
DOGE Unleashed: If PwC Can Do It, Then Why Not DOGE?

York Faulkner


 


I. Introduction

 

On January 20, 2025, President Donald J. Trump signed Executive Order 14158, transforming the U.S. Digital Service (“USDS”) into the Department of Government Efficiency (“DOGE”) and tasking it with auditing and modernizing federal agencies under Elon Musk’s leadership as a special government employee (“SGE”). See Exec. Order No. 14158, 90 Fed. Reg. 8441 (Jan. 29, 2025). Within weeks, DOGE’s auditors accessed the Treasury Department’s payment systems as well as those of other government agencies, sparking a wave of legal challenges—over twenty lawsuits alleging violations of constitutional, statutory, and regulatory norms. Among these, State of New York, et al. v. Trump, et al., Case No. 1:25-cv-01144, ECF No. 76 (S.D.N.Y. Feb. 21, 2025) (“Op.”), stands out as an instructive benchmark, with its preliminary injunction halting DOGE’s Treasury access until certain procedural flaws are corrected. Yet, federal auditing by private firms like PricewaterhouseCoopers (“PwC”) under the Federal Acquisition Regulation (“FAR”) proceeds routinely without such contention. If PwC can scrutinize agency systems as an external actor, why has DOGE—an internal government entity—ignited such a firestorm?

 

The answer lies in a novel and calculated choice by the new administration. Eschewing the FAR’s protracted procurement process for Big Four firms, Trump opted for Musk and his hand-picked team, blending SGEs who retain their private roles with agile direct government hiring of young talent. This workaround of FAR, harnessing this unique blend of talent and accelerating action, bypasses the delays and rigidity of traditional auditing contracts. The district court’s preliminary injunction ruling in State of New York validates, for now, DOGE’s intrusion into the role of traditional outside auditors like PwC, provided vetting, training, and supervision meet federal standards. Through this lens, DOGE’s spirited in-house model, though fraught with untested procedural risks, offers a potent alternative to external auditing firms in swiftly implementing consequential efficiency gains within the federal bureaucracy.

 

II. Background

 

DOGE’s rapid implementation and the ensuing legal tumult reflect a bold reimagining of federal efficiency reforms, diverging from the established path of external auditing while echoing historical precedents in a distinctly modern guise.

 

     A. The Creation of DOGE

 

By signing Executive Order 14158, President Trump restructured the USDS—launched in 2014 by President Obama and funded in 2021 by Congress (Pub. L. No. 117-2, Sec. 4101, 135 Stat. 4 (2021))—into DOGE, an entity charged with sweeping governmental efficiency reforms. Rather than engaging outside auditors like PwC through the FAR’s lengthy procurement process, DOGE instead operates internally, leveraging USDS’s framework within the Executive Office of the President. Elon Musk, appointed as an SGE under 18 U.S.C. § 202(a), leads this effort, retaining stewardship over his private ventures (e.g., Tesla and SpaceX) with a 130-day tenure limit. DOGE’s personnel assigned to audit the Treasury comprise two types: SGEs like Thomas Krause, who continues as CEO of Cloud Software Group (Op. at 9 (citing Second Krause Decl., ECF No. 33, ¶ 6)), and direct hires like Marko Elez, a young software engineer deployed by DOGE to Treasury (Op. at 10 (citing Wenzler Decl., ECF No. 31, ¶ 9)). This in-house approach sidestepped FAR’s competitive bidding and vetting mandates, enabling rapid deployment of DOGE resources outside of conventional procedures.

