Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Appalachian Regional Commission
Semiannual Report to Congress - October 1, 2024 to March 31, 2025
The Office of the Inspector General performed an audit to determine if the Tennessee Valley Authority’s (TVA’s) corporate deployment of Microsoft 365® was configured to require and enforce the use of multi-factor authentication (MFA) for all accounts. Our scope was limited to MFA managed through Microsoft Entra® ID. We determined TVA has required and enforced the use of MFA for all accounts with limited exclusions for service accounts. Additionally, we reviewed a sample of service accounts and determined they were approved and documented in accordance with the applicable tech standard. However, we identified internal control deficiencies related to MFA enforcement access policies and MFA applicability to enterprise applications. Specifically, we found (1) an MFA enforcement access policy applicable to 26 of 2,448 enterprise applications was not fully implemented in accordance with the applicable TVA tech standard and identified best practices, and (2) 1,802 of 2,448 enterprise applications were not covered by an MFA enforcement access policy.
This report specifically identifies Microsoft, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified. Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.
Termination Memorandum – Audit of the Department of the Treasury’s Pre-Award Process for the State Small Business Credit Initiative (SSBCI) Main Capital Allocation and Distribution for States and U.S. Territories
Performance Audit of the U.S. Nuclear Regulatory Commission’s Compliance with the Requirements of the Payment Integrity Information Act of 2019 for Fiscal Year 2024
The objective of our audit was to assess the NRC’s compliance with the Payment Integrity Information Act of 2019 for fiscal year 2024 in accordance with Office of Management and Budget Memorandum M-21-19, Appendix C to OMB Circular No. A-123, Requirements for Payment Integrity Improvement, dated March 5, 2021. The OIG found that the NRC complied with the requirements of the Payment Integrity Information Act of 2019 for Fiscal Year 2024.
Performance Audit of the Defense Nuclear Facilities Safety Board’s Compliance with the Requirements of the Payment Integrity Information Act of 2019 for Fiscal Year 2024
Closeout Audit of Business Excellence for Sustainability and Transparency Project in Mongolia, Managed by Development Solutions NGO, Cooperative Agreement 72043820CA00001, January 1 to December 1, 2024