The Office of Inspector General (OIG) is the independent “watchdog” for DFC. We protect America’s investment in international development initiatives through independent oversight of DFC programs and operations.

Audit Announcements, Reports, Open Recommendations, and Correspondence

The OIG conducts and supervises audits of DFC’s programs and operations around the world. These include audits mandated by law (e.g., Data Act, Payment Integrity Information Act (PIIA), Federal Information Security Modernization Act (FISMA), charge card, and annual financial statements), as well as performance audits determined by the IG. At the end of each audit, the OIG issues a report to the appropriate DFC management official detailing the findings and recommendations to address their causes. These recommendations are intended to improve the efficiency and effectiveness of DFC programs and operations. DFC management has an opportunity to comment on OIG findings and recommendations. Recommendations are considered closed when DFC has implemented corrective action. Open recommendations may be resolved or unresolved:

  • An open recommendation is resolved when the OIG agrees with the agency's plan of action.
  • An open recommendation is unresolved when the agency has yet to share a plan of action, or the OIG disagrees with the plan.


Audit Announcements

Audit Reports

Open Recommendations
| Report Title | Report Number | Date of Report | Recommendation Number | Recommendation |
|---|---|---|---|---|
| OPIC Implemented Controls in Support of FISMA for Fiscal Year 2017 but Improvements Are Needed | A-OPC-17-007-C | 9/28/2017 | 1 | OPIC's chief information officer remediate network vulnerabilities identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities. |
| OPIC Has Generally Implemented Controls in Support of FISMA for Fiscal Year 2018 | A-OPC-19-006-C | 1/30/2019 | 2 | OPIC chief information officer remediate patch and configuration vulnerabilities in the network identified by the OIG, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities. |
| | | | 3 | OPIC chief information officer document and implement a process to verify that patches are applied in a timely manner. |
| DFC Generally Implemented an Effective Information Security Program for Fiscal Year 2020 in Support of FISMA | A-DFC-21-005-C | 1/28/2021 | 3 | Implement multifactor authentication for network access for privileged accounts. |
| DFC Generally Complied with the Digital Accountability and Transparency Act in Fiscal Year 2021 | DFC-22-001-C | 3/8/2022 | 1 | Require business process owners to populate LegalEntityZIPLast4 information in source systems at the time of the transaction. |
| | | | 2 | Design and implement policies and procedures that require the agency to report financial assistance awards to FABS within 30 days after an award is issued. |
| | | | 3 | Continue to work with Treasury and OMB to clarify the procedure to report subsidy modifications. |
| DFC Generally Implemented an Effective Government Charge Card Program for Fiscal Years 2020 and 2021 | DFC-22-002-C | 3/8/2022 | 2 | Amend applicable policies and procedures to include steps to ensure the recovery of employee debts including those incurred as a result of any illegal, improper, or erroneous purchases or payments. These steps should also specify the roles and responsibilities of personnel involved in this process. |
| DFC Made Significant Progress Implementing Provisions of the Better Utilization of Investments Leading to Development Act | DFC-22-005-C | 9/22/2022 | 4 | Finalize the approval and communication of financial performance standards. |
| Fiscal Year 2022 DFC Federal Information Security Modernization Act of 2014 Audit | DFC-23-001-C | 11/9/2022 | 1 | Update Authorization to Operate and system-level Security Assessment Reports annually. |
| | | | 2 | Implement a plan to replace or upgrade the unsupported software within DFC's network. |
| | | | 3 | Document and implement lessons learned to enhance the continuous monitoring process to instruct employees to record, analyze, and revise control activities on a cyclical basis to continuously improve DFC security posture as defined in the Security Continuous Monitoring Plan. |
| | | | 5 | Develop a methodology and implement a tool to track the timely review of periodic updates for BIAs and contingency tests. |