This is the accessible text file for GAO report number GAO-10-908 entitled 'Telecommunications: FCC Should Assess the Design of the E- rate Program's Internal Control Structure' which was released on October 29, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: September 2010: Telecommunications: FCC Should Assess the Design of the E-rate Program's Internal Control Structure: GAO-10-908: GAO Highlights: Highlights of GAO-10-908, a report to congressional requesters. Why GAO Did This Study: Since 1998, the Federal Communications Commission’s (FCC) Schools and Libraries Universal Service Support Mechanism—commonly known as the “E- rate” program—has been a significant federal source of technology funding for schools and libraries. FCC designated the Universal Service Administrative Company (USAC) to administer the program. As requested, GAO examined the system of internal controls in place to safeguard E-rate program resources. This report discusses (1) the internal controls FCC and USAC have established and (2) whether the design of E-rate’s internal control structure appropriately considers program risks. GAO reviewed the program’s key internal controls, risk assessments, and policies and procedures; assessed the design of the internal control structure against federal standards for internal control; and interviewed FCC and USAC officials. What GAO Found: FCC and USAC have established many internal controls for the E-rate program’s core processes: (1) processing applications and making funding commitment decisions, (2) processing invoices requesting reimbursement, and (3) monitoring the effectiveness of internal controls though audits of schools and libraries that receive E-rate funding (beneficiaries). E-rate’s internal control structure centers around USAC’s complex, multilayered application review process. USAC has expanded the program’s internal control structure over time to address the program’s complexity and to address risks as they became apparent. In addition, USAC has contracted with independent public accountants to audit beneficiaries to identify and report beneficiary noncompliance with program rules. The design of E-rate’s internal control structure may not appropriately consider program risks. GAO found, for example, that USAC’s application review process incorporates a number of different types and levels of reviews, but that it was not clear whether this design was effectively and efficiently targeting resources to risks. Similarly, GAO found no controls in place to periodically check the accuracy of USAC’s automated invoice review process, again making it unclear whether resources are appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it has never conducted a robust risk assessment of the E-rate program’s core processes, although it has conducted risk assessments for other purposes, such as financial reporting. A risk assessment involving a critical examination of the entire E-rate program could help determine whether modifications to business practices and the internal control structure are needed to appropriately address the risks identified and better align program resources to risks. The internal control structure—once assessed and possibly adjusted on the basis of the results of a robust risk assessment—should then be periodically monitored to ensure that the control structure does not evolve in a way that fails to appropriately align resources to risks. The results of beneficiary audits are used to identify and report on E- rate compliance issues, but GAO found that the information gathered from the audits has not been effectively used to assess and modify the E-rate program’s internal controls. As a result, the same rule violations have been repeated each year for which beneficiary audits have been completed. For example, of 64 beneficiaries that had been audited more than once over a 3-year period, GAO found that 36 had repeat audit findings of the same rule violation. GAO found that the current beneficiary audit process lacks documented and approved policies and procedures. Without such policies and procedures, management may not have the assurance that control activities are appropriate and properly applied. Documented and approved policies and procedures could contribute positively to a systematic process for considering beneficiary audit findings when assessing the E-rate program’s internal controls and in identifying opportunities to modify existing controls. What GAO Recommends: GAO recommends that FCC conduct a robust risk assessment of the E-rate program, conduct a thorough examination of the overall design of E-rate’s internal control structure, implement a systematic process to assess internal controls that appropriately considers beneficiary audit findings, and establish procedures to periodically monitor controls. FCC agreed with GAO’s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-10-908] or key components. For more information, contact Mark Goldstein at (202) 512- 2834 or goldsteinm@gao.gov. [End of section] Contents: Letter: Background: FCC and USAC Have Put Many Internal Controls in Place for the E-rate Program: Design of E-rate's Internal Control Structure May Not Appropriately Consider Program Risks: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: E-rate Program Application, Funding, and Reimbursement Processes: Appendix III: Analysis of Selected E-rate Program Beneficiaries: Appendix IV: E-rate Program Full-Time-Equivalent Positions: Appendix V: Comments from the Federal Communications Commission: Appendix VI: Comments from the Universal Service Administrative Company: Appendix VII: GAO Contact and Staff Acknowledgments: Tables: Table 1: Results of USAC's Automated Validation Process, Calendar Years 2006 through 2009: Table 2: E-rate Application and Invoice Review Full-Time-Equivalent Positions, Calendar Years 2006 through 2009: Figures: Figure 1: E-rate Application Review Process: Figure 2: E-rate Invoice Review Process: Figure 3: Phases of USAC's Beneficiary Audit Process from 2006 to 2009: Abbreviations: COMAD: commitment adjustment: CPATS: Consolidated Post Audit Tracking System: FCC: Federal Communications Commission: FMFIA: Federal Managers' Financial Integrity Act of 1982: FTE: full-time-equivalent: IPATS: Improper Payment Audit Tracking System: IPIA: Improper Payments Information Act of 2002: ISTARS: Invoice Streamlined Tracking and Application Review System: MOU: memorandum of understanding: NCES: National Center for Education Statistics: NECA: National Exchange Carrier Association: NPRM: Notice of Proposed Rulemaking: OMB: Office of Management and Budget: PIA: Program Integrity Assurance: STARS: Streamlined Tracking and Application Review System: USAC: Universal Service Administrative Company: [End of section] United States Government Accountability Office: Washington, DC 20548: September 29, 2010: The Honorable Henry A. Waxman: Chairman: The Honorable John D. Dingell: Chairman Emeritus: The Honorable Joe Barton: Ranking Member: Committee on Energy and Commerce: House of Representatives: The Honorable Bart Stupak: Chairman: The Honorable Michael Burgess: Ranking Member: Subcommittee on Oversight and Investigations: Committee on Energy and Commerce: House of Representatives: The Honorable Greg Walden: House of Representatives: Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Service Support Mechanism--commonly known as the "E-rate" program[Footnote 1]--has been a significant federal source of technology funding for schools and libraries[Footnote 2] across the nation. Specifically, the E-rate program provides about $2 billion each year toward telecommunications services, Internet access, and data transmission wiring and components used for educational purposes. Schools and libraries apply each year for E-rate funding. Once an application is approved, the program reimburses a discounted portion of the cost of services or equipment. FCC designated the Universal Service Administrative Company (USAC), a not-for-profit corporation, to administer the E-rate program. USAC uses a subcontractor, Solix, Inc., a for-profit company, to carry out certain key aspects of the program, such as reviewing and approving funding applications and invoices. In the 13 years since FCC established the E-rate program, some instances of waste, fraud, and abuse on the part of program participants have come to light as a result of whistleblowers, audits, and criminal investigations, and a small number of E-rate participants have been convicted of defrauding the program. Historically, requests for E-rate discounts have exceeded the amount of funding available; thus, any excess payments to participants due to error, waste, fraud, or abuse represent funds that would otherwise have gone to eligible entities seeking support. Internal controls--that is, the plans, methods, and procedures that an entity puts in place to reduce the risk that a program will not achieve its goals and objectives--serve as the first line of defense in safeguarding program resources. In this context, you asked us to examine the system of internal controls in place for the E-rate program. This report addresses the following questions: (1) What actions have FCC and USAC taken to establish internal controls in the E-rate program? (2) Does the design of the E- rate program's internal control structure appropriately consider program risks? To answer these questions, we reviewed previous reports and studies of the E-rate program, including GAO reports and FCC Inspector General reports. We also reviewed legislation, regulations, FCC orders, and guidance pertaining to the E-rate program. We reviewed documentation of the program's key internal controls and risk assessments, and related policies and procedures. Specifically, we reviewed the design of the program's key internal controls for (1) processing applications and making funding commitment decisions, (2) processing invoices requesting reimbursement, and (3) monitoring the effectiveness of internal controls through audits of schools and libraries. We assessed the design of these internal controls against GAO's Standards for Internal Control in the Federal Government.[Footnote 3] We spoke with FCC, USAC, and Solix officials about program risks, the design and functioning of internal controls, and how internal controls are monitored and assessed. We also spoke with FCC and USAC officials about their audit processes and about audits of schools and libraries performed from 2006 to 2010. We obtained data from USAC on the results of its application and invoice review processes and audits. We met with experts at USAC and Solix to update our prior assessments of the data systems and determined that the data obtained from USAC were sufficiently reliable for the purposes of our review. See appendix I for additional information on our scope and methodology. We conducted this performance audit from August 2009 to September 2010 in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: The E-rate program provides eligible schools, school districts, libraries, and consortia[Footnote 4] with discounts on telecommunications services, Internet access, and data transmission wiring and components used for educational purposes.