Improper Payments
Weaknesses in USAID's and NASA's Implementation of the Improper Payments Information Act and Recovery Auditing Gao ID: GAO-08-77 November 9, 2007Agencies are required to report improper payment information under the Improper Payments Information Act of 2002 (IPIA) and recovery auditing information under section 831 of the National Defense Authorization Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act. Since the first year of implementation, fiscal year 2004, limited improper payments reporting by the United States Agency for International Development (USAID) and the National Aeronautics and Space Administration (NASA) and concerns raised by NASA's auditors about its risk assessment process prompted scrutiny from the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, during several oversight hearings. Because the subcommittee noted that USAID's and NASA's performance and accountability report (PAR) reporting on improper payments and recovery auditing was minimal, GAO was asked to review both agencies' IPIA risk assessment methodologies, recovery auditing procedures, and actions under way to improve their IPIA and recovery audit reporting.
For the first 3 years of IPIA implementation, fiscal years 2004 through 2006, USAID and NASA performed various procedures to conduct their risk assessments. Many of these procedures are positive steps to address the requirements of IPIA. At the same time, GAO identified numerous deficiencies in the procedures that warrant further improvement. For example, neither USAID nor NASA had developed a systematic process to (1) identify risks that exist in their payment activities or (2) evaluate the results of their payment stream reviews, such as weighting and scoring the effectiveness of existing internal control over payments made and results from external audits. Furthermore, risk assessment documentation maintained by USAID and NASA was lacking or insufficient to support their conclusions that no programs or activities were susceptible to significant improper payments. A lack of detailed written guidance for both agencies may have contributed to the deficiencies identified. Due to inadequacies in their risk assessment process, USAID and NASA cannot be certain that they had no programs or activities susceptible to significant improper payments, and ultimately, had effectively implemented IPIA. Although USAID and NASA have reported on steps taken to recoup improper contract payments, GAO found several weaknesses in their recovery auditing procedures for fiscal years 2004 through 2006. In particular, USAID and NASA did not report recovery auditing information for each fiscal year, documentation was lacking or not adequately supported, and neither agency adhered to all of the reporting requirements outlined in Office of Management and Budget's (OMB's) implementing guidance. Other weaknesses noted were agency-specific. For example, USAID recovery auditing procedures were comprised of reviews of certain Office of Inspector General and external audit reports over USAID grant and contract programs. However, the methodology used for conducting those audits may not have constituted a recovery auditing program as defined by OMB guidance, and thus may be insufficient for this purpose. NASA, on the other hand, used IPIA contract payment review results to report amounts recovered for fiscal year 2005. However, the payment reviews were limited in scope and did not provide an adequate representation of the extent of contract overpayments. Due to a lack of, or insufficient, documentation, along with identified weaknesses, the validity and accuracy of the reported recovery amounts are questionable. While USAID and NASA have experienced significant challenges in their first 3 years of IPIA implementation, both agencies have taken steps to strengthen their risk assessment process and, ultimately, IPIA reporting. For example, USAID has developed an agencywide payment database that will be used to research and data mine for potential improper payments. NASA hired two different contractors to develop a methodology for conducting a risk assessment and testing of payment transactions. Actions are also under way to improve recovery auditing efforts. However, improvements are still needed to address some of the weaknesses identified related to conducting risk assessments and performing recovery auditing procedures.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-08-77, Improper Payments: Weaknesses in USAID's and NASA's Implementation of the Improper Payments Information Act and Recovery Auditing
This is the accessible text file for GAO report number GAO-08-77
entitled 'Improper Payments: Weaknesses in USAID's and NASA's
Implementation of the Improper Payments Information Act and Recovery
Auditing' which was released on December 10, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Subcommittee on Federal Financial Management, Government
Information, Federal Services, and International Security, Committee on
Homeland Security and Governmental Affairs, U.S. Senate:
United States Government Accountability Office:
GAO:
November 2007:
Improper Payments:
Weaknesses in USAID's and NASA's Implementation of the Improper
Payments Information Act and Recovery Auditing:
GAO-08-77:
GAO Highlights:
Highlights of GAO-08-77, a report to the Subcommittee on Federal
Financial Management, Government Information, Federal Services, and
International Security, Committee on Homeland Security and Governmental
Affairs, U.S. Senate.
Why GAO Did This Study:
Agencies are required to report improper payment information under the
Improper Payments Information Act of 2002 (IPIA) and recovery auditing
information under section 831 of the National Defense Authorization Act
for Fiscal Year 2002, commonly known as the Recovery Auditing Act.
Since the first year of implementation, fiscal year 2004, limited
improper payments reporting by the United States Agency for
International Development (USAID) and the National Aeronautics and
Space Administration (NASA) and concerns raised by NASA‘s auditors
about its risk assessment process prompted scrutiny from this
subcommittee during several oversight hearings. Because the
subcommittee noted that USAID‘s and NASA‘s performance and
accountability report (PAR) reporting on improper payments and recovery
auditing was minimal, GAO was asked to review both agencies‘ IPIA risk
assessment methodologies, recovery auditing procedures, and actions
under way to improve their IPIA and recovery audit reporting.
What GAO Found:
For the first 3 years of IPIA implementation, fiscal years 2004 through
2006, USAID and NASA performed various procedures to conduct their risk
assessments. Many of these procedures are positive steps to address the
requirements of IPIA. At the same time, GAO identified numerous
deficiencies in the procedures that warrant further improvement. For
example, neither USAID nor NASA had developed a systematic process to
(1) identify risks that exist in their payment activities or (2)
evaluate the results of their payment stream reviews, such as weighting
and scoring the effectiveness of existing internal control over
payments made and results from external audits. Furthermore, risk
assessment documentation maintained by USAID and NASA was lacking or
insufficient to support their conclusions that no programs or
activities were susceptible to significant improper payments. A lack of
detailed written guidance for both agencies may have contributed to the
deficiencies identified. Due to inadequacies in their risk assessment
process, USAID and NASA cannot be certain that they had no programs or
activities susceptible to significant improper payments, and
ultimately, had effectively implemented IPIA.
Although USAID and NASA have reported on steps taken to recoup improper
contract payments, GAO found several weaknesses in their recovery
auditing procedures for fiscal years 2004 through 2006. In particular,
USAID and NASA did not report recovery auditing information for each
fiscal year, documentation was lacking or not adequately supported, and
neither agency adhered to all of the reporting requirements outlined in
OMB‘s implementing guidance. Other weaknesses noted were agency-
specific. For example, USAID recovery auditing procedures were
comprised of reviews of certain OIG and external audit reports over
USAID grant and contract programs. However, the methodology used for
conducting those audits may not have constituted a recovery auditing
program as defined by OMB guidance, and thus may be insufficient for
this purpose. NASA, on the other hand, used IPIA contract payment
review results to report amounts recovered for fiscal year 2005.
However, the payment reviews were limited in scope and did not provide
an adequate representation of the extent of contract overpayments. Due
to a lack of, or insufficient, documentation, along with identified
weaknesses, the validity and accuracy of the reported recovery amounts
are questionable.
While USAID and NASA have experienced significant challenges in their
first 3 years of IPIA implementation, both agencies have taken steps to
strengthen their risk assessment process and, ultimately, IPIA
reporting. For example, USAID has developed an agencywide payment
database that will be used to research and data mine for potential
improper payments. NASA hired two different contractors to develop a
methodology for conducting a risk assessment and testing of payment
transactions. Actions are also under way to improve recovery auditing
efforts. However, improvements are still needed to address some of the
weaknesses identified related to conducting risk assessments and
performing recovery auditing procedures.
What GAO Recommends:
GAO is making a total of 10 recommendations to help improve USAID‘s and
NASA‘s efforts to implement IPIA and the Recovery Auditing Act. USAID
did not specifically respond to the recommendations, but provided a
technical comment, which GAO addressed. NASA concurred with the
recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.GAO-08-77]. For more information, contact McCoy
Williams at (202) 512-9095 or williamsm1@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
USAID's and NASA's Risk Assessment Processes and Documentation Could Be
Improved:
Weaknesses Found in Recovery Auditing Procedures Raise Questions About
the Validity and Accuracy of Reported Recovery Audit Amounts:
USAID and NASA Have Taken Steps to Strengthen Their Risk Assessment
Processes and Recovery Auditing Procedures, but Challenges Remain:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Types of Payment Streams Identified during United States
Agency for International Development's Risk Assessment:
Appendix III: Types of Payment Streams Identified during National
Aeronautics and Space Administration's Risk Assessment:
Appendix IV: Comments from the United States Agency for International
Development:
Appendix V: Comments from the National Aeronautics and Space
Administration:
Appendix VI: GAO Contact and Staff Acknowledgments:
Table:
Table 1: USAID's and NASA's Reported Recovery Auditing Amounts for
Fiscal Years 2004 to 2006:
Figures:
Figure 1: USAID's Major Payment Streams for Fiscal Year 2004:
Figure 2: NASA's Reported Major Payment Streams for Fiscal Year 2004:
Abbreviations:
CMP: Cash Management and Payment:
DCAA: Defense Contract Audit Agency:
DOJ: Department of Justice:
FP-AF: fixed-priced contracts with award fees:
IPIA: Improper Payments Information Act of 2002:
NASA: National Aeronautics and Space Administration:
OCFO: Office of Chief Financial Officer:
OIG: Office of Inspector General:
OMB: Office of Management and Budget:
PAR: performance and accountability report:
PMA: President's Management Agenda:
USAID: United States Agency for International Development:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
November 9, 2007:
The Honorable Thomas R. Carper:
Chairman:
The Honorable Tom Coburn:
Ranking Member:
Subcommittee on Federal Financial Management, Government Information,
Federal Services, and International Security Committee on Homeland
Security and Governmental Affairs:
United States Senate:
Fiscal year 2006 marked the third year that federal executive branch
agencies, including the United States Agency for International
Development (USAID) and the National Aeronautics and Space
Administration (NASA), were required to report improper payment
information under the Improper Payments Information Act of 2002
(IPIA)[Footnote 1] and information about their efforts to recover
improper payments made to contractors under section 831 of the National
Defense Authorization Act for Fiscal Year 2002, commonly known as the
Recovery Auditing Act.[Footnote 2] As we reported in March
2007,[Footnote 3] the total reported governmentwide improper payment
estimate was about $42 billion for fiscal year 2006. As the steward of
taxpayer dollars, the federal government is accountable for how its
agencies and awardees spend hundreds of billions of taxpayer dollars
and is responsible for safeguarding those funds against improper
payments as well as having mechanisms in place to recoup those funds
when improper payments occur. IPIA and the Recovery Auditing Act
provide an impetus for applicable agencies to systematically address
improper payment activity annually, and to identify and recover
contract overpayments.
Since fiscal year 2000, we have issued a number of reports and
testimonies aimed at raising the level of attention given to improper
payments. Our work over the past several years has demonstrated that
improper payments are a long-standing, widespread, and significant
problem in the federal government. IPIA has increased visibility over
improper payments by requiring executive branch agency heads, based on
guidance from the Office of Management and Budget (OMB),[Footnote 4] to
identify programs and activities susceptible to significant improper
payments,[Footnote 5] estimate amounts improperly paid, and report on
the amounts of improper payments and their actions to reduce them.
Similarly, the Recovery Auditing Act requires agencies to
systematically identify and recover contract overpayments. This act
requires, among other things, that all executive branch agencies
entering into contracts with a total value exceeding $500 million in a
fiscal year have cost-effective programs for identifying errors in
paying contractors and for recovering amounts erroneously paid. Since
fiscal year 2004, agencies have been required by OMB to report on IPIA
and recovery auditing efforts in their performance and accountability
reports (PAR).
For the first 3 years of IPIA implementation, fiscal years 2004 through
2006, USAID and NASA have reported that none of their programs and
activities were susceptible to significant improper payments and either
did not report any or provided minimal information on recovery auditing
activities. Although USAID and NASA differ in size, with annual budgets
exceeding $10 billion and $16 billion, respectively, both agencies
awarded over 75 percent of their total budget to contractors or
grantees[Footnote 6]--thereby increasing the risk of improper payments
made to awardees. In particular, at NASA, we have previously
reported[Footnote 7] on long-standing weaknesses and vulnerabilities in
its contract management. Since 1990, we have designated NASA's contract
management as high-risk principally because NASA lacked a modern
financial management system to provide accurate and reliable
information on contract spending and placed little emphasis on product
performance, cost controls, and program outcomes. The lack of an
effective financial management system is also included as a financial
management weakness that contributed to NASA receiving a disclaimer of
opinion on its financial statements for the past 3 fiscal years. NASA's
Office of Inspector General (OIG) has also identified financial
management and the contract and acquisition process as being among the
most serious management and performance challenges.
At USAID, we have reported[Footnote 8] on weaknesses associated with
its contract management and oversight of U.S. assistance to
Afghanistan. For example, we found that during fiscal year 2004, USAID
did not consistently require contractors to fulfill contract provisions
or provide adequate contract oversight, including holding contractors
to stipulated requirements and conducting required reviews of
contractor performance. We also have previously reported on control
weaknesses in USAID's ability to collect agencywide obligation and
expenditure data and long-standing challenges associated with USAID's
financial management and reporting, including a lack of complete,
reliable, and timely information needed to make sound, cost-effective
decisions.[Footnote 9]
OIG and external audit reports have also identified weaknesses related
to contract management and oversight in Iraq. USAID's OIG
reported[Footnote 10] that the agency made about $8 million in payments
to a contractor for security services in Iraq without a valid
obligation, including not obtaining the minimum documentation required
and signing a contract prior to making these payments. The OIG
determined that without an effective funds control system, USAID cannot
prevent overspending or ensure compliance with various laws enacted to
control and guide the implementation of federal fiscal policy. In
addition, on the basis of its review of a $1.33 billion cost-plus
reconstruction contract issued by USAID, the Special Inspector General
for Iraq Reconstruction found insufficient contract oversight that
resulted in inconsistent contract management, inadequate contractor
direction, and ineffective performance assessments.[Footnote 11]
In addition to these previously reported weaknesses in USAID and NASA
operations, limited improper payments reporting by the two agencies in
fiscal year 2004 and concerns raised by NASA's auditors regarding its
risk assessment process prompted scrutiny from your subcommittee during
several oversight hearings on governmentwide improper payments.
[Footnote 12] Because of congressional concern that USAID's and NASA's
PAR reporting on improper payments had not improved in the second year
of IPIA implementation, and both agencies reported minimal recovery
auditing information, you asked us to determine (1) the extent to which
USAID and NASA performed the required risk assessments to identify
programs and activities that were susceptible to significant improper
payments for fiscal year 2004 through fiscal year 2006, (2) steps USAID
and NASA have taken to recoup improper payments through recovery
audits, and (3) actions USAID and NASA have under way to improve their
IPIA and recovery audit reporting.
To address each of these objectives, we reviewed improper payments and
recovery auditing legislation and OMB implementing guidance. We also
reviewed USAID's and NASA's fiscal years 2004 through 2006 PARs and
external audit reports and interviewed agency officials about their
risk assessment methodologies, recovery auditing activities, and
efforts completed and under way to meet the reporting requirements of
IPIA and the Recovery Auditing Act. To assess the reliability of
USAID's and NASA's IPIA and recovery auditing reporting, we talked to
agency officials about data quality control procedures and reviewed
relevant documentation. We determined the data were sufficiently
reliable for the purposes of this report. We conducted our work from
September 2006 through August 2007 in accordance with generally
accepted government auditing standards. See appendix I for more details
on our scope and methodology.
Results in Brief:
While both USAID and NASA took steps to assess their payment activities
for risk, including conducting a review of select payment
streams[Footnote 13] for improper payments, we identified numerous
deficiencies in their procedures. USAID and NASA lacked a systematic
method to review and analyze program operations to determine if risks
exist, what those risks are, and the potential or actual impact of
those risks on program operations. For example, neither USAID nor NASA
had developed a process to (1) identify risks that exist in their
payment activities or (2) evaluate the results of their payment stream
reviews, such as weighting and scoring the effectiveness of existing
internal control over payments made and results from external audits.
Other weaknesses related to USAID, NASA, or both included a lack of
established criteria for payment transaction reviews at the agency
component level and no review of grant program payments to ensure
awardees have safeguarded federal funds from improper payments. As a
result of the inadequacies we identified in their risk assessment
process, USAID and NASA cannot be certain that they have no programs or
activities susceptible to significant improper payments, and
ultimately, have not yet effectively implemented IPIA. Furthermore,
risk assessment documentation maintained by USAID and NASA was lacking
or insufficient to support their conclusions that no programs or
activities were susceptible to significant improper payments.
Although USAID and NASA have reported on steps taken to recoup improper
contract payments, we found that recovery auditing procedures were not
consistently performed for each of the 3 fiscal years reviewed. We also
noted that documentation was lacking or did not adequately support
reported recovery amounts and that neither agency adhered to all of the
reporting requirements outlined in OMB's implementing guidance. For
example, USAID and NASA did not report on recovery auditing activities
in their fiscal year 2004 PARs. NASA reported that it was in the
process of awarding a recovery audit contract. USAID reported on the
dollar amount of contracts reviewed, but for the sole purpose of
addressing IPIA reporting requirements and concluding that its grant
and contract payment activities were not susceptible to significant
improper payments.
For fiscal years 2005 and 2006, USAID recovery auditing procedures
consisted of reviews of certain OIG and external audit reports of
USAID. However, the methodology used for conducting those audits may
not have constituted a recovery audit as defined by OMB guidance, and
thus may be insufficient for this purpose. Also, USAID was unable to
provide documentation of audit findings to support any of the recovery
auditing amounts included in its PARs. Because of these limitations, we
were unable to determine the validity of USAID's recovery auditing
activities and accuracy of reported recovery amounts. NASA, on the
other hand, used IPIA contract payment review results to report amounts
recovered for fiscal year 2005. However, the payment reviews were
limited in scope and did not provide an adequate representation of the
extent of contract overpayments. For fiscal year 2006, NASA used a
contractor to perform a recovery audit. Although the contractor
identified about $121 million in potential contract overpayments, NASA
officials told us that based on their review, they identified a small
portion of that amount as "valid contract claims" totaling $256,255
with subsequent recoveries totaling $139,420. NASA officials determined
that a vast majority of the claims submitted by the contractor were not
improper as they related to cost-type contracts with provisional
billing rates included in the contract terms, and were subject to a
final or closeout audit that likely would have identified those
payments reported by the contractor. In addition, we noted that both
agencies did not adhere to all of the recovery auditing reporting
requirements outlined in OMB guidance, including that the agencies had
no description of a corrective action plan to address the root causes
of payment error or no disclosure of the description and justification
of the classes of contracts excluded from recovery auditing.
While USAID and NASA experienced significant challenges in their first
3 years of implementing IPIA and the Recovery Auditing Act, both
agencies have taken steps to strengthen their risk assessment process
and actions are under way to improve recovery audit efforts. For
example, for its fiscal year 2007 risk assessment, USAID developed a
database that compiles all of its payment disbursements made worldwide.
USAID told us that it will use this database to annually identify its
payment streams and corresponding volume and dollar amounts by mission
or geographic location, data mine for duplicate payments, research
other payment anomalies, and perform tests of transactions. USAID also
stated that it plans to leverage the agency's work related to internal
controls under OMB Circular No. A-123 requirements[Footnote 14] to
assess control activities for IPIA purposes. For recovery auditing,
USAID hired a contractor to carry out a recovery audit over all
contract payments for fiscal year 2007. However, because the contractor
identified minimal contract overpayments based on its limited review of
USAID's fiscal year 2005 contract payments, the recovery auditor
determined that it would not be profitable to continue its work at
USAID. Going forward, USAID plans to work with its OIG to enhance in-
house recovery auditing procedures as performed in past years. Overall,
we believe these actions under way will better position USAID to
identify and target high-risk areas and determine the effectiveness of
control activities to reduce risks of improper payments. However, we
note that USAID's current plans still lack a systematic method to
determine if risks of improper payments exist, what those risks are,
and the potential or actual impact of those risks on operations.
NASA hired a consulting firm to develop a methodology for conducting
its fiscal year 2007 risk assessment for IPIA reporting. The consultant
categorized the agency's disbursements within specific programs and
activities as opposed to payment streams as done by NASA in previous
years. Based on its work, the consultant identified 30 programs with
approximately $10.8 billion in disbursements to include in NASA's
review for determining risk level. The consultant then determined that
5 of the 30 programs were at risk for being susceptible to significant
improper payments. NASA subsequently hired another consulting firm to
conduct statistical sampling and testing of five different payment
categories included in the five programs to determine if the programs
were susceptible to significant improper payments, thus requiring NASA
to estimate and report on the amounts of improper payments and actions
to reduce them. From its review, the consulting firm reported that no
significant improper payments were found, but recommended various
actions for NASA to take to eliminate future errors. NASA plans to
report these results in its fiscal year 2007 PAR. The work of the
contractors represents a great enhancement in NASA's risk assessment
methodology, when compared to prior years. In addition, NASA hired a
recovery auditing firm to perform a recovery audit of its fixed priced
contracts, similar to previous years. However, NASA has determined that
its interim and closeout audits--including the withholding of final
funds until the audit is complete--and adjustments to future billings
for ongoing contracts, decrease the risk of contract overpayments, and
therefore, consistent with OMB guidance, has excluded other contract
types from its recovery auditing program. Although consistent with OMB
guidance, NASA's universe of contract dollars subject to a recovery
auditing program continues to remain relatively small, less than 20
percent of its total value of contracts. For its fiscal year 2007 PAR,
NASA anticipates reporting interim results of initial recoveries
related to contract overpayments. Because the contractor had just begun
work to develop and execute an approach for conducting the recovery
audit, we were unable to determine the reasonableness of the auditors'
methodology by the end of our fieldwork.
We make a total of 10 recommendations to USAID and NASA to help improve
their efforts to implement IPIA and the Recovery Auditing Act by
focusing on performing risk assessments and reporting on efforts to
recover improper payments.
We provided a draft of this report to USAID and NASA for comment. USAID
did not specifically respond to our recommendations, but provided a
technical comment which we incorporated into this report. NASA
concurred with our recommendations and also provided technical comments
on the draft, which have been incorporated as appropriate. Both
agencies' comments, along with our evaluation, are discussed in the
Agency Comments and Our Evaluation section of this report. Their
comments are also reprinted in their entirety in appendixes IV and V.
Background:
IPIA was passed in November 2002 with the major objective of enhancing
the accuracy and integrity of federal payments. IPIA requires executive
branch agency heads to review their programs and activities annually
and identify those that may be susceptible to significant improper
payments. For each program and activity agencies identify as
susceptible, the act requires them to estimate the annual amount of
improper payments and to report those estimates to the Congress. The
act further requires that for programs for which estimated improper
payments exceed $10 million, agencies are to report annually to the
Congress on the actions they are taking to reduce those payments.
The act also requires the Director of OMB to prescribe guidance for
agencies to use in implementing IPIA. OMB's implementing
guidance[Footnote 15] requires the use of a systematic method for the
annual review and identification of programs and activities that are
susceptible to significant improper payments. However, this guidance
also allows for annual reviews (also known as risk assessments) to be
conducted less often than annually for programs where improper payment
baselines are already established, are in the process of being
measured, or are scheduled to be measured by an established date--which
is inconsistent with the express requirement of IPIA. In addition,
OMB's guidance defines significant improper payments as those in any
particular program that exceed both 2.5 percent of program payments and
$10 million annually.[Footnote 16] It requires agencies to estimate
improper payments annually using statistically valid techniques for
each susceptible program or activity. The guidance also allows agencies
to use alternative sampling methodologies[Footnote 17] and requires
agencies to report on and provide a justification for using these
methodologies in their PARs. For those agency programs determined to be
susceptible to significant improper payments and with estimated annual
improper payments greater than $10 million, IPIA and related OMB
guidance require each agency to annually report the results of its
efforts to reduce improper payments.
In August 2004, OMB established Eliminating Improper Payments as a new
program-specific initiative under the President's Management Agenda
(PMA). This separate PMA program initiative began in the first quarter
of fiscal year 2005. Previously, agency efforts related to improper
payments were tracked along with other financial management activities
as part of the Improving Financial Performance initiative of the PMA.
The objective of establishing a separate initiative for improper
payments was to ensure that agency managers are held accountable for
meeting the goals of IPIA and are therefore dedicating the necessary
attention and resources to meeting IPIA requirements. With this
initiative, 15 agencies[Footnote 18] are to measure their improper
payments annually, develop improvement targets and corrective actions,
and track the results annually to ensure the corrective actions are
effective. This list does not include USAID or NASA, which are
nevertheless covered under IPIA and thus are required to address
improper payments for their programs and activities. However, both
USAID and NASA stated that they consulted with OMB, although
infrequently, about procedures planned or under way for the first 3
years of IPIA implementation.
In addition, applicable agencies are required by OMB guidance to report
their efforts to recoup contract-related improper payments under
section 831 of the National Defense Authorization Act for Fiscal Year
2002,[Footnote 19] commonly referred to as the Recovery Auditing Act.
This legislation provides an impetus for applicable agencies to
systematically identify and recover contract overpayments for executive
branch agencies entering into contracts with a cumulative total value
exceeding $500 million in a fiscal year. Furthermore, the law
authorizes federal agencies to retain recovered funds to cover in-house
administrative costs as well as to pay other contractors, such as
collection agencies.
Recovery auditing is a method that agencies can use to recoup detected
(as opposed to estimated) improper payments. As such, recovery auditing
is a detective control to help determine whether contractor payments
were proper. Specifically, it focuses on the identification of
erroneous invoices, discounts offered but not received, improper late
penalty payments, incorrect shipping costs, and multiple payments for
single invoices. Recovery auditing can be conducted in-house or
contracted out to recovery audit firms. The techniques used in recovery
auditing offer the opportunity for identifying weaknesses in agency
internal controls, which can be modified or upgraded to be more
effective in preventing improper payments before they occur during
subsequent contract outlays.
Agencies that are required to undertake recovery audit programs were
directed by OMB to provide annual reports on their recovery audit
efforts, along with improper payment reporting detailed in an appendix
to their PAR. Specifically, OMB's implementing guidance[Footnote 20]
requires that agencies include in the PAR:
* a general description and evaluation of the steps taken to carry out
a recovery auditing program;
* the total cost of the agency's recovery auditing program;
* the total amount of contracts subject to review, the actual amount of
contracts reviewed, the amounts identified for recovery, and the
amounts actually recovered in the current year;
* a corrective action plan to address the root causes of payment error;
* a general description and evaluation of any management improvement
program carried out; and:
* a description and justification of the classes of contracts excluded
from recovery auditing review by the agency head.
USAID's and NASA's Risk Assessment Processes and Documentation Could Be
Improved:
For the first 3 years of IPIA implementation--fiscal years 2004 through
2006--both agencies performed various procedures to conduct their risk
assessments. Many of these procedures are positive steps to address the
requirements of IPIA. At the same time, we identified numerous
deficiencies in the procedures that warrant further improvement.
