Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Small Business Administration
Fiscal Year 2025 Federal Information Security Modernization Act
This report summarizes the results of our fiscal year 2025 Federal Information Security Modernization Act (FISMA) evaluation of the U.S. Small Business Administration’s (SBA) information security program.
We found SBA’s overall information security program has defined policies but the agency has not consistently implemented them, falling short of the Office of Management and Budget rating for effective security controls. SBA fell below the baseline for effective controls in 9 of the 10 domains. Domains are metrics used to assess the effectiveness of an agency’s information security program. SBA made progress in 1 of the 10 domains, incident response, which was rated as optimized, exceeding the baseline for effective security controls. SBA regressed in three other domains: information security and continuous monitoring, identity and access management, and risk and asset management.
This fiscal year there are 17 new recommendations to improve SBA’s IT security program. Additionally, the agency continues to make progress on implementing 13 open recommendations from 4 prior evaluations. SBA managers agreed and proposed corrective actions that resolved all recommendations.
The CPSC's lack of necessary internal controls over the segregation of duties has created a potential fraud risk by authorizing the budget officer to hold incompatible roles in the appropriation process. Additionally, the OIG determined that CPSC Directive 1230.1, meant to ensure compliance with OMB's A-11 Section 150 and Appendix H, is outdated and noncompliant with OMB’s requirements. Management has indicated that it is already taking the corrective actions needed to correct these issues.
The CPSC’s lack of adequate controls over its Agency Clearance application has allowed application users inappropriate access to non-public government information without a valid need-to-know. Since the initiation of this assessment, the CPSC has taken steps to strengthen its internal controls over the Agency Clearance application to restrict access of non-public government information to users with a valid need-to-know.
The Tennessee Valley Authority’s (TVA) Enterprise Risk Management (ERM) business unit focuses on identifying and prioritizing enterprise risks. Annually, ERM leads the preparation of an enterprise risk portfolio, which includes risks across TVA, to aid leadership in strategic and business planning processes. Each business unit includes its specific risks in the portfolio and documents the probability of occurrence, financial impact, and actions to manage the risk. TVA Labor Relations included the "Lack of Robust Pathways and Pipelines to Support Workforce Readiness and Availability" risk in the fiscal year 2025 ERM risk portfolio. The risk description stated, "Failure to take swift and strategic action to develop and execute a comprehensive and holistic workforce strategy could result in our inability to take on new projects, innovate sustainable technology, and continue to deliver on TVA's mission." The actions to address the risk included apprentice recruitment and utilization measures, the establishment of a workforce development team and portal, and an hourly layoff process. Due to the importance of workforce readiness and availability, we conducted an audit to determine if TVA was taking planned actions and measuring the impact of completed actions.
We determined TVA has taken actions to address the workforce readiness risk. TVA Labor Relations has completed 13 of 14 mitigating actions identified for this risk. However, we determined TVA was not effectively measuring the impact of completed actions on the risk’s probability of occurrence and financial impact. In addition, some risk information was not documented accurately.
Implementation Review of Corrective Action Plan: Audit of PBS NCR's Asbestos Management in Building 40 of the St. Elizabeths West Campus, Report Number A230046/P/R/R24003, May 1, 2024
This independent auditors’ report on the U.S. Small Business Administration’s (SBA) improper payment reporting is required by the Payment Integrity Information Act of 2019. We contracted with the independent certified public accounting firm KPMG LLP to conduct a performance audit of SBA’s fiscal year (FY) 2025 compliance with the Act. The auditor was engaged to review the payment integrity section of SBA’s Agency Financial Report Fiscal Year 2025 and accompanying materials to determine whether the agency complied with the reporting requirements under the Act.
In the report, KPMG auditors found SBA was not compliant with reporting requirements under the Act and Office of Management and Budget (OMB) guidance. Specifically, SBA is not compliant with the Act because it did not:
Publish complete and accurate root causes and tolerable rates for all applicable programs, including Section 1112 payments and disaster assistance loans, and ensure they agreed with accompanying materials and supporting documentation for FY 2025.
Perform or document updated required risk assessments for all applicable programs in FY 2025.
Design and implement adequate review procedures to produce reliable sample results that supported accurate improper and unknown payment estimates for Paycheck Protection Program (PPP) loan guaranty purchases.
Provide sufficient documentation to support corrective action plans or ensure those plans aligned with root causes for PPP loan guaranty purchases.
Ensure published root causes and reduction targets were accurately disclosed, published, and consistent with accompanying materials for all applicable programs, including 7(a) loan guaranty approvals, 7(a) loan guaranty purchases, 504 Certified Development Company loan approvals, disaster assistance loans, PPP loan forgiveness, PPP loan guaranty purchases, and Section 1112 payments.
Improve improper and unknown payment rates or meet established reduction targets for 7(a) loan guaranty approvals, 504 Certified Development Company loan approvals, disaster assistance loans, PPP loan forgiveness, and PPP loan guaranty purchases.
Submit all required quarterly information to OMB for PPP loan forgiveness and PPP loan guaranty purchases.
Publish improper payment and unknown payment rate estimates less than 10 percent for the PPP loan forgiveness, PPP loan guaranty purchases, and Shuttered Venue Operators Grant programs and include the required program integrity proposals in the congressional budget justification for the PPP loan forgiveness and PPP loan guaranty purchases programs.
SBA concurred with the recommendations and indicated that it is committed to reducing the dollar amount of improper payments, ensuring program integrity, and continuing to implement effective risk management procedures in accordance with improper payment legislation, as well as guidance prescribed in OMB Memorandum M-21-19, Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement.