Recommendation Dashboard

USAID/Mozambique determine the allowability of the $25,446 in questioned costs ($19,432 ineligible and $6,014 unsupported) identified on pages 11 and 12 of Ernst & Young's audit report and recover from Centro de Aprendizagem e Capacitacao da Sociedade Civil the amounts determined to be unallowable.

USAID/Mozambique verify that Centro de Aprendizagem e Capacitacao da Sociedade Civil corrects the two instances of material noncompliance detailed on pages 22 to 25 of Ernst & Young's audit report.

USAID's Office of Acquisition and Assistance, Cost, Audit and Support determine the allowability of $14,495 in unsupported direct questioned costs, $1,839 in
unsupported indirect questioned costs and collect any disallowed amounts from the Centre for International Studies and Cooperation (see pages I-5 through I-10 of the report).

USAID's Office of Acquisition and Assistance, Cost, Audit and Support ensure that the Centre for International Studies and Cooperation has implemented the
auditor's recommendations for the two significant deficiencies in the report on internal control and the two material instances of noncompliance in the report on compliance (see pages IV-2 through IV-4 and III-1 and III-2 of the report).

USAID's Office of Acquisition and Assistance, Cost, Audit and Support determine the allowability of $405,490 in ineligible direct questioned costs and $12,284,913 in unsupported direct questioned costs and collect any disallowed amounts from Futures Group (see pages 14 through 25 of the report).

USAID's Office of Acquisition and Assistance, Cost, Audit and Support ensure that Futures Group has implemented the auditor's recommendations for Findings #1 through #4 (see pages 14 through 25 of the report).

USAID's Office of Acquisition and Assistance, Cost, Audit and Support determine the allowability of $131,612 in unsupported direct questioned costs and collect any disallowed amounts from Planning and Learning Technologies, Inc. (see pages 1, 11, and 12 of the report).

We recommend that USAID's Office of Acquisition and Assistance, Cost, Audit and Support ensure that Planning and Learning Technologies, Inc. has implemented the auditor's recommendations for Finding #1 (see pages 11 and 12 of the report).

We recommend that USAID's Office of Acquisition and Assistance, Cost. Audit and Support determine the allowability of $2,400 in ineligible direct questioned costs, and $2,597 in unsupported direct questioned costs and collect as appropriate any disallowed amounts from The Mentor Initiative (see page 15 and 23 through 26 of the report).

USAID's Office of Acquisition and Assistance, Cost, Audit and Support ensure that The Mentor Initiative has implemented the auditor's recommendation for the significant deficiency in the report on internal control and the material instance of noncompliance in the report on compliance (see pages 23 through 26 of the report).

We recommend that USAID's Office of Acquisition and Assistance, Cost, Audit and Support, determine the allowabiltiy of $78,896 in unsupported direct questioned costs and collect as appropriate any disallowed amounts from Catholic Relief Services - United States Conference of Catholic Bishops and Affiliates (see page 22 of the report).

We recommend that USAID's Office of Acquisition and Assistance, Cost, Audit and Support, ensure that Catholic Relief Services - United States Conference of Catholic Bishops and Affiliates has implemented the auditor's recommendation for Findings 2016-001 through 2016-004 (see pages 20 through 22 of the report).

USAID/Philippines determine the allowability of and recover, as appropriate, ineligible questioned costs of $8,610 identified in the Fund Accountability Statement on page 10 and further detailed in Exhibit I on pages 22-23 of the report.

USAID/Philippines ensure that Campaigns & Grey Philippines corrects the one material instance of noncompliance identified in the report on compliance on page 20 and further detailed in Exhibit I (Details of Findings) on pages 22-23 of the report and the two issues which we considered as significant deficiencies in internal control as discussed on page 2 of this memorandum and further detailed in Exhibit II (Management Letter and Response) on page 24 of the report.

We recommend that the chief information officer document and implement a process to track and remediate persistent vulnerabilities, or document acceptance of the associated risks.

We recommend that the chief information officer document and implement a process to verify that vulnerability assessment tools are configured to detect vulnerabilities previously undiscovered by internal scans.

We recommend that the chief information officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. The risk and approval, including adequate compensating controls, should be documented if an exception must be made until the unsupported software is migrated to vendor-supported platforms.

We recommend that the chief information officer document and implement a process to verify that Microsoft Windows systems comply with the U.S. Government Configuration Baseline, and to grant and disseminate approved deviations from the baseline configuration settings.

We recommend that the chief information officer document and implement a plan to confirm all internal and external systems are currently authorized to operate.

We recommend that the chief information officer document and implement a plan to annually assess risks for all internal and external systems in accordance with agency policy.

We recommend that the chief information officer establish a process to monitor the operation of the automated script that disables accounts after 90 days of inactivity.

We recommend that the chief information officer (a) identify system owners; (b) require them to verify their procedures for revoking system access accounts for separated and transferred employees and contractors are enforced; and (c) document their responses.

We recommend that the chief information officer document and implement a procedure to check for unauthorized software at established intervals.

We recommend that the chief human capital officer document and implement a process to verify that all employees' exit clearance forms are completed and maintained in accordance with policy.

We recommend that the chief information officer document and implement a
procedure to review and analyze remote access connections.

Determine the allowability of $75,728 in questioned costs, document the determination and recover any amount that is unallowable.

Request MCA-Indonesia submit a corrective action plan to correct the material instances of noncompliance described on pages 21 to 23 of the report

USADF's chief information security officer strengthen the organization-wide information security program in accordance with National Institute of Standards and Technology standards by establishing and implementing documented processes to:
-Establish, communicate, and implement an organization-wide risk management strategy for operation and use of the Foundation's information systems in accordance with National Institute of Standards and Technology standards.
-Review and update the system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations." At a minimum, this should include a determination whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.
-Perform information system security assessments on an annual basis in accordance with USADF's policy.
-Review and update the system risk

USADF's chief information security officer develop and implement a documented process to track and remediate vulnerabilities in accordance with USADF's policy. This includes confirming patches are applied in a timely manner and tested prior to implementation in accordance with USADF policy.

USADF's chief information security officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. That process must document the risks, required approvals, and adequate mitigating controls that will be used for unsupported software until it can be migrated to vendor-supported platforms.

USADF's chief information security officer develop and implement a written process to enforce the immediate disabling of employee user accounts upon separation from the organization and perform account recertification in accordance with USADF policy, including adhering to the required frequency for recertifying accounts and providing responses.