Nicholson, appears on p. 73.]
    Mr. Mitchell. Before I recognize the ranking Republican 
Member for her remarks, I would like to swear in our witnesses, 
and I would like to ask all witnesses if they would please come 
forward and rise, both the first panel and the second panel. If 
you would, all please rise.
    [Witnesses sworn.]
    Mr. Mitchell. Thank you.
    [The prepared statement of Chairman Mitchell appears on p. 
29.]
    Mr. Mitchell. I now recognize Ms. Brown-Waite for opening 
remarks.

          OPENING STATEMENT OF HON. GINNY BROWN-WAITE

    Ms. Brown-Waite. I thank the Chairman very much, and I also 
thank those who will be presenting today. My goal for this 
hearing is not just to learn where VA is relative to the 
current IT inventory management, but to learn where and how 
they are working to improve security controls, maintenance and 
management of their equipment.
    The July 2007 GAO report, which the Chairman just had 
admitted to the record, increased my growing concern over VA's 
control over its inventories from my reading of the weekly 
Security Operations Center (SOC) reports. The GAO report 
reflected four specific sites for their report. During this 
study fewer than half of the items GAO selected for testing 
could be located, and most of the items were information 
technology equipment.
    GAO found that the four VA locations reported over 2,400 
missing IT equipment items valued at about $6.4 million. These 
were identified in inventories performed during fiscal years 
2005 and 2006.
    Equally troubling in the information in the report was that 
missing items were not always reported right away, and in some 
instances, not for several years. At one of the locations, as 
shown on the easel, 28 percent of the items surveyed during the 
GAO audit were missing.
    Mr. Chairman, I find the lack of control over equipment 
completely unacceptable. Here in the House of Representatives 
our acquisition offices perform annual equipment inventories in 
all offices. The Chief Administrative Officer's staff comes 
into our offices either to tag equipment we have purchased, 
remove equipment we no longer use, or inventory the equipment 
under our control. By keeping a centralized acquisition and 
inventory process, the House is able to maintain tight control 
over its equipment inventory. Given the results of the GAO 
report, it appears that the VA is unable to do likewise.
    According to the report, there is also a lack of user-level 
accountability for the IT equipment due to weak overall control 
of the equipment environment. The IT personnel and IT 
coordinators do not have physical possession or custody of all 
the IT equipment under their purview. Therefore, they are not 
held accountable for IT equipment determined to be missing 
during physical inventories.
    In my opinion, Mr. Chairman, there needs to be 
accountability for inventories from the chief executive officer 
clear down the line to the user who is ultimately using the 
product. But I guess you could also say ``using or losing the 
product.''
    The weekly SOC reports consistently show missing IT-related 
items from the VA's inventories, whether it is listing old 
equipment that possibly had been disposed of after it was no 
longer of use to the VA, or new equipment that had been stolen.
    I am heartened to note that the VA is working with local 
and Federal law enforcement to track down and retrieve newer 
stolen equipment, but dismayed to see the number of equipment 
items that were either transferred to other facilities and not 
tracked or disposed of without proper notation in the equipment 
inventories.
    As of February 28th, the GAO report found four case-study 
locations covered in their report that were--2,400 IT equipment 
items weren't found, it was revealed, with a combined original 
acquisition value of about $6.4 million, as a result of 
inventories VA performed during fiscal years 2005 and 2006.
    Based on information GAO obtained through March 2, 2007, 
the five case-study locations previously audited had identified 
over 8,600 missing IT equipment items, with a combined original 
acquisition value of over $13.2 million. GAO reported that the 
missing IT items represent record keeping errors, the loss, 
theft or misappropriation of IT equipment.
    The GAO also cited that, because most of the nine case-
study locations had not consistently performed required annual 
physical inventories or completed reports of survey promptly, 
which prevented the reporting of missing IT equipment in some 
instances for several years. I am also surprised when I see a 
report--see a SOC report reporting the first instance of 
listing a missing piece of IT equipment from the mid-nineties; 
operating systems for this equipment would be totally out of 
date long ago, and it leaves me wondering just how long the 
equipment was actually missing before it was reported.
    Mr. Chairman, this is not the first time that GAO has 
reported on deficiencies in information technology equipment 
controls. In 2004, there was a similar report on VA medical 
centers entitled Internal Control Over Selected Operating 
Functions Needs Improvement. In this report, GAO indicated that 
the six VA medical centers they audited lacked a reliable 
property control database. One of the medical centers reviewed 
also was included in the most recent report, and yet those 
issues still remain.
    I look forward to today's hearing and hearing from today's 
witnesses and those accompanying them on how VA plans on moving 
forward, and how quickly and efficiently we can hope and 
encourage them to follow up on GAO's recommendation.
    I thank you, Mr. Chairman. I yield back the balance of my 
time.
    [The prepared statement of Congresswoman Brown-Waite 
appears on p. 30.]
    Mr. Mitchell. Thank you.
    Mr. Walz?

           OPENING STATEMENT OF HON. TIMOTHY J. WALZ

    Mr. Walz. Thank you, Mr. Chairman, thank you to the Ranking 
Member, and thank you to our panelists for being here today at 
this incredibly important hearing. Those of us that go out and 
talk to our veterans, this issue is still very, very important 
and at the forefront of what they are concerned about.
    I am one of those 26 million veterans who received the 
infamous letter saying my information may have been 
compromised, and what this does, from the sinking feeling of 
loss of personal security and the concern over data theft, is 
concern for the individual. It has a very corrosive effect on 
trust in the VA in general, and that is the part I am most 
concerned about.
    I am here today welcoming all of us as team players to 
figure out how we get at this, but I think each of the Members 
up here is sensing the frustration amongst our constituents and 
our veterans that this is another one of those issues we speak 
of often, yet see very little movement forward.
    So this is, to me, an absolute priority. We have to make 
sure that faith in the VA system remains strong and that data 
security is protected.
    So with that I look forward to these panels, and thank you 
again, Mr. Chairman, for holding this hearing.
    Mr. Mitchell. Thank you, Mr. Walz.
    At this time, I ask unanimous consent that all Members have 
5 legislative days to submit a statement for the record. Seeing 
no objection, so ordered.
    Mr. Mitchell. I will now proceed to Panel 1. Mr. McCoy 
Williams is the Director of Financial Management and Assurance 
for the U.S. Government Accountability Office. Mr. Williams' 
team was responsible for writing this troubling report on VA's 
IT inventory management. We look forward to hearing his views 
on what VA needs to do to improve inventory controls.
    Mr. Williams, if you would proceed but also keep in mind 
that we would like to keep this at 5 minutes.

STATEMENT OF McCOY WILLIAMS, DIRECTOR, FINANCIAL MANAGEMENT AND 
 ASSURANCE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, ACCOMPANIED 
 BY GAYLE L. FISCHER, ASSISTANT DIRECTOR, FINANCIAL MANAGEMENT 
      AND ASSURANCE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Williams. Thank you. Mr. Chairman, Members of the 
Subcommittee, Ms. Fischer and I thank you for the opportunity 
to discuss our recent audit of controls over IT equipment at 
the Department of Veterans Affairs.
    In light of reported weaknesses in VA inventory controls 
and reported thefts of laptop computers and data breaches, the 
adequacy of such controls has been an ongoing concern. Today, I 
will summarize the results of our recent work, the details of 
which are included in our audit report, which the Subcommittee 
is releasing today. This audit followed a July 2004 report in 
which we identified weak practices and lax implementation of 
controls of equipment at the six VA medical centers we audited.
    For today's testimony, I will provide the highlights of our 
current findings related to three key issues: first, the risk 
of theft, loss or misappropriation of IT equipment at selected 
VA locations; second, whether selected VA locations have 
adequate procedures in place to assure physical security and 
accountability over IT equipment and excess property disposal 
process; and third, what actions VA management has taken to 
address identified IT equipment inventory control weaknesses.
    First, we concluded that for the four case-study locations 
we audited, there was an overall lack of accountability for IT 
equipment. Based on our tests of IT equipment inventory 
controls, we estimated that the percentage of inventory control 
failures related to missing items ranged from 6 percent at the 
Indianapolis Medical Center to 28 percent at the Washington, 
DC, Medical Center.
    In addition, we determined that VA property management 
policy does not establish accountability with individual users 
of IT equipment. Consequently, our control tests identified a 
pervasive lack of user level accountability across the four 
case-study locations and significant errors in recorded IT 
inventory information concerning user organization and 
location.
    Our analysis of the results of physical inventories 
performed by the four case-study locations in our current audit 
identified over 2,400 missing IT equipment items with a 
combined original acquisition value of about $6.4 million. In 
addition, the five locations we previously audited had reported 
over 8,600 missing IT equipment items, with a combined original 
acquisition value of over $13.2 million.
    Further, we found that missing IT items were often not 
reported for several months, and in some cases, several years, 
because most of the case-study locations had not consistently 
performed physical inventories or promptly completed the 
required report of survey.
    Second, Mr. Chairman, our limited tests of computer hard 
drives in the excess property disposal process at the four 
case-study locations found no data on those hard drives that 
were certified as sanitized. However, file dates on the hard 
drives we tested indicate that some of them had been in the 
disposal process for several years without being sanitized, 
creating an unnecessary risk that sensitive personal and 
medical information could be compromised.
    We also found numerous unofficial IT equipment storage 
locations in VA headquarters area office buildings that did not 
meet VA physical security requirements. For example, at some VA 
headquarters locations excess computer equipment was stored in 
open, unsecured areas.
    Finally, VA has made limited progress in addressing these 
problems since our July 2004 report, including, among other 
things, clarifying property management policies and 
centralizing IT functions under the new Chief Information 
Officer (CIO) organization. However, the Department has not yet 
ensured consistent implementation of effective controls for 
accountability of IT equipment inventory.
    Mr. Chairman, until these shortcomings are addressed, VA 
will continue to face major challenges in safeguarding IT 
equipment and sensitive personal data stored on this equipment 
from loss, theft and misappropriation.
    In conclusion, Mr. Chairman, strengthening the overall 
control environment and establishing specific IT controls will 
require a renewed focus, oversight and continuing commitment 
throughout the organization.
    This concludes our prepared statement. Ms. Fischer and I 
would be very happy to answer any questions that you or other 
Members of the Subcommittee may have at this time. Thank you.
    [The prepared statement of Mr. Williams appears on p. 31.]
    Mr. Mitchell. Thank you, Mr. Williams.
    In your first--in your most recent report, the GAO 
concluded that poor accountability and weak control environment 
have left the four VA case-study organizations vulnerable to 
continuing theft, loss and misappropriation of IT equipment and 
sensitive personal data. This conclusion is no different than 
what the GAO reached in 2004. Is that true?
    Mr. Williams. That is true, Mr. Chairman. While the 
conclusion is the same, if you look at the specific numbers as 
far as the amount of items that we were unable to find in the 
audit that we did in 2004, there has been some improvement 
there, but there is still a lot of work to be done. Given that 
amount of timeframe, there are some things that you would have 
expected to have been completed by this time based on those 
findings, but the conclusion is definitely the same.
    Mr. Mitchell. In your opinion, what is the VA's problem? 
Why hasn't anything really been done?
    Mr. Williams. I think, to address this problem, there are 
two or three things that need to be done; and I think one of 
the things that I would start out with is that there needs to 
be accountability, as we have stated in the report, at the 
individual level.
    When you have got accountability that is not assigned to 
the individuals in a situation which, as I like to say, when 
everybody is accountable, you end up with no one being 
accountable. Then you need to make sure that you have policies 
and procedures that are in place that are consistent throughout 
the organization, and they are carried out.
    It is one thing to have policies and procedures in place, 
but you want to make sure you have that oversight to make sure 
those policies and procedures are being implemented by 
management in the organization.
    Mr. Mitchell. Thank you. A bad inventory system obviously 
raises concern about wasting taxpayers' money, but there are 
also security concerns, concerns that are particularly acute 
given the VA's recent episodes on data loss.
    Your report describes concerns with the security of private 
veteran data. Please tell us about how the VA's inadequacy of 
their inventory system creates a danger for data loss.
    Mr. Williams. I think one of the examples that I just 
finished talking about in my opening statement was, we did not 
find any data on those hard drives that had been identified as 
being sanitized. The problem comes in, the risk comes in when 
you have hard drives that are waiting to be sanitized, and 
those are in file cabinets or in storage bins and they have 
been there for years.
    So when you leave those hard drives there, there is always 
the risk that someone can come along and take it and extract 
that information and use it for reasons that are not good.
    The other concern that we had was the security around the 
locations where the items were actually stored. As you can tell 
from one of the pictures that we have here, that there are 
certain requirements as far as what type of security is 
supposed to be associated with this type of equipment. Rooms 
are supposed to be locked, and so forth, there are supposed to 
be floor-to-ceiling walls so that individuals cannot get over 
and take some of these items out.
    So that is the concern we have. You want to make sure that 
you have got those controls in place so that this sensitive and 
very important data is properly protected and not in the 
hands--the possibility of its being in the hands of someone 
that would use it for bad purposes.
    Mr. Mitchell. You mentioned just a second ago about the 
importance of user-level accountability and how important that 
is. You also pointed out that they don't have it in the VA 
except for IT equipment that is taken off-site.
    What is the current process the VA has for assigning 
custody for IT equipment?
    Mr. Williams. As we stated in the report, there is a 
process in which you basically get a hand receipt for items 
that you are going to be--I guess mobile items, things you take 
offsite.
    The concern that was raised in our review of that 
particular area--and I will let Ms. Fischer chime in on the 
specific numbers if I am off. I think we requested about 15 
items to look at, items to identify if the policy was actually 
being followed, if there was actually a hand receipt for those 
items being taken off; and of that number, I think six items we 
were unable to get the hand receipt--the documentation to show 
the support for this is a receipt for this item being taken 
out.
    There were about nine other items; I think six of those 
nine we basically found that the documentation was recorded 
after the fact, I believe. And for two of the items we found it 
was valid. So out of those 15, we were only able to identify 2 
in which the process had actually been followed.
    Mr. Mitchell. One very quick follow-up, if the Subcommittee 
will indulge me here.
    How difficult would it be to implement a user 
accountability system?
    Mr. Williams. I think it would take some time to set that 
system up initially, but from a cost-benefit standpoint, once 
you get that particular process set up and you do that 
inventory on an annual basis, or whatever basis that you decide 
you want to do it, I think it is a process that could be 
followed and implemented throughout the organization.
    We have it at my organization. Once a year I get a call and 
I am notified that there is an inventory that is going to be 
performed. When that piece of equipment was assigned to me, I 
signed off on a sheet of paper and basically stated that, McCoy 
Williams, you are responsible for this particular computer, 
this particular device or what have you. It is only a matter of 
time, of another person coming through, independent 
verification; they will look at the code that is on the 
equipment and basically check it off as being in my control.
    So I don't think it is a major, major problem. I will let 
Ms. Fischer add.
    Ms. Fischer. Mr. Chairman, I do want to point out that the 
Washington, DC, Medical Center implemented user level 
accountability for their IT equipment during March of 2007 as 
we were wrapping up our work. We have looked at their policy. 
It looks pretty good.
    When a user signs for accountability of their IT equipment, 
they are acknowledging at least eight rules and guidelines that 
they are attesting to that they will follow; and you might want 
to ask your witnesses today in Panel 2 how that is working for 
them.
    Mr. Mitchell. Thank you.
    At this time I would like to recognize Ms. Brown-Waite.
    Ms. Brown-Waite. Thank you, Mr. Chairman. I first of all 
thank both of you for being here.
    Mr. Williams. Thank you.
    Ms. Brown-Waite. Mr. Williams, is it that the policies VA 
currently has aren't being followed or that they need totally 
new policies?
    Mr. Williams. I wouldn't say that they need totally new 
policies, but I think there need to be some revisions to the 
policies to strengthen some of the controls. But there are also 
some controls that they currently have in place in those 
policies that we found were not being followed, so I would say 
it is a combination.
    Ms. Brown-Waite. A combination.
    Let me ask you this. In your report you mention the fact 
that VA policy mandates that a report of survey be appointed 
when there is a possibility that a VA employee may be assessed 
pecuniary liability or disciplinary action as a result of loss, 
damage or destruction of property and the value of the property 
is $5,000 or more.
    Are you aware, has this board survey ever been appointed 
and has anybody ever been held accountable for missing items?
    Mr. Williams. We will take this one jointly.
    Ms. Fischer. They have appointed boards of survey to 
further investigate items that are identified as missing in 
their physical inventories. We don't know of any specific 
instances where individuals have been held liable for lost 
equipment. However, VA probably has that information. You could 
ask the witnesses on Panel 2 if they have examples of that.
    Ms. Brown-Waite. If I may follow up with another question 
for Ms. Fischer, the report mentions a problem with purchase 
cards.
    Could you explain why IT equipment bought with a government 
purchase card was not recorded in the property records?
    Ms. Fischer. Yes, Congresswoman Brown-Waite. Their policy 
did not require the purchase card holders to notify the 
property officers when they acquired computer equipment with 
the purchase card. So it was put into service and never entered 
in the inventory records.
    We made a recommendation, and VA has stated that they will 
have that policy in place this month. Our recommendation was 
that they, of course, implement that requirement.
    Ms. Brown-Waite. And were they receptive to implementing 
that requirement? It just--to the average citizen out there, it 
just seems as if one hand does not know what the other hand is 
doing when it comes to inventory in the VA. It really does seem 
that way. And the sad part of it is, that translates into fewer 
dollars actually being used for the veterans, which I know 
troubles every Member of this Subcommittee up here. So is 
that----
    Mr. Williams. Let me take that.
    I would start by saying that having read VA's testimony for 
today, I think that if those actions that have been identified 
in today's testimony are followed through on, it looks like 
that is putting them on track to address these problems that we 
have identified back in 2004, as well as the problems that we 
have identified in our report that is being released today. 
That means that it is probably too soon to tell at this 
particular point in time.
    We have laid out the issues and we have laid out the 
recommendations. I think that this is a good first start, based 
on what I see in the testimony today. The proof will be in the 
actions that will follow down the road to see if these 
recommendations are actually implemented.
    Ms. Brown-Waite. Based on what we have heard so far, how is 
the team able to find most of the equipment when VA didn't know 
who had the equipment or where it was?
    Ms. Fischer. They were pretty familiar with the process by 
the time we did our second audit; and they had a team 
accompanying us, and when items could not be located, they sent 
people out to look for, say, turn-in documentation that may 
exist where items hadn't been updated in inventory as being 
disposed of. They looked at where IT equipment was plugged into 
the networks. Sometimes the central system could tell them 
where that equipment was located. And in some cases they did a 
full facility search.
    VA headquarters actually sent teams to the field to 
determine whether some of the IT equipment had been transferred 
to field locations without updating the inventory record. So 
all of these human intervention efforts helped them locate some 
of the items we couldn't initially identify during our 
inventory.
    Mr. Williams. May I add a point to that, because I was 
involved in the 2004 inventory also; and I remember to this 
date one location that I actually visited, and we had the same 
type of assistance in which VA staff would actually go to the 
various locations, and we would try to identify the properties 
and all.
    At this one particular location I recall my staff and I 
pulled up to the building and basically introduced ourselves 
and stated what we were there for, and we basically got the 
old-fashioned cold shoulder that you're here during my lunch 
time and this is not an important event for me.
    I would add the attitude this time, I think, based on Ms. 
Fischer's team going out, is the organization understands the 
importance of taking these inventories and why it is important 
you have these good records for the property that is in your 
control.
    Ms. Brown-Waite. With that, I yield back.
    Mr. Mitchell. Thank you.
    Mr. Walz?
    Mr. Walz. Thank you, Mr. Williams and Ms. Fischer. I really 
appreciate this; I appreciate the work that you are doing on 
this.
    I, for one, again can't stress enough that I believe that 
the work that the VA is doing and all the good that it is doing 
is almost immeasurable. But any time we have these types of 
issues, it totally undermines everything we are doing. So the 
criticalness of this and the sense of urgency is very much here 
with this Subcommittee.
    I want to just lay out a bit of a scenario and talk to you 
about this, having had some experience in Federal Government. 
But I think--Mr. Williams had me intrigued with his idea of 
this individual accountability thing.
    At one time, when I was a lowly GS-7, I was in charge of 
managing a National Guard armory, and I can remember signing 
those property books and being in charge of those, and I was 
the only one there and there were millions of dollars of 
equipment, from howitzers to mop heads, and they were all on 
the property books. I had to be accountable for every single 
one of them.
    I can remember turning an armory upside down looking for 
little radiac meters they gave us to see radiation in there 
that we weren't sure how to use them, but they had been given 
to us and they had a value; and the checklist and the 
accountability on that was so strong. I was absolutely there, 
and I actually processed some of these, on myself and others, a 
statement of charges if things were lost and they were under 
your care; and sometimes they were accidental and they would 
find out what happened and you would be cleared because it got 
run over accidentally in a training exercise. But there was no 
doubt in my mind somebody was watching, and I was accountable, 
and my commander, for every single piece of equipment. And this 
was back in 1989 when you had the big green printout sheets 
that would come.
    With the ability we know now to organize data, it seems 
amazing to me, because every month a random inventory, a 
partial inventory of our whole inventory would come out to us 
and we would have to physically sign off at the end. It 
behooved you to be organized, to know where this was and to 
know there was a day of reckoning if it was not there.
    My question is, especially on a large scale like that--
there were thousands of armories across the United States, and 
if you don't think these inventories were detailed, it was down 
to every single socket in tool kits, and if you didn't have the 
3/16th socket, no matter what else you had, somebody wanted to 
know about it and somebody was going to pay for it.
    So my question to you is, it seems to me the ability to do 
this and the best practices and the checklist are out there. We 
had to close the shop at the end of the day; that included 
security of the primitive technology at the time. But it was 
locked in the vault, it was signed off, it was secured; and 
when I opened that vault, my signature went on that. And those 
sheets were checked when someone would come through, and we 
didn't brush you off because when someone came to say they were 
going to look, we had to provide it and knew we had to provide 
it.
    So my question to you is, I know the ability to deliver 
this, at least I feel, is there; and I know that the culture at 
that time was for me to make sure I delivered it.
    Is there anything about what I am saying on this that is 
applicable to the VA?
    Mr. Williams. I will start by saying, in addition to having 
responsibility for the financial management at the VA, I also 
have responsibility for financial management at the Department 
of Defense and Homeland Security, so I am familiar with those 
property books that you are talking about.
    No, you are not being unreasonable in anything that you 
said, because I see that type of activity taking place now at 
the various agencies I have responsibility for. There are other 
problems as far as having good systems to keep track of those 
property books and all that we have reported on, but that 
process is one that can be done, and it is not something that 
you have to do everything, wall to wall, at one time.
    There are various ways in which you can rotate doing that 
inventory, maybe this unit this month, this unit that month, 
and so forth. If it is looking like it is going to interfere 
with your operations, you just shut everything down and try to 
do it.
    There are various ways that it can be done, but nothing you 
have said is unreasonable to expect, nothing that you have said 
is unreasonable, and in my mind that couldn't be done to get 
this accountability down to the individual levels and have 
individuals accountable for the property that has been assigned 
to them.
    Mr. Walz. And I guess my final question is, just thinking 
of how these things rolled down as we have issues. After the 
breach in the laptop computer and the 26 million individual 
records, or roughly what the number was, we saw--I think VA and 
the government responded, and what they did was, they started 
strengthening those Health Insurance Portability and 
Accountability Act rules, making sure privacy was there. And 
now I see what I think is an unintended consequence in our 
county service officers who are having a hard time accessing 
the VA system in terms of they now have to get the sign-off 
from them for power of attorney and those types of things.
    I am wondering, have we gone over on that or is that just 
part of strengthening this system?
    Mr. Williams. That is something you have to look at. When 
you are looking at a control environment and you are putting 
controls in place, you have to look at everything from a cost-
benefit standpoint, and you don't want to put anything in place 
that is actually going to cost you more than the benefits that 
you are going to expect to derive. So it is a balancing act.
    Mr. Walz. I thank you.
    And I yield back, Mr. Chairman. Thank you.
    Mr. Mitchell. Thank you.
    Ms. Brown-Waite?
    Ms. Brown-Waite. The one question that I was going to ask, 
which may be very similar, is, in our offices we are required 
to keep track of anything over $500 as part of the inventory. 
Is part of VA's problem that a lot of the missing equipment was 
under not $500, but $5,000, that it was never actually 
inventoried before? Is that part of the problem?
    Mr. Williams. Part of the problem is that a lot of these 
items are under that $5,000 window that we are talking about. 
But we did find some items missing that were over the $5,000 
amount. But there are a lot of computers and things along this 
line that cost $2,000, $1,000, what have you. These are items 
that you can easily walk out the door with, and that is why we 
feel that it is important that, as we recommended, I think, in 
the 2004 report, you properly identify those items that are 
sensitive and less than $5,000 and make sure you put the 
controls in place so that those items that can easily walk out 
the door, that you have got some controls around them so you 
know where they are and you have got individuals that are 
accountable for those individual items.
    Ms. Brown-Waite. When I asked about the dollar amount and 
found out that it is $5,000 for inventory for the VA, I was 
told that they inventory vehicles, ammunition, weapons, 
canines. What is the value of a canine? And the reason I am 
asking this is, think about it, that canine is not going to 
jeopardize anyone's security out there. But I just find it very 
strange that that was the response that we got.
    Mr. Williams. I will be honest with you, I asked my staff 
the same question before the hearing today from the standpoint 
of--well, my first question was, am I properly pronouncing 
this? I thought it was maybe some other type of equipment. But 
my understanding is that these are valuable assets that are 
used in the process of carrying out VA operations, so they are 
actually classified as assets that fall into that sensitive 
category as defined by VA.
    Ms. Brown-Waite. I am sure that they are. My canine at home 
is priceless. But the point being that while my Bentley at home 
may be priceless--that is my dog's name, not my vehicle--
certainly the canines do not have identifying information that 
could be misused; and I guess I am questioning the priority of 
the inventory.
    Mr. Williams. Yes.
    Ms. Brown-Waite. And I just found it so totally strange 
that canines are inventoried, but computers aren't. Laptops and 
Blackberries and other things aren't. The average citizen out 
there is asking, What the heck is going on up there?
    I thank you very much.
    Mr. Williams. Thank you.
    Mr. Mitchell. Mr. Walz, any other questions?
    Mr. Walz. I just had one more question and I may know this 
answer, but I am going to get it from the experts.
    What I am reading on the San Diego facility, it talked 
about the personnel there created their cuff records. Can you 
tell me what that is?
    Ms. Fischer. They were maintaining cuff records at San 
Diego and at VA headquarters, and these were records maintained 
outside the central inventory system for various reasons. At 
San Diego, the IT staff did not have access to the property 
system, so they felt the need to keep their own records to show 
when they removed a computer for repair or moved one to another 
location, so they could track it.
    They were trying to keep accountability there. The problem 
was, they didn't have access to the central system, so they 
couldn't update the central system for those changes; and so 
the central inventory system was out-of-date because of that.
    Mr. Walz. But it would be unfair to characterize this as a 
second set of books?
    Ms. Fischer. It was, in fact, a second set of records. Both 
sets of records, the central system and the cuff records, are 
considered official records.
    Mr. Walz. Okay.
    Mr. Williams. I would add, if you are looking at a good 
control environment, you would want the records to be in your 
main system, you wouldn't want to be relying on cuff records. 
You would like to have it in your official system in a good, 
internal control environment.
    Mr. Walz. Very good.
    Ms. Fischer. The cuff records were on somebody's personal 
computer on a spreadsheet.
    Mr. Walz. They were making an effort at accountability 
because the system was hindering them from doing what they 
needed to do.
    Ms. Fischer. They were the only ones that had access to the 
records they created, so they weren't available for management 
information.
    Mr. Walz. Thank you.
    I yield back, Mr. Chairman.
    Mr. Mitchell. Thank you very much. Thank you for your 
testimony and for being here today.
    At this time I would like to welcome Panel 2 to the witness 
table. Mr. Robert T. Howard is the Assistant Secretary for 
Information and Technology at the VA and the Department's CIO. 
Assistant Secretary Howard is a former Major General in the 
Army Corps of Engineers and joined the VA in 2006 to head up 
the IT reorganization project. The Subcommittee has been most 
happy with Mr. Howard's progress in this project, but we 
understand that there is still a long way to go. We look 
forward to hearing Assistant Secretary Howard's testimony.
    And, Mr. Howard, would you please introduce the rest of 
your staff?

 STATEMENTS OF HON. ROBERT T. HOWARD, ASSISTANT SECRETARY FOR 
INFORMATION AND TECHNOLOGY, AND CHIEF INFORMATION OFFICER, U.S. 
   DEPARTMENT OF VETERANS AFFAIRS; AND HON. ROBERT J. HENKE, 
ASSISTANT SECRETARY FOR MANAGEMENT, U.S. DEPARTMENT OF VETERANS 
   AFFAIRS; ACCOMPANIED BY ADAIR MARTINEZ, DEPUTY ASSISTANT 
 SECRETARY, INFORMATION PROTECTION AND RISK MANAGEMENT, OFFICE 
    OF INFORMATION AND TECHNOLOGY; ARNIE CLAUDIO, DIRECTOR, 
  INFORMATION TECHNOLOGY OVERSIGHT AND COMPLIANCE, OFFICE OF 
  INFORMATION AND TECHNOLOGY; RAY SULLIVAN, DIRECTOR OF FIELD 
  OPERATIONS, OFFICE OF INFORMATION AND TECHNOLOGY; SANDFORD 
  GARFUNKEL, DIRECTOR, VETERANS INTEGRATED SERVICE NETWORK 5, 
VETERANS HEALTH ADMINISTRATION; LARRY BIRO, DIRECTOR, VETERANS 
 INTEGRATED SERVICE NETWORK 7, VETERANS HEALTH ADMINISTRATION; 
   FERNANDO O. RIVERA, DIRECTOR, WASHINGTON, DC, VA MEDICAL 
  CENTER, VETERANS HEALTH ADMINISTRATION; AND STEVE ROBINSON, 
CHIEF, ACQUISITION AND MATERIEL MANAGEMENT SERVICE, WASHINGTON, 
  DC, VA MEDICAL CENTER, VETERANS HEALTH ADMINISTRATION, U.S. 
                 DEPARTMENT OF VETERANS AFFAIRS

               STATEMENT OF HON. ROBERT T. HOWARD

    Mr. Howard. Yes, sir. Thank you, Mr. Chairman. I would like 
to thank you for the opportunity to testify on IT asset 
management within the Department of Veterans Affairs.
    Mr. Mitchell. Is your microphone on?
    Mr. Howard. Yes, sir. Anyway, I do thank you for the 
opportunity to testify today on IT asset management within the 
Department of Veterans Affairs.
    I am joined today by Mr. Bob Henke, Assistant Secretary For 
Management, and I am also accompanied by Ms. Adair Martinez, my 
Deputy Assistant Secretary for Information Protection and Risk 
Management; Mr. Ray Sullivan, my Director of Field Operations; 
Mr. Arnie Claudio, my Director of IT Oversight and Compliance.
    In the group behind me are Mr. Sandford Garfunkel, Director 
of Veterans Health Administration's (VHA's) Veterans Integrated 
Services Network (VISN) 5; Mr. Larry Biro, of VISN-7, Mr. 
Fernando Rivera, Director of the Washington, DC, VA Medical 
Center; and Mr. Steve Robinson, Chief Acquisition and Materiel 
Management Service for the Washington, DC, VA Medical Center.
    Sir, IT asset management is a critically important issue 
that also, as you have mentioned, has a direct bearing on our 
ability to enhance information protection throughout VA. As you 
know, the recent GAO report on VA's IT asset management found 
inadequate controls and risk associated with threat, loss and 
misappropriation of IT equipment at selected VA locations. In 
that report, GAO found inadequate accountability and included a 
number of very important recommendations with which we agree.
    As the Chief of Information and Technology for VA, I am 
responsible for ensuring compliance with the integrity and 
security of VA's IT assets. I understand that when poor IT 
inventory procedures exist, both the loss of expensive 
equipment as well as the loss of any sensitive information 
resident in the equipment could occur.
    This is a situation of the utmost importance. It is a 
situation that we are working hard to remedy. We are prepared 
to answer your questions today about procedures that already 
exist, as well as more rigorous and standard procedures that 
are being implemented.
    The GAO findings demonstrate a need for more emphasis and 
vigilance in this area. With the establishment of a single IT 
authority in the VA we are now in a much better posture to 
improve the IT asset management situation, and we have a number 
of actions already under way. We currently have several systems 
in VA that capture IT assets, and we are working to standardize 
this and move to a single IT management system.
    We have been able to locate some of the equipment that was 
reported missing. For example, regarding the items of missing 
equipment that were assigned to the previous Office of 
Information and Technology, we have been able to locate most of 
them. We assembled a team to conduct a search for missing 
items--network equipment servers, digital cameras, and so 
forth--that were assigned to the Office of Information and 
Technology prior to the consolidation of IT in the VA.
    At the end of this review, which took place over a 3-month 
period, the team had located about 90 percent of the equipment; 
and though much of the equipment was found, the lack of 
accountability was clearly evident. You should not have to go 
through that in order to find your equipment.
    To improve our asset management and accountability within 
VA, a special team has been established to develop standard 
procedures; a new directive and accompanying handbook on the 
control of information technology equipment within the VA have 
been prepared, and we have already implemented some of the 
procedures they describe. The directive and handbook will 
provide clear direction on all aspects of IT asset management.
    Additionally, we have expanded the responsibility of my 
Office of Information Technology Oversight and Compliance. This 
office was established in February of 2007 to conduct on-site 
assessments of IT security, privacy and records management at 
VA facilities. As of today, the office has completed over 58 
assessments, and the oversight of physical security for IT 
assets is now a part of their assessment routine. The results 
of the reviews will help us support and strengthen VA IT 
security controls.
    This office ensures that facilities are aligned with the 
National Institute of Standards and Technology's recommended 
security controls for Federal information systems.
    We must also increase awareness at the individual user 
level regarding accountability for IT equipment. The new 
directive and handbook mentioned earlier will require employees 
who have been assigned VA IT equipment to sign a receipt for 
the IT equipment in their possession. Supervisors will be held 
responsible for common equipment that is not assigned to 
individuals. The receipt used is the printout of the equipment 
inventory list which describes equipment assigned to employees 
by name. These procedures have already been implemented.
    We have begun to deploy network monitoring software. This 
is a very critical aspect of this issue, sir, that will help us 
detect and monitor any device that is connected to the VA 
network. Special procedures are also being implemented for 
equipment that may be considered expendable, but which must be 
accounted for, not because of the cost, but because the 
equipment has the potential for storing sensitive information. 
An example of such low-cost IT equipment that must be tracked 
are the encrypted thumb drives being distributed throughout the 
VA.
    In closing, I want to assure you, Mr. Chairman, that we 
will remain focused in our efforts to improve all aspects of 
the information technology environment in VA, including the 
overall accountability and control of IT equipment, as well as 
certain medical equipment that could potentially store 
sensitive information.
    It is about the sensitive information that we are 
particularly concerned. This will not only reduce the loss of 
expensive equipment, but also the potential loss of sensitive 
information the equipment may contain.
    Thank you for your time and the opportunity to speak to you 
on this issue and we would be pleased to answer any questions 
you may have.
    Mr. Mitchell. Thank you, Mr. Howard.
    [The prepared statement of Mr. Howard appears on p. 38.]
    Mr. Mitchell. Mr. Henke, do you care to make a statement?

               STATEMENT OF HON. ROBERT J. HENKE

    Mr. Henke. Sir, just two or three brief points and then we 
will turn to your questions, if you don't mind.
    Sir, from my perspective as the agency's Chief Financial 
Officer, any internal control deficiency, whether it is 
material or not to our financial posture, our financial 
statements, has my attention.
    First, in the GAO report, we concurred on all 12 of the 
recommendations and moved to change our policies and purchase 
card policies and modify our inventory system to add user level 
accountability to it.
    The second thing I would like to point out is that my 
internal auditors also do property reviews at VA medical 
centers. We have visited 14 medical centers to date this year, 
and in some of their findings they found stations that have 
zero discrepancies--zero discrepancies on their equipment 
inventories. What that tells me is that this can be done with 
the right amount of management attention. Salt Lake City, Utah, 
zero percent discrepancies; Muskogee, Oklahoma, 3.2 percent 
discrepancies; Wilmington, Delaware, 4.5 percent. So with 
management attention it can be done.
    Number three, we are going through a Sarbanes-Oxley-type 
process; we're in year 2 of a 3-year process where we look at 
internal controls over our financial reporting. One of the 
processes we are looking at this year is property and 
equipment. We had some results come back, fairly mixed results. 
We told the teams, the national auditors we have and my 
auditors, to go out and do more site assessments and come back 
with more information.
    Finally, sir, I would like to point out that you mentioned, 
and Ms. Brown-Waite mentioned, the 2005 and 2006 inventories 
that were being done. We have results for 2007 to date, on 
inventories, and we can speak to those. The results are very 
different, and I can speak to the point that I believe the 
institution has gotten religion about accounting for IT 
equipment.
    Mr. Mitchell. Thank you. I just have a couple questions.
    Mr. Howard, your organization has devoted a great deal of 
time to ensuring that the personal data of veterans is 
protected from disclosure. Encryption of the data is one of the 
main defenses against disclosure; do you agree with that?
    Mr. Howard. Yes, sir.
    Mr. Mitchell. If GAO reports that your inventory records 
are incomplete and inaccurate, how do you know if all IT 
equipment requiring encryption has been encrypted?
    Mr. Howard. Sir, not all the IT equipment has been 
encrypted. In fact, some of it, we cannot encrypt. An example 
of that is IT equipment that is actually a part of a medical 
device that we cannot necessarily place encryption.
    I would agree with you that encryption is an extremely 
important tool and we need to encrypt everything we possibly 
can, but there are some items that you can't, which means there 
are other methodologies you have to follow.
    The basic rule that we have established in the VA is that 
sensitive equipment--sensitive information, rather, must be in 
a protected environment at all times or it must be encrypted. 
What I mean by that is, for example, if the Veterans Benefits 
Administration--they deal with paper, lots of paper; you can't 
encrypt it. But you also must protect it in a protected 
environment--listings of names and Social Security numbers, and 
what have you.
    So although encryption is an extremely important tool, and 
we are expanding that to the maximum possible degree, it is not 
the final answer. You still have to have some procedures that 
must be followed where encryption can't help you.
    Mr. Mitchell. Thank you. Let me ask a further question 
here. Are you aware of a single instance in which the problems 
with the VA inventory system that the GAO has very clearly 
identified that have existed for years have resulted in any 
disciplinary action by anyone at the VA?
    Mr. Howard. Sir, we got into that discussion this morning. 
The answer is ``yes.'' I don't know about disciplinary, but I 
will tell you that people have been held pecuniarily liable for 
missing equipment; I don't know the numbers per se, but I do 
know that that is true.
    Mr. Mitchell. All right. One last question before I turn it 
over.
    GAO's review of physical inventories performed by the 
locations tested in 2004 and 2005 and its 2007 audit found the 
test location reported significant loss of IT equipment as a 
result of their own inventories. In particular, the Los Angeles 
Medical Center reported losses of 8,402 items with an original 
acquisition value of nearly $12.5 million.
    Please explain, if you can, how a single medical center 
managed to lose $12 million worth of IT equipment.
    Mr. Howard. I don't know specifically what occurred at that 
particular facility. But what we see, quite frankly, are a 
number of the items that you have addressed earlier. And that 
is the movement of items; the equipment may be there, but it is 
moved somewhere else and you lose track of it. The real 
question is, is it truly missing or has it been moved somewhere 
else.
    And the numbers--for example, in my own organization, in 
last August of 2006 internal, right after the May breach, we 
directed an internal inventory take place. About 1,900 items 
could not be located to the amount of almost $8 million. We put 
a team to run around try to find that stuff, and brought it 
down to about 440 items, which we will implement a report and 
survey on.
    Now we should not have had to do that, but it gives you an 
idea of how transient this equipment is and very easy to move 
around. Which brings me to the point that it is not only going 
around with a clipboard or a scanner; software--you know, 
network monitoring software, is absolutely critical to solving 
this problem, because the equipment is too mobile. If it moves 
down the hall and gets plugged into the network, you need to 
see that right away. And there is software out that we will 
actually have deployed in certain parts of the VA that is 
tremendously helpful in keeping track of this item of 
equipment.
    With respect to the particular facility involved, it is 
probably a combination of things, poor inventory procedures, as 
well as not keeping up with the inventory on a quarterly basis.
    Mr. Mitchell. What kind of actions are you taking to 
correct those problems?
    Mr. Howard. If you want me to describe the new procedures 
we are putting in place, I can do that. It is different from 
the way it is handled right now.
    Mr. Mitchell. Maybe after everyone has a chance. My time is 
up.
    Mr. Howard. Okay.
    Mr. Mitchell. Ms. Brown-Waite?
    Ms. Brown-Waite. I thank the Chairman.
    Mr. Henke, the last time you were here I realized what a 
difficult job you have, and that is changing the culture at VA.
    GAO, in its report, stated that the VA's purchase card, 
credit card, does not require IT equipment bought with the 
purchase card to be reported to property management officials, 
and as a result there is no assurance of any kind of 
accountability over this equipment. GAO has reported that this 
is a continuing problem at VA headquarters.
    Why did the VA wait until GAO came out with this report 
before taking action?
    Mr. Henke. Ma'am, this is actually the subject we discussed 
at our last hearing when Mr. Walz asked me what things we 
could do better and differently on the purchase cards.
    What we have done is changed--the policy already existed in 
the property policy that you need to inventory things that are 
sensitive or above $5,000. It simply wasn't reflected in the 
purchase card policy. That is not to say that people shouldn't 
have been doing it.
    There was a policy out that said, if you buy a piece of 
gear, it doesn't matter how you buy it, you buy it with a 
purchase card or not, you have to put a bar code on it and 
inventory it. So this was just tightening up one of the holes 
we found in our policies for purchase card holders to make 
these purchases.
    Another step that we have taken is--in part of 
consolidation of IT is, Mr. Howard has determined that there 
were too many purchases being made on purchase cards of IT 
equipment that were nonstandard. So we shut that down. He said, 
no more IT purchases using the purchase card; it was too loose. 
Those are the two steps we have taken to remediate that.
    Ms. Brown-Waite. General Howard, I understand there is one 
facility in the GAO report which did not include computer 
equipment valued under $5,000 in its last inventory.
    Which facility was this and under which VISN is that?
    Mr. Howard. Ma'am, I believe that was VISN-16, Houston. I 
believe it was the result of improper instructions that took 
place.
    Ms. Brown-Waite. And what sort of direction from the VISN 
or to the VISN has been given?
    Mr. Howard. Ma'am, I am not sure how that situation has 
been corrected. There is clear instruction regarding sensitive 
items. In fact, there is a memo that Mr. McFarland and Tim 
McClain signed out on October of 2005 that listed and discussed 
equipment that was less than $5,000. So the instruction is 
clear; there is a directive that goes all the way back to that 
timeframe about what sensitive items are that must be included 
in inventories. In fact, we are now expanding that list as part 
of our new procedures.
    Ms. Brown-Waite. Is it standardized now? If you don't know 
where the equipment is, how do you know what is on the laptops?
    Mr. Howard. Ma'am, you are exactly right. The items of 
equipment that are listed in the previous memo that I just 
mentioned, the directive from October 2005 does cite personal 
computers and other equipment that we understand in IT; in 
fact, most of it is IT-type equipment, but it is not complete 
enough. The list that we have now is much more extensive, that 
we intend to follow.
    Ms. Brown-Waite. Let me also follow up with a question that 
I asked the GAO and that is about a board of survey in the VA 
to take possible disciplinary action as a result of loss, 
damage or destruction of property.
    Has this been formulated? Is anyone responsible? Because 
let me tell you that when I owned a business, if I gave one of 
my employees a computer, they clearly knew that that was their 
responsibility. But apparently this responsibility level just 
doesn't appear to be evident at the government level. So tell 
me exactly what is being done.
    Mr. Howard. There have been reports of survey and people 
have been held pecuniarily liable. I don't know about the 
disciplinary part, but the requirement to pay has occurred.
    To what extent, I don't have that information right now, 
ma'am. We can get that for you.
    Ms. Brown-Waite. Mr. Chairman, I would like to ask them to 
get that information to the Committee so we can know that 
accountability at the user level is truly taking place, 
because--and you guys need to convey that clearly. Here is a 
computer, here is a BlackBerry; it is your responsibility not 
to lose it, not to misplace it. You are going to be held 
financially responsible.
    I think the Subcommittee deserves to know that information, 
who actually has been held responsible, personal 
responsibility.
    Thank you. With that I yield back.
    [The following information was provided by VA:]

          A request was made to provide Representative Brown-Waite with 
        a list of those employees who have been held pecuniarily liable 
        for lost and/or damaged VA equipment VA-wide.
          The Veterans Health Administration (VHA), Prosthetics and 
        Clinical Logistics Office (10FL) consulted with the Office of 
        General Counsel regarding the release of a list of employee 
        names associated with this request. We were advised that the 
        Privacy Act protects information retrieved by a person's name 
        or other identifier. Therefore, VA cannot disclose such 
        information without the prior written consent of an individual, 
        or unless another exception applies. One exception permits 
        disclosure to either House of Congress, 5 U.S.C. Sec. 
        552a(b)(9).
          The Office of Management and Budget is charged by law with 
        implementing the Privacy Act, and has determined that Section 
        (b)(9) does not authorize the disclosure of a Privacy-Act 
        protected record to an individual member of Congress (see OMB 
        Guidelines, 40 Federal Register 28,948 and 28,955). Thus, the 
        exception provides authority to disclose records only to 
        requests from Chairs of Congressional Oversight Committees for 
        authorized oversight purposes. To that end, we offer the 
        attached summary and spreadsheet containing the requested data 
        (see attachments).
          [The attachment is being retained in the Committee files.]

    Mr. Mitchell. Thank you.
    Mr. Walz?
    Mr. Walz. Thank you, Mr. Chairman. And thank you, General 
Howard, for being here. And thank you for your service, and 
thank you for taking on at a difficult time. I know you have 
been on your job slightly longer than I have been on mine here. 
You came at a critical time, you came at a time when 
expectations for change were very high.
    I think the same could be said for Mr. Henke, and I 
appreciate your taking on this challenge; and I hope in the 
spirit of why we are here, working together. The ultimate 
outcome is all that matters, taking care of our veterans the 
best that we possibly can while safeguarding taxpayer dollars 
and resources.
    So in that spirit, just a couple of things I wanted to ask. 
How do you think the GAO did on this report? In your opinion, 
how do you view it? Do you think it was a fair assessment of 
what is happening, and is it going to be helpful in helping 
correct this?
    Mr. Howard. Sir, the GAO is always fair.
    Sir, it is clearly going to help us, there is no doubt 
about that. Not only reports like this that put emphasis on 
very significant problems that we must deal with, but our own 
internal efforts.
    I mentioned the oversight and compliance that Arnie Claudio 
has been doing, the SOC reports. Quite frankly, we know who is 
losing computers and we--in fact, we have got a whole list of 
that, as the Subcommittee does. You were provided the weekly 
summaries and we can pull that information from our database to 
find out what is happening with this particular piece of 
equipment. In fact, we have already started to collect that 
information; I don't have it right now, but the point is that 
oversight examination is very, very important.
    But, sir, I would like to add one thing. The oversight and 
the examinations, investigations, highlight the problem, but 
sometimes we understaff support-type activities. Organizations 
tend to do that. I don't know for sure. I am looking very hard 
through the new IT organization.
    As you know, we own all the IT folks and we are examining 
what we have. Where are they? Do we need more or less, or do we 
need to move people around? And my guess is that this area of 
IT, of asset management, is not adequately staffed; that is my 
personal opinion, and we are looking hard at that.
    Mr. Walz. That is what we need to know. I want you to know 
that that is what we see as our responsibility. We need to know 
what you need. I would say that the willingness of this 
Subcommittee to listen and work together is probably almost 
boundless, except for the one I know puts a huge constraint on 
you is time and patience on this right now. I know that you 
need those things to a certain degree, but my question to you 
might be, what do I tell my veterans in Minnesota, what is 
going on, and reassure them of the faith, and that is what we 
are looking for. So I really appreciate your attitude on that.
    This one might be better for Mr. Sullivan. I just wanted to 
know if you could give me--what would it look like for me as an 
employee at any of the facilities, how would I start the day 
getting into my technology and how would I end the day?
    I know in my office the computers are shut off, they are 
backed up, they are password secured; and anything that is done 
behind that is done with the rolling passwords on the key chain 
thing.
    I am just wondering what would it look like out there in 
the VA system?
    Mr. Sullivan. Exactly the same for us. You would need to 
come in in the morning. You would need to go through your 
password authentication. If you step away from your computer 
for any length of time or you don't use it, it goes into 
automatic lock mode, and you would need to come back and unlock 
it. At the end of the day you would log off your computer. We 
tend to leave our computers turned on so we can do automatic 
patching and assessment at night.
    Some of the tools that we are talking about, we build an 
inventory when you log on so we know that you have a computer, 
we know where it is physically in that building. If it 
disappears from the network for a long period of time, it could 
be that it was turned off, but it sends an alert, so we can 
follow up.
    Those are the technologies we are looking to standardize 
across the Agency.
    Mr. Walz. Where is this equipment going? Is this theft or 
is this misplacement?
    Mr. Howard. Sure, some of it is theft. But theft is a minor 
problem; I think the bigger problem is keeping up with it.
    Let me give you a good example, computers excessed--in 
fact, Ray could probably pile on a little more on this. 
Computers that are excessed, are no longer useful, some 
previous operating system or whatever; you know yourself that 
is pretty fast, the turnover of equipment like that.
    Mr. Walz. Right.
    Mr. Howard. We have to go through certain procedures. We 
have to pull the hard drive, you have to cleanse it 
forensically, which means several times, it is a 4-hour drill 
to go through and clean that off. But then the equipment may 
get offered to redistribution within the VA, redistribution 
among other government agencies, redistribution to charity 
institutions. And you have to go through all these, just so. It 
is sitting there in the room as you go through all these 
procedures; you can't just get rid of it necessarily, you have 
to follow these procedures. And, quite frankly, sir, that is 
taking us too long, we need to move quicker on that.
    Ray can tell you instances where he knows for sure items 
were turned in as excess, no longer required, and they sat 
there for long periods of time. That means the IT community and 
the logistics disposal community need to work hand-in-glove to 
make sure there is follow-up.
    To do that, I intend to energize my ISOs, Information 
Security Officers, to do that follow-up with the material 
management people who handle the redistribution of assets. That 
is kind of out of our hands at that point. Very important 
capability, but it is part of the problem that we need to get 
our arms around.
    Mr. Walz. Thank you.
    And I yield back, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Mr. Henke, you are the Assistant Secretary For Management, 
and Mr. Howard, you are the Assistant Secretary For Information 
and Technology, and yet neither of you, as I understand it, has 
line authority over the logistic folks at the medical centers 
and other facilities who are responsible for inventory. Is that 
a problem?
    Mr. Howard. Sir, let me take that. Not for me, because I do 
have line authority over the CIOs. And the procedure that I 
mentioned to you before--I can now summarize that if you would 
like, the procedure that we will put in place. But it starts 
with the director of the facility--the director of the facility 
does not work for me, but they are responsible for all 
activities that occur at the facility, to include all the 
equipment that is there, the people, everything.
    But it doesn't stop there. In fact, we have already 
implemented the procedure where the CIO, the senior IT official 
at the facility, is the custodian of IT equipment, the guy who 
works for me, up through Ray Sullivan. And I do have authority 
over that person, believe me.
    What does he or she do? It doesn't stop there either, 
because he or she, working with the director, has to designate 
custodians at the very service levels. The head of radiology, 
you are responsible for the IT equipment that is in your 
jurisdiction.
    Now, the CIO and the IT people at that facility assist in 
it, but the CIO has got to take a very active role at the 
facility level to include mandating that individuals sign for 
their individual equipment and that the service chief, be it 
the head of radiology or whatever, signs for the common 
equipment that cannot necessarily be assigned to a particular 
individual.
    That is the procedure that we are putting in place. In 
fact, Ray is responsible for the directive and handbook; it is 
in draft, but we have already implemented the procedures. I 
have told my people, don't wait on this thing, you do it. We 
actually have this working group together with the 
administrations and the staff agencies and Bob's people. We are 
in agreement that this is the direction we need to go.
    But, sir, the software also has to be implemented, that Ray 
described earlier, to contract this stuff because it can move 
around so easily. One computer is down the hallway, but--all of 
a sudden, you lost it, but boom, when you stick it in the 
network, it shows right up again. This is extremely important 
for an all-encompassing solution.
    Mr. Mitchell. Thank you very much.
    This question is for Mr. Biro.
    Mr. Biro. Yes?
    Mr. Mitchell. You are the Director for VISN-7. I have been 
told you decided to take this inventory issue very, very 
seriously and do something about it; is that correct?
    Mr. Biro. Yes.
    Mr. Mitchell. And would you tell us what you did?
    Mr. Biro. Well, I have only been in VISN-7 for 4 months. It 
started with VISN-7 at Birmingham, with the loss of data at 
Birmingham. They started an inventory that was very thorough, 
and I continued to support having that inventory completed, 
which took in over 55,000 items with focus on those that had 
PII, personal identifiable information.
    We were down to about less than 20,000 items. For the items 
we couldn't find, my contribution is that, I asked for a second 
inventory; and we used teams of both information systems people 
and facility people, and we also mixed those teams up so they 
came from different facilities. So in 3 weeks, we knocked that 
list down to less than 500 items.
    My other contribution is that, I am insisting on reports of 
survey that have been talked about over and over again, be 
completed on that final missing equipment list, and that the 
appropriate disposition take place on that equipment, that we 
pursue this to the end. That is going to be done within less 
than 30 days; they are winding those down.
    To your question, then, we will look at if we can find 
people that need to be held accountable for that through that 
process. Everything that has been said we have--we have 
software, the best way to find the equipment. Much of it is 
seeing where it has been used last and where it has been, 
because it moves all over. The biggest problem is the 
portability of it, but a lot is detective work. This is the 
kind of detective work I use in 7, and I also was using in 19. 
Everywhere I have worked, something has been cited as a best 
practice.
    Salt Lake City has a perfect inventory. I used to work in 
VISN-4; they have a very good inventory. So it is paying 
attention to details and insisting on that high level of 
performance.
    Mr. Mitchell. Thank you. Sometimes this Subcommittee has a 
reputation for being very hard on the VA. We all want what is 
best for the veterans and taxpayers; they deserve nothing but 
excellence. Although we may be demanding, I really want to 
recognize what you deserve, and that is congratulations on the 
work that you are doing. You are a positive example of what can 
be done, and I want to thank you for that.
    Also, is there any reason why what you have done in VISN-7 
couldn't be done at other VISNs?
    Mr. Biro. No, there is no reason. My fellow--other 20 
network directors are working on this very hard. We just got 
some direction today--some more. Internal controls are 
extremely important, and we are working on them. I am known as 
the leader of that effort.
    Mr. Mitchell. Thank you very much.
    Mr. Biro. So I am working on it.
    Ms. Brown-Waite. If Mr. Garfunkel could come forward, 
please, I understand that you recently were promoted to VISN-5 
directorship. I guess congratulations are in order.
    I also understand that you were the last Director of 
Washington's VA Medical Center where the most current GAO 
report wasn't too kind about the way IT inventory was managed 
there.
    Would you care to comment on why your last facility's IT 
inventory sample indicated 28 percent missing items, 80 percent 
incorrect user organization identifiers and 57 percent 
incorrect location of the equipment?
    Mr. Garfunkel. Yes, ma'am, thank you.
    First of all, no matter what I say, let me say these 
numbers are totally unacceptable. In the 2004 GAO audit, we had 
something like an 87 percent ``couldn't locate the equipment''; 
that was down to 28 percent. I am very glad to say, as of April 
2007, we now are at 4 percent.
    So we have taken this audit very seriously. As GAO has 
testified, we now have personnel hand receipts responsible 
through class 3 software that was developed and we have lots of 
equipment that was--in fact, we know was surplussed in previous 
years--that should have been taken off the equipment inventory 
lists (EILs), that we thought were taken off the EILs, and it 
turns out that they were not.
    So we have done the reports of survey that have identified 
those issues, and I think we have taken very swift and definite 
action since that time to assure that we have a good system in 
place to identify this equipment.
    Ms. Brown-Waite. So what you are saying is, you were at 87 
percent missing?
    Mr. Garfunkel. I believe the 2004 audit was something like 
87 percent missing, yes.
    Ms. Brown-Waite. And the 28 percent found this time is 
good?
    Mr. Garfunkel. No, ma'am.
    Ms. Brown-Waite. And all of a sudden, we are down to 4 
percent?
    Tell me why the great discrepancy between what GAO found 
and what you are trying to convey to us now that is down to 4 
percent.
    Mr. Garfunkel. Well, since the GAO audit, we identified 
which equipment was, in fact--that we know, in fact, was 
surplussed. We bar-coded our equipment and the doors so we know 
what--by scanning the door, we know where the equipment is 
located. And we know what equipment belongs in there, so we can 
identify all the equipment.
    We have begun the process of having individuals sign for 
their individual pieces of equipment, so they will be held 
responsible for it.
    Ms. Brown-Waite. When did this procedure go into effect? 
Because obviously between 2004 and now it is--there were some 
pretty sloppy procedures going on.
    Mr. Garfunkel. Yes, ma'am, they were pretty sloppy 
procedures, although obviously there was improvement from the 
2004 audit.
    We face lots of issues. I don't want to make a lot of 
excuse for it. We implemented some actions. We identified the 
equipment we had that is no longer on station; we know what 
happened to it, and we have now put some very strong processes 
in place.
    Mr. Claudio came to our facility in, I believe, February, 
and while he had some recommendations, he felt we had pretty 
good processes in place for IT security.
    Ms. Brown-Waite. Now, is it accurate that in the new VISN 
that you have four hospitals and 15 Community Based Outpatient 
Clinics?
    Mr. Garfunkel. I believe that is correct, ma'am, yes.
    Ms. Brown-Waite. And how long have you been VISN Director?
    Mr. Garfunkel. A couple months.
    Ms. Brown-Waite. And you don't know for sure?
    Mr. Garfunkel. No--it is correct, yes.
    Ms. Brown-Waite. Well, obviously I hope that the lack of 
accountability at the other center here at Washington VA 
Medical Center is not going to be continued in your new role as 
VISN director.
    What practices are you putting into effect in VISN that you 
are now the director of?
    Mr. Garfunkel. Well, I think we are certainly going to 
follow Mr. Biro's example to make sure we have 100 percent 
wall-to-wall inventory at every facility. The VA at Maryland 
healthcare system, they are doing that over the next couple of 
weeks. We will implement the process of hand receipts as new 
policies come out, and we will make sure these inventories are 
done on a regular basis.
    Obviously, this issue has my attention and I will make sure 
it has the attention of medical directors and others and make 
sure we do the best job we can.
    Ms. Brown-Waite. Mr. Henke or Mr. Howard--I don't know who 
to ask this of, so--are we going to have standard procedures 
throughout the VA so that Mr. Biro's best management practices 
are carried out throughout the entire VA? Are we going to have 
all of these separate accounting systems out there that will be 
a future problem for you all?
    Mr. Howard. Ma'am, we are moving to a centralized system. 
It will take time. I think you know that there are various 
systems used; VHA uses one system, National Cemetery 
Administration another, there are differences.
    Several weeks ago the deputy secretary made the decision on 
the new enterprise-wide asset management application called 
Maximo; that is the one that we will begin to implement, that 
is for all assets. However, in the IT arena, we will need a 
supplement to that. The reason for it is, for normal asset 
management you need numbers: You need where it is, you need how 
much it costs, when you got it, that sort of stuff. For IT, you 
need much more information: What is on the device, is there any 
software, is it up to date, any personal identifiable 
information. You need to be able to see inside the item of 
equipment and know much more.
    So we need to augment that enterprise capability with the 
IT asset management system. And, in fact, we have got an 
request for information (RFI) on the street right now to get 
feedback on--we know what is out there; in fact, we already 
have licenses for some of these items.
    Nevertheless, we have got an RFI on the street. We need 
that capability to augment the asset management enterprise 
solution that is being put in place. We are talking about a 
process that we have to go through to remove the existing 
systems and introduce the new system that will take place, a 
Web-based system.
    Ms. Brown-Waite. Do you have a time line? As soon as that 
question is answered, I will yield back.
    Mr. Howard. On the Maximo, I think it is about a year and a 
half.
    Bob?
    Yeah. Actually, the Maximo implementation is part of Bob's 
organization, it is part of the FLITE program, the Financial 
Logistics Integrated Technology Enterprise program--the 
logistic subset is what I am now speaking to--that will 
interface with the financial system that is the other very 
important part.
    The IT system that we use must be able to feed that, it 
must provide feeds of certain elements of data that can, in 
turn, be linked to the financial system. That is where we are 
heading. It will go beyond a year, that is for sure; it is 
very, very complicated. That is because we have to remove the 
existing systems as we implement the new one.
    Ms. Brown-Waite. Thank you.
    Mr. Mitchell. Mr. Walz?
    Mr. Walz. Thank you, Mr. Chairman. Just one more question.
    Again, it goes back to if this Subcommittee wants to 
provide anything that we can provide, but the time and patience 
thing is starting to wear on people. I am just noticing on the 
GAO report that the Tampa, Florida, inventory--am I right, that 
that is not completed? 14 months, ongoing, it is showing?
    Mr. Howard. Sir, I am not sure on Tampa exactly where that 
stands, but the procedures for the inventory process, the way 
it currently should work, it is a rolling inventory. In other 
words, each quarter--in fact, those were the documents that we 
provided the Committee today to indicate where the folks are in 
terms of their inventories. Every quarter, they are supposed to 
have so much done and they sign off on that and send it in to 
headquarters. The folks that you are referring to, sir, have 
been doing that.
    We have the first two quarters of 2007, the reports--I 
believe we have them. Bob is looking at them right here; in 
fact, we have a little color code here. Obviously, if you are 
green, you are up to speed, you have in excess of 90 percent of 
your inventory done for the quarter.
    We have a few red folks who may not be keeping up to speed, 
and these reports are provided by VHA, in this case, every 
quarter.
    Mr. Walz. The thing that counsel is talking to me about is, 
the data I am getting is, you are showing ``unknown,'' it is 
showing ``number of missing items, unknown''; ``acquisition of 
missing items, unknown''; ``data on report of survey, not yet 
prepared.''
    What you are saying is, there is information supplementing 
this that we don't have or I haven't been given?
    Mr. Henke. Yes, sir, you are looking at--the facility 
performed audits in 2005 and 2006, found discrepancies, they 
have a report, they have to survey it off the books, they have 
to get rid of it, find it, reconcile.
    What we have here is a current status across VHA of fiscal 
year 2007 inventories; it tells me that we have got to date.
    If I could----
    Mr. Walz. But this would not have an outside eye like GAO 
looking at it? This would still be internal?
    Mr. Henke. That is my understanding, sir. Those are the 
internal audits that Tampa did during 2005 and 2006 in their 
clean-up work to bring those to closure, to rest and do the 
surveys----
    Mr. Walz. It is safe to say at the 14-month period they 
were not done?
    Mr. Henke. I believe that is correct, if my review of the 
report is accurate.
    Mr. Walz. Am I wrong to think that is a long time?
    Mr. Henke. You are not.
    Mr. Howard. No. 2006, we know there were some that didn't 
make it; they were in the red category.
    Mr. Henke. One more datapoint. For current information, 
through the second quarter, we across VHA had planned to 
inventory 4,000 equipment lists--not 4,000 items but 4,000 
lists of equipment. We performed 90 percent of those, so 3,618 
lists were inventoried. The results came back and we had--out 
of 391,000 pieces of equipment on those lists, we came back 
missing 0.85 percent, so that's significantly different from 
2005 and 2006 reports that you may be looking at. So it shows 
focus on the effort.
    Mr. Walz. So there is a curve that says it is improving and 
that is what we will see.
    Mr. Henke. Yes, sir. Management's attention is focused on 
it to get the problem solved.
    Mr. Walz. I yield back, Mr. Chairman.
    Mr. Mitchell. Anything else anybody would like to add?
    Let me just say, I appreciate your candidness and your 
work. As I said earlier, what we are here to do is to try to 
make sure that the veterans get what is due to them, delivery 
of services, as well as the taxpayers not getting shortchanged. 
We are concerned about excellence in all these fields.
    We are also very pleased to hear that what you are doing 
seemed to be in the right direction. Let me just say part of 
the name of this Subcommittee is ``oversight and 
investigations.'' We are not here--it seems to me to find out 
what laws need to be made, but it seems we are talking about 
policies that you can implement and policies that you can do 
and carry out for the betterment of veterans, as well as 
taxpayers.
    We appreciate that effort and what you are doing, and I 
just want you to know what we can do is investigation and 
oversight, and we are looking to the GAO to help us out. 
Hopefully, when we come back with another report, things are 
great.
    Ms. Brown-Waite. Mr. Chairman, I would ask to be able to 
ask one other question and that is of General Howard.
    What other VISNs actually have exhibited some proactive, 
rather than reactive, initiatives to really address what 
appears to have been a, hopefully in the past, laissez faire or 
lackadaisical approach to IT control? What other VISNs are 
exemplary?
    Mr. Howard. Ma'am, one for sure, in addition to Larry Biro 
in VISN-7; Max Lewis up in VISN-20 is doing a very good job. I 
would cite that VISN; in fact, that is where Ray Sullivan 
plants himself, that is where his office is up there in the 
Pacific Northwest.
    Ms. Brown-Waite. So we have two that are truly being 
proactive?
    Mr. Howard. Yes, ma'am. There are others, but those come to 
mind.
    Ms. Brown-Waite. How do we get the message across to them 
that the taxpayers do care about the inventory and the dollars 
that we are being asked every year to increase for VA?
    And when some of my colleagues talk about waste, fraud and 
abuse, I know some of the equipment is just--when someone else 
left, someone else picked up that computer and started using 
it, but you know, getting a handle on this is important. It is 
not just the equipment dollars, it clearly is also the 
availability on those computers, of identifying information 
that--if you don't know where the IT equipment is, you don't 
know what is on it and it is missing, you don't know what you 
are missing. That is part of the problem.
    And getting that message out there is certainly our job, 
but it certainly is your job. I would just encourage you to do 
that, do a best management practices, get them moving. I know 
that culture in the VA is very difficult to jump-start, but you 
need to do it, you absolutely need to do it gentlemen.
    Mr. Mitchell. Thank you. This concludes our hearing, and I 
appreciate very much all the witnesses being here today and 
thank you again.
    Mr. Howard. Thank you, sir.
    Mr. Henke. Thank you.
    [Whereupon, at 3:41 p.m., the Subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

             Prepared Statement of Hon. Harry E. Mitchell,
         Chairman, Subcommittee on Oversight and Investigations
    This hearing will come to order.
    Thank you all for coming today. I am pleased that so many folks 
could attend this oversight hearing on VA information technology 
inventory issues. We know that VA has serious problems with keeping 
track of its IT inventory. This is not just a dollar issue, although it 
certainly is that. It is also a security and privacy issue. VA's 
inventory deficiencies mean that VA cannot ensure that private medical 
and other information belonging to the nation's veterans remains 
private.
    We are going to begin today by hearing from the General Accounting 
Office concerning GAO's report, Inadequate Controls over IT Equipment 
at Selected VA Locations Pose Continuing Risk of Theft, Loss, and 
Misappropriation, released just today, showing the results of its 
testing of inventory systems and procedures at four VA locations. The 
results are not pretty. As you can see from the chart, the sample 
locations GAO tested show that from 6 to 28 percent of IT items listed 
as being in inventory could not be located. The Washington, DC VA 
medical center could not find an astonishing 28 percent of the IT items 
on inventory. The missing items at the four locations had a combined 
value of $6.4 million.
    Sad to say, this is not a recent problem. In July 2004 GAO reported 
that the six VA medical centers it audited did not have reliable 
property databases. GAO followed up on these sites as part of its 
current report and concluded that more than $13 million in IT equipment 
was still missing from those sites. Incredibly, an inventory being 
conducted by one of the sites in response to the 2004 GAO report is 
still not completed.
    If this were not bad enough, GAO further reports that VA has 
seriously flawed policies and procedures. Again, the chart illustrates 
the extent of the problem. One line says ``incorrect user 
organization''--that means the inventory system incorrectly identified 
to whom the equipment was assigned. Look at the numbers--80 percent at 
the Washington DC medical facility, 69 percent in Indianapolis, and 70 
percent in San Diego. VA's central headquarters does better--``only'' 
11 percent, but more than makes up for this with the physical location 
of 44 percent of its IT equipment misidentified in its inventory 
database.
    The issue of security could not be better illustrated than by the 
photograph you see over there. That photograph is of an IT equipment 
storeroom at VA's central headquarters. It seems hardly necessary for 
GAO to have pointed out that this storeroom did not meet VA's 
requirements for motion intrusion detection, alarms, secure doors, 
locks, and special access keys.
    Security is no small matter, and we are not concerned only about 
hardware. GAO found hard drives at two of the four locations that were 
designated as excess property to be disposed of that still had hundreds 
of veteran names and Social Security numbers. This is completely 
unacceptable.
    I can assure you, we will all be back here. We intend to ask GAO to 
conduct another check of VA's inventory system in a few months time, 
and if another hearing turns out to be necessary, we will have one.
    Last week, Ms. Brown-Waite and I sent a letter to the VA requesting 
copies of the most recent annual equipment inventory certification 
letters from all facility directors. We also requested a list of all 
facility directors who did not provide certification for completing 
their annual inventories. I would like to thank the VA for their prompt 
response to this request.

                                 
             Prepared Statement of Hon. Ginny Brown-Waite,
                       Ranking Republican Member
    Thank you, Mr. Chairman, for yielding.
    Mr. Chairman, my goal for this hearing is not just to learn where 
VA is relative to their current IT inventory management, but to learn 
where and how they are working to improve security, controls, 
maintenance and management of their IT equipment. The July 2007 GAO 
report increased my growing concerns over VA's control over its 
inventories, from reading the weekly SOC.
    The GAO report selected four specific sites for their report. 
During this study, fewer than half of the items GAO selected for 
testing could be located, and most of the items were information 
technology (IT) equipment. GAO found that the four VA locations 
reported over 2,400 missing IT equipment items, valued at about $6.4 
million, identified in inventories performed during fiscal years 2005 
and 2006. Missing items were not always reported right away, and in 
some cases, not for several years. At one of the locations, 28 percent 
of the items surveyed during the GAO audit were missing.
    Mr. Chairman, I find this lack of control over equipment completely 
unacceptable. Here in the House of Representatives, our acquisition 
offices perform annual equipment inventories in all offices. The Chief 
Administrative Officer's staff comes into our offices either to tag 
equipment we have received, remove equipment we no longer use, or 
inventory the equipment under our control. By keeping a centralized 
acquisition and inventory process, the House is able to maintain tight 
control over its equipment inventory. Given the results of the GAO 
report, it appears the VA is unable to do likewise.
    According to the GAO report, there is also a lack of user-level 
accountability for IT equipment, due to weak overall control of the 
equipment environment. The IT personnel and IT coordinators do not have 
possession (physical custody) of all IT equipment under their purview; 
therefore, they are not held accountable for IT equipment determined to 
be missing during physical inventories. In my opinion, Mr. Chairman, 
there needs to be accountability for inventories from the Chief 
Executive Officer clear down the line to the user who is ultimately 
using the product.
    The weekly SOC reports consistently show missing IT related items 
from the VA's inventories, whether it is listing old equipment that 
possibly had been disposed of after it was no longer of use to the VA, 
or new equipment that had been stolen. I am heartened to note that the 
VA is working with local and federal law enforcement to track down and 
retrieve newer stolen equipment, but dismayed to see the number of 
equipment items that were either transferred to other facilities and 
not tracked, or disposed of without the proper notation in the 
equipment inventories.
    As of February 28, 2007, the GAO report found the four case study 
locations covered in their current audit reported over 2,400 missing IT 
equipment items with a combined original acquisition value of about 
$6.4 million as a result of inventories VA performed during fiscal 
years 2005 and 2006. Based on information GAO obtained through March 2, 
2007, the five case study locations previously audited had identified 
over 8,600 missing IT equipment items with a combined original 
acquisition value of over $13.2 million. GAO reported that the missing 
IT items represent record keeping errors, the loss, theft or 
misappropriation of IT equipment. The GAO also cited that most of the 
nine case study locations had not consistently performed required 
annual physical inventories or completed Reports of Survey promptly, 
which prevented the reporting of missing IT equipment in some 
instances for several years. I am always surprised when I see a SOC 
reporting the first instance of listing a missing piece of IT equipment 
from the mid-nineties. Operating systems for this equipment would be 
totally out of date long ago, and it leaves me wondering just how long 
the equipment was actually missing before reported on the SOC.
    Mr. Chairman, this is not the first time that GAO has reported on 
deficiencies in information technology equipment controls. In July 
2004, GAO issued a report titled VA Medical Centers: Internal Control 
over Selected Operating Functions Needs Improvement. In this report, 
GAO indicated that the six VA medical centers they audited lacked a 
reliable property control database, which did not produce a complete 
and accurate record of current inventory and compromised effective 
management and security of agency assets. One of the medical centers 
reviewed was also reviewed in the most recent report, and yet issues 
remain. I look forward to hearing from today's witnesses, and those who 
are accompanying them on how the VA is going to move forward to gain 
tighter control over its inventory, and how they plan to follow up on 
GAO's recommendations.
    Thank you, and I yield back my time.

                                 
            Prepared Statement of McCoy Williams, Director,
                  Financial Management and Assurance,
                 U.S. Government Accountability Office
                             GAO HIGHLIGHTS
           Lack of Accountability and Control Weaknesses Over
                 IT Equipment at Selected VA Locations
Why GAO Did This Study
    In July 2004, GAO reported that the six Department of Veterans 
Affairs (VA) medical centers it audited lacked a reliable property 
control database and had problems with implementation of VA inventory 
policies and procedures. Fewer than half the items GAO selected for 
testing could be located. Most of the missing items were information 
technology (IT) equipment. In light of these concerns and recent thefts 
of laptops and data breaches at VA, this testimony focuses on (1) the 
risk of theft, loss, or misappropriation of IT equipment at selected 
locations; (2) whether selected locations have adequate procedures in 
place to assure accountability and physical security of IT equipment in 
the excess property disposal process; and (3) what actions VA 
management has taken to address identified IT inventory control 
weaknesses. GAO statistically tested inventory controls at four case 
study locations.
What GAO Recommends
    GAO's companion report (GAO-07-505), released with this testimony, 
includes 12 recommendations to improve VA-wide policies and procedures 
with respect to controls over IT equipment, including record keeping 
requirements, physical inventories, user-level accountability, and 
physical security. VA agreed with GAO's findings, noted significant 
actions under way, and concurred on the 12 recommendations.
What GAO Found
    A weak overall control environment for VA IT equipment at the four 
locations GAO audited poses a significant security vulnerability to the 
nation's veterans with regard to sensitive data maintained on this 
equipment. GAO's Standards for Internal Control in the Federal 
Government requires agencies to establish physical controls to 
safeguard vulnerable assets, such as IT equipment, which might be 
vulnerable to risk of loss, and federal records management law requires 
federal agencies to record essential transactions. However, GAO found 
that current VA property management policy does not provide guidance 
for creating records of inventory transactions as changes occur. GAO 
also found that policies requiring annual inventories of sensitive 
items, such as IT equipment; adequate physical security; and immediate 
reporting of lost and missing items have not been enforced. GAO's 
statistical tests of physical inventory controls at four VA locations 
identified a total of 123 missing IT equipment items, including 53 
computers that could have stored sensitive data. The lack of user-level 
accountability and inaccurate records on status, location, and item 
descriptions make it difficult to determine the extent to which actual 
theft, loss, or misappropriation may have occurred without detection. 
The table below summarizes the results of GAO's statistical tests at 
each location.


----------------------------------------------------------------------------------------------------------------
                                              Washington, DC,    Indianapolis      San Diego     VA headquarters
              Control failures                 medical center   medical center   medical center      offices
----------------------------------------------------------------------------------------------------------------
Missing items in sample                                  28%               6%              10%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user organization                              80%              69%              70%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user location                                  57%              23%              53%              44%
----------------------------------------------------------------------------------------------------------------
Record keeping errors                                     5%               0%               5%               3%
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Notes: Each of these estimates has a margin of error, based on a two-sided, 95 percent confidence interval, of
  10 percent or less. Because the four test locations did not record all IT equipment items in their
  inventory records, our estimated failure rates relate to current (recorded) inventory and not the population
  of all IT equipment at those locations.


    GAO also found that the four VA locations reported over 2,400 
missing IT equipment items, valued at about $6.4 million, identified 
during physical inventories performed during fiscal years 2005 and 
2006. Missing items were often not reported for several months and, in 
some cases, several years. It is very difficult to investigate these 
losses because information on specific events and circumstances at the 
time of the losses is not known. GAO's limited tests of computer hard 
drives in the excess property disposal process found hard drives at two 
of the four case study locations that contained personal information, 
including veterans' names and Social Security numbers. GAO's tests did 
not find any remaining data after sanitization procedures were 
performed. However, weaknesses in physical security at IT storage 
locations and delays in completing the data sanitization process 
heighten the risk of data breach. Although VA management has taken some 
actions to improve controls over IT equipment, including strengthening 
policies and procedures, improving the overall control environment for 
sensitive IT equipment will require a renewed focus, oversight, and 
continued commitment throughout the organization.

                               __________

Mr. Chairman and Members of the Subcommittee:

    Thank you for the opportunity to discuss our recent audit of 
controls over information technology (IT) equipment at the Department 
of Veterans Affairs (VA). In light of reported weaknesses in VA 
inventory controls and reported thefts of laptop computers and data 
breaches, the adequacy of such controls has been an ongoing concern. 
Today, I will summarize the results of our recent work, the details of 
which are included in our audit report, which the Subcommittee is 
releasing today. \1\ This audit followed a July 2004 report \2\ in 
which we identified weak practices and lax implementation of controls 
over equipment at the six VA medical centers we audited. As a result, 
personnel at the VA medical centers located fewer than half of the 100 
items we selected for testing at each of five medical centers and 62 of 
100 items at the sixth medical center. Most of the items that could not 
be located were computer equipment.
---------------------------------------------------------------------------
    \1\ GAO, Veterans Affairs: Inadequate Controls over IT Equipment at 
Selected VA Locations Pose Continuing Risk of Theft, Loss, and 
Misappropriation, GAO-07-505 (Washington, DC: July 16, 2007).
    \2\ GAO, VA Medical Centers: Internal Control over Selected 
Operating Functions Needs Improvement, GAO-04-755 (Washington, DC: July 
21, 2004).
---------------------------------------------------------------------------
    For today's testimony, I will provide the highlights of our current 
findings related to

      the risk of theft, loss, or misappropriation \3\ of IT 
equipment \4\ at selected VA locations;
      whether selected VA locations have adequate procedures in 
place to assure physical security and accountability over IT equipment 
in the excess property disposal process; \5\ and
      what actions VA management has taken to address 
identified IT equipment inventory control weaknesses.
---------------------------------------------------------------------------
    \3\ As used in this testimony, theft and misappropriation both 
refer to the unlawful taking or stealing of personal property, with 
misappropriation occurring when the wrongdoer is an employee or other 
authorized user.
    \4\ For the purpose of our test work, we defined IT equipment as 
any equipment capable of processing or storing data, regardless of how 
VA classifies it. Therefore, medical devices that would typically not 
be classified as IT equipment, but may capture, process, or store 
patient data, were considered IT equipment for this audit.
    \5\ As used in this testimony, the term excess property refers to 
property that a federal agency leases or owns that is not required to 
meet either the agency's needs or any other federal agency's needs.

    My statement is based on our report on VA IT inventory controls, 
which you are releasing today. \6\ As part of our audit, we 
statistically tested IT equipment inventory at selected case study 
locations. In addition, our investigator inspected physical security at 
IT equipment storage sites. We performed our audit procedures in 
accordance with generally accepted government auditing standards, and 
we performed our investigative procedures in accordance with quality 
standards for investigators as set forth by the President's Council on 
Integrity and Efficiency.
---------------------------------------------------------------------------
    \6\ GAO-07-505.
---------------------------------------------------------------------------
Summary
    Our statistical tests of IT equipment inventory controls at our 
four VA case study locations identified a total of 123 missing IT 
equipment items, including 53 computers that could have stored 
sensitive data. Our estimates of the percentage of inventory control 
failures related to these missing items ranged from 6 percent at the 
Indianapolis medical center to 28 percent at the Washington, DC, 
medical center. \7\ In addition, we determined that VA property 
management policy does not establish accountability with individual 
users of IT equipment. Consequently, our control tests identified a 
pervasive lack of user-level accountability across the four case study 
locations and significant errors in recorded IT inventory information 
concerning user organization and location. As a result, we concluded 
that for the four case study locations we audited, essentially no one 
was accountable for IT equipment.
---------------------------------------------------------------------------
    \7\ Each of these estimates has a margin of error, based on a 
two-sided, 95 percent confidence interval, of 7 percent or less.
---------------------------------------------------------------------------
    Our analysis of the results of physical inventories performed by 
the current four case study locations \8\ identified over 2,400 missing 
IT equipment items, with a combined original acquisition value of about 
$6.4 million. In addition, the five other locations we previously 
audited had reported over 8,600 missing IT equipment items with a 
combined original acquisition value of over $13.2 million. Further, we 
found that missing IT items were often not reported for several months 
and, in some cases, several years, because most of the case study 
locations had not consistently performed physical inventories or 
completed Reports of Survey \9\ promptly.
---------------------------------------------------------------------------
    \8\ The Washington, DC, medical center was covered in both audits.
    \9\ The Report of Survey system is the method used by VA to obtain 
an explanation of the circumstances surrounding loss, damage, or 
destruction of government property other than through normal wear and 
tear.
---------------------------------------------------------------------------
    Our limited tests of computer hard drives in the excess property 
disposal process at the four case study locations found no data on 
those hard drives that were certified as sanitized. \10\ However, file 
dates on the hard drives we tested indicated that some of them had been 
in the disposal process for several years without being sanitized, 
creating an unnecessary risk of compromising sensitive personal and 
medical information. We also found numerous unofficial IT equipment 
storage locations in VA headquarters area office buildings that did not 
meet VA physical security requirements. For example, at some VA 
headquarters locations, excess computer equipment was stored in open or 
unsecured areas.
---------------------------------------------------------------------------
    \10\ VA information resource management (IRM) personnel and 
contractors follow National Institute of Standards and Technology 
(NIST) Special Publication 800-88 guidelines as well as more stringent 
Department of Defense (DoD) policy in DoD 5220.22-M, National 
Industrial Security Program Operating Manual, ch. 8, Sec.  8-301, which 
requires performing three separate erasures for media sanitization.
---------------------------------------------------------------------------
    Since our July 2004 report, VA management has taken some actions 
and has other actions under way to strengthen controls over IT 
equipment, including clarifying property management policies \11\ and 
centralizing functional IT units under the new Chief Information 
Officer (CIO) organization. Even with these improvements, the 
department had not yet established and ensured consistent 
implementation of effective controls for accountability of IT equipment 
inventory, and IT inventory responsibilities are not well-defined. 
Until these shortcomings are addressed, VA will continue to face major 
challenges in safeguarding IT equipment and sensitive personal data on 
this equipment from loss, theft, and misappropriation. Our companion 
report released today includes 12 recommendations to VA to improve the 
overall control environment and strengthen key internal control 
activities and to increase attention to protecting IT equipment used in 
VA operations. VA generally agreed with our findings, noted significant 
actions under way, and concurred on the 12 recommendations.
---------------------------------------------------------------------------
    \11\ VA Handbook 7127/4 Sec.  5302.3, ``Inventory of Equipment in 
Use.''
---------------------------------------------------------------------------
Inadequate IT Inventory Control and Accountability Pose Risk of Loss, 
        Theft, and Misappropriation
    Our tests of IT equipment inventory controls at four case study 
locations, including three VA medical centers and VA headquarters, 
identified a weak overall control environment and a pervasive lack of 
accountability for IT equipment items across the locations we tested. 
As summarized in table 1, our statistical tests of key IT inventory 
controls at our four case study locations found significant control 
failures. None of the case study locations had effective controls to 
safeguard IT equipment from loss, theft, and misappropriation.


              Table 1--Current IT Equipment Inventory Control Failure Rates at Four Test Locations
----------------------------------------------------------------------------------------------------------------
                                              Washington, DC,    Indianapolis      San Diego     VA headquarters
              Control failures                 medical center   medical center   medical center      offices
----------------------------------------------------------------------------------------------------------------
Missing items in sample                                  28%               6%              10%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user organization                              80%              69%              70%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user location                                  57%              23%              53%              44%
----------------------------------------------------------------------------------------------------------------
Record keeping errors                                     5%               0%               5%               3%
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Notes: Each of these estimates has a margin of error, based on a two-sided, 95 percent confidence interval, of
  10 percent or less. Because the four test locations did not record all IT equipment items in their
  inventory records, our estimated failure rates relate to current (recorded) inventory and not the population
  of all IT equipment at those locations.


    Our statistical tests identified a total of 123 lost and missing IT 
equipment items across the four case locations, including 53 IT 
equipment items that could have stored sensitive personal information. 
Such information could include names and Social Security numbers 
protected under the Privacy Act 1974 \12\ and personal health 
information accorded additional protections from unauthorized release 
under the Health Information Portability and Accountability Act 1996 
(HIPAA) and implementing regulations. \13\ Although VA property 
management policy \14\ establishes guidelines for holding employees and 
supervisors pecuniarily (financially) liable for loss, damage, or 
destruction because of negligence and misuse of government property, 
except for a few isolated instances, none of the case study locations 
assigned user-level accountability for IT equipment. Instead, these 
locations relied on information about user organization and user 
location, which was often incorrect and incomplete. Under this lax 
control environment, missing IT equipment items were often not reported 
for several months and, in some cases several years, until the problem 
was identified during a physical inventory.
---------------------------------------------------------------------------
    \12\ Privacy Act 1974, codified, as amended, at 5 U.S.C. Sec.  
552a.
    \13\ HIPAA, Pub. L. No. 104-191, Sec.  264, 110 Stat. 1936, 2033-34 
(Aug. 21, 1996). The Secretary of Health and Human Services has 
prescribed standards for safeguarding medical information in the HIPAA 
Medical Privacy Rule. See 45 C.F.R. pt. 164.
    \14\ VA Handbook 7125, Materiel Management General Procedures, 
Sec.  5003 (Oct. 11, 2005).
---------------------------------------------------------------------------
Inventory Tests Identified Significant Numbers of Missing Items
    Our statistical tests of IT equipment existence at the four case 
study locations identified a total of 123 missing IT equipment items. 
The 123 missing IT equipment items included 44 at the Washington, DC, 
medical center; 9 at the Indianapolis medical center; 17 at the San 
Diego medical center; and 53 at VA headquarters. Our statistical tests 
of missing equipment found that none of the four test locations had 
effective controls.
    Missing IT equipment items pose not only a financial risk but also 
a security risk associated with compromising sensitive personal data 
maintained on computer hard drives. The 123 missing IT equipment items 
included 53 that could have stored sensitive personal information, 
including 19 from the Washington, DC, medical center; 3 from the 
Indianapolis medical center; 8 from the San Diego medical center; and 
23 from VA headquarters. Because of a lack of user-level accountability 
and the failure to consistently update inventory records for inventory 
status and user location changes, VA officials at our test locations 
could not determine the user or type of data stored on this equipment 
and therefore the risk posed by the loss of these items.
Pervasive Lack of User-Level Accountability for IT Equipment at Case 
        Study Locations
    VA management has not enforced VA property management policy and 
has generally left implementation decisions up to local organizations, 
creating a nonstandard, high-risk environment. Although VA property 
management policy establishes guidelines for user-level accountability, 
\15\ the three medical centers we tested assigned accountability for 
most IT equipment to their information resource management (IRM) or IT 
Services organizations, and VA headquarters organizations tracked IT 
equipment items through their IT inventory coordinators. However, 
because these personnel did not have possession (physical custody) of 
all IT equipment under their purview, they were not held accountable 
for IT equipment determined to be missing during physical inventories. 
Because of this weak overall control environment, we concluded that at 
the four case study locations essentially no one was accountable for IT 
equipment.
---------------------------------------------------------------------------
    \15\ VA Handbook 7125, Materiel Management General Procedures, 
Sec.  5003.
---------------------------------------------------------------------------
    Absent user-level accountability, accurate information on the using 
organization and location of IT equipment is critical to maintaining 
effective asset visibility and control over IT equipment items. 
However, as table 1 shows, we identified high failure rates in our 
tests for correct user organization and location of IT equipment. 
Because property management system inventory records were inaccurate, 
it is not possible to determine the timing or events associated with 
lost IT equipment as a basis for holding individual employees 
accountable.
    Although our Standards for Internal Control in the Federal 
Government \16\ requires timely recording of transactions as part of an 
effective internal control structure and safeguarding of sensitive 
assets, we found that VA's property management policy \17\ neither 
specified what transactions were to be recorded for various changes in 
inventory status nor provided criteria for timely recording. Further, 
IRM and IT Services personnel responsible for installation, removal, 
and disposal of IT equipment did not record or assure that transactions 
were recorded by property management officials when these events 
occurred.
---------------------------------------------------------------------------
    \16\ GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, DC: November 1999).
    \17\ VA Handbook 7127/3, Material Management Procedures, pt. 1, 
Sec.  5002-2.3, and VA Handbook 7127/4, Material Management Procedures, 
pt. 4, Sec.  5302.3.
---------------------------------------------------------------------------
Errors in IT Equipment Inventory Status and Item Description 
        Information
    We found errors related to the accuracy of other information in IT 
equipment inventory records, including equipment status (e.g., in use, 
turned-in, disposal), serial numbers, model numbers, and item 
descriptions. As shown in table 1, estimated overall error rates for 
record keeping were lower than the error rates for the other control 
attributes we tested. Even so, the errors we identified affect 
management decision making and create waste and inefficiency in 
operations. Many of these errors should have been detected and 
corrected during annual physical inventories.
Physical Inventories by Case Study Locations Identified Thousands of 
        Missing IT Equipment Items Valued at Millions of Dollars
    To assess the effect of the lax control environment for IT 
equipment, we asked VA officials at the case study locations covered in 
both our current and previous audits to provide us with information on 
the results of their physical inventories performed after issuance of 
recommendations in our July 2004 report, including Reports of Survey 
information on identified losses of IT equipment. As of February 28, 
2007, the four case study locations covered in our current audit 
reported over 2,400 missing IT equipment items with a combined original 
acquisition value of about $6.4 million as a result of inventories they 
performed during fiscal years 2005 and 2006. Based on information 
obtained through March 2, 2007, the five case study locations we 
previously audited had identified over 8,600 missing IT equipment items 
with a combined original acquisition value of over $13.2 million, $12.4 
million of which was identified at the Los Angeles medical center. 
Because inventory records were not consistently updated as changes in 
user organization or location occurred and none of the locations we 
audited required accountability at the user level, it is not possible 
to determine whether the missing IT equipment items represent record 
keeping errors or the loss, theft, or misappropriation of IT equipment. 
Further, missing IT equipment items were often not reported for several 
months and, in some cases, several years. Although physical inventories 
should be performed over a finite period, at most of the case study 
locations, these inventories were not completed for several months or 
even several years while officials performed extensive searches in an 
attempt to locate missing items before preparing Reports of Survey to 
write them off. According to VA Police and security specialists, \18\ 
it is very difficult to conduct an investigation after significant 
amounts of time have passed because the details of the incidents cannot 
be determined.
---------------------------------------------------------------------------
    \18\ VA medical centers and other facilities have a VA Police 
Service, which provides law enforcement and physical security services, 
including security inspections and criminal investigations. The VA 
headquarters building does not have a police service. VA headquarters 
law enforcement duties are the responsibility of the Federal Protective 
Service.
---------------------------------------------------------------------------
    The timing and scope of the physical inventories performed by the 
case study locations varied. For example, the Indianapolis medical 
center had performed annual physical inventories in accordance with VA 
policy for several years. The Washington, DC, medical center performed 
a wall-to-wall physical inventory in response to our July 2004 report. 
In this case, inventory results reflected several years of activity 
involving IT inventory records that had not been updated and lost and 
missing IT equipment items that had not previously been identified and 
reported. In addition, the San Diego and Houston medical centers had 
not followed VA policy for including sensitive items, such as IT 
equipment valued at less than $5,000, in their physical inventories.
Physical Security Weaknesses Increase Risk of Loss, Theft, and 
        Misappropriation of IT Equipment and Sensitive Data
    Our investigator's inspection of physical security at officially 
designated IT warehouses and storerooms at our four case study 
locations that held new and used IT equipment found that most of these 
storage facilities met the requirements in VA Handbook 0730/1, Security 
and Law Enforcement. However, not all of the formally designated 
storage locations at two medical centers had required motion detection 
alarm systems and special door locks. We also found numerous instances 
of informal IT storage areas at VA headquarters that did not meet VA 
physical security requirements. In addition, although VA requires that 
hard drives of IT equipment and medical equipment be sanitized prior to 
disposal to prevent unauthorized release of sensitive personal and 
medical information, we found weaknesses in the disposal process that 
pose a risk of data breach related to sensitive personal information 
residing on hard drives in the property disposal process that have not 
yet been sanitized.
Weaknesses in Procedures for Controlling Excess Computer Hard Drives
    VA requires that hard drives of excess computers be sanitized prior 
to reuse or disposal because they can store sensitive personal and 
medical information used in VA programs and activities, which could be 
compromised and used for unauthorized purposes. For example, our 
limited tests of excess computer hard drives in the disposal process 
that had not yet been sanitized found hundreds of unique names and 
Social Security numbers on VA headquarters computers and detailed 
medical histories with Social Security numbers on computer hard drives 
at the San Diego medical center. Our limited tests of hard drives that 
were identified as having been subjected to data sanitization 
procedures did not find data remaining on these hard drives. However, 
our limited tests identified some problems that could pose a risk of 
data breach with regard to sensitive personal and medical information 
on hard drives in the disposal process that had not yet been sanitized. 
For example, our IT security specialist noted excessive delays--up to 6 
years--in performing data sanitization once the computer systems had 
been identified for disposal, posing an unnecessary risk of losing the 
sensitive personal and medical information contained on those systems.
Physical Security Weaknesses at IT Storage Locations Pose Risk of Data 
        Breach
    VA Handbook 0730/1, Security and Law Enforcement, prescribes 
physical security requirements for storage of new and used IT 
equipment, requiring storerooms to have walls to ceiling height, 
overhead barricades that prevent ``up and over'' access from adjacent 
rooms, motion intrusion detection alarm systems, and special key 
control, meaning room door lock keys and day lock combinations that are 
not master keyed for use by others. Most of the designated IT equipment 
storage facilities at the four case study locations met VA IT physical 
security requirements; however, we identified deficiencies related to 
lack of intrusion detection systems at the Washington, DC, and San 
Diego medical centers and inadequate door locks at the Washington, DC, 
medical center. In response to our findings, these facilities initiated 
actions to correct these weaknesses.
    We also found numerous informal, undesignated IT equipment storage 
locations that did not meet VA physical security requirements. For 
example, at the VA headquarters building, our investigator found that 
the physical security specialist was unaware of the existence of IT 
equipment in some storerooms. Consequently, these storerooms had not 
been subjected to required physical security inspections. Further, 
during our statistical tests, we observed one IT equipment storeroom in 
the VA headquarters building IT Support Services area that had a 
separate wall, but no door. The wall opening into the storeroom had 
yellow tape labeled ``CAUTION'' above the doorway. The storeroom was 
within an IT work area that had dropped ceilings that could provide 
``up and over'' access from adjacent rooms, and it did not meet VA's 
physical security requirements for motion intrusion detection and 
alarms and secure doors, locks, and special access keys. In another 
headquarters building, we observed excess IT equipment stacked in the 
corners of a large work area that had multiple doors and open access to 
numerous individuals. We also found that VA headquarters IT 
coordinators used storerooms and closets with office-type door locks 
and locked filing cabinets in open areas to store IT equipment that was 
not currently in use. The failure to provide adequate security leaves 
the information stored on these computers vulnerable to data breach.
Status of VA Actions to Improve IT Equipment Management
    Mr. Chairman, although VA strengthened existing property management 
policy \19\ in response to recommendations in our July 2004 report, 
issued several new policies to establish guidance and controls for IT 
security, and reorganized and centralized the IT function within the 
department under the CIO, additional actions are needed to establish 
effective control in this area. For example, pursuant to 
recommendations made in our July 2004 report, VA updated its property 
management policy to clarify that IT equipment valued at under $5,000 
is to be included in annual inventories. However, as noted in this 
testimony and described in more detail in our companion report, VA had 
not taken action to assure that these items were, in fact, subjected to 
physical inventory. In addition, the new CIO organization has no formal 
responsibility for medical equipment that stores or processes patient 
data and does not address roles or necessary coordination between IRM 
and property management personnel with regard to inventory control of 
IT equipment. The Assistant Secretary for Information and Technology, 
who serves as the CIO, told us that the new CIO organization structure 
will include a unit that will have responsibility for IT equipment 
asset management once it becomes operational. However, this unit has 
not yet been funded or staffed. To assure accountability and 
safeguarding of sensitive IT equipment, effective implementation will 
be key to the success of VA IT policy and organizational changes.
---------------------------------------------------------------------------
    \19\ VA Handbook 7127/4, Materiel Management Procedures (Oct. 11, 
2005).
---------------------------------------------------------------------------
    Our companion report released today made 12 recommendations to VA 
to strengthen accountability of IT equipment and minimize the risk of 
theft, loss, misappropriation, and compromise of sensitive data. These 
included recommendations for revising policies related to record 
keeping requirements to document essential inventory events and 
transactions, ensuring that physical inventories are performed in 
accordance with VA policy, enforcing user-level accountability for IT 
equipment, and strengthening physical security of IT equipment storage 
locations. VA management agreed with our findings and concurred with 
all 12 recommendations. In VA's written comments provided to us, it 
noted actions planned or under way to address our recommendations.
Concluding Remarks
    Poor accountability and a weak control environment have left the 
four VA case study organizations vulnerable to continuing theft, loss, 
and misappropriation of IT equipment and sensitive personal data. To 
provide a framework for accountability and security of IT equipment, 
the Secretary of Veterans Affairs needs to establish clear, 
sufficiently detailed mandatory agency wide policies rather than 
leaving the details of how policies will be implemented to the 
discretion of local VA organizations. Keys to safeguarding IT equipment 
are effective internal controls for the creation and maintenance of 
essential transaction records; a disciplined framework for specific, 
individual user-level accountability, whereby employees are held 
accountable for property assigned to them, including appropriate 
disciplinary action for any lost equipment; and maintaining adequate 
physical security over IT equipment items. Although VA management has 
taken some actions to improve inventory controls, strengthening the 
overall control environment and establishing and implementing specific 
IT equipment controls will require a renewed focus, oversight, and 
continuing commitment throughout the organization. We appreciate VA's 
positive response to our current recommendations and planned actions to 
address them. If effectively implemented, these actions will go a long 
way to assuring that the weaknesses identified in our last two audits 
of VA IT equipment will be effectively resolved in the near future.
    Mr. Chairman and Members of the Subcommittee, this concludes my 
statement. I would be pleased to answer any questions that you may have 
at this time.
Contacts and Acknowledgments
    For further information about this testimony, please contact McCoy 
Williams at (202) 512-9095 or [email protected]. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this statement. Major contributors to this 
testimony include Gayle L. Fischer, Assistant Director; Andrew 
O'Connell, Assistant Director and Supervisory Special Agent; Abe 
Dymond, Assistant General Counsel; Monica Perez Anatalio; James D. 
Ashley; Francine DelVecchio; Lauren S. Fassler; Dennis Fauber; Jason 
Kelly; Steven M. Koons; Christopher D. Morehouse; Lori B. Tanaka; Chris 
J. Rodriguez; Special Agent Ramon J. Rodriguez; and Danietta S. 
Williams. In addition, technical expertise was provided by Keith A. 
Rhodes, Chief Technologist, and Harold Lewis, Assistant Director, 
Information Technology Security, Applied Research and Methods.

                                 
              Prepared Statement of Hon. Robert T. Howard,
 Assistant Secretary for Information Technology and Chief Information 
              Officer, U.S. Department of Veterans Affairs
    Thank you, Mr. Chairman. I would like to thank you for the 
opportunity to testify on IT asset management within the Department of 
Veterans Affairs. I am joined today by Mr. Robert J. Henke, Assistant 
Secretary for Management. I am also accompanied by:

      Ms. Adair Martinez, my Deputy Assistant Secretary for 
Information Protection and Risk Management
      Mr. Ray Sullivan, my Director of Field Operations
      Mr. Arnie Claudio, my Director for IT Oversight and 
Compliance
      Mr. Fernando O. Rivera, Director of the Washington DC VA 
Medical Center and
      Mr. Steve Robinson, Chief Acquisition and Materiel 
Management Service for the Washington DC VA Medical Center

    IT asset management is a critically important issue that also has a 
direct bearing on our ability to enhance information protection 
throughout VA. As you know, a recent GAO report (GAO report 07-505) on 
VA's IT asset management found inadequate controls and risk associated 
with theft, loss, and misappropriation of IT equipment at selected VA 
locations. In that report, GAO found inadequate accountability and 
included a number of important recommendations--with which we agree.
    As the Chief Information Officer for VA, I am responsible for 
ensuring compliance with the integrity and security of VA's IT assets. 
I understand that when poor IT inventory procedures exist, both the 
loss of expensive equipment, as well as the loss of any sensitive 
information resident on the equipment, could occur. This is a situation 
of the utmost importance. It is a situation that we are working hard to 
remedy. I am prepared to answer your questions today about procedures 
that already exist, as well as more rigorous and standard procedures 
that are being implemented.
    The GAO findings demonstrate a need for more emphasis and vigilance 
in this area. With the establishment of a single IT authority in the 
VA, we are now in a much better posture to improve the IT asset 
management situation and have a number of actions already underway. We 
currently have several systems in VA that capture IT assets, and we are 
working to standardize this and move to a single IT asset management 
system.
    We have been able to locate some of the equipment that was reported 
missing. For example, regarding the items of missing equipment that 
were assigned to the previous Office of Information and Technology 
organization, we have been able to locate most of them. We assembled a 
team to conduct a search for missing items (e.g., network equipment, 
servers, digital cameras, and so forth) that were assigned to the 
Office of Information and Technology prior to the consolidation of IT 
in VA. At the end of this review, which took place over a 3-month 
period, the team had located about 90 percent of the equipment and 
although much of the equipment was found, the lack of accountability 
was clearly evident.
    To improve our asset management and accountability within VA, a 
special team has been established to develop standard procedures. A new 
Directive and accompanying Handbook on the Control of Information 
Technology Equipment within the VA have been prepared and we have 
already implemented some of the procedures they describe. The Directive 
and Handbook will provide clear direction on all aspects of IT asset 
management.
    Additionally, we have expanded the responsibilities of my Office of 
Information Technology Oversight and Compliance. This office was 
established in February 2007 to conduct on-site assessments of IT 
security, privacy and records management at VA facilities. As of today, 
the office has completed over 58 assessments. The oversight of physical 
security for IT assets is now a part of their assessment routine. The 
results of the reviews will help us support and strengthen VA IT 
security controls. This office ensures that facilities are aligned with 
the National Institute of Standards and Technology's recommended 
security controls for Federal Information Systems.
    We must also increase awareness at the individual user-level 
regarding accountability for IT equipment. The new Directive and 
Handbook, mentioned earlier, will require employees who have been 
assigned VA IT equipment to sign a receipt for the IT equipment in their 
possession. Supervisors will be held responsible for common equipment 
that is not assigned to individuals. The receipt used is the printout 
of the Equipment Inventory List, which describes equipment assigned to 
employees by name. These procedures have already been implemented. We 
have also begun to deploy network monitoring software that will help us 
detect and monitor any device that is connected to the VA network.
    Special procedures are also being implemented for equipment that 
may be considered ``expendable'' but which must be accounted for, not 
because of the cost, but because the equipment has the potential for 
storing sensitive information. An example of such low-cost IT equipment 
that must be tracked is the encrypted thumb drives being distributed 
throughout the VA.
    In closing, I want to assure you Mr. Chairman that we will remain 
focused in our efforts to improve all aspects of the Information and 
Technology environment in the VA--including the overall accountability 
and control of IT equipment. This will not only reduce the risk of loss 
of expensive equipment but also the potential loss of sensitive 
information the equipment may contain. Thank you for your time and the 
opportunity to speak on this issue. I would be happy to answer any 
questions you may have.

                                 
                                      Congress of the United States
                                                     Washington, DC
                                                      July 24, 2007

Dear Members of the House Veterans' Affairs Committee Subcommittee on 
Oversight and Investigations,

    I would like to submit for the record my most sincere apologies for 
my absence this afternoon. An unexpected family emergency has called me 
away from my Congressional duties. While I would like very much to be 
in attendance to review the GAO and VA testimony regarding IT Inventory 
Management, I must attend to my daughter who has fallen ill.
    I appreciate your understanding on this matter. Please know that I 
remain committed as ever to the important work of this Subcommittee and 
those that it serves.

            Sincerely,
                                                         Zack Space
                                                 Member of Congress

                                 
                  Statement of the Hon. Cliff Stearns,
         a Representative in Congress from the State of Florida
Mr. Chairman,

    Thank you for holding this very important hearing regarding 
inventory management of the VA's IT equipment. I have long been 
concerned regarding the security of personal information at the VA, 
particularly with regard to the immediate need to equip each laptop 
with basic security encryption. However, there is a critical oversight 
we must address before we can fully encrypt all VA laptops, and that is 
we do not know how many laptops there are to secure! The VA has yet to 
complete a full and accurate accounting of all its IT equipment and 
systems. Without that, it is a fool's errand to pursue real IT 
security.
    On February 28, 2007, we heard testimony from Mr. Gregory Wilshusen 
of the GAO that the Department of Veterans Affairs needed to address 
longstanding weaknesses in its IT security. He testified that the GAO 
had made several recommendations in 2002 for improving security 
management, including the basic restriction of access to IT equipment 
and network to only authorized users. However, Mr. Wilshusen summarized 
that, ``In the auditors' report on internal controls prepared at the 
completion of VA's 2006 financial statement audit, information 
technology security controls were identified as a material weakness 
because of serious weaknesses related to access control, segregation of 
duties, change control, and service continuity. These areas of weakness 
are virtually identical to those that we had identified years 
earlier.'' And here we are again to hear basically the same testimony 
as a result of yet another investigation of IT security by the GAO.
    In its most recent report, the GAO stated that the six VA medical 
centers it audited lacked a reliable property control database and had 
problems with implementation of VA inventory policies and procedures. 
They then make several recommendations, such as clarifying existing 
policy regarding sensitive items that must be accounted for in the 
property control records; providing a more comprehensive list of the 
type of personal property assets that are considered sensitive for 
accountability purposes; and reinforcing the VA's requirement to attach 
bar code labels to agency property. Unfortunately, GAO's tests of 
physical inventory controls at four VA locations identified 123 missing 
IT equipment items that could have stored sensitive data, including 53 
missing computers! At these locations, investigators discovered there 
were over 2,400 missing IT equipment items, totaling around $6.4 
million. Immediate reporting of missing items as recommended by the GAO 
in 2002 is clearly not followed through in practice, as many missing 
items were not reported for several months and, in some cases, several 
years.
    This dangerous mix of a lack of user accountability and hopelessly 
inaccurate records creates an environment that will lead to further 
loss of equipment, and makes another security breach highly likely. For 
these IT security weaknesses to have been identified and yet 
unaddressed for over five years is frankly inexcusable. I look forward 
to hearing from our panel of witnesses regarding what steps they are 
taking now to correct this problem, and how they will work to ensure 
that this round of recommendations is implemented department-wide.

            Thank you.

                                 
                 U.S. GOVERNMENT ACCOUNTABILITY OFFICE,
                   REPORT TO CONGRESSIONAL REQUESTERS
                               July 2007
Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA 
 Locations Pose Continuing Risk of Theft, Loss, and Misappropriation, 
                               GAO-07-505
GAO Highlights
    Highlights of GAO-07-505, a report to congressional requesters
Why GAO Did This Study
    In July 2004, GAO reported that the six Department of Veterans 
Affairs (VA) medical centers it audited lacked a reliable property 
control database and had problems with implementation of VA inventory 
policies and procedures. Fewer than half the items GAO selected for 
testing could be located. Most of the missing items were information 
technology (IT) equipment. Given recent thefts of laptops and data 
breaches, the requesters were concerned about the adequacy of physical 
inventory controls over VA IT equipment. GAO was asked to determine (1) 
the risk of theft, loss, or misappropriation of IT equipment at 
selected locations; (2) whether selected locations have adequate 
procedures in place to assure accountability and physical security of 
IT equipment in the excess property disposal process; and (3) what 
actions VA management has taken to address identified IT inventory 
control weaknesses. GAO statistically tested inventory controls at four 
case study locations.
What GAO Found
    A weak overall control environment for VA IT equipment at the four 
locations GAO audited poses a significant security vulnerability to the 
nation's veterans with regard to sensitive data maintained on this 
equipment. GAO's Standards for Internal Control in the Federal 
Government requires agencies to establish physical controls to 
safeguard vulnerable assets, such as IT equipment, which might be 
vulnerable to risk of loss, and federal records management law requires 
federal agencies to record essential transactions. However, GAO found 
that current VA property management policy does not provide guidance 
for creating records of inventory transactions as changes occur. GAO 
also found that policies requiring annual inventories of sensitive 
items, such as IT equipment; adequate physical security; and immediate 
reporting of lost and missing items have not been enforced. GAO's 
statistical tests of physical inventory controls at four VA locations 
identified a total of 123 missing IT equipment items, including 53 
computers that could have stored sensitive data. The lack of user-level 
accountability and inaccurate records on status, location, and item 
descriptions make it difficult to determine the extent to which actual 
theft, loss, or misappropriation may have occurred without detection. 
The table below summarizes the results of GAO's statistical tests at 
each location.


                          Current IT Inventory Control Failures at Four Test Locations
----------------------------------------------------------------------------------------------------------------
              Control failures                 Washington, DC    Indianapolis      San Diego      VA HQ offices
----------------------------------------------------------------------------------------------------------------
Missing items                                            28%               6%              10%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user organization                              80%              69%              70%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect location                                       57%              23%              53%              44%
----------------------------------------------------------------------------------------------------------------
Record keeping errors                                     5%               0%               5%               3%
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Notes: Each of these estimates has a margin of error, based on a two-sided, 95 percent confidence interval, of
  10 percent or less.


    GAO also found that the four VA locations reported over 2,400 
missing IT equipment items, valued at about $6.4 million, identified 
during physical inventories performed during fiscal years 2005 and 
2006. Missing items were often not reported for several months and, in 
some cases, several years. It is very difficult to investigate these 
losses because information on specific events and circumstances at the 
time of the losses is not known. GAO's limited tests of computer hard 
drives in the excess property disposal process found hard drives at two 
of the four case study locations that contained personal information, 
including veterans' names and Social Security numbers. GAO's tests did 
not find any remaining data after sanitization procedures were 
performed. However, weaknesses in physical security at IT storage 
locations and delays in completing the data sanitization process 
heighten the risk of data breach. Although VA management has taken some 
actions to improve controls over IT equipment, including strengthening 
policies and procedures, improving the overall control environment for 
sensitive IT equipment will require a renewed focus, oversight, and 
continued commitment throughout the organization.
What GAO Recommends
    GAO makes 12 recommendations to improve VA-wide policies and 
procedures with respect to controls over IT equipment, including record 
keeping requirements, physical inventories, user-level accountability, 
and physical security. VA agreed with GAO's findings, noted significant 
actions under way, and concurred on the 12 recommendations.
                               __________
                                CONTENTS

Letter

    Results in Brief
    Background
    Inadequate IT Inventory Control and Accountability Pose Risk 
      of Loss, Theft, and Misappropriation
    Physical Security Weaknesses Increase Risk of Loss, Theft, 
      and Misappropriation of IT Equipment and Sensitive Data
    VA Actions to Improve IT Management and Controls Have Been 
      Limited
    Conclusions
    Recommendations for Executive Action
    Agency Comments and Our Evaluation

Appendix I: Objectives, Scope, and Methodology

Appendix II: Comments from the Department of Veterans Affairs

Appendix III: GAO Contact and Staff Acknowledgments

Tables

    Table 1: Current IT Equipment Inventory Control Failure Rates 
      at Four Test Locations
    Table 2: Number of Missing IT Equipment Items at Four Test 
      Locations, Including Items That Could Have Stored Sensitive 
      Information
    Table 3: Number of Missing IT Equipment Items by Headquarters 
      Office and Missing Items That Could Have Stored Sensitive 
      Personal Data and Information
    Table 4: Estimated Percentage of IT Inventory Control 
      Failures Related to Correct User and Location at the Four 
      Test Locations
    Table 5: Estimated Percentage of Other IT Inventory Record 
      Keeping Failures at Four Test Locations
    Table 6: Summary of Physical Inventories and Missing IT 
      Equipment Identified by the Four Current Case Study 
      Locations as of February 28, 2007
    Table 7: Summary of Physical Inventories and Missing IT 
      Equipment Identified by Five Case Study Locations 
      Previously Audited as of March 2, 2007
    Table 8: Population of VA IT Equipment at Locations Selected 
      for Testing
    Table 9: Number of Computer Hard Drives in the Property 
      Disposal Process Selected for Testing at Four Locations

Figures

    Figure 1: VA's IT Property Management Process
    Figure 2: Photograph of Unsecured IT Equipment Storeroom in 
      the VA Headquarters Building
Abbreviations

AEMS/MERS: Automated Engineering Management System/Medical Equipment 
Repair Service
CFR: Code of Federal Regulations
CIO: Chief Information Officer
CMR: consolidated memorandum receipt
DoD: Department of Defense
EIL: equipment inventory listing
FMFIA: Financial Managers' Financial Integrity Act 1982
HHS: Department of Health and Human Services
HIPAA: Health Information Portability and Accountability Act 1996
IFCAPS: Integrated Funds Distribution Control Point Activity, 
Accounting, and Procurement System
IRM: information resource management
IT: information technology
MRI: magnetic resonance imaging
NARA: National Archives and Records Administration
NIST: National Institute of Standards and Technology
USB: universal serial bus
USC: United States Code
VA: Department of Veterans Affairs
VHA: Veterans Health Administration
VISN: Veterans Integrated Service Network

                                 
                             U.S. Government Accountability Office:
                                               Washington, DC 20548
                                                      July 16, 2007

The Honorable Bob Filner
Chairman
The Honorable Steve Buyer
Ranking Member
Committee on Veterans' Affairs
House of Representatives

The Honorable Harry E. Mitchell
Chairman
The Honorable Ginny Brown-Waite
Ranking Member
Subcommittee on Oversight and Investigations
Committee on Veterans' Affairs
House of Representatives

    In light of reported weaknesses in Department of Veterans Affairs 
(VA) inventory controls and reported thefts of laptop computers and 
data breaches, you were concerned about the adequacy of controls over 
VA information technology (IT) equipment. In July 2004, we reported \1\ 
that the six VA medical centers we audited lacked a reliable property 
control database, which did not produce a complete and accurate record 
of current inventory and compromised effective management and security 
of agency assets. We found that key policies and procedures established 
by VA to control personal property provided facilities with substantial 
latitude in conducting physical inventories \2\ and maintaining their 
property management systems, which resulted in reduced property 
accountability. For example, VA's Handbook 7127/3, Materiel Management 
Procedures \3\ allowed the person responsible for custody of VA 
property to attest to the existence of that property rather than 
requiring independent verification. Also, personnel at some locations 
interpreted a policy that established a $5,000 threshold for property 
that must be inventoried as a license to ignore VA requirements to 
account for sensitive, lower cost items that are susceptible to theft 
or loss, such as personal computers and peripheral equipment. Personnel 
at the VA medical centers, which are part of the Veterans Health 
Administration (VHA), located fewer than half of the 100 items we 
selected for testing at each of five medical centers and 62 of 100 
items at the sixth medical center. Most of the items that could not be 
located were computer equipment. Based on our work, we concluded in our 
July 2004 report that these weak practices, combined with lax 
implementation, resulted in low levels of accountability and heightened 
risk of loss.
---------------------------------------------------------------------------
    \1\ GAO, VA Medical Centers: Internal Control over Selected 
Operating Functions Needs Improvement, GAO-04-755 (Washington, DC July 
21, 2004).
    \2\ Physical inventory is the process of reconciling personal 
property records with the property actually on hand.
    \3\ Department of Veterans Affairs, VA Handbook 7127/3, Materiel 
Management Procedures.
---------------------------------------------------------------------------
    During 2006, VA employed nearly 235,000 employees and relied on an 
undetermined number of contractors, volunteers, and students to support 
its operations. VA provided these individuals a wide range of IT 
equipment, \4\ including desktop and laptop computers, monitors and 
printers, personal digital assistants, unit-level workstations, local 
area networks, and medical equipment with memory and data processing/
communication capabilities. VA information resource management (IRM) 
and property management personnel share responsibility for management 
of IT equipment inventory.
---------------------------------------------------------------------------
    \4\ For the purpose of this audit, we defined IT equipment as any 
equipment capable of processing or storing data, regardless of how VA 
classifies it. Therefore, medical devices that would typically not be 
classified as IT equipment, but may capture, process, or store patient 
data, were considered IT equipment for this audit.
---------------------------------------------------------------------------
    This report responds to your request that we perform follow-up work 
to determine (1) the risk of theft, loss, or misappropriation \5\ of IT 
equipment at selected VA locations; (2) whether selected VA locations 
have adequate procedures in place to assure physical security and 
accountability over IT equipment in the excess property disposal 
process; \6\ and (3) what actions VA management has taken to address 
identified IT equipment inventory control weaknesses. In assessing the 
risk of theft, loss, or misappropriation of IT equipment, you also 
asked that we consider the results of physical inventories performed by 
the four case study locations covered in this audit and the six medical 
centers we previously audited. \7\
---------------------------------------------------------------------------
    \5\ As used in this report, theft and misappropriation both refer 
to the unlawful taking or stealing of personal property, with 
misappropriation occurring when the wrongdoer is an employee or other 
authorized user.
    \6\ As used in this report, the term excess property refers to 
property that a federal agency leases or owns that is not required to 
meet either the agency's needs or any other federal agency's needs.
    \7\ The Washington, DC, medical center was also covered in our 2004 
report.
---------------------------------------------------------------------------
    To achieve our first two objectives, we used a case study approach, 
selecting VA medical centers located in Washington, DC, Indianapolis, 
Indiana, and San Diego, California; associated clinics; and VA 
headquarters organizations for our test work. To determine the risk of 
theft, loss, or misappropriation of IT equipment at these locations, we 
statistically tested IT equipment inventory to determine the 
effectiveness of controls relied on for accurate recording of inventory 
transactions, including existence (meaning IT equipment items listed in 
inventory records exist and can be located), user-level accountability, 
and inventory record accuracy. As requested, we also obtained and 
analyzed the results of physical inventories performed by the case 
study locations covered in our current and our previous audits. In 
addition, our investigator assessed physical security of IT equipment 
storerooms and procedures for reporting lost and missing items to VA 
law enforcement officials at our four current case study locations. To 
determine if the four case study locations had adequate procedures in 
place for proper disposal of excess IT equipment, we assessed 
procedures for security and accountability of excess IT equipment and 
independently tested a limited selection of computer hard drives for 
proper removal of data and compliance with VA property management 
policies. We performed sufficient procedures to determine that 
inventory data at the test locations were reliable for the purpose of 
our audit. \8\ We conducted our audit and investigation from September 
2006 through March 2007. We performed our audit procedures in 
accordance with generally accepted government auditing standards, and 
we performed our investigative procedures in accordance with quality 
standards for investigators as set forth by the President's Council on 
Integrity and Efficiency. We obtained agency comments on a draft of 
this report. A detailed discussion of our objectives, scope, and 
methodology is included in appendix I.
---------------------------------------------------------------------------
    \8\ The universe of IT equipment items for the four test locations 
did not include the population of all IT equipment at those locations. 
Therefore, we can project our test results to the universe of current, 
recorded IT equipment inventory at each location, but not the 
population of all IT equipment. Our tests were specific to each of the 
case study locations and cannot be projected to VA IT equipment 
inventory as a whole.
---------------------------------------------------------------------------
Results in Brief
    A weak overall control environment and pervasive weaknesses in 
inventory control and accountability at the four locations we audited 
put IT equipment at risk of theft, loss, and misappropriation and pose 
a continuing security vulnerability to our Nation's veterans with 
regard to sensitive data maintained on this equipment. Our Standards 
for Internal Control in the Federal Government\9\ requires agencies to 
establish physical control to secure and safeguard vulnerable assets, 
such as equipment that might be vulnerable to risk of loss or 
unauthorized use. Further, federal records management law and 
regulations require agencies to create and maintain records of 
essential transactions, including property records, as part of an 
effective internal control structure. However, we found that current VA 
property management policy does not provide guidance for recording IT 
equipment inventory transactions as events occur. We also found that 
certain other VA policies have not been enforced, including policies 
requiring (1) user-level accountability; (2) annual inventories of 
sensitive items, including IT equipment; (3) adequate physical 
security; and (4) immediate reporting of lost and missing items. Our 
statistical tests of IT equipment inventory controls at our four VA 
case study locations identified a total of 123 missing IT equipment 
items, including 53 computers that could have stored sensitive data. We 
estimate the percentage of inventory control failures related to these 
missing items to be 6 percent at the Indianapolis medical center, 10 
percent at the San Diego medical center, 28 percent at the Washington, 
DC, medical center, and 11 percent for VA headquarters organizations. 
\10\ In addition, although VA property management policy establishes 
guidelines for user-level accountability, we found a pervasive lack of 
user-level accountability across the four case study locations, and 
significant errors in recorded IT inventory information concerning user 
organization and location. As a result, for the four case study 
locations, we concluded that under the lax control environment, 
essentially no one was accountable for IT equipment. The lack of user-
level accountability and inaccurate records on status, location, and 
item descriptions make it difficult to determine the extent to which 
actual theft, loss, or misappropriation may have occurred without 
detection at the case study locations.
---------------------------------------------------------------------------
    \9\ GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, DC November 1999).
    \10\ Each of these estimates has a margin of error, based on a two-
sided, 95 percent confidence interval, of 7 percent or 
less.
---------------------------------------------------------------------------
    Our follow-up on the results of physical inventories performed by 
the four case study locations included in our current audit and the 
five other case study locations from our previous audit found that the 
case study locations identified thousands of missing IT equipment items 
valued at tens of millions of dollars. For example, the four case study 
locations included in our current audit reported over 2,400 missing IT 
equipment items, with a combined original acquisition value of about 
$6.4 million. Information we obtained as of March 2, 2007, showed that 
the five other locations we previously audited had identified over 
8,600 missing IT equipment items with a combined original acquisition 
value of over $13.2 million. One of the four case study locations in 
our current audit and three of the five other case study locations 
covered in our previous audit had not yet completed Reports of Survey 
\11\ on losses identified in their physical inventories. Because none 
of the nine case study locations consistently recorded transactions as 
changes in IT equipment inventory status and location occurred, it is 
not possible to determine the disposition of IT equipment items that 
cannot be located. When attempts to locate missing IT equipment items 
were unfruitful, the losses were administratively reported for record 
keeping purposes, including the authorization to write them off in the 
property records. According to VA Police and security specialists, \12\ 
when losses are not immediately identified and reported, it is very 
difficult to conduct an investigation because information about the 
specific events and circumstances of the losses is no longer available.
---------------------------------------------------------------------------
    \11\ The Report of Survey system is the method used by VA to obtain 
an explanation of the circumstances surrounding loss, damage, or 
destruction of government property other than through normal wear and 
tear.
    \12\ VA medical centers and other facilities have a VA Police 
Service, which provides law enforcement and physical security services, 
including security inspections and criminal investigations. The VA 
headquarters building does not have a police service. VA headquarters 
law enforcement duties are the responsibility of the Federal Protective 
Service.
---------------------------------------------------------------------------
    Our limited tests of computer hard drives in the excess property 
disposal process at the four case study locations found no data on 
those hard drives that were certified as sanitized. \13\ However, at 
two of the four test locations, we found that hard drives not yet 
subjected to data sanitization contained hundreds of names and Social 
Security numbers. Further, file dates on the hard drives we tested 
indicate that some of them had been in the disposal process for several 
years without being sanitized, creating an unnecessary risk that 
sensitive personal and medical information could be compromised. 
Excessive delays in completing data sanitization processes and 
noncompliance with VA physical security policy heighten the risk of 
data breach related to sensitive personal information residing on hard 
drives in the excess property disposal process. For example, we found 
numerous unofficial IT equipment storage locations in VA headquarters 
area office buildings that did not meet VA physical security 
requirements. One IT storeroom at the VA headquarters building did not 
have a door. At other VA headquarters buildings, we found IT equipment 
stored in open areas, closets, and filing cabinets. These storage 
locations did not meet VA physical security requirements for secure 
walls, doors, locks, special keys, and intrusion detection alarms.
---------------------------------------------------------------------------
    \13\ VA IRM personnel and contractors follow National Institute of 
Standards and Technology (NIST) Special Publication 800-88 guidelines 
as well as more stringent Department of Defense (DoD) policy in DoD 
5220.22-M, National Industrial Security Program Operating Manual, ch. 
8, Sec.  8-301, which requires performing three separate erasures for 
media sanitization.
---------------------------------------------------------------------------
    Since our July 2004 report, VA management has taken some actions 
and has other actions under way to strengthen controls over IT 
equipment. For example, on October 11, 2005, VA revised its Materiel 
Management Procedures\14\ to emphasize that requirements for annual 
inventories of sensitive items valued at under $5,000 include IT 
equipment. On August 4, 2006, VA issued a new directive entitled 
Information Security Program, which requires, in part, periodic 
evaluations and testing of the effectiveness of all management, 
operational, and technical controls and calls for procedures for 
immediately reporting and responding to security incidents. In December 
2006, VA's new Chief Information Officer (CIO) centralized functional 
IT units across local VA organizations under the CIO organization. 
Despite these improvements, the department has not yet established and 
ensured consistent implementation of effective controls for 
accountability of IT equipment inventory, and IT inventory 
responsibilities shared by IRM and property management personnel are 
not well-defined. Until these shortcomings are addressed, VA will 
continue to face major challenges in safeguarding IT equipment and 
sensitive personal data on this equipment from loss, theft, and 
misappropriation.
---------------------------------------------------------------------------
    \14\ VA Handbook 7127/4 Sec.  5302.3, ``Inventory of Equipment in 
Use.''
---------------------------------------------------------------------------
    This report contains 12 recommendations to VA to further improve 
the overall control environment and strengthen key internal control 
activities and to increase attention to protecting IT equipment used in 
VA operations. In comments on a draft of this report, VA generally 
agreed with our findings, noted significant actions under way, and 
concurred on the 12 recommendations. VA also provided technical 
comments. VA's comments, including its technical comments, are 
discussed in the Agency Comments and Our Evaluation section of this 
report. VA's written comments are reprinted in appendix II.
Background
    VA's mission is to serve America's veterans and their families and 
to be their principal advocate in ensuring that they receive medical 
care, benefits, and social support in recognition of their service to 
our nation. VA, headquartered in Washington, DC, is the second largest 
federal department and has over 235,000 employees, including 
physicians, nurses, counselors, statisticians, computer specialists, 
architects, and attorneys. VA carries out its mission through three 
major line organizations--VHA, Veterans Benefits Administration, and 
National Cemetery Administration--and field facilities throughout the 
United States. VA provides services and benefits through a nationwide 
network of 156 hospitals, 877 outpatient clinics, 136 nursing homes, 43 
residential rehabilitation treatment programs, 207 readjustment 
counseling centers, 57 veterans' benefits regional offices, and 122 
national cemeteries.
Previously Reported Weaknesses in IT Inventory Controls
    Our July 2004 report found significant property management 
weaknesses, including weaknesses in controls over IT equipment items 
valued at under $5,000 that are required to have inventory control. In 
that report, we made several recommendations for improving property 
management, including actions to (1) clarify existing policy regarding 
sensitive items that are required to be accounted for in the property 
control records, (2) provide a more comprehensive list of the type of 
personal property assets that are considered sensitive for 
accountability purposes, and (3) reinforce VA's requirement to attach 
bar code labels to agency personal property.
VA's IT Property Management Process
    The Assistant Secretary for Information and Technology serves as 
the CIO for the department and is the principal advisor to the 
Secretary on matters relating to IT management in the department. Key 
functions in VA's IT property management process are performed by IRM 
and property management personnel. These functions include identifying 
requirements; ordering, receiving, and installing IT equipment; 
performing periodic inventories; and identifying, removing, and 
disposing of obsolete and unneeded IT equipment. Figure 1 illustrates 
the IT property management process. In general, this is the process we 
observed at the four VA locations we audited.
    The steps in the IT property management process are key events, 
which should be documented by an inventory transaction, financial 
transaction, or both, as appropriate. Federal records management law, 
as codified in Title 44 of the U.S. Code and implemented through 
National Archives and Records Administration (NARA) guidance, requires 
federal agencies to adequately document and maintain proper records of 
essential transactions and have effective controls for creating, 
maintaining, and using records of these transactions. \15\
---------------------------------------------------------------------------
    \15\ 44 U.S.C. Sec. Sec.  3101 and 3102, and implementing NARA 
regulations at 36 C.F.R. Sec.  1222.38. This is consistent with the 
more general requirement for agencies to establish internal controls 
under 31 U.S.C. Sec.  3512 (c), (d), commonly known as the Federal 
Managers' Financial Integrity Act of 1982 (FMFIA), and GAO/AIMD-00-21.3.1.

             Figure 1--VA's IT Property Management Process
[GRAPHIC] [TIFF OMITTED] 37474B.001


    Source: GAO.
Request and Ordering of IT Equipment
    IRM personnel determine IT equipment requirements for a particular 
VA medical center or headquarters office based on strategic planning, 
medical center or office needs, specific requests, and budgetary 
resources. IRM personnel then submit requests to the cognizant Veterans 
Integrated Service Network (VISN), \16\ the CIO, and VA headquarters in 
Washington, DC, for approval. For VA medical centers, the VISN 
generally purchases or leases IT equipment to realize economies of 
scale, but individual medical centers also may place incidental orders 
to meet their needs. In addition, headquarters offices may place 
individual orders or use purchase cards to acquire IT equipment. 
Medical equipment with IT capability is generally acquired through 
procurement contracts. When contracting personnel create a purchase 
order and submit it to the vendor, contracting personnel are required 
to send a copy of the purchase order to the appropriate property 
management personnel to notify them of a new order.
---------------------------------------------------------------------------
    \16\ VHA has 21 VISNs that oversee medical center activities within 
their area, which may cover one or more states.
---------------------------------------------------------------------------
    When the vendor delivers ordered IT equipment to the loading dock, 
property management warehouse personnel inspect the boxes for visible 
signs of damage, and after accepting delivery, store IT equipment until 
they can transfer it to IRM personnel. Warehouse personnel confirm 
receipt and acceptance in the Integrated Funds Distribution Control 
Point Activity, Accounting, and Procurement System (IFCAPS), which then 
notifies the Financial Management System so that payment can be made to 
the vendor. Once the receipt is confirmed within IFCAPS, warehouse 
personnel notify IRM personnel of the delivery and arrange a transfer 
of the equipment to them. Upon transfer, an IRM official signs the 
receipt document, signifying acceptance of custody for the IT 
equipment.
Recording of IT Equipment Acquisitions in Inventory Records
    VA medical center property management personnel use information 
from the purchase order, including item name, item description, model 
number, manufacturer, vendor, and acquisition cost, to create property 
record(s) in the Automated Equipment Management System/Medical 
Equipment Repair Service (AEMS/MERS) for new IT equipment acquisitions. 
\17\ AEMS/MERS is a general inventory management system that is local 
to each VA medical center. Headquarters personnel also use purchase 
order information to enter records of new IT equipment in the InteGreatTM 
Property Manager system. Property management personnel also identify the 
department responsible for the IT equipment by recording an equipment 
inventory listing (EIL) code at VA medical 
centers and a consolidated memorandum receipt (CMR) code at 
headquarters. Once property records are created, property management 
personnel generate a bar code label for each piece of IT equipment. IRM 
personnel may prepare the equipment for issuance to specific users by 
installing VA-specific software and configurations prior to 
installation. In addition, VA medical center biomedical engineering 
personnel may test medical equipment for electrical safety before 
placing it in service.
---------------------------------------------------------------------------
    \17\ VA Handbook 7127, Materiel Management Procedures (Sept. 19, 
1995), required that all sensitive items, including those valued under 
$5,000, be inventoried regardless of cost. According to VA Handbook 
7127/1 (Oct. 21, 1997), records of property costing $5,000 or greater 
will be maintained in AEMS/MERS. In addition to assets valued over 
$5,000, VA Handbook 7127/4 (Oct. 11, 2005) added a further explanation 
that sensitive items include handheld and portable telecommunication 
devices, printers, data storage equipment (e.g., desktop and laptop 
computers), video imaging equipment, cell phones, radios, motor 
vehicles, and firearms and ammunition.
---------------------------------------------------------------------------
Issuance and Replacement of IT Equipment
    IRM personnel or, in some cases, contractor personnel deliver new 
IT equipment to the appropriate service or location for installation. 
IRM or contractor personnel also remove and replace old IT equipment 
that has been approved for replacement. At some VA facilities, a bar 
code label is affixed to a door jamb or other physical element of the 
specific location in which the IT equipment has been installed to 
document item locations in the property management system. Once the new 
equipment is installed, IRM or contractor personnel transfer the 
replaced equipment to an IRM storage room pending disposal.
Physical Inventories of IT Equipment and Reports of Survey
    VA policy \18\ mandates that each VA facility take physical 
inventory of its accountable property using one of two methods. The 
first method determines when the next inventory will be taken based on 
the accuracy rate for each EIL or CMR during the previous inventory. If 
an EIL or CMR was found to have an accuracy rate of 95 percent or 
above, the VA facility may inventory that EIL or CMR in 12 months. If 
the EIL or CMR has an accuracy rate of less than 95 percent, the VA 
facility must inventory that EIL or CMR within 6 months. The second 
method permits physical inventories to be performed on an exception 
basis. Under this method, a VA facility uses property management system 
data to identify the item bar codes that were scanned since the last 
inventory. If items have been scanned since the last inventory, they 
may be excluded from the current physical inventory.
---------------------------------------------------------------------------
    \18\ VA Handbook 7127/4, Materiel Management Procedures (Oct. 11, 
2005).
---------------------------------------------------------------------------
    When a VA facility determines that items listed in inventory cannot 
be located, those items are listed on a Report of Survey and facility 
personnel convene a Board of Survey. Reports of Survey are provided to 
medical center VA Police or the Federal Protective Service officers at 
VA headquarters, as appropriate. The Report of Survey documents the 
circumstances of loss, damage, or destruction of government property. 
VA policy \19\ mandates that a Board of Survey be appointed when there 
is a possibility that a VA employee may be assessed pecuniary liability 
or disciplinary action as a result of loss, damage, or destruction of 
property and the value of the property involved is $5,000 or more. The 
Board of Survey reviews the Report of Survey, which identifies IT 
equipment that is unaccounted for and explains efforts made to account 
for the missing items. An approved Report of Survey provides necessary 
support for writing off lost and missing items. For items on the Report 
of Survey, VA personnel are supposed to update the use status in the 
property management system from ``in-use'' to ``lost.'' Updating the 
use status allows for the generation of an exception report in case any 
of the items unaccounted for are subsequently located.
---------------------------------------------------------------------------
    \19\ VA Handbook 7125, Materiel Management General Procedures, pt. 
5, Sec.  5101-8.
---------------------------------------------------------------------------
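    The two inventory-scheduling methods above and the ``in-use'' to 
``lost'' status change that drives the exception report can be expressed 
as a small set of functions over property records. The following is an 
added worked example written for this page; it is not VA software and does 
not touch AEMS/MERS or the InteGreat system. The EIL codes, bar codes, 
statuses and dates are constructed; the 95 percent threshold, the 12-month 
and 6-month intervals, and the exclusion of items scanned since the last 
inventory follow the report's description.

```python
# Added worked example (not VA software): physical-inventory scheduling by
# accuracy rate, exception-basis scoping by bar-code scans, and the
# exception report for items carried as "lost" that are scanned again.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

ACCURACY_THRESHOLD = 0.95                     # at or above: 12-month cycle
INTERVAL_HIGH_ACCURACY = timedelta(days=365)  # "may inventory ... in 12 months"
INTERVAL_LOW_ACCURACY = timedelta(days=182)   # "must inventory ... within 6 months"


@dataclass
class Item:
    bar_code: str
    eil: str                   # EIL at a medical center, CMR at headquarters
    status: str                # "in-use", "lost" or "turned-in"
    located: bool              # found during the last physical inventory
    last_scan: Optional[date]  # most recent bar-code scan, if any


def accuracy_by_eil(items: Iterable[Item]) -> Dict[str, float]:
    """Accuracy rate per EIL: items located / items the records say are on hand.
    Records already closed out as turned-in are not part of the population."""
    found_total: Dict[str, List[int]] = {}
    for it in items:
        if it.status == "turned-in":
            continue
        ft = found_total.setdefault(it.eil, [0, 0])
        ft[0] += int(it.located)
        ft[1] += 1
    return {eil: f / t for eil, (f, t) in found_total.items()}


def next_inventory_due(items: Iterable[Item], last_inventory: date) -> Dict[str, date]:
    """Method 1: the interval to the next inventory of an EIL depends on its
    accuracy rate in the previous inventory."""
    due = {}
    for eil, rate in accuracy_by_eil(items).items():
        interval = INTERVAL_HIGH_ACCURACY if rate >= ACCURACY_THRESHOLD else INTERVAL_LOW_ACCURACY
        due[eil] = last_inventory + interval
    return due


def exception_basis_scope(items: Iterable[Item], last_inventory: date) -> List[str]:
    """Method 2: items whose bar code was scanned since the last inventory may be
    excluded; what remains is the list that still needs a physical check."""
    return sorted(it.bar_code for it in items
                  if it.status != "turned-in"
                  and (it.last_scan is None or it.last_scan <= last_inventory))


def lost_items_resurfacing(items: Iterable[Item], last_inventory: date) -> List[str]:
    """Exception report: items written off as 'lost' on a Report of Survey that
    have nonetheless been scanned since, meaning the item has been located."""
    return sorted(it.bar_code for it in items
                  if it.status == "lost"
                  and it.last_scan is not None
                  and it.last_scan > last_inventory)


# Constructed sample: two EILs, last wall-to-wall inventory on 30 Sept 2006.
LAST_INVENTORY = date(2006, 9, 30)
SAMPLE = [
    Item("VA000101", "IRM-01", "in-use", True, date(2006, 11, 2)),
    Item("VA000102", "IRM-01", "in-use", True, None),
    Item("VA000103", "IRM-01", "in-use", True, date(2006, 5, 1)),
    Item("VA000201", "RAD-07", "in-use", True, date(2007, 1, 15)),
    Item("VA000202", "RAD-07", "in-use", False, None),
    Item("VA000203", "RAD-07", "lost", False, date(2007, 2, 20)),  # scanned after write-off
    Item("VA000204", "RAD-07", "turned-in", False, date(2006, 6, 1)),
]

if __name__ == "__main__":
    print("accuracy by EIL:", accuracy_by_eil(SAMPLE))
    print("next inventory due:", next_inventory_due(SAMPLE, LAST_INVENTORY))
    print("still to verify:", exception_basis_scope(SAMPLE, LAST_INVENTORY))
    print("lost but scanned:", lost_items_resurfacing(SAMPLE, LAST_INVENTORY))
```

    In the sample, EIL IRM-01 was fully located and moves to a 12-month 
cycle, while RAD-07 located only one of three accountable items and must 
be re-inventoried within 6 months; item VA000203, carried as lost, shows 
up in the exception report because it was scanned after the write-off.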
Approval for Turn-in and Disposal
    An IRM technician originates the request for turn-in of old IT 
equipment using VA Form 2237, ``Request, Turn-In, and Receipt for 
Property or Services,'' or users may submit an electronic form 2237. 
Pending final approval of VA Form 2237, electronic notification is 
given to property management and IRM personnel, who use this 
documentation to ensure that they are removing and disposing of the 
correct item(s). IRM or contractor personnel transfer the old IT 
equipment to an IRM storage room for hard drive sanitization and 
subsequent reuse or disposal. Medical equipment with IT capability is 
generally traded in to the vendor for upgraded models after medical 
center IRM personnel have documented that data sanitization procedures 
were completed.
    Federal agencies, such as VA, are required to protect sensitive 
data stored on their IT equipment against the risk of data breaches and 
thus the improper disclosure of personal identification information, 
such as names and Social Security numbers. Such information is 
regulated by privacy protections under the Privacy Act of 1974 \20\ and, 
when information concerns an individual's health, the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) and implementing 
regulations. \21\
---------------------------------------------------------------------------
    \20\ Privacy Act of 1974, codified, as amended, at 5 U.S.C. Sec.  
552a.
    \21\ HIPAA required the Secretary of Health and Human Services 
(HHS) to submit to Congress detailed recommendations on standards 
related to the privacy of individually identifiable health information, 
including an individual's rights with respect to such information, 
procedures for an individual to exercise those rights, and the 
authorized uses and disclosures of such information by others, such as 
healthcare providers and insurers. The HHS Secretary has prescribed 
such standards in the HIPAA Medical Privacy Rule. See Pub. L. No. 104-
191, Sec.  264, 110 Stat. 1936, 2033-34 (Aug. 21, 1996), and 
implementing regulations at 45 C.F.R. pt. 164.
---------------------------------------------------------------------------
Removal of Data from Hard Drives
    VA facilities have two options for removing data from hard drives 
of IT equipment in the excess property disposal process. Under the 
first option, the VA medical center removes the hard drives from the IT 
equipment and ships them to a vendor for sanitization (data erasing). 
The vendor physically destroys any hard drives it cannot successfully 
erase. The vendor submits certification of hard drive sanitization or 
destruction to IRM personnel and ships the sanitized hard drives back 
to the VA facility for disposal. Under the second option, VA IRM 
personnel perform the procedures to sanitize the hard drives using VA-
approved software, such as Data EraserTM. IRM personnel 
complete VA Form 0751, ``Information Technology Equipment Sanitization 
Certification,'' to document the erasing of the hard drives. Hard 
drives that Data EraserTM software cannot successfully 
sanitize are held at the VA facility in IRM storage for physical 
destruction by another contractor at various intervals throughout the 
year.
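    The audit findings summarized earlier (sanitized drives held no data, 
unsanitized drives held names and Social Security numbers, and file dates 
showed drives waiting years for sanitization) amount to three checks a 
reviewer can run against a drive image before it leaves a facility. The 
following is an added worked example for this page, not VA's procedure or 
any vendor's tool: it performs a three-pass overwrite on an in-memory image 
(zeros, ones, pseudo-random bytes; the pattern is an assumption, not a 
quotation of DoD 5220.22-M), scans for SSN-shaped strings and readable 
text, and estimates how long a drive has waited from its newest file date. 
The patient record and dates are constructed.

```python
# Added worked example (not VA or vendor tooling): overwrite a drive image
# three times, then verify by read-back that nothing recognizable survives,
# and flag unsanitized drives that have waited too long in the disposal
# process. Image contents, file dates and thresholds are constructed.
import random
import re
from datetime import date
from typing import Iterable, List

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")    # nnn-nn-nnnn
TEXT_RUN_RE = re.compile(rb"[\x20-\x7e]{16,}")     # 16+ printable ASCII bytes in a row


def overwrite_three_pass(media: bytearray, seed: int = 2007) -> bytearray:
    """Three separate overwrites in place: zeros, ones, then pseudo-random bytes.
    A seeded PRNG keeps the example reproducible; real tooling uses a CSPRNG."""
    n = len(media)
    rng = random.Random(seed)
    media[:] = b"\x00" * n
    media[:] = b"\xff" * n
    media[:] = bytes(rng.getrandbits(8) for _ in range(n))
    return media


def find_ssn_like(media: bytes) -> List[str]:
    """SSN-shaped strings recoverable by a plain byte scan of the image."""
    return [m.decode("ascii") for m in SSN_RE.findall(bytes(media))]


def looks_sanitized(media: bytes) -> bool:
    """Read-back heuristic: no SSN-like values and no runs of readable text."""
    raw = bytes(media)
    return not find_ssn_like(raw) and TEXT_RUN_RE.search(raw) is None


def years_awaiting_sanitization(file_dates: Iterable[date], as_of: date) -> float:
    """The newest file date approximates when the drive left service."""
    return (as_of - max(file_dates)).days / 365.25


def audit_drive(image: bytes, certified: bool, file_dates: Iterable[date],
                as_of: date, max_years: float = 1.0) -> List[str]:
    """Findings for one drive: a certified drive must read back clean; an
    uncertified drive must not hold PII nor sit in disposal past max_years."""
    findings = []
    if certified:
        if not looks_sanitized(image):
            findings.append("certified as sanitized but residual data is readable")
    else:
        ssns = find_ssn_like(image)
        if ssns:
            findings.append(f"unsanitized drive holds {len(ssns)} SSN-like values")
        years = years_awaiting_sanitization(file_dates, as_of)
        if years > max_years:
            findings.append(f"in disposal process {years:.1f} years without sanitization")
    return findings


# Constructed 4 KiB image: 40 copies of a fake patient record, zero padded.
RECORD = b"Patient: DOE, JOHN  SSN 123-45-6789  DOB 1944-07-04\n"
UNSANITIZED = bytearray(RECORD * 40).ljust(4096, b"\x00")
SANITIZED = overwrite_three_pass(bytearray(UNSANITIZED))   # copy, then wipe
AS_OF = date(2007, 2, 28)

if __name__ == "__main__":
    print("wiped drive, certified:",
          audit_drive(SANITIZED, True, [date(2005, 1, 1)], AS_OF))
    print("unwiped drive, not certified:",
          audit_drive(UNSANITIZED, False, [date(2003, 5, 1), date(2004, 2, 10)], AS_OF))
    print("unwiped drive, wrongly certified:",
          audit_drive(UNSANITIZED, True, [date(2005, 1, 1)], AS_OF))
```

    The read-back check is deliberately independent of the erasure step: a 
VA Form 0751 or vendor certificate records that sanitization was performed, 
whereas scanning the media afterwards confirms it.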
Final Disposition of IT Equipment
    After data have been removed from the hard drives, the hard drives 
can be placed back into the IT equipment from which they were 
previously removed so that the computers can be reused or shipped 
directly to a VA IT equipment disposal vendor. For IT equipment that is 
not selected for reuse within VA, IRM personnel will notify cognizant 
property management personnel that the IT equipment is ready for final 
disposal and property management personnel transfer the items to a 
warehouse. VA facilities use different processes to handle the final 
disposal of IT equipment. For example, property management personnel 
may contact transportation personnel at the VA Central Office, who then 
contact a shipper to take the IT equipment to a disposal vendor, or a 
disposal vendor may pick up the IT equipment from the VA facility. 
Disposal vendors, including Federal Prison Industries, Inc., \22\ 
determine what IT equipment is to be donated to schools. Generally, 
within several days of the equipment being shipped to the disposal 
vendor, property management personnel change the status field of the 
equipment in the property management system from ``in-use'' to 
``turned-in'' and designate the property record as inactive.
---------------------------------------------------------------------------
    \22\ Federal Prison Industries, Inc. (also known as UNICOR) is a 
wholly owned U.S. government corporation, which operates factories and 
employs inmates in federal prisons. See 31 U.S.C. Sec.  9101 (3)(E), 18 
U.S.C. Sec. Sec.  4121-4129.
---------------------------------------------------------------------------
Inadequate IT Inventory Control and Accountability Pose Risk of Loss, 
        Theft, and Misappropriation
    Our tests of IT equipment inventory controls at four case study 
locations, including three VA medical centers and VA headquarters, 
identified a weak overall control environment and a pervasive lack of 
accountability for IT equipment items across the four locations we 
tested. Our Standards for Internal Control in the Federal Government 
\23\ states that a positive control environment provides discipline and 
structure as well as the climate that influences the quality of 
internal control. However, as summarized in table 1, our statistical 
tests of key IT inventory controls at our four case study locations 
found significant control failures related to (1) missing IT equipment 
items in our existence tests, (2) inaccurate information on user 
organization, (3) inaccurate information on user location, and (4) 
other record keeping errors. None of the case study locations had 
effective controls to safeguard IT assets from risk of loss, theft, and 
misappropriation.
---------------------------------------------------------------------------
    \23\ GAO/AIMD-00-21.3.1.


              Table 1--Current IT Equipment Inventory Control Failure Rates at Four Test Locations
----------------------------------------------------------------------------------------------------------------
                                              Washington, DC,    Indianapolis      San Diego
              Control failures                 medical center   medical center   medical center  VA headquarters
----------------------------------------------------------------------------------------------------------------
Missing items in sample                                  28%               6%              10%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user organization                              80%              69%              70%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect location                                       57%              23%              53%              44%
----------------------------------------------------------------------------------------------------------------
Record keeping errors                                     5%               0%               5%               3%
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Notes: Each of these estimates has a margin of error, based on a two-sided, 95 percent confidence interval, of
  10 percent or less. Because the four test locations did not record all IT equipment items in their
  inventory records, our estimated failure rates relate to current (recorded) inventory and not the population
  of all IT equipment at those locations.


    Moreover, our statistical tests identified a total of 123 lost and 
missing IT equipment items across the four case locations, including 53 
IT equipment items that could have stored sensitive personal 
information. Personal information, such as names and Social Security 
numbers, is regulated by privacy protections under the Privacy Act 1974 
\24\ and information concerning an individual's health is accorded 
additional protections from unauthorized release under HIPAA and 
implementing regulations. \25\ Although VA property management policy 
\26\ establishes guidelines for holding employees and supervisors 
pecuniarily (financially) liable for loss, damage, or destruction 
because of negligence and misuse of government property, except for a 
few isolated instances, none of the case study locations assigned user-
level accountability. Instead, these locations relied on information 
about user organization and user location, which was often incorrect 
and incomplete. In addition, although our standards for internal 
control require timely recording of transactions as part of an 
effective internal control structure and safeguarding of sensitive 
assets, we found that VA's property management policy \27\ neither 
specified what transactions were to be recorded for various changes in 
inventory status nor provided criteria for timely recording. Further, 
IRM and IT Services personnel responsible for installation, removal, 
and disposal of IT equipment did not record or assure that transactions 
were recorded by property management officials when these events 
occurred. Under this lax control environment, missing IT equipment 
items were often not reported for several months and, in some cases 
several years, until the problem was identified during a physical 
inventory.
---------------------------------------------------------------------------
    \24\ Privacy Act 1974, codified, as amended, at 5 U.S.C. Sec.  
552a.
    \25\ The HHS Secretary has prescribed standards for safeguarding 
medical information in the HIPAA Medical Privacy Rule. See 45 C.F.R. 
pt. 164.
    \26\ VA Handbook 7125, Materiel Management General Procedures, 
Sec.  5003 (Oct. 11, 2005).
    \27\ VA Handbook 7127/3, Materiel Management Procedures, pt. 1 
Sec.  5002-2.3, and VA Handbook 7127/4, Materiel Management Procedures, 
pt. 4, Sec.  5302.3.
---------------------------------------------------------------------------
Inventory Tests Identified Significant Numbers of Missing Items
    As shown in table 2, our statistical tests of IT equipment 
existence at the four case study locations identified a total of 123 
missing IT equipment items, including 53 items that could have stored 
sensitive personal data and information. Although VA headquarters had 
the highest number of missing items, none of the four test locations 
had effective controls. Missing IT equipment items pose not only a 
financial risk but also a security risk associated with sensitive 
personal data maintained on computer hard drives.


  Table 2--Number of Missing IT Equipment Items at Four Test Locations, Including Items That Could Have Stored
                                              Sensitive Information
----------------------------------------------------------------------------------------------------------------
                                              Washington, DC,    Indianapolis      San Diego
                Test Results                   medical center   medical center   medical center  VA headquarters
----------------------------------------------------------------------------------------------------------------
Number of missing items in each sample                    44                9               17               52
----------------------------------------------------------------------------------------------------------------
Total missing items that could have stored                19                3                8               23
 sensitive data
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Note: After we completed our analysis, Washington, DC, medical center personnel provided documentation that one
  of the missing items--a new computer monitor--had been located. This information is not reflected in the
  table.


    Because of the lack of user-level accountability and the failure to 
consistently update inventory records for changes in inventory status 
and user location, VA officials at our test locations could not 
determine the user or type of data stored on the 53 missing IT 
equipment items that could have stored sensitive personal information 
and, therefore, the risk posed by the loss of these items. The details 
of our test work at each location follow.
Washington, DC, Medical Center
    Our physical inventory existence testing at the Washington, DC, 
medical center identified an estimated 28 percent failure rate \28\ 
related to missing items in the recorded universe of 8,728 IT equipment 
items. Our analysis determined that the primary cause of these high 
control failure rates was a lack of coordination and communication 
between medical center IRM and property management personnel to assure 
that documentation on IT items in physical inventory was updated in the 
property management system when changes occurred. VA records management 
policy \29\ that implements federal records management law and NARA 
guidance \30\ requires the creation and maintenance of records of 
essential transactions, such as creating a timely record of newly 
acquired IT equipment in the property management system, and recording 
timely updates for changes in the status of IT equipment, including 
transfers, turn-ins, and replacement of equipment, and disposals.
---------------------------------------------------------------------------
    \28\ The two-sided, 95 percent confidence interval for this 
estimate is from 21 percent to 35 percent.
    \29\ VA Directive 6300, Records and Information Management, Sec.  2 
(Jan. 12, 1998).
    \30\ 44 U.S.C. Sec. Sec.  3101 and 3102, and implementing NARA 
regulations at 36 C.F.R. Sec.  1222.38. This is consistent with the 
more general requirement for agencies to establish internal controls 
under 31 U.S.C. Sec.  3512 (c), (d), commonly known as FMFIA, and GAO/
AIMD-00-21.3.1.
---------------------------------------------------------------------------
    The medical center's IT equipment inventory records included 550 
older IT equipment items that property management officials told us 
should have been removed from active inventory. Because the inventory 
status fields for these items were either blank or indicated the items 
were ``in use,'' we included these items in the universe of current 
inventory for purposes of our statistical sample. Of the 44 missing IT 
equipment items identified in our statistical tests at the Washington, 
DC, medical center, 9 items related to the 550 older IT equipment items 
of questionable status. Washington, DC, medical center officials 
asserted that because of their age, these items would likely have been 
turned in for disposal. However, because the property system had not 
been updated to reflect a turn-in or disposal and no hard copy 
documentation had been retained, it was not possible to determine 
whether any of the 44 missing IT equipment items, including 19 items 
that could have stored sensitive personal information, had been sent to 
disposal or if any of them were lost or stolen.
    For other IT equipment items that could not be located during our 
existence testing, IRM or property management officials were able to 
provide documentation created and saved outside the property management 
system that showed several of these items had been turned in for 
disposal without recording the corresponding inventory transaction in 
the property management system. In March 2006, the Washington, DC, 
medical center initiated an automated process for electronic 
notification and documentation of property turn-ins in the property 
management system. If effectively implemented, the electronic process 
should help resolve this problem going forward.
    With regard to the use and type of data stored on the 19 computers 
that our tests identified as missing, Washington, DC, medical center 
officials could not tell us the users or the types of data that would 
have been on these computers. This is because local medical center 
property management procedures call for recording the local IRM 
organization as the user for most IT equipment in the property 
management system, rather than the actual custodian or user of the IT 
equipment.
Indianapolis Medical Center
    The Indianapolis medical center had an estimated failure rate of 6 
percent \31\ related to missing items in the recorded universe of 7,614 
IT equipment items. However, our test results do not allow us to 
conclude that the center's controls over existence of IT equipment 
inventory are effective. Our statistical tests identified 9 missing IT 
equipment items, including 3 items that could have stored sensitive 
personal and medical information. Of the 3 missing items that could 
have stored sensitive information, medical center inventory records 
showed that 2 of these items were medical devices assigned to the 
radiology unit. Although medical center officials provided us with 
turn-in documentation for one of these items--a magnetic resonance 
imaging (MRI) machine that had just been disassembled and removed from 
service--the documentation did not match the bar code (property 
identification number) or the serial number for our sample item, 
indicating possible record keeping errors. The user of the third item, 
a computer, was not known.
---------------------------------------------------------------------------
    \31\ The two-sided, 95 percent confidence interval for this 
estimate is from 2 percent to 13 percent.
---------------------------------------------------------------------------
    In addition, our review of Indianapolis medical center purchase 
card records determined that some IT equipment items that were not 
included in property inventory records had been acquired with a 
government purchase card. We found that VA purchase card policy \32\ 
does not require cardholders to notify property management officials of 
the receipt of property items acquired with a purchase card, including 
IT equipment. As a result, there is no asset visibility \33\ or 
accountability for these items. Further, there is no assurance that 
sensitive personal data, medical data, or both that could be stored on 
these items are properly safeguarded.
---------------------------------------------------------------------------
    \32\ VA Handbook 1730/1, Use and Management of the Government 
Purchase Card Program (June 17, 2005).
    \33\ Asset visibility refers to accurate and timely information on 
the location, movement, status, and identifying information for 
property and equipment assets.
---------------------------------------------------------------------------
San Diego Medical Center
    We estimated an overall failure rate of 10 percent \34\ related to 
missing items in the San Diego medical center's recorded universe of 
11,604 IT equipment items. Our statistical tests at the San Diego 
medical center identified 17 missing IT equipment items, including 8 
items that could have stored sensitive personal data and information. 
San Diego medical center officials could not tell us the user or type 
of data that would have been stored on the missing computers. San Diego 
medical center officials noted that some of the missing items were 
older IT equipment that would no longer be in use. However, without 
valid turn-in documentation, it is not possible to determine whether 
these IT equipment items were disposed of without creating the 
appropriate transaction record or if any of these items, including 
items that could have stored sensitive personal and medical 
information, were lost, stolen, or misappropriated without detection.
---------------------------------------------------------------------------
    \34\ The two-sided, 95 percent confidence interval for this 
estimate is from 5 percent to 17 percent.
---------------------------------------------------------------------------
    Our tests also determined that San Diego medical center officials 
were not following VA policy for physical inventory control and 
accountability of IT equipment. Consistent with a finding in our July 
2004 report, we found that the San Diego medical center had not 
included IT equipment items valued at less than $5,000 in annual 
physical inventories. Although San Diego medical center property 
management officials record IT equipment ordered through the formal 
property acquisition process in inventory records at the time it is 
acquired, absent an annual physical inventory, center officials have no 
way of knowing whether these items are still in use or if any of these 
items were lost, stolen, or misappropriated. VA property management 
policy \35\ requires that sensitive items, including computer 
equipment, be subjected to annual physical inventories. At the time of 
our IT equipment inventory testing in January 2007, San Diego medical 
center officials told us that consistent with requirements in VA 
Handbook 7127/4, they were initiating a physical inventory of all IT 
equipment items, including those items valued at less than $5,000.
---------------------------------------------------------------------------
    \35\ VA Handbook 7127/4, Materiel Management Procedures, pt. 1, 
Sec.  5002.2 and pt. 4, Sec.  5302.3 (Oct. 11, 2005).
---------------------------------------------------------------------------
    In addition, our analysis of San Diego medical center purchase card 
records identified several purchases of IT equipment that had not been 
recorded in the medical center's inventory records. As a result, our 
statistical tests did not include these items. Because the medical 
center's IT Services and property management officials are not tracking 
IT equipment items that were acquired with government purchase cards, 
there is no accountability for these items. As a result, San Diego 
medical center management does not know how many of these items have 
not been recorded in the property inventory records or how many of 
these items could contain sensitive personal information. If San Diego 
medical center officials properly perform their fiscal year 2007 
physical inventory, they should be able to locate and establish an 
accountable record for IT equipment items acquired with purchase cards 
that are being used within their facility. However, additional research 
would be required to identify all IT equipment items that were acquired 
with a purchase card and are being used at employees' homes or other 
offsite locations.
    San Diego medical center IT Services personnel told us that they 
created and maintained informal ``cuff records'' outside the property 
management system to document installation and removal of IT equipment 
because property management officials did not permit them to have 
access to the property management system. In addition, IT Services 
personnel did not provide information from their informal cuff records 
to property management officials so that they could update the formal 
records maintained in property management system. As a result, the 
formal IT equipment inventory records saved in the property management 
system remained out-of-date, while more accurate records were 
maintained as separate IT Services files outside the formal system and 
were not available for management decision making. Further, San Diego 
IT Services personnel were not provided handheld scanners so that they 
could electronically update inventory records when they installed or 
removed IT equipment. The San Diego medical center IT Services' 
informal cuff records create internal control weaknesses because they 
do not provide reasonable assurance of furnishing information the 
agency needs to conduct current business.
VA Headquarters Offices
    We statistically tested a random sample of VA headquarters IT 
equipment items, which included IT equipment for each headquarters 
office. Based on our sample, we estimate an 11 percent failure rate 
\36\ related to missing items in the VA headquarters recorded universe 
of 25,353 IT equipment items. In addition, our tests of VA headquarters 
IT inventory identified 53 missing IT equipment items, including 23 
computers that could have stored sensitive personal information. VA 
headquarters officials could not tell us the use or type of information 
that would have been stored on the missing computers. Table 3 
identifies missing IT equipment items in our stratified sample by VA 
headquarters office.
---------------------------------------------------------------------------
    \36\ The two-sided, 95 percent confidence interval for this 
estimate is from 8 percent to 15 percent.


  Table 3--Number of Missing IT Equipment Items by Headquarters Office and Missing Items That Could Have Stored
                                     Sensitive Personal Data and Information
----------------------------------------------------------------------------------------------------------------
                                                                Number of missing IT
                        Test location                            items in stratified     Missing items with data
                                                                       sample              storage capability
----------------------------------------------------------------------------------------------------------------
Acquisition and Materiel                                                      0 of 10                         0
----------------------------------------------------------------------------------------------------------------
General Counsel                                                               2 of 10                   0 of 2
----------------------------------------------------------------------------------------------------------------
Information and Technology                                                    9 of 94                   6 of 9
----------------------------------------------------------------------------------------------------------------
Policy and Planning                                                           0 of 10                         0
----------------------------------------------------------------------------------------------------------------
Veterans Health Administration                                               27 of 95                   7 of 17
----------------------------------------------------------------------------------------------------------------
Veterans Benefits Administration                                             24 of 93                  10 of 24
----------------------------------------------------------------------------------------------------------------
All other \a\                                                                 1 of 32                   0 of 1
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
\a\ All other includes 17 additional VA headquarters organizations. The missing item in this category related to
  the Human Resource Management Office.


    We found that the IT coordinators maintained informal spreadsheets, 
or cuff records, to track IT equipment assigned to their units instead 
of updating IT equipment records in the formal VA headquarters property 
system. As stated previously, the use of informal cuff records creates 
an internal control weakness because management does not have 
visibility over this information for decision making purposes.
    VA headquarters officials also told us that various headquarters 
offices acquire IT equipment using government purchase cards and that 
these items are not identified and recorded in inventory unless they 
are observed coming through the mail room or they are identified during 
physical inventories. As previously discussed, VA purchase card policy 
does not require purchase card holders to notify property management 
officials at the time they receive IT equipment and other property 
acquired with government purchase cards.
Pervasive Lack of User-Level Accountability for IT Equipment at Case 
        Study Locations
    VA management has not enforced VA property management policy and 
has generally left implementation decisions up to local organizations, 
creating a nonstandard, high-risk environment. Although VA property 
management policy establishes guidelines for user-level accountability, 
\37\ the three medical centers we tested assigned accountability for 
most IT equipment to their IRM or IT Services organizations, and VA 
headquarters organizations tracked IT equipment items through their IT 
inventory coordinators. However, because these IT personnel and IT 
coordinators did not have possession (physical custody) of all IT 
equipment under their purview, they were not held accountable for IT 
equipment determined to be missing during physical inventories. This 
weak overall control environment at the four case study locations 
resulted in a pervasive lack of user-level accountability for IT 
equipment.
---------------------------------------------------------------------------
    \37\ VA Handbook 7125, Materiel Management General Procedures, 
Sec.  5003.
---------------------------------------------------------------------------
    Absent user-level accountability, accurate information on the using 
organization and location of IT equipment is key to maintaining asset 
visibility and control over IT equipment items. The high failure rates 
in our tests for correct user organization and location of IT 
equipment, shown in table 4, underscore the lack of user-level 
accountability at the four case study locations. The lack of 
accountability has in turn resulted in a lax attitude about controlling 
IT equipment. As a result, for the four case study locations, we 
concluded that under the current lax control environment, essentially 
no one was accountable for IT equipment.


 Table 4--Estimated Percentage of IT Inventory Control Failures Related to Correct User and Location at the Four
                                                 Test Locations
----------------------------------------------------------------------------------------------------------------
                                                                   Incorrect user
                        Test location                               organization         Incorrect user location
----------------------------------------------------------------------------------------------------------------
Washington, DC, medical center                                                    80%                       57%
                                                                         (72% to 87%)              (49% to 64%)
----------------------------------------------------------------------------------------------------------------
Indianapolis, IN, medical center                                                  69%                       23%
                                                                         (60% to 78%)              (15% to 33%)
----------------------------------------------------------------------------------------------------------------
San Diego, CA, medical center                                                     70%                       53%
                                                                         (61% to 78%)              (43% to 63%)
----------------------------------------------------------------------------------------------------------------
VA headquarters organizations                                                     11%                       44%
                                                                          (8% to 15%)              (37% to 51%)
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Note: The percentages represent point estimates and the two-sided, 95 percent confidence interval.


    Our statistical tests found numerous instances where inventory 
records were not updated when equipment was transferred to another VA 
unit, moved to another location, or removed from a facility. We also 
found that critical inventory system data fields, such as user and 
location, were often blank. Completion of these data fields would have 
created records of essential transactions for IT inventory events. 
Because property management system inventory records were incomplete 
and out-of-date, it is not possible to determine the timing or events 
associated with lost IT equipment as a basis for holding individual 
employees accountable.
    In addition to failures in our tests for accurate user organization 
and location, we found that the inventory system data field for 
identifying IT coordinators at headquarters units was often blank or 
incorrect. The IT coordinator role, which is unique to VA headquarters 
offices, is intended to provide an additional level of control for 
tracking and managing assignment of IT equipment within each 
headquarters organizational unit. Our tests for accurate and complete 
information on headquarters IT coordinators found 85 errors out of a 
sample of 344 records tested. We estimated the failure rate for the IT 
coordinator records at VA headquarters units to be 47 percent. \38\ 
Further, although VA headquarters officials told us they use hand 
receipts \39\ for user-level accountability of mobile IT equipment that 
can be removed from VA offices for use by employees who are on travel 
or are working at home, we found this procedure was not used 
consistently. For example, we requested hand receipts for 15 mobile IT 
equipment items in our statistical sample that were being used by VA 
headquarters employees. These items either could be or were taken 
offsite. We received nine hand receipts--one that had expired, six that 
were dated after the date of our request, and two that were valid. 
Officials at the three medical centers we tested were able to provide 
hand receipts for IT equipment that was being used by their employees 
at home.
---------------------------------------------------------------------------
    \38\ The margin of error, based on a two-sided, 95 percent 
confidence interval, is 3 percent.
    \39\ A hand receipt is a document used to assign individual custody 
of a government-furnished equipment item. At VA headquarters a hand 
receipt includes the description and bar code number of the item, and 
it is signed by the employee responsible for the equipment and an 
authorizing official.
---------------------------------------------------------------------------
    Officials at all four case study locations expressed concerns that 
it would be difficult and burdensome to implement user-level 
accountability for IT equipment, particularly in the case of shared 
workstations used by multiple employees. However, Washington, DC, 
medical center officials initiated actions to establish user-level 
accountability for individual employees and unit heads who have shared 
workstations. In March 2007, Washington, DC, medical center officials 
implemented a policy for user-level accountability and began training 
their employees on the new requirements. The new policy requires 
employees to sign personal custody receipts for IT equipment assigned 
to them, and it requires supervisors to be responsible for IT equipment 
that is shared among staff in their sections. The policy states that 
users of IT equipment will be held accountable for acts deemed 
inappropriate or negligent and that employees are personally and 
financially responsible for loss, theft, damage, or destruction of 
government property caused by negligence. VA headquarters officials 
told us that they are considering approaches for implementing a VA-wide 
policy for user-level accountability of IT equipment.
Errors in IT Equipment Inventory Status and Item Description 
        Information
    As shown in table 5, we also found some problems with the accuracy 
of IT equipment inventory records, including inaccurate information on 
status (e.g., in use, turned-in, disposal), serial numbers, model 
numbers, and item descriptions. The estimated overall error rates for 
these tests were lower than the error rates for the other control 
attributes we tested, and the Indianapolis medical center had no 
errors.


       Table 5--Estimated Percentage of Other IT Inventory Record Keeping Failures at Four Test Locations
----------------------------------------------------------------------------------------------------------------
                                                     Inventory
                  Test Location                       status       Serial number       Item       Total failures
                                                    information                     description
----------------------------------------------------------------------------------------------------------------
Washington, DC, medical center                               1%              6%              0%              5%
                                                     (0% to 4%)     (2% to 11%)      (0% to 5%)     (2% to 10%)
----------------------------------------------------------------------------------------------------------------
Indianapolis medical center                                  0%              0%              0%              0%
                                                     (0% to 2%)      (0% to 4%)      (0% to 2%)      (0% to 4%)
----------------------------------------------------------------------------------------------------------------
San Diego medical center                                     2%              1%              2%              5%
                                                     (0% to 7%)      (0% to 6%)      (0% to 8%)     (2% to 12%)
----------------------------------------------------------------------------------------------------------------
VA headquarters organizations                                0%              2%              1%              3%
                                                     (0% to 2%)      (1% to 7%)      (0% to 2%)      (1% to 6%)
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Note: The percentages represent point estimates and the two-sided, 95 percent confidence interval.


    The errors we identified affect management decision making and 
create waste and inefficiency in operations. For example, inaccurate 
information on the status of IT equipment inventory items impairs 
management's ability to determine what items are available or in use. 
Errors in item descriptions impair management decision making on the 
number and types of available items and timing for replacement of these 
items, and serial number errors impair accountability. Further, 
inaccurate inventory information on the IT equipment item status, as 
well as the location errors discussed above, caused significant waste 
and inefficiency during physical inventories. Many of these errors 
should have been detected and corrected during annual physical 
inventories.
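As an added illustration (not part of the GAO statement, and not VA's or GAO's own tooling), the attribute test summarized in table 5 can be expressed as a reconciliation of the property system's records against what a physical count actually finds. The records, bar codes, serial numbers and observations below are constructed; the confidence interval is a standard Wilson score interval, which is my choice of estimator and not necessarily the one GAO applied to its statistical sample.

```python
"""Reconcile property-system records against a physical count: the
status / serial number / item description attribute test summarized in
table 5.  Added illustration with constructed data, not GAO's or VA's
code; the Wilson score interval is an assumed estimator."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    bar_code: str
    serial: str
    description: str
    status: str          # in use / turned-in / disposal
    location: str


ATTRIBUTES = ("status", "serial", "description")


def normalize(value):
    """Collapse whitespace and case so cosmetic differences do not fail."""
    return " ".join(value.split()).casefold()


def wilson(k, n, z=1.96):
    """Point estimate and two-sided 95 percent Wilson score interval for
    k failures observed in n tested items (assumed estimator)."""
    if n == 0:
        return (0.0, 0.0, 0.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (p, max(0.0, centre - half), min(1.0, centre + half))


def reconcile(records, observed):
    """records: the sampled inventory records; observed: bar code -> the
    serial, description and status actually found on the floor.
    Items that cannot be located at all are a location failure, which
    table 5 does not count, so they are reported separately and excluded
    from the attribute denominators."""
    failures = {a: [] for a in ATTRIBUTES}
    failures["total"] = []          # items failing at least one attribute
    not_located = []
    for rec in records:
        seen = observed.get(rec.bar_code)
        if seen is None:
            not_located.append(rec.bar_code)
            continue
        bad = [a for a in ATTRIBUTES
               if normalize(getattr(rec, a)) != normalize(seen[a])]
        for a in bad:
            failures[a].append(rec.bar_code)
        if bad:
            failures["total"].append(rec.bar_code)
    located = len(records) - len(not_located)
    rates = {k: wilson(len(v), located) for k, v in failures.items()}
    return {"located": located, "not_located": not_located,
            "failures": failures, "rates": rates}


# Constructed sample: what the property system says ...
INVENTORY = [
    Record("B0001", "SN-1001", "Laptop, Dell Latitude D620", "in use", "Room 101"),
    Record("B0002", "SN-1002", "Desktop, Dell OptiPlex 745", "in use", "Room 102"),
    Record("B0003", "SN-1003", "Monitor, 19 in LCD", "in use", "Room 102"),
    Record("B0004", "SN-1004", "Laptop, Dell Latitude D620", "turned-in", "Storeroom A"),
    Record("B0005", "SN-1005", "Printer, HP LaserJet 4250", "in use", "Room 105"),
    Record("B0006", "SN-1006", "Desktop, Dell OptiPlex 745", "in use", "Room 106"),
    Record("B0007", "SN-1007", "Monitor, 19 in LCD", "in use", "Room 106"),
    Record("B0008", "SN-1008", "External hard drive, 250 GB", "in use", "Room 108"),
]
# ... and what the walk-through found, keyed by the bar code on the item.
OBSERVED = {
    "B0001": {"serial": "SN-1001", "description": "Laptop, Dell Latitude D620", "status": "in use"},
    # serial digits transposed in the record
    "B0002": {"serial": "SN-1020", "description": "Desktop, Dell OptiPlex 745", "status": "in use"},
    "B0003": {"serial": "SN-1003", "description": "Monitor, 19 in LCD", "status": "in use"},
    "B0004": {"serial": "SN-1004", "description": "Laptop, Dell Latitude D620", "status": "turned-in"},
    # found in excess staging while the record still says "in use"
    "B0005": {"serial": "SN-1005", "description": "Printer, HP LaserJet 4250", "status": "disposal"},
    # record describes a desktop; the item carrying the bar code is a laptop
    "B0006": {"serial": "SN-1006", "description": "Laptop, Dell Latitude D620", "status": "in use"},
    # B0007 was not found anywhere: a location failure, not an attribute failure
    "B0008": {"serial": "SN-1008", "description": "External hard drive, 250 GB", "status": "in use"},
}


if __name__ == "__main__":
    result = reconcile(INVENTORY, OBSERVED)
    print(f"located {result['located']} of {len(INVENTORY)}; "
          f"not located: {result['not_located']}")
    for attr, (p, lo, hi) in result["rates"].items():
        print(f"{attr:12} {len(result['failures'][attr])}/{result['located']}"
              f"  {p:4.0%} ({lo:.0%} to {hi:.0%})  {result['failures'][attr]}")
```

The point of keeping the not-located items out of the attribute denominators is that a missing item says nothing about whether its serial number or description was recorded correctly; mixing the two inflates every attribute rate and hides which control actually failed.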
Physical Inventories by Case Study Locations Identified Thousands of 
        Missing IT Equipment Items Valued at Millions of Dollars
    To assess the effect of the lax control environment for IT 
equipment, we asked VA officials at the case study locations covered in 
both our current and previous audits to provide us with information on 
the results of their physical inventories performed after issuance of 
recommendations in our July 2004 report, including Reports of Survey 
\40\ information on identified losses of IT equipment. VA policy \41\ 
requires that when property items are determined to be lost or missing, 
they are to be listed in a Report of Survey and an investigation is to 
be conducted into the circumstances of the loss before these items are 
written off in the property records. As of February 28, 2007, the four 
case study locations covered in our current audit reported over 2,400 
missing IT equipment items with a combined original acquisition value 
of about $6.4 million as a result of inventories they performed during 
fiscal years 2005 and 2006. Based on information obtained through March 
2, 2007, the five case study locations we previously audited had 
identified over 8,600 missing IT equipment items with a combined 
original acquisition value of over $13.2 million. Because inventory 
records were not consistently updated as changes in user organization 
or location occurred and none of the locations we audited required 
accountability at the user level, it is not possible to determine 
whether the missing IT equipment items represent record keeping errors 
or the loss, theft, or misappropriation of IT equipment. Further, 
missing IT equipment items were often not reported for several months 
and, in some cases, several years, because most of the nine case study 
locations had not consistently performed required annual physical 
inventories or completed Reports of Survey promptly. Although physical 
inventories should be performed over a finite period, at most of the 
nine case study locations these inventories were not completed for 
several months or even several years while officials performed 
extensive searches in an attempt to locate missing items before 
preparing Reports of Survey to write them off.
---------------------------------------------------------------------------
    \40\ The Report of Survey System is the method used by VA to obtain 
an explanation of the circumstances surrounding loss, damage, or 
destruction of government property other than through normal wear and 
tear.
    \41\ VA Handbook 7125, Materiel Management General Procedures, pt. 
5, Sec.  5101 and Sec.  5101-21.
---------------------------------------------------------------------------
    According to VA Police and security specialists, \42\ it is very 
difficult to conduct an investigation at this point because the details 
of the incidents cannot be determined. As law enforcement officers, VA 
Police are trained in investigative techniques that could potentially 
track and recover lost and missing items if promptly reported. Further, 
because VA Police are responsible for facility security, consistent 
reporting of lost and missing IT equipment to the Chief of Police at 
each VA medical center or federal law enforcement officers responsible 
for building security at VA headquarters locations could identify 
patterns of vulnerability that could be addressed through upgraded 
security plans.
---------------------------------------------------------------------------
    \42\ VA medical centers and other facilities have a VA Police 
Service, which provides law enforcement and physical security services, 
including security inspections and criminal investigations. The VA 
headquarters building does not have a police service. VA headquarters 
law enforcement duties are the responsibility of the Federal Protective 
Service.
---------------------------------------------------------------------------
Physical Inventories Performed by Four Case Study Locations Identify 
        Significant Numbers of Missing IT Equipment Items
    The timing and scope of the physical inventories performed by the 
four case study locations in our current audit varied. For example, the 
Indianapolis medical center had been performing annual physical 
inventories in accordance with VA policy for several years. As a 
result, IT equipment inventory records were more accurate and physical 
inventories identified fewer missing items than most locations tested. 
The Washington, DC, medical center performed a wall-to-wall physical 
inventory in response to our July 2004 report, which found that 
previously performed physical inventories of IT equipment were 
ineffective. In this case, inventory results reflected several years of 
activity involving IT inventory records that had not been updated and 
lost and missing IT equipment items that had not previously been 
identified and reported. Although the San Diego medical center had 
performed periodic physical inventories, it had not followed VA policy 
for including sensitive items, such as IT equipment valued at less than 
$5,000. As a result, the San Diego medical center's Reports of Survey 
are not a good indicator of the extent of lost and missing IT equipment 
at this location. The fiscal year 2006 VA headquarters physical 
inventory identified IT equipment items that may have been lost or 
missing for several years without detection or final resolution. For 
example, VA headquarters officials told us that during renovations of 
headquarters offices 10 years ago, IT equipment was relocated to office 
space designated as storerooms. When this space had to be vacated for 
renovation, the IT equipment had to be relocated, and many items were 
sent to disposal. According to VA headquarters officials, 
accountability for individual IT equipment items was not maintained 
during the renovation or disposal process. This weak overall control 
environment presents an opportunity for theft, loss, or 
misappropriation to occur without detection.
    As of February 28, 2007, based on inventories they performed during 
fiscal years 2005 and 2006, the four case study locations covered in 
our current audit reported over 2,400 missing IT equipment items with a 
combined original acquisition value of about $6.4 million. Table 6 
provides information on the results of physical inventories performed 
by our four current case study locations.


   Table 6--Summary of Physical Inventories and Missing IT Equipment Identified by the Four Current Case Study
                                        Locations as of February 28, 2007
----------------------------------------------------------------------------------------------------------------
                                                                                                     Original
                                                   Fiscal years      Dates of        Number of      acquisition
                  Test location                    of inventory     Reports of     missing items     value of
                                                                      Survey        identified     missing items
----------------------------------------------------------------------------------------------------------------
Washington, DC, medical center                    2005 thru 2006  Mar. 2006 thru          1,133      $1,758,096
                                                                      Oct. 2006
----------------------------------------------------------------------------------------------------------------
Indianapolis medical center                                2005       Dec. 2004               6         $23,206
                                                           2006       Oct. 2006             112         $79,230
----------------------------------------------------------------------------------------------------------------
San Diego medical center*                                  2005       Dec. 2004              42        $135,344
                                                           2006         Ongoing              15         $24,418
----------------------------------------------------------------------------------------------------------------
VA headquarters offices                                2006 and         Not yet           1,162      $4,385,444
                                                        ongoing       finalized
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
*The San Diego medical center IT Services personnel inventoried only items valued at $5,000 or more.


    In response to our test work, in January 2007, the Washington, DC, 
medical center prepared an additional Report of Survey to write off 699 
older IT equipment items valued at $794,835 that had not been located 
or removed from current inventory. The VA headquarters physical 
inventory had initially identified about 2,700 missing IT equipment 
items, and officials told us that their research has resolved over half 
of the discrepancies. VA headquarters officials told us that they have 
not yet prepared a Report of Survey because they believe some of their 
missing IT equipment items may still be located.
Physical Inventories by Five Locations Previously Audited Also Identify 
        Significant Numbers of Missing IT Equipment Items
    We also followed up with the five other case study locations \43\ 
that we previously audited to determine the results of physical 
inventories performed in response to recommendations in our July 2004 
report. As of the end of our fieldwork in February 2007, the Tampa, 
Florida, medical center had not yet completed its physical inventory. 
In addition, the Houston, Texas, medical center's fiscal year 2005 
physical inventory procedures continued to exclude IT equipment valued 
under $5,000 because the center had followed inaccurate guidance from 
its VISN.
---------------------------------------------------------------------------
    \43\ The Washington, DC, medical center was covered in both audits.
---------------------------------------------------------------------------
    Our standards for internal control require federal agencies to have 
policies and procedures for ensuring that the findings of audits and 
other reviews are promptly resolved. In accordance with these 
standards, managers are to (1) promptly evaluate findings from audits 
and other reviews, including those showing deficiencies and 
recommendations; (2) determine proper actions in response to findings 
and recommendations; and (3) complete, within established timeframes, 
all actions that correct or otherwise resolve the matters brought to 
management's attention. The failure to ensure that VA organizations 
take appropriate, timely action to address audit findings and 
recommendations indicates a significant control environment weakness 
with regard to a ``tone at the top'' and does not set an example that 
supports performance-based management and establishes controls that 
serve as the first line of defense in safeguarding assets and 
preventing and detecting errors.
    Based on information obtained through March 2, 2007, the five case 
study locations we previously audited had identified over 8,600 missing 
IT equipment items with a combined original acquisition value of over 
$13.2 million. As noted in table 7, of the three medical centers that 
completed their physical inventories, the Los Angeles, California, 
medical center reported over 8,400 missing IT equipment items valued at 
over $12.4 million.


    Table 7--Summary of Physical Inventories and Missing IT Equipment Identified by Five Case Study Locations
                                     Previously Audited as of March 2, 2007
----------------------------------------------------------------------------------------------------------------
                                                                                                 Original items
                                           Fiscal year of   Dates of Reports      Number of        acquisition
      Medical center test location            inventory         of Survey          missing      value of missing
                                                                                                      items
----------------------------------------------------------------------------------------------------------------
Atlanta, GA                                 Ongoing since   Not yet prepared              195          $254,666
                                                     2005
----------------------------------------------------------------------------------------------------------------
Houston, TX\a\                                       2005         Mar. 2005                 3           $79,703
----------------------------------------------------------------------------------------------------------------
Los Angeles, CA                                      2006   Not yet prepared            8,402       $12,424,860
----------------------------------------------------------------------------------------------------------------
San Francisco, CA                                    2005    Oct. 2004 thru                68          $463,373
                                                                  Dec. 2005
----------------------------------------------------------------------------------------------------------------
Tampa, FL                                   Ongoing since   Not yet prepared          Unknown           Unknown
                                                Jan. 2006
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
\a\ The Houston medical center inventoried only items valued at $5,000 or more.


    We found that Houston medical center property management policy did 
not include IT equipment within its definition of sensitive items 
requiring annual physical inventories. As a result, the Houston medical 
center inventoried items valued at $5,000 or more and reported three 
missing IT equipment items valued at $79,703. Houston medical center 
officials told us that they are now complying with VA policy to include 
all IT equipment in their current annual physical inventory effort. The 
Atlanta medical center identified 195 missing IT equipment items valued 
at $254,666, and the San Francisco medical center reported a total of 
68 missing IT equipment items valued at $463,373. Three of the five 
medical centers (Atlanta, Los Angeles, and Tampa) had not yet prepared 
Reports of Survey on the missing items identified in their physical 
inventories.
Physical Security Weaknesses Increase Risk of Loss, Theft, and 
        Misappropriation of IT Equipment and Sensitive Data
    Our investigator's inspection of physical security at officially 
designated IT warehouses and storerooms that held new and used IT 
equipment found that most of these storage facilities met the 
requirements in VA Handbook 0730/1, Security and Law Enforcement. 
However, not all of the formally designated storage locations had 
required motion detection alarm systems and special door locks. In 
response to our findings, physical security specialists at the four 
case study locations told us that they had recommended that the needed 
mechanisms be installed. We also found numerous instances of IT 
equipment storage areas at VA headquarters offices that had not been 
formally designated as IT storerooms, and these informal IT storage 
areas did not meet VA physical security requirements.
    In addition, although VA requires that hard drives of IT equipment 
and medical equipment be sanitized prior to disposal to prevent 
unauthorized release of sensitive personal and medical information, we 
found weaknesses in the disposal process that pose a risk of data 
breach. \44\ For example, our tests of computer hard drives in the 
excess property disposal process found that hard drives at two of the 
four case study locations that had not yet been sanitized contained 
hundreds of names and Social Security numbers. We also found that some 
of the hard drives had been in the disposal process for several years 
without being sanitized, creating an unnecessary risk that sensitive 
personal information protected under the Privacy Act of 1974 \45\ and 
personal medical information accorded additional protections under 
HIPAA \46\ could be compromised. Weaknesses in physical security 
heighten the risk of data breach related to sensitive personal 
information residing on hard drives in the property disposal process 
that have not yet been sanitized.
---------------------------------------------------------------------------
    \44\ VA IRM personnel and contractors follow NIST Special 
Publication 800-88 guidelines as well as more stringent DoD policy in 
DoD 5220.22-M, National Industrial Security Program Operating Manual, 
ch. 8, Sec.  8-301, which requires performing three separate erasures 
for media sanitization.
    \45\ Privacy Act of 1974, codified, as amended, at 5 U.S.C. Sec.  
552a.
    \46\ Pub. L. No. 104-191, Sec.  264, 110 Stat. 1936, 2033-34 (Aug. 
21, 1996), and implementing regulations at 45 C.F.R. pt. 164.
---------------------------------------------------------------------------
Weaknesses in Procedures for Controlling Excess Computer Hard Drives
    As previously discussed, VA requires that hard drives of excess 
computers be sanitized prior to reuse or disposal because they can 
store sensitive personal and medical information used in VA programs 
and activities, which could be compromised or used for unauthorized 
purposes. For example, our limited tests of excess computer hard drives 
in the disposal process that had not yet been sanitized found 419 
unique names and Social Security numbers on three of the six Board of 
Veterans' Appeals hard drives and one record on one of two VHA hard 
drives we tested. Our tests of five San Diego medical center hard 
drives that had not yet been sanitized found that one hard drive held 
at least 20 detailed patient medical histories, including 5 histories 
that contained Social Security numbers. Our limited tests of hard 
drives that were identified as having been subjected to internal or 
contractor data sanitization procedures did not find data remaining on 
these hard drives.
    However, our limited tests identified some problems that could pose 
a risk of data breach with regard to sensitive personal and medical 
information on hard drives in the disposal process that had not yet 
been sanitized. For example, our IT security specialist found that five 
hard drives stored in a bin labeled by the San Diego medical center as 
holding hard drives that had not been erased had in fact been 
sanitized. The lack of proper segregation and tracking of hard drives 
in the sanitization process poses a risk that some hard drives could 
make it through this process and be selected for reuse without having 
been sanitized. Further, based on the file dates on some of the 
computer hard drives that had not yet been sanitized at the San Diego 
and Indianapolis medical centers, our IT security specialist noted 
excessive delays (up to 6 years) in performing data sanitization once the 
computer systems had been identified for removal from use and disposal. 
Excessive delays in completing hard drive sanitization and disposal 
procedures pose an unnecessary risk when sensitive personal and medical 
information that is no longer needed is not removed from excess 
computer hard drives in a timely manner.
Physical Security Weaknesses at IT Storage Locations Pose Risk of Data 
        Breach
    VA Handbook 0730/1, Security and Law Enforcement, prescribes 
physical security requirements for storage of new and used IT 
equipment. Specifically, the Handbook requires warehouse-type 
storerooms to have walls to ceiling height with either masonry or 
gypsum wall board reaching to the underside of the slab (floor) above. 
IRM storerooms are required to have overhead barricades that prevent 
``up and over'' access from adjacent rooms. Warehouse, IRM, and medical 
equipment storerooms are all required to have motion intrusion 
detection alarm systems that detect entry and broadcast an alarm of 
sufficient volume to cause an illegal entrant to abandon a burglary 
attempt. Intrusion detection alarms for storerooms outside facility 
grounds, such as outpatient clinics, are required to be connected 
remotely to a commercial security alarm monitoring firm, local police 
department, or security office charged with building security. Finally, 
IRM storerooms also are required to have special key control, meaning 
room door lock keys and day lock combinations that are not master keyed 
for use by others.
    Most of the designated IT equipment storage facilities at the four 
case study locations met VA IT physical security requirements in VA 
Handbook 0730/1; however, we identified some deficiencies. For example, 
our investigator found that the Washington, DC, and San Diego medical 
center IRM equipment storerooms lacked motion intrusion detection alarm 
systems and the Washington, DC, medical center IRM storeroom did not 
meet door locking requirements. Based on our investigator's findings, 
physical security specialists at the San Diego and Washington, DC, 
medical centers told us they have recommended that required intrusion 
detectors be installed in their IRM storerooms. In addition, the 
Washington, DC, medical center reduced the number of keys to its IRM 
storerooms and changed storeroom locks to meet established 
requirements. Designated IT equipment storage facilities at the 
Indianapolis medical center met VA physical security requirements.
    Despite the established physical security requirements, we found 
numerous informal, undesignated IT equipment storage locations that did 
not meet VA physical security requirements. For example, our 
investigator observed an IT workroom at the Indianapolis medical center 
where new IT equipment was placed on the floor. This room lacked a 
motion detection alarm system and the type of locking system prescribed 
in VA policy. Indianapolis VA Police told our investigator that such a 
level of security was not required for this room under VA policy, 
because it was not designated as a storeroom. In addition, at the VA 
headquarters building, our investigator found that the physical 
security specialist was unaware of the existence of IT equipment in 
some storerooms. Thus, these storerooms had not been subjected to 
required physical security inspections. VA Police and physical security 
specialists at our test locations agreed with our investigator's 
assessment that the physical security of these IT storerooms was 
inadequate.
    During our statistical tests, we observed one IT equipment 
storeroom in the VA headquarters building IT Support Services area that 
had a separate wall, but no door. As shown in figure 2, the wall 
opening into the storeroom had yellow tape labeled ``CAUTION'' above 
the doorway. The storeroom was within an IT work area that had dropped 
ceilings that could provide ``up and over'' access from adjacent rooms, 
such as the employee store, and no alarm or intrusion detector. This 
storeroom did not meet VA's physical security requirements for motion 
intrusion detection and alarms and secure doors, locks, and special 
access keys.

  Figure 2--Photograph of Unsecured IT Equipment Storeroom in the VA 
                         Headquarters Building
[GRAPHIC] [TIFF OMITTED] 37474A.002


    Source: GAO.

    In another headquarters building, which housed VA's Office of 
General Counsel, we observed excess IT equipment, including computers 
with hard drives that had been awaiting turn-in and disposal for 
several months. This IT equipment was stacked in the corners of a large 
work area that had multiple doors and open access to numerous 
individuals, including vendors, contractors, employees, and others. 
Because our limited tests found sensitive personal data and information 
on hard drives that had not yet been sanitized, the failure to provide 
adequate security leaves this information vulnerable to data breach. 
Further, because software that can be used to image, or copy, this 
information is readily available, it is important to provide adequate 
security for these items. For example, imaging software, such as 
``Foremost,'' which was one of the imaging software products used by 
our IT security specialist, can be downloaded at no cost from the 
Internet and used to copy information from one hard drive to another in 
a few minutes. Thus, it is possible for a data breach to occur without 
theft of the IT equipment on which the data reside.
    We also found that VA headquarters IT coordinators used storerooms 
and closets with office-type door locks to store IT equipment that was 
not currently in use. Other headquarters organizations stored laptops 
that were in the ``loaner pool'' for use by employees on travel or at 
home in locked filing cabinets in open areas. In addition, during our 
test work, we observed that very few IT equipment items had been 
secured by locked cables. Physical security of IT equipment is of 
particular concern at the VA medical centers because these centers 
provide open access to visitors, students, contractors, and others. The 
lack of secure storage leaves this IT equipment and any sensitive 
personal information stored on this equipment vulnerable to theft, 
loss, misappropriation, and data breach.
VA Actions to Improve IT Management and Controls Have Been Limited
    Although VA has strengthened existing property management policy 
\47\ in response to recommendations in our July 2004 report, issued 
several new policies to establish guidance and controls for IT 
security, and reorganized and centralized the IT function within the 
department under the CIO, these actions have not yet been fully 
implemented. For example, the CIO has no formal responsibility for 
medical equipment that stores or processes patient data. VA 
headquarters CIO officials agree that this is an area of vulnerability 
that needs to be addressed. In addition, the new CIO organization 
structure does not address roles or necessary coordination between IRM 
and property management personnel with regard to inventory control of 
sensitive IT equipment items. The Assistant Secretary for Information 
and Technology, who serves as the CIO, told us that his staff is aware 
of this problem and the new CIO organization structure includes a unit 
that will have responsibility for IT equipment asset management once it 
becomes operational. However, this unit has not yet been funded or 
staffed.
---------------------------------------------------------------------------
    \47\ VA Handbook 7127/4, Materiel Management Procedures (Oct. 11, 
2005).
---------------------------------------------------------------------------
    Regarding new policies, on October 11, 2005, VA revised its 
Handbook on materiel management procedures to emphasize that annual 
inventory requirements for sensitive items valued at under $5,000 
include IT equipment, and specifically lists these items as including 
desktop and laptop computers, CD drives, printers, monitors, and 
handheld portable telecommunication devices. However, as noted in this 
report, VA has not ensured that sensitive IT equipment items valued at 
less than $5,000 have been subjected to annual physical inventories. In 
addition, on March 9, 2007, at the time we began briefing VA management 
on the results of our audit, VA's Office of Information and Technology 
issued a policy \48\ that includes assignment of user-level 
accountability for certain IT equipment, including external drives, 
desktop and laptop computers, and mobile phones that can be taken 
offsite for individual use. However, this policy had not yet been 
coordinated with property management officials who will be responsible 
for implementing the policy.
---------------------------------------------------------------------------
    \48\ Universal Serial Bus (USB) Flash Drive User Guide 2.0 (Mar. 9, 
2007).
---------------------------------------------------------------------------
    On August 4, 2006, VA issued a new directive entitled Information 
Security Program, which requires, in part, periodic evaluations and 
testing of the effectiveness of all management, operational, and 
technical controls and calls for procedures for immediately reporting 
and responding to security incidents. A thorough understanding of the 
IT inventory control process and required internal controls within this 
process will be key to effective testing and oversight. Managers were 
not always aware of the inherent problems in their IT inventory 
processes discussed in this report, including the lack of required 
controls. Because the directive does not provide specific information 
on how these procedures will be carried out, the CIO is developing 
supplementary user guides. Effective implementation will be key to the 
success of VA IT policy and organizational changes.
Conclusions
    Poor accountability and a weak control environment have left the 
four VA case study organizations vulnerable to continuing theft, loss, 
and misappropriation of IT equipment and sensitive personal data. To 
provide a framework for accountability and security of IT equipment, 
the Secretary of Veterans Affairs needs to establish clear, 
sufficiently detailed mandatory policies rather than leaving the 
details of how policies will be implemented to the discretion of local 
VA organizations. Keys to safeguarding IT equipment are effective 
internal controls for the creation and maintenance of essential 
transaction records; a disciplined framework for specific, individual 
user-level accountability, whereby employees are held accountable for 
property assigned to them, including appropriate disciplinary action; 
and maintaining adequate physical security over IT equipment items. 
Although VA management has taken some actions to improve inventory 
controls, strengthening the overall control environment and 
establishing and implementing specific IT equipment controls will 
require a renewed focus, oversight, and continuing commitment 
throughout the organization.
Recommendations for Executive Action
    We recommend that the Secretary of Veterans Affairs require that 
the medical centers and VA headquarters offices we tested and other VA 
organizations, as appropriate, take the following 12 actions to improve 
accountability of IT equipment inventory and reduce the risk of 
disclosure of sensitive personal data, medical data, or both.
    To help minimize the risk of loss, theft, and misappropriation of 
government IT equipment used in VA operations, we recommend that the 
Secretary take the following eight departmentwide actions.

      Revise VA property management policy and procedures to 
include detailed requirements for what transactions must be recorded to 
document inventory events and to clearly establish individual 
responsibility for recording all essential transactions in the property 
management process.
      Revise VA purchase card policy to require purchase card 
holders to notify property management officials of IT equipment and 
other property items acquired with government purchase cards at the 
time the items are received so that they can be recorded in property 
management systems.
      Establish procedures to require specific, individual 
user-level accountability for IT equipment. In implementing this 
recommendation, consideration should be given to making the unit head, 
or a designee, accountable for shared IT equipment.
      Enforce user-level accountability and IT coordinator 
responsibility by taking appropriate disciplinary action, including 
holding employees financially liable, as appropriate, for lost or 
missing IT equipment.
      Establish specific timeframes for finalizing a Report of 
Survey once an inventory has been completed so that research on missing 
items is completed expeditiously and does not continue indefinitely 
without meeting formal reporting requirements.
      Establish a mechanism to monitor adherence by the San 
Diego and Houston medical centers and other VA organizations, as 
appropriate, to VA policy for performing annual inventories of 
sensitive items under $5,000, including IT equipment.
      Require that IRM and IT Services personnel at the various 
medical centers be given access to the central property database and be 
furnished with hand scanners so they can electronically update the 
property control records, as appropriate, during installation, repair, 
replacement, and relocation or disposal of IT equipment.
      Require physical security personnel to perform 
inspections of buildings and storage facilities to identify informal 
and undesignated IT storage locations so that security assessments are 
performed and corrective actions are implemented, where appropriate.

    To assure inventory accuracy and prompt resolution of inventory 
discrepancies and improve security of IT equipment and any sensitive 
data stored on that equipment, we recommend that the Secretary require 
the CIO to take the following four actions.

      Establish a formal policy requiring a review of the 
results of annual inventories to ensure that IT equipment inventory 
records are properly updated and no blank fields remain.
      Establish a process for reviewing Reports of Survey for 
lost, missing, and stolen IT equipment items to identify systemic 
weaknesses for appropriate corrective action.
      Establish and implement a policy requiring IRM personnel 
and IT coordinators to inform physical security officers of the site of 
all IT equipment storage locations so that these store rooms can be 
subjected to required inspections.
      Establish and implement a policy for reviewing the 
results of physical security inspections of IT equipment storerooms and 
ensure that needed corrective actions are completed.
Agency Comments and Our Evaluation
    In written comments dated June 22, 2007, on a draft of this report, 
VA generally agreed with our findings, noted significant actions under 
way, and concurred on the 12 recommendations. For example, with regard 
to establishing detailed requirements for what transactions must be 
recorded to document inventory events, VA stated that it is performing 
a comprehensive update of department policies and procedures and plans 
to provide additional training and equipment audits, as necessary. With 
regard to establishing user-level accountability, VA stated that it is 
developing a policy that will require (1) unit heads or their designees 
to sign for all IT equipment issued to their service/unit and (2) hand 
receipts for IT equipment at the user-level.
    VA also provided technical comments regarding the information in 
tables 6 and 7. Specifically, VA stated that our data did not specify 
whether the estimated value provided for missing IT equipment was based 
on a depreciated loss value or a replacement value. Consistent with 
VA's reporting requirements for its Reports of Survey on lost personal 
property items, which include IT equipment, we used the original 
acquisition value for our estimates. Accordingly, we revised the column 
headings in the tables to note that the reported dollar value of 
missing items relates to the original acquisition value. Further, VA 
stated that some of the missing equipment included in our estimate may, 
in fact, have been properly disposed of but the proper documentation 
was not available. As stated in our report, proper documentation of key 
equipment events, such as transfer, turn-in, and disposal, must be 
documented by an inventory transaction, financial transaction, or both, 
as appropriate. Because the property system had not been updated to 
reflect a transfer, turn-in, or disposal and no hard copy documentation 
had been retained, it is not possible to determine whether any of the 
missing IT equipment items had been properly sent to disposal, and VA 
has no assurance that they were not lost or stolen.
    As agreed with your offices, unless you announce its contents 
earlier, we will not distribute this report until 30 days from its 
date. At that time, we will send copies to interested congressional 
Committees; the Secretary of Veterans Affairs; the Veterans Affairs 
Chief Information Officer; the Acting Secretary of Health, Veterans 
Health Administration; and the Director of the Office of Management and 
Budget. We will make copies available to others upon request. In 
addition, this report will be available at no charge on the GAO Web 
site at http://www.gao.gov.
    Please contact me at (202) 512-9095 or [email protected], if you 
or your staff have any questions concerning this report. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Major contributors to this 
report are acknowledged in appendix III.

                                                     McCoy Williams
                                                           Director
                                 Financial Management and Assurance

                               __________

             Appendix I: Objectives, Scope, and Methodology
    Pursuant to a request from the Chairman and Ranking Minority Member 
of the House Committee on Veterans' Affairs, we audited the Department 
of Veterans Affairs (VA) information technology (IT) equipment 
inventory controls. Our audit covered the following.

      An assessment of the risk of loss, theft, and 
misappropriation of VA IT equipment items based on statistical tests of 
VA IT equipment inventory at selected case study locations and our 
investigator's evaluations of physical security and VA law enforcement 
investigations of incidents of loss or theft.
      Results of physical inventories of IT equipment performed 
by case study locations covered in this audit and our previous audit.
      An assessment of the adequacy of VA's physical security 
and accountability procedures for IT equipment in the property disposal 
process.
      Management actions taken or under way to address 
previously identified IT equipment inventory control weaknesses.

    We used as our criteria applicable law and VA policy, as well as 
our Standards for Internal Control in the Federal Government \1\ and 
our Internal Control Management and Evaluation Tool. \2\ To assess the 
control environment at our test locations, we obtained an understanding 
of the processes and controls over IT equipment from acquisition to 
issuance and periodic inventories and disposal. We performed walk-
throughs of these processes at all four test locations. We reviewed 
applicable program guidance provided by the test locations and 
interviewed officials about their IT inventory processes and controls.
---------------------------------------------------------------------------
    \1\ GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, DC: November 1999). This document was 
prepared to fulfill our statutory requirement under 31 U.S.C. 3512 (c), 
(d), commonly known as the Federal Managers' Financial Integrity Act 
1982, to issue standards that provide the overall framework for 
establishing and maintaining internal control.
    \2\ GAO, Internal Control Management and Evaluation Tool, GAO-01-
1008G (Washington, DC: August 2001). This document was prepared to 
assist agencies in maintaining or implementing effective internal 
control and, when needed, to help determine what, where, and how 
improvements can be implemented. Although this tool is not required to 
be used, it is intended to provide a systematic, organized, and 
structured approach to assessing the internal control structure.
---------------------------------------------------------------------------
    In selecting our case study locations, we chose the Washington, DC, 
VA medical center, the location with the most significant problems 
identified in our July 2004 report, and two other geographically 
dispersed VA medical centers. We also tested inventory at VA 
headquarters as a means of assessing the overall control environment, 
or ``tone at the top.'' Table 8 shows the VA locations selected for IT 
equipment inventory control testing and the number and reported value 
of IT equipment items at each location.


                    Table 8--Population of VA IT Equipment at Locations Selected for Testing
----------------------------------------------------------------------------------------------------------------
                                                               Sample size and number   Value of VA IT equipment
                         VA location                          of VA IT equipment items          inventory
----------------------------------------------------------------------------------------------------------------
Washington, DC, medical center                                       168 of 8,728 \a\               $33,065,322
----------------------------------------------------------------------------------------------------------------
Indianapolis, IN, medical center                                        144 of 7,614                $29,101,577
----------------------------------------------------------------------------------------------------------------
San Diego, CA, medical center                                           148 of 11,604               $48,077,071
----------------------------------------------------------------------------------------------------------------
VA headquarters                                                         344 of 25,353               $31,301,951
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of VA facility IT equipment inventory.
Note: The data represent current inventory at the time we pulled our samples. The reported value is the original
  acquisition cost.
\a\ Includes 4,127 leased IT equipment items.


    To follow up on actions taken in response to recommendations in our 
July 2004 report for improving physical inventories, we obtained and 
reviewed information on physical inventory results at the four case 
study locations as well as the five other case study locations 
previously audited.
    We performed appropriate data reliability procedures, including an 
assessment of each VA test location's procedures for assuring data 
reliability, and tests to assure that IT equipment inventory was 
sufficiently complete for the purposes of our work. Our procedures and 
test work identified a limitation related to IT equipment inventory 
completeness at our four test locations. IT equipment inventories at 
the Indianapolis and San Diego medical centers and VA headquarters 
organizations did not include all IT equipment acquired with purchase 
cards or purchased directly from local vendors. Also, the Washington, 
DC, medical center inventory did not include one inventory category 
consisting of 149 older computer monitors and workstations. This data 
limitation prevented us from projecting our test results to the 
population of IT equipment inventory at each of our four test 
locations. However, we determined that these data were sufficiently 
reliable for us to project our test results to the population of 
current, recorded IT equipment inventory at each of the four locations.
    From the universe of current, recorded IT equipment inventory at 
the time of our tests, we selected stratified random probability 
samples of IT equipment, including medical equipment with data storage 
capability, at each of the three medical center locations. For the 23 
VA headquarters organizations, we stratified our sample by 6 major 
offices and used a seventh stratum for the remaining 17 organizations. 
With these statistically valid samples, each item in the population for 
the four case study locations had a nonzero probability of being 
included, and that probability could be computed for any item. Each 
sample item for a test location was subsequently weighted in our 
analysis to account statistically for all items in the population for 
that location, including those that were not selected.
    We performed tests on statistical samples of IT equipment inventory 
transactions at each of the four case study locations to assess whether 
the system of internal controls over physical IT equipment inventory 
was effective (i.e., provided reasonable assurance of the reliability of 
inventory information and accountability of the individual items). For 
each IT equipment item in our statistical sample, we assessed whether 
(1) the item existed (meaning that the item recorded in the inventory 
records could be located), (2) inventory records and processes provided 
adequate accountability, and (3) identifying information (property 
number, serial number, model number, and location) was accurate. We 
explain the results of our existence tests in terms of control failures 
related to missing items and record keeping errors. The results of our 
statistical samples are specific to each of the four test locations and 
cannot be projected to the population of VA IT transactions as a whole. 
We present the results of our statistical samples for each population 
as (1) our projection of the estimated error overall and for each 
control attribute as point estimates and (2) the two-sided, 95 percent 
confidence intervals for the failure rates.
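    The projection described above, worked through as an added example 
that is not part of the GAO report: in a stratified random sample every 
item in stratum h has inclusion probability n_h/N_h and so carries weight 
N_h/n_h; the failure rate for a control attribute (existence, 
accountability, accurate identifying information, or any failure 
overall) is the population-weighted sum of the stratum rates; and the 
two-sided 95 percent confidence interval comes from the finite-
population-corrected variance of a stratified proportion under a normal 
approximation. The strata sizes, sample sizes and failure pattern are 
constructed for the example and are not GAO's data, and the function 
treats one test location at a time, consistent with the report's 
statement that results cannot be projected across locations.

```python
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass

Z_95 = 1.959964  # two-sided 95 percent quantile of the standard normal


@dataclass(frozen=True)
class SampledItem:
    stratum: str        # e.g. one of the major headquarters offices
    exists: bool        # the recorded item could be located
    accountable: bool   # records and processes show who is responsible for it
    ids_accurate: bool  # property, serial and model number and location all correct


@dataclass(frozen=True)
class Estimate:
    rate: float                # point estimate of the population failure rate
    lower: float               # two-sided 95 percent confidence interval
    upper: float
    projected_failures: float  # sample failures weighted up to the population


def _failed(item: SampledItem, attribute: str) -> bool:
    """'overall' counts an item as a control failure if any attribute failed."""
    if attribute == "overall":
        return not (item.exists and item.accountable and item.ids_accurate)
    return not getattr(item, attribute)


def stratified_failure_rate(population: dict[str, int],
                            sample: list[SampledItem],
                            attribute: str = "overall") -> Estimate:
    """Project a stratified random sample of inventory items to one location's
    recorded population. population maps stratum -> N_h (items in the records);
    every sampled item in stratum h had inclusion probability n_h / N_h and
    therefore carries weight N_h / n_h."""
    total = sum(population.values())
    by_stratum: dict[str, list[SampledItem]] = defaultdict(list)
    for item in sample:
        if item.stratum not in population:
            raise ValueError(f"sampled item from unknown stratum {item.stratum!r}")
        by_stratum[item.stratum].append(item)

    rate = variance = projected = 0.0
    for stratum, size in population.items():
        items = by_stratum[stratum]
        n = len(items)
        if n < 2:
            raise ValueError(f"stratum {stratum!r} needs at least 2 sampled items "
                             "to estimate a within-stratum variance")
        failures = sum(1 for it in items if _failed(it, attribute))
        p = failures / n                 # failure rate observed in the stratum
        weight = size / total            # W_h, the stratum's share of the population
        rate += weight * p
        # variance of a stratified proportion with finite population correction
        variance += weight ** 2 * (1 - n / size) * p * (1 - p) / (n - 1)
        projected += failures * (size / n)   # each sampled item stands for N_h / n_h items
    half_width = Z_95 * math.sqrt(variance)
    return Estimate(rate, max(0.0, rate - half_width), min(1.0, rate + half_width), projected)


def constructed_sample() -> tuple[dict[str, int], list[SampledItem]]:
    """Constructed data for the example, not GAO's: two strata with a fixed
    pattern of failures so the arithmetic can be checked by hand."""
    population = {"major office": 8000, "other offices": 2000}
    sample: list[SampledItem] = []
    for i in range(100):   # 100 of 8,000 items sampled from the first stratum
        sample.append(SampledItem("major office", exists=i >= 10,
                                  accountable=i >= 20, ids_accurate=i >= 30))
    for i in range(50):    # 50 of 2,000 items sampled from the second stratum
        sample.append(SampledItem("other offices", exists=i >= 5,
                                  accountable=True, ids_accurate=i >= 10))
    return population, sample


if __name__ == "__main__":
    population, sample = constructed_sample()
    for attribute in ("exists", "accountable", "ids_accurate", "overall"):
        e = stratified_failure_rate(population, sample, attribute)
        print(f"{attribute:>12}: {e.rate:.1%} "
              f"(95% CI {e.lower:.1%} to {e.upper:.1%}), "
              f"about {e.projected_failures:,.0f} of {sum(population.values()):,} items")
```

Because the within-stratum variance term divides by n_h - 1, a stratum 
with a single sampled item cannot yield a confidence interval, which is 
why the function rejects it; running the function once per location 
keeps each estimate inside the population it was actually drawn from, 
and the "overall" attribute reproduces the report's practice of 
reporting the estimated error overall as well as per control attribute.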
    Our investigator supported our tests of IT physical inventory 
controls by assessing physical security and reporting of missing items 
for purposes of law enforcement investigations. As part of our 
assessment, our investigator interviewed VA Police at the three medical 
centers and federal agency law enforcement officers at VA headquarters 
about reports and investigations of lost, stolen, and missing IT 
equipment. Our investigator also met with physical security specialists 
at each of the test locations to discuss the results of physical 
security inspections and the status of VA actions on identified 
weaknesses.
    To determine if the four test locations had adequate procedures for 
control and removal of data from hard drives of IT equipment in the 
property disposal process, our IT security specialist selected a 
limited number of computer hard drives for testing. We attempted to 
test a total of 10 hard drives in each of two categories, drives with 
data and drives that had been sanitized, at each of the four test 
locations. 
Because some hard drives we selected were damaged or computer systems 
pulled for hard drive testing did not contain hard drives, the number 
of hard drives actually tested was less than the number we selected for 
testing. At the San Diego medical center, 5 hard drives selected for 
testing that were labeled as unerased had in fact been sanitized, and 
we included these hard drives in our sanitization testing. Table 9 
shows the numbers of hard drives tested at the four locations we 
audited.


 Table 9--Number of Computer Hard Drives in the Property Disposal Process Selected for Testing at Four Locations
----------------------------------------------------------------------------------------------------------------
             Test location medical centers                Drives with data   Sanitized drives        Total
----------------------------------------------------------------------------------------------------------------
Washington, DC                                                          4                  4                  8
----------------------------------------------------------------------------------------------------------------
Indianapolis                                                            5                  6                 11
----------------------------------------------------------------------------------------------------------------
San Diego                                                              10                 15                 25
----------------------------------------------------------------------------------------------------------------
VA headquarters offices
--------------------------------------------------------
Veterans Health Administration                                          2                  1                  3
----------------------------------------------------------------------------------------------------------------
Board of Veterans Appeals                                               6                  8                 14
----------------------------------------------------------------------------------------------------------------
Office of Cyber Information Security                                    3                  1                  4
----------------------------------------------------------------------------------------------------------------
VA headquarters, subtotal                                              11                 10                 21
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.


    In performing these tests, our specialist used SMART(TM) and 
Foremost software. SMART is a software utility designed and optimized 
to support forensic data practitioners and information security 
personnel in their respective duties and is currently used by federal, 
state, and local law enforcement; U.S. military and intelligence 
organizations; accounting firms; and forensic data examiners. Foremost 
is a program that recovers files from raw disk data based on their 
headers, footers, and internal data structures, without relying on the 
file system; a drive labeled as sanitized from which Foremost still 
recovers files has not been effectively sanitized. Foremost, originally 
developed by the United States Air Force Office of Special 
Investigations and the Center for Information Systems Security Studies 
and Research, is now available to the general public. In addition, our 
investigator performed physical security inspections and assessed 
accountability over computer hard drives in the disposal process.
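    The hard drive test described above, as an added example that is 
neither GAO's code nor the Foremost program itself: a header/footer 
carver in the style of a foremost.conf signature list, run over a 
constructed raw image in which a quick format has zeroed only the first 
sector, over a partially overwritten copy of that image, and over a 
fully overwritten copy. The signatures are the real format magic 
values; the image layout, the size limits and the three sanitization 
functions are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

SECTOR = 512

# Signatures as an entry in foremost.conf would describe them:
# extension -> (header, footer, maximum bytes to carve when no footer is found).
# The magic values are the real ones; the size limits are assumptions for this example.
SIGNATURES: dict[str, tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
}


@dataclass(frozen=True)
class CarvedFile:
    kind: str
    offset: int     # byte offset of the header in the image
    data: bytes
    complete: bool  # False when no footer appeared within the size limit


def carve(image: bytes, signatures=SIGNATURES) -> list[CarvedFile]:
    """Recover files from raw bytes by header and footer, ignoring any file system.

    Directory entries and allocation tables play no part, so a quick format or a
    deleted file leaves the bytes fully recoverable. A header with no footer
    inside the size limit is still reported, flagged incomplete, because a
    partial overwrite can leave a recognisable head of a document behind.
    """
    found: list[CarvedFile] = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            limit = min(len(image), start + max_size)
            foot = image.find(footer, start + len(header), limit)
            if foot >= 0:
                end = foot + len(footer)
                found.append(CarvedFile(kind, start, image[start:end], True))
            else:
                end = limit
                found.append(CarvedFile(kind, start, image[start:end], False))
            pos = end
    return sorted(found, key=lambda f: f.offset)


def recoverable_files(image: bytes) -> int:
    """Complete files a carver brings back; expected to be zero on a drive labelled sanitized."""
    return sum(1 for f in carve(image) if f.complete)


def build_quick_formatted_image() -> bytes:
    """Constructed 32 KiB image (not a real file system): a JPEG-like and a
    PDF-like file sit at fixed sectors, and a 'quick format' has zeroed only the
    first sector, where the allocation table would have been."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 3000 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * 5000 + b"\n%%EOF"
    image = bytearray(64 * SECTOR)
    image[8 * SECTOR: 8 * SECTOR + len(jpeg)] = jpeg
    image[24 * SECTOR: 24 * SECTOR + len(pdf)] = pdf
    image[0:SECTOR] = bytes(SECTOR)  # the quick format's only effect on the media
    return bytes(image)


def overwrite_sanitize(image: bytes) -> bytes:
    """Full single-pass overwrite of the whole data area with a fixed pattern."""
    return bytes(len(image))


def partial_overwrite(image: bytes, sectors_kept: int) -> bytes:
    """An interrupted wipe that overwrote everything except the first N sectors."""
    kept = sectors_kept * SECTOR
    return image[:kept] + bytes(len(image) - kept)


if __name__ == "__main__":
    for label, img in [
        ("quick format only", build_quick_formatted_image()),
        ("interrupted wipe", partial_overwrite(build_quick_formatted_image(), 10)),
        ("full overwrite", overwrite_sanitize(build_quick_formatted_image())),
    ]:
        hits = carve(img)
        print(f"{label}: {len(hits)} carved, {recoverable_files(img)} complete",
              [(f.kind, f.offset, len(f.data), f.complete) for f in hits])
```

The quick-formatted image gives back both files intact, the 
interrupted wipe still surfaces the JPEG header with whatever body 
survived, and only the full overwrite leaves nothing to carve, which is 
the outcome an auditor needs to see before a drive labeled as sanitized 
is trusted.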
    To identify management actions taken in response to previously 
identified control weaknesses, we interviewed VA officials at our test 
locations, walked through the IT inventory processes to observe 
controls as implemented, and met with VA's Chief Information Officer 
(CIO). We also obtained and reviewed copies of new and revised VA 
policies and procedures.
    We briefed VA managers at our test locations and VA headquarters, 
including VA medical center directors, VA headquarters information 
resource management and property management officials, and VA's CIO on 
the details of our audit, including our findings and their 
implications. On April 9, 2007, we requested comments on a draft of 
this report. We received comments on June 22, 2007, and have summarized 
those comments in the Agency Comments and Our Evaluation section of 
this report. We conducted our audit work from September 2006 through 
March 2007 in accordance with generally accepted government auditing 
standards, and we performed our investigative work in accordance with 
standards prescribed by the President's Council on Integrity and 
Efficiency.

                               __________

     Appendix II: Comments from the Department of Veterans Affairs
                            The Deputy Secretary of Veterans Affairs
                                                     Washington, DC
                                                      June 22, 2007

Mr. McCoy Williams
Director
Information Management Issues
U. S. Government Accountability Office
441 G Street, NW
Washington, DC 20540

Dear Mr. Williams:

    The Department of Veterans Affairs (VA) has reviewed the Government 
Accountability Office's (GAO) draft report: VETERANS AFFAIRS: 
Inadequate Controls over IT Equipment at Selected VA Locations Pose 
Continuing Risk of Theft, Loss, and Misappropriation (GAO-07-505) and 
generally agrees with its findings. VA supports GAO's conclusion that 
improving the overall control environment for sensitive information 
technology (IT) equipment requires renewed focus, oversight, and 
continued commitment throughout the organization.
    The Department has already taken significant actions, including the 
recent transformation of VA's IT program to a single authority under 
the Chief Information Officer. This will enable the Department to 
centralize and standardize IT equipment accountability policies and 
procedures, and replicate identified IT inventory best practices across 
VA.
    Accomplishing this task will require a concerted effort by many 
different offices within the Department. VA will analyze why VA medical 
center employees were found to have used their own systems to track IT 
equipment assigned to their units instead of updating records through 
VA's existing formal control system. Accordingly, the Department will 
convene a formal work group to include representatives from at least 
the Office of Information and Technology, Office of Acquisition and 
Materiel Management, the Office of Security and Law Enforcement, the 
Veterans Health Administration, and the Office of Human Resources and 
Administration to ensure development of a comprehensive strategy to 
address all of GAO's recommendations.
    Additionally, during the past nine months VA Central Office (VACO) 
has revised and implemented procedures to improve the reconciliation 
process of future annual VACO inventories. These procedures include 
refresher training for all Equipment Inventory Listing (EIL) officials, 
incorporating property accountability and responsibility in New 
Employee Orientation, and strengthening controls over the employee 
clearance process to ensure greater property accountability as 
individuals depart VACO.
    The Department is finalizing new policy directives that will 
require senior IT officials at the facility level to maintain an 
inventory of all IT equipment. The VA Office of Acquisition and 
Materiel Management provides current policy regarding the use and 
protection of VA-owned IT equipment. Department officials will 
reinforce those policies across all business lines.
    I appreciate your efforts to illuminate continuing weaknesses that 
undermine VA's efforts to protect the sensitive personal information 
the Department needs to provide services to our Nation's veterans. The 
enclosure discusses each of GAO's recommendations in detail. It also 
suggests some technical clarification for the report's overall 
accuracy.

            Sincerely yours,
                                                Gordon H. Mansfield

Enclosure

                               __________

            DEPARTMENT OF VETERANS AFFAIRS (VA) COMMENTS TO
          GOVERNMENT ACCOUNTABILITY OFFICE (GAO) DRAFT REPORT
VETERANS AFFAIRS: Inadequate Controls over IT Equipment at Selected VA 
  Locations Pose Continuing Risk of Theft, Loss, and Misappropriation 
                              (GAO-07-505)
   To help minimize the risk of loss, theft, and misappropriation of 
government IT equipment used in VA operations, GAO recommends that the 
Secretary of Veterans Affairs take the following departmentwide actions.
  Revise VA property management policy and procedures to 
        include detailed requirements for what transactions must be 
        recorded to document inventory events and to clearly establish 
        individual responsibility for recording all essential 
        transactions in the property management process.
    Concur--VA is performing a comprehensive update of Department 
policies and procedures on equipment management, and we will include 
detailed requirements as appropriate.
    To improve awareness of and compliance with existing policies and 
procedures, the Veterans Health Administration (VHA) recently issued 11 
standard operating procedures with detailed guidance to supplement VA 
policy and procedures on equipment management.
    In addition, VA's Office of Acquisition and Materiel Management 
(OA&MM) is working with VHA, the Veterans Benefits Administration, 
National Cemetery Administration and the Office of Information and 
Technology (OI&T) to identify specific ways to improve compliance with 
VA's policies and procedures on equipment management. Topics under 
review include:

      launch of a nationwide training program on equipment 
accountability;
      review of logistical organizational structures;
      implementation of a logistics certification program; and
      issuance of a memorandum to facility directors 
emphasizing the importance of equipment management and recommended 
actions to strengthen local programs.

    Finally, OA&MM is collaborating with VHA's Office of Business 
Oversight to include additional areas of audit for equipment 
management. This will also include a review of audit findings to 
determine where policies and procedures need enhancement.
  Revise VA purchase card policy to require purchase card 
        holders to notify property management officials of IT equipment 
        and other property items acquired with a government purchase 
        card at the time the items are received so that they can be 
        recorded in property management systems.
    Concur--The Office of Finance will revise VA purchase card policy 
to require purchase card holders to notify property management 
officials of IT equipment and other property items acquired with a 
government purchase card at the time the items are received so that 
they can be recorded in property management systems. Target completion 
date is July 2007.
    On page 7, under ``Requests and Ordering of IT Equipment,'' the 
sentence that begins on line 7 is no longer applicable. Headquarters 
offices may no longer place individual orders or use purchase cards to 
acquire IT equipment per recent guidance from the Chief Information 
Officer (CIO).
  Establish procedures to require specific, individual user-
        level accountability for IT equipment. In implementing this 
        recommendation, consideration should be given to making the 
        unit head, or a designee, accountable for shared IT equipment.
    Concur--The Office of Information and Technology is developing an 
operations policy that requires the senior IT official at a facility to 
maintain an inventory of all IT equipment and to have the business/
service unit head or designee sign for all IT equipment issued to their 
service/unit. Also, the policy will require issuing of hand receipts 
for IT equipment at the user-level.
  Enforce user-level accountability and IT coordinator 
        responsibility by taking appropriate disciplinary action, 
        including holding employees financially liable, as appropriate, 
        for lost or missing IT equipment.
    Concur--For VA Central Office (VACO), O/A's Property Management 
Division is responsible for processing Report of Surveys from Central 
Office organizations for lost or damaged VA property. The Property 
Management Division win expeditiously assign the Report of Survey to a 
Survey Board to determine if the employee(s) should be held financially 
liable or if disciplinary actions should be taken as a result of the 
loss, damage, or destruction of the property.
    When the Survey Board recommends that an employee should be held 
financially liable, a copy of the Report of Survey, complete findings 
and recommendations will be sent directly to the employee, instructing 
them to submit a written concurrence or objections to the findings 
within 10 working days to the approving official. An employee's failure 
to submit a written reply to the approving official within 10 working 
days will be submitted as acceptance of financial liability. Employees 
have the right to have an adverse survey finding reviewed by higher 
authority if requested within 10 working days after receiving 
notification of findings. The decision of the higher approving 
authority will be final. VA supervisors are responsible for ensuring 
that their employees are held accountable for VA property assigned to 
tl1em in performance of their job. Supervisors are also responsible for 
any property not directly assigned to an individual employee in their 
area.
    O/A's Property Management Division is also implementing new VACO 
procedures to increase supervisory awareness and accountability for 
property lost, damaged, or destroyed by employees under their 
supervision, when supported by findings and recommendations from the 
Survey Board. This procedure includes the issuance of a memorandum from 
the approving official and Report of Survey findings, to the employee's 
supervisor with a courtesy copy to the second-line supervisor and 
Employee Relations, Central Office Human Resources Service, 
recommending that the supervisor take corrective action, including 
disciplinary action as appropriate, against the employee. Employee 
Relations, Central Office Human Resources Service, will follow up with 
the employee's immediate and second-line supervisors to ensure 
appropriate action is taken within 45 calendar days.
  Establish specific timeframes for finalizing a Report of 
        Survey once an inventory has been completed so that research on 
        missing items is completed in an expeditious manner and does 
        not continue indefinitely without meeting formal reporting 
        requirements.
    Concur--OI&T is developing an operations policy that will include 
the requirement that a Report of Survey will be completed within 15 
working days following completion of annual inventory. In VACO, after 
an annual Equipment Inventory is conducted, the Not Found Property 
Report must be reconciled within 15 days of receiving the report. (In 
the past, the Office of Administration [OA] has honored organizational 
requests to extend this timeframe for equipment believed misplaced 
rather than stolen.) Equipment that cannot be reconciled must 
immediately be reported on a Report of Survey to the Property 
Management Division. Property Management Division will immediately 
conduct an investigation on the missing equipment by forming a Board of 
Survey. Recent memorandums to the various VACO department heads 
addressed these procedures. Details were also provided to Equipment 
Inventory List (EIL) officials in VACO.
  Establish a mechanism to monitor San Diego, California, and 
        Houston, Texas, medical center and other VA organization 
        adherence as appropriate, to VA policy for performing annual 
        inventories of sensitive items under $5,000, including IT 
        equipment.
    Concur--The Veterans Health Administration's (VHA) Prosthetics and 
Clinical Logistics Office (P&CLO) is monitoring all VA medical centers 
to ensure adherence to policy requiring an annual inventory of all 
items. To facilitate this effort, all facilities are required to report 
their Electronic Inventory List compliance on a quarterly basis to the 
Deputy Under Secretary for Health for Operations and Management 
(DUSHOM). This monitoring includes sensitive items under $5,000. P&CLO 
will disseminate further direction to the field on sensitive items 
through annual training, reminders at the materiel management 
conference calls, and e-mails.
  Require that IRM and IT Services personnel at the various 
        medical centers be given access to the central property 
        database and be furnished with hand scanners so they can 
        electronically update the property control records, as 
        appropriate, during installation, repair, replacement, and 
        relocation or disposal of IT equipment.
    Concur--VA's current asset management system (AEMS/MERS) allows for 
IRM and IT Services to be given restricted access to the AEMS/MERS 
system in order to record/update inventory records to reflect status 
and location. Hand scanners can be purchased locally as needed. 
Nevertheless, VHA's P&CLO is working with the DUSHOM to disseminate a 
memorandum to all VA medical centers directing them to give access to 
AEMS/MERS for all applicable information resource management and IT 
staff involved in IT asset management. P&CLO and DUSHOM will provide 
direction in the memorandum to ensure open communication between IT 
staff and logistics staff in coordination of either procuring bar code 
scanners or making available existing bar code scanners at the medical 
centers. The memorandum will specify follow-up through regular 
conference calls and e-mails as required. Lastly, P&CLO is working with 
OI&T to establish better communication in defining roles and 
responsibilities of frontline staff in updating the equipment records 
as appropriate.
  Require physical security personnel to perform inspections of 
        buildings and storage facilities to identify informal and 
        undesignated IT storage locations so that security assessments 
        are performed and corrective actions are implemented, where 
        appropriate.
    Concur--The current version of the Security and Law Enforcement 
policy (0730/1) is referenced in this report. This version has 
undergone a large-scale revision and is in the Department concurrence 
process. There is a new requirement to the revised policy that each VA 
facility establish a Security Management Committee (SMC). One of the 
tasks of the SMC is to develop a local strategic security plan (SSP). 
The SSP is intended as a framework for identifying a facility's 
security needs and resolutions.
    We also wish to note that specific physical security requirements 
for IT resources and spaces have been updated. In addition, IT spaces 
are now required to be protected with physical access control systems 
(PACS). In previous versions, this was an optional item.
    To assure inventory accuracy and prompt resolution of inventory 
discrepancies and improve security of IT equipment and any sensitive 
data stored on that equipment, GAO recommends that the Secretary 
require the CIO to take the following four actions:
  Establish a formal policy requiring a review of the results 
        of annual inventories to ensure that IT equipment inventory 
        records are properly updated and no blank fields remain.
    Concur--OI&T is developing a policy that requires the senior IT 
official at a facility to maintain an inventory of all IT equipment and 
to have the business service unit head or designee sign for all IT 
equipment issued to their service/unit. The policy will require issuing 
of hand receipts for IT equipment at the user-level. The senior IT 
official at a facility will be required to complete an annual survey 
that ensures IT equipment inventory records are complete and up-to-
date.
  Establish a process for reviewing Reports of Survey for lost, 
        missing, and stolen IT equipment items to identify systemic 
        weaknesses for appropriate corrective action.
    Concur--OI&T is developing a policy that will include the 
requirement that a report of survey will be completed within 15 working 
days following completion of annual inventory. The policy will also 
require an analysis of the reports to identify any weakness trends.
  Establish and implement a policy requiring IRM personnel and 
        IT coordinators to inform Physical Security Officers of the 
        location of all IT equipment storage locations so that these 
        store rooms can be subjected to required inspections.
    Concur--OI&T is developing a policy that will require the senior IT 
official at every facility to provide IT equipment storage locations to 
facility security personnel to perform regular inspections.
  Establish and implement a policy for reviewing the results of 
        physical security inspections of IT equipment store rooms and 
        ensure that needed corrective actions are completed.
    Concur--OI&T is developing a policy that will require senior IT 
officials at every site to complete corrective actions addressed from 
all physical security inspections of IT equipment store rooms.
Technical comments:
    Pages 4 and 20, and Tables 6 and 7, portray IT equipment that 
cannot be accounted for as having a combined potential financial loss 
in the millions of dollars. However, the report does not specify 
whether this cost estimate is provided as a depreciated loss value or a 
replacement value. Distinguishing between the two is very important as 
it directly impacts the loss estimate value. For instance, if IT 
equipment was purchased in previous years, it depreciates at a 
significant determined rate. On the other hand, if GAO used replacement 
costs to estimate the loss value, it needs to further clarify which 
year values it used (i.e., 2002 values, 2005 values, or current 2007 
values). In addition, the tally of unaccounted-for equipment that GAO 
used for its estimate of loss value was surmised as a result of this 
audit. However, VA could, in fact, have properly disposed of some of 
the ``missing'' equipment, but the proper documentation of the disposal 
is just not available. If this is the case, then it should not be 
subject to having a replacement cost associated with it.

                               __________

          Appendix III: GAO Contact and Staff Acknowledgments
GAO Contact: McCoy Williams, (202) 512-9095 or [email protected]
Acknowledgments:
    In addition to the contact named above, Gayle L. Fischer, Assistant 
Director; Andrew O'Connell, Assistant Director and Supervisory Special 
Agent; Abe Dymond, Assistant General Counsel; Monica Perez Anatalio; 
James D. Ashley; Francine DelVecchio; Lauren S. Fassler; Dennis Fauber; 
Jason Kelly; Steven M. Koons; Christopher D. Morehouse; Chris J. 
Rodriguez; Special Agent Ramon J. Rodriguez; Lori B. Tanaka; and 
Danietta S. Williams made key contributions to this report.
    Technical expertise was provided by Keith A. Rhodes, Chief 
Technologist, and Harold Lewis, Assistant Director, Information 
Technology Security, Applied Research and Methods.

                     COMMITTEE ON VETERANS' AFFAIRS
                                     Committee on Veterans' Affairs
                       Subcommittee on Oversight and Investigations
                                                      July 20, 2007

Honorable R. James Nicholson
Secretary
U.S. Department of Veterans Affairs
810 Vermont Ave., NW
Washington, DC 20420

Dear Secretary Nicholson:

    On Tuesday, July 24, 2007, the Subcommittee on Oversight and 
Investigations of the House Committee on Veterans' Affairs will conduct 
a hearing on IT Inventory Management. This hearing will be held at 2:00 
PM in room 334 Cannon House Office Building.
    The Subcommittee requests the most recent equipment inventory 
certification letters from all facility directors. We also would like a 
list of any facility directors who did not provide the latest annual 
certification for completing their annual inventories.
    Please contact Geoffrey Bestor, Esq., Staff Director of the 
Subcommittee on Oversight and Investigations, Committee on Veterans' 
Affairs, at (202) 225-3569 if you have any questions.

            Sincerely,
                                                  HARRY E. MITCHELL
                                                           Chairman

                                                  GINNY BROWN-WAITE
                                          Ranking Republican Member

[The information was provided to the Subcommittee and will be retained 
in the Committee files.]

