VETERANS HEALTH ADMINISTRATION
Additional Actions Needed to Improve Oversight of Health Care System
Report to the Ranking Member, Committee on Veterans’ Affairs, House of Representatives
November 2024
GAO-25-106969
United States Government Accountability Office
View GAO‑25‑106969. For more information, contact Alyssa M. Hundrup at (202) 512-7114 or hundrupa@gao.gov.
Highlights of GAO‑25‑106969, a report to the Ranking Member, Committee on Veterans’ Affairs, House of Representatives
November 2024
veterans health ADMINISTRATION
Additional Actions Needed to Improve Oversight of Health Care System
Why GAO Did This Study
VHA operates one of the nation’s largest health care systems, offering services to over 9 million enrolled veterans. VHA has stated that effective oversight is paramount to its ability to deliver quality health care to veterans. However, our prior work found that VHA has faced challenges overseeing veterans’ health care. GAO added VA health care to its High-Risk List in 2015, due, in part, to these concerns.
GAO was asked to review how VHA manages selected oversight functions within its central office. This report examines how VHA has (1) organized its oversight offices, (2) followed leading practices for risk management, (3) established an Office of Internal Audit to help meet its oversight needs, and (4) guided select oversight functions through its Audit, Risk, and Compliance Committee.
GAO reviewed VHA documentation on its central office oversight functions, such as policies, organizational structure, and meeting minutes; and assessed VHA’s processes against relevant criteria. GAO also interviewed VHA officials from its oversight offices and from four VA medical centers and their regional networks selected for variation in geography, rurality, and type of compliance structure used.
What GAO Recommends
GAO is making four recommendations, including that VHA take steps to fully meet leading practices for managing risk; clearly define the purpose of its internal audit function; and take action to ensure its ability to monitor oversight findings. VA concurred with the recommendations and identified steps VHA will take to implement them.
What GAO Found
The Department of Veterans Affairs (VA) delivers services to veterans in a vast health care system operated by the Veterans Health Administration (VHA). Three VHA oversight offices are responsible for administering select oversight functions, including compliance, risk management, internal audit, and medical investigations. GAO found that VHA has made various organizational changes to its oversight offices since 2015. Most recently it reorganized them in 2024 with the goal of eliminating fragmentation, overlap, and duplication, according to VHA.
VHA’s Office of Integrity and Compliance is responsible for managing risks (threats to achieving VHA’s mission), by implementing an agencywide approach to understanding the combined impact of risks. GAO’s review showed that VHA has partially followed each of GAO’s six leading practices for managing risk. For example, the Office of Integrity and Compliance trained employees on its risk management approach through new courses in fiscal year 2023. However, VHA has not fully met these leading practices, such as by comprehensively identifying risks across its health care system. GAO’s prior work has shown that comprehensive risk identification is critical even if the agency does not control the source of the risk. By taking additional steps to fully meet leading practices, VHA can better respond to risks that could potentially interfere with the timeliness and quality of veterans’ health care.
VHA established the Office of Internal Audit in 2016 to provide objective information to VHA leadership on how well particular aspects of its health care system are working. However, GAO found the office encountered challenges due to its unclear reporting structure and oversight role. VHA did not define a clear purpose for its internal audit function and had not updated its policy directive in light of its 2024 reorganization. By clearly defining its purpose, VHA can better ensure its Office of Internal Audit is used effectively, such as to provide VHA leadership information on trends and emerging issues.
VHA established the Audit, Risk, and Compliance Committee as the governance body that is to guide its oversight and, in turn, make recommendations for system-wide improvements. However, GAO’s review of committee documentation from fiscal year 2021 through 2024 found that the committee did not review relevant oversight findings, such as those from its medical investigations, and did not provide recommendations for potential system-wide improvements. Reviewing additional oversight findings and providing such recommendations, as appropriate, may assist the committee in identifying critical opportunities for system-wide improvement.
Abbreviations
VA Department of Veterans Affairs
VHA Veterans Health Administration
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
November 7, 2024
The Honorable Mark Takano
Ranking Member
Committee on Veterans’ Affairs
House of Representatives
The Department of Veterans Affairs’ (VA) Veterans Health Administration (VHA) operates one of the nation’s largest health care systems. The system comprises 170 VA medical centers, more than 1,000 outpatient facilities, and offers services to over 9 million enrolled veterans. Our prior work, along with that of VA’s Office of Inspector General and others, found that VA has faced longstanding challenges overseeing this vast health care system.[1] For example, we have made over 200 recommendations since 2010 for VA to improve its oversight of the safety, quality, and timeliness of veterans’ health care.[2] As a result of these longstanding issues, we added VA health care to the GAO High-Risk List in 2015, and noted that inadequate oversight and accountability was an area of concern.[3]
VHA has stated that effective oversight is paramount to its ability to deliver quality health care to veterans. Various program offices within VHA’s central office (the Offices of Integrity and Compliance, Internal Audit, and the Medical Inspector) are responsible for oversight, such as evaluations to assist leaders in understanding how well particular aspects of the VHA health care system are working and in identifying opportunities for improvement. These offices are responsible for different oversight functions, including ensuring compliance with policies and standards (compliance), managing risk (risk management), evaluating the effectiveness of VHA operations (internal audit), and investigating concerns about the quality of care provided in VA medical facilities (medical investigations).[4]
In 2016, VHA identified that its historically fragmented approach to oversight was a root cause leading to inadequate oversight and accountability across its health care system. For example, VHA found that it did not have a consolidated agencywide risk management function to help it identify and mitigate risks to its delivery of health care services.[5] It also determined that it needed an internal audit function to provide objective information that VHA leadership can use to help ensure that agency decision-making is accurate, reliable, and timely, and created an Office of Internal Audit in 2016. Furthermore, VHA determined that it needed a governance body comprised of senior leadership to guide its compliance, risk management, and internal audit functions, and it created the Audit, Risk, and Compliance Committee to carry out that responsibility.
You asked us to assess how VHA manages selected oversight functions within its oversight offices at the central office level. In this report, we examine
1. how VHA has organized and staffed its oversight offices;
2. the extent to which VHA has followed leading practices for risk management;
3. VHA’s efforts to establish an Office of Internal Audit to help meet the oversight needs of the organization; and
4. the extent to which VHA’s Audit, Risk, and Compliance Committee guides selected oversight functions.
To examine how VHA has organized and staffed its oversight offices, we reviewed agency documentation on VHA’s organizational structure from 2015 to March 2024. We analyzed staffing information for selected functions within each of its oversight offices, as of July 2024, to determine current staffing levels and vacancies. We also reviewed VHA’s changes to its organizational structure for these oversight offices to identify staffing needs for 2015 through 2023. We assessed VHA’s staffing processes against GAO’s key principles for effective strategic workforce planning.[6] We interviewed VHA officials from each of the oversight offices about their efforts to obtain adequate staffing, including identifying and addressing any challenges.
To examine the extent to which VHA has followed leading practices for risk management, we reviewed the agency’s risk management documentation, such as guidance documents, presentations, and surveys on its risk management practices. We assessed VHA’s risk management approach against GAO’s leading practices for managing risk.[7] We interviewed VHA officials from the Office of Integrity and Compliance (the oversight office responsible for the risk management function) on their processes for managing risk, including the tools they use and how they obtain risk information from other entities in the organization. We also interviewed officials from four VA medical centers, one of which we visited in person, selected to represent variation in geographic region, rurality, and type of compliance structure (e.g., single compliance officer or team of compliance-related positions) used by the facility.[8] We interviewed officials from the VA medical centers and their regional networks about how they identify and report their risks to the Office of Integrity and Compliance.
To examine VHA’s efforts to establish an Office of Internal Audit to help meet the oversight needs of the organization, we reviewed Office of Internal Audit documentation such as its policy directive, management manual, and reports completed since the office was established in 2016. We also reviewed documentation on the Office of Internal Audit’s placement within VHA’s organizational structure for its oversight functions and the auditing processes it followed. We assessed VHA’s internal audit function and organizational placement against relevant auditing standards.[9] We also assessed whether VHA’s establishment of its internal audit function includes steps that are consistent with federal internal control standards—that is, whether VHA implements roles and responsibilities of the function through policies.[10] We interviewed VHA officials from the Office of Internal Audit on its ability to operate the function to meet the organization’s oversight needs. We also interviewed VHA officials from the Office of Integrity and Compliance (the oversight office with administrative responsibilities for internal audit) to obtain their perspectives on the function’s role and organizational placement.
To examine the extent to which VHA’s Audit, Risk, and Compliance Committee guides selected oversight functions, we reviewed agency documentation on the committee’s 2021 charter and meeting minutes from fiscal year 2021 through 2024. We also reviewed documentation on findings from VHA’s oversight functions as of 2024, including implementation of recommendations and how VHA uses findings to inform system-wide improvements. We assessed whether VHA’s Audit, Risk, and Compliance Committee includes steps that are consistent with federal internal control standards—that is, whether VHA evaluates the results of its monitoring activities.[11] We also assessed the committee’s processes for coordinating its review of the findings from its oversight functions against Office of Management and Budget requirements.[12] We interviewed VHA officials from each oversight office about their processes for identifying potential system-wide improvements.
