Federal Reports

We audited Flat Branch Mortgage, Inc., to evaluate its quality control (QC) program for originating and underwriting Single Family FHA-insured loans.  Our audit covered the period October 2020 through September 2022.  We selected Flat Branch for review based on its loan volume and delinquency rate and because its rate of self-reporting loans to HUD when it identified fraud, material misrepresentations, and other material findings that it could not mitigate was below average for more than a 5-year period.

We found that Flat Branch’s QC program for originating and underwriting FHA-insured loans was not sufficient.  Specifically, Flat Branch (1) did not select the proper number of loans for review and maintain complete and accurate data to document its loan selection process; (2) did not complete all loan reviews in a timely manner; (3) did not always complete key review steps and sometimes missed material deficiencies; and (4) did not adequately assess, mitigate, and report loan review findings, which included self-reporting loans to HUD when required.  These issues occurred because Flat Branch had insufficient controls over its QC program, was not always familiar with HUD requirements, and experienced staffing constraints.  As a result, HUD did not have assurance that Flat Branch’s QC program fully achieved its intended purposes, which include, among other things, protecting the FHA insurance fund and lender from unacceptable risk, guarding against fraud, and ensuring timely and appropriate corrective action.

We recommend that HUD require Flat Branch to (1) update its QC plan and related procedures to align with HUD requirements; (2) provide training to staff and management on HUD requirements for lender QC programs; (3) review the loans that it had not selected and take appropriate actions when applicable; (4) obtain credit reports and reverifications of borrower information for QC reviews in which it did not complete these steps and evaluate the risk of findings identified for these loans; and (5) evaluate its QC files for the loans in which it identified material findings to confirm whether it self-reported to HUD all findings of fraud or material misrepresentation, along with any other material findings that it did not acceptably mitigate.

Our investigation determined that a Clerk based in New Brunswick, New Jersey, violated company policies by using her company-issued computer and other company equipment, such as printers and copiers, to conduct personal business by selling items online on company time. We also confirmed that she was selling company property on Poshmark for personal profit. She was terminated on June 20, 2025, and she is not eligible for rehire.

New York based health care providers Muhammad Mirza, a medical doctor, and Punson Figueroa, an acupuncturist, were excluded June 19, 2025, from participating in federal health care programs by the Health and Human Services Office of Inspector General (HHS OIG). The two providers previously pleaded guilty for their participation in an Amtrak-OIG investigated health care fraud conspiracy in which they conspired with dozens of Amtrak employees to use the employees’ health insurance information to file fraudulent claims. In exchange, the two providers paid cash kickbacks to the employees.

Mirza was sentenced on May 10, 2024, to 26 months in prison and ordered to pay restitution of $1.37 million, and Figueroa was sentenced on September 26, 2024, to 34 months in prison and ordered to pay restitution of $9.05 million. Both Mirza and Figueroa were excluded from participating in federal health care programs for 25 and 30 years, respectively.

The U.S. AbilityOne Commission (AbilityOne) Office of Inspector General (OIG) conducted an investigation of employee conduct in response to a complaint received.

Agency program officials, chief information officers, and inspectors general must annually review information security programs and report to the Department of Homeland Security and Congress on agency compliance with the Federal Information Security Modernization Act (FISMA). The OIG contracted with an independent public accounting firm, CliftonLarsonAllen LLP (CLA), to evaluate VA’s information security program for FY 2024. After assessing 49 major applications and general support systems hosted at 23 VA facilities and on the VA Enterprise Cloud, CLA concluded that VA continues to face significant challenges meeting FISMA requirements because of the nature and maturity of its information security program.

The audit found continuing deficiencies related to access controls, configuration management controls, security management controls, and service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. These deficiencies can be remedied by addressing security-related issues that contributed to the information technology material weakness reported in the FY 2024 audit of VA’s consolidated financial statements; improving the deployment of security patches, system upgrades, and system configurations; improving performance monitoring to ensure controls operate as intended; and communicating identified security deficiencies to appropriate personnel.

Of CLA’s 23 recommendations, VA concurred with 12 and did not concur with 11. Some of the 23 recommendations addressed repeat deficiencies from previous FISMA reports spanning multiple years. CLA will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions in the FY 2025 audit of VA’s information security program.