Watchdog: VA benefits system lacks accurate audit logs

The Department of Veterans Affairs' online benefits management system lacks accurate audit logs, and as a result cannot effectively identify the location of and respond to security violations, according to an April 28 Office of the Inspector General report.

The Veterans Benefits Administration established the Veterans Benefits Management System as a technology platform to eliminate the backlog of veteran compensation claims by transitioning from a paper-intensive claims process to a digitized system. VBMS has reportedly made progress in reducing the backlog, but remains subject to the limitations of the department's legacy systems.

Acting on an April 2015 anonymous tip, the VA OIG discovered the VBA failed to pass accurate information along to the legacy audit logs. Audit logs allow Information Security Officers to review, audit and intervene on potential security violations, and deficient ones result in an inability to detect and address security violations within VBMS.

At issue is whether VBA has the ability to detect whether claims employees are working on claims in which they have a conflict of interest, such as those of friends, co-workers, or even their own claims.

Auditors conducted tests of the system by observing 17 employees at three VA regional offices attempt to access veteran employee compensation claims in VBMS, which were committed improperly. Audit logs identified security violations for 15 of the 17 employees, but did not indicate that security violations had occurred within VBMS. Instead, violations were shown to have occurred in a different VBA application or in an unknown system.

VBA disputed the extent of the risk posed by the logging issue. Danny Pummill, acting undersecretary for benefits, wrote that the tests used by OIG to validate its findings create "a false impression of VBA information security weaknesses." Pummill said there are separate control systems that "prevent employees from colluding on the claims of other employees and to ensure separation of duties between staff involved in approving monetary awards and payment of benefits."

Pummell concurred with some of the technical recommendations, and said new requirements on how VBMS data should appear in audit logs by July 31. VA CIO LaVerne Council said that a more integrated audit log could be in place by the end of 2016.