GAO-10-637T, Centers for Medicare and Medicaid Services: Pervasive Internal Control Weaknesses Hindered Effective Contract Management


This is the accessible text file for GAO report number GAO-10-637T 
entitled 'Centers For Medicare And Medicaid Services: Pervasive 
Internal Control Weaknesses Hindered Effective Contract Management' 
which was released on April 28, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony: 

Before the Ad Hoc Subcommittee on Contracting Oversight, Committee on 
Homeland Security and Governmental Affairs, U.S. Senate: 

United States Government Accountability Office: 
GAO: 

For Release on Delivery: 
Expected at 2:30 p.m. EDT:
Wednesday, April 28, 2010: 

Centers For Medicare And Medicaid Services: 

Pervasive Internal Control Weaknesses Hindered Effective Contract 
Management: 

Statement of Kay L. Daly:
Director:
Financial Management and Assurance: 

GAO-10-637T: 

GAO Highlights: 

Highlights of GAO-10-637T, a testimony before the Ad Hoc Subcommittee 
on Contracting Oversight, Committee on Homeland Security and 
Governmental Affairs, U.S. Senate. 

Why GAO Did This Study: 

In November 2007, GAO reported significant deficiencies in internal 
control over certain contracts the Centers for Medicare and Medicaid 
Services (CMS) awarded under the Federal Acquisition Regulation (FAR). 
This Subcommittee and others in Congress asked GAO to perform an in-
depth review of CMS’s contract management practices. This testimony is 
based on GAO’s October 2009 report on these issues and summarizes 
GAO’s findings on the extent to which CMS (1) implemented effective 
control procedures over contract actions, (2) established a strong 
contract management control environment, and (3) implemented GAO’s 
2007 recommendations. 

GAO used a statistical random sample of 2008 CMS contract actions to 
assess CMS internal control procedures. The results were projected to 
the population of 2008 CMS contract actions. GAO reviewed contract 
file documentation and interviewed senior acquisition management 
officials. 

What GAO Found: 

GAO reported in October 2009 that pervasive deficiencies in CMS 
contract management internal control increased the risk of improper 
payments or waste. Specifically, based on a statistical random sample 
of 2008 CMS contract actions, GAO estimated that at least 84.3 percent 
of fiscal year 2008 contract actions contained at least one instance 
where a key control was not adequately implemented. For example, CMS 
used cost reimbursement contracts without first ensuring that the 
contractor had an adequate accounting system, as required by the FAR. 
These deficiencies were due in part to a lack of agency-specific 
policies and procedures to help ensure proper contracting expenditures. 

These control deficiencies stemmed from a weak overall control 
environment characterized primarily by inadequate strategic planning 
for staffing and funding resources. CMS also did not accurately 
capture data on the nature and extent of its contracting, hindering 
CMS’s ability to manage its acquisition function by identifying areas 
of risk. Finally, CMS did not track, investigate, and resolve contract 
audit and evaluation findings for purposes of cost recovery and future 
award decisions. A positive control environment sets the tone for the 
overall quality of internal control and provides the foundation for 
effective contract management. Without a strong control environment, 
the specific control deficiencies GAO identified will likely persist. 

As of the date of GAO’s October 2009 report, CMS had not substantially 
addressed seven of the nine recommendations made by GAO in 2007 to 
improve internal control over contracting and payments to contractors. 

Table: GAO’s 2009 Assessment of CMS Actions to Address Prior 
Recommendations: 

GAO recommendation: 1. Develop policies for pre-award contract 
activities; 
GAO assessment: No action taken. 

GAO recommendation: 2. Develop policies regarding cognizant federal 
agency responsibilities; 
GAO assessment: Actions insufficient. 

GAO recommendation: 3. Develop policies that clarify roles and 
responsibilities during the invoice review process; 
GAO assessment: Completed. 

GAO recommendation: 4. Develop guidelines regarding sufficient detail 
to support contractor invoices; 
GAO assessment: No action taken. 

GAO recommendation: 5. Establish criteria for negative certification 
for payment of invoices; 
GAO assessment: No action taken. 

GAO recommendation: 6. Provide training on the invoice review policies; 
GAO assessment: Actions insufficient. 

GAO recommendation: 7. Develop a centralized tracking mechanism for 
employee training; 
GAO assessment: Completed. 

GAO recommendation: 8. Develop a plan to reduce the backlog of 
contracts eligible for closeout; 
GAO assessment: Actions insufficient. 

GAO recommendation: 9. Review the questionable payments identified in 
GAO’s 2007 report; 
GAO assessment: Actions insufficient. 

Source: GAO. See GAO-10-60 for further details. 

[End of table] 

To the extent that CMS has continuing weaknesses in contracting 
activities, it will continue to put billions of taxpayer dollars at 
risk of improper payments or waste. 