Specifically, we found that both agencies lacked a systematic method to
determine if risk of improper payments existed in their programs or
activities, what those risks were, or the potential or actual impact of
those risks on operations. For example, USAID and NASA had not
developed a standardized process to evaluate the results of their
reviews, such as weighting and scoring the results of risk conditions
to determine susceptibility. As such, the various procedures performed
did not provide meaningful results or may not have adequately depicted
the agencies' risk of improper payments. In addition, we noted USAID
and NASA had not assessed the effectiveness of internal controls relied
upon and weaknesses existed in payment reviews performed at the agency
component level. Furthermore, risk assessment documentation maintained
by USAID and NASA was lacking or insufficient to support their
conclusions that no programs or activities were susceptible to
significant improper payments.
Overview of USAID's and NASA's IPIA Reporting for the First 3 Years of
Implementation:
Fiscal year 2004 marked the first year in which all executive branch
agencies were required to report improper payment information in their
PARs under IPIA. Both USAID and NASA conducted a review of their
payment streams as part of their risk assessment process to identify
significant improper payments. OMB's implementing guidance includes a
broad definition of programs and activities subject to IPIA,[Footnote
21] which encompasses a review of payment activities. We found during
our review of fiscal year 2006 PARs that agencies generally used one of
two approaches to conduct their risk assessments--a review of program
operations or a review of payment streams.[Footnote 22] Although
agencies are allowed under OMB's implementing guidance to determine
their program and activity inventory for the purposes of performing a
risk assessment, the two approaches can produce different results. In
particular, a review of payment streams identifies the susceptibility
of improper payments for specific payment types that could relate to
multiple programs within an organization. On the other hand, a review
of distinct programs would identify the susceptibility of improper
payments for the different payment types included in a particular
program. Depending on the volume and dollar amount of payments or size
of a program, an agency could determine based on OMB's current
definition of significant improper payments--exceeding $10 million and
2.5 percent of program payments--that it had significant improper
payments using one approach but not with the other, greatly impacting
its risk assessment results.
Implementing a payment stream approach, USAID and NASA did not identify
any risk-susceptible programs or activities for fiscal year 2004. This
continued into fiscal year 2005 for both agencies. For fiscal year
2006, USAID identified two high-risk payment streams as part of its
risk assessment--cash transfers and contracts, grants, and cooperative
agreements.[Footnote 23] However, the identification of these two
payment streams did not result from a systematic process in place to
identify high-risk programs, but rather was due to the high ratio of
disbursements for these two payment streams to total agency outlays
(about 77 percent for fiscal year 2006). On the other hand, NASA
continued to assert for fiscal year 2006 that it had no programs
susceptible to significant improper payments although it did not
perform a risk assessment for that year. The following is a description
of USAID's and NASA's risk assessment processes for fiscal years 2004
through 2006. Details of the weaknesses we identified in these
processes are included later in this section.
USAID's Risk Assessment:
At USAID, the Cash Management and Payment (CMP) division within the
Office of the Chief Financial Officer (OCFO) has the responsibility of
executing and meeting the requirements of IPIA for the agency. For
fiscal year 2004, CMP identified a universe of 11 payment
streams[Footnote 24] totaling about $7.6 billion as part of its IPIA
risk assessment. See appendix II for a description of each payment
stream. For fiscal year 2004, these payment streams consisted of
program, operating, and other fund disbursements made from headquarters
and its 38 accounting stations[Footnote 25] that conduct cash
management activities for approximately 70 mission offices[Footnote 26]
located overseas. Two of the 11 payment streams--cash transfers and
contracts, grants, and cooperative agreements--totaled $6.8 billion, or
90 percent of total outlays. USAID's payment streams are shown in
figure 1.
Figure 1: USAID's Major Payment Streams for Fiscal Year 2004 (dollars
in millions):
[See PDF for image]
This figure is a pie-chart, depicting the following data:
USAID's Major Payment Streams for Fiscal Year 2004 (dollars in
millions):
Contracts, grants, and cooperative agreements[B]: $5,179.4 (68%);
Cash Transfers: $1,639.1 (22%);
Other: $767.6 (10%).
Source: GAO analysis of USAID's fiscal year 2004 payment stream
outlays.
[A] The Other category consists of the remaining nine payment streams:
payroll, mission allowances, travel, transportation, training, other
operating expenses, payments to other agencies, credit-financing funds,
and revolving funds.
[B] For fiscal year 2004, contract payments totaled about $1.9 billion,
grant payments totaled about $1.7 billion, and cooperative agreement
payments totaled about $1.4 billion of the payment stream. In addition,
USAID officials told us that its interagency agreement payment activity
represented a small portion of this payment stream totaling about $155
million or 3 percent for the same year.
[End of figure]
USAID's risk assessment for fiscal year 2004 consisted of a two-pronged
review--payments made from headquarters and payments from the 38
mission accounting stations. According to USAID, approximately 75
percent of payments are made at headquarters and 25 percent from the
mission offices. For the headquarters' risk assessment, USAID stated it
performed a review of all 11 payment streams; however, it did not
perform any risk assessment procedures for two of the payment streams-
-training and transportation--because each of these payment streams'
total outlays did not exceed $10 million, and therefore, would not have
met OMB's dual criteria for estimating and reporting improper payments.
As part of its risk assessment process, USAID officials told us that
they conducted interviews with management and various operation
managers responsible for the payment types to determine internal
controls over payment activity. USAID also stated it performed sampling
of its fiscal year 2003 travel transactions and reviewed 25 percent of
all travel transactions above $2,500 that had been identified as risk
susceptible. In addition, USAID met with the OIG and stated that it
reviewed certain OIG reports and external audit reports with
recommendations, such as Defense Contract Audit Agency (DCAA) audit
reports and Single Audit Act[Footnote 27] reports, to identify internal
control weaknesses over grant funds. Lastly, USAID stated that it
relied on routine prepayment and postpayment review activities which
are designed to help ensure the accuracy and validity of payments made.
For example, according to USAID policy, voucher examiners review and
process vouchers that contractors submit to USAID for payment; the
examiners determine that a valid obligation exists, check mathematical
accuracy, and ascertain that proper approvals and authorizations have
taken place.
For the mission accounting stations' risk assessment, USAID required
that 4 of the 11 payment streams[Footnote 28] be reviewed since it had
access to the payment activity for the remaining 7 payment streams and
incorporated those payments into the headquarters risk assessment.
Also, similar to headquarters, the mission accounting stations were not
required to review payment streams with total outlays less than $10
million. USAID provided general guidance to the controllers of each
mission accounting station on IPIA and OMB implementing guidance, and
included a memorandum from the Deputy CFO to each controller explaining
actions needed to conduct the risk assessment, along with a template
for each mission accounting station to complete on their review of the
payment transactions. USAID incorporated the results of these payment
reviews in the headquarters' risk assessment to determine overall risk
for the agency.
For the fiscal year 2005 and 2006 risk assessments, USAID leveraged the
work completed for fiscal year 2004, its baseline year, and compared
total outlays for each subsequent fiscal year to fiscal year 2004, to
determine whether significant changes in reported outlays had occurred.
USAID determined that there had been no significant changes and thus
applied analytical procedures--consisting of multiplying fiscal year
2004 payment stream percentages of the total fiscal year 2004 net
outlay and fiscal years 2005 and 2006 total outlay amounts--to estimate
the dollar amount of each payment stream for each of the given years.
Using this information, USAID stated that it relied on its reviews of
OIG and external audit reports, prepayment and postpayment reviews, and
A-123 internal control reviews to ensure the risk of improper payments
was minimized. No payment reviews were performed at the mission
accounting stations for fiscal years 2005 and 2006 because USAID had
determined that payments made by the missions were not high-risk, based
on the results of its fiscal year 2004 risk assessment and the
quantitative and qualitative procedures performed. USAID officials also
informed us that they reviewed various external audit reports and
relied on the agency's routine pre-and postpayment reviews. For
example, USAID performs data mining of all payment transactions using
vendor information and dollar value to identify potential duplicate
payments.
NASA's Risk Assessment:
At NASA, the OCFO is responsible for executing and meeting the
requirements of IPIA for the agency. For fiscal years 2004 through
2006, NASA identified six payment streams as part of its IPIA risk
assessment--firm-fixed-price contracts, incentive-fee contracts, award-
fee contracts, cost-plus-fixed-fee contracts, other contracts, and
grants, totaling about $12 billion annually. See appendix III for a
description of each payment stream. These payment streams represent
procurement actions[Footnote 29] and grant awards made at NASA's
headquarters and its nine centers[Footnote 30] located around the
country. For its risk assessment, NASA did not identify a universe of
outlays for all types of payment streams such as travel, training, and
payroll, for our period of review, fiscal years 2004 through 2006. NASA
did provide us with a schedule of six payment streams representing
procurement and grant data reported in NASA's annual procurement
reports. Figure 2 provides a breakdown of NASA's major payment streams
with fiscal year 2004 amounts.
Figure 2: NASA's Reported Major Payment Streams for Fiscal Year 2004
(dollars in millions):
[See PDF for image]
This figure is a pie-chart, depicting the following data:
NASA's Reported Major Payment Streams for Fiscal Year 2004 (dollars in
millions):
Award-fee contracts: $5,605.0 (47%);
Incentive-fee contracts: $3,166.0 (27%);
Firm-fixed-price contracts: $1,471.0 (12%);
Grants: $630.2 (5%);
Cost-plus-fixed-fee contracts: $574.0 (5%);
Other contracts[A]: $460.0 (4%).
Source: NASA.
[A] The Other contracts payment stream includes miscellaneous
expenditures such as fixed-price redetermination, economic price
adjustment, labor-hour, and time-and-material contracts.
[End of figure]
NASA's risk assessment included a review of payments made from
headquarters and the centers, although it did not include a review of
all payment streams. Specifically, for fiscal years 2004 and 2005, NASA
only performed a review of its firm-fixed-price payment stream,
representing a small portion (about 12 percent for fiscal year 2004 and
20 percent for fiscal year 2005) of total reported payment streams.
NASA stated that it excluded its various cost-type contracts because
(1) these contracts are subject to interim and closeout audits
performed by DCAA, (2) these contract payments may be adjusted in
future billings to correct previous errors, and (3) 5 to 10 percent of
the cost contract value is withheld until the closeout audit is
completed. NASA officials told us that NASA will include cost-type
contracts in its fiscal year 2007 risk assessment. Regarding the
exclusion of grant payments, NASA stated that these payments are
subject to Single Audit Act reviews as well as periodic reviews for
compliance with cash management, financial management system, or
financial reporting requirements. NASA's review of its firm-fixed-price
payment stream included selecting a sample of firm-fixed-price payment
transactions made during one quarter, at headquarters, and each center.
NASA provided its centers instructions, consisting of an e-mail from
the improper payments coordinator, on the scope of payment transactions
to be reviewed. On the basis of the results of each center's review,
NASA reported in its fiscal years 2004 and 2005 PARs that it had no
programs and activities susceptible to significant improper payments.
For fiscal year 2006, NASA OCFO officials told us that it did not
perform a risk assessment of all of its programs and activities due to
turnover of its headquarters staff responsible for IPIA and recovery
auditing. Instead, NASA relied on its recovery auditing work for fiscal
year 2006 to determine that no programs and activities were susceptible
to significant improper payments.
USAID and NASA Lacked Systematic Processes for Conducting Their Risk
Assessments:
We found numerous deficiencies in USAID's and NASA's procedures. Both
agencies lacked a systematic method to determine if risk of improper
payments existed in their programs or activities, what those risks
were, or the potential or actual impact of those risks on operations.
As such, the various procedures performed did not provide meaningful
results or may not have adequately depicted the agencies' risk of
improper payments. In addition, we noted USAID and NASA had not
assessed the effectiveness of internal controls relied upon and
weaknesses existed in payment reviews performed at the agency component
level.
A lack of detailed written guidance may have contributed to the
deficiencies we identified. Although USAID had general guidance in its
payables management directive that reiterated IPIA requirements, no
procedures existed on how to conduct a risk assessment and evaluate
those results. In addition, NASA had not developed any guidance that
could direct steps performed to ensure it met applicable IPIA
requirements. OMB guidance provides that agencies annually perform risk
assessments of their programs and activities, but offers limited
information on how to conduct a risk assessment, thus allowing agencies
broad flexibility for determining a methodology to employ to meet IPIA
requirements. In our November 2006 report,[Footnote 31] we recommended,
and OMB agreed, that the IPIA implementing guidance be expanded to
describe in greater detail factors that agencies should consider when
conducting their annual risk assessments. The OMB guidance, though, has
not yet been updated to describe risk factors agencies should consider
when conducting their annual risk assessments.
While OMB does not require agencies to develop agency-specific guidance
related to IPIA, during our review of agencies' internal IPIA guidance,
we noted that nine agencies[Footnote 32] had developed either guidance
or a tool, such as a schedule, survey, or questionnaire, to facilitate
their compliance with IPIA. As the risk assessment is a key step in
gaining assurance that programs and activities are operating as
intended and that they are achieving expected outcomes, it is critical
that agencies develop a comprehensive approach for determining the
extent and level of risk of improper payments in order to identify the
nature and type of corrective action needed.
