Date Issued
Submitting OIG
National Credit Union Administration OIG
Other Participating OIGs
National Credit Union Administration OIG
Agencies Reviewed/Investigated
National Credit Union Administration
Report Number
OIG-21-02030405
Report Description

Under a contract monitored by the National Credit Union Administration OIG, KPMG, an independent certified public accounting firm, performed an audit of NCUA’s financial statements, which includes the Share Insurance Fund, the Operating Fund, the Central Liquidity Facility, and the Community Development Revolving Loan Fund, as of and for the years ending December 31, 2020 and 2019.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
4
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 4 open recommendations.
Recommendation Number: OIG-21-02030405
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details:

1. Control Weaknesses over Rules of Behavior Process (NCUA IT-20-01)
We noted weaknesses over the Rules of Behavior process. Specifically, we noted that NCUA management did not ensure that two (2) users out of a sample of fifteen (15) new users signed the NCUA’s Rules of Behavior (RoB) acknowledgement, indicating they had read, understood and agreed to abide by the RoB, prior to the agency authorizing the users to access the NCUA network. NCUA management did not develop and implement a process to enforce and ensure that the NCUA Information System Security Manual is followed for the onboarding process and that the user’s RoB acknowledgement was appropriately completed before granting the users access to their systems.

Recommendation Number: OIG-21-02030405
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details:

2. Control Weakness over the AMAC Data Center Access (NCUA IT-20-02)
We noted AMAC management did not timely remove one (1) individual’s access to the AMAC Data Center on March 11, 2020. Due to a lack of enforcement of policy, an individual did not successfully remove access badge permissions.

Recommendation Number: OIG-21-02030405
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details:

3. Control Weaknesses over Separated Users and Removal of Users (NCUA-IT-20-03)
We noted the following account management issues pertaining to separated and inactive users in the General Support System (GSS) Active Directory (AD) network:
a. Separated Users: NCUA did not timely disable access for multiple users. For example, four (4) separated users accessed the GSS one day after their effective separation date.

Recommendation Number: OIG-21-02030405
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details:

4. Control Weakness over Third-Party Oversight for XP2 Application Hosted by Fiserv (NCUA IT-20-04)
We noted that in performing its risk assessment, management did not adequately evaluate the System and Organization Controls (SOC) 1 report over Fiserv’s XP2 application service provider environment. Specifically, management’s risk assessment did not:
a. Identify and evaluate the NCUA’s design and operating effectiveness of the Complementary User Entity Controls (CUECs) identified within the SOC 1 report.
b. Identify and evaluate the complementary subservice organization controls (CSOCs) identified within the SOC 1 report.
c. Obtain and perform an assessment of a bridge/gap letter to determine whether coverage was provided for the entire year.
NCUA’s documented procedures do not provide detailed guidance on how to perform an assessment of a third-party service provider organization, specifically as it relates to the SOC 1 report, as required by Office of Management and Budget Circular Memorandum 16-17 (OMB M-16-17). As a result, the NCUA’s annual assessment of controls related to XP2 was incomplete, as it did not consider all relevant aspects of the SOC 1 report during its evaluation.
