10-06 - Audit of SBA’s FY 2009 Financial Statements - Management Letter

Date Issued: 
Tuesday, December 15, 2009
Report Number: 

Prepared by the
Office of Inspector General
U.S. Small Business Administration


U.S. Small Business Administration Office of Inspector General

To: Jonathan L Carver, Chief Financial Officer
Date: December 15, 2009
/s/ Original Signed

From: Debra S. Ritt
Assistant Inspector General for Auditing

Subject: Audit of SBA's FY 2009 Financial Statements - Management Letter
Report No. 10-06

Attached is the Management Letter issued by KPMG LLP that identifies matters that came to its attention during the audit of SBA's FY 2009 financial statements. The audit was performed under a contract with the Office of Inspector General (OIG) and in accordance with Generally Accepted Government Auditing Standards; Office of Management and Budget's (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; the Government Accountability Office (GAO)/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual; and GAO's Federal Information System Controls Audit Manual.

KPMG addressed recommendations to the Chief Human Capital Officer; Chief Information Officer; Directors for the Processing and Disbursement Center, Office of Financial Program Operations, and Office of Surety Bond Guarantees; and to you. We provided a draft of KPMG's report to each of these officials or their designees, who concurred with the findings relative to their respective areas. The officials or designees agreed to implement the recommendations or have already taken action to address the underlying conditions.

Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director, Information Technology and Financial Management Group at (202) 205-[FOIA ex. 2]


November 13, 2009


Office of the Inspector General,
U.S. Small Business Administration, and Administrator of the SBA:

We have audited the consolidated financial statements of the U.S. Small Business Administration (SBA) for the year ended September 30, 2009, and have issued our report thereon dated November 13, 2009. In planning and performing our audit of the financial statements of SBA, we considered internal control in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements. An audit does not include examining the effectiveness of internal control and does not provide assurance on internal control. We have not considered internal control since the date of our report.

During our audit, we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are presented in Exhibit I. The status of prior year comments is presented in Exhibit II.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and, therefore, may not bring to light all weaknesses in policies or procedures that may exist. We aim, however, to use our knowledge of SBA gained during our work to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

This report is intended solely for the information and use of the Office of the Inspector General, management, and others within the organization and is not intended to be, and should not be, used by anyone other than these specified parties.


Statement of Federal Financial Accounting Standards (SFFAS) 31, Accounting for Fiduciary Activities, became effective as of October 1, 2008. The SFFAS requires Federal entities to include two note disclosures providing information about fiduciary activities in their financial statements. SBA has fiduciary activities for both its 7(a) and 504 programs. At SBA, the Master Reserve Fund (MRF) and Master Reserve Account (MRA) are considered funds in which SBA accounts for fiduciary activity. The MRF is an account through which all payments from underlying loans and remittances to trust certificate investors flow for 7(a) loans that have been sold onto the secondary market. The MRA performs the same function for the 504 Certified Development Company debentures. Reporting on the MRF and MRA activity is provided to SBA by its Fiscal Transfer Agent (FTA), Colson Services Corporation (Colson).

The use of an FTA to service and process fiduciary activity for the MRF and MRA, in addition to other services, results in SBA relying on the controls of a third-party service organization. Therefore, an annual SAS 70 Type II report is submitted by Colson providing an assurance statement on controls over the activities for which it performs for SBA. KPMG noted that with the implementation of SFFAS 31, the controls surrounding the MRA and MRF tested as part of the Colson SAS 70 review directly impact SBA's financial reporting.

KPMG inquired of management if it had planned for any additional objectives in its fiscal year 2009 SAS 70 Type II audit, or mitigating compensating controls to address the financial reporting requirements of SFFAS 31. Based on our inquiry, we determined that SBA did not take into consideration the impact of SFFAS 31 on Colson's SAS 70 procedures.

Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, states:
"Management is responsible for developing and maintaining effective internal control. Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, that could adversely affect the agency's ability to meet its objectives, would be prevented or detected in a timely manner."
"Control weaknesses at a service organization could have a material impact on the controls of the customer organization. Therefore, management of cross-servicing agencies will need to provide an annual assurance statement to its customer agencies in advance to allow its customer agencies to rely upon that assurance statement. Management of cross-servicing agencies shall test the controls over the activities for which it performs for others on a yearly basis. These controls shall be highlighted in management's assurance statement that is provided to its customers. Cross-servicing and customer agencies will need to coordinate the timing of the assurance statements."

