SBA faces fraud risks and IT security woes, IG says
The Small Business Administration has struggled to cope with an onslaught of potentially fraudulent activity within its direct lending programs spurred by the COVID-19 pandemic, Inspector General Hannibal Ware testified to the House Small Business Committee.
The Small Business Administration has been inundated with potentially fraudulent proposals for economic relief during the COVID-19 pandemic, at a time when increased workload throughout the agency deflected attention from IT security issues, the agency's Inspector General Hannibal Ware testified Wednesday.
Economic relief programs associated with recovery efforts around the pandemic, including the COVID-19 Economic Injury Disaster Loan (EIDL) program, were identified as one of the SBA’s top management challenges in the Office of Inspector General’s (OIG) recent semiannual report to Congress.
"COVID-19 relief efforts diverted SBA resources from some daily compliance activities. As a result, SBA continues to experience security challenges in areas of user access, configuration management and security training," the report states.
Ware said at a Wednesday hearing of the House Small Business Committee that his office and its oversight of the agency's pandemic response efforts played a "critical role" in recovering and saving $4.2 billion during fiscal year 2021, with 366 indictments and 142 convictions associated with fraudulent activity in SBA’s direct lending programs. Still, he said SBA lacked the necessary resources to aggressively combat fraud, waste and abuse.
The SBA’s Office of Inspector General (OIG) identified $84 billion in potentially fraudulent activity within loans disbursed through the EIDL program, whereas the Paycheck Protection Program saw just $4.6 billion in potentially fraudulent activity. SBA was directly responsible for overseeing the EIDL program, while private financial institutions played a key role in the disbursement of PPP funds.
Rep. Blaine Luetkemeyer (R-MO), ranking member of the House Small Business Committee, described the SBA as the "sole and only gatekeeper" for the EIDL program and said the differences in its management in contrast to PPP "cannot be overstated."
The IG also said in its semiannual report that inaccurate procurement data and eligibility concerns within SBA programs were undermining the reliability of contractor goal achievements, and noted significant challenges surrounding the agency’s IT investment and security controls.
Ware said “a lot of protections have been put in place” in response to the pandemic, and added that some recommendations from the OIG to improve SBA's security controls were implemented in real time. He said the agency took steps to combat fraudulent activity by stopping changes to bank numbers on loan applications and addressing duplicative IP addresses.
But the IG acknowledged a longstanding lack of investment in IT security at the SBA, saying the agency's current system development controls fail to reflect the changing IT application landscape. He explained how some modernization efforts had apparently stalled, including the SBA’s beta certification management experience, dubbed Beta Certify, which he said “still isn’t working as promised.”
Asked what additional resources were necessary to ensure the OIG was conducting effective oversight of SBA's pandemic response, Ware replied: "I think a reframing of the question might be: Do we have enough resources for the oversight that we'll provide for the pandemic loans many years after the pandemic?"
The SBA's total IT spending in fiscal year 2021 was $128.9 million, down from $140.9 million in 2020. The agency's total IT investments for 2022 amount to $108.8 million, according to the federal IT dashboard. The agency is also one of just a few that have established working capital funds as authorized by the Modernizing Government Technology Act. In its congressional budget justification, the agency said it plans to use the fund to support modernization projects in 2022, including cloud-based solutions and enterprise data capabilities to improve overall management of its systems and services.