Recommendation Dashboard

We recommend that IAF's chief information officer fully document and implement a process to include in the risk acceptance forms a clear business reason for risk acceptance and the compensating controls implemented to reduce the risk that vulnerabilities can be exploited.

Develop and implement supply chain risk management policies, procedures, and strategies.

We recommend that IAF's chief information officer develop and implement a procedure to document risk acceptance when vulnerabilities cannot be remediated within the timeframes specified in IAF's operating procedures.

We recommend that IAF's chief information officer approve and implement IAF's Information Resource Management Strategic Plan.

We recommend that IAF's chief information officer document and implement a procedure to approve IAF's table-top exercise plans before conducting the exercises.

We recommend that IAF's chief information officer document and implement a written process for obtaining and evaluating feedback on IAF's privacy and security training content, including role-based training.

We recommend that IAF's chief information officer develop and implement a process to document lessons learned related to risk management, configuration management, identity and access management, data protection and privacy, and information security continuous monitoring to improve IAF's security posture.

We recommend that IAF's chief information officer develop and implement an information security continuous monitoring strategy.

We recommend that IAF's chief information officer develop and implement a written process to document participants in IAF's contingency plan training.

USAID/Bangladesh issue formal policy or guidance on the use of third-party monitors to include when and how mission offices can use the services of qualified third-party monitors.

USAID/Bangladesh develop and implement a process with defined roles and responsibilities to track and resolve issues raised by third-party monitors, including documented actions undertaken to address them.

USAID/Nepal develop and implement a process with defined roles and responsibilities to track and resolve issues raised by third-party monitors, including documented actions undertaken to address them.

USAID/Pakistan develop and implement a process with defined roles and responsibilities to track and resolve issues raised by third-party monitors, including documented actions undertaken to address them.

We recommend that USAID's Office of Acquisition and Assistance, Cost, Audit and Support Division verify that Practical Action corrects the three instances of material noncompliance detailed on pages 35 through 37 of the audit report.

We recommend that USAID/Uganda verify that Transcultural Psychosocial Organisation provide Catholic Relief Services with a copy of the findings raised in the audit report for their review and any appropriate action regarding the two instances of material noncompliance detailed on pages 59 to 61 related to subaward Sustainable Outcomes for Children and Youth in Central and Western Uganda.

Verify that Hanns R. Neumann Stiftung corrects the instance of material noncompliance detailed on pages III-1 and III-2 of the audit report.

Ensure that MCA project directors receive additional training on the documentation requirements they are responsible for to ensure timely processing of payments in accordance with the Fiscal Accountability Plan

Institute controls such as automated system reminders (i.e., Outlook Calendar Reminders) with the appropriate personnel within the MCC to help mitigate the risk of MCAs not meeting the Monthly Commitments and Disbursement Reports reporting time requirement.

Provide additional training to the MCAs regarding revisions to be made to MCC's Grant Accrual Guidance. Specifically, emphasize the responsibility of the MCA to identify all open contracts and require the project director/engineer over those contracts to provide an accrual estimate or a written explanation for why one is not needed to obtain full coverage.

Revise MCC's Grant Accrual Guidance to incorporate current data call requirements for the MCAs to identify open contracts.

Provide additional training to the MCAs to ensure the MCAs have a clear understanding of the grant accrual validation requirements.

Include the instructions provided to the accountable entities regarding the validation process within the Grant Accrual Guidance.

Complete "Sector Cost-Benefit Analysis Guidance" for the energy sector

Develop and complete "Sector Cost-Benefit Analysis Guidance" for the agriculture sector

Develop and complete "Sector Cost-Benefit Analysis Guidance" for the education sector

Develop and complete "Sector Cost-Benefit Analysis Guidance" for the health sector

Develop guidance to include peer reviews in the Economic Analysis Division's peer review repository

Update "Guidelines for Country Team and Peer Review of Cost-Benefit Analysis" to create and include documentation such as templates to aid in implementing the peer review guidance.

Determine the allowability of $44,363 in questioned costs ($15,992 ineligible, $28,371 unsupported) on pages 11 and 12 of the audit report and recover any amount that is unallowable.

Determine the allowability of $58,214 in unsupported cost sharing contributions questioned costs on pages 24 and 25 of the audit report and recover any amount that is unallowable.

Verify that ISPD corrects the six material weaknesses in internal control detailed on page 27 of the audit report.

Verify that ISPD corrects the four instances of noncompliance detailed on page 41 of the audit report.

Chief Information Security Officer document and implement a process for validating that medium and low risk vulnerabilities are remediated in accordance with the agency's policy.

Chief Information Security Officer develop and implement a process to monitor privileged activities, including which activities to monitor as well as the process and frequency for monitoring those activities.

Chief Financial Officer design and implement a process to screen USADF contractors at the extent and level appropriate to the risks associated with the position.

Chief Information Security Officer develop, document, and disseminate supply chain risk management procedures to facilitate the implementation of the USADF Supply Chain Risk Management Strategy & Policy.

Develop and maintain a DQP that meets the requirements of OMB Circular A-123

Develop and implement a plan to ensure the Senior Accountable Official bases certification on consideration of the Data Quality Plan and internal controls documented in the plan.

Improve controls over its financial assistance award recording process to ensure timely reporting

Distribute guidance to individuals recording grant information regarding the proper definition of Action Date per the DAIMS.