rowid,report_id,rec_number,significant,text,questioned_costs,funds_for_better_use
1,1-east-kentucky-corporation-dba-one-east-kentucky,26-12-01,No,"We recommend that the Grantee develop written policies and procedures regarding the management of federal awards, in accordance with the Uniform Guidance.",0,0
2,1-east-kentucky-corporation-dba-one-east-kentucky,26-12-02,No,We recommend that the Grantee revise the final Form SF-270 report issued to ARC to reflect the correct matching amounts.,0,0
3,2-platform-management-needs-improvement,5,No,The Chief Information Officer should retire older ******************** and migrate to more current ****************** in accordance with the documented migration plan.,0,0
4,2016-audit-boards-information-security-program,1,Yes,"Work with the Chief Information Officer to perform a risk assessment to determine which aspects of an insider threat program are applicable to other types of sensitive Board information and develop and implement an agency-wide insider threat strategy for sensitive but unclassified Board information, as appropriate.",0,0
5,2017-hurricane-relief-emergency-conservation-program,3,Yes,Establish and implement monitoring procedures in guidance requiring State officials to ensure district directors complete reviews and evaluate the results of the reviews to ensure ECP policies are being followed.,718755,0
6,2017-hurricane-relief-emergency-conservation-program,4,Yes,Establish and implement procedures in guidance to define how the district director reviews should be documented.,0,0
7,2017-hurricane-relief-emergency-conservation-program,5,Yes,Establish and implement monitoring procedures in guidance requiring State officials to ensure county executive directors complete spot checks and evaluate the results of the reviews.,0,0
8,2018-audit-boards-information-security-program,6,No,"Develop and implement a process to assess the knowledge, skills, and abilities of Board staff with significant security responsibilities and establish plans to close identified gaps.",0,0
9,2018-audit-bureaus-information-security-program,3,No,Determine whether established processes and procedures for management of user-access agreements and rules-of-behavior forms for privileged users are effective and adequately resourced and make changes as needed.,0,0
10,2019-audit-boards-information-security-program,5,No,"Work with the Federal Reserve System to ensure that the data loss protection replacement solution a. functions consistently across the Board's technology platforms. b. supports rulesets that limit the exfiltration weaknesses we identified, to the extent practicable.",0,0
11,2019-audit-boards-information-security-program,6,No,Develop and implement a Boardwide process to incorporate the review of data loss protection logs into employee and contractor offboarding processes to identify any potential unauthorized data exfiltrations or access.,0,0
12,2022-audit-cfpbs-information-security-program,4,No,Ensure that an enterprisewide software inventory is conducted and maintained.,0,0
13,2023-audit-boards-information-security-program,1,No,"Prioritize the definition and incorporation of a cybersecurity risk tolerance into the agency's cybersecurity policies, procedures, and processes, as appropriate.",0,0
14,2023-audit-boards-information-security-program,3,No,"Document and implement a process to consistently inventory the Board's web applications, including its public-facing websites.",0,0
15,2023-audit-boards-information-security-program,4,No,"Document and implement a process to consistently inventory and prioritize the Board's third-party systems, including the identification of subcontractors.",0,0
16,2023-audit-boards-information-security-program,5,No,Enforce the agency's iOS Update and Device Inactivity Policy to ensure that agency services are denied to mobile devices that are out of compliance.,0,0
17,2023-audit-cfpbs-information-security-program,1,No,"Maintain a comprehensive schedule for testing current contingency plans, documenting test procedures, and maintaining relevant updates to the contingency plan.",0,0
18,2024-audit-boards-information-security-program,1,Yes,"Develop a supply chain risk management strategy that includes (a) a supply chain risk appetite and tolerance, (b) an enterprise supply chain risk management governance structure, and (c) supply chain risk assessment processes that include migration strategies or controls.",0,0
19,2024-audit-boards-information-security-program,2,No,Document and implement a baseline review and escalation process for data loss prevention alerts.,0,0
20,2024-audit-boards-information-security-program,3,No,Reinforce the requirements for identifying and documenting system interconnections as part of the Board’s training on its cyber risk management application and require all relevant individuals to take the training.,0,0