 

By mid-February 2025, DOGE’s footprint across the bureaucracy was undeniable. DOGE auditors were hard at work at Treasury, reviewing the Bureau of Fiscal Services (“BFS”) payment systems that process $5.46 trillion annually across 1.2 billion transactions; involved in staffing reductions, including over 26,000 probationary positions government-wide; and had identified at least $6.5 billion of suspect funds to carve from USAID’s $47.8 billion budget. This swift action triggered a robust legal counteroffensive. Over twenty lawsuits emerged, including lawsuits alleging everything from Appointments Clause violations to breaches of classified data protocols. In State of New York v. Trump, the plaintiffs, a group of 19 states, challenged DOGE’s access to Treasury’s payment systems, asserting violations of the Administrative Procedure Act (“APA”), Privacy Act, Internal Revenue Code, and various provisions of the Constitution. See Case No. 1:25-cv-01144, ECF No. 7 (“Compl.”), ¶¶ 138-140. The district court’s February 8, 2025 Temporary Restraining Order (“TRO”) (ECF No. 6) and February 21, 2025 preliminary injunction (ECF No. 76) scrutinized this FAR workaround to determine whether DOGE’s personnel structure and procedural execution were lawful.

 

     B. Historical Precedent for DOGE

 

Efforts to streamline the federal government’s operations are woven into the fabric of U.S. history. The Hoover Commissions (1947-49), authorized by Public Law 80-162, enlisted external advisors who proposed 273 structural reforms, including the unification of the Department of Defense. The Grace Commission (1982), established by Executive Order 12369, deployed private-sector experts who recommended $424 billion in savings across various government agencies. President Clinton’s National Performance Review (1993) eliminated 250,000 federal positions through consolidation of government agencies. These initiatives, whether externally advised or internally driven, share DOGE’s efficiency goals but differ in their operational frameworks.

 

DOGE aligns more closely with modern precedents of outside auditing firms examining agency operations. For example, outside auditing firms have audited the Department of Defense—such as PwC’s 2021 audit of the Institute for Defense Analysis. See Report No. DODIG-2021-087. Components of the Treasury Department have similarly faced external audits—such as KPMG’s 2023-24 audit of Treasury’s consolidated financial statements. See Report No. OIG-25-12. Yet, where these audits relied on FAR’s structured regulatory framework, DOGE’s in-house rebranding of USDS introduced a flexible alternative, trading procedural rigidity for rapid action—a choice that opened both opportunities for swift review of government accounts and avenues for legal contests.

 

III. Comparing Outside Auditors to DOGE

 

DOGE’s approach to auditing federal agencies departs markedly from the established model of using outside firms like PwC to conduct government audits, embodying a strategic workaround of FAR that balances significant advantages in flexibility with potential procedural vulnerabilities—the subject of the ensuing legal challenges.

 

     A. Outside Auditors

 

When an agency retains outside auditors, it follows a meticulously regulated process under FAR. See generally 48 CFR Part 1. This begins with a Request for Proposal (“RFP”), issued pursuant to 48 CFR § 15.203, which precisely outlines the audit’s scope. Each outside auditor submits a competitive bid, and the resulting contract imposes stringent legal duties. For example, FAR provision 48 CFR § 52.224-2 mandates that contractors implement safeguards to protect personal data, ensuring compliance with the Privacy Act (5 U.S.C. § 552a), while 48 CFR § 52.204-2 restricts system access to approved personnel in compliance with the National Industrial Security Program Operating Manual (32 CFR part 117).

 

Oversight is multilayered, enforced by the agency’s Office of Inspector General and aligned with OMB Circular A-123 standards for internal controls. Though expeditable under emergency waivers (48 CFR § 6.302-2), this procurement process regularly consumes six to twelve months before the outside auditor is deployed to audit agency systems and make recommendations pursuant to its governing contract. This regulatory framework, methodical and transparent, shields auditors like PwC from legal challenges, grounding its authority in a regulatory structure that prioritizes data security and procedural integrity over rapid deployment.

 

     B. DOGE as Internal Auditor

 

USDS, now DOGE, by contrast, historically functioned as an internal government entity to audit and enhance agency efficiency without the constraints of FAR. Originally established in 2014 to modernize federal technology, DOGE now operates under Musk’s leadership as an SGE, who concurrently leads private ventures while involved in temporary government service. Its direct government hires function as agency employees, even if temporarily so. This in-house model, whose personnel are directly supervised by the audited agency heads, bypasses FAR’s competitive and time-consuming bidding requirements, relying instead on Article II’s executive prerogatives.

