Reports: Audit

The fiscal year 2023 FISMA evaluation concluded that AmeriCorps’ information security program remains ineffective, assessed as of July 31, 2023. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) Inventory management, (2) vulnerability and patch management program, (3) unsupported software, (4) authorization packages, (5) incident response plan, (6) logging and (7) contingency planning.

The audit of 15 AmeriCorps Seniors grantees found that their financial management systems did not comply with Federal regulations and grant terms and conditions. As a result of these deficiencies, we identified $268,627 in questioned Federal costs and $377,199 in non-compliant match costs reported on AmeriCorps grants. AmeriCorps waived match requirements for AmeriCorps Seniors grants during the COVID-19 pandemic, which was within our audit scope, so we could not question the $377,199 in unsupported match costs.

In 2019, Congress enacted the Payment Integrity Information Act (PIIA) to update required reporting on agencies’ improper payments. PIIA requires agencies to review and identify programs and activities that may be susceptible to significant improper payments, estimate the improper payments rates in agency programs, and report on their actions to reduce and recover those payments. The Inspector General of each agency assesses compliance with these requirements annually. AmeriCorps implemented corrective actions in FY 2022 that improved its compliance with PIIA reporting requirements.

The fiscal year 2022 FISMA evaluation concluded that AmeriCorps’ information security program remains ineffective. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) mobile devices, (2) IT asset inventory management, (3) vulnerability and patch management program, (4) Personal Identity Verification (PIV) multifactor authentication, (5) performance measures, (6) security assessments and (7) contingency planning.

In accordance with the Government Charge Card Abuse Prevention Act of 2012), AmeriCorps, a Federal grant-making agency, is responsible for establishing and maintaining safeguards and internal controls for its government card program. The government card program is composed of purchase cards used by AmeriCorps personnel to purchase commercial goods and services, and travel cards used for official government travel expenses. In FY 2021, AmeriCorps transitioned its financial operations to a shared service platform offered by the Administrative Resource Center (ARC) within the U.S.

AmeriCorps has been unable to produce auditable financial statements for the last six years. This year, independent auditors again issued a disclaimer of opinion, reporting 12 material weaknesses and two significant deficiencies. Ten of the material weaknesses are recurring, four of them since FY 2017, five since FY 2018, and one since FY 2021. The auditors reported two new material weaknesses: (1) Knowledge Gap throughout Financial Management Operations and (2) Advances from Others. Further, the financial statements and accompanying notes were not in accordance with U.S.

The National Service Trust holds the funds set aside to pay the education awards of national service members who successfully complete their service terms. Responsibility for the education awards that have been earned or will be earned in the near future is the largest liability on AmeriCorps’ financial statements at $340 million. AmeriCorps has been unable to produce auditable financial statements for the last six years. This year, independent auditors again issued a disclaimer of opinion, reporting six material weaknesses and one significant deficiency.

AmeriCorps’ security program has not been effective in accordance with Federal Information Security Management Act (FISMA) since Fiscal Year 2017. In order to determine its current status, AmeriCorps OIG engaged an independent certified public accounting firm to conduct an internal penetration test of AmeriCorps’ network. The independent auditors tested AmeriCorps’ network to evaluate the effectiveness of its information security program and to identify areas of weakness.

In 2019, Congress enacted the Payment Integrity Information Act (PIIA) to update required reporting on agencies’ improper payments. PIIA requires agencies to review and identify programs and activities that may be susceptible to significant improper payments, estimate the improper payments rates in agency programs, and report on their actions to reduce and recover those payments. The Inspector General of each agency assesses compliance with these requirements annually. AmeriCorps implemented corrective actions in FY 2021 that improved its compliance with PIIA reporting requirements.

The information security program of AmeriCorps remains ineffective and has shown little progress since FY 2018. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: organization-wide risk management, IT asset inventory management, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management practices. AmeriCorps has not made significant progress in implementing prior FISMA recommendations.