On March 2, 1998, the OIG issued Audit Report 8-7-H-008-010, the Independent Public Accountant (IPA) report regarding the Audit of SBA’s FY 1997 Financial Statements. The IPA noted two reportable conditions that are considered material weaknesses: (1) SBA’s internal control functions governing the credit reform subsidy modeling and re-estimating processes need improvement, and (2) Improved financial reporting processes are needed at the SBA to ensure compliance with the Government management Reform Act of 1994 (GMRA). A third reportable condition, not considered a material weakness, states: the SBA needs to improve information system controls in the areas of (a) entity-wide security, (b) access privileges, (c) application development and program changes, (d) service continuity, (e) data authorization, completeness, and accuracy, and (f) segregation of duties. The IPA compared the above three conditions with the SBA’s 1997 Federal Managers’ Financial Integrity Act Report dated January 13, 1998. The IPA found that these three conditions were not presented in that report.
The IPA found that with the subsidy modeling and re-estimating process, SBA personnel computed subsidy re-estimates in January 1998. The OIG reviewed the re-estimate process and noted substantial errors in the 7(a), 504, and disaster program re-estimate calculations to be included in the FY 1997 principal statements. For example: (1) incorrect data were used in several re-estimate cash flow spreadsheets, including incorrect discount rates; (2) incorrect cell references and formulas occurred in several re-estimate spreadsheets, and (3) data were incorrectly carried forward to cash flow models from underlying spreadsheets. These errors resulted in adjustments to the principal statements in excess of $250 million.
Information Security Controls continue to need improvement. For example, computer programmers had unnecessary privileges that permitted remote access to Loan Accounting System (LAS) production data and programs. In another instance, quality assurance controls for major applications did not ensure data accuracy, reliability, and completeness. For example, loan disbursement amounts and balances differed among the Data Communication system, Automated Loan Control system, and the Loan Accounting System.