Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Department of the Interior
Risks Identified for U.S. Department of the Interior Grants Awarded to the Illinois Department of Natural Resources
KPMG LLP’s (KPMG) report on its financial statement audit of the National Credit Union Administration’s (NCUA) financial statements, which includes the Share Insurance Fund, the Operating Fund, the Central Liquidity Facility, and the Community Development Revolving Loan Fund, as of and for the years ended December 31, 2024, and 2023. The NCUA prepared financial statements in accordance with the Office of Management and Budget (OMB) Circular No. A-136 Revised, Financial Reporting Requirements, and subjected them to audit. Under a contract monitored by the NCUA OIG, KPMG, an independent certified public accounting firm, performed an audit of NCUA’s financial statements as of December 31, 2024. The contract required that the audit be performed in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States, OMB audit guidance, and the Government Accountability Office/President's Council on Integrity and Efficiency Financial Audit Manual. KPMG’s audit report for 2024 includes: (1) an opinion on the financial statements, (2) conclusions on internal control over financial reporting, and (3) a section addressing compliance and other matters. In its audit of the NCUA, KPMG found:
• The financial statements were fairly presented, in all material respects, in conformity with U.S. generally accepted accounting principles,
• There were no deficiencies in internal control identified as material weaknesses or significant deficiencies, and
• No instances of reportable noncompliance with laws and regulations it tested or other matters that are required to be reported under Government Auditing Standards or OMB guidance.
Ukraine Response: USAID Can Strengthen Efforts to Ensure Compliance and Improve Monitoring to Protect Against Sexual Exploitation and Abuse for Humanitarian Assistance
The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess clinic cancellation practices at a VA Northern Indiana Healthcare System (system) mental health clinic in Fort Wayne, Indiana.
The OIG found that mental health leaders and a social work supervisor used a standard clinical disposition process to address the needs of a social work mental health provider’s (the provider’s) patients and transition patients to alternate appointments or treatment following the provider’s sudden resignation. Mental health leaders and a social work supervisor completed the clinical disposition process before advanced medical support assistants canceled patients’ previously scheduled appointment(s) with the provider. Upon review of the electronic health records and patient safety data, the OIG did not identify any concerns or adverse outcomes related to the cancellations.
The OIG concluded that the chief of mental health and the chief of social work did not notify the Chief of Staff (COS) to seek approval for urgent cancellations of the provider’s clinic as required by the system clinic cancellation policy. Ultimately, due to mental health and social work leaders’ communication failures, the COS could not approve the clinic cancellations or assess the need for, and potential allocation of, resources; nor did it allow for COS evaluation of the potential patient impact.
An additional concern was identified regarding the system’s failure to include social work providers assigned to mental health clinics during the system-initiated review of short notice clinic cancellations.
The OIG made two recommendations to the System Director to (1) evaluate the system clinic cancellation policy and COS notification of urgent clinic cancellations and to (2) include social work mental health provider data in the system review of short notice clinical cancellations within mental health clinics.
The VA Office of Inspector General (OIG) conducted this inspection to assess the oversight and stewardship of funds by the VA Tampa Healthcare System. This inspection assessed four financial activities and administrative processes to determine whether appropriate controls and oversight were in place: use of managerial cost accounting information, open obligations oversight, purchase card use and oversight, and supply chain management operations.
The OIG found the healthcare system could use managerial cost accounting information more effectively to help spend more efficiently and improve its performance measurement process for identifying and correcting cost inaccuracies.
The healthcare system did not always perform monthly reviews and deobligate funds no longer needed. The healthcare system appeared to use funds from the wrong fiscal year to pay for services, which may have violated the “bona fide needs” rule. The OIG estimated $6.3 million in open obligations was invalid due to the healthcare system’s lack of monthly follow-up and reconciliations and found that an estimated $5.9 million in invalid obligations should have been deobligated for better use.
The healthcare system did not always process purchase card transactions in accordance with VA policy. The OIG found violations involving a lack of prior approvals, supporting documentation, and segregation of duties.
Furthermore, the healthcare system did not meet the days-of-stock-on-hand metric or maintain accurate supply chain data. Officials also did not fulfill their duties to ensure that Medical Surgical Prime Vendor (MSPV) ordering officers and a facility contracting officer’s representative were nominated and delegated to ensure the MSPV program achieved its goals and objectives and effectively safeguarded the government’s interests and resources.
The OIG made 12 recommendations for improvement to the healthcare system director. The recommendations address issues that, if left unattended, may eventually interfere with financial efficiency practices and the strong stewardship of VA resources.
Congress enacted section 117 of the Higher Education Act, as amended, (Section 117) mandating financial transparency of institutions of higher education (institution) through required reporting of gifts from and contracts with a foreign source. Applicable institutions must file a disclosure report by one of the two annual reporting deadlines, January 31 or July 31, whichever is sooner, once the reporting obligation has been triggered. Section 117 helps to raise awareness of potential foreign influence on college campuses which could help stakeholders assess, detect, and respond to potential threats to U.S. academic and research pursuits, free speech on campuses, and national security. We conducted an inspection to evaluate FSA’s oversight of institutions’ reporting of foreign gifts and contracts under Section 117. To answer our objective, we reviewed FSA’s oversight activities, along with FSA’s monitoring plan, policies, and procedures related to its oversight of institutional reporting under Section 117. We also determined if FSA is accurately posting the data it receives from institutions. We found that FSA’s oversight of institutions’ reporting of foreign gifts and contracts under Section 117 needs improvement. Specifically, FSA’s oversight activities are limited to reviewing whistleblower tips, Department of Education news bulletins, and other media reports for potential institutional noncompliance with Section 117 and providing technical assistance to institutions. FSA does not have any monitoring plans, policies, or procedures in place for its oversight of Section 117 reporting. Additionally, we found that FSA is accurately posting the data it receives from institutions through its Section 117 reporting portal onto its public-facing website; however, FSA could improve its Section 117 reporting portal to assist in identifying and reducing data input errors.
