This is the accessible text file for GAO report number GAO-03-167T entitled 'Financial Management: Strategies to Address Improper Payments at HUD, Education, and Other Federal Agencies' which was released on October 3, 2002. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. United States General Accounting Office: GAO: Testimony: Before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Committee on Government Reform, House of Representatives: For Release on Delivery: Expected at 2:00 p.m.: Thursday, October 3, 2002: Financial Management: Strategies to Address Improper Payments at HUD, Education, and Other Federal Agencies: Statement of Linda Calbom: Director, Financial Management and Assurance: GAO-03-167T: Mr. Chairman and Members of the Subcommittee: I am pleased to be here today to discuss (1) how internal control weaknesses we have noted make the departments of Housing and Urban Development (HUD) and Education vulnerable to, and in some cases have resulted in, improper and questionable payments and (2) strategies these and other federal agencies can use to better manage their improper payments. We are reporting our findings on HUD for the first time today. We previously reported our Education findings in a number of reports and testimonies. [Footnote 1] In addition, we issued an executive guide, Strategies to Manage Improper Payments: Learning from Public and Private Sector Organizations, [Footnote 2] last October, which we will also focus on in this testimony. The federal government of the United States - the largest and most complex organization in the world - expends approximately $2 trillion a year. As the steward of taxpayer dollars, it is accountable for how its agencies and grantees spend those funds, and is responsible for safeguarding against improper payments by the government - payments that should not have been made or that were made for incorrect or excessive amounts. Improper payments are a widespread and significant problem receiving increased attention not only in the federal government but also among states, foreign governments, and private sector companies. As you know, the President's Management Agenda, Fiscal Year 2002, included five governmentwide initiatives, one of which is improved financial performance. This financial management initiative calls for the administration to establish a baseline on the extent of erroneous payments. [Footnote 3] Under it, agencies were to include information on improper payment rates in their 2003 budget submissions to the Office of Management and Budget (OMB), including actual and target rates if available for benefit and assistance programs over $2 billion annually. Legislation that you sponsored, Mr. Chairman, and which is currently being considered by the Senate (H.R. 4878), calls for more stringent requirements in the areas of improper payment review and reporting than the President's Management Agenda. Specifically, it requires agency heads to (1) review all programs and activities that they administer, and identify those areas that may be susceptible to improper payments, (2) estimate the annual amount of improper payments, and (3) where they exceed the lesser of 1 percent of the total program budget or $1 million annually, report actions the agency is taking to reduce improper payments. In our executive guide, we identified practices that government and private sector organizations in the United States. and abroad have used to combat improper payments. Despite a climate of increased scrutiny, most improper payments associated with federal programs continue to go unidentified as they drain taxpayer resources away from the missions and goals of our government. They occur for many reasons, including insufficient oversight or monitoring, inadequate eligibility control, and automated system deficiencies. However, one point is clear based on our study - the root causes of improper payments can typically be traced to a breakdown in or lack of internal control. Collectively, internal controls are an integral component of an organization's management that provides reasonable assurance that the organization achieves the objectives of (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with laws and regulations. Internal controls are not one event, but a series of activities that occur throughout an entity's operations and on an ongoing basis. People make internal controls work, and responsibility for good internal controls rests with all managers. Both HUD and Education have histories of financial management problems, including serious internal control weaknesses, which have affected their ability to provide reliable financial information to decision makers both inside and outside the agencies and to maintain the financial integrity of their operations. Because of this, we have designated Education's student financial assistance programs and HUD's single family and multifamily housing programs as high-risk areas for waste, fraud, abuse, and mismanagement. [Footnote 4] We have also identified weak internal controls as a major factor contributing to improper payments at other agencies and have issued reports and testimonies on this topic, including several to this subcommittee on the Department of Defense's purchase card and travel card programs. [Footnote 5] In order to carry out our improper payments reviews at HUD and Education, we identified disbursement processes at those agencies that would be highly susceptible to improper payments. [Footnote 6] Based on this analysis, we focused our reviews on (1) HUD's purchase card and multifamily property payment processes and (2) Education's grants and loans, purchase card, and third party draft payment processes. [Footnote 7] Our work at both of these agencies was designed to (1) determine if the existing controls provided reasonable assurance that improper payments would not occur or would be detected in the normal course of business and (2) determine if expenditures were properly supported as a valid use of government funds. Our work at Education was also designed to determine if computer equipment purchased with purchase cards and third party drafts was being included in Education's inventory and appropriately safeguarded. Our work at Education is complete, but our HUD work is ongoing. In the second phase of that work, we will continue to review multifamily disbursements and will also assess single family program payments to management and marketing contractors that maintain and sell single family houses owned by HUD. We will also follow up on physical control of computer equipment as we did at Education. To accomplish our two separate reviews of HUD and Education, we used data mining techniques [Footnote 8] and other computer analyses to identify unusual transactions and payment patterns that may be indicative of improper payments. Our review included the $181.4 billion in grants and loans disbursed by Education from May 1998 through September 2000, $214 million of payments made by HUD during fiscal year 2001 for goods and services to support multifamily properties, $22 million of purchase cards purchases made by Education from May 1998 through September 2000, and $10 million of purchase cards purchases made by HUD during fiscal year 2001. [Footnote 9] We conducted our work in accordance with generally accepted government auditing standards, as well with investigative standards established by the President's Council on Integrity and Efficiency. In my testimony today I will discuss: * poor controls over purchase cards and how they resulted in some fraudulent, improper, and questionable purchases at HUD and Education; * the failure of controls over Education's grants disbursement process to detect certain improper payments; * the lack of monitoring of a key HUD contractor and how it resulted in improper payments; and; * strategies that HUD, Education, and other federal agencies can use to manage improper payments. Poor Controls over Purchase Cards Resulted in Some Fraudulent, Improper, and Questionable Purchases at HUD and Education: The benefits of using purchase cards versus traditional contracting and payment processes are lower transaction processing costs and less "red tape" for both the government and the vendor community. We support the use of a well-controlled purchase card program to streamline the government's acquisition processes. However, it is important that agencies have adequate internal controls in place to protect the government from fraud, waste, and abuse. We found that both HUD and Education lacked fundamental internal controls over their purchase card programs that would have minimized the risk of improper purchases. For example, both agencies had inconsistent and inadequate pre-approval and review processes for purchase card transactions - key preventive and detective controls. Combined with a lack of monitoring, environments were created at HUD and Education where improper purchases could be made with little risk of detection. Inadequate controls over these expenditures, along with the inherent risk of fraud and abuse associated with purchase cards, likely contributed to the $4.0 million of fraudulent, improper, and questionable purchases we identified at HUD and Education through our data mining efforts. According to our Standards for Internal Control in the Federal Government, [Footnote 10] transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. Although pre-approval and review of transactions by persons in authority is the principal means of assuring that transactions are valid, we found that the pre-approval and review process for purchase card purchases was inadequate at both HUD and Education. During our review of HUD and Education's purchase card programs, we found that department personnel did not consistently obtain pre-approval prior to making some or all purchases, as required by the departments' policies. According to HUD's October 30, 1995, purchase card policy, the approving official is required to establish a pre-approval process for each cardholder to ensure that purchases have the necessary technical approval or clearance before purchases are made and that all transactions are appropriate and for official use only. However, during our review we found that only the Information Technology Office routinely obtained authorization prior to purchasing items with the purchase card. Similarly, at the Department of Education, we found that 10 of its 14 offices did not require cardholders to obtain authorization prior to making some or all purchases, although Education's policy required that all requests to purchase items over $1,000 be made in writing to the applicable department executive officer. One of the most important internal controls in the purchase card process is the review of supporting documentation and approval of each purchase by the approving official. Approving officials at both HUD and Education are required to review each monthly statement of purchases along with the applicable supporting documentation and certify that these purchases were appropriate, in accordance with department regulations, and a valid use of government funds. Based on our testing of both HUD and Education's approving officials' review of monthly purchase card statements, we found that this key control was not an effective means of detecting improper purchases. At HUD, we selected a stratified random sample of 222 purchase card transactions made during fiscal year 2001, and found that $1.4 million, or about 77 percent, of the $1.8 million of sampled purchases lacked adequate support for the approving official to determine what was purchased, whether the purchase was previously authorized, and if there was a legitimate government need for the items purchased. [Footnote 11] We found similar problems at Education. To test the effectiveness of Education's approving officials' review, we analyzed 5 months of cardholder statements and found that 37 percent of the 903 monthly cardholder statements we reviewed were not approved by the appropriate official. These 338 unapproved statements totaled about $1.8 million. Another control that is effective in helping to prevent improper purchases is the blocking of certain merchant category codes (MCC). This control, available as part of the agencies' purchase card contracts with the card issuing financial institutions, allows agencies to prohibit certain types of purchases that are clearly not business related, such as purchases from jewelry stores or entertainment establishments. During our reviews, we noted that, initially, neither HUD nor Education was effectively using the MCC's as a preventive control. HUD was not blocking any MCCs and Education blocked only four MCCs. As a result, there were almost no restrictions on the types of purchases employees could make during the period of our audit. Both agencies took action to block more of the MCCs after we began our reviews of their purchase card programs. Our Standards for Internal Control in the Federal Government state that internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. Internal control monitoring should assess the quality of performance over time and ensure that findings of audits and other reviews are promptly resolved. Program and operational managers should monitor the effectiveness of control activities as part of their regular duties. HUD's purchase card policy requires the department to perform annual program reviews and report the results, including findings and recommendations, to the purchase card program administrator. However, HUD officials could locate only one such report. This November 2001 report, prepared by a consultant, identified problems that were similar to the findings previously reported [Footnote 12] by the Office of Inspector General (OIG) in February 1999. Both reports documented problems with weak internal controls and insufficient supporting documentation. The consultant's report also noted that HUD was not performing the periodic program reviews required by its policies and that employees were making improper split purchases. HUD management agreed with the findings in the OIG report and developed and implemented an action plan to address the identified weaknesses. According to HUD OIG staff, its recommendations were implemented and have been closed. However, based on our findings, corrective actions taken at that time were not fully effective. At the time of our review, Education did not have a monitoring system for purchase card activity to determine whether its staff was complying with key aspects of the purchase card program. We also found that approving officials at Education did not use monitoring reports that were available from its purchase card contractor to identify unusual or unauthorized purchases. However, as I will discuss later, the department subsequently issued new policies and procedures that, among other things, establish a quarterly quality review of a sample of purchase card transactions to ensure compliance with key aspects of the department's policy. The types of internal control weaknesses that I have just described created environments where improper purchases could be made with little risk of detection and likely contributed to the $4 million of fraudulent, improper, and questionable purchases we identified through our data mining efforts at both HUD and Education. We also found that property purchased with purchase cards was not always recorded in Education's property records, which likely contributed to missing or stolen property. This could also be an issue at HUD based on our preliminary inquiries into its property management system. I will now provide a few examples of how employees used their purchase cards to make fraudulent, improper, and questionable purchases. We considered fraudulent purchases to be those that were unauthorized and intended for personal use. Improper payments include errors, such as duplicate payments and miscalculations; payments for services not rendered; multiple payments to the same vendor for a single purchase to circumvent existing single purchase limits - known as split purchases; and payments resulting from fraud and abuse. We defined questionable transactions as those that, while authorized, were for items purchased at excessive costs, for questionable government need, or both, as well as transactions for which the departments could not provide adequate supporting documentation to enable us to determine whether the purchases were valid. In May 2002, we provided HUD with 5,459 transactions, totaling about $3.8 million in which the (1) payee appeared to be an unusual vendor to be engaging in commerce with the agency, (2) purchase was made on either a holiday or weekend, or (3) purchase appeared to be a split purchase. As of September 2002, HUD was able to provide adequate support for 3,428 of these questionable transactions, totaling about $1.5 million. HUD could not provide adequate supporting documentation to enable us to assess the propriety of the remaining 2,031 transactions totaling about $2.3 million, or 38 percent of the total questionable transactions and 61 percent of the total dollars requested. For these transactions, HUD could not provide support to determine what was purchased, whether it was authorized, and whether there was a legitimate government need for the item purchased. These purchases included (1) 1,183 questionable vendor transactions totaling about $869,000, (2) 31 purchases made on holidays totaling about $10,000, (3) 264 weekend purchases totaling about $354,000; and (4) 541 potential improper split transactions totaling about $1 million. Some examples of questionable vendor transactions for which we did not receive adequate support included (1) over $27,000 to various department stores, such as Best Buy, Circuit City, Dillard's, JC Penny, Lord & Taylor, Macys, and Sears, (2) over $8,900 to several music and audio stores, including Sound Craft Systems, J&R's Music Store, Guitar Source, and Clean Cuts Music, and (3) over $9,700 to various restaurants, such as Legal Sea Foods, Levis Restaurant, The Cheesecake Factory, and TGI Fridays. Additional examples of questionable or improper purchases we found included $25,400 of "no show" hotel charges for HUD employees who did not attend scheduled training and $21,400 of purchases from vendors where it appears the vendors were out of business prior to the purchases. Because HUD was unable to provide adequate documentation for these purchases, we consider them to be questionable uses of government funds and therefore potentially improper purchases. In order to identify potential improper payments in Education's purchase card program, we requested supporting documentation for (1) 338 monthly statements totaling $1.8 million that our testing of the approval function identified as not properly approved, and (2) other transactions, identified using data mining techniques, that appeared unusual. Education was unable to provide adequate supporting documentation to enable us to determine the validity of purchases totaling over $218,000. Education could not provide any support for more than $152,000 of these purchases nor could it specify what was purchased, why it was purchased, or whether these purchases were appropriate. For the remaining $66,000, Education was able to provide only limited supporting documentation. As a result, we were unable to assess the validity of these payments, and we consider these purchases to be potentially improper. These inadequately supported or unsupported purchases included charges to various hotels for more than $3,000, purchases of computer equipment and software totaling more than $22,000, and charges for various college and other training courses totaling about $51,000. Numerous other purchases were made from home electronics and appliance stores as well as toy, book, and furniture stores. In our review of the documentation Education did provide, we identified some fraudulent, improper, and questionable purchases. Examples of these include the following: * In one instance, a cardholder made several fraudulent purchases from two Internet sites for pornographic services. As a result, Education management issued a termination letter, prompting the employee to resign. * Over several years, an Education employee made improper charges totaling $11,700 for herself and a coworker to attend college classes that were unrelated to Education's mission, such as biology, music, and theology. [Footnote 13] This same individual also had numerous questionable charges for other college classes totaling $24,060. * There were restaurant charges totaling $4,427 from a Year 2000 focus group meeting in San Juan, Puerto Rico, for meals for nonfederal employees. We referred additional charges of this same nature totaling approximately $45,000 to Education's OIG. [Footnote 14] Another type of improper purchase we identified is the "split purchase," which we defined as purchases made on the same day from the same vendor that appear to circumvent single purchase limits. Federal Acquisition Regulation prohibits splitting a transaction into more than one segment to avoid the requirement to obtain competitive bids for purchases over the $2,500 micro-purchase limit. At HUD, we identified 88 improper purchases totaling about $112,000 where employees made multiple purchases from a single vendor on the same day in excess of the $2,500 micro-purchase threshold. For example, one cardholder purchased nine personal digital assistants and the related accessories from a single vendor on the same day in two separate transactions just 5 minutes apart. Because the total purchase price of $3,788 exceeded the cardholder's single purchase limit of $2,500, the purchase was split into two transactions of $2,388 and $1,400, respectively. We identified 451 additional purchases totaling $893,000 where HUD employees made multiple purchases from a vendor on the same day in excess of $2,500. Although we were unable to determine whether these purchases were improper, based on the available supporting documentation, these transactions share similar characteristics with the 88 split purchases we identified. We also found improper split purchases at Education. For example, one cardholder from Education purchased two computers from the same vendor at essentially the same time. Because the total cost of these computers exceeded the cardholder's $2,500 single purchase limit, the total of $4,184.90 was split into two purchases of $2,092.45 each. We found 27 additional purchases totaling almost $120,000 where Education employees improperly made multiple purchases from a vendor on the same day. In addition to poor internal controls over the purchase card program, we found that Education lacked appropriate physical controls and segregation of duties over computer equipment purchased with purchase cards and third party drafts. According to the Education Inspector General, the department had not taken a comprehensive physical inventory for at least 2 years before our review. Further, one office lacked appropriate segregation of duties where responsibility for receiving, bar coding, securing the equipment, and delivering computers to the end users was done by only two individuals. According to our Standards for Internal Control in the Federal Government, an agency must establish physical control to secure and safeguard vulnerable assets. Such assets should be periodically counted and compared to control records. Recording the items purchased in property records is an important step to ensuring accountability and financial control over these assets and, along with periodic inventory counts, to preventing theft or improper use of government property. At Education, we found that employees regularly purchased computers using their purchase cards, which was a violation of the department's policy prohibiting the use of purchase cards for this purpose. From May 1998 through September 2000, the period covered by our audit, Education made purchases totaling more than $2.9 million from personal computer and computer- related equipment vendors. To determine whether this computer equipment was appropriately recorded in the department's inventory, we compared serial numbers obtained from the department's largest computer vendor to those in the asset management system and identified 384 pieces of computer equipment, including desktop computers, printers, and scanners, that were not in the property records. We conducted an unannounced inventory to determine whether the equipment was actually missing or inadvertently omitted from the property records. Although we found 143 pieces of equipment during this inventory that were not recorded on Education's books, and an additional 62 items were later found by Education, department officials have been unable to locate the remaining 179 pieces of missing equipment costing over $200,000. They surmised that some of these items may have been surplused; however, there is no documentation to determine whether this assertion is valid. According to Education officials, new policies were implemented that do not allow individual offices to purchase computer equipment without the consent of the Office of the Chief Information Officer. In addition, the new policies were designed to maintain control over the procurement of computers and related equipment, including: * purchasing computers from preferred vendors that apply the department's inventory bar code label and record the serial number of each computer on a computer disk that is sent directly to the Education official in charge of the property records; * loading the computer disk containing the bar code, serial number, and description of the computer into the property records; and; * having an employee verify that the computers received from the vendor match the serial numbers and bar codes on the shipping documents and the approved purchase orders. While these are very positive steps, a continued lack of adequate physical control could negate the effectiveness of these new procedures. For example, during a follow-up visit to Education, we found that the doors to the various rooms used to store computer equipment waiting to be installed were both unlocked and unattended. Without enhanced physical security, Education will continue to be at risk for further computer equipment losses. We also have concerns about HUD's accountability for computer and related equipment purchased with purchase cards because of the large volume of purchases for which it did not have appropriate documentation. In these cases, HUD likely does not know what was purchased, why it was purchased, whether there was a legitimate government need for the item purchased, and where the item is now. For example, HUD employees used their purchase cards to purchase portable assets such as computer equipment and digital cameras, totaling over $74,500, for which they have provided either no support or inadequate support. Further, in its purchase card remedial action plan, which I will discuss further shortly, HUD stated that not all property is entered in its automated property inventory system. When these purchases are not entered in an agency's inventory system, they become more vulnerable to loss or theft. In our follow-up work, we plan to determine whether these items are included in HUD's inventory and are being appropriately safeguarded. Effectiveness of Remedial Action Plans and Other Recent Steps to Curb Purchase Card Abuse Is Mixed: In April 2002, OMB issued a memorandum requiring all agencies to develop remedial action plans to manage the risk associated with purchase card usage. Agencies were required to submit their plans to the Office of Federal Procurement Policy no later than June 1, 2002. Both HUD and Education submitted their plans to OMB on time. While Education's plan was accepted by OMB and addressed the findings and recommendations in our September 2001 interim report and final Education report, HUD's plan was rejected because it lacked a timeline for when the corrective actions would be implemented. This plan also did not address key weaknesses we identified. HUD submitted a new plan to OMB on August 28, 2002. While the revised remedial action plan includes a broad timeline for when each objective will be completed, we found that it still does not adequately address key control weaknesses we identified, in part because it lacks specific steps necessary to fully address identified problem areas. For example, HUD's plan recognizes that monitoring of purchasing activities and the frequency of internal audits are areas that need improvement. However, the plan does not address developing and implementing a robust review and approval function for purchase card transactions, focusing on identifying split purchases and other inappropriate transactions. Further, this plan does not timely address some of the other serious weaknesses we found. For example, the revised remedial plan does not require the program administration staff to begin designing a monitoring plan to assess HUD's compliance with key aspects of its purchase card policy until the second quarter of fiscal year 2003 and does not give an estimated completion date for when this key internal control will be implemented. Additionally, the revised plan does not specifically identify who is responsible for developing or implementing any of the proposed improvements. We will be issuing a separate letter to HUD that will include recommendations to address these and other issues we identified during our review of its purchase card program. In contrast, Education's plan specifically addresses the findings and recommendations in our September 2001 interim report and final Education reports. These recommendations included (1) emphasizing policies on appropriate use of the purchase card and cardholder and approving official responsibilities, (2) ensuring that approving officials are trained on how to perform their responsibilities, and (3) ensuring that approving officials review purchases and their supporting documentation before certifying the statements for payment. Education took actions to respond to these recommendations, such as (1) reducing monthly and single purchase spending limits, (2) blocking over 300 MCCs, (3) implementing a new approval process, and (4) issuing new policies and procedures. However, during our follow-up work at Education, we found that weaknesses remained that continued to leave the department vulnerable to fraudulent and improper payments and lost assets. For example, the effectiveness of the department's new approval process was minimized because approving officials were not ensuring that adequate supporting documentation existed for all purchases. According to Education, it has since implemented a quarterly monitoring program to assess compliance with key aspects of the purchase card program. As discussed in our Executive Guide, which I will cover later, managing improper payments is a continuous cycle and includes, among other things, constant monitoring of the effectiveness of implemented controls and adjustments to these controls as warranted by monitoring results. Controls over Education's Grants Disbursement Process Failed to Detect Certain Improper Payments: Education's grant and loan disbursement process relies on computer systems application controls, or edit checks, to help ensure the propriety of payments. We focused our review on these edit checks and related controls because they are key to helping prevent or detect improper payments in an automated process. As we testified in July 2001, [Footnote 15] controls over grant and loan disbursements at Education did not include a key edit check or follow-up process that would help identify schools that were disbursing Pell Grants to ineligible students. To identify improper payments that may have resulted from the absence of these controls, we performed a variety of tests, including a test to identify students 70 years of age and older because we did not expect large numbers of older students to be receiving Pell Grants. [Footnote 16] Our review also built upon earlier work where we identified abuses in the Pell Grant program. [Footnote 17] Based on the initial results of our tests and because of the problems we identified in the past, we expanded our review of seven schools that had disproportionately high numbers of older students to include recipients 50 years of age and older. We found that three schools fraudulently disbursed about $2 million in Pell Grants to ineligible students, and another school improperly disbursed about $1.4 million in Pell Grants to ineligible students. We also identified 31 other schools that had similar disbursement patterns to those making the payments to ineligible students. These 31 schools disbursed approximately $1.6 million of Pell Grants to potentially ineligible students. We provided information on these schools to Education for follow-up. Education's staff and officials told us that they have performed ad hoc reviews in the past to identify schools that disbursed Pell Grants to ineligible students and have recovered some improper payments as a result. However, Education did not have a formal, systematic process in place specifically designed to identify schools that may be improperly disbursing Pell Grants. In our September 2001 interim report, we recommended that the Secretary of Education (1) establish appropriate edit checks to identify unusual grant and loan disbursement patterns and (2) design and implement a formal, routine process to investigate unusual disbursement patterns identified by the edit checks. Education subsequently implemented an age limit edit check of 75 years of age or older. If the student's date of birth indicates that he or she is 75 years of age or older, the system edit will reject the application and the school will not be authorized to give the student federal education funds until the student either submits a corrected date of birth or verifies that it is correct. However, without also looking for unusual patterns and following up, the edit may not be very effective, other than to correct data entry errors or confirm older students applying for aid. Education also implemented a new system, called the Common Origination and Disbursement (COD) system, which became operational in April 2002. Education officials told us that this integrated system will replace the separate systems Education has used for Pell Grants, direct loans, and other systems containing information on student aid, and it will integrate with applicant data in the application processing system. The focus of COD is to improve program and data integrity. If properly implemented, a byproduct of this new system should be improved controls over grant and loan disbursements. According to Education officials, they will be able to use COD to identify schools with characteristics like those we identified. However, until there is a mechanism in place to investigate schools once unusual patterns are identified, Education will continue to be vulnerable to the types of improper Pell Grant payments we identified during our review. We performed several additional tests of Education's disbursements to identify potentially improper grant and loan payments that may not have been detected because of missing or ineffective edit checks. In addition to Pell Grant payments to students 70 years of age and older, we identified $28.8 million of other potentially improper grant and loan payments made by more than 1,800 schools to students who (1) were much older or younger than would be expected, (2) had social security numbers (SSN) that were either not in Social Security Administration (SSA) database or were in SSA death records, or (3) received Pell Grants in excess of statutory limits. Based on supporting documentation provided to us by Education, we determined that $20.3 million of these payments were proper. However, Education did not provide adequate supporting documentation to enable us to determine the validity of the remaining $8.5 million of payments made by these schools. Although Education officials told us that they requested supporting documentation from the approximately 1,800 schools that disbursed these funds, over 1,000 schools did not provide the documentation, and documentation provided by some of the schools was inadequate for independent verification of the validity of these payments. According to Education officials, if a school that did not provide support or provided inadequate support had only a small number of potential improper payments, the department did not follow up because it did not consider doing so a wise use of its resources. We agree that Education should weigh the costs of resources required to follow up on potential improper payments with the benefits that could be obtained when making such decisions. However, 20 of the schools that did not provide support or provided inadequate support had from 20 to 138 instances of these potential improper payments totaling $1.5 million. While the amount of improper and potentially improper grant and loan payments we identified is relatively insignificant compared to the billions of dollars disbursed for these programs annually, it represents a control risk that could easily be exploited to a greater extent. As I will discuss later, once such a risk has been identified, appropriate control activities need to be implemented to respond to it. In addition to the recommendations that I have already discussed, we previously recommended that Education (1) conduct on-site investigations, including interviews of school personnel and students, at the 28 schools with characteristics similar to those we found that improperly disbursed Pell Grants to determine whether the grants were properly disbursed, (2) follow up with the schools that had high concentrations of the $12 million in potential improper payments for which the department did not provide adequate supporting documentation, and (3) implement a process to verify borrowers' SSNs and dates of birth submitted by schools to Loan Origination System (LOS). While Education has implemented a process to verify borrowers' SSNs and dates of birth submitted by schools to LOS, the other two recommendations remain open. Lack of Monitoring of a Key HUD Contractor Resulted in Improper Payments: Internal control standards state that monitoring should assess the quality of performance over time and ensure that review findings are promptly resolved. Due to a lack of monitoring, the internal controls of the HUD multifamily housing program's payment processes do not provide reasonable assurance that improper payments would be identified and corrected in the normal course of business. As we testified in July 2002, HUD has a limited ability to effectively monitor its contractors and as I am about to discuss, this left HUD vulnerable to abusive billing practices by its property management firms. [Footnote 18] HUD contracts with two property management firms, which are given a great deal of autonomy, to manage the operation of its multifamily properties, [Footnote 19] including apartment projects, nursing homes, and hospitals. These management firms are charged with initiating property renovations, hiring on-site staff, selecting vendors and certifying the acceptable delivery and performance of these activities. The vendors that provide the goods and services at the HUD properties submit their invoices to the property management firm for payment by HUD. The management firm forwards the invoices and required supporting documentation to another HUD contractor that maintains the department's property management system, provides a limited cursory review of the supporting documentation, and pays the vendors. HUD pre-approval for payment of these goods and services is not required when (1) the vendor's estimate will cost less than agreed upon dollar thresholds, which, depending upon the property management company, are as high as $50,000, or (2) an emergency situation exists that affects or endangers the health and/or safety of residents or property. The property manager is also not required to obtain competitive bids when the work is done to correct an emergency situation. Generally, the contractor that pays the vendors obtains a daily E-mail authorization from HUD prior to disbursing the funds. However, unless the amount exceeds the predetermined thresholds, HUD does not routinely review documentation supporting the payments and does not verify that the work was actually performed. Given the fairly broad delegation of authority to these contractors, it is important that HUD have effective processes for monitoring performance and the propriety of payment. We found that HUD did not comply with its monitoring policy to perform quarterly, on-site inspections and management reviews of its multifamily housing projects and had incomplete guidance on how to do so. Inspections and reviews were not conducted at the majority of multifamily properties and HUD could not provide documentation for some of the limited reviews and inspections that HUD officials said were performed. We found no on-site inspection guidance in the multifamily handbook, which establishes the policies and procedures to be followed by the multifamily staff. In two instances where HUD did conduct and document reviews of one of the property management firms, it did not follow up on or promptly resolve its findings. Based on these two reviews of the purchasing practices of the property management firm, HUD documented concerns about the (1) amount of money being disbursed to a limited number of construction companies with little control in place to ensure fair and reasonable prices and (2) unusually high number of emergency renovations made by this management firm. Yet HUD continued to authorize payments of over $8 million to these construction companies after it was known that the property management firm was not selecting these companies in accordance with provisions of its contract that required obtaining competitive quotes from several vendors, even for purchases below the $50,000 pre-approval threshold. Obtaining competitive quotes helps ensure that the government pays a reasonable price for goods and services. The property management firm told HUD that the vendors it used were the only ones that would work in the neighborhoods