An audit of the finances of the Small Business Administration highlighted the need for improved cybersecurity and internal controls over IT systems.
The fiscal year 2019 audit, conducted by KPMG and released November 15, found both material weaknesses (bigger issues) and significant deficiencies (smaller issues) related to IT at SBA.
The audit found that SBA’s move of a financial reporting system to the cloud and its implementation of a new loan origination system led to issues in risk assessment. While the agency set up some internal controls, the reporting on the new systems was not adequate to fully assess risk at the organizational level. The auditors recommended that SBA’s CIO work with the relevant program offices to make sure documents provide the needed information for risk assessment, and SBA concurred with that recommendation.
“As part of its risk assessment process, SBA could not demonstrate the process used to adequately identify and assess the risks related to financial reporting for these changes to the relevant IT environments affected by the use of service organizations,” the report states.
The auditors also highlighted cybersecurity concerns with SBA’s financial systems. In particular, the audit found issues with inappropriate access to systems and pushing patches into production before testing.
“During the FY 2019 financial statement audit, we found that SBA continued to implement corrective actions on some of the prior year IT findings; however, a number of conditions persisted in FY 2019 that limited SBA’s ability to effectively manage its information system risks,” the audit states.
KPMG recommended that SBA create a working group to oversee access control issues, enforce a stricter policy on inactive accounts, and implement segregation of duties to prevent migration of code into the production environment, among other recommendations. SBA concurred with the recommendation.