Federal Reports

We found several areas of the privacy program to be generally effective, including (1) completion of privacy impact assessments, (2) privacy related training taken by network users, (3) privacy considerations during the authority to operate process, (4) system categorization, (5) privacy incident response, (6) privacy-related contract terms and conditions, and (7) desktop and laptop sanitization. However, we identified seven issues that should be addressed by TVA management to further increase the effectiveness of the privacy program. Specifically, we found:1. Unsecured electronic restricted personally identifiable information on SharePoint and shared network drives. 2. Unsecured hard copy restricted personally identifiable information.3. No end user notifications for e-mail security violations.4. No technical controls for removable media.5. We could not confirm that all desktops and laptops utilize encryption.6. Privacy Act notices on TVA forms did not include all required elements.7. Not all external Web sites included privacy policies. (Note: Prior to completion of our audit, TVA Technology and Innovation took action to address the external Web sites that were missing required privacy policies.)We also found gaps between TVA’s policies and procedures and applicable federal privacy regulations and guidance.

This report presents the results of the System and Organization Controls 1 Type 2 examination conducted in accordance with Statement on Standards for Attestation Engagements No. 18 for the United States Department of Agriculture’s (USDA) National Finance Center (NFC) description of its payroll and personnel systems used to process user entities payroll and human resource transactions throughout the period October 1, 2020 to June 30, 2021.

This report presents the results of the System and Organization Controls 1 Type 2 examination conducted in accordance with Statement on Standards for Attestation Engagements No. 18 for the United States Department of Agriculture’s (USDA) National Finance Center (NFC) description of its payroll and personnel systems used to process user entities payroll and human resource transactions throughout the period October 1, 2020 to June 30, 2021.

Our objective was to assess the U.S. Postal Service’s service performance for all mail classes over an 18-month period and determine the most common failure points in the mail flow process.Mail is divided into different categories called “classes,” each having different features, service levels, and postage rates. The Postal Service has service standards for delivering mail in each class after receiving it from the customer. The delivered mail is measured against the service standards and the service performance targets for each mail class to determine the percentage of mail delivered on time.We analyzed service performance for Priority, First-Class, Periodicals, Marketing, and Bound Printed Matter mail classes. We also reviewed data to identify where in the mail flow process service failures occurred.

We focused on the Trusted Traveler Programs (TTP) membership revocations of three U.S. citizens associated with the migrant caravan and whether CBP revoked the TTP memberships in retaliation for the individuals’ support of the migrant caravan. We also addressed systemic issues related to TTP revocations that we identified while reviewing those three revocations. We found that CBP revoked three U.S. citizens’ TTP memberships after discovering links to information that it considered derogatory and a potential security risk. In two of the revocations, CBP did not assess the quality or accuracy of the potentially derogatory information at any step of the process. Specifically, we determined that CBP officers did not evaluate unsubstantiated information, and made unsupported conclusions and placed lookouts in TECS on these two individuals. Further, because of CBP’s policy to revoke memberships based on positive matches to TECS records, CBP revoked these two memberships without evaluating the underlying information. We made two recommendations to ensure two TTP membership revocations were based on quality and accurate information and to issue guidance to personnel about TTP revocation standards.

The evidence did not support a finding of retaliation because the letter issued by the senior official was not considered a personnel action.

Objective: To report internal control weaknesses, noncompliance issues, and unallowable costs identified in the single audit to the Social Security Administration (SSA) for resolution.