Reports

Department of Defense OIG

Audit of DoD Actions Taken to Protect DoD Information When Using Collaboration Tools During the Coronavirus Disease–2019 Pandemic

Full Details: Oversight.gov Report Page

Audit | 6/06/2023

D-2023-0079-D000CR-0001-0001.A1a - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0001.A1b - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0002.A2 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0003.A3 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0004.A4 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0005.A5 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0001.B1a - Closed

(U) Rec. B.1.a: The DoD OIG recommended that the Chief Information Officer for the Defense Finance and Accounting Service renegotiate changes with the Adobe Connect vendor to configure Adobe Connect to require privileged users to authenticate into the collaboration tool using multifactor authentication.

D-2023-0079-D000CR-0002-0001.B1b - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0002.B2 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0003.B3a - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0003.B3b - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0003.B3c - Closed

Rec. B.3.c: The DoD OIG recommended that the Chief Information Officer for the Defense Threat Reduction Agency configure Zoom for Government to lock user accounts after three unsuccessful logon attempts in a 15-minute period.

D-2023-0079-D000CR-0003-0001.C1 - Closed

Recommendation is CUI

Department of Education OIG

Federal Student Aid’s Processes for Waiving Return of Title IV Requirements, Cancelling Borrowers’ Obligation to Repay Direct Loans, and Excluding Pell Grants from Federal Pell Lifetime Usage

FSA had adequate processes for waiving R2T4 requirements, cancelling borrowers’ obligation to repay Direct Loans, and excluding Pell disbursements from Pell lifetime usage for impacted students. FSA also designed adequate processes for schools to report the number and amounts of R2T4 waivers applied.

Full Details: Oversight.gov Report Page

Department of Defense OIG

Audit of DoD Actions Taken to Implement Cybersecurity Protections Over Remote Access Software in the Coronavirus Disease–2019 Telework Environment

Full Details: Oversight.gov Report Page

Audit | 3/24/2023

D-2023-0057-D000CR-0001-0001.A1 - Closed

Rec. A.1: The DoD OIG recommended that the Director of the U.S. Southern Command - Joint Interagency Task Force South Command, Control, Communications, Computers, Cyber and Intelligence direct its network administrators to scan the VMware Horizon main virtual desktop for malware in accordance with the McAfee Endpoint Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not scanning the main virtual desktop.

D-2023-0057-D000CR-0001-0002.A2a - Open

Rec. A.2.a: The DoD OIG recommended that the Chief Information Officer of the Department of the Air Force revise its policy to align with the Windows 10 Security Technical Implementation Guide requirement for disabling inactive user accounts after no more than 35 days.

D-2023-0057-D000CR-0001-0002.A2b - Open

Rec. A.2.b: The DoD OIG recommended that the Chief Information Officer of the Department of the Air Force direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0003.A3 - Closed

Rec. A.3: The DoD OIG recommended that the Chief Information Officer of the Naval Surface Warfare Center - Panama City Division direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0004.A4a - Closed

Rec. A.4.a: The DoD OIG recommended that the Chief Information Officer of the Defense Intelligence Agency revise its policy to align with the Windows 10 Security Technical Implementation Guide requirement for disabling inactive users after no more than 35 days.

D-2023-0057-D000CR-0001-0004.A4b - Closed

Rec. A.4.b: The DoD OIG recommended that the Chief Information Officer of the Defense Intelligence Agency direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0005.A5a - Closed

Rec. A.5.a: The DoD OIG recommended that the Director of the Marine Corps Information Command, Control, Communications, and Computers revise the organization's policy to align with the Windows 10 Security Technical Implementation Guide requirement for disabling inactive users after no more than 35 days.

D-2023-0057-D000CR-0001-0005.A5b - Closed

Rec. A.5.b: The DoD OIG recommended that the Director of the Marine Corps Information Command, Control, Communications, and Computers direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0006.A6 - Closed

Rec. A.6: The DoD OIG recommended that the Director of the Defense Information Systems Agency Joint Service Provider direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0002-0001.B1 - Closed

Rec. B.1: The DoD OIG recommended that the Director of the Defense Information Systems Agency Joint Service Provider direct network and system administrators to revise the vulnerability management program to include mitigation timeframes for all vulnerabilities and develop plans of actions and milestones for all vulnerabilities that cannot be mitigated in a timely manner.

