Financial Management: Strategies to Address Improper Payments at
HUD, Education, and Other Federal Agencies (03-OCT-02,
GAO-03-167T).
This testimony discusses (1) how internal control weaknesses make
the departments of Housing and Urban Development (HUD) and
Education vulnerable to, and in some cases have resulted in,
improper and questionable payments and (2) strategies these and
other federal agencies can use to better manage their improper
payments. Despite a climate of increased scrutiny, most improper
payments associated with federal programs continue to go
unidentified as they drain taxpayer resources away from the
missions and goals of our government. GAO found that both HUD and
Education lacked fundamental internal controls over their
purchase card programs that would have minimized the risk of
improper purchases. Combined with a lack of monitoring,
environments were created at HUD and Education where improper
purchases could be made with little risk of detection. One of the
most important internal controls in the purchase card process is
the review of supporting documentation and approval of each
purchase by the approving official. Another control that is
effective in helping to prevent improper purchases is the
blocking of certain merchant category codes. This control,
available as part of the agencies' purchase card contracts with
the card issuing financial institutions, allows agencies to
prohibit certain types of purchases that are clearly not business
related.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-03-167T
ACCNO: A05234
TITLE: Financial Management: Strategies to Address Improper
Payments at HUD, Education, and Other Federal Agencies
DATE: 10/03/2002
SUBJECT: Accountability
Financial management
Internal controls
Strategic planning
Credit sales
Credit
Federal procurement
Erroneous payments
Financial Management: Strategies to Address Improper Payments at
HUD, Education, and Other Federal Agencies (03-OCT-02,
GAO-03-167T).
This testimony discusses (1) how internal control weaknesses make
the departments of Housing and Urban Development (HUD) and
Education vulnerable to, and in some cases have resulted in,
improper and questionable payments and (2) strategies these and
other federal agencies can use to better manage their improper
payments. Despite a climate of increased scrutiny, most improper
payments associated with federal programs continue to go
unidentified as they drain taxpayer resources away from the
missions and goals of our government. GAO found that both HUD and
Education lacked fundamental internal controls over their
purchase card programs that would have minimized the risk of
improper purchases. Combined with a lack of monitoring,
environments were created at HUD and Education where improper
purchases could be made with little risk of detection. One of the
most important internal controls in the purchase card process is
the review of supporting documentation and approval of each
purchase by the approving official. Another control that is
effective in helping to prevent improper purchases is the
blocking of certain merchant category codes. This control,
available as part of the agencies' purchase card contracts with
the card issuing financial institutions, allows agencies to
prohibit certain types of purchases that are clearly not business
related.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-03-167T
ACCNO: A05234
TITLE: Financial Management: Strategies to Address Improper
Payments at HUD, Education, and Other Federal Agencies
DATE: 10/03/2002
SUBJECT: Accountability
Financial management
Internal controls
Strategic planning
Credit sales
Credit
Federal procurement
Erroneous payments
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-03-167T
FINANCIAL MANAGEMENT
Strategies to Address Improper Payments at HUD, Education, and Other
Federal Agencies Statement of Linda Calbom Director, Financial Management
and Assurance
United States General Accounting Office
GAO Testimony Before the Subcommittee on Government Efficiency,
Financial Management and Intergovernmental Relations, House of
Representatives
For Release on Delivery Expected at 2: 00 p. m. Thursday, October 3, 2002
GAO- 03- 167T
1
Mr. Chairman and Members of the Subcommittee: I am pleased to be here
today to discuss (1) how internal control weaknesses we have noted make
the departments of Housing and Urban Development (HUD) and Education
vulnerable to, and in some cases have resulted in, improper and
questionable payments and (2) strategies these and other federal agencies
can use to better manage their improper payments. We are reporting our
findings on HUD for the first time today. We previously reported our
Education findings in a number of reports and testimonies. 1 In addition,
we issued an executive guide,
Strategies to Manage Improper Payments: Learning from Public and Private
Sector Organizations, 2 last October, which we will also focus on in this
testimony.
The federal government of the United States * the largest and most complex
organization in the world * expends approximately $2 trillion a year. As
the steward of taxpayer dollars, it is accountable for how its agencies
and grantees spend those funds, and is responsible for safeguarding
against improper payments by the government*payments that should not have
been made or that were made for incorrect or excessive amounts.
Improper payments are a widespread and significant problem receiving
increased attention not only in the federal government but also among
states, foreign governments, and private sector companies. As you know,
the President*s Management Agenda, Fiscal Year 2002, included five
governmentwide initiatives, one of which is improved financial
performance. This financial management initiative calls for the
administration to establish a baseline on the extent of erroneous
payments. 3 Under it, agencies were to include information on improper
payment rates in their 2003 budget submissions to the Office of Management
and Budget (OMB), including actual and target rates if available for
benefit and assistance programs over $2 billion annually. Legislation that
you sponsored, Mr. Chairman, and which is currently being considered by
the Senate (H.R. 4878), calls for more stringent requirements in the areas
of improper payment review and reporting than the President*s Management
Agenda.
Specifically, it requires agency heads to (1) review all programs and
activities that they administer, and identify those areas that may be
susceptible to improper
1 U. S. General Accounting Office, Financial Management: Internal Control
Weaknesses Leave Department of Education Vulnerable to Improper Payments,
GAO- 01- 585T (Washington, D. C.: Apr 3, 2001); Financial Management: Poor
Internal Control Exposes Department of Education to Improper Payments,
GAO- 01- 997T (Washington, D. C.: July 24, 2001); and Education Financial
Management: Weak Internal Controls Led to Instances of Fraud and Other
Improper Payments, GAO- 02- 406, (Washington, D. C.: Mar 28, 2002). 2 U.
S. General Accounting Office, Strategies to Manage Improper Payments:
Learning from Public
and Private Sector Organizations, GAO- 02- 69G (Washington, D. C.: October
2001). 3 Because of the similarity of the Office of Management and
Budget*s definition of erroneous payments
to our definition of improper payments, we consider the terms synonymous.
2
payments, (2) estimate the annual amount of improper payments, and (3)
where they exceed the lesser of 1 percent of the total program budget or
$1 million annually, report actions the agency is taking to reduce
improper payments.
In our executive guide, we identified practices that government and
private sector organizations in the United States. and abroad have used to
combat improper payments. Despite a climate of increased scrutiny, most
improper payments associated with federal programs continue to go
unidentified as they drain taxpayer resources away from the missions and
goals of our government. They occur for many reasons, including
insufficient oversight or monitoring, inadequate eligibility control, and
automated system deficiencies. However, one point is clear based on our
study*the root causes of improper payments can typically be traced to a
breakdown in or lack of internal control. Collectively, internal controls
are an integral component of an organization*s management that provides
reasonable assurance that the organization achieves the objectives of (1)
effective and efficient operations, (2) reliable financial reporting, and
(3) compliance with laws and regulations. Internal controls are not one
event, but a series of activities that occur throughout an entity*s
operations and on an ongoing basis. People make internal controls work,
and responsibility for good internal controls rests with all managers.
Both HUD and Education have histories of financial management problems,
including serious internal control weaknesses, which have affected their
ability to provide reliable financial information to decision makers both
inside and outside the agencies and to maintain the financial integrity of
their operations. Because of this, we have designated Education*s student
financial assistance programs and HUD*s single family and multifamily
housing programs as high-risk areas for waste, fraud, abuse, and
mismanagement. 4 We have also identified weak internal controls as a major
factor contributing to improper payments at other agencies and have issued
reports and testimonies on this topic, including several to this
subcommittee on the Department of Defense*s purchase card and travel card
programs. 5
4 U. S. General Accounting Office, Major Management Challenges and Program
Risks, Department of Housing and Urban Development, GAO- 01- 248
(Washington, D. C.: January 2001); Major Management Challenges and Program
Risks, Department of Education GAO- 01- 245 (Washington, D. C.: January
2001); and High- Risk Series: An Update, GAO- 01- 263, (Washington, D. C.:
January 2001). 5 U. S. General Accounting Office, Purchase Cards: Control
Weaknesses Leave Two Navy Units
Vulnerable to Fraud and Abuse, GAO- 01- 995T (Washington, D. C.: July 30,
2001); Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable
to Fraud and Abuse, GAO- 02- 32 (Washington, D. C.: Nov 30, 2001);
Purchase Cards: Continued Control Weaknesses Leave Two Navy Units
Vulnerable to Fraud and Abuse, GAO- 02- 506T (Washington, D. C.: Mar 13,
2002); and Government Purchase Cards: Control Weaknesses Expose Agencies
to Fraud and Abuse, GAO- 02- 676T (Washington, D. C.: May 1, 2002).
3
In order to carry out our improper payments reviews at HUD and Education,
we identified disbursement processes at those agencies that would be
highly susceptible to improper payments. 6 Based on this analysis, we
focused our reviews on (1) HUD*s purchase card and multifamily property
payment processes and (2) Education*s grants and loans, purchase card, and
third party draft payment processes. 7 Our work at both of these agencies
was designed to (1) determine if the existing controls provided reasonable
assurance that improper payments would not occur or would be detected in
the normal course of business and (2) determine if expenditures were
properly supported as a valid use of government funds. Our work at
Education was also designed to determine if computer equipment purchased
with purchase cards and third party drafts was being included in
Education*s inventory and appropriately safeguarded.
Our work at Education is complete, but our HUD work is ongoing. In the
second phase of that work, we will continue to review multifamily
disbursements and will also assess single family program payments to
management and marketing contractors that maintain and sell single family
houses owned by HUD. We will also follow up on physical control of
computer equipment as we did at Education.
To accomplish our two separate reviews of HUD and Education, we used data
mining techniques 8 and other computer analyses to identify unusual
transactions and payment patterns that may be indicative of improper
payments. Our review included the $181.4 billion in grants and loans
disbursed by Education from May 1998 through September 2000, $214 million
of payments made by HUD during fiscal year 2001 for goods and services to
support multifamily properties, $22 million of purchase cards purchases
made by Education from May 1998 through September 2000, and $10 million of
purchase cards purchases made by HUD during fiscal year 2001. 9 We
conducted our work in accordance with generally accepted government
auditing standards, as well with investigative standards established by
the President*s Council on Integrity and Efficiency.
6 We did not focus on HUD*s rental housing assistance program because HUD
is estimating improper payments for the program, and the HUD OIG and GAO
have performed extensive work in that area. 7 Our testimony today
generally will not address third party drafts, since Education eliminated
that
payment process in fiscal year 2001. However, we will discus the results
of our inventory of computers and computer equipment purchased with third
party drafts. 8 Data mining for improper payments involves using computer-
aided auditing techniques to identify
hidden patterns and relationships in data that are indicators of unusual
transactions, which may be improper payments. 9 Due to separate
congressional requests, the period of our review at Education differed
from that for
HUD.
4
In my testimony today I will discuss
poor controls over purchase cards and how they resulted in some
fraudulent, improper, and questionable purchases at HUD and Education;
the failure of controls over Education*s grants disbursement process to
detect certain improper payments;
the lack of monitoring of a key HUD contractor and how it resulted in
improper payments; and
strategies that HUD, Education, and other federal agencies can use to
manage improper payments.
The benefits of using purchase cards versus traditional contracting and
payment processes are lower transaction processing costs and less *red
tape* for both the government and the vendor community. We support the use
of a well-controlled purchase card program to streamline the government*s
acquisition processes. However, it is important that agencies have
adequate internal controls in place to protect the government from fraud,
waste, and abuse. We found that both HUD and Education lacked fundamental
internal controls over their purchase card programs that would have
minimized the risk of improper purchases. For example, both agencies had
inconsistent and inadequate pre-approval and review processes for purchase
card transactions * key preventive and detective controls.
Combined with a lack of monitoring, environments were created at HUD and
Education where improper purchases could be made with little risk of
detection. Inadequate controls over these expenditures, along with the
inherent risk of fraud and abuse associated with purchase cards, likely
contributed to the $4.0 million of fraudulent, improper, and questionable
purchases we identified at HUD and Education through our data mining
efforts.
According to our Standards for Internal Control in the Federal Government,
10 transactions and other significant events should be authorized and
executed only by persons acting within the scope of their authority.
Although pre-approval and review of transactions by persons in authority
is the principal means of assuring that transactions are valid, we found
that the pre-approval and review process for purchase card purchases was
inadequate at both HUD and Education.
During our review of HUD and Education*s purchase card programs, we found
that department personnel did not consistently obtain pre-approval prior
to making
10 Standards for Internal Control in the Federal Government (GAO/ AIMD-
00- 21. 3.1), which was prepared to fulfill our statutory requirement the
Federal Managers* Financial Integrity Act, provides an overall framework
for establishing and maintaining internal control and for identifying and
addressing major management challenges and areas at greatest risk of
fraud, waste, abuse, and mismanagement.
Poor Controls over Purchase Cards Resulted in Some Fraudulent, Improper,
and Questionable Purchases at HUD and Education
5
some or all purchases, as required by the departments* policies. According
to HUD*s October 30, 1995, purchase card policy, the approving official is
required to establish a pre-approval process for each cardholder to ensure
that purchases have the necessary technical approval or clearance before
purchases are made and that all transactions are appropriate and for
official use only. However, during our review we found that only the
Information Technology Office routinely obtained authorization prior to
purchasing items with the purchase card. Similarly, at the Department of
Education, we found that 10 of its 14 offices did not require cardholders
to obtain authorization prior to making some or all purchases, although
Education*s policy required that all requests to purchase items over
$1,000 be made in writing to the applicable department executive officer.
One of the most important internal controls in the purchase card process
is the review of supporting documentation and approval of each purchase by
the approving official. Approving officials at both HUD and Education are
required to review each monthly statement of purchases along with the
applicable supporting documentation and certify that these purchases were
appropriate, in accordance with department regulations, and a valid use of
government funds. Based on our testing of both HUD and Education*s
approving officials* review of monthly purchase card statements, we found
that this key control was not an effective means of detecting improper
purchases. At HUD, we selected a stratified random sample of 222 purchase
card transactions made during fiscal year 2001, and found that $1.4
million, or about 77 percent, of the $1.8 million of sampled purchases
lacked adequate support for the approving official to determine what was
purchased, whether the purchase was previously authorized, and if there
was a legitimate government need for the items purchased. 11 We found
similar problems at Education. To test the effectiveness of Education*s
approving officials* review, we analyzed 5 months of cardholder statements
and found that 37 percent of the 903 monthly cardholder statements we
reviewed were not approved by the appropriate official. These 338
unapproved statements totaled about $1.8 million.
Another control that is effective in helping to prevent improper purchases
is the blocking of certain merchant category codes (MCC). This control,
available as part of the agencies* purchase card contracts with the card
issuing financial institutions, allows agencies to prohibit certain types
of purchases that are clearly not business related, such as purchases from
jewelry stores or entertainment establishments. During our reviews, we
noted that, initially, neither HUD nor Education was effectively using the
MCC*s as a preventive control. HUD was not blocking any MCCs and Education
blocked only four MCCs. As a result, there
11 Based on our testing, we estimate that $4, 678, 689 (plus or minus
$678,806) of the total $10 million in purchase card transactions made
during fiscal year 2001 lacked adequate supporting documentation. Our
estimate is based on a 95 percent confidence level and a tolerable error
rate of $1, 059, 046 (10 percent of the population total of $10,590, 461).
6
were almost no restrictions on the types of purchases employees could make
during the period of our audit. Both agencies took action to block more of
the MCCs after we began our reviews of their purchase card programs.
Our Standards for Internal Control in the Federal Government state that
internal control should generally be designed to assure that ongoing
monitoring occurs in the course of normal operations. Internal control
monitoring should assess the quality of performance over time and ensure
that findings of audits and other reviews are promptly resolved. Program
and operational managers should monitor the effectiveness of control
activities as part of their regular duties. HUD*s purchase card policy
requires the department to perform annual program reviews and report the
results, including findings and recommendations, to the purchase card
program administrator. However, HUD officials could locate only one such
report. This November 2001 report, prepared by a consultant, identified
problems that were similar to the findings previously reported 12 by the
Office of Inspector General (OIG) in February 1999. Both reports
documented problems with weak internal controls and insufficient
supporting documentation. The consultant*s report also noted that HUD was
not performing the periodic program reviews required by its policies and
that employees were making improper split purchases. HUD management agreed
with the findings in the OIG report and developed and implemented an
action plan to address the identified weaknesses. According to HUD OIG
staff, its recommendations were implemented and have been closed. However,
based on our findings, corrective actions taken at that time were not
fully effective.
