The Office of the Inspector General (OIG) audited the Tennessee Valley Authority’s (TVA) use of remote application and desktop virtualization due to the risk of increased remote users during the COVID-19 pandemic and recent publicized remote access vulnerabilities. We found several areas where TVA was consistent with cybersecurity remote access best practices. However, we identified gaps in TVA’s configuration settings, architectural design, and administrative procedures. We recommend the Vice President and Chief Information and Digital Officer, Technology & Information, review the identified...
Evaluation of the Federal Reserve System’s Loan Purchase and Administration for Its Main Street Lending Program (MSLP)
In response to the COVID-19 pandemic, the Federal Reserve System established the MSLP—composed of five different lending facilities—to facilitate lending to small and medium-sized for-profit and nonprofit organizations. Through the MSLP, the Federal Reserve Bank of Boston (FRB Boston) purchased 1,830 loans amounting to approximately $17.5 billion from lenders; the majority of these loans were purchased during the last 2 months of the program. Following the purchase of the loans, FRB Boston is now responsible for administering the loans, including assessing overall credit risk and identifying substandard loans. FRB Boston leveraged third-party vendors to support both loan purchases and loan administration. We plan to assess the MSLP’s processes for loan purchases and loan administration, including the design, implementation, and operating effectiveness of internal controls.
Evaluation of the Federal Reserve System’s Vendor Selection and Management Processes Related to the Federal Reserve Bank of New York’s Emergency Lending Programs
As part of its emergency lending program, FRB New York operated six emergency lending facilities, five of which were supported by multiple vendor contracts. FRB New York awarded some of its emergency lending program–related contracts noncompetitively because of the exigent circumstances, and other contracts pose potential conflict-of-interest risks to the System. FRB New York’s reliance on vendors highlights the importance of its monitoring of vendor performance. We plan to assess the Board’s and FRB New York’s processes related to vendor selection and management for FRB New York’s emergency lending programs.
Results of Analytical Testing of the Board's Publicly Reported Data for the Secondary Market Corporate Credit Facility
Evaluation of Third-Party Cybersecurity Risk Management Processes for Vendors Supporting the Main Street Lending Program (MSLP) and the Secondary Market Corporate Credit Facility (SMCCF)
In response to the economic effects of the COVID-19 pandemic, the Board created new lending programs and facilities to provide loans to employers, certain businesses, and communities across the country to support the U.S. economy. To support the implementation of specific programs and facilities, the Federal Reserve Banks have contracted with third-party vendors for various services, such as administrative, custodial, legal, design, and investment management services. These vendors provide data generated from the operations and management of the facilities to the Reserve Banks, who then provide the data to the Board. We are evaluating the effectiveness of (1) the risk management processes designed to ensure that effective information security and data integrity controls are implemented by third parties supporting the administration of the MSLP and the SMCCF and (2) select security controls managed.
In March 2020, the World Health Organization declared the coronavirus (COVID-19) outbreak a global pandemic. The Tennessee Valley Authority (TVA) began taking steps to keep employees and their families safe, while also ensuring the agency could fulfill its mission of service. Due to the ongoing pandemic and its impact on TVA’s workforce related to mandatory telework and staffing, we initiated an evaluation to assess TVA’s response to COVID-19. The objective of our evaluation was to assess TVA’s response to COVID-19. Our scope included actions taken by TVA related to staffing, employee safety...
Audit of the Board's Data Aggregation, Validation, and Reporting Processes for its CARES Act Lending Programs
Section 4026 of the CARES Act and section 13(3) of the Federal Reserve Act require the Board to report certain information regarding its emergency lending programs. The Board has stated its commitment to transparency and accountability by announcing that it will report, on a monthly basis, information on the lending programs using CARES Act funding, including the names and details of the participants in each program; the amounts borrowed and the interest rate charged; and the overall costs, revenues, and fees for each program. We are assessing the Board’s processes for collecting, aggregating, and reporting lending information related to its CARES Act lending programs, including the data validation processes it uses to ensure that the information is current, accurate, and complete.
Monitoring of the Federal Reserve’s Lending Facilities
In response to the economic effects of the coronavirus pandemic, the Federal Reserve recently announced that it would create new lending facilities to provide loans to employers, certain businesses, and communities across the country to support the U.S. economy. Specifically, the following programs have been created or are in development: the Main Street Lending Program, the Paycheck Protection Program Liquidity Facility, the Municipal Liquidity Facility, the Primary Market Corporate Credit Facility, and the Secondary Market Corporate Credit Facility. We are initiating an active monitoring effort of these programs to gain an understanding of operational, governance, reputational, and financial matters associated with them. Through this monitoring effort, we will refine our focus on the programs and identify areas for future audits or evaluations. Some of the topics we are considering include the design, operation, governance, and oversight of the lending programs; data collection and reporting associated with the programs; and the effect of the programs on the Board’s supervision and regulation activities.