 

This FAR workaround offers distinct advantages. It enables swift action—DOGE accessed Treasury’s BFS systems within weeks of Trump’s inauguration (Op. at 50 (citing Gioeli Decl., ECF No. 34, ¶ 17))—and fosters recruitment from a curated talent pool, including high-profile figures like Musk and mobile young professionals. These hand-picked DOGE teams perform their work unencumbered by the protracted timelines of FAR and without the corporate constraints of the Big Four accounting firms. SGEs, with their limited tenure and advisory capacity, bring private-sector expertise without necessitating full-time commitment or Senate confirmation, while direct hires provide staffing agility. See Op. at 9. Yet, this flexibility introduces vulnerabilities—DOGE’s onboarding may lack the structured training and oversight mandated by FAR, a lapse that invites legal scrutiny. See Op. at 51-52. The State of New York litigation examines this tension, probing whether DOGE’s in-house advantages can be sustained without compromising the procedural standards that external auditors like PwC are bound to uphold.

 

IV. State of New York, et al. v. Trump, et al.

 

The Southern District of New York’s decision in State of New York, et al. v. Trump, et al., Case No. 1:25-cv-01144 (S.D.N.Y. 2025), provides an exemplary judicial assessment of DOGE’s authority to audit government systems, in this case, the Treasury Department’s payment systems. In its comprehensive 64-page opinion, the district court meticulously addressed the parties’ complex arguments—from the plaintiffs’ broad initial complaint that resulted in a sweeping initial TRO, to the court’s final narrowly tailored preliminary injunction.

 

     A. The Complaint

 

On February 7, 2025, nineteen states, spearheaded by New York, filed a complaint against President Donald Trump, Treasury Secretary Scott Bessent, and other officials, challenging DOGE’s access to Treasury’s BFS payment systems as a breach of federal law that endangered their sensitive financial data. See Compl. Treasury processes more than 1.2 billion transactions annually, disbursing state funds for programs like Medicaid and FEMA grants. See Op. at 3 (citing Robinson Decl., ECF No. 32, ¶ 2; Compl., ¶ 69). Treasury’s systems necessarily record critical state information—bank account numbers and wiring instructions—alongside citizens’ personal identifying information (“PII”), such as Social Security numbers. See Compl., ¶¶ 74-80. The states alleged that DOGE’s Treasury team, comprising Thomas Krause (designated as an SGE) and Marko Elez (a temporary hire), accessed this data without proper vetting, training, or security protocols, risking unauthorized disclosures to other DOGE members or external third parties. See Compl., ¶¶ 9-11, 138-140. They framed this as a “unique security risk” to state sovereignty and citizen privacy, attributing those risks to an Engagement Plan hastily implemented by the Treasury Secretary. See Compl., ¶ 139; Second Krause Decl., ECF No. 33, ¶ 15.

 

Specifically, the Complaint alleged violations of the APA for arbitrary and capricious action (5 U.S.C. §§ 551 et seq.), the Privacy Act for exposing PII (5 U.S.C. § 552a), Internal Revenue Code for risking unauthorized disclosure of tax data (26 U.S.C. § 6103), the E-Government Act for omitting a required privacy impact assessment (Section 208(b)(1)(A)(i)), and constitutional oversteps—separation of powers and the Take Care Clause—alleging DOGE aimed to block Congressionally-authorized funds. See Compl., ¶¶ 194-199. The relief sought matched this scope: an injunction to terminate DOGE’s data access and prevent interference with payment processing, aimed at protecting state financial operations and citizen data integrity. See Compl., Prayer for Relief.