Department of Education OIG

University of Cincinnati’s Use of Higher Education Emergency Relief Fund Student Aid and Institutional Grants

Our objective was to determine whether the University of Cincinnati (University) used the Student Aid (Assistance Listing Number (ALN) 84.425E) and Institutional (ALN 84.425F) portions of its Higher Education Emergency Relief Fund (HEERF) funds for allowable and intended purposes. The University spent $109.9 million (83 percent) of its total HEERF allocation of $132.8 million as of September 30, 2021. The University generally used the Student Aid ($42.1 million) and Institutional ($67.8 million) portions of its HEERF grant funds for allowable and intended purposes but needs to strengthen its...

Full Details: Oversight.gov Report Page

Audit | 1/17/2023

1.1 - Closed

Require the University of Cincinnati to develop and implement a review process to prevent or detect payment errors when awarding emergency financial aid grants to students, including written policies and procedures detailing how the reviews shall be conducted and the results documented, in accordance with 2 C.F.R. section 200.303.

1.2 - Open

Require the University of Cincinnati to develop and implement written policies, procedures, and management review to ensure that its award determinations, eligibility criteria, and management decisions related to eligibility for its emergency financial aid grants to students are adequately documented and supported at the time award decisions are made, in accordance with 2 C.F.R. section 200.302(b)(3).

1.3 - Open

Require the University of Cincinnati to carefully document how its student aid eligibility criteria prioritized and continues to prioritize students with exceptional need throughout the HEERF grant performance period.

2.1 - Open

Require the University of Cincinnati to develop and implement written policies and procedures, including procedures that would identify and prevent improper revenue recognition and duplicate charges, to ensure that future calculations for charging lost revenue to its HEERF Institutional grant are reviewed for accuracy and consistency with its financial reporting policies and procedures.

2.2 - Open

Determine whether the University of Cincinnati implemented appropriate corrective actions to resolve the $797,965 in unsupported lost revenue costs it charged to its HEERF Institutional grant; and, if the corrective actions are inappropriate, require the University to either return the funds to the Department or reallocate the funds for allowable expenditures.

2.3 - Open

Determine whether the $1,916,041 that the University of Cincinnati charged to its HEERF Institutional grant for noncompetitive procurements was reasonable when compared to the costs of suitable alternatives; and, if the charges were inappropriate, require the University to either return the funds to the Department or reallocate the funds for allowable expenditures.

2.4 - Open

Require the University of Cincinnati to develop and implement written policies and procedures to ensure that procurements charged to its HEERF Institutional grant are in accordance with applicable Federal requirements; and it consistently follows its procurement policies and procedures, including maintaining sufficient documentation to support its rationale for noncompetitive procurements and the basis for and reasonableness of the contract price.

3.1 - Open

Require the University of Cincinnati to incorporate in its policies and procedures and implement the cash management requirements for minimizing the time between drawing down and disbursing Federal grant funds, and remitting interest earned in excess of $500 in accordance with 2 C.F.R. section 200.305(b).

3.2 - Open

Require the University of Cincinnati to remit $35,439 based on the TIP’s average rate of return, less no more than $320 ($500 minus the $180 already retained) for administrative expenses if applicable; and remit the actual amount of earned interest on any future advances of Federal funds, in accordance with 2 C.F.R. section 200.305(b)(9).

4.1 - Open

Require the University of Cincinnati to develop and implement written policies and procedures that incorporate the HEERF program’s reporting requirements and ensure that the expenditures in its quarterly HEERF Institutional expenditure reports are accurate and reported in the appropriate expenditure category.

Small Business Administration OIG

COVID-19 and Disaster Assistance Information Systems Security Controls

This report presents the results of our audit to determine whether the U.S. Small Business Administration (SBA) maintained effective management control activities and monitoring of the design and implementation of third-party operated SBA systems. SBA needed information technology systems from third-party service providers that could improve the system efficiency and productivity to process high transaction volumes, transmit data between other information systems, and safeguard the integrity and confidentiality of the personally identifiable information processed by the programs. We found the...

