Federal Reports

The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess whether leaders implemented corrective actions to address pharmacy-related concerns at the VA Central Western Massachusetts Healthcare System (system) in Leeds.In early 2023, the OIG received five allegations related to prescription processing delays and inadequate pharmacy staff training, and requested the Veterans Integrated Service Network (VISN) Director to respond to the allegations. According to the response, an external review, performed by individuals associated with another VISN, partially substantiated or substantiated four of the five allegations and made 12 recommendations. The System Associate Director (Associate Director) adopted the recommendations as corrective actions and, in July, tasked the chief of pharmacy with implementation. The OIG opened a hotline in September to determine whether system leaders had implemented the 12 corrective actions.The OIG determined that 11 of the 12 corrective actions were incomplete. The OIG found the chief of pharmacy perceived the corrective actions as a disciplinary tool rather than an opportunity to improve pharmacy services and that this impacted implementation of the corrective actions.Further, the Associate Director and the acting Associate Director, as the chief of pharmacy’s supervisors, did not provide effective and timely oversight to ensure completion of the corrective actions. Although not required, they also missed opportunities to involve the VISN Pharmacist Executive earlier, rather than waiting until corrective action deadlines had passed, diminishing the effectiveness of the VISN Pharmacist Executive to assist the system with timely intervention.The OIG made three recommendations to the VISN Director related to the completion of the corrective actions; training of pharmacy staff and supervisors; and ensuring that leaders receive administrative action, as appropriate.

The Science and Technology Directorate (S&T) can improve management of its research, development, testing, and evaluation (R&D) activities related to critical infrastructure security and resilience. Although S&T is actively making efforts to improve processes, it:• does not use a risk-based, holistic approach to prioritize critical infrastructure R&D programs and projects department-wide;• does not follow established project management principles and its own project management policies and procedures; and• relies on inaccurate and incomplete information to manage its critical infrastructure R&D projects.These problems occurred because S&T relies on component-based R&D prioritization processes instead of establishing and updating department-wide strategic priorities. Additionally, S&T does not ensure adherence to project management best practices, such as integrating program and project plans, using standard terminology and abbreviations, and tailoring its processes to fit the project needs. Finally, S&T has no formal data validation process to ensure the quality of R&D project management data

What We Looked At    This report presents the results of our quality control review (QCR) of an attestation examination of the Department of Transportation’s (DOT) Enterprise Services Center (ESC) controls. ESC provides financial management services to DOT and other agencies and operates under the direction of DOT’s Chief Financial Officer. The Office of Management and Budget requires ESC, as a service organization, to either provide its user organizations with independent audit reports on the design and effectiveness of its internal controls or allow user auditors to perform tests of its controls.We contracted with KPMG LLP to conduct this examination subject to our oversight. The objectives of the review were to determine whether (1) management’s description of ESC’s systems is fairly presented, (2) ESC’s controls are suitably designed, and (3) ESC’s controls are operating effectively throughout the period of October 1, 2023, through June 30, 2024. We performed a QCR on KPMG’s report and related documentation.What We FoundOur QCR disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.Our RecommendationsKPMG made no recommendations.   

Amtrak notified our office February 16, 2024, of a potential data‐sharing incident. Our investigation found that an employee granted two third‐party email accounts access to an Amtrak OneDrive/SharePoint folder which contained 369 company files related to an Amtrak program. As a result of our investigation into the incident, the company took remedial action to optimize Microsoft tools for data loss prevention, conducted routine auditing and removal of guest accounts, completed additional security enhancements, and provided alerts for risky file sharing.