What GAO Recommends: 

GAO’s October 2009 report included 10 recommendations to improve 
oversight and strengthen CMS’s control environment and reaffirmed 7 
recommendations from our November 2007 report. CMS concurred with the 
new recommendations, but generally disagreed with GAO’s assessment of 
progress on the 2007 recommendations. GAO’s analysis confirmed only 
limited progress at that time. 

View [hyperlink, http://www.gao.gov/products/GAO-10-637T] or key 
components. For more information, contact Kay L. Daly at (202) 512-
9095 or dalykl@gao.gov. 

[End of section] 

Madam Chairman and Members of the Subcommittee: 

I am pleased to be here today to discuss contract management at the 
Centers for Medicare and Medicaid Services (CMS), a component of the 
Department of Health and Human Services (HHS). CMS administers 
Medicare and Medicaid, two programs included on our high-risk list, 
[Footnote 1] and other programs such as the State Children's Health 
Insurance Program. CMS relies extensively on contractors to assist in 
carrying out its basic mission, including program administration, 
management, and oversight of its health programs. In fiscal year 2008, 
the most recent fiscal year for which data were available at the time 
we completed our work, CMS reported that it obligated $3.6 billion 
under contracts for a variety of goods and services. CMS's 
acquisitions include contracts to administer, oversee, and audit 
claims made under the Medicare program; provide information technology 
systems; provide program management and consulting services; and 
operate the 1-800 Medicare help line. 

In November 2007, we reported[Footnote 2] pervasive deficiencies in 
internal control over certain contracts used by CMS for start-up 
administrative services to implement programs enacted under the 
Medicare Prescription Drug, Improvement, and Modernization Act of 2003 
(MMA).[Footnote 3] We reported that CMS's internal control 
deficiencies resulted in millions of dollars of questionable payments 
to certain contractors, primarily because CMS did not obtain adequate 
support for billed costs. Internal control--the plans, methods, and 
procedures used to meet missions, goals, and objectives--is the first 
line of defense in safeguarding assets and preventing and detecting 
fraud and errors and helps government program managers achieve desired 
results through effective stewardship of public resources. 

Because of concerns about the implications that these weaknesses may 
have on all CMS contracts generally subject to the requirements of the 
Federal Acquisition Regulation (FAR),[Footnote 4] we were asked to 
perform a comprehensive, in-depth review of internal controls over 
CMS's contract management practices. My remarks today are based on the 
findings and recommendations included in our subsequent report issued 
in October 2009.[Footnote 5] That report addressed the extent to which 
(1) CMS implemented effective internal control procedures over 
contract actions to help ensure proper contracting expenditures and 
(2) CMS established a strong control environment for contract 
management. Our report also discussed the extent to which CMS 
implemented the recommendations we made in 2007 to improve internal 
control over contracting and payments to contractors. For this 
testimony, because of the relatively short time between the request to 
testify and the hearing date, we did not have sufficient time to 
update the status of CMS's actions to implement our prior 
recommendations. 

Scope and Methodology: 

To address the extent to which CMS implemented control procedures over 
contract actions, we focused on contracts that were generally subject 
to the FAR (i.e., FAR-based),[Footnote 6] which represented about $2.5 
billion, or about 70 percent, of total obligations awarded in fiscal 
year 2008. The FAR is the governmentwide regulation containing the 
rules, standards, and requirements for the award, administration, and 
termination of government contracts. Based on the standards for 
internal control,[Footnote 7] FAR requirements, and agency policies, 
we identified and evaluated 11 key internal control procedures 
[Footnote 8] over contract actions, ranging from ensuring contractors 
had adequate accounting systems prior to the use of a cost 
reimbursement contract to certifying invoices for payment. Contract 
actions include new contract awards and modifications to existing 
contracts. We conducted our tests on a statistically random sample 
[Footnote 9] of 102 FAR-based contract actions CMS made in fiscal year 
2008 and projected the results of our statistical sample 
conservatively by reporting the lower bound of our two-sided, 95 
percent confidence interval. We tested a variety of contract actions 
including a range of dollars obligated, different contract types 
(fixed price, cost reimbursement, etc.), and the types of goods and 
services procured. The actions in the sample ranged from a $1,000 firm-
fixed price contract for newspapers to a $17.5 million modification of 
an information technology contract valued at over $500 million. For 
each contract action in the sample, we determined if the 11 key 
internal control procedures were implemented by reviewing the contract 
file supporting the action and, where applicable, by obtaining 
additional information from the contracting officer or specialist or 
senior acquisition management. We also tested the reliability of the 
data contained in CMS's two acquisition databases. 

