Small Business Administration: Better Planning and Controls Needed for
Information Systems (Letter Report, 06/27/97, GAO/AIMD-97-94).

Pursuant to a congressional request, GAO reviewed the Small Business
Administration's (SBA) efforts to develop a risk management database and
a loan monitoring system, focusing on: (1) the status of SBA's
development and implementation of the risk management database; (2)
whether SBA has established adequate processes and controls to ensure
that the database will contain complete and accurate loan data; and (3)
whether SBA has performed the planning steps needed to serve as a basis
for funding the development phase of the proposed loan monitoring
system.

GAO noted that: (1) at the time of its review, SBA had completed
development of a database structure and taken action to capture data and
establish reporting capabilities to comply with the requirements of the
Small Business Programs Improvement Act of 1996; (2) SBA officials
expect that the system will be capturing the required data and that the
reporting capabilities will be developed before the June 30, 1997,
deadline mandated by the act; (3) while SBA expects the system to be
operational on time, it has not yet established and implemented the
controls needed to ensure that the risk management database contains
timely and accurate data which are also required by the act; (4) at this
time, the database has missing or incorrect data for about half the
guaranteed loans because SBA has not yet effectively implemented
controls over lender reporting; (5) SBA also has not yet established
controls to identify missing or incorrect underwriting characteristics
data on defaulted loans; (6) until it implements effective controls, SBA
has no means of ensuring that the risk management database will be
sufficiently timely and accurate for program management and
decision-making purposes; (7) finally, SBA has not yet performed
essential planning needed to serve as a basis for funding the
development of the proposed loan monitoring system; (8) to implement the
information systems investment requirements of the Clinger-Cohen Act of
1996, the Office of Management and Budget (OMB) established criteria
that major information systems investments should meet for funding in
the fiscal year (FY) 1998 budget; (9) SBA has not performed the planning
needed to demonstrate that the loan monitoring system will meet three of
the eight criteria, such as simplifying or redesigning work processes
and demonstrating a positive return on investment; and (10) without
performing essential planning, SBA increases the risk that the loan
monitoring system will not effectively meet the agency's goals or
provide the best return on investment.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-97-94
     TITLE:  Small Business Administration: Better Planning and Controls 
             Needed for Information Systems
      DATE:  06/27/97
   SUBJECT:  Information systems
             Systems design
             Strategic information systems planning
             Reporting requirements
             Data integrity
             Data bases
             Loan accounting systems
             Small business loans
             Internal controls
IDENTIFIER:  SBA Electronic Loan Input Processing System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Report to the Chairman, Committee on Small Business, U.S.  Senate

June 1997

SMALL BUSINESS ADMINISTRATION -
BETTER PLANNING AND CONTROLS
NEEDED FOR INFORMATION SYSTEMS

GAO/AIMD-97-94

Small Business Administration

(511421)


Abbreviations
=============================================================== ABBREV

  ELIPS - Electronic Loan Input Processing System
  OMB - Office of Management and Budget
  SBA - Small Business Administration

Letter
=============================================================== LETTER


B-276775

June 27, 1997

The Honorable Christopher S.  Bond
Chairman, Committee on Small Business
United States Senate

Dear Mr.  Chairman: 

This report contains the results of our review of the Small Business
Administration's (SBA) efforts to develop a risk management database
and a loan monitoring system.  SBA is developing the database to
comply with requirements of the Small Business Programs Improvement
Act of 1996.  SBA is also planning to develop a loan monitoring
system to help support its oversight of increased lender
responsibility for servicing loans.  Funds to develop the loan
monitoring system were requested in the President's fiscal year 1998
budget request. 

At your request, we reviewed (1) the status of SBA's development and
implementation of the risk management database, (2) whether SBA has
established adequate processes and controls to ensure that the
database will contain complete and accurate loan data, and (3)
whether SBA has performed the planning steps needed to serve as a
basis for funding the development phase of the proposed loan
monitoring system.  To address these issues, we conducted work at
SBA's headquarters in Washington, D.C., and at the offices of an SBA
contractor in New York, New York.  We conducted our work between
March and May 1997, in accordance with generally accepted government
auditing standards.  Details of our objectives, scope, and
methodology are presented in appendix I. 


