High-Risk Areas: Benefits to Be Gained by Continued Emphasis on
Addressing High-Risk Areas (Testimony, 03/04/97, GAO/T-AIMD-97-54).

Pursuant to a congressional request, GAO discussed major government
programs and operations GAO has identified as high-risk areas, focusing
on high-risk areas related to the Internal Revenue Service (IRS) and the
Medicare and Supplemental Security Income (SSI) programs.

GAO noted that: (1) overall, legislative and agency actions have
resulted in progress toward fixing these high-risk areas and
establishing a solid foundation to help ensure greater progress; (2)
however, because these areas involve long-standing problems which are
difficult to fix, additional corrective measures are necessary to remove
the high-risk designation; (3) GAO's audits of the IRS' financial
statements, however, have identified many significant weaknesses in IRS'
accounting for revenue and accounts receivable, as well as for funds
provided to carry out IRS' operations; (4) IRS has improved payroll
processing and accounting for administrative operations and is working
on solutions to revenue and accounts receivable accounting problems; (5)
in addition, IRS is hampered in efficiently and effectively managing its
huge inventory of accounts receivable due to inadequate management
information; (6) further, while IRS' efforts to reduce filing fraud have
resulted in some success, especially through more rigid screening in the
electronic filing program, this continues to be a high-risk area; (7)
the Customs Service has made considerable progress in correcting major
management and organizational structure weaknesses GAO pointed to in its
1992 high-risk report; (8) Medicare, the nation's second largest social
program, is inherently vulnerable to and a perpetually attractive target
for exploitation; (9) the Congress and the President have been seeking
to introduce changes to Medicare to help control program costs, which
were $197 billion in fiscal year 1996; (10) a newly designated high-risk
area involves overpayments in the SSI program, which provided about $22
billion in federal benefits to recipients between January 1, 1996, and
October 31, 1996; (11) one root cause of SSI overpayments is the Social
Security Administration's difficulty in corroborating financial
eligibility information that program beneficiaries self report and that
affects their benefit levels; (12) in September 1996, GAO reported that
during the previous 2 years, serious information security control
weaknesses had been reported for 10 of the 15 largest federal agencies;
(13) GAO had made dozens of recommendations for improvement to
individual agencies, and they have started acting on may of them; and
(14) the year 2000 problem poses the high risk that computer systems
throughout government will fail to run or malfunction because computer *

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-97-54
     TITLE:  High-Risk Areas: Benefits to Be Gained by Continued 
             Emphasis on Addressing High-Risk Areas
      DATE:  03/04/97
   SUBJECT:  Internal controls
             Financial management systems
             Risk management
             Debt collection
             Accounts receivable
             Health care programs
             Computer security
             Congressional oversight
             Federal social security programs
             Program abuses
IDENTIFIER:  IRS Tax System Modernization Program
             Supplemental Security Income Program
             HCFA Medicare Transaction System
             IRS Compliance 2000 Initiative
             Medicare Program
             IRS FedState Electronic Filing Program
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Oversight, Committee on Ways and Means,
House of Representatives

For Release on Delivery
Expected at
10 a.m.
Tuesday,
March 4, 1997

HIGH-RISK AREAS - BENEFITS TO BE
GAINED BY CONTINUED EMPHASIS ON
ADDRESSING HIGH-RISK AREAS

Statement of Gene L.  Dodaro
Assistant Comptroller General
Accounting and Information Management Division

GAO/T-AIMD-97-54

GAO/AIMD-97-54T


(918899)


Abbreviations
=============================================================== ABBREV

  CFO - Chief Financial Officer
  GPRA - Government Performance and Results Act
  HCFA - Health Care Financing Administration
  HUD - Department of Housing and Urban Development
  IRS - Internal Revenue Service
  MTS - Medicare Transaction System
  NASA - National Aeronautics and Space Administration
  OMB - Office of Management and Budget
  SSA - Social Security Administration
  SSI - Supplemental Security Income

============================================================ Chapter 0

Madam Chairman and Members of the Subcommittee: 

We are pleased to be here today to discuss major government programs
and operations we have identified as high risk because of
vulnerabilities to waste, fraud, abuse, and mismanagement.  In 1990,
we began a special effort to focus attention on such areas, and over
the past several years we have made hundreds of recommendations to
get at the heart of high-risk problems and help improve this
situation.  On February 12, 1997, we issued our latest series of
high-risk reports.\1

Overall, legislative and agency actions have resulted in progress
toward fixing these high-risk areas and establishing a solid
foundation to help ensure greater progress.  However, because these
areas involve long-standing problems that are difficult to fix,
additional corrective measures are necessary to remove the high-risk
designation. 