SBA does not have a process in place to evaluate the appropriateness of Colson's SAS 70 Type II procedures in relation to SBA's changing financial activities, the objective of which would be to ensure controls over the data provided to SBA are adequately tested by the service organization's auditor.

Without a SAS 70 review by management, SBA is not able to ensure all key processes handled by Colson are adequately tested or mitigated by compensating controls. As such, control weaknesses may exist that go unidentified. Specifically, relating to the MRF and MRA, unidentified control weaknesses may exist that lead to inaccurate reporting of fiduciary activities.

Additionally, with the development of new programs and changes to SBA operations under the American Recovery and Reinvestment Act (ARRA) of 2009, Colson will continue to expand the services it provides to SBA. Without a process for SBA officials to periodically re-evaluate the objectives of Colson's SAS 70, the risk increases that new Colson process controls will not be adequately tested.


  1. We recommend the Chief Financial Officer (CFO) develop and implement policies and procedures to review the SAS 70 Type II procedures to ensure all significant Colson process controls, including over the MRF and MRA, are adequately tested.

  2. In addition, we recommend that the Office of Financial Assistance Director ensure the Service Level Agreement includes a SAS 70 Type II review for Colson's process controls over all significant SBA financial activities.

Management's Response:
SBA management concurs with the findings and recommendations.


In fiscal year 2008, KPMG issued a Notice of Finding and Recommendation (NFR) related to the employee separation process. The employee separation process is documented within the SBA Form 78, which documents the signatures of all required clearance officials prior to the separation of an SBA employee. During the first quarter of fiscal year 2009, SBA implemented corrective action to address this issue in the form of employee training and a quarterly review of completed separation forms. In fiscal year 2009, KPMG tested the key controls over the employee separation process. Based on our control testwork over 30 employee separation sample items, we noted the following:

  • Three sample items (sample items #12, #13, and #14) were missing the Office of Human Capital Management (OHCM) signature in Section VI of the SBA Form 78.
  • Twelve sample items (#16, #17, #18, #19, #21, #22, #23, #24, #26, #27, #29, and #30) were missing the Office of Disaster Assistance (ODA) signature in section VI of the SBA Form 78.
  • For three sample items (#1 and #2 - Office of Chief Financial Officer (OCFO), and #8 - Office of Field Operations (OFO)), section I of the SBA Form 78 was not signed by the Division Chief. Section I requires a signature that certifies all required forms have been completed and are attached, and the separated employee's work area has been inventoried.
  • For one sample item (#1 - OCFO), the second page of the SBA Form 78 was unavailable for review. The second page of the SBA Form 78 documents the clearance signatures for sections III, IV, V, and VI of the SBA Form 78. Section III requires the signature of an OIG official certifying that if the employee had access to classified information, the employee was debriefed. Section IV documents signatures evidencing whether items such as cellular telephones and pagers were returned. Section V documents the employee's certification that all SBA property has been returned to the agency. Section VI documents the signature of the OHCM servicing personnel specialist certifying the appropriate forms were provided to the employee and the final salary disbursements were scheduled for payment.
  • For one sample item (#8 - OFO), section II of the SBA Form 78 was not signed by a Facilities Management Branch (FMB) official. Section II of the SBA Form 78 documents all administrative clearances such as travel credit cards, keys, and property and equipment were returned.

Standard Operating Procedure (SOP) 00-13-5, Property Management Program, Chapter 2, states:
"Regional administrators, district directors, disaster area directors, and Headquarters' division chiefs are designated property control officers for their respective areas of responsibility. As a Property Control Officer, you must:
Ensure that all SBA property is returned when an employee leaves SBA. Field office heads should indicate compliance by signing and dating SBA Form 78, "Separation Checklist." Headquarters Division Chiefs should initial SBA Form 78 and forward it to the FMB (Facilities Management Branch) for concurrence on the following items: Identification/Fascard, Property/Equipment and Office/Furniture-Keys. Once you have obtained all required clearances, forward to the Office of the Chief Human Capital Officer."
OMB Circular A-123 requires that documentation for internal control, all transactions, and other significant events be readily available for examination.

OHCM does not currently have a well-defined SOP that specifies the roles and responsibilities of all individuals involved in the separation process.

The separation checklist is not completed in a consistent and proper manner, which increases the risk that government assets are not properly safeguarded.

We recommend that the Chief Human Capital Officer (CHCO):

  1. Develop an SOP that clearly delineates the responsibilities of all parties involved in the employee separation process.

  2. Modify current SBA Form 78 procedures to require the employee's supervisor be the last signature obtained as part of the separation process. The supervisor should certify all signatures are present prior to signing and then sending the completed form to OHCM, ODA, or OIG.

