Report File
Date Issued
Submitting OIG
Small Business Administration OIG
Other Participating OIGs
Small Business Administration OIG
Agencies Reviewed/Investigated
Small Business Administration
Report Number
24-03
Report Description

The U.S. Small Business Administration (SBA) Office of Inspector General (OIG) contracted with the independent certified public accounting firm KPMG LLP to conduct an audit of SBA’s consolidated balance sheets as of September 30, 2023 and 2022 and the related notes to these statements. Our contract with KPMG required that the audit be performed in accordance with auditing standards generally accepted in the United States of America, Government Auditing Standards issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 24-01, Audit Requirements for Federal Financial Statements.

In the audit, KPMG reported significant matters for which they were unable to obtain sufficient and appropriate audit evidence to provide a basis for an audit opinion on SBA’s balance sheet as of September 30, 2023. Accordingly, KPMG issued a disclaimer of opinion on the consolidated balance sheets as of September 30, 2023 and 2022.

The basis for the disclaimer was that due to inadequate processes and controls, SBA was unable to provide adequate evidential matter in support of a significant number of transactions and account balances related to the Paycheck Protection Program, Economic Injury Disaster Loan program, the Restaurant Revitalization Fund, and Shuttered Venue Operators Grant program.

As a result, KPMG was unable to determine whether any adjustments might have been necessary with respect to the following line items and the related notes:

- Credit Program Receivables and Related Foreclosed Property, Net
- Other than Intragovernmental Accounts Receivable, Net
- Downward Reestimate Payable to Treasury
- Loan Guarantee Liabilities

For the period ended September 30, 2023, KPMG identified six material weaknesses and three significant deficiencies in internal control over financial reporting. Appendices I and II of this report describe details of KPMG’s conclusions about the material weaknesses and significant deficiencies.
Appendix III describes instances of noncompliance with applicable laws or other matters required to be reported under Government Auditing Standards or OMB Bulletin No. 24-01.

Report Type
Audit
Agency Wide
Yes
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 52 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
1 Yes $0 $0

Design and implement controls to ensure the population used in the review and follow-up of nonreporting loan status reports or loan status reports with errors is complete and accurate.

2 Yes $0 $0

Determine enforceable actions and controls to hold lenders accountable for submitting loan status reports timely and correctly.

3 Yes $0 $0

Assess the sufficiency of implemented controls to monitor incomplete or inaccurate PPP lender loan status reports on an ongoing basis, including the identification and resolution of the root causes of reporting noncompliance.

4 Yes $0 $0

Design and implement an automated system control to accurately reduce the outstanding principal balance after the processing of all forgiveness payments.

5 Yes $0 $0

Perform a thorough review of the outstanding PPP loan guarantees and determine the impact on the outstanding guarantee and eligibility for forgiveness of loans determined to not be in conformance with the related legislation and program’s terms.

6 Yes $0 $0

Design, implement, and document an effective PPP forgiveness review process for loan guarantees that were forgiven that addresses both the eligibility and the accuracy of the loan approval and forgiveness amounts.

7 Yes $0 $0

Design and implement an effective funds recovery plan to ensure PPP funds disbursed on behalf of ineligible recipients are recovered and reported accurately in a timely manner. The plan should include an effective process to provide the information necessary to the Office of Performance, Planning, and the Chief Financial Officer to record any required accounting adjustments.

8 Yes $0 $0

Perform a thorough and complete analysis of all requirements communicated to lenders for the PPP program and determine how to evaluate whether lenders met the requirements prior to disbursing a PPP loan. The analysis should include evidence to support the adequacy of SBA’s review process when determining which purchase requests will require additional review.

9 Yes $0 $0

Develop and implement an effective process to review purchase requests for outstanding PPP loan guarantees and for loans that have already been purchased that addresses whether the lender met their requirements in accordance with the program requirements.

10 Yes $0 $0

Develop and implement an effective funds recovery plan to ensure funds related to PPP purchases disbursed to ineligible recipients are recovered and reported accurately in a timely manner. The plan should include an effective process to provide the information necessary to the Office of Performance, Planning, and the Chief Financial Officer to record any required accounting adjustments.

11 Yes $0 $0

Perform and update the program’s internal control risk assessment to identify changes to risks that may require the design and implementation of effective monitoring controls over the review of the COVID-19 EIDLs portfolio.

12 Yes $0 $0

Design and implement an effective funds recovery plan to ensure COVID-19 EIDLs funds disbursed to ineligible recipients are recovered and reported accurately and in a timely manner. The plan should include an effective process to provide the information necessary to the Office of Planning, Performance, and the Chief Financial Officer to record any required accounting adjustments.

13 Yes $0 $0

Reevaluate the appropriateness and update SBA’s existing policies and procedures to ensure they are supported by quality information stemming from effective control activities. This includes assessing the recoverability of COVID-19 EIDLs prior to charge-off. Perform a regular review of implemented policies to ensure they are responding to relevant risks.

