INSPECTOR GENERAL'S STATEMENT

OIG MANAGEMENT CHALLENGES FOR THE PERFORMANCE AND ACCOUNTABILITY REPORT FISCAL YEAR 2015

Accomplishing the mission "to stop and remedy unlawful employment discrimination," at EEOC is difficult, given its inherent challenges and the demand for enforcement as well as education and outreach, and other vital EEOC activities. To make continued progress towards the mission, we believe EEOC needs to be successful in meeting these three challenges in 2016: strategic performance management, reduction of the private sector charge inventory, and data security: multi-factor authentication for network and system access.

Strategic Performance Management

Equal Employment Opportunity Commission (EEOC) continues to make progress in implementing its 2012-2016 Strategic Plan; however, critical work remains. This year, the agency had a mixed record of meeting its fiscal year 2015 Strategic Plan performance targets (seven targets met, seven partially met). EEOC also made progress on other fronts, including adopting several plans. As part of its implementation of the Strategic Enforcement Plan (SEP), EEOC approved, in late September 2015, a Research and Data Plan for fiscal years 2016-2019. The plan outlines several highly useful activities, including compiling an inventory of EEOC data, improving survey collection, and tracking and reporting data. In addition, the plan identifies several long-term projects that could help EEOC meet two of its three major objectives as cited in the Strategic Plan: combat employment discrimination through strategic law enforcement, and prevent employment discrimination through outreach and education.

As we noted in last year's Management Challenges, EEOC needs to implement another aspect of the SEP, the Quality Control Plan (QCP), in a timely manner. This should bring about more effective and efficient charge processing without sacrificing charge processing quality. The QCP applies to private and state and local government sectors. Work began on the QCP in fiscal year 2013, with adoption scheduled for April 30, 2013.

EEOC, after a considerable delay, approved a QCP on September 30, 2015. The QCP states that it "is intended to assist the Commission's field staff by providing an overview of effective investigative and conciliation practices." While the recently adopted QCP is useful, the Strategic Plan states that "the Commission will develop appropriate criteria for measuring the quality of investigations and conciliations and develop a peer review assessment system that will be used to judge the quality of investigations and conciliations." Therefore, we believe that in fiscal year 2016, EEOC needs to develop the peer review assessment system. The peer review system, though not essential to quality reviews, would supplement the current review process, which examines individual private-sector charges of discrimination. A well-designed peer review process will help ensure high-quality charge processing for EEOC's key customers, including those bringing discrimination charges (charging parties) and those responding to the charges (respondents).

We believe EEOC can meet some performance management goals by adopting outcome-based performance measures, amending the Strategic Plan and incorporating such measures into the next Strategic Plan (the 2018-2022 plan). In September 2012, the Office of Inspector General (OIG) commissioned an evaluation of the Strategic Plan's performance measures (Evaluation of EEOC's Performance Measures, 2012-10-PMEV). In its March 2013 report, the OIG concluded, in part, that "the current measures do not cover the nation's progress towards achieving the [EEOC's] overarching goal: to reduce employment discrimination in the United States." The report also concluded that these measures were not outcome-based.

In our view, EEOC can greatly improve its performance management by adopting outcome-based measures, amending the current strategic plan, and incorporating the new measures into the 2018-2022 Strategic Plan (for each of EEOC's three strategic objectives). We note the current strategic plan includes interim adjustments, but that the adjustments do not include additional outcome-based measures. Also, progress toward reducing employment discrimination in the United States can be tracked. Developing and tracking such measures is not easy, but it is well worth the investment if it enables EEOC to use its resources to maximum benefit in reducing employment discrimination.

Outreach and education are a vital agency activity, as reflected in the Strategic Plan, which calls for education and outreach to play a large role in preventing employment discrimination. On September 30, 2015, Chair Jenny R. Yang approved EEOC's agency-wide Communications and Outreach Plan (COP). This is EEOC's first such plan and represents a significant step toward making the agency more efficient and effective in its communications. The COP identifies the primary goals of communications and outreach at EEOC and describes the tactics that will achieve the goals.

Timely and effective implementation of the COP will help EEOC achieve greater efficiency and effectiveness in this critical activity. Implementation will take the agency closer to concretely achieving two major outcome goals contained in the Strategic Plan: that members of the public understand and know how to exercise their right to employment free of discrimination, and that employers, unions, and employment agencies (covered entities) better address and resolve equal employment opportunity issues, thereby creating more inclusive workplaces. In addition, effective implementation would represent progress toward meeting the recommendations in the OIG's May 8, 2015, report (Evaluation of EEOC's Outreach and Education, 2014-03-OE). The recommendations are designed to make outreach and education more effective and efficient.

Management of the Private-Sector Charge Inventory

As it does each year, EEOC faces a fundamental challenge in efficiently processing the pending inventory of private-sector discrimination charges while improving the quality of charge processing. Both current and trend data demonstrate the continuing wide scope of the challenge. After decreasing by an aggregate 18.6 percent in fiscal year 2011-2012, the inventory increased by less than 1 percent in fiscal year 2013, to 70,781. In fiscal year 2014, it increased 6.9 percent, to 75,658. In fiscal year 2015, inventory increased 1.0 percent, to 76,408.

