Audit Report 3-39: Monitoring of SBA’s Implementation of the Disaster Credit Management System
Date Issued: Wednesday, September 24, 2003
Report Number: 3-39

On September 24, 2003, the OIG issued Audit Report 3-39, Monitoring of SBA’s Implementation of the Disaster Credit Management System. The objectives of this audit were to monitor the SBA’s implementation of the Disaster Credit Management System (DCMS). The Office of Disaster Assistance (ODA) utilized the Automated Loan Control System (ALCS) to process disaster assistance. The ALCS was a distributed system that utilized a mix of mainframe and microcomputer capabilities to process disaster loan assistance. In an effort to improve its disaster loan origination and servicing activities, the ODA purchased the DCMS. The DCMS is a commercially available solution intended to provide more features, better usability, improved reliability and maintainability, better performance, and better security than the existing ALCS. The DCMS was designed to introduce paperless loan application, virtual loan processing, access to outside data sources, and improved workflow and document preparation. The SBA determined that the ODA had followed a disciplined planning process but that there was a need for improvement in security planning, quality assurance, and certification and accreditation planning. Additionally, the Office of the Chief Information Officer (OCIO) needed to provide more disciplined oversight of the DCMS project to ensure that it meets SBA’s requirements for a system “under development.” The OIG had six findings and recommendations, including: (1) The SBA did not conduct a risk analysis for system security; (2) The SBA has not fully determined DCMS security requirements; (3) The SBA has not established a security plan for DCMS; (4) The SBA does not plan to conduct an Independent Verification and Validation of the DCMS before implementation; (5) The SBA has not planned a Certification and Accreditation Review of DCMS; and (6) The SBA OCIO has not provided adequate oversight of the DCMS Project. The OIG made six recommendations.