Stay Informed
of New Reports
Twitter
Where To Report Waste
Fraud, Abuse, Or Retaliation
Where To Report Waste Fraud, Abuse, Or Retaliation

Inspector General Open Recommendations

11/15/2023 - Small Business Administration Independent Auditors’ Report on SBA’s Fiscal Year 2023 Financial Statements [Report Details] Audit - Open Recommendations

33
Perform and document a thorough risk assessment at the financial statement assertion level to identify process level risks and communicate the results to relevant program offices. Also, assess the effectiveness of the key process level controls to respond to the identified risks in conjunction with relevant program offices.
32
Design, implement, and monitor the operating effectiveness of key controls that respond to significant risks of material misstatements and compliance with relevant laws and regulations.
31
In conjunction with the Office of the Chief Financial Officer, complete the internal control risk assessments for programs that have a material impact on the financial statements at a process level in a timely manner including the consideration of whether controls are designed, implemented, and are operating at a sufficient precision level in accordance with management’s materiality threshold and will be sufficient for financial reporting purposes.
30
Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of SVOG program transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following: • SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA. • All exceptions noted in the SOC 1 report – not just those described in the independent service auditor’s report – are evaluated to determine applicability to SBA’s internal controls over financial reporting, the potential impact to SBA’s financial statements, and mitigating controls considerations made during their risk assessment. • All complementary user entity controls described in the SOC 1 reports are evaluated using current information and with consideration to their applicability to SBA’s internal controls over financial reporting. • Evaluation procedures performed to assess whether complementary user entity controls and other SBA-performed controls were tested on a frequency determined by SBA and found operating effectively and, if they are not, assess the impact of such deficiencies on SBA’s internal controls over financial reporting. • All complementary subservice organization controls described in SOC 1 reports are evaluated to determine whether they provided services and performed controls considered relevant to SBA’s internal controls over financial reporting and, if relevant subservice organizations were identified, an evaluation is performed to obtain an understanding of the subservice organization(s) and their controls. • SOC 1 reports cover the appropriate period or corresponding gap letters provide sufficient coverage to assess impacts on SBA’s internal controls over financial reporting.
29
Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to the SVOG program. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.
28
Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of loan guarantee programs transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following: • SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA. • All exceptions noted in the SOC 1 report – not just those described in the independent service auditor’s report – are evaluated to determine applicability to SBA’s internal controls over financial reporting, the potential impact to SBA’s financial statements, and mitigating controls considerations made during their risk assessment. • All complementary user entity controls described in the SOC 1 reports are evaluated using current information and with consideration to their applicability to SBA’s internal controls over financial reporting. • Evaluation procedures performed to assess whether complementary user entity controls and other SBA-performed controls were tested on a frequency determined by SBA and found operating effectively and, if they are not, assess the impact of such deficiencies on SBA’s internal controls over financial reporting. • All complementary subservice organization controls described in SOC 1 reports are evaluated to determine whether they provided services and performed controls considered relevant to SBA’s internal controls over financial reporting and, if relevant subservice organizations were identified, an evaluation is performed to obtain an understanding of the subservice organization(s) and their controls. • SOC 1 reports cover the appropriate period or corresponding gap letters provide sufficient coverage to assess impacts on SBA’s internal controls over financial reporting.
27
Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to loan guarantee programs. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.
26
Refine existing review and approval controls to ensure the reestimate output is in accordance with accounting standards for charged-off loans.
25
Design and implement adequate review and approval controls over the reestimate for the PPP and COVID-19 EIDLs portfolios by appropriate levels of management, and to coordinate with relevant program offices to assess the integrity of relevant data inputs used in the development of assumptions, and reasonableness for the selected assumptions used and the resulting estimates.
24
Continue implementing controls in collaboration with relevant program offices for the PPP and COVID19 EIDLs portfolios to accumulate relevant, complete, and accurate data on which to base the subsidy reestimate.
23
Design and implement effective controls and communication processes to timely obtain the information necessary from program offices to record any required accounting adjustments for programs created or expanded by the CARES Act and related legislation.
22
Inquire with standard setting bodies to confirm the appropriate accounting treatment throughout each step of the recovery lifecycle for COVID-19 EIDLs and the PPP loans that have been charged-off or forgiven. Memorialize the response by updating management’s documented policies and procedures including the respective accounting entries under generally accepted accounting principles for all applicable scenarios.
21
Document the current state of accounting policies and procedures for the recovery of funds, including the respective accounting entries for all applicable scenarios (e.g., fraud related, ineligibility) for COVID-19 EIDLs and PPP loans that have been charged-off or forgiven.
20
Develop and document the policies and procedures for the recovery of funds, the accounts receivable, and the allowance for estimated uncollectible amounts related to the programs created or expanded by the CARES Act and related legislation.
19
Design and implement an effective funds recovery plan and controls to ensure SVOG awards disbursed to ineligible recipients or spent on ineligible expenses are recovered and reported accurately and in a timely manner. In conjunction with the Office of Planning, Performance, and the Chief Financial Officer, design and implement an effective process to provide the information necessary to record any required accounting adjustments.
18
Design and implement effective follow-up procedures for SVOG award recipients that are not complying with the program’s terms and to ensure complete, accurate, and timely reporting for the use of the award.
17
Perform and update the program’s internal control assessment to identify changes to risks that may require the design and implementation of effective monitoring controls and review processes of SVOG awards to identify recipients that may not have been eligible to receive awards or that may have spent awards on ineligible expenses in accordance with the program’s terms.
16
Design and implement an effective funds recovery plan and controls to ensure RRF awards disbursed to ineligible recipients or spent on ineligible expenses are recovered and reported accurately and in a timely manner. In conjunction with the Office of Planning, Performance, and the Chief Financial Officer, design and implement an effective process to provide the information necessary to record any required accounting adjustments.
15
Design and implement effective follow-up procedures for RRF award recipients that are not complying with the program’s terms and to ensure complete, accurate, and timely reporting for the use of the award.
14
Perform and update the program’s internal control assessment to identify changes to risks that may require the design and implementation of effective monitoring controls and review processes of RRF awards to identify recipients that may not have been eligible to receive awards or that may have spent awards on ineligible expenses in accordance with the program’s terms.

Pages

Displaying 161 - 180 of 14631 recommendations (Grouped by Reports)
Print Current Results to PDF (Maximum of 200 recommendations)