We conducted this performance audit from July 2023 to November 2024 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
VHA Health Care System
VHA’s health care system is comprised of a central office, regional networks, medical facilities, and outpatient clinics.[13] At VHA’s central office, the Under Secretary for Health provides leadership over numerous clinical and non-clinical program offices, including those related to quality of care and patient safety. VHA central office establishes policy for the entire health care system based on legal and regulatory requirements and clinical practice guidelines. These policies are to guide the day-to-day functions of VA medical facilities and are essential for effective oversight, according to VHA.[14]
VHA’s health care system is organized into 18 regional networks, which together are responsible for overseeing 170 VA medical centers and more than 1,000 outpatient clinics and other facilities within defined geographic areas.[15] These facilities, in turn, deliver a wide range of health care services to veterans including traditional hospital-based services (e.g., surgery and pharmacy) and specialty services (e.g., dermatology and podiatry).
VHA Oversight
VHA’s oversight model, which it most recently updated in fiscal year 2024, provides a framework for conducting and coordinating oversight of its health care system.[16] VHA’s model calls for various levels of oversight, from specific oversight of practices at individual facilities to system-wide reviews of adherence to laws, policies, and standards. For example, at the local level, supervisors in VA medical centers oversee day-to-day activities and processes, and they are responsible for mitigating or elevating risks and other issues to higher levels of the organization as necessary.
According to VHA’s model, oversight across its health care system includes, but is not limited to, the following oversight functions: compliance, risk management, internal audit, and medical investigations. Within VHA central office, three oversight offices manage these functions—the Offices of Integrity and Compliance, Internal Audit, and the Medical Inspector. See figure 1.
aElements of VHA’s risk management function existed in other oversight offices prior to 2022. As of 2022, VHA’s agencywide enterprise risk management function, as defined by the Office of Management and Budget, is located in VHA’s Office of Integrity and Compliance, according to VHA documentation.
VHA oversight offices are responsible for carrying out different types of evaluations to assist VHA leaders in understanding how well particular aspects of the VHA health system are working and identifying opportunities for improvement. Findings from these evaluations may result in the oversight office making recommendations for a VHA entity—such as a VHA program office or medical center—to take corrective actions for improvement. After making recommendations for corrective actions, oversight offices are then responsible for tracking and assessing whether each of their recommendations was appropriately addressed by the responsible VHA entity.
VHA oversight offices have various responsibilities, based on their respective oversight roles:
Office of Integrity and Compliance. The Office of Integrity and Compliance is responsible for VHA’s compliance and risk management functions, in accordance with Office of Management and Budget requirements.[17] Consistent with these requirements, the Office of Integrity and Compliance has been transitioning since 2018 to a broader focus that considers all types of risk (see text box for further description of this transition). VHA has defined a risk as a future event or condition that could potentially affect the agency’s assets, activities, or operations.
|
Veterans Health Administration’s (VHA) Transition to Broader Risk Management Practices In 2018, the Office of Integrity and Compliance (formerly the Office of Compliance and Business Integrity) focused on managing risks related to fiscal oversight, such as assuring that VHA obtained third party insurance reimbursement from veterans who had other health insurance. Since that time, the office began transitioning to a broader approach, and in 2022, the office gained responsibility for VHA’s agencywide risk management function. To implement these responsibilities, the office has focused on broader risks, in line with guidance from the Office of Management and Budget, according to VHA documentation. The office’s broader risk focus includes operational risks (such as credentialing and staffing), financial risks (such as costs associated with business relationships and expenses), and patient safety risks (such as those related to the delivery of care), among others. This broader focus is known as integrated risk management, according to industry practices.a As of 2024, the transition to integrated risk management is continuing at all levels of the VHA health care system, according to our review of agency documentation and interviews with officials. For example, officials from one medical center we spoke with said their facility had fully adopted integrated risk management by focusing its efforts on better aligning privacy, compliance, and quality and patient safety, and enhancing the executive leadership team. Officials from the other three medical centers we spoke with said their facilities have partially adopted integrated risk management. According to VHA officials, reliable information about risk management from various levels of the organization helps VHA oversight offices operate more effectively. |
Source: GAO review of VHA information. | GAO‑25‑106969
aFor example, see Project Management Institute, Integrated Risk Management as a Framework for Organizational Success (Newtown Square, PA: 2006).
The Office of Integrity and Compliance works with staff in VA medical centers, regional networks, and program offices, who share responsibility for compliance and risk management functions at their respective levels of the organization.[18] For example, VA medical centers are responsible for conducting and tracking their own risk management activities. These facilities have compliance officers, who are non-clinical staff responsible for tracking compliance issues at their respective medical center, such as ensuring compliance with proper medical coding for billing purposes, and then developing corrective action plans as appropriate. Compliance officers are also tasked with using a centralized risk management portal to report their medical centers’ top risks (i.e., those risks identified at the medical center considered to be the most significant for further mitigation) to the Office of Integrity and Compliance.
Office of Internal Audit. The Office of Internal Audit is responsible for conducting internal audits, such as assessing the accuracy and reliability of particular data systems or assessing compliance with national policy for certain VHA programs. The office chooses audit topics as requested by VHA leadership or determined by its own annual audit plan. Office of Internal Audit officials told us that they track any recommendations they make to the audited entities and then monitor and validate whether actions taken by the audited entities fully address the recommendations.
Office of the Medical Inspector. The Office of the Medical Inspector has staff with clinical backgrounds (e.g., physicians and nurses) responsible for inspecting quality of care concerns at individual VA medical facilities, regional networks, and program offices. The Office of the Medical Inspector receives referrals to investigate concerns that are typically clinical in nature, such as concerns related to improper sterilization of equipment at VHA health care facilities.[19] The office opens a case if it determines that a referral warrants investigating. For each case, the Office of the Medical Inspector is responsible for investigating the underlying issue and then producing written reports with its findings, conclusions, and recommendations for corrective actions, as warranted. It is also responsible for monitoring and validating whether recommendations have been implemented.[20]
VHA Most Recently Reorganized Its Oversight Office Structure in 2024 and Has Faced Challenges Meeting Staffing Needs
VHA Has Made Various Organizational Changes to Its Oversight Offices since 2015
VHA made various changes to the organizational structure of its oversight offices since its high-risk designation in 2015, with its most recent reorganization in 2024 (see fig. 2). VHA documentation described some of these organizational changes as having the goal of eliminating fragmentation, overlap, and duplication across its different oversight offices. In 2016, VHA created an overarching office—the Office of Integrity—within its central office, to be responsible for managing various underlying oversight offices, including the Office of the Medical Inspector that previously was a standalone office.[21]
In 2020, VHA created the Office of Oversight, Risk, and Ethics, as part of a broader central office reorganization. This office replaced the Office of Integrity as the overarching oversight office responsible for managing the administrative needs (e.g., staffing and budget) of the underlying oversight offices. VHA stated that the goal of this realignment was to clarify office roles, streamline responsibilities, and improve coordination across offices within its central office.
Figure 2: Organizational Structure in 2015 and Subsequent Changes Made by the Veterans Health Administration (VHA) for Selected Oversight Functions
aAs of 2022, VHA’s agencywide enterprise risk management function, as defined by the Office of Management and Budget, is located in VHA’s Office of Integrity and Compliance, according to VHA documentation.
In 2024, VHA further reorganized the structure of its oversight offices. (See fig. 3.) Specifically, VHA determined that it would eliminate the Office of Oversight, Risk, and Ethics and instead realign the underlying oversight offices under one of its component offices, the Office of Integrity and Compliance. VHA officials said these organizational changes would streamline VHA’s oversight by removing a reporting level between the Under Secretary for Health and the oversight offices responsible for managing the agency’s oversight functions.
Figure 3: Veterans Health Administration (VHA) Governance Body and Organizational Structure Changes for Its Oversight Offices Between 2020 and 2024
Note: Under VHA’s 2024 reorganization of its oversight offices, it made the Office of Research Oversight a stand-alone office and realigned the National Center for Ethics in Health Care in VHA’s Office of Patient Care Services.
VHA began implementing its most recent reorganization in January 2024 and expected to complete the changes by October 2024, according to officials.
VHA Shifted Existing Staff as Part of Its 2024 Reorganization but Has Faced Challenges Meeting Staffing Needs
VHA shifted existing staff in each of its oversight offices to align with the changes it made to its organizational structure in 2024, according to VHA documentation we reviewed. Specifically, we found that VHA mostly maintained the staffing levels of the existing offices, while also consolidating various staff positions—including data analytics staff and clinical auditors—to support multiple oversight offices. As of July 2024, VHA had approximately 69 full-time equivalent staff across the Offices of Integrity and Compliance, Internal Audit, and the Medical Inspector to carry out its oversight functions.[22] See table 1 for staffing levels specific to VHA’s oversight offices and functions, as of July 2024.
