Federal Reports

Our audit objective was to determine whether USPTO had an effective governance structure and processes in place to manage its AI tools. To meet our objective, we tested two of the six AI tools USPTO had in use when we began our audit. 

Overall, we found that USPTO has begun developing its AI workforce but should strengthen key organizational and system-level governance practices needed to effectively manage and oversee its AI tools. Specifically, USPTO:

• Has a governance structure that defines roles and responsibilities for key personnel, but should improve internal stakeholder involvement
• Should promote transparency on its AI tools to external stakeholders
• Does not have the specific, measurable objectives needed to define system success 
• Did not trace requirements or technical specifications to system objectives
• Does not have an AI-specific risk management plan

Together, these weaknesses increase the risk that USPTO will develop unreliable, untrustworthy AI systems. 
 

The Office of Inspector General performed an evaluation of an Agricultural Research Service (ARS) facility’s physical condition and security.

The Office of Inspector General is issuing this management advisory to bring to the U.S. Small Business Administration’s (SBA) attention possible security threats from personally owned devices accessing the agency’s information technology network from national and international locations with only a username and password.

We identified in our fiscal years 2023 and 2024 Federal Information Security Modernization Act assessments that SBA did not have multifactor authentication enabled for users to access the agency’s secure network. Relying on usernames and passwords alone greatly increases the risk of SBA data being accessed and exploited by cyber criminals and other bad actors. We also determined personally owned devices could access the SBA network from foreign locations, which is prohibited by SBA information technology policy.

We made five recommendations, and SBA management agreed with all five. All of the recommendations have been closed or resolved.

The Office of the Inspector General performed an audit of TVA’s transmission network cybersecurity.  The audit scope was limited to a specific type of connectivity within TVA’s transmission network.  The audit objective was to determine the level of cybersecurity in place for this type of connectivity.

We determined the connectivity within TVA’s transmission network had a high level of cybersecurity in place commensurate with the level of associated risk.  In addition, our testing of internal controls identified process improvements related to configuration management.  We recommend the Senior Vice President, Grid, update configuration management processes to improve periodic reviews. 

The VA Office of Inspector General (OIG) conducted a healthcare inspection to evaluate allegations related to a patient’s care and the lung cancer screening (LCS) program at the VA Eastern Kansas Healthcare System (system) in Topeka and Leavenworth.

The OIG substantiated that a patient experienced a delay in the diagnosis of and treatment for lung cancer. Neither the patient aligned care team (PACT) provider nor the system pulmonologist took the necessary steps to ensure a bronchoscopy was ordered and completed. The PACT provider ordered, but failed to track, a positron emission tomography (PET) scan completed by a community provider; and failed to communicate the abnormal results to the patient and initiate clinical actions as indicated. System leaders conducted an institutional disclosure to the patient; however, the institutional disclosure documentation did not include required details.

The OIG identified concerns related to the absence of an established process for community care providers to communicate abnormal test results directly to the system’s ordering providers.

Community care staff did not make timely, sufficient efforts to retrieve the patient’s PET scan results. The OIG found a broad system failure of community care staff not making three attempts to retrieve patient records within 90 days of completed appointments, which leaders partially attributed to metrics that prioritized receiving and scheduling community care appointments.

System and program leaders failed to develop the LCS program infrastructure prior to implementation. The LCS program lacked oversight, multidisciplinary engagement, policy, and adequate primary care training and engagement.

The OIG made one recommendation to the Under Secretary for Health related to the communication of patients’ abnormal test results and one recommendation to the Veterans Integrated Service Network Director regarding the system’s LCS program. The OIG made four recommendations to the System Director related to test results, institutional disclosures, and community care records. 

FSA’s launch of the 2024–2025 FAFSA was plagued by multiple system implementation issues that prevented students and families from successfully applying for financial aid within critical timeframes. As a result, FSA developed actions to improve the 2025–2026 FAFSA process and increase transparency and communication. The objective of our review was to describe FSA’s plans to solicit, analyze, and incorporate feedback from students, families, institutions of higher education, and other stakeholders for the completion, submission, and processing of the 2025–2026 FAFSA. We found that although FSA did not have a formal plan with specific details about how it would solicit, analyze, and incorporate the feedback it received regarding the completion, submission, and processing of the 2025–2026 FAFSA, FSA and the Department established multiple channels of communication for receiving feedback. On November 14, 2024, FSA announced that since the start of beta testing on October 1, 2024, more than 14,000 students successfully submitted their 2025–2026 FAFSAs and that the Department had successfully processed their applications, sending over 81,000 records to more than 1,850 schools and 43 States.