Too many employees in all the Defense Department inspectors general offices were allowed access to sensitive whistleblower reprisal investigation files without full authorization, the Government Accountability Office reported on Thursday.

In a report that marked overall progress in the IGs’ efforts to improve timeliness and quality in processing complaints, auditors found that from 2016-2018, “numerous restricted whistleblower records in its document repository were accessible to DODIG personnel without a need to know.”

In addition, “employees in Marine Corps IG offices were able to see whistleblower cases assigned to other IG offices without a need to know,” GAO said. “While some actions have been taken to address these issues, additional steps are needed to restrict access to case information in order to mitigate ongoing risks to whistleblower confidentiality.”

In general, inspectors general for the military services and the Defense IG “have met some key goals and have policies that address whistleblower confidentiality,” the report said. In addition, the offices generally met key documentation and data requirements for the 125 cases dismissed by the Defense IG involving civilian presidentially appointed Defense officials by reporting most credible allegations.

Yet about 85 percent of Defense IG reprisal and senior official misconduct investigations were late, exceeding statutory and internal timeliness goals, according to surveys of employees with access. And military service IGs did not meet most goals for handling cases within prescribed timeframes, said the report required under the fiscal 2017 National Defense Authorization Act.

The service IGs averaged between 17 and 84 days to notify the Defense IG of their receipt of whistleblower reprisal allegations, exceeding the 10-day goal. The Defense IG’s 108 employees who handle complaints received 12,000 contacts from prospective whistleblowers in fiscal 2018.

The IGs have taken remedial steps such as restricting access to case information through unique user permissions and by taking actions to follow the department’s information technology risk management process. But some gaps persist in the IGs’ confidentiality approach.

“For example, DODIG guidance for protecting whistleblowers who report internal DODIG misconduct does not specify key steps investigators should take to protect confidentiality, such as not identifying complainants during interviews with case subjects,” GAO said. “Also, Air Force, Naval, and Marine Corps IG guidance does not specify when whistleblower identities can be disclosed without consent.”

Overall, “without formal guidance documenting procedures for protecting the confidentiality of whistleblowers reporting potential internal DODIG employee misconduct,” the audit continued, employees “lack assurance that DODIG can fully protect their identities” after they report waste, fraud, abuse or misconduct.

Acknowledging the IGs’ various initiatives underway to improve promptness, GAO made 12 recommendations of additional actions that could “provide a more targeted approach to improving performance against unmet timeliness goals—such as for senior official misconduct investigations—and better assure whistleblowers that their cases will be handled expeditiously.”

The department managers agreed, though they noted, for example, that the record closure of 60 reprisal investigations in fiscal 2018 was a significant improvement over the 37 closed in fiscal 2017.