Federal Reports

To evaluate the Social Security Administration’s (SSA) process for preventing unauthorized access to its online services and ensuring sensitive information is safeguarded.

OIG administers the Medicaid Fraud Control Unit (MFCU or Unit) grant awards, annually recertifies the Units, and oversees the Units' performance in accordance with the requirements of the grant. As part of this oversight, OIG conducts periodic onsite reviews of all Units and prepares public reports based on these reviews. These reviews assess Units' adherence to the 12 MFCU performance standards and Units' compliance with applicable Federal statutes and regulations.

Classification is an important tool that allows the Federal government to protect information that might damage national security; however, over-classification may pose risks to national security, too. Over-classification may prevent Federal agencies from sharing information internally and with other agencies, potentially hindering efforts to identify possible risks to national security. The use of portion markings may reduce over-classification by permitting access to those portions of a classified document that are less sensitive than the overall document classification. The Reducing Over-Classification Act of 2010 requires Federal agencies to decrease over-classification.

To view the report, please click on the link below.

Environmental Permitting and Compliance (EP&C), a business unit falling under TVA's Safety, River Management, and Environment, is responsible for providing oversight, consistency, and standardization in TVA's permitting and compliance activities, interactions with regulators, and alignment of environmental policy with line organization execution. EP&C's long-term vision is to "continue to improve TVA's environmental performance and reputation through integrated project planning and execution, compliance guidance and oversight, and strong regulatory strategy and engagement." The OIG assessed strengths and risks that could affect EP&C's organizational effectiveness. Our review identified strengths within EP&C related to (1) compliance with regulations, (2) providing support to Operations, (3) relationships with regulators, (4) teamwork, (5) safety, and (6) direct management support of employees. However, we also identified internal and external factors that, if left unresolved, could increase the risk that EP&C will not be able to effectively meet its long-term vision and could impact TVA's ability to meet the environmental portion of its mission. These factors are related to (1) organizational alignment and role clarity within TVA's environmental functions, (2) resource availability to cover the current and emerging TVA risk landscape, and (3) employee engagement risks.

Actions taken at the Cumberland plant appear to have addressed areas for improvement identified in our initial organizational effectiveness review. Employees and management reported positive change at the plant, including better communication, an improved safety culture, and a general acknowledgement by employees of management's efforts to improve its relationship with them.

An Audit was conducted to determine whether the Denali Commission's internal control over purchase card transactions is sufficient to ensure federal funds are being appropriately managed.

We did not post this report due to concerns with information protected under the Freedom of Information Act.

The U.S. Department of Housing and Urban Development (HUD), Office of Inspector General, audited the City of Joplin, MO’s Community Development Block Grant Disaster Recovery (CDBG-DR) program because the City was awarded more than $45 million inCDBG-DR funds in April 2012 and received an additional $113 million in May 2013. We previously audited the City’s CDBG-DR program in 2013 and issued audit report 2014-KC-1002. At that time, the City had obligated only $50,000 and had spent only $20,280. Our audit objective for this report was to determine whether the City complied with the requirements of Section 3 of the Housing and Urban Development Act of 1968 in its CDBG-DR program. The City did not always comply with the requirements of Section 3 of the Housing and Urban Development Act of 1968 for its CDBG-DR program. It did not always direct employment and other economic opportunities generated from CDBG-DR funding to low- and very low-income persons and the businesses that employed them. In addition, it did not always incorporate the Section 3 clause into its contracts. As a result, the City may have denied low- and very low-income residents and the businesses that employed them more than $2.2 million in economic benefits.We recommend that the Director of HUD’s Kansas City, KS, Office of Community Planning and Development require the City to develop a checklist or other processes to verify that all contractors implement their Section 3 plans to ensure that the City spends disaster funds in compliance with the requirements to ensure that $2.2 million in CDBG-DR funds are put to better use in the future. We also recommend that the Director of HUD’s Kansas City, KS, Office of Fair Housing and Equal Opportunity provide Section 3 technical assistance to the City and monitor the City’s compliance with Section 3 requirements.

The U.S. Department of Housing and Urban Development (HUD), Office of Inspector General audited Boulder County because it is a significant recipient of the State of Colorado’s more than $320 million Community Development Block Grant Disaster Recovery grant, having received grants of more than $6 million. Our audit objective was to determine whether Boulder approved its grants and procured consultants in accordance with applicable Federal requirements.Boulder County generally approved its grants and procured consultants in accordance with applicable Federal requirements. The CDBG-funded projects reviewed were generally eligible, and consultants were properly procured. This report contains no recommendations.

A Management Advisory Recommending the Strengthening of the FTC Ethics Program by Extending Mandatory Annual Ethics Training to Employees at or Below the GS-13 Grade Level Who Occupy High Risk Positions.

Sleep Health Center (Sleep Health), based in Fort Myers, Florida, billed Medicare claims for polysomnography services that did not always comply with Medicare billing requirements. Of the 100 randomly selected beneficiaries that we reviewed, Sleep Health billed Medicare claims for polysomnography services that met Medicare billing requirements for 36 beneficiaries with 137 corresponding lines of service. However, Sleep Health billed Medicare claims for the remaining 64 beneficiaries with 149 corresponding lines of service that did not meet Medicare requirements, resulting in overpayments totaling $49,000. These errors occurred primarily because Sleep Health did not have adequate controls to ensure that it properly documented polysomnography services billed to Medicare. On the basis of our sample results, we estimated that Sleep Health received overpayments of at least $487,000 for the audit period.

The Centers for Medicare & Medicaid Services (CMS) had policies and procedures to ensure that payments were not made for Medicare services rendered to unlawfully present beneficiaries in accordance with Federal requirements, but it did not always follow those policies and procedures. When CMS's data systems indicated that at the time a claim was processed the beneficiary was unlawfully present, CMS had policies and procedures to prevent payment for Medicare services, and CMS followed those procedures.

To view the report, please click on the link below.

Audit report of NLRB's training and conferences from July 1, 2014 to June 30, 2015.

Our audit found that the Oregon Department of Education (Oregon) Consolidated Collection System, Oregon’s Statewide Longitudinal Data System, had a lack of documented internal controls in the system that increases the risk that Oregon will be unable to prevent or detectunauthorized access and disclosure of personally identifiable information. Specifically, we found that Oregon did not ensure that the Consolidated Collection System met the minimum requirements in Oregon’s Department of Administrative Services State Standards, which require the system controls and documentation of those controls. Since Oregon did not meet the minimum State requirements, it was notin compliance with Statewide Longitudinal Data Systems grant requirements. In addition, Oregon had policies and procedures that address reporting and responding to unauthorized access and disclosure of personally identifiable information in its data system. However, we could not determine whether the procedures were effective because Oregon had not reported any system breaches in the Consolidated CollectionSystem.

Seek link below for the full report, report summary, multimedia or any agency follow-up.

To assess the Social Security Administration’s (SSA) management of the Plan to Achieve Self-Support (PASS) program and its vulnerability to misuse.

The OIG audited the hydroelectric dam network architecture at a TVA facility to identify security zones and perimeters and analyze network devices and the physical infrastructure for compliance with policies, procedures, and best practices. We found TVA has used proven best practices in the design of the physical and wireless corporate networks, as well as the control network. These networks were architected appropriately and the cable plant was installed in a neat and organized manner. However, we found one corporate network switch was physically unsecure and another lacked a remote access list which would reduce the risk of inappropriate access.(Summary Only)

City governments around the country are taking on “smart city” initiatives that use big data technology to gather information and improve life for their residents. It is often difficult for cities to deploy this technology in enough locations to collect actionable data. The Postal Service, because of its vast presence in every city, could attach sensors to its physical infrastructure to quickly gather data from around the city. The OIG identified five pilot projects in which the Postal Service could participate in the short term that would involve little to no financial or operational commitment.

This is our audit report on the National Oceanic and Atmospheric Administration (NOAA) National Marine Fisheries Service (NMFS) Fisheries Finance Program (the Program). The purpose of our audit was to evaluate management’s controls over the Program’s loan approval, monitoring, and debt collection processes.

The Virginia Department of Medical Assistance Services (State agency) did not always use the correct Federal medical assistance percentage (FMAP) when processing claim adjustments reported on Form CMS-64. The State agency used the current FMAP on the date the adjustment was made. In doing so, the State agency repaid to the Federal Government a higher amount than it received for the original claim. Furthermore, when the State agency submitted the revised claim, it received a higher FMAP payment than it should have received. Taking into consideration both of the errors, the net effect resulted in no overpayment or underpayment. The State agency agreed with our finding and concurred with our recommendation.

The Minnesota's Health Insurance Marketplace (MNsure) had implemented security controls, policies, and procedures intended to prevent vulnerabilities in its Web applications (Web site), database, and other supporting information systems. However, it did not always comply with Federal and State information technology requirements when it implemented those security controls, policies, and procedures, which increased MNsure's risk that personally identifiable information (PII) could have been exposed. We conducted tests of MNsure's Web site, database, and supporting information systems and found weaknesses in MNsure systems. Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations. The vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the integrity of the marketplace.

Although the California Department of Health Care Services (State agency) made Medicaid electronic health record (EHR) incentive program payments to eligible hospitals, it did not always make these payments in accordance with Federal requirements. Specifically, from October 1, 2011, through December 31, 2015, the State agency made incorrect Medicaid EHR incentive payments to 61 of the 64 hospitals reviewed, totaling $23.2 million. These incorrect payments included both overpayments and underpayments, resulting in a net overpayment of $22 million. Because the incentive payment is calculated once and then paid out over 4 years, payments made after December 31, 2015, will also be incorrect. The adjustments to these payments total $6.3 million.

Environmental Operations (EO) is responsible for the environmental site and field support for all operations, including inspections, environmental sampling, regulatory reporting, and oversight. The OIG assessed strengths and risks that could affect EO's organizational effectiveness. Our review identified strengths in EO related to (1) organizational alignment, (2) positive work relationships with other organizations, (3) management support of employees, and (4) employee teamwork. However, we also identified issues that, if left unresolved, could increase the risk EO will be unable to effectively meet its responsibilities in the future. Specifically, our interviews of EO personnel and review of operational information disclosed issues related to (1) role clarity and relationship issues with Nuclear, (2) staffing concerns and environmental audit coverage, and (3) concerns with one manager's behavior.

In September 2016, we issued a Management Information Report that informed the Department of our concerns regarding how the FSA ID and the Personal Authentication Service were being misused by commercial third parties to take over borrower accounts. The OIG identified this problem through various investigations and developed recommendations to address the misuse. Our report recommended changes to strengthen the banner language for the FSA ID and Personal Authentication Service to enhance the OIG's ability to successfully investigate and prosecute third parties who improperly create, access, or make changes to FSA IDs and accounts. The report also recommended that FSA increase its proactive monitoring of FSA IDs and Personal Authentication Service audit logs and ensure that it proactively monitors the types of abuses identified.

The Department of Vermont Health Access, part of Vermont's Agency of Human Services (State agency) did not always follow Federal requirements for (1) allocating costs to its establishment grants for implementing a health insurance marketplace and (2) drawing down establishment grant funds.