Federal Reports

Our Objective(s)
To perform a quality control review (QCR) of Sikich's fiscal year 2025 audit of the effectiveness of the Department of Transportation's (DOT) information security program and practices.

Why This Audit
The Federal Information Security Modernization Act of 2014 requires agencies to develop, implement, and document agencywide information security programs and practices. The Act also requires inspectors general to conduct annual reviews to determine the effectiveness of their agencies' information security programs and report their review results to the Office of Management and Budget. To meet this requirement, we contracted with Sikich to conduct this audit subject to our oversight. We performed a QCR of Sikich's report and related documentation.

What We Found
The independent auditor, Sikich, found that DOT's information security program and practices were not effective and made seven recommendations to improve DOT's information security program.
Establish and implement guidance for performing Cybersecurity Framework 2.0 activities through policies and procedures, including the development of current and target cybersecurity profiles which consider anticipated changes in DOT's cybersecurity posture.
Define and implement policies and procedures that utilize standard data elements and taxonomy to develop and maintain an up-to-date inventory of all software assets and associated licenses, including Executive Order critical software.
Document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for DOT's data types.
Create and maintain a comprehensive inventory of data and corresponding metadata.
Work with Federal Aviation Administration (FAA) Chief Information Officer (CIO) to secure a reliable funding stream for continuous vetting.
Work with FAA CIO to initiate and complete the background investigation of FAA employees in public trust positions.
Work with FAA CIO to enroll FAA employees into continuous vetting through Trusted Workforce.

Our QCR disclosed no instances in which Sikich did not comply, in all material respects, with generally accepted Government auditing standards.

Recommendations
DOT concurs with Sikich's seven recommendations.

The objective of our review was to determine whether the U.S. Department of Education (Department) complied with transfer of funds and reprogramming requirements under appropriations laws. To achieve our objective, we identified the Department’s transfer and reprogramming activities from November 5, 2024, through January 20, 2025, and the extent to which these activities complied with applicable appropriations laws.  We found that the Department did not fully comply with transfer of funds and reprogramming requirements under applicable appropriations laws. We identified a total of six transactions, consisting of five transfers and one reprogramming, that occurred from November 5, 2024, through January 20, 2025. We determined that two of these transactions—one of the transfers and the one reprogramming—were made using authorities granted under applicable appropriations laws. For these two transactions, we found that the transfer was compliant with applicable requirements; the reprogramming was not. Specifically, we found that the Department did not consult or notify Congress of the reprogramming as required by the appropriations laws. The remaining four transfers were appropriately made under other statutory authorities. The Department’s failure to comply with applicable statutory transfer authorities and reprogramming requirements may result in Federal funds not being used as originally intended by Congress, funds being deemed unavailable for obligation, and potential violations of the Antideficiency Act. Additionally, failure to notify Congress of transfers of funds and reprogrammings hinders congressional oversight of how agencies execute their budgets and fulfill their missions. We recommended that the Department establish appropriate controls to ensure that transfers of funds and reprogrammings comply with all applicable statutory authority requirements, including notifications to the House and Senate Appropriations Committees. 

AmeriCorps OIG investigated allegations that individuals posing as AmeriCorps employees on social media sites offered grant funds in exchange for a fee, such as gift cards or cell phones, as part of a scheme known as "advance fee fraud." The evidence collected through the investigation supports the finding that the fraud suspects executed the schemes by utilizing fake social media profiles, Voice Over Internet Protocol (VOIP) phone numbers, fake email addresses, and Virtual Private Networks (VPNs). At the conclusion of the investigation, AmeriCorps OIG made six recommendations to AmeriCorps, which concurred with five of the six.

AmeriCorps Office of Inspector General (OIG) investigated allegations that Corp Regional de Guayama de Servicios a la Comunidad (CRGSC), located in Cayey, PR, drew down grant funds through the U.S. Department of Health and Human Services’ Payment Management System (HHS-PMS) for its Foster Grandparent Program (FGP) without corresponding supporting documentation as required by 2 CFR 200.430.