This report presents the results of our audit to determine whether the U.S. Small Business Administration (SBA) maintained effective management control activities and monitoring of the design and implementation of third-party operated SBA systems. SBA needed information technology systems from third-party service providers that could improve the system efficiency and productivity to process high transaction volumes, transmit data between other information systems, and safeguard the integrity and confidentiality of the personally identifiable information processed by the programs.We found the agency’s entity-level control environment was not designed in accordance with federal guidance at the beginning of the COVID-19 assistance programs. The agency allowed the third-party systems to be put into service without conducting the baseline assessments. With no baseline, the agency could not perform effective continuous monitoring. Also, we found that control processes did not identify, communicate, and capture privacy and identity risks on an enterprise-wide basis.We made 10 recommendations to strengthen the agency’s entity-level IT control environment. The areas addressed included cybersecurity risk and privacy controls, system development life cycle, continuous monitoring, and the supply chain risk management processes.SBA management fully agreed with seven recommendations, disagreed with two recommendations, and stated one recommendation was specific to the pandemic and will not likely be repeated. While the agency agreed to implement seven recommendations, management’s planned corrective actions did not fully address identified control issues.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
---|---|---|---|---|---|
1 | Yes | $0 | $0 | ||
Ensure the existing SBA System Development Methodology is updated to include supply chain risk-management practices as required by OMB Circular A-130 and high-value asset system designation guidance. Also, ensure high-value asset system risks are incorporated into the enterprise risk management framework, as recommended by OMB M-19-03 and SBA SOP 90 47 6. | |||||
2 | Yes | $0 | $0 | ||
Communicate and enforce the SBA System Development Methodology in which a traceability matrix is used to ensure that system requirements can be tested and demonstrated in the operational system. Ensure all requirements are aligned with the contractual acceptance criteria. | |||||
3 | Yes | $0 | $0 | ||
Implement in updated agency guidance, the requirements of OMB Circular No. A-123 that stipulate a SOC 1 Type 2 report is needed for all new and existing financial systems. This guidance should also require confirmation at least annually that the controls are functioning as designed. | |||||
5 | Yes | $0 | $0 | ||
In conjunction with the Enterprise Risk Management Board, implement enterprise-wide privacy risk mitigation practices that can be assimilated into new and existing system program designs. | |||||
6 | Yes | $0 | $0 | ||
Complete an initial assessment and authorization for each information system and all agency-designated common controls before operation. | |||||
7 | Yes | $0 | $0 | ||
Transition information systems and common controls to an ongoing authorization process (when eligible for such a process) with the formal approval of the respective authorizing officials or reauthorize information systems and common controls as needed, on a time or event-driven basis in accordance with agency risk tolerance, as required by OMB Circular No. A-130 and SOP 90 47 6. | |||||
8 | Yes | $0 | $0 | ||
Review and update POA&Ms at least quarterly as required by SOP 90 47 6. | |||||
10 | Yes | $0 | $0 | ||
Implement an automated process to document and monitor system changes as recommended by NIST SP 800-53 Rev. 5. |