NCUA 2020 Financial Statement Audits (SIF, OF, CLF, CDRLF)

View Report

Date Issued

Tuesday, February 16, 2021

Submitting OIG

National Credit Union Administration OIG

Other Participating OIGs

National Credit Union Administration OIG

Agencies Reviewed/Investigated

National Credit Union Administration

Report Number

OIG-21-02030405

Report Description

Under a contract monitored by the National Credit Union Administration OIG, KPMG, an independent certified public accounting firm, performed an audit of NCUA’s financial statements, which includes the Share Insurance Fund, the Operating Fund, the Central Liquidity Facility, and the Community Development Revolving Loan Fund, as of and for the years ending December 31, 2020 and 2019.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Additional Details

https://www.ncua.gov/files/audit-reports/inspector-general-financial-statement-…

Open Recommendations

This report has 4 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
OIG-21-02030405	No	$0	$0
1. Control Weaknesses over Rules of Behavior Process (NCUA IT-20-01) We noted weaknesses over the Rules of Behavior process. Specifically, we noted that NCUA management did not ensure that two (2) users out of a sample of fifteen (15) new users, signed the NCUA’s Rules of Behavior (RoB) acknowledgement, indicating they had read, understood and agreed to abide by the RoB prior to the agency authorizing the users to access the NCUA network. NCUA management did not develop and implement a process to enforce and ensure that the NCUA Information System Security Manual isfollowed for the onboarding process and that the user’s RoB acknowledgement was appropriately completed before granting the users access to their systems.
OIG-21-02030405	No	$0	$0
2. Control Weakness over the AMAC Data Center Access (NCUA IT-20-02) We noted AMAC management did not timely remove one (1) individual’s access to the AMAC Data Center on March 11, 2020. Due to a lack of enforcement of policy, an individual did not successfully remove access badge permissions.
OIG-21-02030405	No	$0	$0
3. Control Weaknesses over Separated Users and Removal of Users (NCUA-IT-20-03) We noted the following account management issues pertaining to separated and inactive users in the General Support System (GSS) Active Directory (AD) network:a. Separated Users: NCUA did not timely disable access for multiple users. For example, four (4) separated users accessed the GSS one day after their effective separation date.
OIG-21-02030405	No	$0	$0
4. Control Weakness over Third-Party Oversight for XP2 Application Hosted by Fiserv (NCUA IT-20-04) We noted that in performing its risk assessment, management did not adequately evaluate the System and Organization Controls (SOC) 1 report over Fiserv’s XP2 application service provider environment. Specifically, management’s risk assessment did not:a. Identify and evaluate the NCUA’s design and operating effectiveness of the Complementary User Entity Controls (CUECs) identified within the SOC 1 report.b. Identify and evaluate the complementary subservice organization controls (CSOCs) identified within the SOC 1 report.c. Obtain and perform an assessment of a bridge/gap letter to determine whether coverage was provided for the entire year.NCUA’s documented procedures do not provided detailed guidance on how to perform an assessment of a third party service provider organization, specifically as it relates to the SOC 1 report, as required by Office of Management and Budget Circular Memorandum 16-17 (OMB M-16-17). As a result, the NCUA’s annual assessment of controls related to XP2 was incomplete as it did not consider all relevant aspects of the SOC 1 report during its evaluation.