Total Recommendations

| # Recommendations | # Closed |
|---|---|
| 136 | 56 |

TSP Audits
| Audit Area | # Recommendations | # Closed |
|---|---|---|
| Total IT Recommendations | 73 | 50 |
| 1 IT Operations Management | ||
| 2019 IT Operations This audit looked to determine whether the Agency implemented certain procedures to: (1) support and maintain the overall IT operating environment, including hardware operations and software inventory; (2) identify, track, respond, and report asset incidents; (3) schedule jobs and process batches, and (4) manage databases; including documenting data dictionaries and performing database integrity checks. Determine the status of the prior EBSA TSP open recommendations. | 9 | 8 |
| 2 Computer Access and Technical Security Controls | ||
| 2020 Computer Access and Technical Security Controls This audit looked to determine whether (1) security management controls had been established, documented, and implemented for in-scope TSP systems; (2) physical and logical access controls had been established, documented, and enforced for in-scope TSP systems; and (3) privacy controls had been established, documented, and enforced to protect TSP data. Determine the status of the prior EBSA TSP computer access and security controls open recommendations. | 24 | 23 |
| 5 Mobile Device Security and Governance Controls | ||
| 2018 Mobile Device Security and Governance Controls This audit looked to determine whether (1) management developed a mobile device security and governance program; (2) management established controls for tracking and monitoring mobile devices; and (3) management established controls for configuring, updating, and removing mobile devices from the TSP network. | 11 | 9 |
| 2021 Mobile Device Security and Governance Controls This audit looked to determine whether (1) management developed a mobile device security and governance program; (2) management established controls for tracking and monitoring mobile devices; (3) management established controls for configuring, updating, and removing mobile devices from the Agency’s network; and (4) management established controls over its mobile device security and governance program that supported the Agency’s response to the coronavirus pandemic. Determine the status of the prior EBSA TSP mobile device security and governance controls open recommendations. | 11 | 9 |
| 2024 Mobile Device Security and Governance Controls This audit looked to determine whether the Federal Retirement Thrift Investment Board’s Staff (Agency) and its TSP recordkeeping systems (Converge) vendor (1) developed a mobile device security and governance program for Agency-managed mobile devices; (2) established controls for tracking and monitoring Agency-managed mobile devices; (3) established controls for configuring, updating, and removing mobile devices from the Agency’s network; (4) developed a mobile device security and governance program for Converge-issued mobile devices; and (5) established controls for configuring, updating, and removing mobile devices from the Converge network. | 11 | 9 |
| 6 Status of Certain Prior Year Findings | ||
| 2023 Status Determination of Prior Year Recommendations This audit looked to determine and validate whether recommendations that the Agency views as effectively resolved have been resolved. Conduct procedures over certain prior year recommendations to determine whether each recommendation has been closed, partially closed, or remains open (or may have been potentially overtaken by events). | 3 | 0 |
| 8 Vendor Risk Management | ||
| 2023 Vendor Risk Management This audit looked to determine whether the Agency implemented certain procedures to (1) assess service providers against key contractual and service level agreement requirements related to information technology security; (2) establish, document, and implement security management controls for the new recordkeeping system; and (3) establish, document, and implement privacy controls to protect TSP data by third-party vendors. Determine the research and benchmarking performed by the Agency when establishing service level requirements and key performance metrics for the Converge contract. Determine the status of four prior EBSA recommendations related to TSP risk management and vendor risk management controls to determine their current status. | 3 | 0 |
| 9 Computer Access and Data Security Controls | ||
| 2023 Computer Access and Data Security This audit looked to determine whether the Agency and its prime information technology (IT) vendor implemented certain cybersecurity procedures to: (1) limit access to physical and logical assets and facilities to authorized users; and (2) manage information and data consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Determine the status of 10 prior EBSA recommendations related to TSP computer access and data security controls to determine their current status. | 3 | 0 |
| 10 Information Protection Policies and Procedures | ||