[Footnote 5] The program is funded through statutorily mandated payments into the Universal Service Fund by companies that provide interstate and international telecommunications services.[Footnote 6] Many of these companies, in turn, pass on their contribution costs to their subscribers through a line item on subscribers' telephone bills. FCC capped funding for E-rate at $2.25 billion per year, and program funds are used to cover the program's administrative costs, including the administrative services performed by USAC and Solix.[Footnote 7] Eligible schools and libraries may apply annually for program support and will qualify for a discount of 20 to 90 percent on the cost of eligible services, based on indicators of need.[Footnote 8] Based on the broad direction in the Telecommunications Act of 1996,[Footnote 9] FCC defined two general types of services that are eligible for E-rate discounts: * Priority 1 services include telecommunications services, such as local, long-distance, and wireless (e.g., cellular) telephone services, as well as data links (e.g., T-1 lines) and Internet access services, such as Web hosting and e-mail services--all of which receive first priority for the available funds under FCC's rules. * Priority 2 services include the cabling, components, routers, switches, and network servers that are necessary to transport information to individual classrooms, public rooms in a library, or eligible administrative areas, as well as basic maintenance of internal connections, such as the repair and upkeep of eligible hardware and basic technical support.[Footnote 10] USAC annually updates a list of specific, eligible products and services and the conditions under which they are eligible. The list is finalized by FCC after a public comment period and posted on USAC's Web site.[Footnote 11] Items ineligible for E-rate discounts include, among other things, end-user products and services, such as Internet content; Web-site content maintenance fees; end-user personal computers; and end-user software. FCC delegated to USAC the day-to-day administration of the E-rate program, subject to FCC rules and under FCC oversight.[Footnote 12] USAC has, in turn, subcontracted certain key aspects of E-rate program operations to Solix.[Footnote 13] The primary responsibilities of Solix staff include reviewing applications and processing invoices for reimbursement.[Footnote 14] About 20,000 schools and libraries applied for E-rate support in 2009, although Solix processes about 40,000 applications per funding year because schools and libraries can submit multiple applications in a single funding year (e.g., an applicant can submit separate applications for Priority 1 and Priority 2 services). The process for participating in the E-rate program, which is lengthy and complicated, is summarized in the following four main steps: 1. The applicant submits to USAC a description of the services for which the applicant is requesting a discount so that service providers (i.e., telecommunications companies or equipment providers) can bid through open competition. The applicant must also confirm that it has developed an approved technology plan that provides details on how it intends to integrate technology into its educational goals and curricula, as well as how it will pay for the costs of acquiring and maintaining the technology.[Footnote 15] 2. Once the service description has been available to potential bidders for 28 days, the applicant selects the most cost-effective service provider from the bids received and submits a Form 471 (Description of Services Ordered and Certification) application for the discounted service,[Footnote 16] which is processed by Solix. The applicant then calculates its discount level, certifies that it is an eligible entity, and certifies that it will abide by applicable laws and regulations. 3. Solix reviews the application and issues a funding commitment decision letter to the applicant and selected service provider. The decision letter indicates whether the application has been approved or denied.[Footnote 17] 4. If approved, the applicant--now a beneficiary--must confirm that services have started or have been delivered. After the service provider has submitted a bill, either the beneficiary or the service provider submits a reimbursement request form for Solix to process. The beneficiary or service provider can then be compensated from the Universal Service Fund for the discounted portion of the services. See appendix II for an overview of the E-rate program application, invoice, and reimbursement processes. A memorandum of understanding (MOU) between FCC and USAC assigns USAC the responsibility for implementing effective internal controls over the operation of the E-rate program.[Footnote 18] Through the MOU, FCC directed USAC to implement an internal control structure for the E- rate program that is consistent with the standards and guidance contained in the Office of Management and Budget's (OMB) Circular No. A-123, Management's Responsibility for Internal Control,[Footnote 19] including a methodology for assessing, documenting, and reporting on internal controls. In February 2008, USAC engaged an independent public accounting firm to assist in establishing a formal internal control review program. USAC placed responsibility for implementing this program under the direction of a senior manager of internal controls, a position it created in late 2008. USAC also created a Senior Management Council to support the implementation of the program.[Footnote 20] Under the MOU, USAC is also responsible for periodically reporting on its internal control activities to FCC's Office of Managing Director and Office of Inspector General. FCC also directed USAC to implement a comprehensive audit program to (1) ensure that Universal Service Fund monies are used for their intended purposes; (2) ensure that all Universal Service Fund contributors make the appropriate contributions in accordance with FCC rules; and (3) detect and deter potential waste, fraud, and abuse. To ensure compliance with FCC rules, USAC has periodically selected beneficiaries to audit. USAC also has conducted audits that were used to develop statistical estimates of error rates under the Improper Payments Information Act of 2002 (IPIA).[Footnote 21] From 2001 through 2006, USAC and other auditors conducted approximately 350 audits of E-rate program beneficiaries as part of the oversight of the E-rate program. Since 2006, USAC has conducted approximately 760 audits for both oversight and IPIA purposes. USAC is responsible for responding to the results of findings from audits of program beneficiaries, including recommendations to recover funds that may have been improperly disbursed to beneficiaries. We have produced a number of E-rate reports since the program was implemented in 1998, some of which addressed internal controls. [Footnote 22] In 2000, we reported that the application and invoice review procedures needed strengthening and made recommendations to improve internal control processes. In response to our recommendations and the findings of other parties that have reviewed USAC's processes, such as the FCC Inspector General, USAC has implemented a number of internal controls. In 2005, we reported that FCC had been slow to address problems raised by audit findings and had not made full use of the audit findings as a means to understand and resolve problems within the program.[Footnote 23] During the course of our work, in 2004, FCC concluded that a standardized, uniform process for resolving audit findings was necessary and directed USAC to submit to FCC a proposal for resolving all audit findings and recommendations. FCC also instructed USAC to specify deadlines in its proposals "to ensure audit findings are resolved in a timely manner."[Footnote 24] USAC submitted its Proposed Audit Resolution Plan to FCC in October 2004. Although FCC has not formally approved the plan, since 2004 it has periodically issued directives and guidance to USAC to clarify aspects of the plan's design and implementation. A number of our reports have also found that the E-rate program lacks performance goals and measures, and we have recommended that FCC define annual, outcome- oriented performance goals for the program that are linked to its overarching goal of providing services to schools and libraries. While FCC has undertaken various efforts to address this recommendation, [Footnote 25] it has not yet established meaningful goals and performance measures for the E-rate program. In our 2009 E-rate report, we found that some nonparticipating schools and libraries elected not to apply to the program because they considered the process to be too burdensome (e.g., too complex, time- consuming, or resource-intensive). We also found that a substantial amount of funding was denied because applicants did not correctly carry out application procedures.[Footnote 26] In March 2010, an FCC task force released a National Broadband Plan that acknowledges the complexity inherent in the E-rate program and recommends, among other things, that FCC streamline the application process.[Footnote 27] For example, the National Broadband Plan notes that E-rate's procedural complexities can sometimes result in applicant mistakes and unnecessary administrative costs as well as deter eligible entities from applying. In the National Broadband Plan, the task force suggests that FCC can ease the burden on applicants for Priority 1 services that enter into multiyear contracts, and that applications for small amounts could be streamlined with a simplified application similar to the "1040EZ" form the Internal Revenue Service makes available to qualifying taxpayers. In May 2010, as part of its efforts to begin implementing the vision of the National Broadband Plan, FCC released a Notice of Proposed Rulemaking (NPRM) to solicit comments about potential changes to the E-rate program.[Footnote 28] FCC stated in the NPRM that it is time to reexamine what is working well in the current program and what can be improved. On September 23, 2010, FCC adopted an order (the order had not yet been released at the time our report was issued) in response to the May 2010 NPRM. According to FCC's press release, the order improves the ability of schools and libraries to connect to the Internet in the most cost-effective way, allows schools to provide Internet access to the local community after school hours, indexes the E-rate funding cap to inflation, and streamlines the E-rate application process.