This is the accessible text file for GAO report number GAO-09-442 entitled 'Improper Payments: Significant Improvements Needed in DOD's Efforts to Address Improper Payment and Recovery Auditing Requirements' which was released on July 30, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: July 2009: Improper Payments: Significant Improvements Needed in DOD's Efforts to Address Improper Payment and Recovery Auditing Requirements: GAO-09-442: GAO Highlights: Highlights of GAO-09-442, a report to congressional requesters. Why GAO Did This Study: The Department of Defense (DOD) is required, as are other federal executive agencies, to report improper payment information under the Improper Payments Information Act of 2002 (IPIA) and recovery auditing information under section 831 of the National Defense Authorization Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act. The DOD Office of Inspector General has previously reported deficiencies at DOD related to these acts and GAO’s prior work on DOD’s reporting of its fiscal year 2006 travel improper payments estimate also identified shortcomings. Because of these and other long-standing weaknesses, the subcommittee asked GAO to examine DOD’s fiscal year 2007 improper payment and recovery audit reporting to determine whether adequate processes existed to address both statutory requirements. To complete this work, GAO reviewed DOD’s annual reports, conducted site visits, and met with cognizant DOD officials. What GAO Found: DOD’s process for addressing IPIA requirements had significant weaknesses. For example, as shown in the figure below, DOD did not conduct risk assessments for all of its payment activities as $322 billion in agency outlays were excluded from the amounts assessed. For those payment activities reviewed, DOD assessed the risk of improper payments occurring as low despite the department’s long-standing financial management weaknesses and could not provide documentation supporting the methodologies used and the final risk level. GAO also found that DOD did not estimate improper payments for commercial pay under IPIA requirements, its largest payment activity. Further, the Office of the Comptroller’s oversight and monitoring activities were inadequate because they did not include verifying the accuracy and completeness of the information in the agency’s financial report (AFR). Figure: DOD's Fiscal Year 2007 Payment Population Subjected to the Risk Assessment and Estimation Processes under IPIA: [Refer to PDF for image: horizontal bar graph] Agency outlays: $815 billion; Risk assessments done: $493 billion; Risk assessments not done: $322 billion; Estimates done for five payment activities[A]: $152.7 billion; Estimates not done for one payment activity-commercial pay: $340.3 billion. Source: GAO analysis of DOD fiscal year 2007 payment activity outlays. [A] The five payment activities include civilian pay, military health benefits, military pay, military retirement pay, and travel pay. [End of figure] In addition to not estimating improper payments for commercial pay, DOD’ s processes for identifying and recovering commercial overpayments were inadequate, because they were not designed for this purpose as required by the Recovery Auditing Act. For example, GAO found that contract closeout processes were designed to ensure that applicable administrative actions had been completed (e.g., all classified documents were disposed of) and not to specifically identify contract overpayments. DOD also lacked detailed guidance on how to conduct a recovery audit program and did not fully address the recovery auditing reporting requirements in its AFR, such as disclosing the total cost associated with its recovery auditing activities. The Office of the Comptroller also did not verify the accuracy and completeness of the recovery audit information in the AFR, which resulted in $20.5 billion being excluded from its universe of commercial payments. DOD stated that its processes were sufficient to address the requirements of both acts, but since then has taken some actions, such as updating relevant guidance. Until these critical deficiencies are addressed, DOD will be unable to determine the extent to which improper payments exist and are subsequently recovered. What GAO Recommends: GAO made 13 recommendations aimed at improving DOD’s efforts to strengthen its improper payment and recovery auditing processes. DOD concurred with only one of our recommendations and provided technical comments which we incorporated as appropriate. GAO continues to believe the recommendations are appropriate to meet the intent of both acts and improve management of these key activities. View [hyperlink, http://www.gao.gov/products/GAO-09-442] or key components. For more information, contact Kay L. Daly at (202) 512-9095 or dalykl@gao.gov. [End of section] Contents: Letter: Background: Significant Weaknesses Existed in DOD's Efforts to Address IPIA Requirements: Much Work Remains at DOD to Effectively Address the Recovery Auditing Act Requirements: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope and Methodology: Appendix II: List of DOD Agencies and Military Service Components Included in the IPIA Survey: Appendix III: DOD's Fiscal Year 2007 Improper Payment Sample Plans by Program: Appendix IV: Comments from the Department of Defense: Appendix V: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Fiscal Years 2004-2008 Improper Payment Estimates: Table 2: Recovery Audit Results for Fiscal Years 2004 through 2008: Table 3: DOD's Key Postpayment Processes to Identify Commercial Overpayments for Recovery in Fiscal Year 2007: Table 4: Military Health Benefits Program Sample Plans: Table 5: Military Pay Program Sample Plans: Table 6: Civilian Pay Program Sample Plans: Table 7: Military Retirement Program Sample Plans: Table 8: Travel Pay Program Sample Plans: Figures: Figure 1: IPIA Required Steps to Identify, Estimate, Reduce, and Report Improper Payment Information: Figure 2: DOD's Fiscal Year 2007 Payment Population Subjected to the Risk Assessment Process under IPIA: Figure 3: DOD's Fiscal Year 2007 Payment Population Subjected to the Risk Assessment and Estimation Processes under IPIA: Abbreviations: AFR: Agency Financial Report: BAM: Business Activity Monitoring: BRAC: Base Realignment and Closure: CAM: Contract Audit Manual: CAPS-Clipper: Commercial Accounts Payable System-Clipper: CAPS-W: Commercial Accounts Payable System-Windows: CAS: Cost Accounting Standards: CDS: Contractor Debt System: DCAA: Defense Contract Audit Agency: DCMA: Defense Contract Management Agency: DOD: Department of Defense: DODD: Department of Defense Directive: DOD OIG: Department of Defense Office of the Inspector General: DFARS: Defense Federal Acquisition Regulation Supplement: DFAS: Defense Finance and Accounting Services: FAR: Federal Acquisition Regulation: FMR: Financial Management Regulation: IAPS: Integrated Accounts Payable System: IPIA: Improper Payments Information Act: IPOD: Improper Payments Online Database: MOCAS: Mechanization of Contract Administration Services: OMB: Office of Management and Budget: One Pay: Standard Accounting and Reporting System-One Pay: PAR: Performance and Accountability Report: SBR: Statement of Budgetary Resources: TMA: TRICARE Management Activity: [End of section] United States Government Accountability Office: Washington, DC 20548: July 29, 2009: The Honorable Thomas R. Carper: Chairman: The Honorable John McCain: Ranking Member: Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Tom Coburn, M.D. United States Senate: The Department of Defense (DOD) spends hundreds of billions of dollars on its mission to defend the United States from attack upon its territory and secure its interests abroad. With an annual appropriation exceeding $500 billion in fiscal year 2009, and supplemental funding of about $77 billion for that same year to support overseas military operations, DOD has been entrusted with more of the taxpayers' dollars than any other federal agency. Given its size and mission, it is the largest and most complex organization to manage in the world. As a steward of taxpayer dollars, DOD is accountable for how it spends and safeguards these funds against improper payments[Footnote 1] as well as having mechanisms in place to recoup those funds when improper payments occur. DOD is required, as are other executive agencies, to report improper payment information under the Improper Payments Information Act (IPIA) of 2002.[Footnote 2] IPIA requires executive agencies, aided by guidance from the Office of Management and Budget (OMB),[Footnote 3] to annually identify programs and activities susceptible to significant improper payments, estimate amounts improperly paid under those programs and activities, and report on the amounts improperly paid and their actions to reduce improper payments.[Footnote 4] Similarly, agencies are also required to report on their efforts to recover overpayments made to contractors under section 831 of the National Defense Authorization Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act.[Footnote 5] This act requires, among other things, that all executive branch agencies entering into contracts with a total value exceeding $500 million in a fiscal year have cost- effective programs for identifying errors in paying contractors and for recovering amounts erroneously paid. Since fiscal year 2004, agencies have been required by OMB to report on IPIA and recovery auditing efforts in their performance and accountability reports (PAR). For years, we have reported on long-standing weaknesses and the lack of adequate transparency and appropriate accountability across DOD's major business areas, resulting in billions of dollars of wasted resources annually.[Footnote 6] In our January 2009 High-Risk Update,[Footnote 7] we identified various DOD high-risk areas, including contract management (designated in 1992) and financial management (designated in 1995), that make the department vulnerable to improper payments. DOD's contract management weaknesses, such as ineffective oversight, increase the risk that DOD will pay more than the value of the goods delivered or services performed. Financial management deficiencies adversely affected the department's ability to control costs; ensure basic accountability; prevent and detect fraud, waste, and abuse; and represent a significant obstacle to achieving an unqualified opinion on the U.S. government's consolidated financial statements. Given DOD's size, complexity, and history of financial management weaknesses, you asked us to examine DOD's fiscal year 2007 improper payment and recovery auditing reporting--the most current data available at the time of the request--to determine whether DOD had adequate processes in place to address IPIA and Recovery Auditing Act reporting requirements. To address these objectives, we reviewed applicable improper payment and recovery auditing legislation, related OMB guidance, and past GAO and DOD Office of Inspector General (DOD OIG) reports. We also reviewed improper payment and recovery audit information reported in DOD's agency financial report (AFR)[Footnote 8] for fiscal years 2004 through 2008. We obtained supporting documentation and performed independent assessments, including statistical sampling analysis, to determine the accuracy and completeness of DOD's reported fiscal year 2007 improper payment and recovery audit information. We also inquired about any improvements and other changes made in the fiscal year 2008 improper payments and recovery auditing processes. We conducted site visits at two Defense Finance and Accounting Service (DFAS) locations (DFAS-Kansas City and DFAS-Columbus).[Footnote 9] During our site visits, we conducted walkthroughs to understand the process for identifying, estimating, and reporting improper payment estimates as well as the processes for identifying and recovering overpayments. In addition, we interviewed knowledgeable agency officials about their processes to prevent, detect, and reduce improper payments; recover and report commercial overpayments; and oversee and monitor these various efforts at a departmentwide level. We obtained supporting documentation and performed independent assessments, including legal analysis, to determine the adequacy of the processes to meet IPIA and Recovery Auditing Act requirements and related OMB guidance. To assess the reliability of data reported in DOD's fiscal year 2007 AFR, we reviewed DOD's supporting improper payment and recovery audit information as well as data from systems that produced payment information, and interviewed knowledgeable agency officials about procedures used to assume the quality of the data. We determined that the data were sufficiently reliable for the purposes of this report. We conducted this performance audit from June 2008 to July 2009 in accordance with generally accepted government auditing standards.[Footnote 10] Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. See appendix I for more details on the scope and methodology. Background: Our work over the past several years has demonstrated that improper payments are a long-standing, widespread, and significant problem in the federal government.[Footnote 11] In December 2007, we reported on DOD's fiscal year 2006 travel program improper payment estimates.[Footnote 12] We found that (1) the improper payment estimate was understated by at least $4 million, (2) several weaknesses in DOD's sampling methodology did not result in statistically valid estimates of travel improper payments at the component level, and (3) limited guidance and oversight by the Office of the Comptroller contributed to the unreliable assessment of improper payments for the travel program. The DOD OIG also has issued reports for the past few years highlighting weaknesses in the department's efforts to report on improper payment information.[Footnote 13] The DOD OIG reported that the department had not implemented guidance to address the use of valid statistical sampling in determining programs and activities susceptible to significant improper payments. In January 2008, it reported that DFAS had not conducted adequate research to determine if contractor refunds were improper and, in some cases, had not reported improper payments associated with these refunds.[Footnote 14] The DOD OIG continues to report that the department has not fully complied with the requirements of IPIA and OMB's implementing guidance and does not have adequate controls to fully implement a recovery audit program.[Footnote 15] Overview of IPIA, the Recovery Auditing Act, and OMB Implementing Guidance: Guidance for reporting under IPIA and the Recovery Auditing Act is provided in Appendix C of OMB Circular No. A-123. IPIA requires agencies to perform four key steps in meeting the improper payment reporting requirements as shown in figure 1. Figure 1: IPIA Required Steps to Identify, Estimate, Reduce, and Report Improper Payment Information: [Refer to PDF for image: illustration] Improper Payments - Required Steps: 1. Perform risk assessment: Annually review all programs and activities to identify those susceptible to significant improper payments, defined by OMB as exceeding $10 million and 2.5 percent of program payments. 2. Estimate improper payments: Estimate improper payments for programs susceptible to significant improper payments. 