Federal Reports

The VA Office of Inspector General’s (OIG) information security inspection program assesses whether VA facilities are meeting federal security requirements related to three high-risk control areas: configuration management, security management, and access. For this inspection, the OIG selected the VA Spokane Healthcare System in Washington and found deficiencies in all three areas.

Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation and system baseline configurations.

Security management controls had one deficiency. The OIG identified volunteers and scheduling clerks who were granted unnecessary access to an electronic health record screen that contained unredacted personally identifiable information.

Access controls had four deficiencies. The OIG found that the Mann-Grandstaff VA Medical Center was deficient in inventory management of physical keys, unsecured network equipment, electrical grounding, and fuel storage. As a result, the facility risks unauthorized access, disruption, and destruction of critical information technology resources.

To address deficiencies, the OIG made seven recommendations to VA, all of which VA concurred with.

Our Objective(s)To assess FAA's oversight of United Airlines' maintenance practices. Specifically, we evaluated FAA's actions to address maintenance non-compliances and violations at the air carrier.
Why This AuditUnited Airlines is one of the world's largest commercial air carriers, carrying over 160million passengers annually. Several incidents, including in-flight engine shutdowns and emergency landings, have raised concerns about FAA's oversight of United's maintenance practices. Given these issues, we initiated this audit as part of a continuing series of audits related to FAA's oversight of maintenance and compliance issues in the airline industry.
What We FoundFAA's under-resourced inspections, low Certificate Management Office (CMO)inspector staffing levels, and ineffective workforce planning are insufficient to oversee safety risks.

When the CMO may not be able to conduct inspections onsite due to a lack of resources-such as insufficient staffing numbers or the ability to travel to the inspection site-FAA is conducting inspections virtually and not postponing the inspections in accordance with FAA requirements, which adversely impacts its risk quantification models.
The CMO does not have enough inspectors, which increases workload and staff turnover while reducing FAA's capabilities to inspect United's growing fleet of aircraft.
Continued CMO inspector vacancies have contributed to a loss of institutional knowledge within FAA's United CMO as well as prevented the CMO from completing all its required inspections.

FAA has not addressed all prior safety management system (SMS) oversight recommendations or ensured access to air carrier SMS data.

Five of the recommendations we have made to improve the CMO's oversight of SMS since 2019 remain open.
FAA has not effectively educated inspectors on how to access, obtain, and manage an air carrier's SMS data, which prevents inspectors from adequately assessing an air carrier's SMS and determining root causes of maintenance problems.

RecommendationsWe made 6 recommendations to improve FAA oversight of United's maintenance practices.

During the week of August 11, 2025, we performed a self-initiated audit at the Santa Clarita Processing and Distribution Center (P&DC) and four delivery units serviced by the plant. The delivery units included the Chandler Station, Encino and Sherman Oaks Branches, and Woodland Hills Main Post Office in the Los Angeles, CA, area.

We issued individual reports for the four delivery units and P&DC. We also issued another report summarizing the results of our audits at all four delivery units with specific recommendations for management to address.

The VA Office of Inspector General (OIG) completed a desk review of the single audit reporting package for the United States Veterans Initiative and Subsidiaries (U.S. VETS) for the year that ended June 30, 2024. The OIG performed this desk review consistent with its duties and responsibilities under the Inspector General Act, as amended, 5 U.S.C. § 404, with the objective of determining whether the single audit reporting package complied with the reporting requirements of the Uniform Guidance. 

Based on the OIG team’s review, the rating for the reporting package is “pass with deficiencies"—meaning there are quality deficiencies that should be brought to the attention of the auditor (and auditee, when appropriate) for correction in future audits. The OIG does not express an opinion on the quality of the audit work performed or on the accuracy of the single audit reporting package. 

Namely, the OIG team found that the U.S. VETS’ Schedule of Expenditures of Federal and Non-Federal Awards did not fully comply with reporting requirements, because it did not provide totals by individual federal programs and the associated assistance listing numbers, as required.

The OIG is providing a copy of this memorandum to VA officials, federal agencies with direct expenditures listed on the Schedule of Expenditures of Federal and Non-Federal Awards, and Armanino LLP (the firm that conducted the single audit) to inform them of the results of this desk review.