Federal Reports

The Postal Service contracts with supplier-operated HCRs to transport mail and equipment between plants, post offices, or other designated points that receive or dispatch mail. Per the Postal Service’s Supplying Principles and Practices (SP&P), the supplier must maintain automobile liability insurance with a comprehensive policy that provides bodily injury and property damage liability covering the operation of all automobiles used in contract performance. Evidence of supplier insurance must be maintained in Postal Service’s electronic or paper format repositories. Our objective was to determine whether Postal Service Contracting Officers (CO) are properly managing Highway Contract Route (HCR) contracts — specifically liability insurance requirements — in accordance with policies and procedures.

We conducted a limited scope audit of South Arts for the period of July 1, 2015 to June 30, 2018. This type of audit involves a limited review of financial and nonfinancial information to ensure validity and accuracy of award recipients’ reported information, and compliance with state and Federal requirements. Our limited scope audit concluded that South Arts generally did not comply with the financial management system and recordkeeping requirements established by the OMB and NEA. While performance requirements were generally satisfied, we identified multiple financial management and internal control areas requiring improvement to ensure that South Arts complies with OMB and NEA award requirements as follows: South Arts reported unallowable costs on its Federal Financial Reports (FFRs) for two NEA Awards; South Arts reported duplicate costs on its FFR for one NEA award; South Arts did not report actual costs on its FFRs for two NEA awards; South Arts did not maintain adequate documentation to support costs charged to three NEA awards; South Arts did not maintain current debarment and suspension policies and procedures; South Arts did not comply with Federal requirements related to record retention; and South Arts did not have policies and procedures for the management of Federal awards.

We determined that the Federal Emergency Management Agency (FEMA) violated the Privacy Act of 1974 and Department of Homeland Security policy by unnecessarily releasing to a contractor the Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII) of 2.3 million survivors of Hurricanes Harvey, Irma, and Maria and the California wildfires in 2017. FEMA should have provided the contractor with only limited information needed to verify disaster survivors’ eligibility for the program. The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements. Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud. We recommend FEMA implement controls to ensure it sends only required data elements to contractors. Further, FEMA should assess the extent of this privacy incident and implement a process for ensuring that PII, including SPII, of registered disaster survivors previously released to the contractor is properly destroyed pursuant to DHS policy. FEMA concurred with our two recommendations, notified Congress of the privacy incident as required, and has begun to take actions that have identified additional security vulnerabilities. FEMA’s estimated completion date for implementing the recommendations is June 30, 2020. Given the sensitive nature of these findings, we urge FEMA to expedite this timeline.

In accordance with our Annual Performance Plan Fiscal Year 2019, dated October 2018, the Office of Inspector General (OIG) assessed Avue. Our objectives were to determine if the Department (1) appropriately monitored the Avue contract, (2) established effective controls that ensured the integrity of Avue data, and (3) complied with laws, regulations, and guidance. Our scope included controls, processes, and operations during calendar year 2018.