[Footnote 29] FCC and USAC Have Put Many Internal Controls in Place for the E-rate Program: According to GAO's standards for internal control, "control activities" are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives and help ensure that actions are taken to reasonably address program risks. For our review of the design of E-rate's internal control structure, we classified the control activities into three broad areas: (1) processing applications for discounted service and making funding commitment decisions, (2) processing invoices requesting reimbursement, and (3) monitoring the effectiveness of internal controls through audits of schools and libraries. We found that FCC and USAC have established a number of internal controls in each of these three areas. Processing Applications and Making Funding Commitment Decisions: E-rate's internal control structure centers around USAC's complex, multilayered, Program Integrity Assurance (PIA) application review process. This process entails the specific internal controls that are applied to applications as they undergo the initial review for eligibility as well as a layered review process to ensure that the initial review was conducted appropriately and that the correct funding decision was reached. As applicants submit their Form 471 applications for discounted service, Solix assigns each applicant to a PIA reviewer who examines the form. USAC's funding year 2009 PIA Form 471 Review Procedures manual contains approximately 700 pages of detailed instructions and flowcharts for Solix's PIA reviewers to follow in addressing the various parts of the Form 471. The procedures are meant to ensure that the applicant, service provider, and requested services are eligible under the program, and that the applicant is in compliance with all of the E-rate rules. For example: * To verify that an applicant is eligible for the program, the manual directs the PIA reviewer through a potential 39-step process that involves confirming information about the applicant either through USAC-approved, third-party sources or by contacting the applicant directly for documentation to support eligibility.[Footnote 30] To verify that the service provider is eligible to provide telecommunications services for the program, the reviewer is to determine that FCC has registered the service provider as an approved telecommunications provider. * As a part of verifying that an applicant's requested discount rate is accurate, the automated application system will trigger an "exception" if the discount rate on the application meets certain conditions. The manual provides instructions to the reviewer on what procedures to follow to verify that the discount rate is appropriate. * To verify that the requested services are eligible for E-rate funding, the reviewer is to determine whether products and services requested in an application for discount qualify for support. This determination can be based on the categorization and information in FCC's annual Eligible Services List, a more detailed list of specific equipment that USAC maintains, or consultation with a team of Solix technical experts. In addition to the specific internal control procedures that are part of the initial PIA review, USAC maintains a multilevel application review process as part of its internal control structure. Figure 1 illustrates the E-rate application review process. Figure 1: E-rate Application Review Process: [Refer to PDF for image: illustration] Application filed: PIA final review (all applications): 3 possible review options: 1) go directly to PIA initial review, or: Heightened scrutiny reviews: * Selective Review Team: Applications that are identified as high risk are referred to this review team, which performs a combination of detailed reviews of the applicant’s budget, technology plan, competitive bidding process, and resources necessary to support the telecommunications service for which the applicant is requesting a discount. This team also performs endowment and consortium reviews for certain applications. * Special Compliance Review Team: This team performs reviews that are tailored to address specific issues and allegations, many of which originate from sources outside of the PIA application review process, such as the Whistleblower Hotline, FCC Office of the Inspector General audits, law enforcement investigations, and press reports. It can refer applications to other review teams that it believes can perform the most appropriate review to address the issue, such as the selective review team. PIA initial review (all applications): 3 options: Go directly to Funding commitment decision, or: * Solix QA review (sample): * USAC QA review (sample): Funding commitment decision. Source: GAO analysis of FCC and USAC information. QA - quality assurance [End of figure] Over time, USAC has expanded its application review process by adding more types of reviews--such as "cost-effectiveness" and "special compliance" reviews--to address specific risks. The PIA initial and final reviews, selective reviews, and quality assurance reviews were components of the original application review process and are still part of the current internal control structure. Solix staff perform these reviews. USAC staff then follow up with an independent quality assurance review process for each of the other types of reviews. * Regular PIA Review: As part of the multilevel process, all applications undergo an initial review and a separate final review. The PIA process is partially automated but involves a significant amount of manual review as well. Issues that are identified as potential errors or violations of program rules, either in the automated system or by manual review, trigger exceptions that are addressed by the Solix initial reviewer. The PIA process can trigger dozens of different types of exceptions, each representing a potential type of error or issue within an application that must be resolved before reaching a funding decision. After the initial review is completed, a final review is conducted by a more experienced reviewer. If the final reviewer finds an error by the initial reviewer, the application is returned to the initial reviewer for further work. As part of the regular PIA review process, after final reviews, a portion of the applications that are ready for commitment is then sampled by the Solix Quality Assurance Team. If the Solix quality assurance reviewer finds an error or issue during the review, the reviewer returns the application to the initial reviewer to address the issue. Finally, USAC conducts independent quality assurance reviews. For these reviews, USAC staff select a sample of applications for review, including some that were selected for Solix's quality assurance review, to determine the accuracy of the application review process. Like the Solix quality assurance reviewer, USAC staff return the application back to the appropriate reviewer for further review if they discover an issue or error. * Selective Review: High-risk applications, identified through either automated aspects of the PIA system or by a PIA reviewer, undergo an additional, more detailed review from Solix's selective review team. The selective review team obtains additional information from the applicant and uses that information to help determine eligibility for E-rate funding. Applications meeting certain criteria may also go through other reviews by the selective review team. For example, the selective review team reviews applications from consortia of schools and libraries to determine whether members of the consortia are aware of their financial obligations to participate in the program, or examines applications from private schools to ensure that they do not have endowments exceeding $50 million, which would make them ineligible for E-rate funding under the statute.[Footnote 31] Applications that undergo selective reviews are also subject to final reviews and may be selected for Solix and USAC quality assurance reviews. Since the PIA review process was implemented, USAC has expanded the process in response to internal control concerns. In addition to selective reviews, USAC has implemented "special compliance" and "cost- effectiveness" reviews. Special compliance reviews, established in 1999, are tailored to address specific issues and allegations, many of which originate outside of the PIA application review process, such as from the Whistleblower Hotline, FCC Office of Inspector General audits, law enforcement investigations, and press reports.[Footnote 32] These reviews are performed by a separate team, similar to the selective review team, and constitute the additional heightened scrutiny review process that supplements the regular PIA review process. USAC created the cost-effectiveness review team in 2005 as a separate team within the PIA review team in response to an FCC order directing USAC to reduce fraud, waste, and abuse.[Footnote 33] In the order, FCC also sought comments on the benefits of establishing benchmarks to determine whether a service requested under the E-rate program is cost-effective, as defined by program requirements. In response, USAC developed cost benchmarks for eligible products and services. The cost-effectiveness team reviews applications that have been flagged by the PIA review process as exceeding these cost benchmarks. Some applications are reviewed by more than one of these teams. For example, the special compliance team may determine that a review by the cost-effectiveness team or the selective review team will best address specific issues of concern in an application. Processing Invoices Requesting Reimbursement: Much of the E-rate invoice review process is automated and incorporates steps to help ensure accuracy. The invoice forms that beneficiaries and service providers file contain general information about the funding request, such as the application and funding request number for which they are seeking reimbursement, the billing frequency and billing date, the date of service delivery, and the discounted amount billed to USAC. Both the beneficiary and the service provider must certify on their forms that the information they are providing is accurate. When an invoice is filed, Solix runs nightly systemic checks of the individual lines on the invoice using an automated validation process that compares the information in the invoice line with the information in the system for the associated funding request. The automated process triggered an average of 166 edit checks from calendar years 2006 through 2009 that served to approve an invoice line for full or partial payment, reject the invoice line, or send the invoice line for a manual review.[Footnote 34] Similar to the PIA application review process, the manual review process for an invoice line includes an initial and final review from Solix staff, and can be selected for a Solix quality assurance review and a USAC quality check before a final payment decision. A completed invoice line--an invoice line for which Solix has either approved or denied payment--is forwarded to USAC for final approval.[Footnote 35] Once the line item is approved, USAC generates a payment to the service provider. [Footnote 36] Figure 2 illustrates the E-rate invoicing process. Figure 2: E-rate Invoice Review Process: [Refer to PDF for image: illustration] Provider or beneficiary submits an invoice: Automated validation process: 3 review paths: 1) go directly to approved for total or partial payment; or: 2) go directly to denial; or: 3) Manual review: to final review, or: On hold (If placed on hold, invoice lines are released, when approved, by whichever reviewer placed the hold). From final review to: Solix QA (sample): USAC QC (sample): 1) approved for total or partial payment; or: 2) denial: USAC approval of decision. QA - quality assurance. QC - quality check. Source: GAO analysis of FCC and USAC information. [End of figure] See appendix IV for more information about the USAC and Solix staffing resources dedicated to E-rate application and invoice reviews. Monitoring the Effectiveness of Internal Controls through Audits of Schools and Libraries: USAC contracted with independent public accountants from 2006 to 2009 to perform audits used to estimate, under IPIA, the amount of improper payments that are made to program beneficiaries.