3. Implement a plan: Implement a plan to reduce improper payments for any program or activity exceeding $10 million in estimated improper payments. 4. Annually report: Annually report improper payment estimates and actions to reduce them. Source: GAO. [End of figure] OMB's implementing guidance instructs agencies to carry out the four key steps under IPIA, with one exception. For the first step--perform a risk assessment--OMB guidance allows agency programs deemed not risk- susceptible to conduct a risk assessment generally every 3 years. Further, agencies need not conduct formal risk assessments for those programs in which improper payment baselines are already established, are in the process of being measured, or will be measured by an established date. However, OMB guidance does state that if a program experiences a significant change in legislation, a significant increase in funding level, or both, agencies are required to reassess the program's risk susceptibility during the next annual cycle, even if it is less than 3 years from the last assessment. As we have previously testified before your Subcommittee[Footnote 16] this is inconsistent with the express terms of IPIA, which require that agencies annually review all of their programs and activities. OMB then requires that agencies estimate the gross total of both over- and underpayments for those programs and activities identified as susceptible. These estimates shall be based on a statistically random sample of sufficient size to yield an estimate with a 90 percent confidence interval of plus or minus 2.5 percentage points. If an agency cannot determine whether a payment was proper because of insufficient documentation, Appendix C to OMB Circular No. A-123 requires that the payment be considered improper. The guidance further requires that agencies develop corrective action plans that include a discussion of the causes of the improper payments identified, corrective actions taken for each different type or cause of error, and the results of actions taken to address those causes. In addition, OMB Circular No. A-136, Financial Reporting Requirements requires agencies to report, in table format, improper payment estimates and related outlay amounts for the prior year, current year, and the following 3 years. As part of this reporting, OMB encourages agencies to report underpayment and overpayment amounts, if available. The Recovery Auditing Act requires each executive branch agency that annually enters into contracts with a total value of $500 million or more to use recovery audits and recovery activities as part of a cost- effective recovery auditing program. The law authorizes federal agencies to retain recovered funds to cover actual administrative expenses as well as to pay other contractors, such as collection agencies. OMB guidance requires, among other things, that agencies include in their annual reporting a general description and evaluation of the steps taken to carry out a recovery auditing program, the total amount of contracts subject to review, the actual amount of contracts reviewed, the amounts identified for recovery, and the amounts actually recovered in a current year. Further, OMB Circular No. A-136 requires agencies to report cumulative amounts identified for recovery and amounts actually recovered as a part of their current year reporting. Organizational Responsibility for IPIA Reporting at the Department of Defense: The responsibility for assessing and reporting DOD's improper payments information rests with the Office of the Under Secretary of Defense (Comptroller) (Office of the Comptroller). The Accounting and Finance Policy Directorate within the Office of the Comptroller is responsible for carrying out the day-to-day activities involved in meeting IPIA requirements. To collect improper payment information including risk assessments, improper payment estimates, and corrective actions, the Accounting and Finance Policy Directorate sends out an improper payment survey (IPIA survey)[Footnote 17] to all DOD agencies and military services requesting improper payment information for the current fiscal year (see appendix II for a list of the 33 agencies and military services).[Footnote 18] The agencies and services are required to submit improper payment estimates to the Accounting and Finance Policy Directorate for all DOD payment activities identified under IPIA. The Accounting and Finance Policy Directorate then aggregates and reports the improper payment information in DOD's annual AFR. Since implementation of IPIA, DOD has reported improper payment estimates for the following payment activities for fiscal years 2004- 2008 as shown in table 1 below. Table 1: Fiscal Years 2004-2008 Improper Payment Estimates: Payment activity: Civilian pay[A]; 2004: Not reported[B]; 2005: Not reported[B]; 2006: $16.7 million; 2007: $74.6 million; 2008: $73.9 million. Payment activity: Commercial pay; 2004: Not reported[B]; 2005: Not reported[B]; 2006: $550.0 million; 2007: Not reported[C]; 2008: Not reported[C]. Payment activity: Military health benefits; 2004: $99.6 million; 2005: $87.8 million; 2006: $83.5 million; 2007: $88.6 million; 2008: $178.0 million. Payment activity: Military pay[A]; 2004: Not reported[B]; 2005: $432.0 million; 2006: $65.9 million; 2007: $416.4 million; 2008: $434.6 million. Payment activity: Military retirement; 2004: $66.0 million; 2005: $49.3 million; 2006: $49.4 million; 2007: $48.7 million; 2008: $44.0 million. Payment activity: Travel pay; 2004: Not reported[B]; 2005: Not reported[B]; 2006: $29.4 million; 2007: $43.6 million; 2008: $103.0 million. Payment activity: Totals; 2004: $165.6 million; 2005: $569.1 million; 2006: $794.9 million; 2007: $671.9 million; 2008: $833.5 million. Source: GAO analysis of DOD's fiscal years 2004 through 2008 PARs or AFRs. [A] Beginning in fiscal year 2007, military and civilian improper payments included estimated and actual amounts. [B] DOD did not report improper payment estimates for these payment activities because it determined that they were not susceptible to significant improper payments. [C] DOD changed its approach, which resulted in its not calculating an estimate for improper payments for this payment activity. Instead, DOD decided to annually report actual overpayments discovered via its recovery auditing program. [End of table] Organizational Responsibility for Recovery Auditing Reporting at the Department of Defense: Similarly to improper payment reporting, the Office of the Comptroller is responsible for identifying and annually reporting recovery audit information in DOD's AFR, while its Accounting and Finance Policy Directorate is responsible for carrying out the day-to-day activities. DOD's recovery auditing process over contract and vendor payments (commercial payments) encompasses several organizations including DFAS offices and external contractors, which are discussed later in this report.[Footnote 19] These organizations are required to compile and submit the universe of commercial payments, commercial overpayments identified for recovery, and commercial payments actually recovered to the Accounting and Finance Policy Directorate. It in turn aggregates and reports the recovery audit information in DOD's annual AFR. DOD's reported recovery audit information for fiscal years 2004-2008 is shown in table 2 below. Table 2: Recovery Audit Results for Fiscal Years 2004 through 2008 (amounts in millions): Fiscal year: 2004[A]; Agency-reported amount subject to review for fiscal year reporting: Not reported[B]; Agency-reported actual amount reviewed and reported in fiscal year: Not reported[B]; Agency-reported overpayments identified for recovery in fiscal year: Not reported[B]; Agency-reported amount recovered in fiscal year: $6.3. Fiscal year: 2005[A]; Agency-reported amount subject to review for fiscal year reporting: $222,800.0; Agency-reported actual amount reviewed and reported in fiscal year: $222,800.0; Agency-reported overpayments identified for recovery in fiscal year: $469.5[C]; Agency-reported amount recovered in fiscal year: $414.9[C]. Fiscal year: 2006[A]; Agency-reported amount subject to review for fiscal year reporting: $299,400.0; Agency-reported actual amount reviewed and reported in fiscal year: $299,400.0; Agency-reported overpayments identified for recovery in fiscal year: $170.0; Agency-reported amount recovered in fiscal year: $133.3. Fiscal year: 2007[D, E]; Agency-reported amount subject to review for fiscal year reporting: $189,300.0; Agency-reported actual amount reviewed and reported in fiscal year: $189,300.0; Agency-reported overpayments identified for recovery in fiscal year: $24.6; Agency-reported amount recovered in fiscal year: $19.6. Fiscal year: 2008[D]; Agency-reported amount subject to review for fiscal year reporting: $331,192.0; Agency-reported actual amount reviewed and reported in fiscal year: $331,192.0; Agency-reported overpayments identified for recovery in fiscal year: $53.3; Agency-reported amount recovered in fiscal year: $41.7. Source: GAO analysis of DOD's fiscal years 2004 through 2008 PARs or AFRs. [A] Prior to fiscal year 2007, DOD generally reported recovery audit amounts resulting from contractor-identified and DOD-identified overpayments. [B] For fiscal year 2004, OMB did not require agencies to report on this information as part of their recovery auditing reporting. [C] In fiscal year 2005, the amount identified for recovery includes both underpayments (67 percent) and overpayments (33 percent). Also, the amounts recovered include both recouped amounts and disbursements for underpayments. [D] Beginning in July 2007, DOD excluded contractor-identified vendor overpayments from its recovery audit reporting since these overpayments did not result from DOD's recovery auditing efforts. [E] In fiscal year 2007, DOD excluded vendor payments from its recovery audit reporting. [End of table] Significant Weaknesses Existed in DOD's Efforts to Address IPIA Requirements: DOD's processes to conduct risk assessments, estimate improper payments, and develop corrective actions to reduce improper payments for its fiscal year 2007 IPIA reporting had significant weaknesses. A lack of detailed guidance as well as inadequate monitoring and oversight of DOD's improper payment activities also existed, raising doubts about the accuracy of the information reported. Risk Assessment Process, Guidance, and Documentation Need Improvements: DOD's risk assessment process was inadequate to ensure that appropriate consideration was given to the risks associated with its payment activities, thus not allowing management appropriate visibility of its vulnerabilities. DOD lacked detailed guidance on how to conduct a risk assessment, including identifying the universe of activities, determining if risks exist, identifying what those risks are, and evaluating the results, as required by our internal control standards.[Footnote 20] Recognizing that the internal guidance and documentation needed to be improved, in December 2008, DOD issued a new Financial Management Regulation (FMR) chapter--Volume 4, Chapter 14, Improper Payments--to expand existing guidance to address IPIA requirements, by clarifying the agencies' and military services' responsibilities for reporting improper payment information, broken down by payment activity. Although we did not determine the adequacy of these changes as the scope of our audit was fiscal year 2007, we noted that DOD did not require its agencies and military services to document their risk methodologies, including risk factors considered, the potential or actual impact on their program operations, and the rationale for assessing risk as either low, medium, or high. While nine DOD components conducted risk assessments for their six payment activities totaling about $493 billion in fiscal year 2007, [Footnote 21] we found an additional $322 billion in outlays reported in DOD's Statement of Budgetary Resources (SBR) that had not been assessed[Footnote 22] although IPIA requires that agencies annually review all programs and activities (see figure 2). According to Office of the Comptroller officials, the six payment activities it assessed covered all DOD outlays for fiscal year 2007 and the $322 billion difference in outlays represented IPIA reporting differences related to payroll payments for three of its six payment activities (net outlays reported for IPIA purposes versus gross outlays reported for SBR purposes), intragovernmental payments, and payments resulting from classified activities. While DOD officials stated that it reconciled the $322 billion difference to the SBR (with the exception of classified activities), these officials did not provide us with this reconciliation to enable us to independently substantiate this difference. Further, these officials could not reconcile the $493 billion in outlays for the six payment activities to an alternative source, such as the SBR. Based on this comparison, DOD had not reviewed all of its programs and activities. Office of the Comptroller officials told us that DOD agencies and the military services were required to reconcile their payment activities with their budget data for fiscal year 2008 to ensure that all payment activities had been accounted for at the component level. Figure 2: DOD's Fiscal Year 2007 Payment Population Subjected to the Risk Assessment Process under IPIA: [Refer to PDF for image: horizontal bar graph] Agency outlays: $815 billion; Risk assessments done: $493 billion; Risk assessments not done: $322 billion. Source: GAO analysis of DOD fiscal year 2007 payment activity outlays. [End of figure] In addition, DOD did not have sufficient documentation to support the level of assessed risk for the six payment activities it did evaluate as required by OMB guidance and our internal control standards. [Footnote 23] For example, none of the nine components that conducted risk assessments described their methodology or rationale for the level of risk assigned to each applicable payment activity. For the six risk assessments conducted, DOD had determined the risk of having significant improper payments was low, based on OMB criteria. However, given the lack of supporting documentation and evidence for the risk assessments and DOD's history of long-standing weaknesses, including GAO's designation of eight individual DOD areas as high risk,[Footnote 24] the low risk levels are not based on sufficient analysis and are likely unrealistic and not reflective of the wide range of vulnerabilities that exist within DOD. Office of the Comptroller officials told us that the department calculates improper payment estimates for the majority of the payment activities under IPIA, regardless of risk level assessed in determination of susceptibility to significant improper payments, because of the large volume and high dollar amounts of the transactions. DOD did not rely on the results of the risk assessments to determine whether to address the remaining IPIA requirements. Although DOD did not rely on its risk assessments, the implementation of IPIA requires agencies to make decisions as to how to proceed based on the completion of risk assessments, which is the first step. Therefore, DOD's failure to conduct adequate risk assessments could negatively impact its ability to gain the information it needs to make decisions as it proceeds through the remaining steps to ensure proper implementation of IPIA requirements. As we previously reported, the information developed during a risk assessment forms the foundation or basis upon which management can determine the nature and type of corrective actions needed.