Federal Reports

This report presents the results of our self-initiated audit of Refunds and Voids at the Hoffman Estates, IL, Branch. The Hoffman Estates Branch is in the Central Illinois District of the Great Lakes Area. This audit was designed to provide U.S. Postal Service management with timely information on potential financial control risks at Postal Service locations.

We determined that although U.S. Customs and Border Protection (CBP) had controls over its polygraph examination process, a key control over its review and approval process was not always operating as intended. Specifically, in a small number of cases, the polygraph quality control program may not have always conducted independent and objective reviews (blind reviews) of polygraph examination results, as required. During the audit, CBP addressed our concerns and updated its quality controls procedures. These updated procedures - finalized in September 2017 - require independent and objective quality control reviews. We also determined that 96 percent of the complaints we reviewed were unfounded or ambiguous. However, CBP did not have a formal complaint review process, which led to inconsistent and subjective reviews. This approach risks not finding or properly addressing issues contained in the complaints. We made two recommendations that will improve CBP’s quality control reviews and its complaint review process. CBP concurred with the recommendations.

We completed an inspection of the U.S. Department of the Interior’s compliance with secure communication requirements for publicly accessible web and email systems from the U.S. Department of Homeland Security (DHS) and the Office of Management and Budget (OMB). The General Services Administration (GSA) performs periodic testing for these requirements and publishes governmentwide compliance results on the Pulse Dashboard (Pulse).While our inspection revealed that the Department was over 90 percent compliant with the mandated security requirements, we found that the Department does not have an inventory of publicly accessible websites, did not meet encryption requirements for its primary email service (BisonConnect), and operated websites without the appropriate domain. Specifically, we found:• 92 percent of the Department websites we tested were compliant with the mandated security requirements. Our overall test results matched closely with the Pulse reported results (94 percent), demonstrating that the Department actively responded to the reports published on Pulse and worked to resolve noncompliant systems.• 357 publicly accessible websites that were not reported on Pulse, as the tool used by the GSA is not capable of testing websites accessed via IP address or over nonstandard ports. Our testing of these unknown websites found only a 48 percent compliance with the DHS and OMB requirements.• The Department implemented the Domain-based Message Authentication, Reporting and Conformance requirements for 134 of the 144 identified email domains (93 percent). In addition, we found that four email domains were ahead of schedule and already configured with requirements not due until October 2018. The BisonConnect email service used by all DOI employees, however, was not compliant with web or email encryption requirements.• The Department operated 20 websites that did not use the .gov Top-Level Domain, which contributed to the number of unidentified websites that are not being tested regularly. We believe the Department’s processes for deploying new websites will prevent this from happening in the future, as the non-compliant domains appear to be leftover configurations existing prior to the OMB requirement.Email and web systems that are not complaint with the DHS and OMB requirements pose an increased risk to the privacy of users and the confidentiality and integrity of Department data. We made six recommendations to help the Department improve its compliance with these requirements.

We inspected 15 financial assistance agreement files of the U.S. Fish and Wildlife Service’s (FWS’) International Affairs Program (IA).Across all 15 agreements reviewed, we found instances where the IA did not comply with Federal regulations, FWS policy, or agreement terms and conditions when awarding and monitoring the agreements. Specifically, the grants management specialists did not:• Determine which laws and regulations apply to the agreements• Use the proper risk assessment form• Properly evaluate recipients’ financial management systems• Complete the required business evaluation and budget analysis• Properly review recipients’ financial reports• Monitor the equipment schedulesThese failures could lead to fraud, waste, and mismanagement and affect the success of IA programs.We make 11 recommendations to help the IA better award and monitor its agreements with foreign recipients. The IA concurred with all recommendations.

Amtrak (the company) contracted with the independent public accounting firm of Ernst & Young LLP to audit its consolidated financial statements as of and for the fiscal year then ended, September 30, 2017, to provide a report on internal control over financial reporting and compliance with certain provisions of laws, regulations, contracts and grant agreements, and other matters. The contract also required Ernst & Young to perform a Single Audit of the company’s federal grants for the fiscal year ended September 30, 2017, in accordance with the audit requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the company receives federal funding, it must obtain an audit performed in accordance with U.S. generally accepted government auditing standards.As authorized by the Inspector General Act of 1978, we monitored the audit activities of Ernst & Young to help ensure audit quality and compliance with auditing standards. Our review disclosed no instances in which Ernst & Young did not comply, in all material respects, with U.S. generally accepted government auditing standards and Uniform Guidance requirements.