Department of Homeland Security: Challenges in Implementing the
Improper Payments Information Act and Recovering Improper
Payments (19-SEP-07, GAO-07-913).
The federal government is accountable for how its agencies and
grantees spend more than $2 trillion of taxpayer dollars and is
responsible for safeguarding those funds against improper
payments as well as for recouping those funds when improper
payments occur. The Congress enacted the Improper Payments
Information Act of 2002 (IPIA) and the Recovery Auditing Act to
address these issues. Fiscal year 2006 marked the third year that
agencies were required to report improper payment and recovery
audit information in their Performance and Accountability
Reports. The Department of Homeland Security (DHS) reported
limited information during these 3 years. GAO was asked to (1)
determine the extent to which DHS has implemented the
requirements of IPIA, (2) identify actions DHS has under way to
improve IPIA compliance and reporting, and (3) determine what
efforts DHS has in place to recover improper payments. To
accomplish this, GAO analyzed DHS's internal guidance and action
plans, and reviewed information reported in its Performance and
Accountability Reports.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-913
ACCNO: A76488
TITLE: Department of Homeland Security: Challenges in
Implementing the Improper Payments Information Act and Recovering
Improper Payments
DATE: 09/19/2007
SUBJECT: Audit reports
Erroneous payments
Financial analysis
Financial management
Internal audits
Internal controls
Noncompliance
Payments
Program abuses
Program management
Reporting requirements
Risk assessment
Risk management
Strategic planning
GAO High Risk Series
Individuals and Households Program
United States Government Accountability Office
Report to Congressional Requesters
September 2007
DEPARTMENT OF HOMELAND SECURITY
Challenges in Implementing the Improper Payments Information Act and Recovering
Improper Payments
What GAO Found
DHS has made some progress in implementing IPIA requirements, but much
more work remains for the agency to become compliant with IPIA. For
example, while DHS has made progress in identifying its programs, for
fiscal year 2006, the agency did not perform the required first step--a
risk assessment--on approximately $13 billion of its more than $29 billion
in disbursements subject to IPIA. Until DHS fully assesses its programs,
the potential magnitude of improper payments is unknown.
o For the remaining $16 billion, DHS determined that two programs--
Individuals and Households Program (IHP) assistance payments and
disaster-related vendor payments--were at high risk for issuing
improper payments and reported related estimates.
o For the $13 billion for which no risk assessment was performed, DHS
has encountered challenges with IPIA implementation. Of this amount,
over $6 billion relates to payments for grant programs. Developing a
plan to assess risk and potentially test grant payments is important
given that the DHS Office of Inspector General, GAO, and other
auditors have identified weaknesses in grant programs. This will allow
DHS to gain a better understanding of its risk for improper payments
and potentially reduce future improper payments.
DHS has actions under way to improve IPIA reporting and compliance, but
does not plan to be fully compliant in fiscal year 2007. DHS has prepared
a plan to address its noncompliance with IPIA, which included updating its
guidance to focus on program identification and risk assessments to build
a foundation for a sustainable IPIA program. In addition, DHS has
developed plans to reduce improper payments related to its two identified
high-risk programs. However, until DHS fully completes the required risk
assessments for all of its programs and then estimates for
risk-susceptible programs, it is not known whether other programs have
significant improper payments that also need to be addressed.
In addition, DHS's efforts to recover improper payments could be improved.
According to DHS, four of its components meet the criteria for recovery
auditing as specified in the Recovery Auditing Act. These four components
make at least $4 billion of contractor payments each fiscal year. DHS
encountered problems that kept it from reporting on recovery audit efforts
during fiscal year 2006 for three of the four components, and did not
perform recovery auditing at the fourth component. In March 2007, DHS
revised its guidance to clarify what is expected; however, ongoing
oversight will be necessary to monitor the components' progress. In
addition, DHS has reported limited information on its efforts to recover
specific improper payments identified during its testing of high-risk
programs. Although DHS is not currently required to do so, reporting this
information would provide a more complete picture of the agency's actions
to recover payments that it has identified as being improper.
Contents
Letter
Results in Brief
Background
DHS Has Made Some Progress in Implementing the Requirements of IPIA,
but Remains Noncompliant
While DHS Has Developed Plans to Address IPIA Requirements and Reduce
Improper Payments, Full Implementation Will Be Longer Term
DHS's Efforts to Comply with the Recovery Auditing Act and to Recover
Improper Payments Need to Be Enhanced
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation
: DHS Fiscal Year 2006 IPIA Programs (based on fiscal year 2005
disbursements)
Appendix I Scope and Methodology
Appendix II Comments from the Department of Homeland Security
Appendix III Prior-Year IPIA Reporting by DHS and Its Independent Auditor
Appendix IV DHS Grant Programs
Appendix V Corrective Action Plans for High-Risk Programs
Appendix VI GAO Contact and Staff Acknowledgments
Tables
Table 2: Summary of DHS's Corrective Action Plan for IPIA Compliance as
of June 7, 2007
Table 3: Summary of Critical Milestones in DHS's Corrective Action Plan
for IPIA Compliance Related to Fiscal Year 2007
Table 4: Recovery Audit Results for Fiscal Years 2004 through 2006
Table 5: Prior-Year IPIA Reporting by DHS
Table 6: DHS Grant Programs and Related Information
Table 7: DHS's Incomplete Critical Milestones for Its IHP Corrective
Action Plan, Status as of May 14, 2007
Table 8: DHS's Incomplete Critical Milestones for Its Disaster-Related
Vendor Payments Corrective Action Plan, Status as of May 14, 2007
Figure
Figure 1: Required Steps to Identify, Estimate, Reduce, and Report
Improper Payment Information
Abbreviations
CBP Customs and Border Protection
CFDA Catalog of Federal Domestic Assistance
CFO chief financial officer
CIS Citizenship and Immigration Services
COTR contracting officer technical representative
CPO chief procurement officer
DHS Department of Homeland Security
FAC Federal Audit Clearinghouse
FAM Federal Air Marshals
FEMA Federal Emergency Management Agency
FLETC Federal Law Enforcement Training Center
FYHSP Future Years Homeland Security Program
GPO Office of Grant Policy and Oversight
GT Office of Grants and Training
ICE Immigration and Customs Enforcement
ICOFR Internal Controls over Financial Reporting
IFMIS Integrated Financial Management Information System
IHP Individuals and Households Program
IPIA Improper Payments Information Act of 2002
IT information technology
NEMIS National Emergency Management Information System
NFIP National Flood Insurance Program
OCFO Office of the Chief Financial Officer
OFM Office of Financial Management
OGC Office of General Counsel
OIG Office of Inspector General
OMB Office of Management and Budget
PAR Performance and Accountability Report
PMA President's Management Agenda
PMO Program Management Office
S&T Science and Technology
TAFS Treasury Appropriation Fund Symbol
TSA Transportation Security Administration
USCG United States Coast Guard
USSS United States Secret Service
US-VISIT United States Visitor and Immigrant Status Indicator
Technology
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
September 19, 2007
The Honorable Joseph I. Lieberman
Chairman
The Honorable Susan M. Collins
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate
The Honorable Thomas R. Carper
Chairman
The Honorable Tom Coburn
Ranking Member
Subcommittee on Federal Financial Management, Government Information,
Federal Services, and International Security
Committee on Homeland Security and Governmental Affairs
United States Senate
Over the past several years, our work has shown that improper payments
continue to be a substantial problem for federal agencies. As the steward
of taxpayer dollars, the federal government is accountable for how its
agencies and grantees spend more than $2 trillion of taxpayer dollars each
year and is responsible for safeguarding those funds against improper
payments. Fiscal year 2004 marked the first year in which agencies were
required to report improper payments ^1 information in their
Performance and Accountability Reports (PAR) under the Improper Payments
Information Act of 2002 (IPIA). ^2 As a result, federal agencies
reported an estimated $46 billion in improper payments for fiscal year
2004. Although governmentwide reported amounts of estimated improper
payments decreased between fiscal year 2004 and fiscal year 2006, the
reported amount in fiscal year 2006 included more than $800 million as a
result of improper disaster-related payments made by the Federal Emergency
Management Agency (FEMA) within the Department of Homeland Security (DHS)
in response to the 2005 Gulf Coast hurricanes. Since its establishment in
March 2003, DHS, whose annual budget generally tops $30 billion, has yet
to comply with IPIA. Moreover, during fiscal year 2006, its independent
auditors continued to report significant internal control weaknesses such
as weaknesses in financial management and oversight, and a weak control
environment. A weak internal control environment increases an agency's
susceptibility to improper payments.
^1Improper payments are defined as any payment that should not have been
made or that was made in an incorrect amount (including overpayments and
underpayments) under statutory, contractual, administrative, or other
legally applicable requirements. It includes any payment to an ineligible
recipient, any payment for an ineligible service, any duplicate payment,
payments for services not received, and any payment that does not account
for credit for applicable discounts.
^2Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002).
Generally, agencies, including DHS, must perform four key steps to address
the specific improper payment reporting requirements found in IPIA and
related Office of Management and Budget (OMB) guidance--(1) perform a risk
assessment of all programs and activities, (2) estimate improper payments
for risk-susceptible programs and activities, (3) implement a plan to
reduce improper payments for programs with estimates exceeding $10
million, and (4) annually report improper payment estimates and actions to
reduce them. In addition, agencies that enter into contracts with a total
value exceeding $500 million in a fiscal year are required under section
831 of the National Defense Authorization Act for Fiscal Year 2002,
commonly known as the Recovery Auditing Act, to have cost-effective
programs for identifying errors in payments to contractors and for
recovering amounts erroneously paid. ^3
Given the reported condition of DHS's internal controls and reported
noncompliance with IPIA, you asked us to conduct a review of the
department's implementation of IPIA. Specifically, our objectives were to
(1) determine the extent to which DHS has implemented the requirements of
IPIA, (2) identify actions DHS has under way to improve IPIA compliance
and reporting, and (3) determine what efforts DHS has in place to recover
improper payments. To address these objectives, we reviewed applicable
improper payments legislation, OMB guidance, and agency Office of
Inspector General (OIG) reports. We also reviewed improper payment
information reported in DHS's PARs over the past 3 fiscal years
(2004-2006). In addition, we analyzed DHS's regulations and methodology
for identifying programs and activities highly susceptible to improper
payments, interviewed officials from the Office of the Chief Financial
Officer (OCFO), reviewed workpapers prepared by DHS's independent auditor,
and summarized the results of this review. In addition, we reviewed DHS's
plans to reduce improper payments and become compliant with IPIA and the
Recovery Auditing Act.
^3Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186
(Dec. 28, 2001) (codified at 31 U.S.C. §§ 3561-3567).
To assess the reliability of data reported in DHS's PARs related to
improper payments and recovery audit efforts, we (1) reviewed existing
information about the data and the system that produced them and
(2) interviewed agency officials knowledgeable about the data. We
determined that the data were sufficiently reliable for the purposes of
this report. We conducted our work from October 2006 through June 2007 in
accordance with generally accepted government auditing standards. See
appendix I for more details on our scope and methodology.
Results in Brief
DHS has made some progress over the last 3 fiscal years in attempting to
fully implement IPIA requirements, but much more work remains to be done.
Although DHS has made progress in identifying its programs, for fiscal
year 2006, DHS had not yet performed the required first step--a risk
assessment--on programs with approximately $13 billion of its more than
$29 billion in disbursements subject to IPIA. For the remaining $16
billion in DHS disbursements subject to IPIA, DHS determined that two
programs were at high risk for issuing improper payments--the Individuals
and Households Program (IHP) assistance payments and disaster-related
vendor payments. DHS performed statistical sample testing of these
programs and estimated FEMA improper payments (step 2) from September 2005
through March 2006 of $450 million (8.56 percent) of IHP assistance
payments and $319 million (7.44 percent) of disaster-related vendor
payments. ^4
DHS has developed plans to reduce future improper payments for these two
programs (step 3) and reported these estimates in its fiscal year 2006 PAR
(step 4). However, DHS's independent auditor found that the time
period covered for testing and reporting (i.e., September 2005 through
March 2006) was not in accordance with OMB's implementing guidance, which
also contributed to DHS's inability to meet the requirements of IPIA.