At the time of our review, Education did not have a monitoring system for
purchase card activity to determine whether its staff was complying with
key aspects of the purchase card program. We also found that approving
officials at Education did not use monitoring reports that were available
from its purchase card contractor to identify unusual or unauthorized
purchases. However, as I will discuss later, the department subsequently
issued new policies and procedures that, among other things, establish a
quarterly quality review of a sample of purchase card transactions to
ensure compliance with key aspects of the department*s policy.
The types of internal control weaknesses that I have just described
created environments where improper purchases could be made with little
risk of detection and likely contributed to the $4 million of fraudulent,
improper, and questionable purchases we identified through our data mining
efforts at both HUD
12 Department of Housing and Urban Development Office of Inspector
General, Commercial Credit Card Program, 99-DP-166-0001 (Washington, D.C.:
Feb 1, 1999).
7
and Education. We also found that property purchased with purchase cards
was not always recorded in Education*s property records, which likely
contributed to missing or stolen property. This could also be an issue at
HUD based on our preliminary inquiries into its property management
system.
I will now provide a few examples of how employees used their purchase
cards to make fraudulent, improper, and questionable purchases. We
considered fraudulent purchases to be those that were unauthorized and
intended for personal use. Improper payments include errors, such as
duplicate payments and miscalculations; payments for services not
rendered; multiple payments to the same vendor for a single purchase to
circumvent existing single purchase limits * known as split purchases; and
payments resulting from fraud and abuse. We defined questionable
transactions as those that, while authorized, were for items purchased at
excessive costs, for questionable government need, or both, as well as
transactions for which the departments could not provide adequate
supporting documentation to enable us to determine whether the purchases
were valid.
In May 2002, we provided HUD with 5,459 transactions, totaling about $3.8
million in which the (1) payee appeared to be an unusual vendor to be
engaging in commerce with the agency, (2) purchase was made on either a
holiday or weekend, or (3) purchase appeared to be a split purchase. As of
September 2002, HUD was able to provide adequate support for 3,428 of
these questionable transactions, totaling about $1.5 million. HUD could
not provide adequate supporting documentation to enable us to assess the
propriety of the remaining 2,031 transactions totaling about $2.3 million,
or 38 percent of the total questionable transactions and 61 percent of the
total dollars requested. For these transactions, HUD could not provide
support to determine what was purchased, whether it was authorized, and
whether there was a legitimate government need for the item purchased.
These purchases included (1) 1,183 questionable vendor transactions
totaling about $869,000, (2) 31 purchases made on holidays totaling about
$10,000, (3) 264 weekend purchases totaling about $354,000; and (4) 541
potential improper split transactions totaling about $1 million.
Some examples of questionable vendor transactions for which we did not
receive adequate support included (1) over $27,000 to various department
stores, such as Best Buy, Circuit City, Dillard*s, JC Penny, Lord &
Taylor, Macys, and Sears, (2) over $8,900 to several music and audio
stores, including Sound Craft Systems, J&R*s Music Store, Guitar Source,
and Clean Cuts Music, and (3) over $9,700 to various restaurants, such as
Legal Sea Foods, Levis Restaurant, The Cheesecake Factory, and TGI
Fridays. Additional examples of questionable or improper purchases we
found included $25,400 of *no show* hotel charges for HUD employees who
did not attend scheduled training and $21,400 of purchases from vendors
where it appears the vendors were out of business prior to the purchases.
8
Because HUD was unable to provide adequate documentation for these
purchases, we consider them to be questionable uses of government funds
and therefore potentially improper purchases.
In order to identify potential improper payments in Education*s purchase
card program, we requested supporting documentation for (1) 338 monthly
statements totaling $1.8 million that our testing of the approval function
identified as not properly approved, and (2) other transactions,
identified using data mining techniques, that appeared unusual. Education
was unable to provide adequate supporting documentation to enable us to
determine the validity of purchases totaling over $218,000.
Education could not provide any support for more than $152,000 of these
purchases nor could it specify what was purchased, why it was purchased,
or whether these purchases were appropriate. For the remaining $66,000,
Education was able to provide only limited supporting documentation. As a
result, we were unable to assess the validity of these payments, and we
consider these purchases to be potentially improper. These inadequately
supported or unsupported purchases included charges to various hotels for
more than $3,000, purchases of computer equipment and software totaling
more than $22,000, and charges for various college and other training
courses totaling about $51,000. Numerous other purchases were made from
home electronics and appliance stores as well as toy, book, and furniture
stores.
In our review of the documentation Education did provide, we identified
some fraudulent, improper, and questionable purchases. Examples of these
include the following:
In one instance, a cardholder made several fraudulent purchases from two
Internet sites for pornographic services. As a result, Education
management issued a termination letter, prompting the employee to resign.
Over several years, an Education employee made improper charges totaling
$11,700 for herself and a coworker to attend college classes that were
unrelated to Education*s mission, such as biology, music, and theology. 13
This same individual also had numerous questionable charges for other
college classes totaling $24,060.
There were restaurant charges totaling $4,427 from a Year 2000 focus
group meeting in San Juan, Puerto Rico, for meals for nonfederal
employees. We
13 The Government Employees Training Act, 5 U.S.C. 4103 and 4107, requires
that training be related to an employee*s job and prohibits expenditures
to obtain a college degree unless necessitated by retention or recruitment
needs, which was not the case here.
9
referred additional charges of this same nature totaling approximately
$45,000 to Education*s OIG. 14
Another type of improper purchase we identified is the *split purchase,*
which we defined as purchases made on the same day from the same vendor
that appear to circumvent single purchase limits. Federal Acquisition
Regulation prohibits splitting a transaction into more than one segment to
avoid the requirement to obtain competitive bids for purchases over the
$2,500 micro-purchase limit. At HUD, we identified 88 improper purchases
totaling about $112,000 where employees made multiple purchases from a
single vendor on the same day in excess of the $2,500 micro-purchase
threshold. For example, one cardholder purchased nine personal digital
assistants and the related accessories from a single vendor on the same
day in two separate transactions just 5 minutes apart. Because the total
purchase price of $3,788 exceeded the cardholder*s single purchase limit
of $2,500, the purchase was split into two transactions of $2,388 and
$1,400, respectively. We identified 451 additional purchases totaling
$893,000 where HUD employees made multiple purchases from a vendor on the
same day in excess of $2,500. Although we were unable to determine whether
these purchases were improper, based on the available supporting
documentation, these transactions share similar characteristics with the
88 split purchases we identified.
We also found improper split purchases at Education. For example, one
cardholder from Education purchased two computers from the same vendor at
essentially the same time. Because the total cost of these computers
exceeded the cardholder*s $2,500 single purchase limit, the total of
$4,184.90 was split into two purchases of $2,092.45 each. We found 27
additional purchases totaling almost $120,000 where Education employees
improperly made multiple purchases from a vendor on the same day.
In addition to poor internal controls over the purchase card program, we
found that Education lacked appropriate physical controls and segregation
of duties over computer equipment purchased with purchase cards and third
party drafts. According to the Education Inspector General, the department
had not taken a comprehensive physical inventory for at least 2 years
before our review. Further, one office lacked appropriate segregation of
duties where responsibility for receiving, bar coding, securing the
equipment, and delivering computers to the end users was done by only two
individuals. According to our Standards for Internal Control in the
Federal Government, an agency must establish physical control to secure
and safeguard vulnerable assets. Such assets should be
14 These additional estimated charges were identified by an Education
official. Under 31 U. S. C. 1345, appropriated funds may not be used to
pay the costs of non- federal individuals to attend meetings unless
otherwise specifically authorized by law. 5 U. S. C. 5703 allows the
federal government to pay the costs of non- federal individuals to attend
meetings if the attendees are providing direct services to the government.
Education could not provide us with evidence that this was the case.
10
periodically counted and compared to control records. Recording the items
purchased in property records is an important step to ensuring
accountability and financial control over these assets and, along with
periodic inventory counts, to preventing theft or improper use of
government property. At Education, we found that employees regularly
purchased computers using their purchase cards, which was a violation of
the department*s policy prohibiting the use of purchase cards for this
purpose. From May 1998 through September 2000, the period covered by our
audit, Education made purchases totaling more than $2.9 million from
personal computer and computer-related equipment vendors. To determine
whether this computer equipment was appropriately recorded in the
department*s inventory, we compared serial numbers obtained from the
department*s largest computer vendor to those in the asset management
system and identified 384 pieces of computer equipment, including desktop
computers, printers, and scanners, that were not in the property records.
We conducted an unannounced inventory to determine whether the equipment
was actually missing or inadvertently omitted from the property records.
Although we found 143 pieces of equipment during this inventory that were
not recorded on Education*s books, and an additional 62 items were later
found by Education, department officials have been unable to locate the
remaining 179 pieces of missing equipment costing over $200,000. They
surmised that some of these items may have been surplused; however, there
is no documentation to determine whether this assertion is valid.
According to Education officials, new policies were implemented that do
not allow individual offices to purchase computer equipment without the
consent of the Office of the Chief Information Officer. In addition, the
new policies were designed to maintain control over the procurement of
computers and related equipment, including
purchasing computers from preferred vendors that apply the department*s
inventory bar code label and record the serial number of each computer on
a computer disk that is sent directly to the Education official in charge
of the property records;
loading the computer disk containing the bar code, serial number, and
description of the computer into the property records; and
having an employee verify that the computers received from the vendor
match the serial numbers and bar codes on the shipping documents and the
approved purchase orders.
While these are very positive steps, a continued lack of adequate physical
control could negate the effectiveness of these new procedures. For
example, during a follow-up visit to Education, we found that the doors to
the various rooms used to store computer equipment waiting to be installed
were both unlocked and
11
unattended. Without enhanced physical security, Education will continue to
be at risk for further computer equipment losses.
We also have concerns about HUD*s accountability for computer and related
equipment purchased with purchase cards because of the large volume of
purchases for which it did not have appropriate documentation. In these
cases, HUD likely does not know what was purchased, why it was purchased,
whether there was a legitimate government need for the item purchased, and
where the item is now. For example, HUD employees used their purchase
cards to purchase portable assets such as computer equipment and digital
cameras, totaling over $74,500, for which they have provided either no
support or inadequate support. Further, in its purchase card remedial
action plan, which I will discuss further shortly, HUD stated that not all
property is entered in its automated property inventory system. When these
purchases are not entered in an agency*s inventory system, they become
more vulnerable to loss or theft. In our follow-up work, we plan to
determine whether these items are included in HUD*s inventory and are
being appropriately safeguarded.
In April 2002, OMB issued a memorandum requiring all agencies to develop
remedial action plans to manage the risk associated with purchase card
usage. Agencies were required to submit their plans to the Office of
Federal Procurement Policy no later than June 1, 2002. Both HUD and
Education submitted their plans to OMB on time. While Education*s plan was
accepted by OMB and addressed the findings and recommendations in our
September 2001 interim report and final Education report, HUD*s plan was
rejected because it lacked a timeline for when the corrective actions
would be implemented. This plan also did not address key weaknesses we
identified.
HUD submitted a new plan to OMB on August 28, 2002. While the revised
remedial action plan includes a broad timeline for when each objective
will be completed, we found that it still does not adequately address key
control weaknesses we identified, in part because it lacks specific steps
necessary to fully address identified problem areas. For example, HUD*s
plan recognizes that monitoring of purchasing activities and the frequency
of internal audits are areas that need improvement. However, the plan does
not address developing and implementing a robust review and approval
function for purchase card transactions, focusing on identifying split
purchases and other inappropriate transactions. Further, this plan does
not timely address some of the other serious weaknesses we found. For
example, the revised remedial plan does not require the program
administration staff to begin designing a monitoring plan to assess HUD*s
compliance with key aspects of its purchase card policy until the second
quarter of fiscal year 2003 and does not give an estimated completion date
for when this key internal control will be implemented. Additionally, the
revised plan Effectiveness of
Remedial Action Plans and Other Recent Steps to Curb Purchase Card Abuse
Is Mixed
12
does not specifically identify who is responsible for developing or
implementing any of the proposed improvements. We will be issuing a
separate letter to HUD that will include recommendations to address these
and other issues we identified during our review of its purchase card
program.
In contrast, Education*s plan specifically addresses the findings and
recommendations in our September 2001 interim report and final Education
reports. These recommendations included (1) emphasizing policies on
appropriate use of the purchase card and cardholder and approving official
responsibilities, (2) ensuring that approving officials are trained on how
to perform their responsibilities, and (3) ensuring that approving
officials review purchases and their supporting documentation before
certifying the statements for payment. Education took actions to respond
to these recommendations, such as (1) reducing monthly and single purchase
spending limits, (2) blocking over 300 MCCs, (3) implementing a new
approval process, and (4) issuing new policies and procedures.
However, during our follow-up work at Education, we found that weaknesses
remained that continued to leave the department vulnerable to fraudulent
and improper payments and lost assets. For example, the effectiveness of
the department*s new approval process was minimized because approving
officials were not ensuring that adequate supporting documentation existed
for all purchases. According to Education, it has since implemented a
quarterly monitoring program to assess compliance with key aspects of the
purchase card program. As discussed in our Executive Guide, which I will
cover later, managing improper payments is a continuous cycle and
includes, among other things, constant monitoring of the effectiveness of
implemented controls and adjustments to these controls as warranted by
monitoring results.
Education*s grant and loan disbursement process relies on computer systems
application controls, or edit checks, to help ensure the propriety of
payments. We focused our review on these edit checks and related controls
because they are key to helping prevent or detect improper payments in an
automated process. As we testified in July 2001, 15 controls over grant
and loan disbursements at Education did not include a key edit check or
follow-up process that would help identify schools that were disbursing
Pell Grants to ineligible students. To identify improper payments that may
have resulted from the absence of these controls, we performed a variety
of tests, including a test to identify students 70 years of age and older
because we did not expect large numbers of older students to be
15 U.S. General Accounting Office, Financial Management: Poor Internal
Control Exposes Department of Education to Improper Payments, GAO-01-997T
(Washington, D. C.: July 24, 2001). Controls over Education*s
Grants Disbursement Process Failed to Detect Certain Improper Payments
13
receiving Pell Grants. 16 Our review also built upon earlier work where we
identified abuses in the Pell Grant program. 17 Based on the initial
results of our tests and because of the problems we identified in the
past, we expanded our review of seven schools that had disproportionately
high numbers of older students to include recipients 50 years of age and
older. We found that three schools fraudulently disbursed about $2 million
in Pell Grants to ineligible students, and another school improperly
disbursed about $1.4 million in Pell Grants to ineligible students. We
also identified 31 other schools that had similar disbursement patterns to
those making the payments to ineligible students. These 31 schools
disbursed approximately $1.6 million of Pell Grants to potentially
ineligible students. We provided information on these schools to Education
for follow-up.
Education*s staff and officials told us that they have performed ad hoc
reviews in the past to identify schools that disbursed Pell Grants to
ineligible students and have recovered some improper payments as a result.
However, Education did not have a formal, systematic process in place
specifically designed to identify schools that may be improperly
disbursing Pell Grants. In our September 2001 interim report, we
recommended that the Secretary of Education (1) establish appropriate edit
checks to identify unusual grant and loan disbursement patterns and (2)
design and implement a formal, routine process to investigate unusual
disbursement patterns identified by the edit checks.
Education subsequently implemented an age limit edit check of 75 years of
age or older. If the student*s date of birth indicates that he or she is
75 years of age or older, the system edit will reject the application and
the school will not be authorized to give the student federal education
funds until the student either submits a corrected date of birth or
verifies that it is correct. However, without also looking for unusual
patterns and following up, the edit may not be very effective, other than
to correct data entry errors or confirm older students applying for aid.
Education also implemented a new system, called the Common Origination and
Disbursement (COD) system, which became operational in April 2002.
Education officials told us that this integrated system will replace the
separate systems Education has used for Pell Grants, direct loans, and
other systems containing information on student aid, and it will integrate
with applicant data in the application processing system. The focus of COD
is to improve program and data integrity. If properly implemented, a
byproduct of this new system should be
16 A Pell Grant is a form of financial aid that is awarded to
undergraduate students who have not earned bachelor*s or professional
degrees, and who are enrolled in degree or certificate programs. 17 U.S.
General Accounting Office, Student Financial Aid Programs: Pell Grant
Program Abuse, GAO/T-OSI-
94-8 (Washington, D.C.: Oct 27, 1993).
