Federal Reports

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Northern Arizona VA Healthcare System because it had not been previously visited as part of the annual FISMA audit.The OIG’s information security inspections focus on three control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, security management, and access controls. During this inspection, the OIG found deficiencies in all three areas.Deficiencies in configuration management included previously unidentified critical vulnerabilities, uninstalled patches, and network operating systems no longer supported by the vendor—all of which could deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems. The OIG identified almost twice as many devices on the network than the inventory listed, which constitutes a security management weakness. Weak access controls included missing video surveillance at a data center, inadequate fire-detection and suppression equipment, insufficient water sensors and climate controls, unmounted or stacked network equipment, and communications rooms without backup power supplies.The OIG made six recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the healthcare system because they are related to enterprise-wide information security issues similar to those identified on previous FISMA audits and information security inspections. The OIG also made five recommendations to the Northern Arizona VA Healthcare System director.

The U.S. International Development Finance Corporation Office of Inspector General (DFC OIG) contracted with RMA Associates, LLC (RMA) to conduct a review of DFC’s compliance with Payment Integrity Information Act of 2019 (PIIA) for fiscal year (FY) ending September 30, 2022. The review was conducted in accordance with 1) the Office of Management and Budget (OMB) Memorandum M-21-19, Transmittal of Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement and 2) OMB Circular A-136, Financial Reporting Requirements, June 3, 2022.

Our objective was to review cash and inventory, daily reporting activities, clock ring adjustments, and employee separations at the Madeira Branch Office. The scope period was October 1, 2022 through March 31, 2023.

Our objective was to review cash and stamp inventory, daily reporting activities, clock ring adjustments, and employee separations at Groesbeck Branch. Our audit scope was October 1, 2022, through March 31, 2023.

Our objective was to review cash and stamp inventory, daily reporting activities, clock ring adjustments, and employee separations at the Cincinnati Main Office. Our audit review scope period was October 1, 2022, through March 31, 2023.

Five Ticket Accounting Clerks based in Massachusetts violated company policies by using their Smart ID badges to fraudulently swipe one another in and/or out of Amtrak’s time and attendance machines. Four employees admitted to the violations during their interviews with our agents, and we found a fifth employee also violated company policies by helping these employees engage in this misconduct. The five employees resigned in lieu of their disciplinary hearings and are ineligible for rehire.