
Open Recommendations
Age of Recommendations

Continue implementing controls, in collaboration with the relevant program offices, for the PPP and COVID-19 EIDL portfolios to accumulate relevant, complete, and accurate data on which to base the subsidy reestimate.
Design and implement adequate review and approval controls over the reestimate for the PPP and COVID-19 EIDL portfolios by appropriate levels of management, and coordinate with the relevant program offices to assess the integrity of the data inputs used to develop assumptions, the reasonableness of the selected assumptions, and the reasonableness of the resulting estimates.
Refine existing review and approval controls to ensure the reestimate output is in accordance with accounting standards for charged-off loans.
Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to loan guarantee programs. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.
Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of loan guarantee program transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following:
• SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA.
• All exceptions noted in the SOC 1 report – not just those described…
Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to the SVOG program. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.
Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of SVOG program transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following:
• SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA.
• All exceptions noted in the SOC 1 report – not just those described in…
In conjunction with the Office of the Chief Financial Officer, complete in a timely manner the process-level internal control risk assessments for programs that have a material impact on the financial statements, including consideration of whether controls are designed, implemented, and operating at a level of precision that is sufficient, given management’s materiality threshold, for financial reporting purposes.
Design, implement, and monitor the operating effectiveness of key controls that respond to significant risks of material misstatements and compliance with relevant laws and regulations.
Perform and document a thorough risk assessment at the financial statement assertion level to identify process level risks and communicate the results to relevant program offices. Also, assess the effectiveness of the key process level controls to respond to the identified risks in conjunction with relevant program offices.
Design and implement controls that demonstrate oversight over the contractor, including documentation that provides evidence over the adequate review and validation of the contractor’s work product.
Perform and document a thorough risk assessment of payments for covered loans under the Debt Relief Program, including the impact of payments that were excluded from review because they were deemed lower risk and a variance threshold was applied, and the appropriateness and sufficiency of the methodology applied given the results of the review.
Based on the results of the risk assessment performed, design and implement appropriate controls to ensure an effective post payment review of payments for covered loans under the Debt Relief Program.
Review and update current processes and procedures for defining a time period by which system access must be disabled or removed for separated individuals.
Develop procedures to validate that access for separated employees is removed in accordance with required timeframes.
Develop procedures to validate that access for separated contractors is removed in accordance with required timeframes.
Design, implement, and document controls for monitoring job failures to ensure complete and accurate reports are generated.
Design and implement multi-factor authentication controls for non-privileged users.
Implement monitoring controls to track compliance with the multi-factor authentication controls.
Design and implement controls to validate that access for separated employees is removed in accordance with required timeframes.
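The separated-user and MFA recommendations above call for a validation procedure without describing one. The following is an added example, not part of the audit report and not SBA's own procedure: it reconciles a constructed HR separation feed against a constructed identity-system account extract, flags accounts that were disabled after the required window (or are still enabled past it), and lists enabled accounts with no MFA enrollment. The one-day removal window, the record layouts, and all user IDs and dates are assumptions for illustration.

```python
"""Separated-user access reconciliation and MFA-gap check (added example).

Inputs are constructed for this example: in practice the Separation records
come from the HR/contractor offboarding feed and the Account records from an
identity-provider or directory export. The required removal window is an
assumption; the report does not state the timeframe.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Separation:
    user_id: str
    worker_type: str          # "employee" or "contractor"
    separation_date: date


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    disabled_on: Optional[date]   # None while the account is still enabled
    mfa_enrolled: bool


# Assumed policy: access must be disabled within this many calendar days of
# separation. Employees and contractors can carry different windows.
REQUIRED_DAYS: Dict[str, int] = {"employee": 1, "contractor": 1}


def check_separation(sep: Separation, account: Optional[Account], as_of: date,
                     required_days: Dict[str, int] = REQUIRED_DAYS) -> dict:
    """Classify one separation against the account extract.

    Statuses: ok (disabled by the deadline), late (disabled after it),
    still_enabled (enabled and past the deadline), pending (enabled but the
    deadline has not yet passed as of the review date), no_account (no
    matching account in the extract), unknown_disable_date (disabled, but
    the extract carries no disable date to measure against).
    """
    deadline = sep.separation_date + timedelta(days=required_days[sep.worker_type])
    finding = {"user_id": sep.user_id, "worker_type": sep.worker_type,
               "deadline": deadline, "lag_days": None}
    if account is None:
        finding["status"] = "no_account"
    elif account.enabled:
        finding["lag_days"] = (as_of - sep.separation_date).days
        finding["status"] = "still_enabled" if as_of > deadline else "pending"
    elif account.disabled_on is None:
        finding["status"] = "unknown_disable_date"
    else:
        finding["lag_days"] = (account.disabled_on - sep.separation_date).days
        finding["status"] = "late" if account.disabled_on > deadline else "ok"
    return finding


def reconcile(separations: List[Separation], accounts: List[Account],
              as_of: date) -> List[dict]:
    """Join separations to accounts by user_id and classify each one."""
    by_id = {a.user_id: a for a in accounts}
    return [check_separation(s, by_id.get(s.user_id), as_of) for s in separations]


def violations(findings: List[dict]) -> List[str]:
    """User IDs whose access was not removed within the required window."""
    return sorted(f["user_id"] for f in findings
                  if f["status"] in ("late", "still_enabled"))


def mfa_gaps(accounts: List[Account]) -> List[str]:
    """Enabled accounts that are not enrolled in MFA (constructed extract)."""
    return sorted(a.user_id for a in accounts if a.enabled and not a.mfa_enrolled)


# Constructed sample data for the example run.
AS_OF = date(2024, 3, 20)
SEPARATIONS = [
    Separation("u001", "employee", date(2024, 3, 1)),    # disabled same day
    Separation("u002", "contractor", date(2024, 3, 1)),  # disabled a week later
    Separation("u003", "employee", date(2024, 3, 10)),   # still enabled
    Separation("u004", "employee", date(2024, 3, 19)),   # separated yesterday
    Separation("u005", "contractor", date(2024, 3, 5)),  # no account found
]
ACCOUNTS = [
    Account("u001", False, date(2024, 3, 1), True),
    Account("u002", False, date(2024, 3, 8), True),
    Account("u003", True, None, True),
    Account("u004", True, None, True),
    Account("u006", True, None, False),   # active worker with no MFA
]

if __name__ == "__main__":
    for f in reconcile(SEPARATIONS, ACCOUNTS, AS_OF):
        print(f"{f['user_id']:5} {f['worker_type']:10} {f['status']:20} lag={f['lag_days']}")
    print("violations:", violations(reconcile(SEPARATIONS, ACCOUNTS, AS_OF)))
    print("enabled accounts without MFA:", mfa_gaps(ACCOUNTS))
```

Running the check on a schedule (and keeping the findings) gives the evidence an auditor asks for: the separation date, the disable date, the measured lag, and the disposition of every separated user, including those the directory never knew about. The "pending" status keeps a review run on the day after a separation from raising a false finding, and "unknown_disable_date" surfaces extracts that cannot actually support the timeframe being attested to.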
Design and implement effective communication processes with other relevant offices, including the Office of General Counsel, to ensure subsequent events are timely identified and reported completely and accurately.
Improve training plans to ensure individuals responsible for financial reporting functions are adequately prepared to respond to the occurrence of events or transactions that may require financial reporting considerations, including subsequent events, under generally accepted accounting principles.
Reassess existing policies to ensure they are supported by quality information from an effective control environment, one that reviews the root causes of borrower delinquency before charge-off and referral to Treasury. Review the implemented policies regularly to ensure they respond to the relevant risks of noncompliance for the current fiscal year.
Design, implement, and document appropriate monitoring controls to address compliance with the Debt Collection Improvement Act (DCIA).
Reevaluate the operational infrastructure to address relevant risks of noncompliance and ensure that borrowers are notified of delinquency in a timely manner and, if applicable, are subsequently referred to Treasury in a timely manner.