14 Yes $0 $0

Perform and update the program’s internal control assessment to identify changes to risks that may require the design and implementation of effective monitoring controls and review processes of RRF awards to identify recipients that may not have been eligible to receive awards or that may have spent awards on ineligible expenses in accordance with the program’s terms.

15 Yes $0 $0

Design and implement effective follow-up procedures for RRF award recipients that are not complying with the program’s terms and to ensure complete, accurate, and timely reporting for the use of the award.

16 Yes $0 $0

Design and implement an effective funds recovery plan and controls to ensure RRF awards disbursed to ineligible recipients or spent on ineligible expenses are recovered and reported accurately and in a timely manner. In conjunction with the Office of Planning, Performance, and the Chief Financial Officer, design and implement an effective process to provide the information necessary to record any required accounting adjustments.

17 Yes $0 $0

Perform and update the program’s internal control assessment to identify changes to risks that may require the design and implementation of effective monitoring controls and review processes of SVOG awards to identify recipients that may not have been eligible to receive awards or that may have spent awards on ineligible expenses in accordance with the program’s terms.

18 Yes $0 $0

Design and implement effective follow-up procedures for SVOG award recipients that are not complying with the program’s terms and to ensure complete, accurate, and timely reporting for the use of the award.

19 Yes $0 $0

Design and implement an effective funds recovery plan and controls to ensure SVOG awards disbursed to ineligible recipients or spent on ineligible expenses are recovered and reported accurately and in a timely manner. In conjunction with the Office of Planning, Performance, and the Chief Financial Officer, design and implement an effective process to provide the information necessary to record any required accounting adjustments.

20 Yes $0 $0

Develop and document the policies and procedures for the recovery of funds, the accounts receivable, and the allowance for estimated uncollectible amounts related to the programs created or expanded by the CARES Act and related legislation.

21 Yes $0 $0

Document the current state of accounting policies and procedures for the recovery of funds, including the respective accounting entries for all applicable scenarios (e.g., fraud related, ineligibility) for COVID-19 EIDLs and PPP loans that have been charged-off or forgiven.

22 Yes $0 $0

Inquire with standard setting bodies to confirm the appropriate accounting treatment throughout each step of the recovery lifecycle for COVID-19 EIDLs and the PPP loans that have been charged-off or forgiven. Memorialize the response by updating management’s documented policies and procedures including the respective accounting entries under generally accepted accounting principles for all applicable scenarios.

23 Yes $0 $0

Design and implement effective controls and communication processes to timely obtain the information necessary from program offices to record any required accounting adjustments for programs created or expanded by the CARES Act and related legislation.

24 Yes $0 $0

Continue implementing controls in collaboration with relevant program offices for the PPP and COVID-19 EIDLs portfolios to accumulate relevant, complete, and accurate data on which to base the subsidy reestimate.

25 Yes $0 $0

Design and implement adequate review and approval controls over the reestimate for the PPP and COVID-19 EIDLs portfolios by appropriate levels of management, and to coordinate with relevant program offices to assess the integrity of relevant data inputs used in the development of assumptions, and reasonableness for the selected assumptions used and the resulting estimates.

26 Yes $0 $0

Refine existing review and approval controls to ensure the reestimate output is in accordance with accounting standards for charged-off loans.

27 Yes $0 $0

Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to loan guarantee programs. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.

28 Yes $0 $0

Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of loan guarantee programs transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following:
• SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA.
• All exceptions noted in the SOC 1 report – not just those described in the independent service auditor’s report – are evaluated to determine applicability to SBA’s internal controls over financial reporting, the potential impact to SBA’s financial statements, and mitigating controls considerations made during their risk assessment.
• All complementary user entity controls described in the SOC 1 reports are evaluated using current information and with consideration to their applicability to SBA’s internal controls over financial reporting.
• Evaluation procedures performed to assess whether complementary user entity controls and other SBA-performed controls were tested on a frequency determined by SBA and found operating effectively and, if they are not, assess the impact of such deficiencies on SBA’s internal controls over financial reporting.
• All complementary subservice organization controls described in SOC 1 reports are evaluated to determine whether they provided services and performed controls considered relevant to SBA’s internal controls over financial reporting and, if relevant subservice organizations were identified, an evaluation is performed to obtain an understanding of the subservice organization(s) and their controls.
• SOC 1 reports cover the appropriate period or corresponding gap letters provide sufficient coverage to assess impacts on SBA’s internal controls over financial reporting.

29 Yes $0 $0

Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to the SVOG program. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.