Full Details: Oversight.gov Report Page

Audit | 9/27/2022

1 - Open

Ensure the existing SBA System Development Methodology is updated to include supply chain risk-management practices as required by OMB Circular A-130 and high-value asset system designation guidance. Also, ensure high-value asset system risks are incorporated into the enterprise risk management framework, as recommended by OMB M-19-03 and SBA SOP 90 47 6.

10 - Open

Implement an automated process to document and monitor system changes as recommended by NIST SP 800-53 Rev. 5.

2 - Open

Communicate and enforce the SBA System Development Methodology in which a traceability matrix is used to ensure that system requirements can be tested and demonstrated in the operational system. Ensure all requirements are aligned with the contractual acceptance criteria.

3 - Open

Implement in updated agency guidance, the requirements of OMB Circular No. A-123 that stipulate a SOC 1 Type 2 report is needed for all new and existing financial systems. This guidance should also require confirmation at least annually that the controls are functioning as designed.

4 - Closed

Enforce the requirement to establish and implement internal controls to ensure appropriate program officials perform and document contract reviews to ensure that information security is appropriately addressed in the contracting language, as required by OMB Circular A-130 and SBA SOP 90 47 6.

5 - Open

In conjunction with the Enterprise Risk Management Board, implement enterprise-wide privacy risk mitigation practices that can be assimilated into new and existing system program designs.

6 - Open

Complete an initial assessment and authorization for each information system and all agency-designated common controls before operation.

7 - Open

Transition information systems and common controls to an ongoing authorization process (when eligible for such a process) with the formal approval of the respective authorizing officials or reauthorize information systems and common controls as needed, on a time or event-driven basis in accordance with agency risk tolerance, as required by OMB Circular No. A-130 and SOP 90 47 6.

8 - Open

Review and update POA&Ms at least quarterly as required by SOP 90 47 6.

9 - Closed

Ensure data-sharing agreements are reviewed annually as required by SBA SOP 90 47 6.

Department of Defense OIG

Audit of the DoD Certification Process for Coronavirus Aid, Relief, and Economic Security Act Section 4003 Loans Provided to Businesses Designated as Critical to Maintaining National Security

Full Details: Oversight.gov Report Page

Audit | 9/20/2022

Department of Education OIG

Michigan’s Administration of the Governor’s Emergency Education Relief Fund

The objectives of the audit were to determine whether the State of Michigan (Michigan) designed and implemented awarding processes that ensured that the Governor’s Emergency Education Relief Fund (GEER grant) was used to support local educational agencies (LEAs) and institutions of higher education (IHEs) that were most significantly impacted by the coronavirus or LEAs, IHEs, or other education-related entities within the State that were deemed essential for carrying out emergency educational services; and monitoring processes to ensure that subgrantees used GEER grant funds in accordance with...

Full Details: Oversight.gov Report Page

Audit | 9/14/2022

Small Business Administration OIG

COVID-19 Economic Injury Disaster Loan Applications Submitted from Foreign IP Addresses

We evaluated the U.S. Small Business Administration’s (SBA) controls to flag or prevent potentially fraudulent Coronavirus Disease 2019 (COVID-19) Economic Injury Disaster Loan (EIDL) applications submitted from foreign Internet Protocol (IP) addresses. Although the agency implemented several layers of controls to prevent or reduce fraud from foreign countries, individuals at foreign IP addresses were able to access the COVID-19 EIDL application system. SBA received millions of attempts to submit COVID-19 EIDL applications from foreign IP addresses and stopped most of them; however, the agency...

Full Details: Oversight.gov Report Page

Audit | 9/12/2022

Department of Education OIG

Oklahoma’s Administration of the Governor’s Emergency Education Relief Fund Grant

The objectives of the audit were to determine whether the State of Oklahoma (Oklahoma) designed and implemented awarding processes that ensured that the Governor's Emergency Education Relief Fund (GEER grant) was used to support local educational agencies (LEA) and institutions of higher education (IHE) that were most significantly impacted by the coronavirus or LEAs, IHEs, or other education-related entities within the State that were deemed essential for carrying out emergency educational services; and monitoring processes to ensure that subgrantees used GEER grant funds in accordance with...

Full Details: Oversight.gov Report Page

Audit | 7/18/2022

1.1 - Open

Provide documentation, or a full and detailed written explanation, of the process Oklahoma used to determine the initiatives it supported with GEER grant funds and the entities it selected to administer the initiatives.