Table 1: Staffing for Veterans Health Administration (VHA) Oversight Offices and Selected Functions, as of July 2024
|
Oversight office and function |
Number of full-time equivalent staff |
|||
|
|
Total authorized |
Filled |
Vacant (funded) |
Unfunded |
|
Office of Integrity and Compliancea |
||||
|
Compliance |
15 |
11 |
4 |
0 |
|
Risk management |
34 |
27 |
5 |
2 |
|
Office of Internal Audit |
||||
|
Internal audit |
21 |
15 |
6 |
0 |
|
Office of the Medical Inspector |
||||
|
Medical investigations |
16 |
16 |
0 |
0 |
Source: GAO review of VHA documentation. | GAO‑25‑106969
Note: Vacant (funded) positions are authorized and budgeted for but not filled. Unfunded positions are authorized but not budgeted and therefore not filled.
aThe Office of Integrity and Compliance, as the overarching office responsible for shared services and support such as budgets, fiscal management, and contracts, also employs staff not directly involved in carrying out its compliance, risk management, internal audit, and medical investigation functions. We do not include those staff in this table.
Each of the three VHA oversight offices identified some challenges in their office’s staffing configuration. For example:
· The Office of Integrity and Compliance stated in a fiscal year 2024 management plan for the risk management function that existing staffing levels did not support its needs, and identified challenges related to vague roles and responsibilities, vacancies, and a continuously evolving organization.
· Under VHA’s 2024 reorganization, staff may be placed in areas in which they do not have experience, according to an Office of Internal Audit organizational capability assessment completed in April 2024. As of July 2024, the Office of Internal Audit reported having the Chief Audit Executive position vacant as well as at least one vacancy in the three audit teams. Additionally, the Office of Internal Audit reported staff turnover in management positions over the past 3 years, such as for audit managers and specialists. These staffing challenges have made it difficult to sustain needed activities and to attract and retain staff with the required skills to conduct audit work, according to Office of Internal Audit documentation.
· According to an official from the Office of the Medical Inspector, two administrative positions within that office were moved as part of the 2024 reorganization to support multiple oversight functions, including the Office of the Medical Inspector, within the Office of Integrity and Compliance. As a result, the office is managing its operations with fewer staff and officials noted the Office of the Medical Inspector is evaluating its remaining administrative positions to determine whether additional support is needed. Further, the official from the Office of the Medical Inspector said it is hard to pinpoint their staffing needs because their workload is referral driven and therefore can vary each year.[23]
To help address their staffing challenges, we found that some oversight offices have established specific goals or mitigation strategies. For example, in its fiscal year 2024 plan for risk management, the Office of Integrity and Compliance identified a goal of providing operational stability for risk management staff by updating position descriptions and defining roles and responsibilities, among other things. Additionally, in its April 2024 organizational capability assessment, the Office of Internal Audit reported it would focus on staffing and recruitment strategies, which would include creating a plan to account for employee attrition.
However, VHA has not established strategies to address the overall staffing needs of the oversight offices as part of its 2024 reorganization. We found that VHA did not develop a workforce plan for its oversight offices as part of its reorganization of those offices in 2024. Specifically, in making changes to the organization of its oversight offices, VHA did not assess or define the staffing levels and skills and competencies each oversight office needs to carry out its respective oversight functions, such as through the development of a workforce plan. For example, VHA did not consult subject matter experts from some of the oversight offices on the changes being made in the 2024 reorganization, according to officials from two oversight offices. More strategically assessing needs through a workforce plan would better enable VHA to establish strategies to address its oversight office staffing challenges.
GAO’s key principles for effective strategic workforce planning state that agencies should develop strategies including those for hiring, training, and staff development that eliminate gaps and improve the contribution of the skills and competencies that are critical to successfully achieving their missions and goals.[24] VHA identified in its VA High Risk action plan the need to properly resource its oversight functions. Additionally, a workforce plan could help VHA ensure each oversight office has identified the staffing levels, skills, and competencies necessary to carry out their respective functions. With a workforce plan, VHA would therefore be better positioned to ensure that its oversight offices can effectively conduct the oversight functions that help it understand how well particular aspects of the VHA health care system are working.
VHA Partially Follows Leading Practices for Managing Risk
Based on our review of VHA documentation and interviews with officials, we found VHA’s approach to risk management partially follows leading practices for managing risk we identified in our prior work. In 2022, VHA delegated responsibility for the agency’s risk management function to the Office of Integrity and Compliance, which is implementing the function based on Office of Management and Budget requirements.[25] In our prior work, we identified six leading practices that federal agencies can use to implement these requirements and effectively manage risk.[26] We found that VHA has partially followed these leading practices for managing risk (see table 2). Appendix I includes additional detail on the extent to which VHA followed GAO’s leading practices.
Table 2: Veterans Health Administration (VHA) Implementation of GAO’s Leading Practices for Managing Risk
|
Leading practice |
Description of leading practice |
VHA implementation of leading practice |
|
Align risk processes to goals and objectives |
Ensure the risk management process maximizes the achievement of agency mission and results. |
◐ |
|
Identify risks |
Assemble a comprehensive list of risks, both threats and opportunities, that could affect the agency from achieving its goals and objectives. |
◐ |
|
Assess risks |
Examine risks considering both the likelihood of the risk and the impact of the risk on the agency’s mission. |
◐ |
|
Select risk response |
Select risk response including acceptance, avoidance, reduction, share or transfer, or maximize opportunity. |
◐ |
|
Monitor risks |
Monitor how risks are changing and if responses are successful. |
◐ |
|
Communicate and report on risks |
Communicate risks with stakeholders and report on the status of addressing the risk. |
◐ |
Legend: ● Met ◐ Partially Met ○ Not Met
Source: GAO analysis of VHA information against GAO leading practices for managing risk. | GAO‑25‑106969
Note: Leading practices are essential elements and good practices identified by GAO that federal agencies can use to implement Office of Management and Budget requirements and effectively manage risk. For each leading practice, there are also additional necessary actions to successfully build a risk management program. “Met” indicates VHA has met all of the leading practices and taken all of the necessary actions. “Partially Met” indicates that VHA has started but not completed the leading practices and necessary actions. “Not Met” indicates VHA has not met any of the leading practices or undertaken other necessary actions.
For example, we found VHA partially followed leading practices related to identifying, assessing, and communicating risk.
Identify risks. Our prior work has shown that comprehensive risk identification is critical even if the source of the risk is outside the agency’s control.[27] In July 2024, Office of Integrity and Compliance officials told us that they found over 1,300 different ways that entities across the various levels of the health care system may identify and document risks. VHA’s separate processes include those for clinical risks as well as for non-clinical risks.[28] For example, clinical staff (e.g., Chief of Staff, Chief of Nursing, and Quality and Patient Safety officials) are responsible for identifying clinical risks, and they use systems (such as the Joint Patient Safety Reporting system) to document and track identified risks. See text box for an example of VHA’s processes for identifying clinical risks.
|
Example of Veterans Health Administration (VHA) Processes for Identifying Clinical Risks To help identify clinical risks, VHA requires that Department of Veterans Affairs (VA) medical centers perform at least eight patient safety analyses annually including evaluations such as root cause analyses. For example, a VA medical center may conduct the following: · Root cause analyses for adverse events—incidents that pose a risk of injury to a patient as the result of a medical intervention or the lack of an appropriate intervention, such as a missed or delayed diagnosis. An example of an adverse event is the improper sterilization of medical equipment that can lead to veterans being exposed to infectious diseases. · Aggregate root cause analyses to analyze a collection of similar patient safety events (usually in a high-volume category such as medication and fall events) to determine prominent themes and risks worthy of a formal, focused review. Aggregate root cause analyses assist VA medical centers to analyze a group of similar patient safety or quality events to determine common causes and identify actions to prevent recurrences. |
Source: GAO review of VHA information and GAO‑15‑643. | GAO‑25‑106969
Our review of VHA documentation and interviews with officials showed that the Office of Integrity and Compliance has taken steps to assist staff to identify risks, such as training employees on VHA’s risk management approach and the basic concepts needed to conduct risk management. Program offices use their own risk assessments, systems, and analytics, as well as using different risk management terms, according to VHA officials. Due to this variation, VHA officials stated that there needs to be more clarity about how to implement risk management across the agency. To address these discrepancies, the Office of Integrity and Compliance piloted new risk training courses in fiscal year 2023, including training for program offices, according to officials.
However, we found that the Office of Integrity and Compliance does not identify risks comprehensively, due to the various ways used to track risks across VHA’s health care system. In July 2021, VHA officials responsible for its compliance, risk management, and internal audit functions conducted a baseline analysis of how risk management was being operated at the VA medical center, regional network, and program office levels. The analysis determined that these levels of the organization do not share risks outside of the separate systems they were each responsible for managing. As a result, risks did not consistently make their way to senior leaders for awareness and planning purposes.
According to the analysis, program offices named various systems to identify risks. For example, occupational safety officials use their program’s database for tracking open findings related to annual safety and industrial hygiene evaluations to identify risks. Office of Integrity and Compliance documentation states that the office plans to establish data sharing agreements with various VHA program offices by the end of fiscal year 2028, to help allow these offices to share information on the risks they identify.
Officials from the Office of Integrity and Compliance noted further challenges with comprehensive risk identification. According to a fiscal year 2023 annual review conducted by the office, there continued to be highly variable efforts among VA medical centers and regional networks to identify risks. Further, while the office developed tools for compliance officers to enter and track risks in their own centralized risk management portal, a December 2023 training from the office stated that these tools are not integrated with other risk management tools across the agency. As a result, the tools do not provide timely, actionable insights on VHA’s risks. By taking steps to comprehensively identify risks, including both non-clinical and clinical risks, VHA may be better positioned to proactively identify critical risks to particular aspects of its health care system.
