Federal Reports

We audited $2.49 million of costs billed to TVA by a contractor from January 1, 2005, through December 31, 2006, for the administration of TVA's vision benefit program. Our audit objective was to determine if the costs billed to TVA were in compliance with the contract terms and conditions. In summary, we found TVA was billed (1)an estimated $69,928 for miscalculated and unsupported claim costs, (2)$4,210 for duplicate claims, and (3)$22,255 for claims that exceeded the contract frequency limitations. Additionally, TVA was billed an estimated $56,748 in ineligible claim costs that occurred because eligibility information was not timely updated. Summary Only

We audited $3.9 million of costs billed by a TVA contractor who provided engineering, materials, and installation support for automating TVA's hydro system. We found TVA was billed $380,000 for costs and associated fees that were either excessive, unsupported, or not in accordance with the contract. The overbillings included excessive labor markups, unsupported labor costs, unallowable or unsupported travel costs, excessive facility rental costs, duplicate billings, overstated retroactive billing adjustments, and fees. Summary Only

We completed agreed-upon procedures to assist the Center for Resource Solutions (CRS) in determining TVA's compliance with the annual reporting requirements of CRS' Green Pricing Accreditation Program for the year ended December 31, 2006. The required information on TVA's renewable energy initiative, "Green Power Switch," was provided to CRS.

We evaluated the design, implementation, and effectiveness of TVA's Ethics and Compliance Program and found:TVA's current ethics program was limited to the Office of Government Ethics' standards and requirements. The Designated Agency Ethics Officer (DAEO), currently within the General Counsel's office, is responsible for making sure the appropriate employees are trained in these standards. Currently, about 20 percent of TVA employees are required to participate in annual ethics training. The audit team found that leading practice provides ethics training to all employees and addresses how ethical behavior affects and supports a company's overall mission. It has been shown that such training provides an ethical foundation for employees which, in turn, provides the basis for a company's compliance program.TVA's compliance program is comprised of "silos." Each business unit, such as TVA's nuclear and fossil power organizations, has experts in nuclear and environmental regulations who assist individual nuclear and fossil plants in complying with specific regulations. However, leading practice trends toward a more centralized corporate compliance management approach. This centralized approach provides for coordination of each business unit's compliance program and allows for better communication of issues across the organizations. Based on these findings, we recommended to the Chief Executive Officer (CEO) that TVA establish a Chief Ethics and Compliance Officer (CECO) position and move the responsibility for TVA's Ethics Program from the General Counsels' office to the CECO, who would be responsible for directing the ethics program and coordinating compliance programs across TVA. We recommended the CECO report to TVA's CEO and Board of Directors. The CEO agreed with our recommendation to establish and fill the CECO position at TVA and indicated implementation details would be addressed after the appointment.

We determined: Personally identifiable information (PII) and other sensitive information were not properly secured thus exposing the information to anyone with a TVA network ID;Temporary shares were being used to store non-business related information;TVA does not have a policy or guidance for management of temporary shares to address the proper use of the share (i.e., types of information that can be stored and the unsecured nature of the share), responsibilities of the users, and maintenance (i.e., maximum time frame for retention of files on the share); TVA Standard Programs and Processes (SPP) 12.9, Computer Security and Privacy Incident Response, which includes procedures for notifying TVA employees and their dependents, contractors, and retirees and their dependents when PII has potentially been compromised, has yet to be implemented; and Two business practice drafts (1) TVA Information Security Policy, which describes classification and protection of information, and (2) Acceptable Use of Information Resources (Rules of Behavior), which explicitly prohibits storage of non-TVA information on TVA servers, have yet to be implemented. TVA management agreed with the findings and has taken or is taking corrective action.