Federal Reports

What Was Reviewed 

The U.S. International Development Finance Corporation Office of Inspector General (OIG) contracted with the independent public accounting firm RMA Associates, LLC (RMA) to audit DFC’s charge card program in accordance with Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act). The Charge Card Act requires the OIG to conduct periodic reviews of DFC’s charge card program for illegal, improper, or erroneous transactions to prevent fraud, delinquency, or misuse. 

The objectives of this audit were as follows: 

1. To determine the scope, frequency, and number of audits or reviews, conduct a risk assessment to assess, identify, and analyze the risks of illegal, improper, or erroneous purchases and payments within DFC’s charge card program. 

2. Address the requirements of the Charge Card Act, OMB and General Services Administration (GSA) requirements and standards. 

What Was Found 

In its audit of DFC, RMA found that DFC implemented an effective Government Charge Card Program for FY 2024. As a result, there were no recommendations. RMA concluded that based on the results of their review of the current information, the results of their sample testing, and Appendix B guidance, that the next audit of the charge card program should be in FY 2026 for FY 2025 transactions. There were no prior year recommendations findings and all recommendations prior to 2022 were closed.

Report on the results of our performance audit of the Maryland State Arts Council (MSAC) for the period of August 1, 2021 through July 31, 2024. During this period the National Endowment for the Arts (Arts Endowment) closed four MSAC awards, totaling $4,545,800 in Arts Endowment funds and $24,614,504 in total reported costs. 

U.S. Customs and Border Protection (CBP) did not effectively manage and secure its mobile devices, resulting in vulnerabilities and higher susceptibility to cyberattacks, potential unauthorized access to law enforcement and operational sensitive information, and waste and abuse from under- or over-usage.  Specifically, we found that CBP did not: • Consistently implement required security settings to protect its mobile devices or mitigate risks from applications installed on these devices; • Use its mobile device management system to fully manage and secure its mobile devices; • Address software vulnerabilities within the mobile device management system; • Increase monitoring and protection for devices used outside the United States, which are at a higher risk of cyberattacks; • Perform required steps to reduce risks associated with the disposal, loss, or theft of its mobile devices; and • Monitor its mobile devices for under- or over-usage. CBP allowed mobile devices to operate without completing a security authorization process to ensure required security controls; did not establish or implement sufficient security policies and processes; relied on unclear or contradictory guidance; and did not address its increased mobile device losses.  Moreover, the Department did not provide oversight to ensure that CBP fulfilled DHS requirements for monitoring mobile devices outside the United States and CBP did not enforce its policies.   

In 2015, the Environmental Protection Agency issued the Coal Combustion Residuals (CCR) rule, which included requirements for addressing the risks from coal ash disposal.  The Tennessee Valley Authority (TVA) updated the program funding for its CCR management program in 2015 to address compliance with the CCR rule and in 2017 began developing a site-specific project to address coal ash at Gallatin Fossil Plant.  The Gallatin Ash Pond Complex Closure and Restoration (Gallatin Ash) project activities include (1) construction, operation, and closure of on-site lined landfills; (2) excavation and disposal of approximately 14 million cubic yards of CCR from Gallatin Fossil Plant; and (3) closure of the legacy ash site and coal yard, along with other site restoration work. 

The project was first approved for implementation by the Project Review Board in February 2018 with a total estimated project cost of approximately $899 million.  As of July 2024, the total estimated project cost had increased to approximately $1.64 billion, an increase of approximately 82 percent.  Because of the costs associated with this project, we assessed the management of project costs. 

We determined cost management for the Gallatin Ash project needed improvement related to the development of the project estimate and monitoring and tracking of project change requests (PCRs).  Specifically, the project estimate (1) did not include the complete scope of work and (2) was not developed using definitive costs as required.  As a result, the initial implementation project estimate was significantly understated.  Some PCRs submitted by contractors lacked adequate detail to determine if project cost increases were reasonable.  In addition, PCRs were not prepared for cost increases resulting from inaccurate project estimates. During the review, we also identified confidential contractor information that was shared by TVA project management with another contractor, creating reputational and liability risks for TVA.