Audit Report 8-02: Controls over Access to Employee Emails by SBA Managers
On October 19, 2007, the OIG issued Audit Report 8-02, Controls over Access to Employee Emails by SBA Managers. The purpose of this review was to identify the potential risks related to administrative access to employee emails and information system applications by Small Business Administration (SBA) managers, and recommend actions to strengthen controls over email access.
The OIG determined that the SBA lacked clear written guidance for reviewing employee emails. For example, Standard Operating Procedure 90 40 specifies that emails “are subject to examination in connection with authorized official Agency review,” however, there was no guidance on when an administrative inquiry and review of emails would be considered authorized. The OIG made two recommendations and the SOP has since been revised.