
Open Recommendations

We recommend that management design and implement additional controls that respond to the risks associated with the relevance and reliability of underlying data used in developing the assumptions related to the subsidy re-estimates. Such review should be documented and maintained.
We recommend that FSA formally develop and implement a quality control review process to ensure that logical access control processes are followed completely and accurately to validate logical access requests, reviews, and recertifications.
We recommend that the Department provide training and oversight to the Department's personnel with access authorization and provisioning controls and ensure all requirements are met and documented prior to granting system and network service directory access.
We recommend that the Department update access review procedures to require the reviewers to verify that the access lists received to be used in the performance and operation of the access reviews are complete and accurate and have not been modified prior to commencing the access reviews.
We recommend that the Department ensure the database, server layer, and network service directory controls comply and operate with the disabling of inactive accounts, PIV authentication, account lockout duration, and password setting requirements, as required by Department policy.
We recommend that the Department follow established user access provisioning procedures detailed in the Federal and Department guidance to authorize access and assign roles that are commensurate with job functions and do not violate the least privilege principle.
We recommend that the Department oversee the Department's systems change management process to enforce adherence to the change management plan to ensure relevant documentation and approvals are properly completed prior to closing the change ticket.
We recommend that the Department update the Department's systems' change management plan to require program change supporting documentation, such as approvals, be retained.
We recommend that the Department develop and implement formal procedures addressing controls over the Department's systems': (a) changes to production jobs and schedules; and (b) monitoring of actions taken by the generic job processing account in the job scheduling tool, including management of the password for the generic account.
We recommend that FSA design and implement controls to evaluate the magnitude of impact, likelihood of occurrence, and nature of the deficiency in order to tailor the corrective actions to remediate the risk and address the root cause. Further, update guidance to ensure that quality reviews over the POA&M closure documentation are conducted to confirm the noted deficiencies are fully addressed to help prevent future reoccurrences.
We recommend that FSA enforce established access authorization and provisioning controls and ensure all requirements are met and documented prior to granting system access. Follow established user access provisioning procedures detailed in the Federal, Department, and FSA guidance to authorize system access and assign roles that are commensurate with job functions and do not violate the least privilege principle.
We recommend that FSA update access review procedures to require the reviewers to verify that the access lists received to be used in the performance and operation of the access reviews are complete and accurate and have not been modified prior to commencing the access reviews.
We recommend that FSA perform and formally document the periodic reviews of all application user accounts in accordance with Department policy to confirm access is current, authorized, commensurate with job responsibilities, and follows the concept of least privilege.
We recommend that FSA ensure the application access controls comply and operate with the PIV authentication requirements, as required by Department policy.
We recommend that management improve the risk assessment process at the financial statement assertion level and at the process level to ensure the Department and FSA are appropriately defining objectives to enable the identification of risks and define risk tolerances.
We recommend that management implement key monitoring controls to ensure that corrective action plans are implemented to timely remediate control deficiencies identified. In addition, increase oversight, review, and accountability over the process among various offices and directorates within the Department and FSA.
We recommend that management update the risk assessment process related to the evaluation of internal controls to ensure it sufficiently addresses risks within key processes, key data, and other material line items on the consolidated financial statement.
We recommend that management implement the recommendation presented in the material weakness in Exhibit A.
We recommend that the Department evaluate, design, and implement controls to track and report all new and separated contractors to allow for timely onboarding or off-boarding, respectively.

