Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of the Treasury
Emergency Rental Assistance Program (ERA2) - Questioned Cost Finding, State of Michigan
The EPA Needs to Develop and Implement Information Technology Processes to Comply with the Federal Information Security Modernization Act for Fiscal Year 2023
We concluded that the EPA achieved an overall maturity level of Level 3, Consistently Implemented, for the five security functions and nine domains outlined in the Office of Management and Budget's FY 2023 - 2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics. This means that the EPA consistently implemented its information security policies and procedures, but quantitative and qualitative effectiveness measures are lacking. We identified that the EPA had deficiencies in three areas.
Our objective was to evaluate the effectiveness of the Defense Intelligence Agency’s (DIA’s) overall information security program based on DIA’s implementation of the Federal Information Security Modernization Act. We issued our results in a classified report on August 2, 2024.
The Federal Information Security Modernization Act (FISMA) requires OIGs to annually assess the effectiveness of the agency’s information security program. Each independent evaluation must include a test of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems and an assessment of the effectiveness of the information security policies, procedures, and practices of the agency. For FY 2024, the auditors determined that the Department’s overall IT security program and practices are effective as eight out of the nine FISMA domains met the requirements needed to operate at a Level 4 maturity rating (Managed and Measurable) or higher. The auditors also identified a total of six conditions across the nine FISMA domains indicating potential areas of improvement for the Department.
The Postal Reorganization Act (PRA) of 1970 entrusted the Postal Service with a mission to provide trusted and affordable universal service to the American public. Congress established the U.S. Postal Service as an independent agency that receives the vast majority of its funding through revenue from postage. It is supported by the longstanding mailbox and mail delivery monopolies rather than from congressional appropriations. Over the last few decades, however, the steady decline of mail volume, the substantial liability of health and retirement benefit programs and, recently, an increasingly competitive package market have strained USPS’s financial sustainability.
We audited the California Department of Housing and Community Development (HCD) with the objective of evaluating HCD’s fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) program and assessing the maturity of its efforts to prevent, detect, and respond to fraud. Fraudulent activity in the ESG CARES Act program can lead to significant financial losses, reputational damage to the grantee and the U.S. Department of Housing and Urban Development (HUD), breach of fiduciary duty, and most importantly, loss of funding assistance to intended beneficiaries. A robust antifraud program will help ensure that pandemic grant funds are put toward their intended uses, funds are spent effectively, and assets are safeguarded. Congress provided $4 billion for the ESG CARES Act program, which represented a 1,379 percent increase to the regular 2020 annual ESG appropriation. Given the influx of funding, we initiated a series of audits examining ESG CARES Act grantees’ fraud risk management practices and evaluating whether selected ESG CARES Act grantees are adequately prepared to prevent, detect, and respond to fraud. HCD was selected because it was authorized more than $319.5 million in ESG CARES Act program funds, a 2,505 percent funding increase from its formula ESG allocation for fiscal year 2020. HCD was not adequately prepared to prevent, detect, and respond to fraud due to the lack of focus it placed on fraud risks and establishing a robust fraud risk management framework. Although HCD established a departmentwide enterprise risk management (ERM) framework, it was not robust enough to proactively identify fraud risks, and it was not developed with leading industry standards and best practices.[1] This deficiency resulted in the lowest desired maturity goal state – ad hoc – for the organization’s antifraud initiatives. 
HCD noted that it had limited resources to implement additional fraud risk measures. Further, HCD believed that it was not necessary to create a separate fraud risk management framework or build upon its existing ERM framework to incorporate fraud risk management practices. HCD’s management is responsible for managing fraud risk, including assessing the potential of fraud, and designing and implementing strategies to mitigate fraud risks. Because it placed little emphasis on identifying fraud risks under its ERM framework and did not improve its antifraud practices to rise to a higher fraud risk management maturity level, it put more than $319.5 million in ESG CARES Act funds at an increased risk of fraud. Although a well-designed fraud risk management framework is not infallible regarding fraud and risks of fraud, it is a powerful tool that can enhance management decision making, strengthen HCD’s reputation, and reinforce its commitment to safeguard HUD funding with regulators and the public. We recommend that HUD instruct HCD to (1) establish a separate fraud risk management framework or evaluate and build upon its ERM framework by incorporating fraud risk management practices and (2) obtain training or technical assistance on the implementation of fraud risk management practices.
[1] Chief Financial Officers Council’s Antifraud Playbook; the U.S. Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government, also known as the Green Book; and GAO’s A Framework for Managing Fraud Risks in Federal Programs.