Management's Response:
SBA management concurs with the findings and recommendations.


During testwork over loan guaranty charge-offs at the Fresno Commercial Loan Servicing Center (CLSC) and the Herndon National Guarantee Purchase Center (NGPC), an extended lag time between purchase and charge-off was noted in the following 11 sample items:

View the table in the PDF.

Criteria: SOP 50-52, Consumer Loan Servicing and Collection for Disaster Home Loans, states:
1) The SBA Policy Regarding Charge-off Accounts, states: SBA's policy is to be diligent and thorough in its collection of debt and to promptly charge off all uncollectible accounts [emphasis added]. The charge-off status will more accurately reflect the status of the individual account and the Agency's entire portfolio.
SEC. 31001, DEBT COLLECTION IMPROVEMENT ACT (DCIA) OF 1996
(b) The purposes of this section are the following:
(1) To maximize collections of delinquent debts owed to the Government by ensuring quick action to enforce recovery of debts [emphasis added] and the use of all appropriate collection tools.
The Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government:
"Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions [emphasis added]. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded."

Based on discussions with the Center Directors, the majority of the exceptions noted above were caused by the Centers' inheritance from district offices of a large portfolio of loans awaiting charge-off. Additionally, both Directors stated the influx of defaulted loans, coupled with inadequate staffing at the Center, has prevented the timely processing of charge-off actions.
Also, neither Center had a tracking mechanism to identify the length of time a loan awaits charge-off.

A delayed guaranty loan charge-off will prevent accurate reporting of the loan status in the financial statements. Once charged off, SBA recognizes a loss for the net amount of the loan balance and removes the loan receivable recorded at time of purchase.
Additionally, a delayed charge-off impedes the ability of Treasury to fully pursue recovery for delinquent loans.

We recommend the Office of Financial Program Operations (OFPO) Director:

  1. Allocate resources as required to address charge-off actions in a timely manner.
  2. Develop a tracking mechanism to ensure loans awaiting charge-off for an extensive period are quickly identified and processed.

Management's Response:
SBA management concurs with the findings and recommendations.



KPMG noted the following deviations from SOP 50 30 (6) "Disaster Assistance Program" while performing control testwork at the Ft. Worth Loan Processing and Disbursement Center (PDC):
1) For two loans, totaling $241,200, we noted documentation in the chron log was not sufficient to determine whether the borrower verbally requested a loan cancellation or reduction, or whether the cancellation/reduction was due to other factors and should have been processed using the 14-day letter.

Note: No bankruptcy proceedings were involved in either case described above.
Criteria: SOP 50 30 6, para. 109.a., Cancellation at Request of Borrower, states:
When we receive a written or oral request, we may cancel all or any portion of an approved loan. Be careful before acting on an oral request to ensure cancellation is appropriate.
SOP 50 30 6, para. 109.c., Cancellation Notification Procedure, states:

(1) Before we initiate an action to cancel all or any funds, we must mail a letter giving 14 calendar days' notice of the pending cancellation. The letter must specify the action the borrower can take to prevent the cancellation.

EXCEPTION: A 14-day letter is not required when the cause for the cancellation is due to the borrower's request or we received notification that the borrower has filed for bankruptcy.

(2) Prior to submitting the loan modification for cancellation of the loan, the loan officer should contact the borrower to explain our action and the reasons for the cancellation. The loan officer will advise the borrower that written notification is forthcoming which will include information regarding the method and the deadline for requesting reinstatement (see paragraph 110.a.). The loan officer must also advise the borrower that if we approve the reinstatement request, new loan closing documents will be issued and that the original documents are no longer valid and should be destroyed.

NOTE: The chron log should clearly reflect the details of this conversation; the reason(s) for the cancellation, the reinstatement process, and if approved, the issuance of new loan closing documents.

GAO's Standards for Internal Control in the Federal Government, states, "control activities ... include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation." In addition, "access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained."

In addition, the U.S. Department of Treasury's Management of Federal Receivables states, "Accurate and complete documentation is critical to providing proper servicing of debt, pursuing collection of delinquent debt, and in the case of guaranteed loans, processing claim payments."

Loan officers and customer service representatives did not sufficiently document the facts and circumstances of the conversations with the borrowers.

Cancellations totaling $241,200 were not properly supported by either a borrower request or 14-day letter.

7. We recommend the Director of the Fort Worth PDC provide guidelines to staff that outline what constitutes proper file documentation to ensure that a reviewer of the file may determine the origin of loan cancellations.