Lack of Identified Risk Factors:
For the first 3 years of IPIA implementation, significant flaws existed
in USAID's and NASA's processes to identify risk in their payment
activities. For example, neither agency had established or considered
risk factors to assist them in identifying programs and activities
vulnerable to improper payments, such as assessments of internal
control, audit report findings, and human capital risks related to
staff turnover, training, or experience. We noted that some agencies
have developed factors or risk conditions that directly or indirectly
affect the likelihood of improper payments within a program or
activity. We noted from our review of fiscal year 2006 PARs or annual
reports that 13 agencies reported that one of the risk factors they
considered during the assessment included internal and external
reviews, such as results from identified system or program weaknesses,
and OIG and Single Audit Act reports. Similarly, 13 agencies reported
that an assessment of internal controls was another type of risk factor
used during their process.
Although there is no requirement for agencies to identify risk factors
as part of their risk assessment process, this type of identification
is consistent with our previous recommendation that OMB establish risk
factors in its guidance for agencies to consider and consistent with
our Standards for Internal Control in the Federal Government[Footnote
33] and executive guide on strategies to manage improper
payments,[Footnote 34] which provides a framework for conducting a
comprehensive risk assessment. Our executive guide identifies the
following four strategies that should be considered when determining
the nature and extent of improper payments:
* institute a systematic process to estimate the level of improper
payments being made by the organization;
* based on this process, determine where risks exist, what those risks
are, and the potential or actual impact of those risks on program
operations;
* use risk assessment results to target high-risk areas and focus
resources where the greatest exposure exists; and:
* reassess risks on a recurring basis to evaluate the impact of
changing conditions, both external and internal, on program operations.
While USAID and NASA did perform procedures that addressed some of the
common risk factors identified by other agencies, there was no
established process in place to identify the types of risk specific to
the payment streams reviewed during the assessment process. Had both
agencies made a more concerted effort to identify particular risk
factors, additional procedures may have been considered, facilitating a
more in-depth review and analysis of their payment streams or program
operations. We also found that USAID and NASA had not developed a
standardized process to evaluate the results of actions they completed
as part of their risk assessments, such as weighting and scoring the
results of risk conditions to determine susceptibility. As such, the
various procedures performed did not provide meaningful results or
adequately depict the agencies' risk of improper payments.
For example, both agencies reported performing one or more of the
following steps--assessing internal controls, reviewing external
audits, and conducting payment reviews--yet neither agency developed a
process that identified the potential or actual impact of those
results, and ultimately risks, on their agency operations. Assessing
the results or risk conditions identified during the risk assessment
plays a major role in determining the overall risk level of an agency's
operations as risk conditions do not have an equal effect on all
programs or activities. Some risk conditions may affect a program or
activity to a greater or lesser degree. Likewise, not all risk
conditions may be relevant to each program or activity. Therefore,
assigning a weight to each risk condition would accurately reflect the
level of importance and influence each risk condition has on a specific
program or activity.
We view findings from OIG and external audits as valuable information
that agencies can use to identify areas vulnerable to improper
payments. OIG and external audits, such as performance audits, provide
an objective and systematic examination of evidence for the purpose of
providing an assessment of the performance of a government
organization, program, activity, or function. As part of its risk
assessment, USAID reported conducting a review of OIG and external
audits, while NASA did not. Yet, as previously stated, USAID did not
have a process in place to evaluate the potential or actual impact of
those risks on operations. For both USAID and NASA, we identified
various GAO, OIG, and Single Audit Act audit reports as well as
Department of Justice (DOJ) investigation reports that highlighted
fraud, questioned costs, and internal control weaknesses, that may not
have been adequately considered during the risk assessment process.
Some examples of findings from investigations and audits for fiscal
years 2004 through 2006 follow.
USAID:
* USAID could not provide a complete accounting of $405 million
primarily used to support maternal and child health efforts in Africa,
Asia, Latin America, and the Caribbean.[Footnote 35]
* A vendor agreed to pay $1.2 million to settle potential claims that
it overcharged USAID in three contracts for overseas economic
development work.[Footnote 36]
* Two vendors agreed to pay a total of $1.31 million to settle
allegations that they knowingly submitted more than 100 false claims
for reimbursement, overstating the charges actually incurred for
freight and insurance.[Footnote 37]
NASA:
* A contractor paid the government $615 million, including $106.7
million to NASA, to resolve criminal and civil allegations that the
company improperly used another contractor's information to procure
contracts for launch services worth billions of dollars.[Footnote 38]
* A contractor paid a former NASA electrical subcontractor up to $2
million in unsupported costs. In addition, two of the contractor's
senior procurement officials admitted to soliciting and receiving
kickbacks from the subcontractor in exchange for bid information and
assistance in the approval of change orders. A civil settlement amount
of $1.4 million was reached between NASA and the contractor.[Footnote
39]
* NASA's OIG found various weaknesses in NASA's acquisition and
contracting processes such as a lack of a reliable financial management
system to track contract spending, inadequate control over government
property held by contractors, and procurement process abuses by NASA
employees and contractors.[Footnote 40]
Key Internal Controls Not Assessed for Effectiveness:
As part of their risk assessments, USAID and NASA reported that they
relied on pre-and postpayment controls over payment transactions to
identify risk. Although USAID and NASA provided us with some general
internal controls over various payment streams, neither had documented
the controls or the effectiveness of those controls to ensure proper
reliance for purposes of conducting a risk assessment.[Footnote 41] In
addition, USAID officials told us that they had interviewed management
and various program managers to assess internal controls. However,
USAID had not developed a list of, or series of questions--such as a
standard questionnaire--to ensure consistency regarding the types of
questions asked across agency operations and that focused discussions
on specific issues related to improper payments and internal controls.
Similarly, NASA told us that it relied on postpayment controls over its
various cost-type contracts, thus excluding over 80 percent of its
procurement dollars, and ultimately the related contract payments. Yet,
NASA performed no independent assessments[Footnote 42] of these
postpayment controls and was not knowledgeable of specific procedures
DCAA performed during its contract audits. As previously mentioned,
NASA officials told us that they will include cost-type contracts in
NASA's fiscal year 2007 risk assessment.
Weaknesses in Payment Reviews:
Although USAID and NASA performed select payment reviews as part of
their risk assessment, we found no established criteria for conducting
these reviews and the reviews were limited in scope in some instances,
as well as inconsistently performed. Because of the lack of guidance
and insufficient review, USAID and NASA cannot be certain that these
payment reviews adequately support that payments made were not
susceptible to significant improper payments.
For its fiscal year 2004 risk assessment, USAID instructed its 38
mission accounting stations to perform payment reviews of their
payroll, travel, allowances, and other payment streams totaling about
$159 million. Although USAID provided its mission accounting stations
with general guidance regarding IPIA and a template to use when
performing their payment reviews, there were no detailed instructions
on specific characteristics or attributes of the payment transactions
that the mission accounting stations should review to identify improper
payments. USAID told us that the mission accounting stations had
flexibility in tailoring the extent of their risk assessments and
sampling methodology because they collectively represent only 25
percent of USAID's total disbursements and each mission (1) differs
based on the nature of its programs and the volume of payment activity
and (2) performs 100 percent of payment reviews as part of its normal
course of business. Therefore, some mission accounting stations may
have conducted statistical or nonstatistical sampling while others
performed 100 percent payment reviews. As a result, such payment review
results may not be comparable among mission accounting stations or
representative of their payment activity. USAID stated that it was not
possible to verify or validate any of the information received from the
mission accounting stations since they used stand-alone accounting
systems that were not integrated with headquarter's accounting system
during our period of review. From these payment reviews, the mission
accounting stations collectively identified about $258,973 in improper
payments for fiscal year 2004. On the basis of the fiscal year 2004
mission risk assessment results and other quantitative and qualitative
analysis performed, USAID determined that payments made from mission
accounting stations were low-risk and therefore it did not conduct
separate payment reviews for fiscal years 2005 and 2006. For its fiscal
years 2005 and 2006 payment reviews at headquarters, USAID stated it
relied on its reviews of OIG and external audit reports, pre-and
postpayment reviews, and A-123 internal control reviews. However, we
were unable to verify that all payment streams were included in the
reviews and could not evaluate any procedures performed as USAID was
unable to provide documentation that supported these actions or their
results.
We identified similar weaknesses in NASA's payment reviews. For
example, NASA also lacked established criteria for payment transaction
reviews conducted by its centers for purposes of IPIA, including
specific characteristics or attributes of the payment transactions that
the centers should review to identify improper payments. This led to
inconsistent application of the methodology that centers were asked to
use to conduct their payment reviews. For example, one NASA center
selected payment transaction amounts of $100,000 or greater rather than
the 15 percent of its first quarter payments consistent with the other
centers and as requested by NASA headquarters. The same center also
noted that it reviewed documentation to determine whether or not the
payments complied with Prompt Payment Act[Footnote 43] provisions,
rather than IPIA requirements. When we brought it to their attention,
NASA OCFO officials said that the center could have erroneously tested
according to the wrong act.
On the basis of its testing of transactions, NASA reported that it
identified $70,599 in improper payments for fiscal year 2004 from its
examination of $14.6 million in firm-fixed-price contract payments and
identified $617,442 in improper payments for fiscal year 2005 based on
its examination of $82.5 million of those same types of contract
payments. However, we noted that NASA did not verify the results of its
centers' payment reviews. Furthermore, NASA's independent auditor
reported in fiscal year 2004 that the agency may not have fully
complied with IPIA requirements because NASA did not consider payments
other than firm-fixed-price contract payments as part of the risk
assessment process or prepare an estimate of improper payments.
Therefore, the total improper payment amounts reported may not be
accurate, especially given the inconsistencies we identified. For
fiscal year 2006, according to OCFO officials, NASA did not conduct any
payment reviews or overall risk assessment of its payment activities
due to headquarters staff turnover responsible for IPIA. Instead, it
relied on its recovery audit work performed during the year to conclude
it had no programs and activities susceptible to significant improper
payments. The adequacy of such a determination is questionable because
the scope of review under the Recovery Auditing Act targets a specific
type of payment--contracts--whereas the scope of review under IPIA
includes a review of all programs and activities that are subject to
different reporting requirements if they are found to be susceptible to
significant improper payments. Furthermore, OMB guidance under the
Recovery Auditing Act allows agencies to exclude certain classes of
contracts from consideration,[Footnote 44] which is not permitted under
IPIA. Under IPIA, all programs and activities are subject to review.
Although NASA reported its payment reviews were statistically based,
its minimal coverage of the firm-fixed-price payment stream was
inconsistent with OMB guidance that directs that agencies use a 12-
month period to report improper payment information. Specifically, for
fiscal years 2004 and 2005, NASA identified a small universe of firm-
fixed-price procurement payments as the basis for each year's payment
reviews. Already representing a small percentage of total reported
payment streams--12 percent for fiscal year 2004 and 20 percent for
fiscal year 2005--NASA OCFO further narrowed the scope of dollars to be
reviewed by instructing its centers to select statistical samples of
only 15 percent of its firm-fixed-price contract payments made during a
3-month period, January 1 to March 31 of each year. NASA was unable to
provide an explanation for the basis of these limited reviews. Despite
NASA's reported use of statistical sampling to conduct its payment
reviews, its small sample population and minimal coverage of the firm-
fixed-price payment stream compared to total procurement dollars does
not adequately represent NASA's total contract activity, which accounts
for about 85 percent of NASA's annual budget.
Furthermore, NASA excluded grant program payments, totaling about $630
million for fiscal year 2004, from its risk assessment review. OMB
guidance requires that agencies include federal awards subject to the
Single Audit Act, as amended, as part of their review to address IPIA
reporting requirements. In its fiscal year 2004 audit report, NASA's
auditors reported that the agency may not have fully complied with IPIA
requirements as it did not explicitly consider payments other than firm-
fixed-price as part of the risk assessment process or prepare an
estimate of improper payments. The auditors also reported that NASA
noted that audit efforts by nonfederal auditors with respect to
grantees and by government auditors with respect to certain NASA
contracts aid in identifying and mitigating improper payments. While
single audits could be a source of improper payment information, we
previously reported that single audits, by themselves, may lack the
level of detail necessary for achieving IPIA compliance.[Footnote 45]
Specifically, single audits generally focus on the largest dollar
amounts in an auditee's portfolio. Thus, all programs identified as
susceptible to improper payments at the federal level may not receive
extensive coverage under a single audit. Consequently, both the depth
and level of detail of single audit results are, generally,
insufficient to identify improper payments, estimate improper payments,
or both.
USAID and NASA Lacked Sufficient Documentation to Support Their Risk
Assessment Processes:
While OMB guidance requires agencies to maintain documentation of their
risk assessment, USAID and NASA were unable to support a majority of
the actions highlighted earlier in this report regarding their risk
assessment processes. Given the lack of documentation and deficiencies
we found relating to USAID's and NASA's risk assessments, we have no
basis to determine whether steps performed supported both agencies'
conclusions that no programs and activities were susceptible to
significant improper payments. Our Standards for Internal Control in
the Federal Government[Footnote 46] provides that internal control and
all transactions and other significant events need to be clearly
documented and readily available for examination. The documentation
should appear in management directives, administrative policies, or
operating manuals. Also, all documentation and records should be
properly managed and maintained.
At USAID, we noted a documentation requirement in its policy directive
related to IPIA reporting, yet the agency was unable to provide us the
following for each of the 3 fiscal years:
* documentation to support interviews of program managers regarding
program operations and internal control;
* testing of headquarters payment transactions, including sampling
plans of statistical samples used to test travel and other payment
transactions, a list of sample transactions selected, key attributes
tested, and evaluation of those results; and:
* a list of external audit reports reviewed, their findings, and impact
on the risk assessment process.
Furthermore, we found discrepancies when tracing lead schedules to
supporting documentation and inadequate documentation of USAID's
duplicate payment reviews. For example, as part of its duplicate
payment reviews, USAID did not document the search criteria used to
identify potential duplicate payments, the range of payments reviewed
to prevent overlapping or reviewing the same payments in subsequent
reviews, and the potential duplicate payments flagged and their
resolutions.
