Federal Reports

The Office of Inspector General (OIG) is issuing this Evaluation Report to determine whether the U.S. Small Business Administration (SBA) made Paycheck Protection Program (PPP) loans in accordance with program size standards. This is a follow-up to our earlier report which identified 355 PPP loans that likely exceeded the maximum size standard and may have been erroneously approved. Based on updated data analysis, we identified that 79 of those 355 loans still appeared to exceed the maximum size standard. Our objective was to determine whether PPP loans were made in accordance with program size standards.

We reviewed 64 of the 79 loans identified as potentially exceeding size standards and determined SBA did not validate size standard eligibility requirements for 48 of them, totaling approximately $343 million. Of the 48 loans, 29 totaling $196.5 million were forgiven using memoranda unrelated to size standard requirements; and 19 totaling $146 million were forgiven without sufficient documentation to support loan review decisions. This occurred because SBA’s process changes allowed it to forgive loans flagged as potentially ineligible prior to conducting manual reviews to ensure borrowers met eligibility requirements. As a result, SBA did not have reasonable assurance that borrowers met size standard requirements, which increased the risk of improper payments and loss of taxpayer funds. Further, without properly evaluating compliance with size standard requirements for the 48 loans totaling about $343 million, SBA forgave PPP loans to potentially ineligible businesses.

Although SBA implemented controls designed to ensure borrowers met size standard eligibility requirements, the agency overrode these controls and did not always validate eligibility for borrowers flagged as potentially exceeding the size standard. We recommended SBA obtain the documentation necessary to fully assess borrower size standard eligibility for the 48 loans to ensure eligibility requirements were met and, if not, seek repayment of forgiveness amounts granted to ineligible borrowers. SBA management partially agreed with our recommendations.

The Veterans Affairs Office of Inspector General conducted an administrative investigation into alleged ethics violations by Tracy Skala, former deputy director of the Orlando VA Medical Center. Ms. Skala’s son, who had a different last name, was a former VA employee who subsequently worked for a software development company with a mobile wayfinding application that could help veterans navigate VA facilities on their smartphones. Ms. Skala did not disclose their relationship when her son attended an April 6, 2023, meeting of the Veterans Integrated Service Network (VISN) 8 Executive Leadership Board. VISN 8 serves more than 1.4 million veterans. During the presentation and at many other times, Ms. Skala encouraged VISN leaders and a subordinate in her medical facility to approve the application for use, knowing her son could receive bonus pay as a percentage of a new VA contract. A VISN 8 executive who learned of their relationship promptly alerted the OIG.

The investigation found that Ms. Skala violated ethics rules by using her position to promote procurement of software from her son’s employer. Her participation in matters involving her son’s employer was an apparent conflict of interest. The OIG also noted that Ms. Skala, who retired from VA in April 2024, informed VA that she received a critical skills incentive, but VA had not initiated the process to recover any debt owed from her retiring before the requisite term of service. 

Due to Ms. Skala’s retirement, the OIG did not make recommendations regarding her conduct. VA concurred, or concurred in principle, with the OIG’s three recommendations relating to identifying potential conflicts before vendor presentations and improving critical skill incentive recoupment processes. VA provided acceptable action plans to implement the OIG recommendations and VA’s progress will be monitored until sufficient documentation has been received to close them as implemented.

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to determine whether the EPA has established sufficient controls to prevent unauthorized access to the Central Data Exchange system.

Summary of Findings

The EPA needs to strengthen management and access security controls for the Central Data Exchange, or CDX, system. The security of the CDX system is integral to the EPA accepting electronic environmental data for the Agency’s air, water, hazardous waste, and toxics release inventory programs. Without adequate security controls, the CDX is vulnerable to threat actors exploiting weak security controls to potentially gain unauthorized access, create fraudulent accounts, and enter unreliable data into the system.

This report summarizes the results of our fiscal year 2024 Federal Information Security Modernization Act (FISMA) evaluation and assessment of the U.S. Small Business Administration’s (SBA) information security program. Our objectives were to determine whether SBA complied with FISMA and assessed the maturity of controls used to address risks in each of the nine security domains.

We found SBA generally responded to previously identified vulnerabilities and made progress in one of the nine domains, in the area of security training. The agency met the baseline in the area of incident response but fell below the baseline for an effective security program in several areas. We rated SBA’s overall information security program as “not effective.”

This fiscal year there are seven new recommendations for improvement. There are 11 open recommendations from 3 prior evaluations. Repeat recommendations from prior years were not included in this report because they have not yet been implemented. The agency successfully closed four recommendations from fiscal year 2023. SBA managers agreed with six recommendations and partially agreed with one. Their corrective actions resolved all the recommendations.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

The Office of the Inspector General identified several issues with the use and oversight of the U.S. Nuclear Regulatory Commission’s telework program, including missing telework agreements and inaccurate telework records, both of which are required by law for proper program administration.  Additionally, we found inadequate compliance with documentation standards, which could result in inconsistent adherence to policies and inaccuracies in employee records. Finally, we identified discrepancies in some official duty stations and failure to comply with telework agreement terms, potentially resulting in incorrect locality pay.
This report makes seven recommendations to strengthen the telework program’s document management and oversight processes to ensure full compliance with federal laws and regulations.