DHS FY 2025 Financial Statements and Internal Control Audit

OIG-26-03

FINAL REPORTIndependent Auditors’ Report on the Department of

Homeland Security’s FY 2025 Consolidated Financial Statements and Internal Control over Financial Reporting

Washington, DC 20528 | www.oig.dhs.gov

MEMORANDUM FOR: The Honorable Kristi Noem Secretary FROM: Glenn Sklar Principal Deputy Inspector General Independent Auditors’ Report on the Department of Homeland SUBJECT: Security’s FY 2025 Consolidated Financial Statements and Internal Control over Financial Reporting The attached report presents the results of an integrated audit of the Department of Homeland Security’s consolidated financial statements for fiscal year 2025 and internal control over Chief Financial Officers financial reporting as of September 30, 2025. This audit is required by the Act of 1990 Department of Homeland Security Financial Accountability Act , as amended by the (October 16, 2004). We contracted with the independent public accounting firm KPMG LLP (KPMG) to conduct the audit. The contract required that the audit be performed in accordance with U.S. generally accepted government auditing standards, Office of Management and Budget audit guidance, and Financial Audit Manualthe GAO/CIGIE . The Department achieved an unmodified (clean) opinion on all financial statements. However, KPMG issued an adverse opinion on DHS’s internal control over financial reporting because of material weaknesses in internal control in five areas. KPMG also identified a significant deficiency in one area and instances of noncompliance with two laws. Below is the list of material weaknesses, significant deficiency, and laws with which DHS did not comply. Material Weaknesses in Internal Control

1. Information Technology Controls and Information Systems
2. Financial Reporting
3. Taxes Receivable, Net
4. Construction in Progress
5. Internal Control Monitoring OIG Project No. AUD-25-019-AUD-DHS

Significant Deficiency in Internal Control

1. Grants Recipient Monitoring Noncompliance with Laws and Regulations Federal Managers’ Financial Integrity Act of 1982 1. Federal Financial Management Improvement Act of 19962. KPMG is responsible for the attached Independent Auditors’ Report dated January 22, 2026, and the conclusions expressed in the report. We do not express opinions on DHS’s financial statements or internal control over financial reporting or conclusions on compliance and other matters. Inspector General Act of 1978 amendedConsistent with our responsibility under the , as , we will provide copies of our report to congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination. Please call me with any questions, or your staff may contact Craig Adelman, Deputy Inspector General for Audits, at (202) 981-6000. Attachment

Office of Inspector General U.S. Department of Homeland Security | Washington, DC 20528 | www.oig.dhs.gov

DHS OIG HIGHLIGHTS

Independent Auditors’ Report on the Department of Homeland Security’s FY 2025 Consolidated Financial Statements and Internal Control over Financial Reporting What We Found

Why We Did The independent public accounting firm KPMG LLP (KPMG) under contract with the DHS, Office of Inspector General, has This Audit issued an unmodified (clean) opinion on DHS’s fiscal year 2025 consolidated financial statements. KPMG noted that the financial statements present fairly, in all material respects, Chief Financial Officers Act of DHS’s financial position as of September 30, 2025. The 1990 (Public Law 101-576) and the KPMG issued an adverse opinion on DHS’s internal control over Financial Accountability Act financial reporting as of September 30, 2025. The report (Public identifies material weaknesses in internal control in five areas: Law 108-330) require us to conduct an annual audit of the Department

1. Information Technology Controls and Information Systems of Homeland Security’s consolidated
2. Financial Reporting financial statements and internal
3. Taxes Receivable, Net control over financial reporting.
4. Construction in Progress What We 5. Internal Control Monitoring Recommend KPMG also identified a significant deficiency related to Grant Recipient Monitoring as well as noncompliance with the following two laws: KPMG LLP made 20 recommendations that, when 1. Federal Managers’ Financial Integrity Act of 1982 implemented, may improve the 2. Federal Financial Management Improvement Act of 1996. Department’s internal control. Management’s Response DHS concurred with all the recommendations, noting that it continues to prioritize maturing its information technology controls and implement an aggressive plan to modernize its For Further Information: financial systems. DHS also indicated that it is committed to Contact our Office of Public Affairs at (202) 981-6000, or email us at: implementing the necessary corrective actions and will continue DHS-OIG.OfficePublicAffairs@oig.dhs.govto work diligently to address all issues identified in the report.

. www.oig.dhs.gov OIG-26-03

Table of Contents

Independent Auditors’ Report……………………………………………………………………………1 Exhibit I – Material Weaknesses..…………………………….…………………………………………I.1 Exhibit II – Significant Deficiency...…………………………………………………………………….II.1 Exhibit III – Compliance and Other Matters…………………………………………………………..III.1

Appendixes

Appendix A: Management Comments to the Draft Report……………………………………6 Appendix B: Report Distribution…..…………………………………………………………….7

KPMG LLP Suite 12000 1801 K Street, NW Washington, DC 20006

Secretary and Inspector General U.S. Department of Homeland Security: Report on the Consolidated Financial Statements and Internal Control Opinions on the Consolidated Financial Statements and Internal Control Over Financial Reporting We have audited the consolidated financial statements of the U.S. Department of Homeland Security (DHS), which comprise the consolidated balance sheet as of September 30, 2025, and the related consolidated statements of net cost, changes in net position, and custodial activity, and combined statement of budgetary resources for the year then ended, and the related notes to the consolidated financial statements. In our opinion, the accompanying consolidated financial statements present fairly, in all material respects, the financial position of DHS as of September 30, 2025, and its net cost, changes in net position, budgetary resources and custodial activity for the year then ended in accordance with U.S. generally accepted accounting principles. We also have audited DHS’s internal control over financial reporting as of September 30, 2025, based on criteria established in the Standards for Internal Control in the Federal Government (2014), issued by the Comptroller General of the United States. In our opinion, because of the effect of the material weaknesses described in the Basis for Adverse Opinion on Internal Control Over Financial Reporting section on the achievement of the objectives of the control criteria, DHS has not maintained effective internal control over financial reporting as of September 30, 2025, based on criteria established in the Standards for Internal Control in the Federal Government (2014), issued by the Comptroller General of the United States. We considered the material weaknesses described in the Basis for Adverse Opinion on Internal Control Over Financial Reporting section in determining the nature, timing, and extent of audit procedures applied in our audit of the fiscal year 2025 consolidated financial statements, and the material weaknesses do not affect such report on the consolidated financial statements. Basis for Opinions We conducted our audits in accordance with auditing standards generally accepted in the United States of America (GAAS), the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 24-02, Audit Requirements for Federal Financial Statements. Our responsibilities under those standards and OMB Bulletin No. 24-02 are further described in the Auditors’ Responsibilities for the Audits of the Consolidated Financial Statements and Internal Control Over Financial Reporting section of our report. We are required to be independent of DHS and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements relating to our audits. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions. Basis for Adverse Opinion on Internal Control Over Financial Reporting A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s consolidated financial statements will not be prevented, or detected and corrected, on a timely basis. The following areas of material weaknesses have been identified and included in the accompanying Management’s Report on Internal Controls

KPMG LLP, a Delaware limited liability partnership, and its subsidiaries are part of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee.

Over Financial Reporting and are further described in the accompanying Exhibits as items I-A, I-B, I-C, I-D, and I-E:

1. Information Technology Controls and Information Systems
2. Financial Reporting
3. Taxes Receivable, Net
4. Construction in Progress
5. Internal Control Monitoring Material weaknesses in the control environment, risk assessment process, information and communication, and monitoring activities have been identified but not included in the accompanying Management’s Report on Internal Controls Over Financial Reporting and are further described as the ‘Causes’ of the deficiencies reported throughout the accompanying Exhibits. Emphasis of Matter – Debt As discussed in Note 14 to the consolidated financial statements, DHS had intragovernmental debt of approximately $23 billion as of September 30, 2025, related to financing the National Flood Insurance Program (NFIP). The debt and interest payments are financed by flood premiums from policyholders. Given the current rate structure, DHS will not be able to pay its debt from the premium revenue alone; therefore, DHS does not anticipate repaying the debt in full. Our opinion is not modified with respect to this matter. Emphasis of Matter – Custodial Revenue As discussed in Note 27 to the consolidated financial statements, DHS experienced a significant increase in duties collected during FY 2025 compared to the prior year. This increase is primarily attributed to deposits of duties that were imposed pursuant to Executive Orders of the President issued under the International Emergency Economic Powers Act and Section 232 of the Trade Expansion Act of 1962. The authority to collect those duties is currently the subject of ongoing litigation, which is pending before the Supreme Court. Our opinion is not modified with respect to this matter. Other Matter – Interactive Data Management has elected to reference to information on websites or other forms of interactive data outside the Agency Financial Report to provide additional information for the users of its consolidated financial statements. Such information is not a required part of the consolidated financial statements or supplementary information required by the Federal Accounting Standards Advisory Board. The information on these websites or the other interactive data has not been subjected to any of our auditing procedures, and accordingly, we do not express an opinion or provide any assurance on it. Responsibilities of Management for the Consolidated Financial Statements and Internal Control Over Financial Reporting Management is responsible for the preparation and fair presentation of the consolidated financial statements in accordance with U.S. generally accepted accounting principles, and for the design, implementation, and maintenance of effective internal control over financial reporting relevant to the preparation and fair presentation of consolidated financial statements that are free from material misstatement, whether due to fraud or error. Management is also responsible for its assessment about the effectiveness of internal control over financial reporting, included in the accompanying Management’s Report on Internal Control Over Financial Reporting. Auditors’ Responsibilities for the Audits of the Consolidated Financial Statements and Internal Control Over Financial Reporting Our objectives are to obtain reasonable assurance about whether the consolidated financial statements as a whole are free from material misstatement, whether due to fraud or error, and about whether effective internal

control over financial reporting was maintained in all material respects, and to issue an auditors’ report that includes our opinions. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit of consolidated financial statements or an audit of internal control over financial reporting conducted in accordance with GAAS, Government Auditing Standards, and OMB Bulletin No. 24-02 will always detect a material misstatement or a material weakness when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control. Misstatements are considered to be material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the consolidated financial statements. In performing an audit of consolidated financial statements and an audit of internal control over financial reporting in accordance with GAAS, Government Auditing Standards, and OMB Bulletin No. 24-02, we:

• Exercise professional judgment and maintain professional skepticism throughout the audits.

• Identify and assess the risks of material misstatement of the consolidated financial statements, whether
  due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements.

• Obtain an understanding of internal control relevant to the consolidated financial statement audit in order to
  design audit procedures that are appropriate in the circumstances.

• Obtain an understanding of internal control over financial reporting relevant to the audit of internal control
  over financial reporting, assess the risks that a material weakness exists, and test and evaluate the design and operating effectiveness of internal control over financial reporting based on the assessed risk.

• Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting
  estimates made by management, as well as evaluate the overall presentation of the consolidated financial statements.

• Conclude whether, in our judgment, there are conditions or events, considered in the aggregate, that raise
  substantial doubt about DHS’s ability to continue as a going concern for a reasonable period of time. We are required to communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit, significant audit findings, and certain internal control related matters that we identified during the consolidated financial statement audit. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal

Managers’ Financial Integrity Act of 1982.

Definition and Inherent Limitations of Internal Control Over Financial Reporting An entity’s internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with U.S. generally accepted accounting principles. An entity’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with U.S. generally accepted accounting principles, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention,

or timely detection and correction of unauthorized acquisition, use, or disposition of the entity’s assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any assessment of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. Other Matter – Management’s Report on Internal Control Over Financial Reporting In Management’s Report on Internal Control over Financial Reporting, management has provided a qualified assessment of the effectiveness of the Entity’s internal control over financial reporting as of September 30,

1. Management’s report indicates that their assessment was qualified because of the material weakness described in their report. However, the existence of a single material weakness necessitates a conclusion that internal control over financial reporting is not effective. Management’s statements regarding DHS’s accomplishments in fiscal year 2025 and the continued existence of areas of improvement, included in the accompanying Management’s Report on Internal Control Over Financial Reporting, have not been subjected to any of our auditing procedures, and accordingly, we do not express an opinion or provide any assurance on it. Required Supplementary Information U.S. generally accepted accounting principles require that the information in the Management’s Discussion and Analysis and Required Supplementary Information sections be presented to supplement the basic consolidated financial statements. Such information is the responsibility of management and, although not a part of the basic consolidated financial statements, is required by the Federal Accounting Standards Advisory Board who considers it to be an essential part of financial reporting for placing the basic consolidated financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with GAAS, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic consolidated financial statements, and other knowledge we obtained during our audits of the basic consolidated financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance. Other Information Management is responsible for the other information included in the Agency Financial Report. The other information comprises the Welcome to the U.S. Department of Homeland Security’s Fiscal Year 2025 Agency Financial Report, Table of Contents, Message from the Secretary, Financial Information: Section Contents, Financial Information: Message from the Acting Chief Financial Officer, Other Information, Appendix A: Acronyms, and Appendix B: Acknowledgements sections, but does not include the consolidated financial statements and our auditors’ report thereon. Our opinion on the consolidated financial statements does not cover the other information, and we do not express an opinion or any form of assurance thereon. In connection with our audit of the consolidated financial statements, our responsibility is to read the other information and consider whether a material inconsistency exists between the other information and the consolidated financial statements, or the other information otherwise appears to be materially misstated. If, based on the work performed, we conclude that an uncorrected material misstatement of the other information exists, we are required to describe it in our report.

Other Reporting Required by Government Auditing Standards Other Reporting on Internal Control In accordance with Government Auditing Standards, we are required to report findings of significant deficiencies. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Our audit of internal control over financial reporting was not designed to identify all deficiencies in internal control that might be significant deficiencies. Given these limitations, significant deficiencies may exist that were not identified. We consider the deficiency described in the accompanying Exhibits as item II-F Grant Recipient Monitoring to be a significant deficiency. Report on Compliance and Other Matters As part of obtaining reasonable assurance about whether DHS’s consolidated financial statements as of and for the year ended September 30, 2025 are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the consolidated financial statements. However, providing an opinion on compliance with those provisions was not an objective of our audits, and accordingly, we do not express such an opinion. The results of our tests disclosed instances of noncompliance or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 24-02, and which are described in the accompanying Exhibits as item III-G Federal Managers’ Financial Integrity Act of 1982 (FMFIA). We also performed tests of DHS’s compliance with certain provisions referred to in Section 803(a) of the Federal Financial Management Improvement Act of 1996 (FFMIA). Providing an opinion on compliance with FFMIA was not an objective of our audits, and accordingly, we do not express such an opinion. The results of our tests disclosed instances, described in the accompanying Exhibits as item III-H Federal Financial Management Improvement Act of 1996 (FFMIA), in which DHS’s financial management systems did not substantially comply with the Federal financial management systems requirements and the United States Government Standard General Ledger at the transaction level. The results of our tests disclosed no instances in which DHS’s financial management systems did not substantially comply with the applicable Federal accounting standards. DHS’s Response to Findings Government Auditing Standards requires the auditor to perform limited procedures on DHS's response to the findings identified in our audits and described in Appendix A. DHS’s response was not subjected to the other auditing procedures applied in the audit of the consolidated financial statements or the audit of internal control over financial reporting and, accordingly, we express no opinion on the response. Purpose of the Other Reporting Required by Government Auditing Standards The purpose of the Other Reporting Required by Government Auditing Standards is solely to describe the deficiencies we consider to be significant deficiencies and the scope of our testing of compliance and the results of that testing, and not to provide an opinion on compliance. This communication is an integral part of an audit performed in accordance with Government Auditing Standards in considering DHS’s internal control and compliance. Accordingly, this communication is not suitable for any other purpose.

Washington, D.C. January 22, 2026

Exhibits Overview The weaknesses in internal control over financial reporting (internal control) existed as of September 30, 2025, and the instances of noncompliance with certain provisions of laws and regulations occurred during the year ended September 30, 2025. The determination of which control deficiencies rise to the level of a material weakness or a significant deficiency is based on an evaluation of the impact of control deficiencies identified across DHS (including headquarters and the components), considered individually and in the aggregate, on the DHS consolidated financial statements as of, and for the year ended, September 30, 2025. The associated material weaknesses in entity level controls, as defined by the Government Accountability Office’s Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States in September 2014 (Green Book), are also identified in relation to the control activities in the corresponding areas of the following Exhibits. The material weaknesses in entity level controls are reported by each of the impacted Green Book principles in Exhibits I and II. The findings are presented in three Exhibits: Exhibit I Material Weaknesses. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s consolidated financial statements will not be prevented, or detected and corrected, on a timely basis. DHS had material weaknesses within each of the following areas, as well as the associated Entity Level Controls related to the Control Environment, Risk Assessment Process, Information and Communication and Monitoring activities:

1. Information Technology Controls and Information Systems
2. Financial Reporting
3. Taxes Receivable, Net
4. Construction in Progress

5. Internal Control Monitoring
   Exhibit II Significant Deficiency. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by DHS management and others in positions of DHS oversight. DHS had a significant deficiency within the following area:

6. Grant Recipient Monitoring
   Exhibit III Compliance and Other Matters. The compliance and other matters section includes instances of noncompliance with certain provisions of laws, regulations, contracts, and grant agreements, and other matters that are required to be reported under Government

Auditing Standards or Office of Management and Budget (OMB) Bulletin No. 24-02, Audit Requirements for Federal Financial Statements. DHS had instances of noncompliance as

follows:

1. Federal Managers’ Financial Integrity Act of 1982
2. Federal Financial Management Improvement Act of 1996 Criteria DHS’s internal control over financial reporting is based on the criteria established by the 17 principles of the Green Book.