   RESULTS IN BRIEF
------------------------------------------------------------ Letter :1

At the time of our review, SBA had completed development of a
database structure and taken action to capture data and establish
reporting capabilities to comply with the requirements of the Small
Business Programs Improvement Act of 1996.  SBA officials expect that
the system will be capturing the required data and that the reporting
capabilities will be developed before the June 30, 1997, deadline
mandated by the act. 

While SBA expects the system to be operational on time, it has not
yet established and implemented the controls needed to ensure that
the risk management database contains timely and accurate data which
are also required by the act.  At this time, the database has missing
or incorrect data for about half the guaranteed loans because SBA has
not yet effectively implemented controls over lender reporting.  SBA
also has not yet established controls to identify missing or
incorrect underwriting characteristics data on defaulted loans. 
Until it implements effective controls, SBA has no means of ensuring
that the risk management database will be sufficiently timely and
accurate for program management and decision-making purposes. 

Finally, SBA has not yet performed essential planning needed to serve
as a basis for funding the development of the proposed loan
monitoring system.  To implement the information systems investment
requirements of the Clinger-Cohen Act of 1996,\1 the Office of
Management and Budget (OMB) established criteria that major
information systems investments should meet for funding in the fiscal
year 1998 budget.  SBA has not performed the planning needed to
demonstrate that the loan monitoring system will meet three of the
eight criteria, such as simplifying or redesigning work processes and
demonstrating a positive return on investment.  Without performing
essential planning, SBA increases the risk that the loan monitoring
system will not effectively meet the agency's goals or provide the
best return on investment. 


--------------------
\1 The Clinger-Cohen Act of 1996 provides an analytical framework for
making information system investment decisions and managing
information system development based on best industry practices. 


   BACKGROUND
------------------------------------------------------------ Letter :2

As part of its programs to expand access to capital and assist
disadvantaged small businesses, SBA guarantees loans to small
businesses that are unable to obtain financing under reasonable terms
and conditions through normal business channels.  It also makes
physical disaster loans to small business and individual victims of
natural disasters, and economic injury loans to small business
victims of natural disasters.  As of February 28, 1997, SBA reported
having over $28 billion in loan guarantees and about $7 billion in
direct loans outstanding. 

The Small Business Programs Improvement Act of 1996 required SBA to
establish a risk management database that would provide timely and
accurate information to identify loan underwriting, collections,
recovery, and liquidation problems.  The database would include data
on guaranteed business loans and direct disaster loans.  The 1996 act
required SBA to start capturing data in the risk management database
in January 1997, and have the system fully operational by June 30,
1997. 

SBA's guaranteed loans are made and serviced by lenders who collect
payments and, in some cases, liquidate defaulted loans.\2 Each lender
is required to send to SBA's fiscal and transfer agent\3 (1) a
monthly report on the status of the loans, including information on
loan collections, deferrals, and delinquencies and (2) loan guarantee
fees that are due to SBA.  The fiscal and transfer agent processes
the reports and remittances and transmits a data file to SBA for its
accounting and information systems, including the new risk management
database.  Disaster loans are made and serviced by SBA, and the
accounting records for these loans are the source of data for the
risk management database. 

In its fiscal year 1998 budget request, SBA presented plans for
increased reliance on lenders to service and liquidate defaulted
small business loans.  To provide effective monitoring of the
lenders' activities, SBA plans to hire personnel with expertise in
lender oversight, establish financial performance goals for
private-sector partners, create a database for tracking lender and
portfolio performance, and develop a new loan monitoring system to
provide timely and accurate information to agency management.  SBA
requested $18 million to improve portfolio management, including
about $9.5 million to develop the information system improvements. 