where the properties were located, and that other vendors did not feel comfortable with HUD's vendor payment process. HUD's staff accepted this explanation without independent verification. Had HUD followed up on their findings, it may have discovered what we found - funds being disbursed for alleged emergency goods and services that were not received or performed. Using computerized data mining techniques, we analyzed the $214 million of multifamily property payments made during fiscal year 2001 to identify potentially improper payments that could have resulted from HUD's lack of contractor oversight. The majority of the questionable disbursements identified by our analyses were for transactions initiated by one of the two management firms. Hence, we concentrated our efforts on HUD disbursements for this firm's transactions. Based on our data mining and reviews of the supporting documentation, we determined that a vice president and maintenance director of this property management firm, on numerous occasions circumvented HUD controls by (1) alleging that construction renovations were emergencies, thus not requiring multiple bids or HUD pre-approval, and (2) splitting renovations into multiple projects to stay below the $50,000 threshold of HUD-required approval. Over 18 months HUD authorized and paid for approximately $10 million of renovations, of which each invoice was for less than $50,000, at two properties where the above-mentioned maintenance director was employed. HUD did not verify that any of the construction renovations were actually performed or determine whether the emergency expenditures constituted such a classification. The following examples of improprieties, which are now being investigated by the HUD OIG and our Office of Special Investigations, could have been prevented or detected had HUD performed its contractor monitoring responsibilities. During June 2001, the maintenance director of the property management company falsified documents that indicated that 15,000 square feet of concrete sidewalk, at a cost of $227,500, was replaced and classified these repairs as an emergency. To remain below the HUD threshold of $50,000, the property management maintenance director had the vendor submit five separate invoices, each for $45,500, for the replacement of 3,000 square feet of concrete sidewalk in front of five buildings. HUD's contractor paid all five invoices. Based on our site visits and conversation with the maintenance director, we determined the square footage billed for sidewalk replacement had not actually been replaced. Figure 1 illustrates how only portions (the lighter shaded sections) of the sidewalk were replaced and not the entire sidewalk as was listed on the paid invoices. Figure 1: HUD Improper Payments: [See PDF for image] This figure is a photograph of the sidewalk referenced in the above paragraph. [End of figure] With the assistance of an independent construction firm, we hired, we determined that only about one-third of the work HUD paid for was actually performed. As a result, more than $164,000 of the $227,500 billed and paid for "emergency" installation of concrete sidewalk appears to be fraudulent. At this same property, we found instances where HUD paid construction companies for certain apartment renovations, deemed "emergency repairs," that were not made. Three of the 10 tenants we interviewed told us that some work listed on the invoice that the property management firm submitted was not performed at their homes. For instance, while an invoice indicated that the apartment floor and closet doors had been replaced at a cost of $10,400, the tenant stated that the floors and doors were never replaced. On several other occasions, HUD paid the same amount to perform "emergency renovations" of apartments of varying sizes and, more than likely, in differing degrees of disrepair. For example, HUD paid three identical $32,100 invoices for the emergency renovation of a one bedroom (600square feet), a two bedroom (800 square feet) and a three bedroom (1000 square feet) apartment. All three invoices listed the exact work performed. For example, each invoice listed a $4,500 cabinet fee, yet the one bedroom unit had five fewer cabinets than the three bedroom dwelling. We and the independent construction firm we hired questioned the validity of the same charge for units of varying sizes and the likelihood of numerous apartments being in identical condition and in need of the same extensive renovations. When confronted with these disparities, the property management company's maintenance director told us that although he did not have any documentation to support it, he kept mental notes of work that was billed and not performed and had the construction company perform additional unbilled renovations, rather than revising original emergency invoices. Our review of the maintenance director's files found multiple "boilerplate" copies of signed receiving reports, indicating that acceptable emergency work had been done, that had yet to be awarded to vendors, further evidence of ongoing improprieties. We will be providing formal recommendations to HUD to address these issues, as well as other acquisition management challenges, in a separate report to be issued in November 2002. Strategies to Manage Improper Payments: Now I would like to talk about some of the things that HUD, Education, and other federal agencies can do to address their improper payments comprehensively. As we recently reported, [Footnote 20] our review of improper payments reported in agency financial statements over the past 3 years shows some change in individual agencies and programs, but little change in the total amount over the period. While the total reported amount has decreased from about $20.7 billion in fiscal year 1999 to $19.1 billion in fiscal year 2001, these figures do not give a true picture of the level of improper payments in federal programs and activities. As significant as the $19 billion in improper payments is, the actual extent of improper payments government wide is unknown, likely to be billions of dollars more, and will likely grow without concerted, coordinated efforts by agencies, the administration, and the Congress. As we have seen, weak or nonexistent internal controls can result in a variety of improper payments that can affect an agency's ability to achieve its goals. Attacking the problem of improper payments requires strategies tailored to the organization involved and its particular risks. To identify effective practices and provide case illustrations and other information for federal agencies to consider when addressing improper payments, we contacted public and private sector organizations and talked with them about actions they had taken and considered effective in reducing improper payments. Participants were the Department of Health and Human Services' Health Care Financing Administration; [Footnote 21] the Social Security Administration; the Department of Veterans Affairs; the states of Illinois, Texas, and Kentucky; the governments of Australia, New Zealand, and the United Kingdom; and three private sector corporations. Our executive guide, Strategies to Manage Improper Payments: Learning from Public and Private Sector Organizations, issued last year, highlights the actions taken by these organizations. We categorized the actions into the five components of internal control outlined in the Comptroller General's Standards for Internal control in the Federal Government. We defined these components as follows: * Control environment - creating a culture of accountability by establishing a positive and supportive attitude toward improvement and achievement of established program outcomes. * Risk assessment - performing comprehensive reviews and analyses of program operations to determine if risks exist and if so, their nature and extent. * Control activities - taking actions to address identified risk areas and help ensure that management's decisions and plans are carried out and program objectives are met. * Information and communications - using and sharing relevant, reliable and timely financial and nonfinancial information in managing activities related to improper payments. * Monitoring - tracking improvement initiatives over time, and identifying additional actions needed to further improve program efficiency and effectiveness. I will address each of these control activities briefly in turn, giving examples that illustrate their use in combating improper payments. While I will discuss these activities separately, it is important to remember that managing improper payments typically requires continuous interaction among these areas. Control Environment: Instilling a Culture of Accountability: Perhaps the most significant of the elements critical to identifying, developing and implementing activities to reduce improper payments is the control environment. Top officials, whether in government or the private sector, and oversight bodies such as legislatures, set the stage for change with clearly established expectations and demands for improvement. Many of the officials we met with in the course of our work told us that without the clearly established demands and expectations for improvement by top management and legislators, little would have happened to effectively reduce fraud and errors in their programs. In addition, while top management sets the tone for cultural change, all personnel must buy into this change and work to achieve its overall goals. The cultural change fostered by an effective control environment stresses the importance of improvement and efficient and effective program operations while maintaining a balance with concerns about privacy and information security in a world where computers and electronic data are indispensable to making payments. In the oversight and legislative arena, it involves initiatives such as those in the President's Management Agenda, as I discussed earlier and legislation such as that introduced by you, Mr. Chairman, which requires comprehensive improper payment reviews and reporting. Interest in the amount of improper payments at the organizations that participated in our study often resulted from program, audit or media reports of misspent funds or fraudulent activities. As the magnitude of improper payments became known, government officials and legislative bodies faced increased pressure to reduce them. In Texas, for instance, the legislature was instrumental in changing in the state's benefit programs after reports of improper payments in the Medicaid program that ranged from $365 