 

     B. Temporary Restraining Order

 

The states’ urgent plea met with swift judicial intervention. On February 8, 2025, the Part I Judge, District Judge Engelmayer, issued an ex parte TRO, imposing a comprehensive restriction on DOGE’s activities within the Treasury Department. See ECF No. 6. The order barred access to “any Treasury Department payment record, payment systems, or any other data systems maintained by the Treasury Department containing personally identifiable information and/or confidential financial information of payees” by anyone other than BFS civil servants with a demonstrated “need for access to perform their job duties” who had completed background checks and training. Id. at 3.

 

This expansive decree explicitly prohibited “all political appointees, special government employees, and government employees detailed from an agency outside the Treasury Department”—a scope so broad it initially encompassed even Senate-confirmed Treasury leadership, such as the Secretary. Id. The Part I Judge anchored this relief in findings of “irreparable harm” from the “risk that the new policy presents of the disclosure of sensitive and confidential information and the heightened risk that the systems in question will be more vulnerable than before to hacking,” bolstered by the states’ “particularly strong” statutory claims. Id. at 2. A preliminary injunction hearing was set for February 14 before the Part II Judge, District Judge Vargas. Id.

 

Defendants responded on February 9 with an emergency motion to dissolve or modify the TRO, arguing that its breadth raised constitutional concerns by restricting senior Treasury officials’ access and disrupted BFS operations by excluding Federal Reserve employees and contractors essential for system maintenance. See ECF No. 12 at 5-9. After negotiations, District Judge Vargas issued a Modified TRO, narrowing the exclusion to enable access for Senate-confirmed officers and operational support personnel, while maintaining the bar on DOGE team members. See Modified TRO, ECF No. 28, at 6-7. Following this modification, the parties submitted briefing on the plaintiffs’ motion for a preliminary injunction.

 

     C. Preliminary Injunction

 

On February 21, 2025, Judge Vargas granted a preliminary injunction, largely retaining the scope of the modified TRO which barred DOGE’s access to Treasury payment systems, unless and until they demonstrated compliance with the APA.

 

          1. Plaintiffs’ Standing

 

Although the court rejected the plaintiffs’ standing to assert their citizens’ privacy rights, the states ultimately secured Article III standing through a tangible and imminent threat to their own financial data within Treasury’s systems. See Op. at 37-38. The court identified a concrete injury in DOGE’s access—Elez’s erroneously obtained read/write access to the Secure Payment System (“SPS”) (Gioeli Decl., ECF No. 34, ¶¶ 17-20) and potential for unauthorized external disclosure of Treasury information via emails he sent to DOGE members not directly employed by Treasury. Op. at 27, PI Hearing Tr., ECF No. 68, at 15:18-23. This risk was deemed neither speculative nor remote, but “actual and imminent,” directly traceable to the Treasury’s Engagement Plan and redressable by injunctive relief. Op. at 30-31 (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)). Finding standing, the district court comprehensively reviewed the states’ multifaceted legal challenges.

 

          2. Plaintiffs’ Claims, Defendants’ Responses, and Court’s Disposition

 

The states’ ambitious array of claims encountered a skeptical judicial eye, with only a single procedural APA violation surviving. First, the states argued that DOGE’s BFS access violated the Privacy Act by exposing their financial data without safeguards (Compl., ¶¶ 154-163), seeking a sweeping injunction to bar all DOGE personnel from payment systems. See Compl., Prayer for Relief. The court dismissed this assertion, reasoning that the states’ bank information—unlike individual PII—falls outside the Privacy Act’s zone of interests, which protects only personal financial data. See Op. at 38-40.