--------------------
\2 SBA requires some lenders to liquidate defaulted guaranteed loans
on its behalf, while SBA itself performs the liquidations on other
defaulted loans. 

\3 SBA's fiscal and transfer agent is a contractor who is responsible
for reconciling guarantee fee remittances from lenders to reported
amounts, verifying that lenders remit the correct fees, and
transferring the fees to SBA. 


   SBA HAS DEVELOPED A DATABASE
   STRUCTURE AND STARTED CAPTURING
   REQUIRED DATA
------------------------------------------------------------ Letter :3

SBA has developed a database structure, made provisions for
collecting data, and begun entering data required by the Small
Business Programs Improvement Act of 1996.  At the time the act was
passed, SBA had a database called the Electronic Loan Input
Processing System (ELIPS) that contained most of the required data
elements.  This included data to identify the borrower, lender,
location, loan program, and loan status.  To respond to the
requirements of the act, SBA decided to expand the ELIPS database
structure to include the required loan delinquency and underwriting
characteristics data. 

As of May 1997, SBA was capturing loan status data in the risk
management database as required by the act and had recently issued
instructions to field offices for the collection of underwriting
characteristics data.  Although the act required SBA to start
capturing data in January 1997, issuance of instructions for
collecting the underwriting characteristics data was delayed due to
the lack of standards for calculating some of the required ratios and
because reaching a consensus on the calculations took longer than
expected.  SBA does not expect the delay to affect the planned
operational date.  According to the SBA official responsible for
these operations, field staff will have sufficient time to collect
and enter the required data in time for the database to be fully
operational by June 30, 1997. 

SBA developed a task order for a contractor to determine reporting
requirements for the database and develop software applications to
produce the reports, but had not issued the task order at the time of
our review.  Although SBA was a few weeks behind its original
schedule for issuing the task order, SBA officials responsible for
the risk management database stated that they expect the work to be
completed and the system to be fully operational by the June 30,
1997, deadline. 


   CONTROLS NEEDED TO ENSURE DATA
   RELIABILITY
------------------------------------------------------------ Letter :4

SBA has not yet implemented effective controls to ensure that the
risk management database contains timely and accurate data as
required by the Small Business Programs Improvement Act of 1996. 
Until such controls are implemented, SBA will not be able to rely on
any analyses or reports produced from the database. 

SBA is capturing data from multiple sources for the risk management
database--disaster loan status information from files maintained by
the SBA field office that services the loans, guaranteed loan status
information provided by lenders through SBA's fiscal and transfer
agent, underwriting characteristics data collected by field staff
from SBA's loan files, monthly loan transactional data, and
historical data from existing program and accounting databases.  SBA
officials told us they are confident that they have complete and
accurate status information for the disaster loans; however, they
acknowledged quality problems with the data reported by lenders.  The
quality of status data reported by lenders is important to the
overall reliability of the database because guaranteed loans account
for about 80 percent of the dollar value of all loans to be included
in the risk management database. 

According to SBA's records, during the first 3 months of 1997,
lenders reported complete and accurate loan status data for only
about 50 percent of the guaranteed loans.  Officials of SBA's fiscal
and transfer agent told us that some of the initial data problems
occurred because (1) many lenders were not notified of the new
reporting requirements due to wrong mailing addresses in SBA's
records or (2) lenders misunderstood the reporting requirements.  The
officials also told us that the chance of data errors would be
significantly reduced if lenders submitted data in digital
form--files submitted using diskettes or electronic data
transfers--rather than paper documents.  About 75 percent of the
loans are reported by lenders using paper documents. 

To reduce data quality problems, the fiscal and transfer agent
established controls to help identify incomplete and inaccurate data
from lenders.  These controls include (1) edit checks to identify
invalid data, such as missing data in required data fields or invalid
status codes and (2) comparisons of loans reported by lenders with
SBA's records to identify unreported loans.  If the controls identify
inaccurate or missing loan data, the fiscal and transfer agent sends
a notice to the lender requesting the needed data.  Officials of the
SBA fiscal and transfer agent told us that these controls have helped
reduce unreported loans from 43 percent (79,000) in January 1997 to
29 percent (54,000) in March 1997 out of the total SBA guaranteed
loans.  Similarly, we were advised that errors for reported loans
decreased from about 27,000 to about 24,500 during the same period. 

