This audit report presents the results of our audit of SBA’s Fiscal Transfer Agent’s controls and security over the loan reporting and servicing process. The objective of our audit was to determine the adequacy of SBA’s controls and oversight over the development, security, and operation of certain information technology systems and processes performed by Colson Services Corporation (Colson). Colson performed certain functions for SBA 7(a) and 504 loan programs, including processing certain automated transactions and developing new information technology systems.
We found that the SBA did not 1) adequately address systemic data control weaknesses; 2) provide adequate oversight of the First Mortgage Loan Pooling System development; 3) ensure that Colson’s operation of SBA systems met federal security requirements; and 4) adequately enforce collection of secondary market late penalty fees. These data control weaknesses resulted in an overstatement of unpaid loan balances and a loan error volume reaching approximately 44,000 errors. Some SBA systems were also being operated without adequate assurance that they met SBA quality standards and Federal security requirements.
We made 11 recommendations, the most significant being to: 1) correct loan balances contributing to the subsidy overstatement; 2) collect outstanding late penalty fees; 3) ensure that system development projects adhere to SBA quality standards for systems development projects; and 4) ensure that systems are authorized to operate prior to being put into production. Management agreed with all of our recommendations except for the recommendation to collect the outstanding late penalty fees.