To address the extent to which CMS established a strong control 
environment for contract management, we obtained and reviewed 
documentation regarding contract closeout, acquisition planning, and 
other management information and interviewed officials in the Office 
of Acquisition and Grants Management (OAGM) about its contract 
management processes. We also evaluated the extent to which CMS had 
addressed recommendations we made in our 2007 report.[Footnote 10] We 
used the internal control standards as a basis for our evaluation of 
CMS's contract management control environment. Appendix I of our 
October 2009 report provides additional details of our scope and 
methodology. 

This testimony is based on our October 2009 performance audit, which 
was conducted from July 2008 to September 2009 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings 
and conclusions based on our audit objectives. We believe that the 
evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Background: 

Except for certain Medicare claims processing contracts, CMS contracts 
are generally required to be awarded and administered in accordance 
with general government procurement laws[Footnote 11] and regulations 
such as the FAR; the Health and Human Services Acquisition Regulations 
(HHSAR);[Footnote 12] the Cost Accounting Standards (CAS);[Footnote 
13] and the terms of the contract. 

Since 1998, CMS's obligations to fiscal intermediaries, carriers, and 
Medicare Administrative Contractors (contractors that primarily 
process Medicare claims) have decreased approximately 16 percent. In 
contrast, obligations for other-than-claims processing contract 
activities, such as the 1-800 help line, information technology and 
financial management initiatives, and program management and 
consulting services, have increased 466 percent. These trends may be 
explained in part by recent changes to the Medicare program, including 
the movement of functions, such as the help line, data centers, and 
certain financial management activities, from the fiscal 
intermediaries and carriers to specialized contractors. 

MMA required CMS to transition its Medicare claims processing 
contracts, which generally did not follow the FAR, to the FAR 
environment through the award of contracts to Medicare Administrative 
Contractors. CMS projected that the transition, referred to as 
Medicare contracting reform, would produce administrative cost savings 
due to the effects of competition and contract consolidation as well 
as produce Medicare trust fund savings due to a reduction in the 
amount of improper benefit payments. Additionally, the transition 
would subject millions of dollars of CMS acquisitions to the rules, 
standards, and requirements for the award, administration, and 
termination of government contracts in the FAR. Obligations to the new 
Medicare Administrative Contractors were first made in fiscal year 
2007. CMS is required to complete Medicare contracting reform by 2011. 
As of September 1, 2009, 19 contracts had been awarded[Footnote 14] to 
Medicare Administrative Contractors, totaling about $1 billion in 
obligations. 

The Standards for Internal Control in the Federal Government[Footnote 
15] provide the overall framework for establishing and maintaining 
internal control and for identifying and addressing areas at greatest 
risk of fraud, waste, abuse, and mismanagement. These standards 
provide that--to be effective--an entity's management should establish 
both a supportive overall control environment and specific control 
activities directed at carrying out its objectives. As such, an 
entity's management should establish and maintain an environment that 
sets a positive and supportive attitude towards control and 
conscientious management. A positive control environment provides 
discipline and structure as well as the climate supportive of quality 
internal control, and includes an assessment of the risks the agency 
faces from both external and internal sources. Control activities are 
the policies, procedures, techniques, and mechanisms that enforce 
management's directives and help ensure that actions are taken to 
address risks. The standards further provide that information should 
be recorded and communicated to management and oversight officials in 
a form and within a time frame that enables them to carry out their 
responsibilities. Finally, an entity should have internal control 
monitoring activities in place to assess the quality of performance 
over time and ensure that the findings of audits and other reviews are 
promptly resolved. 

Control activities include both preventive and detective controls. 
Preventive controls--such as invoice review prior to payment--are 
controls designed to prevent errors, improper payments, or waste, 
while detective controls--such as incurred cost audits--are designed 
to identify errors or improper payments after the payment is made. A 
sound system of internal control contains a balance of both preventive 
and detective controls that is appropriate for the agency's 
operations. While detective controls are beneficial in that they 
identify funds that may have been inappropriately paid and should be 
returned to the government, preventive controls such as accounting 
system reviews[Footnote 16] and invoice reviews help to reduce the 
risk of improper payments or waste before they occur. A key concept in 
the standards is that control activities selected for implementation 
be cost beneficial. Generally it is more effective and efficient to 
prevent improper payments. A control activity can be preventive, 
detective, or both based on when the control occurs in the contract 
life cycle. 

Additional, detailed background information is available in our 
related report, GAO-10-60. 

