SBA Needs to Improve Compliance with Key Legislation, OIG Says

The Small Business Administration’s (SBA) Office of Inspector General (OIG) found that the agency needs to improve compliance with three key pieces of Federal IT legislation, according to OIG’s semiannual report, released May 25 and covering October 2017 through March 2018.

The report notes compliance issues with the Digital Accountability and Transparency Act of 2014 (DATA Act), Federal IT Acquisition Reform Act (FITARA), and the Federal Information Security Management Act (FISMA).

DATA Act

The DATA Act aims to make information regarding Federal expenditures more easily accessible and transparent. Under the law, the Department of the Treasury had to establish common standards for financial data provided by all government agencies and to increase the amount of data that agencies must provide to the government website, USASpending.

OIG contracted with KPMG, an independent certified public accounting firm, to perform an “attestation engagement,” which is required under the DATA Act. After examining SBA’s FY 2017 second quarter data submission, KPMG reported a material weakness related to SBA’s control over the accuracy of data reported on USASpending. KPMG reported that SBA had a 32 percent error rate regarding data accuracy. KPMG reported that the errors likely occurred because SBA didn’t properly design and implement control activities over the input of data into relevant source systems, adequately train personnel on the process, or perform monitoring activities that would have detected that the wrong information was being used to populate USASpending submissions.

As a result of the material weakness, OIG issued an advisory memorandum to “facilitate control improvements, as well as ensure the exceptions (or errors) identified in KPMG’s report are remediated.” OIG also offered 14 recommendations that SBA management agreed to address.

FITARA

At a very basic level, FITARA made changes to the ways the U.S. Federal government buys and manages computer technology. OIG was specifically interested in how SBA was implementing critical components of FITARA since, “SBA identified implementation of FITARA as integral to meeting its strategic goals of implementing and maintaining modern, secure, and reliable information technology systems and services.”

While OIG found that SBA has made progress in implementing FITARA, “it needs to consistently establish performance baselines for its IT investments and update system development guidance to reflect current project implementation methodologies. Additionally, it needs to fully deploy a strategy to implement enterprise architecture and to implement an IT workforce planning process.”

In a report from November 2017, OIG offered SBA six recommendations to improve implementation of FITARA: first, ensure that SBA’s oversight body tracks baselines; second, measure and report IT project performance against baselines; third, update system development policies and procedures; fourth, incorporate IT architecture review into the acquisition program; fifth, implement IT architecture guides; and sixth, develop IT workforce competencies.

FISMA

FISMA requires Federal agencies to develop, implement, and report on the effectiveness of their information security programs. For FY 2017, OIGs were also required to report on risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning.

During the FY 2017 FISMA review, KPMG rated each of the required categories at SBA as either “defined” or “consistently implemented.” Defined means that policies, procedures, and strategy are formalized and documented, but not consistently implemented. Consistently implemented means that policies, procedures, and strategy are consistently implemented, but measures of their effectiveness are lacking. SBA scored “consistently implemented” for risk management and configuration management. The agency scored “defined” for identity and access management, security training, information security continuous monitoring, incident response, and contingency planning. As a result, OIG offered 11 recommendations to SBA, in addition to the 17 FISMA recommendations already open before the agency. SBA concurred with the 11 new recommendations.