Federal Reports

The U.S. Consumer Product Safety Commission (CPSC) OIG retained KPMG, LLP (KPMG), an independent public accounting firm, to perform the independent audit of the CPSC’s financial statements for fiscal year (FY) 2025 in accordance with auditing standards generally accepted in the United States.  This report is contained in the CPSC’s Annual Financial Report which also contains the complete set of financial statements, management’s discussion and analysis, and required supplementary and other information.  KPMG found that the CPSC received a qualified or clean opinion.  However, the agency was found to have two material weaknesses, first identified in FY 2023; and one significant deficiency.

Due to the risk of harm to the Tennessee Valley Authority (TVA) from the loss or breach of private information held by a third party, we performed an audit of BlueCross BlueShield of Tennessee’s (BCBST) security controls.  Our audit objective was to determine if BCBST has controls in place to meet contract requirements for the protection of data held by the vendor on behalf of TVA.

We determined that BCBST has controls in place to meet the contract requirements for the protection of data held on behalf of TVA.  However, we identified wording in the contract that could be improved to avoid potential confusion.  TVA management agreed with our finding and incorporated improvements into the contract amendment effective January 1, 2026.

The U.S. Small Business Administration (SBA) Office of Inspector General contracted with the independent certified public accounting firm KPMG LLP to conduct an audit of SBA’s consolidated balance sheet as of September 30, 2025 and the related notes. KPMG was not engaged to audit the consolidated statement of net cost, consolidated statement of changes in net position, and combined statement of budgetary resources. Our contract required KPMG to conduct the audit in accordance with Government Auditing Standards and Office of Management and Budget Bulletin No. 24-02, Audit Requirements for Federal Financial Statements.

KPMG issued a disclaimer of opinion on the consolidated balance sheet as of September 30, 2025. A disclaimer means that an auditor was unable to obtain sufficient information to determine whether the organization’s financial statements were accurate. The basis for the disclaimer was that because of control deficiencies identified, SBA was unable to provide adequate evidential matter in support of a significant number of transactions and account balances related to the Paycheck Protection Program and Economic Injury Disaster Loan programs. Additionally, management was unable to provide sufficient appropriate audit evidence to support the data used to develop assumptions used in the subsidy allowance estimate for SBA’s direct loan and loan guaranty programs.

During the audit, KPMG identified four material weaknesses and one significant deficiency in internal control over financial reporting. Material weaknesses are a serious concern that an organization’s financial reporting controls are not effective to detect major errors or fraud. We note that SBA made considerable progress addressing prior year audit findings, resulting in the successful remediation of two material weaknesses (controls over general information technology and controls over the evaluation of service organizations) and the downgrading of one material weakness (controls over monitoring Restaurant Revitalization Fund and Shuttered Venue Operators Grant programs) to a significant deficiency. Appendices I and II of this report describe details of KPMG’s conclusions about the material weaknesses and significant deficiency. KPMG also identified three instances of noncompliance with applicable laws or other matters, which are discussed in Appendix III of this report.

Why We Did This Report

This report describes an issue that the U.S. Environmental Protection Agency Office of Inspector General identified during its audit of the U.S. Infrastructure Investment and Jobs Act-funded IRL Council for the Indian River Lagoon National Estuary Program grant program.
 

Summary of Findings

The EPA OIG found that the IRL Council did not complete or submit any of the required Federal Financial Reports, or FFRs, for the first two years of its award and stated the reason was that the EPA did not request annual FFRs. This raised concerns that the EPA was not requiring any National Estuary Program, or NEP, award recipients to submit FFRs annually as mandated by 2 C.F.R. § 200.328.

Today, the U.S. Consumer Product Safety Commission Office of Inspector General released their semiannual report for the reporting period ending September 30, 2025.  The report is part of the semiannual requirement to communicate OIG oversight activities of the CPSC to Congress and the American people.

Due to the importance of protecting the Tennessee Valley Authority’s (TVA) operations from external cyber events, we performed an audit of TVA’s transmission control center network cybersecurity. The audit objective was to determine if TVA has sustainable processes for identifying, implementing, and managing the network architecture to reduce the overall cybersecurity risk to TVA resources in their transmission networks.  The audit scope was limited to TVA’s transmission control center network.  We made one recommendation to TVA management. The specifics are being withheld from public release due to their sensitive nature in relation to TVA’s cybersecurity.