Small Business Administration's First-Year Implementation of the Federal Managers' Financial Integrity Act

GAO reviewed the processes used by the Small Business Administration (SBA) to implement the Federal Managers' Financial Integrity Act.

In its first-year efforts to implement the act, SBA issued a directive that assigned responsibilities for its internal control evaluation and improvement process. Further, as required by Office of Management and Budget (OMB) guidelines, SBA reviewed the internal controls for two of its programs during the first year. However, GAO found that SBA: (1) carried out its first-year internal control efforts without a long-range plan or agenda on how it would comply with the act's requirements; (2) did not adequately document the segmentation and vulnerability assessment phases of its internal control review process; (3) does not have a procedures manual for performing vulnerability assessments and internal control reviews; (4) did not adequately evaluate internal controls relating to automated systems, even though SBA is highly dependent on such systems to carry out its mission; and (5) does not have an agencywide system which logs and tracks internal control recommendations and planned corrective actions. In carrying out the act and the OMB guidelines, SBA used the Computerized Internal Control Review (CICR) system which is currently being modified to take on more of the internal control evaluation workload. Because CICR does not currently meet all OMB requirements, GAO believes that SBA should coordinate modifications to the system with OMB and obtain OMB approval of its usage.