[Footnote 25] It also gives management baseline information for measuring progress in reducing improper payments. Until the department recognizes the importance of performing comprehensive risk assessments, the reported information will not provide meaningful results or adequately depict DOD's risk of improper payments, thus not providing the level of transparency envisioned by IPIA. Improper Payment Estimate Was Not Developed for DOD's Largest Payment Activity: DOD had neither established a methodology to estimate nor had it estimated the amount of improper payments for commercial pay--its largest payment activity with total outlays of $340.3 billion (see figure 3). While DOD, in general, developed statistically valid sampling methodologies and estimated improper payment amounts for its remaining five payment activities,[Footnote 26] collectively the proportion of these five payment activities to DOD's reported payment population subject to IPIA was about one-third of the total. See appendix III for a description of the sampling plans for DOD's five payment activities. OMB guidance requires that for any programs and activities identified as susceptible to significant improper payments, agencies must develop a statistically valid methodology to estimate the annual amount of improper payments, including a gross total of both under-and overpayments. Although DOD assessed all six payment activities to be at low risk for improper payments, it chose to develop improper payment estimates for five of the six payment activities based on the large volume or high dollar amounts of the transactions. However, DOD did not estimate improper payments for commercial pay despite the large volume and high dollar amounts of the transactions. Figure 3: DOD's Fiscal Year 2007 Payment Population Subjected to the Risk Assessment and Estimation Processes under IPIA: [Refer to PDF for image: horizontal bar graph] Agency outlays: $815 billion; Risk assessments done: $493 billion; Risk assessments not done: $322 billion; Estimates done for five payment activities[A]: $152.7 billion; Estimates not done for one payment activity-commercial pay: $340.3 billion. Source: GAO analysis of DOD fiscal year 2007 payment activity outlays. [A] The five payment activities include civilian pay, military health benefits, military pay, military retirement pay, and travel pay. [End of figure] According to DOD officials, the department decided not to establish a statistically valid methodology or calculate an estimate for commercial improper payments under IPIA because (1) its past attempts to estimate commercial improper payments had resulted in improper payment estimates that were lower than the actual amount of overpayments identified, and (2) it would create duplicate reporting of improper commercial payments as this type of information was captured as part of DOD's efforts to address Recovery Auditing Act requirements, which DOD officials believed resulted in a better measurement because it represented actual overpayments. However, in fiscal year 2006, DOD estimated $550 million in improper payments, which was nearly 30 percent higher than the $426 million of actual under-and overpayment amounts reported to address Recovery Auditing Act requirements. Regarding DOD's point that reporting commercial improper payments under IPIA and the Recovery Auditing Act would create duplicate reporting, we disagree. DOD could leverage the results from its existing Recovery Auditing Act processes used to identify actual commercial under-and overpayments to develop its statistical sampling methodology to enhance the reported estimate. This approach is similar to DOD's existing statistical sampling methodologies, which also include actual amounts for calculating improper payment estimates of civilian and military pay. As we previously reported, the scope of review under IPIA differs from that of the Recovery Auditing Act.[Footnote 27] Specifically, the scope of review under the Recovery Auditing Act targets agency- identified contract overpayments,[Footnote 28] whereas the scope of review under IPIA targets both under-and overpayments, including agency- and contractor-identified improper payments. Further, while OMB guidance allows agencies to exclude certain classes of contracts from their recovery auditing reporting, no such exclusions exist for IPIA. [Footnote 29] Establishing a well-designed statistical sampling methodology to estimate DOD's improper commercial payments would not only facilitate compliance with IPIA requirements, but also help address a current data void on the extent of improper payments made to contractors and vendors. For example, based on our review of DOD's fiscal year 2007 data of commercial payment errors, we identified $62 million in commercial improper payments and another $92 million of potential improper payments, which were not identified by DOD's current Recovery Auditing Act processes.[Footnote 30] DCAA and the DOD OIG also identified payment errors not captured by DOD. For example, in August 2007, DCAA reported that a contractor had overbilled--and DOD had overpaid--award fees[Footnote 31] totaling about $267 million.[Footnote 32] Because DOD had not established a methodology to estimate improper payments for its commercial payment activity, these and other types of payment errors that meet the definition of improper payments were not reported, and thus, lacked the level of transparency and accountability called for under IPIA. Further, without an across-the-board, systematic estimate of the extent of improper commercial payments, DOD management could not determine (1) if improper commercial payments were significant enough to require corrective actions, (2) how much investment in new internal controls would be cost-justified, or (3) the effectiveness of any prior corrective actions. Corrective Actions Not Always Linked to Causes: Although DOD reported the corrective actions taken or planned to reduce improper payments for its five payment activities that met its reporting threshold, the corrective actions for three of the five payment activities--military pay, civilian pay, and travel pay-- generally did not address the root causes of the improper payments. For travel pay, we found that with the exception of one agency component, root causes had not been reported in DOD's AFR, even though a description of the corrective actions taken had been disclosed. OMB guidance requires that, for all programs and activities with estimated improper payments exceeding $10 million, agencies must report on the root causes of the improper payments identified, actions taken to prevent or reduce those root causes, and the results of actions taken. For example, DOD reported that inaccurate or untimely reporting of entitlement data on such areas as time and attendance, personnel actions, and pay allowances was the primary cause for the improper payments for military and civilian pay. As actions to address these causes, DOD reported that it had developed performance metrics and goals to track the timeliness and accuracy of payments and that senior leadership had participated in quarterly meetings to discuss problem areas and find solutions to mitigate the risk of improper payments. While these actions measured entitlement performance, focused attention on the effectiveness of existing processes, and facilitated the sharing of information, it was unclear how these specific actions would address the root causes that led to inaccurate or untimely reporting and whether those actions would reduce improper payments. Conversely, for travel pay, we found that except for the U.S. Army Corps of Engineers, DOD agencies and military services did not report the associated root causes contributing to improper travel payments, even though corrective actions were disclosed in the AFR. The U.S. Army Corps of Engineers reported that the primary causes of improper travel payments included traveler input errors and inadequate supervisory review of travel vouchers. The Office of the Comptroller told us that the root causes and corrective actions implemented or underway were not fully disclosed in the AFR due to report formatting constraints, preventing the inclusion of all detailed information. However, when we reviewed the underlying support, we found that this documentation also lacked details as to (1) the corrective actions taken or planned and generally mirrored the corrective actions reported in the DOD's AFR, (2) the root causes for improper travel payments, and (3) the results, if any, of the corrective actions taken. Accurately characterizing and publicly reporting the root causes and associated corrective actions to reduce improper payments enables agencies and others with oversight and monitoring responsibilities to measure progress over time and determine whether further action is needed to minimize future improper payments, thus enhancing accountability over the reduction of improper payments by ensuring that effective corrective actions are taken. Inadequate Monitoring and Oversight of DOD's Improper Payment Activities: The Office of the Comptroller's monitoring and oversight of DOD's improper payment activities were inadequate because they did not include verifying the accuracy and completeness of the information reported in DOD's AFR as required by DOD guidance. Specifically, the Office of the Comptroller issued a memorandum in November 2006 that required the Project Officer for Improper Payments and Recovery Auditing to, among other things, verify that DOD's reported information was accurate, complete, and meets or exceeds the minimum OMB reporting requirements. In addition, our internal control standards for monitoring provide that processes should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations and include regular management and supervisory activities, comparisons, and reconciliations. Further, our internal control standards provide that controls should include a wide range of diverse activities including verification of information and be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators.[Footnote 33] During our review and analysis of DOD agencies' and services' IPIA survey responses, we found that the project officer had not conducted adequate follow-up to ensure that (1) the information provided was accurate and complete and sufficient to support risk assessment conclusions, and (2) reported corrective actions planned or underway addressed the root causes of the improper payments. For example, DOD agencies and military services did not provide supporting documentation for their risk assessment methodologies and conclusions, including the risk factors considered as part of this assessment and how they arrived at the final determination of risk for applicable payment activities. Yet we found no evidence that the Office of the Comptroller conducted appropriate follow-up as part of its oversight and monitoring responsibilities to ensure payment activities had been consistently assessed and provided some level of comparability among DOD agencies and military services. We previously reported on similar instances of lack of oversight and review by the Office of the Comptroller over IPIA reporting for DOD's travel payment activity.[Footnote 34] In that report, we found that the IPIA survey excluded about $5.1 billion in the universe of travel payments for fiscal year 2006 and that only $824 million of the total travel payments had been reported in DOD's annual report for the same period. We noted that these discrepancies would have been brought to management's attention in a timely manner if monitoring activities, such as periodic reconciliations and comparisons, had been performed. Office of the Comptroller officials told us that the DOD agencies and the military services performed verification reviews prior to submission of their improper payment information, providing assurances that the reported information was accurate and complete. As a result, they did not believe it was necessary for the project officer to independently validate this information despite the requirement in the November 2006 memorandum to do so. However, based on our findings discussed earlier in this report, the oversight and monitoring activities performed by the agencies and services, as well as the Office of the Comptroller, were inadequate. Without adequate monitoring and oversight, DOD is at risk of inaccurately reporting the extent of its improper payments, not taking the steps needed to reduce improper payments, and ultimately not meeting IPIA requirements. Much Work Remains at DOD to Effectively Address the Recovery Auditing Act Requirements: DOD's recovery audit program[Footnote 35] was inadequate because it leveraged existing processes that were not specifically designed to identify and recover overpayments as stipulated in the Recovery Auditing Act. Further, DOD's internal guidance lacked detailed instructions to effectively address recovery auditing requirements. We also found that DOD's reported recovery audit information for fiscal year 2007 was unreliable, as the reported amounts were incomplete and not fully supported. In addition, we determined that DOD's monitoring and oversight activities were inadequate to ensure the accuracy and completeness of the reported recovery audit information. Processes and Guidance Were Inadequate to Effectively Implement Recovery Auditing Requirements: The majority of DOD's processes used to identify and recover commercial (contractor and vendor) overpayments were inadequate because they were not specifically designed to do so as required by OMB guidance (see table 3 for these processes). Specifically, only DFAS's Internal Review and DOD's two external recovery audits were specifically designed to identify and recover commercial overpayments.