Recommendation Dashboard

We recommend that USAID/Kenya and East Africa determine the allowability of $85,508 in unsupported cost-sharing contributions on pages 53, and 48 to 49 of the audit report and take any corrective action deemed necessary under ADS 303.3.10.3.

We recommend that USAID/Kenya and East Africa verify that World Vision Kenya corrects the four instances of material noncompliance detailed on pages 44 to 52 of the audit report.

We recommend that USAID/Kenya and East Africa determine the allowability of $109,177 in ineligible questioned costs on pages 26 and 30 of the audit report and recover any amount that is unallowable.

We recommend that USAID/Zimbabwe verify that the implementer corrects the one instance of material noncompliance detailed on pages 23 and 24 of the audit report.

We recommend that USAID's Office of Acquisition and Assistance Cost, Audit and Support Division/Contract Audit Management Branch verify that Nathan Associates, Inc., corrects the one reported material
weakness in internal control detailed on pages 8 and 9 of the audit report.

We recommend that USAID's Chief Information Officer update the
event logging checklist to include details of event logging level 3 (advanced) applicability and implement requirements as specified by Office of Management and Budget Memorandum M-21-31.

We recommend that USAID's Chief Information Officer implement accurate automated dashboards to provide enterprise-wide metrics to inform top management of its information technology risks.

We recommend that USAID's Chief Information Officer establish and implement a process to track the progress of conducting annual reviews and related lessons learned from the implementation of its Information Security Continuous Monitoring Strategy.

We recommend that USAID's Chief Information Officer develop and
implement procedures to document deviations from Agency policy on security control assessments, including acceptance of the risk of such deviations.

We recommend that USAID's Chief Information Officer establish a
formal training program in counterfeit component detection to educate responsible personnel. The training should cover identifying counterfeit hardware, software, and firmware components and should be updated regularly.

We recommend that USAID's Chief Human Capital Officer request its
cognizant Management Council on Risk and Internal Control to report and track as a significant deficiency to the Agency the risk of not maintaining records evidencing that staff have been offboarded in accordance with Agency policy, as identified in Office of Inspector General Report
No. A-000-21-004-C, Recommendation 3.

We recommend that USAID's Chief Information Officer request its
cognizant Management Council on Risk and Internal Control to report and track as a significant deficiency to the Agency the risk of not timely disabling network accounts for separated employees and contractors, as identified in Office of Inspector General Report No. A-000-21-004-C, Recommendation 2.

We recommend that USAID/Uganda verify that Joint Clinical Research Center corrects the one instance of material noncompliance detailed on page 27 of the audit report.

We recommend that USAID/Uganda verify that Makerere University Joint AIDS Program corrects the one instance of material noncompliance detailed on page 28 of the audit report.

We recommend that USAID's Chief Information Officer develop and implement a written procedure to document the Chief Information Officer's review and approval of all cloud service acquisition plans.

We recommend that USAID's IT Operations Division Chief complete plan of action and milestones, as required. This may include documenting the "planned remediation actions" in the reports.

We recommend that USAID's IT Operations Division Chief update the systems' continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

We recommend that USAID's Deputy Chief Human Capital Officer complete plan of action and milestone, as required. This may include documenting the "planned remediation actions" in the reports.

We recommend that USAID's Deputy Chief Human Capital Officer update the system's continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

We recommend that USAID's Chief Information Officer work with the Deputy Chief Human Capital Officer and IT Operations Division Chief to update the system security plan, as required. This may include updating the system security plan with the results of a security assessment or create a plan of actions and milestones.

We recommend that USAID's Chief Information Officer revise Agency procedures to address how system owners should document their monitoring of cloud service providers' remediation activities.

We recommend that USAID's Chief Information Officer develop additional procedures to hold system accountable for noncompliance with plan of action and milestones requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

We recommend that USAID's Chief Information Officer develop additional procedures to hold system owners accountable for noncompliance with continuous monitoring reporting requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

We recommend that USAID's Chief Information Officer revise the standard reporting template for continuous monitoring to clarify whether it applies to cloud systems.

We recommend that USAID's Chief Information Officer develop and implement a written process for defining and reviewing service level agreements to determine whether they meet Agency needs.

We recommend that USAID's Chief Information Officer develop and implement a written policy for monitoring and documenting cloud services providers' compliance with service level agreements.

We recommend that USAID's Chief Information Officer develop and implement written guidance for performing and documenting cost-benefit and alternative analyses for cloud acquisitions before procuring cloud services.

USAID/Nepal determine the allowability of $45,026 in questioned costs ($39,909 ineligible, $5,117 unsupported) on pages 13 to 14 and pages 33 to 41 of the audit report and recover any amount that is unallowable.

USAID/Nepal verify that the Government of Nepal's Department of Health and Services and Other Implementing Government Agencies corrects the 1 material weakness in internal control detailed on pages 25 to 26 of the audit report.

USAID/Nepal verify that the Government of Nepal's Department of Health and Services and Other Implementing Government Agencies corrects the 11 instances of material noncompliance detailed on pages 33 to 45 of the audit report.

Chief Information Officer update the change management charter to designate in writing the responsibilities for monitoring performance metrics, conducting lessons-learned activities, and documenting routine updates and minor changes.

Chief Information Officer update the system security plan to include the frequency for reviewing and updating the contingency plan.

Chief Information Officer develop and implement policies and procedures to obtain feedback on the agency's specialized security training, update the training program, and request that third-party providers update their training content, as appropriate, to keep current with security practices.

Chief Information Officer develop and implement policies and procedures for agency personnel to monitor performance metrics for information technology services provided by third parties.

Chief Information Officer develop and implement procedures to assess whether position risk designations are reviewed for all personnel.

Chief Information Officer develop and implement procedures to assess whether reinvestigations are performed timely for individuals who possess critical-sensitive/high-risk roles that require system access.

Chief Information Officer develop and implement policies and procedures to periodically assess its cybersecurity workforce's knowledge, skills, and abilities to confirm that security training and development activities align with agency needs.

To address these shortcomings, we recommend that USADF:
Develop and implement a plan within 90 days of USAID OIG publishing this advisory to schedule fraud awareness briefings with USAID OIG's Office of Investigations for all USADF staff.

To address these shortcomings, we recommend that USADF:
Update its training within 30 days of USAID OIG publishing this advisory to incorporate information on USAID OIG oversight authorities and procedures for disclosing allegations of fraud, waste, abuse, or mismanagement, and develop and implement a plan to provide the updated training to all USADF staff.

To address these shortcomings, we recommend that USADF:
Develop and implement a plan within 90 days of USAID OIG publishing this advisory to schedule fraud awareness briefings with USAID OIG's Office of Investigations for all USADF staff.