Federal Reports

See the additional details link below for the full report, report summary, multimedia or any agency follow-up.

During our audit of the Integrity of Postal Service’s Social Media Presence, we found a smishing campaign that may have a significant negative impact on the Postal Service’s brand, reputation, and customer loyalty. The purpose of this alert is to bring this issue to your attention with a recommendation for corrective action. Smishing is a mobile phishing attack that targets victims using text messages rather than emails. These messages appear to be sent by legitimate, trusted organizations like the Postal Service. Smishing attacks attempt to trick mobile users into clicking on links that are connected to fraudulent sites that could steal credentials or propagate malware.

Amtrak (the company) contracted with the independent certified public accounting firm of Ernst & Young LLP to audit its consolidated financial statements as of September 30, 2020, and for the year then ended, and to provide a report on internal control over financial reporting and on compliance and other matters. Because the company receives federal assistance, it must obtain an audit performed in accordance with generally accepted government auditing standards. As required by the Inspector General Act of 1978, we monitored the audit activities of Ernst & Young to help ensure audit quality and compliance with auditing standards. Our monitoring focused on two Ernst & Young reports and disclosed no instances in which Ernst & Young did not comply, in all material respects, with generally accepted government auditing standards.

While U.S. Customs and Border Protection’s (CBP) actions to implement prior OIG outage-related recommendations could not have prevented the onset of the nation-wide outage on August 16, 2019, the steps taken did help minimize the length and severity of disruptions to passenger screening. By addressing OIG recommendations, CBP established a more effective control structure for monitoring passenger screening systems, thus enabling prompt action to identify and resolve the outage. However, CBP’s configuration management policies and procedures were not sufficient to prevent the 2019 outage. Specifically, CBP’s critical passenger applications were operating on an Oracle database device that was not properly configured, and, did not have up-to-date patches. The outage resulted in longer wait times and delays up to 2.5 hours for arriving passengers, as well as the need for CBP to revert to less effective backup systems to support passenger screening procedures. CBP personnel faced additional challenges during the outage, as they were unable to quickly access “offline” systems and were not fully prepared for backup procedures. This was due to inadequate training and ineffective communication from CBP Headquarters during the outage. CBP should address these deficiencies, which may increase the risk of entry of unauthorized aliens who could threaten our Nation’s security. We made five recommendations to improve training, procedures, processes, and employee awareness. CBP concurred with all five of our recommendations.