Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Agency Reviewed / Investigated: U.S. Agency for International Development
Report Title: Family Planning Commodities: USAID Must Provide Final Disposition Instructions to Stop Accruing Storage Costs for $8 Million in Unusable Items and $1.7 Million in Nearly Expired Items in Belgium
We visited the Wyckoff/Eagle Harbor Superfund site on Bainbridge Island, Washington, to observe the EPA’s management of public access to the site, including contaminated beaches. Through our visit, we aimed to determine whether we should conduct additional oversight.
Summary of Findings
Prior to our visit we identified concerns about public access to the site, but during our visit we observed physical access controls and informational devices that should effectively limit public exposure to contaminants. Therefore, we do not anticipate conducting additional oversight at this time.
Amtrak (the company) has been moving its technology systems and data to the cloud to provide on-demand access to shared services and reduce its dependence on in-house servers and databases. Migrating applications and data to the cloud, however, poses inherent security risks, exposing the company to an increased risk of cyberattacks. Accordingly, our objective was to assess the extent to which the company has implemented effective governance processes and security controls for cloud computing. In July 2025, we issued an interim report on this audit to alert the company to two pressing cybersecurity issues related to its cloud computing. In this report, we provide an update on the company’s progress on these issues and an overall assessment of its cloud computing practices. Given the sensitive nature of the report’s information, however, we are summarizing the results in this public version of the report.
Our assessment of the company’s governance processes and security controls of its cloud applications resulted in nine recommendations. In commenting on a draft of this report, the Executive Vice President for Digital Technology and Innovation agreed with our recommendations and described ongoing and planned actions to address them.
This audit was performed by CohnReznick LLP (CohnReznick) on behalf of the Department of Energy Office of Inspector General and examined Stanford University’s costs incurred and claimed for fiscal years 2016, 2018, 2019, and 2020 at SLAC National Accelerator Laboratory under management and operating contract No. DE-AC02-76SF00515.
The audit’s objective was to determine if costs charged to Department contract No. DE-AC02-76SF00515 for fiscal years 2016, 2018, 2019, and 2020 were allowable, allocable, and reasonable in accordance with applicable laws, regulations, and contract terms.
CohnReznick performed the audit in accordance with generally accepted government auditing standards.
CohnReznick did not identify any questioned costs during the audit. However, CohnReznick identified two control deficiencies and considered approximately $272 million in subcontractor costs unresolved pending audit. The identified control deficiencies related to a lack of documentation to support costs and a lack of adequate controls over timesheets for certain labor costs. Further, CohnReznick reported three qualifications that may have impacted the results of the audit if the related information had been received and evaluated.
CohnReznick made two recommendations. We also recommend that the contractor coordinate with the contracting officer to address the unresolved costs pending audit identified in this report. If the issues identified are fully addressed, it should help ensure that costs charged to the Department are allowable, allocable, and reasonable in accordance with contract terms.
Stanford University nonconcurred with the identified control deficiencies. Further, Stanford University asserted that sufficient documentation and adequate controls were present to support claimed costs.