I-A Information Technology Controls and Information Systems

Information technology (IT) systems are comprised of four layers of technology – application, database, operating system, and network. Each layer presents risks arising from IT that an entity needs to address for automated controls to operate and function effectively, and for the integrity of data and information sources from the entity’s IT system to be maintained. IT general controls (ITGCs) address risks arising from IT in the areas of access to programs and data, program changes, program acquisition and development, and computer operations. Automated controls are those performed by an IT system.

DHS did not design its information systems and related control activities to achieve objectives and respond to risks arising from IT (Principle 11). For certain areas of its information system that were properly designed, DHS did not implement the control activities (Principle 12). In addition, certain control activities that were properly designed and implemented did not operate effectively. Material weaknesses existed in ITGCs within information systems used for financial reporting at headquarters and various components across DHS, including the U.S. Coast Guard (USCG), Federal Emergency Management Agency (FEMA), U.S. Immigration and Customs Enforcement (ICE), and Transportation Security Administration (TSA). In addition, a material weakness existed in automated controls at U.S. Customs and Border Protection (CBP). Specifically, DHS did not design, implement, or effectively operate ITGCs in the following areas:

Access to programs and data

• User, service, shared, privileged, and generic (including emergency, temporary, developer, and
  migrator) accounts were not properly authorized, recertified, or revoked timely.

• Passwords were not properly configured.

Program changes

• System changes to the database and application layer were not documented, authorized, or
  monitored, including changes made by privileged users. In addition, DHS did not:

• timely review and remediate certain database and operating system vulnerabilities; or

• properly design application controls.

Causes:

These deficiencies are a result of weaknesses in the DHS’s control environment, risk assessment process, information and communication, and monitoring activities because DHS did not:

• document processes related to privileged user access reviews (Principle 3);

• maintain documentation of its internal control related to user access approval and recertification
  (Principle 3);

• hold system owners accountable for terminating user access timely (Principle 5);

• identify, analyze, and respond to risks arising from IT, including risks created by historic limitations in
  the functionality of its information systems (Principle 7);

• identify, analyze, and respond to changes associated with a new system (Principle 9);

• monitor database and application changes implemented into the production environment (Principle
  16); and

• remediate previously identified internal control deficiencies that have existed for years in multiple
  information systems (Principle 17). I.2

Effects:

As a result of these ITGC deficiencies, material weaknesses existed in the automated controls for 10 information systems. The deficiencies increase the risk of unauthorized access to information systems or data and inappropriate disclosures of sensitive data. As such, there is a reasonable possibility that material misstatements in each financial statement line item and related disclosures of the consolidated financial statements will not be prevented, or detected and corrected, on a timely basis. In addition, key DHS financial information systems, including general ledger systems at USCG, FEMA and TSA, were not compliant with Federal financial management system requirements as defined by FFMIA, as reported in Exhibit III-H. Automated controls at CBP, USCG, and ICE were not compliant with the USSGL at the transaction level as defined by FFMIA, as reported in Exhibit III-H.

We recommend:

1. DHS Office of the Chief Financial Officer (OCFO), in coordination with the DHS Office of the
   Chief Information Officer (OCIO), the DHS Office of the Chief Information Security Officer (OCISO), and component IT and financial management:

2. improve organizational structure to consistently complete a comprehensive risk analysis at
   each component and develop a mitigation plan to timely respond to risks related to ITGC and application control deficiencies;

3. design, implement, and communicate internal controls to address the risk of errors due to IT
   system functionality issues, the inability to rely on information derived from systems, and the inability to rely on application controls until information system deficiencies are remediated; and

4. develop, implement, operate and monitor policies and procedures and corrective action plans.

5. OCIO, OCISO, and component IT management monitor IT vulnerabilities and limitations, and
   coordinate with the OCFO and component financial management to implement manual controls to mitigate risk until automated controls are adequately designed and implemented.

I-B Financial Reporting

Financial reporting involves recording journal entries and compiling financial statements and disclosures to present DHS’s financial position and results in accordance with U.S. generally accepted accounting principles.

1. and implement control activities through policies and procedures (Principle 12). In addition, certain control activities that were properly designed and implemented did not operate effectively. Material weaknesses were identified in controls over journal entries and the accounts used in the presentation of the financial statements and disclosures. Specifically, DHS did not effectively:

Journal entries

• Design, implement, and operate controls over the accuracy of journal entries at CBP and USCG.

