Evaluation Report 15-12: Improvement is Needed in SBA’s Separation Controls and Procedures
About this document and download
On May 26, 2015, the Office of Inspector General issued Evaluation Report 15-12, Improvement is Needed in SBA’s Separation Controls and Procedures. Our objective was to determine the effectiveness of the Small Business Administration’s (SBA) controls over separated personnel.
We found that existing separation controls were not effectively followed. These controls include deactivating network accounts within 24 hours of separation and collecting Federal property from separated personnel. Specifically, our analysis of network accounts identified 73 active accounts which should have been deactivated when the personnel separated from SBA. A large number of these 73 accounts were not automatically deleted as those accounts had never been accessed. Additionally, two active network accounts were accessed after the personnel had separated from the Agency—which was identified as security incidents.
We also reviewed 57 employee separation checklists, which are used to document the termination of network access and collect Federal property from separated employees. However, we found that less than half of the forms—46 percent—were correctly completed, and 19 percent could not be found.
We also found multiple errors in the manner that contracting officer’s representatives (CORs) carried out contractor separations, and also noted that SBA did not have formal procedures on how to deactivate and terminate intern and volunteer accounts.
We made six recommendations to SBA. SBA fully agreed with five of the six recommendations, and partially agreed with the sixth recommendation. SBA agreed to reinforce the importance of completing the separation checklist. Additionally, SBA identified that it would start holding line-management responsible if the forms were not fully completed. SBA agreed to investigate the two security incidents and report these incidents to the US Computer Emergency Readiness Team. SBA agreed to a new recertification policy in which every account is reviewed and any account not accessed within the previous 60 days is disabled. SBA agreed to revise contracting guidance so that CORs follow the same separation guidance as other SBA personnel with separations documented in a separation checklist. Finally, SBA agreed to have interns and volunteer separation procedures documented in revised Personnel ID Verification card procedures.