eiv security awareness training

My Tickets Open a ticket Notifications Logout
ID Status Date Public/Private Industry AHACPA Contact
#14446 Closed public Multifamily Les Sparks
Customer Reply

a management company has requested proof that we attended this training, the security awareness training.  see attachment below.  I don’t believe we are required as auditors since we are not staff of owners or agents.  Can you help me on this?

thanks
Les Sparks
Craig the security training mentioned is specifically mandated for those who have access to all aspects of EIV reporting.  I am including below the section of the Handbook discussing the requirement.
9-20 Security Training
A. EIV users are required to complete online security training annually. To meet this requirement, EIV users must complete the online Cyber-Awareness Challenge (for DoD and Federal Personnel) training program. At the end of the training, EIV users must print and maintain the Certificate of Completion provided. The training can be found at http://iase.disa.mil/eta/index.html#onlinetraining.
EIV users authorized by owners to have access to EIV on their behalf may also need to complete the applicable online Security Awareness Training Questionnaire for Multifamily Housing Programs upon initial access to the system and annually thereafter.
B…
C. Owner and management agent staff who do not have access to EIV but who use EIV reports to perform their job function must have security training annually.
So, IPA’s have no access to EIV reports or actually have no access at all. Further, IPAs are NOT classed as an Owner or management staff. IPAs are a separate class of user and are not required to obtain the training. All that is required for IPAs is to sign the ROB.  If the training was required it would be listed in the list of items for IPAs.  Here is that list.
  1. 1. Official Purpose Includes:
    a. Owners, in connection with the administration of Multifamily Housing programs, for verifying the employment and income at the time of recertification and for reducing administrative and subsidy payment errors.
    b. CAs (PBCAs and TCAs) and HUD staff for monitoring and oversight of the access and mandatory use of the EIV system.
    c. IPAs, when hired by an owner to perform the financial audit of the project, for use in determining the owner’s compliance with verifying income and determining the accuracy of the rent and subsidy calculations.
    Restrictions on disclosure requirements for IPAs:
       (1) Can only access EIV income information within hard copy files and only within the offices of the owner or management agent;
       (2) Cannot transmit or transport EIV income information in any form;
       (3) Cannot enter EIV income information on any portable media;
       (4) Must sign non-disclosure oaths (Rules of Behavior for Non-system Users) that the EIV income information will be used only for the purpose of the audit; and
       (5) Cannot duplicate EIV income information or re-disclose EIV income information to any user not authorized by Section 435(j)(7) of the Social Security Act to have access to the EIV income data.
  2. NOTE: See the Glossary for the definition of Independent Public Auditor.
    d. OIG investigators for auditing purposes.
    e. Disclosure of EIV information to individuals who are assisting in the recertification process and who are present during the recertification interview and process. (See Section B above)
Every once in a while we get this question, but it is clear that such training is generally not required by most management companies. Nor is it a requirement.
Les Sparks
AHACPA
(801) 547-0809
From: “AHACPA Support” <support@ahacpa.org>
To: “Les Sparks” <les@ahacpa.org>
Sent: Tuesday, January 12, 2021 5:03:34 PM
Subject: eiv security awareness training

Write a reply

The ticket has been closed. If you feel that your issue has not been solved yet or something new came up in relation to this ticket, you can re-open it by clicking this link.
Item Status Opt-in Date Opt-out Date Action
Subject
Additional Information
Subject