Federal Reports

The Chief Financial Officers Act of 1990 requires the Inspector General to audit the agency’s financial statements each year, which is intended to help improve an agency’s financial management and controls over financial reporting. For FY 2025, the auditors issued an unmodified opinion on the FY 2025 consolidated financial statement of the Department. The auditors reported that the FY 2025 consolidated financial statement is presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles. In the Report on Internal Control over Financial Reporting, the auditors identified one material weakness and three significant deficiencies in internal control over financial reporting. In the Report on Compliance and Other Matters, the auditors reported no instances of noncompliance that were required to be reported under Government Auditing Standards or OMB Bulletin No. 24-02. Seven recommendations were made to the Department to address the internal control findings.  Management concurred with the findings and agreed to take action to address the recommendations.  See pages 84-96 for the report.

Semiannual Report to the Congress April 1, 2025 – September 30, 2025

In accordance with the Reports Consolidation Act of 2000, the OIG reports annually on the most serious management and performance challenges the U.S. Department of Education (Department) faces. For FY 2026, we identified five management challenges the Department faces as it continues its efforts to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access. These challenges are add (1) change management; (2) oversight and monitoring of grantees, (3) Oversight & monitoring of student financial assistance programs; (4) data quality and reporting, and (5) information technology security. The report includes a summary of each challenge, a brief assessment of the Department’s progress in addressing each challenge, and shares information on further actions that, if properly implemented, could enhance the effectiveness of the Department’s programs and operations.

This report was issued in conjunction with the Office of Inspector General for the Railroad Retirement Board's Semiannual Report to the Congress. It was incorporated by reference in the corresponding Semiannual Report which is available at the link below.

Due to the risk of harm to the Tennessee Valley Authority (TVA) from the loss or breach of private information held by a third party, we performed an audit of BlueCross BlueShield of Tennessee’s (BCBST) security controls.  Our audit objective was to determine if BCBST has controls in place to meet contract requirements for the protection of data held by the vendor on behalf of TVA.

We determined that BCBST has controls in place to meet the contract requirements for the protection of data held on behalf of TVA.  However, we identified wording in the contract that could be improved to avoid potential confusion.  TVA management agreed with our finding and incorporated improvements into the contract amendment effective January 1, 2026.

The report contains an unmodified opinion on Natural Resources Conservation Service’s financial statements as of September 30, 2025, as well as an assessment of NRCS' internal controls over financial reporting and compliance with laws and regulations.

The U.S. Consumer Product Safety Commission (CPSC) OIG retained KPMG, LLP (KPMG), an independent public accounting firm, to perform the independent audit of the CPSC’s financial statements for fiscal year (FY) 2025 in accordance with auditing standards generally accepted in the United States.  This report is contained in the CPSC’s Annual Financial Report which also contains the complete set of financial statements, management’s discussion and analysis, and required supplementary and other information.  KPMG found that the CPSC received a qualified or clean opinion.  However, the agency was found to have two material weaknesses, first identified in FY 2023; and one significant deficiency.

There continues to be an increased focus on supply chain risks in the Federal Government. In December 2020, the Government Accountability Office reported that a majority of the 23 agencies reviewed, which included the Department of Energy, had not implemented selected foundational practices for managing information and communications technology supply chain risks. In the Department’s case, information technology (IT) supply chain risk management (SCRM) is a particular challenge due to the diversity of its missions and decentralized operating environment.

We initiated this audit to determine whether the Department effectively managed its IT SCRM process.

We determined that the Department made progress in effectively managing its IT SCRM process, but opportunities for improvement existed to help ensure compliance with Federal and Department requirements. Specifically, we found issues related to the accuracy of the Department’s critical software inventory and insufficient assessments and reviews of potentially vulnerable suppliers. For example, the Department had not developed an accurate inventory of its critical software, which could have prevented it from protecting critical software, platforms, and data from unauthorized access. The Department also faced unknown SCRM risks because it did not always conduct assessments of technology acquisitions, including vendors with foreign ownership, control, or influence.

Without improvements to its SCRM process, the Department is vulnerable to potentially malicious, counterfeit, or vulnerable IT equipment or services. The inability to identify critical software quickly also places the Department at an elevated risk in the event of a compromise as it may be unable to rapidly respond to remediate vulnerabilities. Further, had entities routinely performed SCRM assessments and reviews, they may have increased awareness of supply chain risks involving certain vendors, resulting in different security decisions including implementing monitoring, conducting routine reviews of the vendor, or selecting a different vendor.

We suggest that the Department develop an accurate inventory of its critical software. In addition, we also suggest that three of the sites reviewed ensure that policies and procedures related to SCRM for IT acquisitions are developed and effectively implemented.