(U) Rec 1.b: The DoD OIG recommended that the Defense Security Cooperation Agency Director implement procedures to verify that the Military Services enter data into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual, by monitoring Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell trackers and documentation.
(U) Rec 1.c: The DoD OIG recommended that the Defense Security Cooperation Agency Director add Security Assistance Group-Ukraine, 21st Theater Sustainment Command, and the Military Aid Contribution and Coordination Cell to the distribution list of weekly Presidential Determination trackers.
(U) Rec 1.d: The DoD OIG recommended that the Defense Security Cooperation Agency Director implement a plan of actions and milestones to provide technical updates and administrative procedures that improve functionality and provide simpler and more timely access to the Defense Security Cooperation Agency 1000 System for Military Services and other organizations with a need to know.
(U) Rec 2.a: The DoD OIG recommended that the U.S. Army Europe and Africa Commanding General direct 21st Theater Sustainment Command and the Military Aid Contribution and Coordination Cell to regularly maintain and post U.S. equipment delivery tracking data and completed shipment transfer documentation to a secure portal that is accessible by the Military Services and other organizations with a need to know to support an accurate property accountability and delivery status with DoD forms appropriately completed by Ukrainian officials.
(U) Rec 2.b: The DoD OIG recommended that the U.S. Army Europe and Africa Commanding General direct 21st Theater Sustainment Command and the Military Aid Contribution and Coordination Cell personnel to add Presidential Determination numbers (or the equivalent project code) and transportation control numbers to the maximum extent possible to delivery trackers and completed receipt documents for each shipment unit and to scan and upload the documentation to a secure portal.
(U) Rec 3.a: The DoD OIG recommended that the Army Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.
(U) Rec 3.b: The DoD OIG recommended that the Army Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to enter Presidential Drawdown Authority items into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual.
(U) Rec 4.a: The DoD OIG recommended that the Chief of Naval Operations implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.
(U) Rec 4.b: The DoD OIG recommended that the Chief of Naval Operations implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to enter Presidential Drawdown Authority items into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual.
(U) Rec 5.a: The DoD OIG recommended that the Air Force Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.
(U) Rec 5.b: The DoD OIG recommended that the Air Force Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to enter Presidential Drawdown Authority items into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual.
(U) Rec 6.a: The DoD OIG recommended that the Marine Corps Commandant implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.
(U) Rec 6.b: The DoD OIG recommended that the Marine Corps Commandant implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to enter Presidential Drawdown Authority items into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual.

Ensure that control activities are operating as designed and that the appropriate level of documentation to evidence reviews is maintained to prevent and detect material misstatements.
Consider whether additional training on proper operation of its controls is necessary to enhance NASA’s financial reporting control environment.
Perform ongoing monitoring over the operating effectiveness of its financial reporting controls.
Recommendations to address this significant deficiency have been separately provided to IRS management by the auditors of the IRS's financial statements. The ASM and DCFO should ensure that IRS implements corrective actions to resolve the significant deficiency at IRS.
Separate reports were provided to IRS management with recommendations to address noncompliance with the federal financial management system requirements. The ASM and DCFO should ensure that IRS develop and implement remediation plans outlining actions to be taken to resolve noncompliance with the federal financial management system requirements and the resources and responsible organizational units for such planned actions.

Enforce the requirement for the Tier 2 lead to perform the monthly audit of the inventory report. (New)
Develop, document, and communicate Supply Chain Risk Management procedures to address all FISMA Supply Chain Risk Management requirements. (Modified Repeat)
Develop and implement a written oversight process to ensure that Contracting Officer’s Representatives regularly provide the Office of Human Capital with names of contractors who require background investigations and that the Office of Information Technology confirms those background investigations are complete before contractors receive system access. (New)
Complete the Authorization To Use package that covers the Administrative Resource Center Financial System. (Modified Repeat)
Perform a gap analysis by reconciling all Security Information and Event Management solutions that are capturing logs. (New)

Design and implement control activities to ensure all 17 Government Accountability Office Green Book framework principles exist within the internal control program. Corrective actions should be implemented for any principle that operates with deficiencies to identify and remediate the cause(s) of the deficiencies. (Modified Repeat)
Work with AmeriCorps’ Office of General Counsel (OGC) and follow OMB Circular A-11, section 113.10, to determine if there are any potential violations, including violations of the Antideficiency Act. (New)
Complete its internal inquiry related to the overinvestment of the Trust Fund, document the causes and timing, and determine appropriate next steps in coordination with the Office of Inspector General. (New)
Evaluate its fund’s control system to mitigate the risk of overinvesting. (New)
Develop and implement standard operating procedures for analyzing account balances and monitoring significant fluctuations which will allow management to evaluate, document, and approve the reasonableness of balances and detect accounting errors in its financial statements. AmeriCorps should ensure these procedures and the staff responsible for performing, reviewing, and approving the procedures are documented. (Modified Repeat)
Establish policies and procedures that outline the roles and responsibilities of key staff, including those of its service provider, involved in the timely completion of the SF 132 and SF 133 reconciliation. (Modified Repeat)
Develop and implement standard operating procedures for performing, reviewing, and approving a comprehensive reconciliation of the SF 132 and SF 133 and ensure the documentation is reviewed and approved. (Modified Repeat)
Develop and implement performance goals to reduce the reliance on journal entries as a compensating measure. Performance goals should accompany the implementation of internal controls designed to analyze and address the root causes of financial reporting errors between financial management systems. (Modified Repeat)