The objective of this review was to perform an independent assessment of the Peace Corps’ information security program, including testing the effectiveness of security controls for a subset of systems as required, for FY 2017. Our results demonstrate that the Peace Corps lacks an effective information security program because of problems related to people, processes, technology, and culture. The Peace Corps needs to embrace a risk-based culture and place greater emphasis on the importance of a robust information security program by involving senior leadership, ensuring agency policies are comprehensive, and prioritizing the time and resources necessary to become fully compliant with Federal laws and eliminate weaknesses.

The Fiscal Year 2018 – 2020 Strategic Plan includes the long-range goals and objectives designed to enhance OIG oversight in support of the Peace Corps and its three goals.

We issued 12 audit recommendations in the 2013 audit report of Peace Corps/Zambia, all of which the post and the Office of the Chief Financial Officer implemented and we closed. However, during the follow-up audit we noted that the internal controls over the post’s financial and administrative operations required significant improvement to comply with agency policies and applicable Federal laws and regulations. Our report contains 21 recommendations directed to both the post and headquarters. At the post, our recommendations include implementing controls over fuel purchase and use, imprest funds, staff health insurance, disbursements, and security clearance for staff. We also recommend putting in place a contract with the auctioneer and enhancing controls over Volunteer allowances. We recommend that headquarters issue guidance on implementing internal controls over fuel purchase and use.