On February 24, 2005, the OIG issued Audit Report 5-12, Audit of SBA’s Information Systems Controls Fiscal Year 2004, as part of the Independent Public Accountant or IPA’s audit of the SBA’s FY 2004 financial statements. The IPA found that the SBA continued to improve internal control over its information system environment during FY 2004 in certain areas. Specifically, the SBA: (1) conducted certification and accreditation (C&A) reviews for additional major applications; (2) continued to implement the Windows 2000 operating system at various field locations, and (3) conducted a disaster recovery exercise.
The IPA reported that these accomplishments were overshadowed by the following weaknesses that were identified during the review:
(1) the SBA did not have an adequate information-technology training program in place;
(2) the SBA had not initiated prompt action to correct known deficiencies (specifically, out of the 26 recommendations related to 13 findings noted in FY 2003, fourteen recommendations were not adequately addressed);
(3) duties within financial applications are not adequately segregated in that JAAMS security administration and user account administration privileges had been granted to several individuals. In addition, one user was identified as having both financial and Information Technology (IT) incompatible duties within JAAMS;
(4) policies and procedures for the administration of the network operating system (Windows 2000 O/S) had not been developed;
(5) no minimally acceptable baseline configurations existed;
(6) access authorizations to the SBA Network, JAAMS, LAS, and the Sybase general support systems were not adequate;
(7) emergency access authorizations to SBA’s Network, JAAMS, LAS, and the Sybase general support system were not adequate;
(8) password controls were weak;
(9) review of inactive accounts was not being performed on the network, LAS, or the Sybase general support system;
(10) logging and monitoring of SBA general support systems and JAAMS was not adequate; and
(11) Business Resumption Plans had not been completed and fully incorporated into SBA’s Continuity of Operations Plan (COOP).