Management's Response:
SBA management concurs with the finding and recommendation.


During our testwork over guaranty loan charge-offs at the Fresno CLSC, we noted the following instances of inadequate documentation in the sample items reviewed:
1) Credit Bureau Report
For one 504 loan, the loan specialist failed to obtain a credit bureau report prior to charge-off. A credit bureau report is utilized to identify resources that could be used to pay down loan debt and to ensure the borrower is properly referred to Treasury at time of charge-off.

2) Cost/Benefit Analysis Supporting Forfeiture of Lien by SBA
One 504 loan was secured by a second lien on real estate with a loan balance of $1,419,095.53 at time of borrower default. The liquidation efforts were completed by the District Office and the loan file was shipped to Fresno for charge-off. It appeared the SBA District Office abandoned collection efforts associated with the property lien in exchange for $10,000 received from the senior lien holder. An appraisal located within the loan file suggested the fair market value of the property was significantly higher than the $10,000 offer accepted by SBA. Based on comments included within the Charge-off Form 327, Modification or Administrative Action, the Fresno CLSC recommending official was unable to clearly identify the liquidation efforts taken by the District Office.
KPMG was ultimately able to ascertain the lien forfeiture was in the best interest of the agency through follow-up discussions with the District Office and the Office of Financial Assistance (OFA) after the issue was presented to management. However, the information provided subsequent to KPMG's review was not documented within the loan file in the form of a cost/benefit analysis at time of review and approval by the charge-off official.

1) SOP 50 51 2(A), Loan Liquidation and Acquired Property - Chapter 18, "Charge-off Procedures"

17) What Financial Information is Needed on Debtor?
You must have current credit information on each obligor to support a charge-off, (i.e., Dun and Bradstreet, Equifax, or Credit Bureau Report).

2) SOP 50 51 2(A), Loan Liquidation and Acquired Property - Chapter 6, "SBA-Serviced Liquidation"
1. What is SBA's Policy for SBA-Serviced Liquidations?
a) You must direct your efforts toward maximizing recovery in a minimum amount of time.
b) You must promptly proceed to locate, identify, assess, and protect all pledged real and personal property.

3) SOP 50 51 2(A), Loan Liquidation and Acquired Property - Chapter 6, "SBA-Serviced Liquidation"
13. Release/Subordination of Agency Lien.
Recommendations for release and/or subordination of SBA lien on loans "in liquidation" will only be considered if they clearly are in the Agency's best interest. Release/subordination should be used to effect maximum recovery. Each action will be considered based on its effect on the value of the collateral and the ability to obtain greater overall recovery on the loan.

The above matters occurred because SBA personnel did not adhere to SOP requirements.
The deficiencies noted above increase the risk of invalid charge-offs. In addition, there is a risk that the agency may not maximize its collection efforts.

We recommend the OFPO Director:

  1. Reinforce, through the issuance of memorandum, the importance of the credit bureau report and/or asset search review prior to charge-off.

  2. Ensure all offices are adequately documenting lien release decisions. This should be in the form of a liquidation analysis included within the SBA Form 327 or other supporting documentation and should clearly evidence the action was in the best interest of the Agency.

Management's Response:
SBA management concurs with the findings and recommendations.


While performing test work over guaranty loan purchases at the Fresno CLSC, KPMG identified an SBA interest overpayment made to a lender under the 7(a) FA$TRAK program.
The Loan Officer documented on SBA Form 327 that the lender had successfully liquidated the loan collateral and net proceeds were to be applied to 120 days of interest in arrears. At the time of actual liquidation, SBA determined that only 52 days of interest, or $1,606.49, was actually in arrears. However, the recommending official did not enter the interest purchase adjustment detailed on the SBA Form 327 into the Guaranty Purchase Tracking System (GPTS). Consequently, SBA paid 120 days of interest totaling $3,707.28.

SOP 50 51 2, Loan Liquidation & Acquired Property, Chapter 10, "Special Programs" states:
2. FASTRAK Program.
e. How are proceeds from the sale of collateral handled? Proceeds from the sale of collateral must be applied in the following order:

  • To expenses associated with the liquidation;

  • To interest (NOT to exceed 120 days of interest on the balance as of the earliest uncured payment default); and

  • To any principal balance.

g. How is the amount purchased determined?
The purchase amount will consist of the SBA guaranteed percentage of the balance remaining after liquidation plus up to 120 days of interest calculated at the note rate minus 1 percent (if liquidation proceeds were insufficient to cover a full 120 days of interest) based on the balance outstanding at the time of the earliest uncured default.
The Improper Payments Information Act of 2002, states:

IMPROPER PAYMENT. The term "improper payment" (A) means any payment that should not have been made or that was made in an incorrect amount (including over payments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements;

The approving official did not adequately review and compare supporting documentation to the GPTS balance prior to approving the purchase amount in GPTS.

SBA made an overpayment in the amount of $2,101.

10. We recommend the OFPO Director reinforce the importance of a thorough review of both GPTS and the SBA Form 327 by approving officials to ensure they are in agreement at time of purchase.

Management's Response:
SBA management concurs with the finding and recommendation.


During our testwork over the guaranty loan charge-off process at the NGPC, we noted a lack of approving official review on SBA Form 327, Modification or Administrative Action, and within the GPTS for loan No. [FOIA ex. 2] in the amount of $275,762.35 (the total approved amount of the loan). This error was not identified by the loan servicing assistant during LAUD15 data entry processing.

SOP 50 51 2(A), Loan Liquidation & Acquired Property, Chapter 3 "Correspondence, Reports, and Control Systems", states:
"3) What is SBA Form 327, Modification or Administrative Action? The term "Modification or Administrative Action" refers to an action to modify the authorization or other actions which are necessary to help the borrower respond to a business growth opportunity or to respond to a problem. It also refers to actions that SBA may take that would affect the loan (e.g., change the status of loan from regular servicing to "in-liquidation", to transfer the loan from one lender to another, etc.)
All 327 actions require approval under the rule of two authority." [emphasis added]
As stated in the "LAUD15 Data Entry & Outprocessing Guidelines":
"LAUD15 - To Recommend Charge-off
Enter "Y" (Yes) 3 times confirming this is proper, LAUD13 completed & PMNUOI has been addressed."

KPMG noted the Q-Term processor (loan servicing assistant) in charge of the final review of the SBA Form 327 incorrectly confirmed that all required officials had approved the action on the LAUD15 screen within Q-Term.
Additionally, in the LAUD15 processing procedures document, which is used as a reference tool by loan processing personnel, SBA explicitly instructs the processor to answer 'Yes' to all questions on the LAUD15 screen. While all answers must ultimately be 'yes' for an approving official to charge-off, the guidelines should be stated so that the processor reviews each individual question and verifies the answers are 'yes' prior to inputting 'Y' on the LAUD15 screen.

Lack of documented approving official's review on the SBA Form 327 increases the risk of improper charge-offs being performed and recorded in the general ledger. Furthermore, improper charge-off procedures may limit SBA's recovery on delinquent loans from collateral or through litigation.

We recommend the OFPO Director should:
11. Reinforce, through training of all personnel involved in the charge-off process, the importance of thoroughly reviewing the charge-off administrative action.

  1. Conduct periodic (at least quarterly) reviews of completed charge-offs to ensure that all appropriate personnel sign the administrative action.

  2. Revise the LAUD15 processing procedures to require the LAUD processor to verify that all required signatures are present on the administrative action.

Management's Response:

SBA management concurs with the findings and recommendations.


During our testwork over guaranty loan charge-offs at the NGPC, we noted the following instances in which the related documentation was incomplete:

Lender Wrap up Report
For five of the loans tested, we noted SBA personnel failed to obtain a Lender Wrap up Report documenting the lender's actions and results in regards to liquidation efforts prior to charge-off.

Criteria:
1) SOP 50 51 2(A), Loan Liquidation and Acquired Property - Chapter 10, "Special Programs",
p) When must the lender provide a "wrap up report?"
i) The lender must provide SBA with a wrap up report documenting the lender's actions and

(1) When the lender determines that the loan will not be fully repaid after all worthwhile collateral has been liquidated; and
(2) No further recoveries are anticipated within a reasonable period of time, (see Appendix 18, "Final Wrap Up Report" checklist).

The attorney who reviewed the loan file at time of charge-off incorrectly concluded on the Guaranty Charge-off Checklist that the lender had submitted a wrap up report for two of the loans. In addition, there were no Charge-Off Checklists completed for three other loans prior to charge-off.

The deficiencies noted above increase the risk that invalid charge-offs will be made in the system. In addition, there is a risk that the agency will not maximize its collection efforts.

We recommend the OFPO Director:

  1. Modify the administrative action to require that the recommending official be given the choice of two available options when completing the Guaranty Charge-off Checklist as follows:
  • The lender wrap up report was submitted by the lender, or

  • There is sufficient information in the lender correspondence to satisfy the wrap up report requirement.