Assess risks. Our prior work has also shown that assessing risks helps agency leadership prioritize risk response.[29] Once risks have been identified, additional actions are necessary for agencies to assess risks, such as by ranking risks by organizational priority to determine top risks (i.e., those that an agency considers to be the most significant for further mitigation) and grouping them into portfolios of related risks. The Office of Integrity and Compliance determined, for example, that one portfolio of VHA risks is suicide prevention, according to VHA officials.[30]
In our review of VHA documentation and interviews with officials, we found that the Office of Integrity and Compliance has taken steps to assess risks, such as by using a risk register to help track and assess how it is managing the risks it identifies.[31] The risk register is a tool consisting of an electronic repository where compliance officials from medical centers and regional networks enter real-time information, including their top risks. The risk register then helps the office assess the impact of these risks from an agencywide perspective (see example of one such risk assessed through VHA’s risk register in text box below).
|
Example of Veterans Health Administration (VHA) Risk Assessment In November 2022, VHA assessed a risk related to the lack of standardized oversight and operations of its Emergency Medical Services response and transportation, according to VHA documentation. VHA determined that, if the risk was not mitigated, veterans may experience inconsistent levels of care and response times and delays in care delivery. Further, VHA noted that there was an immediate need to mitigate the risk to avoid ongoing delayed and fragmented care to veterans resulting in harm. As part of assessing the risk, VHA aligned the risk to its agency priorities, such as one entitled “Connect veterans to the soonest and best care.” |
Source: GAO review of VHA information. | GAO‑25‑106969
However, we found that the Office of Integrity and Compliance is limited in its ability to further assess risks. For example, officials from the office told us that, in the spring of 2023, they determined that VHA’s risk register was not reflective of the agency’s current challenges or closely associated with agency objectives. Specifically, officials determined that its risk register was outdated and did not have clear processes to add risks to the register. As a result, officials said they are re-creating the risk register to ensure it has high-quality information for all types of risks. Specifically, they created new data fields for the risk register that groups risks together by portfolio to assist collaboration across the organization, according to VHA documentation.[32] With a more current and comprehensive list of its top risks, VHA will be better suited to provide timely, actionable guidance about which risks are the most significant to address.
Communicate and report on risks. Our prior work has shown that effective risk management incorporates feedback from internal and external stakeholders on their respective insights. Our review of VHA documentation indicates that the Office of Integrity and Compliance took steps to communicate risks in the following ways:
· Discussed risks with internal stakeholders through the Audit, Risk, and Compliance Committee’s Risk Subcommittee—a subcommittee established to assess, prioritize, and manage risks identified agencywide, according to its June 2021 charter. The Office of Integrity and Compliance then incorporates feedback from Risk Subcommittee members into its risk management practices, according to subcommittee documentation. For instance, committee members are to provide feedback on which risks are included in the risk register.
· Realigned liaisons who coordinate responses to VA Office of Inspector General and GAO reviews. Specifically, VHA placed these liaisons under the Office of Integrity and Compliance’s Risk and Issue Management team as part of its 2024 reorganization. VHA anticipates this will help the organization connect risk management with internal and external findings and recommendations, according to agency documentation.
However, we found the Office of Integrity and Compliance’s steps to communicate risks have not yet been fully implemented. For example, the Risk Subcommittee paused meetings in 2023 in conjunction with plans to reestablish the Audit, Risk, and Compliance Committee, according to Office of Integrity and Compliance officials. These officials noted that the subcommittee met in April 2024 and is in the process of updating its subcommittee charter, to include updates for the roles and responsibilities of its membership and for providing feedback on VHA’s risk management approach. In addition, while the Office of Integrity and Compliance has
|
Example of Risk Management at a Department of Veterans Affairs (VA) Medical Center At one VA medical center, local officials described how they approached a recent potential risk related to patient identification at their facility. Identify risks. A diagnostics chief reported that two patients with the same first and last names led to an unnecessary scan for one of the patients. The issue prompted officials to look more closely at how patients were being identified during the facility’s check-in process. Assess risks. Staff from the facility’s quality management and compliance departments coordinated to create a team that sat in waiting rooms and observed what patients were being asked during the facility’s check-in process. The team’s observations indicated that there was a gap in the facility’s check-in process. Communicate risks. Facility officials entered the patient identification risk into both a clinical tracker used by quality management staff and the risk management portal used by compliance staff. Quality management staff then organized an educational effort for facility employees to ensure compliance with check-in procedures, such as confirming patient identification with full names and full date of birth details. Staff also monitored the results of their efforts to ensure the risk was mitigated.
Source: GAO (text and icons). | GAO‑25‑106969 |
taken steps to communicate risks with certain stakeholders, such as the Risk Subcommittee, it does not have plans to include feedback from others, such as groups representing various veteran populations. Communicating risks with these groups may allow those stakeholders to provide VHA with insights into top risks facing the agency as these groups interface directly with various veteran populations.
Our prior work has demonstrated that the absence of any essential element of a leading practice would likely result in an agency incompletely managing its risk.[33] According to a training developed by the Office of Integrity and Compliance, VHA can overcome many strategic challenges through effective risk management, but the office is still developing its approach.
By taking additional steps to fully meet leading practices for managing risk as the Office of Integrity and Compliance works to implement its risk management approach, VHA can better address the full spectrum of its most significant risks rather than addressing risks only within silos. Fully implementing leading practices may also help VHA to effectively respond to new or emerging risks, or changes in existing risks. These steps, in turn, could help VA facilities address risks in a timely manner, which could positively affect their ability to provide quality and effective health care to veterans. For example, officials we spoke with at one VA medical center identified their top risks to be related to the facility’s aging infrastructure, ability to hire, and inpatient mental health processes. The medical center noted a number of consequences of not addressing these risks, including the timeliness and quality of care provided to veterans. Implementing leading practices may help VHA be more effective in managing the complex challenges facing its facilities by using an agencywide approach for addressing timeliness and quality of care concerns.
VHA’s Office of Internal Audit Completed Reviews on a Variety of Topics but Lacks a Clear Reporting Structure and Oversight Role
VHA’s Office of Internal Audit Completed 13 Reports since 2016, Including 45 Recommendations to Various Audited Entities
VHA established the Office of Internal Audit in 2016 and has since completed 13 reports, according to our review of Office of Internal Audit documentation. VHA created the Office of Internal Audit after identifying in a 2014 internal analysis that it was operating numerous, fragmented review functions that were unable to help the agency realize its desired outcomes. VHA determined that it should operate a dedicated internal audit function within VHA’s central office to help the agency ensure that health care quality and patient safety remain a primary and constant focus, as well as to enhance its system-wide oversight and accountability activities.
We reviewed the 13 reports the Office of Internal Audit completed from 2016 through 2023. We found that the reports covered various system-wide topics, such as those related to the agency’s strategic priority on suicide prevention. Seven of the reports included one or more recommendations to other entities in VHA, such as responsible program offices or regional networks (see text box for one example), for a total of 45 recommendations. The office reported that 28 of the 45 recommendations have been addressed by the responsible entity, as of January 2024.[34]
|
Example of Veterans Health Administration (VHA) Internal Audit Recommendations The VHA Office of Internal Audit issued a report entitled Veterans Affairs Care Coordination for Breast Cancer Screening Audit in November 2020. The office stated that it conducted this internal audit to determine how well the agency coordinated health care services following breast cancer screenings. The final report included a total of six recommendations, including recommendations for senior leadership at Department of Veterans Affairs medical centers and regional networks: 1. Enhance oversight of breast cancer screenings requiring follow-up testing to ensure patients receive recommended care. 2. Strengthen oversight to increase timely veteran notification of breast cancer screening results and ordering providers’ documentation of notification in the medical record. The Office of Internal Audit stated that it reviewed the steps taken by medical centers, regional networks, and VHA program offices that oversee women’s health services and the national radiology program to address its recommendations. The office determined that these steps addressed all six recommendations. |
Source: VHA documentation. | GAO‑25‑106969
VHA Did Not Establish a Clear Reporting Structure and Oversight Role for Its Office of Internal Audit
Based on our review of VHA documentation and interviews with officials, we found that VHA did not establish a clear reporting structure and oversight role for its Office of Internal Audit. An internal audit function, when used effectively, can provide valuable information on trends and emerging issues that may impact an organization, according to the Institute of Internal Auditors. To be effective, International Standards for the Professional Practice of Internal Auditing state that the purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, including defining the scope of internal audit activities.[35] Moreover, the standards state that conditions should be in place to mitigate any threats to organizational independence, such as having a governance body that approves the internal audit budget and resource plan. In addition, the internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.
However, we found the Office of Internal Audit has an unclear reporting structure and oversight role, as follows:
Unclear reporting structure. Since its creation in 2016, VHA has described the Office of Internal Audit as being independent within the organization. In particular, the Office of Internal Audit’s mission, policy directive, and management manual characterize the office as independent, in accordance with generally accepted government auditing standards.[36] Officials from the Office of Internal Audit noted their intent to be compliant with these standards and said they invested resources toward ensuring their independence, such as awarding contracts to assess the office’s audit capabilities in 2023 and 2024, including a review of its independence needs.