14
improved controls over grant and loan disbursements. According to
Education officials, they will be able to use COD to identify schools with
characteristics like those we identified. However, until there is a
mechanism in place to investigate schools once unusual patterns are
identified, Education will continue to be vulnerable to the types of
improper Pell Grant payments we identified during our review.
We performed several additional tests of Education*s disbursements to
identify potentially improper grant and loan payments that may not have
been detected because of missing or ineffective edit checks. In addition
to Pell Grant payments to students 70 years of age and older, we
identified $28.8 million of other potentially improper grant and loan
payments made by more than 1,800 schools to students who (1) were much
older or younger than would be expected, (2) had social security numbers
(SSN) that were either not in Social Security Administration (SSA)
database or were in SSA death records, or (3) received Pell Grants in
excess of statutory limits. Based on supporting documentation provided to
us by Education, we determined that $20.3 million of these payments were
proper. However, Education did not provide adequate supporting
documentation to enable us to determine the validity of the remaining $8.5
million of payments made by these schools. Although Education officials
told us that they requested supporting documentation from the
approximately 1,800 schools that disbursed these funds, over 1,000 schools
did not provide the documentation, and documentation provided by some of
the schools was inadequate for independent verification of the validity of
these payments.
According to Education officials, if a school that did not provide support
or provided inadequate support had only a small number of potential
improper payments, the department did not follow up because it did not
consider doing so a wise use of its resources. We agree that Education
should weigh the costs of resources required to follow up on potential
improper payments with the benefits that could be obtained when making
such decisions. However, 20 of the schools that did not provide support or
provided inadequate support had from 20 to 138 instances of these
potential improper payments totaling $1.5 million.
While the amount of improper and potentially improper grant and loan
payments we identified is relatively insignificant compared to the
billions of dollars disbursed for these programs annually, it represents a
control risk that could easily be exploited to a greater extent. As I will
discuss later, once such a risk has been identified, appropriate control
activities need to be implemented to respond to it.
In addition to the recommendations that I have already discussed, we
previously recommended that Education (1) conduct on-site investigations,
including interviews of school personnel and students, at the 28 schools
with characteristics
15
similar to those we found that improperly disbursed Pell Grants to
determine whether the grants were properly disbursed, (2) follow up with
the schools that had high concentrations of the $12 million in potential
improper payments for which the department did not provide adequate
supporting documentation, and (3) implement a process to verify borrowers*
SSNs and dates of birth submitted by schools to Loan Origination System
(LOS). While Education has implemented a process to verify borrowers* SSNs
and dates of birth submitted by schools to LOS, the other two
recommendations remain open.
Internal control standards state that monitoring should assess the quality
of performance over time and ensure that review findings are promptly
resolved. Due to a lack of monitoring, the internal controls of the HUD
multifamily housing program*s payment processes do not provide reasonable
assurance that improper payments would be identified and corrected in the
normal course of business. As we testified in July 2002, HUD has a limited
ability to effectively monitor its contractors and as I am about to
discuss, this left HUD vulnerable to abusive billing practices by its
property management firms. 18
HUD contracts with two property management firms, which are given a great
deal of autonomy, to manage the operation of its multifamily properties,
19 including apartment projects, nursing homes, and hospitals. These
management firms are charged with initiating property renovations, hiring
on-site staff, selecting vendors and certifying the acceptable delivery
and performance of these activities. The vendors that provide the goods
and services at the HUD properties submit their invoices to the property
management firm for payment by HUD. The management firm forwards the
invoices and required supporting documentation to another HUD contractor
that maintains the department*s property management system, provides a
limited cursory review of the supporting documentation, and pays the
vendors. HUD pre-approval for payment of these goods and services is not
required when (1) the vendor*s estimate will cost less than agreed upon
dollar thresholds, which, depending upon the property management company,
are as high as $50,000, or (2) an emergency situation exists that affects
or endangers the health and/or safety of residents or property. The
property manager is also not required to obtain competitive bids when the
work is done to correct an emergency situation. Generally, the contractor
that pays the vendors obtains a daily E-mail authorization from HUD prior
to disbursing the funds. However, unless the amount exceeds the
predetermined thresholds, HUD does not routinely review documentation
supporting the payments and does not verify that the work was actually
performed.
18 U. S. General Accounting Office, HUD Management: HUD*s High- Risk
Program Areas and Management Challenges, GAO- 02- 869T (Washington, D. C.:
July 24, 2002).
19 In addition, HUD and the Massachusetts Housing Finance Agency have an
agreement for the disposition and interim management of select HUD-owned
multifamily properties in Boston. This pilot project was not implemented
for other state housing agencies. Lack of Monitoring of a
Key HUD Contractor Resulted in Improper Payments
16
Given the fairly broad delegation of authority to these contractors, it is
important that HUD have effective processes for monitoring performance and
the propriety of payment. We found that HUD did not comply with its
monitoring policy to perform quarterly, on-site inspections and management
reviews of its multifamily housing projects and had incomplete guidance on
how to do so. Inspections and reviews were not conducted at the majority
of multifamily properties and HUD could not provide documentation for some
of the limited reviews and inspections that HUD officials said were
performed. We found no on-site inspection guidance in the multifamily
handbook, which establishes the policies and procedures to be followed by
the multifamily staff.
In two instances where HUD did conduct and document reviews of one of the
property management firms, it did not follow up on or promptly resolve its
findings. Based on these two reviews of the purchasing practices of the
property management firm, HUD documented concerns about the (1) amount of
money being disbursed to a limited number of construction companies with
little control in place to ensure fair and reasonable prices and (2)
unusually high number of emergency renovations made by this management
firm. Yet HUD continued to authorize payments of over $8 million to these
construction companies after it was known that the property management
firm was not selecting these companies in accordance with provisions of
its contract that required obtaining competitive quotes from several
vendors, even for purchases below the $50,000 pre-approval threshold.
Obtaining competitive quotes helps ensure that the government pays a
reasonable price for goods and services.
The property management firm told HUD that the vendors it used were the
only ones that would work in the neighborhoods where the properties were
located, and that other vendors did not feel comfortable with HUD*s vendor
payment process. HUD*s staff accepted this explanation without independent
verification. Had HUD followed up on their findings, it may have
discovered what we found * funds being disbursed for alleged emergency
goods and services that were not received or performed.
Using computerized data mining techniques, we analyzed the $214 million of
multifamily property payments made during fiscal year 2001 to identify
potentially improper payments that could have resulted from HUD*s lack of
contractor oversight. The majority of the questionable disbursements
identified by our analyses were for transactions initiated by one of the
two management firms. Hence, we concentrated our efforts on HUD
disbursements for this firm*s transactions. Based on our data mining and
reviews of the supporting documentation, we determined that a vice
president and maintenance director of this property management firm, on
numerous occasions circumvented HUD
17
controls by (1) alleging that construction renovations were emergencies,
thus not requiring multiple bids or HUD pre-approval, and (2) splitting
renovations into multiple projects to stay below the $50,000 threshold of
HUD-required approval. Over 18 months HUD authorized and paid for
approximately $10 million of renovations, of which each invoice was for
less than $50,000, at two properties where the above-mentioned maintenance
director was employed. HUD did not verify that any of the construction
renovations were actually performed or determine whether the emergency
expenditures constituted such a classification.
The following examples of improprieties, which are now being investigated
by the HUD OIG and our Office of Special Investigations, could have been
prevented or detected had HUD performed its contractor monitoring
responsibilities. During June 2001, the maintenance director of the
property management company falsified documents that indicated that 15,000
square feet of concrete sidewalk, at a cost of $227,500, was replaced and
classified these repairs as an emergency. To remain below the HUD
threshold of $50,000, the property management maintenance director had the
vendor submit five separate invoices, each for $45,500, for the
replacement of 3,000 square feet of concrete sidewalk in front of five
buildings. HUD*s contractor paid all five invoices. Based on our site
visits and conversation with the maintenance director, we determined the
square footage billed for sidewalk replacement had not actually been
replaced. Figure 1 illustrates how only portions (the lighter shaded
sections) of the sidewalk were replaced and not the entire sidewalk as was
listed on the paid invoices.
Figure 1: HUD Improper Payments With the assistance of an independent
construction firm, we hired, we determined that only about one-third of
the work HUD paid for was actually performed. As a
18
result, more than $164,000 of the $227,500 billed and paid for *emergency*
installation of concrete sidewalk appears to be fraudulent.
