All Reports can be searched for by key words using the box to the right, or by date range using the tool below. The list below is sorted beginning with the newest.
CNCS did not fully comply with the DATA Act due to weaknesses in its existing financial reporting system (internal control over source systems) and internal control weaknesses within financial reporting, data management, and data reporting processes. CNCS did not submit complete, timely, quality, and accurate financial and award data for the FY 2017 second quarter. The Corporation continues to grapple with the implementation challenges previously reported in the readiness review, as well as new challenges identified by this performance audit.
For the sixth consecutive year, the Corporation for National and Community Service (CNCS or the Corporation) did not comply with the Improper Payments Elimination and Recovery Act of 2010, as amended (IPERA), applicable Executive Orders and authoritative implementation guidance from Office of Management and Budget (OMB) in assessing and reporting in its FY 2016 Agency Financial Report (AFR) information concerning improper payments in CNCS programs. The Corporation has acknowledged that it did not meet its obligations in this area.
This memorandum summarizes the results of our readiness review of the implementation of the Digital Accountability and Transparency Act of 2014 (DATA Act) at the Corporation for National and Community Service (the Corporation or the Agency). The objective of this review was to assess the Corporation's efforts and implementation plans to report financial and payment data in accordance with the requirements of the DATA Act. The Office of Inspector General (CNCSOIG) conducted this review between May 2016 and October 2016.
The Corporation for National and Community Service (the Corporation or CNCS) has made significant progress in addressing the information security and privacy weaknesses identified in last year’s Federal Information Security Modernization Act of 2014 (FISMA) evaluation, resolving eight of 17 findings from FY 2015 and closing 67 of 90 recommendations open from prior years. CNCS has improved and updated its policies and procedures for key security program areas, e.g., information security continuous monitoring (ISCM), risk management and Plan of Action and Milestones (POA&M) management. It has also entered into new service level agreements with the information technology (IT) contractor that manages the Corporation’s desktops, servers and network infrastructure. These improvements led evaluators to reduce the severity of two previous program weaknesses from Significant Deficiencies to Control Deficiencies. Evaluators determined that the Corporation implemented improvements to close all seven recommendations related to privacy controls for protection of personally identifiable information (PII).
Nevertheless, much work remains to make information security fully effective at CNCS. The FY 2016 FISMA evaluation uncovered two new weaknesses relating to: (1) secure configuration management policies, procedures and practices; and (2) monitoring and remediation of server backup failures. CNCS’s ISCM and Incident Response Program are rated at Level 2: Defined on a maturity scale that ranges from Level 1: Ad hoc to Level 5: Optimized. Of the 57 security metrics in the remaining areas, testing identified 25 instances of noncompliance with applicable laws, regulations and authoritative guidance governing information security.
An audit of the Corporation for National and Community Service’s financial statements as of September 30, 2016 and 2015, found a recurrent significant deficiency in the Corporation’s internal control over financial reporting. The audit identified the causes of this repeat condition as a lack of governance and oversight, incomplete risk assessment, and inadequate monitoring processes. There were no instances of noncompliance with applicable provisions of laws, regulations, contracts and grant agreements. The Corporation’s financial statements presented fairly in all material respects and consistent with accounting principles generally accepted in the United States of America.
Despite years of trying, the Corporation for National and Community Service (CNCS) remains unable to perform a reliable assessment of the susceptibility of all of its programs and activities to improper payments, and likewise unable to estimate reliably the amount or the rate of improper payments in the AmeriCorps State and National Program in fiscal year (FY) 2015. CNCS also failed to complete its improper payment assessments for the two Senior Corps programs that it considers susceptible to significant risk of improper payments. The improper payments information reported in CNCS’s FY 2015 Agency Financial Report (AFR) is therefore unreliable and incomplete in several respects. CNCS has again been unable to comply with the Improper Payments Elimination and Recovery Act of 2010, as amended (IPERA). As in the past, we found significant flaws at every stage of CNCS’s improper payments assessment process. Many of these flaws resulted from a lack of sufficiently qualified personnel to develop a sound testing methodology and execute CNCS’s complex sampling process.
The audit found the following:
- The financial statements present fairly, in all material respects, in accordance with accounting principles generally accepted in the United States of America.
- Two significant deficiencies (Integrity Assurance Program and Information Technology) in the Corporation’s internal control over financial reporting; and
- One instance of noncompliance (Federal Information Security Modernization Act of 2014) with applicable provisions of laws, regulations, contracts.
The two significant deficiencies are a repeat condition from Fiscal Year 2014.
