Federal Reports

The objective of our review was to determine the Department’s progress on spending program administration funds authorized by coronavirus response and relief laws, including how those funds have been used to date, and the Department’s plans for using remaining funds.We found that the Department has allocated nearly 100 percent2 of its pandemic assistance program administration funds and that the Department is on track to obligate all of its program administration funds prior to the dates the funds are set to expire. The Department allocated the funds to 11 principal offices and as of February 1, 2022, these principal offices have obligated3 or committed4 approximately $19.4 million (51 percent) of the $38 million in total pandemic assistance program administration funds.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess allegations of adverse clinical outcomes related to three patients’ surgical or invasive procedure(s) at the Columbia VA Health Care System (facility) in South Carolina.The OIG substantiated three patients experienced adverse clinical outcomes related to their surgical or invasive procedure(s). The OIG found quality of care concerns with two of the three patients however, no quality of care concerns were identified for the third patient who experienced complications following a surgical procedure.A medical intensivist incorrectly placed a chest catheter and a thoracic surgeon incorrectly placed a chest tube while attempting to drain a patient’s pleural effusion. The OIG found that clinical care deficiencies made by the intensivist and surgeon led to a series of unplanned events that contributed to the patient’s death. The OIG identified deficiencies in the peer review and quality management processes.A vascular surgeon conducted a wrong site surgery when amputating a patient’s third versus fourth toe. The OIG found that although removal of the patient’s third toe was clinically indicated due to infection, the surgeon failed to acknowledge and discuss the deviation from the informed consent and pre-operative plan with the patient and surgical team. Leaders failed to address the surgeon’s undermining of patient safety protocols and high reliability organization principles. Additionally, the OIG identified deficiencies in practitioners’ and surgical nurses’ compliance with informed consent and time-out protocols.The OIG made one recommendation to the Veterans Integrated Service Network Director regarding a comprehensive review of a patient’s care. The OIG made six recommendations to the Facility Director related to medically-complex patients, peer review practices, timeliness of institutional disclosures and internal reviews, the vascular surgeon’s disregard of patient safety protocols, and informed consent and time-out protocol compliance.

This administrative investigation addressed allegations that VA’s Executive Protection Division (EPD), a component of VA’s Office of Operations, Security, and Preparedness (OSP) that provides protective services to the VA Secretary and Deputy Secretary, was inadequately equipped. The allegations included that EPD personnel (special agents and physical security specialists) had expired or no ballistic body armor (vests), that senior leaders in OSP were aware of this and had denied previous requests to purchase vests, and that special agents’ firearms malfunctioned frequently and needed to be replaced.The OIG found that VA had not procured ballistic vests for some EPD personnel despite a standard operating procedure requiring them to wear body armor most of the time they were working. Further, there were no procedures to assess compliance (such as routine inspections) or establish consequences for nonuse; procure body armor for new personnel; track the condition of armor assigned to personnel; or replace vests that were beyond the manufacturer’s warranty, did not fit, or had other defects.However, the available evidence did not substantiate allegations that senior leaders in OSP had denied vest procurement requests or knew that some personnel needed them. The OIG also could not substantiate based on documentation and interviews that EPD special agents’ firearms malfunctioned frequently and needed replacement.To effectively protect its employees and leaders, VA must provide EPD personnel with the basic safety equipment for performing their jobs. VA concurred with the OIG’s four recommendations for improvements to EPD procedures to address the issuance, maintenance, and replacement of ballistic body armor, as well as enforcing the requirement that EPD personnel wear their vests. It also concurred with the recommendation calling for a review of the condition of all firearms assigned to EPD special agents.

Election Mail is any mailpiece that an authorized election official creates for voters participating in the election process and includes ballots and voter registration materials. The U.S. Postal Service has specific policies and procedures on the proper acceptance, processing, delivery, and recording of Election Mail.Our objective was to evaluate the Postal Service’s readiness for timely processing of Election Mail for the 2022 mid-term election to be held Tuesday, November 8, 2022. To evaluate readiness, during primary elections, we reviewed Election Mail policies, analyzed service performance data, and conducted observations at six Processing and Distribution Centers and 10 delivery units. We also followed up on 14 prior recommendations to determine if the Postal Service’s corrective actions were effective.

The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Harlingen VA Health Care Center in Texas was meeting federal security guidance. The OIG selected the Harlingen center because it had not been previously visited as part of the OIG’s annual Federal Information Security Modernization Act audit of VA’s information security program and practices.The OIG team found deficiencies in the center’s component inventory, vulnerability management, and system life-cycle management. Specifically, the center had an inaccurate component inventory; unsupported versions of applications, missing patches, and vulnerable plug-ins; and critical or high-risk vulnerabilities in the network that had gone unidentified. Additionally, the inspection team found the system life cycle did not replace applications before they became unsupported. Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended.The team also found the Harlingen VA Health Care Center was deficient in contingency planning. The center did not adequately plan for restoring local IT operations. Consequently, after a disaster, the center may not be able to readily restore all operations as they existed before.Further, the center had deficiencies in three access controls. Database managers did not adequately maintain log data for local databases, computer rooms and communications closets were not equipped with fire detection devices, and the center’s VA police computer room did not have a visitor access log. These deficiencies could impede the center’s ability to respond to incidents.The OIG made five recommendations to address the deficiencies.

This report presents the results of our audit to determine whether the U.S. Small Business Administration (SBA) maintained effective management control activities and monitoring of the design and implementation of third-party operated SBA systems. SBA needed information technology systems from third-party service providers that could improve the system efficiency and productivity to process high transaction volumes, transmit data between other information systems, and safeguard the integrity and confidentiality of the personally identifiable information processed by the programs.We found the agency’s entity-level control environment was not designed in accordance with federal guidance at the beginning of the COVID-19 assistance programs. The agency allowed the third-party systems to be put into service without conducting the baseline assessments. With no baseline, the agency could not perform effective continuous monitoring. Also, we found that control processes did not identify, communicate, and capture privacy and identity risks on an enterprise-wide basis.We made 10 recommendations to strengthen the agency’s entity-level IT control environment. The areas addressed included cybersecurity risk and privacy controls, system development life cycle, continuous monitoring, and the supply chain risk management processes.SBA management fully agreed with seven recommendations, disagreed with two recommendations, and stated one recommendation was specific to the pandemic and will not likely be repeated. While the agency agreed to implement seven recommendations, management’s planned corrective actions did not fully address identified control issues.

The U.S. Postal Service uses the Time and Attendance Collection System (TACS) as the primary application to collect employee time and attendance data to capture the number of workhours employees spend working various Postal Service operations.This was a follow-up to our Timecard Administration audit issued December 9, 2020. In the prior audit we identified issues with disallowed timecard adjustments, management oversight, time collection devices replacement strategies, and TACS control deficiencies. We recommended management reiterate disallowed time policy; establish a formal oversight process to ensure periodic reviews of supervisors’ documentation supporting disallowed timecard adjustments; resolve system deficiencies that allow supervisors to bypass completing the time disallowance record in TACS; and procure and test new, automated time collection devices.