Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Department of Energy
The Department of Energy’s Cybersecurity and Information Technology Governance Program
This audit, performed by KPMG LLP (KPMG) on behalf of the Department of Energy Office of Inspector General (OIG), examined the Department’s cybersecurity and information technology (IT) governance program.
The audit’s objective was to determine whether the Department developed and implemented a governance structure over its cybersecurity and IT activities.
In contracting with an independent audit firm and drawing from the results of the audit, auditing standards require the OIG to review the work performed. Accordingly, the OIG oversaw the audit and reviewed the results. Our review disclosed no instances where KPMG did not comply, in all material respects, with generally accepted government auditing standards.
KPMG identified eight areas for improvement to the Department’s cybersecurity and IT governance program. Specifically, KPMG identified findings related to areas such as outdated contracts, policies, and/or requirements to include standard terms and conditions for prime and subcontractors. In addition, the Department had not fully implemented an enterprise data strategy, risk monitoring program, or comprehensive enterprise information system inventory to include those with personally identifiable information. Further, improvements were needed for ensuring compliance with Federal requirements, developing a comprehensive workforce assessment, and verifying the completeness and accuracy over various requests for data from Department elements.
KPMG made 11 recommendations to the Department to address the report’s 8 areas for improvement. These areas include enterprise-level approaches for ensuring that the most recent Federal cybersecurity and IT governance requirements are implemented in a more timely manner and contractually required; that enterprise-level areas, such as a data strategy, risk monitoring, and systems inventories, are formalized and/or completed; and that data call information is verified for completeness and accuracy.
The Department concurred with each of the 11 recommendations and planned to take corrective actions.
The Office of Inspector General is tasked with ensuring efficiency, accountability, and integrity in the U.S. Postal Service and its regulator, the Postal Regulatory Commission (PRC). We also have the distinct mission of helping to maintain confidence in the mail and postal system, as well as to improve USPS's bottom line. We use audits and investigations to help protect the integrity of the Postal Service and the PRC. Our Semiannual Report to Congress presents a snapshot of the work we did to fulfill our mission for the six-month period ending March 31, 2026. Our dynamic report format provides readers with easy access to facts and information, as well as succinct summaries of the work by area. Links are provided to the full reports featured in this report, as well as to the appendices.
Peace Corps OIG's Semiannual Report to Congress describes OIG's work in identifying significant findings relating to the Peace Corps' administration programs and operations at both headquarters and overseas posts during the semiannual reporting period from October 1, 2025, through March 31, 2026.
The VA OIG’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to three high-risk control areas: configuration management, security management, and access. For this inspection, the OIG selected the VA Saginaw Healthcare System in Michigan and found deficiencies in all three areas.
Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in system baseline configurations and in vulnerability scanning and remediation, and unauthorized software was hosted on the network.
Security management controls had one deficiency. Although a physical security issue had been previously identified, OIT staff had not developed a plan of action to address it.
Access controls had five deficiencies. The OIG found that the healthcare system staff did not implement required controls for privileged accounts, did not maintain audit logs for local databases, did not consistently verify and document the identity of vendors or contractors before granting them access to systems, and did not ensure all networked medical devices were protected by access control lists for their virtual local area networks. The team also identified fire hazards in two telecommunications rooms. As a result, the facility risks unauthorized access, disruption, and destruction of critical information technology resources.
In response to the OIG’s findings, healthcare system staff eliminated the identified fire hazards. To address the other deficiencies, the OIG made 10 recommendations to VA, all of which VA concurred with. Based on evidence the healthcare system provided, the OIG considers recommendations 3 through 7, as well as 9 and 10, closed.
Audit of the Schedule of Expenditures for Sajdi-Consulting Engineering Center Under the Water Engineering Services Project, Contract 72027821C00003, in Jordan from January 1, 2024, to December 31, 2024
Under the Infrastructure Investment and Jobs Act, or IIJA, the U.S. Environmental Protection Agency was provided with over $60 billion in appropriations for Agency programs, including the Clean Water and Drinking Water State Revolving Fund Programs, the Superfund Program, geographic programs, and more. Since the IIJA’s enactment, the EPA Office of Inspector General has been conducting timely and relevant oversight to ensure that IIJA funds—taxpayer dollars—are used effectively. Our fourth annual IIJA progress report covers February 1, 2025, through January 31, 2026, and provides an update on our oversight of the EPA’s use of IIJA funds.
Summary of Findings
During the period covered in this report, the OIG issued seven audit reports, six evaluation reports, and two audit follow-up reports related to the Agency’s IIJA activities. In addition to examining initial implementation, we have increasingly focused on how the Agency is managing and overseeing IIJA funds that have already been awarded. In this report, we highlighted Agency accomplishments and identified key challenges, including gaps in the EPA’s guidance, oversight, timely fund utilization, recipient capacity, and data quality that risk slowing and undermining IIJA outcomes.
This memorandum provides the final results of the Office of Inspector General’s (OIG) risk assessment of the U.S. AbilityOne Commission’s (Commission) Government Purchase Card (purchase card) program for fiscal year (FY) 2025. The OIG concluded that the risk of illegal, improper, or erroneous use in the Commission’s purchase card program is low. As a result, an audit of the Commission’s purchase card program is not warranted.
The objective of the risk assessment was to analyze and identify the risks of illegal, improper, or erroneous purchases and payments within the Commission’s purchase card program, to determine whether an audit is warranted or make recommendations and identify areas of risk that the Commission could improve to strengthen its purchase card program.