Federal Reports

The Office of the Inspector General audited TVA’s information technology (IT) equipment inventory to determine if TVA had controls and processes in place to maintain an accurate and complete inventory of IT equipment. Due to the inventory inaccuracies and control weaknesses, we did not test for inventory completeness. Although we found access controls to IT inventory data were effective, we found TVA’s controls and processes in place to maintain an accurate and complete inventory of IT equipment were ineffective. Specifically, we found IT inventory (1) records were not accurate, (2) lacked reconciliation processes, (3) lacked a deployment and tracking policy, and (4) policies and procedures were not reviewed and updated timely. TVA management agreed with our recommendations.

The objective was to determine the extent to which the Office of Intelligence and Analysis (I&A) has an effective process for collecting, managing, and protecting open source intelligence (OSINT) for operational and intelligence purposes.

In the course of its work, the OIG learned that survey records for VA educational programs submitted remotely during the pandemic lacked sufficient protection for students’ personally identifiable information. This management advisory memorandum conveyed information needed for the Veterans Benefits Administration (VBA) to determine the need for corrective actions.Both VBA and state approving agencies use education compliance survey specialists to conduct in-person surveys meant to ensure VA payments to each school and the students enrolled there are based on proper and correct enrollment information, and applicable legal requirements are met. But on March 16, 2020, VBA required surveys to be conducted remotely and documents submitted electronically to the survey specialists as COVID-19 precautions. About 4,570 surveys were conducted through March 16, 2022. The OIG estimates almost 37,800 students had their records requested in the process.The OIG reviewed documents for 30 of those compliance surveys and found 26 contained personally identifiable information of 323 students, including full names, dates of birth, social security numbers, and addresses.VBA’s guidance for remote compliance surveys says under circumstances including a travel ban schools should submit requested documents by mail or email (with no mention of encryption). The memorandum issued to suspend in-person compliance surveys did not provide any indication of how documentation should be collected electronically. VBA and state approving agency staff asked school certifying officials to send the documents electronically, instead of requiring they be sent by mail with a tracking number.The lack of standard procedures and oversight has resulted in personally identifiable information not being consistently safeguarded as required. The OIG did not assess whether any information had been inappropriately disclosed but requested that VBA provide follow-up information. VBA agreed to review, research, and evaluate the OIG findings and take corrective action as needed.