[Footnote 37] These audits also were used to test compliance with program eligibility requirements and program rules. The beneficiary audit process has four phases--audit performance, audit resolution, audit response, and audit follow-up (see figure 3). Figure 3: Phases of USAC's Beneficiary Audit Process from 2006 to 2009: [Refer to PDF for image: illustration] Audit performance: * USAC contracts with independent public accounting firms to audit program beneficiaries; * USAC and FCC’s Inspector General select program beneficiaries on a random basis for audit; * USAC provides auditors with relevant information on the beneficiaries selected for audit, such as eligibility information and the amount and nature of reimbursements; * Auditors perform audits and issue preliminary draft audit reports to program beneficiaries; * Auditors consider information provided by program beneficiaries in response to the preliminary draft audit report (e.g., additional documentation in support of reimbursements received) and any written responses to the preliminary findings[A]; * USAC contracts with separate audit firms to perform selected quality assurance reviews of the beneficiary audits[B]; * Auditors issue final audit reports to USAC. Audit resolution[C]: * USAC and the program beneficiaries review the final audit reports; * Program beneficiaries may provide USAC with written responses to audit findings; * USAC prepares a statement for the Schools & Libraries Committee of USAC’s Board of Directors regarding whether it concurs with the findings listed in the audit reports[D]; * The Schools & Libraries Committee reviews and approves final audit reports and USAC’s management response. Audit response: * USAC contacts the program beneficiaries to discuss the audit findings and may obtain documentation not previously provided to the auditor that results in modification or elimination of the audit findings; * Program beneficiaries that received noncompliant audit opinions provide USAC with action plans for addressing audit findings; * USAC prepares a corrective action plan to address findings of noncompliant audit opinions; * USAC communicates final audit results and, if necessary, requires corrective actions by program beneficiaries. Audit follow-up: * Program beneficiaries that received noncompliant audit opinions may periodically communicate with USAC on the status of their corrective actions; * USAC obtains documentation from program beneficiaries verifying that corrective actions were taken; * USAC resolves improper payments by pursuing collection of the amounts deemed improperly paid or by offsetting the amount owed against outstanding funding commitments[E]; * USAC transfers to FCC responsibility for collection of improper payments if beneficiaries have not made restitution within 60 days after USAC issues first demand letter[F]; * FCC reviews audit reports and corrective action plans and may, at its discretion, direct USAC to take an alternative action; * FCC reviews and approves USAC decisions to close audit findings. Source: GAO analysis of USAC audit process. [A] USAC officials told us that the auditor decides whether the documentation is sufficient to eliminate or modify a finding that is included in the draft report. If the auditee does not meet deadlines for providing documentation, the auditor finalizes the draft report and indicates that no response was received. [B] The task orders USAC issued to the auditors that perform the quality assurance reviews state that the auditors will (1) assess whether the audit firms complied with generally accepted government auditing standards in planning and conducting the audit and reporting the results and (2) compare the findings and conclusions of the audit results data entered by the audit firms into USAC's audit database with the firm's audit documentation. [C] Before formally responding to audit findings, USAC--in conjunction with FCC in certain circumstances--determines whether the audit findings constitute violations of FCC rules. Once these determinations have been made and the Schools & Libraries Committee of USAC's Board of Directors has approved an audit report, USAC provides beneficiaries with information relevant to the audit findings in an effort to prevent future rule violations, seeks recovery of funds from beneficiaries that have violated FCC rules, and takes action to prohibit future disbursements to beneficiaries that have been found to be significantly noncompliant with FCC rules. [D] The Schools & Libraries Committee has the power and authority to act on behalf of USAC regarding the performance and administration of various program functions, including the performance of beneficiary audits. [E] USAC officials told us that they seek recovery of an improper payment from a service provider when the service provider is found to have caused the improper payment. [F] USAC and FCC temporarily halt efforts to collect improperly disbursed funds when a beneficiary files an appeal. [End of figure] During the audit response and audit follow-up phases, USAC provides periodic reports to its Board of Directors, FCC, and the FCC Inspector General on the status of audit findings and corrective and recovery actions. For example, USAC prepares a monthly report on the status of all monetary and nonmonetary audit findings and a semiannual report on the status of all audit recoveries. According to USAC officials, USAC created a Performance Assessment and Reporting unit in January 2009 that has, among other things, developed an audit process that uses the results of beneficiary audits to evaluate and report on whether schools and libraries have complied with E-rate program requirements and to estimate the amount of improper payments. Design of E-rate's Internal Control Structure May Not Appropriately Consider Program Risks: The overall design of the E-rate program is complex, and FCC's changes to the program over time through orders and guidance have made it more so. This increasing complexity, in turn, has led USAC to expand the E- rate program's internal control structure over time to address program complexity and to address risks to the program as they became apparent. Although USAC has performed financial reporting and fraud risk assessments, USAC has not conducted a robust risk assessment of the E-rate program and, consequently, may not be efficiently using its resources to reasonably target program risks. E-rate Program Lacks Meaningful Goals and a Robust Risk Assessment: In July 1998, we testified before the Senate Committee on Commerce, Science, and Transportation about the implementation of the E-rate program and recommended that FCC develop goals, measures, and performance targets for E-rate.[Footnote 38] We have continued to note FCC's lack of goals and adequate performance measures for E-rate for more than a decade. Most recently, we recommended in our March 2009 report that FCC review the purpose and structure of the E-rate program and prepare a report to the appropriate congressional committees identifying FCC's strategic vision for the program. As we have previously mentioned, FCC released an NPRM in May 2010 seeking comment on several proposed reforms of the E-rate program but has not addressed our recommendations regarding goals and performance measures or identifying a strategic vision for the program. FCC's lack of goals and performance measures affects the internal control structure of the program because, as set forth in GAO's Standards for Internal Control in the Federal Government,[Footnote 39] a precondition to risk assessment is the establishment of clear, consistent agency objectives. When clear program objectives are established up front, the internal control structure can then be designed around the fundamental risk that program objectives will not be met. When we testified before the committee in 1998, we stated that USAC had not finalized all of the necessary procedures and related internal controls for E-rate, even though USAC was close to issuing the first funding commitment letters. FCC had worked to quickly establish the E- rate program so that schools and libraries could begin benefiting from the program. However, this effort resulted in FCC establishing the program without clear objectives and quickly designing an internal control structure to help prevent and detect fraud, waste, and abuse. This internal control structure, however, was not designed on the basis of a robust risk assessment of the E-rate program. To date, FCC has not conducted a robust risk assessment of the E-rate program that is based on the program's core processes and business practices. Although USAC has undertaken several efforts to assess risk, these efforts have been in relation to assessing risk for other purposes, such as Universal Service Fund financial reporting, and not to assess risk specifically in the E-rate program. Most recently, in February 2008, USAC hired an independent public accounting firm to conduct an assessment of USAC's internal controls under OMB Circular No. A-123. However, the 2008 internal control review focused primarily on the Universal Service Fund and on USAC's internal controls regarding financial reporting, not programmatic activities. The accounting firm that performed the review made recommendations to USAC that included overall changes to USAC's administration of the Universal Service Fund and the other universal service programs. Some of the accounting firm's recommendations specifically addressed the E- rate program. For example, the review discussed the challenge that USAC encounters in overseeing Solix from a remote location[Footnote 40] and made recommendations to enhance USAC's oversight of Solix's operations.[Footnote 41] Although USAC took actions to address the recommendations in the 2008 review, the review had not focused on the overall internal control structure of the E-rate program. USAC officials told us that its own internal controls team again assessed USAC's controls beginning in the fourth quarter of 2009. However, USAC officials noted that the scope of the testing was similar to that conducted by the public accounting firm in 2008. Consequently, USAC's assessment, like that of the public accounting firm, was performed in relation to Universal Service Fund financial reporting--not to the overall internal control structure of the E-rate program. In addition to these activities, in 2009, USAC completed a fraud risk assessment for FCC. The purpose of this assessment was to help USAC managers and staff assess the adequacy of existing controls and determine whether additional fraud countermeasures were required. As with the 2008 internal control review, the fraud risk assessment focused on the Universal Service Fund as a whole, not on the E-rate program specifically, although part of the review did examine E-rate program administration. The review examined 24 control measures that were in place for the program. The review determined that 4 of those control measures addressed risks that were "moderate," while 12 addressed risks that were "low" and 8 that were "very low."[Footnote 42] In addition, USAC's Internal Audit Division produced a risk register for the E-rate program that identified risks; applied a "gross risk analysis"; noted the mitigating controls; and then calculated the "residual risk," given the mitigating controls. According to documentation, the risk register was based on Internal Audit Division interviews with USAC staff in 2008. These various efforts to assess risk--that is, the 2008 review of internal controls, USAC's update of that review, and the fraud risk assessment--illustrate that FCC and USAC management are conscientious about having an internal control structure in place that safeguards program funding and resources. However, these prior efforts have not risen to the level of the risk assessment that is intended under the GAO standards for internal control. Ideally, under those standards, FCC would first establish clear objectives for the E-rate program, and management would then comprehensively identify risks to meeting those objectives. The assessments undertaken to date, while important to proper stewardship of government funds, have focused primarily on financial reporting requirements and the specific internal controls that were already in place, which have developed and evolved over time around the rules that govern the program. To date, FCC has not directed USAC to undertake a robust risk assessment that would involve a critical examination of the entire E-rate program to determine whether modifications to business practices and internal controls are necessary to cost-effectively address programmatic risks. Internal Controls Have Grown Over Time, and Multiple Layers of Application Reviews May Not Effectively Target Risk: Lacking a robust risk assessment, USAC has responded to risks largely by expanding the PIA process. The processes within these review levels have grown increasingly complex, and it is unclear whether these reviews appropriately target risk. For example, subjecting every application to multiple layers of review may not be the most efficient or effective method to address programmatic risks. As we have previously described, all applications are subject to at least two reviews, the initial and final PIA reviews. USAC implemented the final reviews, as well as the two levels of quality assurance reviews, to find potential errors in the initial reviews and assess the integrity of the PIA review process. However, we found large discrepancies in the number of returns triggered by the final reviewer's evaluation of the initial reviewer's actions in response to each exception. One type of exception triggered final reviewers to return 4,722 applications to the initial reviewer during funding years 2006 through 2009. This exception, which related to determining the eligibility of telecommunications service, comprised 62 percent of all final review returns during the period. At the same time, errors related to 13 other exceptions were the source of either zero or 1 return by a final reviewer. These data suggest that the design of the internal controls could be inefficiently using resources. It may be possible to target the internal controls toward applications that trigger exceptions that are more likely to be returned by final reviewers and those that are more likely to trigger an adjustment to an application's eligibility or funding commitment. The PIA review process has also become more complex in response to USAC's efforts to ensure that the applicant has complied with FCC rules as they have changed and evolved. For example, each year, USAC or Solix may propose to eliminate exceptions targeting issues that are no longer of concern or add exceptions to the PIA review process to address new areas of concern. However, from funding years 2006 through 2009, the total number of exceptions in the PIA process grew from 67 to 84 (about a 25 percent increase). The increasing complexity of the review process is also illustrated by the procedures involved in determining service and equipment eligibility. USAC maintains a list of approved services and equipment that are eligible for an E-rate discount. This list is based on broader guidance that USAC posts annually for applicants. It has grown from approximately 6,000 to 8,000 eligible items--about a 32 percent increase from funding years 2006 through 2009.[Footnote 43] In addition, USAC has developed a complex process to determine whether the services and equipment requested in applications are eligible, conditionally eligible, or partially eligible. For example, if a school with a 75 percent discount rate applies for a piece of equipment that will only be used for eligible purposes 60 percent of the time, then, under FCC rules, only 60 percent of the cost of the equipment is eligible for a 75 percent discount. In determining service and equipment eligibility, PIA reviewers rely on a detailed list that includes guidance on the specific makes and models of thousands of products. Solix has hired a small number of staff with technical backgrounds to further assist PIA reviewers in resolving technical questions about the eligibility of services or equipment. This approach of adding controls to address risks as they become apparent, or to address rule changes coming from FCC, leads to an accretion of internal controls that affects the overall internal control structure over time. While it is appropriate to respond to findings of risk and add internal controls as the program progresses, FCC and USAC have not done enough to proactively address internal controls or to step back and examine how the internal control structure has evolved. Without assessing risk and the internal control structure, USAC cannot be sure whether it is appropriately allocating resources to reasonably target risks. Automated Invoice Review Process May Not Appropriately Target Risk: The internal control structure around the E-rate invoicing process is more limited than the structure around the application review process, but it is again not clear that the controls in place appropriately target risks. For example, there is no further review of the 91 percent of invoice lines--and almost 60 percent of dollars requested-- that pass through the automated review process without further manual review (see table 1). According to GAO's internal control standards, control activities should be regularly monitored to ensure that they are working as intended.[Footnote 44] However, there is no process or procedure for confirming that Solix's automated validation process accurately reimburses providers and beneficiaries because USAC does not have a process for conducting random accuracy checks of completed invoice lines that have not been manually reviewed. These payments are not compared with an actual bill of service, unless such a comparison is done as part of a beneficiary audit.[Footnote 45] USAC officials indicated that on occasion, they pull some automated final payment determinations to verify their accuracy. However, USAC has no official procedure or process in place requiring it to verify these data or to track the results. Also, USAC officials could not determine how often or how many invoices they pull for verification. Neither USAC nor Solix regularly conducts random quality assurance checks of sample invoice lines that the automated validation process has approved or rejected to help verify the accuracy of the automated process. Therefore, there is no verification that the items or services for which service providers or beneficiaries are seeking reimbursement were actually included in the list of the items or services Solix approved and committed to fund. Table 1: Results of USAC's Automated Validation Process, Calendar Years 2006 through 2009: Dollars in millions. Calendar year: 2006; Invoice lines processed, by number and dollar value: Not manually reviewed: Number: 349,529; Not manually reviewed: Amount: $1,293; Manually reviewed: Number: 30,548; Manually reviewed: Amount: $901; Total: Number: 380,077; Total: Amount: $2,164. Calendar year: 2007; Invoice lines processed, by number and dollar value: Not manually reviewed: Number: 405,439; Not manually reviewed: Amount: $1,459; Manually reviewed: Number: 39,070; Manually reviewed: Amount: $1,031; Total: Number: 444,509; Total: Amount: $2,490. Calendar year: 2008; Invoice lines processed, by number and dollar value: Not manually reviewed: Number: 414,692; Not manually reviewed: Amount: $1,434; Manually reviewed: Number: 41,811; Manually reviewed: Amount: $985; Total: Number: 456,503; Total: Amount: $2,419. Calendar year: 2009; Invoice lines processed, by number and dollar value: Not manually reviewed: Number: 408,789; Not manually reviewed: Amount: $1,385; Manually reviewed: Number: 44,229; Manually reviewed: Amount: $1,046; Total: Number: 453,018; Total: Amount: $2,431. Calendar year: Total; Invoice lines processed, by number and dollar value: Not manually reviewed: Number: 1,578,449; Not manually reviewed: Amount: $5,570; Manually reviewed: Number: 155,658; Manually reviewed: Amount: $3,963; Total: Number: 1,734,107; Total: Amount: $9,503. Percentage of total number/amount: Invoice lines processed, by number and dollar value: Not manually reviewed: Number: 91%; Not manually reviewed: Amount: 59%; Manually reviewed: Number: 9%; Manually reviewed: Amount: 42%. Source: USAC. Note: Totals may not add because of rounding. [End of table] The invoice review process provides another opportunity, in addition to the application review process, to identify whether the beneficiary has requested reimbursement for eligible equipment and services. However, the invoice review process closely examines only a limited number of invoices to determine what services are being funded. Specifically, about 9 percent of invoice lines undergo a manual review; although, to USAC's credit, the manual reviews do appear to target risk by representing about 42 percent of dollars requested (see table 1).[Footnote 46] Invoice lines are generally chosen for a special manual review because they are considered to be "high risk." A reviewer may determine that the manually reviewed invoice lines be fully paid, partially paid, denied, or placed "on hold."[Footnote 47] An invoice is put on hold during a manual review either as a result of the procedures for a specific type of review or as a result of instructions by the USAC or Solix group requesting special review. Most of the edits that trigger an invoice for manual review require that the reviewer obtain a copy of the actual bill of service. All invoice lines that receive a manual review also receive a secondary, final review. In addition, Solix and USAC sample manually reviewed invoice lines for a quality assurance review prior to payment. [Footnote 48] In response to our work, USAC stated in its comments on our draft report that it has begun to develop a process to randomly sample invoices that are only reviewed through the automated process. USAC stated that it expects this process to supplement its new Payment Quality Assurance program that was put in place in August 2010, which will randomly test the accuracy of E-rate disbursements for the purpose of estimating rates of improper payments. We also found that USAC does not have a single document or procedures manual that documents the invoice review process. Policies and procedures are forms of controls that help to ensure that management's directives to mitigate risks are carried out. Control activities are essential for proper stewardship and accountability for government resources and for achieving effective and efficient program results. We requested an invoice review procedures manual from USAC. USAC officials provided a collection of stand-alone documents that each cover various parts of the process and procedures. The numerous individual documents that USAC officials provided in response to our request included descriptions of the procedures a reviewer would follow to manually review an invoice line as well as the procedures for a second or final review. We also obtained descriptions of the automatic validation process and the Solix and USAC quality assurance review procedures. USAC officials noted that the various documents are housed electronically in a central location. However, the documents being housed electronically in a central location differs from the lengthy and detailed PIA procedures manual, which provides, in a single document, an overview of the application review process as well as detailed descriptions of activities a reviewer must follow to address a specific exception. The procedures manual also goes on to explain the multiple layers of the application review process. In response to our work, USAC has stated that it plans to create a single manual that documents the entire invoice review process. Audit Findings Are Not Effectively Considered in Assessing Internal Controls of the E-rate Program: Although FCC and USAC use the results of beneficiary audits to identify and report beneficiary noncompliance, they have not effectively used the information gained from audits to assess and modify the E-rate program's internal controls. A systematic approach to considering the results of beneficiary audits could help identify opportunities for improving internal controls. Lessons learned from an analysis of audit results could, for example, lead to modifications of the application and invoice approval processes as well as modifications to the nature, extent, or scope of the beneficiary audits. Furthermore, the audit process that USAC currently uses is not governed by a set of documented and approved policies and procedures. The process used is a combination of the procedures contained in an audit resolution plan drafted in 2004 and other procedures developed and implemented since 2004. GAO's standards for internal control provide that when identifying and assessing risks, management should consider the findings from audits, the history of improper payments, and the complexity of the program. These standards also state that management should consider audit findings when assessing the effectiveness of internal controls, including determining the extent to which internal controls are being monitored, assessing whether appropriate policies and procedures exist, and assessing whether they are properly maintained and periodically updated. We obtained information from USAC management on audits that had been completed to identify how and to what extent the results of beneficiary audits were considered in assessing internal controls for the E-rate program. USAC officials provided us with management reports on the results of E-rate beneficiary audits completed in 2006, 2007, and 2008.[Footnote 49] These reports identified the nature and extent of beneficiary noncompliance with E-rate requirements. However, the information did not demonstrate whether USAC had identified and assessed the specific E-rate program risks and core causes of beneficiary noncompliance. USAC officials also provided us with a list of suggested actions that could be taken to prevent and reduce improper payments across all of the Universal Service Fund programs, along with estimates of the resources that would be required to implement these actions. The list, which USAC initially provided to FCC in response to its request, included a suggested action to perform assessments of USAC's internal controls in accordance with applicable OMB guidance.[Footnote 50] However, the information provided to us did not explain how the suggested actions would address specific program risks. Moreover, assessment of internal controls with identification of risks and vulnerabilities should occur before specific, targeted actions can be identified. USAC officials told us that they performed assessments of internal controls for 2008 and 2009. However, as we describe in this report, these assessments primarily focused on USAC's controls over financial reporting and were not designed to identify and address specific E-rate program risks and vulnerabilities. We found that, although FCC and USAC have taken actions to address audit findings, the same rule violations, such as reimbursements for ineligible services or for services at higher rates than authorized, were repeated in each funding year for which beneficiary audits were completed.[Footnote 51] Furthermore, we found that FCC and USAC have not analyzed the findings from beneficiary audits to determine whether corrective actions implemented by beneficiaries in response to previous audits were effective. We analyzed the audit findings from 3 years' worth of audits to identify the extent of repeat findings. Of the 655 beneficiaries that were audited from 2006 through February 2010, 64 were audited more than once. Of those 64 beneficiaries, 36 had repeat audit findings of the same program rule violation, such as those that we previously mentioned, in each of the audited years. [Footnote 52] Instances of repeat audit findings and the likelihood that they would be identified in successive audits are examples of the risks and vulnerabilities that, once identified and assessed, could inform the E-rate program's internal controls, including providing data about where modifications to the nature, extent, or scope of beneficiary audits are most needed. Moreover, goals and metrics for reducing the rate of program rule violations by beneficiaries and service providers are important elements to provide incentives and focus on properly identifying and assessing the E-rate program's internal controls and monitoring the effect that implemented control strategies have on beneficiary compliance. However, according to FCC officials, they have not developed specific goals and do not have metrics to measure progress made.[Footnote 53] Timely resolution of audit findings and approval of beneficiary audit reports are important components of a systematic process for assessing and continuously modifying internal controls for the E-rate program. We found that the beneficiary audit process did not result in the timely resolution of audit findings and approval of audit reports. For example, the average time between when USAC received a draft audit report and when the USAC board's Schools & Libraries Committee approved the final audit report was approximately 224 days.[Footnote 54] As of April 2010, nearly 20 percent of these audits had not been approved by the committee. According to USAC officials, internal reviews of all audit findings, as well as quality assurance reviews and other internal processes, can take several months. However, this means that the results of 1 year's audits are not available to be used in assessing internal controls until after the following year. According to USAC officials, the increases in the number and timing of IPIA beneficiary audits have adversely affected their ability to effectively complete audit follow-up work in a timely manner. To begin to address this issue, FCC and USAC officials met with OMB staff to discuss the approach used to develop estimates of improper payments and modifications to the methodology used that would also address workload issues. FCC and USAC officials stated that beginning in fiscal year 2011, the improper payments estimate for the program will be based on tests of a sample of monthly disbursements using the USAC- designed Payment Quality Assurance program. Also according to these officials, beginning in fiscal year 2011, beneficiary audits will be performed using a USAC-designed compliance audit program. We also found that FCC and USAC do not have documented and approved policies and procedures for the beneficiary audit process. Without documented and approved policies and procedures, management may lack assurance that control activities are appropriate, actually applied, and applied properly. Policies and procedures could also contribute positively to a systematic process for considering audit results when assessing the program's internal controls and in identifying opportunities for modifications to existing controls. We determined that FCC and USAC's audit process currently used for the E-rate program is essentially a combination of procedures contained in the 2004 draft audit resolution plan, periodic directives from FCC to USAC, and procedures that USAC management have implemented (either formally or informally) over the last 6 years. As of August 2010, FCC had not approved the draft audit resolution plan. According to USAC officials, USAC has implemented most aspects of the plan and refined and revised it over time. However, our work showed that the procedures set forth in the various documents are not consistent with one another or with USAC's current practices for addressing audit findings. For example, the draft audit resolution plan states that a response to audit findings will be developed within 60 days of receipt of a final audit report, yet the deadline is 30 days according to the Schools & Libraries Division's audit response procedures. Also, the audit resolution plan states that USAC's Audit Committee will review and approve the final beneficiary audit reports and USAC's proposed response. However, in April 2006 USAC's Board of Directors approved modifications to the Audit Committee's charter to remove this responsibility.[Footnote 55] Furthermore, two USAC divisions have overlapping responsibilities for maintaining the audit results database. It is unclear from these various procedures who, for example, is responsible for maintaining information on the status of audit findings (e.g., open or closed) and the recovery of improper payments. Other inconsistencies may exist between the processes used and the processes that management believes are in use to address audit findings. Program officials have acknowledged the importance of documented and approved policies and procedures for the beneficiary audit process and are taking action to address this need. USAC officials stated that in September 2009, they began an initiative to update and streamline existing policies and procedures, including those related to the beneficiary audit process. According to these officials, procedures were updated and approved in July 2010 specific to the Schools & Libraries Division's responsibilities for audit response and follow- up. USAC officials stated that all other existing audit process policies and procedures are scheduled to be completed and submitted to FCC for review and approval by December 2010. Conclusions: Since the establishment of the E-rate program, FCC and USAC have taken steps to revise the program's internal controls to address problems they have identified as well as concerns raised by external auditors, such as GAO, the FCC Inspector General, and others. However, FCC and USAC have generally been reactive, rather than proactive, regarding internal controls, and they have not conducted a robust risk assessment of the program's design and core activities and functions. The continuing lack of performance goals and measures in the E-rate program limits FCC's ability to efficiently identify and address problems with the program, indicates a lack of strategic vision for the program, and affects the program's internal control structure. The E-rate program's internal control structure is a product of accretion and is not clearly targeted to reasonably and effectively address programmatic risks. Because the administrative costs for the program (i.e., the costs to fund USAC and Solix operations) come out of the Universal Service Fund, an internal control structure that has not been well-designed could be using more resources than necessary and, thus, could be reducing the amount of program dollars available to beneficiaries. Without an overall assessment, FCC and USAC might not know how to appropriately balance their resources to better target risks and best ensure that the program fulfills its overall goal of providing technology funding to schools and libraries. Following that, periodic examinations of the design of the E-rate program's internal control structure can help ensure that it is well-designed and - operated, is appropriately updated to meet changing conditions, and provides reasonable assurance that the internal controls appropriately address risk across the entire E-rate program. In addition, although FCC uses beneficiary audits as an oversight tool to assist in assessing schools' and libraries' compliance with E-rate program requirements, these audit results could also help inform systematic assessments of the program's internal control structure. Using this information as part of a continuous improvement effort could help strengthen internal controls by better targeting the nature, extent, or scope of the beneficiary audits. Maximizing the use of beneficiary audits as a core safeguard of Universal Service Fund monies would require a sustained FCC and USAC effort. Our work has shown that sustained efforts can best be supported by documented policies and procedures that address the timely and appropriate resolution of audit findings and consideration of the results of audits when assessing a program's internal controls. Finally, it is important to note that the overall design of E-rate's internal control structure is complex because the E-rate program itself is complex. The National Broadband Plan's recommendation to streamline aspects of the program opens the door for both an examination of the program as a whole and of its internal control structure. A broad evaluation of the E-rate program's procedures and internal controls would present opportunities for FCC to improve the design of the program to ease the administrative burden on schools and libraries and to better address the risks of fraud, waste, and abuse. Recommendations for Executive Action: To improve internal controls over the E-rate program, we recommend that the Federal Communications Commission take the following four actions: * conduct a robust risk assessment of the E-rate program; * based on the findings of the risk assessment, conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed; * implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures; and: * develop policies and procedures to periodically monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed. Agency Comments and Our Evaluation: We provided a draft of this report to the Federal Communications Commission and the Universal Service Administrative Company for their review and comment. In its written comments, FCC agreed with our recommendations. FCC stated that it intends to work closely with USAC and provide the appropriate directives concerning the implementation of a risk assessment. FCC's full comments are reprinted in appendix V. In its written comments, USAC noted that it was pleased that we had recognized that FCC and USAC have implemented many internal controls for processing E-rate applications and making E-rate funding commitments. However, USAC stated that it does not believe that the facts, viewed in their full context, support some of our conclusions. USAC does not agree with our conclusion that the E-rate program has not been subjected to a robust risk assessment. USAC believes that we too narrowly construed the review performed by an independent public accounting firm in 2008 when we determined that the review focused on the risks associated with financial reporting. USAC states that the 2008 review did assess and test specific internal controls for the E- rate program. We agree that some E-rate internal controls were in fact assessed and tested; nonetheless, the focus of the public accounting firm's work was neither the E-rate program nor its programmatic aspects. No risk assessment that USAC has undertaken to date has been the type of risk assessment that we envision under the first recommendation we make in this report. Such an assessment would consider the existing design of the E-rate program as a whole, including the roles of FCC, USAC, beneficiaries, and service providers; whether the design and mix of preventive and detective controls already in place for the E-rate program are appropriate; and whether the program lacks internal controls that are needed. USAC also does not agree with our findings regarding its analysis of audit findings, including repeat audit findings; the timeliness of its beneficiary audit process; and the division of responsibility within USAC for maintaining the audit results database. We continue to believe that USAC could analyze audit findings on a timely basis and use the information to address risks and reduce instances of repeat audit findings. USAC's comments are reprinted in Appendix VI, followed by our full response to USAC. We made no changes to our recommendations based on USAC's comments, although we did add material to the report to acknowledge some of the internal control changes that USAC discusses in its letter, including its new Payment Quality Assurance program and USAC's plans to implement new internal controls in its invoicing process in response to our work. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the appropriate congressional committees, the Chairman of the Federal Communications Commission, the Acting Chief Executive Officer of the Universal Service Administrative Company, and other interested parties. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any questions about this report, please contact me at (202) 512-2834 or goldsteinm@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Major contributors to this report are listed in appendix VII. Signed by: Mark. L. Goldstein: Director, Physical Infrastructure: [End of section] Appendix I: Objectives, Scope, and Methodology: Our report addresses the following questions: (1) What actions have the Federal Communications Commission (FCC) and the Universal Service Administrative Company (USAC) taken to establish internal controls in the E-rate program? (2) Does the design of the E-rate program's internal control structure appropriately consider program risks? This appendix describes the various procedures that we undertook to answer these questions. We conducted the following background research that helped inform each of our reporting objectives: * We reviewed prior GAO reports on the E-rate program; provisions of the Telecommunications Act of 1996; FCC regulations, orders, and other documents related to the administration of the E-rate program; the memorandum of understanding (MOU) between FCC and USAC; risk assessments conducted on the E-rate program; internal and external audits and reports concerning USAC and the E-rate program; and documents from FCC and USAC regarding the structure and operation of the program. * We interviewed officials from FCC's Office of Managing Director, Wireline Competition Bureau, and Office of Inspector General to learn what efforts have been made to address internal controls and concerns about fraud, waste, and abuse within the program. We also interviewed officials from USAC's Schools & Libraries Division to understand their roles and responsibilities in relation to FCC and USAC's subcontractor, Solix, Inc., as well as the overall structure of the E- rate program. We interviewed staff at the independent public accounting firm that conducted the 2008 internal controls review for USAC to learn more about the 2008 review and the firm's conclusions related to the E-rate program. We also spoke with a former USAC official to understand more fully the history of implementing internal controls for the program. Analysis of the E-rate Application and Invoice Processes: To understand the internal control structure within the application and invoice review processes and understand the risks addressed by the internal control components, we reviewed internal USAC and Solix procedures and guidance, and interviewed USAC and Solix staff. * We reviewed documentation of the program's key internal controls and risk assessments, and related policies and procedures. Specifically, we reviewed the design of the program's key internal controls for (1) processing applications and making funding commitments, (2) processing invoices requesting reimbursement, and (3) monitoring the effectiveness of internal controls through audits of schools and libraries. We assessed the design of these internal controls against GAO's Standards for Internal Control in the Federal Government. [Footnote 56] * We spoke with FCC, USAC, and Solix officials about program risks, the design and functioning of internal controls, and how internal controls are monitored and assessed. To determine the results of various reviews within the overall application and invoice review process, we requested and reviewed the following data for funding years 2006 through 2009. * Record-level data of all applications, including the name and identification number of the applicant, the original requested amount, the amount committed, and the exceptions that were triggered by USAC's Program Integrity Assurance (PIA) review process. These data were from the Streamlined Tracking