21,2024-audit-boards-information-security-program,4,No,Evaluate and implement options to enforce the agency’s existing guidance related to identifying and documenting system interconnections.,0,0
22,2024-audit-boards-information-security-program,5,No,Develop and implement a mobile application scanning program that includes a vulnerability scanning solution and process to identify and remediate vulnerabilities.,0,0
23,2024-audit-boards-information-security-program,6,No,"Ensure that the Board’s Incident Notification and Breach Response Plan is reviewed, tested and approved annually.",0,0
24,2024-audit-boards-information-security-program,8,No,Incorporate targeted phishing exercises into the Board’s security awareness and training program and processes.,0,0
25,2024-audit-cfpbs-information-security-program,1,No,Complete finalization of an agencywide data classification policy that accounts for the sensitivity of the data maintained by the CFPB.,0,0
26,2024-audit-cfpbs-information-security-program,2,No,Ensure that data classification and sensitivity labels are incorporated into the CFPB’s data loss prevention program.,0,0
27,2024-audit-cfpbs-information-security-program,3,Yes,"Strengthen flaw remediation processes by developing and implementing a process to clearly map identified vulnerabilities to system IP addresses, host names, and remediation owners within the CFPB’s configuration management database.",0,0
28,2024-audit-cfpbs-information-security-program,6,No,Ensure that testing of mission-essential functions identified in the CFPB’s continuity of operations plan is periodically performed.,0,0
29,2024-audit-cfpbs-information-security-program,8,No,"Implement a process that ensures the cyber risk information in the CFPB’s governance, risk, and compliance tool is accurate and maintained.",0,0
30,2025-audit-boards-information-security-program,1,No,"Develop and maintain cybersecurity profile(s) that define key elements of the Board’s current and target cybersecurity program in alignment with the Board’s organizational risk tolerance, mission objectives, and threat environment.",0,0
31,2025-audit-boards-information-security-program,2,No,"Evaluate the dual-use model for the Board’s mobile devices, in accordance with the Board’s security objectives and risk tolerance, and review and update the Information Technology Resources Use policy as appropriate.",0,0
32,2025-audit-boards-information-security-program,3,No,Strengthen mobile device security controls to enforce content and data protection policies.,0,0
33,2025-audit-cfpbs-information-security-program,1,No,"Determine what enterprise risk management roles, responsibilities, and strategy components should be defined and leveraged for the development and maintenance of cybersecurity profiles.",0,0
34,2025-audit-cfpbs-information-security-program,2,No,"Develop and maintain cybersecurity risk registers to aggregate, normalize, and prioritize cybersecurity risks.",0,0
35,2025-audit-cfpbs-information-security-program,3,Yes,Develop policies and procedures to create and maintain cybersecurity profiles.,0,0
36,2025-audit-cfpbs-information-security-program,4,No,"Perform a review of previously granted risk acceptance memorandums to determine whether they were based on a complete review of the system or common controls (as required by National Institute of Standards and Technology Special Publication 800-37, Revision 2) and perform additional risk analysis and/or compensating controls as needed for affected systems.",0,0
37,2025-audit-cfpbs-information-security-program,5,No,"Ensure that risk acceptance memorandums reflect an assessment of qualitative and quantitative cybersecurity risks, as applicable.",0,0
38,2025-audit-cfpbs-information-security-program,6,No,Evaluate options to perform ongoing information continuous monitoring activities commensurate with the current threat environment.,0,0
39,2025-evaluation-farm-credit-administrations-compliance-federal-information-security,2,No,Not publicly released. Reach out to FCA OIG for more information.,0,0
40,2025-evaluation-farm-credit-administrations-compliance-federal-information-security,3,No,Not publicly released. Reach out to FCA OIG for more information.,0,0
41,3-year-exposure-privacy-act-protected-data-revealed-uspto-mismanagement-safeguarding,8,Yes,8. We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office update USPTO policy to meet the federal minimum standard of 2 years and 6 months of log retention.,0,0
42,3-year-exposure-privacy-act-protected-data-revealed-uspto-mismanagement-safeguarding,10,Yes,10. We recommend that the Deputy Assistant Secretary for Administration direct the Office of Privacy and Open Government Director to implement compensating controls and redundant procedures for receiving incidents reported to the Department Chief Privacy Officer.,0,0
43,7a-loan-approval-borrowers-unresolved-covid-19-pandemic-loan-compliance-issues,1,Yes,"Review and appropriately resolve hold codes related to the 5,044 7(a) loans to determine impact on 7(a) eligibility and seek remedy or repayment of all 7(a) loans deemed ineligible.",0,0
44,access-executive-branch-personnel-records,2,No,"Develop and implement effective processes immediately to ensure that counterintelligence evaluations are conducted in accordance with 10 CFR 709 and the exemptions reflected in SEAD 4, Executive Order 13467, and Executive Order 12968.",0,0
45,accuracy-veteran-readiness-and-employment-claims-cannot-be-assessed-because,01,No,"Veteran Readiness and Employment should coordinate with VA's Office of General Counsel to assess the eligibility decision process and ensure all legal and regulatory requirements are accounted for and confirmed by the appropriate staff. If necessary, Veteran Readiness and Employment should update the process to conform with the general counsel's interpretation of legal requirements.",0,0
46,accuracy-veteran-readiness-and-employment-claims-cannot-be-assessed-because,02,No,"Veteran Readiness and Employment should develop a standard documentation method for verifying eligibility periods, deferrals, extensions, and final eligibility decisions and train appropriate staff, including vocational rehabilitation counselors, on how to properly document eligibility decisions.",0,0
47,accuracy-veteran-readiness-and-employment-claims-cannot-be-assessed-because,03,No,Veteran Readiness and Employment should develop a quality assurance review process to monitor the accuracy of eligibility decisions.,0,0
48,accuracy-veteran-readiness-and-employment-claims-cannot-be-assessed-because,04,No,"Veteran Readiness and Employment should coordinate with VA's Office of General Counsel to assess the entitlement requirements and whether those used to confirm and document entitlement decisions are compliant with laws and regulatory requirements. If changes are needed, Veteran Readiness and Employment should update the manual and train appropriate staff accordingly.",0,0
49,accuracy-veteran-readiness-and-employment-claims-cannot-be-assessed-because,05,No,"Veteran Readiness and Employment should develop additional controls to ensure official entitlement decisions in the narrative report are documented in a manner that is clear and would allow for effective oversight from both internal and external entities, such as containing clear documentation of the assessment of employability factors and additional evidence used to substantiate the claim.",0,0
50,accuracy-veteran-readiness-and-employment-claims-cannot-be-assessed-because,3,No,Veteran Readiness and Employment should develop a quality assurance review process to monitor the accuracy of eligibility decisions.,0,0
51,acf-cannot-ensure-all-child-victims-abuse-and-neglect-have-court-representation,6722,No,"ACF should conduct oversight activities to identify States that may not appoint a GAL to every child victim who undergoes a judicial proceeding, seeking statutory authority as necessary.",0,0
52,acf-cannot-ensure-all-child-victims-abuse-and-neglect-have-court-representation,6723,No,ACF should proactively provide technical assistance to States that face challenges in appointing a GAL for every child victim.,0,0
53,acf-cannot-ensure-all-child-victims-abuse-and-neglect-have-court-representation,6724,No,ACF should proactively identify and address obstacles that States face in reporting complete and accurate GAL data.,0,0
54,acf-should-improve-oversight-head-start-better-protect-childrens-safety,22-E-BL-037.01,No,"ACF should improve Head Start grant recipients' self-reporting of incidents of child abuse, lack of supervision, and unauthorized release through better guidance and stronger consequences for failure to report.",0,0
55,acf-should-improve-oversight-head-start-better-protect-childrens-safety,22-E-BL-037.03,No,"ACF should improve data-sharing with States about incidents of child abuse, lack of supervision, and unauthorized release in Head Start centers.",0,0
56,acf-should-improve-oversight-head-start-better-protect-childrens-safety,22-E-BL-037.04,No,ACF should disseminate information about innovative practices that OHS regional offices have developed to better identify and prevent incidents that threaten children's safety.,0,0
57,acf-used-contractor-personnel-perform-inherently-governmental-functions-and-paid,25-A-12-051.01,No,We recommend that the Administration for Children and Families update its policies and procedures for awarding contracts for other than full and open competition in emergency situations to incorporate FAR requirements for time-and-materials contracts.,0,0
58,acf-used-contractor-personnel-perform-inherently-governmental-functions-and-paid,25-A-12-051.02,No,"We recommend that the Administration for Children and Families provide training to program officials and contracting staff as appropriate that covers requirements for: o administering nonpersonal services contracts for professional support services, o specifying that contracts must not be used for the performance of inherently governmental functions, o providing written consent for the use of subcontractors, o reviewing and approving invoices, and o maintaining documentation to support costs for services performed",0,0
59,acf-used-contractor-personnel-perform-inherently-governmental-functions-and-paid,25-A-12-051.03,No,"We recommend that the Administration for Children and Families update its policies and procedures for receipt and oversight of deliverables and to incorporate Federal requirements related to the: (1) review, approval, and monitoring of invoices and (2) use of CLINs to properly account for and pay contractor expenditures.",0,0
60,acf-used-contractor-personnel-perform-inherently-governmental-functions-and-paid,25-A-12-051.04,No,"We recommend that the Administration for Children and Families review potentially unallowable costs and obtain supporting documentation or take appropriate action to recoup from Deloitte any improperly paid amounts for the following: o $2,022,468 for invoices that did not identify CLINs to track expenses, o $1,362,621 in overtime charges, o $1,226,649 of labor charges for invoices that did not include specific dates when each employee performed work, o $244,174 in nonlabor costs that were not supported by receipts, and o $112,945 of unsupported subcontractor charges",4968857,0
61,acf-used-contractor-personnel-perform-inherently-governmental-functions-and-paid,25-A-12-051.05,No,We recommend that the Administration for Children and Families review and correct potential Antideficiency Act violations by deobligating and obligating funds to appropriate CLINs used and report an Antideficiency Act violation if the violation cannot be corrected.,0,0
62,acf-used-contractor-personnel-perform-inherently-governmental-functions-and-paid,25-A-12-051.06,No,"We recommend that the Administration for Children and Families develop and implement policies and procedures: o requiring contracts to include FAR clauses related to overtime requirements in contracts o for tracking and verifying that all contractor staff (including subcontractors) assigned to work on a contract complete required trainings before performing any work under the contract (or within the allowed time).",0,0
63,acquisition-and-procurement-company-has-opportunities-more-effectively-ensure-it,1,No,Develop and implement a process to assess ongoing solicitations for compliance with the company’s procurement manual.,0,0
64,acquisition-and-procurement-company-has-opportunities-more-effectively-ensure-it,2,No,"Develop and implement additional guidance to help COs determine when to require end users to provide more detailed cost estimates, in line with leading practices, and consider adjusting its policies accordingly.",0,0
65,acquisition-and-procurement-company-has-opportunities-more-effectively-ensure-it,3,No,"Implement a companywide process to consistently collect and analyze key pre-award data elements, such as those we raised for the company’s consideration in our April 2024 report, as necessary to identify indicators of fraud.",0,0
66,acquisition-and-procurement-company-has-opportunities-more-effectively-ensure-it,4,No,"Develop and implement mandatory, recurring fraud training for employees involved in the pre-award phase. At a minimum, this training should include how to detect indicators of the fraud schemes that most commonly occur during this phase.",0,0
67,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-142,No,We recommend that the Office of Administration/Division of Acquisition Management update Administrative Circular OA-14 and implement the necessary updates to align procurement procedures with current federal acquisition regulation and agency practices.,0,0
68,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-143,No,We recommend that the Office of Administration/Division of Acquisition Management update standard policies and procedures to clearly convey the documentation required to be maintained in the contract file in order to support the solicitation phase.,0,0
69,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-144,No,"We recommend that the Office of Administration/Division of Acquisition Management develop and implement standard checklist guidance to be included in the contract file that lists the required solicitation documentation, identifies if the documentation was applicable to the solicitation, and indicates the section in which the supporting documents are located.",0,0
70,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-145,No,We recommend that the Office of Administration/Division of Acquisition Management update standard policies and procedures to clearly convey the documentation required to be maintained in the contract file in order to support the award and administration phase.,0,0