Investigators are a primary resource in the agency's efforts to process discrimination claims. For fiscal year 2015, EEOC hired 90 investigators, resulting in a net increase of 16, a 1.9 percent increase. In fiscal year 2014, the net increase was approximately 60. EEOC's Office of Field Programs reports that for 2016 it may not be able to increase the net number of investigators and could lose some, depending on EEOC's congressional appropriation. As we have previously noted, because of fluctuations in the number of charges received and the potential impact from losing experienced investigators, the increases in investigative staff will not automatically translate into reductions in the inventory. Finally, as previously noted, EEOC's management needs to ensure high quality standards for charge processing (as discussed under "Strategic Performance Management" above) and maintain accurate information in the Information Management System.

Data Security: Multifactor Authentication for Network and System Access

Due to continuous attacks on the U.S. federal government information technology infrastructure, the Office of Management and Budget (OMB) has placed significant focus on the importance of cybersecurity (measures taken to protect a computer or computer system against unauthorized access or attack). Recently OMB called for a 30-day "Cyber Sprint," mandating that each agency meet a set of five baseline requirements:

1. Validation of scanning for indicators of compromise per United States-Computer Emergency Readiness Team (US-CERT) and notify of any found.
2. Patch vulnerabilities.
3. Tighten policies for privileged users.
4. Accelerate multifactor authentication implementation.
5. Identify high-value assets and make a risk-based assessment of cybersecurity and physical protection for these items.

Smaller federal agencies (including EEOC) were not required to participate in the Cyber Sprint but were encouraged to perform the specified baseline assessment requirements. The Office of Information Technology (OIT) conducted its Cyber Sprint assessment and reported that the agency was in compliance with four of the five baseline requirements. The agency faces a challenge in meeting one requirement, implementing multifactor authentication for network and system access to protect against the unauthorized access to sensitive information, including personally identifiable information (PII) maintained by the agency.

As stated in OMB's June 12, 2015 cybersecurity fact sheet, intruders can easily steal or guess usernames and passwords and use them to gain access to Federal networks, systems, and data. Requiring the use of a personal identity verification (PIV) card or an alternative form of multifactor authentication can significantly reduce the risk of adversaries penetrating agency networks and systems.

According to OIT, EEOC has not implemented multifactor authentication due to a lack of funding/resources. The OIG has reported the multifactor authentication issue as a finding in previous Federal Information Security Management Act independent evaluations. It is imperative that agency senior management find the funding/resources for the implementation of multifactor authentication to access EEOC's networks and systems.

Office of the Inspector General to the Chair

November 13, 2015

MEMORANDUM

TO:                 Jenny R. Yang
                        Chair

FROM:           Milton A. Mayo, Jr.

Image

SUBJECT:    FY 2015Agency Compliance with the Federal Managers' Financial Integrity Act   (OIG Report No. 2015-01-FMFIA) 

The Federal Managers' Financial Integrity Act (FMFIA), P.L. 97-255, as well as the Office of Management and Budget's (OMB) Circular A-123, Management Accountability and Control, establish specific requirements for management controls.  Each agency head must establish controls to reasonably ensure that: (1) obligations and costs are in compliance with applicable laws; (2) funds, property and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and (3) revenues and expenditures applicable to agency operations are properly recorded and accounted for in order to permit the preparation of reliable financial and statistical reports, as well as to maintain accountability over the assets.  FMFIA further requires each executive agency head, on the basis of an evaluation conducted in accordance with applicable guidelines, to prepare and submit a signed statement to the President disclosing that the agency's system of internal accounting and administrative control fully comply with requirements established in FMFIA. 

EEOC Order 195.001, Internal Control Systems requires the Office of Inspector General (OIG) to annually provide a written advisory to the Chair on whether the management control evaluation process complied with OMB guidelines.  On November 6, 2015, the Office of Research, Information and Planning (ORIP) submitted EEOC's Fiscal Year 2015 FMFIA Assurance Statement to the Chair and to the OIG for review. The OIG reviewed: (1) assurance statements submitted by headquarters and district directors attesting that their systems of management accountability and control were effective and that resources under their control were used consistent with the agency's mission and complied with FMFIA; (2)  all functional area summary tables, and functional area reports; and (3) ORIP's Fiscal year 2015 Federal Managers' Financial Integrity Act Assurance Statement, and Assurance Statement Letter, and attachments.   Based on our limited independent assessment of this year's process, OIG is pleased to advise you that the Agency's management control evaluation was conducted in accordance with OMB and FMFIA regulations.

Further, based on the results of our FY 2015 financial statement audit, our auditors, Harper, Rains, Knight & Co. (HRK) identified one material weakness in internal controls over financial reporting relating to the lack of sufficient controls over financial management during this reporting cycle.

OIG concurs with ORIP's reporting of nine financial non-conformances where a corrective action plan has been implemented to resolve it in FY 2016.