[Footnote 36] We also found that DFAS suspended its Internal Review postpayment audit of contract payments--its largest payment activity--for fiscal year 2007, but did not disclose this limitation in its fiscal year 2007 AFR. DFAS officials told us that its Internal Review contract postpayment audits were suspended and that there was a reallocation of staff resources to support base realignment and closure (BRAC) initiatives,[Footnote 37] specifically auditing the records of affected DFAS sites that processed commercial payments from 2006 through 2008. According to DFAS officials, to compensate for this suspension, DOD relied on existing prepayment controls to identify contract overpayments, such as daily manual reviews of a random sample of invoices with thresholds of $500,000 or more. In January 2009, Internal Review officials informed us that the office had reinstituted efforts to conduct audits of contract payments. Internal Review's current audit covers the "catch up" period of payments made between April 2006 and March 2008, and the audit results are expected by the end of fiscal year 2009. Table 3: DOD's Key Postpayment Processes to Identify Commercial Overpayments for Recovery in Fiscal Year 2007: DOD internal postpayment process: Component: DFAS; Process: Office of Internal Review audits of commercial payments; Description of process: Internal Review has a nonstatutory audit function and is responsible for conducting postpayment audits of commercial pay (contract and vendor payments) to identify and detect erroneous payments. It applies detective software logic against the contract and vendor payments data. Internal Review audits DOD's contract payment system, the Mechanization of Contract Administration Services (MOCAS) as well as DOD's four largest vendor pay systems. For MOCAS, prior to BRAC, Internal Review received the complete universe of all payments on a monthly basis and ran the data mining logic. For the vendor pay systems, prior to BRAC, Internal Review applied a threshold between $200 and $500 dollars to its payment universe and then ran the erroneous payment detection logic; Designed to identify commercial overpayments for recovery (Yes/No): Yes. Component: DFAS; Process: Contract reconciliations; Description of process: Contract reconciliations involve reconstructing a contract to determine the source and reason for an error or discrepancy, including comparing data among the contract, disbursement, and accounting records.These reconciliations are generally performed at the request of the contractor, vendor, or DCMA; Designed to identify commercial overpayments for recovery (Yes/No): No. Component: DCMA and DCAA; Process: DCAA interim and final voucher reviews; Description of process: For contractors enrolled in the direct billing program, whereby the contractor submits vouchers for payment without prior review, DCAA performs an annual, cursory review of a nonstatistical selection of paid vouchers. If a contractor is not enrolled in the direct billing program, DCAA is required to review and approve contractor interim vouchers for payment and suspend payment of questionable costs. DCAA is required to review final vouchers and send them to the administrative contracting officer. [Contract Audit Manual (CAM) 6-1007.6; FAR § 42.803; DFARS § 242.803; DFARS § 242.803(b)(i)(B); DODD 5105.36, paras. 5.4 and 5.5; and DOD FMR vol. 10, ch. 10, para. 100202]; Designed to identify commercial overpayments for recovery (Yes/No): No. Component: DCMA and DCAA; Process: DCAA incurred cost audits; Description of process: DCAA determines allowability of the contractors' claimed costs incurred and submitted by contractors for reimbursement under cost-reimbursable, fixed-price incentive, and other types of flexibly priced contracts and compliance with contract terms, FAR, and CAS, if applicable. [FAR §§ 42.101, 42.803(b), and DFARS § 242.803]; Designed to identify commercial overpayments for recovery (Yes/No): No. Component: DCMA and DCAA; Process: DCMA and DCAA contract closeout process; Description of process: The closeout process is conducted at the end of a contract and involves multiple steps. For example, DCAA reviews final completion vouchers and the cumulative allowable cost worksheet and may review a contract closing statement. [DFARS § 242.803(b)(i)(D); CAM 6- 711.3(a) and (d); CAM 6-708.2(d)]; Designed to identify commercial overpayments for recovery (Yes/No): No. DOD internal postpayment process: Component: TRICARE Management Activity (TMA)[A]; Process: TMA Recovery Audit; Description of process: TMA hired a recovery audit contractor to identify overpayments made to hospitals for medical services provided to DOD beneficiaries. The contractor specialized in identifying overpayments to hospitals that failed to submit amended cost reports; Designed to identify commercial overpayments for recovery (Yes/No): Yes. Component: Navy[B]; Process: Navy Telecommunications Recovery Audit; Description of process: Navy hired a recovery audit contractor to identify overpayments made in its telecommunications program; Designed to identify commercial overpayments for recovery (Yes/No): Yes. Source: GAO's analysis. [A] Although the contract was terminated in February 2007, overpayments were still collected in fiscal year 2007. The contractor identified about $30 million in overpayments for the period of 1992 through 1997, of which $27 million had been collected as of fiscal year 2008, including $700,000 in fiscal year 2007. DCAA assumed responsibility for this process after the contract was terminated and recently identified $6 million in overpayments for the period of 1998 through 2004. However, no amounts have yet been recovered. [B] The contractor encountered problems during the audit with data access and quality, which contributed to the difficulty in identifying and recovering improper payments. Although the Navy projected savings of approximately 21 percent from the recovery audit, no improper payments were recovered through this effort. In 2007, DOD OIG reported that other recovery audit contractors experienced instances of data access issues and recommended that DOD remove impediments caused by proprietary records, and allow timely access to data. DOD did not concur with this recommendation. [End of table] According to DOD officials, the existing processes were adequately designed to fulfill the requirements of the Recovery Auditing Act and OMB guidance and thus, no further actions were needed. However, we found the majority of the existing processes were not specifically designed to identify overpayments. For example, DFAS's contract reconciliations were performed upon request to resolve previously identified discrepancies, including possible overpayments, within DOD's contract, disbursement, and accounting records such as to correct funding classification or lines of accounting errors. Because a contract reconciliation would be performed only if an error related to a specific contract was found, contracts and the associated disbursements that did not have identified errors would not be subject to this review. As a result, this process was not intended to identify new, undetected contract overpayments as envisioned by the Recovery Auditing Act. In addition, we noted that DCMA's and DCAA's contract closeout processes were designed to ensure that applicable administrative actions had been completed during the course of a contract (e.g., all classified documents were disposed of) and not to specifically identify contract overpayments. The DOD OIG has reported instances where the department was unable to reconcile and close out contracts due to missing documentation and staff turnover.[Footnote 38] Further, although DOD considered DCAA contract audits an integral part of its recovery audit program, DCAA officials pointed out that because recovery auditing is a review of DOD components' books and records, DCAA would generally have no role since its audits primarily focus on contractors' records.[Footnote 39] Moreover, based on our review, DOD's internal guidance did not identify the applicable payment and accounting systems to be reviewed, the frequency of this review, and the applicable roles and responsibilities at DFAS and the military services processing commercial payments, including coordination of these efforts. We found no discussion on how DOD would leverage existing audits to identify commercial overpayments performed at military service audit agencies, such as the Army Audit Agency. Further, the guidance did not include specific actions that addressed OMB's recovery auditing reporting requirements, including actions to develop a corrective action plan to address the root causes of payment errors and steps to measure the total cost of the agency's recovery auditing program. In fiscal year 2009, DOD acknowledged the need to clarify and update its guidance and has efforts underway to revise the recovery auditing chapter. DOD further reported in its fiscal year 2007 AFR that it had actions underway to implement a Business Activity Monitoring (BAM) service to provide a real-time or near real-time automated mechanism for analyzing transactions to prevent and reduce the risk of duplicate payments and other types of errors. DFAS believes this new process will reduce the need for internal postpayment reviews of commercial payments by identifying errors before payment occurs. DFAS anticipates DOD-wide implementation of BAM during fiscal year 2009. Until the department establishes processes specifically designed to address recovery auditing and updates its internal guidance, it will be unable to determine the extent to which contract overpayments exist and are subsequently recovered to fulfill the Recovery Auditing Act requirements. DOD Reported Recovery Audit Information for Fiscal Year 2007 Was Incomplete: DOD did not fully address OMB recovery auditing reporting requirements in its AFR, such as disclosing the total costs associated with its recovery auditing activities and the associated recovered amounts related to overpayments made to vendors. DOD's guidance did not include the specific recovery auditing reporting requirements identified in OMB's guidance. The following describes the status of DOD's actions on each of the nine reporting elements under OMB's recovery auditing reporting requirements: * A general description and evaluation of the steps taken to carry out a recovery auditing program. - DOD reported a general description of the steps taken to implement its recovery auditing program, but did not provide an evaluation. * The total cost of the agency's recovery auditing program. - DOD informed us that it did not report total costs because it was unable to calculate the amount. DOD officials told us that the agency did not have cost accountants and thus lacked the expertise needed to calculate the total cost of the agency's recovery auditing program, particularly the costs of the agency's internal recovery efforts (agency salaries and expenses). * The total amount of contracts subject to review. - DOD did not report the full amount subject to review. Specifically, DOD excluded from its AFR $20.5 billion of its commercial payment universe for fiscal year 2007. According to Office of the Comptroller officials, it did not include $20.5 billion for the U.S. Army Corps of Engineers and Army Europe in the universe of commercial payments because of an oversight error. The $20.5 billion represents commercial payments processed by Army Europe and the U.S. Army Corps of Engineers. If the $20.5 billion amount had been included, the total universe of reported commercial payments would have increased to $340.3 billion. * The actual amount of contracts reviewed. - As stated above, DOD excluded $20.5 billion from the full amount actually reviewed because of an oversight error. * The amounts identified for recovery. - DOD reported the overpayments identified for recovery for contractors, but not for vendors. DFAS officials told us that they did not report for vendor payments the amounts identified for recovery and actually recovered because the department did not have a process to separate and quantify DOD-identified vendor overpayments from contractor-identified vendor overpayments. In July 2007, DFAS introduced an automated process--the Contractor Debt System (CDS)--to track DOD-identified overpayments to vendors, but CDS was not fully deployed by the time DOD issued its fiscal year 2007 AFR.[Footnote 40] * The amounts actually recovered in the current year. - DOD reported the associated recovered amounts for contractor overpayments, but did not report similar information for vendors. As stated above, DOD did not report this information because it lacked the processes needed to distinguish between DOD-identified and contractor- identified vendor overpayments. * A corrective action plan to address the root causes of payment errors. - DOD did not report on its corrective action plan to address the root causes of payment errors. We requested--but DOD did not provide--its corrective action plan to reduce commercial overpayments. * A general description and evaluation of any management improvement program carried out as part of its recovery auditing program. - DOD reported a general description of an initiative--Business Activity Monitoring service--it planned to implement to reduce overpayments. However, DOD did not report a general evaluation of this initiative, because it had not been implemented. * A description and justification of the classes of contracts excluded from recovery auditing review by the agency head. - This reporting element is not applicable as DOD officials told us that the department reviewed all classes of contracts as part of its recovery auditing program. DOD also could not substantiate the reported $18.9 million of DFAS recovered contract overpayments for fiscal year 2007, because it did not maintain the underlying documentation that supported the amount. DOD was unable to recreate the documentation because the system data reflected real-time information and changed daily. Although the Office of the Comptroller reported commercial overpayment data for the Navy for fiscal year 2008, it did not do so for fiscal year 2007 and was unable to confirm whether it should have reported comparable data for that period. Office of the Comptroller officials told us that they did not follow up with the Navy to determine why it did not report recovery audit information for fiscal year 2007. Our internal control standards related to control activities state that all transactions and other significant events need to be clearly documented and should be readily available for examination, and that documentation and records should be properly managed and maintained.[Footnote 41] Until DOD reports the required information and ensures the accuracy of the information it does report, the extent to which Congress, OMB, and other oversight bodies can rely on this information to make informed decisions is questionable. Inadequate Monitoring and Oversight of DOD's Recovery Auditing Activities: The Office of the Comptroller's oversight and monitoring of DOD's recovery auditing activities were inadequate as they indicated that they had not verified the accuracy and completeness of the information reported in DOD's AFR. These activities were generally limited to compiling data received from DOD agencies and the military services and performing a fluctuation analysis of these data to identify changes in amounts between the current and prior year. We found that the roles and responsibilities for the Recovery Auditing Project Officer, who was tasked with overseeing DOD's recovery auditing efforts, were not documented in the November 2006 memorandum from the Office of the Comptroller establishing the position.[Footnote 42] In addition, the project officer devoted minimal time--about 10 percent for fiscal year 2007--to overseeing DOD's recovery auditing efforts, and frequent turnover occurred with this position. Between fiscal years 2007 and 2008 we noted that four different people had been assigned to oversee DOD's recovery auditing program.[Footnote 43] Our internal control standards for monitoring provide that processes should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations and include regular management and supervisory activities, comparisons, and reconciliations. Further, our internal control standards provide that controls should include a wide range of diverse activities including verification of information and be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators.[Footnote 44] Also, excessive turnover could significantly impact the department's ability to sustain the knowledge, skills, and experience needed to effectively oversee implementation of the Recovery Auditing Act requirements. Office of the Comptroller officials acknowledged that the recovery audit data submitted by the DOD agencies and military services were not independently validated to ensure that the information was accurate, complete, and met the minimum reporting requirements. In December 2007, DOD established a recovery auditing working group comprised of representatives from the DOD agencies and military service components to identify best practices for recovery auditing; however, this group has yet to meet. At the DOD component level, we were informed that Navy, on its own initiative, established a working group in fiscal year 2008 to identify and recover commercial overpayments and report this information to the Office of the Comptroller. Without adequate monitoring and oversight, the department does not have adequate assurance that its future reporting under the Recovery Auditing Act will be accurate and complete. Conclusions: DOD has not established the mechanisms--processes and detailed implementing guidance--needed to effectively implement the requirements for both IPIA and the Recovery Auditing Act. The department reports that its payment activities are at low risk for improper payments without adequate supporting analysis and documentation and despite its history of long-standing financial management weaknesses. Because addressing IPIA requirements is a sequential process, DOD's failure to conduct comprehensive risk assessments, which is the first step, has adversely affected decisions made to address subsequent steps in the process. DOD has not accurately portrayed the full extent of improper payments or the associated root causes. As a result, any corrective actions taken are likely to fall short of fixing the problems that resulted in these errors. With regard to recovery efforts, DOD continues to rely on processes that are inadequate for identifying the extent of overpayments to contractors and vendors and ensuring that these amounts are recovered. Until the department takes definitive action to fulfill the requirements of these acts and implement preventive internal controls, it is at risk of making improper payments and wasting taxpayer funds. Recommendations for Executive Action: To improve DOD's efforts to address improper payment and recovery auditing requirements, we recommend that the Secretary of Defense direct the DOD Comptroller to take the following 13 actions. For IPIA, the DOD Comptroller should: * Establish and implement a systematic approach, as a part of the risk assessment process, to ensure all programs and activities are reviewed to determine susceptibility to improper payments. * Develop and implement detailed guidance for conducting risk assessments, including the steps to determine if risk exists, what those risks are, and the potential or actual impact of those risks on program operations. * Require DOD agencies and the military services to document the risk assessment methodology used, including the risk factors considered, and the rationale for assessing the risk level for the payment activity. * Develop and implement a statistically valid methodology to estimate and report commercial improper payments (contract and vendor over-and underpayments). This methodology should include all payment errors regardless of the source of the error--DOD, contractors, or vendors--as required by IPIA. * Identify and fully disclose the root causes of improper payments annually in the AFR. * Identify and fully disclose the corrective actions, and monitor the corrective actions to ensure that they address applicable root causes. * Perform oversight and monitoring activities to ensure the accuracy and completeness of the improper payment data submitted by the DOD agencies and the military services for inclusion in the AFR. For Recovery Auditing Act, the DOD Comptroller should: * Establish and implement processes specifically designed to identify and recover commercial overpayments. * Develop and implement detailed guidance to assist DOD agencies and the military services in effectively carrying out recovery audits and activities, including the payment and accounting systems to be reviewed, the frequency of these reviews, applicable roles and responsibilities, and reporting requirements. * Establish and implement a process to identify costs related to the department's recovery auditing program, including costs for employees' salaries. * Establish and implement a process to identify and report vendor overpayments and the associated recovered amounts. * Maintain documentation to support the amounts reported in the AFR to allow for independent evaluation of this information. * Perform oversight and monitoring activities to ensure the accuracy and completeness of the recovery auditing data submitted by the DOD agencies and the military services for inclusion in the AFR. Also, document the roles and responsibilities of the Recovery Auditing Project Officer. Agency Comments and Our Evaluation: DOD provided written comments on a draft of this report which are reprinted in their entirety in appendix IV. DOD also provided technical comments that we have incorporated as appropriate. In its written comments, DOD disagreed with all but 1 of our 13 recommendations designed to strengthen its improper payment and recovery auditing processes. DOD stated that generally the actions envisioned by our recommendations were already being accomplished within the department or were not required by OMB and thus, such direction from GAO was not necessary. We disagree. While DOD presently has efforts underway, as noted in this report, it has not yet established the processes and detailed guidance for effectively implementing either IPIA or the Recovery Auditing Act. In its comments, DOD did not provide any new evidence that was not considered in our report. Accordingly, we continue to believe that our recommendations are critical for DOD to enhance its efforts to minimize improper payments and recover those that are made. The following paragraphs illustrate the nature of DOD's comments and our analysis of its key points. DOD's Processes To Address IPIA Requirements: DOD disagreed with our three recommendations aimed at enhancing DOD's risk assessment processes. We recommended the DOD Comptroller require DOD agencies and the military services to establish and implement risk assessment methodologies, along with documentation of key factors considered and the rationale for assessing the risk level for the payment activity. DOD stated that such direction was not necessary as it had established IPIA program baselines and measures and reports on all of its IPIA programs annually in accordance with OMB guidance. As described in our report, DOD's risk assessment process was inadequate to ensure that appropriate consideration was given to the risks associated with its payment activities as we found an additional $322 billion in DOD outlays that had not been assessed under IPIA. For payment activities assessed, DOD did not require its agencies and military services to document their risk methodologies, including risk factors considered, the potential or actual impact on their program operations, and the rationale for assessing risk as either low, medium, or high. As such, none of the nine DOD components that conducted risk assessments described their methodology or rationale for the low level of risk assigned to each applicable payment activity. Given the lack of supporting documentation and evidence for the risk assessments as well as DOD's history of long-standing internal control weaknesses, including GAO's prior designation of eight functional DOD areas as high risk, the low risk levels are not based on sufficient analysis, are likely unrealistic, and are not reflective of the wide range of vulnerabilities that exist within DOD. DOD also disagreed with our recommendation that it develop and implement a statistically valid methodology to estimate and report commercial improper payments (contract and vendor over-and underpayments). DOD stated that it has followed guidance provided by OMB and that commercial improper payments are to be identified, recovered and reported in accordance with the Recovery Auditing Act. As described in our report, DOD stated that reporting improper commercial payments under IPIA would create duplicate reporting because this information was captured as part of DOD's efforts to address Recovery Auditing Act requirements. However, we disagree because those actions are not sufficient to address IPIA. Both acts must be addressed with regard to commercial payment activity. Each act has a different scope of review and reporting requirements. Based on the improper payment definition under IPIA and OMB's guidance that instructs agencies to develop a statistically valid estimate, the statistical sampling requirement would apply to commercial payments under IPIA. Developing an across-the-board, systematic estimate of the extent of improper payments gives management baseline information for measuring progress in reducing improper payments and how much investment in new internal controls would be cost-justified. DOD disagreed with our two recommendations to identify and fully disclose in the AFR the root causes of improper payments and the corrective actions, including monitoring those actions to ensure that they address applicable root causes. DOD commented that the AFR was not the appropriate forum for this detailed level information and that it had procedures in place to identify, fully disclose, and monitor corrections. We have two main concerns with DOD's responses to these recommendations. First, DOD did not consistently follow OMB reporting requirements to identify root causes and related corrective actions and the underlying documentation of the reported corrective actions lacked details as to the corrective actions taken or planned and the corresponding results, if any. Second, because of the inherent responsibility to be a good steward for public resources, it is important that corrective actions and the effectiveness of such be openly communicated or available not only to the Congress and agency management but also to the general public. Balancing the benefits of summarizing information with reporting compliance and user needs is critical. Corrective actions cannot be effectively monitored and assessed unless the detailed corrective actions are known and tied to the root cause(s) of improper payments that they are intended to address. DOD's Processes To Address Recovery Auditing Act Requirements: We made five recommendations aimed at strengthening DOD's recovery audit processes related to establishing and implementing processes specifically designed to identify and recover commercial payments, developing detailed guidance to carry out recovery audits and activities, identifying costs related to its recovery auditing program, implementing a process to identify and report vendor overpayments and associated recovered amounts, and maintaining documentation to support reported amounts. DOD concurred with our recommendation to identify the cost related to its recovery audit program. DOD disagreed with the other four recovery auditing recommendations because it believed the agency had already established and implemented such processes. However, as we point out in this report, the majority of DOD's processes aimed at identifying and recovering improper payments were inadequate because the primary purpose of these processes were not to identify commercial improper payments as required by the Recovery Auditing Act. For example, DCMA and DCAA's contract closeout processes were designed to ensure that applicable administrative actions had been completed during the course of a contract (e.g., all classified documents were disposed of) and not to specifically identify contract overpayments. In addition, DOD's current FMR guidance (dated December 2005) did not include specific elements that would be necessary to effectively carry out a recovery auditing program. Further, DOD had not established a process to fully identify and report vendor overpayments. This problem continued to exist as DOD acknowledged in its fiscal year 2008 AFR that while it was able to identify DOD-identified overpayments for its DFAS component, it was unable to identify and report vendor overpayments for all of its components and that efforts would continue until all DOD components achieved this capability. DOD's Oversight and Monitoring Efforts To Address IPIA and Recovery Auditing Act Requirements: DOD disagreed with our two recommendations related to oversight and monitoring and commented that they were duplicative, except for the additional language related to documenting the roles and responsibilities of the Recovery Auditing Project Officer. We clarified our recommendations related to oversight and monitoring to emphasize the need of these activities for both IPIA and the Recovery Auditing Act. As we stated in our report, the DOD Office of the Comptroller's oversight and monitoring of improper payment and recovery auditing activities were inadequate as the office did not verify the accuracy and completeness of information received from DOD agencies and military service components and reported in its AFR. We are sending copies of this report to interested congressional committees; the Secretary of Defense; and the Director, Office of Management and Budget. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-9095 or by e-mail at dalykl@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix V. Signed by: Kay L. Daly, Director: Financial Management and Assurance: [End of section] Appendix I: Objectives, Scope and Methodology: The objectives of this report were to determine whether the Department of Defense (DOD) had adequate controls in place to address the Improper Payments Information Act (IPIA) and the Recovery Auditing Act requirements.[Footnote 45]To determine whether DOD adequately addressed IPIA requirements, we reviewed the applicable legislation and related OMB implementing guidance.