Federal Reports

The Office of Inspector General (OIG) is initiating an evaluation of the Commission’s information security program pursuant to the Federal Information Security Modernization Act of 2014 (FISMA). 

The objective of the evaluation is to determine the effectiveness of the Commission’s information security program and practices.  The evaluation will assess information security program controls to support the OIG’s reporting of FISMA metrics into the Department of Homeland Security’s CyberScope application.  The independent public accounting firm Harper, Rains, Knight & Company will conduct the evaluation with the OIG providing oversight as required by the IG Act of 1978, as amended.

This review will be performed in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency. 

The VA Office of Inspector General (OIG) conducted a healthcare inspection in response to an inquiry from Congressman Pete Aguilar and a complaint regarding patient care involving a nurse practitioner (NP) and physician assistant (PA) in the hematology/oncology section at the VA Loma Linda Healthcare System (system) in California. The OIG initiated the inspection in May 2025, conducted a site visit in June, and continued off-site inspection activities through November 2025.

The OIG determined that two of the NP’s patients, and two of the PA’s patients had hematology/oncology clinical care concerns. The Chief of Staff assessed the four patient cases through appropriate reviews; however, the Chief of Staff delayed the initiation of two peer reviews by approximately five months. Credentialing documentation confirmed that the NP and PA were credentialed and met Veterans Health Administration (VHA) requirements to provide hematology/oncology care at the facility. Service leaders supervised the NP and PA by completing focused and ongoing professional practice evaluations and appraisals, but delays occurred in completing the NP’s initial focused professional practice evaluation and a focused professional practice evaluation for additional privileges. Interviews revealed leaders’ lack of awareness of requirements and lack of a tracking system may have contributed to these delays. Ongoing professional practice evaluations were also historically late, though service leaders took corrective actions before the site visit. The OIG found the Chief of Staff had not designated collaborating physicians for the PA, which was corrected after OIG identified the issue.

The System Director concurred with the OIG’s two recommendations and shared plans and actions taken to address timely signing of designation memos for peer reviews and completion of focused professional practice evaluations. The OIG will continue to monitor VHA’s management changes to ensure effective programs for veterans.

As part of our mission to safeguard the U.S. Department of Housing and Urban Development’s (HUD) programs from fraud, waste, and abuse, and to identify opportunities for HUD programs to progress and succeed, we selected Colorado for a review of potential improper payments.  Our audit objective was to determine whether Colorado made improper non-Federal match activity payments.  We also assessed whether the Office of Community Planning and Development’s Office of Disaster Recovery (CPD ODR) had sufficient and adequate controls to prevent improper match payments.

We did not identify duplicate or significant amounts of unsupported non-Federal match payments for Colorado.  However, Colorado received $1.3 million of disaster recovery reimbursements from HUD that it reported as matching costs for FEMA’s Public Assistance program, but the costs were other disaster recovery costs.  This occurred because Colorado did not establish financial or payment controls for non-Federal match costs within HUD’s Disaster Recovery Grants Reporting (DRGR) system.  CPD does not require disaster recovery grantees to separately report non-Federal match costs in its data systems.  As a result, Colorado over-reported the amount of HUD disaster recovery funds it spent on non-Federal match activities.  Colorado’s reporting could increase the risk of improper payments as HUD and its stakeholders cannot use HUD’s data systems and reports to ensure that Colorado properly uses its disaster recovery funds for non-Federal match activities.

We recommend that Colorado incorporate financial and other internal controls to ensure that it allocates, tracks, and reports non-Federal match costs separately from non-match costs.  If Colorado does so, it will enhance the accuracy and transparency of its reporting of $1.3 million of disaster recovery funds.  We also recommend that CPD ODR require disaster recovery grantees to report non-Federal match activities or expenses in its data systems in a manner which will show that grantees are properly using their disaster recovery funds for the non-Federal match portion of FEMA’s Public Assistance program.
 

The Federal Emergency Management Agency (FEMA) cannot ensure non-Federal entities used Emergency Food and Shelter Program Humanitarian Relief (EFSP-H) and Shelter and Services Program (SSP) funding in fiscal years 2023 and 2024 in compliance with applicable laws and regulations.  Without improved oversight, FEMA faces an increased risk of funding unallowable costs and making duplicate payments when administering grants.   Specifically, we found FEMA: • did not review EFSP-H expenditures to ensure funds were used for allowable costs and eligible aliens, resulting in $425 million in questioned costs; • did not consistently review SSP payment requests to verify that costs were allowable, resulting in $16.5 million in questioned costs; and • did not perform verification to prevent duplication of funding between EFSP-H and SSP grants.  These deficiencies occurred because FEMA did not establish and implement necessary internal controls to review EFSP-H and SSP expenditures.  Although DHS terminated the SSP grant awards after we began fieldwork, we completed this audit as our findings may help FEMA avoid fraud, waste, or abuse during program closeout.   Data Access: FEMA denied us direct, read-only access to the FEMA Grants Outcomes back-end database.  After multiple delays, FEMA instead provided raw data for SSP grants and then direct, read-only access to SSP award records through the system’s front-end interface. 

Semiannual Report to Congress (26-1)