For underwriting characteristics data collected by its field offices,
SBA has developed edit checks to alert staff when they are entering
invalid data or not entering all required data for individual loans. 
However, SBA has not established any controls to alert managers when
data on defaulted loans are not entered or incomplete data are
entered into the database.  SBA's Chief Financial Officer agreed that
the addition of these controls would serve to increase the
reliability and integrity of the data, and agreed to look into
establishing controls for their database. 

The lack of effective controls may be attributed, at least in part,
to SBA not developing data quality standards.\4 Because SBA had to
develop the database within a few months and most of the data needed
were already captured in existing systems, SBA narrowly focused its
system development activities to begin with the development phase. 
Therefore, SBA did not perform many steps normally completed in the
definition phase of a project, including the development of data
quality standards.\5 Such standards define the timeliness, validity,
accuracy, and availability required for the intended system users to
rely on the data for program management and decision-making purposes. 
The standards also serve as a basis for establishing adequate
controls for data collection and processing.  Without data standards
and implementation of effective controls to meet the standards, SBA
can not ensure that data in the risk management database are
sufficiently timely and accurate for the system's intended purpose. 


--------------------
\4 The need for developing data standards, also referred to as data
requirements, has been specified in federal guidance, such as Federal
Information Processing Standards Publication 38, for many years.  The
definition of data requirements, as part of the data stewardship
function, is also specified by the Framework for Federal Financial
Management Systems issued by the Joint Financial Management
Improvement Program in January 1995.  One of the objectives of data
stewardship is to provide accurate, complete, timely, and reliable
information.  The framework establishes the requirements for all
federal financial systems and specifically covers guaranteed loan
system requirements. 

\5 The development of an automated information system is a
disciplined process with prescribed phases that should be completed. 
Successful system development normally proceeds through the following
phases:  (1) system planning and initiation, (2) requirements
definition and analysis of alternatives, (3) design and development,
(4) programming and testing, and (5) implementation.  There are a
number of planning activities associated with each phase. 


   ESSENTIAL PLANNING NOT
   PERFORMED FOR LOAN MONITORING
   SYSTEM
------------------------------------------------------------ Letter :5

SBA has not yet performed the essential planning needed to serve as a
basis for funding the development phase of the proposed loan
monitoring system.  SBA has not conducted any benchmarking studies,
defined system requirements, identified alternatives, or prepared
benefit/cost or return-on-investment analyses on the alternatives. 
Because SBA has performed limited planning, this proposed information
system investment does not meet the OMB criteria for funding in
fiscal year 1998. 

SBA officials told us that, although this project was in the early
conceptual phase when the fiscal year 1998 budget request was
submitted, funds were requested because SBA needed to move quickly to
develop a system to meet increasing responsibilities for lender
monitoring.  In addition to SBA's plans to increase use of lenders
for servicing and liquidating loans, the Small Business Programs
Improvement Act of 1996 gave lenders increased authority to service
and liquidate loans without prior SBA approval.  With this increased
reliance on lenders and the need to monitor their activities, SBA
requested funds to develop a system even though the planning had not
yet been performed to define the system. 

SBA's planning for the loan monitoring system does not meet OMB's
criteria for funding information system investments.  In implementing
the information technology investment requirements of the
Clinger-Cohen Act of 1996, OMB specified eight criteria that major
information system investments should meet for funding in the fiscal
year 1998 budget (see appendix II).  Four of the criteria relate to
capital planning, one concerns the use of an information architecture
to align information technology with mission goals, and three concern
risk management.  In comparing SBA planning actions to these
criteria, we found that SBA has not performed the planning or
analyses needed to demonstrate that the loan monitoring system will
meet three of the criteria.  SBA has not performed the work needed to
(1) simplify or redesign work processes, (2) demonstrate a positive
return on investment, or (3) ensure that the proposed system is
consistent with the agency's information architecture.  Without
performing the planning actions to comply with the Clinger-Cohen Act,
SBA increases the risk that the loan monitoring system will not
effectively meet its mission goals or provide the best return on
investment. 

