Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Small Business Administration
Fiscal Year 2024 Federal Information Security Modernization Act
This report summarizes the results of our fiscal year 2024 Federal Information Security Modernization Act (FISMA) evaluation and assessment of the U.S. Small Business Administration’s (SBA) information security program. Our objectives were to determine whether SBA complied with FISMA and assessed the maturity of controls used to address risks in each of the nine security domains.
We found SBA generally responded to previously identified vulnerabilities and made progress in one of the nine domains, in the area of security training. The agency met the baseline in the area of incident response but fell below the baseline for an effective security program in several areas. We rated SBA’s overall information security program as “not effective.”
This fiscal year there are seven new recommendations for improvement. There are 11 open recommendations from 3 prior evaluations. Repeat recommendations from prior years were not included in this report because they have not yet been implemented. The agency successfully closed four recommendations from fiscal year 2023. SBA managers agreed with six recommendations and partially agreed with one. Their corrective actions resolved all the recommendations.
The Office of the Inspector General identified several issues with the use and oversight of the U.S. Nuclear Regulatory Commission’s telework program, including missing telework agreements and inaccurate telework records, both of which are required by law for proper program administration. Additionally, we found inadequate compliance with documentation standards, which could result in inconsistent adherence to policies and inaccuracies in employee records. Finally, we identified discrepancies in some official duty stations and failure to comply with telework agreement terms, potentially resulting in incorrect locality pay. This report makes seven recommendations to strengthen the telework program’s document management and oversight processes to ensure full compliance with federal laws and regulations.
At the request of the Tennessee Valley Authority’s (TVA) Supply Chain, we examined the cost proposal submitted by a company for designing, fabricating, and delivering hydraulic turbine runners and components as specified by TVA. Our examination objective was to determine if the company’s cost proposal was fairly stated for a contract with expenditures up to $175 million.
In our opinion, the company’s proposed (1) hourly manufacturing and labor rates and (2) markup factors for recovery of indirect costs were fairly stated. However, the company’s proposed billing rates for craft labor were overstated. Specifically, the proposed craft billing rates in the example project included (1) an ineligible sick leave markup, (2) overstated state unemployment insurance markup, and (3) duplicated workers’ compensation insurance markup. We estimated TVA could avoid about $1.2 million over the potential $175 million contract by negotiating appropriate reductions to the craft labor billing rates. In addition, we suggest TVA negotiate to include craft labor billing rates in the contract’s rate schedule, including craft markups and cost adders.
The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess an allegation that a physician (subject physician), who was not privileged at the Overton Brooks VA Medical Center (facility) in Shreveport, Louisiana, provided care to intensive care unit (ICU) patients. The OIG also identified concerns with a quality review completed after facility leaders’ awareness of the event.
The OIG substantiated that the subject physician, a fellow in training at an academic affiliate, provided patient care for three hours in the ICU with attending physician oversight. Failure to follow the trainee Veterans Health Administration (VHA) onboarding process and lack of oversight of physician coverage for the ICU contributed to the event. The resident student coordinator facilitated the VHA trainee onboarding process before receiving the required verification letter, resulting in the improper onboarding of the subject physician. Additionally, the chief of medicine failed to ensure a process was implemented to verify ICU coverage-pool physicians were credentialed and privileged at the facility.
The Facility Director chartered a root cause analysis (RCA); however, the RCA team’s application of the RCA process left patient safety risks unresolved and did not explore how the subject physician was onboarded as a trainee or provided care in the facility’s ICU. The RCA team’s failure to follow VHA required guidelines affected the reliability of the RCA team’s assessment and conclusion. The OIG also identified a facility practice involving an additional concurrence step, which created vulnerabilities related to breaching RCA confidentiality and service line leaders’ influence on RCA findings.
The OIG made one recommendation to the Under Secretary for Health to evaluate VHA using an additional RCA concurrence step and three recommendations to the Facility Director related to trainee onboarding requirements, oversight of intensive care unit physician credentialing and privileging, and completing root cause analyses as required.
After previous failed attempts, VA is modernizing its finance and acquisition systems by implementing the Integrated Financial and Acquisition Management System (iFAMS). The system is being deployed by the Financial Management Business Transformation Service (FMBTS) in waves across VA. The six waves that had been carried out as of June 2023 represent only about 3.6 percent of all projected iFAMS users. One remaining wave is for the Veterans Health Administration, which represents more than 92 percent of iFAMS users. As of fiscal year 2024, the life cycle cost estimate to deploy and sustain the system across VA is anticipated to be about $8.6 billion through 2050.
Interfaces, which are created and tested during the iFAMS software development process, facilitate the flow of data between systems to automatically complete business processes. Therefore, interface development is critical for iFAMS to meet users’ needs. The VA OIG conducted this audit to assess whether the interface development process aligned with stated goals to enhance iFAMS implementation. The OIG examined FMBTS’s planning, communication, and monitoring of success metrics for the process. This audit focuses on the Consolidated Wave Stack, the first wave that deployed both finance and acquisition functions simultaneously.
The OIG found that during the Consolidated Wave Stack, validation sessions lacked essential details and FMBTS missed opportunities to fully confirm the system functioned properly. If functionality issues are not identified or corrected before deployment, user productivity and efficiency can decrease while the risk of errors increases. Consequently, FMBTS should test essential functions for both real-world application and technical assessment moving forward. The OIG made four recommendations for FMBTS to improve the interface development process for future implementation waves.
Each year, the U.S. Department of Housing and Urban Development (HUD or Department) Office of Inspector General (OIG) provides the Department with a memorandum of priority open recommendations the OIG issued in its reports. The OIG designated these recommendations as “priority” because, if implemented, the recommendations will have the most significant impact on increasing efficiency in HUD programs, reducing fraud and wasteful spending, and assisting HUD with addressing its top management challenges.