Audit Report 9-19: Audit of SBA’s Information Systems Controls
On September 2, 1999, the OIG issued audit report 9-19, the Independent Public Accountant (IPA) report regarding the audit of SBA’s 1998 Financial Statements, Audit of SBA’s Information Systems Controls. The IPA concluded that SBA’s general controls were not fully in compliance with established policies and procedures. For example, (1) the SBA had not funded and implemented an entity-wide security program, (2) unnecessary and excessive access privileges reduced accountability and created segregation of duties weaknesses, (3) application development and change control procedures were not consistently applied in systems outside the Office of the Chief Information Officer’s control, (4) programmer abilities to access operating systems could not be monitored and (5) security administrators and program managers needed training. The IPA issued two findings and two recommendations related to the establishment of an ongoing agency-wide information systems security program.