Federal Reports

The Office of the Inspector General performed an audit to determine if the Tennessee Valley Authority’s (TVA’s) corporate deployment of Microsoft 365® was configured to require and enforce the use of multi-factor authentication (MFA) for all accounts.  Our scope was limited to MFA managed through Microsoft Entra® ID.  We determined TVA has required and enforced the use of MFA for all accounts with limited exclusions for service accounts. Additionally, we reviewed a sample of service accounts and determined they were approved and documented in accordance with the applicable tech standard.  However, we identified internal control deficiencies related to MFA enforcement access policies and MFA applicability to enterprise applications. Specifically, we found (1) an MFA enforcement access policy applicable to 26 of 2,448 enterprise applications was not fully implemented in accordance with the applicable TVA tech standard and identified best practices, and (2) 1,802 of 2,448 enterprise applications were not covered by an MFA enforcement access policy.

This report specifically identifies Microsoft, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified.  Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.

Final Management Letter: Audit of the SEC’s Efforts to Recruit and Retain a Highly Skilled Workforce and Address Related Challenges

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to assess the EPA’s oversight of state subrecipient monitoring in the Clean Water State Revolving Fund Program, including the monitoring of subrecipients of Infrastructure Investment and Jobs Act funds.

Summary of Findings

While the annual review procedures for nondiscrimination laws, suspension and debarment, and single audit requirements follow statutory requirements, we found opportunities for the EPA to improve its oversight practices in the annual review steps devoted to subrecipient monitoring activities in these areas. The EPA provided CWSRF Program guidance that supported the three states that we reviewed in monitoring the subrecipients in their state CWSRF programs. The EPA could further support the states in their subrecipient monitoring activities by providing a guide of best practices for subrecipient monitoring and a best practices guide for helping equivalency subrecipients compliance.

We also made observations outside of our audit objective. The CWSRF capitalization grant terms and conditions could include a requirement that recipients and subrecipients must report violations of federal criminal law involving fraud, bribery, or gratuity violations to the OIG. The EPA could also encourage states to include a provision in their CWSRF loan agreements consistent with 2 C.F.R. § 200.113.

The objective of this evaluation was to determine whether the U.S. Consumer Product Safety Commission (CPSC) was in compliance with the Payment Integrity Information Act of 2019 (PIIA) for the fiscal year (FY) ended September 30, 2024. The Office of Inspector General retained the services of KPMG, an independent public accounting firm, to evaluate the CPSC’s FY 2024 PIIA compliance. This evaluation was performed in accordance with the Council of Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.

Section 487(a)(17) of the Higher Education Act of 1965, as amended (HEA), requires postsecondary schools participating in Title IV programs to annually report data, including data relevant to students’ cost of attendance and financial aid and the schools’ graduation rates, to the U.S. Department of Education’s (Department) Integrated Postsecondary Education Data System (IPEDS) to the satisfaction of the Secretary. The objective of our inspection was to determine whether Spring Hill College (Alabama) reported verifiable data to IPEDS for the 2021–2022 reporting period. We determined that Spring Hill College reported verifiable data to the Department’s IPEDS for the 2021–2022 reporting period. Specifically, all data elements that we selected and reviewed that the school reported through the Graduation Rates, Institutional Characteristics, and Student Financial Aid surveys for the 2021–2022 reporting period were supported by datasets, information system reports, or other records. Because all the data sets that we reviewed were verifiable, we do not make any recommendations in this report. However, our results are limited to the data sets we reviewed, and it is critical that Spring Hill College continue to report verifiable data to IPEDS.