Federal Reports

Based on our audit, we determined that the Water Infrastructure Finance and Innovation Act of 2014 program’s loan award process and subsequent monitoring activities provided reasonable assurance that WIFIA loans were administered in accordance with federal and EPA requirements and that funding was used as intended to improve America’s public water infrastructure.

Since Fiscal Year (FY) 2017, AmeriCorps has not obtained an audit opinion on its financial statements. In FY 2021, independent auditors found nine material weaknesses and one significant deficiency, resulting in a total of 73 recommendations. In addition, each of AmeriCorps Office of Inspector General’s (OIG) annual Federal Information Security Modernization Act of 2014 (FISMA) evaluations since FY 2017 concluded that AmeriCorps’ cybersecurity and privacy program is ineffective. AmeriCorps has made little progress in implementing the 41 FISMA recommendations. The OIG historically conducts these evaluations in tandem with the financial statement audit because they overlap in significant respects. AmeriCorps’ challenges in financial management and accounting were the subject of December 1, 2021, hearing before the House Committee on Education and Labor. On a bipartisan basis, members articulated their expectation that AmeriCorps take decisive action to remedy the recurring problems identified in past financial statement audits. AmeriCorps, in response, described how it intends to address these serious weaknesses through a multi-year process and comprehensive corrective action plans (CAPs). To support these measures, the OIG engaged CliftonLarsonAllen, LLP (CLA), which conducted the financial statement audits and FISMA evaluations, to provide immediate feedback on AmeriCorps CAPS, approved as of January 7, 2022. While a CAP assessment should ordinarily occur during a financial statement audit and FISMA evaluation, AmeriCorps had not previously prepared meaningful CAPs. This report contains CLA’s assessment of the current CAPs. CLA rated 59 percent of the financial statement audit CAPs as “Reasonable,” 31 percent as “Required Refinement,” and 10 percent as “Inadequate.” For the FISMA evaluation CAPs, CLA determined that 66 percent were “Reasonable,” 22 percent “Required Refinement”, and 12 percent were “Inadequate.” CLA’s assessment included explanations for any CAP rated “Inadequate” and the improvements necessary to obtain a rating of “Reasonable.”Since the December 2021 hearing, AmeriCorps has made meaningful progress in creating CAPs and centralizing and elevating their supervision to the executive level. Additional expertise is needed, however, to address the most consequential of the material weaknesses. With a sustained commitment, AmeriCorps can substantially improve its financial management and cybersecurity infrastructure.

The VA Office of Inspector General (OIG) evaluated the merits of a May 2021 hotline complaint alleging that the Veterans Benefits Administration (VBA) disregarded privacy procedures so it could more quickly use a workload tracking system without receiving the appropriate security authorization. The Mission Accountability Support Tracker (MAST) helps quantify the work VBA’s support services staff perform in response to employee requests for facility, equipment, and vehicle management; reasonable accommodation; and identification card issuance and renewal. Because staff use personally identifiable information (PII) in their work, the information could be compromised in an unauthorized, unsecure application.The complaint also alleged that VBA knew that MAST did not have an approved privacy threshold analysis or privacy impact assessment, yet trained staff on using the system and knowingly “loaded” PII into the application. The privacy threshold analysis and privacy impact assessment mitigate the risk of unauthorized access and subsequent data misuse, changes, loss, or disclosure. The assessments also help ensure that systems or applications have security controls that are appropriate for the sensitivity of the information stored.The OIG found that VBA and the Office of Information and Technology (OIT) did not correctly follow privacy and security procedures. VBA’s privacy threshold analysis was inaccurate, and OIT did not conduct a privacy impact assessment. OIT’s misclassification of MAST as an asset resulted in insufficient security controls. Further, VBA lacked the authority to operate MAST before using it in regional offices.The OIG made four recommendations to ensure future information technology projects follow an approved management process and that VBA provides sufficient guidance to staff to ensure MAST is used as intended while keeping the PII of VA employees and contractors safe and secure.

This report presents a summary of the results of our self-initiated audits assessing mail delivery, customer service, and property conditions at three select delivery units in the Indianapolis, IN region (Project Number 22-091). These delivery units were the Plainfield Main Post Office (MPO) in Plainfield, the Carmel MPO in Carmel, and Linwood Station in Indianapolis. We previously issued interim reports to district management for each of these units regarding the conditions we identified. In addition, we issued a report on the efficiency of operations at the Indianapolis Processing and Distribution Center (P&DC), which services these three delivery units.All three delivery units are in the Indiana District of the Central Area and have a combined total of 66 city routes and 44 rural routes. Staffing at the delivery units during our audits included 69 full-time city carriers, 19 city carrier assistants, 45 full-time rural carriers, 23 rural replacement carriers, 24 full-time clerks, and five postal support employees (see Table 1).