Federal Reports

The VA Office of Inspector General (OIG) conducted a healthcare inspection to evaluate allegations regarding the availability of breast images from community providers and the potential impact on patient care at the VA Eastern Colorado Health Care System (facility) in Aurora. Following the departure of the facility’s sole mammographer in February 2024, the facility’s in-house mammography program closed, and all breast imaging was referred to community care.

The OIG substantiated that delayed receipt of images from community care providers, and delayed uploading of images by facility staff once the images were received, did not ensure timely availability of breast images for facility providers to coordinate patient care. The OIG found factors contributing to the delays included community providers not sending breast images with reports, facility staff not following medical request processes, and VA technology limitations.

The OIG found the facility lacked guidance and processes for required women’s health tracking of abnormal mammography results. The OIG also learned facility primary care staff did not fully implement processes to identify patients due for breast cancer screening. Additionally, the OIG identified deficiencies with the credentialing and privileging of a mammographer.

The OIG made nine recommendations. The Under Secretary for Health and the Veterans Integrated Service Network and Facility Directors concurred with eight recommendations and concurred in principle with one recommendation. Acceptable action plans were provided, including plans to communicate expectations of community care providers related to breast images; address the request, receipt, and uploading of breast images; take action to modernize image sharing technology; address processes for breast cancer screening and care coordination; and address processes for credentialing and privileging.

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) conducted this self-initiated audit to assess the NCUA’s Enterprise Risk Management Risk Profiles. The objective of our audit was to determine if the NCUA adequately established, maintained, and used risk profiles to address enterprise-level risks.

We are pleased to present our report for the period October 1, 2025, to March 31, 2026.  In this semiannual period, our audit, evaluation, and investigative activities identified more than $41.7 million in questioned costs, recoveries, fees, and savings; and opportunities for Tennessee Valley Authority (TVA) to improve its programs and operations.  In our semiannual report feature, we discuss TVA’s role and challenges in Energizing the Valley’s and America’s Future. 

TVA manages one of the nation’s largest public power systems and faces a variety of strategic, operational, and compliance risks as the energy landscape rapidly evolves.  As TVA continues to build new generation and integrate new nuclear technologies to increase capacity, it must also keep at the forefront the need to maintain high reliability and keep rates as low as feasible.

The TVA OIG provides independent oversight with the vision to help make TVA better.  Through audits, evaluations, and investigations, the OIG identifies vulnerabilities, promotes efficiency, and addresses concerns involving fraud, waste, or misconduct.  By delivering objective analysis and actionable recommendations, the OIG supports TVA leadership in making informed decisions, enhancing transparency, and improving operations for the 10 million people of the Tennessee Valley.

This report summarizes the results of our fiscal year 2025 Federal Information Security Modernization Act (FISMA) evaluation of the U.S. Small Business Administration’s (SBA) information security program.

We found SBA’s overall information security program has defined policies but the agency has not consistently implemented them, falling short of the Office of Management and Budget rating for effective security controls. SBA fell below the baseline for effective controls in 9 of the 10 domains. Domains are metrics used to assess the effectiveness of an agency’s information security program. SBA made progress in 1 of the 10 domains, incident response, which was rated as optimized, exceeding the baseline for effective security controls. SBA regressed in three other domains: information security and continuous monitoring, identity and access management, and risk and asset management.

This fiscal year there are 17 new recommendations to improve SBA’s IT security program. Additionally, the agency continues to make progress on implementing 13 open recommendations from 4 prior evaluations. SBA managers agreed and proposed corrective actions that resolved all recommendations.

The CPSC's lack of necessary internal controls over the segregation of duties has created a potential fraud risk by authorizing the budget officer to hold incompatible roles in the appropriation process.  Additionally, the OIG determined that CPSC Directive 1230.1, meant to ensure compliance with OMB's A-11 Section 150 and Appendix H, is outdated and noncompliant with OMB’s requirements.  Management have indicated that are already taking the corrective action needed to correct these issues.

The CPSC’s lack of adequate controls over its Agency Clearance application has allowed application users inappropriate access to non-public government information without a valid need-to-know.  Since the initiation of this assessment, the CPSC has taken steps to strengthen its internal controls over the Agency Clearance application to restrict access of non-public government information to users with a valid need-to-know.

The VA Office of Inspector General reviewed acute inpatient mental health care at the Clement J. Zablocki VA Medical Center in Milwaukee, Wisconsin. Inspectors evaluated care in five areas. The OIG inspection team provided preliminary observations to leaders and later issued seven recommendations. The mental health leadership structure relied on shared responsibilities across multiple managers, which leaders perceived led to improved workload management and coverage. The Mental Health Executive Council did not include required veteran representation, limiting opportunities for veterans to influence the quality of care. The inpatient unit implemented recovery oriented practices. Veterans had daily interdisciplinary programming and access to natural light, a sunroom, and computer kiosks. Staff engaged consistently with veterans, and leaders supported recovery focused approaches. Inspectors identified gaps in clinical care coordination. Staff did not always document veterans’ legal status at admission or discussions about medication risks and benefits. Discharge instructions sometimes used undefined abbreviations or did not explain the purpose of medications, which could hinder veterans’ ability to safely manage their medications.

Staff completed required suicide risk screenings and safety plans before discharge. However, some staff had not completed mandatory suicide prevention training. Required safety inspections on the inpatient unit were completed and a ligature risk was corrected quickly, but a key team member did not attend inspections consistently. Several staff and volunteers also did not complete required training. The recommendations called for veteran participation on the Mental Health Executive Council, improved documentation practices, clearer discharge instructions, completion of required suicide prevention training, and full participation in environmental safety processes. VA leaders concurred with all recommendations and began corrective actions, including strengthening oversight, updating training requirements, improving documentation workflows, adding veteran input to governance, and monitoring compliance through established committees. These efforts are intended to improve the safety, quality, and recovery orientation of inpatient mental health care.