The Chief Financial Officers Act of 1990 requires the Inspector General to audit the agency’s financial statements each year, which is intended to help improve an agency’s financial management and controls over financial reporting. The Inspector General is also required to audit the Federal Student Aid (FSA) office’s financial statements, as it is a Performance-Based Organization. For FY 2023, the independent auditor issued a disclaimer of opinion as it was not able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion because of unresolved errors identified in the underlying data used to calculate the subsidy re-estimates for the FSA’s direct loan and loan guaranty programs. The auditors identified one material weakness related to the Direct and FFEL student loan portfolios, and two significant deficiencies related to information technology controls and entity-level controls. See page 168 for the audit.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1.1 | Yes | $0 | $0 | We recommend that management design and implement controls that require the validation of the relevance and reliability of underlying data used in developing the assumptions related to the subsidy re-estimates. Such review should be documented and maintained.
2.1 | Yes | $0 | $0 | We recommend that the Department improve the risk assessment process over IT to help ensure the Department is appropriately defining objectives to enable the identification of risks and associated controls to help mitigate the risks.
2.2 | Yes | $0 | $0 | We recommend that the Department communicate control issues and/or weaknesses through established tools and relevant reporting lines to the appropriate parties on a timely basis to enable prompt evaluation and resolution of the issues and/or weaknesses.
2.3 | Yes | $0 | $0 | We recommend that the Department evaluate, design, and implement controls to track and report all new and separated contractors.
2.4 | Yes | $0 | $0 | We recommend that the Department ensure separated contractors are off-boarded and system personnel are notified in a timely manner to disable or remove access to IT resources.
2.5 | Yes | $0 | $0 | We recommend that the Department provide training and oversight to the Department’s personnel with on/off-boarding controls to help ensure new/separated contractors are properly tracked.
2.6 | Yes | $0 | $0 | We recommend that the Department update access review procedures to require the reviewers to verify the access lists received to be used in the performance and operation of the access reviews are complete and accurate and not modified prior to commencing the access reviews.
2.7 | Yes | $0 | $0 | We recommend that the Department identify, design, and implement controls requiring a reviewer to validate that the population generated for review is complete and accurate.
2.8 | Yes | $0 | $0 | We recommend that the Department enforce established access authorization controls and ensure all requirements are met prior to granting system access. Formally perform and document the periodic reviews of all database user accounts in accordance with Department policy to confirm access is current, authorized, and commensurate with job responsibilities.
2.9 | Yes | $0 | $0 | We recommend that the Department ensure the application and database server access review controls include the verification that access privileges assigned to the user accounts are commensurate with job responsibilities and follow the concept of least privilege.
2.10 | Yes | $0 | $0 | We recommend that the Department ensure the database and server layer controls comply and operate with the disabling of inactive accounts and account lockout duration password setting requirements, as required by Department Policy.
2.11 | Yes | $0 | $0 | We recommend that the Department adhere to the SSP control requirements and avoid the use of generic and shared accounts. If generic and shared accounts are required, obtain a formal risk acceptance and develop a policy and procedure to: (a) authorize the use of these accounts by approved personnel; (b) control who can access the generic/shared accounts, and ensure that sensitive actions performed by the accounts are logged and reviewed every time the accounts are used; and (c) require that generic/shared accounts’ passwords are changed each time approved personnel separate or transfer from the Department.
2.12 | Yes | $0 | $0 | We recommend that FSA design and implement improvements for the risk assessment process over IT to help ensure the FSA is appropriately defining objectives to enable the identification of risks and associated controls to help mitigate the risks.
2.13 | Yes | $0 | $0 | We recommend that FSA design and implement controls to evaluate the magnitude of impact, likelihood of occurrence, and nature of the deficiency in order to tailor the corrective actions to remediate the risk and address the root cause. Further, update guidance to ensure that quality reviews over the POA&M closure documentation are conducted to confirm the noted deficiencies are fully addressed to help prevent future reoccurrences.
2.14 | Yes | $0 | $0 | We recommend that FSA formally develop and implement a quality control review process to ensure that logical access control processes are followed completely and accurately to validate logical access requests, reviews, and recertifications.
2.15 | Yes | $0 | $0 | We recommend that FSA ensure segregation of duties and least privilege principles are adhered to when granting user access.
2.16 | Yes | $0 | $0 | We recommend that FSA evaluate and update the access review controls based on risk and enforce segregation of duties.
2.17 | Yes | $0 | $0 | We recommend that FSA reconcile the list of users’ roles and responsibilities from the identity and access software tools to the lists that reside in each system accessed by such users.
2.18 | Yes | $0 | $0 | We recommend that FSA update access review policies and controls to require the reviewer to verify that the access list received to be used in the performance of the access reviews is complete and accurate and not modified prior to commencing the access reviews.
2.19 | Yes | $0 | $0 | We recommend that FSA enforce the operation of established access authorization controls and ensure all requirements are met prior to granting access to systems.
3.1 | Yes | $0 | $0 | We recommend that management improve the risk assessment process at the financial statement assertion level and at the process level to ensure FSA is appropriately defining objectives to enable the identification of risks and define risk tolerances.
3.2 | Yes | $0 | $0 | We recommend that management implement key monitoring controls to ensure that corrective action plans are implemented to timely remediate control deficiencies identified. In addition, increase oversight, review, and accountability over the process among various offices and directorates within FSA.