This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
INTERNATIONAL TELEPHONE SERVICE
AUDIT REPORT NO. 238
AUGUST 27, 1996
Although our audit of international telephone service did not identify any instances of abuse, management controls can be improved. We are making several recommendations, including strengthening access controls, reviewing international service in conference rooms, and issuing guidance for requesting service.
The Office of Administrative and Personnel Management generally concurred with our findings and recommendations. On August 5, 1996 it issued a memorandum implementing new procedures for granting and controlling international access. Its comments on our draft report are attached (see Appendix).
AUDIT OBJECTIVE AND SCOPE
The audit objective was to evaluate management controls over access to international telephone service, including procedures to identify potential instances of abuse. The audit reviewed international phone service from July 1995 to January 1996 for headquarters, the Operations Center, and the Annex building. Expenditures for international service in the field offices were immaterial and were not reviewed.
During the audit, we interviewed Commission staff, performed analytical procedures, and reviewed telephone records, access reports, and other supporting documentation. The audit was performed in accordance with generally accepted government auditing standards between September 1995 and May 1996.
The Commission uses a Private Automated Branch Exchange (PABX) telephone system for headquarters. The system provides local and long distance service, and the capability to track outgoing calls. It is maintained by Telecommunication Specialists in the Office of Administrative and Personnel Management (OAPM).
Offices and divisions can ask OAPM to provide international telephone service to authorized employees, based on their need for the service. As of September 15, 1995, approximately 420 employees had international access, approximately 24% of headquarters employees.
Management controls over international telephone service need to be improved to ensure that only authorized staff with a valid business purpose have access. Our limited review did not identify any instances of abuse, however.
The Office of Administrative and Personnel Management is currently drafting telecommunications policy guidance. OAPM should incorporate the recommendations below in the guidance.
Improve Access Controls
Currently, controls do not ensure that only authorized staff with a need for international service have access, and that access is promptly deleted when appropriate. The OAPM Telecommunications Specialists are not consistently provided with information about staffing changes or the continuing need for international access.
We found that twenty-one telephones with international service were assigned to former employees in PABX records, while six telephones with such access were not assigned to any employee ("vacant"). Presumably, international service provided to former employees was not deleted when they left. Employees using these telephones would have international access without a demonstrated need.
We also noted that almost all staff in the Equal Employment Office (EEO) had access, even though that office rarely makes international calls (only one call during the periods we reviewed in fiscal years 1995-96).
These conditions significantly increase the risk that Commission or contract employees may use the phone in an empty office (e.g., after hours) to make an international call for personal reasons. The Commission would pay for the call.
OAPM should provide the Telecommunications Specialists with timely information regarding staffing changes. Alternatively, access to international service could be deleted during the clearance procedures for separating employees.
The OAPM Telecommunications Specialists should periodically ask offices and divisions to confirm which staff still need international service (for example, by marking a listing of staff having access). Managers should be made aware of the risk imposed by granting international phone access to staff who do not have a demonstrated need for it.
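The reconciliation described above can be run as a periodic check of PABX access records against the current staff roster and call activity. The following is an added example, not part of the audit report; the record layout, names, office labels and counts are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the audit): extensions with international
# access, the current staff roster, and international calls per extension
# during the review period.
PABX_INTL = [
    {"ext": "2101", "assigned_to": "A. Rivera", "office": "Office A"},
    {"ext": "2102", "assigned_to": "B. Chen", "office": "Office A"},
    {"ext": "3300", "assigned_to": None, "office": "Office B"},
    {"ext": "4410", "assigned_to": "D. Patel", "office": "Office C"},
    {"ext": "4411", "assigned_to": "E. Brooks", "office": "Office C"},
]
CURRENT_STAFF = {"A. Rivera", "D. Patel", "E. Brooks"}
INTL_CALLS = Counter({"2101": 14, "4410": 1})

def reconcile(pabx, staff, calls):
    """Return (extension, reason) for each access record needing review."""
    findings = []
    for rec in pabx:
        who = rec["assigned_to"]
        if who is None:
            reason = "vacant"                      # access with no assignee
        elif who not in staff:
            reason = "former employee"             # access never deleted
        elif calls[rec["ext"]] == 0:
            reason = "no international calls in period"
        else:
            continue
        findings.append((rec["ext"], reason))
    return findings

def office_usage(pabx, calls):
    """Per office: (extensions with access, international calls placed)."""
    summary = {}
    for rec in pabx:
        n_ext, n_calls = summary.get(rec["office"], (0, 0))
        summary[rec["office"]] = (n_ext + 1, n_calls + calls[rec["ext"]])
    return summary

if __name__ == "__main__":
    for ext, reason in reconcile(PABX_INTL, CURRENT_STAFF, INTL_CALLS):
        print(ext, reason)
    print(office_usage(PABX_INTL, INTL_CALLS))
```

The per-office summary gives managers the listing to mark when confirming which staff still need the service.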
Review Access in Conference Rooms
Many Commission conference rooms (and other non-secure areas such as file rooms) contain telephones with international access. These telephones can be used by anyone, at any time, increasing the risk of misuse.
OAPM, in consultation with offices and divisions, should determine whether conference room telephones need international access. If not, the access should be deleted. OAPM should also consider restricting international access to times requested, to reduce the risk of misuse.
Establish Procedures for Requesting Access
OAPM provides international telephone service based on electronic mail or memorandum from the requesting office. OAPM has not established standardized procedures for these requests. Based on our discussions with administrative staff, the requests differ in the extent of justification, who submits the request, and the level of the approving official.
OAPM should establish procedures for requesting international telephone access. The procedures should cover who should submit the request, who can approve the request, and the extent of justification required.
Maintain Request Documentation
We selected a judgement sample of fifteen employees with international service to review the written requests for this service. However, OAPM only had documentation for three of them, partly because the electronic mail requests had been inadvertently erased.
OAPM should maintain supporting documentation for international service.
Review PABX Reports
We reviewed PABX records of telephone calls during the periods from July 12, 1995 to August 11, 1995, and November 1, 1995 to January 31, 1996. We did not identify any patterns of possible abuse (for example, long and frequent calls to one number during weekends).
OAPM could perform similar reviews to help identify any apparent future abuse, using reports from the PABX system (if available) with defined parameters, such as length and time of call. Besides performing such reviews for international telephone calls, OAPM could also monitor regular long distance telephone calls.
OAPM should periodically review PABX reports if available (both long distance and international) to identify potential abuse. It should follow up as appropriate on any apparent abuse.
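A review with defined parameters, such as length and time of call, can be expressed as a filter over call records that reports repeated long off-hours calls from one extension to one number. The following is an added example, not part of the audit report; the export layout, thresholds, business hours and sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed call records (not from the audit). Assumed export layout:
# start time, extension, dialed number, duration in seconds.
SAMPLE_CDR = """\
2024-06-01 14:02,3300,011442075550100,2700
2024-06-02 10:30,3300,011442075550100,3100
2024-06-08 21:15,3300,011442075550100,1900
2024-06-04 10:05,2101,011813355550123,2400
2024-06-05 20:40,2101,011331555501234,300
2024-06-09 09:00,4410,12125550147,1500
"""

MIN_SECONDS = 20 * 60   # assumed threshold for a "long" call
MIN_CALLS = 3           # assumed threshold for "frequent"

def off_hours(start):
    # Saturday or Sunday, or outside an assumed 07:00-19:00 business day.
    return start.weekday() >= 5 or not (7 <= start.hour < 19)

def call_type(dialed):
    # 011 is the international dialing prefix from North America.
    return "international" if dialed.startswith("011") else "long distance"

def review(cdr_text):
    """Return extension/number pairs with repeated long off-hours calls."""
    hits = defaultdict(list)
    for start, ext, dialed, secs in csv.reader(io.StringIO(cdr_text)):
        when = datetime.strptime(start, "%Y-%m-%d %H:%M")
        if off_hours(when) and int(secs) >= MIN_SECONDS:
            hits[(ext, dialed)].append((when, int(secs)))
    return [
        {"ext": ext, "dialed": dialed, "type": call_type(dialed),
         "calls": len(calls), "minutes": sum(s for _, s in calls) // 60}
        for (ext, dialed), calls in sorted(hits.items())
        if len(calls) >= MIN_CALLS
    ]

if __name__ == "__main__":
    for finding in review(SAMPLE_CDR):
        print(finding)
```

A flagged pair is a prompt for follow-up with the responsible office, since a long weekend call can have a valid business purpose.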
Use Personal Identification Numbers
Personal Identification Numbers (PINs) would help ensure that only authorized users had access to international telephone services. According to OAPM, the current PABX software allows PINs to be associated with each telephone but not the person to whom that telephone is assigned. Employees with international access would enter the PIN together with the telephone number being called.
OAPM should implement Personal Identification Numbers for international telephone access.
Attached is our audit report on the Commission's International Telephone Service. We have modified the report as appropriate to reflect your comments. The courtesy and cooperation of you and your staff during this audit are appreciated.