Similarly, NASA provided us minimal supporting documentation of its
payment reviews for fiscal year 2004 and could not provide almost half
of the documentation for fiscal year 2005. NASA told us that each
year's payment reviews were based on a statistical sample of payments
made at headquarters and its centers. However, NASA could not provide
us a copy of its sampling plans, list of transactions selected, sample
results, and subsequent evaluation. NASA relied almost entirely on
these payment reviews to support its conclusion that it had no programs
and activities susceptible to significant improper payments for fiscal
years 2004 and 2005, yet could not provide documentation to support its
conclusions. For fiscal year 2006, NASA acknowledged that it did not
perform a risk assessment due to staff turnover, and thus no
documentation existed. Nevertheless, NASA still reported that it had no
programs and activities of significant risk based on recovery audit
work performed on its research and development contracts. Had NASA
adequately documented its IPIA efforts from the previous fiscal years,
it would have been better positioned to address IPIA requirements for
fiscal year 2006. Thus, documentation becomes even more essential
during periods of staff transition.
The magnitude of the lack of documentation issue was evident in the
NASA auditor's report on compliance with laws and regulations for
fiscal year 2006. In that report, the auditor raised concerns about the
lack of documentation to support the agency's IPIA efforts.
Specifically, the auditor reported that NASA had potentially violated
certain requirements of IPIA as management was unable to provide
sufficient documentation to support performance of an annual review of
all programs and activities it administers to identify those that may
be susceptible to significant improper payments.
Weaknesses Found in Recovery Auditing Procedures Raise Questions About
the Validity and Accuracy of Reported Recovery Audit Amounts:
Although USAID and NASA have reported on steps taken to recoup improper
contract payments, we found several weaknesses in their recovery
auditing procedures for fiscal years 2004 through 2006. In particular,
USAID and NASA did not report recovery auditing information for each
fiscal year, documentation was lacking or not adequately supported, and
neither agency adhered to all of the reporting requirements outlined in
OMB's implementing guidance. Due to a lack of, or insufficient,
documentation, along with identified weaknesses, the validity and
accuracy of the reported recovery amounts are questionable.
Recovery Audit Information Not Reported or Lacked Supporting
Documentation in Most Instances:
USAID and NASA did not fully report on recovery audit activities for
each of the 3 fiscal years under review. Specifically, USAID and NASA
did not report recovery audit information in their fiscal year 2004
PARs. NASA reported that it was in the process of awarding a recovery
audit contract, while USAID reported on the dollar amount of contracts
reviewed, but for the sole purpose of addressing IPIA reporting
requirements and concluding that its grant and contract payment
activities were not susceptible to significant improper payments.
Consequently, OMB did not recognize USAID or NASA as reporting fiscal
year 2004 recovery audit information when it reported on governmentwide
recovery audit efforts for that year.
For fiscal year 2005, USAID again leveraged the work used to address
IPIA requirements to satisfy the requirements of the Recovery Auditing
Act. USAID reported about $5.9 million in questioned costs identified
through OIG audits of grants and contracts. Of this amount, about $5.8
million (98 percent) had been recovered. While USAID reported this
information in its PAR, the agency was unable to provide us a list of
the audit reports reviewed and specific findings that supported the
amounts identified and actually recovered, raising questions about
their validity and accuracy. Likewise, NASA leveraged the results of
its IPIA work to address the recovery auditing requirements. However,
as we stated earlier, the scope of review was limited in nature as NASA
only tested 15 percent of its firm-fixed-price contract payments over a
3-month period and could not provide almost half of the documentation
to support the dollar value sampled. On the basis of its limited
testing, NASA identified and recovered only $617,442 in contract
overpayments.
For fiscal year 2006, USAID reviewed questioned costs identified
through OIG audits of grants and contracts as it had done in the
previous fiscal year. USAID reported about $9.1 million in questioned
costs identified through OIG audits of grants and contracts and DCAA
contract audits. Of this amount, about 99 percent had been recovered.
Again, USAID was unable to provide documentation of the specific audit
reports and findings to support the recovery audit amounts. In addition
to the lack of documentation for both fiscal years 2005 and 2006, the
audit reports used may not have been designed to identify the types of
payment errors that would be identified through a recovery audit, as
USAID stated that some of the audit findings resulted from DCAA
contract audits.
OMB guidance differentiates procedures performed under a recovery audit
versus a contract audit. OMB guidance defines a recovery audit as a
review and analysis of the agency's books, supporting documents, and
other available information supporting its payments that is
specifically designed to identify overpayments to contractors that are
due to payment errors.[Footnote 47] On the other hand, contract audits
are normally performed for the purpose of determining if amounts
claimed by the contractor are in compliance with the terms of the
contract and applicable laws and regulations and are not designed to
specifically identify payment errors as described under recovery
audits. If the DCAA and OIG audit reports used by USAID to identify the
recovery auditing amounts were not specifically designed to identify
payment errors, as defined by OMB, the reported recovery audit amounts
for fiscal years 2005 and 2006 may not accurately reflect payment
errors for purposes of recovery auditing and thus, may be misstated.
NASA used a recovery audit firm for fiscal year 2006 to review contract
payments made from fiscal years 1997 through 2005, totaling $57.4
billion. Of this amount, the recovery audit firm identified over $121
million in potential contract overpayments. However, based on NASA's
review and conclusion that most of the potential contract overpayments
identified by the recovery audit firm were not erroneous, it reported
significantly lower recovery audit amounts--$256,255 in contract
overpayments identified for recovery and $139,420 in actual recoveries.
See table 1 for recovery audit amounts reported by USAID and NASA for
fiscal years 2004 through 2006.
Table 1: USAID's and NASA's Reported Recovery Auditing Amounts for
Fiscal Years 2004 to 2006:
Agency: USAID;
Fiscal year 2004: Agency-reported amount identified for recovery: did
not report;
Fiscal year 2004: Agency-reported amount recovered: did not report;
Fiscal year 2005: Agency-reported amount identified for recovery:
$5,900,000;
Fiscal year 2005: Agency-reported amount recovered: $5,782,000;
Fiscal year 2006: Agency-reported amount identified for recovery:
$17,100,000;
Fiscal year 2006: Agency-reported amount recovered: $17,090,000.
Agency: NASA;
Fiscal year 2004: Agency-reported amount identified for recovery: did
not report;
Fiscal year 2004: Agency-reported amount recovered: did not report;
Fiscal year 2005: Agency-reported amount identified for recovery:
$617,442;
Fiscal year 2005: Agency-reported amount recovered: $617,442;
Fiscal year 2006: Agency-reported amount identified for recovery:
$256,255;
Fiscal year 2006: Agency-reported amount recovered: $139,420.
Sources: OMB and USAID and NASA PARs for fiscal years 2004 through 2006.
[End of table]
We asked NASA officials about the significant difference in its
reported recovery audit amounts when compared to the recovery auditor's
reported amounts. According to NASA, the firm's recovery auditing work
covered all contract types from fiscal years 1997 through 2005. Upon
further review of the contractor's submitted claims, NASA determined
that a vast majority of the claims submitted by the contractor were not
erroneous as they related to cost-type contracts with provisional
billing rates included in the contract terms, which were subject to a
final or closeout audit that would likely have identified those
improper payments reported by the contractor. Thus, NASA officials
stated that only a small portion ($256,255) of the $121 million in
potential contract overpayments represented "valid contract claims" or
contract overpayments that would be pursued for recovery.
OMB guidance[Footnote 48] for recovery auditing allows agencies to
exclude classes of contracts and contract payments from recovery audit
activities when they have determined that recovery audits are
"inappropriate or are not a cost-effective method for identifying and
recovering erroneous payments." Examples OMB provides as classes of
contracts and contract payments that may be excluded include:
* cost-type contracts that have not been completed where payments are
interim, provisional, or otherwise subject to further adjustment by the
government in accordance with the terms and conditions of the contract;
* cost-type contracts that were completed, subjected to a final
contract audit and, prior to final payment of the contractor's final
voucher, all prior interim payments made under the contract were
accounted for and reconciled; and:
* other contracts that provide for contract financing payments or other
payments that are interim, provisional, or otherwise subject to further
adjustment by the government in accordance with the terms and
conditions of the contract.
Although NASA's exclusion of the bulk of the recovery audit firm's
potential contract overpayments (primarily related to cost-type
contracts) was consistent with OMB guidance, which allows agencies to
exclude these classes of contracts, limiting its universe to firm-
fixed-price contracts may not be the best use of resources. These types
of contracts typically provide the least amount of risk of improper
payments as firm-fixed-price contracts are generally not subject to
fluctuations in contractor costs, thereby decreasing the risk level of
improper payments made by agencies. However, NASA officials told us
that because its cost-type contract payments are subject to extensive
reviews via contract audits and internal reviews, further examination
under a recovery auditing program would not provide any additional
value and could be, to some extent, duplicative in nature.
USAID and NASA Did Not Adhere to Applicable OMB Recovery Auditing
Reporting Requirements:
There are several reporting requirements that agencies are required to
follow when reporting recovery auditing information, such as a
description and justification of the classes of contracts excluded from
recovery auditing and a corrective action plan to address the root
causes of any payment errors. Agencies are also required to report, in
table format, various amounts related to contracts subject to review
and actually reviewed, contract amounts identified for recovery and
actually recovered, and prior-year amounts.
From our review, we found that USAID's and NASA's reporting of recovery
auditing information did not meet the OMB reporting requirements.
Although we noted improvement in both agencies' fiscal year 2006
reporting of recovery auditing information when compared to the
previous fiscal year, USAID and NASA still had not addressed all key
elements. For example, both USAID and NASA provided a general
description of the steps taken to carry out their recovery auditing
program for fiscal year 2006 and presented, in table format, the
various recovery auditing amounts on contracts subject to review,
identified for recovery, and actually recovered.[Footnote 49] However,
we found no description of a corrective action plan to address the root
causes of payment error. In addition, for fiscal year 2005, NASA only
reported on recovery audit results for its firm-fixed-price contract
overpayments, but this information and its exclusion of other contract
types were not disclosed in NASA's PARs. Without adequate disclosure,
this type of presentation may lead to a mischaracterization of the
extent to which contract overpayments exist.
USAID and NASA Have Taken Steps to Strengthen Their Risk Assessment
Processes and Recovery Auditing Procedures, but Challenges Remain:
While USAID and NASA have experienced significant challenges in their
first 3 years of IPIA implementation, both agencies have taken steps to
strengthen their risk assessment processes and ultimately, IPIA
reporting. Actions are also under way to improve recovery auditing
efforts. However, improvements are still needed to address some of the
weaknesses related to conducting risk assessments and performing
recovery auditing procedures.
Actions Under Way to Enhance Risk Assessment Process, but Additional
Steps Needed:
USAID has taken several steps to strengthen its process for identifying
programs and activities that may be susceptible to improper payments,
but additional steps are needed to adequately address IPIA reporting
requirements. USAID has developed a new IPIA database that is intended
to compile all of its payment disbursements made worldwide. The new,
interactive tool will interface with its core accounting system,
Phoenix, which will enable USAID to annually identify its payment
streams and corresponding volume and dollar amounts by mission or
geographic location, data mine for duplicate payments, research other
payment anomalies, and perform tests of transactions. USAID told us
that since August 2006, when Phoenix was fully implemented agencywide,
its monitoring capabilities and testing of payment transactions had
increased significantly now that its headquarters staff has access to
all disbursement activity regardless of where the payments were made.
Going forward, USAID also stated it plans to work more closely with the
OIG, including working with the OIG to develop a statistical sampling
methodology for testing its payment streams agencywide as part of its
risk assessment process. USAID also stated that it will periodically
contact OMB for input and feedback related to its risk assessment
process and results. Other steps USAID plans to implement include (1)
leveraging the agency's assessment of internal control under OMB
Circular No. A-123 requirements[Footnote 50] to determine whether
control activities in place are effectively preventing improper
payments; (2) increasing accountability among managers responsible for
addressing IPIA reporting requirements by including IPIA
responsibilities in their work plans, which are tied to the managers'
performance assessments; and (3) improving its documentation of steps
performed to comply with OMB guidance and internal policy. If these
actions are properly implemented, we believe these actions will address
some of our concerns related to conducting an assessment of internal
control and testing of payment transactions. Specifically, these
actions will better position USAID to identify and target high-risk
areas, determine the effectiveness of control activities to reduce the
risk of improper payments, and provide accountability among managers
responsible for executing IPIA activities.
With regard to manager accountability, we noted that no specific
standards have been developed for rating employee performance against
responsibilities related to IPIA and that no performance awards or
disciplinary actions exist as incentives for reducing improper
payments, which may not achieve the desired effect.[Footnote 51]
Lastly, USAID still lacks a systematic method to determine if risk of
improper payments exists, what those risks are, and the potential or
actual impact of those risks on operations. For example, while USAID
has developed various quantitative and qualitative procedures as part
of its risk assessment process, it still has not taken the first step
of identifying and documenting risk factors that should be considered
to ensure that the procedures performed adequately address areas within
the agency that may be susceptible to improper payments. Furthermore,
USAID has not developed an overall approach to then evaluate the work
performed, including weighting and scoring the results of its
quantitative and qualitative analysis, and thus provide a basis for
making a final determination of its risk level for assessing improper
payments under IPIA. We believe that implementation of these types of
strategies to identify the nature and extent of improper payments is
consistent with our framework for conducting risk assessments and will
provide a comprehensive review and analysis of program operations.
