Federal Reports

The Office of the Inspector General performed an audit to determine if the Tennessee Valley Authority’s (TVA’s) corporate deployment of Microsoft 365® was configured to require and enforce the use of multi-factor authentication (MFA) for all accounts.  Our scope was limited to MFA managed through Microsoft Entra® ID.  We determined TVA has required and enforced the use of MFA for all accounts with limited exclusions for service accounts. Additionally, we reviewed a sample of service accounts and determined they were approved and documented in accordance with the applicable tech standard.  However, we identified internal control deficiencies related to MFA enforcement access policies and MFA applicability to enterprise applications. Specifically, we found (1) an MFA enforcement access policy applicable to 26 of 2,448 enterprise applications was not fully implemented in accordance with the applicable TVA tech standard and identified best practices, and (2) 1,802 of 2,448 enterprise applications were not covered by an MFA enforcement access policy.

This report specifically identifies Microsoft, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified.  Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.

Our Objective(s)To evaluate the Federal Railroad Administrations (FRA) oversight of railroads implementation of the Roadway Worker Protection (RWP) regulation. Specifically, we assessed (1) RWP oversight activities conducted by FRA safety inspectors, (2) FRAs on-track safety program reviews, and (3) pursuit of civil penalties for RWP violations.
Why This AuditGiven the continuing occurrence of RWP-related accidents and the substantial increase in funding for rail projects through the Infrastructure Investment and Jobs Act, we initiated this audit to evaluate FRAs oversight of railroads implementation of the RWP regulation.
What We FoundFRA is performing fewer RWP-related inspections, and available data are not effectively used to inform RWP oversight or planning.

In 2022, safety inspectors completed 10 percent fewer inspection reports overall, but 17 percent fewer RWP-related inspection reports.
FRA created new RWP-related inspection activity codes but reporting errors and missing inspection details limit FRAs oversight.
FRA does not use injury data for RWP oversight or inspection planning because it is difficult to identify injuries caused by non-compliance.
FRA lacks a documented data quality assurance process for its new inspection data system.

FRA monitors railroads compliance with some on-track safety program (OTSP) requirements but does not document comprehensive reviews.

FRA does not consistently document OTSP reviews. This is due to a lack of centralized recordkeeping and staff turnover.
FRA improved its OTSP notification process by providing railroads an email reporting option. FRA also developed an internal webpage to centralize documentation and guidance for officials and inspectors.

FRA took RWP enforcement actions but published incorrect closed case data in recent Annual Enforcement Reports (AERs).

FRA assessed $1.3 million in monetary penalties for 472 RWP violations from fiscal years 2018 through 2023.
Incorrect RWP data reported in FRAs AERs resulted from a system issue in FRAs Railroad Compliance System we identified in a previous audit.

RecommendationsWe are making 13 recommendations to improve FRAs oversight of railroads compliance with the RWP regulation.

Our Objective(s)To determine (1) whether Crowe PR PSCs work complied with the Single Audit Act of 1984, as amended, and the Office of Management and Budget's Uniform Guidance, and the extent to which we could rely on the auditor's work on the U.S. Department of Transportations (DOT) major programs, and (2) whether the Puerto Rico Highways and Transportation Authoritys (Authority) reporting package complied with the reporting requirements of the Uniform Guidance.
Why This ReportDuring the fiscal year that ended on June 30, 2023, the Authority expended approximately $189 million from DOT programs. Crowe PR determined DOTs major programs were FHWAs Highway Planning and Construction and FTAs Formula Grants for Rural Areas and Tribal Transit Program. We performed a quality control review on the single audit conducted by Crowe PR to verify compliance with all Federal laws and regulations.
What We FoundReview of Audit Work

Crowe PR complied with the requirements of the Single Audit Act, the Office of Management and Budget's Uniform Guidance, and DOTs major programs.
We found nothing to indicate that Crowe PRs opinion on DOT's major programs were inappropriate or unreliable.
We identified an unreported noncompliance in Crowe PRs audit work that is required to be reported in a reissued single audit report.

Review of Reporting Package

We did not identify any deficiencies in the Authoritys reporting package that required correction and resubmission.

RatingWe assigned Crowe PR an overall rating of Pass with deficiencies.