While DHS concluded that none of its other programs that DHS subjected to
a risk assessment met OMB's criteria for susceptibility to significant
improper payments, the basis for this conclusion was limited in scope. For
example, DHS only tested programs with disbursements greater than $100
million and did not perform a qualitative risk assessment of all program
operations such as an assessment of internal controls, oversight and
monitoring activities, and results from external audits. ^5
^4U.S. Department of Homeland Security, Performance and Accountability
Report Fiscal Year 2006 (Washington, D.C.: Nov. 15, 2006). DHS also
reported estimated improper payments for all of fiscal year 2006 for these
two programs. However, DHS calculated the fiscal year 2006 estimates by
applying the estimated error percentage rates from the September 2005
through March 2006 testing to the fiscal year 2006 outlay figures. The
estimated error percentage rates for the September 2005 through March 2006
testing have a 90 percent confidence interval of plus or minus 2.32
percentage points for IHP assistance payments and plus or minus 2.62
percentage points for disaster-related vendor payments based on
statistically valid cluster samples. See IPIA reporting details in DHS's
fiscal year 2006 PAR.
For the programs with $13 billion in payments for which no risk assessment
was performed in fiscal year 2006, DHS has encountered challenges with
IPIA implementation. Of this amount, over $6 billion relates to payments
for grant programs, including $3 billion in payments made for the National
Flood Insurance Program (NFIP). Performing risk assessments of grant
programs and testing grant payments can be difficult because of the many
layers of grant recipients, as well as the types of recipients and number
of grant programs. During fiscal year 2006, DHS awarded grants to over 5
million recipients for 70 different grant programs. Developing a plan to
assess risk and potentially test grant payments is important given the
fact that the DHS OIG has identified weaknesses in grant programs and
considers grants management to be one of DHS's major management
challenges. Another challenge for DHS is that we recently added the NFIP,
one of DHS's largest grant programs, to our high-risk list in March 2006.
^6 Assessing grant programs, and if necessary, performing IPIA
testing, will allow DHS to gain an understanding of its risk for improper
payments and potentially reduce future improper payments.
DHS has actions under way to improve IPIA reporting and compliance, but
does not plan to be compliant in fiscal year 2007 and will likely not be
compliant in fiscal year 2008. Actions under way include developing plans
to reduce improper payments related to its two identified high-risk
disaster-related programs and preparing departmentwide corrective action
plans to address internal control weaknesses and noncompliance issues,
including those related to IPIA. In addition, DHS recently updated its
guidance for implementing IPIA and plans to focus on program
identification and risk assessments to build a foundation for a
sustainable IPIA program, rather than aiming for compliance during fiscal
year 2007. The agency also plans to hold workshops for its components on
sample testing and reporting to ensure that they have a consistent
understanding of what is expected with regard to IPIA testing and
reporting. While DHS's plans appear to address IPIA compliance issues,
implementation will take significant time and effort as DHS has already
missed some key milestones related to the identification of IPIA programs
for each agency component. Solidifying its identification of IPIA programs
and completing a thorough risk assessment process will be important first
steps to adequately address IPIA reporting requirements.
^5For those programs with disbursements between $10 million and $100
million, DHS components were instructed to complete a qualitative risk
assessment--a series of questions to qualitatively ascertain whether a
program is at high risk for issuing improper payments.
^6GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January
2007). We placed the National Flood Insurance Program (NFIP) on our
high-risk list in March 2006 because it is unlikely that the NFIP will
generate sufficient revenues to repay the billions borrowed from the
Department of the Treasury to cover flood claims from the 2005 hurricanes.
Lastly, we identified several weaknesses in DHS's efforts to recover known
improper payments and to comply with the Recovery Auditing Act. According
to DHS, four of its components--Immigration and Customs Enforcement (ICE),
Customs and Border Protection (CBP), U.S. Coast Guard (USCG), and
FEMA--meet the criteria for recovery auditing as specified in the Recovery
Auditing Act (i.e., each has over $500 million in annual contractor
payments). ^7 DHS began recovery auditing efforts during fiscal year
2004, hiring an independent contractor who conducted recovery audit work
at two major components, ICE and CBP; however, DHS was not able to report
on these efforts for that year because initial findings were not available
in time to be included in its annual PAR. DHS continued these efforts in
fiscal year 2005 and its contractor identified more than $2.1 million of
improper payments and recovered more than $1.2 million (over 50 percent of
identified improper payments). However, when DHS attempted to expand its
recovery audit efforts to USCG, it encountered problems with obtaining
disbursement data. In addition, DHS reported that delays in obtaining
security clearances for contract personnel severely hampered completion of
recovery audit work at CBP and ICE during fiscal year 2006. As a result,
DHS did not report on recovery audits during fiscal year 2006.
^7DHS as a whole meets the criteria for recovery auditing as specified in
the Recovery Auditing Act, but the agency has identified specific
components that individually meet the requirements and focuses its
recovery auditing efforts on those components.
In March 2007, DHS revised its guidance for recovery auditing for fiscal
year 2007--noting the disbursement data and security clearance issues
encountered in previous years--emphasizing timelines to help ensure that
all applicable components are able to complete recovery audits and report
on their efforts going forward. This guidance clarifies what is expected
of components; however, ongoing oversight by the OCFO will be necessary to
help ensure that the components are progressing with their recovery
auditing efforts and will be able to successfully report on results at
year end. In addition, DHS has not yet reported on its efforts to recover
improper payments identified during its testing of FEMA's disaster-related
vendor payments and has reported limited information on its efforts to
recover identified improper IHP assistance payments. DHS is currently not
required to report on these efforts, but reporting this information would
provide a more complete picture of the agency's actions to recover
payments that it has identified as being improper.
We are making four recommendations to DHS to help improve its efforts to
implement IPIA and recover improper payments by focusing on performing
risk assessments and reporting on efforts to recover improper payments.
We provided a draft of this report to DHS for comment. DHS concurred with
our recommendations, and its comments, along with our evaluation, are
discussed in the Agency Comments and Our Evaluation section of this
report. The comments are also reprinted in their entirety in appendix II.
Background
Our work over the past several years has demonstrated that improper
payments are a long-standing, widespread, and significant problem in the
federal government. IPIA has increased visibility over improper payments
by requiring executive branch agency heads to identify programs and
activities susceptible to significant improper payments, estimate amounts
improperly paid, and report on the amounts of improper payments and their
actions to reduce them. Similarly, the Recovery Auditing Act provides an
impetus for applicable agencies to systematically identify and recover
contract overpayments. As the steward of taxpayer dollars, the federal
government is accountable for how its agencies and grantees spend hundreds
of billions of taxpayer dollars and is responsible for safeguarding those
funds against improper payments as well as having mechanisms in place to
recoup those funds when improper payments occur.
Improper Payments Information Act of 2002
IPIA was enacted in November 2002 with the major objective of enhancing
the accuracy and integrity of federal payments. IPIA requires executive
branch agency heads to review their programs and activities annually and
identify those that may be susceptible to significant improper payments.
For each program and activity agencies identify as susceptible, the act
requires them to estimate the annual amount of improper payments and to
submit those estimates to the Congress. The act further requires that for
programs for which estimated improper payments exceed $10 million,
agencies are to report annually to the Congress on the actions they are
taking to reduce those payments.
The act also requires the Director of OMB to prescribe guidance for
agencies to use in implementing IPIA. OMB issued implementing guidance
^8 which requires the use of a systematic method for the annual review
and identification of programs and activities that are susceptible to
significant improper payments. The guidance defines significant improper
payments as those in any particular program that exceed both 2.5 percent
of program payments and $10 million annually. ^9 It requires agencies
to estimate improper payments annually using statistically valid
techniques for each susceptible program or activity. For those agency
programs determined to be susceptible to significant improper payments and
with estimated annual improper payments greater than $10 million, IPIA and
related OMB guidance require each agency to annually report the results of
its efforts to reduce improper payments. OMB has stated that having
high-quality risk assessments is critical to meeting the objectives of
identifying improper payments and is essential for performing corrective
actions to eliminate payment errors. ^10 Figure 1 provides an overview
of the four key steps OMB requires agencies to perform in meeting the
improper payment reporting requirements.
^8Appendix C to OMB Circular No. A-123 consolidates three memorandums
previously issued by OMB. These memorandums are: M-03-07, "Programs to
Identify and Recover Erroneous Payments to Contractors" (Jan. 16, 2003);
M-03-12, "Allowability of Contingency Fee Contracts for Recovery Audits"
(May 8, 2003); and M-03-13, "Improper Payments Information Act of 2002
(Public Law 107-300)" (May 21, 2003).
^9IPIA does not mention the "exceeding the 2.5 percent of program payments"
threshold that OMB uses for identifying and estimating improper payments.
^10OMB, Improving the Accuracy and Integrity of Federal Payments (Washington,
D.C.: Jan. 31, 2007).
Figure 1: Required Steps to Identify, Estimate, Reduce, and Report
Improper Payment Information
Recovery Auditing Act
In addition, under certain conditions, applicable agencies are required to
report on their efforts to recover improper payments made to contractors
under section 831 of the National Defense Authorization Act for Fiscal
Year 2002, commonly known as the Recovery Auditing Act. This legislation
contains a provision that requires executive branch agencies entering into
contracts with a total value exceeding $500 million in a fiscal year to
have cost-effective programs for identifying errors in paying contractors
and for recovering amounts erroneously paid. The act further states that a
required element of such a program is the use of recovery audits and
recovery activities. The law authorizes federal agencies to retain
recovered funds to cover actual administrative costs as well as to pay
other contractors, such as collection agencies. Agencies that are required
to undertake recovery audit programs were directed by OMB to provide
annual reports on their recovery audit efforts, along with improper
payment reporting details, in an appendix to their PARs.
OMB Guidance and Initiatives
In August 2006, OMB revised its IPIA implementing guidance. The revision
consolidates into Appendix C of OMB Circular No. A-123, Management's
Responsibility for Internal Control, all guidance for improper payments
and recovery auditing reporting. ^11 While inconsistent with the language
in IPIA, the revised guidance allows for risk assessments to be conducted
less often than annually for programs where improper payment baselines
are already established, are in the process of being measured, or are
scheduled to be measured by an established date. Although OMB kept its
criteria for defining significant improper payments as those exceeding
both 2.5 percent of program payments and $10 million, OMB added that it
may determine on a case-by-case basis that certain programs that do not
meet the threshold may be subject to the annual reporting requirement.
Additionally, the revised guidance allows agencies to use alternative
sampling methodologies and requires agencies to report on and provide a
justification for using these methodologies in their PARs. ^12 This revised
guidance is effective for agencies' fiscal year 2006 improper payment
estimating and reporting in the PARs or annual reports.
Other OMB guidance states that agencies must describe their corrective
actions for reducing the estimate rate and amount of improper payments.
^13 Related to corrective actions, OMB's implementing guidance for IPIA
requires that agencies implement a plan to reduce erroneous payments,
including identifying the following. ^14
o Root causes--For all programs and activities with erroneous payments
exceeding $10 million, agencies shall identify the reasons their
programs and activities are at risk of erroneous payments and put in
place a corrective action plan to reduce erroneous payments.
^11OMB Circular No. A-123 provides a central reference point for guidance to
federal managers on improving the accountability and effectiveness of
federal programs and operations by establishing, assessing, correcting,
and reporting on internal control. The circular emphasizes the need for
integrated and coordinated internal control assessments that synchronize
all internal control-related activities. For prior improper payments
guidance, see footnote 8.
^12An example of an alternative sampling methodology includes developing an
annual error rate for a component of the program.
^13OMB Circular No. A-136, Financial Reporting Requirements, S II.5.7 (June 29,
2007).
^14Appendix C of OMB Circular No. A-123.
o Reduction targets--Targets are necessary for future improper payment
levels and a timeline within which the targets will be reached.
o Accountability--Ensure that their managers and accountable officers
(including the agency head) are held accountable for reducing improper
payments. Agencies shall assess whether they have the information
systems and other infrastructure needed to reduce improper payments to
minimal cost-effective levels, and identify any statutory or
regulatory barriers that may limit agencies' corrective actions in
reducing improper payments.
OMB has also established Eliminating Improper Payments as a
program-specific initiative under the President's Management Agenda (PMA).
This separate PMA program initiative began in the first quarter of fiscal
year 2005. Previously, agency efforts related to improper payments were
tracked along with other financial management activities as part of the
Improving Financial Performance initiative of the PMA. The objective of
establishing a separate initiative for improper payments was to ensure
that agency managers are held accountable for meeting the goals of IPIA
and are therefore dedicating the necessary attention and resources to
meeting IPIA requirements. This program initiative establishes an
accountability framework for ensuring that federal agencies initiate all
necessary financial management improvements for addressing this
significant and widespread problem. Specifically, agencies are to measure
their improper payments annually, develop improvement targets and
corrective actions, and track the results annually to ensure the
corrective actions are effective.
DHS Has Made Some Progress in Implementing the Requirements of IPIA, but Remains
Noncompliant
While DHS has taken actions over the last 3 fiscal years to implement IPIA
requirements, much more work needs to be done. In each of the last 3
fiscal years, DHS was unable to perform risk assessments for all of its
programs and activities--the first step of IPIA implementation. This and
other issues, such as concerns about program identification and testwork
performed, contributed to DHS's reported noncompliance with IPIA over the
last 3 fiscal years. Until DHS is able to fully assess its programs, the
potential magnitude of improper payments cannot be estimated.
For fiscal year 2006, DHS did not perform risk assessments on programs
with $13 billion of its $29 billion of payments subject to IPIA. Over $6
billion of this amount related to payments for grant programs. Performing
risk assessments of grant programs and testing grant payments
can be difficult because of the many layers of grant recipients, as well
as the type of recipients and number of grant programs. However,
developing a plan to assess risk and potentially test grant payments is
important because of financial management weaknesses reported at DHS
grantees and concerns about DHS's grants management process. Developing a
plan will also allow DHS to gain an understanding of its risk with respect
to grant payments and potentially reduce future improper payments.
DHS's Efforts to Meet IPIA Requirements
To comply with the requirements of IPIA and related guidance from OMB, DHS
initiated a plan in fiscal year 2004 to reduce its susceptibility to
issuing improper payments by having each of its organizational elements
complete a risk assessment of major programs ^15 by assigning each one
an overall risk score. Based on this assessment, none of DHS's programs
were found to be high risk; however, DHS's independent auditor reported
that the agency was not in compliance with IPIA mainly because it had not
yet instituted a systematic method of reviewing all programs and
identifying those it believed were susceptible to significant erroneous
payments.
In fiscal year 2005, the auditor again reported noncompliance issues
regarding the adequacy of the agency's risk assessments. Based on DHS's
guidance, each component selected its largest program and completed
statistical testing. DHS regarded this quantitative selection as its risk
assessment process and did not incorporate qualitative factors. As with
fiscal year 2004, DHS reported that it did not identify any programs or
activities as being susceptible to significant improper payments and its
auditors again reported that DHS was not in compliance with IPIA.
The DHS OCFO worked with components during fiscal year 2006 to continue to
refine the population of improper payment programs by having the
components group Treasury Appropriation Fund Symbols (TAFS) ^16 into
logical, recognizable programs. After identifying the
population of disbursements for fiscal year 2006 IPIA testing, DHS
components provided the necessary payment data to a contractor with
expertise in statistical testing. The contractor constructed stratified
sampling plans and samples for DHS components to perform IPIA testing for
DHS's risk assessment process. This testing was expanded from fiscal year
2005 to include, based on DHS's revised guidance, all DHS programs issuing
more than $100 million of IPIA-relevant payments. ^17 Two programs
were found to be high risk. However, despite these efforts, DHS's
independent auditor found that the agency was still not in compliance with
IPIA as reported in its fiscal year 2006 PAR, primarily because not all
programs subject to IPIA were tested, and the population of disbursements
tested for some programs was not complete. Appendix III contains
additional information about DHS's prior year IPIA PAR reporting and
compliance issues reported by its independent auditor.
^15OMB's implementing guidance defines a "program" as activities or sets of
activities recognized as programs by the public, OMB, or the Congress, as
well as those that entail program management or policy direction. This
definition includes, but is not limited to, all grants, regulatory
activities, research and development activities, direct federal programs,
procurements including capital assets and service acquisition, and credit
programs. It also includes the activities engaged in by the agency in
support of its programs.
^16OMB Circular No. A-11, Preparation, Submission, and Execution of the
Budget (revised July 2, 2007), defines TAFS as a summary account
established in the Treasury for each appropriation and fund.
Required Risk Assessments Not Completed for All Programs for Fiscal Year
Although DHS made progress in identifying its programs in fiscal year
2006, the agency did not perform a risk assessment for all programs and
activities--covering approximately $13 billion of its more than $29
billion in disbursements subject to IPIA. According to DHS, this was
primarily due to a lack of resources, guidance, and experience in
performing this work. This was a major factor in the independent auditors'
finding that DHS was noncompliant with IPIA for fiscal year 2006. DHS
performed risk assessments (step 1) for programs accounting for
approximately $16 billion of the $29 billion in disbursements subject to
IPIA review. Of this $16 billion covered by risk assessments,
approximately $7 billion related to FEMA's disaster relief programs that
were found to be at high risk for issuing significant improper payments
and therefore steps 2 through 4 were completed to estimate improper
payments, develop a plan to reduce improper payments, and report this
information. This testing resulted in estimated improper payments issued
by FEMA from September 2005 through March 2006 of $450 million (8.56
percent) of IHP assistance payments and $319 million (7.44 percent) of
disaster-related vendor payments. ^18 Although the necessary IPIA
work--steps 1 and 2--was completed for the two DHS high-risk programs, the
time period covered for testing and reporting (i.e., September 2005
through March 2006) was not in accordance with OMB's implementing
guidance, also contributing to DHS's reported noncompliance with IPIA. ^19
The remaining programs, with disbursements totaling $9 billion, were not
found to be at risk for issuing significant improper payments and
therefore DHS did not report improper payments for these programs. For
some of its
nondisaster programs, DHS performed statistical sample testing for those
programs with disbursements greater than $100 million, without first
performing a qualitative risk assessment such as an assessment of internal
controls, oversight and monitoring activities, and results from external
audits. While this approach is perhaps better than not doing any
assessment, DHS officials concurred that it could be considered an
inefficient use of resources, if a program is not at high risk.
^17DHS excluded payroll, intragovernmental, and travel payments from IPIA
testing. According to DHS, these payments were excluded because of the
following reasons:
(1) payroll was excluded because DHS identified it as having a low level
of risk due to the strong internal controls that result from payroll
payments being administered by a third party, the National Finance Center;
(2) intragovernmental payments were excluded as these do not result in net
gains or losses to the federal government; and (3) travel payments are a
small population and while they were not tested separately for IPIA
purposes, they were tested as part of internal control reviews by
individual components. In addition, purchase card transactions for the
entire department were tested centrally by the U.S. Coast Guard (USCG)
during fiscal year 2006.
Table 1 shows DHS's population of programs identified for IPIA testing and
the status of DHS's IPIA risk assessment process performed in fiscal year
2006.
^18U.S. Department of Homeland Security, Performance and Accountability
Report Fiscal Year 2006 (Washington, D.C.: Nov. 15, 2006). DHS also
reported estimated improper payments for all of fiscal year 2006 for these
two programs. However, DHS calculated the fiscal year 2006 estimates by
applying the estimated error percentage rates from the September 2005
through March 2006 testing to the fiscal year 2006 outlay figures. The
estimated error percentage rates for the September 2005 through March 2006
testing have a 90 percent confidence interval of plus or minus 2.32
percentage points for IHP assistance payments and plus or minus 2.62
percentage points for disaster-related vendor payments based on
statistically valid cluster samples. See IPIA reporting details in DHS's
fiscal year 2006 PAR.
^19According to DHS, the agency chose to use this time period because it was
the period of greatest payment activity following the 2005 Gulf Coast
hurricanes.
Table 1: DHS Fiscal Year 2006 IPIA Programs (based on fiscal year 2005
disbursements)
Dollars in millions
DHS IPIA program | IPIA population^b | Risk assessment for fiscal year
2006 performed^c | Risk assessment for fiscal year 2006 not performed^d
Customs and Border Protection (CBP) Custodial^a 1,116 $ 1,116
Other CBP programs 1,713 1,713
Federal Air Marshals (FAM) 318 318
Federal Emergency Management Agency (FEMA) disaster-related programs:
Disaster Relief 7,133 7,133^e
Cerro Grande Fire Claims 14 14
FEMA nondisaster programs 4,803 4,803
Federal Law Enforcement Training Center (FLETC) programs 139 139
Office of Grants and Training (GT) programs 3,136 3,136
Immigration and Customs Enforcement (ICE) and ICE components:^f
Salaries & Expenses 953 953
Technology 829 829
Federal Protective Service 548 548
US-VISIT 208 208
Other programs 649 649
Transportation Security Administration (TSA):
Original IPIA programs^g 3,414 1,384^g
Revised IPIA programs:
Grant programs 343
Nongrant programs 1,687
U.S. Coast Guard (USCG):
Operating Expenses 2,741 2,741
Acquisition, Construction & Improvements (reported as Contracts) 867 867
Other^h 620 620
U.S. Secret Service (USSS) Operating Expenses 83 83
Total IPIA program disbursements $ 29,284 $ 16,239 $ 13,045
Sources: DHS fiscal year 2006 IPIA programs (based on fiscal year 2005
disbursement populations) and GAO analysis of information provided by and
reported by DHS.
^aCBP collects import duties, taxes, and fees on merchandise arriving in the
United States from foreign countries, and subsequently transfers these
receipts to other entities. Receipts of import duties and related refunds
are presented in the statement of custodial activity in the DHS financial
statements. CBP tested the custodial program as part of remediating the
Custodial Revenue and Drawback material weakness. According to DHS, while
this testing did not follow Appendix C to OMB Circular No. A-123, it did
support the conclusion that this program is not at high risk for issuing
improper payments as no significant improper payments as defined by OMB
were identified.
^bThese disbursement amounts represent the original amounts provided by the
DHS Program Management Office to the individual DHS components. Actual
amounts used by the components as they performed additional analysis and
testing may differ. Also, according to DHS, the disbursement amounts were
based on Standard Form (SF) 133 outlay figures, and DHS found this to be
problematic. DHS will address these problems during fiscal year 2007.
^cUnless otherwise noted, a risk assessment was performed for the IPIA
program and the program was found to be not at high risk for issuing
significant improper payments.
^dA risk assessment was not performed for the IPIA program and, according to
its independent auditor, this contributed to DHS's noncompliance with IPIA
in fiscal year 2006.
^eA risk assessment was performed for the IPIA program and the
program--which includes IHP assistance and disaster-related vendor
payments--was found to be at high risk for issuing significant improper
payments. Additional work was completed to estimate improper payments,
develop a plan to reduce improper payments, and report this information.
^fICE components include U.S. Citizenship and Immigration Services, the
Management Directorate, the Science & Technology Directorate, the Office
of Intelligence and Analysis, and the Border and Transportation Security
Directorate, because ICE is the financial management provider for these
components.
^gBased on additional information provided by DHS, USCG is TSA's
accounting provider. USCG staff consolidated the TSA IPIA programs into
one entitywide program which was then split into grant and nongrant
segments. A risk assessment was performed for these two segments and
neither was found to be at risk for significant improper payments. The
reason for the consolidation was concern over insufficient time to
complete testing of multiple TSA programs. According to DHS, components in
the future will need to provide ample justification and receive formal DHS
OCFO concurrence before program definitions can be changed.
^hAccording to USCG, once all payroll amounts are deducted, the total would
be under $100 million.
Since DHS did not perform the required first step--a risk assessment--on
programs with approximately $13 billion of its more than $29 billion in
disbursements subject to IPIA, it is unknown whether these programs are at
high risk for issuing improper payments.
Grant Programs Continue to Present a Challenge for IPIA Implementation
DHS encountered challenges implementing IPIA for the programs with $13
billion of disbursements for which no risk assessment or testing was
performed in fiscal year 2006. Over $6 billion of this amount related to
payments for grant programs. The remaining $7 billion related primarily to
FEMA nondisaster programs and TSA programs not categorized as grant or
nongrant programs, and USCG operating expenses. DHS's grant programs
include the NFIP, which had disbursements of over $3 billion that should
have been included in DHS's IPIA population for review in fiscal year
2006. As we have previously reported, measuring improper payments and
designing and implementing actions to reduce or eliminate them are not
simple tasks, particularly for grant programs that rely on quality
administration efforts at the state level. ^20 DHS has an even greater
challenge in the diversity of recipients for its grants which include
state and local governments, individuals, and other entities. During
fiscal year 2006, DHS awarded grants to over 5 million recipients ^21
for 70 different grant programs, including state and local governments,
nonprofits, and other entities and individuals. Although disbursements
made related to these grants are subject to IPIA, as DHS has noted,
performing risk assessments of grant programs and testing grant payments
are difficult because of the many layers of grant recipients, as well as
the type of recipients and number of grant programs.
Developing a plan to assess risk and potentially test grant payments is
important because of noted financial management weaknesses of DHS
grantees. For example, DHS's independent auditors and the DHS OIG have
reported grants management weaknesses in part because the agency did not
adequately follow up on audit findings pertaining to grantees' potential
improper payments. In addition, the DHS OIG identified grants management
as a major management challenge facing the department. We have also
identified the NFIP as a high-risk program. ^22 A list of DHS's grant
programs is presented in appendix IV. Appendix IV also shows the primary
types of recipients and fiscal year 2006 award information for each grant
program, as well as the component that administers the program. Given the
identified weaknesses and the high-dollar amount, as well as the inherent
risk associated with grant programs, it is important for DHS to assess
grant programs for susceptibility to significant improper payments in
accordance with IPIA. Assessing and, if necessary, testing these grant
programs will allow DHS to gain an understanding of its risk in this area
related to improper payments and potentially reduce future improper
payments.
During fiscal year 2006, DHS completed a risk assessment by performing
sample testing for grants administered by the Transportation Security
Administration (TSA) with disbursements of about $343 million; however,
the department was unable to perform an assessment of its grants programs
administered by the Office of Grants and Training (GT). Of the
approximately $13 billion for which DHS did not perform a risk assessment,
over $3 billion related to grant programs administered by GT. ^23 In
addition to the NFIP, FEMA also administers other grant programs which,
with the exception of IHP, ^24 were not tested during fiscal year
2006. DHS identified three IPIA programs within GT, including Domestic
Preparedness, State and Local Programs, and Firefighter Assistance Grants,
totaling $3.1 billion of fiscal year 2005 disbursements for fiscal year
2006 IPIA testing; however, GT did not perform an assessment or complete
statistical sample testing on these grants programs. In its fiscal year
2006 PAR, DHS reported that one complication that was not overcome was how
to extend statistical sample testing to grant recipients. DHS also had
difficulty testing its grant programs because of the large number of grant
programs identified for testing based on DHS's guidance for fiscal year
2006 program identification and risk assessment methodology, which
required that all programs with total disbursements exceeding $100 million
be selected and statistically tested. DHS reported that one of the
problems with its fiscal year 2006 IPIA methodology was that its risk
assessments were based on strictly quantitative factors, instead of both
qualitative and quantitative factors. Although OMB has not yet provided
guidance as we have previously recommended, ^25 DHS issued internal
guidance recognizing the need to consider qualitative factors.
^20GAO, Improper Payments: Federal and State Coordination Needed to Report
National Improper Payment Estimates on Federal Programs, GAO-06-347
(Washington, D.C.: Apr. 14, 2006).
^21This amount includes both individual grant recipients as well as states
and other entities.
^22GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January
2007). We placed the National Flood Insurance Program (NFIP) on our
high-risk list in March 2006 because the NFIP will unlikely generate
sufficient revenues to repay the billions borrowed from the Department of
the Treasury to cover flood claims from the 2005 hurricanes.
One such qualitative factor that DHS could consider as part of its risk
assessment process is the results of Single Audit Act, as amended, ^26
reports related to its grantees. During fiscal year 2006, DHS's
independent auditors reported that the agency was not in compliance with
the Single Audit Act. According to the independent auditors' report, FEMA
and TSA are required to comply with certain provisions of OMB Circular No.
A-133, which requires agencies awarding grants to ensure they receive
grantee reports timely and to follow up on grantee single audit findings.
Although certain procedures have been implemented to monitor grantees and
their audit findings, the auditors noted that DHS did not have procedures
in place to comply with these provisions in OMB Circular No. A-133 and
follow up on questioned costs ^27 and other matters identified in these
reports. TSA has developed a corrective action plan to establish a new
system and processes to track and review single audit reports, but FEMA
has not completely developed its corrective action plans due to the
previously mentioned organizational changes during fiscal year 2007. We
identified 37 DHS grantees--with awards totaling $2.1 billion--that had
single audit findings related to questioned costs for fiscal year 2005.
Some examples of questioned costs described in audit reports follow.
^23During fiscal year 2007, FEMA underwent a reorganization and GT became a
part of FEMA. Therefore, the grant functions for both components are now
consolidated under FEMA.
^24IHP payments are included in disaster assistance grants administered by
FEMA.
^25GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under the
Improper Payments Information Act Remains Incomplete, GAO-07-92
(Washington, D.C.: Nov. 14, 2006).
^26 31 U.S.C. §§ 7501-7507. Under the Single Audit Act, as amended, and
implementing guidance, independent auditors audit state and local
governments and nonprofit organizations that expend federal awards to
assess, among other things, compliance with laws, regulations, and the
provisions of contracts or grant agreements material to the entities'
major federal programs. Organizations are required to have single audits
if they expend $500,000 or more in federal awards.
o One single audit report questioned $353,000 in unallowable charges for
salaries and benefits due to a lack of adequate documentation.
o One grantee had expenditures that did not have appropriate supporting
documentation, with the questioned amount totaling almost $80,000.
o Another grantee had costs of about $72,000 that were improperly
charged to the grant program.
o A third grantee over-claimed reimbursement amounts of about $4,000.
The DHS OIG also conducts audits relating to the programs and operations
of DHS, including grant programs. The DHS OIG reviews several factors to
determine which activities to audit, including current or potential dollar
magnitude, and reports or allegations of impropriety or problems in
implementing the programs. The objectives of these grant program audits
include determining whether the grantee accounted for and expended funds
according to federal regulations and DHS guidelines. For certain grantees,
the DHS OIG has found questioned costs such as excessive charges,
duplicate payments, ineligible contractor costs, unsupported contractor
and labor costs, and other expenditures. The following are examples of DHS
OIG findings from fiscal years 2005 through 2007.
o The DHS OIG found that one particular grantee had questioned costs of
more than $1.8 million.
o The DHS OIG has also found instances where the grantee did not follow
all federal procurement standards or DHS guidelines in awarding contracts,
and needed improvements in procedures to make payments to subgrantees. One
instance involved awarding contracts totaling more than $14 million and
another instance involved more than $8 million in contract work.
^27A "questioned" cost is a finding which, at the time of the audit, is not
supported by adequate documentation or is unallowable.
In an effort to address the agency's noncompliance with the Single Audit
Act, as amended, DHS's Office of Grant Policy and Oversight (GPO) told us
that it instituted an informal oversight process for single audits during
fiscal year 2007 and is in the process of developing formal procedures.
According to GPO, the development of this process is an attempt to address
some of the grants management concerns that have been identified at DHS by
its auditors and the DHS OIG. This monitoring process will help DHS to
focus on audit findings at grantees and could help DHS with performing a
risk assessment over grant programs for IPIA purposes by providing
qualitative criteria.
While DHS Has Developed Plans to Address IPIA Requirements and Reduce Improper
Payments, Full Implementation Will Be Longer Term
DHS has taken steps to address IPIA requirements, but the agency does not
plan to be compliant in fiscal year 2007 and will likely not be compliant
in fiscal year 2008. During fiscal year 2007, DHS prepared, and continues
to refine, a departmentwide corrective action plan to address internal
control weaknesses and noncompliance issues, including IPIA; however, the
agency continues to encounter challenges in developing a plan to fully
perform a risk assessment process. DHS used this corrective action plan to
update its guidance and, according to DHS officials, the agency plans to
focus on program identification and risk assessments during fiscal year
2007. Although DHS does not expect to be compliant in fiscal year 2007,
focusing on these areas will help the agency build a solid foundation for
its IPIA program.
In addition to its overall corrective action plan to comply with IPIA,
DHS, as required by IPIA and related OMB implementing guidance, has
developed plans to reduce improper payments related to the two high-risk
programs it has identified thus far. These plans include reducing manual
processing, improving system interfaces, and clarifying roles and
responsibilities. If properly executed, these plans should help reduce
future improper payments in these programs by strengthening internal
controls. With regard to system improvements, as we have previously
recommended, ^28 DHS needs to conduct effective testing to provide
reasonable assurance that the system will function in a disaster recovery
environment.
DHS Has Developed a Corrective Action Plan for Compliance with IPIA, but
Implementation Challenges Remain
DHS has developed a corrective action plan to address the findings of its
independent auditor, ^29 including its noncompliance with IPIA. In its
most recent audit report for fiscal year 2006, the auditor recommended
that DHS follow OMB guidance ^30 to complete the necessary
susceptibility assessments, perform testwork over all material programs,
and institute sampling techniques to allow for statistical projection of
the results of its improper payments testing.
In its IPIA corrective action plan, DHS documented the root causes that it
believes have resulted in its noncompliance, and analyzed the key success
factors, key performance measures, verification and validation procedures,
risks, impediments, dependencies with other corrective actions, resources
required, and critical milestones needed to become compliant with IPIA;
however, implementation will take significant time and effort. DHS cited
its lack of resources, guidance, and experience with IPIA to execute risk
assessments as root causes for its noncompliance with IPIA. The corrective
action plan identified the following items related to IPIA, including root
causes.
^28GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the
Individuals and Households Program to Fraud and Abuse; Actions Needed to
Reduce Such Problems in Future, GAO-06-1013 (Washington, D.C.: Sept. 27,
2006).
^29OMB Circular No. A-50, Audit Followup (revised Sept. 29, 1982), requires
agencies to develop corrective action plans to address audit findings,
stating that corrective action taken by management on audit findings and
recommendations is essential to improving the effectiveness and efficiency
of government operations. According to OMB's guidance, each agency is
required to establish systems to assure the prompt and proper resolution
and implementation of audit recommendations.
^30OMB Memorandum M-03-13, along with other improper payment guidance, was
consolidated into Appendix C of OMB Circular No. A-123. Appendix C was in
effect for fiscal year 2006.
Table 2: Summary of DHS's Corrective Action Plan for IPIA Compliance as of June
7, 2007
Area / Description
Root cause
  o Lack of program-level financial reporting
  o Lack of experience and guidance with IPIA to execute risk assessments,
    which led to the absence of proper risk assessments
  o Difficulty in testing DHS grant programs
  o Hurricane Katrina effects that highlight internal control weaknesses
    over disbursements at FEMA
Key success factors
  o Define IPIA compliance criteria
  o Define IPIA programs
  o Complete a rigorous risk assessment
  o Develop sample test plans and execute sample testing
  o Establish a review program to ensure that an independent party reviews
    preparer responses
  o Develop a corrective action plan based on test results
  o Have components update these corrective action plans periodically
Key performance measures
  o 100% identification of DHS population of programs for IPIA work
  o 100% completion of risk assessments by components
  o 100% completion of IPIA sample testing by July 31, 2007, for all
    components' high-risk programs
  o 100% oversight of component corrective action plans for high-risk
    programs
  o IPIA compliance guidance for fiscal year 2007 issued by May 31, 2007
  o Completion of supplemental sample payment testing that confirms that
    corrective action plan targets for high-risk programs are being met or
    exceeded
  o Increase recoupment (recovery) for identified improper payments
  o Completion of secondary control of recovery audit for components with
    IPIA total disbursement populations above $500 million
  o Submission of corrective action plans for all high-risk IPIA programs
    by September 15, 2007
Verification and validation
  o Confirm improper payment sample test populations tie to an independent
    verifiable source
  o Assess the operating effectiveness of sample test results
  o Confirm claimed recovery amounts are reflected in general ledger
    postings
  o Review recovery audit contract reports against general ledger balances
    to confirm comprehensiveness of work
  o Test common high-risk factors identified by sample test results after
    performing a cost-benefit analysis
Risks, impediments, and dependencies
  o Grant impediment: legal and political restrictions, lack of guidance
  o Budgetary and financial system impediment
  o FEMA risk: breakdown of controls and scale of disbursements for
    Hurricane Katrina
  o Guidance risk: clarification of requirements in Appendix C to OMB
    Circular No. A-123 would be helpful
  o Sample design impediment: the trial balance data used for IPIA
    analysis does not readily yield true IPIA disbursement population
    amounts
  o Recovery audit impediment: security- and staffing-related issues have
    hampered the ability of recovery audit contractors
Resources required
  o DHS OCFO has hired contractor support to review DHS IPIA compliance
    guidance, provide IPIA training, review DHS component-completed risk
    assessments, and develop testing sample sizes to include in DHS
    component-developed test plans
  o DHS components will conduct the risk assessments and develop their own
    test plans for high-risk programs
  o FEMA hired contractor support to design and implement an improper
    payment test plan for Hurricane Katrina-related payments for
    individual housing programs, contracts, mission assignments, and
    grants
  o FEMA also hired a contractor to assist with IPIA program definitions
    and risk assessments for all FEMA programs
Source: DHS Office of Financial Management, Improper Payments Information
Act Corrective Action Plan Summary Report (as of June 7, 2007).
DHS also identified critical milestones in its corrective action plan for
IPIA compliance, including due dates and status. However, these efforts
remain ongoing and DHS has already missed some milestones. For example,
while DHS initially planned for each component to identify its IPIA
programs and disbursement populations by January 2007, this milestone was
delayed until June 2007. As of July 8, 2007, according to DHS, the agency
was waiting for one component to submit its list of programs, and DHS was
in the process of reviewing submissions from the other components. Because
of such delays, DHS does not expect to be in compliance with IPIA in
fiscal year 2007 and will likely be noncompliant in fiscal year 2008.
DHS's updated critical milestones as of June 7, 2007, related to fiscal
year 2007 are presented in table 3.
Table 3: Summary of Critical Milestones in DHS's Corrective Action Plan
for IPIA Compliance Related to Fiscal Year 2007
                                                                  Completion
                                                                  status according
Topic                                                 Due date    to DHS
Guidance and training:
  Update fiscal year 2007 IPIA PAR guidance           2/1/2007    Completed-100%
  Hold corrective action plan workshop on program     5/30/2007   Completed-100%
  identification and risk assessments for fiscal
  year 2007
  Hold corrective action plan workshop on sample      6/29/2007   Planning-25%
  testing and reporting for fiscal year 2007
Program identification:
  Program identification for fiscal year 2007         6/15/2007   In progress-50%
Risk assessment:
  A-123 pilot for FEMA for fiscal year 2006 IPIA      11/15/2007  In progress-50%
  work
Sample testing:
  Develop sample test plans for fiscal year 2007      6/28/2007   In progress-50%
  IPIA work
  Complete sample test plans for fiscal year 2007     8/31/2007   Not started-0%
  IPIA work
  Generate programwide error estimates for fiscal     9/14/2007   Not started-0%
  year 2007 IPIA work
Error analysis/corrective actions for high-risk programs:
  Implement corrective action plans for fiscal year   11/15/2007  Completed-100%
  2006 IPIA work
  Develop corrective action plans with projected      8/31/2007   Not started-0%
  error rate improvement for fiscal year 2007 IPIA
  work
  Implement corrective action plans for fiscal year   11/15/2007  Not started-0%
  2007 IPIA work
Recovery audit/collections:
  Sign contract with recovery audit firm for fiscal   10/2/2006   Completed-100%
  year 2007
  Receive progress updates and final report for       9/30/2007   In progress-50%
  fiscal year 2007 IPIA work
PAR reporting:
  Provide OMB with a draft fiscal year 2007 PAR and   10/19/2007  Not started-0%
  address all OMB feedback
Source: DHS Office of Financial Management, IPIA Corrective Action Plan
Summary and Detailed Reports (as of June 7, 2007).
DHS's planning and assessment process to develop its IPIA corrective
action plan enabled the agency to update its guidance for its components
and, according to DHS, the agency plans to focus on program identification
and risk assessments during fiscal year 2007. Strengthening risk
assessments and identifying potential improper payments are also important
in order for DHS to begin taking steps to reduce improper payments and
ultimately improve the integrity of the payments it makes. According to
DHS officials, the department has been working in close consultation with
OMB, sharing guidance documents, program test plans and results, and
recovery audit status reports. Regardless of whether DHS is able to fully
complete these efforts in fiscal year 2007, focusing on these areas will
help the agency build a solid foundation for a sustainable IPIA program.
The updated guidance was issued in May 2007 and is to be in effect for
fiscal year 2007 reporting. In this revised guidance, DHS clarifies how
its components should identify their population of programs. In addition,
DHS requires its components to perform a comprehensive risk assessment in
order to identify programs susceptible to significant improper payments.
DHS has designed a detailed methodology to conduct the IPIA risk
assessment, and this methodology is outlined in the May 2007 guidance. The
methodology, which includes qualitative criteria, as we have previously
discussed, involves the creation of a program risk matrix based upon
specific risk elements that affect the likelihood of improper payments.
Further, the guidance states that a program may be selected for testing
even if it does not meet the quantitative or qualitative assessments,
noting that it is entirely possible that the risk assessment process may
not identify a program as high risk, but component management may believe
a program is high risk due to a high-level public profile or known
financial or regulatory issues (such as a high-profile contract). For
those programs found to be at high risk for issuing improper payments, the
guidance also provides instructions for estimating improper payments,
implementing a plan to reduce improper payments, and reporting on this
information. Each of these procedures outlined in the May 2007 guidance
includes instructions to submit information or documentation to the
Internal Controls over Financial Reporting (ICOFR) Program Management
Office (PMO). ^31
DHS's May 2007 guidance for fiscal year 2007 also outlines possible
alternative approaches for testing grants. One possible alternative is the
complete documentation of the component's grant management process and the
testing of internal controls. According to DHS, this approach helps the
component identify specific weaknesses within the grant process, rather
than sampling payments at random to determine potential errors. A second
alternative is to perform a risk assessment on the program's grant
portfolio. This alternative helps the program identify specific grants
that may be more susceptible to improper payments. The identified grants
would then be subject to improper payment sampling. If a component wishes
to consider alternative approaches to grant sampling, an explanatory
memorandum must be submitted to the ICOFR PMO for review and approval. If
approved by the ICOFR PMO, DHS will submit the alternative approach
request to OMB for review and approval. Also, OMB
has reported ^32 that the Chief Financial Officers (CFO) Council
^33 continues to play a critical role in efforts to address and reduce
improper payments through its Improper Payments Transformation Team. This
group has been collaborating with nongovernmental entities to consolidate
governmentwide best practices; enumerate legislative and regulatory
barriers that hinder program integrity efforts; and develop forums where
federal and state stakeholders from the program, audit, and financial
communities work together to solve program integrity challenges. These
activities could provide guidance to help DHS determine how to best test
its grant programs.
^31The ICOFR PMO, as discussed in the next section of this report, is an
office within the DHS OCFO.
DHS also plans to hold workshops for its components on statistical sample
testing and reporting to ensure that they have a consistent understanding
of what is expected with regard to IPIA testing and reporting. Although
DHS does not expect to be in compliance with IPIA in fiscal year 2007,
completing a thorough risk assessment process is an important first step.
DHS Has a Broader Initiative to Resolve Internal Control Weaknesses across the
Department
In addition to developing the corrective action plans described, DHS has a
broader initiative to resolve material internal control weaknesses and
build management assurances across the department. During fiscal year
2007, DHS established the ICOFR PMO as a new office within the DHS OCFO.
The ICOFR PMO is responsible for departmentwide implementation of OMB
Circular No. A-123. In March 2007, DHS issued the ICOFR Playbook, which
outlines the department's strategy and processes to resolve material
weaknesses and build management assurances and incorporates the
departmentwide corrective action plans, which contain more detailed
information. The ICOFR PMO is responsible for the ICOFR Playbook and,
according to DHS, the agency will update the ICOFR Playbook each year,
establishing milestones and focus areas that will be tracked during the
year. One section of the ICOFR Playbook relates to IPIA testing, and it
discusses the actions taken by DHS in fiscal year 2006 to meet IPIA
requirements. This section also states that DHS will develop policies and
procedures to integrate the requirements of OMB's implementing guidance
for IPIA into annual component management
assurances of compliance with significant laws and regulations, as part of
DHS management's assertion on internal controls over financial reporting
and in an effort to strengthen internal controls to support DHS's mission.
In addition to management providing an assertion on internal controls over
financial reporting, DHS is required to obtain a related auditor's
opinion. ^34 Incorporating IPIA into this guidance will increase the
likelihood of successful implementation and could also strengthen related
internal controls.
^32OMB, Improving the Accuracy and Integrity of Federal Payments
(Washington, D.C.: Jan. 31, 2007).
^33The CFO Council is an organization comprised of the CFOs and Deputy CFOs
of the 24 CFO Act agencies, and senior officials in OMB and the Department
of the Treasury who work collaboratively to improve financial management
in the U.S. government.
The ICOFR Playbook draws attention to the process of addressing IPIA
requirements across the department. By successfully addressing the
requirements of IPIA, DHS will be in a better position to take steps to
reduce improper payments, as the ultimate goal of IPIA reporting is to
improve the integrity of payments that the agency makes. Further, DHS has
testified that to ensure the long-term effectiveness of the department's
efforts to reduce improper payments, DHS requested resources in its fiscal
year 2008 budget to hire additional staff so that it can enhance risk
assessment procedures and conduct oversight and review of component test
plans.
DHS Has Developed Plans to Reduce Improper Payments for FEMA's Two
Disaster-Related Programs, but Effects Remain Unknown
In addition to its overall corrective action plan to comply with IPIA,
DHS, as required by IPIA and related OMB implementing guidance, has
developed plans to reduce improper payments related to the two high-risk
programs it identified in its fiscal year 2006 testing--FEMA's IHP
assistance payments and disaster-related vendor payment programs. These
plans highlighted improving internal controls to prevent improper payments
in each of these programs.
FEMA's testing of its two high-risk disaster-related programs identified
several key internal control weaknesses, including ineffective system
controls to review data for potential duplications and inconsistently
applied standards for supporting evidence and documentation. To address
these findings, FEMA initiated corrective action plans aimed at reducing
improper payments by strengthening internal controls. These plans included
validating Social Security numbers during telephone registration,
increasing IT systems capabilities to handle high volume during a
catastrophic disaster, and enhancing post-payment reviews. Our prior
reporting ^35 also identified significant internal control
deficiencies in the IHP program.
^34 31 U.S.C. 3516(f)(2).
To address OMB's reporting requirements on actions for reducing improper
payments, DHS included in its fiscal year 2006 PAR corrective action plans
for IHP assistance payments and disaster-related vendor payments. For each
of the two high-risk programs, DHS prepared a schedule of corrective
action plans with target completion dates. For the IHP program, DHS
included corrective action plans that were already completed in addition
to those in process and planned. DHS has also established critical
milestones for reducing improper, disaster-related vendor payments. During
fiscal year 2007, DHS updated and tracked its corrective action plan
critical milestones. Details of these corrective action plan critical
milestones can be found in appendix V.
Based on DHS's updated corrective action plan report for IHP, as of May
14, 2007, DHS had not completed certain critical milestones by the
identified target date. These milestones included system interface
improvements and certain contract awards. Missing these established
critical milestones delays strengthening internal controls that are
necessary to reduce future improper payments, and therefore it is
important that DHS stays on track in implementing its corrective action
plans.
DHS also noted that human capital is the principal requirement to execute
these two corrective action plans; however, according to DHS, exact
requirements are not estimable at this time. With regard to system
improvements, as we have previously recommended, ^36 DHS needs to
conduct effective testing to provide reasonable assurance that the system
will function in a disaster recovery environment.
^35See, for example, GAO, Expedited Assistance for Victims of Hurricanes
Katrina and Rita: FEMA's Control Weaknesses Exposed the Government to
Significant Fraud and Abuse, GAO-06-655 (Washington, D.C.: June 16, 2006);
Hurricanes Katrina and Rita Disaster Relief: Improper and Potentially
Fraudulent Individual Assistance Payments Estimated to Be Between $600
Million and $1.4 Billion, GAO-06-844T (Washington, D.C.: June 14, 2006);
and Expedited Assistance for Victims of Hurricanes Katrina and Rita:
FEMA's Control Weaknesses Exposed the Government to Significant Fraud and
Abuse, GAO-06-403T (Washington, D.C.: Feb. 13, 2006).
^36GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the
Individuals and Households Program to Fraud and Abuse; Actions Needed to
Reduce Such Problems in Future, GAO-06-1013 (Washington, D.C.: Sept. 27,
2006).
DHS's Efforts to Comply with the Recovery Auditing Act and to Recover Improper
Payments Need to Be Enhanced
For the last 3 years, DHS has contracted with a recovery auditing firm to
perform recovery audit work to comply with the Recovery Auditing Act;
however, activities in this area could be improved. Specifically, DHS
encountered problems that kept it from reporting on recovery audit efforts
during fiscal year 2006. DHS was not able to report recovery audit results
in fiscal year 2006 for three of the four components it identified as
meeting the criteria for recovery auditing as specified in the Recovery
Auditing Act (i.e., over $500 million in contractor payments) due to
problems obtaining disbursement data and delays in obtaining security
clearances for contract personnel. In addition, DHS did not perform
recovery auditing efforts at the fourth component identified as meeting
the criteria. Further, DHS has not yet reported on its efforts to recover
improper payments identified during its testing of FEMA's disaster-related
vendor payments and has reported limited information on its efforts to
recover identified improper IHP assistance payments.
In March 2007, DHS revised its internal guidance for recovery auditing for
fiscal year 2007 to discuss the issues encountered in previous years and
to emphasize timelines to help ensure that all applicable components are
able to report. This guidance clarifies what is expected of applicable
components, but ongoing oversight within the OCFO will be necessary to
ensure that components are progressing with their recovery auditing
efforts and will be able to successfully report on the results of these
efforts at year end. In addition, DHS's updated guidance does not require
components to report on efforts to recover improper payments identified
during IPIA testing. Reporting this information in the annual PAR would
provide a more complete picture of the agency's actions to recover
payments that it has identified as being improper.
Recovery Auditing Efforts at DHS Could Be Improved
As an executive branch agency, DHS is required to perform recovery audits
under certain conditions as specified by the Recovery Auditing Act.
Beginning with fiscal year 2004, OMB required that applicable agencies
publicly report on their recovery auditing efforts as part of their PAR
reporting of improper payment information. Agencies are required to
discuss any contract types excluded from review and justification for
doing so. Agencies are also required to report, in table format, various
amounts related to contracts subject to review and actually reviewed,
contract amounts identified for recovery and actually recovered, and
prior-year amounts.
DHS took steps to identify and recover improperly disbursed funds by
hiring an independent contractor who conducted recovery audit work at two
major components, ICE and CBP. DHS began recovery auditing efforts during
fiscal year 2004 but was not able to report on these efforts for that year
because initial findings were not available in time to be included in the
annual PAR. This recovery audit work continued during fiscal year 2005 and
covered all fiscal year 2004 disbursements to contractors from these two
components, ultimately identifying more than $2.1 million of improper
payments and recovering more than $1.2 million, as reported in DHS's
fiscal year 2005 PAR. While DHS was able to recover about 55 percent of
improper payments identified through its recovery audit efforts, based on
our review of other agencies, we have previously questioned ^37
whether agency amounts identified for recovery should have been much
higher, which would thereby significantly decrease the agency-specific and
overall high rate of recovery.
According to DHS's fiscal year 2006 PAR reporting, recovery audit contract
work over fiscal year 2005 disbursements began in fiscal year 2005 at CBP
and ICE, and DHS extended its recovery audit work to include USCG in
fiscal year 2006. Delays in obtaining security clearances for contract
personnel severely hampered completion of recovery audit work at CBP and
ICE. Delays in supplying needed disbursement information hindered recovery
audit work at USCG. As a result, DHS was not able to provide conclusive
recovery audit summary results for fiscal year 2006 PAR reporting.
According to DHS, four of its components--ICE, CBP, USCG, and FEMA--meet
the criteria for recovery auditing as specified in the Recovery Auditing
Act (i.e., each has over $500 million in contractor payments). ICE, CBP,
and USCG entered into the same recovery audit contract. FEMA's recovery
audit work in fiscal year 2006 was part of a pilot study on internal
controls over improper payments for IHP assistance and disaster-related
vendor payments. In the aftermath of Hurricane Katrina, DHS and FEMA, with
the assistance of a contractor, conducted an internal controls assessment
related to improper IHP assistance and disaster-related vendor payments.
Although this assessment identified improper payments, DHS has not yet
reported on its efforts to recover improper payments identified during its
testing of FEMA's disaster-related vendor payments and has reported
limited information, such as the dollar amount of improper payments
approved
for recovery and the amount returned to FEMA, related to its efforts to
recover improper IHP payments.
^37GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under the
Improper Payments Information Act Remains Incomplete, GAO-07-92
(Washington, D.C.: Nov. 14, 2006).
Of the 3 years agencies have been required to report on recovery audits in
table format, DHS was only able to report required recovery audit data in
its fiscal year 2005 PAR. ^38 Table 4 presents DHS's recovery audit
efforts and results for fiscal years 2004 through 2006.
Table 4: Recovery Audit Results for Fiscal Years 2004 through 2006
PAR     Agency-reported Agency-reported Agency-reported Agency-reported
fiscal  amount subject  actual amount   amount          amount          Related
year    to review for   reviewed and    identified for  recovered in    components
        fiscal year     reported in     recovery in     fiscal year
        reporting       fiscal year     fiscal year
2004    (not reported)  (not reported)  (not reported)  (not reported)  CBP, ICE^a
2005    $3,232,300,000  $3,232,300,000  $2,191,000      $1,207,000      CBP, ICE
2006    (not reported)  (not reported)  (not reported)  (not reported)  CBP, ICE, and USCG^b
Sources: DHS Performance and Accountability Reports for 2004, 2005, and
2006.
^aDHS contracted for recovery audit work at CBP and ICE; however, DHS was
not able to provide recovery audit results for fiscal year 2003
disbursements in its fiscal year 2004 PAR.
^bDHS contracted for recovery audit work at CBP, ICE, and USCG; however, DHS
was not able to provide recovery audit results for fiscal year 2005
disbursements in its fiscal year 2006 PAR.
DHS's Internal Guidance for Recovering Improper Payments Has Been Revised but
Additional Information Could Be Reported
DHS has recently revised and clarified its internal guidance related to
recovery auditing for fiscal year 2007 to discuss prior issues and
emphasize timelines to help ensure that all applicable components are able
to complete recovery audits and report on their efforts. The new guidance
requires that applicable DHS components provide the ICOFR PMO with a
general description and evaluation of the steps taken to carry out a
recovery auditing program. Components are required to include a discussion
of any security clearance requirements and show that there is sufficient
time to allow contractors to complete audit recovery work in time to meet
PAR reporting deadlines. Every update should include the total amount of
contracts subject to review, the actual amount of contracts reviewed, the
amount identified for recovery, and the amounts actually recovered in the
current year. The year-end update should include a
corrective action plan to address the root causes of payment errors. A
general description and evaluation of any management improvements to
address flaws in a component's internal controls over contractor payments
discovered during the course of implementing a recovery audit program, or
other control activities over contractor payments, is also required. This
guidance applies to the four DHS components--CBP, FEMA, ICE, and
USCG--that meet Recovery Auditing Act criteria. In addition, according to
DHS, the ICOFR PMO may expand recovery audit contracting to other
components as the benefits of this work become clearer. Although DHS's
guidance clarifies what is expected of components, ongoing oversight
within the OCFO will be necessary to ensure that the components are
progressing with their recovery auditing efforts and will be able to
successfully report on results at year end.
^38Subsequent to issuing its fiscal year 2006 PAR, DHS reported recovery
audit amounts to OMB for inclusion in OMB's governmentwide reporting of
fiscal year 2006 recovery auditing information.
In addition to specific recovery audit work to identify improper payments
made to contractors, DHS also identifies improper payments through its
IPIA testing. For example, as discussed previously, DHS's testing in
fiscal year 2006 of its two high-risk programs identified improper IHP
assistance payments and disaster-related vendor payments made by FEMA.
However, DHS's internal guidance does not require components to include
information in its annual PAR related to its efforts to recover improper
payments identified during IPIA testing and, as a result, DHS has not yet
reported on its efforts to recover improper disaster-related vendor
payments identified and has reported limited information on its efforts to
recover identified improper IHP assistance payments. Having components
report this information in the annual PAR would provide a more complete
picture of the agency's actions to recover payments that it has identified
as being improper.
Conclusions
Although DHS has made some progress in implementing the requirements of
IPIA, challenges remain in ensuring that all DHS programs and activities,
including grant programs, have been reviewed to determine their
susceptibility to significant improper payments and tested, if applicable.
As DHS continues to improve its IPIA efforts and identify and test its
high-risk programs, the agency should be better able to identify, and
ultimately strengthen controls, to reduce improper payments.
While preventive internal controls should be maintained as the agency's
front-line defense against making improper payments, recovery auditing
holds promise as a cost-effective means of identifying contractor
overpayments. In addition, reporting on efforts to recover any other
specific improper payments identified would provide a more complete
picture of the agency's actions to recover payments that it has identified
as being improper. With the ongoing imbalance between revenues and outlays
across the federal government, and the Congress's and the American
public's increasing demands for accountability over taxpayer funds,
identifying, reducing, and recovering improper payments become even more
critical.
Recommendations for Executive Action
To help improve its efforts to implement IPIA and recover improper
payments, we recommend that the Secretary of Homeland Security direct the
Chief Financial Officer to take the following actions.
(1) Maintain oversight and control over critical milestones identified
in the DHS corrective action plan for IPIA compliance so that DHS
components stay on track, specifically in regard to identifying
programs and performing risk assessments and any related testing.
(2) Require all applicable components to determine and document how
they plan to assess their grant programs to determine whether they
are at high risk for issuing significant improper payments, and,
if necessary, test these grant programs.
(3) Provide oversight and monitor the progress of all applicable DHS
components to successfully perform and report on their recovery
auditing efforts.
(4) Similar to the required reporting on efforts to recover improper
payments made to contractors under the Recovery Auditing Act,
develop procedures for reporting in its annual PAR on the results
of yearly efforts to recover any other known improper payments
identified under IPIA, by the DHS OIG, or other external auditors.
Agency Comments and Our Evaluation
We requested comments on a draft of this report from the Secretary of
Homeland Security. These comments are reprinted in appendix II. DHS
concurred with the recommendations in our report. DHS noted that
significant actions under way include strengthening the department's
financial management and oversight functions to improve the DHS control
environment and implementing risk assessments to build a foundation for a
sustainable IPIA program.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its date. At that time, we will send copies of this report to the
Secretary of Homeland Security and other interested parties. Copies will
also be made available to others upon request. In addition, this report
will also be available at no charge on GAO's Web site at
http://www.gao.gov.
If you or your staff have any questions regarding this report, please
contact me at (202) 512-9095 or at [email protected]. Contact points
for our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. GAO staff who made contributions to this
report are listed in appendix VI.
McCoy Williams
Director, Financial Management and Assurance
Appendix I: Scope and Methodology
To determine to what extent the Department of Homeland Security (DHS) has
implemented the requirements of the Improper Payments Information Act of
2002 (IPIA), we compared the IPIA legislation, and the related Office of
Management and Budget (OMB) implementing guidance, with DHS improper
payment risk assessment methodologies, and IPIA Performance and
Accountability Report (PAR) information for fiscal years 2004 through
2006. To analyze DHS risk assessment compliance with IPIA, we obtained and
reviewed documents regarding its regulations and methodology for
identifying programs and activities highly susceptible to improper
payments. We reviewed DHS's PARs, Office of Inspector General (OIG)
semiannual reports to the Congress, and GAO reports for fiscal years 2004
through 2006 for improper payment information. We also reviewed procedures
performed by DHS's independent financial statement auditor related to
DHS's compliance with IPIA.
We reviewed the programs that DHS identified as its IPIA population and
analyzed the risk assessments that were performed during fiscal year 2006.
This allowed us to determine which components did not perform a risk
assessment and which programs were not covered. During our review, we
noted that the Office of Grants and Training (GT), a DHS component, did
not perform an assessment or complete payment statistical sample testing
on its grants programs for fiscal year 2006 as required of all DHS
programs issuing more than $100 million of IPIA relevant payments in
fiscal year 2005. To analyze improper payments related to DHS grantees and
highlight the importance of performing IPIA testing in this area, we
obtained and reviewed fiscal year 2005 single audit reports of these
entities. We used fiscal year 2005 reports because that is the most recent
year for which complete audit results have been posted to the Federal
Audit Clearinghouse (FAC). ^1 We also reviewed GAO reports and DHS OIG
Financial Assistance (Grants) Reports for fiscal year 2005 through fiscal
year 2007 to identify weaknesses reported at DHS grantees. In addition, we
reviewed DHS OIG Management Reports (audits and inspections) for fiscal
year 2005 through fiscal year 2007 that were related to grants and DHS OIG
semiannual reports to the Congress for fiscal years 2005 and 2006 to
identify questioned costs related to DHS grantees.
^1The FAC's primary purposes are to (1) disseminate audit information to
federal agencies and the public, (2) support OMB oversight and assessment
of federal award audit requirements, (3) assist federal cognizant and
oversight agencies in obtaining OMB Circular No. A-133 data and reporting
packages, and (4) help auditors and auditees minimize the reporting burden
of complying with Circular No. A-133 audit requirements.
To identify what actions DHS has under way to improve IPIA compliance and
reporting, we interviewed DHS staff in the Office of the Chief Financial
Officer and reviewed DHS corrective action plans and the Internal Controls
Over Financial Reporting (ICOFR) Playbook. We also reviewed DHS's IPIA
implementing guidance for fiscal year 2007--revised in March 2007 and May
2007--and determined whether it was consistent with IPIA requirements. We
discussed these revisions with improper payment and financial management
officials from DHS to inquire about what is currently being implemented
and what will be implemented in the future to ensure compliance with DHS's
revised internal guidance.
To determine what efforts DHS has in place to recover improper payments,
we compared section 831 of the National Defense Authorization Act for
Fiscal Year 2002, commonly known as the Recovery Auditing Act, and the
related OMB implementing guidance, with DHS recovery auditing procedures
and PAR-reported information for fiscal year 2006. We also reviewed DHS
PARs, OIG semiannual reports to the Congress, and GAO reports for fiscal
years 2004 through 2006 for recovery audit information.
To assess the reliability of data reported in DHS's PARs related to
improper payments and recovery audit efforts, we (1) reviewed existing
information about the data and the system that produced them and
(2) interviewed agency officials knowledgeable about the data. Based on
these assessments, we determined that the data were sufficiently reliable
for the purposes of this report. We conducted our work from October 2006
through June 2007 in accordance with generally accepted government
auditing standards. We requested comments on a draft of this report from
the Secretary of Homeland Security or his designee. The Director,
Departmental GAO/OIG Liaison Office, provided written comments, which are
presented in the Agency Comments and Our Evaluation section of this report
and are reprinted in appendix II.
Appendix II: Comments from the Department of Homeland Security
Appendix III: Prior-Year IPIA Reporting by DHS and Its Independent Auditor
Table 5 presents information on prior-year IPIA reporting by DHS, including
compliance issues reported by the independent auditor.
Table 5: Prior-Year IPIA Reporting by DHS
Fiscal year 2004
Description of DHS IPIA PAR reporting: DHS's PAR presented a completed
IPIA risk matrix for all DHS programs exceeding $100 million in nonpayroll
annual disbursements. Programs were defined using the Future Years
Homeland Security Program (FYHSP) system. If a program did not reach a
$100 million nonpayroll fiscal year 2005 operating budget level, the
program was judged too small to be at risk for annually issuing $10
million in improper payments. According to DHS, payroll disbursements were
excluded because of their repetitive, stable nature and the extensive
internal controls they are subjected to by the National Finance Center. An
overall risk score was assigned to each FYHSP by evaluating internal
control, human capital, programmatic risk, and materiality of operating
budget risk factors. The fiscal year 2004 risk matrix identified no
high-risk IPIA programs.
Compliance issues reported by the independent auditor: The independent
auditor reported that DHS did not comply with IPIA. Specifically, DHS did
not
o properly define programs and activities,
o institute a systematic method of reviewing all programs and
identifying those it believed were susceptible to significant
erroneous payments, and
o properly sample or compute the estimated dollar amount of improper
payments.
The auditor recommended that DHS follow the guidance provided in OMB
M-03-13 in fiscal year 2005, including reexamining the definition of a
program, completing the necessary susceptibility assessments, instituting
sampling techniques to allow for statistical projection of the results,
and providing information for proper disclosure in its PAR.
Fiscal year 2005
Description of DHS IPIA PAR reporting: DHS defined IPIA programs by
Treasury Appropriation Fund Symbol (TAFS). This change in program
definition reflected the absence of FYHSP detail and the presence of TAFS
detail at the transaction level and avoided testing issues stemming from
FYHSP cost allocations. Each component sample tested major payment
categories for the largest TAFS provided that total disbursements exceeded
$100 million exclusive of payroll and intragovernmental payments. An
exception was made for one component, FEMA, which tested a TAFS that was
involved in an improper payment related OIG finding for the Individuals
and Households Program (IHP). Fiscal year 2005 sample testing identified
no high-risk IPIA programs.
Compliance issues reported by the independent auditor: The auditor
identified the following instances of noncompliance with IPIA at DHS.
Specifically, DHS did not
o institute a systematic method of reviewing all programs and
identifying those it believed were susceptible to significant
erroneous payments; and
o perform testwork to evaluate improper payments for all material
programs; testing was only performed over the TAFS with the largest
disbursements for each component or the largest TAFS maintained by an
internal DHS accounting service provider.
The auditor recommended that DHS follow the guidance provided in OMB
M-03-13 in fiscal year 2006, including completing the necessary
susceptibility assessments, performing testwork over all material
programs, and instituting sampling techniques to allow for statistical
projection of the results.
Fiscal year 2006
Description of DHS IPIA PAR reporting: DHS defined IPIA programs by
management-identified groupings of TAFS. These groupings were designed to
meet the draft Appendix C definition of an IPIA program (Appendix C was
issued August 10, 2006). Sample test plans were designed by a statistical
team which used stratified sampling techniques. Sample sizes both in
number of payments and amount of payments increased dramatically compared
with previous years. Two programs were found to be at high risk for
issuing improper payments--FEMA's IHP and disaster-related vendor
payments. Corrective action plans were developed for each. IPIA problems
included (1) required sample testing was not completed for all programs,
(2) sample test design was hampered by the use of SF-133 outlay figures
during IPIA program identification, (3) risk assessments were based on
strictly quantitative factors, and (4) recovery audit results were not
complete enough to report in the PAR.
Compliance issues reported by the independent auditor: The auditor
identified the following instances of noncompliance with IPIA at DHS and
its components.
o Not all programs subject to IPIA were tested, and the population of
disbursements tested for some programs was not complete.
o In some cases, the samples tested were not statistically derived, and
thus, identified errors could not be statistically projected to the
entire population of disbursements (including the untested portion).
o In some cases, the personnel performing the testwork were not
knowledgeable or trained on the purpose or procedures to be
performed.
o The time period from which disbursements were selected for testwork
was not always in compliance with IPIA requirements. For example, the
auditor noted that one component limited the time period of
disbursement samples to October 2005 through March 2006. (Note: The
actual time period also included September 2005 but the auditors did
not note this as an exception).
o Centralized monitoring was not performed over the IPIA results to
ensure that IPIA testing was completed for all required programs in
accordance with the department's requirements.
The auditor recommended that DHS follow the guidance provided in OMB
M-03-13 in fiscal year 2007, including completing the necessary
susceptibility assessments, performing testwork over all material
programs, and instituting sampling techniques to allow for statistical
projection of the results of its improper payments testing.
Source: DHS Performance and Accountability Reports.
Appendix IV: DHS Grant Programs
Table 6 provides a list of DHS grant programs, primary recipients, and
award information for fiscal year 2006.
Table 6: DHS Grant Programs and Related Information
| No. | DHS component | CFDA number | Program | Primary recipients | Number of awards in fiscal year 2006 | Fiscal year 2006 award amount | Average award amount |
|---|---|---|---|---|---|---|---|
| 1 | Citizenship & Immigration Services (CIS) | 97.009 | Cuban/Haitian Entrant Program | Nonprofit organizations | 2 | $10,292,085 | $5,146,043 |
| 2 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.017 | Pre-Disaster Mitigation Competitive Grants | States and Indian tribal governments | 74 | 126,245,825 | 1,706,025 |
| 3 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.023 | Community Assistance Program State Support Services Element | States | 64 | 7,500,000 | 117,188 |
| 4 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.024 | Emergency Food and Shelter National Board Program | Community groups | 1 | 151,473,765 | 151,473,765 |
| 5 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.025 | National Urban Search and Rescue Response System | State and local governments | 100 | 39,482,142 | 394,821 |
| 6 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.026 | Emergency Management Institute (EMI) Training Assistance | Individuals | 3,424^a | 1,421,511 | 415 |
| 7 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.027 | EMI Independent Study Program | Individuals | 3,729,647^a | 884,090 | < 1 |
| 8 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.028 | EMI Resident Educational Program | Individuals | 13,605^a | 3,006,705 | 221 |
| 9 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.029 | Flood Mitigation Assistance | States and communities | 83 | 17,473,353 | 210,522 |
| 10 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.041 | National Dam Safety Program | States | 51 | 3,374,476 | 66,166 |
| 11 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.045 | Cooperating Technical Partners | States and communities | 86 | 54,139,208 | 629,526 |
| 12 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.047 | Pre-Disaster Mitigation | State and Indian tribal governments | 178 | 134,880,496 | 757,756 |
| 13 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.070 | Map Modernization Management Support | States and communities | 69 | 9,769,657 | 141,589 |
| 14 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.082 | Earthquake Consortium | State, local, and Indian tribal governments | 3 | 850,000 | 283,333 |
| 15 | Federal Emergency Management Agency (FEMA)--Nondisaster | 97.095 | Safe Kids Worldwide | Communities | 1 | 199,480 | 199,480 |
| 16 | FEMA--Disaster Assistance | 97.022 | Flood Insurance | Individuals | 30,995^a | 848,691,742 | 27,382 |
| 17 | FEMA--Disaster Assistance | 97.030 | Community Disaster Loans | Local governments | 153 | 1,270,501,241 | 8,303,930 |
| 18 | FEMA--Disaster Assistance | 97.032 | Crisis Counseling | States | 26 | 96,148,654 | 3,698,025 |
| 19 | FEMA--Disaster Assistance | 97.033 | Disaster Legal Services | Individuals | 7^a | 360,611 | 51,516 |
| 20 | FEMA--Disaster Assistance | 97.034 | Disaster Unemployment Assistance | States | 33 | 392,016,043 | 11,879,274 |
| 21 | FEMA--Disaster Assistance | 97.036 | Disaster Grants--Public Assistance (also includes Emergency Assistance and Fire Suppression) | State, local, and Indian tribal governments | 66,797 | 8,138,441,132 | 121,838 |
| 22 | FEMA--Disaster Assistance | 97.039 | Hazard Mitigation | State, local, and Indian tribal governments | 1,268 | 401,694,926 | 316,794 |
| 23 | FEMA--Disaster Assistance | 97.046 | Fire Management Assistance | State and Indian tribal governments | 319 | 68,143,552 | 213,616 |
| 24 | FEMA--Disaster Assistance | 97.048 | Disaster Housing Assistance to Individuals and Households in Presidential Declared Disaster Zones^b | Individuals | 866,268^a | 2,637,939,099 | 3,045 |
| 25 | FEMA--Disaster Assistance | 97.049 | Presidential Declared Disaster Assistance--Disaster Housing Operations for Individuals and Households^b | States and other entities | 123 | 4,773,963,866 | 38,812,714 |
| 26 | FEMA--Disaster Assistance | 97.050 | Presidential Declared Disaster Assistance to Individuals and Households--Other Needs^b | Individuals | 706,760^a | 2,247,028,347 | 3,179 |
| 27 | FEMA--Disaster Assistance | 97.084 | Hurricane Katrina Case Management Initiative Program | Private nonprofit entities | 1 | 66,000,000 | 66,000,000 |
| 28 | FEMA--Disaster Assistance | 97.092 | Repetitive Flood Claims | States, Indian tribal governments, and communities | 39 | 9,821,659 | 251,837 |
| 29 | FEMA--Disaster Assistance | 97.098 | Disaster Donations Management Program | State and local governments | 1 | 950,000 | 950,000 |
| 30 | FEMA--Chemical Programs | 97.040 | Chemical Stockpile Emergency Preparedness Program | State, local, and Indian tribal governments | 21 | 65,010,240 | 3,095,726 |
| 31 | FEMA--U.S. Fire Administration | 97.001 | Pilot Demonstration or Earmarked Projects | Nonfederal entities^c | 8 | 1,184,999 | 148,125 |
| 32 | FEMA--U.S. Fire Administration | 97.016 | Reimbursement for Firefighting on Federal Property | Fire departments | 2 | 1,243 | 622 |
| 33 | FEMA--U.S. Fire Administration | 97.018 | National Fire Academy Training Assistance | Individuals | 5,948^a | 1,464,314 | 246 |
| 34 | FEMA--U.S. Fire Administration | 97.019 | National Fire Academy Educational Program | Individuals | 75,107^a | 5,236,342 | 70 |
| 35 | FEMA--U.S. Fire Administration | 97.043 | State Fire Training Systems Grants | States | 48 | 1,344,000 | 28,000 |
| 36 | FEMA--U.S. Fire Administration | 97.093 | Fire Service Hazardous Materials Preparedness and Response | Private nonprofit entities | 1 | 50,000 | 50,000 |
| 37 | FEMA--U.S. Fire Administration | 97.094 | Prevention Advocacy Resources and Data Exchange Program | State and local governments | 7 | 21,000 | 3,000 |
| 38 | FEMA--U.S. Fire Administration | 97.097 | Training Resource and Data Exchange | State and local governments | 9 | 93,000 | 10,333 |
| 39 | Federal Law Enforcement Training Center (FLETC) | 97.081 | Law Enforcement Training and Technical Assistance | Individuals | 1,579^a | 1,136,880 | 720 |
| 40 | Office of Grants and Training (GT)^d | 97.005 | State and Local Homeland Security Training Program | State and local governments | 13 | 82,207,860 | 6,323,682 |
| 41 | Office of Grants and Training (GT)^d | 97.007 | Homeland Security Preparedness Technical Assistance Program | State and local governments | 4 | 16,692,768 | 4,173,192 |
| 42 | Office of Grants and Training (GT)^d | 97.008 | Urban Areas Security Initiative^e | State and local governments | 0 | 0 | 0 |
| 43 | Office of Grants and Training (GT)^d | 97.042 | Emergency Management Performance Grants | State, local, and Indian tribal governments | 58 | 177,655,500 | 3,063,026 |
| 44 | Office of Grants and Training (GT)^d | 97.044 | Assistance to Firefighters | Fire departments | 4,246 | 270,622,058 | 63,736 |
| 45 | Office of Grants and Training (GT)^d | 97.053 | Citizen Corps^e | State and local governments | 3 | 1,295,000 | 431,667 |
| 46 | Office of Grants and Training (GT)^d | 97.056 | Port Security Grant Program | Seaports and terminals | 99 | 168,052,500 | 1,697,500 |
| 47 | Office of Grants and Training (GT)^d | 97.057 | Intercity Bus Security Grants | Bus systems | 36 | 9,603,000 | 266,750 |
| 48 | Office of Grants and Training (GT)^d | 97.059 | Truck Security Program | Commercial motor carriers and national transportation community | 1 | 4,801,500 | 4,801,500 |
| 49 | Office of Grants and Training (GT)^d | 97.067 | Homeland Security Grant Program | State and local governments | 56 | 1,670,921,920 | 29,837,891 |
| 50 | Office of Grants and Training (GT)^d | 97.068 | Competitive Training Grants | State and local governments | 11 | 28,809,000 | 2,619,000 |
| 51 | Office of Grants and Training (GT)^d | 97.071 | Metropolitan Medical Response System^e | Local and Indian tribal governments | 0 | 0 | 0 |
| 52 | Office of Grants and Training (GT)^d | 97.073 | State Homeland Security Program^e | State and local governments | 0 | 0 | 0 |
| 53 | Office of Grants and Training (GT)^d | 97.074 | Law Enforcement Terrorism Prevention Program^e | State and local governments | 0 | 0 | 0 |
| 54 | Office of Grants and Training (GT)^d | 97.075 | Rail and Transit Security Grant Program | Transportation systems | 21 | 143,240,948 | 6,820,998 |
| 55 | Office of Grants and Training (GT)^d | 97.078 | Buffer Zone Protection Plan | State and local governments | 62 | 72,965,000 | 1,176,855 |
| 56 | Office of Grants and Training (GT)^d | 97.083 | Staffing for Adequate Fire and Emergency Response | Local communities | 243 | 99,394,888 | 409,032 |
| 57 | Office of Grants and Training (GT)^d | 97.089 | Real ID Program | States and other entities | 2 | 6,000,000 | 3,000,000 |
| 58 | Information Analysis and Infrastructure Protection | 97.079 | Public Alert Radios for Schools | Schools | 77,035 | 1,828,045 | 24 |
| 59 | Science & Technology (S&T) | 97.061 | Centers for Homeland Security | U.S. institutions of higher education | 8 | 24,570,000 | 3,071,250 |
| 60 | Science & Technology (S&T) | 97.062 | Scholars and Fellows | Individuals | 383^a | 10,436,453 | 27,249 |
| 61 | Science & Technology (S&T) | 97.069 | Aviation Research Grants | U.S. institutions of higher education | 36 | 11,824,817 | 328,467 |
| 62 | Science & Technology (S&T) | 97.077 | Homeland Security Testing, Evaluation, and Demonstration of Technologies | Nonfederal entities | 5 | 1,298,590 | 259,718 |
| 63 | Science & Technology (S&T) | 97.086 | Homeland Security Outreach, Education, and Technical Assistance | Federal and nonfederal entities | 10 | 9,626,326 | 962,633 |
| 64 | Science & Technology (S&T) | 97.091 | Homeland Security Biowatch Program | State and local governments | 52 | 45,661,986 | 878,115 |
| 65 | Transportation Security Administration (TSA) | 97.072 | National Explosives Detection Canine Team Program | Transportation systems | 17 | 2,132,055 | 125,415 |
| 66 | Transportation Security Administration (TSA) | 97.090 | Law Enforcement Officer Reimbursement Agreement Program | State and local governments | 274 | 67,804,209 | 247,461 |
| 67 | Transportation Security Administration (TSA) | 97.100 | Airport Checked Baggage Screening Program | State, local, or other public entities | 7 | 240,447,289 | 34,349,613 |
| 68 | U.S. Coast Guard (USCG) | 97.012 | Boating Safety Financial Assistance | States and nonprofit organizations | 79 | 87,667,046 | 1,109,709 |
| 69 | U.S. Secret Service (USSS) | 97.015 | Secret Service Training Activities | Sworn members of a law enforcement agency | n/a^f | n/a | n/a |
| 70 | U.S. Secret Service (USSS) | 97.076 | National Center for Missing and Exploited Children | Private nonprofit entities | 1 | 5,445,000 | 5,445,000 |
| | Total-all DHS components | | | | 5,585,670 | $24,849,239,441 | |
| | Awards to individuals^a | | | | 5,433,723 | | |
| | Awards to others | | | | 151,947 | | |
Sources: Fiscal Year 2006 Funded Award Summary for DHS Grant Programs;
Schedule of DHS Programs as of May 9, 2007.
^aThis amount reflects either individual claims, payments to individuals, or
individuals that received training.
^bThis grant program is part of the Individuals and Households Program
(IHP).
^cNonfederal entities include state, local government, private, public,
profit or nonprofit organizations, Indian Tribal government, or
individuals specified in a U.S. appropriation statute.
^dGT was incorporated into FEMA as of March 31, 2007.
^eThis grant program is incorporated into the Homeland Security Grant
Program.
^fAccording to DHS, the USSS provides training as part of its routine work
and does not report this information separately.
Appendix V: Corrective Action Plans for High-Risk Programs
Table 7 describes the details of the open corrective action plan critical
milestones as of May 14, 2007, as reported by DHS, for reducing improper
IHP assistance payments.
Table 7: DHS's Incomplete Critical Milestones for Its IHP Corrective
Action Plan, Status as of May 14, 2007
| Topic | Target date | Completion status according to DHS |
|---|---|---|
| If the Office of General Counsel (OGC) approves, provide the contractor with requirements and obtain information from them regarding their ability to prepopulate insurance data in applicant files. | September 2006 | 0% |
| Improve the National Emergency Management Information System (NEMIS) accounts receivable--Integrated Financial Management Information System (IFMIS) interface. | November 2006 | 50% |
| Ensure compliance with rules and regulations is part of the annual NEMIS audit. | December 2006 | 50% |
| Explore alternate receipt posting possibilities using electronic files. | March 2007 | 25% |
| Award contract(s) for up to 6,000 call center agents to private sector business(es). | March 2007 | 50% |
| Note: The previous items were past due as of May 14, 2007. | | |
| Conduct a second round of IPIA testing on Hurricane Katrina IHP payments made between March and September 2006. | June 2007 | 50% |
| Put in place a contract for data verification and prepopulation of verified data. | September 2007 | 50% |
| Make appropriate updates to NEMIS to ensure maximum use of technology to reduce manual processing. | September 2007 | 50% |
| Improve communications with and messaging to disaster victims. | September 2007 | 50% |
| Clarify with OGC if FEMA can get legislative backing to allow the collection of insurance policy data. | December 2007 | 50% |
| Limit access to NEMIS to users authorized via the Integrated Security and Access Control System. | January 2008 | 47% |
| Integrate shelter tracking mechanisms into NEMIS. | January 2008 | 25% |
Source: DHS's IPIA Corrective Action Plan Summary and Detailed Reports for
FEMA's IHP as of May 14, 2007.
Based on DHS's updated corrective action plan report for IHP, as of May
14, 2007, DHS had not completed certain critical milestones by the
identified target date. These milestones included system interface
improvements and certain contract awards. Missing these established
critical milestones only delays strengthening internal controls that are
necessary to reduce future improper payments. It is important that DHS
stays on track in implementing its corrective action plans.
DHS has also established critical milestones for reducing improper
disaster-related vendor payments. Table 8 describes the details of the
open corrective action plan critical milestones as of May 14, 2007, as
reported by DHS for reducing improper disaster-related vendor payments.
Table 8: DHS's Incomplete Critical Milestones for Its Disaster-Related
Vendor Payments Corrective Action Plan, Status as of May 14, 2007
| Topic | Target date | Completion status according to DHS |
|---|---|---|
| Ensure roles and responsibilities with regard to invoice receipt, approval, and payment of contracting officer technical representatives (COTR), project officers, and accounting technicians are clearly defined by conducting a review of policies, procedures, and job descriptions. | May 2007 | 50% |
| Review procurement language to ensure consistency and adequacy for similar goods and services related to product substitution and pricing variances. | May 2007 | 50% |
| Formalize the process of receipt, issue, and follow-up on invoices with COTRs and project officers by finance office. | May 2007 | 50% |
| Train accounting technicians, project officers, and COTRs on the importance of an invoice review and approval process and expectations regarding supporting documentation, prompt pay, product substitution, price variances, and unsupported amounts. | June 2007 | 50% |
| Initiate a quality assurance sampling process for invoices on a periodic basis with emphasis on adherence to metrics published in the fiscal year 2006 PAR. | June 2007 | 50% |
| Enter into a contract with a recovery audit firm. | June 2007 | 0% |
| Identify vendor payments eligible for recoupment (recovery). | July 2007 | 50% |
Source: DHS's IPIA Corrective Action Plan Summary and Detailed Reports for
FEMA's Disaster Relief Fund Vendor Payments as of May 14, 2007.
DHS identified three primary root causes for why these two programs--IHP
assistance payments and disaster-related vendor payments--are at high
risk of issuing improper payments. According to DHS, these root causes
include the following.
o People--FEMA employees were not properly trained.
o Processes--The nature of FEMA's work responding to disasters explains
the reliance on people that are not trained in finance requirements
and are dispersed throughout areas with limited infrastructure.
o Policies--Policies were cited as possibly inadequate for instructing
employees on the proper supporting documentation. There is a need for
clear policy and procedural guidelines that set standard operating
procedures for all FEMA employees, especially those outside the
finance area.
DHS also noted that human capital is the principal requirement to execute
these two corrective action plans; however, according to DHS, exact
requirements are not estimable at this time. These plans, if properly
executed, should help reduce future improper payments in these programs by
strengthening internal controls. With regard to system improvements, as we
have previously recommended,^1 DHS needs to conduct effective testing
to provide reasonable assurance that the system will function in a
disaster recovery environment.
^1GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the
Individuals and Households Program to Fraud and Abuse; Actions Needed to
Reduce Such Problems in Future, GAO-06-1013 (Washington, D.C.: Sept. 27,
2006).
Appendix VI: GAO Contact and Staff Acknowledgments
GAO Contact
McCoy Williams, (202) 512-9095
Staff Acknowledgments
In addition to the contact named above, the following individuals also
made significant contributions to this report: Casey Keplinger, Assistant
Director; Verginie Amirkhanian; Sharon Byrd; Francine
DelVecchio; Francis Dymond; Gabrielle Fagan; Jacquelyn Hamilton; and Laura
Stoddard.
(195102)
*** End of document. ***