Pervasive Deficiencies in Control Procedures at the Contract Level 
Increase the Risk of Improper Payments or Waste: 

Our October 2009 report identified pervasive deficiencies in internal 
control over contracting and payments to contractors. Specifically, as 
a result of our work, we estimated that at least 84.3 percent[Footnote 
17] of FAR-based contract actions made by CMS in fiscal year 2008 
contained at least one instance in which 1 of 11 key controls was not 
adequately implemented. Not only was the number of internal control 
deficiencies widespread, but also many contract actions had more than 
one deficiency. We estimated that at least 37.2 percent[Footnote 18] 
of FAR-based contract actions made in fiscal year 2008 had three or 
more instances in which a key control was not adequately implemented. 
The internal control deficiencies occurred throughout the contracting 
process and increased the risk of improper payments or waste. These 
deficiencies were due in part to a lack of agency-specific policies 
and procedures to ensure that FAR requirements and other control 
objectives were met. CMS also did not take appropriate steps to ensure 
that existing policies were properly implemented or maintain adequate 
documentation in its contract files. Further, CMS's Contract Review 
Board process had not been properly or effectively implemented to help 
ensure proper contract award actions.[Footnote 19] These internal 
control deficiencies are a manifestation of CMS's weak overall control 
environment, which is discussed later. Additional, detailed 
information on our testing of key internal controls is available in 
our October 2009 report. 

The high percentage of deficiencies indicates a serious failure of 
control procedures over FAR-based acquisitions, thereby creating a 
heightened risk of improper payments or waste. Highlights of the 
control deficiencies we noted included the following. 

* We estimated that at least 46.0 percent of fiscal year 2008 CMS 
contract actions did not meet the FAR requirements applicable to the 
specific contract type awarded.[Footnote 20] For example, we found 
that CMS used cost reimbursement contracts without first ensuring that 
the contractor had an adequate accounting system. According to the 
FAR, a cost reimbursement contract may be used only when the 
contractor's accounting system is adequate for determining costs 
applicable to the contract.[Footnote 21] To illustrate, of the 
contract awards in our sample, we found nine cases in which cost 
reimbursement contracts were used without first ensuring that the 
contractor had an adequate accounting system. In addition to these 
nine cases, during our review of contract modifications we observed 
another six cases in which cost reimbursement contracts were used even 
though CMS was aware that the contractor's accounting system was 
inadequate at the time of award. In one instance, the contracting 
officer was aware that a contractor had an inadequate accounting 
system resulting from numerous instances of noncompliance with 
applicable Cost Accounting Standards. Using a cost reimbursement 
contract when a contractor does not have an adequate accounting system 
hinders the government's ability to fulfill its oversight duties 
throughout the contract life cycle and increases risk of improper 
payments and the risk that costs billed cannot be substantiated during 
an audit. 

* We estimated that for at least 40.4 percent of fiscal year 2008 
contract actions, CMS did not have sufficient support for provisional 
indirect cost rates[Footnote 22] nor did it identify instances when a 
contractor billed rates higher than the rates that were approved for 
use.[Footnote 23] Provisional indirect cost rates provide agencies 
with a mechanism by which to determine if the indirect costs billed on 
invoices are reasonable for the services provided until such time that 
final indirect cost rates can be established, generally at the end of 
the contractor's fiscal year. When the agency does not maintain 
adequate support for provisional indirect rates, it increases its risk 
of making improper payments. 

* We estimated that for at least 52.6 percent of fiscal year 2008 
contract actions, CMS did not have support for final indirect cost 
rates or support for the prompt request of an audit of indirect costs. 
[Footnote 24] The FAR states that final indirect cost rates, which are 
based on a contactor's actual indirect costs incurred during a given 
fiscal year, shall be used in reimbursing indirect costs under cost 
reimbursement contracts.[Footnote 25] The amounts a contractor billed 
using provisional indirect cost rates are adjusted annually for final 
indirect cost rates, thereby providing a mechanism for the government 
to timely ensure that indirect costs are allowable and allocable to 
the contract. CMS officials told us that they generally adjust for 
final indirect cost rates during contract closeout at the end of the 
contract performance rather than annually mainly due to the cost and 
effort the adjustment takes. However, CMS did not promptly close out 
its contracts and had not made progress in reducing the backlog of 
contracts eligible for closeout. Specifically, in 2007, we reported 
that CMS's backlog was 1,300 contracts, of which 407 were overdue for 
closeout as of September 30, 2007. This backlog continued to increase, 
and CMS officials stated that as of July 29, 2009, the total backlog 
of contracts eligible for closeout was 1,611, with 594 overdue based 
on FAR timing standards.[Footnote 26] Not annually adjusting for final 
indirect cost rates increases the risk that CMS is paying for costs 
that are not allowable or allocable to the contract. Furthermore, 
putting off the control activity until the end of contract performance 
increases the risk of overpaying for indirect costs during contract 
performance and may make identification or recovery of any unallowable 
costs during contract closeout more difficult due to the passage of 
time. 

* We estimated that for at least 54.9 percent of fiscal year 2008 
contract actions, CMS did not promptly perform or request an audit of 
direct costs.[Footnote 27] Similar to the audit of indirect costs, 
audits of direct costs allow the government to verify that the costs 
billed by the contractor were allowable, reasonable, and allocable to 
the contract. Not annually auditing direct costs increases the risk 
that CMS is paying for costs that are not allowable or allocable to 
the contract. 

