BBG Watch Commentary
The Broadcasting Board of Governors (BBG) federal agency in charge of the Voice of America (VOA) and other U.S. government-funded international media operations has no effective information security program and is vulnerable to IT-centered attacks and threats, an independent audit for the Inspector General has found year after year.
“Without an effective information security program, BBG is vulnerable to IT-centered attacks and threats. Information security program weaknesses can affect the integrity of financial applications, which increases the risk that sensitive financial information could be accessed by unauthorized individuals or that financial transactions could be altered either accidentally or intentionally. Information security program weaknesses increase the risk that BBG will be unable to report financial data accurately. We have reported weaknesses in IT security controls each year since our audit of BBG’s FY 2013 financial statements.”
From: INDEPENDENT AUDITOR’S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING
To: The Board of Governors and the Inspector General of the Broadcasting Board of Governors, Kearney & Company, November 13, 2017.
The Broadcasting Board of Governors (BBG) federal bureaucracy is famous not only for having the worst-managed medium size federal agency with the lowest employee morale but also for giving itself high merit awards and getting praise from BBG CEO John Lansing while downplaying warnings of substandard performance from auditors working for the U.S. Government, especially in the area of financial accountability and cyber security. The BBG’s Chief Information Officer/Chief Technology Officer, André Mendes, has been in charge of assuring cyber security for many years. Beginning in September 2017, he was also appointed by CEO John Lansing as the Acting Director of the Office of Cuba Broadcasting while keeping his CIO/CTO duties. He commutes weekly between Miami and Washington, DC, which further weakens already inadequate and ineffective management and increases costs for U.S. taxpayers.
Take a look (see attachments) at how the BBG blows off the thrust of this Kearney & Co audit focusing on financial reporting and technology issues. We have separated out the BBG response letter, and a paragraph from it, which obfuscates by heaping praise on the BBG mission but focuses only on one aspect of the report noting an improvement from the category of “Material Weakness” to the category of “Significant Deficiency.” We have excerpted major portions of the report, and bolded criticisms:
Of a sample of 118 ULOs tested, we found 38 (32 percent) invalid ULOs. During FY 2017, BBG’s Office of the Chief Financial Officer (OCFO) distributed monthly reports to respective allotment holders listing potentially invalid obligations. However, invalid ULOs continued to exist because some allotment holders were not responsive in researching and reviewing obligations and deobligating invalid obligations. We also found that some allotment holders were unaware of their responsibility to deobligate invalid obligations that had been identified. In addition, we found that BBG does not review overseas ULOs for validity because, according to OCFO officials, they have prioritized resolving domestic ULOs because those are the majority of the agency’s ULOs. We also found that BBG has updated its draft standard operating procedure for monitoring ULOs, but this document has not been approved and issued by BBG management. As a result of invalid ULOs identified by our audit, BBG adjusted its financial statements. We have identified weaknesses in controls over ULOs in each audit since our audit of BBG’sFY 2013 financial statements.
BBG is responsible for monitoring grantee use of BBG funds to ensure grantees adhere to applicable laws and regulations as well as all terms and conditions specified in the grant agreements. To aid in the monitoring process, BBG drafted a Grantee Monitoring Standard Operating Procedure (SOP), which presents information and procedures that BBG will use during the life of a grant. We selected 15 control activities from the draft SOP to test whether BBG had effectively implemented grantee monitoring. We found that 9 of the 15 controls tested [1 During FY 2017 ULO testing, we found that BBG’s efforts resulted in a reduced error rate, warranting a downgrade from a Material Weakness to a Significant Deficiency.] were implemented during FY 2017 but that the remaining 6 control activities were not implemented. For example, BBG had not performed risk assessments to finalize the scope and frequency of grantee site visits, issued site visit reports to communicate findings and needed improvements to its grantees, or obtained Performance Project Reports from its grantees. BBG officials stated that many oversight activities would not be initiated until the draft SOP is fully approved and finalized.
Because BBG lacked effective grantee oversight, the risk of waste, fraud, and abuse of Federal funds is increased. An organized and documented approach to oversight should be implemented to improve accountability and mitigate the risk of waste, fraud, and abuse. We have identified weaknesses in controls over grantee monitoring each year since our audit of BBG’s FY 2013 financial statements.
BBG’s information systems and sensitive information rely on the confidentiality, integrity, and availability of BBG’s comprehensive and interconnected infrastructure. Managing information security risk effectively throughout the organization is critical to achieving BBG’s mission. BBG uses several financial management systems to compile information for financial reporting purposes. BBG’s main domestic financial management and accounting system is Momentum, which is provided by an external service provider that is also responsible for maintaining a number of IT controls. However, Momentum is accessed through BBG’s general IT support system, which is a component of BBG’s information security program. Therefore, security weaknesses noted in BBG’s information security program could potentially impact Momentum as well. For overseas accounting and budget execution, BBG uses the Regional Financial Management System (RFMS) provided by the Department of State (Department). The Department is also responsible for maintaining an adequate information security program.
The Office of Inspector General (OIG) is responsible for the annual audits of BBG and Department information security programs’ compliance with IT provisions as required by the Federal Information Security Modernization Act of 2014 (FISMA). In the FY 2017 FISMA report for BBG, OIG reported security weaknesses that had a significant impact on BBG’s information security program. Specifically, OIG reported control weaknesses in all seven key FY 2017 Inspector General FISMA metric domains, which consist of risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning.
OIG’s FY 2017 FISMA report for the Department identified information security program weaknesses that are similar to the weaknesses identified at BBG. OIG reported that the Department did not have an effective organization-wide information security program. As noted, RFMS is hosted on the Department’s general support system and is a component of the 2 OIG, Audit of the Broadcasting Board of Governors Information Security Program (AUD-IT-IB-18-13, October 2017). 3 OIG, Audit of Department of State Information Security Program (AUD-IT-18-12, October 2017).
Department’s information security program. Because of the security weaknesses noted with the information security program at the Department, BBG should implement additional controls to ensure that financial information is being processed accurately and completely by the Department.
Without an effective information security program, BBG is vulnerable to IT centered attacks and threats. Information security program weaknesses can affect the integrity of financial applications, which increases the risk that sensitive financial information could be accessed by unauthorized individuals or that financial transactions could be altered either accidentally or intentionally. Information security program weaknesses increase the risk that BBG will be unable to report financial data accurately. We have reported weaknesses in IT security controls each year since our audit of BBG’s FY 2013 financial statements.