Concerning work processes, SBA has not yet analyzed the work
processes associated with lender monitoring or benchmarked them
against other organizations' work processes to determine whether the
processes need to be simplified or redesigned to improve efficiency
and effectiveness.  Subsequent to the budget submission, SBA
officials began looking at processes and systems used by other
organizations to monitor lenders' loan servicing activities. 
According to an SBA official involved in this effort, SBA learned
that the proposed loan monitoring system project may be much more
complex and costly than initially envisioned.  For example, other
organizations studied use various approaches to collect loan
information electronically from lenders, while SBA's lenders provide
loan information primarily on paper documents--as mentioned earlier,
about 75 percent of the time.  Nevertheless, SBA has not performed
formal benchmarking studies or analyses of alternatives to serve as a
basis for making system requirements decisions. 

Concerning demonstrating a positive return on investment, SBA's
fiscal year 1998 budget request stated that requiring lenders to
service and liquidate loans, requiring lenders to liquidate business
chattel prior to SBA purchase, and increasing SBA oversight will
result in a reduced subsidy rate for the guaranteed loans and a
reduced need for appropriations in fiscal year 1998 of $44.2 million. 
However, SBA does not have any studies or analyses to support this
estimate, according to the Deputy Chief Financial Officer.  In
addition, SBA views the $18 million requested as the fiscal year 1998
portion of the project, and as the functional and technology
requirements are further defined, remaining costs associated with the
project in fiscal year 1999 and beyond will be known. 

Finally, SBA has not yet defined its requirements, analyzed
alternatives to meet the requirements, or completed other actions
needed to propose a specific system that would be consistent with its
information architecture.  An SBA official responsible for this
system development effort stated that the agency is in the process of
further defining this project and plans to hire a contractor to
perform a requirements analysis. 


   CONCLUSIONS
------------------------------------------------------------ Letter :6

SBA has made progress in establishing a risk management database,
collecting the required data, and arranging for reporting
capabilities.  However, until SBA establishes data quality standards
for the database and effectively implements the controls needed to
ensure that the data are sufficiently timely and accurate, the
database will be unreliable and will not meet the intent of the Small
Business Programs Improvement Act of 1996. 

While SBA's proposal for a loan monitoring system has merit, the
agency has not performed the necessary planning mandated by the
Clinger-Cohen Act to provide a solid basis to begin developing such a
system.  Because SBA has not performed the work needed to simplify or
redesign work processes, demonstrate a positive return on investment,
or ensure that the proposed system is consistent with the agency's
information architecture, it faces increased risk that the
development will fall short of expectations and result in a system
that does not effectively and efficiently meet its objectives. 


   RECOMMENDATIONS
------------------------------------------------------------ Letter :7

We recommend that the Administrator of the Small Business
Administration establish data quality standards for the risk
management database and implement a system of controls to ensure
compliance with the standards.  For the proposed loan monitoring
system, we recommend that the Administrator not proceed with funding
the system development until adequate plans are prepared in
accordance with the Clinger-Cohen Act and OMB's criteria for fiscal
year 1998 information technology investments.  Further, in developing
the plans, we recommend that the Administrator

  -- benchmark loan monitoring business processes and systems against
     comparable processes used by other organizations and, if
     appropriate, simplify or redesign work processes;

  -- analyze the benefits and costs of the alternatives and use these
     to demonstrate that the project will have a positive
     return-on-investment; and

  -- ensure that the proposed information system is consistent with
     the agency's information architecture. 


   AGENCY COMMENTS AND OUR
   EVALUATION
------------------------------------------------------------ Letter :8

SBA's comments and our evaluation are summarized below, and the
comments are reprinted in appendix III.  SBA was concerned about our
findings and conclusions and suggested that the report be revised
significantly.  We disagree and have not substantially revised our
report. 

