Federal Reports

This report presents a review of the U.S. Postal Regulatory Commission’s (PRC) information security program and practices for fiscal year (FY) 2025. The Federal Information Security Modernization Act, amended in 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. 

In September 2025, the OIG issued a special report on the Peace Corps’ Information Technology environment. OIG contracted with technical subject matter experts to conduct three cybersecurity tests from January 2025 to March 2025. The three tests included a simulated phishing campaign, a review of the agency’s internal vulnerability management practices, and penetration tests that targeted critical Peace Corps systems.

While observing the agency’s security processes throughout the assessment, OIG found that the Peace Corps’ monitoring capabilities were able to identify the testing activities and demonstrate its incident response procedures. However, the cybersecurity tests also uncovered multiple vulnerabilities and misconfigurations, ranging from informational issues to critical severity risks that the Peace Corps needs to review and address.

From October 2023 through September 2024, VHA processed almost 114,000 manual journal vouchers, representing about $71.2 billion in healthcare-related accounting transactions. Manual journal vouchers are used to record salary accruals, expenditure transfers, and other adjustments where processing cannot be automated. Although these journal vouchers are intended to support accurate records, they introduce the risk of error and misclassification because they rely on manual input, a vulnerability the OIG has highlighted in the past.

The OIG found that staff at 172 medical centers did not follow VHA financial policy in processing manual journal vouchers. The OIG estimated that 76 percent of manual journal vouchers lacked one or more required elements, such as clear justification, and estimated that at least $27 billion in transactions were processed using manual journal vouchers that lacked the required documentation or approvals. Reasons included limited staff training, ineffective use of a journal voucher generator tool, and inconsistent oversight at the regional level of medical facilities’ financial teams. Some staff reported never receiving formal journal voucher training, and no refresher training or onboarding instruction was required. Moreover, use of the tool was not mandatory, and some staff used outdated versions or used the tool incorrectly. In terms of regional financial managers, their responsibilities were not clearly delineated. Oversight was therefore inconsistent, with limited monitoring of facility compliance. As a result, a large volume of transactions were at elevated risk of misstatement.

The OIG recommended developing a plan to ensure manual journal vouchers are justified, documented, and approved before they are entered into the Financial Management System (VA’s official system of record), and then reviewed after posting. In addition, VHA should require ongoing training, clarify use of journal voucher tools, and define clear oversight responsibilities for regional financial managers. VHA concurred with all four recommendations.