Review of Personal Property Management System and Practices for Calendar Year 2017

View Report

Date Issued

Friday, May 31, 2019

Submitting OIG

Consumer Product Safety Commission OIG

Other Participating OIGs

Consumer Product Safety Commission OIG

Agencies Reviewed/Investigated

Consumer Product Safety Commission

Report Number

19-A-06CPSC

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Open Recommendations

This report has 9 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
7	No	$0	$0
Develop and implement controls to ensure that the data entered into PMS and IFS is accurate and consistent with CPSC policies and procedures.
8	No	$0	$0
Develop procedures to review applicable regulations and laws on an annual basis in order to ensure the property management policies and procedures remain accurate and complete.
11	No	$0	$0
Establish and implement POA&M management procedures to ensure that all identified security weaknesses, including PMS application-specific and inherited control weaknesses, are fully documented and tracked.
13	No	$0	$0
Establish and implement POA&M management procedures to ensure that changes to estimated completion dates should be documented and reflected in the POA&M tracker.
14	No	$0	$0
Estimated completion dates should be documented and reflected in the POA&M tracker.
16	Yes	$0	$0
Upon a justifiable determination of PMS’s system categorization, design and implement standard procedures for requesting and approving user access to roles and resources in PMS.
21	No	$0	$0
Upon completion of the risk analysis, develop and implement procedures to ensure that CPSC users do not have unmonitored conflicting access across multiple systems.
22	No	$0	$0
Perform and document a risk analysis to identify potential SoD conflicts within PMS.
23	No	$0	$0
Upon the completion of the risk analysis noted above, management should develop and implement procedures that ensure PMS users do not have sufficient access to allow the unmonitored execution of incompatible transactions.