Federal Reports

KPMG LLC conducted an annual independent audit to determine the effectiveness of the DOI’s FY 2025 FISMA programs and practices.

Final OIG Letter to OMB on FTC Charge Card Risk Assessment

The following is the U.S. Department of Housing and Urban Development (HUD), Office of Inspector General’s (OIG) Annual Work Plan (AWP) for Fiscal Year (FY) 2026. The OIG conducts audits and evaluations to prevent and detect fraud and abuse and promote the economy, efficiency, and effectiveness of HUD’s programs and operations. 

The AWP highlights audits and evaluations the OIG will initiate in FY 2026, as well as ongoing projects that continue from prior years. All of the projects span HUD programs and operations and take into account HUD’s Top Management and Performance Challenges we identified through our past oversight work, HUD’s priorities as described in its Annual Performance Plan for FY 2026, and recommendations for action we issued to HUD that remain open. The projects also encompass mandatory audits and evaluations required by laws or regulations. 

We organized the AWP by focus areas that correspond to the challenges described in our Top Management and Performance Challenges Report. These focus areas are:

• Improving Business Operations: Modernizing IT Systems and Streamlining Procurement 

• Protecting Taxpayer Funds from Fraud, Waste, and Abuse

• Modernizing the Management of Grant Funds 

• Ensuring the Availability of and Access to Affordable and Quality Housing 

We are committed to providing objective oversight to protect taxpayer funds from fraud and waste and to improve the efficiency and effectiveness of HUD’s programs and operations. As with any plan, the AWP is subject to periodic review and revision to address emerging programmatic issues, priorities, and resource changes and to respond to HUD requests or legislative mandates. One area of developing oversight is the OIG’s work in support of safer homes and communities as mandated by the President’s Executive Orders and Presidential Memoranda.

The Office of Inspector General engaged the independent public accounting firm Harper, Rains, Knight, & Company, P.A. (HRK) to conduct the annual Federal Information Security Modernization Act (FISMA) evaluation and complete the FY 2025 Inspector General (IG) FISMA Reporting Metrics.  

The objective of the evaluation was to assess the effectiveness of the Commission's information security program and practices for FY 2025.  HRK determined the Commission’s maturity levels were consistently implemented and its information security program and practices were effective.

HRK identified one new finding with three corresponding recommendations.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

The VA Office of Inspector General (OIG) conducted an inspection to evaluate allegations concerning patients’ data security and related oversight practices within the national cancer prevention, treatment, and research program and Office of Research & Development (ORD). The OIG identified additional concerns related to a Veterans Health Administration (VHA) project not submitted to an Institutional Review Board (IRB) and the process for reviewing a protected health information (PHI) breach.

The OIG did not substantiate that the national cancer prevention, treatment, and research program Executive Director categorized projects as operational to bypass IRB review. However, the OIG found that a collaborative project between VHA and non-VHA investigators was not submitted to a VHA IRB for approval. 

The OIG substantiated that the Executive Director of Operations for a national cancer testing program and project staff did not deidentify a data file before sharing with non-VHA investigators. The OIG review of the data file found a significant amount of data containing PHI. The Executive Director of Operations also did not recognize the extent of PHI disclosed. 

The OIG did not substantiate that the Executive Director of Operations for a national cancer testing program and an ORD privacy officer did not take action to review privacy concerns of a potential breach of PHI (privacy event). However, the privacy officer did not enter the privacy event into the tracking system or report the event to a VHA privacy officer timely. The Data Breach Response Service director reviewed the privacy event and determined it was not a data breach.

The OIG made six recommendations for VHA to ensure IRB review of the project and corrective actions address issues for determination of research project designation, privacy reporting and data disclosure, and national cancer prevention, treatment and research program staff receive training on IRB submission and privacy requirements.