NASA has made significant strides since its first year of IPIA
implementation to improve its approach for conducting risk assessments
and other IPIA reporting requirements. NASA hired a consulting firm for
2 months (February 2007 through March 2007) to develop a methodology
for conducting its fiscal year 2007 risk assessment. The consultant
categorized the agency's fiscal year 2006 disbursements, including cost-
type contracts and grant payments, by programs instead of by payment
streams, as was done by NASA in previous years. On the basis of its
review of disbursements, the consulting firm established a materiality
level of $80 million. All programs with total disbursements greater
than $80 million were included in the program universe for further
review. The consultant identified 30 programs with approximately $10.8
billion in disbursements to include in the scope of review for
determining risk level.
To assess the risk level of the programs, the consultant examined
agency documentation and conducted (1) site visits; (2) interviews of
program managers, other agency personnel, and NASA OIG; and (3) walk-
throughs of program operations. On the basis of these steps, the
consultant identified seven risk conditions[Footnote 52] and developed
a risk matrix to evaluate and score each risk condition, using a 5
point scale--with 1 point indicating low risk and 5 points indicating
high risk. Following a calculation of the key risk factors that
considered the frequency of risk, severity of risk, and the overall
risk score, 5 of the 30 programs were deemed to be at risk for being
susceptible to significant improper payments. The 5 programs are (1)
Mars Exploration, (2) Solar System Research, (3) Space Shuttle Program,
(4) International Space Station Program, and (5) Institutions and
Management.
NASA subsequently hired another consulting firm to conduct statistical
sampling from April 2007 through September 2007 of the 5 programs to
determine if the programs are susceptible to significant improper
payments and thus would need to estimate and report on the amounts of
improper payments and actions to reduce them. Within each of these 5
programs, the consulting firm identified five payment categories that
were subject to detailed testing; they were travel expense
reimbursement, payroll and employee benefits, grant payments,
government purchase cards, and procurement and contracts. From its
review, the consulting firm found approximately $884,243 of improper
payments during the period of October 1, 2005, through September 30,
2006.[Footnote 53] Although the consulting firm reported that no
significant improper payments were found, it recommended various
actions for NASA to take, including continuing to ensure that internal
controls--automated and manual--are operating effectively relating to
the receipt and processing of vendor invoices to ensure timely payment.
The consulting firm submitted its final report with recommendations for
improvement on October 23, 2007, in time for inclusion in NASA's fiscal
year 2007 PAR.
During our review, NASA acknowledged weaknesses in its IPIA reporting
for fiscal years 2004 through 2006 and stated that its risk assessment
procedures did not adequately address OMB guidance. However, NASA felt
confident that it had made significant gains with its IPIA reporting
for fiscal year 2007. Although we did not perform a detailed review of
its methodology--the work was ongoing during our fieldwork--NASA, with
the assistance of outside contractors, appears to have developed an
extensive methodology for conducting a risk assessment to identify
programs and activities susceptible to significant improper payments.
The steps taken thus far appear to align with our framework for
conducting a risk assessment to determine the nature and extent of
improper payments.
Recovery Auditing Efforts Have Begun:
In June 2006, USAID engaged the services of a recovery auditing firm to
perform recovery auditing activities for its fiscal year 2007 PAR
reporting. For the fiscal year 2007 reporting period, the recovery
auditor's scope of review included payments made at headquarters for
fiscal years 2003 through 2005. For payments made from mission
accounting stations that were captured in USAID's core accounting
system, the recovery auditors performed analytical procedures and
concluded that no further work was warranted. The recovery auditors
developed a three-tier process to identify the following types of
potential contract overpayments:
* first tier--potential duplicate payments;
* second tier--amounts paid that exceeded the obligation or any
adjustments not properly accounted for, and:
* third tier--invoices and payment vouchers with errors, including
general and administrative rate variances.
From its review,[Footnote 54] the recovery auditor identified 300
contracts, comprising 2,900 invoices, that warranted further review.
The recovery auditor also reported that it randomly sampled an
additional 900 invoices for review, but did not identify the number of
contracts. On the basis of its work, the auditors referred $3 million
of potential contract overpayments to USAID for review. From its
review, USAID determined that of the $3 million, approximately $11,000
constituted actual overpayments related to discount claims that had not
been taken and decided it would initiate collection efforts. However,
we were provided no documentation of the resolution of remaining
contract payments determined not to be improper. After completing a
limited review of fiscal year 2005 payments, the recovery auditor
decided to discontinue its recovery auditing work at USAID as the
results of its limited review revealed that the continuation of audit
work would not be economically feasible or profitable. For its fiscal
year 2007 PAR reporting, USAID stated it will report on the work
performed by the recovery auditor. Going forward, USAID plans to
conduct an in-house recovery auditing program as done in previous
years, but stated it would work with the OIG to enhance procedures and
address requirements in OMB's guidance. While the hiring of a recovery
auditor did not identify a significant amount of contract overpayments,
additional steps would help USAID ensure that its in-house recovery
auditing program is consistent with the requirements of the Recovery
Auditing Act and specifically designed to identify overpayments to
contractors that are due to payment error.
For fiscal year 2007, NASA recompeted its contract for recovery
auditing services and hired another recovery auditing firm in August
2007. NASA stated that the scope of review will include only fiscal
year 2006 fixed price contract payments valued at $1,000 or more.
Although consistent with OMB guidance, NASA's universe of contract
dollars subject to a recovery auditing program continues to remain
relatively small, less than 20 percent of the total value of its
contracts. As part of its recovery auditing procedures, the contractor
will interview agency personnel and review applicable documentation to
gain an understanding of NASA's payment processes. NASA anticipates
reporting interim results of initial recoveries of contract
overpayments in its fiscal year 2007 PAR. Because the recovery auditor
had just begun work to develop and execute an approach for conducting
the recovery audit, we were unable to determine the reasonableness of
its methodology by the end of our fieldwork.
Conclusions:
Measuring improper payments and designing and implementing actions to
reduce them are not simple tasks and will not be easily accomplished.
USAID and NASA, under the umbrella of OMB's leadership, are working on
this issue. Further, while internal control should be maintained as the
front-line defense against improper payments, recovery auditing holds
promise as a cost-effective means of identifying contractor
overpayments. Preventing, identifying, and recovering improper payments
in that order are what is needed across government. Both USAID and NASA
have taken positive steps towards better implementation of improper
payments and recovery auditing requirements for fiscal year 2007.
Fulfilling the requirements of IPIA and the Recovery Auditing Act will
require sustained attention to implementation and oversight to monitor
whether desired results are being achieved.
Recommendations for Executive Action:
We are making a total of 10 recommendations to USAID and NASA to help
improve their efforts to implement IPIA and the Recovery Auditing Act
by focusing on performing risk assessments and reporting on efforts to
recover improper payments. Specifically, we recommend that the
Administrator, USAID,
* expand existing IPIA guidance to include detailed procedures for
addressing the four key steps--perform risk assessment, estimate
improper payments, implement a corrective action plan, annually report-
-that OMB requires agencies to perform in meeting the improper payment
reporting requirements;
* develop a risk assessment tool, such as a risk assessment matrix, to
determine if risks exist, what those risks are, and the potential or
actual impact of those risks on program operations;
* use the risk assessment tool to institute a systematic approach to
identify programs and activities susceptible to significant improper
payments under IPIA;
* maintain documentation of actions performed to address IPIA and the
Recovery Auditing Act requirements;
* develop a comprehensive recovery auditing program that is
specifically designed to identify overpayments to contractors that are
due to payment errors; and:
* adhere to OMB's guidance for reporting recovery auditing information
in the annual PAR.
We recommend that the Administrator, NASA,
* develop IPIA guidance to include detailed procedures for addressing
the four key steps--perform risk assessment, estimate improper
payments, implement a corrective action plan, annually report--that OMB
requires agencies to perform in meeting the improper payment reporting
requirements;
* as part of this guidance, incorporate the risk assessment methodology
developed by NASA's consulting firm to determine if risks exist, what
those risks are, and the potential or actual impact of those risks on
program operations;
* maintain documentation of actions performed to address IPIA and
Recovery Auditing Act requirements; and:
* adhere to OMB's guidance for reporting recovery auditing information
in its annual PAR.
Agency Comments and Our Evaluation:
We requested comments on a draft of this report from the Administrators
of USAID and NASA or their designees. These comments are reprinted in
their entirety in appendixes IV and V of this report. USAID did not
specifically respond to our recommendations. However, USAID suggested
expanding the definition of its Credit-Financing payment stream to
provide more details on the purpose and use of this funding mechanism,
which we incorporated as suggested. NASA concurred with all four of our
recommendations and indicated that it would develop IPIA guidance to
include detailed procedures to address the four key steps of IPIA,
including incorporating the risk assessment methodology developed by
its consulting firm. NASA noted that it has centralized its IPIA and
Recovery Auditing Act activities at the NASA Headquarters OCFO (which
will include responsibility for maintaining documentation to support
its activities) and stated that it will report recovery auditing
information in its PAR in accordance with OMB guidance. NASA also
provided technical comments on the draft, which have been incorporated
as appropriate.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its date. At that time, we will send copies of this report to the
Administrators of USAID and NASA and other interested parties. Copies
will also be available to others upon request. In addition, the report
is available at no charge on GAO's Web site at [hyperlink,
http://www.gao.gov].
If you or your staffs have any questions regarding this report, please
contact me at (202) 512-9095 or at williamsm1@gao.gov. Contact points
for our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report. Major contributors to this
report are listed in appendix VI.
Signed by:
McCoy Williams:
Director, Financial Management and Assurance:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of this review were to determine (1) the extent to which
USAID and NASA performed the required risk assessments to identify
programs and activities that were susceptible to significant improper
payments for fiscal year 2004 through fiscal year 2006, (2) steps USAID
and NASA have taken to recoup improper payments through recovery
audits, and (3) actions USAID and NASA have under way to improve their
IPIA and recovery audit reporting. The scope of our review included two
agencies, USAID and NASA.
To determine the extent to which USAID and NASA performed the required
risk assessments for fiscal years 2004 through 2006, we reviewed
improper payment legislation and OMB implementing guidance[Footnote
55]. For both agencies, we reviewed their PARs for fiscal years 2004
through 2006; reviewed internal guidance consisting of policies and
procedures to address cash disbursements, accounts payable, and
contract management; interviewed agency officials about the risk
assessment process; and, when available, obtained and reviewed
supporting documentation. In addition, we reviewed criteria for
conducting risk assessments in our Standards for Internal Control in
the Federal Government[Footnote 56] and executive guide on Strategies
to Manage Improper Payments: Learning from Public and Private Sector
Organizations[Footnote 57]. We also reviewed other agencies' PARs and
internal IPIA guidance to identify examples of risk factors used and
procedures followed when conducting their risk assessment process.
To determine steps USAID and NASA took to recoup improper payments
through recovery audits, we reviewed the Recovery Auditing Act and
Appendix C to OMB Circular No. A-123, Requirements for Effective
Measurement and Remediation of Improper Payments.[Footnote 58] For both
agencies, we reviewed their PARs for fiscal years 2004 through 2006 and
internal guidance over contract management and debt collection
activities. We also interviewed agency officials and their recovery
audit contractor about recovery auditing efforts and when available,
obtained and reviewed supporting documentation for recovery auditing
amounts reported in the PARs.
To determine actions USAID and NASA had under way to improve their IPIA
and recovery audit reporting, we interviewed agency officials and when
available, obtained supporting documentation of plans for fiscal year
2007 reporting. We also reviewed the agencies' fiscal year 2006 PARs,
Request for Proposal documents, and Statements of Work documents for
hired contractors.
To assess the reliability of USAID's and NASA's IPIA and recovery
auditing reporting, we talked to agency officials about data quality
control procedures and reviewed relevant documentation. For example, to
determine the reliability of USAID's payment inventory data for fiscal
year 2004, we tied USAID's total payment streams to the Statement of
Budgetary Resources included in the financial section of the agency's
PAR. For NASA, we applied alternative analytical procedures to assess
the reliability of NASA's payment data, as we did not receive a
breakout of the payment streams to tie directly to the Statement of
Budgetary Resources. We compared procurement obligations contained in
the annual procurement reports with NASA's net outlays in the Statement
of Budgetary Resources for fiscal year 2006. We matched the percentage
of obligations with information contained in our fiscal year 2007 High-
Risk Series,[Footnote 59] and found that fiscal year 2006 net outlays
comprised approximately 85 percent of obligations. We determined the
data were sufficiently reliable for the purposes of this report. We
requested comments on a draft of this report from the Administrators of
USAID and NASA or their designees. Written comments were received from
the Counselor to the Agency, USAID, and Deputy Administrator, NASA, on
October 26, 2007. USAID's and NASA's comments are reprinted in
appendixes IV and V. We conducted our work from September 2006 through
August 2007 in accordance with generally accepted government auditing
standards.
[End of section]
Appendix II: Types of Payment Streams Identified during United States
Agency for International Development's Risk Assessment:
For fiscal years 2004 through 2006, USAID based its improper payment
risk assessments on 11 payment streams--(1) Payroll, (2) Mission
Allowances, (3) Cash Transfers, (4) Travel, (5) Transportation, (6)
Training, (7) Other Operating Expenses, (8) Payments to Other Agencies,
(9) Credit-Financing Funds, (10) Revolving Funds, and (11) Contracts,
Grants, and Cooperative Agreements. A description of the 11 payment
streams, along with a definition of each, follow.
