Report File
Date Issued:
Submitting OIG: Department of Education OIG
Other Participating OIGs: Department of Education OIG
Agencies Reviewed/Investigated: Department of Education
Components: Office of Chief Financial Officer
Report Number: A22FS0064
Report Description

In accordance with the GPRA Modernization Act of 2010, the Department’s framework for performance management begins with the Strategic Plan, which serves as the foundation for establishing and implementing priorities, highlighting performance goals and objectives, and developing performance indicators to gauge progress and outcomes. Progress toward the Department’s strategic goals and its two-year Agency Priority Goals (APGs) is measured using data-driven review and analysis.

Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 21
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

This report has 21 open recommendations.
Each recommendation is listed by Recommendation Number with its Significant Recommendation flag, Recommended Questioned Costs and Recommended Funds for Better Use, followed by Additional Details.
Recommendation 1.1 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that management design and implement controls that require the validation of the relevance and reliability of underlying data used in developing the assumptions related to the subsidy cost estimates. Such review should be documented and maintained.

Recommendation 2.1 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department evaluate, develop, and implement a formal process to track and report all new and separated contractors.

Recommendation 2.2 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department ensure separated contractors are off-boarded and system personnel are notified in a timely manner to disable or remove access to IT resources.

Recommendation 2.3 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department provide training and oversight to the Department’s personnel with on/off-boarding responsibilities to help ensure new/separated contractors are properly tracked.

Recommendation 2.4 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department update access review procedures to require the reviewers to verify that the access lists received for use in the access reviews are complete and accurate and have not been modified prior to commencing the access reviews.

Recommendation 2.5 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department identify and implement a process for the reviewer to validate the population generated for review is complete and accurate.

Recommendation 2.6 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department enforce established access authorization controls and ensure all requirements are met prior to granting system access.

Recommendation 2.7 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department formally perform and document the periodic reviews of all database user accounts in accordance with Department policy to confirm access is current, authorized, and commensurate with job responsibilities.

Recommendation 2.8 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department ensure the application and database server access reviews include verification that the access privileges assigned to user accounts are commensurate with job responsibilities and follow the concept of least privilege.

Recommendation 2.9 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department evaluate and ensure that the database and server layers comply with the requirements for disabling inactive accounts and for the account lockout duration password setting, as required by Department policy.

Recommendation 2.10 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that the Department adhere to the SSP control requirements and avoid the use of generic and shared accounts. If generic and shared accounts are required, obtain a formal risk acceptance and develop a policy and procedure to:
• Authorize the use of these accounts by approved personnel,
• Control who can access the generic/shared accounts and ensure that the sensitive actions performed by the accounts are logged and reviewed every time the accounts are used, and
• Require that generic/shared accounts’ passwords are changed each time approved personnel separate or transfer from the Department.

Recommendation 2.11 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA implement a process to evaluate the magnitude of impact, likelihood of occurrence, and nature of each deficiency in order to tailor the corrective actions to remediate the risk and address the root cause. Further, update guidance to ensure that quality reviews of the POA&M closure documentation are conducted to confirm the noted deficiencies are fully addressed, to help prevent future recurrences.

Recommendation 2.12 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA formally develop and implement a quality control review process to ensure that logical access control processes are followed completely and accurately to validate logical access requests, reviews, and recertifications.

Recommendation 2.13 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA ensure segregation of duties and least privilege principles are adhered to when granting user access, so as to prevent users who have the ability to develop and/or change application code from also having update access to the environment where the final tested and approved changes are staged prior to migration to the production environment, and to prevent users with access to develop code from having update access to the production environment.

Recommendation 2.14 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA evaluate and update the access review control process based on risk and enforce segregation of duties.

Recommendation 2.15 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA reconcile the list of users’ roles and responsibilities per the identity and access software tools to the lists that reside in each system accessed by such users.

Recommendation 2.16 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA update access review procedures to require the reviewer to verify that the access list received for use in the access reviews is complete and accurate and has not been modified prior to commencing the access reviews.

Recommendation 2.17 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA enforce established access authorization controls and ensure all requirements are met prior to granting access to systems.

Recommendation 2.18 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that FSA ensure a complete and accurate population of application changes is provided. Formally develop and implement a quality control review process to ensure that the application change control process is followed and consistently and accurately documented.

Recommendation 3.1 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that management implement the following to improve the effectiveness of entity-level controls: improve the risk assessment process at the financial statement assertion level and at the process level to ensure the Department is appropriately defining objectives that enable the identification of risks and the definition of risk tolerances.

Recommendation 3.2 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend that management implement the following to improve the effectiveness of entity-level controls: implement key monitoring controls to ensure that corrective action plans are carried out so that identified control deficiencies are remediated in a timely manner. In addition, increase oversight, review, and accountability over the process among the various offices and directorates within the Department and FSA.