* We estimated that for at least 59.0 percent of fiscal year 2008 
contract actions, the project officer did not always certify the 
invoices.[Footnote 28] CMS's Acquisition Policy Notice 16-01 requires 
the project officer to review each contractor invoice and recommend 
payment approval or disapproval to the contracting officer. This 
review is to determine, among other things, if the expenditure rate is 
commensurate with technical progress and whether all direct cost 
elements are appropriate, including subcontracts, travel, and 
equipment. We noted in our 2007 report[Footnote 29] that CMS used 
negative certification--a process whereby it paid contractor invoices 
without knowing whether they were reviewed and approved--in order to 
ensure invoices were paid in a timely fashion. In October 2009 we 
reported that negative certification continued to be CMS's policy to 
process contractor invoices for payment. This approach, however, 
significantly reduces the incentive for contracting officers, 
specialists, and project officers to review the invoice prior to 
payment. For example, in one case, although a contractor submitted 
over 100 invoices for fiscal year 2008,[Footnote 30] only 8 were 
certified by the project officer. The total value of the contract 
through January 2009 was about $64 million. In addition, based on a 
cursory review of the fiscal year 2008 invoices submitted for payment, 
we found instances in which the contracting officer or specialist did 
not identify items that were inconsistent with the terms of the 
contract or acquisition regulations. For example, we found two 
instances where the contractor billed, and CMS paid, for items 
generally disallowed by HHSAR.[Footnote 31] Reviewing invoices prior 
to payment is a preventive control that may result in the 
identification of unallowable billings, especially on cost 
reimbursement and time and materials invoices, before the invoices are 
paid. CMS increases its risk of improper payments when it does not 
properly review and approve invoices prior to payment. 

Weak Control Environment Hindered CMS's Ability to Manage Its FAR-
based Acquisition Process: 

The control deficiencies we identified in the statistical sample 
discussed in our October 2009 report stemmed from a weak overall 
control environment. CMS's control environment was characterized by 
the lack of (1) strategic planning to identify necessary staffing and 
funding; (2) reliable data for effectively carrying out contract 
management responsibilities; and (3) follow-up to track, investigate, 
and resolve contract audit and evaluation findings for purposes of 
cost recovery and future award decisions. A positive control 
environment sets the tone for the overall quality of an entity's 
internal control, and provides the foundation for an entity to 
effectively manage contracts and payments to contractors. Without a 
strong control environment, the control deficiencies we identified 
will likely persist. Following is a summary of the weaknesses we found 
in CMS's overall control environment: 

* Limited analysis of contract management workforce and related 
funding needs. OAGM management had not analyzed its contract 
management workforce and related funding needs through a 
comprehensive, strategic acquisition workforce plan. Such a plan is 
critical to help manage the increasing acquisition workload and meet 
its contracting oversight needs. We reported in November 2007[Footnote 
32] that staff resources allocated to contract oversight had not kept 
pace with the increase in CMS contract awards. In our 2009 report, we 
found a similar trend continued into 2008. While the obligated amount 
of contract awards had increased 71 percent since 1998, OAGM staffing 
resources--its number of full time equivalents (FTE)--had increased 26 
percent. This trend presents a major challenge to contract award and 
administration personnel who must deal with a significantly increased 
workload without additional support and resources. In addition, 
according to its staff and management, OAGM faced challenges in 
meeting the various audit requirements necessary to ensure adequate 
oversight of contracts that pose more risk to the government, 
specifically cost reimbursement contracts, as well as in performing 
the activities required of a cognizant federal agency (CFA).[Footnote 
33] 

Although officials told us they could use more audit funding, we found 
that OAGM management had yet to determine what an appropriate funding 
level should be. Without knowing for which contractors additional CFA 
oversight was needed, CMS did not have reliable information on the 
number of audits and reviews that must be performed annually or the 
depth and complexity of those audits. Without this key information, 
CMS could not estimate an adequate level of needed audit funding. The 
risks of not performing CFA duties are increased by the fact that 
other federal agencies that use the same contractors rely on the 
oversight and monitoring work of the CFA. A shortage of financial and 
human resources creates an environment that introduces vulnerabilities 
to the contracting process, hinders management's ability to sustain an 
effective overall control environment, and ultimately increases risk 
in the contracting process. 

* Lack of reliable contract management data. Although CMS had 
generally reliable information on the basic attributes of each 
contract action, such as vendor name and obligation amount, CMS lacked 
reliable management information on other key aspects of its FAR-based 
contracting operations. For example, in our October 2009 report we 
identified acquisition data errors related to the number of certain 
contract types awarded, the extent of competition achieved, and total 
contract value. Standards for internal control provide that for an 
agency to manage its operations, it must have relevant, reliable, and 
timely information relating to the extent and nature of its 
operations, including both operational and financial data, and such 
information should be recorded and communicated to management and 
others within the agency who need it and in a form and within a time 
frame that enables them to carry out their internal control and 
operational responsibilities. The acquisition data errors were due in 
part to a lack of sufficient quality assurance activities over the 
data entered into the acquisition databases. Without accurate data, 
CMS program managers did not have adequate information to identify, 
monitor, and correct or mitigate areas that posed a high risk of 
improper payments or waste. 

* Lack of follow-up to resolve contract audit and evaluation findings. 
CMS did not track, investigate, and resolve contract audit and 
evaluation findings for purposes of cost recovery and future award 
decisions. Tracking audit and evaluation findings strengthens the 
control environment in part because it can help assure management that 
the agency's objectives are being met through the efficient and 
effective use of the agency's resources. It can also help management 
determine whether the entity is complying with applicable acquisition 
laws and regulations. Contract audits and evaluations can add 
significant value to an organization's oversight and accountability 
structure, but only if management ensures that the results of these 
audits and evaluations are promptly investigated and resolved. For 
example, in an audit report dated September 30, 2008, the Defense 
Contract Audit Agency[Footnote 34] questioned approximately $2.1 
million of costs that CMS paid to a contractor in fiscal year 2006. As 
discussed in our October 2009 report, OAGM management confirmed that 
no action had been taken at that time to investigate and recover the 
challenged costs. 

GAO Has Made Numerous Recommendations to Improve CMS's Contract 
Management Controls: 

Seven of Nine GAO 2007 Recommendations Were Substantially Unresolved: 

As we reported in October 2009, CMS management had not taken 
substantial actions to address our 2007 recommendations to improve 
internal control in the contracting process. Only two of GAO's nine 
2007 recommendations had been fully addressed. Table 1 summarizes our 
assessment of the status of CMS's actions to address our 
recommendations. 

Table 1: GAO's October 2009 Assessment of Status of CMS Actions Taken 
to Address 2007 Recommendations: 

GAO recommendation: 1. Develop policies for pre-award contract 
activities; 
GAO assessment: No action taken. 

GAO recommendation: 2. Develop policies regarding cognizant federal 
agency responsibilities; 
GAO assessment: Actions insufficient. 

GAO recommendation: 3. Develop policies that clarify roles and 
responsibilities during the invoice review process; 
GAO assessment: Completed. 

GAO recommendation: 4. Develop guidelines regarding sufficient detail 
to support contractor invoices; 
GAO assessment: No action taken. 

GAO recommendation: 5. Establish criteria for negative certification 
for payment of invoices; 
GAO assessment: No action taken. 

GAO recommendation: 6. Provide training on the invoice review policies; 
GAO assessment: Actions insufficient. 

GAO recommendation: 7. Develop a centralized tracking mechanism for 
employee training; 
GAO assessment: Completed. 

GAO recommendation: 8. Develop a plan to reduce the backlog of 
contracts eligible for closeout; 
GAO assessment: Actions insufficient. 

GAO recommendation: 9. Review the questionable payments identified in 
GAO’s 2007 report; 
GAO assessment: Actions insufficient. 

Source: GAO. See GAO-10-60 for further details. 

[End of table] 

GAO Made 10 Additional Recommendations in October 2009 to Further 
Improve CMS Contract Management: 

In addition to reaffirming the 7 substantially unresolved 2007 
recommendations, our October 2009 report included 10 recommendations 
to further improve oversight and strengthen CMS's control environment. 
Specifically, we made recommendations for additional procedures or 
plans to address the following 10 areas: 

* document compliance with FAR requirements for different contract 
types; 

* document provisional indirect cost rates in the contract file; 

* specify what constitutes timely performance of (or request for) 
audits of contractors' billed costs; 

* specify circumstances for the use and content of negotiation 
memorandums, including any required secondary reviews; 

* specify Contract Review Board documentation, including resolution of 
issues identified during the CRB reviews; 

* conduct periodic reviews of contract files to ensure invoices were 
properly reviewed by both the project officer and contracting officer 
or specialist; 

* develop a comprehensive strategic acquisition workforce plan, with 
resource needs to fulfill FAR requirements for comprehensive 
oversight, including CFA duties; 

* revise the verification and validation plan to require all relevant 
acquisition data errors be corrected and their resolution documented; 

* develop procedures for tracking contract audit requests and the 
resolution of audit findings; and: 

* develop procedures that clearly assign roles and responsibilities 
for the timely fulfillment of CFA duties. 

In commenting on a draft of our October 2009 report, CMS and HHS 
agreed with each of our 10 new recommendations and described steps 
planned to address them. CMS also stated that the recommendations will 
serve as a catalyst for improvements to the internal controls for its 
contracting function. CMS also expressed concerns about our assessment 
of key internal controls and disagreed with our conclusions on the 
status of CMS's actions to address our November 2007 recommendations. 
CMS stated its belief that "virtually all" of the errors we identified 
in our statistical sample related to "perceived documentation 
deficiencies." CMS also expressed concern that a reasonable amount of 
time had not yet elapsed since the issuance of our November 2007 
report to allow for corrective actions to have taken place. 