At this same property, we found instances where HUD paid construction
companies for certain apartment renovations, deemed *emergency repairs,*
that were not made. Three of the 10 tenants we interviewed told us that
some work listed on the invoice that the property management firm
submitted was not performed at their homes. For instance, while an invoice
indicated that the apartment floor and closet doors had been replaced at a
cost of $10,400, the tenant stated that the floors and doors were never
replaced.
On several other occasions, HUD paid the same amount to perform *emergency
renovations* of apartments of varying sizes and, more than likely, in
differing degrees of disrepair. For example, HUD paid three identical
$32,100 invoices for the emergency renovation of a one bedroom (600square
feet), a two bedroom (800 square feet) and a three bedroom (1000 square
feet) apartment. All three invoices listed the exact work performed. For
example, each invoice listed a $4,500 cabinet fee, yet the one bedroom
unit had five fewer cabinets than the three bedroom dwelling. We and the
independent construction firm we hired questioned the validity of the same
charge for units of varying sizes and the likelihood of numerous
apartments being in identical condition and in need of the same extensive
renovations.
When confronted with these disparities, the property management company*s
maintenance director told us that although he did not have any
documentation to support it, he kept mental notes of work that was billed
and not performed and had the construction company perform additional
unbilled renovations, rather than revising original emergency invoices.
Our review of the maintenance director*s files found multiple
*boilerplate* copies of signed receiving reports, indicating that
acceptable emergency work had been done, that had yet to be awarded to
vendors, further evidence of ongoing improprieties.
We will be providing formal recommendations to HUD to address these
issues, as well as other acquisition management challenges, in a separate
report to be issued in November 2002.
Now I would like to talk about some of the things that HUD, Education, and
other federal agencies can do to address their improper payments
comprehensively. As we recently reported, 20 our review of improper
payments reported in agency financial statements over the past 3 years
shows some change in individual
20 U. S. General Accounting Office, Financial Management: Coordinated
Approach Needed to Address the Government*s Improper Payments Problems,
GAO- 02- 749 (Washington, D. C.: Aug 9, 2002)
Strategies to Manage Improper Payments
19
agencies and programs, but little change in the total amount over the
period. While the total reported amount has decreased from about $20.7
billion in fiscal year 1999 to $19.1 billion in fiscal year 2001, these
figures do not give a true picture of the level of improper payments in
federal programs and activities. As significant as the $19 billion in
improper payments is, the actual extent of improper payments government
wide is unknown, likely to be billions of dollars more, and will likely
grow without concerted, coordinated efforts by agencies, the
administration, and the Congress.
As we have seen, weak or nonexistent internal controls can result in a
variety of improper payments that can affect an agency*s ability to
achieve its goals. Attacking the problem of improper payments requires
strategies tailored to the organization involved and its particular risks.
To identify effective practices and provide case illustrations and other
information for federal agencies to consider when addressing improper
payments, we contacted public and private sector organizations and talked
with them about actions they had taken and considered effective in
reducing improper payments. Participants were the Department of Health and
Human Services* Health Care Financing Administration; 21 the Social
Security Administration; the Department of Veterans Affairs; the states of
Illinois, Texas, and Kentucky; the governments of Australia, New Zealand,
and the United Kingdom; and three private sector corporations. Our
executive guide, Strategies to Manage Improper Payments: Learning from
Public and Private Sector Organizations, issued last year, highlights the
actions taken by these organizations. We categorized the actions into the
five components of internal control outlined in the Comptroller General*s
Standards for Internal control in the Federal Government. We defined these
components as follows:
Control environment*creating a culture of accountability by establishing
a positive and supportive attitude toward improvement and achievement of
established program outcomes.
Risk assessment*performing comprehensive reviews and analyses of program
operations to determine if risks exist and if so, their nature and extent.
Control activities*taking actions to address identified risk areas and
help ensure that management*s decisions and plans are carried out and
program objectives are met.
Information and communications*using and sharing relevant, reliable and
timely financial and nonfinancial information in managing activities
related to improper payments.
21 The Health Care Financing Administration was renamed the Centers for
Medicare and Medicaid Services in July 2002.
20
Monitoring*tracking improvement initiatives over time, and identifying
additional actions needed to further improve program efficiency and
effectiveness.
I will address each of these control activities briefly in turn, giving
examples that illustrate their use in combating improper payments. While I
will discuss these activities separately, it is important to remember that
managing improper payments typically requires continuous interaction among
these areas.
Perhaps the most significant of the elements critical to identifying,
developing and implementing activities to reduce improper payments is the
control environment. Top officials, whether in government or the private
sector, and oversight bodies such as legislatures, set the stage for
change with clearly established expectations and demands for improvement.
Many of the officials we met with in the course of our work told us that
without the clearly established demands and expectations for improvement
by top management and legislators, little would have happened to
effectively reduce fraud and errors in their programs. In addition, while
top management sets the tone for cultural change, all personnel must buy
into this change and work to achieve its overall goals.
The cultural change fostered by an effective control environment stresses
the importance of improvement and efficient and effective program
operations while maintaining a balance with concerns about privacy and
information security in a world where computers and electronic data are
indispensable to making payments. In the oversight and legislative arena,
it involves initiatives such as those in the
President*s Management Agenda, as I discussed earlier and legislation such
as that introduced by you, Mr. Chairman, which requires comprehensive
improper payment reviews and reporting.
Interest in the amount of improper payments at the organizations that
participated in our study often resulted from program, audit or media
reports of misspent funds or fraudulent activities. As the magnitude of
improper payments became known, government officials and legislative
bodies faced increased pressure to reduce them.
In Texas, for instance, the legislature was instrumental in changing in
the state*s benefit programs after reports of improper payments in the
Medicaid program that ranged from $365 million to $730 million as well as
in the Temporary Assistance to Needy Families and Food Stamps programs,
estimated at a total of $222.4 million. Lawmakers sought to reduce these
improper payments by mandating specific actions that included use of
computer technology to deter fraud and abuse. Control Environment:
Instilling a Culture of Accountability
21
The government has led the way in setting the stage for changes in the
United Kingdom. Following Comptroller and Auditor General reports stating
that the government did not know enough about the level of fraud in its
benefits programs, Parliament required the Department of Work and Pensions
(DWP) to improve measurement of fraud in its programs. DWP conducted a
benefit review from which the government estimated that $3 billion per
year were lost to known fraud. The government further noted that if all
suspicions of fraud were well founded, the figure could be as high as $10
billion per year. DWP proposed a strategy to reform the welfare system and
reduce improper payments.
Through the process, Parliament has stayed actively involved, enacting
legislation to allow data sharing between government agencies and
departments. In addition, the Treasury requires departments to disclose
irregular expenditures arising from erroneous benefit awards and fraud by
claimants. Further, the Comptroller and Auditor General qualified his
opinion on DWP*s fiscal years 1995 through 2000 financial statements
because of the level of fraud and error identified in the benefit
programs. This served to reinforce the message that high levels of
improper payments are unacceptable.
At the day-to-day level, improper payments resulting from miscalculation
and other errors often receive inadequate attention. Centrelink, a
*one-stop shop* that pays a variety of Australian government benefits,
found through audit reports that up to 30 percent of its work was rework.
The organization*s management responded by implementing a *Getting it
Right* strategy in 2000, setting out the roles and responsibilities of
managers and team leaders as well as minimum standards for the staff to
apply when making payment decisions. Centrelink distributed posters and
mouse pads to reinforce the *Getting it Right* message. Centrelink*s Chief
Executive Officer has stated that she expects the implementation of the
strategy to result in a reduction of improper payments as well as
continued timeliness in payments to beneficiaries.
Study participants successfully used the following strategies to create a
control environment that instilled a culture of accountability over
improper payments, and could also be used at federal agencies:
Provide leadership in setting and maintaining the agency*s ethical code
of conduct and in ensuring proper behavior under the code.
Provide a cultural framework for managing risk by engaging everyone in
the organization in the risk management process.
Increase accountability by establishing goals for reducing improper
payments for major programs.
Foster an atmosphere that regards improper payments as unacceptable.
22
Among the organizations we studied, pressures from oversight entities and
top management were instrumental in creating change. The President*s
Management Agenda and the previously mentioned legislation help define and
communicate the need for improvement. By being transparent in redefining
the culture, oversight entities and top management can set expectations
and obtain agreement on the need for change from individuals managing
day-to-day program activities. This culture of accountability is necessary
to begin the critical next step in managing improper payments, the risk
assessment process.
Strong systems of internal control provide reasonable assurance that
programs are operating as intended and are achieving expected outcomes. A
key step in gaining this assurance is conducting a risk assessment. This
involves comprehensively reviewing and analyzing program operations to
determine where risks lie and what they are, and then measuring the
potential or actual effect of those risks on program operations.
The information developed during a risk assessment forms the foundation
from which management can determine the corrective actions needed and
provides baseline information for measuring progress. Specific
methodologies for managing risk vary by organization depending on mission
and the difficulty in quantifying and defining risk levels. In addition,
because economic, governmental, industrial, regulatory, and operating
conditions continually change, risk assessments should be updated to
identify and address any new risks. The organizations that participated in
our study found that conducting risk assessments to determine the nature
of their improper payments was essential to helping them focus on the most
significant problem and determine what needed to be done to address it.
While many federal agencies do not perform risk assessments, some do. The
Department of Health and Human Services, for example, began reporting an
annual estimate of improper payments in the Medicare fee-for-service
program in 1996. In fiscal year 2001, it reported estimated improper
Medicare fee-for-service payments of $12.1 billion, or about 6.3 percent
of such benefits. This analysis and reporting has led to the
implementation of several initiatives to identify and reduce improper
payments, including working with medical providers to ensure that medical
records support billed services.
HUD also measures improper payments in its housing assistance programs,
reporting $1.87 billion in fiscal year 2000 and $2 billion in fiscal year
2001. HUD has taken actions to identify the risks associated with these
programs and is working to refine the procedures currently used to obtain
more useful information. HUD has not, however, done risk assessments in
other disbursement areas. Risk Assessment:
Determining the Nature and Extent of the Problem
23
A thorough risk assessment allows organizations to target high-risk areas,
focusing limited resources where the greatest exposure exists. The
Illinois Department of Public Aid (IDPA), for instance, found that it had
a payment accuracy rate of 95 percent. Its payment accuracy review
identified errors and their causes that allowed IDPA to focus its
attention on the 5 percent of inaccurate payments. In doing so, it
discovered that of the $37.2 million spent for nonemergency transportation
services, $11.55 million, or 31 percent, was estimated to be in error.
This discovery led to a series of actions to address this problem.
Government agencies in other countries have also used payment accuracy
reviews to identify high-risk areas. For instance, the United Kingdom*s
DPW uses the results of rolling program reviews to determine levels of
fraud and error in its Income Support and Jobseeker*s Allowance benefit
programs. These reviews quantify the amount of fraud and error affecting
benefit claims and are used to target areas for prevention and detection.
Participants in our study used the following strategies successfully to
assess risk and determine the nature and extent of improper payments. We
believe that federal agencies should also consider these strategies to
address improper payments.
Institute a systematic process to estimate the level of improper
payments being made by the organization.
Based on this process, determine where risks exist, what those risks
are, and the potential or actual effect of those risks on program
operations.
Use the results of the risk assessment to target high-risk areas and
focus resources where the greatest exposure exists.
Reassess risks on a recurring basis to evaluate the effect of changing
conditions, both external and internal, on program operations.
Assessing risk allows an organization to set goals and target its efforts
to reduce improper payments. Having developed such a framework, an
organization can then proceed to determine which control activities to
implement to reduce risks and, ultimately, fraud and errors.
Control activities are the policies, procedures, techniques, and
mechanisms that are designed to help ensure that management*s decisions
and plans are carried out. Once an organization has identified and
quantified the risks in its operations, and management has set a goal for
reducing the risks, the organization must take action to achieve that
goal. Control activities used by organizations to address Control
Activities:
Taking Action to Address Identified Risk Areas
24
improper payments vary depending on risks faced; objectives; managerial
judgment; size and complexity of the organization; the operational
environment; sensitivity of data; and requirements for system reliability,
availability, and performance. Control activities can include both
prepayment and post payment mechanisms.
Given the large volume of federal payments, it is generally more efficient
to prevent improper payments rather than attempt to recover overpayments
that have already been made. Recognizing, however, that some overpayments
are inevitable, agencies should adopt effective detection techniques to
identify and recover them. These techniques can range from sophisticated
computer analyses of program data to post award contract audits and are
dictated by the type of payment activity that presents the most risk in a
particular organization. They include the following:
data sharing, which allows organizations to compare information from
different sources to help ensure that payments are appropriate;
data mining, which analyzes data for relationships that were previously
unknown;
neural networking, which analyzes associations and patterns among data
elements;
recovery auditing, which is the practice of identifying and recovering
overpayments using payment file information;
contract audits, which verify that payments are being made in accordance
with contract terms and applicable regulations, and
prepayment investigations, in which contradictory information is
investigated before payment is made.
Data sharing, data mining, and neural networking techniques are powerful
internal control tools that provide useful, timely access to information.
Using these techniques can provide potentially significant savings by
identifying reporting errors and misinformation before payments are made
or by detecting improper payments already made. However, more extensive
use of personal information in an evolving technological environment
raises new questions about privacy and how it should be protected. In the
federal arena, these techniques must be implemented consistent with the
protections of the Privacy Act of 1974, as amended by the Computer
Matching and Privacy Protection Act of 1988, and other privacy statutes.
These techniques are an example of the types of activities that our study
participants found useful. For example, in 1995, the United Kingdom
formalized data matching between government organizations. It reported
that through March of 2000, it had saved about $450 million dollars.
Further, from April 1999
25
through March 2000, data matches identified 217,000 inconsistencies for
investigation, resulting in another $53 million in benefit savings. In the
United States, SSA shares information with federal agencies through more
than 15 data matches to prevent and detect fraud. SSA estimates that it
saves approximately $1.5 billion each year for other agencies through data
these data matches. In its own programs, SSA estimates that it saves $350
million annually for Old Age and Survivors Insurance and Disability
Insurance and $325 million annually for Supplemental Security Income
through the use of data matching.
While data matching or sharing gives an organization the means to compare
data from different sources, data mining offers a tool to review and
analyze diverse data. The IDPA, for instance, had identified one of its
risk areas as health care providers who were billing in excess of 24 hours
in a single day. Using its data mining capability, the Illinois OIG
identified 18 providers who had billed in excess of 24 hours for at least
1 day during a 6-month period. A number of these providers were already
under investigation for other program violations. As a result of this
analysis, the OIG planned to refer serious cases to law enforcement
agencies and take administrative action against less serious violators.
Neural networking analyzes associations and patterns among data elements,
allowing an organization to find relationships that can result in new
queries. In Texas, models used with neural networking technology
identified fraudulent patterns from large volumes of medical claims and
patient and provider history data. Such models can help identify
perpetrators of both known and unknown fraud schemes by analyzing
utilization trends, patterns, and complex interrelationships in the data.
The state currently has models for physicians and dentists and plans to
initiate a model for pharmacies.
Recovery auditing, which came into use about 30 years ago, has a
long-standing record in the private sector, and more recently, in the
federal government. 22 More extensive use of recovery auditing could offer
federal agencies an opportunity to prevent and detect improper payments.
One private sector company that participated in our study contracted with
a recovery audit firm to review its accounts payable files. The company*s
own systems had found no errors in these files, yet the review resulted in
the recovery of $8 million in improper payments. Subsequently, the company
began to use recovery auditing techniques on accounts payable information
to prevent improper payments, through such things as identifying potential
duplicate payments. During our visit, this system identified and avoided a
duplicate payment of $136,000 from the reports generated by the recovery
audit software. In addition, as a result of using
22 Section 831 of Pub. L. 107- 107 requires executive agencies that enter
into contracts totaling greater than $500 million in a fiscal year to have
a program for recovering any amounts erroneously paid to contractors,
including the use of recovery audits.
26
recovery auditing before payments are made, the company identified and
stopped the processing of $41 million in duplicative wire payments. The
particular software this company uses also identifies the employees making
the errors so that they can be trained appropriately.
The organizations that participated in our study used the following
strategies successfully to identify and address risks. We believe these
same strategies could be used successfully by federal agencies.
Based on an analysis of the specific risks facing the organization, and
taking into consideration the nature of the organization and the
environment in which it operates, determine which types of control
activities would be most effective in addressing the identified risks.
Where in-house expertise is not available, investigate the possibility
of contracting activities out to firms that specialize in specific areas,
such as recovery auditing and neural networking.
Perform cost-benefit analyses of potential control activities before
implementation to help ensure that the cost is not greater than the
potential benefit.
Ensure that personnel involved in developing, maintaining, and
implementing control activities have the requisite skills and knowledge,
recognizing that staff expertise needs to be frequently updated in
evolving areas such as information technology and fraud investigation.
Recognize and consider the importance of privacy and information
security issues when developing and implementing control activities.
An agency*s internal control activities should be flexible, weigh costs
and benefits, and be tailored to an agency*s needs. Once control
activities are in place, the internal control cycle continues with the
prompt communication of information that managers need to help them carry
out these activities and run their operations efficiently and effectively.
Those responsible for managing and controlling program operations need
relevant, reliable, and timely financial and nonfinancial information to
make operating decisions, monitor performance, and allocate resources.
This information can be obtained through a variety of sources using a wide
range of data collection methodologies. The organizations that
participated in our study used internal and external sources to obtain the
information they needed. Further, these sources varied widely, from
multiple computer databases to periodic meetings.
The need for information and communication also extends beyond
organizational boundaries. Many of the governmental programs with improper
payments are Information and
Communications: Using and Sharing Knowledge to Manage Improper Payments
27
benefit programs that involve recipients and providers of services.
Organizations in our study developed educational programs to assist these
participants in understanding eligibility and other requirements, and for
service providers, information on issues including common claim filing
errors.
For instance, in 1997 Texas implemented several initiatives to educate new
medical providers before they enroll in the Texas Medicaid program. Each
new provider receives a hand-delivered package with information on claim
filing, helpful tips, and instructions on how to use the automated phone
system for inquiries. Three months after the provider is enrolled, a field
representative from Medicaid evaluates a sample of the provider*s claims
and revisits the provider to answer questions and discuss any problems
noted in the claims sample.
In another example, Australia*s Health Insurance Commission (HIC)
implemented a feedback program to provide medical practitioners with
regular information about their own benefit authorization, patient
demographics, and comparative statistical information showing services
rendered and the dollar value of benefits paid. All 32,000 practitioners
receive correspondence once a year from HIC. While at first most
practitioners did not realize that HIC was able to accumulate and analyze
this information, the program has now become an effective deterrent to
wrongdoing as well as a desired source of information to medical
providers. Some practitioners have asked for additional information or
statistics prior to the annual feedback report. HIC has since established
an on-line feedback and statistics site for general practitioners, 2,100
of whom accessed their reports online in 1999.
Coordination and cooperation with local law enforcement and other sources
outside an agency can also establish an infrastructure conducive to
preventing and detecting fraud. The IDPA OIG established a Fraud and Abuse
Executive (FAE) whose objective is to be a conduit among internal and
external parties for all fraud issues. As a result of cooperation between
the Illinois State Police, one bank, and the FAE, thousands of dollars in
fraudulent payments were stopped and a number of perpetrators were
arrested.
Organizations that participated in our study used the following strategies
to help them effectively use and share knowledge to manage improper
payments. These strategies could also be used by federal agencies.
Determine what information is needed by managers to meet and support
initiatives aimed at reducing improper payments.
Ensure that necessary information provided to managers is accurate and
timely.
28
Provide managers with timely feedback on applicable performance measures
so they can use the information to manage their programs effectively.
Develop educational programs to assist program participants in
understanding program requirements.
Ensure that there are adequate means of communicating with, and
obtaining information from, external stakeholders that may have a
significant effect on improper payment initiatives.
Develop working relationships with other organization to share
information and pursue potential instances of fraud or other wrongdoing.
Communications are effective when information flows up, down, and across
an organization. In addition to internal communications, management should
ensure that there are adequate means to give and obtain information from
external parties who could have an effect on the agency*s goals. Moreover,
effective information technology management is critical. Managers need
operational and financial data to monitor whether they are meeting their
agency*s goals with appropriate resources.
Monitoring focuses on assessing the quality of an organization*s
performance over time and on promptly resolving problems identified either
through separate program evaluations or audits. Evaluation of an
organization*s programs and its successes in meeting its established goals
and in identifying additional actions is an integral element of
performance measurement and continued improvement in operations. Once an
organization has identified its risks related to improper payments and
undertaken activities to reduce these risks through internal controls,
monitoring performance allows the organization to gauge how well its
efforts are working.
When Illinois had assessed the risk of improper payments in its Medicaid
program, based on the results, it implemented initiatives to improve
payment accuracy. To monitor the effect of the new initiatives, the state
uses random claims sampling to test the accuracy of payments. The goal of
the project, which reviews 1,800 claims per year, is to ensure that every
paid claim faces an equal chance of random review. This approach not only
provides periodic estimates of payment accuracy rates but helps deter
future erroneous and fraudulent billings.
Performance measures are key to monitoring progress in addressing improper
payments. The government of New Zealand, for instance, requires audited
statements of objectives and service performance to be included along with
financial statements. These statements include performance measures
related to improper payments. Work and Income New Zealand (WINZ), a
government agency that provides income support and employment assistance
to eligible Monitoring: Tracking the
Success of Improvement Initiatives
29
people, has established performance measures for entitlement accuracy,
services to reduce benefit crime, and debt management. WINZ*s financial
statements are the main accountability reports used by Parliament to
monitor the agency*s performance. In addition, Parliament uses the audited
information to make informed decisions on resource allocation, and through
a monitoring body, to hold the entity*s chief executive officer
responsible if performance standards are not met.
Participants in our study used the following strategies successfully to
track the success of improvement initiatives. We believe the strategies
would be effective for federal agencies as well.
Establish agency-specific goals and measures for reducing improper
payments.
Using baseline information for comparison, periodically monitor the
progress in achieving the established performance measures.
Make the results of performance reviews widely available to permit
independent evaluations of the success of efforts to reduce improper
payments.
Ensure timely resolution of problems identified by audits and other
reviews.
Adjust control activities, as necessary, based on the results of
monitoring activities
Organizations should monitor the control activities they use to address
improper payments continuously, ingraining them in their operations. This
kind of ongoing monitoring enables organizations to measure how well they
are doing, track performance measures, and adjust control activities based
on the results. Monitoring should also include policies and procedures for
communicating review results to appropriate individuals in the
organization so any problems can be resolved.
In closing, Mr. Chairman, I want to emphasize that high levels of improper
payments need not and should not be an accepted cost of running federal
programs. The organizations that participated in our study found that they
could effectively and efficiently manage improper payments by (1) changing
their organization*s control environments or cultures, (2) performing risk
assessments, (3) implementing activities to reduce fraud and errors, (4)
providing relevant, reliable and timely information and communication to
management on results and (5) monitoring performance over time. While HUD,
Education, and other agencies have taken some steps in these areas,
effectively addressing improper payments requires a comprehensive strategy
that permeates the entire organization. Conclusions
30
Implementing such a comprehensive strategy at federal agencies will not be
easy or quick. It will require continued strong support from the
President, the Congress, top-level administration appointees, and agency
officials. The effort must include a willingness to dedicate personnel and
money to implement the changes. This could involve performing needs
assessments and hiring individuals with the necessary skills and knowledge
to turn planned actions into reality. In addition, many actions that
proved successful for organizations in our study involved computer
assisted analyses of data. Implementing some of these practices could
involve funding for computer software or hardware, and additional staff or
training.
In addition, it is important that the results of actions taken to address
improper payments be openly communicated not only to the Congress and
agency management, but to the public. This transparency demonstrates the
importance that government places on the need for change at the same time
it openly communicates performance results. It also acts as an incentive
for agencies to be ever vigilant in their efforts to address wasteful
spending that results from weak controls that lead to improper payments.
Mr. Chairman, this concludes my statement. I would be happy to answer any
questions you or other Members of the Subcommittee may have.
31
For information about this statement, please contact Linda Calbom,
Director, Financial Management and Assurance, at (202) 512-9508 or at
[email protected].
Individuals making key contributions to this statement include Dan Blair,
Don Campbell, Lisa Crye, Anh Dang, Bonnie Derby, Kelly Lehr, Carla Lewis,
Sharon Loftin, Irving McMasters, Diane Morris, Andy O*Connell, Russell
Rowe, Ruth Walk, Brooke Whittaker, and Doris Yanger.
(190042) Contact and
Acknowledgments
*** End of document. ***