Report Summary

Title: Security and Access Controls for the Beneficiary Fiduciary Field System Need Improvement
Report Number: 18-05258-193
Issue Date: 9/12/2019
VA Office: Veterans Benefits Administration (VBA)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Release Type: Unrestricted

The VA Office of Inspector General (OIG) conducted this audit to determine if the Beneficiary Fiduciary Field System (BFFS) had the necessary controls to protect data integrity and safeguard protected information.

The BFFS is the information technology system for VA’s Fiduciary Program that handles benefit payments for veterans and other beneficiaries who, due to injury, disease, or age, are unable to manage their financial affairs and are thus vulnerable to fraud or abuse. In 2017, fiduciaries received about $3.1 billion in payments on behalf of more than 211,000 beneficiaries.

The OIG found the BFFS lacked sufficient controls to ensure privacy of sensitive data and prevent fraud and misuse. Specifically, the OIG found VA’s Office of Information and Technology inappropriately set the security risk level for BFFS at moderate instead of high. Risk managers did not follow established standards and did not consider whether information for beneficiaries and fiduciaries stored in the system’s database was sufficiently protected.

The OIG also found more than 1,600 BFFS users had nationwide access to data, including records not needed for their duties. The Veterans Benefits Administration (VBA) does not have a review process for access privileges, and officials did not fully enable audit logs. When combined, this created an unnecessary risk that unauthorized access to sensitive information would go undetected.

Finally, the OIG found VBA did not fully separate duties during the field examination report submission process, potentially allowing sensitive information to be changed without approval or documentation.

The OIG made four recommendations, including reevaluating the risk determination for the BFFS, improving controls over end-user access levels, fully enabling audit logs to accurately and comprehensively track access to system records, and addressing the separation-of-duties issues.