Office of Inspector General Assessment of AmeriCorps' Financial Statement Audit and Cybersecurity Corrective Action Plans

Since Fiscal Year (FY) 2017, AmeriCorps has not obtained an audit opinion on its financial statements. In FY 2021, independent auditors found nine material weaknesses and one significant deficiency, resulting in a total of 73 recommendations. In addition, each of AmeriCorps Office of Inspector General’s (OIG) annual Federal Information Security Modernization Act of 2014 (FISMA) evaluations since FY 2017 concluded that AmeriCorps’ cybersecurity and privacy program is ineffective. AmeriCorps has made little progress in implementing the 41 FISMA recommendations. The OIG historically conducts these evaluations in tandem with the financial statement audit because they overlap in significant respects. AmeriCorps’ challenges in financial management and accounting were the subject of December 1, 2021, hearing before the House Committee on Education and Labor. On a bipartisan basis, members articulated their expectation that AmeriCorps take decisive action to remedy the recurring problems identified in past financial statement audits. AmeriCorps, in response, described how it intends to address these serious weaknesses through a multi-year process and comprehensive corrective action plans (CAPs). To support these measures, the OIG engaged CliftonLarsonAllen, LLP (CLA), which conducted the financial statement audits and FISMA evaluations, to provide immediate feedback on AmeriCorps CAPS, approved as of January 7, 2022. While a CAP assessment should ordinarily occur during a financial statement audit and FISMA evaluation, AmeriCorps had not previously prepared meaningful CAPs. This report contains CLA’s assessment of the current CAPs. CLA rated 59 percent of the financial statement audit CAPs as “Reasonable,” 31 percent as “Required Refinement,” and 10 percent as “Inadequate.” For the FISMA evaluation CAPs, CLA determined that 66 percent were “Reasonable,” 22 percent “Required Refinement”, and 12 percent were “Inadequate.” CLA’s assessment included explanations for any CAP rated “Inadequate” and the improvements necessary to obtain a rating of “Reasonable.”Since the December 2021 hearing, AmeriCorps has made meaningful progress in creating CAPs and centralizing and elevating their supervision to the executive level. Additional expertise is needed, however, to address the most consequential of the material weaknesses. With a sustained commitment, AmeriCorps can substantially improve its financial management and cybersecurity infrastructure.