However, as discussed in greater detail in our October 2009 report 
response to agency comments, nearly 2 years had elapsed between our 
November 2007 and October 2009 reports and CMS had made little 
progress in addressing the recommendations from our November 2007 
report. Further, a significant number of our October 2009 report 
findings, including weaknesses in the control environment, were based 
on observations and interviews with OAGM officials and reviews of 
related documentation such as policies and strategic plans. Finally, 
the deficiencies we identified negatively impact the key controls 
intended to help ensure compliance with agency acquisition regulations 
and the FAR. 

In conclusion, Madam Chairman, while we have not updated the status of 
any CMS actions to address our October 2009 findings and 
recommendations, the extent to which control weaknesses in CMS's 
contracting activities continue, raises questions concerning whether 
CMS management has established an appropriate "tone at the top" to 
effectively manage these key activities. Until CMS management 
addresses our previous recommendations in this area, along with taking 
action to address the additional deficiencies identified in our 
October 2009 report, its contracting activities will continue to pose 
significant risk of improper payments, waste, and mismanagement. 
Further, the deficiencies we identified are likely to be exacerbated 
by the rise in obligations for non-claims processing contract awards 
as well as CMS's extensive reliance on contractors to help achieve its 
mission objectives. It is imperative that CMS address its serious 
contract-level control deficiencies and take action on our 
recommendations to improve overall environment controls or CMS will 
continue to place billions of taxpayer dollars at risk of fraud, or 
otherwise improper contract payments. We commend the Subcommittee for 
its continuing oversight and leadership in this important area and 
believe that hearings such as the one being held today will be 
critical to ensuring that CMS's continuing contract management 
weaknesses are resolved without further delay and that overall risks 
to the government are substantially reduced. 

Madam Chairman and Members of the Subcommittee, this concludes my 
prepared statement. I would be happy to answer any questions that you 
may have at this time. 

GAO Contacts and Acknowledgments: 

For further information regarding this testimony, please contact Kay 
L. Daly at (202) 512-9095 or dalykl@gao.gov. In addition, contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this statement. Individuals who made 
key contributions to this testimony are Marcia Carlsen and Phil 
McIntyre (Assistant Directors), Sharon Byrd, Richard Cambosos, 
Francine DelVecchio, Abe Dymond, John Lopez, Ron Schwenn, Omar Torres, 
Ruth Walk, and Danietta Williams. 

[End of section] 

Footnotes: 

[1] GAO, High Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: Jan. 22, 
2009). 

[2] GAO, Centers for Medicare and Medicaid Services: Internal Control 
Deficiencies Resulted in Millions of Dollars of Questionable Contract 
Payments, [hyperlink, http://www.gao.gov/products/GAO-08-54] 
(Washington, D.C.: Nov. 15, 2007). 

[3] Pub. L. No. 108-173, 117 Stat. 2066 (Dec. 8, 2003). 

[4] 48 C.F.R. ch. 1. 

[5] GAO, Centers for Medicare and Medicaid Services: Deficiencies in 
Contract Management Internal Control Are Pervasive, [hyperlink, 
http://www.gao.gov/products/GAO-10-60] (Washington, D.C.: Oct. 23, 
2009). 

[6] Certain CMS contracts, such as the claims administration contracts 
referred to as fiscal intermediaries and carriers, generally are not 
subject to FAR requirements. 

[7] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[8] We determined a control to be "key" based on our review of the 
standards for internal control as well as the FAR, Health and Human 
Services Acquisition Regulations, and agency policies and whether 
inadequate implementation would significantly increase the risk of 
improper payments or waste. 

[9] We selected a stratified random sample of 102 contract actions 
from a population of 2,441 total contract actions recorded in CMS's 
procurement system, PRISM, during fiscal year 2008. 

[10] [hyperlink, http://www.gao.gov/products/GAO-08-54]. 

[11] Title 41, United States Code. 

[12] 48 C.F.R. ch. 3. 

[13] 48 C.F.R. ch. 99. These standards are mandatory for use by all 
executive agencies and by contractors and subcontractors in 
estimating, accumulating, and reporting costs in connection with 
pricing and administration of, and settlement of disputes concerning, 
all negotiated prime contract and subcontract procurements with the 
U.S. government in excess of $500,000. Certain contracts or 
subcontracts are exempt from CAS, such as those that are fixed price 
or those with a small business. Additionally, contractors that 
received less than $50 million in net awards in the prior accounting 
period are subject to only certain CAS standards, known as modified 
coverage. The FAR incorporates the CAS, see 48 C.F.R. §30.101(b). 

