Recommendation Dashboard

USAID/M/OAA/CAS/CAM determine the allowability of $28,739 in questioned costs ($16,270 ineligible and $12,469 unsupported) identified on page 9 of Akus Consult's audit report and recover from EQUIP Liberia the amounts determined to be unallowable.

USAID/M/OAA/CAS/CAM ensure that EQUIP Liberia corrects the four instances of material noncompliance detailed on pages 13 to 14 and 16 to 18 of Akus Consult's audit report.

We recommend that MCC's Department of Administration and Finance and the chief financial officer update its Expense Accruals Financial Management Procedure Manual to a) Require justification and analysis to be documented, supported, and approved by MCC's management when deviating from its accrual policy and procedures. This should include MCC verification of information provided by the Millennium Challenge Account to support the accrual. b) Include the guidance provided to the Millennium Challenge Accounts on how and what each Millennium Challenge Account will provide as support in addressing the reasonableness of their accrual.

We recommend that MCC's Department of Administration and Finance and the chief financial officer conduct a comprehensive review and formalize the Grant Accrual Validation Whitepaper as an official policy and procedures document that includes: a) Establishing a documented supervisory review of the grant accrual validation to ensure that the validation is performed correctly and is in accordance with MCC's validation methodology. b) Establishing procedures that clearly state how the accrual validation will be carried out when a Millennium Challenge Account is closed out and no longer exists.

We recommend that MCC's Department of Administration and Finance and the chief financial officer establish internal control procedures to properly review the accounting and reporting of funds returned by the Millennium Challenge Accounts and foreign governments, and other transactions that are not routinely prepared in its financial operations to ensure that these transactions are recorded correctly and in accordance with United States Standard General Ledger.

We recommend that MCC's Department of Administration and Finance and the chief financial officer establish an internal control process to ensure that financial statements are prepared in accordance with the most current version of Office of Management and Budget A-136.

We recommend that MCC's Department of Administration and Finance and the chief financial officer conduct a quarterly reconciliation between the status of budgetary resources and the Office of Management and Budget SF-132, Apportionment and Reapportionment Schedule.

We recommend that MCC's Department of Administration and Finance and the chief financial officer implement a management control to properly review and approve unapportioned funds by programs/projects at the fund level before entries are made.

We recommend that MCC's Department of Administration and Finance and the chief financial officer implement a management control to review the impact of funds unapportioned at the fund level before apportionment and recoveries adjustments are recorded.

We recommend that MCC's Department of Administration and Finance and the chief financial officer continue requiring all compact obligating documents be accompanied by an entry-into-force memo prior to recognizing obligation.

The Office of the Chief Financial Officer resolve all unexplained differences between USAID's Fund Balance With Treasury account and the Department of the Treasury by December 31, 2016, and institutionalize the monthly reconciliation of the Fund Balance With Treasury account.

The Office of the Chief Financial Officer implement a quality assurance program to validate the quarterly information that missions submit.

The Office of the Chief Financial Officer implement a plan to immediately investigate all potential funds control violations reported as of September 30, 2016, and resolve them by June 30, 2017.

The Office of the Chief Financial Officer enhance its policies and procedures to evaluate potential funds control violations so that they are investigated and resolved promptly.

The Overseas Private Investment Corporation's chief information officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

(SBU) The Overseas Private Investment Corporation's chief information officer document a separation-of-duties matrix for Oracle E-Business Suite user roles and responsibilities.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to recertify Oracle EBusiness Suite accounts annually, including evaluating the separation of duties.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to disable inactive Oracle E=Business Suite accounts.

(SBU) The Overseas Private Investment Corporation's chief information officer implement Homeland Security Presidential Directive 12 personal identity verification for authentication of network user accounts as required by Office of Management and Budget M-16-04, "Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government," (October 30, 2015)
and document the results.

(SBU) The Overseas Private Investment Corporation's chief information officer either disable Citrix local drive mapping where non-Corporation equipment is used, and document the results, or document acceptance of the risk of allowing Citrix local drive mapping where non-Corporation equipment is used.

The Overseas Private Investment Corporation's chief information officer document and implement asset management procedures, including inventorying information system assets on an organization-defined frequency.

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement a separation-of-duties matrix for OPIC Insight user roles and responsibilities.

The Overseas Private Investment Corporation's chief information security officer, in coordination with the security officer, document and implement physical and environmental security policies and procedures including reviews of physical access as defined by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

The Overseas Private Investment Corporation's chief information officer document and implement an enterprise architecture methodology in line with the Federal enterprise architecture and risk
management framework.

