All Reports

Patching is the process for updating products and systems. Patches correct security and functionality problems in software and firmware. We performed an audit of the Tennessee Valley Authority’s (TVA) patching of Windows® desktops and laptops to determine if high-risk vulnerabilities on desktops and laptops were patched in accordance with TVA policy and best practices.

We performed an audit of the Tennessee Valley Authority’s (TVA) management of privileged accounts. Our objective was to determine if TVA's management of privileged accounts is following TVA policy and best practices. A privileged user has an account that is authorized for the performance of security-related functions that ordinary users cannot perform.

The Office of the Inspector General conducted a review of the Transmission Field Operations, North Maintenance organization to identify factors that could impact its organizational effectiveness. During the course of our evaluation, we identified behaviors that had a positive impact on Transmission Field Operations – North Maintenance; however, we also identified needed improvements related to coworker interactions with a few employees. We also identified minimal risks to operations related to resource concerns, including inadequate staffing and equipment and/or tool needs.

We found several areas of the privacy program to be generally effective, including (1) completion of privacy impact assessments, (2) privacy related training taken by network users, (3) privacy considerations during the authority to operate process, (4) system categorization, (5) privacy incident response, (6) privacy-related contract terms and conditions, and (7) desktop and laptop sanitization. However, we identified seven issues that should be addressed by TVA management to further increase the effectiveness of the privacy program.

As part of our annual audit plan, we audited costs billed to the Tennessee Valley Authority (TVA) by Black & Veatch Corporation (B&V) for engineering services under Contract No. 10820. Our audit objective was to determine if costs were billed in accordance with the terms and conditions of the contract. Our audit scope included about $42.46 million in costs billed to TVA from November 2, 2015, through February 13, 2020.

As part of our annual audit plan, we audited costs billed to the Tennessee Valley Authority (TVA) by Mesa Associates, Inc. (Mesa) under Contract No. 13191 for engineering, design, and construction support services in support of TVA's dam safety, generation, and transmission work. The contract provided for TVA to compensate Mesa for these services on either a cost-reimbursable or fixed price basis.

As part of our annual audit plan, we audited the Tennessee Valley Authority's (TVA) utility-scale Solar Purchased Power Agreements (PPA). Our audit objectives were to determine if TVA has (1) approached Solar PPAs to better understand the industry and market trends being developed prior to entering into multiple agreements and (2) developed Solar PPAs to recognize positive financial value earlier in the term of the PPAs. The scope of our review was utility-scale solar PPAs in place as of December 31, 2020.

The Office of the Inspector General determined the Tennessee Valley Authority’s (TVA) industrial hygiene (IH) planning and assessment process had weaknesses that resulted in some hazards not being identified and evaluated. Specifically, we identified the following IH process weaknesses: (1) TVA relied on limited information to identify health hazards; (2) there was no formal evaluation of the risks posed by identified hazards; (3) IH plans did not prioritize hazards; and, (4) an incomplete monitoring process allowed for misalignment between plans and exposure assessments.

The Office of the Inspector General included an audit of contractor use of TVA’s purchasing cards in its fiscal year 2021 Audit Plan, based on the significant amount of charges made using TVA purchasing cards assigned to contractors. The objective of the audit was to determine if adequate controls were in place to ensure purchases made by TVA contractors using a TVA purchasing card were (1) for TVA business purposes and not the use of another entity and (2) not being billed back to TVA.

The Office of the Inspector General determined the Tennessee Valley Authority’s (TVA) industrial hygiene (IH) planning and assessment process had weaknesses that resulted in some hazards not being identified and evaluated. Specifically, we identified the following IH process weaknesses: (1) TVA relied on limited information to identify health hazards; (2) there was no formal evaluation of the risks posed by identified hazards; (3) IH plans did not prioritize hazards; and (4) incomplete monitoring efforts allowed misalignment between procedures, plans, and exposure assessments.