30 Yes $0 $0

Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of SVOG program transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following:
• SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA.
• All exceptions noted in the SOC 1 report – not just those described in the independent service auditor’s report – are evaluated to determine applicability to SBA’s internal controls over financial reporting, the potential impact to SBA’s financial statements, and mitigating controls considerations made during their risk assessment.
• All complementary user entity controls described in the SOC 1 reports are evaluated using current information and with consideration to their applicability to SBA’s internal controls over financial reporting.
• Evaluation procedures performed to assess whether complementary user entity controls and other SBA-performed controls were tested on a frequency determined by SBA and found operating effectively and, if they are not, assess the impact of such deficiencies on SBA’s internal controls over financial reporting.
• All complementary subservice organization controls described in SOC 1 reports are evaluated to determine whether they provided services and performed controls considered relevant to SBA’s internal controls over financial reporting and, if relevant subservice organizations were identified, an evaluation is performed to obtain an understanding of the subservice organization(s) and their controls.
• SOC 1 reports cover the appropriate period or corresponding gap letters provide sufficient coverage to assess impacts on SBA’s internal controls over financial reporting.

31 Yes $0 $0

In conjunction with the Office of the Chief Financial Officer, complete the internal control risk assessments for programs that have a material impact on the financial statements at a process level in a timely manner including the consideration of whether controls are designed, implemented, and are operating at a sufficient precision level in accordance with management’s materiality threshold and will be sufficient for financial reporting purposes.

32 Yes $0 $0

Design, implement, and monitor the operating effectiveness of key controls that respond to significant risks of material misstatements and compliance with relevant laws and regulations.

33 Yes $0 $0

Perform and document a thorough risk assessment at the financial statement assertion level to identify process level risks and communicate the results to relevant program offices. Also, assess the effectiveness of the key process level controls to respond to the identified risks in conjunction with relevant program offices.

34 Yes $0 $0

Design and implement controls that demonstrate oversight over the contractor, including documentation that provides evidence over the adequate review and validation of the contractor’s work product.

35 Yes $0 $0

Perform and document a thorough risk assessment of the payments for covered loans under the Debt Relief Program, including the impact of payments not considered, determined to be of lower risk, for which a variance threshold was applied, and the appropriateness and sufficiency of the applied methodology given the results of the review.

36 Yes $0 $0

Based on the results of the risk assessment performed, design and implement appropriate controls to ensure an effective post payment review of payments for covered loans under the Debt Relief Program.

37 Yes $0 $0

Review and update current processes and procedures for defining a time period by which system access must be disabled or removed for separated individuals.

38 Yes $0 $0

Develop procedures to validate that access for separated employees is removed in accordance with required timeframes.

39 Yes $0 $0

Develop procedures to validate that access for separated contractors is removed in accordance with required timeframes.

40 Yes $0 $0

Design, implement, and document controls for monitoring job failures to ensure complete and accurate reports are generated.

41 Yes $0 $0

Design and implement multi-factor authentication controls for non-privileged users.

42 Yes $0 $0

Implement monitoring controls to track compliance with the multi-factor authentication controls.

43 Yes $0 $0

Design and implement controls to validate that access for separated employees is removed in accordance with required timeframes.

47 Yes $0 $0

Design and implement effective communication processes with other relevant offices, including the Office of General Counsel, to ensure subsequent events are timely identified and reported completely and accurately.

48 Yes $0 $0

Improve training plans to ensure individuals responsible for financial reporting functions are adequately prepared to respond to the occurrence of events or transactions that may require financial reporting considerations, including subsequent events, under generally accepted accounting principles.

49 Yes $0 $0

Reassess existing policies to ensure they are supported by quality information stemming from an effective control environment that reviews the root causes of borrower delinquency prior to charge-off and referral to Treasury. Perform a regular review of the implemented policies to ensure they are responding to relevant risks of noncompliance for the current fiscal year.

50 Yes $0 $0

Design, implement, and document appropriate monitoring controls to address compliance with DCIA.

51 Yes $0 $0

Reevaluate the operational infrastructure to address relevant risks of noncompliance and ensure that borrowers are notified timely of delinquency, and if applicable, subsequently referred to Treasury timely.

52 Yes $0 $0

Update the risk assessment regarding the evaluation of internal controls to ensure it includes all significant programs, key processes, and other material line items on the consolidated financial statements.

53 Yes $0 $0

In conjunction with relevant program offices, perform and document the internal control evaluation for significant programs or processes affecting the financial statements. This should include entity level controls, manual controls, general information technology controls, and system application controls covering key financial statement line items and risks.

54 Yes $0 $0

Update the existing policy and implement adequate controls to ensure that the statement of assurances provided by the program offices are adequately documented and reviewed for completeness and accuracy to provide a sufficient basis to support the Administrator’s statement of assurance.

55 Yes $0 $0

Address the control deficiencies over transactions arising from the implementation of the CARES Act and related legislation by working with the Office of Capital Access and the Office of Disaster Recovery and Resilience to implement the recommendations in Appendix I – Material Weaknesses.
