Recommendation Dashboard

USAID's Chief Information Officer conduct updated risk assessments for the two systems we identified

USAID's Chief Information Officer perform security controls assessments for the two systems we identified.

USAID's Chief Information Officer determine whether the Agency included cybersecurity duties in position descriptions and performance plans. If not, take corrective action, including addressing the causes for not doing so.

USAID's Chief Information Officer determine whether the Agency developed and implemented policies and procedures for maintaining data and metadata inventories for its various data types, including data from third-party providers. If not, take corrective action, including addressing the causes for not doing so.

USAID's Chief Information Officer determine whether the Agency implemented network monitoring and enforcement mechanisms to identify and disconnect or isolate noncompliant devices. If not, take corrective action, including addressing the causes for not doing so.

We recommend that USAID or other U.S. government officials responsible for the administration and oversight of the Dubai warehouse take the following actions: Update the warehouse contract to clarify requirements for temperature and humidity control, maintaining mechanical equipment, and inspecting commodities in the warehouse.

We recommend that USAID or other U.S. government officials responsible for the administration and oversight of the Dubai warehouse take the following actions: Update the statement of work for third-party inspections to clarify quarterly inspection requirements of Dubai warehouse conditions, such as pest control and temperature.

USAID or other U.S. government officials responsible for the administration and oversight of the direct budget support funds work with contractor KPMG to develop a plan to submit the required oversight deliverables to ensure U.S. government funds are being used as intended

USAID or other U.S. government officials responsible for the administration and oversight of the direct budget support funds develop and implement a plan to review the internally displaced persons expenditure category from June 2022 through December 2023 in the scope of work for future contracted audits of the Government of Ukraine to confirm that preventative controls screen beneficiaries for duplicate payments

USAID or other U.S. government officials responsible for the administration and oversight of the direct budget support funds work with the the Government of Ukraine to develop a plan to identify the extent to which payments were made to internally displaced persons living abroad between June 2022 and July 2023 that were reimbursed by USAID's contributions to the Public Expenditures for Administrative Capacity Endurance fund, and use the reconciliation process outlined in the World Bank's 2024 Project Operation Manual for any amounts determined to be ineligible

Verify that MCA Lesotho II Authority corrects the one material weakness in internal control detailed on pages 42 and 46 of the audit report.

Verify that MCA Lesotho II Authority corrects the one instance of material noncompliance detailed on pages 42 and 47 of the audit report.

We recommend that USAID verify that Amref Health Africa corrects the one instance of material noncompliance detailed on pages 59 to 61 of the audit report.

Finalize and implement a policy outlining responsibilities and procedures for using administrative funds for purchases, including procedures for documenting justifications and approvals of requests.

Determine the allowability of approximately $26,900 in questioned costs. 

We recommend that USAID verify that Baylor College of Medicine Children's Foundation Uganda corrects the one instance of material noncompliance detailed on page 31 of the audit report.

Identify key balances, such as high-risk balances or high dollar value items and ensure that supporting schedules in Phoenix agree with stated balances. Where balances and supporting schedules don't agree, research and resolve differences.

For material transactions that sample support cannot be located, obtain alternative evidence such as confirmations from vendors, grantees, or banks

Develop and document retention controls that take into consideration USAID's current structure

Develop a document that identifies critical processes, assigns responsibilities, and references existing policies where applicable. The document should also document what interim procedures are in place, and any compensating controls, focusing on high-risk areas.

Apply scaled internal control principles from OMB Circular A-123 and GAO Green Book, documenting exceptions and compensating controls where segregation of duties is not feasible.

Create an Agency Closeout Checklist, or similar document, covering reconciliations, financial statement certification, record transfer, and communication of residual risks.

Communicate simplified procedures to remaining staff and confirm understanding through briefings or written guidance.

Establish and implement a financial reporting process to ensure timely preparation of quarterly and annual financial statements in compliance with OMB Circular A136 that is appropriate for its current size, staffing levels, and mission

Address personnel gaps in its financial reporting function especially as it related to preparation of an Annual Financial Report (AFR) or a Performance and Accountability Report as required by OMB implementation guidance.

Implement monitoring mechanisms to ensure adherence to federal financial management requirements and timely corrective action for deficiencies.

Implement alternative solutions to provide internal control support, including FMFIA/OMB Circular A-123 testing, documentation updates, and corrective action tracking, to compensate for limited staff capacity and ensure continuity during the wind-down period.

Develop and implement a streamlined internal control plan focused on the drawdown of operations, prioritizing high-risk areas such as disbursements, grants, and closeout procedures to maintain compliance and financial integrity

Strengthen communication and accountability by issuing clear written guidance on roles and responsibilities for remaining personnel and establishing a simple escalation process for unresolved control issues.

Establish and implement procedures to consistently document and retain the design, implementation, and operating effectiveness of general information technology controls supporting Phoenix.

Develop a plan for completing the fiscal year 2026 internal controls assessment, Enterprise Risk Management process, and resulting assurance statements, including the timing and who is responsible for completing the assessment.

Perform the fiscal year 2026 internal controls assessment and prepare the resulting assurance statements in accordance with Federal requirements and within the required due date.

Establish and implement a financial reporting process to ensure timely preparation of an OMB Circular A-136-compliant AFR that is appropriate for its current size, staffing levels, and mission.

Address personnel gaps in its financial reporting function

Develop performance goals that align with its current mission and measure performance against those goals.

Develop procedures to analyze systems, controls, and legal compliance to the extent necessary to prepare management's assurances related to FMFIA.

MCC's Chief Information Officer develop a schedule for completing the overdue security assessment of the internal system and conduct the assessment accordingly.

MCC's Chief Information Officer develop and implement procedures requiring contracts for external systems to include assessments of security controls at a frequency MCC defines

We recommend that USADF's Chief Information Officer remediate the 122 high-risk and 23 critical vulnerabilities identified by USADF's December 2, 2024, scans.

We recommend that USADF's Chief Information Officer evaluate its vulnerability remediation process to determine why high and critical vulnerabilities were not addressed within required time frames and implement corrective actions as appropriate.

We recommend that USADF's Chief Information Officer finalize the enterprise risk management plan to define roles, responsibilities, and authority for cybersecurity risk management.

We recommend that USADF's Chief Information Officer determine why the enterprise risk management plan was not finalized and implement corrective action as appropriate.

We recommend that USADF's Chief Information Officer determine whether USADF updated its cybersecurity training strategy and plans to incorporate the results of the workforce assessments and, if not, update and implement the strategy and plan.