Our Objective(s)
To perform a quality control review (QCR) of Allmond & Company, LLC's (Allmond), management letter related to the audit of STB's financial statements for fiscal years ended September 30, 2024, and September 30, 2023. We reviewed Allmond's management letter, dated November 6, 2024, and related documentation.
About This Report
We contracted with the independent public accounting firm Allmond to audit STB's financial statements. Allmond also issued a management letter discussing internal control matters that Allmond was not required to include in its audit report.
What We Found
The independent auditor, Allmond, found seven internal control matters in STB's operations.
STB does not have agency-specific written policies and procedures for processing personnel actions.
STB does not enforce existing policies that require employees to submit, and supervisors to approve, leave requests for annual leave used.
STB does not perform a full review of accountable property and does not update inventory listings when items are issued or reassigned to employees.
STB does not have a procedure to validate upward and downward adjustment activity in the general ledger and to make the necessary corrections to ensure that both the upward and downward adjustment balances are accurate.
STB does not have procedures to ensure that employees' annual leave balances are correct and that carryover balances comply with laws and regulations.
STB expensed a portion of capitalized equipment in error.
STB taxed Federal Employees Health Benefits premiums in error.
Our QCR disclosed no instances in which Allmond did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
Recommendations
We agree with Allmond's 13 recommendations to help strengthen STB's internal controls.
Quality Control Review of the Management Letter for the Federal Aviation Administration's Audited Consolidated Financial Statements for Fiscal Years 2024 and 2023
Our Objective(s)
To perform a quality control review (QCR) of KPMG LLP's management letter related to the audit of the Federal Aviation Administration's (FAA) consolidated financial statements as of and for the fiscal years ended September 30, 2024, and September 30, 2023. We reviewed KPMG's management letter, dated November 27, 2024, and related documentation.
About This Report
We contracted with the independent public accounting firm KPMG to audit FAA's consolidated financial statements. KPMG also issued a management letter discussing internal control matters that KPMG was not required to include in its audit report.
What We Found
The independent auditor, KPMG, found 12 internal control matters in FAA's management of operations. Two of the matters are related to DOT's internal controls and, although they affect FAA's control environment, FAA is not required to take corrective actions. The remaining 10 internal control matters are weaknesses in FAA's:
procurement system separation of users,
procurement system new user and recertification processes,
timely recording of procurement
accounting for costs incurred in projects with both construction and operating
and accuracy of intragovernmental lease payments
over the timely deobligation of grant undelivered orders,
calculation of non-letter of intent and additional Infrastructure Investment and Jobs Act grant accruals, and
Headquarters review of manual journal vouchers.
In addition, documentation weaknesses exist in the Enterprise Services Center's review of FAA journal entries, and
FAA has an insufficient number of personnel to support the annual recertification of payroll system users.
Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with U.S. generally accepted Government auditing standards.
Recommendations
We agree with KPMG's 15 recommendations to strengthen FAA's information technology and service organization system, business process, and manual journal voucher controls.
Our Objective(s)
To determine whether DOT has established and implemented effective controls to secure and manage its mobile devices. As part of our review of DOT's mobile device management, we also assessed DOT's processes for maintaining an inventory of mobile devices and monitoring the costs of their use.
Why This Audit
Many Federal employees use mobile devices, including smart phones, to access their agencies' networks and systems, including those that process sensitive information. However, these devices can leave sensitive data vulnerable to cybersecurity threats and malicious software. Given increased use of mobile devices by DOT personnel and the cybersecurity risks associated with this use, we initiated this audit.
What We Found
DOT is taking steps to secure its mobile devices but has not yet implemented sufficient controls to effectively secure and manage all devices.
DOT's Office of the Chief Information Officer (OCIO), the Federal Aviation Administration (FAA), the U.S. Merchant Marine Academy (USMMA), and the Office of Inspector General (OIG) have begun implementing user and device authentication and data protection controls for their use of mobile devices. However, FAA and USMMA have not rapidly adopted software updates to ensure mobile operating systems are configured securely.
FAA and USMMA do not always restrict the use of mobile applications and do not have effective policies and procedures to manage and secure their mobile devices. In addition, OCIO and USMMA have not addressed security control weaknesses for their mobile device management solutions.
FAA has not maintained accurate inventories, and DOT OCIO and FAA have not ensured efficient spending for mobile devices.
Maintaining accurate inventories and monitoring spending are keys to efficient mobile device management. However, FAA did not maintain accurate inventories of its mobile devices. We found 157 personally owned mobile devices that had been granted access to FAA's network resources that FAA did not report to OIG when we took inventory.
DOT OCIO and FAA did not have effective controls in place to ensure efficient spending on mobile devices and services. We identified that FAA and OCIO were spending money on many mobile devices with zero usage, resulting in our identification of up to $422,838.45 for FAA and up to $203,884.19 for OCIO in funds that could be put to better use.
Recommendations
We made 6 recommendations to improve DOT's process for managing and securing mobile devices within DOT's enterprise.