1.2 - Open

Develop and implement a process to ensure that it documents the criteria and decisions made for awarding future GEER grant funds in accordance with applicable requirements.

1.3 - Open

Develop and implement internal controls to ensure that it administers current and future GEER grants in accordance with applicable Federal laws and grant requirements, including ensuring that grant subrecipients are provided the proper award documentation; and that any entity that is awarded Federal funds retains records relating to those awards in accordance with Federal requirements.

1.4 - Open

Perform a 100 percent review, or review a statistical sample, of the Stay in School Fund microgrant recipients to confirm that all students were eligible to receive GEER grant funds.

1.5 - Open

Develop and implement written policies and procedures to describe the specific circumstances under which deviations from procurement rules are warranted, including procedures about required documentation of such decisions for procurements that do not use competitive bidding but use Federal education funds.

1.6 - Open

Take appropriate action if the documentation and other information provided by Oklahoma in response to the above recommendations does not support that the State followed applicable requirements.

2.1 - Open

Return $652,720 to the Department for the unallowable Bridge the Gap expenditures we identified or provide documentation to support that the expenditures were allowable or the items were purchased with personal funds.

2.2 - Open

Perform a 100-percent review, or review a statistical sample, of the $5,473,894 in Bridge the Gap expenditures that we did not review to determine whether the expenditures were allowable, and if applicable, return the funds for any unallowable expenditures to the Department.

2.3 - Open

Develop and implement additional internal controls for the Skills to Rebuild, Learn Anywhere Oklahoma, Bridge the Gap, and Stay in School Fund initiatives that include written monitoring procedures for those processes that are already in place, and for additional procedures that include a review of expenditures and supporting documentation, and a review of documentation that supports the information in initiatives’ weekly status reports.

2.4 - Open

Develop and implement internal controls to ensure that fiscal agents for Federal grant programs obtain an understanding of the rules and regulations surrounding the grant programs they are tasked with overseeing.

3.1 - Open

Develop and implement controls to ensure that Oklahoma’s State agencies that receive Federal funds have written cash management policies and procedures, including policies for the draw down and disbursement of grant funds in accordance with Federal requirements.

3.2 - Open

Return to the Department any unexpended GEER grant funds applicable to our audit scope that are being held by GEER grant subrecipients.

3.3 - Open

3.4 - Open

Require its fiscal agent or State program representative to work closely with the Department to ensure that other GEER grants are administered in compliance with cash management rules and with any actions the Department determines are needed, if warranted.

Department of Defense OIG

DoD Cooperative Agreements With Coronavirus Aid, Relief, and Economic Security Act Obligations

Full Details: Oversight.gov Report Page

Date Range

Report Type

Report Category

Submitting Agency

State/Local Agency

State (State and Local Reports)

Fraud Type

Agency Reviewed

Related Organizations

Management Challenges

Any Recommendations

Any Open Recommendations

Reports

Audit of DoD Actions Taken to Protect DoD Information When Using Collaboration Tools During the Coronavirus Disease–2019 Pandemic

Federal Student Aid’s Processes for Waiving Return of Title IV Requirements, Cancelling Borrowers’ Obligation to Repay Direct Loans, and Excluding Pell Grants from Federal Pell Lifetime Usage

Audit of DoD Actions Taken to Implement Cybersecurity Protections Over Remote Access Software in the Coronavirus Disease–2019 Telework Environment

University of Cincinnati’s Use of Higher Education Emergency Relief Fund Student Aid and Institutional Grants

COVID-19 and Disaster Assistance Information Systems Security Controls

Audit of the DoD Certification Process for Coronavirus Aid, Relief, and Economic Security Act Section 4003 Loans Provided to Businesses Designated as Critical to Maintaining National Security

Michigan’s Administration of the Governor’s Emergency Education Relief Fund

COVID-19 Economic Injury Disaster Loan Applications Submitted from Foreign IP Addresses

Oklahoma’s Administration of the Governor’s Emergency Education Relief Fund Grant

DoD Cooperative Agreements With Coronavirus Aid, Relief, and Economic Security Act Obligations

Glossary

Glossary name will go here