Federal Reports

We investigated allegations that an oil and gas company incorrectly adjusted oil and gas reporting and failed to apply the proper pricing for minerals produced from leases in New Mexico, potentially resulting in a loss of royalties.We determined that the alleged conduct occurred outside the 5-year statute of limitations for criminal conduct and would be appropriately addressed through administrative enforcement actions and orders. As a result, we referred the matter to the Office of Natural Resources Revenue (ONRR).

The Office of the Inspector General included an audit of TVA’s Maximo vendor master file in our annual audit plan due to the risk of improper payments associated with the large amount of payments processed annually using Maximo data. Our audit objective was to determine if TVA’s Maximo vendor master file is properly maintained according to best practices and Supply Chain Standard Programs and Processes 04.014, Supplier Maintenance. Our audit scope included the data in TVA’s Maximo vendor master file as of November 20, 2019.In summary, we found no significant instances of noncompliance with TVA’s Standard Programs and Processes, but did note that best practices were not consistently followed for maintenance of the vendor master file. Specifically, we found (1) Maximo does not log changes to the vendor master file, (2) instances where vendor addresses match employee addresses, (3) duplicate vendors, (4) vendors are not deactivated in a timely manner, (5) no minimum requirements for vendor record data, and (6) vendors with no physical address.

The objective for this report was to assess the extent to which the company has effectively implemented more economical purchasing practices we recommended in a 2015 report. We found that the company is realizing some of the cost-saving opportunities we identified in our prior report but still has not fully addressed the gaps in procurement practices we highlighted. For example, the company could have saved up to $4.5 million in material costs in fiscal year (FY) 2019 if it had a robust data analytics capability to assess its procurement data and used the results to influence its purchasing decisions. Additionally, the company has opportunities to reduce costs in its purchase order contracts by negotiating early payment discounts. Our analysis of FY 2019 purchase data showed it could have saved up to $5.4 million by these discounts.To address these findings, we recommended that the company develop and implement a data analytics capability to help enable better informed purchasing decisions. Additionally, we recommended that the company direct that buyers negotiate early payment discounts and extended payment terms, or to choose the most beneficial of the two options if vendors do not agree to both.

What We Looked AtIn 2012, Congress directed the Federal Aviation Administration (FAA) to develop a plan for the safe integration of unmanned aircraft systems (UAS)—also known as drones—into the National Airspace System. As part of its integration and oversight of UAS, FAA compiles data in its UAS registration service—known as FAA DroneZone—as well as in its Low Altitude Authorization and Notification Capability (LAANC), an automated system that authorizes registered UAS users to fly their drones near airports. Both DroneZone and LAANC are cloud-based systems that contain sensitive data provided by the general public, including personally identifiable information (PII). We initiated this audit to determine whether FAA’s UAS registration system has the proper security controls and recovery procedures in place. Our audit objectives were to (1) assess the effectiveness of FAA’s UAS registration system security controls, including controls to protect PII, and (2) determine whether FAA’s contingency planning limits the effects caused by the loss of DroneZone during disruptions of service. What We FoundFAA has not effectively ensured that DroneZone and LAANC have adequate security—including privacy—controls. For example, FAA has continued to authorize DroneZone operations without conducting a comprehensive assessment of its security controls since it first began to operate the system in 2015. In addition, FAA’s inadequate monitoring of security controls and use of unauthorized cloud systems increases the risk of the systems being compromised. Furthermore, FAA could not demonstrate that 24 of 26 privacy controls were assessed to protect 1.5 million DroneZone users’ PII. We also found that FAA’s contingency planning does not adequately limit the effects caused by a potential disruption of services. Finally, FAA does not have sufficient controls for handling backups and off-site storage to ensure continuous operations and maintain data availability. Our RecommendationsFAA concurred with all 13 of our recommendations to improve the security of the DroneZone and LAANC systems and privacy of user information.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements