Federal Reports

The OIG is issuing this evaluation to assess whether the U.S. Small Business Administration (SBA) effectively implemented internal controls when using the U.S. Department of the Treasury’s Do Not Pay (DNP) databases to detect and prevent payments of Coronavirus Disease 2019 (COVID-19) Economic Injury Disaster Loans (EIDL) and grants to ineligible entities.Despite implementing controls requiring loan officers to check DNP databases prior to approval of COVID-19 EIDLs and provide applicants 30 days to rectify any negative information received from DNP, the agency continued to award and disburse COVID-19 EIDL and grant funds to those listed in a DNP database without mitigating the negative information.We recommended the agency review the 3,643 potential improper payments we identified and determine if applicants can rectify the negative information; if not, we recommend the agency work to recover the funds.SBA management partially agreed with our recommendation, stating they will review and address loans and grants in the child support population that had information on the application or credit report that was not previously addressed. For the remainder of the DNP population, management stated they will review those grants and loans with an alert in the file that was not previously addressed. Management’s proposed corrective actions do not satisfy the recommendation to review the potentially ineligible loans and grants.

The FCC was compliant in 11 of its 13 programs that were susceptible to significant improper payments. The Universal Service Fund (USF)-Lifeline (LL) program, and the Affordable Connectivity Program (ACP) were non-compliant with one of the 10 PIIA criteria. The report presents five findings and five recommendations to address the audit findings. In the Management Response, the FCC concurred on four findings and non-concurred on one of the two noncompliance findings, related to the Lifeline Program.

We rated the Department of Homeland Security’s information security program for FY 2023 as “effective,” according to this year’s reporting instructions. We based this rating on our evaluation of the Department’s compliance with requirements of the Federal Information Security Modernization Act of 2014 for unclassified and national security systems. As recommended by this year’s reporting instructions, we used a calculated average approach when determining the effectiveness of the domain, function, and overall program. DHS received a maturity rating of “Level 4 – Managed and Measurable” in the Identify, Protect, Detect, Respond, and Recover functions based on this year’s reporting guidance.

We rated the Department of Homeland Security’s information security program for FY 2023 as “effective,” according to this year’s reporting instructions. We based this rating on our evaluation of the Department’s compliance with requirements of the Federal Information Security Modernization Act of 2014 for unclassified and national security systems. As recommended by this year’s reporting instructions, we used a calculated average approach when determining the effectiveness of the domain, function, and overall program. DHS received a maturity rating of “Level 4 – Managed and Measurable” in the Identify, Protect, Detect, Respond, and Recover functions based on this year’s reporting guidance.

Why We Did This ReportWe are alerting the U.S. Environmental Protection Agency to the need to ensure that mobile devices for separating employees are properly preserved and timely accessible to the Office of Inspector General to prevent the loss of evidence and other relevant records. Summary The EPA OIG is conducting an administrative investigation of a senior official for alleged ethics violations. In 2024, we notified the EPA Office of Mission Support that the senior official intended to leave, or separate from, the Agency in 2024, and we requested that the OMS preserve the information on the senior official’s electronic devices. Upon the senior official’s separation 30 days later, the OMS received five electronic devices from the official but failed to retain the three mobile devices in a way that would allow us or the Agency to access the information stored on them. As a result, we have been unable to retrieve the information and any potential federal records on these devices that may be relevant to our investigation, including text messages, telephone contact lists, and other forms of messaging. We are concerned that this is not an isolated issue.