Audit Report 9-24: Audit of SBA’s FY 1998 Financial Statements
Date Issued: Monday, September 20, 1999
Report Number: 9-24

On September 20, 1999, the OIG issued audit report number 9-24, the Independent Public Accountant (IPA) report, Audit of SBA’s FY 1998 Financial Statements.  The IPA concluded that the financial statements presented fairly, in all material respects, the financial position of the SBA as of September 30, 1998, and its net cost, changes in net positions, budgetary resources, and financing for the year then ended.  The IPA identified problems related to (1) financial reporting processes, (2) subsidy modeling and re-estimating processes, and (3) information systems controls.  The IPA also found that SBA’s financial management system did not comply with the requirements of the Federal Financial Management Improvement Act of 1996. 

The independent auditor found that SBA’s comprehensive plan for preparing financial statements lacked sufficient detail, the quality control process was not completely effective, and management did not dedicate enough resources to ensure the timely completion of its financial statements.  The IPA also found that the SBA’s quality control process was not completely effective.  Specifically, although SBA’s plan identified individuals responsible for quality control reviews of the financial statements, the auditor found several errors and omissions on the statements. 

The IPA acknowledged that the SBA had taken steps to implement correctives actions, further improvements were still needed to address the root causes of the general control weaknesses over SBA’s information systems.  During the FY 1009 financial statements audit, the IPA noted that the SBA needed to (1) fund and implement an entity-wide security program, (2) eliminate and reduce unnecessary and excessive access privileges that lessen accountability and create segregation-of-duties weaknesses, (3) consistently apply application development and change control procedures, (4) monitor programmer ability to access operating systems, and (5) train security administrators and program managers.