Recommendation Dashboard

We recommend that USAID's Office of Acquisition and Assistance Cost, Audit and Support Division/Contract Audit Management Branch verify that Nathan Associates, Inc., corrects the one reported material
weakness in internal control detailed on pages 8 and 9 of the audit report.

We recommend that USAID/Uganda verify that Joint Clinical Research Center corrects the one instance of material noncompliance detailed on page 27 of the audit report.

We recommend that USAID/Uganda verify that Makerere University Joint AIDS Program corrects the one instance of material noncompliance detailed on page 28 of the audit report.

We recommend that USAID's Chief Information Officer develop and implement a written procedure to document the Chief Information Officer's review and approval of all cloud service acquisition plans.

We recommend that USAID's IT Operations Division Chief complete plan of action and milestones, as required. This may include documenting the "planned remediation actions" in the reports.

We recommend that USAID's IT Operations Division Chief update the systems' continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

We recommend that USAID's Deputy Chief Human Capital Officer complete plan of action and milestone, as required. This may include documenting the "planned remediation actions" in the reports.

We recommend that USAID's Deputy Chief Human Capital Officer update the system's continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

We recommend that USAID's Chief Information Officer work with the Deputy Chief Human Capital Officer and IT Operations Division Chief to update the system security plan, as required. This may include updating the system security plan with the results of a security assessment or create a plan of actions and milestones.

We recommend that USAID's Chief Information Officer revise Agency procedures to address how system owners should document their monitoring of cloud service providers' remediation activities.

We recommend that USAID's Chief Information Officer develop additional procedures to hold system accountable for noncompliance with plan of action and milestones requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

We recommend that USAID's Chief Information Officer develop additional procedures to hold system owners accountable for noncompliance with continuous monitoring reporting requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

We recommend that USAID's Chief Information Officer revise the standard reporting template for continuous monitoring to clarify whether it applies to cloud systems.

We recommend that USAID's Chief Information Officer develop and implement a written process for defining and reviewing service level agreements to determine whether they meet Agency needs.

We recommend that USAID's Chief Information Officer develop and implement a written policy for monitoring and documenting cloud services providers' compliance with service level agreements.

We recommend that USAID's Chief Information Officer develop and implement written guidance for performing and documenting cost-benefit and alternative analyses for cloud acquisitions before procuring cloud services.

USAID/Nepal determine the allowability of $45,026 in questioned costs ($39,909 ineligible, $5,117 unsupported) on pages 13 to 14 and pages 33 to 41 of the audit report and recover any amount that is unallowable.

USAID/Nepal verify that the Government of Nepal's Department of Health and Services and Other Implementing Government Agencies corrects the 1 material weakness in internal control detailed on pages 25 to 26 of the audit report.

USAID/Nepal verify that the Government of Nepal's Department of Health and Services and Other Implementing Government Agencies corrects the 11 instances of material noncompliance detailed on pages 33 to 45 of the audit report.

Chief Information Officer update the change management charter to designate in writing the responsibilities for monitoring performance metrics, conducting lessons-learned activities, and documenting routine updates and minor changes.

Chief Information Officer update the system security plan to include the frequency for reviewing and updating the contingency plan.

Chief Information Officer develop and implement policies and procedures to obtain feedback on the agency's specialized security training, update the training program, and request that third-party providers update their training content, as appropriate, to keep current with security practices.

Chief Information Officer develop and implement policies and procedures for agency personnel to monitor performance metrics for information technology services provided by third parties.

Chief Information Officer develop and implement procedures to assess whether position risk designations are reviewed for all personnel.

Chief Information Officer develop and implement procedures to assess whether reinvestigations are performed timely for individuals who possess critical-sensitive/high-risk roles that require system access.

Chief Information Officer develop and implement policies and procedures to periodically assess its cybersecurity workforce's knowledge, skills, and abilities to confirm that security training and development activities align with agency needs.

To address these shortcomings, we recommend that USADF:
Develop and implement a plan within 90 days of USAID OIG publishing this advisory to schedule fraud awareness briefings with USAID OIG's Office of Investigations for all USADF staff.

To address these shortcomings, we recommend that USADF:
Update its training within 30 days of USAID OIG publishing this advisory to incorporate information on USAID OIG oversight authorities and procedures for disclosing allegations of fraud, waste, abuse, or mismanagement, and develop and implement a plan to provide the updated training to all USADF staff.

To address these shortcomings, we recommend that USADF:
Develop and implement a plan within 90 days of USAID OIG publishing this advisory to schedule fraud awareness briefings with USAID OIG's Office of Investigations for all USADF staff.

We recommend that USAID/Zambia verify that Centre for Infectious Disease Research in Zambia corrects the two instances of material noncompliance detailed on pages 67 to 69 of the audit report.

We recommend that USAID/Zambia verify that Centre for Infectious Disease Research in Zambia corrects the one material weaknesses in internal control detailed on pages 59 to 61 of the audit report.

USAID/Philippines verify that AgriterraPhils Inc. corrected the two instances of material noncompliance detailed on pages 33 to 35 of the audit report.

USAID/Philippines determine the allowability of $243,869 in questioned costs, ($12,276 of ineligible costs pertaining to USAID funds and $231,593 of unsupported costs [$164,567 pertaining to USAID funds and $67,026 pertaining to the awardee's cost sharing contributions]), as detailed on pages 21 to 30 and 36 of the audit report and recover any amount that is unallowable.

We recommend that IAF's chief information officer update the agency's system security plan to include controls in National Institute of Standards and Technology Special Publication 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations."

We recommend that IAF's chief information officer develop and implement a plan, including tools and other resources, to remediate critical and high vulnerabilities within the timeframes specified in the agency's "Information System Security Program Standard Operating Procedures" (February 2022).