Audit of Integrated Financial and Acquisition Management System Access Controls
Summary
The Integrated Financial and Acquisition Management System (iFAMS) is a comprehensive financial management system intended to replace multiple legacy systems and combine both acquisition and financial functions. iFAMS, as part of the system’s financial-related functionality, contains sensitive acquisition information like pricing and labor rates. This information must be protected. The VA OIG conducted this audit to determine whether iFAMS user access controls that are intended to limit account privileges are sufficient to safeguard VA data and comply with applicable laws, regulations, and guidance.
The OIG found access was not sufficiently limited as required for all 20 Technology Acquisition Center (TAC) users sampled. The team determined 91 percent of the 2,818 users with access to TAC data did not work for TAC but were requesting access to TAC information as of February 2025. Additionally, 78 percent of these users had roles that granted exceptionally broad access to sensitive acquisition information, presenting widespread risk of unnecessary access.
This risk occurred, in part, because iFAMS access controls were too broad. Additionally, quality reviews did not capture all access granted to a user. Finally, the electronic tool that is available for supervisors and information owners to routinely see user roles and accesses does not show all accesses the users have been granted.
Unnecessary access could compromise sensitive acquisition data in iFAMS. With every additional user who can access sensitive information, the risk of misuse increases. VA concurred with the OIG’s three recommendations to improve iFAMS access controls before the system is implemented further.
1. Implement a plan with the Office of Acquisition and Logistics Project Management Office to ensure system access is more granular and the intent of the principle of least privilege is met.
2. Ensure all roles and accesses, including those provided by default access, are reviewed and certified periodically as required.
3. Implement a permanent solution to provide supervisors and information owners with visibility of all roles and accesses, including those provided by default access, granted to users.