Today, at the Subcommittee's request, we will focus on high-risk
areas related to the Internal Revenue Service (IRS) and the Medicare
and Supplemental Security Income (SSI) programs.  While this
statement provides a brief synopsis of these areas, more detailed
statements on these three topics are also being issued today.  In
addition, this statement will discuss other high-risk areas that
affect agencies under the Subcommittee's jurisdiction, including the
Customs Service's financial management, information security
weaknesses, and the possibility of serious computer disruptions in
service to the public due to the Year 2000 Problem. 

As the key message of this testimony, I would like to emphasize the
importance of the Subcommittee using recent legislative management
reforms to help oversee these agencies' actions to fully and
effectively remedy their high-risk problems.  These include

  -- the 1995 Paperwork Reduction Act and the 1996 Clinger-Cohen Act,
     which provide a basis for agencies to better manage investments
     in information technology;

  -- the expanded Chief Financial Officers (CFO) Act of 1990, which
     requires agencies to prepare financial statements that can pass
     the test of an independent audit and provide decisionmakers more
     reliable financial information; and

  -- the 1993 Government Performance and Results Act (GPRA), which
     requires agencies to measure performance and focus on results. 


--------------------
\1 The 25 areas that are the current focus of our high-risk
initiative are listed in attachment I, and the reports in our 1997
high-risk series are listed in attachment II. 


   ENSURING ALL REVENUES ARE
   COLLECTED AND ACCOUNTED FOR
---------------------------------------------------------- Chapter 0:1

In 1995, IRS reported collecting $1.4 trillion from taxpayers,
disbursing $122 billion in tax refunds, and managing an estimated
accounts receivable inventory of $113 billion in delinquent taxes. 
The reliability of IRS' financial information is critical to
effectively manage the collection of revenue to fund the government's
operations. 

Our audits of IRS' financial statements, however, have identified
many significant weaknesses in IRS' accounting for revenue and
accounts receivable, as well as for funds provided to carry out IRS'
operations.  IRS has improved payroll processing and accounting for
administrative operations and is working on solutions to revenue and
accounts receivable accounting problems.  But much remains to be
done, and effective management follow-through is paramount to
achieving fully the goals of the CFO Act. 

In addition, IRS is hampered in efficiently and effectively managing
its huge inventory of accounts receivable due to inadequate
management information.  The root cause here is IRS' antiquated
information systems and outdated business processes, which handle
over a billion tax returns and related documents annually.  IRS has
undertaken many initiatives to deal with its accounts receivable
problems, including correcting errors in its tax receivable
masterfile and attempting to speed up aspects of the collection
process.  Efforts such as these appear to have had some impact on
collections and the tax debt inventory, but many of the efforts are
long-term in nature and demonstrable results may not be available for
some time. 

Further, while IRS' efforts to reduce filing fraud have resulted in
some success--especially through more rigid screening in the
electronic filing program--this continues to be a high-risk area. 
IRS' goal is to increase electronic filings, which would strengthen
its fraud detection capabilities.  But to effectively achieve its
electronic filing goal, IRS must (1) identify those groups of
taxpayers who offer the greatest opportunity for filing
electronically and (2) develop strategies focused on alleviating
impediments that have inhibited those groups from participating in
the program. 

In attempting to overhaul its timeworn, paper-intensive approach to
tax return processing, IRS has spent or obligated over $3 billion on
its tax systems modernization, which has encountered severe
difficulties.  Currently, funding for tax systems modernization has
been curtailed, and IRS and the Department of the Treasury are taking
several steps to address modernization problems and implement our
recommendations.  However, much more progress is needed to fully
resolve serious underlying management and technical weaknesses. 

Behind IRS, the Customs Service is the next highest revenue
collector.  The Customs Service has made considerable progress in
correcting major management and organizational structure weaknesses
we pointed to in our 1992 high-risk report.  In 1995, we reported
that Customs had taken several actions to address these problems,
including revising its planning process, improving controls over
identification and collection of revenues owed, aggressively pursuing
delinquent receivables, and embarking on an agencywide reorganization
plan.  As a result, we narrowed the scope of our high-risk work at
Customs to focus only on its financial management problems. 

Since 1995, Customs has continued to take actions to address its
financial management and internal control weaknesses.  These include,
for example, statistically sampling compliance of commercial
importations through ports of entry to better focus enforcement
efforts and to project and report duties, taxes, and fees lost due to
noncompliance.  However, Customs still has not fully corrected
significant problems in these areas.  For example, audits of Customs'
financial statements under the CFO Act disclose that Customs
continues to lack adequate assurance that all revenue due is
collected, has weaknesses in readily detecting duplicate and
excessive drawback payments, and lacks integrated core financial
systems.  These problems diminish Customs' ability to reasonably
ensure that (1) duties, taxes, and fees on imports are properly
assessed and collected and refunds of such amounts are valid and (2)
core financial systems provide reliable information for managing
operations. 

We have made numerous recommendations to Customs to address its
financial management weaknesses and have assisted in developing
corrective actions.  It will be important for top management at
Customs to provide continuing support to ensure that the planned
financial management improvements are properly implemented. 


   CONTROLLING FRAUD, WASTE,
   ABUSE, AND MISMANAGEMENT IN
   BENEFIT PROGRAMS
---------------------------------------------------------- Chapter 0:2

Medicare--the nation's second largest social program--is inherently
vulnerable to and a perpetually attractive target for exploitation. 
The Congress and the President have been seeking to introduce changes
to Medicare to help control program costs, which were $197 billion in
fiscal year 1996.  At the same time, they are concerned that the
Medicare program loses significant amounts due to persistent
fraudulent and wasteful claims and abusive billings, which could be
from $6 billion to as much as $20 billion, based on 1996 outlays. 
The Congress passed the Health Insurance Portability and
Accountability Act of 1996 to add funding for program safeguard
efforts and make the penalties for Medicare fraud more severe. 
Effective implementation of this legislation and other agency actions
are key to mitigating many of Medicare's vulnerabilities to fraud and
abuse. 

Also, the Health Care Financing Administration (HCFA), which runs the
Medicare program, has begun to acquire a new claims processing
system--the Medicare Transaction System (MTS)--to provide, among
other things, better protection from fraud and abuse.  In the past,
we have reported on risks associated with this project, including (1)
HCFA's plan to implement the system in a single stage rather than
incrementally, (2) difficulty in defining requirements, (3)
inadequate investment analysis, and (4) significant schedule
problems.  HCFA has responded to these concerns by changing its
single-stage approach to one under which the system will be
implemented incrementally and working to resolve other reported
problems. 

A newly designated high-risk area involves overpayments in the SSI
program, which provided about $22 billion in federal benefits to
recipients between January 1, 1996, and October 31, 1996.  SSI
overpayments have grown to over $1 billion per year, which is about 5
percent of total benefit payments.  Also, criticisms have been raised
regarding the Social Security Administration's (SSA) ability to
effectively manage SSI workloads and internal control weaknesses that
leave the program susceptible to fraud, waste, and abuse.  For
example, in August 1996, we reported that about 3,000 current and
former prisoners in 13 county and local jail systems had been
erroneously paid $5 million in SSI benefits, primarily because SSA
lacked timely and complete information. 

One root cause of SSI overpayments is SSA's difficulty in
corroborating financial eligibility information that program
beneficiaries self report and that affects their benefit levels.  In
addition, determining whether an impairment qualifies a claimant for
disability benefits can often be difficult, especially in cases
involving applicants with mental impairments and other
hard-to-diagnose conditions. 


   ADDRESSING GOVERNMENTWIDE
   INFORMATION TECHNOLOGY ISSUES
---------------------------------------------------------- Chapter 0:3

In addition to the difficulties agencies have in managing large
computer systems modernization efforts, our high-risk effort
identified two governmentwide information technology issues that
affect agencies under the Committee's purview:  information security
and the Year 2000 Problem. 


      INFORMATION SECURITY
-------------------------------------------------------- Chapter 0:3.1

Information systems security weaknesses pose high risk of
unauthorized access and disclosure of sensitive data.  Many federal
operations that rely on computer networks are attractive targets for
individuals or organizations with malicious intentions.  Examples of
such operations include law enforcement, import entry processing, and
various financial transactions. 

Since June 1993, we have issued over 30 reports describing serious
information security weaknesses at major federal agencies.  For
example, our financial audits at IRS and the Customs Service have
identified poor computer controls.  IRS cannot ensure that the
confidentiality and accuracy of taxpayer data are protected and that
the data are not manipulated for purposes of individual gain.  The
Customs Service continues to have problems that diminish its ability
to reasonably ensure that sensitive data maintained in automated
systems are adequately protected from unauthorized access and
modification. 

In September 1996, we reported that during the previous 2 years,
serious information security control weaknesses had been reported for
10 of the 15 largest federal agencies.  We have made dozens of
recommendations for improvement to individual agencies, and they have
started acting on many of them. 

In addition, we have recommended ways for the Office of Management
and Budget (OMB) to enhance its ability to oversee and improve
federal information security programs.  We suggested steps that OMB
can take to (1) effectively use opportunities to aid in overseeing
and improving agency information security programs, such as annual
financial audits and the newly created Chief Information Officers
Council,and (2) increase the expertise of its staff in information
security management issues. 


      THE YEAR 2000 PROBLEM
-------------------------------------------------------- Chapter 0:3.2

The Year 2000 Problem poses the high risk that computer systems
throughout government will fail to run or malfunction because
computer equipment and software were not designed to accommodate the
change of date at the new millennium.  For example, IRS' tax systems
could be unable to process returns, which in turn could jeopardize
the collection of revenue and the entire tax processing system.  Or
SSA's disability insurance process could experience major disruptions
if the interface with various state systems failed, thereby causing
delays and interruptions in disability payments to citizens. 

We recently issued a guide, Year 2000 Computing Crisis:  An
Assessment Guide (GAO/AIMD-10.1.14, exposure draft), to provide
agencies a framework and a checklist for assessing their readiness to
achieve year 2000 compliance.  It provides information on the scope
of the challenge, and offers a structured approach for reviewing the
adequacy of agency planning and management of the year 2000 program. 


   CONTINUING CONGRESSIONAL
   OVERSIGHT USING NEW MANAGEMENT
   TOOLS IS KEY
---------------------------------------------------------- Chapter 0:4

Continued congressional oversight, such as this hearing by the
Subcommittee, will add essential impetus to make improvements and
ensure more progress in addressing the high-risk areas just discussed
and, thus, to achieve greater benefits.  Effective and sustained
follow-through by agency managers is necessary to resolve specific
high-risk problems and implement broader management reforms, which
the Congress has established to achieve better financial and
information management and measure the results of program operations. 

The Subcommittee can focus on agencies' progress in fixing specific
high-risk problems and implementing this legislative framework
through the following three efforts. 

  -- Apply a framework of modern technology management, as required
     by the 1995 Paperwork Reduction Act and the Clinger-Cohen Act of
     1996. 

This framework is based on practices followed by leading
public-sector and private-sector organizations that have successfully
used technology to dramatically improve performance and meet
strategic goals.  These laws fundamentally revamp and modernize
federal information management practices by emphasizing the
involvement of senior executives in information management decisions,
establishing senior-level Chief Information Officers, tightening
controls over technology spending, redesigning inefficient work
processes, and using performance measures to assess technology's
contribution to achieving mission results.  These management
practices provide agencies--such as IRS for tax systems
modernization--a proven, practical means of addressing the federal
government's information problems, maximizing benefits from
technology spending, and controlling the risks of systems development
efforts. 

  -- Improve financial reporting and make other financial management
     improvements, as called for by the expanded Chief Financial
     Officers Act. 

The landmark CFO Act spelled out a long overdue and ambitious agenda
to help resolve financial management problems.  This act has prompted
many improvements at IRS, the Customs Service, and other agencies to
provide reliable financial information for managing government
programs.  Fully and effectively implementing the CFO Act is critical
to achieving full accountability and providing relevant information
on the government's true financial status. 

In addition, improved reporting and internal controls, as called for
by the CFO Act, can produce substantial savings in high-risk areas. 
For example, better data and controls can help reduce the billions of
dollars now lost annually in the Medicare program due to fraudulent
and abusive claims and help decrease the $1 billion in overpayments
that the SSI program experiences each year. 

  -- Use the Government Performance and Results Act to measure
     performance and focus on results, which can help to pinpoint
     opportunities for improved performance and increased
     accountability. 

GPRA requires agencies to set goals, measure performance, and report
on their accomplishments.  Under GPRA, every major federal agency
must now ask itself basic questions about performance to be measured
and how performance information can be used to make improvements. 
For instance, performance measures would be useful for (1) reaching
agreement with the Congress on and monitoring acceptable levels of
errors in benefit programs (errors which may never be totally
eliminated but can be much better controlled) and (2) assessing the
results of tax enforcement initiatives, delinquent tax collection
activities, and filing fraud reduction efforts. 


-------------------------------------------------------- Chapter 0:4.1

Without additional attention to resolving problems in the high-risk
areas that we have discussed today, the government will continue to
miss important opportunities to ensure effective revenue collection
operations, have well controlled and operated information systems,
and save billions of dollars.  We will continue to identify other
ways for agencies to more effectively manage and control these and
other high-risk areas and to make recommendations for improvements
that can be implemented to overcome the root causes of these
problems. 

Madam Chairman, this concludes my statement.  I will be happy to
respond to any questions. 


AREAS DESIGNATED HIGH RISK
=========================================================== Appendix I


   PROVIDING FOR ACCOUNTABILITY
   AND COST-EFFECTIVE MANAGEMENT
   OF DEFENSE PROGRAMS
--------------------------------------------------------- Appendix I:1

Financial management (1995)
Contract management (1992)
Inventory management (1990)
Weapon systems acquisition (1990)
Defense infrastructure (1997)


   ENSURING ALL REVENUES ARE
   COLLECTED AND ACCOUNTED FOR
--------------------------------------------------------- Appendix I:2

IRS financial management (1995)
IRS receivables (1990)
Filing fraud (1995)
Tax Systems Modernization (1995)
Customs Service financial management (1991)
Asset forfeiture programs (1990)


   OBTAINING AN ADEQUATE RETURN ON
   MULTIBILLION DOLLAR INVESTMENTS
   IN INFORMATION TECHNOLOGY
--------------------------------------------------------- Appendix I:3

Tax Systems Modernization (1995)
Air traffic control modernization (1995)
Defense's Corporate Information Management initiative (1995)
National Weather Service modernization (1995)
Information security (1997)
The Year 2000 Problem (1997)


   CONTROLLING FRAUD, WASTE, AND
   ABUSE IN BENEFIT PROGRAMS
--------------------------------------------------------- Appendix I:4

Medicare (1990)
Supplemental Security Income (1997)


   MINIMIZING LOAN PROGRAM LOSSES
--------------------------------------------------------- Appendix I:5

HUD (1994)
Farm loan programs (1990)
Student financial aid programs (1990)


   IMPROVING MANAGEMENT OF FEDERAL
   CONTRACTS AT CIVILIAN AGENCIES
--------------------------------------------------------- Appendix I:6

Department of Energy (1990)
NASA (1990)
Superfund (1990)

Also, planning for the 2000 Decennial Census was designated high risk
in February 1997. 


1997 HIGH-RISK SERIES
================================================== Appendix Attachment

An Overview (GAO/HR-97-1)

Quick Reference Guide (GAO/HR-97-2)

Defense Financial Management (GAO/HR-97-3)

Defense Contract Management (GAO/HR-97-4)

Defense Inventory Management (GAO/HR-97-5)

Defense Weapon Systems Acquisition (GAO/HR-97-6)

Defense Infrastructure (GAO/HR-97-7)

IRS Management (GAO/HR-97-8)

Information Management and Technology (GAO/HR-97-9)

Medicare (GAO/HR-97-10)

Student Financial Aid (GAO/HR-97-11)

Department of Housing and Urban Development (GAO/HR-97-12)

Department of Energy Contract Management (GAO/HR-97-13)

Superfund Program Management (GAO/HR-97-14)









The entire series of 14 high-risk reports is numbered
GAO/HR-97-20SET. 

*** End of document. ***