An official website of the United States government
Here's how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
U.S. Postal Service
Review of the Postal Regulatory Commission’s Compliance With the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025
This report presents a review of the U.S. Postal Regulatory Commission’s (PRC) information security program and practices for fiscal year (FY) 2025. The Federal Information Security Modernization Act, amended in 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget.
In September 2025, the OIG issued a special report on the Peace Corps’ Information Technology environment. OIG contracted with technical subject matter experts to conduct three cybersecurity tests from January 2025 to March 2025. The three tests included a simulated phishing campaign, a review of the agency’s internal vulnerability management practices, and penetration tests that targeted critical Peace Corps systems.
While observing the agency’s security processes throughout the assessment, OIG found that the Peace Corps’ monitoring capabilities were able to identify the testing activities and demonstrate its incident response procedures. However, the cybersecurity tests also uncovered multiple vulnerabilities and misconfigurations, ranging from informational issues to critical severity risks that the Peace Corps needs to review and address.
From October 2023 through September 2024, VHA processed almost 114,000 manual journal vouchers, representing about $71.2 billion in healthcare-related accounting transactions. Manual journal vouchers are used to record salary accruals, expenditure transfers, and other adjustments where processing cannot be automated. Although these journal vouchers are intended to support accurate records, they introduce the risk of error and misclassification because they rely on manual input, a vulnerability the OIG has highlighted in the past.
The OIG found that staff at 172 medical centers did not follow VHA financial policy in processing manual journal vouchers. The OIG estimated that 76 percent of manual journal vouchers lacked one or more required elements, such as clear justification, and estimated that at least $27 billion in transactions were processed using manual journal vouchers that lacked the required documentation or approvals. Reasons included limited staff training, ineffective use of a journal voucher generator tool, and inconsistent oversight at the regional level of medical facilities’ financial teams. Some staff reported never receiving formal journal voucher training, and no refresher training or onboarding instruction was required. Moreover, use of the tool was not mandatory, and some staff used outdated versions or used the tool incorrectly. In terms of regional financial managers, their responsibilities were not clearly delineated. Oversight was therefore inconsistent, with limited monitoring of facility compliance. As a result, a large volume of transactions were at elevated risk of misstatement.
The OIG recommended developing a plan to ensure manual journal vouchers are justified, documented, and approved before they are entered into the Financial Management System (VA’s official system of record), and then reviewed after posting. In addition, VHA should require ongoing training, clarify use of journal voucher tools, and define clear oversight responsibilities for regional financial managers. VHA concurred with all four recommendations.
VHA provides outpatient services to veterans at community-based outpatient clinics (CBOCs) nationwide. The VA OIG conducted this review to assess contract oversight of staffing and appointment cancellation performance measures at five Loma Linda Healthcare System CBOCs in California.
The OIG found that VA leaders in the Loma Linda healthcare system did not ensure contractor compliance with performance standards for staffing or for the number of appointments canceled by the clinics during FYs 2022 and 2023. Specifically, Loma Linda officials did not effectively monitor contractor-staffed primary care Patient Aligned Care Teams to ensure contract compliance. The contractor did not meet required staffing levels at any of the five contracted CBOCs for at least 22 of 24 months in FYs 2022 and 2023; two CBOCs were noncompliant 100 percent of the time, and the remaining three were noncompliant more than 90 percent of the time.
The contractor also did not consistently meet the appointment cancellation performance standard regarding appointments canceled by clinics at contracted CBOCs. In FYs 2022 and 2023, all five CBOCs under the contract were noncompliant with appointment cancellation standards at least 79 percent of the time, and two CBOCs were noncompliant 100 percent of the time. Finally, the OIG found that the contracting officer’s attempt to recover government funds associated with using VA personnel to cover shortages at the contracted clinics was insufficient.
Contract noncompliance occurred, in part, because the assistant director did not provide effective oversight of the contracting officer’s representative (COR) or the CBOC nurse coordinator. The OIG also found that the assistant director did not effectively coordinate with the COR and the contracting officer to ensure that the contractor’s contingency plan requirement was sufficiently enforced during staffing shortages. The OIG made nine recommendations for VA to improve oversight of CBOC contracts.
The U.S. Nuclear Regulatory Commission (NRC) does not have an adequate process for managing, tracking, and monitoring staff qualification records. The OIG found that NRC offices use inconsistent information-gathering methods, driven by changes in management’s workforce planning and individual office preferences for using separate information systems. As a result, the NRC may face reduced efficiency in retrieving qualification records and may lack full visibility into staff qualification gaps─factors that could adversely impact the agency’s ability to carry out its mission. Additionally, the OIG found that refresher training is tracked informally, with many staff relying on personal reminders to complete mandatory requirements. This informal approach exists because the NRC lacks a structured, agency-wide system for managing refresher training. The absence of such a system could result in decreased staff productivity, non-compliance with safety and security requirements, and lower employee morale and retention. Refresher training is essential for maintaining up-to-date knowledge, skills, and safety practices, which are critical to ensuring that staff can perform their duties effectively and safely. This report makes three recommendations to improve the NRC’s process for managing, tracking, and monitoring its qualification programs.
Orphaned Wells Program Office and the State of Kansas Have Opportunities To Improve Spending of Infrastructure Investment and Jobs Act Orphaned Wells Funding