Service-Disabled Veteran-Owned Small Business Program
Additional Improvements to Fraud Prevention Controls Are Needed
GAO ID: GAO-12-205T November 30, 2011
This testimony discusses the fraud prevention controls within the Service-Disabled Veteran-Owned Small Business (SDVOSB) program at the Department of Veterans Affairs (VA). Today's testimony summarizes our report, released today, on the design of VA's fraud prevention controls within the SDVOSB verification program, including recent improvements in controls. The SDVOSB program is intended to provide federal set-aside and sole-source contracts to small businesses owned and controlled by one or more service-disabled veterans. About $10.8 billion in contracts were awarded in fiscal year 2010 to firms that self-certified as SDVOSBs in the Central Contractor Registration (CCR), according to the Small Business Administration (SBA). VA's SDVOSB contracts accounted for $3.2 billion, or about 30 percent of the $10.8 billion in governmentwide SDVOSB contracts during fiscal year 2010. As of October 2011, VA's VetBiz Vendor Information Pages database shows that the agency has verified the eligibility of more than 5,000 SDVOSB firms. In addition, more than 15,000 firms also self-certified their SDVOSB eligibility in CCR. In audits of the SDVOSB program conducted in 2009 and 2010, we identified weaknesses in fraud prevention controls that allowed ineligible firms to receive about $100 million in SDVOSB contracts. These weaknesses included a lack of governmentwide controls, which allowed ineligible firms to receive contracts by self-certifying that they were legitimate SDVOSB firms. In addition, we found the absence of continued monitoring of firm eligibility and an ineffective process for investigating and prosecuting firms abusing the program. We also found that VA had made limited progress enacting an effective verification program as required by the Veterans Benefits, Health Care, and Information Technology Act of 2006. 
After the Veterans Benefits, Health Care, and Information Technology Act of 2006 was passed, Congress passed laws further intended to strengthen the SDVOSB program within VA and governmentwide. The Veterans Small Business Verification Act requires VA to verify a firm's eligibility before including that firm in the database and permits VA to request additional documentation substantiating veteran ownership and control of a firm in order to establish eligibility. To improve governmentwide program controls, we recommended that SBA and VA explore the feasibility of expanding the use of VA's verified VetBiz database to the rest of the federal government. SBA and VA generally agreed with our recommendation. Furthermore, Congress also passed the Small Business Jobs Act of 2010, which facilitates prosecution of firms that willfully seek and receive small business awards through misrepresentation of their status, including SDVOSBs. This testimony summarizes our report on the design of VA's fraud prevention controls within the SDVOSB verification program, including recent VetBiz verification efforts, instituted in response to the Veterans Small Business Verification Act.
VA's fraud prevention controls for the SDVOSB program within VA have improved since the Veterans Small Business Verification Act was enacted. Specifically, VA has made progress in implementing an enhanced initial SDVOSB verification process that reduces the risk that ineligible firms will receive VA contracts. However, further enhancements could do more to reduce the program's vulnerability. Improvements in the areas of preventive controls, detection and monitoring, and investigations and prosecutions could be made within VA's VetBiz verification process. With a comprehensive framework in place, VA can be more confident that the billions of dollars meant to provide VA contracting opportunities to our nation's service-disabled veteran entrepreneurs make it to the intended beneficiaries. In an effort to improve controls, in our report, we made recommendations to improve fraud prevention controls in the areas of prevention, detection and monitoring, and investigations and prosecutions. VA generally agreed with the recommendations.
GAO-12-205T, Service-Disabled Veteran-Owned Small Business Program: Additional Improvements to Fraud Prevention Controls Are Needed
This is the accessible text file for GAO report number GAO-12-205T
entitled 'Service-Disabled Veteran-Owned Small Business Program:
Additional Improvements to Fraud Prevention Controls Are Needed' which
was released on November 30, 2011.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittees on Economic Opportunity and Oversight and
Investigations, Committee on Veterans' Affairs, House of
Representatives:
For Release on Delivery:
Expected at 10:00 a.m. EST:
Wednesday, November 30, 2011:
Service-Disabled Veteran-Owned Small Business Program:
Additional Improvements to Fraud Prevention Controls Are Needed:
Statement of Gregory D. Kutz, Director:
Forensic Audits and Investigative Service:
GAO-12-205T:
Chairmen Stutzman and Johnson, Ranking Members Braley and Donnelly,
and Members of the Subcommittees:
Thank you for the opportunity to discuss the fraud prevention controls
within the Service-Disabled Veteran-Owned Small Business (SDVOSB)
program at the Department of Veterans Affairs (VA). Today's testimony
summarizes our report, released today, on the design of VA's fraud
prevention controls within the SDVOSB verification program, including
recent improvements in controls.[Footnote 1] The SDVOSB program is
intended to provide federal set-aside and sole-source contracts to
small businesses owned and controlled by one or more service-disabled
veterans. About $10.8 billion in contracts were awarded in fiscal year
2010 to firms that self-certified as SDVOSBs in the Central Contractor
Registration (CCR), according to the Small Business Administration
(SBA).[Footnote 2] VA's SDVOSB contracts accounted for $3.2 billion,
or about 30 percent of the $10.8 billion in governmentwide SDVOSB
contracts during fiscal year 2010. As of October 2011, VA's VetBiz
Vendor Information Pages database shows that the agency has verified
the eligibility of more than 5,000 SDVOSB firms. In addition, more
than 15,000 firms also self-certified their SDVOSB eligibility in CCR.
In audits of the SDVOSB program conducted in 2009 and 2010, we
identified weaknesses in fraud prevention controls that allowed
ineligible firms to receive about $100 million in SDVOSB contracts.
[Footnote 3] These weaknesses included a lack of governmentwide
controls, which allowed ineligible firms to receive contracts by
self-certifying that they were legitimate SDVOSB firms. In addition, we
found the absence of continued monitoring of firm eligibility and an
ineffective process for investigating and prosecuting firms abusing
the program. We also found that VA had made limited progress enacting
an effective verification program as required by the Veterans
Benefits, Health Care, and Information Technology Act of 2006.
[Footnote 4] To improve governmentwide program controls, we
recommended that SBA and VA explore the feasibility of expanding the
use of VA's verified VetBiz database to the rest of the federal
government. SBA and VA generally agreed with our recommendation.
After the Veterans Benefits, Health Care, and Information Technology
Act of 2006 was passed, Congress passed laws further intended to
strengthen the SDVOSB program within VA and governmentwide. The
Veterans Small Business Verification Act requires VA to verify a
firm's eligibility before including that firm in the database and
permits VA to request additional documentation substantiating veteran
ownership and control of a firm in order to establish
eligibility.[Footnote 5] Furthermore, Congress also passed the Small
Business Jobs Act of 2010, which facilitates prosecution of firms that
willfully seek and receive small business awards through
misrepresentation of their status, including SDVOSBs.[Footnote 6]
Today's testimony summarizes our report on the design of VA's fraud
prevention controls within the SDVOSB verification program, including
recent VetBiz verification efforts, instituted in response to the
Veterans Small Business Verification Act. The report is being released
today as a separate product.[Footnote 7] To conduct this work, we
reviewed prior findings from GAO audits and investigations of the
SDVOSB program. We reviewed applicable guidance on internal control
standards from GAO's Standards for Internal Control in the Federal
Government,[Footnote 8] the fraud prevention framework,[Footnote 9]
VA's Office of Inspector General (OIG) report,[Footnote 10] and VA's
Verification Process Guidelines and internal control policies. We also
interviewed VA officials and reviewed related documents. In addition,
we conducted undercover tests to assess initial screening controls of
an individual's service-disabled veteran status within VA's
verification process. The undercover tests were limited in scope to
providing a fictitious firm controlled by an individual whose Social
Security number was not listed as a service-disabled veteran in VA's
database of service-disabled veterans. Our assessment is part of an
ongoing review of fraud prevention controls for the entire SDVOSB
program. This testimony focuses on the design of VA's SDVOSB
verification controls within its Center for Veterans Enterprise (CVE)
office. With the exception of undercover tests to assess initial
screening controls, we did not test the effectiveness of VA's fraud
prevention controls or attempt to project the extent of fraud and
abuse. Additional information on our scope and methodology is
available in the issued report.
We conducted the work related to the report from July 2011 to October
2011 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. We
performed our investigative work, limited to our undercover tests, in
accordance with the standards prescribed by the Council of the
Inspectors General on Integrity and Efficiency.
Summary:
VA's fraud prevention controls for the SDVOSB program within VA have
improved since the Veterans Small Business Verification Act was
enacted. Specifically, VA has made progress in implementing an
enhanced initial SDVOSB verification process that reduces the risk
that ineligible firms will receive VA contracts. However, further
enhancements could do more to reduce the program's vulnerability.
Improvements in the areas of preventive controls, detection and
monitoring, and investigations and prosecutions could be made within
VA's VetBiz verification process. With a comprehensive framework in
place, VA can be more confident that the billions of dollars meant to
provide VA contracting opportunities to our nation's service-disabled
veteran entrepreneurs make it to the intended beneficiaries. In an
effort to improve controls, in our report, we made recommendations to
improve fraud prevention controls in the areas of prevention,
detection and monitoring, and investigations and prosecutions. VA
generally agreed with the recommendations.
VA's SDVOSB Program Controls Have Improved, but Vulnerabilities Remain:
VA's fraud prevention controls for the SDVOSB program have improved
since the Veterans Small Business Verification Act was enacted, but
additional enhancements would further reduce the vulnerabilities we
identified in the areas of preventive controls, monitoring and
detection, and investigations and prosecutions. These are also the
components of GAO's fraud prevention framework (see fig. 1). First,
preventive controls are an effective and efficient way of preventing
ineligible firms from being verified. Second, active and continual
monitoring of verified SDVOSB firms is necessary to detect any changes
in their status that may affect eligibility. Third, investigations and
prosecutions are a strong deterrent for those considering
misrepresenting their SDVOSB status.
Figure 1: GAO's Fraud Prevention Framework:
[Refer to PDF for image: illustration]
Potential fraud, waste, and abuse:
Implementation of Prevention controls: leads to:
Smaller amount of Potential fraud, waste, and abuse:
Implementation of detection and monitoring (lessons learned influence
future use of prevention controls): leads to:
Smaller amount of Potential fraud, waste, and abuse:
Implementation of investigations and prosecutions (lessons learned
influence future use of prevention controls).
Source: GAO.
[End of figure]
Additional Improvements to Preventive Controls Are Needed:
VA has enhanced deterrents to ineligible firms becoming verified
through VetBiz. As of April 2011, VA had established verification
guidelines, including a requirement to search the exact names of
company principals in the Excluded Parties List System, and developed
a risk assessment model to examine applications. VA also updated its
data systems to limit manual data entries. Its process of verifying
service-disabled veteran status allowed VA to prevent two fictitious
ineligible SDVOSB applications submitted by GAO from being verified.
Specifically, we submitted two fictitious companies for verification,
listing the names and Social Security numbers of the majority owners
who were not service-disabled veterans. VA's controls appropriately
identified that our company owners were not service-disabled veterans
and rejected our applications. VA also hired additional CVE staff to
conduct initial file reviews and site visits. Additionally, VA has
conducted announced site visits at high-risk firms before they receive
VetBiz approval. Finally, VA created a quality review team to inspect
a subset of initial file examination decisions. According to VA, these
enhanced deterrents have resulted in the denial of verification to over
1,800 firms under the new verification guidelines.
Even with these enhanced deterrents, program weaknesses and
vulnerabilities remain within VA's SDVOSB program. During our
interviews with CVE officials, we found that CVE had not performed a
systematic assessment of the qualifications of its staff. In addition,
CVE staff and contracting officials had not received fraud awareness
training. VA also did not have formal processes or procedures for
considering all SBA status protest decisions related to an applicant,
and was not validating applicants' self-reported information. VA also
did not have a formal process for selecting high-risk companies for
unannounced site visits or using information from previously denied
SDVOSB applications to prevent individuals and fraudulent companies
from repeated attempts at breaching VA controls. Additionally, we
found that VA was not requesting that denied companies reassess their
self-certified SDVOSB status in CCR. By addressing the identified
vulnerabilities, VA could further improve its fraud prevention
controls.
Additional Improvements to Detection and Monitoring Controls Are
Needed:
VA has developed some controls that may help identify firms in the
VetBiz-verified database that do not meet SDVOSB eligibility
requirements, such as a reverification initiative designed to review
previously verified SDVOSB firms under new controls. VA has also
developed a process for interested parties to protest a firm's status,
and instituted random announced site visits of verified SDVOSB firms.
However, even with enhanced controls, certain weaknesses and
vulnerabilities remain because of VA's focus on initial eligibility
verification. For example, VA does not monitor firms' continued
compliance with North American Industry Classification System size
standards, nor does it have contact with contracting officials to
determine whether the required percentage of work on SDVOSB contracts
has been performed. VA also does not systematically data mine existing
contract awards for review and further inspection. VA also does not
have a formal process for selecting companies for unannounced site
visits to contract performance locations and does not have a formal
process for interviewing contracting officials. Finally, VA has not
formalized its quality assurance process for selecting verified
companies for unannounced site visits to determine if the verification
process is effective. Further improvements in these areas would
strengthen the design of detection and monitoring controls within the
verification process.
Additional Improvements to Investigations and Prosecutions Are Needed:
VA has taken some actions to debar firms violating SDVOSB program
requirements. VA may debar an ineligible firm in accordance with the
Veterans Benefits, Health Care, and Information Technology Act of
2006, which requires that any business determined to have
misrepresented its status as an SDVOSB shall be debarred from
contracting for a reasonable period of time, as determined by VA. VA
instituted a debarment committee in September 2010 specifically to
debar firms violating SDVOSB regulations. As of October 2011, the
committee had debarred one SDVOSB firm and related individuals that
had misrepresented their status as an SDVOSB. Several other debarment
actions are currently pending or are being litigated. Additionally,
CVE officials have sent about 70 referrals to the VA OIG for potential
fraudulent actions by firms receiving SDVOSB contracts. VA OIG is
currently investigating these cases.
We identified certain weaknesses and vulnerabilities in the
investigation and prosecution controls during our site visits. The
debarment of only one firm and related individuals suggests that there
is room for additional action given the 1,800 firms rejected by VA
during its verification process and the 70 firms referred to VA OIG
for potentially fraudulent actions. Additionally, VA does not have
specific procedures for CVE staff to refer companies to the debarment
committee or VA OIG, and has no specific guidelines documenting how VA
is implementing debarments or outlining the debarment committee's
decision process. Providing more emphasis on debarments and
investigations could further help VA deter firms from attempting to
fraudulently gain access to its SDVOSB program.
Conclusions:
In conclusion, VA has made progress in implementing a valid
verification program to deter ineligible firms from becoming verified
and receiving SDVOSB contracts. However, additional improvements can
be made, particularly in monitoring and detection and investigations
and prosecutions. Specifically, developing a robust unannounced site
visit process for verified firms and aggressively pursuing debarments
and prosecutions of firms found to have violated program rules will
further enhance fraud prevention controls. With a comprehensive
framework in place, VA can be more confident that the billions of
dollars meant to provide VA contracting opportunities to our nation's
service-disabled veteran entrepreneurs make it to the intended
beneficiaries.
To minimize the risk of fraud and abuse within VA's SDVOSB program, in
the report released today, we recommended that the Secretary of
Veterans Affairs take 13 actions in the following three areas:
* Improve VA's preventive controls to provide reasonable assurance
that only eligible firms gain access to the VetBiz database.
* Strengthen VA's detection and monitoring controls over verified
firms.
* Strengthen VA's investigative and prosecutorial actions for firms
violating SDVOSB program laws and regulations.
VA generally concurred with our recommendations and noted a number of
significant actions planned or taken since the time of our site visits
and development of our findings, which, according to VA, address many
of the identified vulnerabilities.
According to VA officials, VA has recently made improvements to its
preventive controls. For example, VA officials stated that CVE staff
and most contractors assisting with the application evaluation are now
required to receive Certified Fraud Examiner training, and additional
VetBiz training has been provided to contracting officials. VA
officials also stated VA has recently strengthened the agency's
monitoring and detection of verified SDVOSB firms. Specifically, VA
officials stated that VA conducts unannounced visits to verified
companies either randomly or during the course of a high-risk SDVOSB
reverification assessment. Finally, VA officials stated that VA
recently strengthened the investigative and prosecutorial actions by
creating guidelines for referring firms to VA OIG and the debarment
committee. We plan to follow up on actions taken by VA as part of our
ongoing work and will report back to the subcommittees on our findings.
