FINANCIAL MANAGEMENT: Management Letter for the Audit of the Department of the Treasury's Consolidated Financial Statements for Fiscal Years 2024 and 2023

Title Full

Date Issued

Friday, December 6, 2024

Submitting OIG

Department of the Treasury OIG

Agencies Reviewed/Investigated

Department of the Treasury

Components

Departmental Offices

Report Number

OIG-25-012

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 4 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1-1	Yes	$0	$0
The IPA recommended that Departmental Offices (DO) management review DO-910 and FARS SSP password setting requirements to determine if they apply to all layers of system technologies (e.g., application, database, and operating system). If necessary, consider specifying distinct password setting requirements for the different layer.
1-2	Yes	$0	$0
The IPA recommended that DO management implement password authentication controls at the FARS database in accordance with the minimum requirements set by DO-910 and the FARS SSP, to include the number of failed login attempts allowed.
2-1	Yes	$0	$0
The IPA recommended that DO management: Develop policies and procedures for performing the quarterly review and reauthorization of privileged OS access, which specify: How to document the review of user access for continued appropriateness and the resulting determinations. Assignment of individual(s) responsible for performing the review(s) across the various privileged OS domains/groups/accounts, who are independent of the access they review and are of the appropriate authority. Identification/Inventory of the privileged OS domains/groups/accounts that are subject to review, to include any privileged OS service groups/accounts.
2-2	Yes	$0	$0
The IPA recommended that DO management disseminate said policies and procedures to control performers and re-perform a review and reauthorization of privileged OS access that enforces independence from an individual reviewing their own access, includes OS service groups/accounts, and is documented/retained, in accordance with the established policies and procedures.