The Chief Financial Officers Act of 1990 requires the Inspector General to audit the agency’s financial statements each year, which is intended to help improve an agency’s financial management and controls over financial reporting. The auditors issued a disclaimer of opinion on the FY 2024 consolidated financial statement of the U.S. Department of Education (Department), as they were not able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion because of errors identified in the underlying data used to calculate the subsidy re-estimates for the Department’s direct loan and loan guaranty programs. In addition, in the Report on Internal Control over Financial Reporting, the auditors identified one material weakness and two significant deficiencies in internal control over financial reporting. In the Report on Compliance and Other Matters, the auditors reported two instances of noncompliance that were required to be reported under Government Auditing Standards or OMB Bulletin No. 24-02. Nineteen recommendations were made to the Department to address the internal control and compliance findings. (See page 90 for the audit report).
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
---|---|---|---|---|
1.1 | Yes | $0 | $0 | We recommend that management design and implement additional controls that respond to the risks associated with the relevance and reliability of underlying data used in developing the assumptions related to the subsidy re-estimates. Such review should be documented and maintained. |
2.10 | Yes | $0 | $0 | We recommend that FSA formally develop and implement a quality control review process to ensure that logical access control processes are followed completely and accurately to validate logical access requests, reviews, and recertifications. |
2.2 | Yes | $0 | $0 | We recommend that the Department provide training and oversight to the Department's personnel with access authorization and provisioning controls and ensure all requirements are met and documented prior to granting system and network service directory access. |
2.3 | Yes | $0 | $0 | We recommend that the Department update access review procedures to require the reviewers to verify the access lists received to be used in the performance and operation of the access reviews are complete and accurate and not modified prior to commencing the access reviews. |
2.4 | Yes | $0 | $0 | We recommend that the Department ensure the database, server layer, and network service directory controls comply and operate with the disabling of inactive accounts, PIV authentication, account lockout duration password setting requirements, as required by Department policy. |
2.5 | Yes | $0 | $0 | We recommend that the Department follow established user access provisioning procedures detailed in the Federal and Department guidance to authorize access and assign roles that are commensurate with job functions and do not violate the least privilege principle. |
2.6 | Yes | $0 | $0 | We recommend that the Department oversee the Department's systems change management process to enforce adherence to the change management plan to ensure relevant documentation and approvals are properly completed prior to closing the change ticket. |
2.7 | Yes | $0 | $0 | We recommend that the Department update the Department's systems' change management plan to require program change supporting documentation, such as approvals, be retained. |
2.8 | Yes | $0 | $0 | We recommend that the Department develop and implement formal procedures addressing controls over the Department's systems': (a) Changes to production jobs and schedules; and (b) Monitoring of actions taken by the generic job processing account in the job scheduling tool, including management of the password for the generic account. |
2.9 | Yes | $0 | $0 | We recommend that FSA design and implement controls to evaluate the magnitude of impact, likelihood of occurrence, and nature of the deficiency in order to tailor the corrective actions to remediate the risk and address the root cause. Further, update guidance to ensure that quality reviews over the POA&M closure documentation are conducted to confirm the noted deficiencies are fully addressed to help prevent future reoccurrences. |
2.11 | Yes | $0 | $0 | We recommend that FSA enforce established access authorization and provisioning controls and ensure all requirements are met and documented prior to granting system access. Follow established user access provisioning procedures detailed in the Federal, Department, and FSA guidance to authorize system access and assign roles that are commensurate with job functions and do not violate the least privilege principle. |
2.12 | Yes | $0 | $0 | We recommend that FSA update access review procedures to require the reviewers to verify the access lists received to be used in the performance and operation of the access reviews are complete and accurate and not modified prior to commencing the access reviews. |
2.13 | Yes | $0 | $0 | We recommend that FSA perform and formally document the periodic reviews of all application user accounts in accordance with Department policy to confirm access is current, authorized, commensurate with job responsibilities, and follows the concept of least privilege. |
2.14 | Yes | $0 | $0 | We recommend that FSA ensure the application access controls comply and operate with the PIV authentication requirements, as required by Department policy. |
3.1 | Yes | $0 | $0 | We recommend that management improve the risk assessment process at the financial statement assertion level and at the process level to ensure the Department and FSA are appropriately defining objectives to enable the identification of risks and define risk tolerances. |
3.2 | Yes | $0 | $0 | We recommend that management implement key monitoring controls to ensure that corrective action plans are implemented to timely remediate control deficiencies identified. In addition, increase oversight, review, and accountability over the process among various offices and directorates within the Department and FSA. |
4.1 | Yes | $0 | $0 | We recommend that management update the risk assessment process related to the evaluation of internal controls to ensure it sufficiently addresses risks within key processes, key data, and other material line items on the consolidated financial statement. |
5.1 | Yes | $0 | $0 | We recommend that management implement the recommendation presented in the material weakness in Exhibit A. |
2.1 | Yes | $0 | $0 | We recommend that the Department evaluate, design, and implement controls to track and report all new and separated contractors to allow for timely onboarding or off-boarding, respectively. |