On November 15, 2005, the OIG issued Audit Report 6-04, Audit of SBA’s FY 2005 Financial Statements. The IPA documented three findings and issued two recommendations. The first finding addressed financial management and reporting controls. While the SBA made substantial improvements to its internal control, improvement was still needed in the areas of: funds management, financial accounting transactions, review of account balances; financial statement preparation and quality assurance, which were all considered material weaknesses.
The second finding related to the Office of Disaster Assistance administrative expenditure controls. Specifically, the SBA did not maintain adequate controls at its Atlanta Disaster Area Office over the time and attendance reporting processes and Federal Express shipping processes during FY 2005. For example, SBA’s policies and procedures for these processes were not documented.
The third finding related to agency-wide information systems controls. The IPA found that while the SBA continued to improve internal control over its information system environment during FY 2005, there were still several areas that need improvement such as: (1) management did not take appropriate action to correct known prior weaknesses in a timely manner; (2) controls were not adequate to ensure that SBA’s IT security awareness program included initial training for all new employees, contractors, and users, and periodic refresher training thereafter; (3) independent risk assessments were not performed and documented when systems, facilities or other major conditions changed; (4) management did not take appropriate action to ensure duties within the DCMS were adequately segregated, and (5) controls were not adequate to ensure that FRIS backup files were created on a prescribed basis and rotated offsite often enough to avoid disruption if current files were lost or damaged.