Federal Reports

VA medical facilities use automated dispensing cabinets to help manage medication inventory and allow clinical staff to dispense medications to patients near the point of care. The OIG conducted this national review to evaluate whether controls at VHA medical facilities ensure accountability over high-risk medications when clinical staff remove them from these cabinets using generic information, such as codes or nonpatient information.

The OIG estimated that in fiscal year 2024, VA medical facilities could not fully account for 46 percent of medications removed with generic information from cabinet A (one of two types of cabinets reviewed, called A and B in the report). Facilities had the most issues tracing propofol to specific patients. Cabinet B transactions could not be projected due to data limitations, but these transactions may also be at risk of not being traceable to a patient. These issues occurred because medical facilities’ standard operating procedures and local policies did not address monitoring of medication removals from cabinets using generic information. Some staff reported using generic information out of convenience or to be more efficient.

The OIG reviewed 40 transactions in which staff removed controlled substances using generic information and found one instance in which a facility could not trace a controlled substance to a specific patient. VHA policy does not prohibit using cabinets to store controlled substances, but it does require facilities to maintain full accountability over them through an electronic record that tracks the medication’s removal from a cabinet to its final dispensation. Removing medications without using a patient’s name increases the risk of drug diversion, so this practice should be closely monitored.

VHA concurred with the OIG’s three recommendations to enhance local guidance on, compliance with, and monitoring of these transactions.
 

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to determine to what extent the EPA National Center for Radiation Field Operations, or NCRFO, has the capability—including appropriate management and internal control, resources, and staff qualifications—to successfully fulfill its roles and responsibilities in preparing for and responding to radiological incidents. 

Summary of Findings

We found that the NCRFO needs to take steps to improve its preparedness to respond to radiological emergencies. While the NCRFO successfully conducted nonemergency responses, such as site assessments, we found that it was not fully prepared for the one emergency response it conducted during the period we reviewed.

This report provides the results of Objective 1, in which we determined whether the State of Michigan used FNS SNAP administrative funds to provide benefits to participants.

This report summarizes the results of Sikich’s independent evaluation and contains ten new recommendations that will assist the agency in improving the effectiveness of its information security and its privacy programs and practices. NCUA management concurred with and has identified corrective actions to address the recommendations.

Our Objective(s)
To perform a quality control review (QCR) of KPMG LLP's examination of the Enterprise Services Center's (ESC) description of its system and the suitability of the design and operating effectiveness of controls for the period October 1, 2024, to June 30, 2025. We reviewed KPMG's report, dated July 31, 2025, and related documentation.

Why This Audit
ESC provides financial management services to the Department of Transportation (DOT) and other agencies and operates under the direction of DOT's Chief Financial Officer. The Office of Management and Budget requires ESC, as a service organization, to either provide its user organizations with independent audit reports on the design and effectiveness of its internal controls or allow user auditors to perform tests of its controls. We contracted with KPMG LLP to conduct this examination subject to our oversight.

What We Found
The independent auditor, KPMG, found that in all material respects:
the description fairly presents ESC's system that was designed and implemented throughout the period October 1, 2024, to June 30, 2025;
the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period October 1,2024, to June 30, 2025; and user entities applied the complementary controls assumed in the design of ESC's controls throughout the period October 1, 2024, to June 30, 2025; and
the controls operated effectively to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period October 1, 2024, to June30, 2025, if complementary user entity controls assumed in the design of ESC's controls operated effectively throughout the period October 1, 2024, to June 30, 2025.

Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.

Recommendations
KPMG made no recommendations.
The underlying report has been marked and/or withheld as Controlled Unclassified Information to protect sensitive information that may be exempt from public disclosure under the Freedom of Information Act, 5 U.S. Code 552.

The OIG conducted a healthcare inspection to assess the quality of care provided to a patient while hospitalized at the Overton Brooks VA Medical Center (facility). The OIG also identified concerns with a quality review completed after facility leaders became aware of staff’s mismanagement of a patient’s distressed behaviors.

The OIG found deficiencies with the clinical management of the patient while hospitalized. Deficiencies included a physician who lacked a complete understanding of the patient’s diagnosis and clinical response to a medication prior to discontinuing the medication. Further, facility staff mismanaged the patient’s distressed behaviors. Specifically, staff did not: (1) implement one-to-one observation according to facility policy, (2) activate a behavioral patient record flag (an established safety tool for distressed behaviors), or (3) use the electronic health record as a communication tool between disciplines, according to Veterans Health Administration (VHA) policy.

The Facility Director chartered a root cause analysis (RCA); however, the RCA team’s application of the RCA process did not align with VHA requirements. The RCA team’s failure to follow VHA-required guidelines for the composition and the execution of RCA steps and the RCA’s timeliness affected the reliability of the RCA team’s assessment and conclusion. This finding was similar to one published in an April 2025 VA OIG report on this facility.

The Facility Director concurred with the five recommendations the OIG made related to a comprehensive review of the patient’s hospitalization, obtainment of outside medical records, adherence to one-to-one observation policy, interim behavioral patient record flag processes, and accurate documentation of behavioral events.

The Federal Information Security Modernization Act of 2014 requires Federal agencies to develop, implement, and manage agency-wide information security programs. Agencies are also required to provide acceptable levels of security for the information and systems that support their operations and assets.

The Federal Information Security Modernization Act of 2014 also mandates that the Office of Inspector General conduct an independent evaluation to determine whether the Department of Energy’s unclassified cybersecurity program adequately protected its data and information systems in accordance with Federal and Department requirements.

Our fiscal year 2024 Federal Information Security Modernization Act of 2014 evaluation determined that the Department, including the National Nuclear Security Administration, had taken actions to address some of the previously identified weaknesses related to its unclassified cybersecurity program. While actions were taken to close 19 of 63 (30 percent) recommendations from our prior year audits and evaluations, 44 prior year recommendations remained open. We also issued 79 new recommendations throughout the fiscal year related to various areas of cybersecurity programs.

The weaknesses identified occurred for a variety of reasons. For instance, findings at some Department sites had occurred due to vulnerability management processes that were not fully effective in identifying, addressing, and/or remediating vulnerabilities. We also found that several sites had not fully developed and/or maintained policies and procedures to help facilitate the design and implementation of security controls.

Without improvements to address the weaknesses identified in our report, the Department may be unable to adequately protect its information systems and data from compromise, loss, or modification.

When fully implemented, the 123 recommendations made during fiscal year 2024 should help to enhance the Department’s unclassified cybersecurity program. The Department should emphasize closing findings in a timely manner, especially those findings repeated from prior years. As cybersecurity remains an ongoing challenge, it is important that the Department take action to implement the latest Federal cybersecurity requirements and enhancements to assist in ensuring adequate protection of the Department’s data and information systems at risk to emerging threats and vulnerabilities.