The audit by the VA inspector general (.pdf) brings renewed attention to problems of data security and contract management after the department sustained blistering criticism for its last May.
The audit found that the VA put out multiple and inconsistent changes to the contract awarded in 2002 to VAST, a small business joint venture based in Texas, for computer service work aimed at fending off computer hackers.
In the report, the VA generally agreed with the findings. It said it has created contract review boards to help improve oversight and will seek to recoup lost or unaccounted for payments.
"VA is committed to being a good fiscal steward of taxpayer dollars in carrying out our important mission of serving veterans," spokesman Matt Burns said Wednesday.
According to the findings, the VA:
In addition, because the department spent money on the contract so quickly, it was left temporarily without a defense against hackers after the 10-year contract was allowed to expire prematurely in 2005.
In recent weeks, VA officials have faced a fresh round of bipartisan criticism over data security, with auditors telling Congress that gaping holes persist and that most VA data remains unencrypted.
At a hearing last month, Maureen Regan, counselor to the VA inspector general, said the department still hasn't fully implemented any of its recommendations from reports dating back to 2001.
The department also hasn't adopted five key recommendations issued shortly after the massive data breach last May involving veterans. That data was later recovered.
The inspector general's report was publicly released Feb. 26 and first noted Tuesday by McClatchy newspapers.
By Hope Yen