Federal Reports

We audited WSFR grants awarded by FWS to the Oregon Department of Fish and Wildlife to ensure compliance and cost allowability.

Investigative Summary 24-0001

The VA Office of Inspector General’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to three control areas the OIG determined to be at highest risk: configuration management controls, security management controls, and access controls. For this inspection, the OIG selected the Battle Creek Healthcare System in Michigan. The OIG found deficiencies in all three areas inspected.

Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation, system baseline configurations, and unauthorized software remediation.

Security management controls had one deficiency. The OIG found biomedical staff relied on incomplete security remediation reports to manage vulnerabilities on medical devices. The inspection team identified 25 vulnerabilities on seven biomedical devices that were not tracked in security remediation reports used by biomedical staff.

Access controls had three deficiencies. The OIG found the Battle Creek facility was deficient in physical access, environmental controls, and network segmentation. As a result, the facility risks unauthorized access, disruption, and destruction of critical information technology resources.

The OIG made three recommendations to the assistant secretary for information and technology and chief information officer to improve vulnerability management processes, implement a more effective baseline configuration process, and improve the remediations reporting process for the Continuous Readiness in Information Security Program. The OIG also made three recommendations to the healthcare system’s director, in conjunction with the assistant secretary for information and technology and chief information officer, to implement improved physical access controls, ensure network segmentation controls are applied as appropriate, and implement improved, consistent environmental controls for network communications closets.

The Office of Inspector General (OIG) is issuing this Evaluation Report to determine whether the U.S. Small Business Administration (SBA) made Paycheck Protection Program (PPP) loans in accordance with program size standards. This is a follow-up to our earlier report which identified 355 PPP loans that likely exceeded the maximum size standard and may have been erroneously approved. Based on updated data analysis, we identified that 79 of those 355 loans still appeared to exceed the maximum size standard. Our objective was to determine whether PPP loans were made in accordance with program size standards.

We reviewed 64 of the 79 loans identified as potentially exceeding size standards and determined SBA did not validate size standard eligibility requirements for 48 of them, totaling approximately $343 million. Of the 48 loans, 29 totaling $196.5 million were forgiven using memoranda unrelated to size standard requirements; and 19 totaling $146 million were forgiven without sufficient documentation to support loan review decisions. This occurred because SBA’s process changes allowed it to forgive loans flagged as potentially ineligible prior to conducting manual reviews to ensure borrowers met eligibility requirements. As a result, SBA did not have reasonable assurance that borrowers met size standard requirements, which increased the risk of improper payments and loss of taxpayer funds. Further, without properly evaluating compliance with size standard requirements for the 48 loans totaling about $343 million, SBA forgave PPP loans to potentially ineligible businesses.

Although SBA implemented controls designed to ensure borrowers met size standard eligibility requirements, the agency overrode these controls and did not always validate eligibility for borrowers flagged as potentially exceeding the size standard. We recommended SBA obtain the documentation necessary to fully assess borrower size standard eligibility for the 48 loans to ensure eligibility requirements were met and, if not, seek repayment of forgiveness amounts granted to ineligible borrowers. SBA management partially agreed with our recommendations.