Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Department of Energy
Improvements Needed to Address the Department of Energy’s Exposure to Information Technology Supply Chain Risks
There continues to be an increased focus on supply chain risks in the Federal Government. In December 2020, the Government Accountability Office reported that a majority of the 23 agencies reviewed, which included the Department of Energy, had not implemented selected foundational practices for managing information and communications technology supply chain risks. In the Department’s case, information technology (IT) supply chain risk management (SCRM) is a particular challenge due to the diversity of its missions and decentralized operating environment.
We initiated this audit to determine whether the Department effectively managed its IT SCRM process.
We determined that the Department made progress in effectively managing its IT SCRM process, but opportunities for improvement existed to help ensure compliance with Federal and Department requirements. Specifically, we found issues related to the accuracy of the Department’s critical software inventory and insufficient assessments and reviews of potentially vulnerable suppliers. For example, the Department had not developed an accurate inventory of its critical software, which could have prevented it from protecting critical software, platforms, and data from unauthorized access. The Department also faced unknown SCRM risks because it did not always conduct assessments of technology acquisitions, including vendors with foreign ownership, control, or influence.
Without improvements to its SCRM process, the Department is vulnerable to potentially malicious, counterfeit, or vulnerable IT equipment or services. The inability to identify critical software quickly also places the Department at an elevated risk in the event of a compromise as it may be unable to rapidly respond to remediate vulnerabilities. Further, had entities routinely performed SCRM assessments and reviews, they may have increased awareness of supply chain risks involving certain vendors, resulting in different security decisions including implementing monitoring, conducting routine reviews of the vendor, or selecting a different vendor.
We suggest that the Department develop an accurate inventory of its critical software. In addition, we suggest that three of the sites reviewed ensure that policies and procedures related to SCRM for IT acquisitions are developed and effectively implemented.
The U.S. Small Business Administration (SBA) Office of Inspector General contracted with the independent certified public accounting firm KPMG LLP to conduct an audit of SBA’s consolidated balance sheet as of September 30, 2025 and the related notes. KPMG was not engaged to audit the consolidated statement of net cost, consolidated statement of changes in net position, and combined statement of budgetary resources. Our contract required KPMG to conduct the audit in accordance with Government Auditing Standards and Office of Management and Budget Bulletin No. 24-02, Audit Requirements for Federal Financial Statements.
KPMG issued a disclaimer of opinion on the consolidated balance sheet as of September 30, 2025. A disclaimer means that an auditor was unable to obtain sufficient information to determine whether the organization’s financial statements were accurate. The basis for the disclaimer was that because of control deficiencies identified, SBA was unable to provide adequate evidential matter in support of a significant number of transactions and account balances related to the Paycheck Protection Program and Economic Injury Disaster Loan programs. Additionally, management was unable to provide sufficient appropriate audit evidence to support the data used to develop assumptions used in the subsidy allowance estimate for SBA’s direct loan and loan guaranty programs.
During the audit, KPMG identified four material weaknesses and one significant deficiency in internal control over financial reporting. Material weaknesses are a serious concern that an organization’s financial reporting controls are not effective to detect major errors or fraud. We note that SBA made considerable progress addressing prior year audit findings, resulting in the successful remediation of two material weaknesses (controls over general information technology and controls over the evaluation of service organizations) and the downgrading of one material weakness (controls over monitoring Restaurant Revitalization Fund and Shuttered Venue Operators Grant programs) to a significant deficiency. Appendices I and II of this report describe details of KPMG’s conclusions about the material weaknesses and significant deficiency. KPMG also identified three instances of noncompliance with applicable laws or other matters, which are discussed in Appendix III of this report.
This report describes an issue that the U.S. Environmental Protection Agency Office of Inspector General identified during its audit of the U.S. Infrastructure Investment and Jobs Act-funded IRL Council for the Indian River Lagoon National Estuary Program grant program.
Summary of Findings
The EPA OIG found that the IRL Council did not complete or submit any of the required Federal Financial Reports, or FFRs, for the first two years of its award and stated the reason was that the EPA did not request annual FFRs. This raised concerns that the EPA was not requiring any National Estuary Program, or NEP, award recipients to submit FFRs annually as mandated by 2 C.F.R. § 200.328.
Today, the U.S. Consumer Product Safety Commission Office of Inspector General released their semiannual report for the reporting period ending September 30, 2025. The report is part of the semiannual requirement to communicate OIG oversight activities of the CPSC to Congress and the American people.