Federal Reports

We received an anonymous hotline complaint in January 2025 asking the Office of Inspector General to investigate a conflict of interest involving two senior CPSC officials at the Consumer Product Safety Commission.

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security (InfoSec) program, assess their compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2025 annual assessment.  In FY 2025, we assessed HUD at maturity level 3, consistently implemented, for its overall InfoSec program.  HUD has made incremental progress across its InfoSec program and should continue to take steps to improve the security of its IT systems and assets, which will lead to an increase in its FISMA maturity level.  We assessed HUD’s maturity across 25 metrics.  HUD scored 3.13 in the 20 core metrics that we have assessed every year since FY 2022, and it scored 2.67 in the 5 supplemental metrics that were first assessed in FY 2025.

We contracted with the independent public accounting firm of Sikich CPA LLC to audit the financial statements of HUD as of and for the fiscal year ending September 30, 2025, and to provide reports on HUD’s (1) internal control over financial reporting and (2) compliance with laws, regulations, contracts, and grant agreements and other matters, including whether financial management systems complied substantially with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA).  Our contract with Sikich required that the audit be performed in accordance with U.S. generally accepted government auditing standards, Office of Management and Budget audit requirements, and the Financial Audit Manual of the U.S. Government Accountability Office and the Council of the Inspectors General on Integrity and Efficiency. 

 In its audit of HUD, Sikich reported 

• A Disclaimer of Opinion on HUD’s financial statements as of and for the fiscal year ending September 30, 2025.  Management indicated in its written representations that it cannot assert to the fair presentation of the FY 2025 HUD financial statements. Since management could not make this assertion, Sikich was unable to express an opinion on the fair presentation of HUD’s financial statements.
• Two significant deficiencies for fiscal year 2025 in internal control over financial reporting, based on the limited procedures performed.  The significant deficiencies were related to internal control deficiencies identified by the HUD AIR Program and internal control deficiencies over FHA’s loans receivables.   
• No reportable noncompliance issues for fiscal year 2025 with provisions of applicable laws, regulations, contracts, and grant agreements or other matters.
• Due to the matter discussed in the Basis for Disclaimer of Opinion paragraph, Sikich was unable to obtain sufficient evidence to conclude whether HUD substantially complied with FFMIA. 

In connection with the contract, we reviewed Sikich’s reports and related documentation and questioned its representatives.  Our review, as differentiated from an audit of the financial statements in accordance with U.S. generally accepted government auditing standards, was not intended to enable us to express and we do not express opinions on HUD’s financial statements or conclusions about (1) the effectiveness of HUD’s internal control over financial reporting; (2) HUD’s compliance with laws, regulations, contracts,  and grant agreements or other matters; or (3) whether HUD’s financial management systems complied substantially with the three FFMIA requirements.  Sikich is responsible for the attached Independent Auditors’ Report, dated December 18, 2025, and the conclusions expressed therein.  Our review disclosed no instances in which Sikich did not comply, in all material respects, with U.S. generally accepted government auditing standards. 

HUD’s financial statements are included in HUD’s Agency Financial Report, which can be found at - https://www.hud.gov/sites/dfiles/CFO/documents/afr2025.pdf.

We contracted with the independent public accounting firm Sikich CPA LLC to audit the financial statements of Ginnie Mae as of and for the years ending September 30, 2025 and 2024, and to provide reports on Ginnie Mae’s (1) internal control over financial reporting and (2) compliance with laws, regulations, contracts, and grant agreements and other matters. Our contract with Sikich required that the audit be performed in accordance with U.S. generally accepted auditing standards, Office of Management and Budget audit requirements, and the Financial Audit Manual of the U.S. Government Accountability Office and the Council of the Inspectors General on Integrity and Efficiency. 

In its audit of Ginnie Mae, Sikich reported 

• That Ginnie Mae’s financial statements as of and for the fiscal years ending September 30, 2025 and 2024, were presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles.
• No material weaknesses or significant deficiencies for fiscal year 2025 in internal control over financial reporting, based on limited procedures performed.
• No reportable noncompliance for fiscal year 2025 with provisions of applicable laws, regulations, contracts, and grant agreements or other matters. 

 In connection with the contract, we reviewed Sikich’s reports and related documentation and questioned its representatives. Our review, as differentiated from an audit of the financial statements in accordance with U.S. generally accepted government auditing standards, was not intended to enable us to express and we do not express opinions on Ginnie Mae’s financial statements or conclusions about (1) the effectiveness of Ginnie Mae’s internal control over financial reporting and (2) Ginnie Mae’s compliance with laws, regulations, contracts, and grant agreements or other matters. Sikich is responsible for the attached Independent Auditors’ Report, dated December 18, 2025, and the conclusions expressed therein. Our review disclosed no instances in which Sikich did not comply, in all material respects, with U.S. generally accepted government auditing standards.

 When Ginnie Mae publishes its Annual Report, we will update this post to include this report and a link to Ginnie Mae's audited financial statements.

We found that the company has started upgrading its maintenance facilities to support its major fleet acquisitions, but challenges in planning and managing this effort have delayed its progress. As a result, some facilities will not be ready in time to service the company’s new trains, which could hinder its ability to fully operate the new equipment at their intended service levels. Instead, the company may need to store some new trains intermittently, which could postpone the capture of additional revenue. Further facility delays—which remain a risk—would add to the existing delays in fully operating its new fleets.

Two factors contributed to these circumstances. First, the company’s facility planning has significantly lagged behind its fleet planning despite the two efforts being closely interconnected. Second, the company is separately managing dozens of facility projects rather than managing them as a single, coordinated effort, as called for by company and industry standards.

We recommended that the company continue to develop a joint strategic fleet/facilities plan that defines company goals, timelines, and next steps. We also recommended that the company develop a management framework for its facility upgrades, including a risk management process.

Background

Business mailers accounted for approximately $16.2 billion of the Postal Service’s revenue through marketing and other large-scale mailings, of which $9.4 billion (58 percent) was generated through the PostalOne! application in fiscal year 2024. PostalOne! provides business mailers with a web-based alternative to manual business mail acceptance processes and interfaces with 45 different Postal Service systems to provide mailers a streamlined process for mail entry, payment, tracking, and reporting. As such, it is critical that changes to PostalOne! are communicated and managed effectively to avoid disruptions in service.

What We Did

Our objective was to determine whether the Postal Service appropriately implemented and communicated changes to PostalOne!.

What We Found 

The Postal Service generally communicated PostalOne! changes to mailers effectively by using available resources—such as websites, alerts, briefings, and meetings—and made further improvements to communications with mailers. Further, although the Postal Service mostly followed its approved processes for change and problem management, opportunities exist to improve these processes. Specifically, the Postal Service can improve closure of changes, closure of high and critical incident tickets, and after-action reporting of incidents. Strengthening controls in the management of changes to PostalOne! can improve customers’ ability to use the application and reduce potential security risks.

Recommendations and Management’s Comments

We made four recommendations for the Postal Service to improve its change request processes, resolution of critical and high incident tickets, and after-action reporting and management agreed with all four. We consider management’s comments responsive to all four recommendations as corrective actions should resolve the issues identified in the report. Management’s comments and our evaluation are at the end of each finding and recommendation.