This report presents the results of our audit to determine whether the U.S. Small Business Administration (SBA) maintained effective management control activities and monitoring of the design and implementation of third-party operated SBA systems. SBA needed information technology systems from third-party service providers that could improve the system efficiency and productivity to process high transaction volumes, transmit data between other information systems, and safeguard the integrity and confidentiality of the personally identifiable information processed by the programs.

We found the agency’s entity-level control environment was not designed in accordance with federal guidance at the beginning of the COVID-19 assistance programs. The agency allowed the third-party systems to be put into service without conducting the baseline assessments. With no baseline, the agency could not perform effective continuous monitoring. Also, we found that control processes did not identify, communicate, and capture privacy and identity risks on an enterprise-wide basis.

We made 10 recommendations to strengthen the agency’s entity-level IT control environment. The areas addressed included cybersecurity risk and privacy controls, system development life cycle, continuous monitoring, and the supply chain risk management processes.

SBA management fully agreed with seven recommendations, disagreed with two recommendations, and stated one recommendation was specific to the pandemic and will not likely be repeated. While the agency agreed to implement seven recommendations, management’s planned corrective actions did not fully address identified control issues.
| Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | Report |
|---|---|---|---|---|---|
| | Small Business Administration | COVID-19 and Disaster Assistance Information Systems Security Controls | Audit | Agency-Wide | View Report |
| | Department of the Treasury | Audit of the Department of the Treasury’s Compliance with the Geospatial Data Act of 2018 | Audit | Agency-Wide | View Report |
| | U.S. Postal Service | Timecard Administration Follow-Up | Audit | Agency-Wide | View Report |
| | Federal Housing Finance Agency | FHFA Could Enhance the Efficiency of the Agency’s Oversight of Enterprise Executive Compensation by Ensuring Sufficient Human Capital Resources and Updating Procedures | Inspection / Evaluation | Agency-Wide | View Report |
| | Federal Deposit Insurance Corporation | The FDIC’s Information Security Program – 2022 | Audit | Agency-Wide | View Report |
| | Internal Revenue Service | Cloud Services Were Implemented Without Key Security Controls, Placing Taxpayer Data at Risk | Audit | Agency-Wide | View Report |
| | Internal Revenue Service | Fiscal Year 2022 Statutory Audit of Compliance With Legal Guidelines Restricting the Use of Records of Tax Enforcement Results | Audit | Agency-Wide | View Report |
| | Department of the Treasury | Independent Review of 4003(b) Loan Recipient’s Validation Memo – SpinLaunch Inc. | Review | Agency-Wide | View Report |
| | Department of Justice | Management Advisory Memorandum: Notification of Concerns Resulting from Multiple Office of the Inspector General Reviews Related to the Federal Bureau of Prisons Strategy for its Medical Services Contracts | Other | Agency-Wide | View Report |
| | U.S. Agency for International Development | Financial Audit of the HIV Prevention for High Risk Individuals Project in Guatemala, Managed by Pan American Social Marketing Organization, Cooperative Agreement 72052020CA00002, September 1, 2020, to December 31, 2021 | Other | | View Report |