Concerning the status of the development and implementation of the
risk management database, SBA asserted that it has taken reasonable
and prudent actions to meet the deadline for the congressionally
mandated project.  SBA said our use of the Clinger-Cohen Act as a
benchmark for evaluating the project is not justified since the act
does not address congressionally mandated projects, especially those
with extremely challenging deadlines. 

Although we did not use the Clinger-Cohen Act in our discussion of
SBA's efforts to develop the risk management database because its
development was substantially completed, it does apply to all
information system projects whether or not they are congressionally
mandated.  Our report focuses on a factual analysis of the status of
SBA's efforts to develop the risk management database in order to
meet the requirements of the Small Business Programs Improvement Act
of 1996. 

SBA stated that the congressional deadline to complete the risk
management database precluded its ability to undertake a proper level
of system analysis, including establishment of data accuracy and
reliability standards.  SBA said it decided to rely principally on
loan data maintained in existing agency databases, supplemented by
limited underwriting data to be captured by its field offices.  The
agency provided some information on its efforts to capture data over
the past year, and said it believes its actions to use the fiscal and
transfer agent will result in accurate and timely data being input
into the risk management database.  SBA also noted that it plans to
enhance the quality of the data and identify other ways that the data
can be used to assess the portfolio risk.  With regard to our
recommendation to establish data quality standards and implement a
system of controls to ensure compliance with the standards, SBA's
Chief Financial Officer agreed that controls would serve to increase
the reliability and integrity of the data and agreed to look into
establishing controls for the risk management database. 

Concerning whether SBA has performed the planning needed to serve as
the basis for funding the development of the proposed loan monitoring
system, SBA said the Clinger-Cohen Act was passed late last year and
imposes many new requirements on agencies as they plan for future
technology investments.  SBA asserted that it is aggressively
implementing the Clinger-Cohen Act, but believes it is premature to
apply the standards of the act so strictly considering its recent
enactment and evolving implementation.  Also in this regard, SBA
disagreed with our recommendation that the Administrator not proceed
with funding the system development until adequate plans are prepared
in accordance with the Clinger-Cohen Act and OMB's criteria for
fiscal year 1998 information technology investments. 

We disagree with SBA's contention that it is premature to apply the
Clinger-Cohen Act.  The requirements of the act were well known
before SBA submitted its fiscal year 1998 budget request.  The act
was signed into law over a year ago on February 10, 1996, and became
effective on August 8, 1996.  We believe that SBA should be complying
with the act so that it effectively manages its information
technology investments.  In addition, many of the rudimentary
planning actions necessary for effective system development
efforts--such as adequately defining systems requirements, analyzing
alternative ways of meeting requirements including alternative system
designs, and analyzing the benefits and costs of the
alternatives--have been required for many years by OMB circulars
(particularly A-130 and A-11), Federal Information Resources
Management Regulations, Federal Information Processing Standards, and
other federal guidance. 

As to SBA's disagreement with our recommendation, we believe that it
is imperative that SBA perform the essential planning before funding
the development phase because this system will directly support SBA's
mission activities related to monitoring lenders' servicing of
billions of dollars of guaranteed loans.  The Clinger-Cohen Act
established requirements aimed at increasing the assurance that
investments in information technology help agencies meet their
mission goals and provide the best return on investment.  In this
regard, SBA has not performed the work needed to (1) simplify or
redesign work processes that this system will support, (2)
demonstrate a positive return on investment, or (3) ensure that the
proposed system is consistent with the agency's information
architecture.  As a result, it faces increased risk that the
development will fall short of expectations and result in a system
that does not effectively and efficiently meet its objectives.  We
believe that the $9.5 million information system investment planned
for fiscal year 1998, considered by SBA to be the initial portion of
a yet to be determined total investment, to be a substantial sum that
should be committed to developing the system only after the necessary
planning is completed and the project is shown to be a prudent use of
funds. 

