The Department of Energy's Western Area Power Administration (Western) markets and delivers hydroelectric power and related services to 15 states within the central and western United States. To successfully transmit hydroelectric power to customers and local utilities within its territory, Western relies on a number of information systems that support the operation, maintenance and management of a massive electrical power complex, as well as financial and administrative activities. The audit found that Western had made a number of enhancements to its cyber security program since our prior review. However, we identified several weaknesses related to vulnerability management and security controls that could negatively impact its cyber security posture. In particular, nearly all of the workstations tested contained at least one high-risk vulnerability related to software updates or patches. Also, during internal vulnerability scanning, a network server was running an unsupported version of a software application and 30 network servers were identified that contained vulnerabilities that could have been made more secure by applying publicly available security patches and updates. In addition, external vulnerability testing revealed a public-facing application server that was configured with a default username and password, and testing of cyber security controls identified weaknesses related to access security controls. The weaknesses identified occurred, in part, because Western had not always implemented policies and procedures related to vulnerability and patch management. In response to our finding, Department management concurred with the recommendations, and initiated corrective actions for program improvements.