Federal Reports

What Office of Inspector General Evaluated

We conducted an audit of the Library of Congress gift shop. Our objectives were to determine whether the design and documentation of the systems of internal control were adequate to ensure the accuracy and reliability of accounting data and to protect Gift Shop assets, and assessing whether compliance with the systems of internal control was adequate to rely on those controls Office of Inspector General conducted the Audit  from February 2018 through December 2018.

What Office of Inspector General Found

The Audit report highlights key considerations for the Library’s Gift Shop as it prepares for increased customer traffic and sales following the introduction of the new Visitor Experience. To meet these demands, management must address higher inventory levels, increased point-of-sale activity, and improve merchandising data for informed investment decisions. As a revolving fund, the Gift Shop relies entirely on its  ability to operate profit ably, without appropriations, necessitating strong business expertise from its  management team. 

We found:

• The gift shop must implement an improved accounting system for its financial management and reporting.
• Annual merchandise plans and inventory planning require enhanced documentation.
• Integrating online sales into DAX will reduce exposure to error.
• Management should address other internal control issues found including point-of-sale transactions and segregation of duties.

What Office of Inspector General Recommends

We made 22 recommendations related to improving gift shop operations in the area of financial management and accounting.

The Office of the Inspector General audited TVA’s information systems categorization process to determine if TVA’s information systems categorization process was effective and in compliance with Federal Information Processing Standards Publication 199 and National Institute of Standards and Technology Special Publication (NIST SP) 800-60. We determined that portions of TVA’s process were effective. However, we found gaps with implementing NIST SP 800-60 guidance. TVA management agreed with our findings and recommendations.

The Office of Inspector General conducted a follow‐up audit evaluating NASA’s process for transferring Agency‐developed technology to the commercial sector.

We identified actions that Washington has taken, using Federal funds for improving prescription drug monitoring programs (PDMPs), to achieve program goals toward improving safe prescribing practices and preventing prescription drug abuse and misuse. As of July 2018, Washington had completed some of the activities it proposed for the Centers for Disease Control and Prevention (CDC) grant to enhance and maximize its PDMP. Specifically, of the 11 activities proposed for the audit period (March 1, 2016, through August 31, 2017), 6 were completed, and the remaining 5 were partially completed.

Overall, the Department continues to implement changes to strengthen its enterprise-wide information security program. We identified opportunities where the Department can strengthen their overall information security program. The Department continues to work toward implementing a Department-wide Continuous Diagnostics and Mitigation program with the Department of Homeland Security. This should help the Department achieve a higher level of maturity for its information security program in subsequent years. Additionally, we identified weaknesses in the following areas: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning. The Department needs to ensure that all operating divisions consistently review and remediate or address the risk presented by vulnerabilities discovered, consistently implement account management procedures, and accurately track systems to ensure they are operating with a current and valid Authority to Operate. Additionally, the Department should focus on configuring recently deployed continuous diagnostic monitoring tools to automate the integration of cyber risks into newly developed enterprise risk management programs. These steps will strengthen the information security program and further enhance its mission.