SBA said that we made no reference to the planning effort each year
to produce a 5-year information technology plan.  According to SBA,
this plan documents its overall information technology strategy and
details the specific developmental efforts planned for the upcoming
years.  As part of our work, we reviewed SBA's latest 5-year
information technology plan.  We note that the proposed loan
monitoring system is not discussed in the latest plan, and therefore,
there is no need to discuss the plan in our report. 


---------------------------------------------------------- Letter :8.1

We are sending copies of this report to the Ranking Minority Member
of the Committee on Small Business; other interested congressional
committees; the Administrator, Small Business Administration; the
Director, Office of Management and Budget; and other interested
parties.  Copies will also be made available to others upon request. 

I can be reached at (202) 512-6408 or by e-mail at
willemssenj.aimd@gao.gov, if you or your staff have any questions. 
Major contributors to this report are listed in appendix IV. 

Sincerely yours,

Joel C.  Willemssen
Director, Information Resources Management


OBJECTIVES, SCOPE, AND METHODOLOGY
=========================================================== Appendix I

As requested by the Chairman of the Senate Committee on Small
Business, our objectives were to review (1) the status of SBA's
development and implementation of its risk management database, (2)
whether SBA has established adequate processes and controls to ensure
that the risk management database will contain complete and accurate
loan data, and (3) whether SBA has performed the planning steps
needed to serve as a basis for funding the development phase of the
proposed loan monitoring system. 

To ascertain the status of SBA's development and implementation of
its risk management database, we compared the database structure
developed by SBA to the requirements of the Small Business Programs
Improvement Act of 1996, interviewed SBA officials, and reviewed
project documentation.  To determine whether SBA had established
adequate processes and controls to ensure that the risk management
database will contain complete and accurate loan data as required by
the act, we identified the processes and controls used to ensure that
complete and accurate data are obtained and recorded from lenders and
SBA field offices on the status of loans.  We analyzed the processes
and controls using the requirements specified in the Federal
Information Processing Standards Publication 38 and the Framework for
Federal Financial Management Systems issued by the Joint Financial
Management Improvement Program in January 1995.  We also reviewed
summary records concerning reporting errors and missing data and
reviewed reports showing the results of tests of software
applications used to capture and enter data into the risk management
database.  SBA has a separate system from the risk management
database that is used to meet the requirements of the Credit Reform
Act.  We did not examine that system or the accuracy of data in the
system as part of our review. 

To determine whether SBA has performed the planning steps needed to
serve as a basis for funding the development phase of the proposed
loan monitoring system, we interviewed SBA officials and reviewed
documentation on the actions taken by SBA to develop the proposal for
the system.  We compared these actions to the criteria required by
the Office of Management and Budget for information technology
projects contained in the fiscal year 1998 budget request. 

We conducted our work at SBA headquarters in Washington, D.C., and at
offices of SBA's fiscal and transfer agent in New York, New York.  We
performed our work between March 1997 and May 1997, in accordance
with generally accepted government auditing standards. 

SBA provided written comments on a draft of this report.  These
comments are presented and evaluated in our report and are reproduced
in appendix III. 




(See figure in printed edition.)Appendix II
OMB CRITERIA FOR FUNDING
INFORMATION SYSTEMS
=========================================================== Appendix I



(See figure in printed edition.)



(See figure in printed edition.)




(See figure in printed edition.)Appendix III
COMMENTS FROM THE SMALL BUSINESS
ADMINISTRATION
=========================================================== Appendix I



(See figure in printed edition.)



(See figure in printed edition.)


MAJOR CONTRIBUTORS TO THIS REPORT
========================================================== Appendix IV

ACCOUNTING AND INFORMATION
MANAGEMENT DIVISION, WASHINGTON,
D.C. 

David G.  Gill, Assistant Director
Mirko J.  Dolak, Technical Asistant Director
James R.  Hamilton, Evaluator-In-Charge

*** End of document. ***