Title Full
FINANCIAL MANAGEMENT: Management Letter for the Deficiencies in Internal Control over Cash Management Systems at the Bureau of the Fiscal Service Identified during the Audit of the Department of the Treasury’s Consolidated Financial Statements for Fiscal Year 2025
Date Issued
Submitting OIG
Department of the Treasury OIG
Agencies Reviewed/Investigated
Department of the Treasury
Report Number
OIG-26-017
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
11
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 11 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
1-1 | Yes | $0 | $0 | The IPA recommended that Fiscal Service management reinforce policy requirements (through training or other means) for removing logical access of terminated and transferred Fiscal Service employees and contractors within 2 business days of their separation date.
1-2 | Yes | $0 | $0 | The IPA recommended that Fiscal Service management perform ongoing monitoring to hold responsible control performers accountable for timely completion of such control activities.
2-1 | Yes | $0 | $0 | The IPA recommended that Fiscal Service develop and implement documentation to assign responsibility for ensuring adequacy of UNIX and database security and baseline settings.
2-2 | Yes | $0 | $0 | The IPA recommended that Fiscal Service update existing UNIX and database configuration security baseline documents to ensure that these documents fully incorporate and enforce the components of the DISA STIGs. Management should document any deviations from the STIGs and note compensating controls that mitigate the security risk to an acceptable level.
2-3 | Yes | $0 | $0 | The IPA recommended that Fiscal Service develop, document, and implement policies, procedures, and controls to conduct periodic reviews of actual UNIX and database settings against the security configuration baselines.
2-4 | Yes | $0 | $0 | The IPA recommended that Fiscal Service provide logging and monitoring of security related events to include the retention of evidence of reviews performed.
2-5 | Yes | $0 | $0 | The IPA recommended that Fiscal Service develop a baseline of essential security settings and specify that baseline as the standard to be observed.
2-6 | Yes | $0 | $0 | The IPA recommended that Fiscal Service implement corrective actions to address all vulnerabilities associated with the baseline enforcement to include removing the three default user accounts on UNIX servers.
3-1 | Yes | $0 | $0 | The IPA recommended that Fiscal Service perform a review of the current system environment against the CMDB.
3-2 | Yes | $0 | $0 | The IPA recommended that Fiscal Service perform a risk assessment over the subject matter and determine the appropriate personnel to be responsible for monitoring and updating the CMDB.
3-3 | Yes | $0 | $0 | The IPA recommended that Fiscal Service update policy and procedures related to the above recommendations and disseminate the documentation to enforce such policy and procedures.
