Federal Reports

SEC’s Whistleblower Program: Additional Actions Are Needed To Better Prepare for Future Program Growth, Increase Efficiencies, and Enhance Program Management, Report No. 575

This report presents the results of our evaluation of the U.S. Small Business Administration’s (SBA) handling of cash contributions and gifts. The objective of the evaluation was to determine the adequacy of SBA controls over the solicitation, acceptance, holding, and use of cash contributions and gifts.We found SBA complied with the 2022 Consolidated Appropriations Act and SBA regulations and policies regarding soliciting and accepting cash contributions for National Small Business Week 2022. SBA’s Office of Communications and Public Liaison obtained proper approval from the Office of General Counsel for the 2022 business week cosponsored activity.We determined SBA complied with applicable laws and SBA regulations and policies regarding the acceptance, holding, and use of gift funds. Specifically, the agency accepted a $505,879 unsolicited gift from the cosponsors of business week activities held between 2020 and 2022. Excess funds are the contributed cash or collected fees that are left over after expenses are subtracted from the revenues. This gift represented the cosponsors share of excess cash contributions that remained at the conclusion of the activities. The cosponsors elected to have their share of the excess funds be made a gift to SBA, available for the next National Small Business Week cosponsored event.We made two recommendations to improve controls over 2022 business week closeout reporting and the government purchase card use. SBA management agreed with both recommendations and has fully implemented corrective actions for Recommendation 1.

This report presents the results of our evaluation of the U.S. Small Business Administration’s (SBA) handling of cash contributions and gifts. The objective of the evaluation was to determine the adequacy of SBA controls over the solicitation, acceptance, holding, and use of cash contributions and gifts.We found SBA complied with the 2022 Consolidated Appropriations Act and SBA regulations and policies regarding soliciting and accepting cash contributions for National Small Business Week 2022. SBA’s Office of Communications and Public Liaison obtained proper approval from the Office of General Counsel for the 2022 business week cosponsored activity.We determined SBA complied with applicable laws and SBA regulations and policies regarding the acceptance, holding, and use of gift funds. Specifically, the agency accepted a $505,879 unsolicited gift from the cosponsors of business week activities held between 2020 and 2022. Excess funds are the contributed cash or collected fees that are left over after expenses are subtracted from the revenues. This gift represented the cosponsors share of excess cash contributions that remained at the conclusion of the activities. The cosponsors elected to have their share of the excess funds be made a gift to SBA, available for the next National Small Business Week cosponsored event.We made two recommendations to improve controls over 2022 business week closeout reporting and the government purchase card use. SBA management agreed with both recommendations and has fully implemented corrective actions for Recommendation 1.

What We Looked AtEstablished in 1998 through the Transportation Equity Act for the 21st Century, the Transportation Infrastructure Finance and Innovation Act (TIFIA) program provides long-term, low-interest loans and other types of credit assistance to eligible applicants for surface transportation projects. Accordingly, our audit objective was to assess the effectiveness of the Build America Bureau internal controls to oversee and manage TIFIA credit agreements. What We FoundThe Build America Bureau has not established adequate internal controls to effectively oversee and manage its TIFIA credit assistance program. We found five instances where the Bureau did not notify borrowers timely, and one instance where the Bureau could not provide the notification letter. Additionally, we identified costs that had not been invoiced timely, as well as overpaid and unpaid fees. The Bureau has not provided operating administrations guidance that defines key roles and responsibilities for reviewing and approving TIFIA loan requisition requests. Further, the Bureau provided documentation to support 44 of the 47 disbursements we tested but could not provide documentation for 3 disbursements, totaling approximately $294.1 million. The Bureau maintains TIFIA loan applications and disbursement requests on a shared drive, which serves as its official system of record. We identified eight individuals who retained improper access to TIFIA’s shared drive and five discrepancies between TIFIA’s loan portfolio and the Bureau’s website. Our RecommendationsWe are making 10 recommendations to improve internal controls for overseeing and managing credit agreements associated with the TIFIA program. The Bureau concurred with all our recommendations and provided completion dates. We consider recommendation 7 resolved and closed based on documentation the Bureau provided after our review was completed. We consider the remaining recommendations 1 through 6 and 8 through 10 resolved but open pending completion of the planned actions.

Report undergoing 508 compliance review.

The U.S. Postal Service delivered over 129 billion mailpieces on more than 233,171 routes in fiscal year (FY) 2021. The Postal Service’s goal is for carriers to deliver all mail along their assigned route on the scheduled delivery day. However, there are situations where mail may not be delivered on a route for a particular day due to the unavailability of carriers, severe weather, or other reason. Routes are “undelivered” when all customers on a route do not receive daily deliveries and are “partially delivered” when only some customers do not receive daily deliveries.