Evaluation of the Corporation’s Information Security and Privacy Program found these were not compliant in a number of respects with FISMA legislation, Office of Management and Budget guidance and applicable National Institute of Standards and Technology security publications. Evaluations testing found controls were ineffective in eight of 11 areas. In two of the eight areas, Continuous Monitoring Management and Risk Management, the deficiencies were severe enough to constitute a significant deficiency.
For fiscal year (FY) 2014, the Corporation for National and Community Service (CNCS) did not perform a reliable assessment of the susceptibility of its programs and activities to improper payments, nor did it did it reliably estimate the amount or the rate of improper payments in the AmeriCorps Program. As a result, the improper payments information reported in CNCS’s FY 2014 Agency Financial Report (AFR) is unreliable and is also incomplete in other respects. We found significant flaws at every stage of CNCS’s improper payments assessment process. Some of those flaws had a tendency to understate CNCS’s improper payments.
Given the weaknesses discovered in this evaluation, we believe that CNCS has not met its obligation to perform a susceptibility analysis in FY 2014 and should not wait two years before performing a reliable analysis. Instead, CNCS should use the information in this evaluation to conduct a more accurate risk assessment in FY 2015, develop a better estimate of improper payments in the AmeriCorps Program, and accurately report the results.
Audit of the Corporation’s Financial Statements found the statements presented fairly the financial position of the Corporation as of September 30, 2014 and 2013.
The auditors also identified two significant deficiencies and one instance of noncompliance with the Federal Information Security Management Act.
- Integrity Assurance Program - The Corporation does not yet have a fully functioning internal control monitoring process in place to determine the effectiveness of internal controls and support management’s required annual assurance statement under the Federal Managers Financial Integrity Act.
- Information Technology – The Corporation’s information technology internal control structure did not support a sound internal control environment in five categories: security management, access controls, configuration management, segregation of duties, and contingency planning.
Kearney & Company, P.C. has concluded that the Corporation's Information Security and Privacy Program was not compliant in a number of respects with FISMA legislation, OMB guidance, and applicable NIST security publications as of September 30, 2014. Their testing found the controls were ineffective in seven of the 12 areas. In four of the seven areas, the deficiencies were severe enough to constitute a significant deficiency; these areas were Continuous Monitoring Management, Risk Management, Plans of Action and Milestones (POA&M), and Privacy.
This is the third consecutive year in which OIG has questioned the validity of the Corporation’s IPERA analysis. In Fiscal Year (FY) 2011, the Corporation’s AFR reported that none of its programs was susceptible to significant improper payments and reported improper payments in the AmeriCorps Volunteers in Service to America (VISTA) program of only $2.14 and projected improper payments of $3,947, results that were on their face unreasonable. The Corporation reached these results because it failed to examine whether the Corporation’s expenditures were used for their intended purpose, a key IPERA criterion.
The Corporation's financial statements present fairly, in all material respects, the financial position of the Corporation as of September 30, 2013 and 2012, and its net cost of operations, changes in net position, cash flows, and budgetary resources for the years then ended, in accordance with accounting principles generally accepted in the United States of America.
The auditors determined that the Corporation has limited assurance that its Information Security Program is compliant with the Federal Information Security Management Act legislation, applicable Office of Management and Budget (OMB) guidance, and National Institute of Standards and Technology (NIST) Special Publications (SP). Their evaluation identified 30 instances of noncompliance with OMB guidance and NIST SPs. These areas of noncompliance are grouped into six findings, resulting in nine recommendations to strengthen the Corporation's Information Security Program.
In response to the President's July 2010 mandate on implementing the Improper Payments Elimination and Recovery Act (IPERA), the Office of Inspector General (OIG), Corporation for National and Community Service (Corporation) performed an evaluation of the Corporation's compliance with IPERA. The objective of our evaluation was to determine whether the Corporation performed its improper payments assessment in compliance with IPERA, applicable Executive Orders, and the Office of Management and Budget (OMB) guidance.
For the second year in a row, the OIG concludes that the Corporation continues to understate its improper payments and has not accurately assessed the susceptibility of at least some of its programs. Six OIG audits of AmeriCorps State and National grantees, representing a small fraction of the grant portfolio, in Fiscal Year (FY) 2012 uncovered questioned costs of approximately $ 3.6 million. Experience suggests that similar problems exist elsewhere in the portfolio, making improper payments more prevalent than the Corporation acknowledges. Despite this, the Corporation's FY 2012 Agency Financial Report (AFR) does not contain an estimate of improper payments, does not describe the actions taken or to be taken to prevent and recover improper payments, and does not address the adequacy of its internal controls.