| 2023 Information Protection Policies and Procedures This audit looked to determine whether the Agency and its vendor implemented certain cybersecurity procedures to (1) maintain and manage the protection of information systems and assets through configuration management, backup and recovery, media sanitization, personnel security, and vulnerability management controls; and (2) evaluate vendor’s contractual compliance with its data and privacy protection contractual provisions. Determine the status of five prior EBSA recommendations related to TSP information protection processes and procedures to determine their current status. | 3 | 0 |
| 11 Decommissioning of Legacy Thrift Savings Plan (TSP) Systems | ||
| 2024 Decommissioning of Legacy Thrift Savings Plan (TSP) Systems This audit looked to determine whether the Agency implemented certain procedures related to the legacy TSP system to: (1) manage and track the decommissioning and disposal of legacy hardware; and (2) sanitize hardware prior to disposal to protect participant information. | 2 | 0 |

| Audit Area | # Recommendations | # Closed |
|---|---|---|
| Total Process Audits | 49 | 0 |
| 1 Account Maintenance | ||
| 2024 Account Maintenance This audit looked to determine whether the Agency and its vendor implemented certain procedures to (1) accurately reflect in participant accounts contributions as elected by participants, daily valuation, and the fund balances; (2) process TSP contributions, rollovers, breakage, adjustments, interfund transfers, forfeitures, and forfeitures restorations promptly and accurately in individual participant accounts and in the appropriate investment fund(s); (3) monitor manual adjustments made to transactions and participant accounts; (4) accurately record account maintenance activity in the TSP accounting records; (5) monitor for and detect potential fraudulent activity associated with participant accounts; (6) investigate and resolve potential fraudulent activity identified internally and/or reported by participants; and (7) revise or augment preventative procedures when fraudulent activity or other risk factors are identified; and test compliance of the TSP account maintenance process with 5 USC 8432(a)(3), 8432(b)(1)(2), 8432(d), 8432(g)(1)-(3), 8438(c)(2), and 8439(d) (hereinafter referred to as FERSA), and 5 CFR 1600.11, 1600.12, 1600.13, 1600.14, 1600.18, 1600.19, 1600.21, 1600.22, 1600.23, 1600.30(c), 1600.31, 1600.32, 1600.33(a)-(g), 1600.34(a)-(b), 1600.35(a)-(b), 1600.37, 1601.12, 1601.13(a)(2)-(3) and (5), 1601.22(a)-(b), 1601.23(a)-(b), 1601.32, 1601.33, 1601.34, 1603.2, 1603.3, 1605.2(a)-(e), 1605.3, 1605.11(b)-(c), 1605.12(a)-(f), 1605.13(a)(3), 1605.14(a)-(b), 1605.15(c), 1605.16(c), 1605.21(b), 1605.22(b)-(c), 1605.31(d), 1620.44, 1620.46(e), 1640.2, 1645.2, 1650.5, 1650.11(b)-(c), 1651.3(a)-(d), 1651.4, 1651.19(m)(4), and 1651.19(j). | 19 | 0 |
| 2 Participant Support and Contact Center Operations | ||
| 2023 Participant Support This audit looked to determine whether the Agency and its vendor implemented certain procedures to (1) respond to participants’ and Congressional inquiries in an accurate and timely manner, especially correspondence related to the change in recordkeepers; (2) plan, manage, configure and monitor call load handling and call volumes in accordance with contractual requirements, including controls for handling increased demands because of the change in recordkeeping systems; (3) enforce appropriate caller authentication and privacy controls at the contact centers; (4) transfer and make available historical participant account information after the change in recordkeepers; and (5) enforce appropriate physical and logical access controls at the contact centers; and determine whether the Agency implemented certain procedures to monitor the contact centers’ vendors to ensure they were following the terms of the contract. | 7 | 0 |
| 3 Withdrawals | ||
| 2023 Withdrawals This audit looked to determine if the Agency and its vendor implemented certain procedures to (1) promptly and accurately process TSP withdrawal transactions for individual participant accounts; (2) process authorized participant withdrawal payments in accordance with applicable regulations; and (3) accurately record withdrawals activity in the TSP accounting records; and test compliance of the TSP withdrawals process in accordance with 5 United States Code (USC) Sections 8424(d), 8433, and 8435 (hereinafter referred to as FERSA), the Code of Federal Regulations (CFR) Title 5 Parts 1650, 1651, and 1653 (hereinafter referred to as Agency Regulations), and Public Laws 114-26 and 115-84. | 7 | 0 |
| 4 Loan Operations | ||