million to $730 million as well as in the Temporary Assistance to Needy Families and Food Stamps programs, estimated at a total of $222.4 million. Lawmakers sought to reduce these improper payments by mandating specific actions that included use of computer technology to deter fraud and abuse. The government has led the way in setting the stage for changes in the United Kingdom. Following Comptroller and Auditor General reports stating that the government did not know enough about the level of fraud in its benefits programs, Parliament required the Department of Work and Pensions (DWP) to improve measurement of fraud in its programs. DWP conducted a benefit review from which the government estimated that $3 billion per year were lost to known fraud. The government further noted that if all suspicions of fraud were well founded, the figure could be as high as $10 billion per year. DWP proposed a strategy to reform the welfare system and reduce improper payments. Through the process, Parliament has stayed actively involved, enacting legislation to allow data sharing between government agencies and departments. In addition, the Treasury requires departments to disclose irregular expenditures arising from erroneous benefit awards and fraud by claimants. Further, the Comptroller and Auditor General qualified his opinion on DWP's fiscal years 1995 through 2000 financial statements because of the level of fraud and error identified in the benefit programs. This served to reinforce the message that high levels of improper payments are unacceptable. At the day-to-day level, improper payments resulting from miscalculation and other errors often receive inadequate attention. Centrelink, a "one-stop shop" that pays a variety of Australian government benefits, found through audit reports that up to 30 percent of its work was rework. The organization's management responded by implementing a "Getting it Right" strategy in 2000, setting out the roles and responsibilities of managers and team leaders as well as minimum standards for the staff to apply when making payment decisions. Centrelink distributed posters and mouse pads to reinforce the "Getting it Right" message. Centrelink's Chief Executive Officer has stated that she expects the implementation of the strategy to result in a reduction of improper payments as well as continued timeliness in payments to beneficiaries. Study participants successfully used the following strategies to create a control environment that instilled a culture of accountability over improper payments, and could also be used at federal agencies: * Provide leadership in setting and maintaining the agency's ethical code of conduct and in ensuring proper behavior under the code. * Provide a cultural framework for managing risk by engaging everyone in the organization in the risk management process. * Increase accountability by establishing goals for reducing improper payments for major programs. * Foster an atmosphere that regards improper payments as unacceptable. Among the organizations we studied, pressures from oversight entities and top management were instrumental in creating change. The President's Management Agenda and the previously mentioned legislation help define and communicate the need for improvement. By being transparent in redefining the culture, oversight entities and top management can set expectations and obtain agreement on the need for change from individuals managing day-to-day program activities. This culture of accountability is necessary to begin the critical next step in managing improper payments, the risk assessment process. Risk Assessment: Determining the Nature and Extent of the Problem: Strong systems of internal control provide reasonable assurance that programs are operating as intended and are achieving expected outcomes. A key step in gaining this assurance is conducting a risk assessment. This involves comprehensively reviewing and analyzing program operations to determine where risks lie and what they are, and then measuring the potential or actual effect of those risks on program operations. The information developed during a risk assessment forms the foundation from which management can determine the corrective actions needed and provides baseline information for measuring progress. Specific methodologies for managing risk vary by organization depending on mission and the difficulty in quantifying and defining risk levels. In addition, because economic, governmental, industrial, regulatory, and operating conditions continually change, risk assessments should be updated to identify and address any new risks. The organizations that participated in our study found that conducting risk assessments to determine the nature of their improper payments was essential to helping them focus on the most significant problem and determine what needed to be done to address it. While many federal agencies do not perform risk assessments, some do. The Department of Health and Human Services, for example, began reporting an annual estimate of improper payments in the Medicare fee- for-service program in 1996. In fiscal year 2001, it reported estimated improper Medicare fee-for-service payments of $12.1 billion, or about 6.3 percent of such benefits. This analysis and reporting has led to the implementation of several initiatives to identify and reduce improper payments, including working with medical providers to ensure that medical records support billed services. HUD also measures improper payments in its housing assistance programs, reporting $1.87 billion in fiscal year 2000 and $2 billion in fiscal year 2001. HUD has taken actions to identify the risks associated with these programs and is working to refine the procedures currently used to obtain more useful information. HUD has not, however, done risk assessments in other disbursement areas. A thorough risk assessment allows organizations to target high-risk areas, focusing limited resources where the greatest exposure exists. The Illinois Department of Public Aid (IDPA), for instance, found that it had a payment accuracy rate of 95 percent. Its payment accuracy review identified errors and their causes that allowed IDPA to focus its attention on the 5 percent of inaccurate payments. In doing so, it discovered that of the $37.2 million spent for nonemergency transportation services, $11.55 million, or 31 percent, was estimated to be in error. This discovery led to a series of actions to address this problem. Government agencies in other countries have also used payment accuracy reviews to identify high-risk areas. For instance, the United Kingdom's DPW uses the results of rolling program reviews to determine levels of fraud and error in its Income Support and Jobseeker's Allowance benefit programs. These reviews quantify the amount of fraud and error affecting benefit claims and are used to target areas for prevention and detection. Participants in our study used the following strategies successfully to assess risk and determine the nature and extent of improper payments. We believe that federal agencies should also consider these strategies to address improper payments. * Institute a systematic process to estimate the level of improper payments being made by the organization. * Based on this process, determine where risks exist, what those risks are, and the potential or actual effect of those risks on program operations. * Use the results of the risk assessment to target high-risk areas and focus resources where the greatest exposure exists. * Reassess risks on a recurring basis to evaluate the effect of changing conditions, both external and internal, on program operations. Assessing risk allows an organization to set goals and target its efforts to reduce improper payments. Having developed such a framework, an organization can then proceed to determine which control activities to implement to reduce risks and, ultimately, fraud and errors. Control Activities: Taking Action to Address Identified Risk Areas: Control activities are the policies, procedures, techniques, and mechanisms that are designed to help ensure that management's decisions and plans are carried out. Once an organization has identified and quantified the risks in its operations, and management has set a goal for reducing the risks, the organization must take action to achieve that goal. Control activities used by organizations to address improper payments vary depending on risks faced; objectives; managerial judgment; size and complexity of the organization; the operational environment; sensitivity of data; and requirements for system reliability, availability, and performance. Control activities can include both prepayment and post payment mechanisms. Given the large volume of federal payments, it is generally more efficient to prevent improper payments rather than attempt to recover overpayments that have already been made. Recognizing, however, that some overpayments are inevitable, agencies should adopt effective detection techniques to identify and recover them. These techniques can range from sophisticated computer analyses of program data to post award contract audits and are dictated by the type of payment activity that presents the most risk in a particular organization. They include the following: * data sharing, which allows organizations to compare information from different sources to help ensure that payments are appropriate; * data mining, which analyzes data for relationships that were previously unknown; * neural networking, which analyzes associations and patterns among data elements; * recovery auditing, which is the practice of identifying and recovering overpayments using payment file information; * contract audits, which verify that payments are being made in accordance with contract terms and applicable regulations, and; * prepayment investigations, in which contradictory information is investigated before payment is made. Data sharing, data mining, and neural networking techniques are powerful internal control tools that provide useful, timely access to information. Using these techniques can provide potentially significant savings by identifying reporting errors and misinformation before payments are made or by detecting improper payments already made. However, more extensive use of personal information in an evolving technological environment raises new questions about privacy and how it should be protected. In the federal arena, these techniques must be implemented consistent with the protections of the Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, and other privacy