On November 15, 2007, the OIG issued the Independent Public Accountant or IPA’s findings in Audit Report 8-03, Audit of SBA’s FY 2007 Financial Statements. The IPA concluded that SBA’s consolidated financial statements as of and for the years ended September 30, 2007 and 2006, were presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles. The auditor documented a significant deficiency in management’s information technology security controls. Specifically, the auditor noted that the SBA made progress in several areas toward addressing prior year Information Technology (IT) internal control deficiencies. Despite these improvements, deficiencies continued to exist in the areas of security access controls, software program changes, and end user computing. For example, the auditor found that: (1) there were not procedures documented for the sanctions process against the personnel not compliant with existing SBA security policies, (2) the Office of the Chief Information officer personnel/management did not maintain enough storage capacity for the server audit logs, (3) the OCIO did not retain the logs long enough to allow for a sufficient review, and (4) the OCIO did not have formal day-to-day operating procedures documented for data center employees, which included segregation of critical functions.
With regard to software program changes, the auditor noted the following deficiencies: (1) the configuration baselines for the Disaster Credit management System had not been updated with information from the last change to system settings, and (2) the configuration baselines for the Loan Accounting System (LAS) did not contain a date indicating when it was last updated.