Improper Payments: Weaknesses in USAID's and NASA's
Implementation of the Improper Payments Information Act and
Recovery Auditing (09-NOV-07, GAO-08-77).						 
                                                                 
Agencies are required to report improper payment information
under the Improper Payments Information Act of 2002 (IPIA)
and recovery auditing information under section 831 of the
National Defense Authorization Act for Fiscal Year 2002,
commonly known as the Recovery Auditing Act. Since the first
year of implementation, fiscal year 2004, limited improper
payments reporting by the United States Agency for International
Development (USAID) and the National Aeronautics and Space
Administration (NASA) and concerns raised by NASA's auditors
about its risk assessment process prompted scrutiny from the
Senate Subcommittee on Federal Financial Management, Government
Information, Federal Services, and International Security,
during several oversight hearings. Because the subcommittee
noted that USAID's and NASA's performance and accountability
report (PAR) reporting on improper payments and recovery
auditing was minimal, GAO was asked to review both agencies'
IPIA risk assessment methodologies, recovery auditing
procedures, and actions under way to improve their IPIA and
recovery audit reporting.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-77						        
    ACCNO:   A78088						        
  TITLE:     Improper Payments: Weaknesses in USAID's and NASA's
Implementation of the Improper Payments Information Act and
Recovery Auditing	 
Facilities							 
     DATE:   11/09/2007 
  SUBJECT:   Aerospace contracts
             Audits
             Contractor payments
             Contracts
             Erroneous payments
             Financial management
             Financial records
             GAO High Risk Series
             Government contracts
             Overpayments
             Payments
             Questionable payments
             Refunds to government
             Reporting requirements

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-77



This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected].

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to the Subcommittee on Federal Financial Management, Government 
Information, Federal Services, and International Security, Committee on 
Homeland Security and Governmental Affairs, U.S. Senate:

United States Government Accountability Office:
GAO:

November 2007:

Improper Payments:

Weaknesses in USAID's and NASA's Implementation of the Improper 
Payments Information Act and Recovery Auditing:

GAO-08-77: 

GAO Highlights:

Highlights of GAO-08-77, a report to the Subcommittee on Federal 
Financial Management, Government Information, Federal Services, and 
International Security, Committee on Homeland Security and Governmental 
Affairs, U.S. Senate. 

Why GAO Did This Study:

Agencies are required to report improper payment information under the 
Improper Payments Information Act of 2002 (IPIA) and recovery auditing 
information under section 831 of the National Defense Authorization Act 
for Fiscal Year 2002, commonly known as the Recovery Auditing Act. 
Since the first year of implementation, fiscal year 2004, limited 
improper payments reporting by the United States Agency for 
International Development (USAID) and the National Aeronautics and 
Space Administration (NASA) and concerns raised by NASAï¿½s auditors 
about its risk assessment process prompted scrutiny from this 
subcommittee during several oversight hearings. Because the 
subcommittee noted that USAIDï¿½s and NASAï¿½s performance and 
accountability report (PAR) reporting on improper payments and recovery 
auditing was minimal, GAO was asked to review both agenciesï¿½ IPIA risk 
assessment methodologies, recovery auditing procedures, and actions 
under way to improve their IPIA and recovery audit reporting. 

What GAO Found:

For the first 3 years of IPIA implementation, fiscal years 2004 through 
2006, USAID and NASA performed various procedures to conduct their risk 
assessments. Many of these procedures are positive steps to address the 
requirements of IPIA. At the same time, GAO identified numerous 
deficiencies in the procedures that warrant further improvement. For 
example, neither USAID nor NASA had developed a systematic process to 
(1) identify risks that exist in their payment activities or (2) 
evaluate the results of their payment stream reviews, such as weighting 
and scoring the effectiveness of existing internal control over 
payments made and results from external audits. Furthermore, risk 
assessment documentation maintained by USAID and NASA was lacking or 
insufficient to support their conclusions that no programs or 
activities were susceptible to significant improper payments. A lack of 
detailed written guidance for both agencies may have contributed to the 
deficiencies identified. Due to inadequacies in their risk assessment 
process, USAID and NASA cannot be certain that they had no programs or 
activities susceptible to significant improper payments, and 
ultimately, had effectively implemented IPIA. 

Although USAID and NASA have reported on steps taken to recoup improper 
contract payments, GAO found several weaknesses in their recovery 
auditing procedures for fiscal years 2004 through 2006. In particular, 
USAID and NASA did not report recovery auditing information for each 
fiscal year, documentation was lacking or not adequately supported, and 
neither agency adhered to all of the reporting requirements outlined in 
OMBï¿½s implementing guidance. Other weaknesses noted were agency-
specific. For example, USAID recovery auditing procedures were 
comprised of reviews of certain OIG and external audit reports over 
USAID grant and contract programs. However, the methodology used for 
conducting those audits may not have constituted a recovery auditing 
program as defined by OMB guidance, and thus may be insufficient for 
this purpose. NASA, on the other hand, used IPIA contract payment 
review results to report amounts recovered for fiscal year 2005. 
However, the payment reviews were limited in scope and did not provide 
an adequate representation of the extent of contract overpayments. Due 
to a lack of, or insufficient, documentation, along with identified 
weaknesses, the validity and accuracy of the reported recovery amounts 
are questionable. 

While USAID and NASA have experienced significant challenges in their 
first 3 years of IPIA implementation, both agencies have taken steps to 
strengthen their risk assessment process and, ultimately, IPIA 
reporting. For example, USAID has developed an agencywide payment 
database that will be used to research and data mine for potential 
improper payments. NASA hired two different contractors to develop a 
methodology for conducting a risk assessment and testing of payment 
transactions. Actions are also under way to improve recovery auditing 
efforts. However, improvements are still needed to address some of the 
weaknesses identified related to conducting risk assessments and 
performing recovery auditing procedures. 

What GAO Recommends:

GAO is making a total of 10 recommendations to help improve USAIDï¿½s and 
NASAï¿½s efforts to implement IPIA and the Recovery Auditing Act. USAID 
did not specifically respond to the recommendations, but provided a 
technical comment, which GAO addressed. NASA concurred with the 
recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.GAO-08-77]. For more information, contact McCoy 
Williams at (202) 512-9095 or [email protected]. 

[End of section] 

Contents:

Letter:

Results in Brief:

Background:

USAID's and NASA's Risk Assessment Processes and Documentation Could Be 
Improved:

Weaknesses Found in Recovery Auditing Procedures Raise Questions About 
the Validity and Accuracy of Reported Recovery Audit Amounts:

USAID and NASA Have Taken Steps to Strengthen Their Risk Assessment 
Processes and Recovery Auditing Procedures, but Challenges Remain:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: Types of Payment Streams Identified during United States 
Agency for International Development's Risk Assessment:

Appendix III: Types of Payment Streams Identified during National 
Aeronautics and Space Administration's Risk Assessment:

Appendix IV: Comments from the United States Agency for International 
Development:

Appendix V: Comments from the National Aeronautics and Space 
Administration:

Appendix VI: GAO Contact and Staff Acknowledgments:

Table:

Table 1: USAID's and NASA's Reported Recovery Auditing Amounts for 
Fiscal Years 2004 to 2006:

Figures:

Figure 1: USAID's Major Payment Streams for Fiscal Year 2004:

Figure 2: NASA's Reported Major Payment Streams for Fiscal Year 2004:

Abbreviations:

CMP: Cash Management and Payment: 

DCAA: Defense Contract Audit Agency: 

DOJ: Department of Justice: 

FP-AF: fixed-priced contracts with award fees: 

IPIA: Improper Payments Information Act of 2002: 

NASA: National Aeronautics and Space Administration: 

OCFO: Office of Chief Financial Officer: 

OIG: Office of Inspector General: 

OMB: Office of Management and Budget: 

PAR: performance and accountability report: 

PMA: President's Management Agenda: 

USAID: United States Agency for International Development: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548:

November 9, 2007:

The Honorable Thomas R. Carper: 
Chairman: 
The Honorable Tom Coburn: 
Ranking Member: 
Subcommittee on Federal Financial Management, Government Information, 
Federal Services, and International Security Committee on Homeland 
Security and Governmental Affairs: 
United States Senate: 

Fiscal year 2006 marked the third year that federal executive branch 
agencies, including the United States Agency for International 
Development (USAID) and the National Aeronautics and Space 
Administration (NASA), were required to report improper payment 
information under the Improper Payments Information Act of 2002 
(IPIA)[Footnote 1] and information about their efforts to recover 
improper payments made to contractors under section 831 of the National 
Defense Authorization Act for Fiscal Year 2002, commonly known as the 
Recovery Auditing Act.[Footnote 2] As we reported in March 
2007,[Footnote 3] the total reported governmentwide improper payment 
estimate was about $42 billion for fiscal year 2006. As the steward of 
taxpayer dollars, the federal government is accountable for how its 
agencies and awardees spend hundreds of billions of taxpayer dollars 
and is responsible for safeguarding those funds against improper 
payments as well as having mechanisms in place to recoup those funds 
when improper payments occur. IPIA and the Recovery Auditing Act 
provide an impetus for applicable agencies to systematically address 
improper payment activity annually, and to identify and recover 
contract overpayments.

Since fiscal year 2000, we have issued a number of reports and 
testimonies aimed at raising the level of attention given to improper 
payments. Our work over the past several years has demonstrated that 
improper payments are a long-standing, widespread, and significant 
problem in the federal government. IPIA has increased visibility over 
improper payments by requiring executive branch agency heads, based on 
guidance from the Office of Management and Budget (OMB),[Footnote 4] to 
identify programs and activities susceptible to significant improper 
payments,[Footnote 5] estimate amounts improperly paid, and report on 
the amounts of improper payments and their actions to reduce them. 
Similarly, the Recovery Auditing Act requires agencies to 
systematically identify and recover contract overpayments. This act 
requires, among other things, that all executive branch agencies 
entering into contracts with a total value exceeding $500 million in a 
fiscal year have cost-effective programs for identifying errors in 
paying contractors and for recovering amounts erroneously paid. Since 
fiscal year 2004, agencies have been required by OMB to report on IPIA 
and recovery auditing efforts in their performance and accountability 
reports (PAR).

For the first 3 years of IPIA implementation, fiscal years 2004 through 
2006, USAID and NASA have reported that none of their programs and 
activities were susceptible to significant improper payments and either 
did not report any or provided minimal information on recovery auditing 
activities. Although USAID and NASA differ in size, with annual budgets 
exceeding $10 billion and $16 billion, respectively, both agencies 
awarded over 75 percent of their total budget to contractors or 
grantees[Footnote 6]--thereby increasing the risk of improper payments 
made to awardees. In particular, at NASA, we have previously 
reported[Footnote 7] on long-standing weaknesses and vulnerabilities in 
its contract management. Since 1990, we have designated NASA's contract 
management as high-risk principally because NASA lacked a modern 
financial management system to provide accurate and reliable 
information on contract spending and placed little emphasis on product 
performance, cost controls, and program outcomes. The lack of an 
effective financial management system is also included as a financial 
management weakness that contributed to NASA receiving a disclaimer of 
opinion on its financial statements for the past 3 fiscal years. NASA's 
Office of Inspector General (OIG) has also identified financial 
management and the contract and acquisition process as being among the 
most serious management and performance challenges.

At USAID, we have reported[Footnote 8] on weaknesses associated with 
its contract management and oversight of U.S. assistance to 
Afghanistan. For example, we found that during fiscal year 2004, USAID 
did not consistently require contractors to fulfill contract provisions 
or provide adequate contract oversight, including holding contractors 
to stipulated requirements and conducting required reviews of 
contractor performance. We also have previously reported on control 
weaknesses in USAID's ability to collect agencywide obligation and 
expenditure data and long-standing challenges associated with USAID's 
financial management and reporting, including a lack of complete, 
reliable, and timely information needed to make sound, cost-effective 
decisions.[Footnote 9]

OIG and external audit reports have also identified weaknesses related 
to contract management and oversight in Iraq. USAID's OIG 
reported[Footnote 10] that the agency made about $8 million in payments 
to a contractor for security services in Iraq without a valid 
obligation, including not obtaining the minimum documentation required 
and signing a contract prior to making these payments. The OIG 
determined that without an effective funds control system, USAID cannot 
prevent overspending or ensure compliance with various laws enacted to 
control and guide the implementation of federal fiscal policy. In 
addition, on the basis of its review of a $1.33 billion cost-plus 
reconstruction contract issued by USAID, the Special Inspector General 
for Iraq Reconstruction found insufficient contract oversight that 
resulted in inconsistent contract management, inadequate contractor 
direction, and ineffective performance assessments.[Footnote 11]

In addition to these previously reported weaknesses in USAID and NASA 
operations, limited improper payments reporting by the two agencies in 
fiscal year 2004 and concerns raised by NASA's auditors regarding its 
risk assessment process prompted scrutiny from your subcommittee during 
several oversight hearings on governmentwide improper payments. 
[Footnote 12] Because of congressional concern that USAID's and NASA's 
PAR reporting on improper payments had not improved in the second year 
of IPIA implementation, and both agencies reported minimal recovery 
auditing information, you asked us to determine (1) the extent to which 
USAID and NASA performed the required risk assessments to identify 
programs and activities that were susceptible to significant improper 
payments for fiscal year 2004 through fiscal year 2006, (2) steps USAID 
and NASA have taken to recoup improper payments through recovery 
audits, and (3) actions USAID and NASA have under way to improve their 
IPIA and recovery audit reporting.

To address each of these objectives, we reviewed improper payments and 
recovery auditing legislation and OMB implementing guidance. We also 
reviewed USAID's and NASA's fiscal years 2004 through 2006 PARs and 
external audit reports and interviewed agency officials about their 
risk assessment methodologies, recovery auditing activities, and 
efforts completed and under way to meet the reporting requirements of 
IPIA and the Recovery Auditing Act. To assess the reliability of 
USAID's and NASA's IPIA and recovery auditing reporting, we talked to 
agency officials about data quality control procedures and reviewed 
relevant documentation. We determined the data were sufficiently 
reliable for the purposes of this report. We conducted our work from 
September 2006 through August 2007 in accordance with generally 
accepted government auditing standards. See appendix I for more details 
on our scope and methodology.

Results in Brief:

While both USAID and NASA took steps to assess their payment activities 
for risk, including conducting a review of select payment 
streams[Footnote 13] for improper payments, we identified numerous 
deficiencies in their procedures. USAID and NASA lacked a systematic 
method to review and analyze program operations to determine if risks 
exist, what those risks are, and the potential or actual impact of 
those risks on program operations. For example, neither USAID nor NASA 
had developed a process to (1) identify risks that exist in their 
payment activities or (2) evaluate the results of their payment stream 
reviews, such as weighting and scoring the effectiveness of existing 
internal control over payments made and results from external audits. 
Other weaknesses related to USAID, NASA, or both included a lack of 
established criteria for payment transaction reviews at the agency 
component level and no review of grant program payments to ensure 
awardees have safeguarded federal funds from improper payments. As a 
result of the inadequacies we identified in their risk assessment 
process, USAID and NASA cannot be certain that they have no programs or 
activities susceptible to significant improper payments, and 
ultimately, have not yet effectively implemented IPIA. Furthermore, 
risk assessment documentation maintained by USAID and NASA was lacking 
or insufficient to support their conclusions that no programs or 
activities were susceptible to significant improper payments.

Although USAID and NASA have reported on steps taken to recoup improper 
contract payments, we found that recovery auditing procedures were not 
consistently performed for each of the 3 fiscal years reviewed. We also 
noted that documentation was lacking or did not adequately support 
reported recovery amounts and that neither agency adhered to all of the 
reporting requirements outlined in OMB's implementing guidance. For 
example, USAID and NASA did not report on recovery auditing activities 
in their fiscal year 2004 PARs. NASA reported that it was in the 
process of awarding a recovery audit contract. USAID reported on the 
dollar amount of contracts reviewed, but for the sole purpose of 
addressing IPIA reporting requirements and concluding that its grant 
and contract payment activities were not susceptible to significant 
improper payments.

For fiscal years 2005 and 2006, USAID recovery auditing procedures 
consisted of reviews of certain OIG and external audit reports of 
USAID. However, the methodology used for conducting those audits may 
not have constituted a recovery audit as defined by OMB guidance, and 
thus may be insufficient for this purpose. Also, USAID was unable to 
provide documentation of audit findings to support any of the recovery 
auditing amounts included in its PARs. Because of these limitations, we 
were unable to determine the validity of USAID's recovery auditing 
activities and accuracy of reported recovery amounts. NASA, on the 
other hand, used IPIA contract payment review results to report amounts 
recovered for fiscal year 2005. However, the payment reviews were 
limited in scope and did not provide an adequate representation of the 
extent of contract overpayments. For fiscal year 2006, NASA used a 
contractor to perform a recovery audit. Although the contractor 
identified about $121 million in potential contract overpayments, NASA 
officials told us that based on their review, they identified a small 
portion of that amount as "valid contract claims" totaling $256,255 
with subsequent recoveries totaling $139,420. NASA officials determined 
that a vast majority of the claims submitted by the contractor were not 
improper as they related to cost-type contracts with provisional 
billing rates included in the contract terms, and were subject to a 
final or closeout audit that likely would have identified those 
payments reported by the contractor. In addition, we noted that both 
agencies did not adhere to all of the recovery auditing reporting 
requirements outlined in OMB guidance, including that the agencies had 
no description of a corrective action plan to address the root causes 
of payment error or no disclosure of the description and justification 
of the classes of contracts excluded from recovery auditing.

While USAID and NASA experienced significant challenges in their first 
3 years of implementing IPIA and the Recovery Auditing Act, both 
agencies have taken steps to strengthen their risk assessment process 
and actions are under way to improve recovery audit efforts. For 
example, for its fiscal year 2007 risk assessment, USAID developed a 
database that compiles all of its payment disbursements made worldwide. 
USAID told us that it will use this database to annually identify its 
payment streams and corresponding volume and dollar amounts by mission 
or geographic location, data mine for duplicate payments, research 
other payment anomalies, and perform tests of transactions. USAID also 
stated that it plans to leverage the agency's work related to internal 
controls under OMB Circular No. A-123 requirements[Footnote 14] to 
assess control activities for IPIA purposes. For recovery auditing, 
USAID hired a contractor to carry out a recovery audit over all 
contract payments for fiscal year 2007. However, because the contractor 
identified minimal contract overpayments based on its limited review of 
USAID's fiscal year 2005 contract payments, the recovery auditor 
determined that it would not be profitable to continue its work at 
USAID. Going forward, USAID plans to work with its OIG to enhance in- 
house recovery auditing procedures as performed in past years. Overall, 
we believe these actions under way will better position USAID to 
identify and target high-risk areas and determine the effectiveness of 
control activities to reduce risks of improper payments. However, we 
note that USAID's current plans still lack a systematic method to 
determine if risks of improper payments exist, what those risks are, 
and the potential or actual impact of those risks on operations.

NASA hired a consulting firm to develop a methodology for conducting 
its fiscal year 2007 risk assessment for IPIA reporting. The consultant 
categorized the agency's disbursements within specific programs and 
activities as opposed to payment streams as done by NASA in previous 
years. Based on its work, the consultant identified 30 programs with 
approximately $10.8 billion in disbursements to include in NASA's 
review for determining risk level. The consultant then determined that 
5 of the 30 programs were at risk for being susceptible to significant 
improper payments. NASA subsequently hired another consulting firm to 
conduct statistical sampling and testing of five different payment 
categories included in the five programs to determine if the programs 
were susceptible to significant improper payments, thus requiring NASA 
to estimate and report on the amounts of improper payments and actions 
to reduce them. From its review, the consulting firm reported that no 
significant improper payments were found, but recommended various 
actions for NASA to take to eliminate future errors. NASA plans to 
report these results in its fiscal year 2007 PAR. The work of the 
contractors represents a great enhancement in NASA's risk assessment 
methodology, when compared to prior years. In addition, NASA hired a 
recovery auditing firm to perform a recovery audit of its fixed priced 
contracts, similar to previous years. However, NASA has determined that 
its interim and closeout audits--including the withholding of final 
funds until the audit is complete--and adjustments to future billings 
for ongoing contracts, decrease the risk of contract overpayments, and 
therefore, consistent with OMB guidance, has excluded other contract 
types from its recovery auditing program. Although consistent with OMB 
guidance, NASA's universe of contract dollars subject to a recovery 
auditing program continues to remain relatively small, less than 20 
percent of its total value of contracts. For its fiscal year 2007 PAR, 
NASA anticipates reporting interim results of initial recoveries 
related to contract overpayments. Because the contractor had just begun 
work to develop and execute an approach for conducting the recovery 
audit, we were unable to determine the reasonableness of the auditors' 
methodology by the end of our fieldwork.

We make a total of 10 recommendations to USAID and NASA to help improve 
their efforts to implement IPIA and the Recovery Auditing Act by 
focusing on performing risk assessments and reporting on efforts to 
recover improper payments.

We provided a draft of this report to USAID and NASA for comment. USAID 
did not specifically respond to our recommendations, but provided a 
technical comment which we incorporated into this report. NASA 
concurred with our recommendations and also provided technical comments 
on the draft, which have been incorporated as appropriate. Both 
agencies' comments, along with our evaluation, are discussed in the 
Agency Comments and Our Evaluation section of this report. Their 
comments are also reprinted in their entirety in appendixes IV and V.

Background:

IPIA was passed in November 2002 with the major objective of enhancing 
the accuracy and integrity of federal payments. IPIA requires executive 
branch agency heads to review their programs and activities annually 
and identify those that may be susceptible to significant improper 
payments. For each program and activity agencies identify as 
susceptible, the act requires them to estimate the annual amount of 
improper payments and to report those estimates to the Congress. The 
act further requires that for programs for which estimated improper 
payments exceed $10 million, agencies are to report annually to the 
Congress on the actions they are taking to reduce those payments.

The act also requires the Director of OMB to prescribe guidance for 
agencies to use in implementing IPIA. OMB's implementing 
guidance[Footnote 15] requires the use of a systematic method for the 
annual review and identification of programs and activities that are 
susceptible to significant improper payments. However, this guidance 
also allows for annual reviews (also known as risk assessments) to be 
conducted less often than annually for programs where improper payment 
baselines are already established, are in the process of being 
measured, or are scheduled to be measured by an established date--which 
is inconsistent with the express requirement of IPIA. In addition, 
OMB's guidance defines significant improper payments as those in any 
particular program that exceed both 2.5 percent of program payments and 
$10 million annually.[Footnote 16] It requires agencies to estimate 
improper payments annually using statistically valid techniques for 
each susceptible program or activity. The guidance also allows agencies 
to use alternative sampling methodologies[Footnote 17] and requires 
agencies to report on and provide a justification for using these 
methodologies in their PARs. For those agency programs determined to be 
susceptible to significant improper payments and with estimated annual 
improper payments greater than $10 million, IPIA and related OMB 
guidance require each agency to annually report the results of its 
efforts to reduce improper payments.

In August 2004, OMB established Eliminating Improper Payments as a new 
program-specific initiative under the President's Management Agenda 
(PMA). This separate PMA program initiative began in the first quarter 
of fiscal year 2005. Previously, agency efforts related to improper 
payments were tracked along with other financial management activities 
as part of the Improving Financial Performance initiative of the PMA. 
The objective of establishing a separate initiative for improper 
payments was to ensure that agency managers are held accountable for 
meeting the goals of IPIA and are therefore dedicating the necessary 
attention and resources to meeting IPIA requirements. With this 
initiative, 15 agencies[Footnote 18] are to measure their improper 
payments annually, develop improvement targets and corrective actions, 
and track the results annually to ensure the corrective actions are 
effective. This list does not include USAID or NASA, which are 
nevertheless covered under IPIA and thus are required to address 
improper payments for their programs and activities. However, both 
USAID and NASA stated that they consulted with OMB, although 
infrequently, about procedures planned or under way for the first 3 
years of IPIA implementation.

In addition, applicable agencies are required by OMB guidance to report 
their efforts to recoup contract-related improper payments under 
section 831 of the National Defense Authorization Act for Fiscal Year 
2002,[Footnote 19] commonly referred to as the Recovery Auditing Act. 
This legislation provides an impetus for applicable agencies to 
systematically identify and recover contract overpayments for executive 
branch agencies entering into contracts with a cumulative total value 
exceeding $500 million in a fiscal year. Furthermore, the law 
authorizes federal agencies to retain recovered funds to cover in-house 
administrative costs as well as to pay other contractors, such as 
collection agencies.

Recovery auditing is a method that agencies can use to recoup detected 
(as opposed to estimated) improper payments. As such, recovery auditing 
is a detective control to help determine whether contractor payments 
were proper. Specifically, it focuses on the identification of 
erroneous invoices, discounts offered but not received, improper late 
penalty payments, incorrect shipping costs, and multiple payments for 
single invoices. Recovery auditing can be conducted in-house or 
contracted out to recovery audit firms. The techniques used in recovery 
auditing offer the opportunity for identifying weaknesses in agency 
internal controls, which can be modified or upgraded to be more 
effective in preventing improper payments before they occur during 
subsequent contract outlays.

Agencies that are required to undertake recovery audit programs were 
directed by OMB to provide annual reports on their recovery audit 
efforts, along with improper payment reporting detailed in an appendix 
to their PAR. Specifically, OMB's implementing guidance[Footnote 20] 
requires that agencies include in the PAR:

* a general description and evaluation of the steps taken to carry out 
a recovery auditing program;

* the total cost of the agency's recovery auditing program;

* the total amount of contracts subject to review, the actual amount of 
contracts reviewed, the amounts identified for recovery, and the 
amounts actually recovered in the current year;

* a corrective action plan to address the root causes of payment error;

* a general description and evaluation of any management improvement 
program carried out; and:

* a description and justification of the classes of contracts excluded 
from recovery auditing review by the agency head.

USAID's and NASA's Risk Assessment Processes and Documentation Could Be 
Improved:

For the first 3 years of IPIA implementation--fiscal years 2004 through 
2006--both agencies performed various procedures to conduct their risk 
assessments. Many of these procedures are positive steps to address the 
requirements of IPIA. At the same time, we identified numerous 
deficiencies in the procedures that warrant further improvement. 
Specifically, we found that both agencies lacked a systematic method to 
determine if risk of improper payments existed in their programs or 
activities, what those risks were, or the potential or actual impact of 
those risks on operations. For example, USAID and NASA had not 
developed a standardized process to evaluate the results of their 
reviews, such as weighting and scoring the results of risk conditions 
to determine susceptibility. As such, the various procedures performed 
did not provide meaningful results or may not have adequately depicted 
the agencies' risk of improper payments. In addition, we noted USAID 
and NASA had not assessed the effectiveness of internal controls relied 
upon and weaknesses existed in payment reviews performed at the agency 
component level. Furthermore, risk assessment documentation maintained 
by USAID and NASA was lacking or insufficient to support their 
conclusions that no programs or activities were susceptible to 
significant improper payments.

Overview of USAID's and NASA's IPIA Reporting for the First 3 Years of 
Implementation:

Fiscal year 2004 marked the first year in which all executive branch 
agencies were required to report improper payment information in their 
PARs under IPIA. Both USAID and NASA conducted a review of their 
payment streams as part of their risk assessment process to identify 
significant improper payments. OMB's implementing guidance includes a 
broad definition of programs and activities subject to IPIA,[Footnote 
21] which encompasses a review of payment activities. We found during 
our review of fiscal year 2006 PARs that agencies generally used one of 
two approaches to conduct their risk assessments--a review of program 
operations or a review of payment streams.[Footnote 22] Although 
agencies are allowed under OMB's implementing guidance to determine 
their program and activity inventory for the purposes of performing a 
risk assessment, the two approaches can produce different results. In 
particular, a review of payment streams identifies the susceptibility 
of improper payments for specific payment types that could relate to 
multiple programs within an organization. On the other hand, a review 
of distinct programs would identify the susceptibility of improper 
payments for the different payment types included in a particular 
program. Depending on the volume and dollar amount of payments or size 
of a program, an agency could determine based on OMB's current 
definition of significant improper payments--exceeding $10 million and 
2.5 percent of program payments--that it had significant improper 
payments using one approach but not with the other, greatly impacting 
its risk assessment results.

Implementing a payment stream approach, USAID and NASA did not identify 
any risk-susceptible programs or activities for fiscal year 2004. This 
continued into fiscal year 2005 for both agencies. For fiscal year 
2006, USAID identified two high-risk payment streams as part of its 
risk assessment--cash transfers and contracts, grants, and cooperative 
agreements.[Footnote 23] However, the identification of these two 
payment streams did not result from a systematic process in place to 
identify high-risk programs, but rather was due to the high ratio of 
disbursements for these two payment streams to total agency outlays 
(about 77 percent for fiscal year 2006). On the other hand, NASA 
continued to assert for fiscal year 2006 that it had no programs 
susceptible to significant improper payments although it did not 
perform a risk assessment for that year. The following is a description 
of USAID's and NASA's risk assessment processes for fiscal years 2004 
through 2006. Details of the weaknesses we identified in these 
processes are included later in this section.

USAID's Risk Assessment:

At USAID, the Cash Management and Payment (CMP) division within the 
Office of the Chief Financial Officer (OCFO) has the responsibility of 
executing and meeting the requirements of IPIA for the agency. For 
fiscal year 2004, CMP identified a universe of 11 payment 
streams[Footnote 24] totaling about $7.6 billion as part of its IPIA 
risk assessment. See appendix II for a description of each payment 
stream. For fiscal year 2004, these payment streams consisted of 
program, operating, and other fund disbursements made from headquarters 
and its 38 accounting stations[Footnote 25] that conduct cash 
management activities for approximately 70 mission offices[Footnote 26] 
located overseas. Two of the 11 payment streams--cash transfers and 
contracts, grants, and cooperative agreements--totaled $6.8 billion, or 
90 percent of total outlays. USAID's payment streams are shown in 
figure 1.

Figure 1: USAID's Major Payment Streams for Fiscal Year 2004 (dollars 
in millions):

[See PDF for image] 

This figure is a pie-chart, depicting the following data: 

USAID's Major Payment Streams for Fiscal Year 2004 (dollars in 
millions): 
Contracts, grants, and cooperative agreements[B]: $5,179.4 (68%); 
Cash Transfers: $1,639.1 (22%); 
Other: $767.6 (10%). 

Source: GAO analysis of USAID's fiscal year 2004 payment stream 
outlays. 

[A] The Other category consists of the remaining nine payment streams: 
payroll, mission allowances, travel, transportation, training, other 
operating expenses, payments to other agencies, credit-financing funds, 
and revolving funds.

[B] For fiscal year 2004, contract payments totaled about $1.9 billion, 
grant payments totaled about $1.7 billion, and cooperative agreement 
payments totaled about $1.4 billion of the payment stream. In addition, 
USAID officials told us that its interagency agreement payment activity 
represented a small portion of this payment stream totaling about $155 
million or 3 percent for the same year.

[End of figure] 

USAID's risk assessment for fiscal year 2004 consisted of a two-pronged 
review--payments made from headquarters and payments from the 38 
mission accounting stations. According to USAID, approximately 75 
percent of payments are made at headquarters and 25 percent from the 
mission offices. For the headquarters' risk assessment, USAID stated it 
performed a review of all 11 payment streams; however, it did not 
perform any risk assessment procedures for two of the payment streams-
-training and transportation--because each of these payment streams' 
total outlays did not exceed $10 million, and therefore, would not have 
met OMB's dual criteria for estimating and reporting improper payments. 
As part of its risk assessment process, USAID officials told us that 
they conducted interviews with management and various operation 
managers responsible for the payment types to determine internal 
controls over payment activity. USAID also stated it performed sampling 
of its fiscal year 2003 travel transactions and reviewed 25 percent of 
all travel transactions above $2,500 that had been identified as risk 
susceptible. In addition, USAID met with the OIG and stated that it 
reviewed certain OIG reports and external audit reports with 
recommendations, such as Defense Contract Audit Agency (DCAA) audit 
reports and Single Audit Act[Footnote 27] reports, to identify internal 
control weaknesses over grant funds. Lastly, USAID stated that it 
relied on routine prepayment and postpayment review activities which 
are designed to help ensure the accuracy and validity of payments made. 
For example, according to USAID policy, voucher examiners review and 
process vouchers that contractors submit to USAID for payment; the 
examiners determine that a valid obligation exists, check mathematical 
accuracy, and ascertain that proper approvals and authorizations have 
taken place.

For the mission accounting stations' risk assessment, USAID required 
that 4 of the 11 payment streams[Footnote 28] be reviewed since it had 
access to the payment activity for the remaining 7 payment streams and 
incorporated those payments into the headquarters risk assessment. 
Also, similar to headquarters, the mission accounting stations were not 
required to review payment streams with total outlays less than $10 
million. USAID provided general guidance to the controllers of each 
mission accounting station on IPIA and OMB implementing guidance, and 
included a memorandum from the Deputy CFO to each controller explaining 
actions needed to conduct the risk assessment, along with a template 
for each mission accounting station to complete on their review of the 
payment transactions. USAID incorporated the results of these payment 
reviews in the headquarters' risk assessment to determine overall risk 
for the agency.

For the fiscal year 2005 and 2006 risk assessments, USAID leveraged the 
work completed for fiscal year 2004, its baseline year, and compared 
total outlays for each subsequent fiscal year to fiscal year 2004, to 
determine whether significant changes in reported outlays had occurred. 
USAID determined that there had been no significant changes and thus 
applied analytical procedures--consisting of multiplying fiscal year 
2004 payment stream percentages of the total fiscal year 2004 net 
outlay and fiscal years 2005 and 2006 total outlay amounts--to estimate 
the dollar amount of each payment stream for each of the given years. 
Using this information, USAID stated that it relied on its reviews of 
OIG and external audit reports, prepayment and postpayment reviews, and 
A-123 internal control reviews to ensure the risk of improper payments 
was minimized. No payment reviews were performed at the mission 
accounting stations for fiscal years 2005 and 2006 because USAID had 
determined that payments made by the missions were not high-risk, based 
on the results of its fiscal year 2004 risk assessment and the 
quantitative and qualitative procedures performed. USAID officials also 
informed us that they reviewed various external audit reports and 
relied on the agency's routine pre-and postpayment reviews. For 
example, USAID performs data mining of all payment transactions using 
vendor information and dollar value to identify potential duplicate 
payments.

NASA's Risk Assessment:

At NASA, the OCFO is responsible for executing and meeting the 
requirements of IPIA for the agency. For fiscal years 2004 through 
2006, NASA identified six payment streams as part of its IPIA risk 
assessment--firm-fixed-price contracts, incentive-fee contracts, award-
fee contracts, cost-plus-fixed-fee contracts, other contracts, and 
grants, totaling about $12 billion annually. See appendix III for a 
description of each payment stream. These payment streams represent 
procurement actions[Footnote 29] and grant awards made at NASA's 
headquarters and its nine centers[Footnote 30] located around the 
country. For its risk assessment, NASA did not identify a universe of 
outlays for all types of payment streams such as travel, training, and 
payroll, for our period of review, fiscal years 2004 through 2006. NASA 
did provide us with a schedule of six payment streams representing 
procurement and grant data reported in NASA's annual procurement 
reports. Figure 2 provides a breakdown of NASA's major payment streams 
with fiscal year 2004 amounts.

Figure 2: NASA's Reported Major Payment Streams for Fiscal Year 2004 
(dollars in millions):

[See PDF for image] 

This figure is a pie-chart, depicting the following data: 

NASA's Reported Major Payment Streams for Fiscal Year 2004 (dollars in 
millions): 
Award-fee contracts: $5,605.0 (47%); 
Incentive-fee contracts: $3,166.0 (27%); 
Firm-fixed-price contracts: $1,471.0 (12%); 
Grants: $630.2 (5%); 
Cost-plus-fixed-fee contracts: $574.0 (5%); 
Other contracts[A]: $460.0 (4%). 

Source: NASA. 

[A] The Other contracts payment stream includes miscellaneous 
expenditures such as fixed-price redetermination, economic price 
adjustment, labor-hour, and time-and-material contracts.

[End of figure]

NASA's risk assessment included a review of payments made from 
headquarters and the centers, although it did not include a review of 
all payment streams. Specifically, for fiscal years 2004 and 2005, NASA 
only performed a review of its firm-fixed-price payment stream, 
representing a small portion (about 12 percent for fiscal year 2004 and 
20 percent for fiscal year 2005) of total reported payment streams. 
NASA stated that it excluded its various cost-type contracts because 
(1) these contracts are subject to interim and closeout audits 
performed by DCAA, (2) these contract payments may be adjusted in 
future billings to correct previous errors, and (3) 5 to 10 percent of 
the cost contract value is withheld until the closeout audit is 
completed. NASA officials told us that NASA will include cost-type 
contracts in its fiscal year 2007 risk assessment. Regarding the 
exclusion of grant payments, NASA stated that these payments are 
subject to Single Audit Act reviews as well as periodic reviews for 
compliance with cash management, financial management system, or 
financial reporting requirements. NASA's review of its firm-fixed-price 
payment stream included selecting a sample of firm-fixed-price payment 
transactions made during one quarter, at headquarters, and each center. 
NASA provided its centers instructions, consisting of an e-mail from 
the improper payments coordinator, on the scope of payment transactions 
to be reviewed. On the basis of the results of each center's review, 
NASA reported in its fiscal years 2004 and 2005 PARs that it had no 
programs and activities susceptible to significant improper payments. 
For fiscal year 2006, NASA OCFO officials told us that it did not 
perform a risk assessment of all of its programs and activities due to 
turnover of its headquarters staff responsible for IPIA and recovery 
auditing. Instead, NASA relied on its recovery auditing work for fiscal 
year 2006 to determine that no programs and activities were susceptible 
to significant improper payments.

USAID and NASA Lacked Systematic Processes for Conducting Their Risk 
Assessments:

We found numerous deficiencies in USAID's and NASA's procedures. Both 
agencies lacked a systematic method to determine if risk of improper 
payments existed in their programs or activities, what those risks 
were, or the potential or actual impact of those risks on operations. 
As such, the various procedures performed did not provide meaningful 
results or may not have adequately depicted the agencies' risk of 
improper payments. In addition, we noted USAID and NASA had not 
assessed the effectiveness of internal controls relied upon and 
weaknesses existed in payment reviews performed at the agency component 
level.

A lack of detailed written guidance may have contributed to the 
deficiencies we identified. Although USAID had general guidance in its 
payables management directive that reiterated IPIA requirements, no 
procedures existed on how to conduct a risk assessment and evaluate 
those results. In addition, NASA had not developed any guidance that 
could direct steps performed to ensure it met applicable IPIA 
requirements. OMB guidance provides that agencies annually perform risk 
assessments of their programs and activities, but offers limited 
information on how to conduct a risk assessment, thus allowing agencies 
broad flexibility for determining a methodology to employ to meet IPIA 
requirements. In our November 2006 report,[Footnote 31] we recommended, 
and OMB agreed, that the IPIA implementing guidance be expanded to 
describe in greater detail factors that agencies should consider when 
conducting their annual risk assessments. The OMB guidance, though, has 
not yet been updated to describe risk factors agencies should consider 
when conducting their annual risk assessments.

While OMB does not require agencies to develop agency-specific guidance 
related to IPIA, during our review of agencies' internal IPIA guidance, 
we noted that nine agencies[Footnote 32] had developed either guidance 
or a tool, such as a schedule, survey, or questionnaire, to facilitate 
their compliance with IPIA. As the risk assessment is a key step in 
gaining assurance that programs and activities are operating as 
intended and that they are achieving expected outcomes, it is critical 
that agencies develop a comprehensive approach for determining the 
extent and level of risk of improper payments in order to identify the 
nature and type of corrective action needed.

Lack of Identified Risk Factors:

For the first 3 years of IPIA implementation, significant flaws existed 
in USAID's and NASA's processes to identify risk in their payment 
activities. For example, neither agency had established or considered 
risk factors to assist them in identifying programs and activities 
vulnerable to improper payments, such as assessments of internal 
control, audit report findings, and human capital risks related to 
staff turnover, training, or experience. We noted that some agencies 
have developed factors or risk conditions that directly or indirectly 
affect the likelihood of improper payments within a program or 
activity. We noted from our review of fiscal year 2006 PARs or annual 
reports that 13 agencies reported that one of the risk factors they 
considered during the assessment included internal and external 
reviews, such as results from identified system or program weaknesses, 
and OIG and Single Audit Act reports. Similarly, 13 agencies reported 
that an assessment of internal controls was another type of risk factor 
used during their process.

Although there is no requirement for agencies to identify risk factors 
as part of their risk assessment process, this type of identification 
is consistent with our previous recommendation that OMB establish risk 
factors in its guidance for agencies to consider and consistent with 
our Standards for Internal Control in the Federal Government[Footnote 
33] and executive guide on strategies to manage improper 
payments,[Footnote 34] which provides a framework for conducting a 
comprehensive risk assessment. Our executive guide identifies the 
following four strategies that should be considered when determining 
the nature and extent of improper payments:

* institute a systematic process to estimate the level of improper 
payments being made by the organization;

* based on this process, determine where risks exist, what those risks 
are, and the potential or actual impact of those risks on program 
operations;

* use risk assessment results to target high-risk areas and focus 
resources where the greatest exposure exists; and:

* reassess risks on a recurring basis to evaluate the impact of 
changing conditions, both external and internal, on program operations.

While USAID and NASA did perform procedures that addressed some of the 
common risk factors identified by other agencies, there was no 
established process in place to identify the types of risk specific to 
the payment streams reviewed during the assessment process. Had both 
agencies made a more concerted effort to identify particular risk 
factors, additional procedures may have been considered, facilitating a 
more in-depth review and analysis of their payment streams or program 
operations. We also found that USAID and NASA had not developed a 
standardized process to evaluate the results of actions they completed 
as part of their risk assessments, such as weighting and scoring the 
results of risk conditions to determine susceptibility. As such, the 
various procedures performed did not provide meaningful results or 
adequately depict the agencies' risk of improper payments.

For example, both agencies reported performing one or more of the 
following steps--assessing internal controls, reviewing external 
audits, and conducting payment reviews--yet neither agency developed a 
process that identified the potential or actual impact of those 
results, and ultimately risks, on their agency operations. Assessing 
the results or risk conditions identified during the risk assessment 
plays a major role in determining the overall risk level of an agency's 
operations as risk conditions do not have an equal effect on all 
programs or activities. Some risk conditions may affect a program or 
activity to a greater or lesser degree. Likewise, not all risk 
conditions may be relevant to each program or activity. Therefore, 
assigning a weight to each risk condition would accurately reflect the 
level of importance and influence each risk condition has on a specific 
program or activity.

We view findings from OIG and external audits as valuable information 
that agencies can use to identify areas vulnerable to improper 
payments. OIG and external audits, such as performance audits, provide 
an objective and systematic examination of evidence for the purpose of 
providing an assessment of the performance of a government 
organization, program, activity, or function. As part of its risk 
assessment, USAID reported conducting a review of OIG and external 
audits, while NASA did not. Yet, as previously stated, USAID did not 
have a process in place to evaluate the potential or actual impact of 
those risks on operations. For both USAID and NASA, we identified 
various GAO, OIG, and Single Audit Act audit reports as well as 
Department of Justice (DOJ) investigation reports that highlighted 
fraud, questioned costs, and internal control weaknesses, that may not 
have been adequately considered during the risk assessment process. 
Some examples of findings from investigations and audits for fiscal 
years 2004 through 2006 follow.

USAID:

* USAID could not provide a complete accounting of $405 million 
primarily used to support maternal and child health efforts in Africa, 
Asia, Latin America, and the Caribbean.[Footnote 35]

* A vendor agreed to pay $1.2 million to settle potential claims that 
it overcharged USAID in three contracts for overseas economic 
development work.[Footnote 36]

* Two vendors agreed to pay a total of $1.31 million to settle 
allegations that they knowingly submitted more than 100 false claims 
for reimbursement, overstating the charges actually incurred for 
freight and insurance.[Footnote 37]

NASA:

* A contractor paid the government $615 million, including $106.7 
million to NASA, to resolve criminal and civil allegations that the 
company improperly used another contractor's information to procure 
contracts for launch services worth billions of dollars.[Footnote 38]

* A contractor paid a former NASA electrical subcontractor up to $2 
million in unsupported costs. In addition, two of the contractor's 
senior procurement officials admitted to soliciting and receiving 
kickbacks from the subcontractor in exchange for bid information and 
assistance in the approval of change orders. A civil settlement amount 
of $1.4 million was reached between NASA and the contractor.[Footnote 
39]

* NASA's OIG found various weaknesses in NASA's acquisition and 
contracting processes such as a lack of a reliable financial management 
system to track contract spending, inadequate control over government 
property held by contractors, and procurement process abuses by NASA 
employees and contractors.[Footnote 40]

Key Internal Controls Not Assessed for Effectiveness:

As part of their risk assessments, USAID and NASA reported that they 
relied on pre-and postpayment controls over payment transactions to 
identify risk. Although USAID and NASA provided us with some general 
internal controls over various payment streams, neither had documented 
the controls or the effectiveness of those controls to ensure proper 
reliance for purposes of conducting a risk assessment.[Footnote 41] In 
addition, USAID officials told us that they had interviewed management 
and various program managers to assess internal controls. However, 
USAID had not developed a list of, or series of questions--such as a 
standard questionnaire--to ensure consistency regarding the types of 
questions asked across agency operations and that focused discussions 
on specific issues related to improper payments and internal controls. 
Similarly, NASA told us that it relied on postpayment controls over its 
various cost-type contracts, thus excluding over 80 percent of its 
procurement dollars, and ultimately the related contract payments. Yet, 
NASA performed no independent assessments[Footnote 42] of these 
postpayment controls and was not knowledgeable of specific procedures 
DCAA performed during its contract audits. As previously mentioned, 
NASA officials told us that they will include cost-type contracts in 
NASA's fiscal year 2007 risk assessment.

Weaknesses in Payment Reviews:

Although USAID and NASA performed select payment reviews as part of 
their risk assessment, we found no established criteria for conducting 
these reviews and the reviews were limited in scope in some instances, 
as well as inconsistently performed. Because of the lack of guidance 
and insufficient review, USAID and NASA cannot be certain that these 
payment reviews adequately support that payments made were not 
susceptible to significant improper payments.

For its fiscal year 2004 risk assessment, USAID instructed its 38 
mission accounting stations to perform payment reviews of their 
payroll, travel, allowances, and other payment streams totaling about 
$159 million. Although USAID provided its mission accounting stations 
with general guidance regarding IPIA and a template to use when 
performing their payment reviews, there were no detailed instructions 
on specific characteristics or attributes of the payment transactions 
that the mission accounting stations should review to identify improper 
payments. USAID told us that the mission accounting stations had 
flexibility in tailoring the extent of their risk assessments and 
sampling methodology because they collectively represent only 25 
percent of USAID's total disbursements and each mission (1) differs 
based on the nature of its programs and the volume of payment activity 
and (2) performs 100 percent of payment reviews as part of its normal 
course of business. Therefore, some mission accounting stations may 
have conducted statistical or nonstatistical sampling while others 
performed 100 percent payment reviews. As a result, such payment review 
results may not be comparable among mission accounting stations or 
representative of their payment activity. USAID stated that it was not 
possible to verify or validate any of the information received from the 
mission accounting stations since they used stand-alone accounting 
systems that were not integrated with headquarter's accounting system 
during our period of review. From these payment reviews, the mission 
accounting stations collectively identified about $258,973 in improper 
payments for fiscal year 2004. On the basis of the fiscal year 2004 
mission risk assessment results and other quantitative and qualitative 
analysis performed, USAID determined that payments made from mission 
accounting stations were low-risk and therefore it did not conduct 
separate payment reviews for fiscal years 2005 and 2006. For its fiscal 
years 2005 and 2006 payment reviews at headquarters, USAID stated it 
relied on its reviews of OIG and external audit reports, pre-and 
postpayment reviews, and A-123 internal control reviews. However, we 
were unable to verify that all payment streams were included in the 
reviews and could not evaluate any procedures performed as USAID was 
unable to provide documentation that supported these actions or their 
results.

We identified similar weaknesses in NASA's payment reviews. For 
example, NASA also lacked established criteria for payment transaction 
reviews conducted by its centers for purposes of IPIA, including 
specific characteristics or attributes of the payment transactions that 
the centers should review to identify improper payments. This led to 
inconsistent application of the methodology that centers were asked to 
use to conduct their payment reviews. For example, one NASA center 
selected payment transaction amounts of $100,000 or greater rather than 
the 15 percent of its first quarter payments consistent with the other 
centers and as requested by NASA headquarters. The same center also 
noted that it reviewed documentation to determine whether or not the 
payments complied with Prompt Payment Act[Footnote 43] provisions, 
rather than IPIA requirements. When we brought it to their attention, 
NASA OCFO officials said that the center could have erroneously tested 
according to the wrong act.

On the basis of its testing of transactions, NASA reported that it 
identified $70,599 in improper payments for fiscal year 2004 from its 
examination of $14.6 million in firm-fixed-price contract payments and 
identified $617,442 in improper payments for fiscal year 2005 based on 
its examination of $82.5 million of those same types of contract 
payments. However, we noted that NASA did not verify the results of its 
centers' payment reviews. Furthermore, NASA's independent auditor 
reported in fiscal year 2004 that the agency may not have fully 
complied with IPIA requirements because NASA did not consider payments 
other than firm-fixed-price contract payments as part of the risk 
assessment process or prepare an estimate of improper payments. 
Therefore, the total improper payment amounts reported may not be 
accurate, especially given the inconsistencies we identified. For 
fiscal year 2006, according to OCFO officials, NASA did not conduct any 
payment reviews or overall risk assessment of its payment activities 
due to headquarters staff turnover responsible for IPIA. Instead, it 
relied on its recovery audit work performed during the year to conclude 
it had no programs and activities susceptible to significant improper 
payments. The adequacy of such a determination is questionable because 
the scope of review under the Recovery Auditing Act targets a specific 
type of payment--contracts--whereas the scope of review under IPIA 
includes a review of all programs and activities that are subject to 
different reporting requirements if they are found to be susceptible to 
significant improper payments. Furthermore, OMB guidance under the 
Recovery Auditing Act allows agencies to exclude certain classes of 
contracts from consideration,[Footnote 44] which is not permitted under 
IPIA. Under IPIA, all programs and activities are subject to review.

Although NASA reported its payment reviews were statistically based, 
its minimal coverage of the firm-fixed-price payment stream was 
inconsistent with OMB guidance that directs that agencies use a 12- 
month period to report improper payment information. Specifically, for 
fiscal years 2004 and 2005, NASA identified a small universe of firm- 
fixed-price procurement payments as the basis for each year's payment 
reviews. Already representing a small percentage of total reported 
payment streams--12 percent for fiscal year 2004 and 20 percent for 
fiscal year 2005--NASA OCFO further narrowed the scope of dollars to be 
reviewed by instructing its centers to select statistical samples of 
only 15 percent of its firm-fixed-price contract payments made during a 
3-month period, January 1 to March 31 of each year. NASA was unable to 
provide an explanation for the basis of these limited reviews. Despite 
NASA's reported use of statistical sampling to conduct its payment 
reviews, its small sample population and minimal coverage of the firm- 
fixed-price payment stream compared to total procurement dollars does 
not adequately represent NASA's total contract activity, which accounts 
for about 85 percent of NASA's annual budget.

Furthermore, NASA excluded grant program payments, totaling about $630 
million for fiscal year 2004, from its risk assessment review. OMB 
guidance requires that agencies include federal awards subject to the 
Single Audit Act, as amended, as part of their review to address IPIA 
reporting requirements. In its fiscal year 2004 audit report, NASA's 
auditors reported that the agency may not have fully complied with IPIA 
requirements as it did not explicitly consider payments other than firm-
fixed-price as part of the risk assessment process or prepare an 
estimate of improper payments. The auditors also reported that NASA 
noted that audit efforts by nonfederal auditors with respect to 
grantees and by government auditors with respect to certain NASA 
contracts aid in identifying and mitigating improper payments. While 
single audits could be a source of improper payment information, we 
previously reported that single audits, by themselves, may lack the 
level of detail necessary for achieving IPIA compliance.[Footnote 45] 
Specifically, single audits generally focus on the largest dollar 
amounts in an auditee's portfolio. Thus, all programs identified as 
susceptible to improper payments at the federal level may not receive 
extensive coverage under a single audit. Consequently, both the depth 
and level of detail of single audit results are, generally, 
insufficient to identify improper payments, estimate improper payments, 
or both.

USAID and NASA Lacked Sufficient Documentation to Support Their Risk 
Assessment Processes:

While OMB guidance requires agencies to maintain documentation of their 
risk assessment, USAID and NASA were unable to support a majority of 
the actions highlighted earlier in this report regarding their risk 
assessment processes. Given the lack of documentation and deficiencies 
we found relating to USAID's and NASA's risk assessments, we have no 
basis to determine whether steps performed supported both agencies' 
conclusions that no programs and activities were susceptible to 
significant improper payments. Our Standards for Internal Control in 
the Federal Government[Footnote 46] provides that internal control and 
all transactions and other significant events need to be clearly 
documented and readily available for examination. The documentation 
should appear in management directives, administrative policies, or 
operating manuals. Also, all documentation and records should be 
properly managed and maintained.

At USAID, we noted a documentation requirement in its policy directive 
related to IPIA reporting, yet the agency was unable to provide us the 
following for each of the 3 fiscal years:

* documentation to support interviews of program managers regarding 
program operations and internal control;

* testing of headquarters payment transactions, including sampling 
plans of statistical samples used to test travel and other payment 
transactions, a list of sample transactions selected, key attributes 
tested, and evaluation of those results; and:

* a list of external audit reports reviewed, their findings, and impact 
on the risk assessment process.

Furthermore, we found discrepancies when tracing lead schedules to 
supporting documentation and inadequate documentation of USAID's 
duplicate payment reviews. For example, as part of its duplicate 
payment reviews, USAID did not document the search criteria used to 
identify potential duplicate payments, the range of payments reviewed 
to prevent overlapping or reviewing the same payments in subsequent 
reviews, and the potential duplicate payments flagged and their 
resolutions.

Similarly, NASA provided us minimal supporting documentation of its 
payment reviews for fiscal year 2004 and could not provide almost half 
of the documentation for fiscal year 2005. NASA told us that each 
year's payment reviews were based on a statistical sample of payments 
made at headquarters and its centers. However, NASA could not provide 
us a copy of its sampling plans, list of transactions selected, sample 
results, and subsequent evaluation. NASA relied almost entirely on 
these payment reviews to support its conclusion that it had no programs 
and activities susceptible to significant improper payments for fiscal 
years 2004 and 2005, yet could not provide documentation to support its 
conclusions. For fiscal year 2006, NASA acknowledged that it did not 
perform a risk assessment due to staff turnover, and thus no 
documentation existed. Nevertheless, NASA still reported that it had no 
programs and activities of significant risk based on recovery audit 
work performed on its research and development contracts. Had NASA 
adequately documented its IPIA efforts from the previous fiscal years, 
it would have been better positioned to address IPIA requirements for 
fiscal year 2006. Thus, documentation becomes even more essential 
during periods of staff transition.

The magnitude of the lack of documentation issue was evident in the 
NASA auditor's report on compliance with laws and regulations for 
fiscal year 2006. In that report, the auditor raised concerns about the 
lack of documentation to support the agency's IPIA efforts. 
Specifically, the auditor reported that NASA had potentially violated 
certain requirements of IPIA as management was unable to provide 
sufficient documentation to support performance of an annual review of 
all programs and activities it administers to identify those that may 
be susceptible to significant improper payments.

Weaknesses Found in Recovery Auditing Procedures Raise Questions About 
the Validity and Accuracy of Reported Recovery Audit Amounts:

Although USAID and NASA have reported on steps taken to recoup improper 
contract payments, we found several weaknesses in their recovery 
auditing procedures for fiscal years 2004 through 2006. In particular, 
USAID and NASA did not report recovery auditing information for each 
fiscal year, documentation was lacking or not adequately supported, and 
neither agency adhered to all of the reporting requirements outlined in 
OMB's implementing guidance. Due to a lack of, or insufficient, 
documentation, along with identified weaknesses, the validity and 
accuracy of the reported recovery amounts are questionable.

Recovery Audit Information Not Reported or Lacked Supporting 
Documentation in Most Instances:

USAID and NASA did not fully report on recovery audit activities for 
each of the 3 fiscal years under review. Specifically, USAID and NASA 
did not report recovery audit information in their fiscal year 2004 
PARs. NASA reported that it was in the process of awarding a recovery 
audit contract, while USAID reported on the dollar amount of contracts 
reviewed, but for the sole purpose of addressing IPIA reporting 
requirements and concluding that its grant and contract payment 
activities were not susceptible to significant improper payments. 
Consequently, OMB did not recognize USAID or NASA as reporting fiscal 
year 2004 recovery audit information when it reported on governmentwide 
recovery audit efforts for that year.

For fiscal year 2005, USAID again leveraged the work used to address 
IPIA requirements to satisfy the requirements of the Recovery Auditing 
Act. USAID reported about $5.9 million in questioned costs identified 
through OIG audits of grants and contracts. Of this amount, about $5.8 
million (98 percent) had been recovered. While USAID reported this 
information in its PAR, the agency was unable to provide us a list of 
the audit reports reviewed and specific findings that supported the 
amounts identified and actually recovered, raising questions about 
their validity and accuracy. Likewise, NASA leveraged the results of 
its IPIA work to address the recovery auditing requirements. However, 
as we stated earlier, the scope of review was limited in nature as NASA 
only tested 15 percent of its firm-fixed-price contract payments over a 
3-month period and could not provide almost half of the documentation 
to support the dollar value sampled. On the basis of its limited 
testing, NASA identified and recovered only $617,442 in contract 
overpayments.

For fiscal year 2006, USAID reviewed questioned costs identified 
through OIG audits of grants and contracts as it had done in the 
previous fiscal year. USAID reported about $9.1 million in questioned 
costs identified through OIG audits of grants and contracts and DCAA 
contract audits. Of this amount, about 99 percent had been recovered. 
Again, USAID was unable to provide documentation of the specific audit 
reports and findings to support the recovery audit amounts. In addition 
to the lack of documentation for both fiscal years 2005 and 2006, the 
audit reports used may not have been designed to identify the types of 
payment errors that would be identified through a recovery audit, as 
USAID stated that some of the audit findings resulted from DCAA 
contract audits.

OMB guidance differentiates procedures performed under a recovery audit 
versus a contract audit. OMB guidance defines a recovery audit as a 
review and analysis of the agency's books, supporting documents, and 
other available information supporting its payments that is 
specifically designed to identify overpayments to contractors that are 
due to payment errors.[Footnote 47] On the other hand, contract audits 
are normally performed for the purpose of determining if amounts 
claimed by the contractor are in compliance with the terms of the 
contract and applicable laws and regulations and are not designed to 
specifically identify payment errors as described under recovery 
audits. If the DCAA and OIG audit reports used by USAID to identify the 
recovery auditing amounts were not specifically designed to identify 
payment errors, as defined by OMB, the reported recovery audit amounts 
for fiscal years 2005 and 2006 may not accurately reflect payment 
errors for purposes of recovery auditing and thus, may be misstated.

NASA used a recovery audit firm for fiscal year 2006 to review contract 
payments made from fiscal years 1997 through 2005, totaling $57.4 
billion. Of this amount, the recovery audit firm identified over $121 
million in potential contract overpayments. However, based on NASA's 
review and conclusion that most of the potential contract overpayments 
identified by the recovery audit firm were not erroneous, it reported 
significantly lower recovery audit amounts--$256,255 in contract 
overpayments identified for recovery and $139,420 in actual recoveries. 
See table 1 for recovery audit amounts reported by USAID and NASA for 
fiscal years 2004 through 2006.

Table 1: USAID's and NASA's Reported Recovery Auditing Amounts for 
Fiscal Years 2004 to 2006:

Agency: USAID; 
Fiscal year 2004: Agency-reported amount identified for recovery: did 
not report; 
Fiscal year 2004: Agency-reported amount recovered: did not report; 
Fiscal year 2005: Agency-reported amount identified for recovery: 
$5,900,000; 
Fiscal year 2005: Agency-reported amount recovered: $5,782,000; 
Fiscal year 2006: Agency-reported amount identified for recovery: 
$17,100,000; 
Fiscal year 2006: Agency-reported amount recovered: $17,090,000.

Agency: NASA; 
Fiscal year 2004: Agency-reported amount identified for recovery: did 
not report; 
Fiscal year 2004: Agency-reported amount recovered: did not report; 
Fiscal year 2005: Agency-reported amount identified for recovery: 
$617,442; 
Fiscal year 2005: Agency-reported amount recovered: $617,442; 
Fiscal year 2006: Agency-reported amount identified for recovery: 
$256,255; 
Fiscal year 2006: Agency-reported amount recovered: $139,420.

Sources: OMB and USAID and NASA PARs for fiscal years 2004 through 2006.

[End of table]

We asked NASA officials about the significant difference in its 
reported recovery audit amounts when compared to the recovery auditor's 
reported amounts. According to NASA, the firm's recovery auditing work 
covered all contract types from fiscal years 1997 through 2005. Upon 
further review of the contractor's submitted claims, NASA determined 
that a vast majority of the claims submitted by the contractor were not 
erroneous as they related to cost-type contracts with provisional 
billing rates included in the contract terms, which were subject to a 
final or closeout audit that would likely have identified those 
improper payments reported by the contractor. Thus, NASA officials 
stated that only a small portion ($256,255) of the $121 million in 
potential contract overpayments represented "valid contract claims" or 
contract overpayments that would be pursued for recovery.

OMB guidance[Footnote 48] for recovery auditing allows agencies to 
exclude classes of contracts and contract payments from recovery audit 
activities when they have determined that recovery audits are 
"inappropriate or are not a cost-effective method for identifying and 
recovering erroneous payments." Examples OMB provides as classes of 
contracts and contract payments that may be excluded include:

* cost-type contracts that have not been completed where payments are 
interim, provisional, or otherwise subject to further adjustment by the 
government in accordance with the terms and conditions of the contract;

* cost-type contracts that were completed, subjected to a final 
contract audit and, prior to final payment of the contractor's final 
voucher, all prior interim payments made under the contract were 
accounted for and reconciled; and:

* other contracts that provide for contract financing payments or other 
payments that are interim, provisional, or otherwise subject to further 
adjustment by the government in accordance with the terms and 
conditions of the contract.

Although NASA's exclusion of the bulk of the recovery audit firm's 
potential contract overpayments (primarily related to cost-type 
contracts) was consistent with OMB guidance, which allows agencies to 
exclude these classes of contracts, limiting its universe to firm- 
fixed-price contracts may not be the best use of resources. These types 
of contracts typically provide the least amount of risk of improper 
payments as firm-fixed-price contracts are generally not subject to 
fluctuations in contractor costs, thereby decreasing the risk level of 
improper payments made by agencies. However, NASA officials told us 
that because its cost-type contract payments are subject to extensive 
reviews via contract audits and internal reviews, further examination 
under a recovery auditing program would not provide any additional 
value and could be, to some extent, duplicative in nature.

USAID and NASA Did Not Adhere to Applicable OMB Recovery Auditing 
Reporting Requirements:

There are several reporting requirements that agencies are required to 
follow when reporting recovery auditing information, such as a 
description and justification of the classes of contracts excluded from 
recovery auditing and a corrective action plan to address the root 
causes of any payment errors. Agencies are also required to report, in 
table format, various amounts related to contracts subject to review 
and actually reviewed, contract amounts identified for recovery and 
actually recovered, and prior-year amounts.

From our review, we found that USAID's and NASA's reporting of recovery 
auditing information did not meet the OMB reporting requirements. 
Although we noted improvement in both agencies' fiscal year 2006 
reporting of recovery auditing information when compared to the 
previous fiscal year, USAID and NASA still had not addressed all key 
elements. For example, both USAID and NASA provided a general 
description of the steps taken to carry out their recovery auditing 
program for fiscal year 2006 and presented, in table format, the 
various recovery auditing amounts on contracts subject to review, 
identified for recovery, and actually recovered.[Footnote 49] However, 
we found no description of a corrective action plan to address the root 
causes of payment error. In addition, for fiscal year 2005, NASA only 
reported on recovery audit results for its firm-fixed-price contract 
overpayments, but this information and its exclusion of other contract 
types were not disclosed in NASA's PARs. Without adequate disclosure, 
this type of presentation may lead to a mischaracterization of the 
extent to which contract overpayments exist.

USAID and NASA Have Taken Steps to Strengthen Their Risk Assessment 
Processes and Recovery Auditing Procedures, but Challenges Remain:

While USAID and NASA have experienced significant challenges in their 
first 3 years of IPIA implementation, both agencies have taken steps to 
strengthen their risk assessment processes and ultimately, IPIA 
reporting. Actions are also under way to improve recovery auditing 
efforts. However, improvements are still needed to address some of the 
weaknesses related to conducting risk assessments and performing 
recovery auditing procedures.

Actions Under Way to Enhance Risk Assessment Process, but Additional 
Steps Needed:

USAID has taken several steps to strengthen its process for identifying 
programs and activities that may be susceptible to improper payments, 
but additional steps are needed to adequately address IPIA reporting 
requirements. USAID has developed a new IPIA database that is intended 
to compile all of its payment disbursements made worldwide. The new, 
interactive tool will interface with its core accounting system, 
Phoenix, which will enable USAID to annually identify its payment 
streams and corresponding volume and dollar amounts by mission or 
geographic location, data mine for duplicate payments, research other 
payment anomalies, and perform tests of transactions. USAID told us 
that since August 2006, when Phoenix was fully implemented agencywide, 
its monitoring capabilities and testing of payment transactions had 
increased significantly now that its headquarters staff has access to 
all disbursement activity regardless of where the payments were made.

Going forward, USAID also stated it plans to work more closely with the 
OIG, including working with the OIG to develop a statistical sampling 
methodology for testing its payment streams agencywide as part of its 
risk assessment process. USAID also stated that it will periodically 
contact OMB for input and feedback related to its risk assessment 
process and results. Other steps USAID plans to implement include (1) 
leveraging the agency's assessment of internal control under OMB 
Circular No. A-123 requirements[Footnote 50] to determine whether 
control activities in place are effectively preventing improper 
payments; (2) increasing accountability among managers responsible for 
addressing IPIA reporting requirements by including IPIA 
responsibilities in their work plans, which are tied to the managers' 
performance assessments; and (3) improving its documentation of steps 
performed to comply with OMB guidance and internal policy. If these 
actions are properly implemented, we believe these actions will address 
some of our concerns related to conducting an assessment of internal 
control and testing of payment transactions. Specifically, these 
actions will better position USAID to identify and target high-risk 
areas, determine the effectiveness of control activities to reduce the 
risk of improper payments, and provide accountability among managers 
responsible for executing IPIA activities.

With regard to manager accountability, we noted that no specific 
standards have been developed for rating employee performance against 
responsibilities related to IPIA and that no performance awards or 
disciplinary actions exist as incentives for reducing improper 
payments, which may not achieve the desired effect.[Footnote 51] 
Lastly, USAID still lacks a systematic method to determine if risk of 
improper payments exists, what those risks are, and the potential or 
actual impact of those risks on operations. For example, while USAID 
has developed various quantitative and qualitative procedures as part 
of its risk assessment process, it still has not taken the first step 
of identifying and documenting risk factors that should be considered 
to ensure that the procedures performed adequately address areas within 
the agency that may be susceptible to improper payments. Furthermore, 
USAID has not developed an overall approach to then evaluate the work 
performed, including weighting and scoring the results of its 
quantitative and qualitative analysis, and thus provide a basis for 
making a final determination of its risk level for assessing improper 
payments under IPIA. We believe that implementation of these types of 
strategies to identify the nature and extent of improper payments is 
consistent with our framework for conducting risk assessments and will 
provide a comprehensive review and analysis of program operations.

NASA has made significant strides since its first year of IPIA 
implementation to improve its approach for conducting risk assessments 
and other IPIA reporting requirements. NASA hired a consulting firm for 
2 months (February 2007 through March 2007) to develop a methodology 
for conducting its fiscal year 2007 risk assessment. The consultant 
categorized the agency's fiscal year 2006 disbursements, including cost-
type contracts and grant payments, by programs instead of by payment 
streams, as was done by NASA in previous years. On the basis of its 
review of disbursements, the consulting firm established a materiality 
level of $80 million. All programs with total disbursements greater 
than $80 million were included in the program universe for further 
review. The consultant identified 30 programs with approximately $10.8 
billion in disbursements to include in the scope of review for 
determining risk level.

To assess the risk level of the programs, the consultant examined 
agency documentation and conducted (1) site visits; (2) interviews of 
program managers, other agency personnel, and NASA OIG; and (3) walk- 
throughs of program operations. On the basis of these steps, the 
consultant identified seven risk conditions[Footnote 52] and developed 
a risk matrix to evaluate and score each risk condition, using a 5 
point scale--with 1 point indicating low risk and 5 points indicating 
high risk. Following a calculation of the key risk factors that 
considered the frequency of risk, severity of risk, and the overall 
risk score, 5 of the 30 programs were deemed to be at risk for being 
susceptible to significant improper payments. The 5 programs are (1) 
Mars Exploration, (2) Solar System Research, (3) Space Shuttle Program, 
(4) International Space Station Program, and (5) Institutions and 
Management.

NASA subsequently hired another consulting firm to conduct statistical 
sampling from April 2007 through September 2007 of the 5 programs to 
determine if the programs are susceptible to significant improper 
payments and thus would need to estimate and report on the amounts of 
improper payments and actions to reduce them. Within each of these 5 
programs, the consulting firm identified five payment categories that 
were subject to detailed testing; they were travel expense 
reimbursement, payroll and employee benefits, grant payments, 
government purchase cards, and procurement and contracts. From its 
review, the consulting firm found approximately $884,243 of improper 
payments during the period of October 1, 2005, through September 30, 
2006.[Footnote 53] Although the consulting firm reported that no 
significant improper payments were found, it recommended various 
actions for NASA to take, including continuing to ensure that internal 
controls--automated and manual--are operating effectively relating to 
the receipt and processing of vendor invoices to ensure timely payment. 
The consulting firm submitted its final report with recommendations for 
improvement on October 23, 2007, in time for inclusion in NASA's fiscal 
year 2007 PAR.

During our review, NASA acknowledged weaknesses in its IPIA reporting 
for fiscal years 2004 through 2006 and stated that its risk assessment 
procedures did not adequately address OMB guidance. However, NASA felt 
confident that it had made significant gains with its IPIA reporting 
for fiscal year 2007. Although we did not perform a detailed review of 
its methodology--the work was ongoing during our fieldwork--NASA, with 
the assistance of outside contractors, appears to have developed an 
extensive methodology for conducting a risk assessment to identify 
programs and activities susceptible to significant improper payments. 
The steps taken thus far appear to align with our framework for 
conducting a risk assessment to determine the nature and extent of 
improper payments.

Recovery Auditing Efforts Have Begun:

In June 2006, USAID engaged the services of a recovery auditing firm to 
perform recovery auditing activities for its fiscal year 2007 PAR 
reporting. For the fiscal year 2007 reporting period, the recovery 
auditor's scope of review included payments made at headquarters for 
fiscal years 2003 through 2005. For payments made from mission 
accounting stations that were captured in USAID's core accounting 
system, the recovery auditors performed analytical procedures and 
concluded that no further work was warranted. The recovery auditors 
developed a three-tier process to identify the following types of 
potential contract overpayments:

* first tier--potential duplicate payments;

* second tier--amounts paid that exceeded the obligation or any 
adjustments not properly accounted for, and:

* third tier--invoices and payment vouchers with errors, including 
general and administrative rate variances.

From its review,[Footnote 54] the recovery auditor identified 300 
contracts, comprising 2,900 invoices, that warranted further review. 
The recovery auditor also reported that it randomly sampled an 
additional 900 invoices for review, but did not identify the number of 
contracts. On the basis of its work, the auditors referred $3 million 
of potential contract overpayments to USAID for review. From its 
review, USAID determined that of the $3 million, approximately $11,000 
constituted actual overpayments related to discount claims that had not 
been taken and decided it would initiate collection efforts. However, 
we were provided no documentation of the resolution of remaining 
contract payments determined not to be improper. After completing a 
limited review of fiscal year 2005 payments, the recovery auditor 
decided to discontinue its recovery auditing work at USAID as the 
results of its limited review revealed that the continuation of audit 
work would not be economically feasible or profitable. For its fiscal 
year 2007 PAR reporting, USAID stated it will report on the work 
performed by the recovery auditor. Going forward, USAID plans to 
conduct an in-house recovery auditing program as done in previous 
years, but stated it would work with the OIG to enhance procedures and 
address requirements in OMB's guidance. While the hiring of a recovery 
auditor did not identify a significant amount of contract overpayments, 
additional steps would help USAID ensure that its in-house recovery 
auditing program is consistent with the requirements of the Recovery 
Auditing Act and specifically designed to identify overpayments to 
contractors that are due to payment error.

For fiscal year 2007, NASA recompeted its contract for recovery 
auditing services and hired another recovery auditing firm in August 
2007. NASA stated that the scope of review will include only fiscal 
year 2006 fixed price contract payments valued at $1,000 or more. 
Although consistent with OMB guidance, NASA's universe of contract 
dollars subject to a recovery auditing program continues to remain 
relatively small, less than 20 percent of the total value of its 
contracts. As part of its recovery auditing procedures, the contractor 
will interview agency personnel and review applicable documentation to 
gain an understanding of NASA's payment processes. NASA anticipates 
reporting interim results of initial recoveries of contract 
overpayments in its fiscal year 2007 PAR. Because the recovery auditor 
had just begun work to develop and execute an approach for conducting 
the recovery audit, we were unable to determine the reasonableness of 
its methodology by the end of our fieldwork.

Conclusions:

Measuring improper payments and designing and implementing actions to 
reduce them are not simple tasks and will not be easily accomplished. 
USAID and NASA, under the umbrella of OMB's leadership, are working on 
this issue. Further, while internal control should be maintained as the 
front-line defense against improper payments, recovery auditing holds 
promise as a cost-effective means of identifying contractor 
overpayments. Preventing, identifying, and recovering improper payments 
in that order are what is needed across government. Both USAID and NASA 
have taken positive steps towards better implementation of improper 
payments and recovery auditing requirements for fiscal year 2007. 
Fulfilling the requirements of IPIA and the Recovery Auditing Act will 
require sustained attention to implementation and oversight to monitor 
whether desired results are being achieved.

Recommendations for Executive Action:

We are making a total of 10 recommendations to USAID and NASA to help 
improve their efforts to implement IPIA and the Recovery Auditing Act 
by focusing on performing risk assessments and reporting on efforts to 
recover improper payments. Specifically, we recommend that the 
Administrator, USAID,

* expand existing IPIA guidance to include detailed procedures for 
addressing the four key steps--perform risk assessment, estimate 
improper payments, implement a corrective action plan, annually report-
-that OMB requires agencies to perform in meeting the improper payment 
reporting requirements;

* develop a risk assessment tool, such as a risk assessment matrix, to 
determine if risks exist, what those risks are, and the potential or 
actual impact of those risks on program operations;

* use the risk assessment tool to institute a systematic approach to 
identify programs and activities susceptible to significant improper 
payments under IPIA;

* maintain documentation of actions performed to address IPIA and the 
Recovery Auditing Act requirements;

* develop a comprehensive recovery auditing program that is 
specifically designed to identify overpayments to contractors that are 
due to payment errors; and:

* adhere to OMB's guidance for reporting recovery auditing information 
in the annual PAR.

We recommend that the Administrator, NASA,

* develop IPIA guidance to include detailed procedures for addressing 
the four key steps--perform risk assessment, estimate improper 
payments, implement a corrective action plan, annually report--that OMB 
requires agencies to perform in meeting the improper payment reporting 
requirements;

* as part of this guidance, incorporate the risk assessment methodology 
developed by NASA's consulting firm to determine if risks exist, what 
those risks are, and the potential or actual impact of those risks on 
program operations;

* maintain documentation of actions performed to address IPIA and 
Recovery Auditing Act requirements; and:

* adhere to OMB's guidance for reporting recovery auditing information 
in its annual PAR.

Agency Comments and Our Evaluation:

We requested comments on a draft of this report from the Administrators 
of USAID and NASA or their designees. These comments are reprinted in 
their entirety in appendixes IV and V of this report. USAID did not 
specifically respond to our recommendations. However, USAID suggested 
expanding the definition of its Credit-Financing payment stream to 
provide more details on the purpose and use of this funding mechanism, 
which we incorporated as suggested. NASA concurred with all four of our 
recommendations and indicated that it would develop IPIA guidance to 
include detailed procedures to address the four key steps of IPIA, 
including incorporating the risk assessment methodology developed by 
its consulting firm. NASA noted that it has centralized its IPIA and 
Recovery Auditing Act activities at the NASA Headquarters OCFO (which 
will include responsibility for maintaining documentation to support 
its activities) and stated that it will report recovery auditing 
information in its PAR in accordance with OMB guidance. NASA also 
provided technical comments on the draft, which have been incorporated 
as appropriate.

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
after its date. At that time, we will send copies of this report to the 
Administrators of USAID and NASA and other interested parties. Copies 
will also be available to others upon request. In addition, the report 
is available at no charge on GAO's Web site at [hyperlink, 
http://www.gao.gov].

If you or your staffs have any questions regarding this report, please 
contact me at (202) 512-9095 or at [email protected]. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Major contributors to this 
report are listed in appendix VI.

Signed by: 

McCoy Williams: 
Director, Financial Management and Assurance:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

The objectives of this review were to determine (1) the extent to which 
USAID and NASA performed the required risk assessments to identify 
programs and activities that were susceptible to significant improper 
payments for fiscal year 2004 through fiscal year 2006, (2) steps USAID 
and NASA have taken to recoup improper payments through recovery 
audits, and (3) actions USAID and NASA have under way to improve their 
IPIA and recovery audit reporting. The scope of our review included two 
agencies, USAID and NASA.

To determine the extent to which USAID and NASA performed the required 
risk assessments for fiscal years 2004 through 2006, we reviewed 
improper payment legislation and OMB implementing guidance[Footnote 
55]. For both agencies, we reviewed their PARs for fiscal years 2004 
through 2006; reviewed internal guidance consisting of policies and 
procedures to address cash disbursements, accounts payable, and 
contract management; interviewed agency officials about the risk 
assessment process; and, when available, obtained and reviewed 
supporting documentation. In addition, we reviewed criteria for 
conducting risk assessments in our Standards for Internal Control in 
the Federal Government[Footnote 56] and executive guide on Strategies 
to Manage Improper Payments: Learning from Public and Private Sector 
Organizations[Footnote 57]. We also reviewed other agencies' PARs and 
internal IPIA guidance to identify examples of risk factors used and 
procedures followed when conducting their risk assessment process.

To determine steps USAID and NASA took to recoup improper payments 
through recovery audits, we reviewed the Recovery Auditing Act and 
Appendix C to OMB Circular No. A-123, Requirements for Effective 
Measurement and Remediation of Improper Payments.[Footnote 58] For both 
agencies, we reviewed their PARs for fiscal years 2004 through 2006 and 
internal guidance over contract management and debt collection 
activities. We also interviewed agency officials and their recovery 
audit contractor about recovery auditing efforts and when available, 
obtained and reviewed supporting documentation for recovery auditing 
amounts reported in the PARs.

To determine actions USAID and NASA had under way to improve their IPIA 
and recovery audit reporting, we interviewed agency officials and when 
available, obtained supporting documentation of plans for fiscal year 
2007 reporting. We also reviewed the agencies' fiscal year 2006 PARs, 
Request for Proposal documents, and Statements of Work documents for 
hired contractors.

To assess the reliability of USAID's and NASA's IPIA and recovery 
auditing reporting, we talked to agency officials about data quality 
control procedures and reviewed relevant documentation. For example, to 
determine the reliability of USAID's payment inventory data for fiscal 
year 2004, we tied USAID's total payment streams to the Statement of 
Budgetary Resources included in the financial section of the agency's 
PAR. For NASA, we applied alternative analytical procedures to assess 
the reliability of NASA's payment data, as we did not receive a 
breakout of the payment streams to tie directly to the Statement of 
Budgetary Resources. We compared procurement obligations contained in 
the annual procurement reports with NASA's net outlays in the Statement 
of Budgetary Resources for fiscal year 2006. We matched the percentage 
of obligations with information contained in our fiscal year 2007 High- 
Risk Series,[Footnote 59] and found that fiscal year 2006 net outlays 
comprised approximately 85 percent of obligations. We determined the 
data were sufficiently reliable for the purposes of this report. We 
requested comments on a draft of this report from the Administrators of 
USAID and NASA or their designees. Written comments were received from 
the Counselor to the Agency, USAID, and Deputy Administrator, NASA, on 
October 26, 2007. USAID's and NASA's comments are reprinted in 
appendixes IV and V. We conducted our work from September 2006 through 
August 2007 in accordance with generally accepted government auditing 
standards.

[End of section]

Appendix II: Types of Payment Streams Identified during United States 
Agency for International Development's Risk Assessment:

For fiscal years 2004 through 2006, USAID based its improper payment 
risk assessments on 11 payment streams--(1) Payroll, (2) Mission 
Allowances, (3) Cash Transfers, (4) Travel, (5) Transportation, (6) 
Training, (7) Other Operating Expenses, (8) Payments to Other Agencies, 
(9) Credit-Financing Funds, (10) Revolving Funds, and (11) Contracts, 
Grants, and Cooperative Agreements. A description of the 11 payment 
streams, along with a definition of each, follow.

1. Payroll. This payment stream consists of all U.S. direct hire base 
pay and related expenses, foreign national direct hire payroll, 
retirement and benefits, all personal services contractor's payroll, 
and all foreign national personal services contractor's payroll, 
retirement, and benefits.

2. Mission Allowances. This payment stream consists of employee 
allowances, cost of living, educational allowances, and home service 
transfer allowances.

3. Cash Transfers. This payment stream consists of the agency's cash 
transfers to the benefiting foreign countries as well as foreign 
organizations. These payments are made and deposited via the U.S. 
Treasury and/or the Federal Reserve Bank into the foreign government's 
account as designated in the official agreement or treaty between the 
U.S. and the foreign government.

4. Travel. This payment stream represents all travel expenses, 
including travel costs incurred for educational language training, 
evacuation, postassignment travel to field, home leave and rest and 
relaxation, site visits to mission offices, conferences, seminars, and 
meetings, and other operational travel.

5. Transportation. This payment stream consists of all transportation 
and freight costs incurred to missions or headquarters and from 
missions or headquarters.

6. Training. This payment stream consists of all costs incurred to 
obtain technical and professional training, such as language training, 
certification training for contract, project, and financial offices, 
training support costs, and other technical and professional training.

7. Other Operating Expenses. This payment stream consists of other 
expenses incurred by USAID to perform its work. Examples of other 
operating expenses are supplies, local travel, conferences, and other 
miscellaneous expenses that are deemed necessary for the successful 
performance of USAID's work.

8. Payments to Other Agencies. This payment stream consists of all 
payments made to other federal agencies for services and/or goods 
received. Outlays include rental payments to the General Services 
Administration for office and warehouse rent, payments to the Office of 
Personnel Management for background investigation services, and 
payments to the Defense Contract Audit Agency for federal audit 
services.

9. Credit-Financing Funds. This payment stream is principally intended 
for credit enhancement purposes and may be used where (a) the agency's 
sustainable development objectives may best be achieved effectively 
using credit, and (b) the risks of default may be reasonably estimated 
and managed. It is a financing tool to be used in addition to or in 
lieu of grant funding where appropriate. Credit financing funds 
agreements will be utilized only when the partner is a non-sovereign 
entity. No sovereign loan guarantees are permissible under existing 
credit financing authorities. Credit financing shall be a demand-driven 
initiative, with operating units having primary responsibility for 
designing, authorizing, and implementing activities in support of 
approved strategic objectives and within administration and 
congressional priorities for assistance. Credit financing operations 
require a clear separation of responsibility for assessing the 
developmental soundness and the financial soundness of each activity, 
with the latter responsibilities entrusted to a credit review board 
within the agency. Credit financing shall not be used unless it is 
probable that the transaction would not go forward without it, taking 
into consideration whether such financing is available for the term 
needed and at a reasonable cost.

10. Revolving Funds. This payment stream was created for a one-time 
purchase of land and a building in fiscal year 2004. There were no 
payments made from this account in either fiscal year 2005 or fiscal 
year 2006.

11. Contracts, Grants, and Cooperative Agreements.

* Contract. A mutually binding legal relationship obligating the seller 
to furnish the supplies or services (including construction) and the 
buyer to pay for them. It includes all types of commitments that 
obligate the government to an expenditure of appropriated funds and 
that, except as otherwise authorized, are in writing. In addition to 
bilateral instruments, contracts include (but are not limited to) 
awards and notices of awards; job orders or task letters issued under 
basic ordering agreements; letter contracts; orders, such as purchase 
orders, under which the contract becomes effective by written 
acceptance or performance; and bilateral contract modifications. 
Contracts do not include grants and cooperative agreements.

* Grant. A financial support to accomplish a public purpose in the form 
of money, or property in lieu of money from the federal government to 
an eligible recipient.

* Cooperative Agreement.[Footnote 60] A financial support to accomplish 
a public purpose in the form of money, or property in lieu of money, 
from the federal government to an eligible recipient.

[End of section]

Appendix III: Types of Payment Streams Identified during National 
Aeronautics and Space Administration's Risk Assessment:

For fiscal years 2004 and 2005, NASA based its improper payment risk 
assessments on six payment streams--(1) firm-fixed-price contracts, (2) 
incentive-fee contracts, (3) award-fee contracts, (4) cost-plus-fixed- 
fee, (5) other contracts, and (6) grants. NASA did not conduct a risk 
assessment for fiscal year 2006. Instead, NASA relied on its recovery 
auditing work to determine that no programs and activities were 
susceptible to significant improper payments. A description of the six 
payment streams, along with a definition of each, follow.

1. Firm-fixed-price contracts provide for a price that is not subject 
to any adjustment on the basis of the contractor's cost experience in 
performing the contract. This contract type places upon the contractor 
maximum risk and full responsibility for all costs and resulting profit 
or loss. It provides maximum incentive for the contractor to control 
costs and perform effectively and imposes a minimum administrative 
burden upon the contracting parties. The contracting officer may use a 
firm-fixed-price contract in conjunction with an award-fee incentive 
and performance or delivery incentives when the award fee or incentive 
is based solely on factors other than cost. The contract type remains 
firm-fixed-price when used with these incentives.

2. Incentive-fee contracts:

a. Cost-plus-incentive-fee is a cost-reimbursement contract that 
provides for an initially negotiated fee to be adjusted later by a 
formula based on the relationship of total allowable costs to total 
target costs. This contract type specifies a target cost, a target fee, 
minimum and maximum fees, and a fee adjustment formula. After contract 
performance, a fee payable to the contractor is determined in 
accordance with the formula. The formula provides, within limits, for 
increases in the fee above the target fee when total allowable costs 
are less than target costs, and decreases in the fee below the target 
fee when total allowable costs exceed target costs. This increase or 
decrease is intended to provide an incentive for the contractor to 
manage the contract effectively. When total allowable cost is greater 
than or less than the range of costs within which the fee-adjustment 
formula operates, the contractor is paid total allowable costs, plus 
the minimum or maximum fee.

b. Fixed-price incentive contract is a fixed-price contract that 
provides for adjusting profit and establishing a final contract price 
by application of a formula based on the relationship of total final 
negotiated cost to the total target cost. The final price is subject to 
a price ceiling, negotiated at the outset. There are two types of fixed-
price incentive contracts--firm target and successive target contracts.

3. Award-fee contracts:

a. Cost-plus-award-fee is a cost-reimbursement contract that provides 
for a fee consisting of (a) a base amount fixed at inception of the 
contract, and (b) an award amount that the contractor may earn in whole 
or in part during performance and that is sufficient to provide 
motivation for excellence in such areas as quality, timeliness, 
technical ingenuity, and cost-effective management. The amount of the 
award fee to be paid is determined by the government's judgmental 
evaluation of the contractor's performance in terms of the criteria 
stated in the contract. This determination and methodology for 
determining the award fee are unilateral decisions made solely at the 
discretion of the government.

b. Fixed-price contracts with award fees (FP-AF), a fixed price 
consisting of all estimated costs and profit is established at contract 
award along with an additional, separate award fee amount. The fixed 
price is paid for satisfactory performance; the award fee, if any, is 
earned, for performance beyond that required. Procurement officer 
approval is required for this type of contract. FP-AF combinations are 
used when the government, although wanting to provide an incentive to 
the contractor to deliver at an excellent or outstanding technical 
level, is unable to define that level in quantitative terms, or when 
metrics are not available or their use is not practical.

4. Cost-plus-fixed-fee is a cost-reimbursement contract that provides 
for payment to the contractor of a negotiated fee that is fixed at the 
inception of the contract. The fixed fee does not vary with actual 
cost, but may be adjusted as a result of changes in the work to be 
performed under the contract. This contract type permits contracting 
for efforts that might otherwise present too great a risk to 
contractors, but it provides the contractor only a minimum incentive to 
control costs.

5. Other contracts:

a. Fixed-price redetermination provides for both a firm fixed price for 
an initial period of contract deliveries or performance, and 
prospective redetermination, at a stated time or times during 
performance, of the price for subsequent periods of performance.

b. Fixed-price contracts with economic price adjustment provide for 
upward and downward revision of the stated contract price upon the 
occurrence of specified contingencies. Economic price adjustments are 
of three general types: adjustments based on established prices, 
adjustments based on actual costs of labor or material, and adjustments 
based on cost indexes of labor or materials.

c. Cost, or cost-no-fee, is a contract where the contractor is 
reimbursed allowable, allocable, and reasonable costs but receives no 
fee. Generally, cost contracts are used for research and development 
work performed by nonprofits and educational institutions, for 
facilities contracts, and for research and development or production 
contracts with for-profit contracts when they expect to derive some 
commercial benefit from the contracts. These contracts provide little 
incentive to the institution or contractor to control costs.

d. Cost-sharing contracts are cost-reimbursement contracts in which the 
contractor receives no fee and is reimbursed only for an agreed-upon 
portion of its allowable costs.

e. Labor-hour contracts are a variation of the time-and-materials 
contract, differing only in that materials are not supplied by the 
contractor.

f. Time-and-materials contracts provide for acquiring supplies or 
services on the basis of (a) direct labor hours at specified fixed 
hourly rates that include wages, overhead, general and administrative 
expenses, and profit, and (b) actual cost for materials.

g. Other is a designation for any other contract types that are not 
separately listed in the NASA annual procurement report. It is not a 
federal acquisition regulation-recognized contract type.

h. Combination is not a separate contract type; it notes that a 
particular contract consists of more than one contract type, e.g., a 
cost-plus-award-fee contract and a cost-incentive-fee contract.

6. Grant is an award of financial assistance, including cooperative 
agreements, in the form of money or property in lieu of money, by the 
federal government to an eligible grantee. The term does not include 
technical assistance which provides services instead of money, or other 
assistance in the form of revenue sharing, loans, loan grantees, 
interest subsidies, insurance, or direct appropriations. Also, the term 
does not include assistance, such as a fellowship or other lump sum 
award, which the grantee is not required to account for.

[End of section]

Appendix IV: Comments from the United States Agency for International 
Development:

USAID: 
From The American People: 

U.S. Agency for International Development: 
1300 Pennsylvania Avenue, NW: 
Washington, DC 20523: 
[hyperlink, http://www.usaid.gov]: 

October 26, 2007: 

Mr. McCoy Williams: 
Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, D.C. 20548: 

Dear Mr. Williams: 

I am pleased to provide the U.S. Agency for International Development's 
(USAID) formal response on the draft GAO report entitled Improper 
Payments: Weaknesses in USAID's and NASA's Implementation of the 
Improper Payments Information Act and Recovery Auditing (GAO-08-77).

The Office of the Chief Financial Officer reviewed the draft GAO report 
(GAO-08-77) and has one recommendation at this time. Please expand the 
Credit-Financing Funds definition located on page 60 to the following:

9. Credit Financing is principally intended for credit enhancement 
purposes and may be used where (a) the Agency's sustainable development 
objectives may best be achieved effectively using credit, and (b) the 
risks of default may be reasonably estimated and managed. It is a 
financing tool to be used in addition to or in lieu of grant funding 
where appropriate. Credit financing funds agreements will be
utilized only when the partner is a non-sovereign entity. No sovereign 
loan guarantees are permissible under existing Credit Financing 
authorities. Credit Financing shall be a demand-driven initiative, with 
Operating Units having primary responsibility for designing, 
authorizing, and implementing activities in support of approved 
strategic objectives and within Administration and Congressional 
priorities for assistance. Credit Financing operations require a clear 
separation of responsibility for assessing the developmental soundness 
and the financial soundness of each activity, with the latter 
responsibilities entrusted to a credit review board within the Agency. 
Credit financing shall not be used unless it is probable that the 
transaction would not go forward without it, taking into consideration 
whether such financing is available for the term needed and at a 
reasonable cost.

The Office of the Chief Financial Officer acknowledges that the Agency 
will have 60 days to respond to GAO's Recommendations for Executive 
Action once the final report is issued. Thank you for the opportunity 
to respond to the GAO final report and for the courtesies extended by 
your staff in the conduct of this review.

Sincerely, 

Signed by: 

Mosina H. Jordan: 
Counselor to the Agency: 

[End of section]

Appendix V: Comments from the National Aeronautics and Space 
Administration:

National Aeronautics and Space Administration: 
Office of the Administrator: 
Washington, DC 20546-0001: 

October 25, 2007: 

Mr. McCoy Williams: 
Director: 
Financial Management and Assurance: 
United States Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Williams: 

Thank you for the opportunity to review and comment on the draft report 
entitled "Improper Payments: Weaknesses in USAID's and NASA's 
Implementation of the Improper Payments Information Act and Recovery 
Auditing" (GAO-08-77), dated November 2007. 

NASA appreciates the GAO noting that, "NASA has made significant 
strides since its first year of IPIA implementation to improve its 
approach for conducting risk assessments and other IPIA reporting 
requirements." Also, GAO notes that "NASA...appears to have developed 
an extensive methodology for conducting a risk assessment to identify 
programs and activities susceptible to significant improper payments. 
The steps taken thus far appear to align with our framework for 
conducting a risk assessment to determine the nature and extent of 
improper payments." 

In its draft report, the GAO makes four recommendations to NASA aimed 
at improving the Agency's efforts to implement the IPIA and the 
Recovery Auditing Act by focusing on performing risk assessments and 
reporting on efforts to recover improper payments. 

Recommendation 1: Develop IPIA guidance to include detailed procedures 
for addressing the four key steps ï¿½ perform risk assessment, estimate 
improper payments, implement a corrective action plan, annually report 
ï¿½ that OMB requires agencies to perform in meeting the improper payment 
reporting requirements. 

Response: NASA concurs with this recommendation. As noted in the GAO 
report, the steps NASA has taken so far are intended to align with the 
GAO framework for conducting a risk assessment. We will now prepare 
detailed procedures as recommended to address the four key steps in 
this process ï¿½ perform risk assessment, estimate improper payments, 
implement a corrective action plan, and annually report. We anticipate 
completing this documentation during the second quarter of FY 2008. 

Recommendation 2: As part of this guidance, incorporate the risk 
assessment methodology developed by NASA's consulting firm to determine 
if risks exist, what those risks are, and the potential or actual 
impact of those risks on program operations. 

Response: NASA concurs with this recommendation. NASA is pleased with 
the methodology developed by its consultant for conducting the risk 
assessment for FY 2007 and will include that methodology in its 
guidance procedures in response to GAO's Recommendation 1.
Recommendation 3: Maintain documentation of actions performed to 
address IPIA and Recovery Auditing Act requirements. 

Response: NASA concurs with this recommendation. In FY 2007, NASA 
changed its approach for complying with IPIA requirements and has now 
centralized its activities at NASA Headquarters in the Office of the 
Chief Financial Officer (OCFO). NASA has redirected resources more 
effectively to achieve consistency and effective management of the 
program. Maintaining appropriate documentation is being accomplished by 
the OCFO at NASA Headquarters. 

Recommendation 4: Adhere to OMB's guidance for reporting recovery 
auditing information in its annual PAR. 

Response: NASA concurs with this recommendation. NASA is prepared to 
adhere to OMB's guidance for reporting recovery auditing information in 
its annual PAR. 

Technical comments to the draft report have been provided to GAO 
separately. 

My point of contact for this matter is Mr. Frank E. Petersen, III, 
Director of the Office of Quality Assurance, OCFO. He may be contacted 
by telephone at (202) 358-4772 or by e-mail at [email protected]. 

Sincerely, 

Signed by: 

Shana Dale: 
Deputy Administrator: 

[End of section] 

Appendix VI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

McCoy Williams, (202) 512-9095 or [email protected]: 

Acknowledgments: 

In addition to the contact named above, Carla Lewis, Assistant 
Director; Francine DelVecchio; Lisa M. Galvan-Trevino; Estela Guerrero; 
James Maziasz; Christina Quattrociocchi; Heather Rasmussen; Donell 
Ries; Chris Rodriguez; and Viny Talwar made key contributions to this 
report. 

[End of section] 

Footnotes: 

[1] Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002). 

[2] National Defense Authorization Act for Fiscal Year 2002, Pub. L. 
No. 107-107, div. A, title VIII, ï¿½ 831, 115 Stat. 1012, 1186 (Dec. 28, 
2001) (codified at 31 U.S.C. ï¿½ï¿½ 3561-3567). 

[3] GAO, Improper Payments: Agencies' Efforts to Address Improper 
Payment and Recovery Auditing Requirements Continue, GAO-07-635T 
(Washington, D.C.: Mar. 29, 2007). 

[4] OMB Circular No. A-123 Appendix C, Requirements for Effective 
Measurement and Remediation of Improper Payments (Aug. 10, 2006). 

[5] IPIA defines improper payments as any payment that should not have 
been made or that was made in an incorrect amount (including 
overpayments and underpayments) under statutory, contractual, 
administrative, or other legally applicable requirements. It includes 
any payment to an ineligible recipient, any payment for an ineligible 
service, any duplicate payment, payments for services not received, and 
any payment that does not account for credit for applicable discounts. 

[6] In general, the term contractors refers to contract activities 
while the term grantees refers to assistance activities such as grants 
and cooperative agreements. See appendixes II and III for a further 
description of these funding mechanisms. 

[7] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007); Financial Management Systems: Additional Efforts Needed 
to Address Key Causes of Modernization Failures, GAO-06-184 
(Washington, D.C.: Mar. 15, 2006). 

[8] GAO, Afghanistan Reconstruction: Despite Some Progress, 
Deteriorating Security and Other Obstacles Continue to Threaten 
Achievement of U.S. Goals, GAO-05-742 (Washington, D.C.: July 28, 
2005). 

[9] GAO, Global Health: USAID Supported a Wide Range of Child and 
Maternal Health Activities, but Lacked Detailed Spending Data and a 
Proven Method for Sharing Best Practices, GAO-07-486 (Washington, D.C.: 
Apr. 20, 2007); Financial Management: Sustained Effort Needed to 
Resolve Long-Standing Problems at U.S. Agency for International 
Development, GAO-03-1170T (Washington, D.C.: Sept. 24, 2003); Major 
Management Challenges and Program Risks: U.S. Agency for International 
Development, GAO-03-111 (Washington, D.C.: January 2003); Major 
Management Challenges and Program Risks: U.S. Agency for International 
Development, GAO-01-256 (Washington, D.C.: Jan. 1, 2001); and Financial 
Management: Inadequate Accounting and System Project Controls at AID, 
GAO/AFMD-93-19 (Washington, D.C.: May 24, 1993). 

[10] U.S. Agency for International Development, Office of Inspector 
General, Audit of USAID's Compliance With Federal Regulations in 
Awarding the Contract for Security Services in Iraq to Kroll Government 
Services International Inc., A-267-05-005-P (Washington, D.C.: Jan. 6, 
2005). 

[11] Special Inspector General for Iraq Reconstruction, Quarterly 
Report and Semiannual Report to the United States Congress, (Arlington, 
VA: July 30, 2007). 

[12] Hearing before the Subcommittee on Federal Financial Management, 
Government Information, and International Security, Committee on 
Homeland Security and Governmental Affairs, United States Senate, 
Improper Payments: Where Are Truth and Transparency in Federal 
Financial Reporting, July 12, 2005 and Reporting Improper Payments: A 
Report Card on Agencies' Progress, March 9, 2006. Hearing before the 
Subcommittee on Federal Financial Management, Government Information, 
Federal Services, and International Security, Committee on Homeland 
Security and Governmental Affairs, United States Senate, Eliminating 
and Recovering Improper Payments, March 29, 2007. 

[13] OMB's implementing guidance includes a broad definition of 
programs and activities subject to IPIA and allows agencies to 
determine their program and activity inventory for the purposes of 
performing a risk assessment. Two approaches agencies commonly use to 
carry out their risk assessments include a review of program operations 
or a review of payment activity or streams. 

[14] In December 2004, OMB revised its Circular No. A-123, Management's 
Responsibility for Internal Control, to provide guidance to federal 
managers on improving the accountability and effectiveness of federal 
programs and operations by establishing, assessing, correcting, and 
reporting on management controls. 

[15] In August 2006, OMB revised its IPIA implementing guidance. The 
revision consolidates into Appendix C to OMB Circular No. A-123 three 
memorandums previously issued by OMB. These memorandums are: M-03-07, 
"Programs to Identify and Recover Erroneous Payments to Contractors," 
(Jan. 16, 2003); M-03-12, "Allowability of Contingency Fee Contracts 
for Recovery Audits," (May 8, 2003); and M-03-13, "Improper Payments 
Information Act of 2002 (Public Law 107-300)," (May 21, 2003). The 
revised guidance is effective for agencies' fiscal year 2006 improper 
payment estimating and reporting in the PARs or annual reports. 

[16] IPIA does not mention the "exceeding the 2.5 percent of program 
payments" threshold that OMB uses for identifying and estimating 
improper payments. 

[17] An example of an alternative sampling methodology includes 
developing an annual error rate for a component of the program. 

[18] The 15 agencies include 14 that were previously required to report 
improper payments information under OMB Circular No. A-11, plus the 
Department of Homeland Security. According to OMB, these 15 agencies 
have programs and activities with the highest risk of improper 
payments. With this PMA initiative, OMB has stated that it can better 
ensure that those taxpayer dollars most susceptible to risk for 
improper payments receive the greatest amount of focus and review. 

[19] Pub. L. No. 107-107, div. A, title VIII, ï¿½ 831, 115 Stat. 1012, 
1186 (Dec. 28, 2001) (codified at 31 U.S.C. ï¿½ï¿½ 3561-3567). 

[20] See footnote 4. 

[21] OMB's IPIA guidance states that the term program includes 
activities or sets of activities recognized as programs by the public, 
OMB, or the Congress, as well as those that entail program management 
or policy direction. It also includes the activities engaged in by an 
agency in support of its programs. 

[22] We noted that for their risk assessments, five agencies used a 
combination of programs and payment streams. 

[23] USAID includes interagency agreements as part of the contracts, 
grants, and cooperative agreements payment stream. 

[24] The 11 payment streams were (1) payroll, (2) mission allowances, 
(3) cash transfers, (4) travel, (5) transportation, (6) training, (7) 
other operating expenses, (8) payments to other agencies, (9) credit- 
financing funds, (10) revolving funds, and (11) contracts, grants, and 
cooperative agreements. 

[25] According to USAID officials, mission accounting stations perform 
accounting services for other mission offices. 

[26] Mission offices are organizational units within USAID that operate 
under decentralized program authorities, allowing them to design and 
implement programs and negotiate and execute agreements. 

[27] Pub. L. No. 98-502, 98 Stat. 2327 (Oct. 19, 1984) (codified, as 
amended, at 31 U.S.C. ï¿½ï¿½ 7501-7507). Under the Single Audit Act, as 
amended, and implementing guidance, independent auditors audit state 
and local governments and nonprofit organizations that expend federal 
awards to assess, among other things, compliance with laws, 
regulations, and the provisions of contracts or grant agreements 
material to the entities' major federal programs. Organizations are 
required to have single audits if they annually expend $500,000 or more 
in federal funds. 

[28] The four payment streams are payroll, travel, allowances, and 
other. 

[29] NASA defines a procurement action as any contractual action to 
obtain supplies, services, or construction that increases or decreases 
funds. A procurement action thus may be a new procurement or a 
modification, such as a supplemental agreement, change order, or 
termination to an existing contract that changes the total amount of 
funds obligated. 

[30] NASA centers are organizational components that support the 
agency's space exploration objectives, scientific initiatives, and 
aeronautics research. 

[31] GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under 
the Improper Payments Information Act Remains Incomplete, GAO-07-92 
(Washington, D.C.: Nov. 14, 2006). 

[32] The nine agencies are the Departments of Agriculture, Commerce, 
Defense, Energy, Homeland Security, Interior, Justice, and Treasury, 
and the Social Security Administration. 

[33] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1. (Washington, D.C.: November 1999). 

[34] GAO, Strategies to Manage Improper Payments: Learning From Public 
and Private Sector Organizations, GAO-02-69G (Washington, D.C.: October 
2001). 

[35] GAO, Global Health: USAID Supported a Wide Range of Child and 
Maternal Health Activities, but Lacked Detailed Spending Data and a 
Proven Method for Sharing Best Practices, GAO-07-486 (Washington, D.C.: 
Apr. 20, 2007). 

[36] Department of Justice, USAID Vendor Agrees to Pay $1.2 Million To 
Settle Overcharging Claim (Washington, D.C.: Dec. 28, 2005). 

[37] U.S. Agency for International Development, Office of Inspector 
General, $1.31 Million Recovered From Companies That Defrauded USAID 
(Washington, D.C.: Oct. 14, 2005). 

[38] National Aeronautics and Space Administration, Office of Inspector 
General, Semiannual Report, April 1, 2006-September 30, 2006 
(Washington, DC). 

[39] National Aeronautics and Space Administration, Office of Inspector 
General, Semiannual Report, October 1, 2004-March 31, 2005 (Washington, 
DC). 

[40] National Aeronautics and Space Administration, Office of Inspector 
General, Letter to Honorable Thad Cochran, Committee on Appropriations 
(Washington, D.C.: Dec. 20, 2005). 

[41] Internal controls and legal requirements applicable to agency 
payment processes are set out in Title 7, Fiscal Guidance, of GAO's 
Policy and Procedures Manual for Guidance of Federal Agencies 
(Washington, D.C.: May 18, 1993). 

[42] NASA's officials stated that the contracting officer generally 
reviews DCAA's audits of NASA contracts, but did not know what the 
reviews entailed or their frequency. 

[43] 31 U.S.C. ï¿½ï¿½ 3901-3907. 

[44] See Appendix C to OMB Circular No. A-123, pt. II(D)(2). 

[45] GAO-07-92. 

[46] GAO/AIMD-00-21.3.1. 

[47] Payment errors are errors resulting from duplicate payments; 
errors on invoices or financing requests; failure to reduce payments by 
applicable sales discounts, cash discounts, rebates, or other 
allowances; payments for items not received; mathematical or other 
errors in determining payment amounts and executing payments; and the 
failure to obtain credit for returned merchandise. 

[48] See footnote 4. 

[49] NASA headquarters and the Stennis Space Flight center contract 
payments were excluded from its table presentation of recovery audit 
amounts reported in the fiscal year 2006 PAR. According to NASA, 
headquarters payments were included with the Goddard Space Flight 
center payment information. Also, the Stennis Space Flight center was 
included in the recovery audit firm's scope of review, but NASA 
inadvertently excluded the center from its table presentation. NASA 
told us the Stennis Space Flight center had no reportable amounts for 
recovery for fiscal year 2006. 

[50] See footnote 14. 

[51] We did not review USAID's implementation of laws and policies 
under which accountable officers, such as payment certifying officers, 
are held financially liable for improper payments. See 31 U.S.C. ï¿½ 
3528(a). 

[52] The seven risk conditions include (1) financial processing and 
internal controls, (2) internal monitoring and assessments, (3) 
external monitoring and assessments, (4) human capital risk, (5) 
programmatic risk, (6) nature of program payments, and (7) contract/ 
grant management. 

[53] According to the consulting firm's report, it statistically tested 
1,517 payment transactions totaling $71.8 million which is .7 percent 
of the total value of payments included in the 5 payment categories, 
which totaled approximately $10 billion. 

[54] The recovery auditors reported that the contracts and data 
reviewed for USAID for fiscal years 2003 through 2005 equaled 
approximately $3 billion. 

[55] OMB's implementing guidance effective for fiscal years 2004 and 
2005 was OMB Memorandum M-03-13 "Improper Payments Information Act of 
2002 (Public Law 107-300)" (May 21, 2003). For fiscal year 2006 
reporting, agencies were required to follow Appendix C to OMB Circular 
No. A-123, Requirements for Effective Measurement and Remediation of 
Improper Payments. 

[56] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1. (Washington, D.C.: November 1999). 

[57] GAO, Strategies to Manage Improper Payments: Learning From Public 
and Private Sector Organizations, GAO-02-69G (Washington, D.C.: October 
2001). 

[58] OMB's guidance also includes a section on recovery auditing 
requirements. 

[59] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007). 

[60] The involvement of USAID's program office dictates the type of 
financial support instrument to be awarded. If the program office is 
substantially involved (i.e., start to finish) in the award process, 
the instrument awarded is called a cooperative agreement. If the 
program office is not substantially involved (i.e., only involved when 
needed) in the award process, the instrument awarded is called a grant. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, DC 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, DC 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, DC 20548: 

*** End of document. ***