Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Small Business Administration
SBA’s Actions to Address Forgiven PPP Loans Subsequently Flagged as Potentially Ineligible
This report presents the results of our management advisory, which brings to the Small Business Administration’s (SBA) attention concerns regarding forgiven Paycheck Protection Program (PPP) loans that were subsequently flagged as potentially ineligible using hold code 70 (potential clawback) and for which the agency has not completed its review to facilitate recovery of improper payments for ineligible loans. A hold code is an identifier placed on a loan in the agency’s system indicating that a potential issue needs to be resolved. SBA uses hold code 70 to flag forgiven PPP loans for which it subsequently suspects the borrower is potentially ineligible for the loan or for loan forgiveness. It is imperative that SBA complete its review to promote program integrity and mitigate financial loss by seeking recovery of improper payments for ineligible loans.
The unprecedented demand for PPP funds and the need to quickly award loans gave way to a pay-and-chase environment that relied heavily on post-payment reviews and resolving subsequent hold codes to ensure program integrity. SBA was required to issue PPP regulations no later than 15 days from the date the CARES Act was enacted (March 27, 2020), and lenders were to disburse loans within 10 days of approving applications. SBA reduced or eliminated key upfront controls as it sought to expedite aid.
As of May 24, 2024, SBA had forgiven over 10.5 million PPP loans, totaling over $750 billion, 37,938 of which (totaling approximately $4.6 billion) had an open hold code 70 (potential clawback). SBA’s guidance stipulates that all loans for which a forgiveness payment has been made and later determined to be potentially ineligible will be flagged using hold code 70 regardless of size; however, it also stipulates that if a forgiven loan is less than or equal to the $25,000 de minimis threshold, it may be considered immaterial, and recovery may not be prioritized. Of the 37,938 PPP loans subsequently flagged with a hold code 70, there were 26,234 loans, totaling $454 million, that were less than or equal to $25,000.
We found SBA did not complete its review process for the 37,938 PPP loans, totaling approximately $4.6 billion, that were flagged with a hold code 70 (potential clawback). Specifically, SBA only completed the first two steps of its four-step review process for loan and/or forgiveness amounts in which the reviewer and approver recommended the amount be denied in part or in full or for loans in which the approver disagreed with the reviewer’s loan review recommendation.
Management agreed with our recommendations to complete reviews for the 37,938 potentially ineligible PPP loans flagged with hold code 70 and to develop criteria to formalize policies and procedures for recovering improper payments for all loans subsequently flagged with hold code 70 and later deemed ineligible.
The U.S. Environmental Protection Agency Office of Inspector General initiated this project to determine whether Bacon & Company, CPAs, LLC performed the fiscal year 2022 single audit of the Narragansett Bay Commission in Rhode Island in accordance with applicable auditing standards and federal requirements for single audits.
Summary of Findings
We determined that Bacon & Company complied with the applicable auditing standards and federal requirements when it performed the FY 2022 single audit of the Narragansett Bay Commission. As a result, we assign Bacon & Company a pass rating. During our review, we also identified an error in Bacon & Company’s major program determination for compliance testing. However, this error did not impact the overall quality or our assigned rating.
The Office of Inspector General is issuing this management advisory to bring to the U.S. Small Business Administration’s (SBA) attention possible security threats from personally owned devices accessing the agency’s information technology network from national and international locations with only a username and password.
We identified in our fiscal years 2023 and 2024 Federal Information Security Modernization Act assessments that SBA did not have multifactor authentication enabled for users to access the agency’s secure network. Relying on usernames and passwords alone greatly increases the risk of SBA data being accessed and exploited by cyber criminals and other bad actors. We also determined personally owned devices could access the SBA network from foreign locations, which is prohibited by SBA information technology policy.
We made five recommendations, and SBA management agreed with all five. All of the recommendations have been closed or resolved.
The OIG received a hotline allegation from a VA medical center employee regarding the improper sharing of sensitive information on VA’s internal network. The complainant reported that an employee could search for fellow employees on the internal network and find documents and emails that contained sensitive personal information. Among these documents were human resources paperwork, such as interview questions and reference checks, performance awards, and personally identifiable information for veterans getting surgery.
The OIG confirmed sensitive personal information was accessible by VA users who had no business need to access it. Furthermore, the OIG noted that the type of sensitive personal information accessible should not have been hosted on the systems it was found on, as the information exceeded the systems’ security authorizations. The OIG determined this was a national issue because the hosting systems are cloud based and the information was observable by any authorized VA employee, regardless of location.
To address the reasons for the improper sharing, the OIG recommended that the assistant secretary for information and technology
• ensure facilities and programs remove unauthorized sensitive personal information from collaborative application sites such as SharePoint;
• direct facilities and programs to standardize SharePoint administration, inventory and consolidate their SharePoint sites;
• implement enforcement mechanisms such as recommended architecture to allow greater control of permissions and content;
• expand roles and responsibilities for privacy officers and information system security officers;
• implement automated tools to detect and correct improper sharing agencywide; and
• mandate standardized training for SharePoint administrators and owners.
The assistant secretary concurred with all recommendations, and the OIG agreed to close two recommendations after VA provided sufficient evidence of implementation. The four other recommendations remain open.