On May 14, 2008, the OIG issued Audit Report 8-13, Planning for the Loan Management and Accounting System Modernization and Development Effort. The Loan Management and Accounting system (LMAS) modernization and development effort was initiated in November 2005 in an effort to make the LMAS independent from the mainframe, which was inflexible, presented security risks, and was based on obsolete technology. It is one in a series of attempts by the SBA during the past several years to update existing financial software application modules. The current Loan Accounting System (LAS) has been in place over 30 years. The objectives of this audit were to evaluate the (1) progress the SBA has made since project inception, (2) soundness of the project management approach, and (3) adequacy of project oversight.
Despite the urgency of addressing LAS security vulnerabilities, the SBA was unable to replace the system prior to the expiration of the mainframe contract in February 2007, causing the Agency to renew costly contracts for mainframe and application support services for another five years. These services are expected to cost approximately $6 million per year.
The OIG issued the following findings: (1) The SBA has not migrated LAS off the Mainframe, (2) by delaying its mainframe migration, the SBA is not adhering to Federal guidance that requires timely remediation of information security risks, (3) the SBA lacks both an enterprise-wide and project-level Quality Assurance function to ensure that LMAS adheres to Quality Standards, and (4) the SBA has not finalized a Quality Plan for the LMAS Project.
The chief Information Officer provided written comments to the draft that incorporated comments from the Office of Capital Access, to address recommendations 1, 2, and 3. The LMAS project manager did not provide a response. Management concurred with recommendations 1, 2, and 3 but did not provide periods for implementing the proposed actions. Once the Agency submits periods for implementing the proposed actions, they will be considered fully responsive. The OIG determined that they would pursue a management decision on recommendations 4 and 5 through the audit resolution process.