The Overseas Private Investment Corporation's chief information officer update the Corporation's incident response plan to include the time frames for reporting incidents as specified in the "United States Computer Emergency Readiness Team Federal Incident Notification Guidelines."

The Overseas Private Investment Corporation's chief information officer complete the implementation of the Training Management System and verify in writing that records are retained for the Corporation-specified period.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a documented process to validate whether the annual testing of the Corporation's information system contingency plan is completed.

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement processes to achieve acceptable compliance with configuration baseline settings for Windows 2003, Windows 2008, and CentOS servers.

The Overseas Private Investment Corporation's chief information officer implement the process to validate whether plans of action and milestones are completed and updated on time and document the results.

(SBU) The Overseas Private Investment Corporation's chief information security officer review the accreditation boundaries of the OPIC External Services system, align external services with related mission functions, and document the results.

(SBU) The Overseas Private Investment Corporation's chief information security officer implement a written process to assess external services before their authorizations to operate expire.

The United States African Development Foundation's president appoint in writing a senior-level chief information security officer in accordance with the Federal Information Security Modernization Act and the National Institute of Standards and Technology.

The United States African Development Foundation's chief information security officer document and implement a process to review and update system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for
Federal Information Systems and Organizations." At a minimum, this process should include determining whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.

The United States African Development Foundation's chief information security officer document and implement a process to perform security assessments in accordance with National Institute of Standards and Technology standards. This process should include documenting assessment
procedures to be used to determine security control effectiveness and testing the operating effectiveness of security controls.

The United States African Development Foundation's chief information security officer document and implement a process for assessing risk in internal and cloud service provider's systems-taking into account all known vulnerabilities and threat sources, security controls planned or in place, and
residual risk-to make the authorizing official for each system aware of its security state.

The United States African Development Foundation's chief information security officer document and implement a process to update all known security weaknesses and associated corrective plans quarterly as required by the foundation's policy and include them in the plan of action and
milestones.

The United States African Development Foundation's chief information security officer document and implement a process to develop, communicate, and implement an organization-wide risk management strategy associated with the operation and use of the foundation's information systems in accordance with National Institute of Standards and Technology standards.

The United States African Development Foundation's chief information security officer document and implement a process to review and maintain an up-to-date information system inventory.

The United States African Development Foundation's chief information security officer document and implement a process to develop, document, and implement an enterprise architecture in accordance with National Institute of Standards and Technology standards.

The United States African Development Foundation's chief information security officer document and implement a process to perform quarterly scans of all Internet protocol ranges in the network.

The United States African Development Foundation's chief information security officer document and implement a process to track and remediate vulnerabilities timely in accordance with the foundation's policy. This process should include ascertaining that patches are tested before being put into production and applied promptly in accordance with policy.

The United States African Development Foundation's chief information security officer document and implement a process to migrate unsupported applications to platforms supported by vendors. For unsupported applications that cannot be migrated immediately, this process must include
documenting the risk of leaving them on their current platforms, acceptance of that risk, and compensating controls that will be used until migration is possible.

The United States African Development Foundation's chief information security officer document and implement a process to scan each workstation for compliance with the United States Government
Configuration Baseline settings, including remediating any noncompliant settings.

The United States African Development Foundation's chief information security officer document and implement a process to remove users' administrator access to foundation workstations and prevent
granting that access in the future. This process must include documenting the risk of such access and documenting the approval of any exceptions, along with adequate compensating controls.

The United States African Development Foundation's chief information security officer document and implement a process to document, approve, and disseminate approved deviations from the United States Government Configuration Baseline settings.

The United States African Development Foundation's chief information security officer document and implement a process to configure and regularly monitor password settings in accordance with the foundation's policy and encrypt passwords during authentication.

The United States African Development Foundation's chief information security officer document and implement a process to specify an organization-defined frequency for reviewing and updating the inventory of information system components.

The United States African Development Foundation's chief information security officer document and implement a process to maintain the inventory according to policy.

The United States African Development Foundation's chief information security officer document and implement a process to remove and decommission unused systems promptly.

The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce multifactor authentication for network access to privileged accounts.

The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce the use of personal identity verification credentials for access to the foundation's facilities, computers, and network.

The United States African Development Foundation's chief information security officer document and implement a process to change default usernames and passwords before system installation.

The United States African Development Foundation's chief information security officer document and implement a process to review and analyze all required audit logs in accordance with National Institute of Standards and Technology standards and the foundation's policy.

