Federal Reports

The VA Office of Inspector General (OIG) contracted with CliftonLarsonAllen LLP to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to conduct annual reviews of their information security programs and report the results to the Department of Homeland Security. CliftonLarsonAllen LLP found that VA continues to face significant challenges complying with FISMA requirements. The report recommends several key areas for VA information security program improvement. Security-related issues contributed to an information technology material weakness reported in the fiscal year (FY) 2018 audit of VA’s Consolidated Financial Statements, which VA needs to address. It also needs to improve deployment of security patches, system upgrades, and system configurations. These improvements will mitigate significant security vulnerabilities and enforce a consistent process across all field offices. To ensure controls are operating as intended at all facilities, VA should also improve performance monitoring. Finally, VA needs to communicate identified security deficiencies to the appropriate personnel so they can take corrective actions that will mitigate these risks. Because CliftonLarsonAllen LLP is responsible for the findings and recommendations included in this report, the OIG is not expressing an opinion on VA’s information security program in place during FY 2018. This report provides 28 recommendations from CliftonLarsonAllen LLP for improving VA’s information security program. The Principal Deputy Assistant Secretary for Information and Technology concurred with 25 of the recommendations. The OIG believes the three remaining recommendations warrant further attention from VA and will follow up on the issues during the FY 2019 FISMA audit. The OIG’s independent auditors will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions during the FY 2019 assessment.

From August 2014 to June 2017, the North Carolina Commission on Volunteerism and Community Service (Commission) and two of its larger subgrantees claimed $16,132,771 in federal and match expenditures under the AmeriCorps State and National program. CNCS-OIG’s Agreed-Upon Procedures review (AUP) of the claimed costs discovered that $2,040,402 ($777,219 in Federal costs and $1,086,090 in match costs, as well as an additional $176,876 in questionable education awards and $217 in accrued interest) were improper or unsupported.We found substantial unexplained disparities between the costs reported to the Federal government and those shown on the Commission’s internal general ledgers; inadequate timekeeping practices at the Commission; failure by subgrantees to perform required end-of-term evaluations for AmeriCorps members; and insufficient criminal history checks by subgrantees that the Commission failed to discover and correct. Overall, the Commission did not provide sufficient program and financial oversight of its subgrantees, as required by grant terms and the Commission’s own monitoring policy. Finally, we found that the Commission charged the AmeriCorps grant for the salary of an employee performing unrelated duties on another grant, after that grant was exhausted.The Commission acknowledged the importance of appropriate administrative policies and procedures and strong oversight of subrecipients. It’s comprehensive response to the draft report documented that changes responsive to our recommendations are already underway. The Corporation for National and Community Service (CNCS) agreed with the majority of the recommendations. CNCS will make its final determination for all findings after the final report is issued.

The agreed-upon procedures (AUP) review of AmeriCorps grant funds to Serve Indiana and two subgrantees, the Boys and Girls Club of Wayne County Indiana (BGCWCI) and the American Red Cross of Indiana (ARCI), identified questioned Federal costs totaling $127,090, questioned matching costs of $82,157, questioned Education Awards of $20,055 and compliance findings. Most of the questioned costs identified were caused by inadequate financial management by BGCWCI and deficiencies with the National Service Criminal History Checks (NSCHC) by ARCI. The costs tested were incurred between October 1, 2014 and December 31, 2017.Serve Indiana concurred with most of the findings but generally disagreed with the recommended amount of related questioned costs. The Corporation also concurred with most of the findings, provided a detailed plan to implement certain corrective actions, and informed CNCS-OIG that it would make an independent determination about recommended questioned costs.