Management's Response:
SBA management concurs with the findings and recommendations.


KPMG tested a sample of 75 Undelivered Orders (UDOs) as of September 30, 2009, and noted the following exceptions:
1) The quarterly review of open obligations reports was incomplete. Currently, SBA requires program offices to conduct a quarterly review of their respective undelivered orders. However, the individual reports are reviewed at different cut-off dates, and therefore, it is difficult to agree the total UDOs reviewed to the agency's accounting books and records as of a specific date.

2) Five of the items were not properly de-obligated. The amount obligated related to these items totaled approximately $193,000.

OMB Circular A-123, section I, defines management controls as "the organization, policies and procedures used by agencies to reasonably ensure that: (i) programs achieve their intended results; (ii) resources are used consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information is obtained, maintained, reported, and used for decision making."
OMB Circular A-123, section II, goes on to indicate, "Monitoring the effectiveness of internal control should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management's continuous monitoring of internal control, which should be ingrained in the agency's operations."

The errors appear to be attributed to human error and oversight related to the obligation process. The issues noted above are indicative of a lack of management/supervisory review of controls to ensure the existence and accuracy of the financial information recorded. Furthermore, the precision of the review does not appear detailed enough given there is no overall monitoring to ensure a complete list of UDOs are reviewed, since we identified exceptions in our testwork.

Untimely approval and posting of obligations and de-obligations within Oracle indicate inconsistencies in obligating procedures, and could result in an invalid obligation being made or remaining after it is no longer appropriate.
UDOs are overstated in the amount of $193,000.

We recommend the CFO:

  1. Continue to strengthen monitoring procedures over controls surrounding review and approval of obligations;
  2. Continue to review undelivered orders periodically to ensure that amounts are properly de-obligated as necessary.

Management's Response:
SBA management concurs with the findings and recommendations.


During our test work performed over 60 payroll sample items for the period from October 1, 2008 to May 31, 2009, we noted the following:
1) For three sample items (Denver [1] and Herndon [2]), we noted that the OPM SF-52s, Request for Personnel Action, did not contain the authorization signature. Additionally, for one sample item (Headquarters), the Office of Personnel Management (OPM) SF-52 was not signed by the employee.
2) For one sample item, the original OPM Form 71, Request for Leave or Approved Absences, was not signed by the employee's supervisor. The employee worked in the Office of Field Operations (OFO).
3) For three sample items the STAR Time and Attendance (T&A) worksheets were not signed by the employees' supervisors. The three T&A exceptions noted related to employees working in the Office of International Trade (1 item), OFO (1 item), and the Los Angeles District Office (1 item).

SBA's Guide to Preparing the OPM SF-52, Request for Personnel Action Part A Requesting Office, states that "6 ACTION AUTHORIZED BY Enter name, title, date, and signature of person authorized to approve the personnel or position action requested."
SOP 36 00, Attendance and Leave, states that "supervisors are responsible for ensuring that all employees under their supervision have worked the proper number of hours for the work schedule selected before signing individual Time and Attendance Reports."
SBA Manager's Toolkit states, "Ensure all STAR T&A worksheets are signed by timekeeper, employee, and supervisor. Ensure OPM Form 71 (Request for Leave or Approved Absence) is completed and approved in a timely manner. Do not make handwritten changes to the OPM Form 71 without initialing or signing, which indicates approval by management. Ensure timekeepers do not transmit T&A before all the proper signatures are obtained."
OMB Circular A-123 requires that "documentation for internal control, all transactions, and other significant events be readily available for examination."

SBA does not have an effective control in place to detect payroll forms and actions that have not been properly approved and retained.
Lack of approved OPM SF-52s increases the risk that unauthorized personnel actions are processed. Lack of approved T&A worksheets and OPM Form 71s by the supervisor or timekeeper increases the risk that incorrect hours and annual leave may be processed.

We recommend the CHCO work with:

  1. The Director of Administration, Office of Disaster Assistance, to reinforce the importance of obtaining the required signatures on the OPM Form SF-52.
  2. The Deputy of OFO to reinforce the importance of the approval of OPM Form 71 through periodic training or interim monitoring.
  3. The Associate Administrator for the Office of Capital Access, Los Angeles District Director, and the Deputy of OFA to reinforce the importance of the approval of T&A worksheets through periodic training or interim monitoring within their respective program offices.

Management's Response:
SBA management concurs with the findings and recommendations.


