Federal Reports

This report summarizes the results of our fiscal year 2025 Federal Information Security Modernization Act (FISMA) evaluation of the U.S. Small Business Administration’s (SBA) information security program.

We found SBA’s overall information security program has defined policies but the agency has not consistently implemented them, falling short of the Office of Management and Budget rating for effective security controls. SBA fell below the baseline for effective controls in 9 of the 10 domains. Domains are metrics used to assess the effectiveness of an agency’s information security program. SBA made progress in 1 of the 10 domains, incident response, which was rated as optimized, exceeding the baseline for effective security controls. SBA regressed in three other domains: information security and continuous monitoring, identity and access management, and risk and asset management.

This fiscal year there are 17 new recommendations to improve SBA’s IT security program. Additionally, the agency continues to make progress on implementing 13 open recommendations from 4 prior evaluations. SBA managers agreed and proposed corrective actions that resolved all recommendations.

The CPSC's lack of necessary internal controls over the segregation of duties has created a potential fraud risk by authorizing the budget officer to hold incompatible roles in the appropriation process.  Additionally, the OIG determined that CPSC Directive 1230.1, meant to ensure compliance with OMB's A-11 Section 150 and Appendix H, is outdated and noncompliant with OMB’s requirements.  Management have indicated that are already taking the corrective action needed to correct these issues.

The CPSC’s lack of adequate controls over its Agency Clearance application has allowed application users inappropriate access to non-public government information without a valid need-to-know.  Since the initiation of this assessment, the CPSC has taken steps to strengthen its internal controls over the Agency Clearance application to restrict access of non-public government information to users with a valid need-to-know.

The VA Office of Inspector General reviewed acute inpatient mental health care at the Clement J. Zablocki VA Medical Center in Milwaukee, Wisconsin. Inspectors evaluated care in five areas. The OIG inspection team provided preliminary observations to leaders and later issued seven recommendations. The mental health leadership structure relied on shared responsibilities across multiple managers, which leaders perceived led to improved workload management and coverage. The Mental Health Executive Council did not include required veteran representation, limiting opportunities for veterans to influence the quality of care. The inpatient unit implemented recovery oriented practices. Veterans had daily interdisciplinary programming and access to natural light, a sunroom, and computer kiosks. Staff engaged consistently with veterans, and leaders supported recovery focused approaches. Inspectors identified gaps in clinical care coordination. Staff did not always document veterans’ legal status at admission or discussions about medication risks and benefits. Discharge instructions sometimes used undefined abbreviations or did not explain the purpose of medications, which could hinder veterans’ ability to safely manage their medications.

Staff completed required suicide risk screenings and safety plans before discharge. However, some staff had not completed mandatory suicide prevention training. Required safety inspections on the inpatient unit were completed and a ligature risk was corrected quickly, but a key team member did not attend inspections consistently. Several staff and volunteers also did not complete required training. The recommendations called for veteran participation on the Mental Health Executive Council, improved documentation practices, clearer discharge instructions, completion of required suicide prevention training, and full participation in environmental safety processes. VA leaders concurred with all recommendations and began corrective actions, including strengthening oversight, updating training requirements, improving documentation workflows, adding veteran input to governance, and monitoring compliance through established committees. These efforts are intended to improve the safety, quality, and recovery orientation of inpatient mental health care.

Why We Did This Report

The Federal Insecticide, Fungicide, and Rodenticide Act, or FIFRA, as amended by the Food Quality Protection Act, requires the EPA OIG to perform an annual audit of the financial statements for the Pesticides Reregistration and Expedited Processing Fund. Our primary objectives were to determine whether:

• The financial statements were fairly stated in all material respects.
• The EPA’s internal controls over financial reporting were in place.
• The EPA’s management complied with applicable laws, regulations, contracts, and grant agreements.

Summary of Findings

We found the fund’s financial statements to be fairly presented and free of material misstatement. We noted the following material weakness: The EPA did not appropriately allocate an expense paid to the U.S. General Services Administration for the use of government facilities.

Why We Did This Report

The Hazardous Waste Electronic Manifest Establishment Act requires the EPA to prepare and the OIG to audit the accompanying financial statements of the EPA’s Hazardous Waste Electronic Manifest System Fund. Our primary objectives were to determine whether the:

• Fund’s financial statements were fairly stated in all material respects.
• EPA’s internal control over financial reporting was in place.
• EPA’s management complied with applicable laws, regulations, contracts, and grant agreements.

Summary of Findings

We found the fund’s financial statements to be fairly presented and free of material misstatement. We did not identify any matters that we consider to be material weaknesses or significant deficiencies in the fund.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

The Tennessee Valley Authority’s (TVA) Enterprise Risk Management (ERM) business unit focuses on identifying and prioritizing enterprise risks.  Annually, ERM leads the preparation of an enterprise risk portfolio, which includes risks across TVA, to aid leadership in strategic and business planning processes.  Each business unit includes their specific risks in the portfolio and documents the probability of occurrence, financial impact, and actions to manage the risk.  TVA Labor Relations included Lack of Robust Pathways and Pipelines to Support Workforce Readiness and Availability risk in the fiscal year 2025 ERM risk portfolio. The risk description stated, "Failure to take swift and strategic action to develop and execute a comprehensive and holistic workforce strategy could result in our inability to take on new projects, innovate sustainable technology, and continue to deliver on TVA's mission."  The actions to address the risk included apprentice recruitment and utilization measures, the establishment of a workforce development team and portal, and an hourly layoff process.  Due to the importance of workforce readiness and availability, we conducted an audit to determine if TVA was taking planned actions and measuring the impact of completed actions. 

We determined TVA has taken actions to address the workforce readiness risk. TVA Labor Relations has completed 13 of 14 mitigating actions identified for this risk.  However, we determined TVA was not effectively measuring the impact of completed actions on the risk’s probability of occurrence and financial impact. In addition, some risk information was not documented accurately.