1. Payroll. This payment stream consists of all U.S. direct hire base
pay and related expenses, foreign national direct hire payroll,
retirement and benefits, all personal services contractor's payroll,
and all foreign national personal services contractor's payroll,
retirement, and benefits.
2. Mission Allowances. This payment stream consists of employee
allowances, cost of living, educational allowances, and home service
transfer allowances.
3. Cash Transfers. This payment stream consists of the agency's cash
transfers to the benefiting foreign countries as well as foreign
organizations. These payments are made and deposited via the U.S.
Treasury and/or the Federal Reserve Bank into the foreign government's
account as designated in the official agreement or treaty between the
U.S. and the foreign government.
4. Travel. This payment stream represents all travel expenses,
including travel costs incurred for educational language training,
evacuation, postassignment travel to field, home leave and rest and
relaxation, site visits to mission offices, conferences, seminars, and
meetings, and other operational travel.
5. Transportation. This payment stream consists of all transportation
and freight costs incurred to missions or headquarters and from
missions or headquarters.
6. Training. This payment stream consists of all costs incurred to
obtain technical and professional training, such as language training,
certification training for contract, project, and financial offices,
training support costs, and other technical and professional training.
7. Other Operating Expenses. This payment stream consists of other
expenses incurred by USAID to perform its work. Examples of other
operating expenses are supplies, local travel, conferences, and other
miscellaneous expenses that are deemed necessary for the successful
performance of USAID's work.
8. Payments to Other Agencies. This payment stream consists of all
payments made to other federal agencies for services and/or goods
received. Outlays include rental payments to the General Services
Administration for office and warehouse rent, payments to the Office of
Personnel Management for background investigation services, and
payments to the Defense Contract Audit Agency for federal audit
services.
9. Credit-Financing Funds. This payment stream is principally intended
for credit enhancement purposes and may be used where (a) the agency's
sustainable development objectives may best be achieved effectively
using credit, and (b) the risks of default may be reasonably estimated
and managed. It is a financing tool to be used in addition to or in
lieu of grant funding where appropriate. Credit financing funds
agreements will be utilized only when the partner is a non-sovereign
entity. No sovereign loan guarantees are permissible under existing
credit financing authorities. Credit financing shall be a demand-driven
initiative, with operating units having primary responsibility for
designing, authorizing, and implementing activities in support of
approved strategic objectives and within administration and
congressional priorities for assistance. Credit financing operations
require a clear separation of responsibility for assessing the
developmental soundness and the financial soundness of each activity,
with the latter responsibilities entrusted to a credit review board
within the agency. Credit financing shall not be used unless it is
probable that the transaction would not go forward without it, taking
into consideration whether such financing is available for the term
needed and at a reasonable cost.
10. Revolving Funds. This payment stream was created for a one-time
purchase of land and a building in fiscal year 2004. There were no
payments made from this account in either fiscal year 2005 or fiscal
year 2006.
11. Contracts, Grants, and Cooperative Agreements.
* Contract. A mutually binding legal relationship obligating the seller
to furnish the supplies or services (including construction) and the
buyer to pay for them. It includes all types of commitments that
obligate the government to an expenditure of appropriated funds and
that, except as otherwise authorized, are in writing. In addition to
bilateral instruments, contracts include (but are not limited to)
awards and notices of awards; job orders or task letters issued under
basic ordering agreements; letter contracts; orders, such as purchase
orders, under which the contract becomes effective by written
acceptance or performance; and bilateral contract modifications.
Contracts do not include grants and cooperative agreements.
* Grant. A financial support to accomplish a public purpose in the form
of money, or property in lieu of money from the federal government to
an eligible recipient.
* Cooperative Agreement.[Footnote 60] A financial support to accomplish
a public purpose in the form of money, or property in lieu of money,
from the federal government to an eligible recipient.
[End of section]
Appendix III: Types of Payment Streams Identified during National
Aeronautics and Space Administration's Risk Assessment:
For fiscal years 2004 and 2005, NASA based its improper payment risk
assessments on six payment streams--(1) firm-fixed-price contracts, (2)
incentive-fee contracts, (3) award-fee contracts, (4) cost-plus-fixed-
fee, (5) other contracts, and (6) grants. NASA did not conduct a risk
assessment for fiscal year 2006. Instead, NASA relied on its recovery
auditing work to determine that no programs and activities were
susceptible to significant improper payments. A description of the six
payment streams, along with a definition of each, follow.
1. Firm-fixed-price contracts provide for a price that is not subject
to any adjustment on the basis of the contractor's cost experience in
performing the contract. This contract type places upon the contractor
maximum risk and full responsibility for all costs and resulting profit
or loss. It provides maximum incentive for the contractor to control
costs and perform effectively and imposes a minimum administrative
burden upon the contracting parties. The contracting officer may use a
firm-fixed-price contract in conjunction with an award-fee incentive
and performance or delivery incentives when the award fee or incentive
is based solely on factors other than cost. The contract type remains
firm-fixed-price when used with these incentives.
2. Incentive-fee contracts:
a. Cost-plus-incentive-fee is a cost-reimbursement contract that
provides for an initially negotiated fee to be adjusted later by a
formula based on the relationship of total allowable costs to total
target costs. This contract type specifies a target cost, a target fee,
minimum and maximum fees, and a fee adjustment formula. After contract
performance, a fee payable to the contractor is determined in
accordance with the formula. The formula provides, within limits, for
increases in the fee above the target fee when total allowable costs
are less than target costs, and decreases in the fee below the target
fee when total allowable costs exceed target costs. This increase or
decrease is intended to provide an incentive for the contractor to
manage the contract effectively. When total allowable cost is greater
than or less than the range of costs within which the fee-adjustment
formula operates, the contractor is paid total allowable costs, plus
the minimum or maximum fee.
b. Fixed-price incentive contract is a fixed-price contract that
provides for adjusting profit and establishing a final contract price
by application of a formula based on the relationship of total final
negotiated cost to the total target cost. The final price is subject to
a price ceiling, negotiated at the outset. There are two types of fixed-
price incentive contracts--firm target and successive target contracts.
3. Award-fee contracts:
a. Cost-plus-award-fee is a cost-reimbursement contract that provides
for a fee consisting of (a) a base amount fixed at inception of the
contract, and (b) an award amount that the contractor may earn in whole
or in part during performance and that is sufficient to provide
motivation for excellence in such areas as quality, timeliness,
technical ingenuity, and cost-effective management. The amount of the
award fee to be paid is determined by the government's judgmental
evaluation of the contractor's performance in terms of the criteria
stated in the contract. This determination and methodology for
determining the award fee are unilateral decisions made solely at the
discretion of the government.
b. Fixed-price contracts with award fees (FP-AF), a fixed price
consisting of all estimated costs and profit is established at contract
award along with an additional, separate award fee amount. The fixed
price is paid for satisfactory performance; the award fee, if any, is
earned, for performance beyond that required. Procurement officer
approval is required for this type of contract. FP-AF combinations are
used when the government, although wanting to provide an incentive to
the contractor to deliver at an excellent or outstanding technical
level, is unable to define that level in quantitative terms, or when
metrics are not available or their use is not practical.
4. Cost-plus-fixed-fee is a cost-reimbursement contract that provides
for payment to the contractor of a negotiated fee that is fixed at the
inception of the contract. The fixed fee does not vary with actual
cost, but may be adjusted as a result of changes in the work to be
performed under the contract. This contract type permits contracting
for efforts that might otherwise present too great a risk to
contractors, but it provides the contractor only a minimum incentive to
control costs.
5. Other contracts:
a. Fixed-price redetermination provides for both a firm fixed price for
an initial period of contract deliveries or performance, and
prospective redetermination, at a stated time or times during
performance, of the price for subsequent periods of performance.
b. Fixed-price contracts with economic price adjustment provide for
upward and downward revision of the stated contract price upon the
occurrence of specified contingencies. Economic price adjustments are
of three general types: adjustments based on established prices,
adjustments based on actual costs of labor or material, and adjustments
based on cost indexes of labor or materials.
c. Cost, or cost-no-fee, is a contract where the contractor is
reimbursed allowable, allocable, and reasonable costs but receives no
fee. Generally, cost contracts are used for research and development
work performed by nonprofits and educational institutions, for
facilities contracts, and for research and development or production
contracts with for-profit contracts when they expect to derive some
commercial benefit from the contracts. These contracts provide little
incentive to the institution or contractor to control costs.
d. Cost-sharing contracts are cost-reimbursement contracts in which the
contractor receives no fee and is reimbursed only for an agreed-upon
portion of its allowable costs.
e. Labor-hour contracts are a variation of the time-and-materials
contract, differing only in that materials are not supplied by the
contractor.
f. Time-and-materials contracts provide for acquiring supplies or
services on the basis of (a) direct labor hours at specified fixed
hourly rates that include wages, overhead, general and administrative
expenses, and profit, and (b) actual cost for materials.
g. Other is a designation for any other contract types that are not
separately listed in the NASA annual procurement report. It is not a
federal acquisition regulation-recognized contract type.
h. Combination is not a separate contract type; it notes that a
particular contract consists of more than one contract type, e.g., a
cost-plus-award-fee contract and a cost-incentive-fee contract.
6. Grant is an award of financial assistance, including cooperative
agreements, in the form of money or property in lieu of money, by the
federal government to an eligible grantee. The term does not include
technical assistance which provides services instead of money, or other
assistance in the form of revenue sharing, loans, loan grantees,
interest subsidies, insurance, or direct appropriations. Also, the term
does not include assistance, such as a fellowship or other lump sum
award, which the grantee is not required to account for.
[End of section]
Appendix IV: Comments from the United States Agency for International
Development:
USAID:
From The American People:
U.S. Agency for International Development:
1300 Pennsylvania Avenue, NW:
Washington, DC 20523:
[hyperlink, http://www.usaid.gov]:
October 26, 2007:
Mr. McCoy Williams:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, D.C. 20548:
Dear Mr. Williams:
I am pleased to provide the U.S. Agency for International Development's
(USAID) formal response on the draft GAO report entitled Improper
Payments: Weaknesses in USAID's and NASA's Implementation of the
Improper Payments Information Act and Recovery Auditing (GAO-08-77).
The Office of the Chief Financial Officer reviewed the draft GAO report
(GAO-08-77) and has one recommendation at this time. Please expand the
Credit-Financing Funds definition located on page 60 to the following:
9. Credit Financing is principally intended for credit enhancement
purposes and may be used where (a) the Agency's sustainable development
objectives may best be achieved effectively using credit, and (b) the
risks of default may be reasonably estimated and managed. It is a
financing tool to be used in addition to or in lieu of grant funding
where appropriate. Credit financing funds agreements will be
utilized only when the partner is a non-sovereign entity. No sovereign
loan guarantees are permissible under existing Credit Financing
authorities. Credit Financing shall be a demand-driven initiative, with
Operating Units having primary responsibility for designing,
authorizing, and implementing activities in support of approved
strategic objectives and within Administration and Congressional
priorities for assistance. Credit Financing operations require a clear
separation of responsibility for assessing the developmental soundness
and the financial soundness of each activity, with the latter
responsibilities entrusted to a credit review board within the Agency.
Credit financing shall not be used unless it is probable that the
transaction would not go forward without it, taking into consideration
whether such financing is available for the term needed and at a
reasonable cost.
The Office of the Chief Financial Officer acknowledges that the Agency
will have 60 days to respond to GAO's Recommendations for Executive
Action once the final report is issued. Thank you for the opportunity
to respond to the GAO final report and for the courtesies extended by
your staff in the conduct of this review.
Sincerely,
Signed by:
Mosina H. Jordan:
Counselor to the Agency:
[End of section]
Appendix V: Comments from the National Aeronautics and Space
Administration:
National Aeronautics and Space Administration:
Office of the Administrator:
Washington, DC 20546-0001:
October 25, 2007:
Mr. McCoy Williams:
Director:
Financial Management and Assurance:
United States Government Accountability Office:
Washington, DC 20548:
Dear Mr. Williams:
Thank you for the opportunity to review and comment on the draft report
entitled "Improper Payments: Weaknesses in USAID's and NASA's
Implementation of the Improper Payments Information Act and Recovery
Auditing" (GAO-08-77), dated November 2007.
NASA appreciates the GAO noting that, "NASA has made significant
strides since its first year of IPIA implementation to improve its
approach for conducting risk assessments and other IPIA reporting
requirements." Also, GAO notes that "NASA...appears to have developed
an extensive methodology for conducting a risk assessment to identify
programs and activities susceptible to significant improper payments.
The steps taken thus far appear to align with our framework for
conducting a risk assessment to determine the nature and extent of
improper payments."
In its draft report, the GAO makes four recommendations to NASA aimed
at improving the Agency's efforts to implement the IPIA and the
Recovery Auditing Act by focusing on performing risk assessments and
reporting on efforts to recover improper payments.
Recommendation 1: Develop IPIA guidance to include detailed procedures
for addressing the four key steps – perform risk assessment, estimate
improper payments, implement a corrective action plan, annually report
– that OMB requires agencies to perform in meeting the improper payment
reporting requirements.
Response: NASA concurs with this recommendation. As noted in the GAO
report, the steps NASA has taken so far are intended to align with the
GAO framework for conducting a risk assessment. We will now prepare
detailed procedures as recommended to address the four key steps in
this process – perform risk assessment, estimate improper payments,
implement a corrective action plan, and annually report. We anticipate
completing this documentation during the second quarter of FY 2008.
Recommendation 2: As part of this guidance, incorporate the risk
assessment methodology developed by NASA's consulting firm to determine
if risks exist, what those risks are, and the potential or actual
impact of those risks on program operations.