Presentation of financial statements and disclosures

• Design and implement controls over the accounts used to present civil monetary penalties at CBP
  and ICE.

• Operate controls over the accounts used to present Category C apportionments at USCG and
  U.S. Citizenship and Immigration Services (USCIS).

• Design and implement controls over the preparation of the custodial revenue disclosure at CBP.

Causes:

These deficiencies are a result of weaknesses in DHS’s control environment, risk assessment process, information and communication, and monitoring activities because DHS did not:

• adequately train resources to perform their key control responsibilities over journal entries at CBP and
  USCG (Principle 4);

• adequately hold personnel accountable and adjust excessive pressures on personnel to help them
  fulfill their internal control responsibilities over journal entries and disclosures at CBP (Principle 5);

• identify, analyze, and respond to the risks posed by incomplete or inaccurate supporting
  documentation used to record journal entries and disclosures at CBP and USCG (Principle 7);

• analyze and respond to changes related to civil monetary penalties at CBP and ICE and
  apportionments at USCG and USCIS (Principle 9);

• process and use quality information for the preparation of the custodial revenue disclosure at CBP
  (Principle 13);

• communicate internally to consistently record civil monetary penalties and apportionments across
  DHS (Principle 14); and

Effects:

As a result of the deficiencies described above, misstatements occurred in multiple financial statement line items and disclosures and were subsequently corrected. Specifically, misstatements occurred in: (1) the gross costs line item for ICE on the statement of net cost and the non-exchange revenue line item on the statement of changes in net position; (2) the apportioned, unexpired and unapportioned, unexpired line items on the statement of budgetary resources; (3) the taxes receivable, net and accounts receivable,

net disclosures; (4) the non-exchange, non-custodial revenues disclosure; and (5) the custodial revenues disclosure. Additionally, there is a reasonable possibility that additional material misstatements in each financial statement line item and the related disclosures will not be prevented, or detected and corrected, on a timely basis. These material weaknesses at CBP, USCG, USCIS, and ICE also resulted in instances of noncompliance with the application of the USSGL at the transaction level, as defined by FFMIA and reported in Exhibit III-

1. perform an analysis to assess the risks of insufficient resources and implement processes and
   controls to ensure all necessary journal entries are accurately recorded in each period;

2. adequately train resources and reinforce existing policies, procedures, and established related
   internal controls, to ensure journal entries are adequately researched, supported, and reviewed for accuracy before recording in the general ledger;

3. identify, analyze, and respond to significant changes and update risk assessments related to
   financial reporting;

4. implement comprehensive reconciliation and review processes for the presentation of
   disclosures, including processing and using quality information; and

5. recruit and retain additional resources and align knowledgeable individuals to monitor and
   evaluate internal controls.

I-C Taxes Receivable, Net

DHS assesses duties, taxes, and fees on goods and merchandise brought into the United States from foreign countries. DHS’s CBP is responsible for collecting custodial revenues and remitting funds to the General Fund of the U.S. Government (General Fund) and other federal entities. The related receivables are non-entity assets for which there is an offsetting liability due to the General Fund. The majority of the taxes receivable, net line item on the balance sheet consists of entry receivables and the related allowance.

1. and implement control activities through policies and procedures (Principle 12). Specifically, DHS did not effectively design and implement controls over the completeness and accuracy of the system- generated reports used to calculate the entry receivable balance or the assumptions used to calculate the related allowance.

Causes:

These deficiencies are a result of weaknesses in the entity’s risk assessment process and information and communication because DHS did not:

• identify, analyze, and respond to the risks that the system-generated reports include incomplete and
  inaccurate information or that the assumptions used in the allowance methodology were inaccurate (Principle 7); and

• process and use quality information to record the entry receivable balance (Principle 13).

Effects:

misstatements in the taxes receivable, net and corresponding liability to the General Fund line item on the balance sheet, as well as the related accrual adjustment on the statement of custodial activity, will not be prevented, or detected and corrected, on a timely basis.

1. identify, analyze, and respond to the risk related to the configuration of the system-generated
   reports to ensure the reports extract complete and accurate information from the information system; and

2. identify, analyze, and respond to the risk related to the assumptions used in the allowance
   methodology to ensure the accuracy of the allowance.