The United States African Development Foundation's chief information security officer document and implement a process to reevaluate the security categorization of the general support, travel, and
human resources systems in accordance with the Office of Management and Budget and National Institute of Standards and Technology guidance given that the systems contain personally identifiable information.

The United States African Development Foundation's chief information security officer document and implement a process to maintain a current interconnection security agreement and memorandum of understanding between the foundation and the U.S. Department of Interior's Interior Business Center.

The United States African Development Foundation's chief information security officer document and implement a process to provide annual security awareness training to overseas partners.

The United States African Development Foundation's chief information security officer document and implement a process to provide annual role-based training to all personnel with significant information security responsibilities.

The Inter-American Foundation's chief information officer remediate vulnerabilities in the network identified by the Office of Inspector General's contractor and document the results or document acceptance of the risks of those vulnerabilities.

The Inter-American Foundation's chief information officer develop and implement a continuous monitoring plan and program.

The Inter-American Foundation's chief information officer develop and implement monitoring controls of baseline configurations for the Enterprise Network and document the results.

The Inter-American Foundation's chief information officer complete a system risk assessment for the Enterprise Network that takes into account all known vulnerabilities, threat sources, and security controls planned or in place, determine the residual risk, and inform the authorizing official of the security state of the information system.

The Inter-American Foundation's chief information officer obtain a current authorization to operate the Enterprise Network that results from a completed security controls assessment and updated system security plan, risk assessment, and plan of action and milestones.

The Inter-American Foundation's chief information officer document and implement a process to review and analyze auditable events.

The Inter-American Foundation's chief information officer implement multifactor authentication for all network accounts and document the results.

The Inter-American Foundation's chief information officer update the continuity of operations plan to include a business impact analysis.

The Inter-American Foundation's chief information officer document and implement a process to validate annual testing of the continuity of operations plan.

The Inter-American Foundation's chief information officer develop and implement a written process to validate whether the plan of action and milestones is completed and updated promptly and includes all applicable control weaknesses.

The Inter-American Foundation's chief information officer update and implement the Information System Security Program Standard Operating Procedures to include the privacy controls identified in National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

The Inter-American Foundation's chief information officer update the organization's Enterprise Network and Software Applications System Security Plan to reflect the current operating environment.

The Inter-American Foundation chief information officer obtain a written, fully executed Interconnection Security Agreement with the Department of Interior Business Center.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement a process to update baseline configurations for workstations periodically or document acceptance of the risk.

We recommend that Millennium Challenge Corporation's Chief Information Officer implement written procedures to complete, approve, and maintain users' access request forms for the Contract Management System Audit Tracking and Reporting System in accordance with "MCC Access Control Procedures."

We recommend that Millennium Challenge Corporation's Chief Information Officer either implement environmental controls for the secondary data center and document results or document acceptance of the risk.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement a written physical and environmental protection policy that includes all security controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," and reflects the current operating environment.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement written procedures to manage access to the secondary data center. At a minimum, the procedures should include periodically reviewing logs of personnel entering the data center, and implementing a visitor access log for the data center.

We recommend that the Millennium Challenge Corporation's Chief Information Officer activate the alarm in the secondary data center and document the results.

We recommend that Millennium Challenge Corporation's Chief Information Officer update the "Configuration Management Policies and Procedures" to include testing and approval requirements by the type of system changes.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement policy and procedures that include all personnel security controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

We recommend that the Millennium Challenge Corporation obtain a written, fully executed Interconnection Security Agreement with the Department of Interior's Interior Business Center.

USAID/El Salvador work with Nathan Associates Inc. to implement a plan for helping producers overcome obstacles noted by regional buyers.

USAID/El Salvador, in coordination with Nathan Associates Inc., implement a plan for expediting delivery of equipment that grantees need to achieve their export goals.

USAID/El Salvador document a plan to measure the impact of value-chain interventions on nutrition and income for small farmers supported by the project.

USAID/El Salvador review and document the choice of value chains to determine whether they met the nutrition and income criteria established in the contract and make adjustments as appropriate.

USAID/El Salvador document a meaningful indicator to measure the project's impact on supported producers.

USAID/El Salvador document the rationale for expected targets for the Regional Trade and Market Alliances project and make adjustments as appropriate for the remainder of the activity.

USAID/El Salvador develop written instructions to staff requiring them to comply with USAID policy by documenting targets.

USAID/El Salvador instruct Nathan Associates Inc. to verify the number of small producer units participating in regional and export value chains supported by the project.

