In statements to Congress this week, the VA Inspector General (IG) blasted the agency’s technology systems saying they put veterans’ financial information at risk.
VA hired the firm CliftonLarsonAllen (CLA) to audit the agency’s financial management processes and software. They audit revealed VA has even more weaknesses than previously hoped that make it… wait for it… wait for it… harder to audit.
That is right.
VA ineptitude at managing its own affairs and creating effective processes for managing money has also made it very difficult to audit the agency to catch errors or even fraud.
No wonder VA needs more and more money while never really fixing anything, right?
RELATED: Colorado VA Bans iPhones
Is it just me, or does the VA system generally seem more broken every time it gets a financial injection. Case in point is are the technology systems American taxpayers keep buying while never working as advertised.
The deputy IG Nicholas Dahl provided testimony on point to Congress on May 24, 2017.
Dahl informed Congress that IT security controls are still bad, which has been a repeat finding since 2000. You know, that is almost as long as VA employees manipulated wait times in VA’s computer system to improve performance numbers.
Here, the problem was due to untimely patching of security vulnerabilities and a general failure to enforce password standards, among other things.
Never, Not Ever, Use “password” As Your Password
You know, those pesky passwords can really be a mother. Hopefully, VA was using a more stringent standard than John Podesta’s password strategy that was hacked resulting in the Wikileaks file called “The Podesta Files. His password was reportedly: “password”.
Even after being warned about the low standard and his need to change it, Podesta left it along. His entire email was then phished and leaked to Wikileaks.
Perhaps Podesta and VA use the same IT companies to secure their systems?
As for VA and its recent audit, one has to wonder where all the billions are going that taxpayers keep allocating to VA.
“Without good information technology security controls, VA’s financial information may not be safe in terms of confidentiality, integrity and availability,” according to Mr. Dahl.
The material weaknesses cited by Dahl are as follows. For your own information, a “material weakness” is:
A material weakness is a deficiency, or a combination of deficiencies, in internal controls such that there is a reasonable possibility that a material misstatement of VA’s financial statements will not be prevented, or detected and corrected, on a timely basis.
VA IT – Now For The Bad News
So, it is a bad thing. Here is part of what Dahl reported. The material weaknesses are (taken straight from the testimony):
- Information technology security controls – This is a repeat finding that our contract auditors have reported since FY 2000. Weaknesses existed in configuration management, such as untimely patching to mitigate security vulnerabilities; access controls, including inconsistent enforcement of password standards; security management; and contingency planning. Without good information technology security controls, VA’s financial information may not be safe in terms of confidentiality, integrity, and availability.
- Community care obligations, reconciliations, and accrued expenses – This is a repeat finding from the FY 2015 audit. CLA identified numerous examples of obligations for Community Care Programs that were overstated compared to actual payments. As a result, VA management performed its own analysis and recorded journal entries of approximately $1.9 billion to reduce overstated Choice Program obligations and $2.6 billion to reduce other overstated Community Care Program obligations in VA’s general ledger on September 30, 2016. The overestimation of obligations also resulted in a large overstatement of accrued expenses, which management also reduced through journal entries. CLA identified several causes of these overstatements, but overall, significant system limitations hindered effective and efficient operations and controls. CLA also reported that methods to estimate the cost of care were inconsistent at medical centers and the Office of Community Care’s procedures for its monitoring activities were not adequate. For most of FY 2016, the Office of Community Care had not performed a nationwide consolidated reconciliation of obligations and disbursements between VA’s Financial Management System (FMS) and the system used to authorize and process individual non-VA care claims.
- Financial reporting – This is a repeat finding from the FY 2015 audit. VA’s financial management and general ledger system is FMS. Since its implementation in 1992, 3 Federal financial reporting requirements have become more complicated and the level of financial information needed by management and oversight bodies has become increasingly complex. Due to FMS’ limited functionality to meet current financial reporting needs, VA utilizes another system to create financial statements for external reporting. However, this process requires significant manual intervention and workarounds to ensure accurate financial reporting. CLA reported that VA recorded a large number of adjustments (called journal vouchers) to its accounts in order to prepare VA’s financial statements. Also, significant abnormal account balances (that is, an account balance that shows a debit balance when it should be a credit balance or vice versa) were not researched and cleared timely. These weaknesses increase the risk of material errors in financial reporting. Although VA has made improvements in areas such as the reduced use of journal vouchers, many issues have existed for years and require extensive efforts to implement solutions to resolve them.
- Education benefits accrued liability – This is a new finding identified during the FY 2016 audit. CLA reported VA did not use the appropriate method to account for veterans’ education benefits. VA manages several education benefit programs with total disbursements of approximately $14.5 billion in FY 2016, with the Post 9/11 G.I. Bill Program being the largest. Prior to FY 2016, management did not view education benefit payments as post-employment benefits. As a result, VA did not report an estimated liability for future benefit payments as required by accounting standards. In FY 2016, VA reported this liability in the amount of approximately $60 billion for the first time on its balance sheet.
- Control environment surrounding the compensation, pension, and burial actuarial estimates – This is a new finding identified during the FY 2016 audit. It resulted from the lack of succession planning for the chief actuary who was responsible for the calculation of VA’s unfunded veterans’ compensation and burial liability amount. This amount was reported on VA’s balance sheet as of September 30, 2016, as approximately $2.5 trillion. The chief actuary left VA in July 2016, and VA did not have a successor actuary with the appropriate qualifications and experience to take full responsibility to manage the actuarial model assumptions and review the related calculations. Management subsequently obtained the services of a credentialed actuary on detail from another department. VA also noted its model’s assumption for the rate of new compensation cases was outdated and adjusted its balance sheet by $277 billion. CLA reported VA needed to review the reasonableness of its key model assumptions, which would include comparing relevant actuarial information from the Department of Defense.
- CFO organizational structure for VA and VHA – This was elevated from a significant deficiency in FY 2015 to a material weakness in FY 2016. CLA reported VA has a decentralized and fragmented organizational structure for financial management and reporting that did not operate in a fully integrated manner. The VA CFO establishes financial policy and produces VA’s consolidated financial statements. Business components, such as the Veterans Health Administration (VHA), the Veterans 4 Benefits Administration (VBA), and the National Cemetery Administration, have their own CFOs, who oversee financial management operations and follow the chain of command within those organizations. VHA’s financial management structure was further fragmented, with three different CFO organizational structures within the Administration. CLA observed instances where procedures the VA CFO depended on were not completed by VA components or communication issues existed.
CLA concluded the decentralization of financial management functions among the VA component entities without organizational reporting and accountability back to the VA CFO decreased the VA CFO’s ability to affect financial management at the component level and across the VA enterprise, and also presented a risk to VA’s planned conversion to a shared service provider in order to modernize its financial systems.
So… on that note, have a Happy Memorial Day Weekend! Thank you to all who have served and to those families that paid the ultimate sacrifice.