statutes. These techniques are an example of the types of activities that our study participants found useful. For example, in 1995, the United Kingdom formalized data matching between government organizations. It reported that through March of 2000, it had saved about $450 million dollars. Further, from April 1999 through March 2000, data matches identified 217,000 inconsistencies for investigation, resulting in another $53 million in benefit savings. In the United States, SSA shares information with federal agencies through more than 15 data matches to prevent and detect fraud. SSA estimates that it saves approximately $1.5 billion each year for other agencies through data these data matches. In its own programs, SSA estimates that it saves $350 million annually for Old Age and Survivors Insurance and Disability Insurance and $325 million annually for Supplemental Security Income through the use of data matching. While data matching or sharing gives an organization the means to compare data from different sources, data mining offers a tool to review and analyze diverse data. The IDPA, for instance, had identified one of its risk areas as health care providers who were billing in excess of 24 hours in a single day. Using its data mining capability, the Illinois OIG identified 18 providers who had billed in excess of 24 hours for at least 1 day during a 6-month period. A number of these providers were already under investigation for other program violations. As a result of this analysis, the OIG planned to refer serious cases to law enforcement agencies and take administrative action against less serious violators. Neural networking analyzes associations and patterns among data elements, allowing an organization to find relationships that can result in new queries. In Texas, models used with neural networking technology identified fraudulent patterns from large volumes of medical claims and patient and provider history data. Such models can help identify perpetrators of both known and unknown fraud schemes by analyzing utilization trends, patterns, and complex interrelationships in the data. The state currently has models for physicians and dentists and plans to initiate a model for pharmacies. Recovery auditing, which came into use about 30 years ago, has a long- standing record in the private sector, and more recently, in the federal government. [Footnote 22] More extensive use of recovery auditing could offer federal agencies an opportunity to prevent and detect improper payments. One private sector company that participated in our study contracted with a recovery audit firm to review its accounts payable files. The company's own systems had found no errors in these files, yet the review resulted in the recovery of $8 million in improper payments. Subsequently, the company began to use recovery auditing techniques on accounts payable information to prevent improper payments, through such things as identifying potential duplicate payments. During our visit, this system identified and avoided a duplicate payment of $136,000 from the reports generated by the recovery audit software. In addition, as a result of using recovery auditing before payments are made, the company identified and stopped the processing of $41 million in duplicative wire payments. The particular software this company uses also identifies the employees making the errors so that they can be trained appropriately. The organizations that participated in our study used the following strategies successfully to identify and address risks. We believe these same strategies could be used successfully by federal agencies. * Based on an analysis of the specific risks facing the organization, and taking into consideration the nature of the organization and the environment in which it operates, determine which types of control activities would be most effective in addressing the identified risks. * Where in-house expertise is not available, investigate the possibility of contracting activities out to firms that specialize in specific areas, such as recovery auditing and neural networking. * Perform cost-benefit analyses of potential control activities before implementation to help ensure that the cost is not greater than the potential benefit. * Ensure that personnel involved in developing, maintaining, and implementing control activities have the requisite skills and knowledge, recognizing that staff expertise needs to be frequently updated in evolving areas such as information technology and fraud investigation. * Recognize and consider the importance of privacy and information security issues when developing and implementing control activities. An agency's internal control activities should be flexible, weigh costs and benefits, and be tailored to an agency's needs. Once control activities are in place, the internal control cycle continues with the prompt communication of information that managers need to help them carry out these activities and run their operations efficiently and effectively. Information and Communications: Using and Sharing Knowledge to Manage Improper Payments: Those responsible for managing and controlling program operations need relevant, reliable, and timely financial and nonfinancial information to make operating decisions, monitor performance, and allocate resources. This information can be obtained through a variety of sources using a wide range of data collection methodologies. The organizations that participated in our study used internal and external sources to obtain the information they needed. Further, these sources varied widely, from multiple computer databases to periodic meetings. The need for information and communication also extends beyond organizational boundaries. Many of the governmental programs with improper payments are benefit programs that involve recipients and providers of services. Organizations in our study developed educational programs to assist these participants in understanding eligibility and other requirements, and for service providers, information on issues including common claim filing errors. For instance, in 1997 Texas implemented several initiatives to educate new medical providers before they enroll in the Texas Medicaid program. Each new provider receives a hand-delivered package with information on claim filing, helpful tips, and instructions on how to use the automated phone system for inquiries. Three months after the provider is enrolled, a field representative from Medicaid evaluates a sample of the provider's claims and revisits the provider to answer questions and discuss any problems noted in the claims sample. In another example, Australia's Health Insurance Commission (HIC) implemented a feedback program to provide medical practitioners with regular information about their own benefit authorization, patient demographics, and comparative statistical information showing services rendered and the dollar value of benefits paid. All 32,000 practitioners receive correspondence once a year from HIC. While at first most practitioners did not realize that HIC was able to accumulate and analyze this information, the program has now become an effective deterrent to wrongdoing as well as a desired source of information to medical providers. Some practitioners have asked for additional information or statistics prior to the annual feedback report. HIC has since established an on-line feedback and statistics site for general practitioners, 2,100 of whom accessed their reports online in 1999. Coordination and cooperation with local law enforcement and other sources outside an agency can also establish an infrastructure conducive to preventing and detecting fraud. The IDPA OIG established a Fraud and Abuse Executive (FAE) whose objective is to be a conduit among internal and external parties for all fraud issues. As a result of cooperation between the Illinois State Police, one bank, and the FAE, thousands of dollars in fraudulent payments were stopped and a number of perpetrators were arrested. Organizations that participated in our study used the following strategies to help them effectively use and share knowledge to manage improper payments. These strategies could also be used by federal agencies. * Determine what information is needed by managers to meet and support initiatives aimed at reducing improper payments. * Ensure that necessary information provided to managers is accurate and timely. * Provide managers with timely feedback on applicable performance measures so they can use the information to manage their programs effectively. * Develop educational programs to assist program participants in understanding program requirements. * Ensure that there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant effect on improper payment initiatives. * Develop working relationships with other organization to share information and pursue potential instances of fraud or other wrongdoing. Communications are effective when information flows up, down, and across an organization. In addition to internal communications, management should ensure that there are adequate means to give and obtain information from external parties who could have an effect on the agency's goals. Moreover, effective information technology management is critical. Managers need operational and financial data to monitor whether they are meeting their agency's goals with appropriate resources. Monitoring: Tracking the Success of Improvement Initiatives: Monitoring focuses on assessing the quality of an organization's performance over time and on promptly resolving problems identified either through separate program evaluations or audits. Evaluation of an organization's programs and its successes in meeting its established goals and in identifying additional actions is an integral element of performance measurement and continued improvement in operations. Once an organization has identified its risks related to improper payments and undertaken activities to reduce these risks through internal controls, monitoring performance allows the organization to gauge how well its efforts are working. When Illinois had assessed the risk of improper payments in its Medicaid program, based on the results, it implemented initiatives to improve payment accuracy. To monitor the effect of the new initiatives, the state uses random claims sampling to test the accuracy of payments. The goal of the project, which reviews 1,800 claims per year, is to ensure that every paid claim faces an equal chance of random review. This approach not only provides periodic estimates of payment accuracy rates