The fiscal year 2023 FISMA evaluation concluded that AmeriCorps’ information security program remains ineffective, assessed as of July 31, 2023. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) Inventory management, (2) vulnerability and patch management program, (3) unsupported software, (4) authorization packages, (5) incident response plan, (6) logging and (7) contingency planning.

The audit of 15 AmeriCorps Seniors grantees found that their financial management systems did not comply with Federal regulations and grant terms and conditions. As a result of these deficiencies, we identified $268,627 in questioned Federal costs and $377,199 in non-compliant match costs reported on AmeriCorps grants. AmeriCorps waived match requirements for AmeriCorps Seniors grants during the COVID-19 pandemic, which was within our audit scope, so we could not question the $377,199 in unsupported match costs.

In 2019, Congress enacted the Payment Integrity Information Act (PIIA) to update required reporting on agencies’ improper payments. PIIA requires agencies to review and identify programs and activities that may be susceptible to significant improper payments, estimate the improper payments rates in agency programs, and report on their actions to reduce and recover those payments. The Inspector General of each agency assesses compliance with these requirements annually. AmeriCorps implemented corrective actions in FY 2022 that improved its compliance with PIIA reporting requirements.

The fiscal year 2022 FISMA evaluation concluded that AmeriCorps’ information security program remains ineffective. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) mobile devices, (2) IT asset inventory management, (3) vulnerability and patch management program, (4) Personal Identity Verification (PIV) multifactor authentication, (5) performance measures, (6) security assessments and (7) contingency planning.

In accordance with the Government Charge Card Abuse Prevention Act of 2012), AmeriCorps, a Federal grant-making agency, is responsible for establishing and maintaining safeguards and internal controls for its government card program. The government card program is composed of purchase cards used by AmeriCorps personnel to purchase commercial goods and services, and travel cards used for official government travel expenses. In FY 2021, AmeriCorps transitioned its financial operations to a shared service platform offered by the Administrative Resource Center (ARC) within the U.S.