[Footnote 46] We further reviewed DOD's agency financial reports (AFR) for fiscal years 2004 through 2008, internal DOD improper payment guidance,[Footnote 47] and prior GAO [Footnote 48] and DOD Office of Inspector General (DOD OIG) reports [Footnote 49] on improper payments. We reviewed these documents to understand DOD's efforts to address IPIA requirements and to identify previously reported issues with DOD's improper payment reporting. In addition, we performed the following work: * To assess DOD's IPIA risk assessment process to identify payment activities susceptible to significant improper payments, we reviewed our Standards for Internal Control in the Federal Government and executive guide on Strategies to Manage Improper Payments: Learning from Public and Private Sector Organizations as guidance to assess DOD's internal controls over disbursements. We interviewed agency officials such as the Project Officer for Improper Payment and Recovery Auditing, and obtained and reviewed fiscal year 2007 IPIA responses, where available. We also compared the amounts reported as the basis for improper payments to other documentation such as the President's Budget and Statement of Budgetary Resources to determine whether all DOD outlays were subject to improper payment assessments. * To assess the statistical validity of DOD's reported improper payment estimates for fiscal year 2007, we conducted an independent analysis of its sampling methodologies, including a review of the sampling plans for each DOD agency and military service component. In addition, we performed an independent assessment of DOD's IPIA processes, including a legal analysis of the improper payment definition in relation to DOD's classification of commercial payment errors (contract and vendor payments) as either improper or proper to determine whether DOD had reached appropriate conclusions. In addition, we interviewed the IPIA Project Officer, Defense Finance Accounting Service (DFAS)-Kansas City, and DFAS-Columbus officials, to identify, estimate, and reduce improper payments and reviewed supporting documentation, when available, in order to gain an understanding of DOD's IPIA process. We also interviewed DOD OIG officials to discuss their findings and recommendations related to DOD's efforts to address IPIA requirements. * To assess DOD's corrective action plans to reduce improper payments, we interviewed agency officials, reviewed corrective actions to reduce improper payments, and reviewed corrective action plans to determine whether appropriate linkages existed between the root causes of improper payments and specific corrective action steps. We also performed an analysis of DOD's improper payment error rates to determine whether the improper payment error rates for DOD payment activities had changed from fiscal year to fiscal year. * To assess the accuracy and completeness of DOD's reported fiscal year 2007 improper payment amounts, we recalculated summary amounts included on DOD's IPIA survey and traced those amounts to supporting documentation. To determine whether DOD had adequately addressed the Recovery Auditing Act requirements, we reviewed applicable legislation and related OMB implementing guidance,[Footnote 50] DOD's AFR for fiscal years 2004 through 2008, internal DOD recovery auditing guidance,[Footnote 51] and prior GAO[Footnote 52] and DOD OIG reports[Footnote 53] on recovery auditing. We interviewed agency officials such as the Recovery Auditing Project Officer, the Director of Internal Review, and the Chief of DFAS's Debt Management Office regarding DOD's process to identify and recover commercial overpayments and reviewed accompanying and supporting documentation, when available. We also interviewed Defense Contract Audit Agency (DCAA) and Defense Contract Management Agency (DCMA) officials such as the DCAA Headquarters Program Manager of the Policy Programs Division and DMCA contract specialists to determine their role in DOD's recovery auditing process and reviewed applicable guidance.[Footnote 54]0Further, we interviewed DOD OIG officials such as the DOD OIG Program Director and the Audit Project Manager at DFAS-Columbus to discuss their findings and recommendations related to DOD's efforts to address recovery auditing requirements. Also, we interviewed Department of the Navy officials regarding results of the recovery audit performed to identify overpayments made in its telecommunications program. In addition, we interviewed TRICARE Management Activity (TMA) officials to obtain clarification and supporting documentation on the healthcare-recovered amounts reported in DOD's AFR. To assess the accuracy and completeness of DOD's reported fiscal year 2007 recovery audit information, we reviewed DFAS and TMA supporting documentation submitted to the Office of the Comptroller to substantiate amounts reported in the AFR. We traced these schedules and total amounts submitted to the Office of the Comptroller back to various supporting breakdowns (at the transaction level). In addition, we recalculated and verified the accuracy of the recovery audit amounts in DOD's summary recovery auditing table. We conducted site visits at two of the five DFAS processing center locations (Kansas City, Missouri and Columbus, Ohio). We selected the DFAS-Kansas City site because it was responsible for receiving IPIA survey information from other DFAS sites, compiling the information, and checking the information for accuracy and completeness. As part of this site visit, we obtained an understanding of DFAS's process for conducting monthly postpayment reviews of military and civilian pay to identify improper payments. In addition, we selected the DFAS-Columbus site because it processed a majority of DOD's commercial payments--the agency's largest payment activity--on behalf of the DOD agencies and military services. Also, DFAS-Columbus was the only DFAS site that processed DOD contract payments. At the DFAS-Columbus site, we obtained an understanding of the commercial prepayment and postpayment controls in place affecting IPIA and Recovery auditing requirements. To determine the reliability of DOD's improper payment and recovery audit information, we interviewed knowledgeable agency officials, such as the DFAS-Indianapolis Director of Accounts Payable and DFAS- Indianapolis Accounts Receivable specialists, to ascertain the procedures used to assume the quality of the data. We reviewed DOD's commercial payment activity from its contract and vendor pay systems and its Improper Payments Online Database (IPOD) that stored the improper payment information. We also traced data back to supporting documentation, including DOD's fiscal year 2007 IPIA survey, the AFR, and the recovery auditing activity schedule. We performed a data reliability assessment of DOD's statistical sampling methodologies for the fiscal year 2007 reported improper payment estimates, (see appendix III). We concluded that the data were reliable for our purposes. We conducted our audit work from June 2008 to June 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions, based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We obtained written comments on a draft of this report from the Under Secretary of Defense (Comptroller) and have summarized these comments in the Agency Comments and Our Evaluation section of this report. [End of section] Appendix II: List of DOD Agencies and Military Service Components Included in the IPIA Survey: 1. Department of the Army: 2. Department of the Navy: 3. Department of the Air Force: 4. United States Marine Corps, Assistant Deputy Commandant for Programs and Resources: 5. Inspector General of the Department of Defense: 6. Defense Advanced Research Projects: 7. Defense Contract Audit Agency: 8. Defense Finance and Accounting Service: 9. Defense Intelligence Agency: 10. Defense Logistics Agency: 11. Defense Security Service: 12. Missile Defense Agency: 13. National Security Agency/Central Security Service: 14. Defense Commissary Agency: 15. Defense Contract Management Agency: 16. Defense Information Systems Agency: 17. Defense Legal Services Agency: 18. Defense Security Cooperation Agency: 19. Defense Threat Reduction Agency: 20. Pentagon Force Protection Agency: 21. National Geospatial Intelligence Agency: 22. United States Army Corps of Engineers: 23. American Forces Information Services: 24. Defense Technology Security Administration: 25. Department of Defense Education Activity: 26. Department of Defense Test Resource Management Center: 27. Defense Technical Information Center: 28. Defense Prisoner of War/Missing Personnel Office: 29. Department of Defense Counterintelligence Field Activity: 30. Defense Human Resources Activity: 31. Office of Economic Adjustment: 32. TRICARE Management Activity: 33. Washington Headquarters Services: [End of section] Appendix III: DOD's Fiscal Year 2007 Improper Payment Sample Plans by Program: In its fiscal year 2007 Agency Financial Report (AFR), the Department of Defense (DOD) reported on five payment activities as part of its Improper Payments Information Act (IPIA) reporting: military pay, military health benefits, civilian pay, military retirement, and travel pay. The information reported in DOD's AFR is compiled from the IPIA survey submitted by the DOD agencies and military services. DOD agencies and military services used related confidence levels over different ranges (generally, as prescribed in OMB guidance) to plan and estimate improper payment amounts reported in DOD's fiscal year 2007 AFR. We reviewed the sample plans for each of the five payment activities, at the component level, and determined those methodologies generally complied with the Office of Management and Budget's (OMB) implementing guidance.[Footnote 55] OMB guidance requires that applicable agencies estimate the gross total of both over-and underpayments for those programs and activities identified as susceptible to significant improper payments.[Footnote 56] OMB also requires that the estimates be based on a statistically valid random sample of sufficient size to yield an estimate with a 90 percent confidence interval of plus or minus 2.5 percentage points around the estimate of the percentage of improper payments. Alternatively, agencies may use a 95 percent confidence interval of plus or minus 3.0 percentage points around the estimate of the percentage of improper payments to estimate improper payments for agency programs. If an agency cannot determine whether a payment was proper because of insufficient documentation, OMB guidance requires that the payment be considered an error. A brief description of each payment activity's methodology reported in its sampling plan is provided below. 1. Military Health Benefits Program: The military health benefits program consists of disbursements for the medical care of active duty military personnel, retirees, their family members, and family members of deceased service members. TRICARE Management Activity (TMA) processed all military health benefit payments for DOD. To estimate military health benefits improper payments, TMA selected samples from the two populations of its contract payments, as shown in table 4 below. The contract samples were drawn on a quarterly basis and stratified by dollar value. For both contract types sampled, denied payment samples were based on the amount billed and nondenied payment samples were based on government costs. Table 4: Military Health Benefits Program Sample Plans: Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Next Generation Managed Care Support Contracts; 15,433,902; Annual payment sample size: Nondenied claims valued at $100 to $100k: 9,481 claims; Confidence interval: Nondenied claims: 90%+/-1%. Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Next Generation Managed Care Support Contracts; 15,433,902; Annual payment sample size: 100% review of Nondenied claims greater than $100k: 1,750 claims; Confidence interval: Not applicable. Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Next Generation Managed Care Support Contracts; 15,433,902; Annual payment sample size: Denied claims valued at $100 to $100k: 3,055 claims; Confidence interval: Denied claims: 80% +/-2%. Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Next Generation Managed Care Support Contracts; 15,433,902; Annual payment sample size: 100% review of denied claims greater than $100k: 885 claims; Confidence interval: Not applicable. Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Dual Eligibility Fiscal Intermediary Contract; 44,607,708; Annual payment sample size: Nondenied claims valued at $1 to $25k: 4,737 claims; Confidence interval: Nondenied claims: 90%+/-1%. Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Dual Eligibility Fiscal Intermediary Contract; 44,607,708; Annual payment sample size: 100% review of Nondenied claims greater than $25k: 1,463 claims; Confidence interval: Not applicable. Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Dual Eligibility Fiscal Intermediary Contract; 44,607,708; Annual payment sample size: Denied claims valued at $1 to $500k: 1,557 claims; Confidence interval: Denied claims: 80% +/-2%. Components: TRICARE management activity; Annual universe of payments (Population): TRICARE Dual Eligibility Fiscal Intermediary Contract; 44,607,708; Annual payment sample size: 100% review of denied claims greater than $500k: 385 claims; Confidence interval: Not applicable. Source: GAO's analysis of DOD's sampling plans. [End of table] 2. Military Pay Program: The military pay program consists of military payroll disbursements. The Defense Finance and Accounting Services (DFAS) processed all military payroll payments for DOD. To estimate improper payments, DFAS- Kansas City conducted monthly postpayment reviews to determine the accuracy of net military pay using a simple random attribute sample and summed monthly results to calculate an annual estimate. In addition to its statistical sample, the military pay program's estimate of improper payments included actual data on improper payment amounts. Table 5 shows information reported in the sampling plan for military pay. Table 5: Military Pay Program Sample Plans: Components: DFAS; Annual universe of payments (Population): Active Duty: 17,034,781; Annual payment sample size: 7,400; Confidence interval: 95% +/-2.5%. Components: DFAS; Annual universe of payments (Population): Reserve & Guard: 5,062,463; Annual payment sample size: 13,400; Confidence interval: 95% +/-2.5%. Source: GAO's analysis of DOD's sampling plans. [End of table] 3. Civilian Pay Program: The civilian pay program consists of civilian payroll disbursements. DFAS, Army, and Navy processed civilian payments in fiscal year 2007. DFAS-Kansas City conducted monthly postpayment reviews to determine the accuracy of net pay using simple random attribute samples. In addition to monthly samples, DFAS added actual improper payment data to further enhance its estimate. DFAS monthly results were summed to calculate the annual estimate. Army's sample plan consisted of annual postpayment reviews and analysis of a sample of disbursements, and Navy's sample plan consisted of a statistical sample of Military Sealift Command Civilian Mariners payments. Table 6 shows detailed sampling plans for each component of the civilian pay program. Table 6: Civilian Pay Program Sample Plans: Components: DFAS; Annual universe of payments (Population): 7,655,277; Annual payment sample size: 6,350; Confidence interval: 95% +/-2.5%. Components: Army; Annual universe of payments (Population): 15,128; Annual payment sample size: 15,128; Confidence interval: n/a. Components: Navy; Annual universe of payments (Population): $404,522,148; Annual payment sample size: $404,522,148; Confidence interval: n/a. Source: GAO's analysis of DOD's sampling plans. [End of table] 4. Military Retirement Program: The military retirement program consists of disbursements to military retirees and annuitants. DFAS processed all military retirement payments for DOD. DFAS-Cleveland performed monthly postpayment reviews to determine the accuracy of payments using simple random samples. Three samples were conducted to assess the accuracy of payments--one for deceased retirees, the other for retired accounts, and the third for annuitant accounts, as shown in table 7. The deceased retirees sample is designed to identify retiree payments going to deceased individuals, while the retired and annuitant samples identify whether regular payments are accurate. Table 7: Military Retirement Program Sample Plans: Components: DFAS; Annual universe of payments (Population): Deceased retiree account postpayment reviews: 40,392; Annual payment sample size: 1,656; Confidence interval: 90% +/-2.5%. Components: DFAS; Annual universe of payments (Population): Retired account postpayment reviews: 2,004,706; Annual payment sample size: 3,000; Confidence interval: 95% +/-2.5%. Components: DFAS; Annual universe of payments (Population): Annuitant account postpayment reviews: 288,749; Annual payment sample size: 3,000; Confidence interval: 95% +/-2.5%. Source: GAO's analysis of DOD's sampling plans. [End of table] 5. Travel Pay Program: The following components processed travel payments: DFAS, Army, Navy, and Air Force. Table 8 shows detailed sample plans for each component of the travel pay program. DFAS-Indianapolis conducted random monthly reviews to determine accuracy of payments and summed monthly results to arrive at an annual sample.