Response: NASA concurs with this recommendation. NASA is pleased with
the methodology developed by its consultant for conducting the risk
assessment for FY 2007 and will include that methodology in its
guidance procedures in response to GAO's Recommendation 1.
Recommendation 3: Maintain documentation of actions performed to
address IPIA and Recovery Auditing Act requirements.
Response: NASA concurs with this recommendation. In FY 2007, NASA
changed its approach for complying with IPIA requirements and has now
centralized its activities at NASA Headquarters in the Office of the
Chief Financial Officer (OCFO). NASA has redirected resources more
effectively to achieve consistency and effective management of the
program. Maintaining appropriate documentation is being accomplished by
the OCFO at NASA Headquarters.
Recommendation 4: Adhere to OMB's guidance for reporting recovery
auditing information in its annual PAR.
Response: NASA concurs with this recommendation. NASA is prepared to
adhere to OMB's guidance for reporting recovery auditing information in
its annual PAR.
Technical comments to the draft report have been provided to GAO
separately.
My point of contact for this matter is Mr. Frank E. Petersen, III,
Director of the Office of Quality Assurance, OCFO. He may be contacted
by telephone at (202) 358-4772 or by e-mail at Frank.Petersen-1@nasa.gov.
Sincerely,
Signed by:
Shana Dale:
Deputy Administrator:
[End of section]
Appendix VI: GAO Contact and Staff Acknowledgments:
GAO Contact:
McCoy Williams, (202) 512-9095 or williamsm1@gao.gov:
Acknowledgments:
In addition to the contact named above, Carla Lewis, Assistant
Director; Francine DelVecchio; Lisa M. Galvan-Trevino; Estela Guerrero;
James Maziasz; Christina Quattrociocchi; Heather Rasmussen; Donell
Ries; Chris Rodriguez; and Viny Talwar made key contributions to this
report.
[End of section]
Footnotes:
[1] Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002).
[2] National Defense Authorization Act for Fiscal Year 2002, Pub. L.
No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec. 28,
2001) (codified at 31 U.S.C. §§ 3561-3567).
[3] GAO, Improper Payments: Agencies' Efforts to Address Improper
Payment and Recovery Auditing Requirements Continue, GAO-07-635T
(Washington, D.C.: Mar. 29, 2007).
[4] OMB Circular No. A-123 Appendix C, Requirements for Effective
Measurement and Remediation of Improper Payments (Aug. 10, 2006).
[5] IPIA defines improper payments as any payment that should not have
been made or that was made in an incorrect amount (including
overpayments and underpayments) under statutory, contractual,
administrative, or other legally applicable requirements. It includes
any payment to an ineligible recipient, any payment for an ineligible
service, any duplicate payment, payments for services not received, and
any payment that does not account for credit for applicable discounts.
[6] In general, the term contractors refers to contract activities
while the term grantees refers to assistance activities such as grants
and cooperative agreements. See appendixes II and III for a further
description of these funding mechanisms.
[7] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007); Financial Management Systems: Additional Efforts Needed
to Address Key Causes of Modernization Failures, GAO-06-184
(Washington, D.C.: Mar. 15, 2006).
[8] GAO, Afghanistan Reconstruction: Despite Some Progress,
Deteriorating Security and Other Obstacles Continue to Threaten
Achievement of U.S. Goals, GAO-05-742 (Washington, D.C.: July 28,
2005).
[9] GAO, Global Health: USAID Supported a Wide Range of Child and
Maternal Health Activities, but Lacked Detailed Spending Data and a
Proven Method for Sharing Best Practices, GAO-07-486 (Washington, D.C.:
Apr. 20, 2007); Financial Management: Sustained Effort Needed to
Resolve Long-Standing Problems at U.S. Agency for International
Development, GAO-03-1170T (Washington, D.C.: Sept. 24, 2003); Major
Management Challenges and Program Risks: U.S. Agency for International
Development, GAO-03-111 (Washington, D.C.: January 2003); Major
Management Challenges and Program Risks: U.S. Agency for International
Development, GAO-01-256 (Washington, D.C.: Jan. 1, 2001); and Financial
Management: Inadequate Accounting and System Project Controls at AID,
GAO/AFMD-93-19 (Washington, D.C.: May 24, 1993).
[10] U.S. Agency for International Development, Office of Inspector
General, Audit of USAID's Compliance With Federal Regulations in
Awarding the Contract for Security Services in Iraq to Kroll Government
Services International Inc., A-267-05-005-P (Washington, D.C.: Jan. 6,
2005).
[11] Special Inspector General for Iraq Reconstruction, Quarterly
Report and Semiannual Report to the United States Congress, (Arlington,
VA: July 30, 2007).
[12] Hearing before the Subcommittee on Federal Financial Management,
Government Information, and International Security, Committee on
Homeland Security and Governmental Affairs, United States Senate,
Improper Payments: Where Are Truth and Transparency in Federal
Financial Reporting, July 12, 2005 and Reporting Improper Payments: A
Report Card on Agencies' Progress, March 9, 2006. Hearing before the
Subcommittee on Federal Financial Management, Government Information,
Federal Services, and International Security, Committee on Homeland
Security and Governmental Affairs, United States Senate, Eliminating
and Recovering Improper Payments, March 29, 2007.
[13] OMB's implementing guidance includes a broad definition of
programs and activities subject to IPIA and allows agencies to
determine their program and activity inventory for the purposes of
performing a risk assessment. Two approaches agencies commonly use to
carry out their risk assessments include a review of program operations
or a review of payment activity or streams.
[14] In December 2004, OMB revised its Circular No. A-123, Management's
Responsibility for Internal Control, to provide guidance to federal
managers on improving the accountability and effectiveness of federal
programs and operations by establishing, assessing, correcting, and
reporting on management controls.
[15] In August 2006, OMB revised its IPIA implementing guidance. The
revision consolidates into Appendix C to OMB Circular No. A-123 three
memorandums previously issued by OMB. These memorandums are: M-03-07,
"Programs to Identify and Recover Erroneous Payments to Contractors,"
(Jan. 16, 2003); M-03-12, "Allowability of Contingency Fee Contracts
for Recovery Audits," (May 8, 2003); and M-03-13, "Improper Payments
Information Act of 2002 (Public Law 107-300)," (May 21, 2003). The
revised guidance is effective for agencies' fiscal year 2006 improper
payment estimating and reporting in the PARs or annual reports.
[16] IPIA does not mention the "exceeding the 2.5 percent of program
payments" threshold that OMB uses for identifying and estimating
improper payments.
[17] An example of an alternative sampling methodology includes
developing an annual error rate for a component of the program.
[18] The 15 agencies include 14 that were previously required to report
improper payments information under OMB Circular No. A-11, plus the
Department of Homeland Security. According to OMB, these 15 agencies
have programs and activities with the highest risk of improper
payments. With this PMA initiative, OMB has stated that it can better
ensure that those taxpayer dollars most susceptible to risk for
improper payments receive the greatest amount of focus and review.
[19] Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012,
1186 (Dec. 28, 2001) (codified at 31 U.S.C. §§ 3561-3567).
[20] See footnote 4.
[21] OMB's IPIA guidance states that the term program includes
activities or sets of activities recognized as programs by the public,
OMB, or the Congress, as well as those that entail program management
or policy direction. It also includes the activities engaged in by an
agency in support of its programs.
[22] We noted that for their risk assessments, five agencies used a
combination of programs and payment streams.
[23] USAID includes interagency agreements as part of the contracts,
grants, and cooperative agreements payment stream.
[24] The 11 payment streams were (1) payroll, (2) mission allowances,
(3) cash transfers, (4) travel, (5) transportation, (6) training, (7)
other operating expenses, (8) payments to other agencies, (9) credit-
financing funds, (10) revolving funds, and (11) contracts, grants, and
cooperative agreements.
[25] According to USAID officials, mission accounting stations perform
accounting services for other mission offices.
[26] Mission offices are organizational units within USAID that operate
under decentralized program authorities, allowing them to design and
implement programs and negotiate and execute agreements.
[27] Pub. L. No. 98-502, 98 Stat. 2327 (Oct. 19, 1984) (codified, as
amended, at 31 U.S.C. §§ 7501-7507). Under the Single Audit Act, as
amended, and implementing guidance, independent auditors audit state
and local governments and nonprofit organizations that expend federal
awards to assess, among other things, compliance with laws,
regulations, and the provisions of contracts or grant agreements
material to the entities' major federal programs. Organizations are
required to have single audits if they annually expend $500,000 or more
in federal funds.
[28] The four payment streams are payroll, travel, allowances, and
other.
[29] NASA defines a procurement action as any contractual action to
obtain supplies, services, or construction that increases or decreases
funds. A procurement action thus may be a new procurement or a
modification, such as a supplemental agreement, change order, or
termination to an existing contract that changes the total amount of
funds obligated.
[30] NASA centers are organizational components that support the
agency's space exploration objectives, scientific initiatives, and
aeronautics research.
[31] GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under
the Improper Payments Information Act Remains Incomplete, GAO-07-92
(Washington, D.C.: Nov. 14, 2006).
[32] The nine agencies are the Departments of Agriculture, Commerce,
Defense, Energy, Homeland Security, Interior, Justice, and Treasury,
and the Social Security Administration.
[33] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1. (Washington, D.C.: November 1999).
[34] GAO, Strategies to Manage Improper Payments: Learning From Public
and Private Sector Organizations, GAO-02-69G (Washington, D.C.: October
2001).
[35] GAO, Global Health: USAID Supported a Wide Range of Child and
Maternal Health Activities, but Lacked Detailed Spending Data and a
Proven Method for Sharing Best Practices, GAO-07-486 (Washington, D.C.:
Apr. 20, 2007).
[36] Department of Justice, USAID Vendor Agrees to Pay $1.2 Million To
Settle Overcharging Claim (Washington, D.C.: Dec. 28, 2005).
[37] U.S. Agency for International Development, Office of Inspector
General, $1.31 Million Recovered From Companies That Defrauded USAID
(Washington, D.C.: Oct. 14, 2005).
[38] National Aeronautics and Space Administration, Office of Inspector
General, Semiannual Report, April 1, 2006-September 30, 2006
(Washington, DC).
[39] National Aeronautics and Space Administration, Office of Inspector
General, Semiannual Report, October 1, 2004-March 31, 2005 (Washington,
DC).
[40] National Aeronautics and Space Administration, Office of Inspector
General, Letter to Honorable Thad Cochran, Committee on Appropriations
(Washington, D.C.: Dec. 20, 2005).
[41] Internal controls and legal requirements applicable to agency
payment processes are set out in Title 7, Fiscal Guidance, of GAO's
Policy and Procedures Manual for Guidance of Federal Agencies
(Washington, D.C.: May 18, 1993).
[42] NASA's officials stated that the contracting officer generally
reviews DCAA's audits of NASA contracts, but did not know what the
reviews entailed or their frequency.
[43] 31 U.S.C. §§ 3901-3907.
[44] See Appendix C to OMB Circular No. A-123, pt. II(D)(2).
[45] GAO-07-92.
[46] GAO/AIMD-00-21.3.1.
[47] Payment errors are errors resulting from duplicate payments;
errors on invoices or financing requests; failure to reduce payments by
applicable sales discounts, cash discounts, rebates, or other
allowances; payments for items not received; mathematical or other
errors in determining payment amounts and executing payments; and the
failure to obtain credit for returned merchandise.
[48] See footnote 4.
[49] NASA headquarters and the Stennis Space Flight center contract
payments were excluded from its table presentation of recovery audit
amounts reported in the fiscal year 2006 PAR. According to NASA,
headquarters payments were included with the Goddard Space Flight
center payment information. Also, the Stennis Space Flight center was
included in the recovery audit firm's scope of review, but NASA
inadvertently excluded the center from its table presentation. NASA
told us the Stennis Space Flight center had no reportable amounts for
recovery for fiscal year 2006.
[50] See footnote 14.
[51] We did not review USAID's implementation of laws and policies
under which accountable officers, such as payment certifying officers,
are held financially liable for improper payments. See 31 U.S.C. §
3528(a).
[52] The seven risk conditions include (1) financial processing and
internal controls, (2) internal monitoring and assessments, (3)
external monitoring and assessments, (4) human capital risk, (5)
programmatic risk, (6) nature of program payments, and (7) contract/
grant management.
[53] According to the consulting firm's report, it statistically tested
1,517 payment transactions totaling $71.8 million which is .7 percent
of the total value of payments included in the 5 payment categories,
which totaled approximately $10 billion.
[54] The recovery auditors reported that the contracts and data
reviewed for USAID for fiscal years 2003 through 2005 equaled
approximately $3 billion.
[55] OMB's implementing guidance effective for fiscal years 2004 and
2005 was OMB Memorandum M-03-13 "Improper Payments Information Act of
2002 (Public Law 107-300)" (May 21, 2003). For fiscal year 2006
reporting, agencies were required to follow Appendix C to OMB Circular
No. A-123, Requirements for Effective Measurement and Remediation of
Improper Payments.
[56] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1. (Washington, D.C.: November 1999).
[57] GAO, Strategies to Manage Improper Payments: Learning From Public
and Private Sector Organizations, GAO-02-69G (Washington, D.C.: October
2001).
[58] OMB's guidance also includes a section on recovery auditing
requirements.
[59] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007).
[60] The involvement of USAID's program office dictates the type of
financial support instrument to be awarded. If the program office is
substantially involved (i.e., start to finish) in the award process,
the instrument awarded is called a cooperative agreement. If the
program office is not substantially involved (i.e., only involved when
needed) in the award process, the instrument awarded is called a grant.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, DC 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, jarmong@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, DC 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, DC 20548:
