Department of Homeland Security: Challenges in Implementing the  
Improper Payments Information Act and Recovering Improper	 
Payments (19-SEP-07, GAO-07-913).				 
                                                                 
The federal government is accountable for how its agencies and	 
grantees spend more than $2 trillion of taxpayer dollars and is  
responsible for safeguarding those funds against improper	 
payments as well as for recouping those funds when improper	 
payments occur. The Congress enacted the Improper Payments	 
Information Act of 2002 (IPIA) and the Recovery Auditing Act to  
address these issues. Fiscal year 2006 marked the third year that
agencies were required to report improper payment and recovery	 
audit information in their Performance and Accountability	 
Reports. The Department of Homeland Security (DHS) reported	 
limited information during these 3 years. GAO was asked to (1)	 
determine the extent to which DHS has implemented the		 
requirements of IPIA, (2) identify actions DHS has under way to  
improve IPIA compliance and reporting, and (3) determine what	 
efforts DHS has in place to recover improper payments. To	 
accomplish this, GAO analyzed DHS's internal guidance and action 
plans, and reviewed information reported in its Performance and  
Accountability Reports. 					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-913 					        
    ACCNO:   A76488						        
  TITLE:     Department of Homeland Security: Challenges in	      
Implementing the Improper Payments Information Act and Recovering
Improper Payments						 
     DATE:   09/19/2007 
  SUBJECT:   Audit reports					 
	     Erroneous payments 				 
	     Financial analysis 				 
	     Financial management				 
	     Internal audits					 
	     Internal controls					 
	     Noncompliance					 
	     Payments						 
	     Program abuses					 
	     Program management 				 
	     Reporting requirements				 
	     Risk assessment					 
	     Risk management					 
	     Strategic planning 				 
	     GAO High Risk Series				 
	     Individuals and Households Program 		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

                 United States Government Accountability Office

Report to Congressional Requesters

GAO

September 2007

DEPARTMENT OF HOMELAND SECURITY

Challenges in Implementing the Improper Payments Information Act and Recovering
                               Improper Payments

GAO-07-913


  What GAO Found

DHS has made some progress in implementing IPIA requirements, but much
more work remains for the agency to become compliant with IPIA. For
example, while DHS has made progress in identifying its programs, for
fiscal year 2006, the agency did not perform the required first step--a
risk assessment--on approximately $13 billion of its more than $29 billion
in disbursements subject to IPIA. Until DHS fully assesses its programs,
the potential magnitude of improper payments is unknown.

     o For the remaining $16 billion, DHS determined that two programs--
       Individuals and Households Program (IHP) assistance payments and
       disaster-related vendor payments--were at high risk for issuing
       improper payments and reported related estimates.
     o For the $13 billion for which no risk assessment was performed, DHS
       has encountered challenges with IPIA implementation. Of this amount,
       over $6 billion relates to payments for grant programs. Developing a
       plan to assess risk and potentially test grant payments is important
       given that the DHS Office of Inspector General, GAO, and other
       auditors have identified weaknesses in grant programs. This will allow
       DHS to gain a better understanding of its risk for improper payments
       and potentially reduce future improper payments.

DHS has actions under way to improve IPIA reporting and compliance, but
does not plan to be fully compliant in fiscal year 2007. DHS has prepared
a plan to address its noncompliance with IPIA, which included updating its
guidance to focus on program identification and risk assessments to build
a foundation for a sustainable IPIA program. In addition, DHS has
developed plans to reduce improper payments related to its two identified
high-risk programs. However, until DHS fully completes the required risk
assessments for all of its programs and then estimates for
risk-susceptible programs, it is not known whether other programs have
significant improper payments that also need to be addressed.

In addition, DHS's efforts to recover improper payments could be improved.
According to DHS, four of its components meet the criteria for recovery
auditing as specified in the Recovery Auditing Act. These four components
make at least $4 billion of contractor payments each fiscal year. DHS
encountered problems that kept it from reporting on recovery audit efforts
during fiscal year 2006 for three of the four components, and did not
perform recovery auditing at the fourth component. In March 2007, DHS
revised its guidance to clarify what is expected; however, ongoing
oversight will be necessary to monitor the components' progress. In
addition, DHS has reported limited information on its efforts to recover
specific improper payments identified during its testing of high-risk
programs. Although DHS is not currently required to do so, reporting this
information would provide a more complete picture of the agency's actions
to recover payments that it has identified as being improper.

Contents

Letter
     Results in Brief
     Background
     DHS Has Made Some Progress in Implementing the Requirements of IPIA,
       but Remains Noncompliant
     While DHS Has Developed Plans to Address IPIA Requirements and Reduce
       Improper Payments, Full Implementation Will Be Longer Term
     DHS's Efforts to Comply with the Recovery Auditing Act and to Recover
       Improper Payments Need to Be Enhanced
     Conclusions
     Recommendations for Executive Action
     Agency Comments and Our Evaluation

: DHS Fiscal Year 2006 IPIA Programs (based on fiscal year 2005
disbursements)

Appendix I Scope and Methodology

Appendix II Comments from the Department of Homeland Security

Appendix III Prior-Year IPIA Reporting by DHS and Its Independent Auditor

Appendix IV DHS Grant Programs

Appendix V Corrective Action Plans for High-Risk Programs

Appendix VI GAO Contact and Staff Acknowledgments

Tables

     Table 2: Summary of DHS's Corrective Action Plan for IPIA Compliance
       as of June 7, 2007
     Table 3: Summary of Critical Milestones in DHS's Corrective Action
       Plan for IPIA Compliance Related to Fiscal Year 2007
     Table 4: Recovery Audit Results for Fiscal Years 2004 through 2006
     Table 5: Prior-Year IPIA Reporting by DHS
     Table 6: DHS Grant Programs and Related Information
     Table 7: DHS's Incomplete Critical Milestones for Its IHP Corrective
       Action Plan, Status as of May 14, 2007
     Table 8: DHS's Incomplete Critical Milestones for Its Disaster-Related
       Vendor Payments Corrective Action Plan, Status as of May 14, 2007

Figure

     Figure 1: Required Steps to Identify, Estimate, Reduce, and Report
       Improper Payment Information

                                 Abbreviations

CBP             Customs and Border Protection
CFDA            Catalog of Federal Domestic Assistance
CFO             chief financial officer
CIS             Citizenship and Immigration Services
COTR            contracting officer technical representative
CPO             chief procurement officer
DHS             Department of Homeland Security
FAC             Federal Audit Clearinghouse
FAM             Federal Air Marshals
FEMA            Federal Emergency Management Agency
FLETC           Federal Law Enforcement Training Center
FYHSP           Future Years Homeland Security Program
GPO             Office of Grant Policy and Oversight
GT              Office of Grants and Training
ICE             Immigration and Customs Enforcement
ICOFR           Internal Controls over Financial Reporting
IFMIS           Integrated Financial Management Information System
IHP             Individuals and Households Program
IPIA            Improper Payments Information Act of 2002
IT              information technology
NEMIS           National Emergency Management Information System
NFIP            National Flood Insurance Program
OCFO            Office of the Chief Financial Officer
OFM             Office of Financial Management
OGC             Office of General Counsel
OIG             Office of Inspector General
OMB             Office of Management and Budget
PAR             Performance and Accountability Report
PMA             President's Management Agenda
PMO             Program Management Office
S&T             Science and Technology
TAFS            Treasury Appropriation Fund Symbol
TSA             Transportation Security Administration
USCG            United States Coast Guard
USSS            United States Secret Service
US-VISIT        United States Visitor and Immigrant Status Indicator
                Technology

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

September 19, 2007

The Honorable Joseph I. Lieberman
Chairman
The Honorable Susan M. Collins
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Thomas R. Carper
Chairman
The Honorable Tom Coburn
Ranking Member
Subcommittee on Federal Financial Management, Government Information,
Federal Services, and International Security
Committee on Homeland Security and Governmental Affairs
United States Senate

Over the past several years, our work has shown that improper payments
continue to be a substantial problem for federal agencies. As the steward
of taxpayer dollars, the federal government is accountable for how its
agencies and grantees spend more than $2 trillion of taxpayer dollars each
year and is responsible for safeguarding those funds against improper
payments. Fiscal year 2004 marked the first year in which agencies were
required to report improper payments ^1 information in their
Performance and Accountability Reports (PAR) under the Improper Payments
Information Act of 2002 (IPIA). ^2 As a result, federal agencies
reported an estimated $46 billion in improper payments for fiscal year
2004. Although governmentwide reported amounts of estimated improper
payments decreased between fiscal year 2004 and fiscal year 2006, the
reported amount in fiscal year 2006 included more than $800 million as a
result of improper disaster-related payments made by the Federal Emergency
Management Agency (FEMA) within the Department of Homeland Security (DHS)
in response to the 2005 Gulf Coast hurricanes. Since its establishment in
March 2003, DHS, whose annual budget generally tops $30 billion, has yet
to comply with IPIA. Moreover, during fiscal year 2006, its independent
auditors continued to report significant internal control weaknesses such
as weaknesses in financial management and oversight, and a weak control
environment. A weak internal control environment increases an agency's
susceptibility to improper payments.

^1Improper payments are defined as any payment that should not have been
made or that was made in an incorrect amount (including overpayments and
underpayments) under statutory, contractual, administrative, or other
legally applicable requirements. It includes any payment to an ineligible
recipient, any payment for an ineligible service, any duplicate payment,
payments for services not received, and any payment that does not account
for credit for applicable discounts.

^2Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002).

Generally, agencies, including DHS, must perform four key steps to address
the specific improper payment reporting requirements found in IPIA and
related Office of Management and Budget (OMB) guidance--(1) perform a risk
assessment of all programs and activities, (2) estimate improper payments
for risk-susceptible programs and activities, (3) implement a plan to
reduce improper payments for programs with estimates exceeding $10
million, and (4) annually report improper payment estimates and actions to
reduce them. In addition, agencies that enter into contracts with a total
value exceeding $500 million in a fiscal year are required under section
831 of the National Defense Authorization Act for Fiscal Year 2002,
commonly known as the Recovery Auditing Act, to have cost-effective
programs for identifying errors in payments to contractors and for
recovering amounts erroneously paid. ^3
								
Given the reported condition of DHS's internal controls and reported
noncompliance with IPIA, you asked us to conduct a review of the department's
implementation of IPIA. Specifically, our objectives were to (1) determine
the extent to which DHS has implemented the requirements of IPIA, (2) identify
actions DHS has under way to improve IPIA compliance and reporting, and (3)
determine what efforts DHS has in place to recover improper payments. To address
these objectives, we reviewed applicable improper payments legislation, OMB
guidance, and agency Office of Inspector General (OIG) reports. We also reviewed
improper payment information reported in DHS's PARs over the past 3 fiscal years
(2004-2006). In addition, we analyzed DHS's regulations and methodology for
identifying programs and activities highly susceptible to improper payments,
interviewed officials from the Office of the Chief Financial Officer (OCFO),
reviewed workpapers prepared by DHS's independent auditor, and summarized
the results of this review. In
addition, we reviewed DHS's plans to reduce improper payments and become
compliant with IPIA and the Recovery Auditing Act.

^3Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec.
28, 2001) (codified at 31 U.S.C. §§ 3561-3567).

To assess the reliability of data reported in DHS's PARs related to
improper payments and recovery audit efforts, we (1) reviewed existing
information about the data and the system that produced them and
(2) interviewed agency officials knowledgeable about the data. We
determined that the data were sufficiently reliable for the purposes of
this report. We conducted our work from October 2006 through June 2007 in
accordance with generally accepted government auditing standards. See
appendix I for more details on our scope and methodology.

                                Results in Brief

DHS has made some progress over the last 3 fiscal years in attempting to
fully implement IPIA requirements, but much more work remains to be done.
Although DHS has made progress in identifying its programs, for fiscal
year 2006, DHS had not yet performed the required first step--a risk
assessment--on programs with approximately $13 billion of its more than
$29 billion in disbursements subject to IPIA. For the remaining $16
billion in DHS disbursements subject to IPIA, DHS determined that two
programs were at high risk for issuing improper payments--the Individuals
and Households Program (IHP) assistance payments and disaster-related
vendor payments. DHS performed statistical sample testing of these
programs and estimated FEMA improper payments (step 2) from September 2005
through March 2006 of $450 million (8.56 percent) of IHP assistance
payments and $319 million (7.44 percent) of disaster-related vendor
payments. ^4

DHS has developed plans to reduce future improper payments for these two
programs (step 3) and reported these estimates in its fiscal year 2006 PAR
(step 4). However, DHS's independent auditor found that the time
period covered for testing and reporting (i.e., September 2005 through
March 2006) was not in accordance with OMB's implementing guidance, which
also contributed to DHS's inability to meet the requirements of IPIA.
While DHS concluded that none of its other programs that DHS subjected to
a risk assessment met OMB's criteria for susceptibility to significant
improper payments, the basis for this conclusion was limited in scope. For
example, DHS only tested programs with disbursements greater than $100
million and did not perform a qualitative risk assessment of all program
operations such as an assessment of internal controls, oversight and
monitoring activities, and results from external audits. ^5

^4U.S. Department of Homeland Security, Performance and Accountability
Report Fiscal Year 2006 (Washington, D.C.: Nov. 15, 2006). DHS also
reported estimated improper payments for all of fiscal year 2006 for these
two programs. However, DHS calculated the fiscal year 2006 estimates by
applying the estimated error percentage rates from the September 2005
through March 2006 testing to the fiscal year 2006 outlay figures. The
estimated error percentage rates for the September 2005 through March 2006
testing have a 90 percent confidence interval of plus or minus 2.32
percentage points for IHP assistance payments and plus or minus 2.62
percentage points for disaster-related vendor payments based on
statistically valid cluster samples. See IPIA reporting details in DHS's
fiscal year 2006 PAR.

For the programs with $13 billion in payments for which no risk assessment
was performed in fiscal year 2006, DHS has encountered challenges with
IPIA implementation. Of this amount, over $6 billion relates to payments
for grant programs, including $3 billion in payments made for the National
Flood Insurance Program (NFIP). Performing risk assessments of grant
programs and testing grant payments can be difficult because of the many
layers of grant recipients, as well as the types of recipients and number
of grant programs. During fiscal year 2006, DHS awarded grants to over 5
million recipients for 70 different grant programs. Developing a plan to
assess risk and potentially test grant payments is important given the
fact that the DHS OIG has identified weaknesses in grant programs and
considers grants management to be one of DHS's major management
challenges. Another challenge for DHS is that we recently added the NFIP,
one of DHS's largest grant programs, to our high-risk list in March 2006.
^6 Assessing grant programs, and if necessary, performing IPIA
testing, will allow DHS to gain an understanding of its risk for improper
payments and potentially reduce future improper payments.

DHS has actions under way to improve IPIA reporting and compliance, but
does not plan to be compliant in fiscal year 2007 and will likely not be
compliant in fiscal year 2008. Actions under way include developing plans
to reduce improper payments related to its two identified high-risk
disaster-related programs and preparing departmentwide corrective action
plans to address internal control weaknesses and noncompliance issues,
including those related to IPIA. In addition, DHS recently updated its
guidance for implementing IPIA and plans to focus on program
identification and risk assessments to build a foundation for a
sustainable IPIA program, rather than aiming for compliance during fiscal
year 2007. The agency also plans to hold workshops for its components on
sample testing and reporting to ensure that they have a consistent
understanding of what is expected with regard to IPIA testing and
reporting. While DHS's plans appear to address IPIA compliance issues,
implementation will take significant time and effort as DHS has already
missed some key milestones related to the identification of IPIA programs
for each agency component. Solidifying its identification of IPIA programs
and completing a thorough risk assessment process will be important first
steps to adequately address IPIA reporting requirements.

^5For those programs with disbursements between $10 million and $100
million, DHS components were instructed to complete a qualitative risk
assessment--a series of questions to qualitatively ascertain whether a
program is at high risk for issuing improper payments.

^6GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January
2007). We placed the National Flood Insurance Program (NFIP) on our
high-risk list in March 2006 because it is unlikely that the NFIP will
generate sufficient revenues to repay the billions borrowed from the
Department of the Treasury to cover flood claims from the 2005 hurricanes.

Lastly, we identified several weaknesses in DHS's efforts to recover known
improper payments and to comply with the Recovery Auditing Act. According
to DHS, four of its components--Immigration and Customs Enforcement (ICE),
Customs and Border Protection (CBP), U.S. Coast Guard (USCG), and
FEMA--meet the criteria for recovery auditing as specified in the Recovery
Auditing Act (i.e., each has over $500 million in annual contractor
payments). ^7 DHS began recovery auditing efforts during fiscal year
2004, hiring an independent contractor who conducted recovery audit work
at two major components, ICE and CBP; however, DHS was not able to report
on these efforts for that year because initial findings were not available
in time to be included in its annual PAR. DHS continued these efforts in
fiscal year 2005 and its contractor identified more than $2.1 million of
improper payments and recovered more than $1.2 million (over 50 percent of
identified improper payments). However, when DHS attempted to expand its
recovery audit efforts to USCG, it encountered problems with obtaining
disbursement data. In addition, DHS reported that delays in obtaining
security clearances for contract personnel severely hampered completion of
recovery audit work at CBP and ICE during fiscal year 2006. As a result,
DHS did not report on recovery audits during fiscal year 2006.

^7DHS as a whole meets the criteria for recovery auditing as specified in
the Recovery Auditing Act, but the agency has identified specific
components that individually meet the requirements and focuses its
recovery auditing efforts on those components.

In March 2007, DHS revised its guidance for recovery auditing for fiscal
year 2007--noting the disbursement data and security clearance issues
encountered in previous years--emphasizing timelines to help ensure that
all applicable components are able to complete recovery audits and report
on their efforts going forward. This guidance clarifies what is expected
of components; however, ongoing oversight by the OCFO will be necessary to
help ensure that the components are progressing with their recovery
auditing efforts and will be able to successfully report on results at
year end. In addition, DHS has not yet reported on its efforts to recover
improper payments identified during its testing of FEMA's disaster-related
vendor payments and has reported limited information on its efforts to
recover identified improper IHP assistance payments. DHS is currently not
required to report on these efforts, but reporting this information would
provide a more complete picture of the agency's actions to recover
payments that it has identified as being improper.

We are making four recommendations to DHS to help improve its efforts to
implement IPIA and recover improper payments by focusing on performing
risk assessments and reporting on efforts to recover improper payments.

We provided a draft of this report to DHS for comment. DHS concurred with
our recommendations, and its comments, along with our evaluation, are
discussed in the Agency Comments and Our Evaluation section of this
report. The comments are also reprinted in their entirety in appendix II.

                                   Background

Our work over the past several years has demonstrated that improper
payments are a long-standing, widespread, and significant problem in the
federal government. IPIA has increased visibility over improper payments
by requiring executive branch agency heads to identify programs and
activities susceptible to significant improper payments, estimate amounts
improperly paid, and report on the amounts of improper payments and their
actions to reduce them. Similarly, the Recovery Auditing Act provides an
impetus for applicable agencies to systematically identify and recover
contract overpayments. As the steward of taxpayer dollars, the federal
government is accountable for how its agencies and grantees spend hundreds
of billions of taxpayer dollars and is responsible for safeguarding those
funds against improper payments as well as having mechanisms in place to
recoup those funds when improper payments occur.

  Improper Payments Information Act of 2002

IPIA was enacted in November 2002 with the major objective of enhancing
the accuracy and integrity of federal payments. IPIA requires executive
branch agency heads to review their programs and activities annually and
identify those that may be susceptible to significant improper payments.
For each program and activity agencies identify as susceptible, the act
requires them to estimate the annual amount of improper payments and to
submit those estimates to the Congress. The act further requires that for
programs for which estimated improper payments exceed $10 million,
agencies are to report annually to the Congress on the actions they are
taking to reduce those payments.

The act also requires the Director of OMB to prescribe guidance for
agencies to use in implementing IPIA. OMB issued implementing guidance
^8 which requires the use of a systematic method for the annual review
and identification of programs and activities that are susceptible to
significant improper payments. The guidance defines significant improper
payments as those in any particular program that exceed both 2.5 percent
of program payments and $10 million annually. ^9 It requires agencies
to estimate improper payments annually using statistically valid
techniques for each susceptible program or activity. For those agency
programs determined to be susceptible to significant improper payments and
with estimated annual improper payments greater than $10 million, IPIA and
related OMB guidance require each agency to annually report the results of
its efforts to reduce improper payments. OMB has stated that having
high-quality risk assessments is critical to meeting the objectives of
identifying improper payments and is essential for performing corrective
actions to eliminate payment errors. ^10 Figure 1 provides an overview
of the four key steps OMB requires agencies to perform in meeting the
improper payment reporting requirements.

^8Appendix C to OMB Circular No. A-123 consolidates three memorandums
previously issued by OMB. These memorandums are: M-03-07, "Programs to
Identify and Recover Erroneous Payments to Contractors" (Jan. 16, 2003);
M-03-12, "Allowability of Contingency Fee Contracts for Recovery Audits"
(May 8, 2003); and M-03-13, "Improper Payments Information Act of 2002
(Public Law 107-300)" (May 21, 2003).

^9IPIA does not mention the "exceeding the 2.5 percent of program payments"
threshold that OMB uses for identifying and estimating improper payments.

^10OMB, Improving the Accuracy and Integrity of Federal Payments (Washington,
D.C.: Jan. 31, 2007).

Figure 1: Required Steps to Identify, Estimate, Reduce, and Report
Improper Payment Information

  Recovery Auditing Act

In addition, under certain conditions, applicable agencies are required to
report on their efforts to recover improper payments made to contractors
under section 831 of the National Defense Authorization Act for Fiscal
Year 2002, commonly known as the Recovery Auditing Act. This legislation
contains a provision that requires executive branch agencies entering into
contracts with a total value exceeding $500 million in a fiscal year to
have cost-effective programs for identifying errors in paying contractors
and for recovering amounts erroneously paid. The act further states that a
required element of such a program is the use of recovery audits and
recovery activities. The law authorizes federal agencies to retain
recovered funds to cover actual administrative costs as well as to pay
other contractors, such as collection agencies. Agencies that are required
to undertake recovery audit programs were directed by OMB to provide
annual reports on their recovery audit efforts, along with improper
payment reporting details, in an appendix to their PARs.

  OMB Guidance and Initiatives

In August 2006, OMB revised its IPIA implementing guidance. The revision
consolidates into Appendix C of OMB Circular No. A-123, Management's
Responsibility for Internal Control, all guidance for improper payments
and recovery auditing reporting. ^11 While inconsistent with the language
in IPIA, the revised guidance allows for risk assessments to be conducted
less often than annually for programs where improper payment baselines
are already established, are in the process of being measured, or are
scheduled to be measured by an established date. Although OMB kept its
criteria for defining significant improper payments as those exceeding
both 2.5 percent of program payments and $10 million, OMB added that it
may determine on a case-by-case basis that certain programs that do not
meet the threshold may be subject to the annual reporting requirement.
Additionally, the revised guidance allows agencies to use alternative
sampling methodologies and requires agencies to report on and provide a
justification for using these methodologies in their PARs. ^12 This revised
guidance is effective for agencies' fiscal year 2006 improper payment
estimating and reporting in the PARs or annual reports. Other OMB guidance
states that agencies must describe their corrective actions for reducing
the estimate rate and amount of improper payments. ^13 Related to
corrective actions, OMB's implementing guidance for IPIA requires that
agencies implement a plan to reduce erroneous payments, including
identifying the following. ^14

     o Root causes--For all programs and activities with erroneous payments
       exceeding $10 million, agencies shall identify the reasons their
       programs and activities are at risk of erroneous payments and put in
       place a corrective action plan to reduce erroneous payments.

^11OMB Circular No. A-123 provides a central reference point for guidance to
federal managers on improving the accountability and effectiveness of
federal programs and operations by establishing, assessing, correcting,
and reporting on internal control. The circular emphasizes the need for
integrated and coordinated internal control assessments that synchronize
all internal control-related activities. For prior improper payments
guidance, see footnote 8.

^12An example of an alternative sampling methodology includes developing an
annual error rate for a component of the program.

^13OMB Circular No. A-136, Financial Reporting Requirements, § II.5.7
(June 29, 2007).

^14Appendix C of OMB Circular No. A-123.

     o Reduction targets--Targets are necessary for future improper payment
       levels and a timeline within which the targets will be reached.
     o Accountability--Ensure that their managers and accountable officers
       (including the agency head) are held accountable for reducing improper
       payments. Agencies shall assess whether they have the information
       systems and other infrastructure needed to reduce improper payments to
       minimal cost-effective levels, and identify any statutory or
       regulatory barriers that may limit agencies' corrective actions in
       reducing improper payments.

OMB has also established Eliminating Improper Payments as a
program-specific initiative under the President's Management Agenda (PMA).
This separate PMA program initiative began in the first quarter of fiscal
year 2005. Previously, agency efforts related to improper payments were
tracked along with other financial management activities as part of the
Improving Financial Performance initiative of the PMA. The objective of
establishing a separate initiative for improper payments was to ensure
that agency managers are held accountable for meeting the goals of IPIA
and are therefore dedicating the necessary attention and resources to
meeting IPIA requirements. This program initiative establishes an
accountability framework for ensuring that federal agencies initiate all
necessary financial management improvements for addressing this
significant and widespread problem. Specifically, agencies are to measure
their improper payments annually, develop improvement targets and
corrective actions, and track the results annually to ensure the
corrective actions are effective.

DHS Has Made Some Progress in Implementing the Requirements of IPIA, but Remains
Noncompliant

While DHS has taken actions over the last 3 fiscal years to implement IPIA
requirements, much more work needs to be done. In each of the last 3
fiscal years, DHS was unable to perform risk assessments for all of its
programs and activities--the first step of IPIA implementation. This and
other issues, such as concerns about program identification and testwork
performed, contributed to DHS's reported noncompliance with IPIA over the
last 3 fiscal years. Until DHS is able to fully assess its programs, the
potential magnitude of improper payments cannot be estimated.

For fiscal year 2006, DHS did not perform risk assessments on programs
with $13 billion of its $29 billion of payments subject to IPIA. Over $6
billion of this amount related to payments for grant programs. Performing
risk assessments of grant programs and testing grant payments
can be difficult because of the many layers of grant recipients, as well
as the type of recipients and number of grant programs. However,
developing a plan to assess risk and potentially test grant payments is
important because of financial management weaknesses reported at DHS
grantees and concerns about DHS's grants management process. Developing a
plan will also allow DHS to gain an understanding of its risk with respect
to grant payments and potentially reduce future improper payments.

  DHS's Efforts to Meet IPIA Requirements

To comply with the requirements of IPIA and related guidance from OMB, DHS
initiated a plan in fiscal year 2004 to reduce its susceptibility to
issuing improper payments by having each of its organizational elements
complete a risk assessment of major programs ^15 by assigning each one
an overall risk score. Based on this assessment, none of DHS's programs
were found to be high risk; however, DHS's independent auditor reported
that the agency was not in compliance with IPIA mainly because it had not
yet instituted a systematic method of reviewing all programs and
identifying those it believed were susceptible to significant erroneous
payments.

In fiscal year 2005, the auditor again reported noncompliance issues
regarding the adequacy of the agency's risk assessments. Based on DHS's
guidance, each component selected its largest program and completed
statistical testing. DHS regarded this quantitative selection as its risk
assessment process and did not incorporate qualitative factors. As with
fiscal year 2004, DHS reported that it did not identify any programs or
activities as being susceptible to significant improper payments and its
auditors again reported that DHS was not in compliance with IPIA.

The DHS OCFO worked with components during fiscal year 2006 to continue to
refine the population of improper payment programs by having the
components group Treasury Appropriation Fund Symbols (TAFS) ^16 into
logical, recognizable programs. After identifying the
population of disbursements for fiscal year 2006 IPIA testing, DHS
components provided the necessary payment data to a contractor with
expertise in statistical testing. The contractor constructed stratified
sampling plans and samples for DHS components to perform IPIA testing for
DHS's risk assessment process. This testing was expanded from fiscal year
2005 to include, based on DHS's revised guidance, all DHS programs issuing
more than $100 million of IPIA-relevant payments. ^17 Two programs
were found to be high risk. However, despite these efforts, DHS's
independent auditor found that the agency was still not in compliance with
IPIA as reported in its fiscal year 2006 PAR, primarily because not all
programs subject to IPIA were tested, and the population of disbursements
tested for some programs was not complete. Appendix III contains
additional information about DHS's prior year IPIA PAR reporting and
compliance issues reported by its independent auditor.

^15OMB's implementing guidance defines a "program" as activities or sets of
activities recognized as programs by the public, OMB, or the Congress, as
well as those that entail program management or policy direction. This
definition includes, but is not limited to, all grants, regulatory
activities, research and development activities, direct federal programs,
procurements including capital assets and service acquisition, and credit
programs. It also includes the activities engaged in by the agency in
support of its programs.

^16OMB Circular No. A-11, Preparation, Submission, and Execution of the
Budget (revised July 2, 2007), defines TAFS as a summary account
established in the Treasury for each appropriation and fund.

  Required Risk Assessments Not Completed for All Programs for Fiscal Year

Although DHS made progress in identifying its programs in fiscal year
2006, the agency did not perform a risk assessment for all programs and
activities--covering approximately $13 billion of its more than $29
billion in disbursements subject to IPIA. According to DHS, this was
primarily due to a lack of resources, guidance, and experience in
performing this work. This was a major factor in the independent auditors'
finding that DHS was noncompliant with IPIA for fiscal year 2006. DHS
performed risk assessments (step 1) for programs accounting for
approximately $16 billion of the $29 billion in disbursements subject to
IPIA review. Of this $16 billion covered by risk assessments,
approximately $7 billion related to FEMA's disaster relief programs that
were found to be at high risk for issuing significant improper payments
and therefore steps 2 through 4 were completed to estimate improper
payments, develop a plan to reduce improper payments, and report this
information. This testing resulted in estimated improper payments issued
by FEMA from September 2005 through March 2006 of $450 million (8.56
percent) of IHP
assistance payments and $319 million (7.44 percent) of disaster-related
vendor payments. ^18 Although the necessary IPIA work--steps 1 and 2--
was completed for the two DHS high-risk programs, the time period covered
for testing and reporting (i.e., September 2005 through March 2006) was
not in accordance with OMB's implementing guidance, also contributing to
DHS's reported noncompliance with IPIA. ^19 The remaining programs
with disbursements totaling $9 billion were not found to
be at risk for issuing significant improper payments and therefore DHS did
not report improper payments for these programs. For some of its
nondisaster programs, DHS performed statistical sample testing for those
programs with disbursements greater than $100 million, without first
performing a qualitative risk assessment such as an assessment of internal
controls, oversight and monitoring activities, and results from external
audits. While this approach is perhaps better than not doing any
assessment, DHS officials concurred that it could be considered an
inefficient use of resources, if a program is not at high risk.

^17DHS excluded payroll, intragovernmental, and travel payments from IPIA
testing. According to DHS, these payments were excluded because of the
following reasons:
(1) payroll was excluded because DHS identified it as having a low level
of risk due to the strong internal controls that result from payroll
payments being administered by a third party, the National Finance Center;
(2) intragovernmental payments were excluded as these do not result in net
gains or losses to the federal government; and (3) travel payments are a
small population and while they were not tested separately for IPIA
purposes, they were tested as part of internal control reviews by
individual components. In addition, purchase card transactions for the
entire department were tested centrally by the U.S. Coast Guard (USCG)
during fiscal year 2006.

Table 1 shows DHS's population of programs identified for IPIA testing and
the status of DHS's IPIA risk assessment process performed in fiscal year
2006.

^18U.S. Department of Homeland Security, Performance and Accountability
Report Fiscal Year 2006 (Washington, D.C.: Nov. 15, 2006). DHS also
reported estimated improper payments for all of fiscal year 2006 for these
two programs. However, DHS calculated the fiscal year 2006 estimates by
applying the estimated error percentage rates from the September 2005
through March 2006 testing to the fiscal year 2006 outlay figures. The
estimated error percentage rates for the September 2005 through March 2006
testing have a 90 percent confidence interval of plus or minus 2.32
percentage points for IHP assistance payments and plus or minus 2.62
percentage points for disaster-related vendor payments based on
statistically valid cluster samples. See IPIA reporting details in DHS's
fiscal year 2006 PAR.

^19According to DHS, the agency chose to use this time period because it was
the period of greatest payment activity following the 2005 Gulf Coast
hurricanes.

Table 1: DHS Fiscal Year 2006 IPIA Programs (based on fiscal year 2005
disbursements)

Dollars in millions

DHS IPIA program | IPIA population^b | Risk assessment for fiscal year
2006: Performed^c | Not performed^d

Customs and Border Protection (CBP) Custodial^a 1,116 $ 1,116
Other CBP programs 1,713 1,713
Federal Air Marshals (FAM) 318 318
Federal Emergency Management Agency (FEMA) disaster-related programs:
     Disaster Relief 7,133 7,133^e
     Cerro Grande Fire Claims 14 14
FEMA nondisaster programs 4,803 4,803
Federal Law Enforcement Training Center (FLETC) programs 139 139
Office of Grants and Training (GT) programs 3,136 3,136
Immigration and Customs Enforcement (ICE) and ICE components:^f
     Salaries & Expenses 953 953
     Technology 829 829
     Federal Protective Service 548 548
     US-VISIT 208 208
     Other programs 649 649
Transportation Security Administration (TSA):
     Original IPIA programs^g 3,414 1,384^g
     Revised IPIA programs:
          Grant programs 343
          Nongrant programs 1,687
U.S. Coast Guard (USCG):
     Operating Expenses 2,741 2,741
     Acquisition, Construction & Improvements (reported as Contracts) 867 867
     Other^h 620 620
U.S. Secret Service (USSS) Operating Expenses 83 83

Total IPIA program disbursements $ 29,284 $ 16,239 $ 13,045

Sources: DHS fiscal year 2006 IPIA programs (based on fiscal year 2005
disbursement populations) and GAO analysis of information provided by and
reported by DHS.

^aCBP collects import duties, taxes, and fees on merchandise arriving in the
United States from foreign countries, and subsequently transfers these
receipts to other entities. Receipts of import duties and related refunds
are presented in the statement of custodial activity in the DHS financial
statements. CBP tested the custodial program as part of remediating the
Custodial Revenue and Drawback material weakness. According to DHS, while
this testing did not follow Appendix C to OMB Circular No. A-123, it did
support the conclusion that this program is not at high risk for issuing
improper payments as no significant improper payments as defined by OMB
were identified.

^bThese disbursement amounts represent the original amounts provided by the
DHS Program Management Office to the individual DHS components. Actual
amounts used by the components as they performed additional analysis and
testing may differ. Also, according to DHS, the disbursement amounts were
based on Standard Form (SF) 133 outlay figures, and DHS found this to be
problematic. DHS will address these problems during fiscal year 2007.

^cUnless otherwise noted, a risk assessment was performed for the IPIA
program and the program was found to be not at high risk for issuing
significant improper payments.

^dA risk assessment was not performed for the IPIA program and, according to
its independent auditor, this contributed to DHS's noncompliance with IPIA
in fiscal year 2006.

^eA risk assessment was performed for the IPIA program and the
program--which includes IHP assistance and disaster-related vendor
payments--was found to be at high risk for issuing significant improper
payments. Additional work was completed to estimate improper payments,
develop a plan to reduce improper payments, and report this information.

^fICE components include U.S. Citizenship and Immigration Services, the
Management Directorate, the Science & Technology Directorate, the Office
of Intelligence and Analysis, and the Border and Transportation Security
Directorate, because ICE is the financial management provider for these
components.

^gBased on additional information provided by DHS, USCG is TSA's
accounting provider. USCG staff consolidated the TSA IPIA programs into
one entitywide program which was then split into grant and nongrant
segments. A risk assessment was performed for these two segments and
neither was found to be at risk for significant improper payments. The
reason for the consolidation was concern over insufficient time to
complete testing of multiple TSA programs. According to DHS, components in
the future will need to provide ample justification and receive formal DHS
OCFO concurrence before program definitions can be changed.

^hAccording to USCG, once all payroll amounts are deducted, the total would
be under $100 million.

Since DHS did not perform the required first step--a risk assessment--on
programs with approximately $13 billion of its more than $29 billion in
disbursements subject to IPIA, it is unknown whether these programs are at
high risk for issuing improper payments.

  Grant Programs Continue to Present a Challenge for IPIA Implementation
  
DHS encountered challenges implementing IPIA for the programs with $13
billion of disbursements for which no risk assessment or testing was
performed in fiscal year 2006. Over $6 billion of this amount related to
payments for grant programs. The remaining $7 billion related primarily to
FEMA nondisaster programs and TSA programs not categorized as grant or
nongrant programs, and USCG operating expenses. DHS's grant programs
include the NFIP, which had disbursements of over $3 billion that should
have been included in DHS's IPIA population for review in fiscal year
2006. As we have previously reported, measuring improper payments and
designing and implementing actions to reduce or eliminate them are not
simple tasks, particularly for grant programs that rely on quality
administration efforts at the state level. ^20 DHS has an even greater
challenge in the diversity of recipients for its grants which include
state and local governments, individuals, and other entities. During
fiscal year 2006, DHS awarded grants to over 5 million recipients ^21
for 70 different grant programs, including state and local governments,
nonprofits, and other entities and individuals. Although disbursements
made related to these grants are subject to IPIA, as DHS has noted,
performing risk assessments of grant programs and testing grant payments
are difficult because of the many layers of grant recipients, as well as
the type of recipients and number of grant programs.

Developing a plan to assess risk and potentially test grant payments is
important because of noted financial management weaknesses of DHS
grantees. For example, DHS's independent auditors and the DHS OIG have
reported grants management weaknesses in part because the agency did not
adequately follow up on audit findings pertaining to grantees' potential
improper payments. In addition, the DHS OIG identified grants management
as a major management challenge facing the department. We have also
identified the NFIP as a high-risk program. ^22 A list of DHS's grant
programs is presented in appendix IV. Appendix IV also shows the primary
types of recipients and fiscal year 2006 award information for each grant
program, as well as the component that administers the program. Given the
identified weaknesses and the high-dollar amount, as well as the inherent
risk associated with grant programs, it is important for DHS to assess
grant programs for susceptibility to significant improper payments in
accordance with IPIA. Assessing and, if necessary, testing these grant
programs will allow DHS to gain an understanding of its risk in this area
related to improper payments and potentially reduce future improper
payments.

During fiscal year 2006, DHS completed a risk assessment by performing
sample testing for grants administered by the Transportation Security
Administration (TSA) with disbursements of about $343 million; however,
the department was unable to perform an assessment of its grants programs
administered by the Office of Grants and Training (GT). Of the
approximately $13 billion for which DHS did not perform a risk assessment,
over $3 billion related to grant programs administered by GT. ^23 In
addition to the NFIP, FEMA also administers other grant programs which,
with the exception of IHP, ^24 were not tested during fiscal year
2006. DHS identified three IPIA programs within GT, including Domestic
Preparedness, State and Local Programs, and Firefighter Assistance Grants,
totaling $3.1 billion of fiscal year 2005 disbursements for fiscal year
2006 IPIA testing; however, GT did not perform an assessment or complete
statistical sample testing on these grants programs. In its fiscal year
2006 PAR, DHS reported that one complication that was not overcome was how
to extend statistical sample testing to grant recipients. DHS also had
difficulty testing its grant programs because of the large number of grant
programs identified for testing based on DHS's guidance for fiscal year
2006 program identification and risk assessment methodology, which
required that all programs with total disbursements exceeding $100 million
be selected and statistically tested. DHS reported that one of the
problems with its fiscal year 2006 IPIA methodology was that its risk
assessments were based on strictly quantitative factors, instead of both
qualitative and quantitative factors. Although OMB has not yet provided
guidance as we have previously recommended, ^25 DHS issued internal
guidance recognizing the need to consider qualitative factors.

^20GAO, Improper Payments: Federal and State Coordination Needed to Report
National Improper Payment Estimates on Federal Programs, GAO-06-347
(Washington, D.C.: Apr. 14, 2006).

^21This amount includes both individual grant recipients as well as states
and other entities.

^22GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January
2007). We placed the National Flood Insurance Program (NFIP) on our
high-risk list in March 2006 because the NFIP is unlikely to generate
sufficient revenues to repay the billions borrowed from the Department of
the Treasury to cover flood claims from the 2005 hurricanes.

One such qualitative factor that DHS could consider as part of its risk
assessment process is the results of Single Audit Act, as amended, ^26
reports related to its grantees. During fiscal year 2006, DHS's
independent
auditors reported that the agency was not in compliance with the Single
Audit Act. According to the independent auditors' report, FEMA and TSA are
required to comply with certain provisions of OMB Circular No. A-133,
which requires agencies awarding grants to ensure they receive grantee
reports timely and to follow up on grantee single audit findings. Although
certain procedures have been implemented to monitor grantees and their
audit findings, the auditors noted that DHS did not have procedures in
place to comply with these provisions in OMB Circular No. A-133 and follow
up on questioned costs ^27 and other matters identified in these
reports. TSA has developed a corrective action plan to establish a new
system and processes to track and review single audit reports, but FEMA
has not completely developed its corrective action plans due to the
previously mentioned organizational changes during fiscal year 2007. We
identified 37 DHS grantees--with awards totaling $2.1 billion--that had
single audit findings related to questioned costs for fiscal year 2005.
Some examples of questioned costs described in audit reports follow.

^23During fiscal year 2007, FEMA underwent a reorganization and GT became a
part of FEMA. Therefore, the grant functions for both components are now
consolidated under FEMA.

^24IHP payments are included in disaster assistance grants administered by
FEMA.

^25GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under the
Improper Payments Information Act Remains Incomplete, GAO-07-92
(Washington, D.C.: Nov. 14, 2006).

^26 31 U.S.C. §§ 7501-7507. Under the Single Audit Act, as amended, and
implementing guidance, independent auditors audit state and local
governments and nonprofit organizations that expend federal awards to
assess, among other things, compliance with laws, regulations, and the
provisions of contracts or grant agreements material to the entities'
major federal programs. Organizations are required to have single audits
if they expend $500,000 or more in federal awards.

     o One single audit report questioned $353,000 in unallowable charges for
       salaries and benefits due to a lack of adequate documentation.
     o One grantee had expenditures that did not have appropriate supporting
       documentation, with the questioned amount totaling almost $80,000.
     o Another grantee had costs of about $72,000 that were improperly
       charged to the grant program.

     o A third grantee over-claimed reimbursement amounts of about $4,000.

The DHS OIG also conducts audits relating to the programs and operations
of DHS, including grant programs. The DHS OIG reviews several factors to
determine which activities to audit, including current or potential dollar
magnitude, and reports or allegations of impropriety or problems in
implementing the programs. The objectives of these grant program audits
include determining whether the grantee accounted for and expended funds
according to federal regulations and DHS guidelines. For certain grantees,
the DHS OIG has found questioned costs such as excessive charges,
duplicate payments, ineligible contractor costs, unsupported contractor
and labor costs, and other expenditures. The following are examples of DHS
OIG findings from fiscal years 2005 through 2007.

     o The DHS OIG found that one particular grantee had questioned costs of
       more than $1.8 million.

^27A "questioned" cost is a finding which, at the time of the audit, is not
supported by adequate documentation or is unallowable.

     o The DHS OIG has also found instances where the grantee did not follow
       all federal procurement standards or DHS guidelines in awarding
       contracts, and needed improvements in procedures to make payments to
       subgrantees. One instance involved awarding contracts totaling more
       than $14 million and another instance involved more than $8 million
       in contract work.

In an effort to address the agency's noncompliance with the Single Audit
Act, as amended, DHS's Office of Grant Policy and Oversight (GPO) told us
that it instituted an informal oversight process for single audits during
fiscal year 2007 and is in the process of developing formal procedures.
According to GPO, the development of this process is an attempt to address
some of the grants management concerns that have been identified at DHS by
its auditors and the DHS OIG. This monitoring process will help DHS to
focus on audit findings at grantees and could help DHS with performing a
risk assessment over grant programs for IPIA purposes by providing
qualitative criteria.

While DHS Has Developed Plans to Address IPIA Requirements and Reduce Improper
Payments, Full Implementation Will Be Longer Term

DHS has taken steps to address IPIA requirements, but the agency does not
plan to be compliant in fiscal year 2007 and will likely not be compliant
in fiscal year 2008. During fiscal year 2007, DHS prepared, and continues
to refine, a departmentwide corrective action plan to address internal
control weaknesses and noncompliance issues, including IPIA; however, the
agency continues to encounter challenges in developing a plan to fully
perform a risk assessment process. DHS used this corrective action plan to
update its guidance and, according to DHS officials, the agency plans to
focus on program identification and risk assessments during fiscal year
2007. Although DHS does not expect to be compliant in fiscal year 2007,
focusing on these areas will help the agency build a solid foundation for
its IPIA program.

In addition to its overall corrective action plan to comply with IPIA,
DHS, as required by IPIA and related OMB implementing guidance, has
developed plans to reduce improper payments related to the two high-risk
programs it has identified thus far. These plans include reducing manual
processing, improving system interfaces, and clarifying roles and
responsibilities. If properly executed, these plans should help reduce
future improper payments in these programs by strengthening internal
controls. With regard to system improvements, as we have previously
recommended,^28 DHS needs to conduct effective testing to provide
reasonable assurance that the system will function in a disaster recovery
environment.

  DHS Has Developed a Corrective Action Plan for Compliance with IPIA, but
  Implementation Challenges Remain

DHS has developed a corrective action plan to address the findings of its
independent auditor,^29 including its noncompliance with IPIA. In its
most recent audit report for fiscal year 2006, the auditor recommended
that DHS follow OMB guidance^30 to complete the necessary
susceptibility assessments, perform testwork over all material programs,
and institute sampling techniques to allow for statistical projection of
the results of its improper payments testing.

In its IPIA corrective action plan, DHS documented the root causes that it
believes have resulted in its noncompliance, and analyzed the key success
factors, key performance measures, verification and validation procedures,
risks, impediments, dependencies with other corrective actions, resources
required, and critical milestones needed to become compliant with IPIA;
however, implementation will take significant time and effort. DHS cited
its lack of resources, guidance, and experience with IPIA to execute risk
assessments as root causes for its noncompliance with IPIA. The corrective
action plan identified the following items related to IPIA, including root
causes.

^28GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the
Individuals and Households Program to Fraud and Abuse; Actions Needed to
Reduce Such Problems in Future, GAO-06-1013 (Washington, D.C.: Sept. 27,
2006).

^29OMB Circular No. A-50, Audit Followup (revised Sept. 29, 1982), requires
agencies to develop corrective action plans to address audit findings,
stating that corrective action taken by management on audit findings and
recommendations is essential to improving the effectiveness and efficiency
of government operations. According to OMB's guidance, each agency is
required to establish systems to assure the prompt and proper resolution
and implementation of audit recommendations.

^30OMB Memorandum M-03-13, along with other improper payment guidance, was
consolidated into Appendix C of OMB Circular No. A-123. Appendix C was in
effect for fiscal year 2006.

Table 2: Summary of DHS's Corrective Action Plan for IPIA Compliance as of
June 7, 2007

Area                     Description

Root cause               o Lack of program-level financial reporting
                         o Lack of experience and guidance with IPIA to
                           execute risk assessments, which led to the
                           absence of proper risk assessments
                         o Difficulty in testing DHS grant programs
                         o Hurricane Katrina effects that highlight
                           internal control weaknesses over disbursements
                           at FEMA

Key success factors      o Define IPIA compliance criteria
                         o Define IPIA programs
                         o Complete a rigorous risk assessment
                         o Develop sample test plans and execute sample
                           testing
                         o Establish a review program to ensure that an
                           independent party reviews preparer responses
                         o Develop a corrective action plan based on test
                           results
                         o Have components update these corrective action
                           plans periodically

Key performance          o 100% identification of DHS population of
measures                   programs for IPIA work
                         o 100% completion of risk assessments by
                           components
                         o 100% completion of IPIA sample testing by
                           July 31, 2007, for all components' high-risk
                           programs
                         o 100% oversight of component corrective action
                           plans for high-risk programs
                         o IPIA compliance guidance for fiscal year 2007
                           issued by May 31, 2007
                         o Completion of supplemental sample payment
                           testing that confirms that corrective action
                           plan targets for high-risk programs are being
                           met or exceeded
                         o Increase recoupment (recovery) for identified
                           improper payments
                         o Completion of secondary control of recovery
                           audit for components with IPIA total
                           disbursement populations above $500 million
                         o Submission of corrective action plans for all
                           high-risk IPIA programs by September 15, 2007

Verification and         o Confirm improper payment sample test
validation                 populations tie to an independent verifiable
                           source
                         o Assess the operating effectiveness of sample
                           test results
                         o Confirm claimed recovery amounts are reflected
                           in general ledger postings
                         o Review recovery audit contract reports against
                           general ledger balances to confirm
                           comprehensiveness of work
                         o Test common high-risk factors identified by
                           sample test results after performing a
                           cost-benefit analysis

Risks, impediments,      o Grant impediment: legal and political
and dependencies           restrictions, lack of guidance
                         o Budgetary and financial system impediment
                         o FEMA risk: breakdown of controls and scale of
                           disbursements for Hurricane Katrina
                         o Guidance risk: clarification of requirements in
                           Appendix C to OMB Circular No. A-123 would be
                           helpful
                         o Sample design impediment: the trial balance
                           data used for IPIA analysis does not readily
                           yield true IPIA disbursement population amounts
                         o Recovery audit impediment: security- and
                           staffing-related issues have hampered the
                           ability of recovery audit contractors

Resources required       o DHS OCFO has hired contractor support to review
                           DHS IPIA compliance guidance, provide IPIA
                           training, review DHS component-completed risk
                           assessments, and develop testing sample sizes
                           to include in DHS component-developed test
                           plans
                         o DHS components will conduct the risk
                           assessments and develop their own test plans
                           for high-risk programs
                         o FEMA hired contractor support to design and
                           implement an improper payment test plan for
                           Hurricane Katrina-related payments for
                           individual housing programs, contracts, mission
                           assignments, and grants
                         o FEMA also hired a contractor to assist with
                           IPIA program definitions and risk assessments
                           for all FEMA programs

Source: DHS Office of Financial Management, Improper Payments Information
Act Corrective Action Plan Summary Report (as of June 7, 2007).

DHS also identified critical milestones in its corrective action plan for
IPIA compliance, including due dates and status. However, these efforts
remain ongoing and DHS has already missed some milestones. For example,
while DHS initially planned for each component to identify its IPIA
programs and disbursement populations by January 2007, this milestone was
delayed until June 2007. As of July 8, 2007, according to DHS, the agency
was waiting for one component to submit its list of programs, and DHS was
in the process of reviewing submissions from the other components. Because
of such delays, DHS does not expect to be in compliance with IPIA in
fiscal year 2007 and will likely be noncompliant in fiscal year 2008.
DHS's updated critical milestones as of June 7, 2007, related to fiscal
year 2007 are presented in table 3.

Table 3: Summary of Critical Milestones in DHS's Corrective Action Plan
for IPIA Compliance Related to Fiscal Year 2007

                                                               Completion status
Topic                                              Due date    according to DHS

Guidance and training:
  Update fiscal year 2007 IPIA PAR guidance        2/1/2007    Completed-100%
  Hold corrective action plan workshop on program  5/30/2007   Completed-100%
    identification and risk assessments for
    fiscal year 2007
  Hold corrective action plan workshop on sample   6/29/2007   Planning-25%
    testing and reporting for fiscal year 2007

Program identification:
  Program identification for fiscal year 2007      6/15/2007   In progress-50%

Risk assessment:
  A-123 pilot for FEMA for fiscal year 2006 IPIA   11/15/2007  In progress-50%
    work

Sample testing:
  Develop sample test plans for fiscal year 2007   6/28/2007   In progress-50%
    IPIA work
  Complete sample test plans for fiscal year 2007  8/31/2007   Not started-0%
    IPIA work
  Generate programwide error estimates for fiscal  9/14/2007   Not started-0%
    year 2007 IPIA work

Error analysis/corrective actions for high-risk
programs:
  Implement corrective action plans for fiscal     11/15/2007  Completed-100%
    year 2006 IPIA work
  Develop corrective action plans with projected   8/31/2007   Not started-0%
    error rate improvement for fiscal year 2007
    IPIA work
  Implement corrective action plans for fiscal     11/15/2007  Not started-0%
    year 2007 IPIA work

Recovery audit/collections:
  Sign contract with recovery audit firm for       10/2/2006   Completed-100%
    fiscal year 2007
  Receive progress updates and final report for    9/30/2007   In progress-50%
    fiscal year 2007 IPIA work

PAR reporting:
  Provide OMB with a draft fiscal year 2007 PAR    10/19/2007  Not started-0%
    and address all OMB feedback

Source: DHS Office of Financial Management, IPIA Corrective Action Plan
Summary and Detailed Reports (as of June 7, 2007).

DHS's planning and assessment process to develop its IPIA corrective
action plan enabled the agency to update its guidance for its components
and, according to DHS, the agency plans to focus on program identification
and risk assessments during fiscal year 2007. Strengthening risk
assessments and identifying potential improper payments are also important
in order for DHS to begin taking steps to reduce improper payments and
ultimately improve the integrity of the payments it makes. According to
DHS officials, the department has been working in close consultation with
OMB, sharing guidance documents, program test plans and results, and
recovery audit status reports. Regardless of whether DHS is able to fully
complete these efforts in fiscal year 2007, focusing on these areas will
help the agency build a solid foundation for a sustainable IPIA program.

The updated guidance was issued in May 2007 and is to be in effect for
fiscal year 2007 reporting. In this revised guidance, DHS clarifies how
its components should identify their population of programs. In addition,
DHS requires its components to perform a comprehensive risk assessment in
order to identify programs susceptible to significant improper payments.
DHS has designed a detailed methodology to conduct the IPIA risk
assessment, and this methodology is outlined in the May 2007 guidance. The
methodology, which includes qualitative criteria, as we have previously
discussed, involves the creation of a program risk matrix based upon
specific risk elements that affect the likelihood of improper payments.
Further, the guidance states that a program may be selected for testing
even if it does not meet the quantitative or qualitative assessments,
noting that it is entirely possible that the risk assessment process may
not identify a program as high risk, but component management may believe
a program is high risk due to a high-level public profile or known
financial or regulatory issues (such as a high-profile contract). For
those programs found to be at high risk for issuing improper payments, the
guidance also provides instructions for estimating improper payments,
implementing a plan to reduce improper payments, and reporting on this
information. Each of these procedures outlined in the May 2007 guidance
includes instructions to submit information or documentation to the
Internal Controls over Financial Reporting (ICOFR) Program Management
Office (PMO).^31

DHS's May 2007 guidance for fiscal year 2007 also outlines possible
alternative approaches for testing grants. One possible alternative is the
complete documentation of the component's grant management process and the
testing of internal controls. According to DHS, this approach helps the
component identify specific weaknesses within the grant process, rather
than sampling payments at random to determine potential errors. A second
alternative is to perform a risk assessment on the program's grant
portfolio. This alternative helps the program identify specific grants
that may be more susceptible to improper payments. The identified grants
would then be subject to improper payment sampling. If a component wishes
to consider alternative approaches to grant sampling, an explanatory
memorandum must be submitted to the ICOFR PMO for review and approval. If
approved by the ICOFR PMO, DHS will submit the alternative approach
request to OMB for review and approval. Also, OMB has reported^32 that the
Chief Financial Officers (CFO) Council^33 continues to play a critical role
in efforts to address and reduce
improper payments through its Improper Payments Transformation Team. This
group has been collaborating with nongovernmental entities to consolidate
governmentwide best practices; enumerate legislative and regulatory
barriers that hinder program integrity efforts; and develop forums where
federal and state stakeholders from the program, audit, and financial
communities work together to solve program integrity challenges. These
activities could provide guidance to help DHS determine how to best test
its grant programs.

^31The ICOFR PMO, as discussed in the next section of this report, is an
office within the DHS OCFO.

DHS also plans to hold workshops for its components on statistical sample
testing and reporting to ensure that they have a consistent understanding
of what is expected with regard to IPIA testing and reporting. Although
DHS does not expect to be in compliance with IPIA in fiscal year 2007,
completing a thorough risk assessment process is an important first step.

  DHS Has a Broader Initiative to Resolve Internal Control Weaknesses across the
  Department

In addition to developing the corrective action plans described, DHS has a
broader initiative to resolve material internal control weaknesses and
build management assurances across the department. During fiscal year
2007, DHS established the ICOFR PMO as a new office within the DHS OCFO.
The ICOFR PMO is responsible for departmentwide implementation of OMB
Circular No. A-123. In March 2007, DHS issued the ICOFR Playbook, which
outlines the department's strategy and processes to resolve material
weaknesses and build management assurances and incorporates the
departmentwide corrective action plans, which contain more detailed
information. The ICOFR PMO is responsible for the ICOFR Playbook and,
according to DHS, the agency will update the ICOFR Playbook each year,
establishing milestones and focus areas that will be tracked during the
year. One section of the ICOFR Playbook relates to IPIA testing, and it
discusses the actions taken by DHS in fiscal year 2006 to meet IPIA
requirements. This section also states that DHS will develop policies and
procedures to integrate the requirements of OMB's implementing guidance
for IPIA into annual component management assurances of compliance with
significant laws and regulations, as part of DHS management's assertion on
internal controls over financial reporting and in an effort to strengthen
internal controls to support DHS's mission. In addition to management
providing an assertion on internal controls over financial reporting, DHS
is required to obtain a related auditor's opinion.^34 Incorporating IPIA
into this guidance will increase the
likelihood of successful implementation and could also strengthen related
internal controls.

^32OMB, Improving the Accuracy and Integrity of Federal Payments
(Washington, D.C.: Jan. 31, 2007).

^33The CFO Council is an organization comprised of the CFOs and Deputy CFOs
of the 24 CFO Act agencies, and senior officials in OMB and the Department
of the Treasury who work collaboratively to improve financial management
in the U.S. government.

The ICOFR Playbook draws attention to the process of addressing IPIA
requirements across the department. By successfully addressing the
requirements of IPIA, DHS will be in a better position to take steps to
reduce improper payments, as the ultimate goal of IPIA reporting is to
improve the integrity of payments that the agency makes. Further, DHS has
testified that to ensure the long-term effectiveness of the department's
efforts to reduce improper payments, DHS requested resources in its fiscal
year 2008 budget to hire additional staff so that it can enhance risk
assessment procedures and conduct oversight and review of component test
plans.

  DHS Has Developed Plans to Reduce Improper Payments for FEMA's Two
  Disaster-Related Programs, but Effects Remain Unknown

In addition to its overall corrective action plan to comply with IPIA,
DHS, as required by IPIA and related OMB implementing guidance, has
developed plans to reduce improper payments related to the two high-risk
programs it identified in its fiscal year 2006 testing--FEMA's IHP
assistance payments and disaster-related vendor payment programs. These
plans highlighted improving internal controls to prevent improper payments
in each of these programs.

FEMA's testing of its two high-risk disaster-related programs identified
several key internal control weaknesses, including ineffective system
controls to review data for potential duplications and inconsistently
applied standards for supporting evidence and documentation. To address
these findings, FEMA initiated corrective action plans aimed at reducing
improper payments by strengthening internal controls. These plans included
validating Social Security numbers during telephone registration,
increasing IT systems capabilities to handle high volume during a
catastrophic disaster, and enhancing post-payment reviews. Our prior
reporting^35 also identified significant internal control
deficiencies in the IHP program.

^34 31 U.S.C. 3516(f)(2).

To address OMB's reporting requirements on actions for reducing improper
payments, DHS included in its fiscal year 2006 PAR corrective action plans
for IHP assistance payments and disaster-related vendor payments. For each
of the two high-risk programs, DHS prepared a schedule of corrective
action plans with target completion dates. For the IHP program, DHS
included corrective action plans that were already completed in addition
to those in process and planned. DHS has also established critical
milestones for reducing improper, disaster-related vendor payments. During
fiscal year 2007, DHS updated and tracked its corrective action plan
critical milestones. Details of these corrective action plan critical
milestones can be found in appendix V.

Based on DHS's updated corrective action plan report for IHP, as of May
14, 2007, DHS had not completed certain critical milestones by the
identified target date. These milestones included system interface
improvements and certain contract awards. Missing these established
critical milestones delays strengthening internal controls that are
necessary to reduce future improper payments, and therefore it is
important that DHS stays on track in implementing its corrective action
plans.

DHS also noted that human capital is the principal requirement to execute
these two corrective action plans; however, according to DHS, exact
requirements are not estimable at this time. With regard to system
improvements, as we have previously recommended,^36 DHS needs to
conduct effective testing to provide reasonable assurance that the system
will function in a disaster recovery environment.

^35See, for example, GAO, Expedited Assistance for Victims of Hurricanes
Katrina and Rita: FEMA's Control Weaknesses Exposed the Government to
Significant Fraud and Abuse, GAO-06-655 (Washington, D.C.: June 16, 2006);
Hurricanes Katrina and Rita Disaster Relief: Improper and Potentially
Fraudulent Individual Assistance Payments Estimated to Be Between $600
Million and $1.4 Billion, GAO-06-844T (Washington, D.C.: June 14, 2006);
and Expedited Assistance for Victims of Hurricanes Katrina and Rita:
FEMA's Control Weaknesses Exposed the Government to Significant Fraud and
Abuse, GAO-06-403T (Washington, D.C.: Feb. 13, 2006).

^36GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the
Individuals and Households Program to Fraud and Abuse; Actions Needed to
Reduce Such Problems in Future, GAO-06-1013 (Washington, D.C.: Sept. 27,
2006).

DHS's Efforts to Comply with the Recovery Auditing Act and to Recover Improper
Payments Need to Be Enhanced

For the last 3 years, DHS has contracted with a recovery auditing firm to
perform recovery audit work to comply with the Recovery Auditing Act;
however, activities in this area could be improved. Specifically, DHS
encountered problems that kept it from reporting on recovery audit efforts
during fiscal year 2006. DHS was not able to report recovery audit results
in fiscal year 2006 for three of the four components it identified as
meeting the criteria for recovery auditing as specified in the Recovery
Auditing Act (i.e., over $500 million in contractor payments) due to
problems obtaining disbursement data and delays in obtaining security
clearances for contract personnel. In addition, DHS did not perform
recovery auditing efforts at the fourth component identified as meeting
the criteria. Further, DHS has not yet reported on its efforts to recover
improper payments identified during its testing of FEMA's disaster-related
vendor payments and has reported limited information on its efforts to
recover identified improper IHP assistance payments.

In March 2007, DHS revised its internal guidance for recovery auditing for
fiscal year 2007 to discuss the issues encountered in previous years and
to emphasize timelines to help ensure that all applicable components are
able to report. This guidance clarifies what is expected of applicable
components, but ongoing oversight within the OCFO will be necessary to
ensure that components are progressing with their recovery auditing
efforts and will be able to successfully report on the results of these
efforts at year end. In addition, DHS's updated guidance does not require
components to report on efforts to recover improper payments identified
during IPIA testing. Reporting this information in the annual PAR would
provide a more complete picture of the agency's actions to recover
payments that it has identified as being improper.

               Recovery Auditing Efforts at DHS Could Be Improved

As an executive branch agency, DHS is required to perform recovery audits
under certain conditions as specified by the Recovery Auditing Act.
Beginning with fiscal year 2004, OMB required that applicable agencies
publicly report on their recovery auditing efforts as part of their PAR
reporting of improper payment information. Agencies are required to
discuss any contract types excluded from review and justification for
doing so. Agencies are also required to report, in table format, various
amounts related to contracts subject to review and actually reviewed,
contract amounts identified for recovery and actually recovered, and
prior-year amounts.

DHS took steps to identify and recover improperly disbursed funds by
hiring an independent contractor who conducted recovery audit work at two
major components, ICE and CBP. DHS began recovery auditing efforts during
fiscal year 2004 but was not able to report on these efforts for that year
because initial findings were not available in time to be included in the
annual PAR. This recovery audit work continued during fiscal year 2005 and
covered all fiscal year 2004 disbursements to contractors from these two
components, ultimately identifying more than $2.1 million of improper
payments and recovering more than $1.2 million, as reported in DHS's
fiscal year 2005 PAR. While DHS was able to recover about 55 percent of
improper payments identified through its recovery audit efforts, based on
our review of other agencies, we have previously questioned^37 whether
agency amounts identified for recovery should have been much higher, which
would thereby significantly decrease the agency-specific and overall high
rate of recovery.

According to DHS's fiscal year 2006 PAR reporting, recovery audit contract
work over fiscal year 2005 disbursements began in fiscal year 2005 at CBP
and ICE, and DHS extended its recovery audit work to include USCG in
fiscal year 2006. Delays in obtaining security clearances for contract
personnel severely hampered completion of recovery audit work at CBP and
ICE. Delays in supplying needed disbursement information hindered recovery
audit work at USCG. As a result, DHS was not able to provide conclusive
recovery audit summary results for fiscal year 2006 PAR reporting.
According to DHS, four of its components--ICE, CBP, USCG, and FEMA--meet
the criteria for recovery auditing as specified in the Recovery Auditing
Act (i.e., each has over $500 million in contractor payments). ICE, CBP,
and USCG entered into the same recovery audit contract. FEMA's recovery
audit work in fiscal year 2006 was part of a pilot study on internal
controls over improper payments for IHP assistance and disaster-related
vendor payments. In the aftermath of Hurricane Katrina, DHS and FEMA, with
the assistance of a contractor, conducted an internal controls assessment
related to improper IHP assistance and disaster-related vendor payments.
Although this assessment identified improper payments, DHS has not yet
reported on its efforts to recover improper payments identified during its
testing of FEMA's disaster-related vendor payments and has reported
limited information, such as the dollar amount of improper payments
approved for recovery and the amount returned to FEMA, related to its
efforts to recover improper IHP payments.

^37GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under the
Improper Payments Information Act Remains Incomplete, GAO-07-92
(Washington, D.C.: Nov. 14, 2006).

Of the 3 years agencies have been required to report on recovery audits in
table format, DHS was only able to report required recovery audit data in
its fiscal year 2005 PAR.^38 Table 4 presents DHS's recovery audit
efforts and results for fiscal years 2004 through 2006.

Table 4: Recovery Audit Results for Fiscal Years 2004 through 2006

            Agency-reported  Agency-reported  Agency-reported
            amount subject   actual amount    amount           Agency-reported
            to review for    reviewed and     identified for   amount
PAR fiscal  fiscal year      reported in      recovery in      recovered in     Related
year        reporting        fiscal year      fiscal year      fiscal year      components

2004        (not reported)   (not reported)   (not reported)   (not reported)   CBP, ICE^a
2005        $3,232,300,000   $3,232,300,000   $2,191,000       $1,207,000       CBP, ICE
2006        (not reported)   (not reported)   (not reported)   (not reported)   CBP, ICE, and USCG^b

Sources: DHS Performance and Accountability Reports for 2004, 2005, and
2006.

^aDHS contracted for recovery audit work at CBP and ICE; however, DHS was
not able to provide recovery audit results for fiscal year 2003
disbursements in its fiscal year 2004 PAR.

^bDHS contracted for recovery audit work at CBP, ICE, and USCG; however, DHS
was not able to provide recovery audit results for fiscal year 2005
disbursements in its fiscal year 2006 PAR.

  DHS's Internal Guidance for Recovering Improper Payments Has Been Revised but
  Additional Information Could Be Reported

DHS has recently revised and clarified its internal guidance related to
recovery auditing for fiscal year 2007 to discuss prior issues and
emphasize timelines to help ensure that all applicable components are able
to complete recovery audits and report on their efforts. The new guidance
requires that applicable DHS components provide the ICOFR PMO with a
general description and evaluation of the steps taken to carry out a
recovery auditing program. Components are required to include a discussion
of any security clearance requirements and show that there is sufficient
time to allow contractors to complete audit recovery work in time to meet
PAR reporting deadlines. Every update should include the total amount of
contracts subject to review, the actual amount of contracts reviewed, the
amount identified for recovery, and the amounts actually recovered in the
current year. The year-end update should include a
corrective action plan to address the root causes of payment errors. A
general description and evaluation of any management improvements to
address flaws in a component's internal controls over contractor payments
discovered during the course of implementing a recovery audit program, or
other control activities over contractor payments, is also required. This
guidance applies to the four DHS components--CBP, FEMA, ICE, and
USCG--that meet Recovery Auditing Act criteria. In addition, according to
DHS, the ICOFR PMO may expand recovery audit contracting to other
components as the benefits of this work become clearer. Although DHS's
guidance clarifies what is expected of components, ongoing oversight
within the OCFO will be necessary to ensure that the components are
progressing with their recovery auditing efforts and will be able to
successfully report on results at year end.

^38Subsequent to issuing its fiscal year 2006 PAR, DHS reported recovery
audit amounts to OMB for inclusion in OMB's governmentwide reporting of
fiscal year 2006 recovery auditing information.

In addition to specific recovery audit work to identify improper payments
made to contractors, DHS also identifies improper payments through its
IPIA testing. For example, as discussed previously, DHS's testing in
fiscal year 2006 of its two high-risk programs identified improper IHP
assistance payments and disaster-related vendor payments made by FEMA.
However, DHS's internal guidance does not require components to include
information in its annual PAR related to its efforts to recover improper
payments identified during IPIA testing and, as a result, DHS has not yet
reported on its efforts to recover improper disaster-related vendor
payments identified and has reported limited information on its efforts to
recover identified improper IHP assistance payments. Having components
report this information in the annual PAR would provide a more complete
picture of the agency's actions to recover payments that it has identified
as being improper.

                                  Conclusions

Although DHS has made some progress in implementing the requirements of
IPIA, challenges remain in ensuring that all DHS programs and activities,
including grant programs, have been reviewed to determine their
susceptibility to significant improper payments and tested, if applicable.
As DHS continues to improve its IPIA efforts and identify and test its
high-risk programs, the agency should be better able to identify, and
ultimately strengthen controls, to reduce improper payments.

While preventive internal controls should be maintained as the agency's
front-line defense against making improper payments, recovery auditing
holds promise as a cost-effective means of identifying contractor
overpayments. In addition, reporting on efforts to recover any other
specific improper payments identified would provide a more complete
picture of the agency's actions to recover payments that it has identified
as being improper. With the ongoing imbalance between revenues and outlays
across the federal government, and the Congress's and the American
public's increasing demands for accountability over taxpayer funds,
identifying, reducing, and recovering improper payments become even more
critical.

Recommendations for Executive Action

To help improve its efforts to implement IPIA and recover improper
payments, we recommend that the Secretary of Homeland Security direct the
Chief Financial Officer to take the following actions.

(1)
           Maintain oversight and control over critical milestones identified
           in the DHS corrective action plan for IPIA compliance so that DHS
           components stay on track, specifically in regard to identifying
           programs and performing risk assessments and any related testing.

(2)
           Require all applicable components to determine and document how
           they plan to assess their grant programs to determine whether they
           are at high risk for issuing significant improper payments, and,
           if necessary, test these grant programs.

(3)
           Provide oversight and monitor the progress of all applicable DHS
           components to successfully perform and report on their recovery
           auditing efforts.

(4)
           Similar to the required reporting on efforts to recover improper
           payments made to contractors under the Recovery Auditing Act,
           develop procedures for reporting in its annual PAR on the results
           of yearly efforts to recover any other known improper payments
           identified under IPIA, by the DHS OIG, or other external auditors.

                       Agency Comments and Our Evaluation

We requested comments on a draft of this report from the Secretary of
Homeland Security. These comments are reprinted in appendix II. DHS
concurred with the recommendations in our report. DHS noted that
significant actions under way include strengthening the department's
financial management and oversight functions to improve the DHS control
environment and implementing risk assessments to build a foundation for a
sustainable IPIA program.

As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its date. At that time, we will send copies of this report to the
Secretary of Homeland Security and other interested parties. Copies will
also be made available to others upon request. In addition, this report
will also be available at no charge on GAO's Web site at
http://www.gao.gov.

If you or your staff have any questions regarding this report, please
contact me at (202) 512-9095 or at [email protected]. Contact points
for our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. GAO staff who made contributions to this
report are listed in appendix VI.

McCoy Williams
Director, Financial Management and Assurance

                       Appendix I: Scope and Methodology

To determine to what extent the Department of Homeland Security (DHS) has
implemented the requirements of the Improper Payments Information Act of
2002 (IPIA), we compared the IPIA legislation, and the related Office of
Management and Budget (OMB) implementing guidance, with DHS improper
payment risk assessment methodologies, and IPIA Performance and
Accountability Report (PAR) information for fiscal years 2004 through
2006. To analyze DHS risk assessment compliance with IPIA, we obtained and
reviewed documents regarding its regulations and methodology for
identifying programs and activities highly susceptible to improper
payments. We reviewed DHS's PARs, Office of Inspector General (OIG)
semiannual reports to the Congress, and GAO reports for fiscal years 2004
through 2006 for improper payment information. We also reviewed procedures
performed by DHS's independent financial statement auditor related to
DHS's compliance with IPIA.

We reviewed the programs that DHS identified as its IPIA population and
analyzed the risk assessments that were performed during fiscal year 2006.
This allowed us to determine which components did not perform a risk
assessment and which programs were not covered. During our review, we
noted that the Office of Grants and Training (GT), a DHS component, did
not perform an assessment or complete payment statistical sample testing
on its grants programs for fiscal year 2006 as required of all DHS
programs issuing more than $100 million of IPIA relevant payments in
fiscal year 2005. To analyze improper payments related to DHS grantees and
highlight the importance of performing IPIA testing in this area, we
obtained and reviewed fiscal year 2005 single audit reports of these
entities. We used fiscal year 2005 reports because that is the most recent
year for which complete audit results have been posted to the Federal
Audit Clearinghouse (FAC). ^1 We also reviewed GAO reports and DHS OIG
Financial Assistance (Grants) Reports for fiscal year 2005 through fiscal
year 2007 to identify weaknesses reported at DHS grantees. In addition, we
reviewed DHS OIG Management Reports (audits and inspections) for fiscal
year 2005 through fiscal year 2007 that were related to grants and DHS OIG
semiannual reports to the Congress for fiscal years 2005 and 2006 to
identify questioned costs related to DHS grantees.

^1The FAC's primary purposes are to (1) disseminate audit information to
federal agencies and the public, (2) support OMB oversight and assessment
of federal award audit requirements, (3) assist federal cognizant and
oversight agencies in obtaining OMB Circular No. A-133 data and reporting
packages, and (4) help auditors and auditees minimize the reporting burden
of complying with Circular No. A-133 audit requirements.

To identify what actions DHS has under way to improve IPIA compliance and
reporting, we interviewed DHS staff in the Office of the Chief Financial
Officer and reviewed DHS corrective action plans and the Internal Controls
Over Financial Reporting (ICOFR) Playbook. We also reviewed DHS's IPIA
implementing guidance for fiscal year 2007--revised in March 2007 and May
2007--and determined whether it was consistent with IPIA requirements. We
discussed these revisions with improper payment and financial management
officials from DHS to inquire about what is currently being implemented
and what will be implemented in the future to ensure compliance with DHS's
revised internal guidance.

To determine what efforts DHS has in place to recover improper payments,
we compared section 831 of the National Defense Authorization Act for
Fiscal Year 2002, commonly known as the Recovery Auditing Act, and the
related OMB implementing guidance, with DHS recovery auditing procedures
and PAR-reported information for fiscal year 2006. We also reviewed DHS
PARs, OIG semiannual reports to the Congress, and GAO reports for fiscal
years 2004 through 2006 for recovery audit information.

To assess the reliability of data reported in DHS's PARs related to
improper payments and recovery audit efforts, we (1) reviewed existing
information about the data and the system that produced them and
(2) interviewed agency officials knowledgeable about the data. Based on
these assessments, we determined that the data were sufficiently reliable
for the purposes of this report. We conducted our work from October 2006
through June 2007 in accordance with generally accepted government
auditing standards. We requested comments on a draft of this report from
the Secretary of Homeland Security or his designee. The Director,
Departmental GAO/OIG Liaison Office, provided written comments, which are
presented in the Agency Comments and Our Evaluation section of this report
and are reprinted in appendix II.

Appendix II: Comments from the Department of Homeland Security

Appendix III: Prior-Year IPIA Reporting by DHS and Its Independent Auditor

  Table 5 presents information on prior-year IPIA reporting by DHS, including
             compliance issues reported by the independent auditor.

                   Table 5: Prior-Year IPIA Reporting by DHS

Fiscal year 2004

Description of DHS IPIA PAR reporting: DHS's PAR presented a completed
IPIA risk matrix for all DHS programs exceeding $100 million in nonpayroll
annual disbursements. Programs were defined using the Future Years
Homeland Security Program (FYHSP) system. If a program did not reach a
$100 million nonpayroll fiscal year 2005 operating budget level, the
program was judged too small to be at risk for annually issuing $10
million in improper payments. According to DHS, payroll disbursements were
excluded because of their repetitive, stable nature and the extensive
internal controls they are subjected to by the National Finance Center. An
overall risk score was assigned to each FYHSP by evaluating internal
control, human capital, programmatic risk, and materiality of operating
budget risk factors. The fiscal year 2004 risk matrix identified no
high-risk IPIA programs.

Compliance issues reported by the independent auditor: The independent
auditor reported that DHS did not comply with IPIA. Specifically, DHS did
not

     o properly define programs and activities,
     o institute a systematic method of reviewing all programs and
       identifying those it believed were susceptible to significant
       erroneous payments, and
     o properly sample or compute the estimated dollar amount of improper
       payments.

The auditor recommended that DHS follow the guidance provided in OMB
M-03-13 in fiscal year 2005, including reexamining the definition of a
program, completing the necessary susceptibility assessments, instituting
sampling techniques to allow for statistical projection of the results,
and providing information for proper disclosure in its PAR.

Fiscal year 2005

Description of DHS IPIA PAR reporting: DHS defined IPIA programs by
Treasury Appropriation Fund Symbol (TAFS). This change in program
definition reflected the absence of FYHSP detail and the presence of TAFS
detail at the transaction level and avoided testing issues stemming from
FYHSP cost allocations. Each component sample tested major payment
categories for the largest TAFS provided that total disbursements exceeded
$100 million exclusive of payroll and intragovernmental payments. An
exception was made for one component, FEMA, which tested a TAFS that was
involved in an improper payment related OIG finding for the Individuals
and Households Program (IHP). Fiscal year 2005 sample testing identified
no high-risk IPIA programs.

Compliance issues reported by the independent auditor: The auditor
identified the following instances of noncompliance with IPIA at DHS.
Specifically, DHS did not

     o institute a systematic method of reviewing all programs and
       identifying those it believed were susceptible to significant
       erroneous payments; and
     o perform testwork to evaluate improper payments for all material
       programs; testing was only performed over the TAFS with the largest
       disbursements for each component or the largest TAFS maintained by an
       internal DHS accounting service provider.

The auditor recommended that DHS follow the guidance provided in OMB
M-03-13 in fiscal year 2006, including completing the necessary
susceptibility assessments, performing testwork over all material
programs, and instituting sampling techniques to allow for statistical
projection of the results.


Fiscal year 2006

Description of DHS IPIA PAR reporting: DHS defined IPIA programs by
management-identified groupings of TAFS. These groupings were designed to
meet the draft Appendix C definition of an IPIA program (Appendix C was
issued August 10, 2006). Sample test plans were designed by a statistical
team which used stratified sampling techniques. Sample sizes both in
number of payments and amount of payments increased dramatically compared
with previous years. Two programs were found to be at high risk for
issuing improper payments--FEMA's IHP and disaster-related vendor
payments. Corrective action plans were developed for each. IPIA problems
included (1) required sample testing was not completed for all programs,
(2) sample test design was hampered by the use of SF-133 outlay figures
during IPIA program identification, (3) risk assessments were based on
strictly quantitative factors, and (4) recovery audit results were not
complete enough to report in the PAR.

Compliance issues reported by the independent auditor: The auditor
identified the following instances of noncompliance with IPIA at DHS and
its components.

     o Not all programs subject to IPIA were tested, and the population of
       disbursements tested for some programs was not complete.
     o In some cases, the samples tested were not statistically derived,
       and thus, identified errors could not be statistically projected to
       the entire population of disbursements (including the untested
       portion).
     o In some cases, the personnel performing the testwork were not
       knowledgeable or trained on the purpose or procedures to be
       performed.
     o The time period from which disbursements were selected for testwork
       was not always in compliance with IPIA requirements. For example,
       the auditor noted that one component limited the time period of
       disbursement samples to October 2005 through March 2006. (Note: The
       actual time period also included September 2005 but the auditors
       did not note this as an exception).
     o Centralized monitoring was not performed over the IPIA results to
       ensure that IPIA testing was completed for all required programs in
       accordance with the department's requirements.

The auditor recommended that DHS follow the guidance provided in OMB
M-03-13 in fiscal year 2007, including completing the necessary
susceptibility assessments, performing testwork over all material
programs, and instituting sampling techniques to allow for statistical
projection of the results of its improper payments testing.

              Source: DHS Performance and Accountability Reports.

                        Appendix IV: DHS Grant Programs

Table 6 provides a list of DHS grant programs, primary recipients, and
award information for fiscal year 2006.

Table 6: DHS Grant Programs and Related Information

                                                                                    Number of
                                                                                    awards in     Fiscal year      Average
    CFDA                                            Primary                       fiscal year      2006 award        award
    number  Program                                 recipients                           2006          amount       amount

Citizenship & Immigration Services (CIS)
 1  97.009  Cuban/Haitian Entrant Program           Nonprofit organizations                 2     $10,292,085   $5,146,043

Federal Emergency Management Agency (FEMA)--Nondisaster
 2  97.017  Pre-Disaster Mitigation Competitive     States and Indian tribal               74     126,245,825    1,706,025
            Grants                                  governments
 3  97.023  Community Assistance Program State      States                                 64       7,500,000      117,188
            Support Services Element
 4  97.024  Emergency Food and Shelter National     Community groups                        1     151,473,765  151,473,765
            Board Program
 5  97.025  National Urban Search and Rescue        State and local governments           100      39,482,142      394,821
            Response System
 6  97.026  Emergency Management Institute (EMI)    Individuals                       3,424^a       1,421,511          415
            Training Assistance
 7  97.027  EMI Independent Study Program           Individuals                   3,729,647^a         884,090          < 1
 8  97.028  EMI Resident Educational Program        Individuals                      13,605^a       3,006,705          221
 9  97.029  Flood Mitigation Assistance             States and communities                 83      17,473,353      210,522
10  97.041  National Dam Safety Program             States                                 51       3,374,476       66,166
11  97.045  Cooperating Technical Partners          States and communities                 86      54,139,208      629,526
12  97.047  Pre-Disaster Mitigation                 State and Indian tribal               178     134,880,496      757,756
                                                    governments
13  97.070  Map Modernization Management Support    States and communities                 69       9,769,657      141,589
14  97.082  Earthquake Consortium                   State, local, and Indian                3         850,000      283,333
                                                    tribal governments
15  97.095  Safe Kids Worldwide                     Communities                             1         199,480      199,480

FEMA--Disaster Assistance
16  97.022  Flood Insurance                         Individuals                      30,995^a     848,691,742       27,382
17  97.030  Community Disaster Loans                Local governments                     153   1,270,501,241    8,303,930
18  97.032  Crisis Counseling                       States                                 26      96,148,654    3,698,025
19  97.033  Disaster Legal Services                 Individuals                           7^a         360,611       51,516
20  97.034  Disaster Unemployment Assistance        States                                 33     392,016,043   11,879,274
21  97.036  Disaster Grants--Public Assistance      State, local, and Indian           66,797   8,138,441,132      121,838
            (also includes Emergency Assistance     tribal governments
            and Fire Suppression)
22  97.039  Hazard Mitigation                       State, local, and Indian            1,268     401,694,926      316,794
                                                    tribal governments
23  97.046  Fire Management Assistance              State and Indian tribal               319      68,143,552      213,616
                                                    governments
24  97.048  Disaster Housing Assistance to          Individuals                     866,268^a   2,637,939,099        3,045
            Individuals and Households in
            Presidential Declared Disaster Zones^b
25  97.049  Presidential Declared Disaster          States and other entities             123   4,773,963,866   38,812,714
            Assistance--Disaster Housing
            Operations for Individuals and
            Households^b
26  97.050  Presidential Declared Disaster          Individuals                     706,760^a   2,247,028,347        3,179
            Assistance to Individuals and
            Households--Other Needs^b
27  97.084  Hurricane Katrina Case Management       Private nonprofit entities              1      66,000,000   66,000,000
            Initiative Program
28  97.092  Repetitive Flood Claims                 States, Indian tribal                  39       9,821,659      251,837
                                                    governments, and communities
29  97.098  Disaster Donations Management Program   State and local governments             1         950,000      950,000

FEMA--Chemical Stockpile Programs
30  97.040  Chemical Stockpile Emergency            State, local, and Indian               21      65,010,240    3,095,726
            Preparedness Program                    tribal governments

FEMA--U.S. Fire Administration
31  97.001  Pilot Demonstration or Earmarked        Nonfederal entities^c                   8       1,184,999      148,125
            Projects
                        97.016      Fire                                      
  32                 Reimbursement  departments       2       1,243       622 
                          for                                                 
                    Firefighting on                                           
                            Federal                                           
                       Property                                               
  33                97.018 National Individuals  5,948a   1,464,314       246 
                    Fire Academy                                              
                       Training                                               
                      Assistance                                              
  34                97.019 National Individuals 75,107a   5,236,342        70 
                    Fire Academy                                              
                        Educational                                           
                            Program                                           
  35                 97.043 State   States           48   1,344,000    28,000 
                     Fire Training                                            
                    Systems Grants                                            
                    97.093 Fire     Private                                   
  36                Service         nonprofit         1      50,000    50,000 
                    Hazardous                                                 
                          Materials entities                                  
                       Preparedness                                           
                     and Response                                             
                        97.094      State and                                 
  37                  Prevention    local             7      21,000     3,000 
                       Advocacy                                               
                     Resources and  governments                               
                         Data                                                 
                       Exchange                                               
                        Program                                               
                           Training State and                                 
  38                97.097 Resource local             9      93,000    10,333 
                           and                                                
                           Data     governments                               
                           Exchange                                           
                         97.081 Law                                           
  39 Federal Law        Enforcement Individuals  1,579a   1,136,880       720 
                           Training                                           
     Enforcement      and Technical                                           
     Training            Assistance                                           
     Center (FLETC)                                                           
     Office of         97.005 State State and                                 
  40 Grants and           and Local local            13  82,207,860 6,323,682 
                           Homeland                                           
     Training (GT)d        Security                                           
                           Training governments                               
                            Program                                           
  41                97.007 Homeland State and         4  16,692,768 4,173,192 
                       Security     local                                     
                       Preparedness governments                               
                          Technical                                           
                      Assistance                                              
                        Program                                               
  42                 97.008 Urban   State and         0           0         0 
                    Areas Security  local                                     
                      Initiativee   governments                               
                             97.042 State,                                    
  43                      Emergency local, and       58 177,655,500 3,063,026 
                         Management                                           
                      Performance   Indian                                    
                        Grants      tribal                                    
                                    governments                               
                             97.044 Fire                                      
  44                  Assistance to departments   4,246 270,622,058    63,736 
                       Firefighters                                           
  45                97.053 Citizen  State and         3   1,295,000   431,667 
                    Corps e         local                                     
                                    governments                               
  46                  97.056 Port   Seaports         99 168,052,500 1,697,500 
                    Security Grant  and                                       
                        Program     terminals                                 
                        97.057                                                
  47                 Intercity Bus  Bus systems      36   9,603,000   266,750 
                       Security                                               
                        Grants                                                

                                                                          Number
                                            of awards                    Average
             CFDA               Primary            in Fiscal year 2006     award
                                               fiscal                    
  DHS component   number        recipients     year     award amount      amount
                  Program                      2006                      
                  97.059 Truck                                           
48                Security      Commercial          1        4,801,500 4,801,500
                  Program                                                
                                motor carriers        
                                and national          
                                transportation        
                                community             
                  97.067                                               
49                Homeland      State and           56 1,670,921,920  29,837,891
                  Security      local                                  
                  Grant                                                
                     Program    governments                              
                  97.068        State and                                
50                Competitive   local                   11  28,809,000 2,619,000
                  Training                                               
                     Grants     governments           
                     97.071     Local and                                        
51                Metropolitan  Indian                 0               0       0 
                     Medical                                                     
                    Response    tribal                                           
                    System e                                                     
                                governments           
                  97.073 State  State and                                        
52                Homeland      local                  0               0       0 
                  Security                                                       
                    Programe    governments                                      
53                97.074 Law    State and              0               0       0 
                  Enforcement   local                                            
                    Terrorism   governments           
                   Prevention                         
                    Programe                          
                  97.075 Rail                                            
54                and Transit   Transportation        21  143,240,948  6,820,998
                  Security                                               
                  Grant Program systems                                  
                  97.078 Buffer State and                                
55                Zone          local                 62    72,965,000 1,176,855
                  Protection                                             
                      Plan      governments           
                         97.083                                          
56                 Staffing for Local                  243  99,394,888   409,032
                  Adequate Fire                                          
                  and Emergency communities                              
                       Response                                          
57                97.089 Real   States and               2   6,000,000 3,000,000
                  ID Program    other                                    
                                entities              
Information    97.079 Public                                               
58 Analysis and   Alert Radios  Schools            77,035       1,828,045     24
                  for                                                         
Infrastructure    Schools                          
Protection                                         
Science &      97.061        U.S.                                     
59 Technology     Centers for   institutions             8  24,570,000 3,071,250
                  Homeland                                               
(S&T)            Security    of higher             
                                education             
                  97.062                                                    
60                Scholars and  Individuals       383a      10,436,453    27,249
                  Fellows                                                   
                         97.069                                             
61                     Aviation U.S.                    36  11,824,817   328,467
                       Research institutions                                
                         Grants                                             
                                of higher             
                                education             
                  97.077                                                    
62                Homeland      Nonfederal                  5 1,298,590  259,718
                  Security                                                  
                       Testing, entities              
                    Evaluation,                       
                            and                       
                  Demonstration                       
                       of                             
                  Technologies                        
                  97.086                                                    
63                Homeland      Federal and                10 9,626,326  962,633
                  Security                                                  
                      Outreach, nonfederal            
                     Education,                       
                            and                       
                    Technical   entities                                    
                   Assistance                                               
                  97.091        State and                                   
64                Homeland      local                  52   45,661,986   878,115
                  Security                                                  
                    Biowatch    governments           
                     Program                          

Appendix IV: DHS Grant Programs

                                                                             Number
                                               of awards                    Average 
             CFDA               Primary        in fiscal Fiscal year          award 
                                                         2006                       
  DHS component   number        recipients     year 2006    award amount     amount 
                  Program                                                           
Transportation    97.072                                                         
65 Security         National    Transportation        17       2,132,055    125,415 
                   Explosives                                                       
 Administration       Detection systems                                             
      (TSA)         Canine Team                                                     
                     Program                                                        
                  97.090 Law    State and                                           
66                Enforcement   local                274      67,804,209    247,461 
                  Officer                                                           
                  Reimbursement governments                                         
                    Agreement                                                       
                     Program                                                        
                         97.100                                                     
67                      Airport State, local,          7     240,447,289 34,349,613 
                        Checked or                                                  
                        Baggage                                                     
                    Screening   other public                                        
                     Program                                                        
                                entities                                            
                  97.012                                                            
68 U.S. Coast     Boating       States and            79      87,667,046  1,109,709 
Guard          Safety                                                            
                  Financial                                                         
(USCG)             Assistance   nonprofit                                           
                                organizations                                       
U.S. Secret    97.015 Secret                     n/af                            
69 Service        Service       Sworn members                        n/a        n/a 
                  Training                                                          
(USSS)             Activities   of a law                                            
                                enforcement                                         
                                agency                                              
                  97.076        Private                                             
70                National      nonprofit              1       5,445,000  5,445,000 
                  Center for                                                        
                    Missing and entities                                            
                      Exploited                                                     
                    Children                                                        
Total-all DHS                                  5,585,670 $24,849,239,441            
components                                                                          
Awards to                                      5,433,723                            
individualsa                                                                        
Awards to others                                 151,947                            

Sources: Fiscal Year 2006 Funded Award Summary for DHS Grant Programs;
Schedule of DHS Programs as of May 9, 2007.

^aThis amount reflects either individual claims, payments to individuals, or
individuals that received training.

^bThis grant program is part of the Individuals and Households Program
(IHP).

^cNonfederal entities include state, local government, private, public,
profit or nonprofit organizations, Indian Tribal government, or
individuals specified in a U.S. appropriation statute.

^dGT was incorporated into FEMA as of March 31, 2007.

^eThis grant program is incorporated into the Homeland Security Grant
Program.

^fAccording to DHS, the USSS provides training as part of its routine work
and does not report this information separately.

Appendix V: Corrective Action Plans for High-Risk Programs

Table 7 describes the details of the open corrective action plan critical
milestones as of May 14, 2007, as reported by DHS, for reducing improper
IHP assistance payments.

Table 7: DHS's Incomplete Critical Milestones for Its IHP Corrective
Action Plan, Status as of May 14, 2007

Topic                                                 Target date     Completion status
                                                                      according to DHS

If the Office of General Counsel (OGC) approves,      September 2006  0%
provide the contractor with requirements and obtain
information from them regarding their ability to
prepopulate insurance data in applicant files.

Improve the National Emergency Management             November 2006   50%
Information System (NEMIS) accounts receivable--
Integrated Financial Management Information System
(IFMIS) interface.

Ensure compliance with rules and regulations is part  December 2006   50%
of the annual NEMIS audit.

Explore alternate receipt posting possibilities       March 2007      25%
using electronic files.

Award contract(s) for up to 6,000 call center agents  March 2007      50%
to private sector business(es).

Note: The previous items were past due as of May 14, 2007.

Conduct a second round of IPIA testing on Hurricane   June 2007       50%
Katrina IHP payments made between March and
September 2006.

Put in place a contract for data verification and     September 2007  50%
pre-population of verified data.

Make appropriate updates to NEMIS to ensure maximum   September 2007  50%
use of technology to reduce manual processing.

Improve communications with and messaging to          September 2007  50%
disaster victims.

Clarify with OGC if FEMA can get legislative backing  December 2007   50%
to allow the collection of insurance policy data.

Limit access to NEMIS to users authorized via the     January 2008    47%
Integrated Security and Access Control System.

Integrate shelter tracking mechanisms into NEMIS.     January 2008    25%

Source: DHS's IPIA Corrective Action Plan Summary and Detailed Reports for
FEMA's IHP as of May 14, 2007.

Based on DHS's updated corrective action plan report for IHP, as of May
14, 2007, DHS had not completed certain critical milestones by the
identified target date. These milestones included system interface
improvements and certain contract awards. Missing these established
critical milestones only delays strengthening internal controls that are
necessary to reduce future improper payments. It is important that DHS
stays on track in implementing its corrective action plans.

DHS has also established critical milestones for reducing improper
disaster-related vendor payments. Table 8 describes the details of the
open corrective action plan critical milestones as of May 14, 2007, as
reported by DHS for reducing improper disaster-related vendor payments.

Table 8: DHS's Incomplete Critical Milestones for Its Disaster-Related
Vendor Payments Corrective Action Plan, Status as of May 14, 2007

Topic                                                 Target date     Completion status
                                                                      according to DHS

Ensure roles and responsibilities with regard to      May 2007        50%
invoice receipt, approval, and payment of
contracting officer technical representatives
(COTR), project officers, and accounting technicians
are clearly defined by conducting a review of
policies, procedures, and job descriptions.

Review procurement language to ensure consistency     May 2007        50%
and adequacy for similar goods and services related
to product substitution and pricing variances.

Formalize the process of receipt, issue, and          May 2007        50%
follow-up on invoices with COTRs and project
officers by finance office.

Train accounting technicians, project officers, and   June 2007       50%
COTRs on the importance of an invoice review and
approval process and expectations regarding
supporting documentation, prompt pay, product
substitution, price variances, and unsupported
amounts.

Initiate a quality assurance sampling process for     June 2007       50%
invoices on a periodic basis with emphasis on
adherence to metrics published in the fiscal year
2006 PAR.

Enter into a contract with a recovery audit firm.     June 2007       0%

Identify vendor payments eligible for recoupment      July 2007       50%
(recovery).

Source: DHS's IPIA Corrective Action Plan Summary and Detailed Reports for
FEMA's Disaster Relief Fund Vendor Payments as of May 14, 2007.

DHS identified three primary root causes for why these two programs--IHP
assistance payments and disaster-related vendor payments--are at
high risk of issuing improper payments. According to DHS, these root
causes include the following.

     o People--FEMA employees were not properly trained.
     o Processes--The nature of FEMA's work responding to disasters explains
       the reliance on people that are not trained in finance requirements
       and are dispersed throughout areas with limited infrastructure.
     o Policies--Policies were cited as possibly inadequate for instructing
       employees on the proper supporting documentation. There is a need for
       clear policy and procedural guidelines that set standard operating
       procedures for all FEMA employees, especially those outside the
       finance area.

DHS also noted that human capital is the principal requirement to execute
these two corrective action plans; however, according to DHS, exact
requirements are not estimable at this time. These plans, if properly
executed, should help reduce future improper payments in these programs by
strengthening internal controls. With regard to system improvements, as we
have previously recommended,^1 DHS needs to conduct effective testing
to provide reasonable assurance that the system will function in a
disaster recovery environment.

^1GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the
Individuals and Households Program to Fraud and Abuse; Actions Needed to
Reduce Such Problems in Future, GAO-06-1013 (Washington, D.C.: Sept. 27,
2006).

Appendix VI: GAO Contact and Staff Acknowledgments

GAO Contact

McCoy Williams, (202) 512-9095 or [email protected]

Staff Acknowledgments 

In addition to the contact named above, the following individuals also
made significant contributions to this report: Casey Keplinger, Assistant
Director; Verginie Amirkhanian; Sharon Byrd; Francine
DelVecchio; Francis Dymond; Gabrielle Fagan; Jacquelyn Hamilton; and Laura
Stoddard.

(195102)
