Lab misspent more than $1M on IT purchases, says SEC OIG
A lab at the Securities and Exchange Commission is responsible for some major spending and IT security infractions, according to an SEC Office of Inspector General report (.pdf) released publicly Nov. 19 but dated Aug. 30.
The investigation, which was launched as the result of an anonymous complaint, uncovered the violations at the Division of Trading and Markets' automation review policy program, or ARP lab.
"ARP lab staff spent over a million dollars on computer equipment and software with little oversight or planning," write report authors. "Much of the equipment and software purchased was unneeded or never used in the inspection program."
Some of the equipment was taken home and used by employees for personal purposes. Other equipment was purchased under false pretenses. During the investigation, two staff members admitted to misrepresenting the need for laptops in contracting documents, write report authors.
In addition to the unauthorized purchase and misuse of IT equipment, ARP lab staff did not follow SEC's required security protocols. Staff took unencrypted laptops and laptops without virus protection on inspections, says the OIG.
"Although no lab laptop was reported lost or stolen, any of the unprotected laptops could have been compromised," say report authors, who add that unprotected laptops were left unattended in hotel rooms and in offices outside the SEC, and were connecting to public wireless networks at hotels.
Lab staff also used "unfiltered, unmonitored" Internet connections to access websites prohibited by SEC's office of information technology policy, such as personal email sites and sites to download freeware that could have infected the network.
According to the OIG, lab management did little to monitor what was happening in the lab and couldn't even physically access the lab with their badges for several years. They "did not know what equipment the lab purchased or what it was used for," write report authors.
The OIG says SEC management has already remedied some problems identified by the investigation, including placing two lab staffers on administrative leave. However, the OIG recommends the ARP lab's future equipment purchases be monitored by another SEC office that can confirm that purchases are cost-effective and appropriate for the lab's mission.
The OIG also asked the office of audits to conduct follow-up audits for the lab and audit information technology equipment purchases across the SEC.
- download the report, Case No. OIG-557 (.pdf)