 

Next, plaintiffs’ claim under the Internal Revenue Code asserted that DOGE risked exposing tax information (Compl., ¶¶ 164-167), but the court found that the states’ financial information maintained at Treasury was distinct from “tax return information” protected under the Internal Revenue Code. See Op. at 38-39 (citing Stokwitz v. United States, 831 F.2d 893, 894 (9th Cir. 1987)). The plaintiffs’ E-Government Act claim alleged that DOGE’s development of a separate and secure “sandbox” to review read-only data required a privacy impact assessment (Pls. Rep. Br., ECF No. 51, at 51), yet this too failed, as the states lack the individual privacy interest the Act safeguards. See Op. at 40-41 (citing Electronic Privacy Information Center v. Presidential Advisory Commission, 878 F.3d 371, 378 (D.C. Cir. 2017)).

 

The plaintiffs’ constitutional claims met a similar end. The states contended that DOGE’s payment pauses infringed Congress’s power over the purse. See Compl., ¶ 189; Pls. Br. at 23-24. But the court found no evidence that any payments had been withheld or paused and that this alleged claim was disconnected from the plaintiffs’ alleged data security breach, which they conceded was their sole basis for suit. See Op. at 53-54 (citing PI Hearing Tr. at 12:14-24). The plaintiffs’ Take Care Clause claim posited that EO 14158 contravened the President’s duty to faithfully execute laws, yet the court found that this claim lacked evidence of statutory overreach and raised justiciability concerns, leading to its rejection. See Op. at 55-56 (citing Citizens for Responsibility & Ethics in Washington v. Trump, 302 F. Supp. 3d 127, 139-40 (D.D.C. 2018)). The plaintiffs’ ultra vires claim, alleging Treasury exceeded its authority, faltered absent a “clear and mandatory” statutory prohibition. See Op. at 57. And the court was satisfied that DOGE staff, as employees of the government, fit within Privacy Act exceptions allowing their access to Treasury information. See Op. at 56-57 (citing Yale New Haven Hosp. v. Becerra, 56 F.4th 9, 26-27 (2d Cir. 2022)).

 

The plaintiffs’ APA claim of arbitrary and capricious action by Treasury stood alone as the states’ sole success, meriting the court’s thorough exploration of DOGE’s FAR workaround. The court first found that, although not committed to writing, Treasury implemented an “Engagement Plan” in granting DOGE personnel access to BFS systems. That conduct qualified as a final agency action under Bennett v. Spear, 520 U.S. 154, 177-78 (1997), as it was a “consummated” decision with “concrete consequences,” such as heightened data-exposure risks which Treasury acknowledged. Op. at 43-48 (citing Gioeli Decl., ECF No. 34, ¶ 11). On a point largely uncontested by the government, the court further found that the plan’s implementation was “chaotic,” rendering it “arbitrary and capricious.” Op. at 48-52 (citing Motor Vehicle Mfrs. Ass’n v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 43 (1983)).

 

Treasury’s haste was evident from the record: Elez was hired on January 21, 2025, and had accessed BFS systems by February 3. Krause similarly gained access to Treasury systems within weeks of accepting his role in DOGE. See Op. at 50 (citing Gioeli Decl., ¶¶ 17-19; Third Krause Decl., ECF No. 58, ¶¶ 3-4). Neither received specific training on the numerous federal regulations and policies governing the handling and care of sensitive information beyond basic instructions to confine data to BFS laptops, a significant oversight given BFS’s critical role in processing the nation’s Treasury funds. See Op. at 51 (citing Gioeli Decl., ¶ 14; PI Hearing Tr. at 20:13-19).

 

This rushed onboarding precipitated tangible errors, most notably Elez’s mistaken read/write access to the SPS database, uncovered only after his February 6 resignation. See Op. at 51 (citing Gioeli Decl., ¶ 20). Because Elez’s access went unmonitored in real-time, Treasury was forced to rely on post-hoc log reviews to ascertain the scope of his actions. See Op. at 51 (citing Gioeli Decl., ¶ 18). This reactive stance, the court found, epitomized a clear error of judgment in oversight. See Op. at 50-51. Supervision structures were equally ambiguous: Krause’s dual reporting to DOGE and Treasury lacked clear delineation, complicating accountability. See Op. at 51 (citing Second Krause Decl., ¶ 4).