In connection with the audit of the U.S. Government Publishing Office fiscal year (FY)2022 financial statements, attached is the non-information technology (IT) management letter issued by the independent public accounting firm of KPMG LLP (KPMG).

The Office of Inspector General (OIG) performed an inspection of the Office of the Chief Financial Officer (OCFO) National Finance Center (NFC) to determine how NFC prevents, detects, and resolves security vulnerabilities and the sophistication an attacker needs to compromise USDA systems or data.

The U.S. Postal Inspection Service is responsible for ensuring the safety and security of postal employees, postal facilities, and the mail. Postal inspectors are federal law enforcement agents authorized to carry out this mission. They use various tools and resources to conduct their work. For example, postal inspectors are assigned accountable property, including vehicles, and may use other tools, such as electronic surveillance equipment, for investigative purposes. They also use an online database to track case activities, such as logging property and evidence. Postal inspectors and postal police officers are required to regularly take training to maintain proficiency when performing their work.

The Federal Election Commission (FEC) Office of the Inspector General (OIG) initiated an investigation into a complaint that alleged improprieties concerning a recent hiring action for a vacant position within the Office of General Counsel (OGC).

The Postal Reorganization Act of 1970 requires annual audits of the U.S. Postal Service’s financial statements. In addition, the Postal Accountability and Enhancement Act of 2006 requires the Postal Service to comply with Section 404 of the Sarbanes-Oxley Act. This section requires the Postal Service to establish and maintain an adequate internal control structure and procedures, and assess the effectiveness.

The Federal Information Security Modernization Act of 2014 (FISMA) requires all Federal agencies to conduct independent penetration tests and vulnerability assessments on a sampling of information systems annually. In conjunction with our fiscal year 2022 FISMA evaluation (2022-OE-0001), we conducted a targeted penetration test and vulnerability assessment of sample systems that resulted in a Topic Brief. The objective of this testing was to determine whether the U.S. Department of Housing and Urban Development (HUD) sample systems and their supporting infrastructure contained security weaknesses. We identified potential vulnerabilities among the tested applications that HUD should review as part of its cybersecurity program and prioritize remediation of risks deemed critical, high, or medium. No formal recommendations were documented in the report. The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

This semiannual report summarizes the OIG's activities and accomplishments for April 1, 2022,through September 30, 2022. The OIG issued one inspection and one information security metricsreview. The Office of Inspector General received 1,256 investigative contacts between April 1,2022, and September 30, 2022.

An Amtrak Electrician based in Groton, Connecticut, violated company policy by misusing his company-owned vehicle by regularly traveling to and stopping atlocations not associated with his work duties during his shifts, including making multiple visits to his residence throughout July 2022. In addition, we determined that the employee violated company policies by attempting to cover the lens of the interior Lytx camera in his vehicle and for not being honest or forthcoming with our agents during his interview. The employee was terminated after his disciplinary hearing on December 13, 2022.

The Office of the Inspector General included an audit of the Tennessee Valley Authority’s (TVA) employee relocation allowances on our annual audit plan due to the potential reputational and financial risks associated with relocations that do not comply with TVA policies and procedures. Our audit objective was to determine if relocation allowances are paid in accordance with TVA Standard Programs and Processes (SPP) 11.208, Employee Relocation Allowances. Our audit scope included 308 completed employee relocations during calendar years 2019 through 2021, totaling approximately $8.4 million. TVA utilizes a third-party vendor, SIRVA Relocation, LLC, (SIRVA) to interface with the employee and administer the relocation in accordance with TVA’s policies. We found employee relocations were generally paid in accordance with TVA SPP 11.208 and the management review control for payment of these transactions was operating effectively. However, we identified an opportunity to improve the relocation process and instances where program guidance could be clarified. Specifically, we found (1) SIRVA’s review of miscellaneous expense allowance claims was not documented consistently, (2) program guidance for some employee relocations could be improved, (3) program guidance for manager and specialist new hires is unclear, and (4) program guidance for temporary living allowances incorrectly references the Federal Travel Regulation.

As part of the Pandemic Response Accountability Committee’s (PRAC)1 effort toprovide policymakers and stakeholders with information about the nature oftelehealth and its use across federal health care programs, the Office ofInspector General (OIG) conducted an evaluation to: (1) examine the use oftelehealth across the Department of Labor’s (DOL) workers’ compensationprograms during the first year of the COVID-19 pandemic, and (2) identifyemerging risks related to the use of telehealth.

Our annual plan identifies the audits, inspections, and other activities that the OIG intends to undertake to assist the U.S. Department of Education in fulfilling its responsibilities to America’s citizens and students.

The Government Performance and Results Modernization Act of 2010 defines major management challenges as programs or management functions that are vulnerable to waste, fraud, abuse, and mismanagement, and where a failure to perform well could seriously affect the ability of the U.S. Department of Education (Department) to achieve its mission or goals.In accordance with the Reports Consolidation Act of 2000, the Office of Inspector General (OIG) reports annually on the most serious management and performance challenges the Department faces. Our reports include a brief assessment of the Department’s progress in addressing the challenges. We also identify further actions that, if properly implemented, could enhance the effectiveness of the Department’s programs and operations.

This Office of Inspector General Comprehensive Healthcare Inspection Program report describes the results of a focused evaluation of the inpatient and outpatient settings of the Lexington VA Health Care System and associated outpatient clinics in Kentucky. This evaluation focused on five key operational areas:• Leadership and organizational risks• Quality, safety, and value• Medical staff privileging• Environment of care• Mental health (emergency department and urgent care center prevention initiatives)The OIG issued 10 recommendations for improvement in four areas:1. Quality, safety, and value• Peer review improvement actions2. Medical staff privileging• Focused and Ongoing Professional Practice Evaluations3. Environment of care• Local naloxone policy• Product expiration dates• Furnishing safety and condition• Suicide risk abatement plans4. Mental health• Suicide risk screening

This report summarizes the results of our fiscal year (FY) 2022 Federal Information Security Modernization Act (FISMA) evaluation and assesses the maturity of controls used to address risks in each of the nine information security areas, called domains.We assessed the effectiveness of information security programs on the required maturity model spectrum, which is a rating scale for information security. We rated SBA’s overall program of information security as “not effective.” We found SBA generally responded to previously identified vulnerabilities. The agency made progress in supply chain risk management and continues to be rated at the effective maturity level for incident response. However, the results of our tests show SBA continues to experience security control challenges in areas of configuration management, risk management, user access, security training, information security continuous monitoring, and contingency planning.Based on tests of seven information systems, we determined the results of each domain as follows:1. Risk management: Defined2. Supply chain risk management: Defined3. Configuration management: Defined4. Identity and access management: Defined5. Data protection and privacy: Consistently implemented6. Security training: Ad hoc7. Information security continuous monitoring: Consistently implemented8. Incident response: Managed and measurable9. Contingency planning: Consistently implementedRatings of defined, ad hoc, and consistently implemented are below the baseline for an effective security program.In addition to two open FISMA recommendations from prior years, we made six recommendations for improvements in six of the nine domains: risk management, supply chain risk management, identity and access management, information system continuous monitoring, security training, and contingency planning.SBA management agreed with all six recommendations and outlined corrective action plans to address identified vulnerabilities.

Management Letter for the FY 2022 audit the financial statements.

EAC OIG issued this advisory to alert EAC’s Interim Executive Director and Acting General Counsel about an identified risk. Specifically, EAC may be inadvertently providing inconsistent guidance to grantees and there is a risk that unallowable activities may be taking place because the terms “voter registration,” “voter education,” and “get-out-the-vote” (GOTV) are not defined in the Help America Vote Act of 2002. Also, EAC has not adopted its own formal definitions.

This memorandum transmits the management letter prepared by Allmond & Company, LLC to address an internal control weakness over financial reporting identified during the audit that did not have a material effect on the financial statements.

Our objective for this report was to assess the extent to which the company has controls to manage, distribute, track, and retrieve high-security keys.We observed that high-security keys are broadly available to the public and can surface in online and brick-and-mortar marketplaces, contributing to security and safety risks. Senior officials told us the company has measures in place to largely mitigate serious risks, but the availability of these keys could still give bad actors an opportunity to disrupt train operations, causing unnecessary delays and costs.We further observed that high-security keys are publicly available in part because the company has not consistently implemented controls over the distribution, tracking, and retrieval of them. Senior officials agreed the company may reduce its risk by better safeguarding its high-security keys going forward.We provided several considerations for the company to address the report’s observations to include assessing the risks associated with keys currently in circulation and implementing controls to mitigate them to the extent practical. In addition, Amtrak may want to consider developing a key management policy that institutes new controls and establishing a centralized mechanism for tracking high-security keys, such as key management software.

The United States Capitol Police (USCP or the Department) Office of Inspector General (OIG) conducted an audit of the Department’s financial statements for the years ended September 30, 2022 and 2021.

In planning and performing our audit of the financial statements of the United States Capitol Police (USCP or the Department) as of and for the year ended September 30, 2022. We considered USCP’s internal control over financial reporting as a basis for designing audit procedures that are appropriate in circumstances for the purpose of expressing our opinion on the financial statements. 

This management advisory memorandum has been issued to raise awareness among Veterans Benefits Administration (VBA) leaders and personnel about VA Office of Inspector General (OIG) concerns with decision-making on specific issues (highlighted in four prior reports) that adversely affect some veterans and beneficiaries. It is meant to strengthen VA’s efforts to advance VA’s I CARE principles codified in 2012 that emphasize veteran-centric experiences and high standards in services and care.The OIG recognizes VBA personnel’s commitment to veterans and their progress on addressing recommendations for improvement but believes more can be done to improve efficiencies while minimizing negative consequences for affected veterans. In looking across four prior reports, the OIG found VBA’s focus on addressing issues such as long wait times, backlogs, and processing errors came at the cost of poor outcomes for some beneficiaries. When the reports were issued, this included thousands of exempt veterans not receiving refunds of home loan funding fees; due process deficiencies in pension-reduction cases; increased risk of disclosure of personal information; and unnecessary disability medical examinations. VBA executive directors interviewed acknowledged they should always promote I CARE values but that sometimes VBA focused narrowly on a specific problem, resulting in adverse outcomes for veterans.This OIG advisory suggests VBA could better institutionalize I CARE values by ensuring these regulatory requirements are fully considered when making program decisions. VBA was asked to provide information on actions taken in response to the memorandum.VBA commented on the memorandum that although VBA concurred, or concurred in principle, with the four prior OIG reports and recommendations, it “strongly oppose[s] the implication that VBA did not always fully consider the effect organizational decisions would have on Veterans, beneficiaries, and their families.” VBA comments are included in full in an appendix to the memorandum.

To see our report, click on the link below

The VA Office of Inspector General (OIG) conducted this review to determine whether community care providers are receiving potential duplicate payments for the same healthcare services from VHA and Medicare and to determine whether VHA paid any of these claims without authorization. In this review, the VA OIG collaborated with the Department of Health and Human Services (HHS) OIG—which is currently conducting its own review of duplicate Medicare payments—to better understand duplicate payments and confirm that they had occurred. The VA OIG determined that VHA and Medicare made potential duplicate claim payments for community care services that were authorized by VHA. Because VHA and the Centers for Medicare and Medicaid Services do not share healthcare claims data, neither agency is aware of claims paid by the other agency. Without an interagency system, the risk of duplicate payments is increased, and it may be difficult to determine which agency should pay the claim and which agency can collect overpayments.The OIG made three recommendations to the under secretary for health, including working with the Centers for Medicare and Medicaid Services to establish a data-sharing agreement with VA to limit duplicate claim payments. The OIG also recommended identifying overpayments made for care provided to dual-eligible veterans that were not authorized by VHA and ensure documentation of care is completed or that VA seeks reimbursement for any unauthorized care. Finally, the OIG recommended making sure all nonemergent community care is preauthorized and that documentation for all authorizations is complete and properly stored before services are provided.

The VA Office of Inspector General (OIG) conducted this review to determine whether the Compensation Service complied with accessibility requirements for communicating benefits- related information to veterans with visual impairments. The OIG found that VBA’s Compensation Service did not fully comply with section 504 of the Rehabilitation Act. The review team determined that visually impaired veterans could be excluded from accommodations by the Compensation Service’s criteria, and even the legally blind veterans who meet the criteria are not accommodated through the entire claims process. Although VBA’s Adjudication Procedures Manual instructs claims processors to contact visually impaired veterans by telephone to discuss the contents of decision notices, 87 of 100 claims reviewed showed no documentation of processors making such calls. Consequently, some veterans may not have been made aware of adverse claims decisions or their rights to challenge such decisions.The OIG concluded that the Compensation Service’s continued failure to coordinate with relevant agencies, along with its failure to comply with VA-wide accessibility implementation requirements, will continue to make it more difficult for veterans with visual impairments to participate fully in the disability compensation program.The OIG made five recommendations to the under secretary for benefits: (1) update the process for developing, approving, and issuing guidance for accommodating visually impaired veterans to include steps for consulting with the Office of General Counsel; Office of Resolution Management, Diversity, and Inclusion; and previously, the Department of Justice Civil Rights Division; (2) update the adjudication procedures to comply with federal regulations and VA policies; (3) develop and implement a quality assurance mechanism to ensure compliance with accessibility requirements; (4) assign accessibility coordinators, publicize their names, and conduct a self-evaluation of policies outlined in VA accessibility requirements; and (5) coordinate a process to ensure visually impaired veterans are informed of the availability of accommodations.

Organizational Renewal: Semiannual Report to Congress for April 1, 2021 - September 30, 2021.

Semiannual Report to Congress, Volume 88 (April 1, 2022 - September 30, 2022)

This report presents selected findings and three lessons developed from prior OIG reports on EPA programs that received funds under the American Recovery and Reinvestment Act. Consideration of these lessons may help the EPA prepare, implement, and oversee programs receiving Infrastructure Investment and Jobs Act appropriations.

The VA Office of Inspector General (OIG) conducted a review to assess the merits of a January 2022 hotline allegation concerning inappropriate edits to community care referrals, known as consults, at the Puget Sound VA Health Care System in Seattle, Washington. The VA MISSION Act of 2018 allows veterans to receive care from non-VA healthcare providers in their area (known as community care) under certain circumstances. Community care schedulers are required to notify veterans of their eligibility, including if veterans are eligible to make such appointments themselves, called self-scheduling.The complainant made three allegations: (1) a leader at the Puget Sound facility inappropriately edited community care consults to reduce backlog; (2) a community care scheduler enrolled patients in self-scheduling without asking them; (3) and facility leaders encouraged staff to inappropriately edit consults to reduce backlog and improve wait times.Though a facility leader made approximately 5,300 edits to about 4,400 community care consults between June and December 2021, the review team did not substantiate that the edits were inappropriate and intended to improperly reduce backlog. Records show a scheduler registered veterans for self-scheduling on 1,158 consults during a two-week period in June 2021, but evidence was insufficient to substantiate whether the scheduler spoke with veterans or sent them letters before converting them to self-scheduling. A requirement to document notification was not in place at the time of the scheduler’s actions, and the team could not interview the scheduler, who left VA employment before an interview could take place. The team reviewed more than 3,800 VA email records and interviewed leaders and staff but found no evidence that facility leaders encouraged staff to inappropriately edit community care consults to reduce backlog and improve wait time metrics.Given the lack of substantiation, the OIG made no recommendations to VA for corrective actions.

The VA Office of Inspector General (OIG) contracted with the independent public accounting firm CliftonLarsonAllen LLP (CLA) to audit VA’s financial statements as of September 30, 2022 and 2021, and for the fiscal years then ended. CLA provided an unmodified opinion on VA’s financial statements for fiscal year (FY) 2022 and FY 2021. CLA did, however, note material weaknesses and significant deficiencies in internal control and instances of noncompliance with laws and regulations.Regarding internal control, CLA identified three material weaknesses. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.CLA also identified two significant deficiencies. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. CLA is responsible for the attached audit report dated November 15, 2022, and the conclusions expressed in the report. The OIG does not express opinions on VA’s financial statements, internal control, or compliance with FFMIA, nor does the OIG express conclusions on VA’s compliance with laws and regulations. The independent auditors will follow up on these internal control and compliance findings and evaluate the adequacy of corrective actions taken during the FY 2023 audit of VA’s financial statements.

ED OIG SAR 85 Final 508

This report highlights and summarizes significant oversight work performed during this period that have strengthened the Denali Commission's programs and operations for the period ending September 30, 2022.

This report is a summary of the Pandemic Response Accountability Committee’s accomplishments between April 1, 2022, and September 30, 2022.

This Office of Inspector General Comprehensive Healthcare Inspection Program report describes the results of a focused evaluation of the inpatient and outpatient settings of the Louisville VA Medical Center and associated outpatient clinics in Indiana and Kentucky. This evaluation focused on five key operational areas:• Leadership and organizational risks• Quality, safety, and value• Medical staff privileging• Environment of care• Mental health (emergency department and urgent care center prevention initiatives)The OIG issued five recommendations for improvement in three areas:1. Quality, safety, and value• Executive Leadership Council processes• Peer review processes2. Medical staff privileging• Focused Professional Practice Evaluations3. Environment of care• Environmental cleanliness

In accordance with the Government Performance and Results Modernization Act of 2010, this report presents the results of ED OIG's work over fiscal year 2022 in meeting its performance goals.

Independent Review of 4003(b) Loan Recipient’s Validation Memo – Timco Engine Center, Inc.

Independent Review of 4003(b) Loan Recipient’s Validation Memo – Timco Engine Center, Inc.

The objective of the evaluation was to assess the compliance of the Commission’s information security policies, procedures and standards and guidelines with the Federal Information Security Modernization Act (FISMA).