Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Small Business Administration
Weaknesses Identified During the FY 2020 Federal Information Security Modernization Act Review
OIG is required by the Federal Information Security Management Act to assess SBA’s information security program every year. In FY 2020, SBA had an unprecedented volume of loan and grant applications because of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and other related pandemic legislation. As a result, the agency experienced new information security challenges. We tested a subset of systems in eight areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum. We rated SBA’s overall program of information security as “not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the eight domains. Based on tests of the eight information systems, we determined the results of each domain as follows:
1. Risk Management — Defined
2. Configuration Management — Defined
3. Identity and Access Management — Consistently Implemented
4. Data Protection and Privacy — Consistently Implemented
5. Security Training — Defined
6. Information Security Continuous Monitoring — Defined
7. Incident Response — Managed and Measurable
8. Contingency Planning — Consistently Implemented
We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.
The Office of the Inspector General (OIG) conducted an inspection of GPO’s Suspension and Debarment Program to understand its overall process, associated timelines, and evaluate the effectiveness of the dissemination of debarments inside and outside of GPO.
Financial Audit of USAID Resources Managed by Bahrain Maritime and Mercantile International in South Sudan Under Contract AID-668-C-14-00001, July 1, 2019, to June 30, 2020
Financial Audit of USAID Resources Managed by Center for Clinical Care and Clinical Research in Nigeria Under Award 72062020CA00006, December 19, 2019, to September 30, 2020
The VA Office of Inspector General (OIG) examined whether Veterans Health Administration (VHA) medical facilities managed time and attendance for part-time physicians on adjustable work schedules to ensure salary payments were accurate.
Part-time physicians on adjustable work schedules sign agreements estimating the number of hours they will work. They are paid according to that figure, up to a maximum of 1,820 hours a year, even if they work more or fewer hours. The physicians track the number of hours actually worked in the time and attendance system. At the end of the agreement period, payroll personnel reconcile the physicians’ salary payments against the hours worked, reimbursing for underpayments and billing for overpayments.
Based on a review of 134 such agreements ending in 2019, the OIG found VHA medical facilities did not adequately manage time and attendance to ensure physicians were paid correctly for an estimated 44 percent of agreements. This occurred because key management controls were missing or not working. Officials did not make certain that medical facilities complied with policies and procedures.
Consequently, the OIG estimated VHA medical facilities had about $8.3 million in questioned costs that year, and an additional $8.3 million in 2020. VHA medical facilities also may have violated the prohibition against voluntary services, and potentially the Antideficiency Act, by not correcting underpayments or by having physicians working above the 1,820-hour cap because their agreements were not properly reconciled.
The OIG made nine recommendations to strengthen management controls, including completing overdue reconciliations, correcting inaccurate payments, and determining whether Antideficiency Act violations occurred.
Recommendations also included ensuring time and attendance records are validated and certified, physicians do not significantly deviate from their agreements or work more than 1,820 hours in a service year, and reconciliations and associated payment corrections are promptly completed.