 

Importantly, the district court’s preliminary injunction ruling did not challenge DOGE’s underlying mission to audit and enhance efficiency, nor did it deem its staffing model—SGEs like Musk and Krause or direct hires like Elez—inherently impermissible. Instead, it pinpointed deficiencies in how these personnel were trained and supervised, signaling that DOGE’s FAR workaround could endure if the onboarding “ha[d] been implemented in a measured, reasonable, and thoughtful way.” See Op. at 52.

 

          3. Scope of Preliminary Injunction & Opportunity to Cure

 

The preliminary injunction markedly narrowed the initial ex parte TRO’s sweep, barring only DOGE personnel from accessing BFS systems containing PII or financial data, rather than halting Treasury’s review of payment processing as the states had originally sought. See Op. at 61-62. The preliminary injunction further provided that, by March 24, 2025, Treasury must certify that its DOGE members have undergone training, vetting, and supervision consistent with Treasury standards, thereby providing a pathway to cure the APA defect found by the court. See Op. at 63-64. Nonetheless, while affirming DOGE’s potential to audit Treasury payment systems with embedded Treasury employees, the court left unresolved the permissible scope of data-sharing between the embedded employees and other members of DOGE, a lingering ambiguity amid the broader validation of DOGE’s in-house workaround of FAR. See Op. at 46.

 

Curiously, the district court appears to have glossed over a specific privacy violation raised by the plaintiffs—that DOGE fed Treasury BFS data into AI systems for analysis. See Op. at 20 n.1 (citing Compl., ECF No. 1, ¶ 10). Perhaps it was just as well that the court deferred judgment on this issue since it likely has implications extending beyond DOGE. Indeed, the Big Four accounting firms now routinely employ AI systems to carry out complex audits. For example, PwC advertises its use of artificial intelligence tools, such as its GL.ai platform, to process vast datasets. See PwC, Global Artificial Intelligence Study: Exploiting the AI Revolution (2020) (online). Conceivably, this issue will be explored further in other legal challenges to DOGE’s audits of the federal bureaucracy.

 

V. Conclusion

 

The district court’s ruling in State of New York answers the inquiry posed by this article’s title—“If PwC Can Do It, Then Why Not DOGE?”—with a resounding, albeit conditional, affirmation. DOGE can audit federal agencies like Treasury in a manner comparable to outside auditors, provided it adheres to robust procedural safeguards. Outside audits of federal agencies have flourished under FAR’s meticulous framework, requiring competitive bids, extensive vetting, and stringent regulatory and contractual restrictions that unfold over months. DOGE, however, represents a deliberate workaround of FAR, eschewing external firms for a flexible and dynamic in-house model. This approach—integrating SGEs like Musk and Krause, who retain their private roles with limited tenures, with swiftly onboarded agency hires like Elez—unlocks unparalleled flexibility and access to a hand-picked talent pool, circumventing the delays and rigidity of traditional procurement that the Trump administration apparently deemed ill-suited to the rapid implementation of its agenda.

 

The court’s opinion in State of New York mostly validates this workaround’s viability, exposing both its promise and its pitfalls. The court’s preliminary injunction stopped short of an outright repudiation of DOGE’s mission and its staffing structure—but highlighted procedural lapses that marred the legality of its rollout. The rushed onboarding of personnel, inadequate training, and lax supervision constituted an “arbitrary and capricious” violation of the APA. Yet, by granting Treasury until March 24, 2025, to certify vetting, training, and oversight consistent with Treasury requirements, the court affirmed that these lapses are not insurmountable. For legal scholars, practitioners, and policymakers, State of New York thus suggests that DOGE’s FAR workaround, when paired with robust safeguards, not only matches but may surpass the capabilities of external auditors like PwC, heralding a new paradigm for imposing swift and widespread control over the federal bureaucracy.

 
 
 



© 2021 YorkMoodyFaulkner International Law Office