VHA documentation related to the 2024 reorganization indicated that the Office of Internal Audit would be aligned administratively under the Office of Integrity and Compliance but have a direct reporting line to the Under Secretary for Health to help ensure independence. However, officials told us that, as of July 2024, this reporting line had not been implemented as it has not been finalized as part of the organizational changes.[37] Officials from the Office of Integrity and Compliance told us they have also asked for further clarification from VHA human resources on how to delineate roles under the 2024 reorganization. As a result, it is unclear how the Office of Internal Audit’s direct reporting line will operate.
Moreover, the position of Chief Audit Executive, which leads the Office of Internal Audit, was vacant as of July 2024, and VHA’s Chief Compliance and Integrity Officer was leading the office as the acting executive.[38] Because the Chief Compliance and Integrity Officer is also responsible for leading VHA programs that could be audited by the Office of Internal Audit, this dual role may present a conflict of interest for selecting audit topics, according to VHA officials and documentation. As the acting Chief Audit Executive, the Chief Compliance and Integrity Officer is responsible for reviewing and ensuring that the Office of Internal Audit’s annual audit plan does not duplicate other functions, according to officials, and, as a result, may influence the scope of its audit topics.
In addition, officials from the Office of Internal Audit expressed concerns about their placement under the Office of Integrity and Compliance affecting their ability to be independent. They explained that they were unsure how to differentiate their independence as an internal audit entity from that of other oversight entities, such as the VA Office of Inspector General.[39] Based on our review of VHA documentation and interviews with officials, a potential conflict of interest could arise if an internal audit identified deficiencies with compliance or risk management processes overseen by the Office of Integrity and Compliance. As a result, the Office of Internal Audit might find itself unable to report those deficiencies objectively while being managed by the Office of Integrity and Compliance, which manages both compliance and risk management, according to officials and documentation.
Unclear oversight role. VHA’s existing policy directive for its internal audit function, issued in February 2018, states that internal audit is to provide independent and objective audit, assurance, and advisory services.[40] However, VHA’s policy directive has not been updated since 2018 and lacks detail on changes to oversight roles, such as responsibility for the risk management function moving to the Office of Integrity and Compliance from the Office of Internal Audit. In addition, officials from the Office of Internal Audit noted confusion about their oversight role in the context of VHA’s broader oversight model, amid the organizational changes that have occurred in recent years. According to VHA documentation, there is no statutory requirement for VHA to have an internal audit function. Therefore, according to officials from the Office of Internal Audit, the role of internal audit is dependent on the needs of leadership.
Officials from the Office of Internal Audit told us that its unclear role has made it difficult for them to set priorities for the topics they review and to add oversight value to the agency. These officials said they believe their office can be responsive to legislative requirements on behalf of the Secretary of Veterans Affairs. For example, in one of its past reports, the Office of Internal Audit validated VA compliance with a certain section of the VA Mission Act of 2018.[41] In contrast, officials from the Office of Integrity and Compliance identified different priorities for internal audit, such as choosing audit topics based on the top risks identified by its risk management function.
Our review of agency documentation also showed that VHA does not have a clear purpose for its internal audit function. A clearly defined purpose can assist VHA in determining the nature of the Chief Audit Executive’s reporting relationship and the internal audit activity’s role within the organization. Depending on that purpose, the office may require processes, such as safeguards, to be considered organizationally independent, as indicated in the International Standards for the Professional Practice of Internal Auditing.
Without a clearly defined purpose for the internal audit function reflected in an updated policy directive, VHA may be limiting the ability of the Office of Internal Audit to meet the organization’s oversight needs. For example, VHA’s internal audit function may be underutilized as an element of its oversight model, such as conducting critical checks on VHA’s strategies. Moreover, VHA may determine that a strong internal audit function, properly placed, with defined auditing standards, would position the agency to respond to quality concerns that adversely affect its mission to serve veterans. In contrast, VHA may find that its internal audit function, as currently structured, may be duplicative of other oversight efforts or prove unnecessary as an element of VHA’s oversight model. By clearly defining its purpose, including identifying a clear reporting structure and a defined oversight role, VHA can better ensure its Office of Internal Audit is used effectively to provide VHA leadership information on trends and emerging issues that may affect the organization.
VHA’s Audit, Risk, and Compliance Committee Provided Limited Guidance and Made No Recommendations
Based on our review of VHA documentation, we found that the Audit, Risk, and Compliance Committee was limited in its ability to guide VHA’s oversight functions and make recommendations to leadership. VHA established the Audit, Risk, and Compliance Committee as the governance body that is to provide strategic guidance and direction for VHA’s compliance, risk management, and internal audit functions.[42] The Deputy Under Secretary for Health chairs the committee, and the committee also includes the VHA Chief of Staff, two regional network and two medical center directors, and other executive-level staff from across VHA.
According to its 2021 charter, the Audit, Risk, and Compliance Committee is to meet quarterly to carry out its responsibilities. For example, in one of its fiscal year 2021 quarterly meetings, committee members discussed the following items:
· For the compliance function, an overview of the Office of Compliance and Business Integrity’s (now the Office of Integrity and Compliance) key initiatives for fiscal year 2021, such as implementing its revised policy directive.
· For the risk management function, the status of VHA’s July 2021 baseline analysis on how risk management was being operated across the organization and the next steps planned to address the challenges identified in the analysis.
· For the internal audit function, the status of four reviews the Office of Internal Audit was undergoing in fiscal year 2021 and an update on the then acting Under Secretary for Health’s approval of recommendations the office made in its fiscal year 2020 reports.
Our review identified that the committee met 11 times from fiscal year 2021 through 2024. However, our review of committee documentation identified the following limitations with its ability to provide strategic guidance and direction:
The committee does not have a full picture of relevant oversight findings. According to the Audit, Risk, and Compliance Committee’s charter, the committee is to collaborate with the Office of the Medical Inspector, VA Office of Inspector General, and GAO. However, the charter does not describe what that collaboration entails, such as a review of these entities’ oversight findings and recommendations. For example, our review of committee documentation from fiscal year 2021 through 2024 did not identify any discussion of oversight findings related to medical investigations conducted by the Office of the Medical Inspector. As a result, the committee may not be monitoring relevant oversight of VHA’s health care system that can help inform how it guides VHA’s oversight functions.
For the Office of the Medical Inspector, the Audit, Risk, and Compliance Committee’s charter also includes the Medical Inspector as a non-voting member of the committee. As of May 2024, the Medical Inspector told us that the office does not provide updates on its medical investigations to the committee; therefore, the Office of the Medical Inspector role on the committee is specific to collaboration. The Medical Inspector also told us that the office is developing a tracking system to monitor and better identify trends in its medical investigations over time. The office plans to share a report on those trends with the Under Secretary for Health beginning in fiscal year 2025, and said the tracking system may also be a useful tool for the Audit, Risk, and Compliance Committee. Some, but not all, findings and recommendations made by the Office of the Medical Inspector are made public (see text box for an example of the office’s findings and recommendations). Specifically, only reports based on an Office of Special Counsel referral are made public by that office on its website in redacted form.
|
Example of Veterans Health Administration (VHA) Medical Investigation Recommendations From fiscal year 2017 to 2023, VHA’s Office of the Medical Inspector reported its annual caseload ranged from 25 to 74 cases. Nearly all of its cases resulted in recommendations, most of which were directed to Department of Veterans Affairs (VA) medical centers. According to the office, most of the recommendations have been addressed by the VA medical center or other responsible VHA entity. For example, the Office of the Medical Inspector received a referral from the Under Secretary for Health to investigate three internal allegations related to a VA medical center’s pain management program. In response, the Office of the Medical Inspector assembled a team and conducted the investigation in March 2023, including interviewing a whistleblower who made allegations and conducting a site visit. The office substantiated one allegation and did not substantiate the other two allegations. Specifically, the Office of the Medical Inspector substantiated that 96 veterans did not receive a rescheduled appointment or community care consult when the VA medical center’s Chief of Pain Management was unavailable due to other duties. The Office of the Medical Inspector directed five recommendations to the VA medical center, including that it evaluate the 96 patients, offer them appointments (as appropriate), and track them to completion. As of January 2024, the office reviewed the steps taken by the medical center and determined that these steps addressed four of the five recommendations. |
Source: GAO analysis of VHA documentation and GAO‑23‑105634. | GAO‑25‑106969
The committee has not made recommendations for potential system-wide improvements. According to its charter, the Audit, Risk, and Compliance Committee has responsibility for reviewing the findings from across VHA’s oversight functions and, in turn, making recommendations to the Under Secretary for Health on how to implement changes across VHA. Our review of the committee’s meeting minutes indicated that it has not provided recommendations to the Under Secretary for Health since VHA updated the committee’s charter in 2021.
· In general, the majority of committee meetings from fiscal year 2021 through 2024 consisted of informational items related to VHA’s compliance, risk management, and internal audit functions. For example, in the meetings where informational items included updates on ongoing internal audit or risk management activities, the updates focused on the status of recommendation implementation rather than making subsequent recommendations to the Under Secretary for Health.
· Our review identified very few decision-related items the Audit, Risk, and Compliance Committee considered. Among the few we identified was one item to approve the charters of two subcommittees related to compliance and fraud, waste, and abuse functions.[43] While committee meetings included updates on how VHA was addressing our high-risk designation related to inadequate oversight and accountability concerns, it did not include any decision-related items regarding the high-risk designation.
VHA designated the Audit, Risk, and Compliance Committee as a key part of how it monitors concerns related to inadequate oversight and accountability, according to VA’s fiscal year 2024 action plan addressing its high-risk designation. For example, VHA tasked the committee with monitoring the metrics it developed to show progress on addressing high-risk concerns. Such a committee would align with standards for internal control in the federal government, which state that management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.[44] Additionally, management should use the results of evaluations, including accompanying findings and recommendations, to monitor the design or operating effectiveness of its systems, according to the Office of Management and Budget.[45]
However, we found that the Audit, Risk, and Compliance Committee was limited in its ability to effectively monitor oversight findings and take appropriate action. According to VA’s fiscal year 2024 action plan addressing its high-risk designation, VHA plans to reestablish the Audit, Risk, and Compliance Committee by the end of fiscal year 2025. However, the plan does not provide detail on the oversight findings the committee will review.[46] Officials from the Office of Integrity and Compliance told us that VHA plans to update the committee’s charter to align the committee with the 2024 reorganization it is implementing.
By reviewing relevant oversight findings and providing system-wide recommendations, as appropriate, the committee may allow VHA to leverage the work performed by individual oversight functions to provide better strategic direction for its health care system. Officials from two medical centers and a regional network noted that they could learn from findings beyond those specific to their facility. Officials from one regional network emphasized that whenever they identify an issue at one facility, their first step is to determine whether it is occurring at any other facilities within their regional network. However, findings from the Offices of Internal Audit and the Medical Inspector are not always publicly available or disseminated across VHA’s health care system unless the regional network or medical center was the subject of the audit or investigation. The Audit, Risk, and Compliance Committee is uniquely positioned to identify common areas in need of system-wide improvement and communicate potential improvements more broadly across the organization from VA medical centers to the Under Secretary for Health.
Conclusions
It has been nearly a decade since we added VA health care to GAO’s High-Risk List, and in those intervening years VHA has taken important steps to improve its oversight of its vast health care system. Since its high-risk designation, VHA has undergone various organizational changes to the offices responsible for carrying out select oversight functions, with the goal of eliminating fragmentation, overlap, and duplication across oversight offices. These reorganizations, however, also highlighted the need for a workforce plan to clearly assess the number and type of staff needed to conduct each office’s work and the overall staffing needs of the oversight offices together. With such a plan, VHA would be better positioned to ensure that its oversight offices can effectively conduct the oversight functions that help it understand how well particular aspects of the VHA health care system are working.
Furthermore, the Office of Integrity and Compliance has taken steps to provide a more comprehensive picture of clinical and non-clinical risks to VHA’s health care system, instead of considering risks in silos. However, we found that the office is only partially following leading practices for managing risk, which limits its ability to identify, assess, and communicate risks. By fully meeting the leading practices for managing risk, VHA can better identify and mitigate risks to its delivery of health care services.
Similarly, we found that the Office of Internal Audit has taken steps to carry out VHA’s internal audit function. However, the office’s policy directive lacks detail on the purpose of the function, in light of VHA’s most recent organizational changes. By clearly defining the purpose of its internal audit function, including identifying a clear reporting structure and a defined oversight role, VHA has the opportunity to make the function more effective in providing VHA leadership information on trends and emerging issues that may impact its health care system.
Lastly, VHA created its Audit, Risk, and Compliance Committee to guide compliance, risk management, and internal audit functions and is making changes to the committee, consistent with its 2024 reorganization. However, we found that the Audit, Risk, and Compliance Committee has not reviewed relevant oversight findings, such as from medical investigations, and has not provided recommendations for system-wide improvements. By taking steps to review relevant oversight findings and make such recommendations, as appropriate, the committee can help VHA leverage the work performed by its individual oversight offices and others to provide better strategic direction for its health care system. These steps are particularly important to help address VHA’s historically fragmented oversight approach and to help ensure VHA is able to provide quality health care to veterans.
Recommendations for Executive Action
We are making the following four recommendations to VHA:
The Under Secretary for Health should develop a workforce plan for its oversight offices based on evaluating the staff needed to effectively conduct compliance, risk management, internal audit, and medical investigations functions. (Recommendation 1)
The Under Secretary for Health should take steps to fully meet leading practices for managing risk as the Office of Integrity and Compliance implements the agency’s risk management function. (Recommendation 2)
The Under Secretary for Health should clearly define the purpose of VHA’s internal audit function in an updated policy directive for the Office of Internal Audit. Such a policy should include a clear reporting structure and a defined oversight role with the types of audit activities and priorities for which the office is responsible. (Recommendation 3)
The Under Secretary for Health should take action to ensure the Audit, Risk, and Compliance Committee’s ability to monitor oversight findings and to provide recommendations to VHA leadership to help inform potential system-wide improvements, as appropriate. (Recommendation 4)
Agency Comments
We provided a draft of this report to VA for review and comment. In its written comments, reproduced in appendix II, VA concurred with our recommendations and identified actions VHA will take to address them.
Regarding our first recommendation, VA stated that the agency will assess the resources and associated workloads for its oversight offices to develop a workforce plan. VHA’s Office of Integrity and Compliance will subsequently report its workforce plan actions to relevant governance bodies, such as the Audit, Risk, and Compliance Committee, on a quarterly basis.
With respect to our second recommendation, VA stated that the Office of Integrity and Compliance is taking a multi-year approach to implementing VHA’s risk management function, consistent with Office of Management and Budget requirements. The office will continue its agencywide collaboration on risk management activities, in addition to monitoring and reporting its progress to relevant governance bodies, such as the Audit, Risk, and Compliance Committee.
For our third recommendation on clearly defining a purpose for VHA’s internal audit function, VA stated that the agency will revise VHA Directive 1370 to include a clear reporting structure and defined oversight role. As part of the revision, the Office of Integrity and Compliance will obtain input from VHA’s internal audit staff and leadership. The office plans to report on its progress on a quarterly basis to relevant governance bodies, such as the Audit, Risk, and Compliance Committee.
Regarding our fourth recommendation on the Audit, Risk, and Compliance Committee, VA stated that the Office of Integrity and Compliance will strengthen the committee’s processes by revising its charter and membership roles and responsibilities. Through this committee or a successor oversight committee, the office will also clarify the committee’s role related to informing system-wide improvements and monitoring oversight findings.
VA also provided technical comments, which we incorporated as appropriate.
As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the appropriate congressional staff, the Secretary of Veterans Affairs, and other interested parties. In addition, the report will be available at no charge on the GAO website at https://www.gao.gov.
If you or your staff have any questions about this report, please contact me at (202) 512-7114 or hundrupa@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix III.
Alyssa M. Hundrup
Director, Health Care
The Veterans Health Administration’s (VHA) Office of Integrity and Compliance is responsible for managing the agency’s risk management function.[47] As part of our review, we assessed the office’s risk management approach against GAO’s leading practices for managing risk (see fig. 4).[48]
Specifically, GAO’s prior work identified six leading practices that federal agencies should use to implement risk management effectively. For each leading practice, GAO also identified additional necessary actions for each leading practice to successfully build a risk management program. See table 3 for our assessment of VHA’s risk management practices and examples of steps VHA has taken to follow each leading practice.
|
Leading practice |
Example of leading practice |
VHA status in following leading practice |
Steps VHA took to follow leading practice for managing risk |
|
Leaders align risk processes to agency goals and objectives |
Designate risk management leaders |
◐ |
VHA’s Risk and Issue Management team, located in the Office of Integrity and Compliance, has a Risk Director to manage risk activities and assigned liaisons to serve as subject matter experts. VHA officials also noted that they identified individuals to serve as risk leads for some program offices to champion risk management. They anticipate identifying more risk leads in the future but did not identify a timeline for doing so. |
|
Commit organization resources to support risk management |
◐ |
The Office of Integrity and Compliance developed training for VHA’s workforce on identifying and mitigating risk through Risk University courses and also developed new risk management training for executive leaders. As of August 2023, staff from one regional network, two program offices, and four medical facilities completed Risk University and 50 personnel completed the executive training. In fiscal year 2024, the Office of Integrity and Compliance revised its curriculum based on feedback from participants and scheduled trainings through the end of the year, according to officials. The office also made executive training available on request for regional networks and offered the training to various groups, such as quality management staff. |
|
|
Set organizational risk appetite |
◐ |
The Audit, Risk, and Compliance Committee has not adopted the agency’s risk appetite statement, which helps provide guidance on the amount of risk an organization is willing to accept. The Office of Integrity and Compliance took steps in preparation, such as collecting input from VHA leadership to inform an initial draft of the statement, according to officials. The office anticipated ongoing internal reviews in August 2024 followed by a 3-to-6 month review process, with an expected publication date in fiscal year 2025. |
|
|
Identify risks and develop a risk-informed culture |
Encourage employees to discuss risks openly |
◐ |
An Office of Integrity and Compliance training from December 2023 noted that VHA lacks a culture for disclosing risks and compliance officials told us that oversight is generally understood as something negative. To counter this perception, the office created a field advisory group to provide communication and assistance as well as develop trust with Department of Veterans Affairs (VA) medical centers and their associated regional networks, according to compliance officials. |
|
Train employees on risk management approach |
◐ |
Officials from the Office of Integrity and Compliance told us that various offices use different risk management terms and that there needs to be more clarity about risk management across the agency. The Office of Integrity and Compliance piloted new risk training courses in fiscal year 2023 and is developing training for program offices to help address these discrepancies. It planned to offer the training to program offices and VA medical centers in fiscal year 2024. |
|
|
Engage employees in risk management efforts |
◐ |
An Office of Integrity and Compliance survey from fiscal year 2023 indicated that 27 percent of VA medical centers had risk management practices that are not well understood or practiced.a The Office of Integrity and Compliance created a field advisory group in 2023 to help local officials communicate with central office about the design and implementation of program activities. |
|
|
Customize risk management tools for organizational mission and culture |
◐ |
A December 2023 training from the Office of Integrity and Compliance stated that its existing management tools are not integrated and do not provide actionable insights. The office is updating its risk management tools and addressing outdated information as of this report, according to officials. |
|
|
Assess risks and integrate risk processes into strategic planning |
Incorporate risk management into strategic planning processes |
◐ |
Office of Integrity and Compliance officials said they have taken steps to integrate risk processes into strategic planning. For example, risk officials engaged with VHA’s Chief Strategy Office in fiscal year 2024 to assist with developing processes around when and how risk assessment will be included and reviewed in strategic market assessment planning. |
|
Use risk management to improve information for agency decisions |
◐ |
Office of Integrity and Compliance officials told us that they developed in fiscal year 2024 a VHA Risk Profile—a method to help agencies prioritize risks. The office submitted the profile to the Audit, Risk, and Compliance Committee’s Risk Subcommittee in June and August 2024 and the subcommittee approved the profile for further discussion. |
|
|
Select a risk response and establish a customized risk program |
Design a risk management program that allows for customized agency fit |
◐ |
The Office of Integrity and Compliance is developing a risk management framework that will include key items necessary to evaluate risks, such as risk criteria, according to officials. The office planned for the new framework to be evaluated by the Audit, Risk, and Compliance’s Risk Subcommittee by the end of fiscal year 2024. |
|
Develop a consistent, routinized risk management program |
◐ |
VHA documentation shows that the Office of Integrity and Compliance is in the process of defining roles and responsibilities for its risk management program and governance structure. For example, officials told us that, in fall 2023, the office created new position descriptions for program analysts to more closely align with the structure of the risk management program. The office anticipated clarifying these roles once a new VHA risk framework is adopted with a target date by the end of fiscal year 2024. |
|
|
Use a maturity model approach to build a risk management program |
◐ |
Office of Integrity and Compliance documentation from fiscal year 2024 on managing risks states that it intends to adopt a maturity model approach to help the organization identify gaps in its existing risk management processes. According to documentation from the Audit, Risk, and Compliance Committee’s Risk Subcommittee, it voted to move forward with a maturity model approach in August 2024. The documentation notes that the office’s goal is to begin implementing the maturity model in fiscal year 2025. |
|
|
Monitor and continuously manage risks |
Track and monitor current and emerging risks |
◐ |
The Office of Integrity and Compliance created tools to track and monitor risk, such as VHA’s Risk Management Portal and Compliance Inquiry Reporting and Tracking System, according to officials. The office is reassessing other aspects of monitoring and managing risks, such as updating charters for various risk governance groups, according to compliance officials. |
|
Communicate and share information with internal and external stakeholders |
Incorporate feedback on risks from internal and external stakeholders |
◐ |
To help connect risk management with internal and external findings and recommendations, VHA realigned the VHA liaisons who coordinate responses to VA Office of Inspector General and GAO reviews. Specifically, VHA placed these liaisons under the Office of Integrity and Compliance’s Risk and Issue Management team as part of its fiscal year 2024 organizational change. While the Office of Integrity and Compliance has taken steps to communicate risks with certain stakeholders, it has not included feedback from other external stakeholders, such as groups representing various veteran populations. |
|
Share risk information across the enterprise |
◐ |
The Office of Integrity and Compliance created risk management templates and resources to share across the agency. Officials from the office told us that not all VA medical centers openly share risk information with VHA central office and a December 2023 training from the office indicates that VHA lacks a universal culture for risk disclosure. |
Legend: ● Met ◐ Partially Met ○ Not Met
Source: GAO assessment of Veterans Health Administration (VHA) information against GAO leading practices for managing risk. | GAO‑25‑106969
Note: Leading practices are essential elements and good practices identified by GAO that federal agencies can use to implement risk management effectively. For each leading practice, there are also additional necessary actions to successfully build a risk management program. “Met” indicates VHA has taken steps to meet all of the leading practices and taken all of the necessary actions. “Partially Met” indicates that VHA has started but not completed steps to meet the leading practices and necessary actions. “Not Met” indicates VHA has not met any of the leading practices or undertaken other necessary actions.
aIn addition, the Office of Integrity and Compliance survey from fiscal year 2023 noted that 49.6 percent of VA medical centers reported having risk management capabilities in place with a general understanding of some risk practices in most business areas. Further, 22.6 percent of VA medical centers reported risk management practices were generally well established.
GAO Contact
Alyssa M. Hundrup, (202) 512-7114 or hundrupa@gao.gov.
Staff Acknowledgments
In addition to the contact named above, Rebecca Rust Williamson (Assistant Director), E. Jane Whipple (Analyst-in-Charge), Sara Brinegar, Kaitlin Dunn, Erin Murphy, and Cathleen Whitmore made key contributions to this report. Also contributing were Jacquelyn Hamilton, David Jones, and Diona Martyn.
GAO’s Mission
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on Facebook, Flickr, X, and YouTube.
Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454 or (202) 512-7700
Congressional Relations
A. Nicole Clowers, Managing Director, ClowersA@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548
Public Affairs
Sarah Kaczmarek, Managing Director, KaczmarekS@gao.gov, (202) 512-4800, U.S.
Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
Strategic Planning and External Liaison
Stephen J. Sanford, Managing
Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington,
DC 20548
[1]See, for example, VA Office of Inspector General, Veterans Health Administration’s Failure to Properly Identify and Exclude Ineligible Providers from the VA Community Care Program (Washington, D.C.: April 9, 2024); Improved Oversight Needed to Evaluate Network Adequacy and Contractor Performance (Washington, D.C.: April 9, 2024); and Greater Compliance with Policies Needed Related to the Management of Emergent Care for Patients Presenting with Acute Sexual Assault (Washington, D.C.: Dec. 12, 2023).
[2]For reports with one or more of our recommendations that VA has not fully implemented as of October 2024, see, for example, GAO, Veterans Health: VA Should Improve Its Monitoring of Severe Maternal Complications and Mental Health Screenings, GAO‑24‑106209 (Washington, D.C.: Jan. 16, 2024); Veterans Health Care: VA Actions Needed to Ensure Timely Scheduling of Specialty Care Appointments, GAO‑23‑105617 (Washington, D.C.: Jan. 4, 2023); and Veterans Community Care Program: Improvements Needed to Help Ensure Timely Access to Care, GAO‑20‑643 (Washington, D.C.: Sept. 28, 2020).
[3]See GAO, High-Risk Series: An Update, GAO‑15‑290 (Washington, D.C.: Feb. 11, 2015). The four other areas are ambiguous policies and inconsistent processes; information technology challenges; inadequate training for VA staff; and unclear resource needs and allocation priorities.
[4]VHA conducts other oversight, such as for areas related to clinical risk management, privacy and information security, financial audits, health informatics management, and research. These functions are outside the scope of our report. Apart from these functions, Congress first established the offices of inspectors general in 1978, such as VA’s Office of Inspector General, to prevent and detect fraud and abuse in federal agencies’ programs and operations; conduct and supervise audits and investigations; and recommend policies to promote economy, efficiency, and effectiveness.
[5]In this report, the risk management function refers to enterprise risk management. According to the Office of Management and Budget, enterprise risk management is defined as an effective agencywide approach to addressing the full spectrum of the organization’s internal and external risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos. An example of an agency enterprise risk is unfilled mission critical positions across the entire organization that, when examined as a whole, could threaten the accomplishment of the mission.
[6]See GAO, Human Capital: Key Principles for Effective Strategic Workforce Planning, GAO‑04‑39 (Washington, D.C.: Dec. 11, 2003).
[7]See GAO, Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk, GAO‑17‑63 (Washington, D.C.: Dec. 1, 2016). We identified six leading practices that federal agencies can use to implement risk management effectively by combining the essential elements and good practices. The essential elements include align risk processes to goals and objectives, identify risks, assess risks, select risk response, monitor risks, and communicate and report on risks.
[8]We interviewed officials from the VA Chillicothe health care system (Chillicothe, Ohio), the VA Maine health care system (Togus, Maine), the VA North Texas health care system (Dallas, Texas) and the VA Puget Sound health care system (Seattle, Washington). We also spoke to officials from the VA regional networks for each health care system—VA networks 1, 10, 17, and 20.
[9]Internal audit functions are encouraged to use the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, in conjunction with generally accepted government auditing standards. See The Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (Lake Mary, Fla: Jan. 2017).