[Footnote 57]Army travel pay consisted of Army Korea,[Footnote 58] Army Europe, and the Army Corps of Engineers. Army Europe and Army Corps of Engineers components conducted monthly postpayment reviews of travel payments. Army Korea did not provide sampling results. Navy conducted a statistical sample of travel payments processed through its system. Air Force conducted post audit reviews of a random sample of travel payments. Table 8: Travel Pay Program Sample Plans: Components: DFAS; Annual universe of payments (Population): 2,251,075; Annual payment sample size: 43,635; Confidence interval: 95% +/-2.5%. Components: Army; Annual universe of payments (Population): Army Europe: 80,816; Annual payment sample size: 10% of all vouchers: 8,081 & 100% of vouchers over $2,500: 8,331; Confidence interval: 99% +/-1.0%. Components: Army; Annual universe of payments (Population): Corps of Engineers: 165,643; Annual payment sample size: Corps of Engineers: 452; Confidence interval: 95% +/-2.0%. Components: Navy; Annual universe of payments (Population): $651,374,570; Annual payment sample size: $565,218,446; Confidence interval: 90% +/-1.4%. Components: Air Force; Annual universe of payments (Population): 1,211,307; Annual payment sample size: 186; Confidence interval: 90%. Source: GAO's analysis of DOD's sampling plans. [End of table] [End of section] Appendix IV: Comments from the Department of Defense: Under Secretary Of Defense: Comptroller: 1100 Defense Pentagon: Washington, DC 20301-1100: June 29, 2009: Ms. Kay L. Daly: Director, Financial Management and Assurance: Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Ms. Daly, This is the Department of Defense (DoD) response to the Government Accountability Office (GAO) draft report, "Improper Payments. Significant Improvements Needed in DoD's Efforts to Address Improper Payment and Recovery Auditing Requirements," dated June 4, 2009 (GAO Code 195140). The Department concurs with one of the recommendations in the draft report and corrective action will he implemented for FY 2010 reporting. The Department does not concur with the remaining recommendations and our response is attached. My point of contact on this matter is Ms. Sally Beecroft. She may be reached by email at sally.beecroft@osd.mil or telephone at (703) 602- 0193. Signed by: Robert F. Hale: Attachment: As stated. [End of letter] GAO Draft Report Dated June 2009: GAO-09-442 (GAO Code 195140, Formerly 195113): "Improper Payments: Significant Improvements Needed In DOD'S Efforts To Address Improper Payment And Recovery Auditing Requirements" Department Of Defense Comments To The GAO Recommendations: Recommendation 1: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to establish and implement a systematic approach, as a part of the risk assessment process, to ensure all programs and activities are reviewed to determine susceptibility to improper payments. (Page 36/GAO Draft Report) DOD Response: Nonconcur. The Department established IPIA program baselines, and measures and reports on all of its IPIA programs annually in accordance with OMB guidance. Risk assessments are required for programs that are not being reported in order to make a determination whether or not the program is at risk for significant improper payments and initiate/resume reporting; or a significant event has occurred that requires program reevaluation. The OMB Circular A- 123, Appendix C guidance states, "Agencies need not conduct formal risk assessments for those programs in which improper payment baselines are already established, are in the process of being measured, or will be measured by an established date." Recommendation 2: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to develop and implement detailed guidance for conducting risk assessments, including the steps to determine if risk exists, what those risks are, and the potential or actual impact of those risks on program operations. (Page 36/GAO Draft Report) DOD Response: Nonconcur. The Department established IPIA program baselines, and measures and reports on all of its IPIA programs annually in accordance with OMB guidance. Risk assessments are required for programs that are not being reported in order to make a determination whether or not the program is at risk for significant improper payments and initiate/resume reporting; or a significant event has occurred that requires program reevaluation. The OMB Circular A- 123, Appendix C guidance states, "Agencies need not conduct formal risk assessments for those programs in which improper payment baselines are already established, are in the process of being measured, or will be measured by an established date. Recommendation 3: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to require DoD agencies and the military services to document the risk assessment methodology used, including the risk factors considered, and the rationale for assessing the risk level for the payment activity. (Page 36/GAO Draft Report) DOD Response: Nonconcur. Such direction is not necessary because it is already being accomplished. The Department established IPIA program baselines, and measures and reports on all of its IPIA programs annually in accordance with OMB guidance. Risk assessments are required for programs that are not being reported in order to make a determination whether or not the program is at risk for significant improper payments and initiate/resume reporting; or a significant event has occurred that requires program reevaluation. The OMB Circular A- 123, Appendix C guidance states, "Agencies need not conduct formal risk assessments for those programs in which improper payment baselines are already established, are in the process of being measured, or will be measured by an established date. Recommendation 4: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to develop and implement a statistically valid methodology to estimate and report commercial improper payments (contract and vendor over- and underpayments). (Page 36/GAO Draft Report) DOD Response: Nonconcur. The Department followed guidance provided by OMB for reporting commercial payments. Commercial improper payments are to be identified, recovered and reported in accordance with the Recovery Auditing Act (Section 831 of Public Law 107-107) and in accordance with OMB Circular A-123, Appendix C, Part II. Neither the law nor the regulation require or suggest statistical sampling for this category of payments. Recovery auditing allows for full recovery of any identified and substantiated improper payments. Statistical sampling only allows for recovery of improper payments identified in the sample population and it is impossible to recover from an extrapolation of the sample population. It omits the balance of possible improper payments that were not a part of the sample, thus precluding recovery of a great deal more of taxpayer funds. Recommendation 5: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to identify and fully disclose the root causes of improper payments annually in the Agency's Financial Report (AFR). (Page 36/GAO Draft Report) DOD Response: Nonconcur. We do not agree that the AFR is the appropriate forum for detail level information. The Department documents the root causes of improper payments, publishes summary level information annually in the AFR, and detail level information is more appropriately provided to the Component responsible for corrective action. Recommendation 6: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to identify and fully disclose the corrective actions, and monitor the corrective actions to ensure that they address applicable root causes. (Page 36/GAO Draft Report) DOD Response: Nonconcur. Such direction is not necessary because it is already being accomplished. The Department has procedures in place to identify, fully disclose, and monitor corrective actions to ensure these actions address applicable root causes of improper payments. Recommendation 7: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to perform oversight and monitoring activities to ensure the accuracy and completeness of the data submitted by the DoD agencies and the military services for inclusion in the AFR. (Page 36/GAO Draft Report) DOD Response: Nonconcur. Such direction is not necessary because it is already being accomplished. The Accounting and Finance Policy Directorate performs oversight and monitoring activities to ensure the accuracy and completeness of the data submitted by DoD Components for inclusion in the AFR. Recommendation 8: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to establish and implement processes specifically designed to identify and recover commercial overpayments. (Page 37/GAO Draft Report) DOD Response: Nonconcur. Such direction is not necessary because it is already being accomplished. The Department has established and implemented processes specifically designed to identify and recover improper commercial payments. Recommendation 9: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to develop and implement detailed guidance to assist DoD agencies and the military services in effectively carrying out recovery audits and activities, including the payment and accounting systems to be reviewed, the frequency of these reviews, applicable roles and responsibilities, and reporting requirements. (Page 37/GAO Draft Report) DOD Response: Nonconcur. Such direction is not necessary because it is already being accomplished. The Department developed and published the Financial Management Regulation (FMR) Volume 10, Chapter 22, "Recovery Auditing," in December 2005 to assist DoD Components in effectively carrying out recovery audits and activities. An update to this chapter is currently in Departmental coordination. We anticipate that the updated will be published by the end of FY 2009 for FY 2010 reporting. Recommendation 10: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to establish and implement a process to identify costs related to the department's recovery auditing program, including costs for employees' salaries. (Page 37/GAO Draft Report) DOD Response: Concur. The Department will establish and implement a process to identify costs related to the Department's recovery auditing program, including costs for employees' salaries. We plan to begin implementation for FY 2010 reporting. Recommendation 11: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to establish and implement a process to identify and report vendor overpayments and the associated recovered amounts. (Page 37/GAO Draft Report) DOD Response: Nonconcur. Such direction is not necessary because it is already being accomplished. The Department has established and implemented processes specifically designed to identify and recover commercial (which includes vendor) overpayments and the associated recovered amounts. Recommendation 12: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to maintain documentation to support the amounts reported in the AFR to allow for independent evaluation of this information. (Page 37/GAO Draft Report) DOD Response: Nonconcur. Such direction is not necessary because it is already being accomplished. The Department maintains documentation to support the amounts reported in the AFR. Recommendation 13: The GAO recommends that the Secretary of Defense direct the DoD Comptroller to perform oversight and monitoring activities to ensure the accuracy and completeness of the data submitted by the DoD agencies and the military services for inclusion in the AFR. Also, document the roles and responsibilities of the Recovery Auditing Project Officer. (Page 37/GAO Draft Report) DOD Response: Recommendation 13 is a duplicate of 7 except for the last sentence. Nonconcur with the final sentence. The roles and responsibilities of the Recovery Auditing Project Officer already are documented. [End of section] Appendix V: GAO Contacts and Staff Acknowledgments: GAO Contact: Kay L. Daly, (202) 512-9095 or dalykl@gao.gov: Acknowledgments: In addition to the contact named above, Carla Lewis, Assistant Director; Sharon Byrd; Francis Dymond; Vanessa Estevez; Patrick Frey; Jason Kirwan; Crystal Lazcano; Sophie Simonard-Norman; Pamela Valentine; and David Yoder made key contributions to this report. [End of section] Footnotes: [1] Improper payments are defined as any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. It also includes any payment to an ineligible recipient or ineligible service, duplicate payments, payments for services not received, and any payment for an incorrect amount. [2] Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002). [3] Appendix C to OMB Circular No. A-123, Requirements for Effective Measurement and Remediation of Improper Payments (Aug. 10, 2006). [4] OMB's guidance defines significant improper payments as those in any particular program that exceed both 2.5 percent of program payments and $10 million annually. For improper payment estimates exceeding $10 million, IPIA and OMB guidance requires agencies to develop action plans to reduce improper payments. [5] National Defense Authorization Act for Fiscal Year 2002, Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec. 28, 2001), codified at 31 U.S.C. §§ 3561-3567. [6] GAO, High-Risk Series: Defense Contract Pricing, [hyperlink, http://www.gao.gov/products/GAO/HR-93-8] (Washington, D.C.: December 1992); High-Risk Series, [hyperlink, http://www.gao.gov/products/GAO/HR-95-1] (Washington, D.C.: February 1995); High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-07-310] (Washington, D.C.: January 2007). [7] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 2009). [8] Prior to fiscal year 2007, executive branch agencies were required to report improper payment information in their PAR. Beginning with fiscal year 2007, OMB established a pilot program for the AFR in which select agencies alternatively presented their PAR information, including improper payment and recovery audit information, in a condensed format. DOD is one of nine agencies that issued an AFR for fiscal year 2008. [9] DFAS is responsible for providing professional, financial, and accounting services to DOD and other federal agencies. It delivers mission-essential payroll, contract and vendor pay, and accounting services. Five DFAS offices--Columbus, Indianapolis, Cleveland, Limestone, and Rome--processed contract and vendor payments. DFAS- Columbus processes DOD's largest payment activity, commercial payments. For our period of review, DFAS-Kansas City was responsible for identifying and estimating improper payments for military and civilian pay. DFAS-Kansas City was closed in July 2008 due to a base realignment and closure decision. [10] We initiated preliminary audit work under a separate job code in February 2008 and orally briefed your subcommittee on this work in June 2008. [11] GAO, DOD Travel Cards: Control Weaknesses Led to Millions in Fraud, Waste, and Improper Payments, [hyperlink, http://www.gao.gov/products/GAO-04-825T] (Washington, D.C.: June 9, 2004); Financial Management: Challenges in Meeting Requirements of the Improper Payments Information