An official website of the United States government
Here's how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Social Security Administration
Single Audit of the State of Illinois for the Fiscal Year Ended June 30, 2023
Due to the risk of harm to the Tennessee Valley Authority (TVA) from the loss or breach of private information held by a third party, we performed an audit of BlueCross BlueShield of Tennessee’s (BCBST) security controls. Our audit objective was to determine if BCBST has controls in place to meet contract requirements for the protection of data held by the vendor on behalf of TVA.
We determined that BCBST has controls in place to meet the contract requirements for the protection of data held on behalf of TVA. However, we identified wording in the contract that could be improved to avoid potential confusion. TVA management agreed with our finding and incorporated improvements into the contract amendment effective January 1, 2026.
The report contains an unmodified opinion on Natural Resources Conservation Service’s financial statements as of September 30, 2025, as well as an assessment of NRCS' internal controls over financial reporting and compliance with laws and regulations.
The U.S. Consumer Product Safety Commission (CPSC) OIG retained KPMG, LLP (KPMG), an independent public accounting firm, to perform the independent audit of the CPSC’s financial statements for fiscal year (FY) 2025 in accordance with auditing standards generally accepted in the United States. This report is contained in the CPSC’s Annual Financial Report which also contains the complete set of financial statements, management’s discussion and analysis, and required supplementary and other information. KPMG found that the CPSC received a qualified or clean opinion. However, the agency was found to have two material weaknesses, first identified in FY 2023; and one significant deficiency.
There continues to be an increased focus on supply chain risks in the Federal Government. In December 2020, the Government Accountability Office reported that a majority of the 23 agencies reviewed, which included the Department of Energy, had not implemented selected foundational practices for managing information and communications technology supply chain risks. In the Department’s case, information technology (IT) supply chain risk management (SCRM) is a particular challenge due to the diversity of its missions and decentralized operating environment.
We initiated this audit to determine whether the Department effectively managed its IT SCRM process.
We determined that the Department made progress in effectively managing its IT SCRM process, but opportunities for improvement existed to help ensure compliance with Federal and Department requirements. Specifically, we found issues related to the accuracy of the Department’s critical software inventory and insufficient assessments and reviews of potentially vulnerable suppliers. For example, the Department had not developed an accurate inventory of its critical software, which could have prevented it from protecting critical software, platforms, and data from unauthorized access. The Department also faced unknown SCRM risks because it did not always conduct assessments of technology acquisitions, including vendors with foreign ownership, control, or influence.
Without improvements to its SCRM process, the Department is vulnerable to potentially malicious, counterfeit, or vulnerable IT equipment or services. The inability to identify critical software quickly also places the Department at an elevated risk in the event of a compromise as it may be unable to rapidly respond to remediate vulnerabilities. Further, had entities routinely performed SCRM assessments and reviews, they may have increased awareness of supply chain risks involving certain vendors, resulting in different security decisions including implementing monitoring, conducting routine reviews of the vendor, or selecting a different vendor.
We suggest that the Department develop an accurate inventory of its critical software. In addition, we also suggest that three of the sites reviewed ensure that policies and procedures related to SCRM for IT acquisitions are developed and effectively implemented.
Our Objective(s)To assess whether GLS's contract award and administration practices comply with Federal and Departmental requirements. Specifically, we evaluated GLS's compliance with contract award and administration requirements and overseeing contracting officer warrants.
Why This AuditBetween 2021 and 2024, GLS received around $154.8 million in Congressional funds to carry out its mission. In this time, GLS has managed a $65.1 million contract portfolio. Our prior work and that of DOT's Office of the Senior Procurement Executive previously identified that GLS did not always comply with Federal and Departmental acquisition requirements, including the Federal Acquisition Regulation (FAR), across the acquisition lifecycle. Considering these issues and the importance of GLS's mission, we initiated this audit.
What We FoundGLS cannot demonstrate compliance with several contract award and administration requirements.
For 43 of the 48 contracts in our sample-totaling $40.4 million-GLS could not demonstrate that it complied with key contract award and administration process requirements set by DOT's Transportation Acquisition Manual and the FAR.
These noncompliance issues put up to $18.7 million at risk.
GLS could not always verify that its contracting officials held proper warrants.
GLS officials could not provide evidence that three of its contracting officers who awarded six contracts in our sample between fiscal years 2021 and 2024 totaling around $1 million, were correctly warranted.
Further, between July 2023 and April 2024, GLS's Chief of the Contracting Office awarded 12 contracts totaling approximately $11.7 million without warrant authority.
RecommendationsWe made 5 recommendations to improve GLS's compliance with Federal and Departmental contracting requirements.