[10]Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. GAO, Standards for Internal Control in the Federal Government, GAO‑14‑704G (Washington, D.C.: September 2014).
[11]See GAO‑14‑704G.
[12]According to the Office of Management and Budget, an agency’s management is responsible for its enterprise risk management systems. Internal or external auditors conduct independent and objective audits, evaluations, and investigations of an agency’s programs and operations, which includes aspects of the internal control and risk management systems. Management uses the results of such evaluations, including accompanying findings and recommendations, to monitor the design or operating effectiveness of these systems at a specific time or of a specific function or process. See Office of Management and Budget Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (Washington, D.C.: July 15, 2016).
[13]To meet the needs of the veterans it serves, VA is also authorized to pay for eligible veterans to receive medical care from providers in the community. See VA MISSION Act of 2018, Pub. L. No. 115-182, § 101, 132 Stat. 1393, 1395-1404 (2018).
[14]In August 2024, VHA updated its policy directive that sets forth the roles, responsibilities, and levels of authorities for VHA central office entities, including broad responsibility for oversight. VHA added responsibilities in its policy directive to include directors in regional networks and VA medical facilities. See VHA Directive 1217, VHA Central Office Operating Units (Washington, D.C.: Aug. 14, 2024).
[15]In June 2019, we recommended that VHA establish a comprehensive policy that clearly defines regional network roles and responsibilities for managing and overseeing medical centers. In its August 2024 update to Directive 1217, VHA included roles and responsibilities for the regional network director but did not address other key leadership roles, such as for the deputy director or Chief Medical Officer. A more comprehensive policy would better position VHA to develop an oversight process to effectively assess overall regional network performance in managing and overseeing medical centers. See GAO, Veterans Health Administration: Regional Networks Need Improved Oversight and Clearly Defined Roles and Responsibilities, GAO‑19‑462 (Washington, D.C.: June 19, 2019).
[16]VHA previously based its oversight model on the Institute of Internal Auditors’ Three Lines Model. However, in fiscal year 2024, VHA determined that the Three Lines Model was insufficiently clear due to the complexity of VHA’s health care system. According to VHA, it then developed its own oversight model with overlapping levels of oversight responsibility.
[17]See Office of Management and Budget Circular No. A-123. The Office of Integrity and Compliance is responsible for various other compliance activities, such as VHA’s anti-fraud, waste, and abuse, statement of assurance, and internal controls assessment responsibilities. These compliance activities are outside the scope of our report.
[18]According to officials, different types of staff complete compliance and risk management activities as these activities occur throughout the organization at VA medical centers, regional networks, and program offices. For example, various staff in operations, clinical services, and quality and patient safety roles complete risk management activities for clinical programs. The Office of Integrity and Compliance then has responsibility for consolidating all risk management activities into a more system-wide perspective of VHA risk.
[19]The Office of the Medical Inspector does not initiate work on its own. Instead, the office’s caseload is based on referrals it receives from VA and VHA components, the U.S. Office of Special Counsel, and others. The origins of referrals can include VA whistleblowers; members of Congress in response to information received from constituents, veterans service organizations, or media reports of problems at certain VA medical facilities; and VA employees and the general public who submit complaints to the VA Office of Inspector General’s complaint hotline.
[20]In July 2023, we recommended that the Office of the Medical Inspector establish and document responsibilities for supervisory review processes, which it implemented in November 2023. We recommended that the office establish strategic goals and related performance goals, which it implemented in February 2024. We also made two other recommendations that the Office of the Medical Inspector establish performance measures and collect relevant information and that the office use this information to assess its progress toward meeting its mission. As of May 2024, VHA had been working on addressing these two recommendations with a plan to implement them by early 2025. See GAO, VA Health Care: Office of the Medical Inspector Should Strengthen Oversight of Recommendations and Assess Performance, GAO‑23‑105634 (Washington, D.C.: July 27, 2023).
[21]In 2016, VHA also reorganized the Office of Compliance and Business Integrity (now the Office of Integrity and Compliance) under the Office of Integrity.
[22]The Office of Integrity and Compliance is also responsible for shared services and support such as budgets, fiscal management, and contracts, but these functions are not directly related to conducting oversight, so we excluded staff in these positions in our review. The office had an additional 67 total full-time equivalent staff working in these areas, as of July 2024, according to VHA documentation.
[23]The Office of the Medical Inspector’s cases are driven by external referrals and ranged between 25 to 74 cases from fiscal year 2017 to 2023.
[25]See Office of Management and Budget Circular No. A-123. Effective as of fiscal year 2017, these requirements are for federal agencies to implement agencywide risk management, defined as an effective agencywide approach to addressing the full spectrum of the organization’s internal and external risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.
[27]See GAO‑17‑63. Further, the Office of Management and Budget states that agencies must continuously build risk identification capabilities into risk management to identify new or emerging risks, or changes in existing risks. See Office of Management and Budget Circular No. A-123.
[28]VHA uses the American Society for Health Care Risk Management guidelines to define eight common risks. For example, clinical risks are those associated with the delivery of care to patients and others that include failure to follow evidence-based practices, medication errors, hospital acquired conditions, and serious safety events. Another example is non-clinical risks that result from inadequate or failed internal processes, people, or systems that affect business operations. In this report, we use non-clinical risks to also refer to those risks that do not directly relate to providing care to veterans, to include risks such as operational, financial, and human capital risks. See American Society for Health Care Risk Management, Enterprise Risk Management: Implementing ERM (Chicago, Ill.: 2020).
[30]Suicide prevention is VA’s stated top clinical priority. For information on VHA’s organizational structure for its suicide prevention programs, see GAO, VA Health Care: Organization of the Office of Mental Health and Suicide Prevention, GAO‑24‑106023 (Washington, D.C.: Feb. 29, 2024).
[31]The Office of Integrity and Compliance operates VHA’s risk register on SharePoint for use by the agency’s compliance officials. The risk register is housed within the risk management portal, which is used by the office to document and track risks.
[32]According to Office of Integrity and Compliance documentation, one of the office’s 2024 fiscal year goals for managing risk was to obtain approval to use the updated risk register from the Audit, Risk, and Compliance Committee. In addition, by the end of fiscal year 2025, the office plans to implement processes to support the integration of strategic planning activities and risk management activities.
[34]According to internal audit documentation from 2023, the Office of Internal Audit planned to review its process for monitoring progress and closing recommendations but did not specify a timeline for doing so.
[35]See The Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (Lake Mary, Fla.: Jan. 2017). In addition, standards for internal control in the federal government state that management should design control activities, such as policies and procedures, to help management fulfill responsibilities, assign roles, and address any risk in achieving objectives. See GAO‑14‑704G.
[36]Generally accepted government auditing standards provide the preeminent standards for government auditing. See GAO, Government Auditing Standards: 2018 Revision Technical Update April 2021, GAO‑21‑368G (Washington, D.C.: April 2021).
[37]According to VHA documentation, the 2024 reorganization maintained the Office of the Medical Inspector’s direct reporting line to the Under Secretary for Health. Officials from the Office of the Medical Inspector told us they brief the Under Secretary for Health every 2 weeks with an executive summary of their recent findings and recommendations. In contrast, Office of Internal Audit officials told us that they do not meet periodically with the Under Secretary for Health.
[38]Officials told us that the Office of Internal Audit has had inconsistent leadership since VHA established the office in 2016. For example, the office had a permanent Chief Audit Executive for only 2 of the past 5 years.
[39]See GAO‑21‑368G. Government internal auditors, such as the Office of Internal Audit, who work under the direction of the audited entity’s management are considered structurally independent for the purposes of reporting internally, if the head of the audit organization meets certain criteria. The Office of Internal Audit reports to senior management within VHA and does not report externally or conduct engagements pertaining to parties external to VHA. In comparison, the VA Office of Inspector General reports internally and externally but has statutory safeguards that help mitigate the effects of any structural threats to independence.
[40]See Veterans Health Administration, Internal Audit and Risk Assessment, VHA Directive 1370 (Washington, D.C.: Feb. 5, 2018). In its fiscal year 2024 high-risk action plan, VHA noted that it is in the process of revising this policy directive. VHA did not identify an estimated date for when it would reissue the policy directive.
[41]See VA MISSION Act of 2018, Pub. L. No. 115-182, § 104, 132 Stat. 1393, 1409-1412 (2018).
[42]See VHA, Audit, Risk and Compliance Committee Charter (Washington, D.C.: March 18, 2021). VHA officials told us that the agency initially chartered the Audit, Risk, and Compliance Committee in 2017 and updated the committee’s charter in 2021, following the 2020 reorganization in VHA central office.
[43]VHA established three subcommittees under the Audit, Risk, and Compliance Committee devoted to (1) compliance, (2) fraud, waste, and abuse, and (3) risk.
[44]See GAO‑14‑704G.
[45]See Office of Management and Budget Circular No. A-123.
[46]See VA, GAO High Risk List Action Plan Update for Fiscal Year 2024: Managing Risks and Improving VA Health Care.
[47]Risk management is a series of activities to control threats to achieve an organization’s goals and objectives or the organization’s well-being. Risk management includes activities and sometimes the application of resources to minimize, monitor, detect, control, or prevent the probability or impact of future adverse events or to maximize the realization of opportunities.