The Chief Financial Officers Act of 1990 requires the Inspector General to audit the agency’s financial statements each year, which is intended to help improve an agency’s financial management and controls over financial reporting. For FY 2025, the auditors issued an unmodified opinion on the FY 2025 consolidated financial statement of the Department. The auditors reported that the FY 2025 consolidated financial statement is presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles. In the Report on Internal Control over Financial Reporting, the auditors identified one material weakness and three significant deficiencies in internal control over financial reporting. In the Report on Compliance and Other Matters, the auditors reported no instances of noncompliance that were required to be reported under Government Auditing Standards or OMB Bulletin No. 24-02. Seven recommendations were made to the Department to address the internal control findings. Management concurred with the findings and agreed to take action to address the recommendations. See pages 84-96 for the report.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 1.1 | Yes | $0 | $0 | We recommend that management design and implement controls that respond to the risks associated with the reliability of key underlying data and code used in developing the subsidy re-estimates. Such review should be documented and maintained. |
| 2.1 | Yes | $0 | $0 | We recommend that management: 1. Evaluate, design, and implement security management controls to ensure that corrective actions remediate the risk and address the root cause of findings and quality reviews over the POA&M closure documentation are conducted to confirm that the noted deficiencies are fully addressed to prevent future reoccurrences. |
| 2.2 | Yes | $0 | $0 | We recommend that management evaluate, design, and implement logical access controls and provide training and oversight over access provisioning, removal and/or deactivation of access, periodic reviews and recertifications of access, and adherence to password and security setting requirements, segregation of duties, and least privileged principles. |
| 2.3 | Yes | $0 | $0 | We recommend that management evaluate, design, and implement change management controls to ensure the Department’s system change management process identifies and categorizes the types of changes that impact the system, data, and configurations in addition to defining and documenting the change descriptions and requirements for testing, approvals, documentation, audit trails, and retention for each system change. |
| 2.4 | Yes | $0 | $0 | We recommend that management evaluate, design, and implement computer operations controls to develop and implement formal procedures addressing controls over changes to production jobs and schedules and the monitoring of actions taken by the generic/shared job processing account in the job scheduling tool. |
| 3.1 | Yes | $0 | $0 | We recommend that management ensure that controls are operating effectively over the complete and timely review of SOC reports to ensure the scope adequately covers the controls in place at the service organization, including the CUECs presented in such reports. Furthermore, management should implement and execute controls designed to address those CUECs in a timely manner. |
| 4.1 | Yes | $0 | $0 | We recommend that management implement key monitoring controls to ensure that corrective action plans are implemented to remediate control deficiencies identified in a timely manner. In addition, increase oversight, review, and accountability over the process among various offices and directorates within the Department. |