Federal Reports

Opportunities Exist to Strengthen Investment Management's Disclosure Review Program, Report No. 590

RMA Associates, LLC (RMA), under the oversight of the United States International Development Finance Corporation’s (DFC) Office of Inspector General (OIG), reviewed DFC’s compliance with the Payment Integrity Information Act of 2019 (PIIA) (Public Law 116-117) for the fiscal year (FY) ending September 30, 2025 in accordance with 1) the Office of Management and Budget (OMB) Memorandum M-21-19, Transmittal of Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement, 2) OMB Circular A-136, Financial Reporting Requirements, July 14, 2025; 3) Council of the Inspectors General on Integrity and Efficiency (CIGIE) Guidance for Payment Integrity Information Act Compliance Reviews, November 2025; and 4) the Government Accountability Office (GAO) Generally Accepted Government Auditing Standards (GAGAS).
We conducted this review in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the review to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our objectives.
 

In addition to the compliance criteria, we also reviewed DFC’s risk assessment process and efforts to prevent and reduce improper payments (IPs) and unknown payments (UPs). Our review was conducted from February 2026 through April 2026.
 

What We Concluded
RMA concluded that DFC complied with PIIA for FY 2025 (Table 1). DFC was compliant with requirements applicable to the agency for FY 2025. We noted that DFC performed risk assessments in FY 2025 using criteria defined by OMB Circular A-123 and conformed to this guidance for preventing and reducing IPs and UPs. We found DFC had completely and accurately reported payment recapture reporting information on PaymentAccuracy.gov.

This report transmits the results of the Federal Election Commission Office of the Inspector General fiscal year (FY) 2025 annual review of the FEC's compliance with the Payment Integrity Information Act of 2019 (PIIA).

The Department of Homeland Security Office of Intelligence and Analysis (I&A) and Office of the Chief Information Officer (OCIO) did not effectively manage and secure I&A mobile devices, resulting in vulnerabilities and a higher risk of cyberattacks, unauthorized access to sensitive information, and waste. • Two I&A-developed apps used to share intelligence with law enforcement and first responders had three vulnerabilities known to I&A but not remediated, risking exploitation.  • 76 percent of apps installed on I&A mobile devices pose security risks, are prohibited, or allow prohibited activities. • I&A and OCIO did not ensure I&A devices were authorized and protected for use outside of the United States, increasing the risk of exploitation by foreign adversaries. • I&A accounted for only 11 percent of mobile devices recorded in OCIO’s asset management system as issued to I&A staff, and OCIO did not properly sanitize disposed-of I&A mobile devices, risking protection of sensitive information.  • 27 percent of mobile device and 44 percent of mobile device management system security settings did not comply with DHS requirements, exposing devices to cybersecurity risks such as unauthorized access and data breaches. These deficiencies occurred in part because I&A did not address known vulnerabilities in mobile apps.  Additionally, OCIO did not establish or enforce security policies and procedures for mobile devices and supporting infrastructure, and in some cases had not identified vulnerabilities.  Also, I&A’s foreign travel policy was outdated, and OCIO had not implemented separate security controls for I&A devices used for international travel.   Data Access: OCIO denied us direct access to ServiceNow, which precluded an independent, comprehensive review of the data. 

Our objective was to determine whether NTIA has an adequate review process to ensure that states’ and territories’ plans meet the BEAD program’s planning phase requirements. We found that NTIA did not have an adequate review process to ensure that states’ and territories’ plans met the BEAD program’s planning phase requirements. Specifically, we found that NTIA did not have complete and accurate documentation to support its decisions for the BEAD program planning phase deliverables and experienced delays during its review of the required planning phase deliverables for the BEAD program grant awards.

We made five recommendations to NTIA to provide adequate oversight of its review of the deliverables and establish milestones or performance metrics for completing its reviews of planning phase deliverables. NTIA concurred with our recommendations and is working to implement them.