Act, [hyperlink, http://www.gao.gov/products/GAO-05-417] (Washington, D.C.: Mar. 31, 2005); Improper Payments: Agencies' Fiscal Year 2005 Reporting Under the Improper Payments Information Act Remains Incomplete, [hyperlink, http://www.gao.gov/products/GAO-07-92] (Washington, D.C.: Nov. 14, 2006); Improper Payments: Incomplete Reporting under the Improper Payments Information Act Masks the Extent of the Problem, [hyperlink, http://www.gao.gov/products/GAO-07-254T] (Washington, D.C.: Dec. 5, 2006); Improper Payments: Agencies' Efforts to Address Improper Payment and Recovery Auditing Requirements Continue, [hyperlink, http://www.gao.gov/products/GAO-07-635T] (Washington, D.C.: Mar. 29, 2007); Improper Payments: Status of Agencies' Efforts to Address Improper Payment and Recovery Auditing Requirements, [hyperlink, http://www.gao.gov/products/GAO-08-438T] (Washington, D.C.: Jan. 31, 2008); and Improper Payments: Progress Made but Challenges Remain in Estimating and Reducing Improper Payments, [hyperlink, http://www.gao.gov/products/GAO-09-628T] (Washington, D.C.: Apr. 22, 2009). [12] GAO, DOD Travel Improper Payments: Fiscal Year 2006 Reporting Was Incomplete and Planned Improvement Efforts Face Challenges, [hyperlink, http://www.gao.gov/products/GAO-08-16] (Washington, D.C.: Dec. 14, 2007). [13] DOD OIG Report, Identification and Reporting of DOD Erroneous Payments, D-2005-100 (Aug. 17, 2005); Identification and Reporting of Improper Payments through Recovery Auditing, D-2007-110 (July 9, 2007); and Identification and Reporting of Improper Payments by the Defense Logistics Agency, D-2008-096 (May 20, 2008). [14] DOD OIG Report, Identification and Reporting of Improper Payment Refunds from DOD Contractors, D-2008-043 (Jan. 31, 2008). [15] DOD OIG Report, D-2007-110. [16] GAO, Improper Payments: Status of Agencies' Efforts to Address Improper Payment and Recovery Auditing Requirements, [hyperlink, http://www.gao.gov/products/GAO-08-438T] (Washington, D.C.: Jan. 31, 2008). [17] The IPIA annual survey requires agencies and military services to perform a risk assessment of all programs and activities that may be susceptible to erroneous payments and to report improper payment information. The agency and military services' submissions are to be based on fiscal year disbursements, and identify both the gross totals of overpayments and underpayments and the methodology used to estimate improper payments. [18] For fiscal year 2007, the Accounting and Finance Policy Directorate distributed the survey to 33 entities. Of the 33 entities, 22 reported that they did not process payments for fiscal year 2007 and deferred to their applicable payment processing center responsible for conducting the risk assessment. The remaining 11 entities either processed their own payments or were DOD payment processing centers. Only 9 of those 11 DOD entities reported conducting risk assessments for one or more of the six payment activities reviewed under IPIA. [19] Contract payments include disbursements for complex, multi-year purchases with high dollar amounts, such as weapon systems. Vendor payments include purchases for day-to-day goods and services, such as food, fuel, and transportation. [20] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. (Washington, D.C.: November 1999). [21] The nine components were the Departments of the Army, the Navy, and the Air Force; the United States Marine Corps; the Defense Finance and Accounting Service; the Defense Security Service; the National Geospatial Intelligence Agency; the United States Army Corps of Engineers; and the TRICARE Management Activity. These components reported on one or more of the following six payment activities: civilian pay, commercial pay, military health benefits, military pay, military retirement pay, and travel pay. [22] DOD's Statement of Budgetary Resources for fiscal year 2007 reported gross outlays of about $815 billion. The Statement of Budgetary Resources is prepared independently from the DOD office responsible for addressing IPIA requirements. [23] Appendix C to OMB Circular No. A-123, pt. I(E); [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [24] [hyperlink, http://www.gao.gov/products/GAO-09-271]. [25] [hyperlink, http://www.gao.gov/products/GAO-07-92]. [26] For the military health benefits payment activity, the confidence level TRICARE Management Agency used to test the denied claims component was 80 percent, instead of the 90 percent confidence level required by OMB guidance. However, we determined that the impact of this deviation was immaterial. For the travel payment activity, DFAS performed a duplicate review for one of its component systems, the Integrated Automated Travel System. We previously reported that these duplicate reviews could not be used to estimate the value of improper payments to the entire population. We recommended, and DOD agreed, to establish and implement procedures to report a valid improper payment estimate for the population. See GAO, DOD Travel Improper Payments: Fiscal Year 2006 Reporting Was Incomplete and Planned Improvement Efforts Face Challenges, [hyperlink, http://www.gao.gov/products/GAO-08-16] (Washington, D.C.: Dec. 14, 2007). We determined that for fiscal year 2008, DFAS had developed a statistically valid methodology for the travel payment activity. [27] [hyperlink, http://www.gao.gov/products/GAO-08-77]. [28] Appendix C to OMB Circular No. A-123, pt. II (D)(2). [29] Examples of classes of contracts that OMB allows agencies to exclude from recovery auditing activities include cost-type contracts that have not been completed and whose payments are subject to further adjustment by the government and cost-type contracts that have been completed and subjected to a final contract audit. [30] The $62 million comprised various types of contractor-caused overpayments, including payments of duplicate invoices, invoice amounts with errors, and payments made to the wrong contractor due to errors in how the contractor entered its information. DFAS officials told us that these payment errors are not considered improper payments because the errors were not made or caused by DFAS. This distinction based on the source of the error is not supported by IPIA or OMB guidance. The $92 million of potential improper payments included payments made by DFAS prior to the receipt of a contract modification and payments subject to court rulings and other legal settlements. [31] An award fee is an amount that the contractor may earn, in whole or in part, during contract performance that is sufficient to provide motivation for excellence in such areas as quality, timeliness, and cost-effective management. [32] DCAA, Report on Evaluation of Over Payments and Associated Interest, Audit Report No. 3711-2007A17900011 (Aug. 31, 2007). DCAA performed an audit after the contractor notified DCMA and DCAA of potential duplicate billing errors. These payment errors occurred over a 5-year period from July 2002 through July 2007. Subsequently the contractor reimbursed DOD for the $267 million through an offset against a current invoice that DOD had not yet paid and wrote the government a check for $28 million in interest. [33] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [34] [hyperlink, http://www.gao.gov/products/GAO-08-16]. [35] OMB defines a recovery audit program as an agency's overall plan for the performance of recovery audits and recovery activities. The head of the agency will determine the manner and combination of recovery audits and activities that are expected to yield the most cost- effective recovery audit program for the agency. [36] See Appendix C to OMB Circular No. A-123, pt. II. OMB guidance identifies the following types of overpayments or payment errors that a recovery audit should target: duplicate payments; errors on invoices or financing requests; failure to reduce payments by applicable sales discounts, cash discounts, rebates, or other allowances; payments for items not received; mathematical or other errors in determining payment amounts and executing payments; and failure to obtain credit for returned merchandise. [37] BRAC is the process DOD has used to reorganize its installation infrastructure to more efficiently and effectively support its forces, increase operational readiness, and facilitate new ways of doing business. According to DFAS, its largest vendor pay systems reviewed as part of the BRAC examination include Commercial Accounts Payable System- Windows (CAPS-W), Commercial Accounts Payable System-Clipper (CAPS- Clipper), Standard Accounting and Reporting System-One Pay (One Pay), and Integrated Accounts Payable System (IAPS). [38] DOD OIG Reports, Financial Management Contracts Classified as Unreconcilable by the Defense Finance and Accounting Service Columbus Contract NO. F30602-81-C-0153, D-2005-040 (Mar. 14, 2005) and Financial Management Contracts Classified as Unreconcilable by the Defense Finance and Accounting Service Columbus Contract DCAA09-81-G-2008/ 0031, D-2005-047 (Apr. 1, 2005). [39] We note that DCAA's voucher reviews and incurred cost audits might find some payments that are overpayments under the Recovery Auditing Act such as payments that are unallowable because they are duplicates. However, DCAA's work is not designed to detect all overpayments under the Recovery Auditing Act. [40] CDS is a debt collection and reporting system used by the DFAS- Columbus Debt Management Office to track new and existing contractor debt owed to the government. [41] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [42] On July 10, 2009, DOD informed us that the roles and responsibilities of the Recovery Auditing Project Officer would be included in its revised chapter in the DOD Financial Management Regulation, Volume 10, Chapter 22, "Recovery Auditing". DOD anticipates that the updated chapter will be published by the end of the fiscal year 2009. [43] For fiscal year 2007, the Project Officer for Improper Payments and Recovery Auditing had dual responsibility for overseeing DOD's improper payment and recovery auditing activities. In November 2007, DOD established the Recovery Auditing Project Officer position to oversee DOD's recovery audit program. The Office of the Comptroller informed us that the Recovery Auditing Project Officer estimated that up to 25 percent of her time was devoted to overseeing recovery auditing activities, as this was an added responsibility to other duties she was assigned in the Office of the Comptroller. From March 2008 to August 2008, due to staff turnover, DOD reverted back to one person who had dual improper payment and recovery auditing responsibilities. For this time period, the Project Officer for Improper Payments and Recovery Auditing told us that she devoted only 10 percent of her time to overseeing recovery auditing activities. Again, in September 2008, the Office of the Comptroller filled the Recovery Auditing Project Officer position and that person devoted between 35-40 percent of her time to overseeing recovery auditing activities at DOD. [44] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [45] Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002); and National Defense Authorization Act for Fiscal Year 2002, Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec. 28, 2001), codified at 31 U.S.C. §§ 3561-3567. [46] Appendix C to OMB Circular No. A-123, Requirements for Effective Measurement and Remediation of Improper Payments (Aug. 10, 2006). [47] DOD's Financial Management Regulation (FMR) Volume 4, Chapter 14, Improper Payments. [48] GAO, DOD Travel Cards: Control Weaknesses Led to Millions in Fraud, Waste, and Improper Payments, [hyperlink, http://www.gao.gov/products/GAO-04-825T] (Washington, D.C.: June 9, 2004); Financial Management: Challenges in Meeting the Requirements of the Improper Payments Information Act, [hyperlink, http://www.gao.gov/products/GAO-05-417] (Washington, D.C.: Mar. 31, 2005); Improper Payments: Agencies' Fiscal Year 2005 Reporting Under the Improper Payments Information Act Remains Incomplete, [hyperlink, http://www.gao.gov/products/GAO-07-92] (Washington, D.C.: Nov. 14, 2006); Improper Payments: Incomplete Reporting under the Improper Payments Information Act Masks the Extent of the Problem, [hyperlink, http://www.gao.gov/products/GAO-07-254T] (Washington, D.C.: Dec. 5, 2006); Improper Payments: Agencies' Efforts to Address Improper Payments and Recovery Auditing Requirements Continue, [hyperlink, http://www.gao.gov/products/GAO-07-635T] (Washington, D.C.: Mar. 29, 2007); and Improper Payments: Status of Agencies' Efforts to Address Improper Payment and Recovery Auditing Requirements, [hyperlink, http://www.gao.gov/products/GAO-08-438T] (Washington, D.C.: Jan. 31, 2008). [49] DOD OIG Reports, Identification and Reporting of DOD Erroneous Payments, D-2005-100 (Aug. 17, 2005); Identification and Reporting of Improper Payments through Recovery Auditing, D-2007-110 (July 9, 2007); and Identification and Reporting of Improper Payments by the Defense Logistics Agency, D-2008-096 (May 20, 2008). [50] See Appendix C to OMB Circular No. A-123, pt. II. [51] DOD FMR, Volume 5, Chapter 1 and Volume 10, Chapters 1, 18, 20, and 22. [52] GAO, Contract Management: Recovery Auditing Offers Potential to Identify Overpayments, [hyperlink, http://www.gao.gov/products/GAO/NSIAD-99-12] (Washington, D.C.: Dec. 3, 1998); Contract Management: DOD is Examining Opportunities to further Use Recovery Auditing, [hyperlink, http://www.gao.gov/products/GAO/NSIAD-99-78] (Washington, D.C.: Mar. 17, 1999); Recovery Auditing: Reducing Overpayments, Achieving Accountability, and the Government Waste Corrections Act of 1999, [hyperlink, http://www.gao.gov/products/GAO/T-NSIAD-99-213] (Washington, D.C.: June 29, 1999); and Contract Management: DOD Could Benefit From the Use of Internal Recovery Auditing, [hyperlink, http://www.gao.gov/products/GAO/NSIAD-00-66R] (Washington, D.C.: Mar. 10, 2000). [532] DOD OIG, Financial Management: DOD Recovery Audit Program, D-2005- 101 (Aug. 17, 2005); Identification and Reporting of Improper Payments Through Recovery Auditing, D-2007-110 (July 9, 2007). [54] [0] DCAA Contract Audit Manual chapter 6 and DCMA Guidebook Contract Closeout. [55] For military health benefits, its sample of denied claims used a confidence level of 80 percent, which was not in accordance with OMB guidance. However, we determined that this deviation was immaterial. [56] Appendix C to OMB Circular No. A-123, Requirements for Effective Measurement and Remediation of Improper Payments (Aug. 10, 2006). [57] For its other travel payment system, the Integrated Automated Travel System, DFAS performed a duplicate payment review for fiscal year 2007. We previously reported that these duplicate reviews cannot be used to estimate the value of improper payments to the entire population. DOD agreed with our recommendation to establish and implement procedures to report a valid improper payment estimate for the population. See GAO, DOD Travel Improper Payments: Fiscal Year 2006 Reporting Was Incomplete and Planned Improvement Efforts Face Challenges, [hyperlink, http://www.gao.gov/products/GAO-08-16] (Washington, D.C.: Dec. 14, 2007). We determined for fiscal year 2008 that DFAS had developed a statistically valid methodology to estimate its travel improper payments. [58] Army Korea did not submit its IPIA Survey response in time to be included in the fiscal year 2007 AFR. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: