Improper Payments:

Weaknesses in USAID's and NASA's Implementation of the Improper Payments Information Act and Recovery Auditing

GAO-08-77: Published: Nov 9, 2007. Publicly Released: Dec 10, 2007.

Additional Materials:

Contact:

Kay L. Daly
2025166906
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Agencies are required to report improper payment information under the Improper Payments Information Act of 2002 (IPIA) and recovery auditing information under section 831 of the National Defense Authorization Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act. Since the first year of implementation, fiscal year 2004, limited improper payments reporting by the United States Agency for International Development (USAID) and the National Aeronautics and Space Administration (NASA) and concerns raised by NASA's auditors about its risk assessment process prompted scrutiny from the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, during several oversight hearings. Because the subcommittee noted that USAID's and NASA's performance and accountability report (PAR) reporting on improper payments and recovery auditing was minimal, GAO was asked to review both agencies' IPIA risk assessment methodologies, recovery auditing procedures, and actions under way to improve their IPIA and recovery audit reporting.

For the first 3 years of IPIA implementation, fiscal years 2004 through 2006, USAID and NASA performed various procedures to conduct their risk assessments. Many of these procedures are positive steps to address the requirements of IPIA. At the same time, GAO identified numerous deficiencies in the procedures that warrant further improvement. For example, neither USAID nor NASA had developed a systematic process to (1) identify risks that exist in their payment activities or (2) evaluate the results of their payment stream reviews, such as weighting and scoring the effectiveness of existing internal control over payments made and results from external audits. Furthermore, risk assessment documentation maintained by USAID and NASA was lacking or insufficient to support their conclusions that no programs or activities were susceptible to significant improper payments. A lack of detailed written guidance for both agencies may have contributed to the deficiencies identified. Due to inadequacies in their risk assessment process, USAID and NASA cannot be certain that they had no programs or activities susceptible to significant improper payments, and ultimately, had effectively implemented IPIA. Although USAID and NASA have reported on steps taken to recoup improper contract payments, GAO found several weaknesses in their recovery auditing procedures for fiscal years 2004 through 2006. In particular, USAID and NASA did not report recovery auditing information for each fiscal year, documentation was lacking or not adequately supported, and neither agency adhered to all of the reporting requirements outlined in Office of Management and Budget's (OMB's) implementing guidance. Other weaknesses noted were agency-specific. For example, USAID recovery auditing procedures were comprised of reviews of certain Office of Inspector General and external audit reports over USAID grant and contract programs. However, the methodology used for conducting those audits may not have constituted a recovery auditing program as defined by OMB guidance, and thus may be insufficient for this purpose. NASA, on the other hand, used IPIA contract payment review results to report amounts recovered for fiscal year 2005. However, the payment reviews were limited in scope and did not provide an adequate representation of the extent of contract overpayments. Due to a lack of, or insufficient, documentation, along with identified weaknesses, the validity and accuracy of the reported recovery amounts are questionable. While USAID and NASA have experienced significant challenges in their first 3 years of IPIA implementation, both agencies have taken steps to strengthen their risk assessment process and, ultimately, IPIA reporting. For example, USAID has developed an agencywide payment database that will be used to research and data mine for potential improper payments. NASA hired two different contractors to develop a methodology for conducting a risk assessment and testing of payment transactions. Actions are also under way to improve recovery auditing efforts. However, improvements are still needed to address some of the weaknesses identified related to conducting risk assessments and performing recovery auditing procedures.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, USAID, should expand existing IPIA guidance to include detailed procedures for addressing the four key steps--perform risk assessment, estimate improper payments, implement a corrective action plan, annually report--that OMB requires agencies to perform in meeting the improper payment reporting requirements.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: On July 9, 2010, USAID updated its improper payment guidance, Performance Procedures for Reviewing Program Activities, Identifying and Reporting Improper Payments and included this guidance as a mandatory reference in its agencywide payable management guidance, Automated Directive System (ADS) Chapter 630 Payables Management, Section 630. 3.4.2 Improper Payments Act Reporting. USAID's improper payment guidance provides detailed procedures to address the four key steps of the Improper Payments Information Act (IPIA): (1) perform risk assessment, (2) estimate improper payments, (3) implement a corrective action plan, and (4) annually report improper payment estimates and actions to reduce them. These actions sufficiently address our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, USAID, should develop a risk assessment tool, such as a risk assessment matrix, to determine if risks exist, what those risks are, and the potential or actual impact of those risks on program operations.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: In its fiscal year 2009 agency financial report (AFR), USAID reported on establishing a risk assessment tool that considered probability and impact of risk; and provided for assessing risks as low, medium, or high. USAID identified the following six risk factors were to be considered in assessing risks for each its programs: (1) total value of disbursements, (2) total number of disbursement transactions, (3) total number of unique contractors and vendors, (4) total value of cancelled and return payments, (5) total value of interest payments, and (6) degree of maturity or stability. In addition, USAID developed a Risk Assessment Questionnaire for its overseas mission offices to complete. The questionnaire focused on the responsibility and identification of program areas; the tracking and recovery of improper payments; and implementation of corrective action plans and controls in place to eliminate or minimize improper payments. These actions sufficiently address our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, USAID, should use the risk assessment tool to institute a systematic approach to identify programs and activities susceptible to significant improper payments under IPIA.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: In its fiscal year 2009 agency financial report (AFR), USAID reported on its implementation of a risk assessment methodology. Specifically, USAID reported on its implementation of a risk assessment methodology that consisted of weighting and scoring each of USAID's 27 program areas based on risk factors; probability and impact of risk; and by assigning a rating of low, medium, or high. USAID reported it populated a risk matrix that captured the risk condition of each of its programs. Under this process, USAID assigned a score to each risk condition and applied weighting formulas to determine an overall risk score for each of its programs. USAID used this information to identify each programs' susceptibility to improper payments. These actions to provide a systematic approach to identify programs and activities susceptible to significant improper payments sufficiently address our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, USAID, should maintain documentation of actions performed to address IPIA and the Recovery Auditing Act requirements.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: On July 9, 2010, USAID updated its Performance Procedures for Reviewing Program Activities, Identifying and Reporting Improper Payments. This updated guidance was included as a mandatory reference in its agencywide payable management guidance, Automated Directive System (ADS) Chapter 630 Payables Management, Section 630. 3.4.2 Improper Payments Act Reporting. Both sets of guidance provide that the Cash Management and Payments division within the Chief Financial Office is to maintain documentation related to the review, examination, and estimating of improper payments. USAID's improper payment guidance also provides that documentation should be maintained in accordance with the ADS Chapter 502, the USAID Records Management Program. USAID officials also informed us that documentation to support IPIA and recover audit activities was to be maintained on the agency's shared drive. Our review of USAID documentation related to its improper payment and recovery auditing testing confirmed that USAID's actions sufficiently address our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, USAID, should develop a comprehensive recovery auditing program that is specifically designed to identify overpayments to contractors that are due to payment errors.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: In fiscal year 2009 USAID engaged a team of external contractors to establish a cost-effective recovery audit program for identifying errors made in paying contractors in compliance with the revised OMB Circular A-123, Appendix C Part II Recovery Auditing Act. As part of this process, USAID's contractor team developed a methodology to carry out its required recovery auditing activities, FY 2009 Recovery Auditing Sample Methodology, dated as of September 30, 2009. USAID's Recovery audit program calls for an extensive, agency-wide post-payment test and review process for identifying overpayments to contractors, including quarterly assessments, and a 4-tier review process to identify potential contract overpayments resulting from duplicate payments; errors on invoices or financing requests; failure to reduce payments by applicable sales discounts, cash discounts, rebates, or other allowances; payments for items not received; mathematical or other errors in determining payment amounts and executing payments; and the failure to obtain credit for return merchandise. The review process also called for grouping the results into 4 tiers: potential duplicate payments; interest payments; cancelled payments; and payments made to contractors during the reporting period.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, USAID, should adhere to OMB's guidance for reporting recovery auditing information in the annual PAR.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: In its fiscal year 2009 agency financial report, USAID reported on its recovery auditing program activities consistent with the reporting requirements contained in OMB Circular No. A-136, revised June 10, 2009. Specifically, its reporting included information on its recovery auditing efforts and identification of amounts reviewed, amounts identified for recovery, and amounts recovered for current and prior years. These actions sufficiently address our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, NASA, should develop IPIA guidance to include detailed procedures for addressing the four key steps--perform risk assessment, estimate improper payments, implement a corrective action plan, annually report--that OMB requires agencies to perform in meeting the improper payment reporting requirements.

    Agency Affected: National Aeronautics and Space Administration

    Status: Closed - Implemented

    Comments: NASA's Procedural Requirements for Improper Payments and Loss of Funds (NPR 9050.4) Chapter 3, dated 09/30/2008, contains requirements for compliance with the Improper Payments Information Act (IPIA). This chapter also addresses accountable officials' responsibilities for ensuring payments are proper and their liability for improper payments. Further, NASA issued Procedural Guidance for IPIA, dated December 2009, which contains procedures for addressing the four key IPIA steps-perform risk assessment, estimate improper payments, implement a corrective action plan, and annually report.These actions sufficiently address our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, NASA, should as part of guidance, incorporate the risk assessment methodology developed by NASA's consulting firm to determine if risks exist, what those risks are, and the potential or actual impact of those risks on program operations.

    Agency Affected: National Aeronautics and Space Administration

    Status: Closed - Implemented

    Comments: NASA issued Procedural Guidance for the Improper Payments Information Act (IPIA), dated December 2009 which incorporated a risk assessment methodology. The guidance included steps to (1) determine scope of programs subject to a risk assessment, (2) develop the risk matrix elements, (3) evaluate the risk condition, and (4) populate the risk matrix. Further, NASA reported that in fiscal year 2009 it developed a web-based questionnaire to capture and measure risk conditions in its programs. Based on the results of the questionnaire, interviews with process owners, and financial management reports, NASA reported that it populated the risk matrix with qualitative data for each program and risk condition to determine the level of susceptibility to improper payments. The established guidance and reported actions taken address the key elements of a risk assessment methodology for improper payments and sufficiently address our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, NASA, should maintain documentation of actions performed to address IPIA and Recovery Auditing Act requirements.

    Agency Affected: National Aeronautics and Space Administration

    Status: Closed - Implemented

    Comments: NASA issued its Procedural Guidance for IPIA and OMB Circular A-123, Appendix C, dated December 2009, that incorporate procedures for maintaining documentation related to Improper Payments Information Act (IPIA) testing. This includes maintaining management reports detailing significant issues identified during testing, recommendations for improvement, and a corrective to develop remediation activities. For recovery auditing, NASA issued its Recovery Audit Program Administrative Guidance, dated February 19, 2008, that incorporate procedures for maintaining documentation related to the payment errors and recovered funds at the NASA Shared Service Center (NSSC). The NSSC is required to provide a monthly accounting of all identified debts, amounts collected, and disposition of those funds. In addition, a corrective action plan must be maintained detailing various elements related to the overpayments identified including the (1) payment error identified, (2) root cause of error, (3) planned actions to address deficiency, (4) responsible official, (5) target completion date, and (6) actual completed date. In addition, NASA told us that it maintains centralized documentation that address IPIA and recovery auditing requirements at NASA headquarters in the Office of the Chief Financial Officer (OCFO)/Quality Assurance Division. NASA provided documentation related to its improper payment and recovery auditing testing. Our review of the documentation provided showed that NASA's actions sufficiently addressed our recommendation.

    Recommendation: To help improve efforts to implement IPIA and the Recovery Auditing Act by focusing on performance risk assessments and reporting on efforts to recover improper payments, the Administrator, NASA, should adhere to OMB's guidance for reporting recovery auditing information in its annual PAR.

    Agency Affected: National Aeronautics and Space Administration

    Status: Closed - Implemented

    Comments: NASA reported on its recovery auditing program in its fiscal year 2009 agency financial report (AFR). NASA's recovery auditing reporting was consistent with the reporting requirements contained in OMB Circular No. A-136, Revised June 10, 2009. NASA's reporting included information on recovery auditing efforts, including data on amounts reviewed, amounts identified for recovery, and amounts recovered for current and prior years. These actions sufficiently address our recommendation.

    Mar 27, 2014

    Mar 13, 2014

    Mar 12, 2014

    Feb 27, 2014

    Dec 23, 2013

    Dec 16, 2013

    Dec 12, 2013

    Dec 11, 2013

    Looking for more? Browse all our products here