All Reports

The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our objective was to determine the effectiveness of the Tennessee Valley Authority’s (TVA) ISP and practices as defined by the FY [Fiscal Year] 2023 – 2024 IG FISMA Reporting Metrics.

For most Tennessee Valley Authority (TVA) employees, annual compensation consists of two components: base pay (salary) and pay at risk (Winning Performance [WP]). WP is a performance management program designed to promote teamwork, encourage high performance behaviors, and motivate and reward TVA employees for achieving goals aligned with TVA’s mission and values. We included an audit of TVA’s Load Not Served (LNS) WP measure in our annual audit plan because LNS was the second highest weighted measure in the fiscal year (FY) 2022 WP scorecard.

The Office of the Inspector General audited costs billed to the Tennessee Valley Authority (TVA) by Accenture Federal Services LLC (AFS) under Contract No. 14910. AFS provides enterprise architecture and information technology infrastructure services to TVA under the contract. The contract provided that work could be performed using time and material or fixed price payment terms as agreed by the parties in purchase orders (PO).

As part of our annual audit plan, we performed an audit of costs billed to the Tennessee Valley Authority (TVA) by Robert E. Lamb, Inc., (Lamb) to provide architectural engineering services to assist with site selection, final programming, and schematic design for a new control center under Contract No. 13659 (formerly Contract No. 11638). Our audit objective was to determine if costs were billed in accordance with the terms of the contract.

The Office of the Inspector General conducted a review of the Magnolia Combined Cycle Plant (MCC) to identify factors that could impact MCC’s organizational effectiveness. During interviews, MCC personnel revealed positive interactions with team members and most management. However, we identified issues that could negatively impact MCC’s effectiveness, if not addressed. These issues include (1) improvements needed with work packages and (2) staffing concerns.

The Tennessee Valley Authority (TVA) defines critical spares as components or parts needed to (1) prevent loss of generation or transmission, (2) prevent unsafe operating conditions, and/or (3) return critical components to service. TVA identified 45,934 critical components for its 18 natural gas plants.

We determined the Tennessee Valley Authority’s (TVA) coal plants have taken steps to reduce combustible coal dust since dedicated Combustible Dust Program funding was provided by TVA in 2018. Specifically, coal plants have dedicated combustible dust housekeeping crews to help mitigate combustible dust accumulations, and projects were completed to improve conditions at the plants.

As part of our annual audit planning, we completed a threat assessment to identify high risk cybersecurity threats that could potentially impact Tennessee Valley Authority (TVA). We determined the potential impact for system intrusion through misconfigurations or unpatched systems to be high. Therefore, we included an audit of TVA Transmission Operations and Power Supply (TOPS) organization’s management of Mac® desktops and laptops as part of our 2022 audit plan. In summary, we determined MacBooks® managed by TOPS followed TVA’s configuration management policy.

The Office of the Inspector General audited the Tennessee Valley Authority’s (TVA) use of remote application and desktop virtualization client due to the risks of (1) potential system intrusion through misconfigurations and (2) continued elevated remote users during the COVID-19 pandemic. We found the configuration management control for TVA’s remote application desktop virtualization client was ineffective. However, we determined compensating access controls were in place to mitigate the risk to an overall acceptable level.

The Office of the Inspector General conducted a review of TVA Police and Emergency Management’s (TVAP&EM) organization to identify factors that could impact TVAP&EM’s organizational effectiveness. During interviews, TVAP&EM personnel revealed positive interactions within and outside TVAP&EM. However, we identified issues that have, or could, affect accomplishment of the TVAP&EM mission, if not addressed.