I-D Construction in Progress

DHS’s property, plant and equipment includes costs associated with construction projects, which are recorded as construction-in-progress (CIP) until the asset is placed in service. For USCG, these projects primarily relate to construction of surface vessels, aircraft, and shore infrastructure. In July 2025, Public Law 119-21 provided $24.6 billion in future funding for construction, acquisition, and maintenance of USCG equipment.

1. and implement control activities through policies and procedures (Principle 12). Specifically, DHS did not effectively design and implement controls over the completeness, existence, accuracy and presentation of CIP transactions.

Causes:

These deficiencies are a result of weaknesses in DHS’s control environment and information and communication because DHS did not:

• recruit, develop, and retain personnel to properly perform assigned roles and responsibilities
  (Principle 4);

• process and use quality information to record CIP transactions (Principle 13);

• communicate internally to convey accurate project status information to control owners to accurately
  record the related CIP transactions (Principle 14); and

Effects:

misstatements in the CIP balance reported as part of the property, plant, and equipment, net line item on the balance sheet and the related disclosure will not be prevented, or detected and corrected, on a timely basis. In addition, the ineffective recording of CIP transactions resulted in instances of noncompliance with the application of the USSGL at the transaction level, as defined by FFMIA and reported in Exhibit III-

1. recruit, develop, and retain personnel to perform assigned roles and responsibilities;

2. train personnel on the proper recording of costs and adjustments and the related accounting
   policies;

3. implement comprehensive reconciliation and review processes for CIP projects and assets,
   including processing and using quality information in the reconciliation; and

4. update policies and procedures to ensure the consistent communication of project status.
   I-E Internal Control Monitoring

DHS conducts monitoring of its internal control in accordance with the Green Book. Monitoring internal control involves establishing a baseline, evaluating the effectiveness of DHS’s controls, including assessing the reliability of information used in controls and considering the impact of service organizations on DHS’s control environment.

DHS did not sufficiently design, implement, and operate control activities to obtain and generate relevant, quality information to support the functioning of the internal control system (Principle 13) and establish and operate monitoring activities to monitor the internal control system and evaluate the results (Principle 16). Material weaknesses were identified in controls over the information and communication and monitoring of the control environment. Specifically, DHS did not effectively:

Information used in controls

• Design and implement controls to inventory and baseline all automated controls, including
  automated controls producing information used in manual controls at USCG, USCIS, FEMA, ICE, and TSA.

• Operate effective controls to baseline all automated controls, including automated controls
  producing information used in manual controls at CBP.

Service organizations

• Design, implement, and operate effective controls to monitor the National Flood Insurance
  Program (NFIP) Write Your Own (WYO) service providers at FEMA.

• Design and implement controls over the gap period between the end date of the reporting period
  covered by the Service Organization Control (SOC) report and the balance sheet date for one service organization at CBP.

• Operate effective complementary end user controls for one service organization at USCIS.

Causes:

These deficiencies are a result of weaknesses in the entity’s control environment, risk assessment process, and monitoring activities because DHS did not:

• recruit and retain sufficient personnel to accomplish the control objectives (Principle 4);

• assess and respond to risks related to the reliance on automated controls, including information used
  in the performance of manual controls (Principle 7);

• assess and respond to risks related to the use of service organizations at CBP, USCIS, and FEMA
  (Principle 7); and

Effects:

misstatements in the financial statement line items and related disclosures will not be prevented, or detected and corrected, on a timely basis. The deficiencies also resulted in noncompliance with Federal financial management system requirements, as defined by FFMIA and reported in Exhibit III-H. The failure to perform continuous monitoring and testing of IT and business process-level controls results in a lack of timely remediation of existing deficiencies and noncompliance with FMFIA, as reported in Exhibit III-G.

1. recruit and retain additional resources and align knowledgeable individuals to monitor and
   evaluate internal controls;

2. update policies and procedures to establish thresholds to validate the accuracy of WYO
   information used in the NFIP actuarial liability; and

3. enhance existing policies and procedures and documentation over the monitoring of service
   organizations to ensure gap periods and complementary end user controls are sufficiently assessed, analyzed, and addressed.

Exhibit II – Significant Deficiency II-F Grant Recipient Monitoring

DHS’s FEMA manages multiple Federal disaster and non-disaster grant programs. In FY 2025, DHS continued efforts to standardize its grant management activities. This included coordination among the grant regional offices and central management as well as among the various grant program offices. To monitor the grant recipients’ spending of the Federal disaster and non-disaster grants awarded to them, DHS planned to perform site visits of the grant recipients and complete desk reviews of their submitted Federal Financial Reports.

