Open Recommendations

Design and implement an effective funds recovery plan and controls to ensure RRF awards disbursed to ineligible recipients or spent on ineligible expenses are recovered and reported accurately and in a timely manner. In conjunction with the Office of Planning, Performance, and the Chief Financial Officer, design and implement an effective process to provide the information necessary to record any required accounting adjustments.

Perform and update the program’s internal control assessment to identify changes to risks that may require the design and implementation of effective monitoring controls and review processes of SVOG awards to identify recipients that may not have been eligible to receive awards or that may have spent awards on ineligible expenses in accordance with the program’s terms.

Design and implement effective follow-up procedures for SVOG award recipients that are not complying with the program’s terms and to ensure complete, accurate, and timely reporting for the use of the award.

Design and implement an effective funds recovery plan and controls to ensure SVOG awards disbursed to ineligible recipients or spent on ineligible expenses are recovered and reported accurately and in a timely manner. In conjunction with the Office of Planning, Performance, and the Chief Financial Officer, design and implement an effective process to provide the information necessary to record any required accounting adjustments.

Develop and document the policies and procedures for the recovery of funds, the accounts receivable, and the allowance for estimated uncollectible amounts related to the programs created or expanded by the CARES Act and related legislation.

Document the current state of accounting policies and procedures for the recovery of funds, including the respective accounting entries for all applicable scenarios (e.g., fraud related, ineligibility) for COVID-19 EIDLs and PPP loans that have been charged-off or forgiven.

Inquire with standard setting bodies to confirm the appropriate accounting treatment throughout each step of the recovery lifecycle for COVID-19 EIDLs and the PPP loans that have been charged-off or forgiven. Memorialize the response by updating management’s documented policies and procedures including the respective accounting entries under generally accepted accounting principles for all applicable scenarios.

Design and implement effective controls and communication processes to timely obtain the information necessary from program offices to record any required accounting adjustments for programs created or expanded by the CARES Act and related legislation.

Continue implementing controls in collaboration with relevant program offices for the PPP and COVID19 EIDLs portfolios to accumulate relevant, complete, and accurate data on which to base the subsidy reestimate.

Design and implement adequate review and approval controls over the reestimate for the PPP and COVID-19 EIDLs portfolios by appropriate levels of management, and to coordinate with relevant program offices to assess the integrity of relevant data inputs used in the development of assumptions, and reasonableness for the selected assumptions used and the resulting estimates.

Refine existing review and approval controls to ensure the reestimate output is in accordance with accounting standards for charged-off loans.

Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to loan guarantee programs. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.

Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of loan guarantee programs transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following:• SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA.• All exceptions noted in the SOC 1 report – not just those described…

Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to the SVOG program. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.

Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of SVOG program transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following:• SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA.• All exceptions noted in the SOC 1 report – not just those described in…

In conjunction with the Office of the Chief Financial Officer, complete the internal control risk assessments for programs that have a material impact on the financial statements at a process level in a timely manner including the consideration of whether controls are designed, implemented, and are operating at a sufficient precision level in accordance with management’s materiality threshold and will be sufficient for financial reporting purposes.

Design, implement, and monitor the operating effectiveness of key controls that respond to significant risks of material misstatements and compliance with relevant laws and regulations.

Perform and document a thorough risk assessment at the financial statement assertion level to identify process level risks and communicate the results to relevant program offices. Also, assess the effectiveness of the key process level controls to respond to the identified risks in conjunction with relevant program offices.

Design and implement controls that demonstrate oversight over the contractor, including documentation that provides evidence over the adequate review and validation of the contractor’s work product.

Perform and document a thorough risk assessment of the payments for covered loans under the Debt Relief Program, including the impact of payments not considered, determined to be of lower risk, for which a variance threshold was applied, and the appropriateness and sufficiency of the applied methodology given the results of the review.

Based on the results of the risk assessment performed, design and implement appropriate controls to ensure an effective post payment review of payments for covered loans under the Debt Relief Program.

Review and update current processes and procedures for defining a time period by which system access must be disabled or removed for separated individuals.

Develop procedures to validate that access for separated employees is removed in accordance with required timeframes.

Develop procedures to validate that access for separated contractors is removed in accordance with required timeframes.

Design, implement, and document controls for monitoring job failures to ensure complete and accurate reports are generated.