Federal Reports

We performed an audit of the costs billed to the Tennessee Valley Authority (TVA) by Johnson Service Group, Inc. (JSG) under Contract No. TVA‑04012020‑125806 for noncraft staff augmentation services.  Our audit objective was to determine if the costs billed to TVA by JSG were in accordance with the contract’s terms.  Our audit scope included about $32.5 million in costs billed to TVA from June 26, 2024, to March 11, 2025. 

In summary, we determined the costs billed by JSG generally complied with the contract except for a net overbilling of $3,288 in travel costs.  We also determined that TVA inadvertently credited an invoice instead of issuing a payment, resulting in an underpayment of $1,700.  In addition, TVA’s hiring managers provided approval for costs to be billed by JSG, which were not in accordance with the contract’s terms. Specifically, TVA could have saved $30,765 if TVA hiring managers had not allowed and/or approved reimbursement for (1) travel instead of temporary living allowances (TLA) for temporary assignments at one location exceeding 90 days, (2) excessive TLA rates, and (3) ineligible or excessive travel costs.

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General received an allegation of whistleblower reprisal under 41 U.S.C. § 4712 from a former employee of an EPA grantee. The complainant alleged that she was terminated in December 2023 in retaliation for making several disclosures regarding potential grant fraud and gross mismanagement of an EPA grant or subgrant.

Summary of Findings

The investigation determined that the complainant made at least five separate protected disclosures to tribal employees, including the COO and CEO. We found that these protected disclosures were contributing factors in the complainant’s termination. We also determined that the tribe cannot demonstrate by clear and convincing evidence that it would have terminated the complainant in the absence of her protected disclosures. As such, we substantiated the complainant’s retaliation allegations.

This management advisory memorandum outlines the OIG’s findings and observations about whether VA and Oracle Health followed electronic health record (EHR) interface testing procedures at the Captain James A. Lovell Federal Health Care Center, where VA had to synchronize its system rollout with the Department of Defense’s (DOD) system rollout before going live on March 9, 2024. The interfaces the OIG considered provided a connection between two devices, applications, or networks or a boundary across systems that communicate.
The OIG confirmed VA and Oracle Health conducted the correct tests and applicable retesting for the 24 interfaces reviewed. Although the correct tests were completed, the OIG team observed inadequate documentation. Sufficient documentation is needed to verify proper implementation, operation, and security requirements critical to future EHR deployments.
For example, the required repository for recording problems identified in testing did not show testing had been done before the healthcare center went live with the Financial Management System interface, which bridges the EHR system and VA’s payment and billing system. Testing was delayed by a cyberattack, and results were recorded in another system.
Further, some procedures did not clearly detail what to do when testing results and notations conflicted: The notation “no run” means no test steps were run, but it was used together with the notation “passed” for four of 24 interfaces. These four EHR interfaces exchange clinical health information involving imaging, patient movement, bed management, and surgical instruments.
Finally, the OIG confirmed a lack of functionality with two interfaces between VA and the DOD. For at least these two, documentation showed testers had not accounted for the joint nature of workflows at the Lovell facility.
This memorandum conveys information to VA so that VA can determine whether additional actions should be taken.

VA provides compensation to veterans for service-connected disabilities. Veterans file claims for this compensation, and in some cases, a disability compensation medical examination is needed for VA staff to decide these claims. Disability compensation examiners must complete training courses before conducting an examination, and the PACT Act resulted in additional training. The OIG conducted this review to determine whether VHA examiners and VBA contract examiners are complying with training requirements, including the recently added PACT Act training, before completing related medical examinations.

The team found that 29 of 100 VHA medical opinions reviewed were provided before PACT Act training was completed. From this number, the team estimated that in calendar year 2023, VHA disability compensation examiners provided about 8,600 nonpresumptive PACT Act medical opinions (29 percent) before completing the PACT Act Key Terms and Medical Opinions course. VHA was notified of the training in January 2023 and established August 1, 2023, as the deadline for completion, in part, to allow time for local union notifications and negotiations and for compensation examiners to complete the training. Most of the instances where opinions were provided before PACT Act training was completed occurred before August 1, 2023, which suggests the issue of VHA examiners providing opinions without necessary training was mostly resolved by the deadline.

The team also found that generally, compared to VHA examiners, more VBA contract examiners had completed PACT Act training before providing medical opinions. Nevertheless, in any instance where examiners provide opinions before taking necessary training, VA risks claims decisions leading to improper payments to veterans. Therefore, the OIG made one recommendation to the under secretary for benefits to ensure an independent assessment and medical opinion is provided for the cases identified by the OIG during this review. VBA concurred with the recommendation.

Anthony Gregory, a former Amtrak conductor based in Los Angeles, California, pleaded guilty on September 3, 2025, in the Superior Court of the State of California for the County of San Diego, to one count Obscene Matter Depicting Persons Under 18 and to one count Disobeying a Court Order. Our investigation found that Gregory advertised for sale and distribution obscene matter depicting a person under the age of 18 years old. Gregory also violated a court order obtained to prevent domestic violence and disturbance of the peace.

Gregory will be sentenced at a future date.

Our Objective(s)
To perform a quality control review (QCR) of Williams Adley & Company-DC LLP's fiscal year 2025 audit of the effectiveness of STB's information security program and practices.

Why This Audit
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. The Act also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget. To meet this requirement, STB requested that we perform its fiscal year 2025 FISMA review. Williams Adley of Washington, DC, completed the audit of STB's information security program and practices under contract with the Office of Inspector General. We performed a QCR of Williams Adley's report and related documentation.

What We Found
The independent auditor, Williams Adley, found that STB's information security program and practices were not effective and made five recommendations to improve STB's information security program.
Develop and implement a formal process for defining, documenting, and maintaining its cybersecurity target profile(s).
Develop and formalize thresholds or target values for key cybersecurity and risk performance metrics.
Develop and implement detailed procedures to support its existing supply chain risk management policy and implementation plan.
Establish policies and standards for data classification, quality, access, lifecycle management, and metadata management.
Identify the baseline knowledge, skills, and abilities required for STB's cybersecurity workforce, conduct an assessment to determine any skill gaps, and customize specialized training to address the identified deficiencies.

Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.

Recommendations
STB concurs with Williams Adley's five recommendations.