but helps deter future erroneous and fraudulent billings. Performance measures are key to monitoring progress in addressing improper payments. The government of New Zealand, for instance, requires audited statements of objectives and service performance to be included along with financial statements. These statements include performance measures related to improper payments. Work and Income New Zealand (WINZ), a government agency that provides income support and employment assistance to eligible people, has established performance measures for entitlement accuracy, services to reduce benefit crime, and debt management. WINZ's financial statements are the main accountability reports used by Parliament to monitor the agency's performance. In addition, Parliament uses the audited information to make informed decisions on resource allocation, and through a monitoring body, to hold the entity's chief executive officer responsible if performance standards are not met. Participants in our study used the following strategies successfully to track the success of improvement initiatives. We believe the strategies would be effective for federal agencies as well. * Establish agency-specific goals and measures for reducing improper payments. * Using baseline information for comparison, periodically monitor the progress in achieving the established performance measures. * Make the results of performance reviews widely available to permit independent evaluations of the success of efforts to reduce improper payments. * Ensure timely resolution of problems identified by audits and other reviews. * Adjust control activities, as necessary, based on the results of monitoring activities. Organizations should monitor the control activities they use to address improper payments continuously, ingraining them in their operations. This kind of ongoing monitoring enables organizations to measure how well they are doing, track performance measures, and adjust control activities based on the results. Monitoring should also include policies and procedures for communicating review results to appropriate individuals in the organization so any problems can be resolved. Conclusions: In closing, Mr. Chairman, I want to emphasize that high levels of improper payments need not and should not be an accepted cost of running federal programs. The organizations that participated in our study found that they could effectively and efficiently manage improper payments by (1) changing their organization's control environments or cultures, (2) performing risk assessments, (3) implementing activities to reduce fraud and errors, (4) providing relevant, reliable and timely information and communication to management on results and (5) monitoring performance over time. While HUD, Education, and other agencies have taken some steps in these areas, effectively addressing improper payments requires a comprehensive strategy that permeates the entire organization. Implementing such a comprehensive strategy at federal agencies will not be easy or quick. It will require continued strong support from the President, the Congress, top-level administration appointees, and agency officials. The effort must include a willingness to dedicate personnel and money to implement the changes. This could involve performing needs assessments and hiring individuals with the necessary skills and knowledge to turn planned actions into reality. In addition, many actions that proved successful for organizations in our study involved computer assisted analyses of data. Implementing some of these practices could involve funding for computer software or hardware, and additional staff or training. In addition, it is important that the results of actions taken to address improper payments be openly communicated not only to the Congress and agency management, but to the public. This transparency demonstrates the importance that government places on the need for change at the same time it openly communicates performance results. It also acts as an incentive for agencies to be ever vigilant in their efforts to address wasteful spending that results from weak controls that lead to improper payments. Mr. Chairman, this concludes my statement. I would be happy to answer any questions you or other Members of the Subcommittee may have. Contact and Acknowledgments: For information about this statement, please contact Linda Calbom, Director, Financial Management and Assurance, at (202) 512-9508 or at calboml@gao.gov. Individuals making key contributions to this statement include Dan Blair, Don Campbell, Lisa Crye, Anh Dang, Bonnie Derby, Kelly Lehr, Carla Lewis, Sharon Loftin, Irving McMasters, Diane Morris, Andy O'Connell, Russell Rowe, Ruth Walk, Brooke Whittaker, and Doris Yanger. [End of section] Footnotes: [1] U.S. General Accounting Office, Financial Management: Internal Control Weaknesses Leave Department of Education Vulnerable to Improper Payments, GAO-01-585T (Washington, D.C.: Apr 3, 2001); Financial Management: Poor Internal Control Exposes Department of Education to Improper Payments, GAO-01-997T (Washington, D.C.: July 24, 2001); and Education Financial Management: Weak Internal Controls Led to Instances of Fraud and Other Improper Payments, GAO-02-406, (Washington, D.C.: Mar 28, 2002). [2] U.S. General Accounting Office, Strategies to Manage Improper Payments: Learning from Public and Private Sector Organizations, GAO-02- 69G (Washington, D.C.: October 2001). [3] Because of the similarity of the Office of Management and Budget’s definition of erroneous payments to our definition of improper payments, we consider the terms synonymous. [4] U.S. General Accounting Office, Major Management Challenges and Program Risks, Department of Housing and Urban Development, GAO-01-248 (Washington, D.C.: January 2001); Major Management Challenges and Program Risks, Department of Education GAO-01-245 (Washington, D.C.: January 2001); and High-Risk Series: An Update, GAO-01-263, (Washington, D.C.: January 2001). [5] U.S. General Accounting Office, Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse, GAO-01-995T (Washington, D.C.: July 30, 2001); Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse, GAO-02-32 (Washington, D.C.: Nov 30, 2001); Purchase Cards: Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse, GAO-02- 506T (Washington, D.C.: Mar 13, 2002); and Government Purchase Cards: Control Weaknesses Expose Agencies to Fraud and Abuse, GAO-02-676T (Washington, D.C.: May 1, 2002). [6] We did not focus on HUD’s rental housing assistance program because HUD is estimating improper payments for the program, and the HUD OIG and GAO have performed extensive work in that area. [7] Our testimony today generally will not address third party drafts, since Education eliminated that payment process in fiscal year 2001. However, we will discus the results of our inventory of computers and computer equipment purchased with third party drafts. [8] Data mining for improper payments involves using computer-aided auditing techniques to identify hidden patterns and relationships in data that are indicators of unusual transactions, which may be improper payments. [9] Due to separate congressional requests, the period of our review at Education differed from that for HUD. [10] Standards for Internal Control in the Federal Government (GAO/AIMD- 00-21.3.1), which was prepared to fulfill our statutory requirement the Federal Managers’ Financial Integrity Act, provides an overall framework for establishing and maintaining internal control and for identifying and addressing major management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. [11] Based on our testing, we estimate that $4,678,689 (plus or minus $678,806) of the total $10 million in purchase card transactions made during fiscal year 2001 lacked adequate supporting documentation. Our estimate is based on a 95 percent confidence level and a tolerable error rate of $1,059,046 (10 percent of the population total of $10,590,461). [12] Department of Housing and Urban Development Office of Inspector General, Commercial Credit Card Program, 99-DP-166-0001 (Washington, D.C.: Feb 1, 1999). [13] The Government Employees Training Act, 5 U.S.C. 4103 and 4107, requires that training be related to an employee's job and prohibits expenditures to obtain a college degree unless necessitated by retention or recruitment needs, which was not the case here. [14] These additional estimated charges were identified by an Education official. Under 31 U.S.C. 1345, appropriated funds may not be used to pay the costs of non-federal individuals to attend meetings unless otherwise specifically authorized by law. 5 U.S.C. 5703 allows the federal government to pay the costs of non-federal individuals to attend meetings if the attendees are providing direct services to the government. Education could not provide us with evidence that this was the case. [15] U.S. General Accounting Office, Financial Management: Poor Internal Control Exposes Department of Education to Improper Payments, GAO-01-997T (Washington, D. C.: July 24, 2001). [16] A Pell Grant is a form of financial aid that is awarded to undergraduate students who have not earned bachelor's or professional degrees, and who are enrolled in degree or certificate programs. [17] U.S. General Accounting Office, Student Financial Aid Programs: Pell Grant Program Abuse, GAO/T-OSI-94-8 (Washington, D.C.: Oct 27, 1993). [18] U.S. General Accounting Office, HUD Management: HUD’s High-Risk Program Areas and Management Challenges, GAO-02-869T (Washington, D.C.: July 24, 2002). [19] In addition, HUD and the Massachusetts Housing Finance Agency have an agreement for the disposition and interim management of select HUD- owned multifamily properties in Boston. This pilot project was not implemented for other state housing agencies. [20] U.S. General Accounting Office, Financial Management: Coordinated Approach Needed to Address the Government’s Improper Payments Problems, GAO-02-749 (Washington, D.C.: Aug 9, 2002). [21] The Health Care Financing Administration was renamed the Centers for Medicare and Medicaid Services in July 2002. [22] Section 831 of Pub.L. 107-107 requires executive agencies that enter into contracts totaling greater than $500 million in a fiscal year to have a program for recovering any amounts erroneously paid to contractors, including the use of recovery audits. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "Subscribe to Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Jeff Nelligan, Managing Director, AndersonP1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: