Federal Reports

Each year agency program officials, chief information officers, and inspectors general must review their agencies’ information security programs and report to the Department of Homeland Security and Congress on the programs’ compliance with the Federal Information Security Modernization Act (FISMA). The OIG contracted with an independent public accounting firm CliftonLarsonAllen LLP (CLA) to evaluate VA’s information security program for FY 2022. After evaluating 47 major applications and general support systems hosted at 23 VA sites and on the VA Enterprise Cloud, CLA concluded that VA continues to face significant challenges meeting FISMA requirements. The audit found continuing significant deficiencies related to access, configuration management, and change management controls, as well as service continuity practices, all of which are designed to protect mission-critical systems from unauthorized access, alteration, or destruction. These deficiencies can be remedied by improving the deployment of security patches, system upgrades, and system configurations to mitigate significant security vulnerabilities; enforcing a consistent process across all field offices and improve performance monitoring to ensure controls operate as intended at all facilities and communicate identified security deficiencies to mitigate significant risks; and addressing security-related issues that contributed to the information technology material weakness reported in the FY 2022 audit of VA’s consolidated financial statements. VA concurred with CLA’s 26 recommendations, some of which addressed repeat deficiencies from previous FISMA reports spanning multiple years. CLA will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions in the FY 2023 audit of VA’s information security program.

We assessed NASA’s progress in developing new technologies and sustainable energy options for aircraft propulsion.

The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to determine whether the U.S. Chemical Safety and Hazard Investigation Board complied with the Payment Integrity Information Act of 2019 in fiscal year 2022.

The Payment Integrity Information Act of 2019 (PIIA) was signed into law in March 2020. PIIA requires agencies to identify and review all programs and activities they administer that may be susceptible to significant improper payments based on guidance provided by the Office of Management and Budget (OMB). Additionally, the OMB Memorandum M-21-19, Transmittal of Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement, requires agencies to report technically improper payments, which are defined as a payment to the right recipient for the right amount where the payment process failed to follow all applicable statutes and regulations.We conducted this audit to determine whether the Department of Energy met OMB criteria for compliance with PIIA.The Department’s fiscal year 2022 improper payment reporting was aligned with OMB criteria. Specifically, the Department published its fiscal year 2022 Agency Financial Report and posted that report, and the accompanying materials, on its website. However, we identified areas where improvements to the payment integrity process are warranted. Specifically, the Department informed us that it underreported its improper payments in the fiscal year 2022 Agency Financial Report by approximately $867,000 because of a data entry error created by a third-party contractor. Additionally, new spending and loan programs introduce an increased risk that the Department may exceed the OMB’s $100 million threshold for being susceptible to improper payments. Because of this influx of funds, we determined that enhancements to the payment integrity process are necessary. Our recommendations focused on: (1) completing planned corrective actions for the consolidation of payment reporting sites’ improper payment information in the Agency Financial Report; (2) updating the Office of the Chief Financial Officer’s annual guidance to sites to include more specific direction on payment reporting sites’ collection of useful and consistent data to identify detailed root causes of reported improper payments and on developing plans to mitigate them in the future; and (3) expanding the Office of the Chief Financial Officer’s use of data analytics, at both the Department-wide level and payment reporting site level, to identify potential root causes for improper payments that could lead to the Department’s improper payment rate exceeding the OMB threshold.Management concurred with our findings and recommendations, and its proposed corrective actions are consistent with our recommendations.