Condition:

DHS did not fully implement control activities through policies (Principle 12). Specifically, at FEMA, DHS did not implement effective controls over the monitoring of grant recipients.

Causes:

The deficiency is a result of weaknesses in DHS’s control environment, risk assessment process, and monitoring activities because DHS did not:

• recruit and retain additional resources to perform control responsibilities related to reviewing risk
  assessment criteria and selecting grant awards for monitoring (Principle 4);

• identify and analyze grant awards per established control thresholds to determine the appropriate
  scope of grant monitoring site visits and desk reviews to minimize residual risk (Principle 7); and

• effectively implement controls to remediate grants management deficiencies and execute corrective
  actions to address previously identified deficiencies that have existed for years (Principle 17).

Effects:

As a result of the deficiency described above, there is a reasonable possibility of inaccurate or unauthorized expense reporting by grant recipients and ineffective monitoring of open and closed grants, which may affect the recoverability of grant funds and increases the risk that DHS may not identify corrective actions for grant recipients timely.

1. recruit and retain additional resources and align knowledgeable individuals to monitor and
   evaluate internal controls; and

2. implement controls to enhance existing procedures related to grant monitoring site visits and
   desk reviews.

II.1

Exhibit III – Compliance and Other Matters III-G Federal Managers’ Financial Integrity Act of 1982 FMFIA requires agencies to establish effective internal control and information systems and to continuously evaluate and assess the effectiveness of their internal control. DHS has implemented a multi-year plan to implement OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk

Management and Internal Control, to comply with FMFIA. However, the DHS Secretary’s Assurance Statement, dated January 22, 2026, as presented in Management’s Discussion and Analysis of DHS’s FY

2025 Agency Financial Report, acknowledged the existence of material weaknesses, and therefore provided modified assurance that internal control over financial reporting was operating effectively as of September 30, 2025. DHS did not perform continuous monitoring and testing of both IT and business process-level controls for all significant areas. DHS did not fully establish effective systems, processes, policies, and testing procedures to ensure that internal controls were operating effectively throughout DHS.

Recommendation:

1. implement corrective actions to address internal control deficiencies to ensure compliance with FMFIA, and implement the recommendations provided in Exhibits I and II.

III.1

Exhibit III – Compliance and Other Matters III-H Federal Financial Management Improvement Act of 1996 FFMIA Section 803(a) requires that agency Federal financial management systems comply with: (1) applicable Federal accounting standards; (2) Federal financial management system requirements; and (3) the USSGL at the transaction level. FFMIA emphasizes the need for agencies to have systems that can generate timely, reliable, and useful information with which to make informed decisions to ensure ongoing accountability. As of September 30, 2025, DHS did not comply with Federal financial management system requirements and application of the USSGL at the transaction level in certain instances, as described in Exhibits I-A and I-B. The results of our tests disclosed no instances in which DHS’s financial management systems did not substantially comply with the applicable Federal accounting standards. The DHS Secretary stated in the Secretary’s Assurance Statement, dated January 22, 2026, that DHS’s financial management systems did not substantially comply with government-wide requirements mandated by FFMIA.

Recommendation:

1. enhance the capabilities of its financial management systems to ensure compliance with FFMIA, and implement the recommendations provided in Exhibits I and II.

III.2

Appendix A

Management Comments to the Draft Report

Appendix B Report Distribution Secretary Deputy Secretary Chief of Staff Deputy Chiefs of Staff General Counsel Executive Secretary Director, GAO/OIG Liaison Office Under Secretary, Office of Strategy, Policy, and Plans Assistant Secretary of Office of Policy Assistant Secretary of Office of Public Affairs Assistant Secretary for Office of Legislative Affairs Chief Financial Officer DHS Chief Information Office Chief Information Security Officer Office of Management and Budget Chief, Homeland Security Branch DHS OIG Budget Examiner Congress Congressional Oversight and Appropriations Committees

Additional Information

To view this and any other DHS OIG reports, Please visit our website: www.oig.dhs.gov For further information or questions, please contact the DHS OIG Office of Public Affairs via email: DHS-OIG.OfficePublicAffairs@oig.dhs.gov

DHS OIG Hotline

To report fraud, waste, abuse, or criminal misconduct involving U.S. Department of Homeland Security programs, personnel, and funds, please visit: www.oig.dhs.gov/hotline If you cannot access our website, please contact the hotline by phone or mail: Call: 1-800-323-8603 U.S. Mail: Office of Inspector General, Mail Stop 0305 Attention: Hotline 245 Murray Drive SW Washington, DC 20528-0305