Skip to main content

Improper Payments: DOE's Risk Assessments Should Be Strengthened

GAO-15-36 Published: Dec 23, 2014. Publicly Released: Dec 23, 2014.
Jump To:
Skip to Highlights

Highlights

What GAO Found

The Department of Energy (DOE) developed a process to assess its programs for risks of improper payments, but its assessments do not fully evaluate risk. To comply with the Improper Payments Elimination and Recovery Act of 2010 (IPERA), in fiscal year 2011, DOE directed its programs to develop risk assessments using eight qualitative risk factors, such as recent major changes in program funding, and report quantitative information on improper payments. GAO found that 26 of 55 programs did not prepare risk assessments in 2011 and that the quantitative information reported, including the estimated amount of improper payments, was not reliable because, for example, it did not include information for all programs. In reviewing DOE's 2011 risk assessments, GAO also found the following:

DOE did not always include a clear basis for risk determinations . At least 6 of the 29 programs that prepared risk assessments did not take into account the eight qualitative risk factors, making the basis of their risk determinations unclear. At most, the assessments for 23 programs took into account the risk factors. However, support for their determinations varied widely, and some did not contain enough information to identify how the program arrived at its risk determination, which is inconsistent with federal standards for internal control. DOE's guidance directs personnel to prepare a risk assessment that considers these eight factors but does not provide further direction on what to include. Absent such direction, DOE personnel may not have a consistent understanding of how to complete their risk assessments.

DOE did not fully evaluate other relevant risk factors . DOE's risk assessments did not fully evaluate other relevant risk factors, such as weaknesses in key controls for preventing and detecting improper payments—including inadequate subcontractor oversight. GAO found that some risk assessments included information from internal control evaluations, but many did not. DOE guidance does not instruct personnel to consider weaknesses in key controls for preventing and detecting improper payments. Without providing specific examples of other relevant risk factors in guidance and directing personnel to consider them when performing risk assessments, DOE will not have reasonable assurance that each of its programs fully evaluates risks.

Based on its 2011 assessments, DOE was not required under IPERA to prepare risk assessments or report on the amount of improper payments in 2012 and 2013. However, not fully considering program risks in its 2011 assessments and including unreliable data raises questions about whether the 2011 assessments were reliable.

Why GAO Did This Study

Improper payments are a significant problem in the federal government. To address this problem, IPERA requires that federal agencies review their programs and identify those that are susceptible to significant improper payments—a process known as a risk assessment. DOE's history of inadequate management and oversight of its contractors led GAO to designate DOE's contract management as a high-risk area vulnerable to fraud, waste, abuse, and mismanagement. However, DOE reported that it does not have any programs susceptible to significant improper payments.

GAO was asked to review DOE's internal control environment, as it relates to IPERA, to determine whether the department was at low risk for significant improper payments. This report examines the extent to which DOE assessed its programs' risks for improper payments in fiscal years 2011 through 2013.

GAO reviewed IPERA, analyzed all risk assessments and related information for this period, and interviewed DOE officials and six contractors selected to represent the types of contractor payments made.

Recommendations

GAO recommends that DOE take steps to improve its risk assessments including revising guidance on how programs are to address risk factors and providing examples of other risk factors likely to contribute to improper payments and directing programs to consider those factors. DOE concurred with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Energy To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and direct field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites and take steps to ensure sites implement it.
Closed – Implemented
As of May 2017, DOE had revised its improper payments guidance. The revised guidance directs field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites. The guidance further requires each site Chief Financial Officer to certify to the accuracy of improper payments and risk rating. In June 2018, we met with DOE officials and they provided copies of risk assessments covering all non-M&O contractors, indicating DOE's continuing steps to ensure that field office sites with responsibility for non-M&O contractor risk assessments have addressed risk factors as they relate to those sites.
Department of Energy To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify how payment sites are to address risk factors and document the basis for their risk rating determinations and take steps to ensure sites implement it.
Closed – Implemented
In June 2019, DOE issued its Annual Payment Integrity Requirements and Guidance for fiscal year 2019 that includes detailed instructions for how sites must address risk factors and document the basis for risk rating determinations. Sites are required to include rationales for ratings, list specific supporting documentation for each risk factor, and provide contact information for staff involved in the risk determination. In addition, the guidance for fiscal year 2019 includes requirements for quality assurance reviews to ensure the risk assessments have adhered to the prescribed format and guidance and to ensure consistency among the sites.
Department of Energy To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and clarify who is responsible at DOE for reviewing and approving risk assessments for consistency across sites and take steps to ensure those entities implement it.
Closed – Implemented
As of May 2017, DOE had revised its improper payments guidance to require site Chief Financial Officers and the Director of Risk Management of the Loan Programs Office to provide a signed certification to DOE's Director of the Office of Finance and Accounting certifying to the accuracy of improper payments and the risk assessment and rating submitted. The guidance provides templates for these certifications. In June 2018, we met with DOE officials and they provided signed copies of fiscal year 2017 certifications from all payment reporting sites showing the official (the site CFO) responsible for reviewing and approving risk assessments.
Department of Energy To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, the Secretary of Energy should direct the department's Chief Financial Officer to revise the department's IPERA guidance and provide specific examples of other risk factors that present inherent risks likely to contribute to significant improper payments, in addition to the eight risk factors, direct payment sites to consider those when performing their improper payment risk assessments, and take steps to ensure sites implement it.
Closed – Implemented
As of May 2017, DOE had revised its improper payments guidance. In addition to the required OMB risk factors, the guidance added the following additional risk factors to be included in the risk assessments: (1) contractor payment processing oversight and (2) segregation of duties. The guidance states these factors have been added to ensure that inherently high-risk areas that can contribute to a site's susceptibility to significant improper payments are properly evaluated. In June 2018, we met with DOE officials and they provided copies of several recent risk assessments that cover the additional risk factors. We also discussed and officials provided documentation on DOE's quality assurance process for reviewing risk assessments to ensure sites are implementing the guidance.
Department of Energy To provide better transparency regarding its total known improper payments reported under IPERA, the Secretary of Energy should direct the department's Chief Financial Officer to improve public reporting on the amount of total known improper payments by disclosing additional information regarding this amount and the extent to which improper payments could be occurring.
Closed – Implemented
As of May 2017, DOE had added supplemental information to its fiscal year 2016 Agency Financial Report. In June 2018, we met with DOE officials and discussed the information on total known improper payments. DOE's Agency Financial Report table on payment recapture indicates that payments include those made in previous years through Statements of Cost Incurred and Claimed, Single Audits, and contract closeouts.

Full Report

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Allowable costsContract administrationContract oversightContractor paymentsErroneous paymentsFederal agenciesInternal auditsInternal controlsInvoicesOverpaymentsRisk assessmentRisk factorsRisk management