Federal Reports

The VA Office of Inspector General (OIG) conducted this audit to determine if the Beneficiary Fiduciary Field System (BFFS) had the necessary controls to protect data integrity and safeguard protected information. The BFFS is the information technology system for VA’s Fiduciary Program that handles benefit payments for veterans and other beneficiaries who, due to injury, disease, or age, are unable to manage their financial affairs and are thus vulnerable to fraud or abuse. In 2017, fiduciaries received about $3.1 billion in payments on behalf of more than 211,000 beneficiaries. The OIG found the BFFS lacked sufficient controls to ensure privacy of sensitive data and prevent fraud and misuse. Specifically, the OIG found VA’s Office of Information and Technology inappropriately set the security risk level for BFFS at moderate instead of high. Risk managers did not follow established standards and did not consider whether information for beneficiaries and fiduciaries stored in the system’s database was sufficiently protected. The OIG also found more than 1,600 BFFS users had nationwide access to data, including records not needed for their duties. The Veterans Benefits Administration (VBA) does not have a review process for access privileges, and officials did not fully enable audit logs. When combined, this created an unnecessary risk that unauthorized access to sensitive information would go undetected. Finally, the OIG found VBA did not fully separate duties during the field examination report submission process, potentially allowing sensitive information to be changed without approval or documentation. The OIG made four recommendations, including reevaluating the risk determination for the BFFS, improving controls over end-user access levels, fully enabling audit logs to accurately and comprehensively track access to system records, and improving separation of duties issues.

The VA Office of Inspector General (OIG) conducted reviews of each of the three Veterans Health Administration (VHA) Regional Procurement Offices (RPOs) to assess the use of sole-source procedures when awarding service contracts valued at more than $700,000 in fiscal year (FY) 2017. A sole-source contract is awarded without full and open competition. The Federal Acquisition Regulation states, with a few exceptions, that a contracting officer will not negotiate sole-source contracts without a written justification and appropriate approvals. The lack of approval violates the Federal Acquisition Regulation, and without competition the government could pay more and be more susceptible to fraud. The OIG reviewed 18 sole-source contracts awarded by RPO Central valued at about $77 million to determine whether proper justification had been filed and approval obtained. The OIG found that a contracting officer did not obtain the required approval for an ambulance service contract worth about $2.2 million because he did not understand the procedures. The same contracting officer also unnecessarily limited competition on the same contract by failing to plan for the procurement in advance. The new sole-source contract was awarded based on compelling urgency, even though RPO Central officials knew for several years that they would need to open a new competition when the existing contract expired. When contracting officers violate federal regulation by failing to obtain the required approval for sole-source contracts, they exceed their authority and this could result in the termination of their warrant, which is their authority to enter into, administer, or terminate contracts. Because the RPO Central contracting officer exceeded his authority on the ambulance service contract, the $2.2 million cost was not fully justified. The OIG recommended VHA ensure awareness of approval procedures for sole-source contracts and ensure adequate time is allotted for soliciting and awarding recurring services competitively.

Medicaid plays a critical role in providing behavioral healthcare. Nationally, Medicaid is the single largest payor for behavioral healthcare. In addition, Medicaid enrollees experience a higher rate of behavioral health disorders-which includes both mental health disorders and substance use disorders-than the general population. In spite of the importance of treating such disorders, many Medicaid enrollees encounter significant barriers when accessing behavioral health treatment. The need for behavioral health services is particularly pronounced in New Mexico-a State that has among the highest rates for suicide and deaths from overdose in the Nation. The Office of Inspector General received a congressional request to look into concerns about behavioral health provider shortages and the availability of care for Medicaid managed care enrollees; these enrollees account for most of New Mexico's Medicaid population.

What We Looked AtThe U.S. Equal Employment Opportunity Commission (EEOC) requires Federal agencies to establish anti-harassment programs, which are designed to identify and resolve harassment issues before they become severe and pervasive. We initiated this review after a previous audit identified concerns about the Department of Transportation's (DOT) Operating Administrations' (OA) anti-harassment policies and procedures. Our audit objectives were to assess the extent to which the Department and its OAs (1) have anti-harassment policies and procedures that comply with EEOC guidance and (2) collect and use data on harassment complaints.What We FoundThe DOT policy in place during our audit complied with 13 of 18 EEOC requirements but did not clearly explain prohibited conduct, require the EEO program to inform the anti-harassment program about all harassment allegations, provide for periodic training of managers, provide for periodic training of employees, or create firewalls between the decision makers for the anti-harassment and EEO programs. It also did not require OAs to develop implementation procedures, and the Department and four OAs did not have them, as EEOC requires. One reason for the gaps was EEOC's evolving and expanding oversight of anti-harassment programs--which led the Department to develop its U.S. DOT's Policy Framework for the Prevention of Harassment and Unprofessional Conduct (Policy Framework) over several years, including throughout our audit. In response to our findings, the Department closed all the gaps we identified and issued the Policy Framework on June 21, 2019. Also, while the Department was responsible for collecting, monitoring, and analyzing harassment data for 10 OAs, it did not have a system in place that met EEOC requirements. However, the Policy Framework establishes data collection requirements that may enhance the Department's and the OAs' ability to identify, address, and stop harassment before it becomes severe or pervasive.Our RecommendationsThe Department concurred with our recommendation for improving DOT's anti-harassment procedures. We consider recommendation 1 resolved but open pending completion of the Department's planned actions.