Federal Reports

What We Looked AtThe Federal Aviation Administration's (FAA) Office of Audit and Evaluation (AAE) investigates alleged lapses in aviation safety and oversight; violations of FAA regulations, orders, standards, or policies; and other whistleblower disclosures. In December 2020, a Senate committee reported that AAE did not necessarily conduct independent, objective, or impartial investigations and evaluations. In January 2021, the Federal Aviation Administrator asked our office to conduct a review of the office's practices. Our objectives were to evaluate whether AAE (1) aligned its practices for investigations of internal whistleblower safety disclosures with applicable investigative standards, benchmarks, or best practices; (2) documented sufficiency reviews of hotline investigations it referred to FAA lines of business (LOB) with best practices; and (3) complied with requirements in the Aircraft Certification, Safety, and Accountability Act of 2020.What We FoundAAE's investigative practices align with applicable quality standards. However, the office lacks comprehensive written standard operating procedures to reinforce its internal controls. In addition, AAE does not have a method to track and document sufficiency reviews of hotline investigations it referred to FAA's LOBs. Specifically, AAE reviewers did not maintain documentation supporting their sufficiency review conclusions. As a result, AAE cannot demonstrate that its review of investigations it referred to LOBs was of quality and consistent. Finally, FAA has only partially met the Aircraft Certification, Safety, and Accountability Act's requirements for AAE's organizational structure. FAA reorganized AAE in February 2022--renaming one sub-office as the Office of Whistleblower Aviation Safety Investigations and adding an Office of Whistleblower Ombudsman. However, until FAA limits the duties of the AAE Director, which are currently broader, to the specific activities listed in the act, AAE will not have fully implemented the law's requirements.Our RecommendationsWe made four recommendations to improve AAE's compliance with applicable standards and statutory requirements for whistleblower investigations and hotline sufficiency reviews. FAA concurred with all four recommendations and provided appropriate actions and completion dates.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess allegations related to the mental health care of a female patient at the VA Greater Los Angeles Healthcare System (facility) in California, which included that a psychiatry physician resident (psychiatry trainee) was inappropriate during treatment discussions with the patient. The psychiatry trainee utilized a modality called Intensive Short-Term Dynamic Psychotherapy in which a therapist seeks to understand a patient’s interpersonal difficulties, intensify and challenge resistance, analyze transference, explore conflict, and work through unconscious issues.The OIG did not substantiate that the psychiatry trainee’s behavior with the patient was inappropriate. Although the psychiatry trainee did not always engage in effective therapeutic intervention, the OIG was unable to determine that the treatment resulted in a decline in the patient’s mental health causing decreased trust and mental functioning.The OIG found the supervisor did not provide adequate supervision to the psychiatry trainee, to include the psychiatry trainee’s documentation and the supervisor’s documented oversight. The inadequate supervision may have impeded the supervisor’s ability to inform the therapy and hinder the opportunity to achieve a more desirable therapeutic outcome. In addition, the OIG substantiated that Mental Health Department leaders were not responsive to the patient’s concerns. During the inspection, the OIG identified an additional concern regarding the improper creation, storage, and disposition of video recordings and consent forms.The OIG made one recommendation to the Under Secretary for Health to assess the possible scope of current and former VA psychiatry residents being in possession of patients’ personal health information; two recommendations to the Veterans Integrated Service Network Director related to supervision, documentation, document control, and treatment protocols; and three recommendations to the Facility Director related to responses to the patient’s concerns, records, and utilization of video recordings.

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced is key to managing a flexible workforce and preparing for future emergencies.HUD experienced challenges with its IT infrastructure while under mandatory telework. We found (1) there were significant delays in processing computer security updates, (2) users encountered months of network performance issues, (3) the user password expiration policy was not enforced, and (4) the help desk system did not capture complete data. These conditions occurred because HUD’s virtual private network (VPN) bandwidth was not sufficient to accommodate the significant increase in users’ simultaneously needing remote access and because there were limitations in the technical environment and weaknesses in the help desk system’s controls. As a result, (1) HUD was vulnerable to cyber-attacks and unauthorized access, (2) HUD’s ability to accomplish its mission could be affected, and (3) HUD did not have assurance that all IT problems reported by users were resolved. Although HUD experienced challenges during mandatory telework, HUD continued its operations; increased network capacity; and plans to make additional network improvements, resume password policy enforcement, and potentially replace its help desk system. HUD needs to fully address the underlying causes of the issues identified so that it can manage its flexible workforce in a way that minimizes risk and prepares it for future emergencies.We recommend that HUD’s Office of the Chief Information Officer research, evaluate, and implement technical or alternative solutions to (1) deploy essential computer software updates using secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations; (2) provide additional improvements to VPN-related remote working capabilities, including performing routine VPN stress tests as part of its contingency planning and testing processes; (3) resolve user account management issues; and (4) assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. These measures include but are not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.

FLRA's Compliance with the Payment Integrity Information Act of 2019 in the Fiscal Year 2022 PAR