Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Amtrak (National Railroad Passenger Corporation)
INFORMATION TECHNOLOGY: Improving Security of Publicly Accessible Websites Could Help Limit Cyber Risk
The Office of Inspector General (OIG) conducted an audit of Amtrak’s (the company) website security program. Our audit objective was to assess whether current controls provide reasonable assurance that the company’s publicly accessible websites are secure. The company uses numerous information technology (IT) applications accessible to the public via the Internet. Given the company’s reliance on publicly accessible websites, we compared its practices for IT website security to leading practices from the private and public sectors, including those of the National Institute of Standards and Technology.
OIG reviewed purchase card practices within Veterans Integrated Service Network (VISN) 15 based on a September 2015 request from the former Chairman of the House Committee on Veterans’ Affairs. VISN 15 purchase cardholders did not use purchase cards improperly by exceeding the micro-purchase threshold or splitting purchases on a VISN 15 contract for restroom supplies. However, after the contract expired, purchase cardholders made 18 split purchases valued at approximately $73,000 when placing Federal Supply Schedule (FSS) orders to buy restroom supplies from the same vendor that had performed the expired restroom supply contract. These split purchases resulted in unauthorized commitments as well as improper payments. This occurred because purchase cardholders continued to act as if they were still operating under the contract for restroom supplies after it had expired—by placing orders with the same vendor using a General Services Administration (GSA) FSS contract. Although the GSA FSS orders were similar to the orders allowable under the terms of the expired requirements contract, they were now considered split purchases under the terms of the Federal Acquisition Regulation because they were no longer governed by the contract. The split purchases also occurred because the purchase cardholders did not have a clear understanding of what constituted a split purchase. VISN 15’s oversight of these purchase card transactions was ineffective and approving officials did not question what appeared to be the same routine purchases of restroom supplies, which had been occurring year after year subsequent to the expiration of the contract. As of July 2016, VISN 15 officials were not awarding separate contracts to purchase commodity items such as restroom supplies. 
We recommended the VISN 15 Director submit ratification requests for FY 2015 unauthorized commitments identified in the report, conduct additional focused training on split purchases, and establish more rigorous monitoring mechanisms over the VISN 15 purchase card program.
Special Inspector General for the Troubled Asset Relief Program
Report Description
SIGTARP identifies the most serious management and performance challenges and threats facing the Government in TARP. Our selection is based on the significance and duration of the challenge/threat to the mission of TARP and Government interests; the risk of fraud or other crimes, waste or abuse; the impact on agencies in addition to Treasury; and Treasury’s progress in mitigating the challenge/threat.
We determined that component personnel are not always safeguarding or tracking sensitive assets that, if lost, would result in critical mission impact or loss of life. Additionally, component’s practices surrounding badges may result in unnecessary risk. We recommended that DHS enhance policy, improve oversight, and require justifications for any non-law enforcement badges. We made six recommendations to improve the tracking and safeguarding of sensitive assets. DHS concurred with all six of our recommendations.
The narrative and accompanying responses submitted to the Office of Management and Budget (OMB) through the CyberScope portal provide our independent assessment of the quality of NARA’s information security practices.