Federal Reports

What Was Reviewed 

The U.S. International Development Finance Corporation Office of Inspector General (OIG) contracted with the independent public accounting firm RMA Associates, LLC (RMA) to audit DFC’s charge card program in accordance with Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act). The Charge Card Act requires the OIG to conduct periodic reviews of DFC’s charge card program for illegal, improper, or erroneous transactions to prevent fraud, delinquency, or misuse. 

The objectives of this audit were as follows: 

1. To determine the scope, frequency, and number of audits or reviews, conduct a risk assessment to assess, identify, and analyze the risks of illegal, improper, or erroneous purchases and payments within DFC’s charge card program. 

2. Address the requirements of the Charge Card Act, OMB and General Services Administration (GSA) requirements and standards. 

What Was Found 

In its audit of DFC, RMA found that DFC implemented an effective Government Charge Card Program for FY 2024. As a result, there were no recommendations. RMA concluded that based on the results of their review of the current information, the results of their sample testing, and Appendix B guidance, that the next audit of the charge card program should be in FY 2026 for FY 2025 transactions. There were no prior year recommendations findings and all recommendations prior to 2022 were closed.

Report on the results of our performance audit of the Maryland State Arts Council (MSAC) for the period of August 1, 2021 through July 31, 2024. During this period the National Endowment for the Arts (Arts Endowment) closed four MSAC awards, totaling $4,545,800 in Arts Endowment funds and $24,614,504 in total reported costs. 

U.S. Customs and Border Protection (CBP) did not effectively manage and secure its mobile devices, resulting in vulnerabilities and higher susceptibility to cyberattacks, potential unauthorized access to law enforcement and operational sensitive information, and waste and abuse from under- or over-usage.  Specifically, we found that CBP did not: • Consistently implement required security settings to protect its mobile devices or mitigate risks from applications installed on these devices; • Use its mobile device management system to fully manage and secure its mobile devices; • Address software vulnerabilities within the mobile device management system; • Increase monitoring and protection for devices used outside the United States, which are at a higher risk of cyberattacks; • Perform required steps to reduce risks associated with the disposal, loss, or theft of its mobile devices; and • Monitor its mobile devices for under- or over-usage. CBP allowed mobile devices to operate without completing a security authorization process to ensure required security controls; did not establish or implement sufficient security policies and processes; relied on unclear or contradictory guidance; and did not address its increased mobile device losses.  Moreover, the Department did not provide oversight to ensure that CBP fulfilled DHS requirements for monitoring mobile devices outside the United States and CBP did not enforce its policies.   

In 2015, the Environmental Protection Agency issued the Coal Combustion Residuals (CCR) rule, which included requirements for addressing the risks from coal ash disposal.  The Tennessee Valley Authority (TVA) updated the program funding for its CCR management program in 2015 to address compliance with the CCR rule and in 2017 began developing a site-specific project to address coal ash at Gallatin Fossil Plant.  The Gallatin Ash Pond Complex Closure and Restoration (Gallatin Ash) project activities include (1) construction, operation, and closure of on-site lined landfills; (2) excavation and disposal of approximately 14 million cubic yards of CCR from Gallatin Fossil Plant; and (3) closure of the legacy ash site and coal yard, along with other site restoration work. 

The project was first approved for implementation by the Project Review Board in February 2018 with a total estimated project cost of approximately $899 million.  As of July 2024, the total estimated project cost had increased to approximately $1.64 billion, an increase of approximately 82 percent.  Because of the costs associated with this project, we assessed the management of project costs. 

We determined cost management for the Gallatin Ash project needed improvement related to the development of the project estimate and monitoring and tracking of project change requests (PCRs).  Specifically, the project estimate (1) did not include the complete scope of work and (2) was not developed using definitive costs as required.  As a result, the initial implementation project estimate was significantly understated.  Some PCRs submitted by contractors lacked adequate detail to determine if project cost increases were reasonable.  In addition, PCRs were not prepared for cost increases resulting from inaccurate project estimates. During the review, we also identified confidential contractor information that was shared by TVA project management with another contractor, creating reputational and liability risks for TVA.

The Department of Homeland Security Headquarters (HQ) did not adequately secure a non-Tier 1 High Value Asset (HVA) system used to support data analysis and reporting on DHS component operations, which rendered the system and its sensitive information vulnerable to cyberattacks. Although DHS HQ developed policies and procedures meant to reduce risks to sensitive information stored on the HVA system and effectively implemented certain controls, we determined the system did not meet security requirements.  We identified nine unique critical and high-risk vulnerabilities that appeared 182 times in the system and, through simulated cyberattack penetration testing, were able to exploit vulnerabilities.  The vulnerabilities we identified pose significant security risks, increasing the likelihood an attacker could gain access to sensitive information. These deficiencies demonstrate that DHS HQ needs to strengthen its management of the HVA system.  Ensuring the system complies with the Department’s security and privacy policies will better protect the sensitive information processed by the system.  Until these deficiencies are addressed, DHS HQ may not be equipped to protect the HVA system and cannot ensure it will be able to quickly respond to and recover from a cyberattack. 

The U.S. Postal Service has been transporting live, day-old poultry since 1918. “Day-old poultry” is defined as day-old chickens, ducks, emus, geese, guinea birds, partridges, pheasants, quail, and turkeys. As the primary shipper for these time-sensitive shipments, or “lives,” the Postal Service provides an essential service for hatcheries, farmers, feed stores, and backyard hobbyists. Last year, the Postal Service handled over 41 million lives through its air network alone.

To ensure safe, effective, and efficient transportation, the Postal Service requires mailers of live animals to comply with established guidelines. In turn, the Postal Service prioritizes shipment of lives through its processing and logistic networks.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to review allegations regarding internal endocrine consult management, endocrine clinic utilization, and patient access to gender-affirming hormone therapy (GAHT) at the VA Fayetteville Coastal Healthcare System (system) in North Carolina. The OIG also reviewed leaders’ awareness of and response to these concerns.

The OIG substantiated that the chief of medicine (COM) did not effectively manage internal consults. Specifically, the COM did not communicate endocrine consult management process changes to key stakeholders, did not process consults according to Veterans Health Administration (VHA) timeliness requirements, canceled a large volume of consults without communicating to sending providers, converted face-to face consults to e-consults without providing a mechanism for sending providers to communicate concerns, and delayed implementation of a required service line agreement. 

The COM’s deficient management of endocrine consults negatively impacted endocrine clinic utilization and resulted in provider-created workarounds and patients not receiving timely endocrine appointments. From February through early October 2024, patient access to GAHT was delayed because of the COM’s actions, resulting in adverse clinical outcomes. The OIG found the COM’s interpersonal communication skills did not reflect the high reliability organization (HRO) values of clear communication and respect for others, and negatively affected system staff across multiple services.

The OIG made one recommendation to the Veterans Integrated Service Network Director to review the leadership performance of the COM, and six recommendations to the System Director related to reviewing the endocrine consult management process, reviewing patients affected by delayed endocrine consults, ensuring service line agreements are developed, confirming effective utilization of endocrine clinic appointments, ensuring there is a process for monitoring and tracking clinic profile modification requests, and evaluating communication gaps between leaders to comply with HRO goals.