Open Recommendations
| Recommendation Number | Recommendation | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use |
|---|---|---|---|---|
| 1 | Revise NARA 161, NARA's Internal Control Program, to establish a process to periodically evaluate whether the prior-year risk assessment remains valid and appropriate to address significant organizational or operational changes. | No | $0 | $0 |
| 2 | Document through a written formal memorandum any periodic risk evaluations and the decision whether or not to update the last prior-year assessment to reflect the current risk environment. This memorandum should include a clear justification and documentation of the evaluation performed and be reviewed and approved by the Management Control Oversight Council to ensure appropriate oversight and accountability. | No | $0 | $0 |
| 3 | Establish NARA policy for reviewing System and Organization Controls (SOC) 1 Type 2 reports and evaluating complementary user entity controls (CUECs). This control-activity policy should be integrated into the agency's internal control over financial reporting framework and include: (a) identification and evaluation of CUECs; (b) assignment of responsibility; (c) assessment of control effectiveness; and (d) documentation and oversight. | No | $0 | $0 |
| 4 | Establish a written, formalized methodology for calculating materiality thresholds in accordance with Office of Management and Budget Circular A-123, Appendix A. | No | $0 | $0 |
| 5 | Ensure access request forms are resubmitted for the NARANet accounts noted in the audit finding. | No | $0 | $0 |
| 6 | Implement procedures (e.g., patching and correcting configuration weaknesses) to remediate security vulnerabilities identified by vulnerability scans within the remediation timeframes defined in the NARANet General Support System Common Controls System Security Plan, and document acceptance of the associated risks where remediation is not performed. | No | $0 | $0 |
| 7 | Conduct an assessment to: (1) identify applications running on unsupported platforms and their associated servers; (2) group applications and establish a migration schedule; and (3) migrate applications to vendor-supported platforms. For applications or operating systems that cannot be migrated, document the associated risks and obtain formal acceptance for continued operation. | No | $0 | $0 |
| 8 | Disable non-essential certificate service endpoints and web enrollment. Additionally, enable features that enhance the protection and handling of credentials when authenticating network connections. | No | $0 | $0 |
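As an added illustration of recommendation 8, and not part of the audit report: the report does not name the certificate platform or the credential-protection feature, so the script below assumes Active Directory Certificate Services (AD CS) on Windows Server with the ADCSDeployment and WebAdministration modules present, and takes the "features that enhance the protection and handling of credentials" to mean Extended Protection for Authentication (EPA) plus HTTPS-only access on the CertSrv web application. The `$webEnrollmentRequired` switch is a hypothetical placeholder for the business decision the recommendation asks NARA to make. Run it elevated on the CA host after reviewing `-WhatIf` output.

```powershell
# Added example (not from the audit report). Assumes AD CS on Windows Server and
# that EPA + HTTPS-only are the credential-protection features meant by the
# recommendation. Run elevated on the CA host; preview with -WhatIf first.
Import-Module ADCSDeployment
Import-Module WebAdministration

# Hypothetical decision flag: set to $true only if a documented workflow depends
# on the legacy /CertSrv web enrollment pages.
$webEnrollmentRequired = $false

# 1. Inventory: which AD CS role services are installed on this host?
#    Web-facing ones are ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc (CES)
#    and ADCS-Enroll-Web-Pol (CEP).
Get-WindowsFeature -Name 'ADCS-*' |
    Where-Object Installed |
    Select-Object Name, DisplayName |
    Format-Table -AutoSize

# 2. Remove the web enrollment endpoint when nothing depends on it.
$webEnroll = Get-WindowsFeature -Name ADCS-Web-Enrollment
if ($webEnroll.Installed -and -not $webEnrollmentRequired) {
    # Remove the role configuration, then the Windows feature, so the IIS
    # application cannot be re-enabled by accident.
    Uninstall-AdcsWebEnrollment -Force
    Uninstall-WindowsFeature -Name ADCS-Web-Enrollment
}
# CES/CEP are also HTTP endpoints; if unused, remove them the same way with
# Uninstall-AdcsEnrollmentWebService / Uninstall-AdcsEnrollmentPolicyWebService
# followed by Uninstall-WindowsFeature for ADCS-Enroll-Web-Svc / ADCS-Enroll-Web-Pol.

# 3. Harden any certificate web endpoint that must stay: require TLS and EPA
#    so Windows-authenticated credentials cannot be relayed to it over HTTP.
$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'
if (Test-Path $certSrv) {
    Set-WebConfigurationProperty -PSPath $certSrv `
        -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl'
    Set-WebConfigurationProperty -PSPath $certSrv `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name tokenChecking -Value 'Require'

    # 4. Record the resulting settings for the change ticket / audit evidence.
    Get-WebConfigurationProperty -PSPath $certSrv `
        -Filter 'system.webServer/security/access' -Name sslFlags
    Get-WebConfigurationProperty -PSPath $certSrv `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name tokenChecking
}
```

Keep the inventory output and the final property values with the remediation record: the first shows which endpoints existed before the change, the second shows that any endpoint retained now refuses plain HTTP and requires EPA tokens, which is the evidence an auditor closing this recommendation will ask for.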