| 2023 Loan Operations This audit looked to determine whether the Federal Retirement Thrift Investment Board’s Staff (Agency) and its vendor implemented certain procedures to (1) process TSP loan transactions promptly and accurately in individual participant accounts and in the appropriate investment fund(s); (2) disburse TSP loans in accordance with regulations and participant authorizations; (3) limit participation in the TSP loan program to participants who meet eligibility criteria; and (4) accurately record loan activity in the TSP accounting records; and test compliance of the TSP loans process with United States Code Title 5, Sections 8433(g) and 8435(e)(g) (hereinafter referred to as FERSA) and Code of Federal Regulations Title 5, Parts 1655.2, 1655.4, 1655.5, 1655.6, 1655.7, 1655.9, 1655.12, 1655.13(a-d), 1655.14(a-f), 1655.15(a-d), 1655.16(a-c), 1655.17(a-b), 1655.18(a-c), 1655.19, 1655.20(a)(e-f), and 1655.21 (hereinafter referred to as Agency regulations); and assess the status of the prior EBSA TSP open recommendations. | 16 | 0 |

| Audit Area | # Recommendations | # Closed |
|---|---|---|
| Total Other TSP Audits | 14 | 6 |
| 1 The Board's Staff | ||
| 2018 Board's Staff Determine if the Agency implemented certain procedures to: (1) maintain standards of conduct and provide ethics training; (2) establish an organizational structure with defined roles and responsibilities and delegated authority, and provide for succession planning; (3) process newly hired employees and separating employees; (4) identify risks to the entity and monitor response to risks through development, implementation, and evaluation of internal control processes; (5) establish and monitor an annual budget; (6) procure goods and services in accordance with federal regulations; (7) monitor the reasonableness of administrative expenses; (8) maintain standards of conduct specific to the procurement function; (9) monitor the receipt of goods and services, and authorize expenses; (10) accurately record investment activity in the accounting records; (11) based on the net yield of the investments, less authorized administrative expenses and fees; and (12) monitor investment operations and results and maintain policies to provide retirement benefits to participants and beneficiaries in accordance with federal law; test compliance with United States Code (USC) Chapter 5, Sections 8437(c)(3), 8438(b), 8438(c)(1), 8438(f), 8439(a)(3), 8439(b)(2), 8439(b)(3), 8472, 8473(a-b), 8474(a)(1), 8474(a)(2), 8474(c)(5), 8475, 8476(a), 8477(b), 8477(c)(1-2), 8478(a)(1), and 8478(a)(2)(A), and Code of Federal Regulations (CFR) Title 5, Parts 1645.3, 1645.4, 2634.201, 2634.605, 2634.903, 2638.301, 2638.304, 2638.307, and 2638.308; and determine the status of the prior EBSA TSP open recommendations. | 6 | 3 |
| 2020 Board's Staff This audit looked to determine if the Agency implemented certain procedures to: (1) maintain standards of conduct and provide ethics training; (2) establish an organizational structure with defined roles and responsibilities and delegated authority, and provide for succession planning; (3) process newly hired employees and separating employees; (4) identify risks to the entity and monitor response to risks through development, implementation, and evaluation of internal control processes; (5) establish and monitor an annual budget; (6) procure goods and services in accordance with federal regulations; (7) monitor the reasonableness of administrative expenses; (8) maintain standards of conduct specific to the procurement function; (9) monitor the receipt of goods and services, and authorize expenses; (10) accurately record investment activity in the accounting records; (11) calculate the daily value of each fund’s investments based on the net yield of the investments, less authorized administrative expenses and fees; and (12) monitor investment operations and results and maintain policies to provide retirement benefits to participants and beneficiaries in accordance with federal law; test compliance with 5 USC 8437(c)(d), 8438(b), 8438(c), 8438(f), 8439(a)(3), 8439(b)(2), 8439(b)(3), 8472(e), 8472(f)(1-3), 8472(i), 8473(a)(b), 8474(a)(1), 8474(a)(2), 8474(b)(6), 8474(c)(5), 8475(1)(2), 8476(a)(b)(c), 8477, 8478(a-e) (hereinafter referred to as FERSA), and 5 CFR Parts 1632.10, 1645.2-4, 1645.5(a), 1645.6, 2634.201, 2634.605, 2634.903, 2635.107, 2638.301, 2638.304, 2638.306, 2638.307, and 2638.308 (hereinafter referred to as Agency Regulations); and determine the status of the prior EBSA TSP open recommendations. | 5 | 3 |
| 4 Annuity Operations | ||
| 2020 Annuity Process This audit looked to determine whether the Federal Retirement Thrift Investment Board’s Staff (Agency) implemented certain procedures to (1) process annuity payments and payments to beneficiaries promptly and accurately; (2) provide the annuity options prescribed under the Federal Employees’ Retirement System Act (FERSA) of 1986, as amended, and applicable Agency regulations; (3) perform due diligence reviews of the annuity vendor’s financial condition and evaluate the financial stability of the annuity vendor at the time of contract award and in subsequent years as prescribed under FERSA; test compliance with 5 USC Sections 8434 and 8435 (hereinafter referred to as FERSA) and 5 CFR 1650.14 and 1650.61 (hereinafter referred to as Agency Regulations); and determine the status of the prior EBSA TSP open recommendations. | 3 | 0 |