The Small Business Administration (SBA) is in the hot seat over allegations of mismanagement.
In a blistering report released this week, the U.S. General Accountability Office (GAO) says that of 69 recommendations it made in September to improve the SBA, only seven had been implemented. Chief among the GAO's findings are the agency's lack of an enterprise risk management system, and its failure to implement 30 recommendations for IT security.
The upshot: If you have a loan through the SBA or have other dealings with the agency, your data may not be safe.
"My greatest concern is on the IT security issue," House Small Business Committee chairman Steve Chabot (R-Ohio) said in a hearing Thursday where Administrator Maria Contreras-Sweet responded to the GAO's findings. "We have seen the White House for God's sake, and other federal entities hacked...and these small businesses give you a lot of sensitive information, so let's protect this."
According to the GAO, the SBA does not conduct regular reviews of its operational IT infrastructure. "Until SBA fully implements all of the required IT management initiatives, the agency cannot provide reasonable assurance that its IT investments are cost-effective, meet agency goals, or are effectively managed," the report says.
The report also cited management issues at the SBA created by the high level of turnover at the agency, which may complicate making significant operational changes. Other challenges include a management structure that is overly complex and redundant, the GAO noted.
Aiming to put concerns over IT security to rest, Contreras-Sweet said the SBA works closely with banks that provide financing for its loan portfolio, and that the agency meets financial institutions' stringent requirements.
"I have an auditor who tells us we have no material weaknesses in our system, and we have not had a breach," Contreras-Sweet said, adding she is nonetheless pushing to modernize the agency's technology.
Contreras-Sweet also spoke of challenges that the agency has recruiting young technology professionals to a government agency, suggesting lower pay and negative perceptions of government work may be issues. For example, the agency has lacked a chief information officer for the past six months, and appears to have trouble recruiting young, talented candidates.
"Give me the budget that [General Electric] has," Contreras Sweet said. "I want to make sure (our) job descriptions speak to the future."
On the positive side, the GAO noted seven areas where the SBA has made improvements, including implementing changes to speed up its process of making disaster recovery loans. The GAO previously faulted the agency for taking up to 45 days to make such loans, more than twice the time of its stated goal.
The SBA has until June 30 to make good on the remaining GAO recommendations, Chabot said during Thursday's hearing.