This is the accessible text file for GAO report number GAO-03-119 entitled 'High-Risk Series: An Update' which was released on January 01, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products’ accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. January 2003: High-Risk Series: An Update: GAO-03-119: This Series This report entitled High-Risk Series: An Update is part of a special GAO series, first issued in 1993 and periodically updated. In this 2003 report, GAO identifies areas at high risk due to either their greater vulnerabilities to waste, fraud, abuse, and mismanagement or major challenges associated with their economy, efficiency, or effectiveness. This series also includes reports on three crosscutting high-risk areas: strategic human capital management, protecting information systems supporting the federal government and the nation’s critical infrastructures, and federal real property. A companion series, Performance and Accountability Series: Major Management Challenges and Program Risks, contains separate reports covering each cabinet department, most major independent agencies, and the U.S. Postal Service. It also includes a governmentwide perspective on transforming the way the government does business in order to meet 21st century challenges and address long-term fiscal needs. A list of all of the reports in this series is included at the end of this report. GAO Highlights: Highlights of GAO-03-119, a report to Congress on GAO’s High-Risk Series Why Area is High Risk: GAO’s audits and evaluations identify federal programs and operations that are high risk, in some cases, due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. Increasingly, we also are identifying high-risk areas to focus on major economy, efficiency, or effectiveness challenges. Since 1990, GAO has periodically reported on government operations that it has designated as high risk. In this 2003 update for the new 108th Congress, GAO presents the status of high-risk areas included in our last report made in January 2001 and identifies new high-risk areas warranting attention by the Congress and the administration. Lasting solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the American public, strengthen public confidence and trust in the performance and accountability of our national government, and ensure the ability of government to deliver on its promises. What GAO Found: In 2001, GAO identified 23 high-risk areas. Since then, demonstrable progress has been made in virtually all of them. Federal departments and agencies, and the Congress as well, have shown a growing commitment to addressing management challenges and have taken new steps to correct the root causes of the problems. In two areas, the Supplemental Security Income program and the asset forfeiture programs managed by the Departments of Justice and the Treasury, GAO has determined that sufficient progress has been made to remove the high-risk designation. GAO has increasingly used the high-risk designation to draw attention to the challenges faced by government programs and operations in need of broad-based transformation. For example, in 2001, GAO designated as high risk strategic human capital management across government and the U.S. Postal Service’s transformation and fiscal outlook. Since then, the President has made human capital a top initiative of his Management Agenda, while the Congress enacted key governmentwide human capital reforms as it created the Department of Homeland Security (DHS). In addition, a promising Postal Service transformation plan has been produced and the President formed a commission to focus on Postal Service transformation. With these positive results in mind, for 2003, GAO has designated three additional areas as high risk based on challenges involving broad-based transformation and/or the need for legislative solutions. The first new high-risk area is implementing and transforming DHS, which is high risk because of the sheer size of the undertaking, the fact that DHS’s proposed components already face a wide array of existing challenges, and the prospect of serious consequences for the nation should DHS fail to adequately address its management challenges and program risks. A related homeland security challenge will be to protect information systems supporting the federal government as well as the nation’s critical infrastructures; information security has been a high-risk area since 1997 and has been expanded this year to include both of these concerns. The second new high-risk area involves federal disability programs, primarily those at the Social Security Administration and the Department of Veterans Affairs. Already growing, disability programs are poised to surge as baby-boomers age, yet the programs remain mired in outdated economic, workforce, and medical concepts and are not well-positioned to provide meaningful and timely support to disabled Americans. The third new high-risk area involves federal real property, based on long-standing problems such as excess and underutilized property and deteriorating facilities, as well as increased security challenges from the threat of terrorism. As appropriate, GAO also continues to identify more traditional high-risk areas. For example, this year’s fourth new high-risk area involves the Medicaid program, in part because of growing concerns about inadequate fiscal oversight to prevent inappropriate program spending. What Remains to be done: This report contains GAO’s views on what remains done for each high-risk area to bring about lasting solutions. Perseverance by the administration in implementing GAO’s recommended solutions and continued oversight by the Congress both will be important. www.gao.gov/cgi-bin/getrpt?GAO-03-119. To view the full report, click on the link above. For more information, contact George H. Stalcup at (202) 512-9490 or stalcupg@gao.gov. GAO’s 2003 High-Risk List: GAO’s 2003 high-risk list is shown in the following table. Information on each of these areas is presented in separate highlights pages included at the end of this report. These highlights pages show the names of GAO executives to contact for more information on the high- risk areas and Internet links to reports in the accompanying GAO series, Performance and Accountability Series: Major Management Challenges and Program Risks, where the high-risk areas are also discussed. 2003 high-risk areas: Addressing Challenges In Broad-based Transformations; Year designated high-risk: [Empty]. 2003 high-risk areas: * Strategic Human Capital Management[A]; Year designated high-risk: 2001. 2003 high-risk areas: * U.S. Postal Service Transformation Efforts and Long-Term Outlook[A]; Year designated high-risk: 2001. 2003 high-risk areas: * Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures; Year designated high-risk: 1997. 2003 high-risk areas: * Implementing and Transforming the New Department of Homeland Security; Year designated high-risk: 2003. 2003 high-risk areas: * Modernizing Federal Disability Programs[A]; Year designated high-risk: 2003. 2003 high-risk areas: * Federal Real Property[A]; Year designated high- risk: 2003. 2003 high-risk areas: Ensuring Major Technology Investments Improve Services; Year designated high-risk: [Empty]. 2003 high-risk areas: * FAA Air Traffic Control Modernization; Year designated high-risk: 1995. 2003 high-risk areas: * IRS Business Systems Modernization; Year designated high-risk: 1995. 2003 high-risk areas: * DOD Systems Modernization; Year designated high-risk: 1995. 2003 high-risk areas: Providing Basic Financial Accountability; Year designated high-risk: [Empty]. 2003 high-risk areas: * DOD Financial Management; Year designated high- risk: 1995. 2003 high-risk areas: * Forest Service Financial Management; Year designated high-risk: 1999. 2003 high-risk areas: * FAA Financial Management; Year designated high- risk: 1999. 2003 high-risk areas: * IRS Financial Management; Year designated high- risk: 1995. 2003 high-risk areas: Reducing Inordinate Program Management Risks; Year designated high-risk: [Empty]. 2003 high-risk areas: * Medicare Program[A]; Year designated high-risk: 1990. 2003 high-risk areas: * Medicaid Program[A]; Year designated high-risk: 2003. 2003 high-risk areas: * Earned Income Credit Noncompliance; Year designated high-risk: 1995. 2003 high-risk areas: * Collection of Unpaid Taxes; Year designated high-risk: 1990. 2003 high-risk areas: * DOD Support Infrastructure Management; Year designated high-risk: 1997. 2003 high-risk areas: * DOD Inventory Management; Year designated high- risk: 1990. 2003 high-risk areas: * HUD Single-Family Mortgage Insurance and Rental Assistance Programs; Year designated high-risk: 1994. 2003 high-risk areas: * Student Financial Aid Programs; Year designated high-risk: 1990. 2003 high-risk areas: Managing Large Procurement Operations More Efficiently; Year designated high-risk: [Empty]. 2003 high-risk areas: * DOD Weapon Systems Acquisition; Year designated high-risk: 1990. 2003 high-risk areas: * DOD Contract Management; Year designated high- risk: 1992. 2003 high-risk areas: * Department of Energy Contract Management; Year designated high-risk: 1990. 2003 high-risk areas: * NASA Contract Management; Year designated high- risk: 1990. [End of table] Source: GAO. [A] Additional authorizing legislation is likely to be required as one element of addressing this high-risk area. Transmittal Letter: Historical Perspective: Overview of Progress in Addressing High-Risk Areas: High-Risk Designations Removed: Progress Being Made in Remaining High-Risk Areas: Progress in Addressing Transformation Challenges: New High-Risk Areas: Adding Three Broad-Based High-Risk Areas: New High-Risk Area Identified Based on Fiscal Oversight Vulnerabilities: Highlights of High-Risk Areas: Performance and Accountability and High-Risk Series: This is a work of the U.S. Government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. It may contain copyrighted graphics, images or other materials. Permission from the copyright holder may be necessary should you wish to reproduce copyrighted materials separately from GAO’s product. Transmittal Letter January 2003: The President of the Senate The Speaker of the House of Representatives: Since 1990, GAO has periodically reported on government operations that it identifies as “high risk.” This effort, which was supported by the Senate Committee on Governmental Affairs and the House Committee on Government Reform, has brought a much needed focus to problems that are impeding effective government and costing the government billions of dollars. To help, GAO has made hundreds of recommendations to improve these high-risk operations. Moreover, GAO’s focus on high-risk problems contributed to the Congress enacting a series of governmentwide reforms to address critical human capital challenges, strengthen financial management, improve information technology practices, and instill a more results-oriented government. GAO’s high-risk status reports are provided at the start of each new Congress. This update should help the Congress and the administration in carrying out their responsibilities while improving government for the benefit of the American people. It summarizes progress made in correcting high-risk problems, actions under way, and further actions that GAO believes are needed. In this update, GAO has determined that sufficient progress has been made to remove the high-risk designation from two areas, and has designated four new areas as high risk. GAO’s high-risk program has increasingly focused on those major programs and operations that need urgent attention and transformation in order to ensure that our national government functions in the most economical, efficient, and effective manner possible. Further, the administration has looked to GAO’s program in shaping governmentwide initiatives such as the President’s Management Agenda, which has at its base many of the areas GAO had previously designated as high risk. As in prior GAO high-risk update reports, federal programs and operations are also emphasized when they are at high risk because of their greater vulnerabilities to fraud, waste, abuse, and mismanagement. The high- risk program has served to bring “light” to these areas as well as “heat” to prompt needed “actions.” This has been clearly evidenced by the many actions that have occurred in connection with strategic human capital management and Postal Service transformation, the two most recent additions to GAO’s high-risk list prior to this update. Copies of this series are being sent to the President, the congressional leadership, other Members of the Congress, the Director of the Office of Management and Budget, and the heads of major departments and agencies. David M. Walker Comptroller General of the United States Signed by David M. Walker: [End of section] Historical Perspective: In 1990, we began a program to report on government operations that we identified as “high risk.” Since then, generally coinciding with the start of each new Congress, we have periodically reported on the status of progress to address high-risk areas and updated our high-risk list. Our previous high-risk update was in January 2001.[Footnote 1] Overall, our high-risk program has served to identify and help resolve serious weaknesses in areas that involve substantial resources and provide critical services to the public. Since our program began, the government has taken high-risk problems seriously and has made long- needed progress toward correcting them. In some cases, progress has been sufficient for us to remove the high-risk designation. The overall changes to our high-risk list over the past 13 years are shown in table 1. Areas removed from the high-risk list over that same period are shown in table 2. Table 1: Overall Changes to GAO’s High-Risk List, 1990 to 2003: Changes 1990-2003: Original high-risk list in 1990; Number of areas: 14. Changes 1990-2003: High-risk areas added since 1990; Number of areas: 24. Changes 1990-2003: High-risk areas removed since 1990; Number of areas: 13. Changes 1990-2003: High-risk list in 2003; Number of areas: 25. [End of table] Source: GAO. Table 2: Areas Removed from GAO’s High-Risk List, 1990 to 2003: Area: Pension Benefit Guaranty Corporation; Year designated high risk: 1990; Year removed: 1995. Area: State Department Management of Overseas Real Property; Year designated high risk: 1990; Year removed: 1995. Area: Federal Transit Administration Grant Management; Year designated high risk: 1990; Year removed: 1995. Area: Bank Insurance Fund; Year designated high risk: 1991; Year removed: 1995. Area: Resolution Trust Corporation; Year designated high risk: 1990; Year removed: 1995. Area: Customs Service Financial Management; Year designated high risk: 1991; Year removed: 1999. Area: The Year 2000 Computing Challenge; Year designated high risk: 1997; Year removed: 2001. Area: The 2000 Census; Year designated high risk: 1997; Year removed: 2001. Area: Superfund Program; Year designated high risk: 1990; Year removed: 2001. Area: Farm Loan Programs; Year designated high risk: 1990; Year removed: 2001. Area: National Weather Service Modernization; Year designated high risk: 1995; Year removed: 2001. Area: Supplemental Security Income; Year designated high risk: 1997; Year removed: 2003. Area: Asset Forfeiture Programs; Year designated high risk: 1990; Year removed: 2003. [End of table] Source: GAO. Seven of the 13 areas removed from the list over the years were among the 14 programs and operations we determined to be high risk at the outset of our efforts to monitor such programs. These results demonstrate that the sustained attention and commitment by the Congress and agencies to resolve serious, long-standing high-risk problems has paid off, as root causes of the government’s exposure for half of our original high-risk list have been successfully addressed. Historically, high-risk areas have involved traditional vulnerabilities due to their greater susceptibility to fraud, waste, abuse, and mismanagement. As our high-risk program has evolved, we have increasingly designated areas as high risk to draw attention to areas associated with the economy, efficiency, effectiveness, and accountability of government programs and operations. Perseverance by the administration is needed in implementing our recommended solutions for addressing these high-risk areas. Continued congressional oversight and, in some cases, additional authorizing legislative action will also be key to achieving progress, particularly in addressing challenges in broad-based transformations. To determine which federal government programs and functions should be designated as high risk, we used our guidance document, Determining Performance and Accountability Challenges and High Risks.[Footnote 2] In determining whether a government program or operation is high risk, we consider whether it involves national significance or a management function that is key to performance and accountability. We also consider whether the risk is: * inherent, which may arise when the nature of a program creates susceptibility to fraud, waste, and abuse; or: * a systemic problem, which may arise when the programmatic; management support; or financial systems, policies, and procedures established by an agency to carry out a program are ineffective, creating a material weakness. Further, we consider qualitative factors, such as whether the risk: * involves public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens’ rights; or: * could result in significantly impaired service; program failure; public injury or loss of life; or significantly reduced economy, efficiency, or effectiveness. Before making a high-risk designation, we also consider the corrective measures an agency may have planned or under way to resolve a material control weakness and the status and effectiveness of these actions. When legislative and agency actions, including those in response to our recommendations, result in significant progress toward resolving a high-risk problem, we remove the high-risk designation. Key determinants here include a demonstrated strong commitment to and top leadership support for addressing problems, the capacity to do so, a corrective action plan, and demonstrated progress in implementing corrective measures. The next section discusses how we applied these criteria in determining what areas to remove and to add since our last update in January 2001. [End of section] Overview of Progress in Addressing High-Risk Areas: Since our January 2001 report, federal departments and agencies and the Congress have taken additional steps to address areas we designated as high risk. In two cases, progress has been sufficient for the high-risk designation to be removed. For virtually every other high-risk area, important steps have been taken to resolve risks and implement our recommendations, but more needs to be done before these areas can be removed from the high-risk list. Overall, we are impressed with the level of commitment shown by top officials and anticipate continued progress. Importantly, our high-risk program has helped the executive branch and the Congress to galvanize efforts to seek lasting solutions to high- risk problems. For example, our program helped shape the administration’s focus on governmentwide initiatives such as the President’s Management Agenda (PMA), which has at its base many of the areas we had previously designated as being high risk. Moreover, our program has helped draw attention to the need to effectively manage the risks associated with several important broad-based transformations under way in government today, such as those at the Department of Defense (DOD), Internal Revenue Service (IRS), Postal Service, Department of Education, Department of Housing and Urban Development (HUD), and Federal Aviation Administration (FAA), where success will be critical to the nation and its citizens. For 2003, we have designated four new high-risk areas. Three of these involve major challenges in addressing broad-based transformations, or are areas where legislative solutions may be called for. The fourth area, Medicaid, is being added to the high-risk list, in part because of growing concern about inadequate fiscal oversight efforts to prevent inappropriate program spending. Table 3: Changes to GAO’s High-Risk List, 2001 to 2003: Changes 2001-2003: High-risk list in 2001; Number of areas: 23. Changes 2001-2003: High-risk areas added in 2003; Number of areas: 4. Changes 2001-2003: High-risk areas removed in 2003; Number of areas: 2. Changes 2001-2003: High-risk list in 2003; Number of: areas 25. [End of table] Source: GAO. High-Risk Designations Removed: For this 2003 high-risk update, we determined that two high-risk areas warranted removal from the list. They are the Social Security Administration’s (SSA) Supplemental Security Income (SSI) program and the asset forfeiture programs managed by the Departments of Justice and the Treasury. We will, however, continue to monitor these programs, as appropriate, to ensure that the improvements we have noted are sustained. Supplemental Security Income: We designated SSI a high-risk program in 1997, after several years of reporting on specific instances of abuse and mismanagement, increasing overpayments, and poor recovery of outstanding SSI overpayments. SSA’s actions since then included developing a major SSI legislative proposal with numerous overpayment deterrence and recovery provisions. The ensuing enacted legislation directly addressed a number of our prior recommendations and provides SSA with additional tools to obtain applicant income and resource information from financial institutions; imposes a period of ineligibility for applicants who transfer assets to qualify for SSI benefits; and authorizes the use of credit bureaus, private collection agencies, interest levies, and other means to recover overpayments. SSA also obtained separate legislative authority to recover overpayments from former SSI recipients who currently receive Social Security benefits. In addition, SSA initiated a number of internal administrative actions to further strengthen SSI program integrity, including using tax refund offsets for collecting SSI overpayments and more frequent automated matches to identify ineligible SSI recipients living in nursing homes and other institutions. In addition, SSA increased the number of SSI financial redeterminations that it conducted and the level of resources and staff in the Office of Inspector General devoted to investigating SSI fraud and abuse. Finally, SSA revised its field office work credit and measurement system to better reward staff for time spent developing fraud referrals. In fiscal year 2002, SSA increased its collection of overpayments by $150 million over the prior fiscal year. (See our Performance and Accountability report on the Social Security Administration.[Footnote 3]): Asset Forfeiture Programs: We first reported asset forfeiture programs operated by the Departments of Justice and the Treasury as a high-risk area in 1990 because of shortcomings in the management of and accountability for seized and forfeited property and the potential for cost reduction through administrative improvements and consolidation of the programs’ postseizure management and disposition of noncash seized property. We have subsequently reported that actions taken by Treasury’s Customs Service and Justice’s Marshals Service to address our recommendations have improved the management of and accountability for seized and forfeited property. We also reported that Justice’s Drug Enforcement Administration and Federal Bureau of Investigation (FBI) have taken many actions to address our recommendations to improve physical safeguards over drugs and firearms evidence and strengthen accountability for such evidence. In addition, the Treasury Forfeiture Fund and Justice’s Asset Forfeiture Fund and Seized Asset Deposit Fund have strengthened their financial management and accountability over seized and forfeited property, in part evidenced by the unqualified opinions on these entities’ financial statements over the past several years. With respect to consolidating noncash asset management and disposition activities, Treasury and Justice are moving toward sharing Web site locations for Internet sales, sharing selected vehicle storage and warehouse facilities, and exploring opportunities to jointly contract for specific services in high-volume areas. The departments’ substantial progress in improving the management of and accountability for seized and forfeited property, and their demonstrated commitment to communicate and coordinate where joint efforts could help reduce costs and eliminate duplicative activities, are sufficient for us to remove the high-risk designation from asset forfeiture programs. (See our Performance and Accountability reports on the Departments of Justice and the Treasury.[Footnote 4]): Progress Being Made in Remaining High-Risk Areas: For virtually all other areas that remain on our 2003 high-risk list, there has been important progress, although not yet enough progress to remove these areas from the list. Top administration officials have expressed their commitment to maintaining momentum in seeing that high- risk areas receive adequate attention and oversight. A concerted effort by agencies and ongoing attention by the Office of Management and Budget (OMB) is critical, as our experience over the past 13 years has shown that perseverance is required to fully resolve high-risk areas. The Congress, too, will continue to play an important role through its oversight and, where appropriate, through legislative action targeted at the problems and designed to address high-risk areas. Examples of agencies’ progress follow: * DOD has undertaken a number of initiatives to transform its forces and improve its business operations. As part of its transformation process, the Secretary of Defense and senior civilian and military leaders have committed to adopt a capabilities-based approach to planning based on clear goals and to improve the linkage between strategy and investments. At the same time, DOD has embarked on a series of efforts to improve its business processes, including support infrastructure reforms to include base closures, information technology modernization, and logistics reengineering. Further, in acknowledging DOD’s numerous ongoing financial difficulties, the Secretary of Defense has laid out an 8-year plan to reform financial management and accountability and instituted new contract management policies and programs aimed at increasing the importance given to these processes. Although DOD recognizes the need for internal transformation and budget reform, its goals are challenging, and its strategic plan is currently not set up to allow DOD to implement and measure progress toward achieving its performance goals in an integrated fashion. Additionally, DOD has not kept pace with the changing capabilities and productivity of the modern business environment. Effecting departmental transformation also requires cultural transformation and business process reengineering, which take years to accomplish, and a commitment from both the executive and legislative branches of government. (See “Highlights of High-Risk Areas,” p. 28.): * IRS continues to make important progress. For example, IRS (1) has developed and is using a modernization blueprint, commonly called an enterprise architecture, to guide and constrain its systems modernization projects and (2) is investing incrementally in them; both of which are leading practices of successful public-and private-sector organizations. In other actions, IRS has worked aggressively to address financial management issues not solely dependent on systems modernization for resolution and, in 2002, produced reliable annual financial statements (for the third consecutive year) only 6 weeks after the end of the fiscal year. Also, IRS has made progress in revamping both its organizational performance and human capital management systems. It has implemented and used a new strategic planning, budgeting, and performance management process. It has also rolled out a new employee evaluation system designed to align performance expectations and incentives with agencywide strategic goals. Top management has further demonstrated its commitment by taking actions to address other problems. For example, IRS is in various stages of planning and implementing a strategy to improve productivity in collecting taxes, and the Commissioner of Internal Revenue and the Treasury Assistant Secretary for Tax Policy have convened a joint task force to develop recommendations to better administer the earned income credit. However, more needs to be done to address risks associated with the growing scope and complexity of modernization and the internal control weaknesses in IRS’s financial management. Further, concerns remain about trends in the collection of unpaid taxes and the level of earned income credit noncompliance. Finally, IRS needs to continue its efforts to strengthen its approaches to managing its human capital. (See “Highlights of High-Risk Areas,” p. 28.): * The Department of Education has made important progress in, and demonstrated its commitment to, addressing long-standing issues that have made student financial aid programs vulnerable to fraud, waste, abuse, and mismanagement. Education established a team of senior managers to formulate strategies and direct initiatives to address key financial and management problems throughout the agency. Under one financial aid program initiative, names of defaulted borrowers were matched with the Department of Health and Human Services’ National Directory of New Hires database. This resulted in the collection of $269 million in fiscal year 2002 alone. Education has also conducted sample matches of income reported on student aid applications with federal tax returns. Expanding this initiative is contingent upon legislation that would increase IRS’s ability to share information with other agencies. Progress has also been made in other areas. Education’s Office of Federal Student Aid can now better integrate and use its existing data on student loans and grants, and changes have been implemented aimed at strengthening financial management departmentwide. However, additional work is needed to both prevent and collect defaulted student loans and to better demonstrate systems integration progress. Furthermore, it is too soon to determine whether changes made to improve financial management and address internal control weaknesses will prove effective. (See “Highlights of High-Risk Areas,” p. 28.): * HUD continues to work at overcoming weaknesses in its Single-Family Mortgage Insurance and Rental Housing Assistance program areas. HUD’s progress in its single-family insurance programs includes, for example, implementation of new processes to review lenders and appraisers and new incentives to improve the performance of its property disposition contractors. In its rental housing assistance programs, HUD has, among other things, initiated efforts to ensure that rental housing assistance is properly calculated and recipients are eligible, and improved processes to ensure that housing providers comply with the department’s housing quality standards. However, many of HUD’s strategies for resolving its high-risk problems represent new initiatives in the early stages of implementation, and significant problems remain. For example, HUD has not yet fully implemented an assessment system for calculating key financial indicators to determine lenders’ soundness and risk exposure. Further, HUD now estimates that rental assistance overpayments--some $2 billion out of $19 billion in assistance in fiscal year 2000--are greater than previously estimated. (See “Highlights of High-Risk Areas,” p. 28.): FAA is moving to rectify serious, long-standing material weaknesses in its financial management systems. Its new general, property, and cost accounting systems--a departmentwide initiative--are expected to give FAA the ability to produce reliable financial statements that accurately assign costs to its programs and projects and account for the cost of its property. Whether the new accounting system will fully remedy FAA’s financial management deficiencies will not be determined until it is fully implemented and subsequently subjected to a financial statement audit. FAA has also worked to address weaknesses in its Air Traffic Control Modernization efforts. For example, the agency has implemented a framework for improving its software processes, developed a systems architecture, institutionalized cost estimating practices, and improved its investment management practices. However, more needs to be done in each of these areas to achieve needed improvements. (See “Highlights of High-Risk Areas,” p. 28.): Progress in Addressing Transformation Challenges: As part of our move toward focusing on broad-based management challenges, we have designated as high risk key areas where transformation was needed or under way and where legislative action would be helpful. We have seen important progress in three of these areas as well. Strategic Human Capital Management: Since we designated strategic human capital management as a governmentwide high-risk area in January 2001, the Congress and the executive branch have taken a number of steps to address the challenges identified. Among these steps were the following: * In August 2001, the President placed the strategic management of human capital at the top of the President’s Management Agenda (PMA). * OMB began assessing agencies according to standards for success for each part of the PMA, including the strategic management of human capital. The first agency assessment was published in February 2002. Subsequent assessments, published in June and September 2002, reported on both the status and progress of agencies’ efforts in strategic human capital management. * In December 2001, the Office of Personnel Management (OPM) released a human capital scorecard to assist agencies in responding to the human capital standards for success contained in the PMA. * In the fall of 2002, OPM began realigning its organizational structure and appointed four new associate directors with proven human capital expertise to lead federal efforts. * In October 2002, OMB and OPM approved revised standards for success in the human capital area of the PMA, reflecting language developed in collaboration with us. * In November 2002, the Congress passed the Homeland Security Act of 2002, which created the Department of Homeland Security and provided the department with significant flexibility to design a modern human capital management system. This legislation also included additional significant provisions relating to governmentwide human capital management, such as direct hire authority, the ability to use categorical ranking in the hiring of applicants instead of the “rule of three,” the creation of Chief Human Capital Officers (CHCO) positions and a CHCO Council, expanded voluntary early retirement and buy-out authority, a requirement to discuss human capital approaches in Government Performance and Results Act reports and plans, a provision allowing executives to receive their total performance bonus in the year in which it is awarded, and other flexibilities. Although considerable momentum is building and progress has been made over the past 2 years, it remains clear that today’s federal human capital strategies are not yet appropriately constituted to meet current and emerging challenges or to drive needed transformation across the federal government. The basic problem, which continues today, has been the long-standing lack of a consistent strategic approach to marshalling, managing, and maintaining the human capital needed to maximize government performance and assure its accountability. Specifically, agencies across the federal government continue to face challenges in four key areas: * Leadership: Top leadership in the agencies must provide the sustained, committed, and inspired attention needed to address human capital and related organization transformation issues. * Strategic Human Capital Planning: Agencies’ human capital planning efforts need to be more fully and demonstrably integrated with mission and critical program goals. * Acquiring, Developing, and Retaining Talent: Additional efforts are needed to improve recruiting, hiring, professional development, and retention strategies to ensure that agencies have needed talent. * Results-Oriented Organizational Cultures: Agencies continue to lack organizational cultures that promote high performance and accountability, and that empower and include employees in setting and accomplishing programmatic goals. Importantly, although strategic human capital management remains high risk governmentwide, federal employees are not the problem. Rather, the problem is a set of policies that are viewed by many as outdated, over- regulated, and not strategic. Human capital weaknesses in the federal government did not emerge overnight and will not be quickly or easily addressed. Committed, sustained, and inspired leadership and persistent attention on behalf of all interested parties will continue to be essential to build on the progress that has been and is being made, if lasting reforms are to be successfully implemented. Reaching and maintaining a strategic approach to human capital management will take considerable effort on the part of the Congress, agency leadership, OPM, and OMB. Ultimately, the Congress may wish to consider legislative reforms to existing civil service laws. Key questions include the degree to which legislative changes are needed to design a modern human capital management system for the federal government. Although momentum continues to build for comprehensive reform, agencies need to use currently available flexibilities. (See “Highlights of High-Risk Areas,” p. 28.): U.S. Postal Service: In April 2001, we identified the U.S. Postal Service’s transformation efforts and long-term outlook as high risk due to growing financial, operational, and human capital challenges. Since then, these challenges have continued, and the Service has struggled to fulfill its primary mission of providing universal postal service at reasonable rates while remaining self-supporting from postal revenues. The events of September 11, 2001, and subsequent use of the mail to transmit anthrax have introduced new issues related to mail safety and security that also must be addressed. These challenges, as well as the need to address the uncertainty about the Service’s future role, require urgent attention to ensure that the Service will be able to fulfill its mission in the 21st century. In response to our high-risk designation, the Service released its Transformation Plan in April 2002. In this plan, the Service outlined actions it deemed necessary to deal with transformation issues both (1) in the short term, under its current authority and through moderate regulatory and legislative reforms, and (2) in the longer term, through fundamental structural transformation. To achieve its fundamental structural transformation, the Service proposed moving to a Commercial Government Enterprise business model. We reported that the development of the Transformation Plan was a good first step in raising key postal reform issues. Implementing the plan is a new challenge for the Service--in part because consensus has yet to be reached on legislative reforms--and therefore we have now added this implementation to the list of the Service’s major challenges. The other challenges include (1) controlling costs and improving productivity under the Service’s existing authority, (2) addressing unresolved financial issues, (3) developing strategies to address human capital issues, and (4) providing complete and reliable financial and performance information in a timely and transparent manner. Opportunities exist for the Service to address these major management challenges and make further progress in its transformation efforts. For example, the results of a recent financial analysis by OPM may lead to a reduction in the Service’s pension liability and related annual payments if the Congress takes legislative action in this area. This additional “breathing room” could allow the Service to address other financial challenges, such as its outstanding debt, substantial postretirement health obligations, and its capital freeze. The Service also anticipates a large number of upcoming retirements, which would provide an opportunity to realign the Service’s workforce and infrastructure to meet its future operational needs. Committed leadership and sustained attention to addressing the Service’s management challenges will be critical to achieving its transformation. Addressing the Service’s various challenges through comprehensive legislative reform will require consensus among various stakeholders-- something that has been very difficult to achieve, in part because the Service’s numerous stakeholders have divergent needs and concerns. Since 1996, the Congress has considered postal reform legislation many times; however, none of the reform proposals has been passed. More recently, in December 2002, the President established a nine-member Commission on the United States Postal Service to propose a vision for the future of the Postal Service and recommend the legislative and administrative reforms needed to ensure the viability of postal services. The Commission is expected to submit its report to the President by July 31, 2003. (See “Highlights of High-Risk Areas,” p. 28.): Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures: We have designated information security as a high-risk area across government since 1997 because of continuing evidence indicating significant, pervasive weaknesses in the controls over computerized federal operations. Moreover, related risks continue to escalate, in part due to the government’s increasing reliance on the Internet and on commercially available information technology. In addition, we continue to report significant information security weaknesses in 24 major federal agencies.[Footnote 5] Since our last high-risk report, efforts to correct information security weaknesses and improve federal information security have accelerated both at individual agencies and at the governmentwide level, including implementing government information security reform legislation enacted by the Congress in October 2000, implementing a related annual reporting process, and developing guidance and tools for agencies to self-assess their information security programs. On December 17, 2002, the Federal Information Security Management Act of 2002 was enacted, to permanently authorize and strengthen the information security program, evaluation, and reporting requirements established by government information security reform legislation. This legislation is an essential step to sustaining agency efforts to identify and correct significant weaknesses. Nonetheless, further information security improvement efforts are needed at the agency level and governmentwide. It is important that these efforts be guided by a comprehensive strategy and that this strategy address certain key issues including: * delineating the roles and responsibilities of the numerous entities involved in federal information security; * providing more specific guidance to agencies on the controls that they need to implement; * having agencies’ performance monitored by the agencies themselves, as well as by the Congress and the executive branch; * providing adequate technical expertise and allocating sufficient resources; and: * expanding research in the area of information systems protection. In our January 2001 high-risk update report, we also began to highlight the increasing importance of the federal government’s efforts to protect our nation’s critical public and private computer-dependent infrastructure (such as national defense, power distribution, and water supply), as outlined in Presidential Decision Directive 63. This year, we are broadening this high-risk issue to highlight the increased importance of protecting the information systems that support these critical infrastructures, referred to as cyber critical infrastructure protection or cyber CIP. Since our 2001 report, terrorist attacks and threats have further underscored the need to manage CIP activities that enhance the security of the cyber and physical public and private infrastructures that are essential to national security, national economic security, and/or national public health and safety. At the federal level, cyber CIP activities are perhaps the most critical component of a department or agency’s overall information security program. Since 2001, a number of significant actions have occurred to better position the nation to protect its critical infrastructures, including the following: * In October 2001, the President established the President’s Critical Infrastructure Protection Board to coordinate cyber-related federal efforts for protecting our nation’s critical infrastructures. * In July 2002, the President and his Office of Homeland Security issued the National Strategy for Homeland Security, which identifies protecting critical infrastructures and intelligence and warning as critical components. * In September 2002, the Protection Board released a comment draft of a National Strategy to Secure Cyberspace. The board issued this draft because the National Strategy for Homeland Security states that the administration will complete cyber and physical infrastructure protection plans to serve as the baseline for a future comprehensive national infrastructure protection plan. * On November 25, 2002, the President signed the Homeland Security Act of 2002, which established the Department of Homeland Security and, within it, the Directorate of Information Analysis and Infrastructure Protection. Although these actions taken are major steps to more effectively protect our nation’s critical infrastructures, further actions are needed to fully address our recommendations concerning CIP challenges, including: * completing a comprehensive and coordinated national CIP strategy, * improving analysis and warning capabilities, and: * improving information sharing on threats and vulnerabilities. (See “Highlights of High-Risk Areas,” p. 28.): [End of section] New High-Risk Areas: Adding Three Broad-Based High-Risk Areas: The new use of the high-risk designation to draw attention to the challenges faced by government programs and operations in need of broad-based transformation has led to important progress. With these positive results in mind, for 2003, we have designated three additional such areas as high risk: implementing and transforming the new Department of Homeland Security (DHS), modernizing federal disability programs, and federal real property. Implementing and Transforming the New Department of Homeland Security: We designated implementation and transformation of the new Department of Homeland Security as high risk based on three factors. First, the implementation and transformation of DHS is an enormous undertaking that will take time to achieve in an effective and efficient manner. Second, components to be merged into DHS already face a wide array of existing challenges. Finally, failure to effectively carry out its mission would expose the nation to potentially very serious consequences. In the aftermath of September 11, invigorating the nation’s homeland security missions has become one of the federal government’s most significant challenges. DHS, with an anticipated budget of almost $40 billion and an estimated 170,000 employees, will be the third largest government agency; not since the creation of DOD more than 50 years ago has the government sought an integration and transformation of this magnitude. In DOD’s case, the effective transformation took many years to achieve, and even today, the department continues to face enduring management challenges and high-risk areas that are, in part, legacies of its unfinished integration. Effectively implementing and transforming DHS may be an even more daunting challenge. DOD at least was formed almost entirely from agencies whose principal mission was national defense. DHS will combine 22 agencies specializing in various disciplines: law enforcement, border security, biological research, disaster mitigation, and computer security, for instance. Further, DHS will oversee a number of non- homeland-security activities, such as Coast Guard’s marine safety responsibilities and the Federal Emergency Management Agency’s (FEMA) natural disaster response functions. Yet only in the effective integration and collaboration of these entities will the nation achieve the synergy that can help provide better security against terrorism. The magnitude of the responsibilities, combined with the challenge and complexity of the transformation, underscores the perseverance and dedication that will be required of all DHS’s leaders, employees, and stakeholders to achieve success. Further, it is well recognized that mergers of this magnitude in the public and private sector carry significant risks, including lost productivity and inefficiencies. Generally, successful transformations of large organizations, even those undertaking less strenuous reorganizations and with less pressure for immediate results, can take from 5 to 7 years to achieve. Necessary management capacity and oversight mechanisms must be established. Moreover, critical aspects of DHS’s success will depend on well-functioning relationships with third parties that will take time to establish and maintain, including those with state and local governments, the private sector, and other federal agencies with homeland security responsibilities, such as the Department of State, the FBI and the Central Intelligence Agency, DOD, and the Department of Health and Human Services (HHS). Creating and maintaining a structure that can leverage partners and stakeholders will be necessary to effectively implement the national homeland security strategy. The new department is also being formed from components with a wide array of existing major management challenges and program risks. For instance, one DHS directorate’s responsibility includes the protection of critical information systems that we already consider a high risk. In fact, many of the major components merging into the new department, including the Immigration and Naturalization Service (INS), the Transportation Security Administration (TSA), Customs Service, FEMA, and the Coast Guard, face at least one major problem, such as strategic human capital risks, critical information technology challenges, or financial management vulnerabilities; they also confront an array of challenges and risks to program operations. For example, TSA has had considerable challenges in meeting deadlines for screening baggage, and the agency has focused most of its initial security efforts on aviation security, with less attention to other modes of transportation. INS has had difficulty in tracking aliens due to unreliable address information. Customs must meet challenges from the potential threats of weapons of mass destruction smuggled in cargo arriving at U.S. ports, and the Coast Guard faces the challenges inherent in a massive fleet modernization. DHS’s national security mission is of such importance that the failure to address its management challenges and programs risks could have serious consequences on our intergovernmental system, our citizens’ health and safety, and our economy. Overall, our designation of the implementation and transformation of DHS as a high-risk area stems from the importance of its mission and the nation’s reliance on the department’s effectiveness in meeting its challenges for protecting the country against terrorism. (See “Highlights of High-Risk Areas,” p. 28.): Modernizing Federal Disability Programs: This new high-risk area encompasses a range of federal disability programs. Federal disability programs have experienced significant growth over the past decade and are expected to grow even more steeply as more baby boomers reach their disability-prone years. In particular, SSA and the Department of Veterans Affairs (VA) oversee five major disability programs providing cash assistance to individuals with physical or mental conditions that reduced their earnings capacity, collectively paying more than $100 billion in cash benefits to more than 13 million beneficiaries in 2001.[Footnote 6] In recent years, scientific advances and economic and social changes, paradoxically, have redefined the relationship between impairments and work. Advances in medicine and technology have reduced the severity of some medical conditions and have allowed individuals to live with greater independence and function in work settings. Moreover, the nature of work has changed in recent decades as the national economy has moved away from manufacturing-based jobs to service-and knowledge-based employment. Yet federal disability programs remain mired in concepts from the past and are poorly positioned to provide meaningful and timely support for Americans with disabilities. Indeed, SSA and VA are struggling to provide accurate, timely, and consistent disability decisions to program applicants. We have added modernizing federal disability programs to our 2003 high-risk list based on the following concerns. Federal disability programs are grounded in outmoded concepts. Despite opportunities afforded by medical and technological advancements and the growing expectations that people with disabilities can and want to work, federal disability programs remain grounded in an approach that equates medical conditions with the incapacity to work. The legislation for SSA’s and VA’s disability programs requires that the assessment of eligibility be based on the presence of medically determinable physical and mental impairments. However, these assessments do not always reflect recent medical and technological advances and their impact on medical conditions that affect the ability to work. Likewise, the criteria used to assess disability have not incorporated changes in the labor market that have affected the skills needed to perform work and the settings in which work occurs. By using outdated information, the agencies risk overcompensating some individuals while undercompensating or denying compensation entirely to others. While relying upon outmoded assumptions about impairment and work, the agencies have experienced difficulty in managing disability programs. In spite of years of efforts to improve the management of their disability programs, both SSA and VA continue to face significant challenges. The processes these agencies use to determine disability adversely affect each agency’s ability to efficiently, equitably, and effectively serve their beneficiaries. Both SSA and VA have experienced increasing processing times for disability claims over the past several years, with claimants waiting more than 4 months for an initial decision and for more than 1 year for a decision on appeal of a denied claim. Although SSA has recently implemented several short-term initiatives not requiring statutory or regulatory changes to reduce processing times, it is still evaluating strategies for longer-term solutions. VA has demonstrated some recent progress based on newly implemented initiatives, but the agency is far from achieving its own goals for timeliness. The inconsistencies in disability decisions across adjudicative levels and locations in both agencies have raised questions about the fairness, integrity, and cost of these programs. Although both agencies have taken steps to provide training and enhance communication to improve the consistency of decisions, variations in allowances rates continue and a significant number of denied claims are still awarded on appeal. In addition, both SSA and VA have experienced challenges with implementing effective quality assurance systems. After failing in its attempts since 1994 to redesign a more comprehensive quality assurance system, SSA has recently begun a new quality management initiative. VA has taken a number of recent actions to correct problems with its quality assurance system and its measure of decision accuracy in 2002 has shown improvement. However, it is still well below the agency’s strategic goal for accuracy. Both SSA and VA lack comprehensive plans for addressing program growth. For example, between 1991 and 2001, the number of beneficiaries and their family members receiving Disability Insurance (DI) benefits, the largest of the five disability programs administered by SSA and VA, increased from 4.5 million to 6.9 million, as total cash benefits increased more than 70 percent (in 2001 dollars) during this time period to nearly $60 billion. By 2010, SSA expects that the number of DI beneficiaries and their eligible family members will increase by more than one-third over 2001 levels. (See figure 1.) Similarly, VA expects the number and complexity of its disability claims to increase due to veterans’ increased awareness of service-connected disabilities and recent legislative changes. Likewise, the disability rolls have been increasingly characterized by conditions that result in extended entitlement periods. Mental impairments and musculoskeletal conditions--conditions that people can survive with for decades--are currently more common qualifying conditions for people receiving benefits than in years past. However, SSA and VA have not sufficiently prepared for this growth and need specific plans for addressing future disability needs. Figure 1: Growth in DI Beneficiaries: [See PDF for image] Note: Figures after 2001 are estimates based on the intermediate assumptions of the Trustees of the Social Security trust funds. [End of figure] SSA also faces the challenge of supporting disability beneficiaries’ return to work. SSA has experienced limited success in doing so, in spite of changes in medicine, technology, society, and the nature of work, all of which have increased the potential for some people with disabilities to return to the labor force. Although SSA has taken a number of actions to improve its return-to-work practices, the agency still needs to develop, as we have recommended, a comprehensive return- to-work strategy that focuses at the outset on an evaluation of what is needed for an individual to return to work. Given the projected slowdown in the growth of the nation’s labor force, it is imperative that those who can work are supported in their efforts to do so. Developing comprehensive and sustainable solutions to the problems facing federal disability programs in the 21ST century will require agencies to significantly broaden their current efforts. Indeed, no single agency has the span of authority to fully address the issues involved. Although some solutions can be developed and implemented within the regulatory process, others will require legislative action. Fundamentally, agencies’ efforts need to be marked by consultation and cooperation with the legislative branch and by cross-agency cooperation. Success in improving operations and key outcomes--such as increased employment--will involve partnerships with agencies such as the Department of Labor, the Department of Education, HHS, and perhaps between SSA and VA themselves. (See “Highlights of High-Risk Areas,” p. 28.): Federal Real Property: Over 30 federal agencies control hundreds of thousands of real property assets--including both facilities and land--in the United States and abroad. These assets are worth about $328 billion, according to the fiscal year 2001 financial statements of the U.S. government.[Footnote 7] Unfortunately, much of this vast and valuable asset portfolio presents significant management challenges and reflects an infrastructure based on the business model and technological environment of the 1950s. Many assets are no longer effectively aligned with, or responsive to, agencies’ changing missions and are therefore no longer needed. Furthermore, many assets are in an alarming state of deterioration; restoration and repair needs are estimated by agencies to be in the tens of billions of dollars. For example, the Department of the Interior has a deferred maintenance backlog that its Inspector General estimated in April 2002 to be as much as $8 billion to $11 billion, and General Services Administration (GSA) data has shown a $5.7 billion repair and maintenance backlog in its buildings. Compounding these problems are the lack of reliable governmentwide data for strategic asset management, a heavy reliance on costly leasing instead of ownership to meet new space needs, and the cost and challenge of protecting these assets against potential terrorism. To address these challenges, the Congress and the administration have undertaken several efforts, including Defense Base Realignment and Closures Commissions and the President’s Commission to Study Capital Budgeting. In addition, the Congress, OMB, and GSA have also recognized the need for and developed legislative proposals in recent years that were designed to address some of the problems. Although some of these efforts and other work by individual real-property-holding agencies have had some success, much remains to be done governmentwide. In most cases, the effectiveness of current and planned initiatives has yet to be determined. Despite these efforts and the sincerity with which the federal real property community has embraced the need for reform, the problems have persisted and have been exacerbated by competing stakeholder interests in real property decisions, various legal and budget-related disincentives to achieving businesslike outcomes, the need for better capital planning among real-property-holding agencies, and the lack of a strategic governmentwide focus on federal real property issues. Given the persistence of these problems and the various obstacles that have impeded progress in resolving them, we are designating federal real property as a new high-risk area. Resolving these long-standing problems will require high-level attention and effective leadership by the Congress and the administration. Also, because of the breadth and complexity of the issues involved, the long-standing nature of the problems, and the intense debate about potential solutions that will likely ensue, current structures and processes may not be adequate to address the problems. Given this, there is a need for a comprehensive and integrated transformation strategy for federal real property, and an independent commission or governmentwide task force may be needed to develop this strategy. Such a strategy could be based on input from agencies, the private sector, and other interested groups. The strategy should also reflect the lessons learned and leading practices of public and private organizations that have attempted to reform their real property practices. These organizations have recognized that real property, like capital, people, technology, and information, is a valuable resource that, if managed well, can support the accomplishment of their missions and the achievement of their business objectives. In addition, as these organizations are recognizing, the workplace of the future will differ from today’s work environment. For the federal government, technological advancements, electronic government, flexible workplace arrangements, changing public needs, opportunities for resource sharing, and security concerns will call for a new way of thinking about the federal workplace and the government’s real property needs. Realigning the government’s real property assets with agency missions, taking into account the requirements of the future federal role and workplace, will be critical to improving the government’s performance and ensuring accountability within expected resource limits. If actions resulting from the transformation strategy comprehensively address the problems and are effectively implemented, agencies will be better positioned to recover asset values, reduce operating costs, improve facility conditions, enhance safety and security, and achieve mission effectiveness. (See “Highlights of High- Risk Areas,” p. 28.): New High-Risk Area Identified Based on Fiscal Oversight Vulnerabilities: In addition to our expanded focus on challenges associated with the economy, efficiency, and effectiveness of government programs and operations in need of broad-based transformation, we will continue to identify high-risk areas based on the more traditional focus on fraud, waste, abuse, and mismanagement. For such problems, our focus will continue to be on identifying the root causes behind the vulnerabilities, as well as actions needed on the part of the agencies involved and, if appropriate, the Congress. For this update, we have designated one such new high-risk area. Medicaid Program: Growing concern about the size, growth, and fiscal oversight of the Medicaid program has led us to include the program on our 2003 high- risk list. Medicaid pays for both acute health care and long-term care services for over 44 million low-income Americans and is the third largest social program in the federal budget (after Social Security and Medicare). Financed jointly by the federal government and the states, Medicaid consists of more than 50 distinct “state” programs that together cost $228 billion in fiscal year 2001, accounts for more than 20 percent of states’ total expenditures, and is projected to double in spending in a decade. The federal government pays from half to more than three-fourths of each state’s Medicaid expenditures. The Centers for Medicare & Medicaid Services (CMS) faces major challenges in managing this program of vast size, growth, and diversity. Protecting the program’s fiscal integrity is critically important. It is especially challenging because the federal government’s financial liability for the Medicaid program is linked to reported state expenditures. Our work in recent years finds that federal and state oversight efforts have often been inadequate to prevent inappropriate spending, thereby increasing federal spending unnecessarily. Over the last decade, for example, some states have found ways to inappropriately leverage federal funds. Although CMS and the Congress have acted to curb certain financing schemes, states have found new statutory and regulatory loopholes to create the illusion that they have made large Medicaid payments to certain health care providers in order to generate excessive federal matching payments. Some of the schemes have cost the federal government several billions of dollars each year. We are also concerned that states’ receipt of waivers--where the Secretary of HHS waives certain statutory provisions and allows testing of new health care delivery and coverage ideas--may continue to increase the federal government’s financial liability beyond what it would have been without the waivers.[Footnote 8] For example, two states’ waivers approved in 2002 are estimated to cost the federal government an extra $330 million or more than it would have paid in the absence of the waivers. HHS is currently considering approval of similar waivers by additional states. Another area of concern involves federal and state efforts to ensure that payments are accurate and appropriate. Like other health care payers, Medicaid is vulnerable to waste, fraud, and abuse by providers who submit inappropriate claims. The hundreds of millions of dollars in improper payments that a few states have identified in recent years suggests that states have the potential for considerable savings through increased efforts to safeguard program payments. The exploitation of Medicaid not only penalizes taxpayers, but also jeopardizes the viability of a program that over 44 million low-income Americans depend on for essential health and long-term care services. To better protect Medicaid dollars, CMS must take the steps needed to strengthen federal and state fiscal oversight to ensure that the federal government pays only its valid share of proper program expenditures. (See “Highlights of High-Risk Areas,” p. 28.): [End of section] Highlights of High-Risk Areas: Overall, the government continues to take high-risk problems seriously and is making long-needed progress toward correcting them. The Congress has also acted to address several individual high-risk areas through hearings and legislation. Continued perseverance in addressing high- risk areas will ultimately yield significant benefits. Lasting solutions to high-risk problems offers the potential to save billions of dollars, dramatically improve service to the American public, strengthen public confidence and trust in the performance and accountability of our national government, and ensure the ability of government to deliver on its promises. We have prepared highlights of each of the 25 current high-risk areas showing (1) why the area is high risk, (2) the actions that have been taken and that are under way to address the problem since our last update report and the issues that are yet to be resolved, and (3) what remains to be done to address the risk. These highlights are presented on the following pages. Also, comprehensive discussions of 22 of the high-risk areas are included in the relevant department or agency report in the accompanying special GAO series entitled the Performance and Accountability Series: Major Management Challenges and Program Risks. The individual high-risk area highlights provide a link to the relevant reports in this series. Comprehensive discussions of the 3 crosscutting high-risk areas--strategic human capital management, protecting information systems supporting the federal government and the nation’s critical infrastructures, and federal real property--are presented in separate reports as part of this series. GAO Highlights: High-Risk Series High-Risk Series Strategic Human Capital Management: Highlights of a high-risk area discussed in the GAO report entitled High-Risk Series: Strategic Human Capital Management (GAO-03-120) Why Area is High Risk: In its January 2001 High-Risk Update (GAO-01-263), GAO designated strategic human capital management as a governmentwide high-risk area. The basic problem, which continues today, has been the long-standing lack of a consistent strategic approach to marshaling, managing, and maintaining the human capital needed to maximize government performance and assure its accountability. This report is part of a special series of reports on governmentwide and agency-specific challenges. What GAO Found: Leading public organizations here and abroad have found that strategic human capital management must be the centerpiece of any serious change management initiative and efforts to transform the cultures of government agencies. Unfortunately, the federal government’s strategic human capital approaches are not yet well positioned to enable the needed transformation. Since we designated strategic human capital management as a governmentwide high-risk area in January 2001, Congress has taken a number of steps to address the challenges identified, including granting agencies significant new authorities for managing their human capital as part of the Homeland Security Act of 2002. The strategic management of human capital was also placed at the top of the President’s Management Agenda. Individual agencies have also taken action to address their specific challenges. Despite the considerable progress over the past 2 years, it remains clear that today’s federal human capital strategies are not appropriately constituted to meet current and emerging challenges or to drive the needed transformation across the federal government. Specifically, agencies continue to face challenges in four key areas: *Leadership: Top leadership in the agencies must provide the committed and inspired attention needed to address human capital and related organization transformation issues. Strategic Human Capital Planning: Agencies’ human capital planning efforts need to be more fully and demonstrably integrated with mission and critical program goals. Acquiring, Developing, and Retaining Talent: Additional efforts are needed to improve recruiting, hiring, professional development, and retention strategies to ensure that agencies have the needed talent. Results-Oriented Organizational Cultures: Agencies continue to lack organizational cultures that promote high performance and accountability and empower and include employees in setting and accomplishing programmatic goals. Importantly, although strategic human capital management remains high – risk governmentwide, federal employees are not the problem. Rather, the problem is a set of policies and practices that are not strategic, and viewed by many as outdated and over-regulated. In the final analysis, modern, effective, and credible human capital strategies will be essential in order to maximize the performance and assure the accountability of the government for the benefit of the American people. What Remains to be Done: Reaching and maintaining an approach to human capital management that is strategic will take considerable effort from the Congress, agencies, the Office of Personnel Management, and the Office of Management and Budget. Ultimately, Congress will need to consider additional legislative reforms to existing civil service laws. While momentum continues to build for comprehensive civil service reform, agencies need to use currently available flexibilities to recruit, hire, develop, retain, and hold employees accountable for mission accomplishment. www.gao.gov/cgi-bin/getrpt?GAO-03-120. For additional information about this high-risk area, click on the link above or contact J. Christopher Mihm at (202) 512-6806 or mihmj@gao.gov. [End of section] GAO Highlights: High-Risk Series High-Risk Series U.S. Postal Service: Transformation Efforts and Long-Term Outlook: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the U.S. Postal Service (GAO-03-118) Why Area is High Risk: In April 2001, GAO designated the U.S. Postal Service’s (the Service) transformation and long-term outlook as high risk because of growing financial and operational difficulties, including the following: The fiscal year 2001 outlook changed from a $480 million to a $2 billion–$3 billion deficit. Growth in expenses outpaced the growth in revenues. Capital spending was deferred. Weakened cash flow increased borrowing pressures, as debt levels approached the statutory borrowing limit. Also, human capital issues, such as the wave of impending retirements, performance-based compensation, and labor-management relations, needed to be addressed. What GAO Found: The Service’s current business model, which relies on increasing mail volumes to mitigate rate increases and cover costs, is at risk as competition and technological alternatives increase. In fiscal years 2001 and 2002, despite multiple rate increases and cost-cutting efforts, the Service incurred large deficits as total mail volume declined. The figure below shows that mail volume growth for First-Class Mail and Standard Mail—mail classes that generate over three-fourths of the Service’s revenue—has been slowing. Growth in Key Mail Classes Is Slowing [See PDF for image] [End of figure] Other major challenges facing the Service include: Long-standing difficulty in cutting costs, particularly related to its workforce and infrastructure, and in sustaining productivity gains; Unknown safety and security needs; Cash flow from operations that is insufficient to fund capital expenditures and reduce borrowing pressure; Liabilities that continue to exceed assets, and postretirement health obligations that are growing; Succession planning for the large number of upcoming retirements. To address its high-risk designation, the Service issued its Transformation Plan (the Plan) in April 2002. The Plan outlined steps to guide it in carrying out its future mission and proposed a new business model to achieve its long-term transformation. The Plan was a good first step; however, concerns remain about its full implementation, as no consensus has been reached on the Service’s future. Effective leadership and sustained attention by the Service will be key to effectively carrying out its transformation. Opportunities exist (for example, the upcoming retirements) for the Service and its leadership to address these challenges. A recent analysis may lead to a significant reduction in its pension liability, which would improve the Service’s financial outlook and allow it to address other financial challenges and align its workforce and infrastructure to meet future needs. What Remains to Be Done: GAO believes the Service should: Work with Congress, the Presidential Commission, and stakeholders to implement its Plan, including legislation to address issues related to its mission and role for the 21st century; governance structure; accountability mechanisms; and human capital matters. Develop strategies to align its infrastructure and workforce to support its business model; Continue efforts to cut costs and improve productivity; and Address long-term financial concerns, such as outstanding debt and postretirement health obligations. www.gao.gov/cgi-bin/getrpt?GAO-03-118 For additional information about this high-risk area, click on the link above or contact Bernard L. Ungar at (202) 512-2834 or ungarb@gao.gov. [End of section] GAO Highlights: High-Risk Series Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures: Highlights of a high-risk area discussed later in this report (GAO-03-121) Why Area is High Risk: Since GAO designated computer security in the federal government as high risk in 1997, evidence of pervasive weaknesses has been continuing. Also, related risks have been escalating, in part because of the dramatic increases in computer interconnectivity and increasing dependence on computers to support critical operations and infrastructures, such as power distribution, water supply, national defense, and emergency services. This year, GAO expanded this high risk area to include protecting the information systems that support our nation’s critical infrastructures, referred to as cyber critical infrastructure protection or cyber CIP. Among other reasons for designating cyber CIP high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to protect these infrastructures could adversely affect our national security, economic security, and/or public health and safety. What GAO Found: Since January 2001, efforts to improve federal information security have accelerated at individual agencies and at the governmentwide level. For example, implementation of Government Information Security Reform legislation (GISRA) enacted by the Congress in October 2000 was a significant step in improving federal agencies’ information security programs and addressing their serious, pervasive information security weaknesses. In Implementing GISRA, agencies have noted benefits, including increased management attention to and accountability for information security. Although improvements are under way, recent audits of 24 of the largest federal agencies continue to identify significant information security weaknesses that put critical federal operations and assets in each of these agencies at risk (see figure below). Over the years, various working groups have been formed, special reports written, federal policies issued, and organizations created to address the nation’s critical infrastructure challenges. In 1998, the President issued Presidential Decision Directive 63 (PDD 63), which described a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government. To accomplish its goals, PDD 63 designated and established organizations to provide central coordination and support. This directive has since been supplemented by Executive Order 13231, which established the President’s Critical Infrastructure Protection Board and the President’s National Strategy for Homeland Security. While the actions taken to date are major steps to more effectively protect our nation’s critical infrastructures, GAO has made numerous recommendations over the last several years concerning CIP challenges. In response to these challenges, improvements have been made and efforts are in progress, but more work is needed to address them. Information Security Weaknesses at 24 Major Agencies [See PDF for image] [End of figure] What Remains to Be Done: Among other actions essential to sustaining federal information security improvements are the agencies’ development of effective risk management programs and the development of a comprehensive strategy to guide agencies’ efforts. Further actions to improve CIP include developing a national CIP strategy and improving analysis and warning capabilities and information sharing on threats and vulnerabilities. www.gao.gov/cgi-bin/getrpt?GAO-03-121. For additional information about this high-risk area, click on the link above or contact Robert F. Dacey at (202) 512-3317 or daceyr@gao.gov. [End of section] GAO Highlights: High-Risk Series Implementing and Transforming the New Department of Homeland Security: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of Homeland Security (GAO-03-102) Why Area is High Risk: GAO has designated implementing and transforming the new Department of Homeland Security (DHS) as a high risk area for three reasons. First, the implementation and transformation of DHS is an enormous undertaking that will take time to achieve in an effective and efficient manner. Second, components being merged into DHS already face a wide array of existing challenges. Finally, failure to effectively carry out its mission exposes the nation to potentially very serious consequences. What GAO Found: Effectively implementing and transforming the Department of Homeland Security will be a daunting challenge. The Department will combine 22 agencies with an estimated 170,000 employees specializing in various disciplines: law enforcement, border security, biological research, disaster mitigation, and computer security, for instance. Further, DHS will oversee a number of non-homeland security activities, such as the Coast Guard’s marine safety responsibilities and the Federal Emergency Management Agency’s (FEMA) natural disaster response functions. Yet, only in the effective integration and collaboration of these entities will the nation achieve the synergy that can help provide better security. The magnitude of the responsibilities, combined with the challenge and complexity of the transformation, underscore the perseverance and dedication that will be needed from DHS’s leaders, employees, and stakeholders to achieve success. It is well recognized that mergers of this magnitude in the public and private sector carry significant risks, including lost productivity and inefficiencies. Generally, successful transformations of large organizations, even those undertaking less strenuous reorganizations and with less pressure for immediate results, can take from 5 to 7 years to achieve. Necessary management capacity and oversight mechanisms must be established. Moreover, critical aspects of DHS’s success will depend on well-functioning relationships with third parties that will take time to establish and maintain, including those with states and local governments, the private sector, and other federal agencies with homeland security responsibilities, such as the State Department, the Federal Bureau of Investigation, the Central Intelligence Agency, the Defense Department, the Transportation Department, and the Department of Health and Human Services. Creating and maintaining a structure that can leverage partners and stakeholders will be needed to effectively implement the national homeland security strategy. The new department also is being formed from components with a wide array of existing major management challenges and program risks. For instance, one DHS directorate’s responsibility includes the protection of critical information systems that GAO already considers a high risk. In fact, many of the major components merging into the new department— including the Immigration and Naturalization Service, the Transportation Security Administration, Customs Service, FEMA, and the Coast Guard—face at least one major problem, such as strategic human capital risks, information management technology challenges, or financial management vulnerabilities; they also confront an array of program operations challenges and risks. DHS’s national security mission is of such importance that the failure to effectively address its management challenges and program risks could have serious consequences on our intergovernmental system, our citizens’ health and safety, and our economy. What Needs to Be Done: The long-term solution to this high risk area necessitates that DHS effectively integrate the 22 incoming agencies and nearly $40 billion budget in order to achieve the synergy for providing better security against terrorism. Necessary management capacity, priority setting, and oversight mechanisms must be established to cope with inherent risks associated with major mergers. In addition, creating and maintaining a structure that can leverage partners and stakeholders will be essential to effectively implementing the national homeland security strategy. Finally, DHS must confront a wide array of existing major management challenges and program risks in its incoming agencies to ensure success. www.gao.gov/cgi-bin/getrpt?GAO-03-102. For additional information about this high-risk area, click on the link above or contact Randall Yim at (202) 512-3580 or yimr@gao.gov, or Patricia Dalton at (202) 512-6806 or daltonp@gao.gov. [End of Section] GAO Highlights: High-Risk Series Modernizing Federal Disability Programs: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Social Security Administration (GAO-03-117) and the Department of Veterans Affairs (GAO-03-110) Why Area is High Risk: Disability programs have been growing and are poised to grow even more rapidly as more baby boomers reach their disability prone years. This growth is taking place despite greater opportunities for people with disabilities to work. Moreover, this growth is occurring at the same time that agencies such as the Social Security Administration (SSA) and the Department of Veterans Affairs (VA) are struggling to provide timely and consistent disability decisions. While the agencies are taking some actions to address these problems in the short term, longer-term solutions are likely to require fundamental changes including legislative action. What GAO Found: GAO’s work examining the challenges facing federal disability programs has found that these programs are not well positioned to provide meaningful and timely support for Americans with disabilities. In particular, SSA’s and VA’s programs are based on concepts from the past. These outdated concepts persist despite scientific advances and economic and social changes that have redefined the relationship between impairments and the ability to work. Advances in medicine and technology have reduced the severity of some medical conditions and have allowed individuals to live with greater independence and function in work settings. Moreover, the nature of work has changed as the national economy has become increasingly knowledge-based. At the same time, the projected slowdown in growth of the nation’s labor force makes it imperative that those who can work are supported in their efforts to do so. Beyond these outmoded design issues, the agencies also face longstanding challenges to improve the quality and timeliness of disability decisions. As the result of this work, GAO has added modernizing federal disability programs to its 2003 high-risk list based on the following concerns: SSA and VA Programs Remain Grounded in Outmoded Concepts of Disability. Disability criteria have not been updated to reflect the current state of science, medicine, technology and labor market conditions. As a result, both agencies need to reexamine the medical and vocational criteria they use to determine whether individuals are eligible for benefits. Using outdated information, the agencies risk overcompensating some individuals while undercompensating or denying compensation entirely to others. Agencies Have Difficulties Managing Disability Programs. Both SSA and VA have experienced (1) lengthy processing times for disability claims, (2) inconsistencies in disability decisions across adjudicative levels and locations, and (3) challenges with implementing effective quality assurance systems. The agencies have made some progress addressing some of these challenges, but much more work needs to be done. Agencies Need Adequate Plans for Addressing Program Growth. Between 1991 and 2001, the SSA Disability Insurance rolls increased by more than 50 percent and growth is expected to continue. Similarly, VA expects the number of its disability claims to increase. However, SSA and VA have not sufficiently prepared for this growth and will need specific plans for addressing future disability needs. Developing effective and sustainable solutions to problems facing federal disability programs will require consultation and cooperation between the executive and legislative branches as well as cross-agency efforts, and will likely require statutory as well as regulatory and management actions. What Remains to Be Done: GAO believes that SSA and VA should take the lead in examining the fundamental causes of program problems such as outmoded disability criteria and seek both management and legislative solutions as appropriate to bring their programs in line with the current state of science, medicine, technology and labor market conditions. At the same time, these agencies should continue to develop and implement strategies for improving the accuracy, timeliness, and consistency of disability decision- making. Further, both agencies should pursue more effective quality assurance systems. www.gao.gov/cgi-bin/getrpt?GAO-03-117. www.gao.gov/cgi-bin/getrpt?GAO-03-110. For additional information about this high-risk area, click on the link above or contact Robert E. Robertson (SSA programs) at (202) 512-7215 or robertsonr@gao.gov or Cynthia Bascetta (VA programs) at (202) 512-7101 or bascettac@gao.gov. [End of section] GAO Highlights: High-Risk Series Federal Real Property: Highlights of a high-risk area discussed in the GAO report entitled High-Risk Series: Federal Real Property (GAO-03-122) Why Area is High Risk: Long-standing problems with excess and underutilized real property, deteriorating facilities, unreliable real property data, and costly space challenges are shared by several agencies. These factors have multibillion-dollar cost implications and can seriously jeopardize mission accomplishment. Federal agencies face many challenges securing real property due to the threat of terrorism. What GAO Found: Over 30 agencies control hundreds of thousands of real property assets worldwide, including facilities and land, which are worth hundreds of billions of dollars. Unfortunately, much of this vast, valuable portfolio reflects an infrastructure based on the business model and technological environment of the 1950s. Many of the assets are no longer effectively aligned with, or responsive to, agencies’ changing missions and are therefore no longer needed. Further, many assets are in an alarming state of deterioration; agencies have estimated restoration and repair needs to be in the tens of billions of dollars. Compounding these problems are the lack of reliable governmentwide data for strategic asset management, a heavy reliance on costly leasing instead of ownership to meet new needs, and the cost and challenge of protecting these assets against potential terrorism. To address these challenges, Congress and the administration have undertaken several efforts, including Defense Base Realignment and Closures Commissions, the President’s Commission to Study Capital Budgeting, and various legislative initiatives. While some of these efforts and other work by individual real property-holding agencies have had some success, much remains to be done governmentwide. Furthermore, despite these efforts, the problems have persisted and have been exacerbated by competing stakeholder interests in real property decisions; various legal and budget-related disincentives to businesslike outcomes; the need for better capital planning among agencies; and the lack of a strategic, governmentwide focus on real property issues. Given the persistence of the problems and related obstacles, we have added federal real property as a new high-risk area. Resolving these problems will require high-level attention and effective leadership by both Congress and the administration. Also, because of the breadth and complexity of the issues, the long-standing nature of the problems, and the intense debate that will likely ensue, current structures and processes may not be adequate to address the problems. Thus, there is a need for a comprehensive, integrated transformation strategy for real property. Realigning the government’s real property, taking into account future workplace needs, will be critical to improving the government’s performance and ensuring accountability within expected resource limits. [See PDF for image] [End of figure] What Remains to Be Done: There is a need for a comprehensive and integrated real property transformation strategy that could identify how best to realign and rationalize federal real property and dispose of unneeded assets; address significant real property repair and restoration needs; develop reliable, useful real property data; resolve the problem of heavy reliance on costly leasing; and minimize the impact of terrorism on real property. An independent commission or governmentwide task force may be needed to develop this strategy. If resulting actions address the problems and are effectively implemented, agencies will be better able to recover asset values, reduce operating costs, improve facility conditions, enhance safety and security, and achieve mission effectiveness. www.gao.gov/cgi-bin/getrpt?GAO-03-122. For additional information about this high-risk area, click on the link above or contact John H. Anderson, Jr. at (202) 512-2834 or AndersonJ@gao.gov. [End of figure] GAO Highlights: High-Risk Series Federal Aviation Administration Air Traffic Control Modernization: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of Transportation (GAO-03-108) Why Area is High Risk: After 2 decades and $35 billion, FAA’s air traffic control modernization program is far from complete. While FAA has made important progress in addressing weaknesses that GAO identified, more remains to be done. In the meantime, major FAA projects continue to face challenges that could affect the agency’s ability to meet cost, schedule, and/or performance expectations. Key projects include the Standard Terminal Automation Replacement System, Next-Generation Air/Ground Communications System, and Wide Area Augmentation System. What GAO Found: Faced with growing air traffic and aging equipment, in 1981 FAA initiated an ambitious effort to modernize its air traffic control system. This effort involves acquiring a vast network of radar, navigation, communications, and information processing systems, as well as new air traffic control facilities— and is expected to cost over $50 billion through fiscal year 2007. However, over the past 2 decades, many of the projects that make up the modernization program have experienced cost overruns, schedule delays, and performance shortfalls of large proportions. GAO initially designated FAA’s modernization program as high risk in 1995. GAO’s work over the years has identified root causes of the modernization program’s problems, including immature software acquisition capabilities, lack of a complete systems architecture, inadequate cost estimating and accounting practices, ineffective investment management practices, and an organizational culture that impaired the acquisition process. FAA has made important progress in addressing these weaknesses. For example, the agency has implemented a framework for improving its software processes, developed a systems architecture, institutionalized cost estimating practices, and improved its investment management practices. However, more remains to be done in each of these areas. [See PDF for image] [End of figure] What Remains to Be Done: GAO has made over 30 specific recommendations to address the root causes of FAA’s problems. While the agency has made progress on these recommendations, more must be done to institutionalize mature software acquisition processes, enforce the systems architecture, and implement effective investment management processes. With FAA expecting to spend about $16 billion through fiscal year 2007 on new air traffic control systems, these actions are as critical as ever. www.gao.gov/cgi-bin/getrpt?GAO-03-108. For additional information about this high-risk area, click on the link above or contact Joel C. Willemssen at (202) 512-6408 or willemssenj@gao.gov. [End of section] GAO Highlights: High-Risk Series Internal Revenue Service Business Systems Modernization: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of the Treasury (GAO-03-109) Why Area is High Risk: The Internal Revenue Service’s (IRS) multibillion-dollar Business Systems Modernization program is critical to the success of the agency’s efforts to transform its manual, paper-intensive business operations and fulfill its obligations under the IRS Restructuring and Reform Act. While IRS has made important progress in establishing long overdue modernization management capabilities, and in acquiring the foundational system infrastructure and the system applications that will permit the agency to operate more effectively and efficiently, significant challenges and risks remain. What GAO Found: In 1995, after finding numerous and severe management and technical program control weaknesses, GAO designated IRS’s systems modernization activities as high risk. At that time, GAO made a series of recommendations, including limiting modernization activities and spending until the weaknesses were corrected. IRS responded slowly. In light of IRS’s response and additional recommendations made by GAO as part of its ongoing support to Congress in overseeing systems modernization, GAO’s 2001 high-risk report noted that despite improvements, key management controls were still lacking. GAO also observed that until they were in place, the risks of project cost, schedule, and performance shortfalls would remain and would, in fact, increase as IRS began to build and deploy systems. Since that time IRS has made significant progress. For example, IRS has developed and is using a modernization blueprint, commonly called an enterprise architecture, to guide and constrain its modernization projects, and is investing incrementally in its projects, both of which are leading practices of successful public and private-sector organizations. Nevertheless, the program remains at risk for two reasons: Scope and complexity of modernization are growing. As IRS proceeds, the number of projects underway and the complexity of the tasks associated with those projects that are moving beyond design and into development, continue to expand. Modernization management capacity is still maturing. IRS has yet to fully implement a strategic approach to ensuring that it has sufficient human capital resources, and it has yet to fully implement process controls in such areas as estimating costs and defining performance based contracts What Remains to Be Done: IRS acknowledges its challenges and risks, and it is taking action to address them. It is important for IRS to fully implement essential modernization management capabilities, including cost estimation, performance based contracting, and strategic management of human capital. This is especially important now, as IRS’s fiscal year 2003 spending plan aims to fund the later, more complex and demanding stages of several key projects. It is therefore essential that IRS move quickly to fully implement our remaining recommendations. www.gao.gov/cgi-bin/getrpt?GAO-03-109. For additional information about this high-risk area, click on the link above or contact Robert F. Dacey at (202) 512-3317 or daceyr@gao.gov. [End of figure] GAO Highlights: High-Risk Series Department of Defense Systems Modernization: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of Defense (GAO-03-98) Why Area is High Risk: To transform its business operations, the Department of Defense (DOD) is spending billions of dollars to modernize its information technology systems. However, pervasive modernization management weaknesses increase the risk that these efforts will not be successful. Within some components of DOD, modernization management improvements have occurred, but the department as a whole remains far from where it needs to be in order to effectively and efficiently manage something the size and significance of its DOD-wide systems modernization program. What GAO Found: Since GAO first designated DOD’s systems modernization as a high risk in 1995, DOD has had limited success in modernizing its information technology environment because it has yet to fully implement GAO’s recommendations aimed at addressing its underlying modernization management weaknesses. DOD acknowledges that it needs to correct these weaknesses and has agreed to implement most of GAO’s recommendations. However, progress in doing so since GAO’s 2001 high-risk report has been mixed. To its credit, DOD is taking steps to develop integrated modernization blueprints, commonly called enterprise architectures, and it has revised its investment management guidance. Also, it has engaged DOD’s executive leadership in the modernization through such bodies as the Defense Practice Implementation Board. However, much remains to be accomplished before DOD will have effectively mitigated the risks it faces in modernizing its systems. At the same time, DOD continues to invest heavily in information technology, with about $26 billion planned for fiscal year 2003. Key modernization management improvements that DOD needs to make include: Establish and use enterprise architectures. DOD lacks an integrated set of enterprise architectures for its financial and related business functions, which is a recognized best practice, thus preventing DOD and its component organizations from investing billions of dollars in a way that promotes system interoperability, limits duplication, and optimizes institutional performance. Institute effective investment management practices. DOD components are not consistently following best practices in managing its information technology investments as portfolios of competing investment options. Also, DOD is committing to billion-dollar information technology projects without adequate economic justification and without reducing the investments’ inherent risk by breaking them into a series of smaller projects. Consistently implement effective acquisition processes. DOD components’ implementation of acquisition management best practices is uneven, as are its proactive efforts to improve these processes, which limits DOD’s ability to consistently deliver promised system capabilities on time and within budget. What Remains to Be Done: As GAO has reported, the key to effecting meaningful change is executive management leadership and commitment to and use of a proven management framework. Accordingly, DOD needs to (1) treat these areas as management priorities and (2) implement frameworks for modernizing its systems that are grounded in legislative requirements, federal guidance, and the practices and successes of leading public and private-sector institutions. Although DOD agrees with these recommendations, its progress in implementing them has been mixed. The backing of senior management, as shown by DOD’s successful Year 2000 effort, will play a large role in what is accomplished. www.gao.gov/cgi-bin/getrpt?GAO-03-98. For additional information about this high-risk area, click on the link above or contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] GAO Highlights: High-Risk Series Department of Defense Financial Management: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of Defense (GAO-03-98) Why Area is High Risk: Since 1995, the Department of Defense’s (DOD) financial management has been on GAO’s list of high-risk areas vulnerable to waste, fraud, abuse, and mismanagement. Taken together, DOD’s financial management deficiencies represent the single largest obstacle to achieving an unqualified opinion on the U. S. government’s consolidated financial statements. DOD continues to face financial management problems that are pervasive, complex, long-standing, and deeply rooted in virtually all its business operations. DOD’s financial management deficiencies adversely affect the department’s ability to control costs, ensure basic accountability, anticipate future costs and claims on the budget, measure performance, maintain funds control, prevent fraud, and address pressing management issues. What GAO Found: GAO recently reported on fundamental flaws in DOD’s financial management systems, processes, and overall internal control environment that resulted in government travel card delinquency rates for the Army and Navy that were nearly double those of federal civilian agencies; numerous instances of potential fraud and abuse, including purchases of a wide range of goods and services unrelated to official business; $146 million in illegal adjustments to amounts appropriated by the Congress; an inability to ensure the Congress that the $1.1 billion in funds it received for spare parts were used for that purpose; managing and reporting on the funding associated with the Air Force’s contracted depot maintenance that resulted in understating the dollar value of year-end carryover work by tens of millions of dollars; and excessing and selling critical inventory items such as unused sets of chemical and biological protective garments for about $3 each, while at the same time procuring hundreds of thousands of other such garments for over $200 per set. Previous administrations over the past 12 years have attempted to address these problems in various ways, but have largely been unsuccessful despite good intentions and significant effort. The results of DOD’s past stove-piped approaches to financial management reform are perhaps most evident in its business systems environment— recently estimated to include over 1,700 systems and system development projects—many of which evolved in piecemeal fashion to accommodate different organizations, each with its own policies and procedures. Overhauling DOD’s financial management operations represents a major management challenge that goes far beyond financial accounting to the very fiber of the department’s range of business operations and management culture. To his credit, on September 10, 2001, the Secretary of Defense recognized the far-reaching nature of DOD’s existing financial management problems and announced a broad initiative intended to “transform the way the department works and what it works on.” DOD’s current initiative to overhaul its business systems is more far-reaching and comprehensive than in the past. DOD’s goals for reforming this high-risk area have long-term application and are not just patchwork fixes. However, the challenges remaining are daunting. DOD’s well-intentioned transformation initiative will succeed only with the right incentives, transparency, and accountability. Most importantly, it will require a number of years of sustained leadership, spanning successive administrations, to be successful. What Remains to Be Done: Keys to effective reform are an integrated approach, sustained leadership, accountability for reform tied to the Secretary, results- oriented performance measures, appropriate incentives and consequences, enterprisewide system architecture and investment control, and effective oversight and monitoring. www.gao.gov/cgi-bin/getrpt?GAO-03-98. For additional information about this high-risk area, click on the link above or contact Gregory D. Kutz at (202) 512-9505 or kutzg@gao.gov. [end of section] GAO Highlights: High-Risk Series Forest Service Financial Management: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of Agriculture (GAO-03-96) Why Area is High Risk: Although the Forest Service received an unqualified opinion on its fiscal year 2002 financial statements, it took extraordinary effort. The Forest Service has not proven it can sustain this outcome and continues to have serious material internal control weaknesses. What GAO Found: In 1999, we designated financial management of the U.S. Department of Agriculture’s (USDA) Forest Service as “high risk” on the basis of serious financial and accounting weaknesses. Again in our January 2001 report, we reiterated our concerns. In December 2002, the Forest Service received an unqualified opinion on its fiscal year 2002 financial statements. While the Forest Service has reached an important milestone, it has not yet proved it can sustain this outcome, and it has not reached the end goal of routinely having timely, accurate, and useful financial information. As described in the following table, the Forest Service still has long-standing material control weaknesses in, among other things, its two major assets—fund balance with the Department of the Treasury (Treasury) and property, plant, and equipment. Forest Service Material Internal Control Weaknesses: Financial management area; Condition reported by auditor: Fund balance with the Treasury: The Forest Service had a large backlog of unreconciled items that needed to be researched and corrected. To bring the fund balance with the Treasury account into balance with Treasury records as of September 30, 2002, the Forest Service made a $107 million adjustment. General and software application controls: Inadequate internal controls existed in the general computer control environment and in specific software applications. Accrued liabilities: The proposed methodology for estimating certain liabilities, such as grants, was inaccurate and would have understated both accrued liabilities and related expenses. Sampling methodologies were used to project the year-end balance. Payroll process: Users were allowed to submit their time sheets for approval to an employee who was not the designated supervisor. In addition, time sheets lacked adequate evidence of supervisory review. Property, plant, and equipment: Property cost and related information (e.g., useful life) were not accurately recorded. Source: GAO analysis. [End of table] What Remains to Be Done: As recommended by its financial statement auditor, the Forest Service should continue to improve its internal controls over reconciliations of its records with the Treasury’s records, improve internal controls over the general computer control environment and specific software applications, develop a new methodology for estimating certain liabilities and maintain supporting documentation, improve automated and manual controls over payroll processes, and continue to improve its internal controls over initial recording of its property, plant, and equipment. www.gao.gov/cgi-bin/getrpt?GAO-03-96. For additional information about this high-risk area, click on the link above or contact McCoy Williams at (202) 512-6906. [End of section] GAO Highlights: High-Risk Series Federal Aviation Administration Financial Management: Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of Transportation (GAO-03-108) Why Area is High Risk: The Federal Aviation Administration (FAA) lacked accountability for billions of dollars in assets and expenditures due to weaknesses in its financial reporting, property, and cost accounting systems. Substantial problems with the general accounting system required 850 adjustments totaling $41 billion in 2001. Weaknesses in property accounting meant the agency could not accurately and routinely account for property totaling $11.7 billion. Finally, FAA lacked the cost information necessary to make effective decisions about resource needs and adequately account for its activities and major projects, such as the air traffic control modernization program. What GAO Found: Since FAA financial management was designated high risk in 1999, FAA has made significant progress in addressing its financial accountability weaknesses. Three major systems initiatives in process are designed to address specific identified needs. However, these systems must be fully installed and effectively integrated with one another and with other FAA systems and tested in actual use. By the end of 2003, FAA expects to implement a new DOT departmentwide general accounting system called Delphi. This new system is designed to eliminate overall financial management deficiencies that limit FAA’s ability to report on and manage its assets and operations. In addition, as a component of its Delphi system, FAA expects to implement a new property accounting system module and complete the installation of a cost accounting system in 2003. The property system is needed to accurately and routinely account for FAA’s property, while the cost accounting system is required to assign basic financial costs to its program activities and projects. Subsequent to implementation, FAA’s financial statement audit will provide an assessment of the effectiveness of FAA’s new general accounting system, the reliability of its property amounts and related internal controls, and its ability to account for costs of its program activities and major projects. Until these systems are fully tested and assessed in actual integrated operations, the reliability of FAA’s financial information will remain uncertain. Diagram Showing Way in Which FAA’s New Systems [See PDF for image] Note: GAO diagram based on FAA information. [End of figure] What Remains to Be Done: FAA has made significant progress in improving the accuracy and reliability of its financial information. To continue this progress, it must implement and successfully integrate and test its new accounting systems in actual operational use, including * The new general accounting system module, * The new property accounting system module, * Its new cost accounting system. These changes are expected to be implemented by the end of 2003. www.gao.gov/cgi-bin/getrpt?GAO-03-108. For additional information about this high-risk area, click on the link above or contact Linda Calbom at (202) 512-9508 or calboml@gao.gov. [end of section] GAO Highlights: High-Risk Series Internal Revenue Service Financial Management Highlights of a high-risk area discussed in GAO’s Performance and Accountability Series report on the Department of the Treasury (GAO-03-109) Why Area is High Risk: The Internal Revenue Service (IRS) is responsible for collecting about $2 trillion annually, or about 95 percent of the government’s revenue. However, IRS lacks the information it needs to measure the full cost of administering the Internal Revenue Code and to report meaningful, cost based performance information. Congress and IRS therefore lack the information to determine whether IRS has appropriate levels of funding and staff and is using its resources effectively. These issues concerning IRS’s financial management—a high-risk area since 1995— adversely affect the agency’s ability to effectively fulfill its responsibilities as the nation’s tax collector. What GAO Found: In fiscal year 2002, for the third consecutive year, IRS was able to produce annual financial statements that were reliable, in GAO’s opinion, and was able to produce the fiscal year 2002 financial statements 6 weeks after the end of the fiscal year. To achieve this, IRS made fundamental changes in how it processed transactions, maintained its records, and reported its results. However, this also required IRS to continue to rely on costly, resource-intensive processes to compensate for serious internal control and systems deficiencies. IRS has continued to act on and has shown strong commitment to resolving the financial management issues GAO has identified, and has made notable progress on several. In particular, IRS has worked aggressively to address issues not solely dependent on systems modernization for their resolution, and has made important progress in addressing deficiencies in controls over budgetary activity, accountability over property and equipment, taxpayer receipts and data, and computer security. At the same time, IRS recognizes that resolving a number of its financial management issues depends on the success of its systems modernization efforts. The challenge will be for IRS to continue the improvements made in recent years and, more importantly, to develop long-term solutions to address the internal control and systems deficiencies GAO has identified. IRS’s primary remaining internal control weaknesses are in the following areas: Accountability over property and equipment. IRS continues to lack an integrated property management system that records property acquisitions and disposals as they occur and links costs on accounting records to property records. Management of tax receipts and taxpayer data. IRS’s internal controls do not adequately protect against loss of tax receipts from theft and inappropriate disclosure of taxpayer information. Management of unpaid tax assessments. IRS continues to lack a subsidiary ledger for unpaid assessments that would allow it to produce timely and useful information. IRS employs a time- consuming, resource intensive process to produce an annual balance of taxes receivable and other unpaid assessments for its financial statements, but this balance is only reliable as of the last day of the fiscal year. Additionally, IRS continues to record erroneous and untimely information in taxpayer accounts, increasing the risk of unnecessary taxpayer burden. Computer security. IRS continues to have serious weaknesses in its computer security controls designed to protect its computing resources from unauthorized use, modification, loss, and disclosure. IRS has also not taken sufficient steps to ensure that computer security deficiencies identified at one facility are addressed at other facilities. What Remains to Be Done: GAO has provided IRS with management and operational recommendations that address (1) IRS’s systems modernization plans to resolve weaknesses in financial management systems and (2) needed improvements in controls over how IRS records transactions, maintains