Federal Reports

This report presents the results of our self-initiated audit of the efficiency of operations at the St. Louis Processing and Distribution Center (P&DC) in St. Louis, MO (Project Number 22-112). We conducted this audit to provide U.S. Postal Service management with timely information on operational risks at this P&DC. We judgmentally selected the St. Louis P&DC based on a review of overtime; penalty overtime; late, extra, and cancelled trips by Postal Vehicle Service (PVS) and Highway Contract Route (HCR) drivers; and overall scanning performance. The St. Louis P&DC is in the Midwest Division, it processes letters and flats, and it services multiple 3-digit ZIP Codes in urban and rural communities (see Table 1).

We reviewed the EEOC’s payment integrity section of its FY 2021 AFR to assess the agency’s compliance with the requirements of PIIA, OMB guidance, and information on PaymentAccuracy.gov. We found that EEOC was not compliant with PIIA for FY 2021. The agency included a payment integrity section in the FY 2021 AFR in accordance with IPERIA. EEOC completed a risk assessment in FY 2020 and was not required to conduct a risk assessment in FY 2021. However, the agency did not conduct its annual OMB payment integrity review and data call resulting in our finding of non-compliance with PIIA.

Results of the Inspector General’s Fiscal Year 2021 Purchase and Travel CardProgram Risk Assessment

This Office of Inspector General (OIG) Comprehensive Healthcare Inspection Program report provides a focused evaluation of the quality of care delivered in the inpatient and outpatient settings of the Martinsburg VA Medical Center. The inspection covered key clinical and administrative processes associated with promoting quality care. It focused on Leadership and Organizational Risks; COVID-19 Pandemic Readiness and Response; Quality, Safety, and Value; Registered Nurse Credentialing; Medication Management: Remdesivir Use in VHA; Mental Health: Emergency Department and Urgent Care Center Suicide Risk Screening and Evaluation; Care Coordination: Inter-facility Transfers; and High-Risk Processes: Management of Disruptive and Violent Behavior.At the time of the OIG’s virtual inspection, the medical center’s executive leadership team had worked together for just over one month. Employee survey data revealed opportunities for the Director; Chief of Staff; and Associate Director, Patient Care Services to reduce staff feelings of moral distress at work. Patient experience survey data indicated that leaders had an opportunity to improve female respondents’ inpatient and specialty care experiences. The OIG’s review of the medical center’s accreditation findings did not identify any substantial organizational risk factors. However, the OIG identified concerns related to sentinel events and institutional disclosures. Executive leaders were generally knowledgeable about selected data used in Strategic Analytics for Improvement and Learning models and should continue to take actions to sustain and improve performance.The OIG issued nine recommendations for improvement in four areas:(1) Leadership and Organizational Risks• Sentinel events and institutional disclosures(2) Quality, Safety, and Value• Systems Resign and Improvement Program• Surgical work group attendance(3) Care Coordination• Patient transfer monitoring and evaluations• Inter-facility transfer forms• Medication list transmission(4) High-Risk Processes• Disruptive behavior committee attendance• Staff training

The Veterans Health Administration (VHA) has three regional procurement offices (RPOs) that acquire supplies and services to support the medical facilities within their regions (Central, East, and West). In FY 2020, the VA Office of Inspector General (OIG) published a report on contract closeout compliance at RPO East. Because of problems identified there, the OIG conducted this review to determine whether RPO Central and RPO West contracting officers adequately performed and documented contract closeout requirements. When contracting officers do not follow the necessary steps to close out contracts, they increase future financial and legal risk to the government and may prevent it from obtaining the maximum benefit of any unused funds. Therefore, to protect veterans and taxpayer dollars, contracting officers must maintain the necessary evidence to demonstrate contractor compliance with contract terms and conditions.The team reviewed a random sample of 55 RPO Central contracts and 40 RPO West contracts, each valued at over $500,000, that were closed between June 1 and December 31, 2020. Based on the team’s review, the OIG found that RPOs Central and West contracting officers did not perform required contract closeout duties. Reasons included unclear policies and systems, as well as ineffective oversight of the closeout process. Contracting officers also informed the team that a heavy workload and the prioritization of awarding contracts affected their ability to comply with contract administration requirements.The OIG recommended the executive directors for RPO Central and RPO West establish consistent quality assurance reviews, balance contracting officer workload, update guidance on the use of simplified acquisition procedures, consider additional strategies to ensure contract closeout compliance, and verify that the contract files for the 81 sampled contracts have complete closeout documentation.

The Tennessee Valley Authority (TVA) operates three nuclear plants capable of generating 7,800 megawatts of electricity. Groundwater contamination can result from routine nuclear plant activities such as wet storage of spent fuel, leaks from liquid waste pipelines and tanks, and leaks of contaminated cooling water. TVA Nuclear Power Group, Standard Programs and Processes 05.15, Fleet Groundwater Protection Program, establishes a long-term groundwater-monitoring program with the purpose of minimizing the potential for inadvertent releases to the environment from plant activities. Due to risks associated with potential groundwater contamination, we performed an evaluation to determine if TVA Nuclear has taken actions to address issues related to groundwater at nuclear plants, identified during fiscal years 2017 through 2021, in internal assessments, external assessments, consultant reports, and condition reports. We determined TVA Nuclear has taken actions, or no further actions were needed, to address the majority of issues and/or recommendations made. However, two recommendations from 2015 have not been addressed and likely affected TVA’s corporate insurance premiums.

This interim report presents the results of our self-initiated audit of mail delivery, customer service, and property conditions at the Marian Oldham Station in St. Louis, MO (Project Number 22-115-4). The Marian Oldham Station is in the Kansas-Missouri District of the Central Area and services ZIP Codes 63106 and 63108,1 which serve about 32,922 people and are considered to be urban. We judgmentally selected the Marian Oldham Station based on the number of customer inquiries per route that the unit received. From December 1, 2021 through February 28, 2022, the unit received 13.03 inquiries per route, which was more than the average of 7.02 inquiries per route for all sites serviced by the St. Louis Processing and Distribution Center (P&DC).

This interim report presents the results of our self-initiated audit of mail delivery, customer service, and property conditions at the Saint Peters Main Post Office (MPO) in Saint Peters, MO (Project Number 22-115-1). The Saint Peters MPO is in the Kansas-Missouri District of the Central Area and services ZIP Code 63376, which serves about 71,535 people and is considered to be urban. We judgmentally selected the Saint Peters MPO based on the number of customer inquiries per route the unit received. From December 1, 2021 through February 28, 2022, the unit received 12.54 inquiries per route, which was more than the average of 7.02 inquiries per route for all sites serviced by the St. Louis Processing and Distribution Center (P&DC).

What OIG Evaluated:

- Identify Fiscal Year risk metrics associated with the cybersecurity control areas included in the scope of our evaluation. 
- Determine maturity levels for the four aforementioned cybersecurity control areas using a defined  maturity model spectrum.
-  Report findings identified during the performance of evaluation procedures over selected cybersecurity controls. 

What OIG Found:

- Lack of Signed IT Contingency Plans 
- Lack of Complete and Accurate Inventory of Hardware Assets 
- Lack of Formal Policies and Procedures for Software Asset Management 
- Lack of Periodic Review/Update over the Library’s Organization-Tier Policies 
- Lack of Annual System Security y Plan Compliance Reviews 
- Inconsistent System-Level Ongoing Control Assessments 
- Inconsistent Completing and Reviewing of Security y Assessments Reports 
 

What OIG Recommends:

- Confirm and enforce a quality y control procedure to ensure that IT CPs are signed by the responsible personnel (Information System Business Owner, its ervice Operations Director, and Business Continuity y and Disaster Recovery Official) and uploaded to  the Library’s governance risk and compliance (GRC) platform, as required by Library policies. 2.1 Develop formal procedures for maintaining an up-to-date inventory of hardware assets and removing unauthorized or unmanaged hardware assets in a timely manner.
- Implement tools to a) track and monitor or all authorized hardware assets on the Library network and b) report or prevent unauthorized devices connecting to the network. 
-  Maintain a complete, accurate, and centralized repository of all hardware assets connected to the  Library network.
- Develop and implement formal policies and procedures over their process for maintaining an up to-date software inventory that incorporates security y controls requirements from National Institute of Standards and Technology Special Publication (SP) 800-53, Configuration Management (CM-8), and industry practices from National Institute of Standards and TechnologySP 800-37 and National Institute of Standards and TechnologySP 800-128. 
- Complete the implementation of its Configuration Management Database (CMDB) to track and manage the inventory of software assets.
- Identify Fiscal Year and authorize backup personnel to perform the annual review of the Library Security &A Guidance and Library Information Security y Continuous Monitoring (ISCM) Guidance in the event that the responsible personnel is unavailable.
- Identify Fiscal Year and authorize backup personnel to perform the annual System Security Plan (SSP) compliance review in the event that the responsible personnel is unavailable.
-  Remediate or enter Plan of Action and Milestones (POA&Ms) for control assessment discrepancies associated with relevant information systems so they are in alignment with the  Library’s policies and procedures and notifying the Authorizing Official (AO) of all updates or changes.
- Identify Fiscal  Year adequate resources to perform system control assessments.
- Enhance the Library’s procedures for validating the completion and tracking of ongoing control assessments to ensure they are being performed in accordance with the Library’s policies and procedures.
- Complete Security Assessment Reports (SARs) for the respective systems and notifying the AO of the results.
- Implement a quality control process to validate the completion of SARs in accordance with the Library’s policies and procedures.