Recommendation Dashboard

Chief Information Officer update the change management charter to designate in writing the responsibilities for monitoring performance metrics, conducting lessons-learned activities, and documenting routine updates and minor changes.

Chief Information Officer update the system security plan to include the frequency for reviewing and updating the contingency plan.

Chief Information Officer develop and implement policies and procedures to obtain feedback on the agency's specialized security training, update the training program, and request that third-party providers update their training content, as appropriate, to keep current with security practices.

Chief Information Officer develop and implement policies and procedures for agency personnel to monitor performance metrics for information technology services provided by third parties.

Chief Information Officer develop and implement procedures to assess whether position risk designations are reviewed for all personnel.

Chief Information Officer develop and implement procedures to assess whether reinvestigations are performed timely for individuals who possess critical-sensitive/high-risk roles that require system access.

Chief Information Officer develop and implement policies and procedures to periodically assess its cybersecurity workforce's knowledge, skills, and abilities to confirm that security training and development activities align with agency needs.

To address these shortcomings, we recommend that USADF:
Develop and implement a plan within 90 days of USAID OIG publishing this advisory to schedule fraud awareness briefings with USAID OIG's Office of Investigations for all USADF staff.

To address these shortcomings, we recommend that USADF:
Update its training within 30 days of USAID OIG publishing this advisory to incorporate information on USAID OIG oversight authorities and procedures for disclosing allegations of fraud, waste, abuse, or mismanagement, and develop and implement a plan to provide the updated training to all USADF staff.

To address these shortcomings, we recommend that USADF:
Develop and implement a plan within 90 days of USAID OIG publishing this advisory to schedule fraud awareness briefings with USAID OIG's Office of Investigations for all USADF staff.

We recommend that USAID/Zambia verify that Centre for Infectious Disease Research in Zambia corrects the two instances of material noncompliance detailed on pages 67 to 69 of the audit report.

We recommend that USAID/Zambia verify that Centre for Infectious Disease Research in Zambia corrects the one material weaknesses in internal control detailed on pages 59 to 61 of the audit report.

USAID/Philippines verify that AgriterraPhils Inc. corrected the two instances of material noncompliance detailed on pages 33 to 35 of the audit report.

USAID/Philippines determine the allowability of $243,869 in questioned costs, ($12,276 of ineligible costs pertaining to USAID funds and $231,593 of unsupported costs [$164,567 pertaining to USAID funds and $67,026 pertaining to the awardee's cost sharing contributions]), as detailed on pages 21 to 30 and 36 of the audit report and recover any amount that is unallowable.

We recommend that IAF's chief information officer update the agency's system security plan to include controls in National Institute of Standards and Technology Special Publication 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations."

We recommend that IAF's chief information officer develop and implement a plan, including tools and other resources, to remediate critical and high vulnerabilities within the timeframes specified in the agency's "Information System Security Program Standard Operating Procedures" (February 2022).

Verify that Moona - A Space for Change, corrects the two instances of material noncompliance detailed on pages 23 and 24 of the audit report.

USAID West Bank and Gaza verify that Tech2Peace corrects the 3 instances of material noncompliance detailed on pages 25 to 27 of the audit report.

Develop and communicate guidance on post-award spot checks to include a more detailed definition of spot checks, illustrative procedures and opportunities for their use, and procedures for appropriately communicating their results, when warranted.

Develop and implement a process to track the status of organizational capacity reviews and ensure they are updated in accordance with Automated Directives System Chapter 308.

Develop and implement a formal follow-up mechanism to track the resolution of recommendations included in organizational capacity reviews.

We recommend that MCC's Chief Information Officer take the following action:
Recommendation 1. Implement level 3 event logging requirements in accordance with Office of Management and Budget Memorandum M-21-31.

USAID/ West Bank and Gaza verify that the auditee corrects the 3 instances of material noncompliance detailed on pages 22 to 24 of the audit report.

USAID/West Bank and Gaza verify that the auditee corrects the two material weaknesses in internal control detailed on pages 16 to 19 of the audit report.