OIG Reports

No. 1   to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)

Establish robust oversight of the personnel suitability program within responsible office(s) that includes verifying background investigations are initiated and adjudicated within prescribed timelines and that documentation is filed as required.

No. 2   to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)

Reimplement the monitoring program specifically required by VA Handbook 0710 as part of VA’s oversight efforts, or an appropriate equivalent, to identify and prevent systemic weaknesses in the personnel suitability program.

No. 3   to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)

Assess program resources and allocate staff as needed to prioritize oversight of the personnel suitability program within responsible office(s).

No. 4   to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)

Establish a plan to implement the updated staffing metrics for the Veterans Health Administration’s suitability function and consider using available hiring flexibilities.

No. 5   to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)

[Recommendation Title Missing]

No. 6   to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)

Develop and execute a plan to collect, maintain, and access sufficient and appropriate data through a single system to support the tracking of background investigations from initiation to adjudication.

No. 7   to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)

Establish a plan to ensure that future systems support the functionality needed to effectively oversee and manage the background investigation process, including addressing limitations identified in the current systems and incorporating the fields necessary to track timeliness metrics.

No. 1   to Veterans Benefits Administration (VBA)

Develop and implement procedures to ensure the Veteran Readiness and Employment Service has properly researched and clearly understands changes to the laws and regulations that govern Chapter 31–only schools and training programs.

No. 2   to Veterans Benefits Administration (VBA)

Review the existing manual requirements for waivers and coordinate with appropriate officials to ensure amendments to 38 United States Code § 3104(b) have been properly implemented and included in the manual.

No. 3   to Veterans Benefits Administration (VBA)

Train all appropriate Veteran Readiness and Employment Service regional office staff to ensure waivers are obtained for each veteran with the required documentation in accordance with the manual before approval to attend a Chapter 31–only school or training program.

No. 4   to Veterans Benefits Administration (VBA)

Coordinate with appropriate officials to determine whether the existing manual guidance for compliance surveys meets the requirements of 38 United States Code § 3693 as it applies to Chapter 31–only schools and training programs, and if necessary, update the manual and train appropriate Veteran Readiness and Employment Service regional office staff accordingly.

No. 5   to Veterans Benefits Administration (VBA)

Develop and implement monitoring processes—to include veteran waivers, compliance surveys, and completeness of electronic folders—to provide Veteran Readiness and Employment Service reasonable assurance that Chapter 31–only schools and training programs are used as intended by law and regulations.

No. 1   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits assess the loan comparison statement controls implemented in December 2021 and 2022 to ensure they operate as planned and confirm borrowers receive these statements as required.

No. 2   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits seek a legal opinion from the VA’s Office of General Counsel on the allowability of fees initially charged as itemized fees to be retroactively accepted as part of the 1 percent flat charge if unsupported, and then review the potential overcharges identified in the audit sample to determine if action is needed to make the borrowers whole.

No. 3   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits develop and update policies and procedures to ensure invoices or bills are obtained for all third-party charges and lenders report itemized closing costs at the lowest level of detail.

No. 4   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits develop and update policies and procedures for the state deviation process and requirements, assess the extent of missing VA authorizations on the schedule of state deviations and obtain the necessary documentation, and obtain a legal opinion from the VA’s Office of General Counsel on the allowability of state deviation charges in excess of the state-published amounts, and then review the potential overcharges identified in the audit sample to determine if action is needed to make the borrowers whole.

No. 5   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits revise policies and procedures to comply with federal regulations on the itemization of costs charged under the 1 percent flat charge to ensure closing costs are properly charged.

No. 6   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits obtain a legal opinion from the VA’s Office of General Counsel on the allowability of mortgage brokerage fees charged under the 1 percent flat charge, and then review the potential overcharge identified in the audit sample to determine if action is needed to make the borrower whole.

No. 7   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits provide lenders at least annual communication about the importance of providing justifications for any loans not reported within 60 days.

No. 8   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits modify policies and procedures for full-file loan reviews to include detailed steps for loan specialists to conduct reviews, as well as the risk factors and methodology for loan selection.

No. 9   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits update policies and procedures to ensure the borrower is reimbursed for any overcharges identified during regional loan center quality reviews.

No. 1   to Veterans Health Administration (VHA)

Implement consistent data entry, standardized organizational codes, and periodic reviews for HR Smart community care data.

No. 2   to Veterans Health Administration (VHA)

Develop staffing reports that can be searched by service departments to ensure appropriate resources to meet their assigned missions.

No. 3   to Veterans Health Administration (VHA)

Improve usability of the staffing assessment tool by implementing policy to address the inconsistencies with staffing data entry and review the reported data for accuracy.

No. 4   to Veterans Health Administration (VHA)

Assess whether consolidated community care units would more broadly support veterans’ access to community care and help mitigate the impact of staffing shortages, and, if so, develop a project management plan for implementing those units.

No. 5   to Veterans Health Administration (VHA)

Assess the use of monetary and nonmonetary incentives to evaluate whether they are effective in recruiting and retaining administrative staff within community care departments.

No. 1   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. (This is a repeat recommendation from prior years.)

No. 2   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and Information System Security Officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. (This is a repeat recommendation from prior years.)

No. 3   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones. (This is a repeat recommendation from prior years.)

No. 4   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)

No. 5   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans, risk assessments, and interconnection agreements on an annual basis and ensure the information accurately reflects the current environment. (This is a repeat recommendation from prior years.)

No. 6   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)

No. 7   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)

No. 8   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years.)

No. 9   to Office of Information and Technology (OIT)

We recommended the Office of Personnel Security, Human Resources, and Contract Offices implement improved processes for establishing and maintaining accurate data within VA’s authoritative system of record for background investigations. (This is a modified repeat recommendation from prior years.)

No. 10   to Office of Information and Technology (OIT)

We recommended the Office of Personnel Security, Human Resources, and Contract Offices strengthen processes to ensure appropriate levels of background investigations are completed for applicable VA employees and contractors. (This is a modified repeat recommendation from prior years.)

No. 11   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)

No. 12   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)

No. 13   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately monitored for compliance with established VA security standards. (This is a repeat recommendation from prior years.)

No. 14   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved network access controls that restrict medical devices from systems hosted on the general network. (This is a repeat recommendation from prior years.)

No. 15   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology, under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)

No. 16   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)

No. 17   to Office of Information and Technology (OIT)

We recommended the Acting Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)

No. 18   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology review system boundaries, recovery priorities, system components, and system interdependencies and implement appropriate mechanisms to ensure that established system recovery objectives can be measured and met. (This is a modified repeat recommendation from prior years.)

No. 19   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology ensure that contingency plans for all systems are updated to include critical inventory components and are tested in accordance with VA requirements. (This is a repeat recommendation from prior years.)

No. 20   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely notification, reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)

No. 21   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate an agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)

No. 22   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a repeat recommendation from prior years.)

No. 23   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that all security controls are assessed in accordance with VA policy and that identified issues or weaknesses are adequately documented and tracked within POA&Ms. (This is a repeat recommendation from prior years.)

No. 24   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is a repeat recommendation from prior years.)

No. 25   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a repeat recommendation from prior years.)

No. 26   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data. (This is a repeat recommendation from prior years.)

No. 1   to Office of Management

Assess the iFAMS configuration to determine whether integration with the payroll subsystems can be accomplished to resolve some of the payroll-related issues that require the need for expenditure transfers.

No. 2   to Veterans Health Administration (VHA)

Establish guidance that outlines the type of documentation required to support the amounts identified in the manual journal vouchers when processing expenditure transfers.

No. 3   to Veterans Health Administration (VHA)

Require medical facility staff have documented authority, through proper delegation, to make purchases.

No. 4   to Veterans Health Administration (VHA)

Verify that medical facility staff segregate duties so that the same person is not both authorizing and receiving goods and services.

No. 5   to Veterans Health Administration (VHA)

Make certain the purchase card holder is not the requestor or approver for the purchase.

No. 6   to Veterans Health Administration (VHA)

Ensure contracting officer’s representatives know and understand their duties and responsibilities for the certification and payment of invoices.

No. 7   to Veterans Health Administration (VHA)

Check vendors’ compliance with contract terms to include the comparison of invoiced amounts with the contract line-item unit costs.esponse to the pandemic and develop appropriate action plans to integrate oversight roles, responsibilities, and clear guidance into the use of supplemental funds.

No. 8   to Veterans Health Administration (VHA)

Ensure that medical facility staff track the receipt of goods to make certain they are the correct quantity.

No. 9   to Veterans Health Administration (VHA)

Conduct an assessment of lessons learned from the emergency response to the pandemic and develop appropriate action plans to integrate oversight roles, responsibilities, and clear guidance into the use of supplemental funds.

No. 1   to Veterans Health Administration (VHA)

Ensure medical facilities monitor resilient high-frequency radio network training and staffing levels and maintain enough trained staff to operate the resilient high-frequency radio network.

No. 2   to Veterans Health Administration (VHA)

Ensure that the appropriate stakeholders know the program office responsible for the resilient high-frequency radio network and understand the roles and responsibilities for the Veterans Health Administration’s Resilient High-Frequency Radio Network program.

No. 3   to Veterans Health Administration (VHA)

Finalize the Veterans Health Administration High-Frequency Radio Operations Plan.

No. 4   to Veterans Health Administration (VHA)

If additional resilient high-frequency radio network equipment is purchased, work with the contracting officer to provide guidance to facility representatives to ensure they verify radios are fully functional before acceptance.

No. 5   to Veterans Health Administration (VHA)

Conduct a risk assessment and provide guidance for the placement of resilient high-frequency radio networks within facilities and any needed monitoring schedules.

No. 6   to Veterans Health Administration (VHA)

Ensure sites can obtain repairs for broken or inoperable resilient high-frequency radio network equipment.

No. 1   to Office of Management

Implement controls to mitigate the risk that data are unreliable and inconsistently recorded between eCMS and iFAMS when staff deobligate funds for converted contracts.

No. 2   to Office of Management

Establish and implement a methodology to prioritize user feedback into the risk management process.

No. 3   to Office of Management

Use the risk register to document and assess the risks associated with the manual deobligation process.

No. 4   to Office of Management

Ensure that converted contracts are included in integrated system testing and user acceptance testing.

No. 5   to Office of Management

Implement a process that provides formal acknowledgment on whether requests related to high-priority business intelligence reports have been accepted as requirements.

No. 1   to Office of Acquisitions, Logistics, and Construction (OALC)

Assess compliance weaknesses identified by VA Office of Procurement Policy, Systems and Oversight internal reviews, and implement corrective actions determined appropriate.

No. 2   to Office of Acquisitions, Logistics, and Construction (OALC)

Require contracting officers responsible for Buy American Act compliance deficiencies identified by contract file reviewers and VA Office of Procurement Policy, Systems and Oversight internal reviews to attend refresher Buy American Act–specific training.

No. 3   to Veterans Health Administration (VHA)

Evaluate the contract file review procedures to make certain they require the use of the Definitions of Comment Categories, and presolicitation and preaward checklists, and document that use, to strengthen compliance.