Audit of USAID User Profiles for Applications Hosted by the National Finance Center

Recommendations

Recommendation 1

USAID's Chief Human Capital Officer revise NFC User Access Request Process to fully include written procedures for requesting and granting access to National Finance Center payroll applications. At a minimum, the procedures should describe a formal access authorization form, limiting access based on the principle of least privilege, training users, and maintaining access authorization records.

Questioned Cost:
$0
Close Date:
Recommendation 2

USAID's Chief Human Capital Officer revalidate the access and access rights for each individual with access to National Finance Center's payroll applications to verify that their access has been authorized properly and their access rights are based on the principle of least privilege.

Questioned Cost:
$0
Close Date:
Recommendation 3

USAID's Chief Human Capital Officer implement a written records management system to maintain and readily locate evidence of approved access to National Finance Center's payroll applications.

Questioned Cost:
$0
Close Date:
Recommendation 4

USAID's Chief Human Capital Officer designate an information system security officer for National Finance Center payroll applications in accordance with Automated Directives System 545.3.3.1.

Questioned Cost:
$0
Close Date:
Recommendation 5

USAID's Chief Human Capital Officer develop and formalize written procedures for proactively reviewing National Finance Center payroll applications' user account activity, which include modifying, disabling, and terminating actions. At a minimum, the procedures should specify a time frame for considering user accounts to be inactive, steps for following up on inactive accounts, and documenting a determination as to whether an account should be disabled.

Questioned Cost:
$0
Close Date:
Recommendation 6

USAID's Chief Human Capital Officer issue guidance to supervisors of the Agency's users of National Finance Center payroll applications on the need to notify within an Agency-established time frame the Agency's applications' system administrator when a user's access privileges to the applications need to be changed or deleted.

Questioned Cost:
$0
Close Date: