Reports: Audit

The information security program of AmeriCorps remains ineffective and has shown little progress since FY 2018. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: organization-wide risk management, IT asset inventory management, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management practices. AmeriCorps has not made significant progress in implementing prior FISMA recommendations.

The National Service Trust holds the funds set aside to pay the education awards of national service members who successfully complete their service terms. Responsibility for the education awards that have been earned or will be earned in the near future is the largest liability on AmeriCorps’ financial statements at $356 million. Since FY 2017, independent auditors have declined to issue an opinion on the financial statements of AmeriCorps and the National Service Trust.

Since FY 2017, independent auditors have declined to issue an opinion on AmeriCorps’ financial statements. This year, they again issued a disclaimer of opinion, reporting nine material weaknesses and one significant deficiency. Eight of the material weaknesses are recurring, three of them since FY 2017 and five since FY 2018. AmeriCorps acknowledged at the beginning of the audit that it had not made progress in addressing five of the material weaknesses and requested that they be excluded from the scope of the audit.

AmeriCorps submits quarterly grant and procurement award data for publication on USASpending.gov as required by the Digital Accountability and Transparency Act of 2014 (DATA Act). The Office of Management and Budget (OMB) and Department of Treasury (Treasury) established standards for Federal agencies to use 59 data elements in reporting its financial and award information. Periodically, the AmeriCorps Office Inspector General (OIG) audits the agency’s spending data to assess its completeness, accuracy, timeliness, and quality, as well as its adherence to the government-wide data standards.

Beginning in FY 2017, independent auditors have been unable to render an opinion on the consolidated financial statements of AmeriCorps and the National Service Trust. The audits resulted in disclaimers of opinion and identified numerous material weaknesses that remained uncorrected.

In 2019, Congress enacted the Payment Integrity Information Act (PIIA) to update required reporting on agencies’ improper payments. PIIA requires agencies to review and identify programs and activities that may be susceptible to significant improper payments, to estimate the rate and amount of improper payments in agency programs, and to report on their actions to reduce and recover those payments.

The information security program of the Corporation for National and Community Service, now called AmeriCorps, remains Not Effective and has shown little progress over the past four years. While AmeriCorps has demonstrated some improvement on configuration management, key areas of organization-wide risk management strategy, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management have remained stagnant at a low level of maturity.

The audit of a CNCS Social Innovation Fund award to Youthprise and four of its six subgrantees (Amherst H. Wilder Foundation, MIGIZI Communications, Sauk-Rapids Rice, and Guadalupe Alternative Programs) identified questioned Federal costs of $626,099, questioned match costs of $990,137, and compliance findings. These costs tested were incurred between August 1, 2016 and June 30, 2018. Most of the questioned costs identified were associated with (1) Youthprise improperly awarding sole-source contracts; and (2) subgrantees’ timekeeping deficiencies.

Despite continuing work to improve its Improper Payments Elimination and Recovery Act (IPERA) compliance program, the Corporation for National and Community Service (CNCS) did not meet three of the six IPERA compliance criteria, unchanged from FY 2018. Specifically, CNCS was unable to reliably estimate the amount or the rate of improper payments in the AmeriCorps State and National Program, the Foster Grandparent Program (FGP), the Senior Companion Program, and the Retired and Senior Volunteer Program (RSVP).

The information security program of the Corporation for National and Community Service (CNCS) has been assessed as not effective with little progress over the past three years. While security training remains an area of strength at CNCS, performance in this area is outweighed by the substantial risks resulting from the continuing control weaknesses in configuration management, identity, and access management, and data protection and privacy.