71,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-146,No,"We recommend that the Office of Administration/Division of Acquisition Management develop and implement standard checklist guidance to be included in the contract file that lists the required award and administration documentation, identifies if the documentation was applicable to the award, and indicates the section in which the supporting documents are located.",0,0
72,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-149,No,We recommend that the Office of Administration/Division of Acquisition Management establish a checklist or other control process to ensure that the required conflict of interest statement is presented to vendors.,0,0
73,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-1411,No,We recommend that the Office of Administration/Division of Acquisition Management establish standard procedures for identifying and tracking contracts that have been physically completed.,0,0
74,acquisition-management-function-railroad-retirement-board-was-not-fully-adequate-or,19-1413,No,We recommend that the Office of Administration/Division of Acquisition Management review the established control process used to transmit information to the Federal Procurement Data System and update the process in order to report information more accurately.,0,0
75,actions-are-being-taken-reduce-risks-employees-whose-names-are-required-be-included,1,No,"On November 29, 2022, the Treasury Inspector General for Tax Administration recommended that the Director and Deputy Director, Submission Processing, Wage and Investment Division, protect the identity of IRS employees signing manually generated tax processing correspondence by removing their first name and replacing it with the employee’s title, Mr., Ms., or a gender-neutral title, in accordance with Chief Counsel Notice N(30)000-317.",0,0
76,actions-are-being-taken-reduce-risks-employees-whose-names-are-required-be-included,2,No,"The Commissioner, Wage and Investment Division, should ensure that all tax processing correspondence is revised to remove the signing IRS employee’s first name and replace it with the employee’s title.",0,0
77,actions-are-needed-address-inaccurate-incomplete-and-inconsistent-taxpayer-assistance,4,No,"The Commissioner, Wage and Investment Division, should assess and implement, if possible, the capability to provide taxpayers with the option to transfer to the appointment line versus having to hang up and call a different number.",0,0
78,actions-are-needed-reduce-risk-fraudulent-use-employer-identification-numbers-and,3,No,"The Commissioner, Wage and Investment Division, should correct programming to reject EIN applications when an EIN has previously been assigned to the same sole proprietor and to reject applications when IRS data indicate that the sole proprietor is deceased.",0,0
79,actions-are-needed-reduce-risk-fraudulent-use-employer-identification-numbers-and,9,No,"The Commissioner, Wage and Investment Division, should develop programming to reject estate applications if the decedent TIN is not that of a deceased individual.",0,0
80,actions-have-been-taken-implement-taxpayer-first-act-provisions-related-irs,1,No,"The Chief, Appeals, should establish a process with the appropriate Business Operating Divisions (BOD) to identify, track, and update forms, letters, publications, notices, websites, and social media that still require the new IRS Independent Office of Appeals name.",0,0
81,actions-need-be-taken-address-taxpayer-assistance-center-safety-and-security-weaknesses,3,No,"The Chief, Facilities Management and Security Services, should revise procedures to include specific criteria on ************************ at TACs.",0,0
82,actions-need-be-taken-improve-data-loss-prevention-solution-and-reduce-risk-data,2,No,"The Chief Information Officer, in conjunction with the Chief Operating Officer, should revise the DLP rules to be more restrictive to help prevent intentional data exfiltration.",0,0
83,actions-need-be-taken-improve-services-provided-taxpayer-assistance-centers,1,No,"The Chief, Taxpayer Services, should ensure that taxpayers without scheduled appointments are provided an opportunity to wait for an available TAC assistor on a first-come, first-served basis.",0,0
84,actions-need-be-taken-improve-services-provided-taxpayer-assistance-centers,4,No,"The Chief, Taxpayer Services, should ensure that TAC managers enforce procedures for providing CSS cards at TACs.",0,0
85,actions-need-be-taken-improve-services-provided-taxpayer-assistance-centers,5,No,"The Chief, Taxpayer Services, should ensure that TAC managers enforce procedures for wearing name tags at TACs.",0,0
86,actions-need-be-taken-improve-services-provided-taxpayer-assistance-centers,6,No,"The Chief, Taxpayer Services, should ensure that TAC managers enforce procedures for treating non-English speaking customers properly at TACs.",0,0
87,actions-were-not-taken-timely-strengthen-practitioner-priority-service-telephone-line,2,No,"The Deputy Commissioner should establish a Service-wide process where representatives from key functional areas including CFAM, RAAS and Accounts Management officials are responsible for expeditiously reviewing and addressing emerging/ongoing fraud schemes where advanced analytics and matching to IRS sourced information proactively identifies a scam.",47698849,0
88,active-directory-oversight-needs-improvement-and-criminal-investigation-computer,3,No,"The Chief, CI, with assistance from the Chief Information Officer, should complete a cost analysis to 1) determine the efficacy of relocating CI assets in each of the field offices to existing IRS computer rooms versus upgrading the CI computer rooms to ensure that assets are protected in accordance with Federal and IRM security requirements and 2) implement the most cost-effective solution.",0,0
89,additional-actions-are-needed-further-reduce-undeliverable-mail,1,No,The Deputy Commissioner for Services and Enforcement should develop Service-wide processes and procedures to ensure that all operating divisions suppress the issuance of nonstatutory notices to taxpayers that have a UD mail indicator on their account; suppress the issuance of correspondence when a taxpayer's address of record is an IRS campus; and research and update taxpayer addresses for which the USPS returns undeliverable mail with a yellow label that provides a more current address.,0,0
90,additional-actions-are-needed-further-reduce-undeliverable-mail,2,No,"The Commissioner, Wage and Investment Division, should install and use hygiene software to perfect taxpayer addresses on the Individual Taxpayer Identification Number (ITIN) RTS system.",0,0
91,additional-actions-are-needed-improve-and-secure-income-verification-express-service,8,No,Complete a usage study and document a decision regarding if the IRS will mandate that participants use the TFA IVES system.,0,0
92,additional-actions-are-needed-make-worker-misclassification-initiative-department-labor,1,No,"The Commissioner, Small Business/Self-Employed Division, should evaluate whether provisions of the MOU require amendment, revision, or termination and ensure that the duties and responsibilities of the IRS, as outlined in the MOU, are executed as required.",0,0
93,additional-actions-are-needed-reduce-accounts-management-function-inventories-below,10,No,"Coordinate with the Information Technology organization to explore adding Taxpayer Relations inventories into the CII, so that all Accounts Management inventory is located in the same inventory management system.",0,0
94,additional-controls-are-needed-improve-reliability-grant-and-diem-program-data,01,No,Establish policies and procedures for Grant and Per Diem liaisons to obtain reliable discharge information from grantees when veterans exit from the Grant and Per Diem Program.,0,0
95,additional-controls-are-needed-improve-reliability-grant-and-diem-program-data,02,No,"Implement controls, including enhanced medical facility and grantee guidance and training, to ensure grantee files and VA medical record documentation of veteran housing outcomes are consistent with Homeless Operations, Management, and Evaluation System data definitions and support the data in the Homeless Operations, Management, and Evaluation System.",0,0
96,additional-controls-are-needed-improve-reliability-grant-and-diem-program-data,03,No,"Implement controls, such as quality reviews, to ensure Homeless Operations, Management, and Evaluation System outcome data are supported by and consistent with veteran medical records and grantee files.",0,0
97,additional-details-supplement-2015-and-2014-restated-financial-statement-audit,2016-FO-0003-006-E,No,Contact all other HUD program offices to determine whether any other programs authorize or are aware of grantees holding funds in advance of their immediate disbursement needs and determine financial statement impact on and compliance with Treasury cash management requirements of any found.,0,0
98,additional-oversight-remote-patient-monitoring-medicare-needed,24-E-02-045.01,No,CMS should implement additional safeguards to ensure that remote patient monitoring is used and billed appropriately in Medicare.,0,0
99,additional-oversight-remote-patient-monitoring-medicare-needed,24-E-02-045.02,No,CMS should require that remote patient monitoring be ordered and that information about the ordering provider be included on claims and encounter data for remote patient monitoring.,0,0
100,additional-oversight-remote-patient-monitoring-medicare-needed,24-E-02-045.03,No,CMS should develop methods to identify what health data are being monitored.,0,0