[14] Of the 19 contracts awarded, 6 were under protest and were not 
yet operational as of September 1, 2009. 

[15] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[16] An accounting system review is used to determine whether a 
contractor's accounting system is adequate for determining costs 
applicable to a contract. 

[17] Based on the results of our work, we are 95 percent confident 
that the percentage of contract actions that did not meet at least one 
control test is at least 84.3 percent. 

[18] Based on the results of our work, we are 95 percent confident 
that the percentage of contract actions that did not meet three or 
more control tests is at least 37.2 percent. 

[19] CMS's OAGM established the Contract Review Board as a key control 
procedure to help ensure contract award actions are in conformance 
with law, established policies and procedures, and sound business 
practices. 

[20] We identified 25 contract actions to which FAR requirements 
specific to the contract type awarded applied, of which 16 contract 
actions did not meet the control test. Based on the results of our 
work, we are 95 percent confident that the total percentage of 
contract actions that did not meet the control test is at least 46.0 
percent. 

[21] 48 C.F.R. §§ 16.104(h), 16.301-3. 

[22] The FAR states that provisional indirect cost rates shall be used 
in reimbursing indirect costs such as fringe benefits or overhead 
costs under cost reimbursement contracts and are used to prevent 
substantial overpayment or underpayment of indirect costs. 48 C.F.R. § 
42.703-1(b). Provisional indirect cost rates, sometimes called a 
materials handling rate, may also be used on some time and materials 
(T&M) contracts. 48 C.F.R. §§ 16.307(a)(1), 52.216-7. 

[23] We identified 62 contract actions to which provisional indirect 
cost rates applied, of which 36 contract actions did not meet the 
control test. Based on the results of our work, we are 95 percent 
confident that the total percentage of contract actions that did not 
meet the control test is at least 40.4 percent. 

[24] We identified 34 contract actions to which final indirect cost 
rates applied, of which 23 contract actions did not meet the control 
test. Based on the results of our work, we are 95 percent confident 
that the total percentage of contract actions that did not meet the 
control test is at least 52.6 percent. 

[25] 48 C.F.R. § 42.703-1(b). 

[26] 48 C.F.R. § 4.804 states that firm fixed price contracts should 
be closed within 6 months; contracts requiring the settlement of 
indirect costs rates, such as cost reimbursement contracts, should be 
closed within 36 months; and all other contracts should be closed 
within 20 months. These time frames begin in the month in which the 
contracting official receives evidence of physical completion of the 
contract. Generally, files for contracts using simplified acquisition 
procedures should be considered closed when the contracting officer 
receives evidence of receipt of property and final payment. 

[27] We identified 36 contract actions to which an audit of direct 
costs applied, of which 25 contract actions did not meet the control 
test. Based on the results of our work, we are 95 percent confident 
that the total percentage of contract actions that did not meet the 
control test is at least 54.9 percent. 

[28] We identified 90 contract actions to which certification of 
invoices applied, of which 61 contract actions did not meet the 
control test. Based on the results of our work, we are 95 percent 
confident that the total percentage of contract actions that did not 
meet the control test is at least 59.0 percent. 

[29] [hyperlink, http://www.gao.gov/products/GAO-08-54]. 

[30] The contractor submitted separate invoices for different contract 
line items, which resulted in the high number of invoices in 1 fiscal 
year. 

[31] 48 C.F.R. § 315.404-4(d)(4). The HHSAR generally disallows 
facilities capital cost of money. In cases when the contractor 
includes the cost in its proposal, the agency is required to reduce 
the amount of the profit objective by an equivalent amount. In the two 
instances where CMS paid facilities capital cost of money, the cost 
was either expressly disallowed by 48 C.F.R. § 52.215-17 or the profit 
objective was not reduced. 

[32] [hyperlink, http://www.gao.gov/products/GAO-08-54], p. 18. 

[33] A CFA is a contracting role established in the FAR. The FAR 
defines the CFA as the agency responsible for establishing forward 
pricing rates, final indirect cost rates (when not accomplished by a 
designated contract auditor), and administering cost accounting 
standards for all contracts in a business unit. 48 C.F.R. §§ 2.101. 
See 48 C.F.R. §§ 42.302(a), 42.703-1, 30.601. Generally, the CFA is 
the agency with the largest dollar amount of negotiated contracts, 
including options, with the contractor. The CFA concept provides an 
efficient way for contractors to receive a streamlined set of audits 
and reviews, thereby enabling them to receive and perform government 
contracts. 

[34] Within the Department of Defense (DOD), the Defense Contract 
Audit Agency (DCAA) performs contract audits, including those required 
to fulfill DOD's responsibilities as a cognizant federal agency. When 
requested and for a fee, DCAA will perform contract audits for other 
agencies. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: