Ineligible contractors getting $500M a year from VA, OIG says

Federal auditors took a hard look at procurement practices at the Veterans Affairs Department in two new reports, finding that VA is likely to be awarding about $500 million a year to ineligible contractors.

In a July 25 audit, investigators evaluated the veteran-owned small business (VOSB) and the service-disabled veteran-owned small business programs (SDVOSB), which together generated about $3.5 billion in procurements in fiscal 2010, or about 23 percent of total VA procurements.

The inspector general’s office reviewed 42 “statistically-selected” contracts in those two programs with a total value of $46.5 million that had been awarded to businesses alleged to be eligible for those programs. The review found that 32 of the businesses were ineligible to participate in the programs or were ineligible for the specific contracts they were awarded.

Based on that analysis, the inspector general’s office forecasted the total impact of contracts in those programs awarded to businesses that are ineligible for those programs.

“We project that VA awarded ineligible businesses at least 1,400 VOSB and SDVOSB contracts valued at $500 million annually, and that it will award about $2.5 billion in VOSB and SDVOSB contracts to ineligible businesses over the next five years if it does not strengthen oversight and verification procedures,” Belinda Finn, assistant inspector general for audits and evaluations, wrote in the report.

“VA and the Office of Small and Disadvantaged Business Utilization (OSDBU) need to improve contracting officer oversight, document reviews, completion of site visits for 'high-risk' businesses, and the accuracy of VetBiz Vendor Information Pages information,” Finn concluded.

Finn recommended that the VA implement “comprehensive program controls to ensure awards are not made to ineligible businesses and improve adherence to federal and VA regulations.” VA officials agreed with the recommendations.

In a second report, issued on July 27, the inspector general found that certain contractor personnel did not comply with VA information security policies when accessing VA networks and the VA’s electronic health record system known as “VistA” (Veterans Health Information System and Technology Architecture).

The contractor personnel improperly shared user accounts, did not terminate user accounts for former employees on a timely basis, and did not obtain appropriate security clearances or complete security awareness training, the report said. The contractor personnel also possibly exposed VA systems to potential IT security deficiencies that could have infected VA systems, the report said.

“VA has not implemented effective oversight to ensure that contractor practices comply with its information security policies and procedures. Contractor personnel also stated they were not well aware of VA’s information security requirements. As a result of these deficiencies, VA sensitive data is at risk of inappropriate disclosure or misuse,” Finn wrote in the report.

The report made several recommendations to the VA’s Office of Information and Technology to improve security. VA managers agreed with the findings and recommendations.