In fiscal year 2008, we issued NFR-2008-12 which noted that SOP 00 08 (2), National 4/93 Organizational Structure, was not up-to-date to reflect the current titles and functions, organizational charts, and responsibility/authorities of SBA offices. While SBA made several minor revisions to this SOP in 2005 and 2006 to chapters 1, 2, and appendix 2, the majority of the SOP, which includes organization charts, mission statements, responsibilities, service areas, jurisdictions, etc., has not been updated since 1993. SBA management responded to NFR-2008-12 by stating that it concurred with the finding and would review and update the organization-specific portions of SOP 00 08 (2) by September 30, 2009.
We re-examined the status of SOP 00 08 (2) revisions as part of our entity-level control test work in fiscal year 2009. We noted that no progress has been made as of September 10, 2009 to update and revise the outdated information contained in the SOP.

OMB Circular A-123, Internal Control over Financial Reporting, states, "A factor affecting the control environment is the agency's organizational structure. It provides management's framework for planning, directing and controlling operations to achieve agency objectives. A good internal control environment requires that the agency's organizational structure clearly define key areas of authority and responsibility and establish appropriate lines of reporting."

SOP 00 08, Organizational Structure, states, "The AA/HCM will revise this SOP (title changes, functional statements, organizational charts, etc.), update the organizational structure data in the personnel and payroll data system, and request that the Office of Administration prepares Agency and Federal Register notifications (if required)."

Based on discussion with OHCM personnel, the SOP has not been revised because there are higher priority issues within the agency and limited resources.

The lack of a documented organizational structure and clearly defined policies and procedures of key areas of authority and responsibility can negatively impact SBA's overall control environment.


  1. We recommend the CHCO revise the SOP for organizational structure to reflect the current organizational structure including title changes, functional statements, organizational charts, and responsibility authorities.

Management's Response:
SBA management concurs with the finding and recommendation.


As part of our Statement of Net Cost methodology test work, we selected a sample of employee surveys to validate the cost allocation report downloaded from SBA's costing system, OROS ABC Model. This system supports the allocated amounts in SBA's Statement of Net Cost and the Stewardship Investments in Human Capital reported in the Required Supplementary Stewardship Information section of the financial statements. We noted for one of 26 sample items selected for testing that SBA was unable to provide the supporting employee's survey.

Upon requesting the file from the Arizona District Office, which was listed as the employee's office per the cost allocation report, we were informed by management that the individual was actually working for the Office of Capital Access at the Citrus Heights District Office. We verified this through documents, including OPM SF-50 - Notification of Personnel Action, Time and Attendance Report, and Form AD-334 - Earnings and Leave Statement, which we received as part of our payroll test work. The Citrus Heights District Office was also unable to provide us with a copy of the employee survey.

SBA must allocate the net cost of operations over major goals, and the programs within these goals. OMB Circular A-136, Financial Reporting Requirements, states:
"The Statement of Net Cost should show the net cost of operations for the reporting entity by major program, which should relate to the major goal(s) and output(s) described in the entity's strategic and performance plans, required by GPRA. These major programs must be organized into meaningful groups which must be an organized set of activities, directed toward a common purpose or goal. The reporting entity should accumulate and assign costs to these major programs in accordance with the costing methodology in SFFAS No. 4."
The Statement of Federal Financial Accounting Standards No. 4, Managerial Cost Accounting Concepts and Standards for the Federal Government, states:
"The costing methodology used by an entity should be appropriate for management's needs and the operating environment and should allow outputs produced to accumulate by type of resource that directly or indirectly contributes to the production of those outputs. This system should also be capable of identifying costs within responsibility segments. The costing methodology chosen should be followed consistently and the cost assignments should be performed within the system on a regular basis."
SBA Procedural Notice 2000-767, FY 2009 Cost Allocation Survey, states:
"Supervisors are required to ensure that all of their employees complete the survey and must review their employees' survey responses. After completing the survey, all employees must provide their immediate supervisor with a printed copy of their survey responses. After the supervisor signs the printed survey, the employee must "submit" the survey".

The employee incorrectly filled out the survey by indicating his office location as Arizona, instead of Citrus Heights, and the error was not detected as part of SBA's established review process.

The error in office code on the survey was not found through supervisory review; as such, the costs associated with this employee were not allocated to the appropriate district office. A copy of the employee survey was not kept in the employee file; and as such, we were not able to verify that the costs related to this employee's activities were allocated to the appropriate activity.
The percentages that are developed from survey results from each office allocate costs across SBA's operations. The aggregation of errors such as this can lead to the generation and use of incorrect information in making management decisions and in allocating resources across agency programs and to individual offices. The misallocations could also lead to the presentation of incorrectly calculated information for the Statement of Net Cost and the Stewardship Investments in Human Capital.


  1. We recommend the OFPO Director ensure that SBA supervisory personnel at the Citrus Heights office follow the procedural notice issued to all SBA employees.

Management's Response:
SBA management concurs with the finding and recommendation.


During fiscal year 2009, we found that controls over security management were weak. Specifically, we noted that approvals for successfully completed clearance documents were not retained for all selected new hires. We sampled a total of 15 new hires; however, two of the requested SBA Form 1228s, which evidence the successful completion of a background investigation, were either incomplete or could not be provided. We noted that the missing forms were for new SBA employees. Therefore, we were unable to determine if all new staff was successfully cleared before their employment began.

The Federal Information Security Management Act (FISMA) requires Federal agencies to comply with information security guidance issued by the National Institute of Standards and Technology (NIST).
OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, requires Federal agencies to screen individuals applying for access to government data and systems based on the level of risk presented by their access.
SOP 3300-2, Employment, states, "The SBA requires the completion of a Single Scope Background Investigation before employing you."

Management represented to us that competing resources have prevented SBA from implementing policies and procedures within SOP 3300-2, Employment, which addresses the retention of background investigation forms.

Incomplete documentation supporting the completeness of initial and follow-up background investigations may lead to issues with security related personnel policies. For example, without evidence of background investigations, the requirement to update security clearance certifications based upon position sensitivity changes may be overlooked.

We recommend the Chief Information Officer (CIO):

  1. Timely confirm the validity of the missing employees' background investigations identified in the condition above.

  2. Oversee and enforce the authorization and document retention of the clearance documents for all employees and contractors.

Management's Response:
SBA management concurs with the finding and recommendations.


During our fiscal year 2009 test work, KPMG noted that New World Apps provides the alternate processing services for the Local Area Network/Wide Area Network (LAN/WAN), Financial Reporting Information System (FRIS), and E-Tran. Upon reviewing the contractual agreement, we noted that the contract does not indicate the period of coverage. The document only stated the contract's date of order, which was September 4, 2008. Therefore, the period of coverage for the contract was unclear.

FISMA requires federal agencies to comply with information security guidance issued by NIST.
SOP 90 47 2, Automated Information System Security Program, states, "Regardless of which type of off site alternate site is used, there are six possible scenarios that apply for backup and recovery capability. Regular backups by system administrators, associated backup documentation, and the process for security administrative passwords should be established to provide a basic level of recovery capability in addition to incorporating any of the additional techniques emphasized above. (Appendix V, page 41)"
NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, states, "One common preparation [ ... ] is to establish contracts and agreements, if the contingency strategy calls for them (Chapter 11)."

Lack of management oversight has resulted in the Office of the Chief Information Officer (OCIO) staff neglecting to prioritize the retention of key third party contracts.

The lack of retained contractual information, such as the date of coverage for services, can lead to inconsistency in authorized and agreed services by vendors.

24. We recommend the CIO ensure that third party contracts remain current and reflect the period of coverage.

Management's Response:
SBA management concurs with the finding and recommendation.


During our test work, we determined that a mandatory training program for IT security personnel is not in place. The current process used by the OCIO is to recommend courses to IT Security personnel; however, this process is relatively informal as attendance is neither mandatory nor tracked for compliance.

FISMA requires federal agencies to comply with information security guidance issued by NIST.
OMB Circular A-130, Appendix III, addresses training as an element of a system security plan for a general support system and as an element of an application security plan for a major application. Regarding the training element of a system security plan, the Circular states, "Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall ensure that employees are versed in the rules of the system [ ...] and apprise them about available technical assistance and technical security products and techniques."
NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, states, "An awareness and training program is crucial in that it is the vehicle for disseminating information that users, including managers, need in order to do their jobs. In the case of an IT security program, it is the vehicle to be used to communicate security requirements across the enterprise."

Management represented to us that competing resources have prevented the implementation of a mandatory training program for IT security personnel. However, the OCIO has plans to implement a program within fiscal year 2010.

The lack of a mandatory training program for IT security personnel can lead to inconsistent and inadequate knowledge of job function duties.

We recommend the CIO:

  1. Require effective training programs for IT security personnel.

  2. Develop a method of monitoring the training program to ensure compliance by all personnel with IT security roles and responsibilities.

Management's Response:
SBA management concurs with the finding and recommendations.

To view Exhibit 2, please see the attached document.