USAID/El Salvador develop a joint training program for technical officers and the monitoring and evaluation specialist to review their shared responsibilities for performance monitoring and data quality, as described in Mission Order 203.

USAID/El Salvador formally request that the Bureau for Latin America and the Caribbean review and issue a written decision on the curtailment of project activities in the Dominican Republic.

USAID/El Salvador perform a financial review of Nathan Associates Inc. to determine whether its systems meet acquisition requirements.

USAID/El Salvador determine the allowability of $172,570 in ineligible questioned costs for consulting contracts that did not follow acquisition regulations, and recover from Nathan Associates Inc. any amount deemed unallowable.

USAID/El Salvador issue written instructions to the contractor officer's representative on the proper procedures for contract approvals.

The Deputy Administrator develop and implement a plan to ensure the chief information officer position reports directly to the Administrator or Deputy Administrator as required by the Federal Information Technology Acquisition Reform Act of 2014 and the Clinger-Cohen Act of 1996.

The Deputy Administrator develop a written plan to ensure the chief information officer has a significant role in the management, governance, and oversight of information technology as required by the Federal Information Technology Acquisition Reform Act of 2014.

The chief information officer implement a plan to segregate the deputy chief information officer and chief information security officer positions and appoint in writing a senior-level chief information security officer in accordance with the Federal Information Security Modernization Act.

The chief information officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

The chief information officer document and
implement a process to track and remediate persistent vulnerabilities promptly, or document acceptance of the risk of those vulnerabilities.

The chief information officer document and implement a process to ensure vulnerability assessment tools are configured to detect vulnerabilities previously not detected by internal scans.

The chief information officer document and implement a process to centrally manage printers and apply hardened security configurations prior to placing printers into the production environment.

The chief information officer document and implement a plan to make sure all internal and external systems have a current authority to operate.

The chief information officer, in coordination with the chief financial officer, document and implement a procedure to minimize exposure of personally identifiable information in webTA.

The chief information officer, in coordination with the chief financial officer, document and implement a procedure to complete, approve, and maintain access request forms for webTA users in accordance with policies, or document acceptance of the risk of not having such controls.

The chief information officer, in coordination with the chief financial officer, document and implement a procedure to review webTA accounts periodically for appropriateness in accordance with policies or document acceptance of the risk of not having such controls.

The chief information officer develop and implement a written process to validate that the AIDnet plan of action and milestones is completed and updated promptly.

The director of the Office of Management Policy, Budget, and Performance, in coordination with the chief information officer and the chief human capital officer, document and implement a procedure to promptly remove system accounts associated with people no longer at the Agency.

The chief information officer, in coordination with the chief human capital officer, document and implement a process to verify that all employees' exit clearance forms are completed and maintained in accordance with policy.

The chief information officer document and implement a procedure to complete, approve, and maintain access request forms for individuals requiring access to the information technology rooms in the Ronald Reagan Building and Two Potomac Yard locations.

The chief information officer document and implement a procedure to review individual access periodically and ensure only authorized personnel have access to information technology rooms in the Ronald Reagan Building and Two Potomac Yard locations.

The chief information officer document and implement a validation process to confirm that all memorandums of understanding and interconnection security agreements are current and approved.

The chief financial officer document and implement a procedure to review third-party assessment reports to ensure complementary user entity controls have been implemented for the Enterprise Loan Management System.

The chief financial officer document and implement a procedure to review active Enterprise Loan Management System accounts that have not been used for a specified period and disable them as necessary in accordance with agency policy.

The chief financial officer document and implement a procedure to periodically review the Department of State vulnerability scan results and remediation actions supporting the Phoenix application.

USAID/Afghanistan determine the allowability of $684,367 in questioned costs ($129,715 ineligible and $554,652 unsupported) identified on page 18 of Davis and Associates' audit report and recover from Advanced Engineering Associates International, Inc. any amounts determined to be unallowable.

USAID/Afghanistan verify that Advanced Engineering Associates International, Inc. corrects the one significant deficiency in internal control (payment of local staff salaries and purchase of fuel in cash) identified on pages 27 of Davis and Associates' audit report and further detailed on pages 48-49.

USAID/Afghanistan verify that Advanced Engineering Associates International, Inc. corrects the four instances of material noncompliance (purchase of business class airfare, lack of competition and vetting, making severance payment to TCN personnel, and not withholding taxes from payments made to certain companies) identified on pages 28-29 of Davis and Associates' audit report and further detailed on pages 33-47.