Review of Alleged Lack of Audit Logs for the Veterans Benefits Management System

In April 2015, the Office of Inspector General (OIG) received an anonymous allegation that the Veterans Benefits Administration (VBA) failed to integrate suitable audit logs into the Veterans Benefits Management System (VBMS). We substantiated the allegation that VBA failed to integrate suitable audit logs that clearly reported all security violations occurring in VBMS. We tested the existence and accuracy of audit logs by having 17 employees at 3 VA Regional Offices (VAROs) attempt to access same station veteran employee compensation claims in VBMS. Although audit logs identified security violations for 15 of the 17 employees, the logs did not show that the security violations occurred within VBMS. Instead, the audit logs indicated that the violations occurred in the Share application used by VARO employees or an unknown system. The other two employees did not appear on the audit logs. We could not determine why the two employees did not appear on the audit logs. This occurred because VBA officials did not develop sufficient system requirements to ensure that audit logs exist and are accessible to Information Security Officers (ISO). As a result, ISOs were unable to effectively detect, report, and respond to security violations occurring within VBMS. Until VBA resolves this issue, its VAROs will be more susceptible to fraudulent compensation claims processing. We recommended the Acting Under Secretary for Benefits develop system requirements for integrating audit logs into VBMS. We also recommended the Assistant Secretary for Information and Technology integrate audit logs into VBMS based on the requirements provided by the Acting Under Secretary for Benefits. Finally, we recommended the Acting Under Secretary for Benefits test the audit logs to ensure the logs capture all potential security violations. The Acting Under Secretary for Benefits and the Assistant Secretary for Information and Technology concurred with our recommendations and provided acceptable corrective action plans. We will monitor their implementation. The Acting Under Secretary also provided technical comments, which we took into consideration.