Federal Reports

We found that the Department and FSA made progress in strengthening its information security programs; however, weaknesses remained and the Department-wide information systems continued to be vulnerable to security threats. Specifically, we found that the Department was not generally effective in 4 of the 10 security areas reviewed—continuous monitoring, configuration management, incident response and reporting, and remote access management. Although we determined that the Department’s and FSA’s information technology security programs were generally effective in key aspects of three metric areas—risk management, security training, and contingency planning—we also noted that improvements were still needed in these areas. For the Department and FSA’s plan of action and milestones process, wedetermined that if implemented as intended, it should be effective. We also determined that the Department’s identity and accessmanagement programs and practices would be generally effective if implemented properly but that the Department’s controls overaccess to FSA’s mainframe environment need improvement.

For FY 2015, both the Department and FSA financial statements were fairly presented, in all material respects, in accordance with generally accepted accounting principles; however, like FY 2014, the financial statement auditors identified one significant deficiency in internal control over financial reporting and one instance of reportable noncompliance. The significant deficiency involved information technology controlsover security management, personnel security, access controls, and configuration management, which can increase the risk of unauthorized access to the Department’s systems used to capture, process, and report financial transactions and balances, affecting the reliability and security of the data and information. The instance of noncompliance involved a provision of the Debt Collection Improvement Act of 1996, as amended by the Digital Accountability and Transparency Act of 2014 which requires Federal agencies to notify the Secretary of the Treasury of debts that are more than 120 days delinquent. The auditors found that neither the Department nor FSA had processes in place to comply with the 120-day notification requirement.

For FY 2015, both the Department and FSA financial statements were fairly presented, in all material respects, in accordance with generally accepted accounting principles; however, like FY 2014, the financial statement auditors identified one significant deficiency in internal control over financial reporting and one instance of reportable noncompliance. The significant deficiency involved information technology controlsover security management, personnel security, access controls, and configuration management, which can increase the risk of unauthorized access to the Department’s systems used to capture, process, and report financial transactions and balances, affecting the reliability and security of the data and information. The instance of noncompliance involved a provision of the Debt Collection Improvement Act of 1996, as amended by the Digital Accountability and Transparency Act of 2014 which requires Federal agencies to notify the Secretary of the Treasury of debts that are more than 120 days delinquent. The auditors found that neither the Department nor FSA had processes in place to comply with the 120-day notification requirement.

To determine the accuracy of Social Security disability benefits paid to beneficiaries who also received Federal Employees’ Compensation Act (FECA) payments.