Chairmen Stutzman and Johnson, Ranking Members Braley and Donnelly,
and Members of the Subcommittees, this completes my prepared
statement. I would be pleased to answer any questions that you may
have at this time.
GAO Contacts:
If you or your staff have any questions about this testimony, please
contact Gregory D. Kutz at (202) 512-6722 or kutzg@gao.gov. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this statement.
[End of section]
Related GAO Products:
Service-Disabled Veteran-Owned Small Business Program: Additional
Improvements to Fraud Prevention Controls Are Needed. [hyperlink,
http://www.gao.gov/products/GAO-12-152R]. Washington, D.C.: October
26, 2011.
Service-Disabled Veteran-Owned Small Business Program: Preliminary
Information on Actions Taken by Agencies to Address Fraud and Abuse
and Remaining Vulnerabilities. [hyperlink,
http://www.gao.gov/products/GAO-11-589T]. Washington, D.C.: July 28,
2011.
Department of Veterans Affairs: Agency Has Exceeded Contracting Goals
for Veteran-Owned Small Businesses, but It Faces Challenges with Its
Verification Program. [hyperlink,
http://www.gao.gov/products/GAO-10-458]. Washington, D.C.: May 28,
2010.
Service-Disabled Veteran-Owned Small Business Program: Fraud
Prevention Controls Needed to Improve Program Integrity. [hyperlink,
http://www.gao.gov/products/GAO-10-740T]. Washington, D.C.: May 24,
2010.
Service-Disabled Veteran-Owned Small Business Program: Case Studies
Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of
Dollars in Contracts. [hyperlink,
http://www.gao.gov/products/GAO-10-306T]. Washington, D.C.: December
16, 2009.
Service-Disabled Veteran-Owned Small Business Program: Case Studies
Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of
Dollars in Contracts. [hyperlink,
http://www.gao.gov/products/GAO-10-255T]. Washington, D.C.: November
19, 2009.
Service-Disabled Veteran-Owned Small Business Program: Case Studies
Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of
Dollars in Contracts. [hyperlink,
http://www.gao.gov/products/GAO-10-108]. Washington, D.C.: October 23,
2009.
[End of section]
Footnotes:
[1] GAO, Service-Disabled Veteran-Owned Small Business Program:
Additional Improvements to Fraud Prevention Controls Are Needed,
[hyperlink, http://www.gao.gov/products/GAO-12-152R] (Washington D.C.:
Oct. 26, 2011).
[2] CCR is the primary contractor registrant database for the U.S.
federal government. CCR collects, validates, stores, and disseminates
data in support of agency acquisition missions.
[3] See the list of related GAO products at the end of this testimony.
[4] The act requires VA to institute controls over its SDVOSB
contracts. The requirement to maintain a database of VA-verified
SDVOSBs and Veteran-Owned Small Businesses (VOSB) became effective
June 2007. The act also requires that VA only use its set-aside and
sole-source award authority for SDVOSB firms listed in the database
and to debar for a reasonable period of time, as determined by VA,
firms that misrepresent SDVOSB and VOSB status. Pub. L. No. 109-461, §
502, 120 Stat. 3403, 3431-3435 (2006).
[5] Veterans Small Business Verification Act, Pub. L. No. 111-275, §
104, 124 Stat. 2864, 2867 - 2868 (2010).
[6] Small Business Jobs Act of 2010, Pub. L. No. 111-240, § 1341, 124
Stat. 2504, 2543 - 2544 (2010).
[7] [hyperlink, http://www.gao.gov/products/GAO-12-152R].
[8] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[9] GAO, Service-Disabled Veteran-Owned Small Business Program: Fraud
Prevention Controls Needed to Improve Program Integrity, [hyperlink,
http://www.gao.gov/products/GAO-10-740T] (Washington, D.C.: May 24,
2010).
[10] VA OIG, Office of Audit and Evaluations, Department of Veteran
Affairs: Audit of Veteran-Owned and Service-Disabled Veteran-Owned
Small Business Programs, 10-02436-234 (July 25, 2011).
[End of section]
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548.
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548.