and Application Review System (STARS), which is used to process applications for funding and to track information collected during the application review process. * Record-level and summary data from the Invoice Streamlined Tracking and Application Review System (ISTARS), including a summary of data for each type of edit that can be flagged during the automated validation process. These data included a description of the edit; the number of occurrences; the total dollar amount without the E-rate discount; the total dollar amounts requested, approved, and modified; the total percentage of the modification as part of the undiscounted amount; the total number of invoice lines with edits; and the total number of invoice lines without edits. * Summary data for the results of various reviews that make up the application review process, including the final review, quality assurance reviews, and the heightened scrutiny reviews. For the final and quality assurance reviews, we reviewed data on the number of returns that were triggered by the reviews and the exception(s) associated with each return. The heightened scrutiny review data included the total number of applications or applicants reviewed, categorized by funding determinations (i.e., modifications, withdrawals, denials, and full approvals), and the total dollar amount associated with each type of determination. To provide these data, Solix performed queries on the system and provided the resulting reports to us between December 2009 and May 2010. Data from the STARS and ISTARS systems can change on a daily basis as USAC processes applications for funding and reimbursement, applicants request adjustments to requested or committed amounts, and other actions are taken. As a result, the data we obtained and reported on in this report reflect the amounts at the time that Solix produced the data and could be somewhat different if we were to perform the same analyses with data produced at a later date. To assess the reliability of the data, we contacted experts at USAC and Solix to determine whether major changes in how data are processed have been made since GAO determined that the STARS system was reliable in 2007. We also clarified that ISTARS and STARS share the same platform and security, and that data can be accessed across both systems. For the summary data for the heightened scrutiny reviews, we also reviewed descriptions from USAC on how each team processes its data. We did not include an analysis of some of the data that we requested. For example, we did not include an analysis of data from the application review process in this report, because limitations with the data process did not allow us to produce a relevant analysis within our available time frame. Similarly, we did not include an analysis of the invoice data that summarized the invoice edits by type of edit because limitations with the data process did not allow us to produce a relevant analysis within our available time frame. With these exceptions, we determined the data were sufficiently reliable for the purposes of our review. Analysis of the E-rate Audit Process: We interviewed USAC and FCC officials and reviewed USAC's policies and procedures governing its audit process, including the process for reporting audit results and the status of audit follow-up to USAC's Board of Directors and FCC. We also reviewed applicable regulations, FCC orders and directives, as well as provisions of the MOU between FCC and USAC. Furthermore, we analyzed data in USAC's audit tracking systems on beneficiary audits performed between 2006 and 2010. To do so, we obtained an understanding of how beneficiary audit data are processed and maintained for each phase of the audit process in USAC's Improper Payment Audit Tracking System (IPATS) and Consolidated Post Audit Tracking System (CPATS).[Footnote 57] We interviewed USAC officials about the quality of the data maintained in these database systems. CPATS was implemented in 2009; thus, numerous CPATS data elements for prior years' Improper Payments Information Act of 2002 (IPIA) beneficiary audits were blank. Therefore, we appropriately modified our analysis of the audit data and determined that these data were sufficiently reliable for our purposes. Specifically, we (1) calculated the average number of days between draft audit report and board approval of the final audit report, using data from audits performed in 2009 and 2010; (2) evaluated the frequency of reported audit findings from audits performed in 2006 through 2010; and (3) evaluated the frequency with which schools and libraries were audited in 2006 through 2010 to determine whether there were repeat audit findings in successive audits. We conducted this performance audit from August 2009 to September 2010 in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: E-rate Program Application, Funding, and Reimbursement Processes: [Refer to PDF for image: illustration] Applicant: 1) Assesses technology needs to develop technology plan; 2) Files form describing products and services sought; USAC: 3) Acknowledges receipt of form and posts to Web site; Service provider: Obtains service provider’s identification number and annually certifies it will comply with FCC rules; 4) Searches and responds to applicant requests; 5) Applicant Selects service provider; 6) USAC Posts the annual eligible services list after FCC approves it. 7) Applicant Calculates discount percentage and selects eligible services; 8) Applicant Submits application for program support; 9) USAC Acknowledges receipt; 10) USAC Reviews applications; may request additional information or documentation from applicant; 11) Applicant Responds to reviewer’s requests (Occurs only under certain circumstances); 12) USAC Makes funding decision; issues funding decision commitment letters; * If denied, Applicant or Service Provider may appeal decision (Occurs only under certain circumstances); 13) Partially or fully funded: Service Provider Consults with applicant to determine invoicing method; 14) Service Provider Begins providing services; 15) Service Provider May provide discounts on applicant’s bills and invoice USAC directly (Occurs only under certain circumstances); 16) Applicant Begins receiving services; submits form confirming receipt of services; 17) USAC Acknowledges receipt of form and may review some forms; 18) Applicant May pay service provider full cost of services; jointly request reimbursement of discounted portion (Occurs only under certain circumstances); 19) USAC Reimburses service provider for discounted portion (Occurs only under certain circumstances); 20) Service Provider May remit discount amount to applicant, if appropriate (Occurs only under certain circumstances); 21) Applicant May receive reimbursement from service provider (Occurs only under certain circumstances). Source: GAO analysis of FCC and USAC information. (Occurs only under certain circumstances) [End of section] Appendix III: Analysis of Selected E-rate Program Beneficiaries: We did not conduct any transaction testing related to the E-rate application process; however, we did conduct follow-up to audit work performed for our March 2009 E-rate report.[Footnote 58] For that report, we determined the percentage of eligible entities participating in the E-rate program by performing a matching analysis using funding year 2005 data from USAC and school year 2005 or 2005- 2006 data from the Department of Education's National Center for Education Statistics (NCES). At the end of our matching analysis, we found that we could not match a number of schools and libraries from USAC's database to schools and libraries from the NCES data. We found various reasons that could explain some of the nonmatching schools and libraries. For example, schools often submit multiple applications, some of which may only cover specific school buildings that would then not show up as a match to a particular school, even though the building is a subpart of an eligible school. We determined that the issue of the nonmatched schools was an issue of internal controls, which was not the subject of our 2009 E-rate report, and would best be handled during our internal controls work. Therefore, for this report, we selected the 1,208 private schools from our list of nonmatching schools for further examination because we determined that private schools present a greater risk of fraud for the E-rate program. We subsequently determined that we would focus our follow-up analysis on the 408 private schools from our funding year 2005 list that had also applied for E-rate support in funding year 2008. We sent USAC a list of 274 private schools that received funding year 2008 funding commitments and asked USAC to reverify the eligibility of each entity to participate in the E-rate program using USAC's PIA Form 471 Review Procedures manual. USAC was able to verify the eligibility of 265 of these private schools through their Form 471 review procedures manual, which includes matching the schools to the NCES database, other acceptable third-party documentation, or documentation provided by the school itself. We were able to determine the eligibility of an additional 5 private schools from the NCES database. We did not assess USAC's procedures or make our own assessment of the adequacy of the documentation provided by the schools. USAC determined that 4 private schools within the scope of our request could not be validated as eligible for the program, including 3 schools that were confirmed as being closed. USAC determined these schools to be ineligible for funding as a result of the revalidation process initiated by our request. USAC officials noted that they verify that a school has been closed by receiving confirmation from the applicant or a valid third party, such as a state E-rate coordinator. According to USAC officials, once USAC staff confirm that the school is closed, the staff will provide USAC's invoicing team with the entity number and closed date. The invoicing team will place the entity on watch to prevent any invoices from being paid. Based on the closing date provided by the applicant or third party, USAC may also send a commitment adjustment (COMAD) referral to the COMAD team, which will adjust any previous commitments or recover funds in the cases where payments were made after the closed date. [End of section] Appendix IV: E-rate Program Full-Time-Equivalent Positions: During calendar years 2006 through 2009, Solix and USAC dedicated between 21.5 and 22.5 full-time-equivalent (FTE) positions annually for the invoice review process. In the same period, they dedicated 131.5 to 149.5 FTEs annually for the application review process (see table 2).[Footnote 59] Table 2: E-rate Application and Invoice Review Full-Time-Equivalent Positions, Calendar Years 2006 through 2009: FTE: Application review; Full-time-equivalent positions, by calendar year: 2006: 134.0; 2007: 141.0; 2008: 131.5; 2009: 149.5; Total: 556.0. FTE: Invoice review; Full-time-equivalent positions, by calendar year: 2006: 21.5; 2007: 22.5; 2008: 22.5; 2009: 22.5; Total: 89.0. FTE: Total; Full-time-equivalent positions, by calendar year: 2006: 155.5; 2007: 163.5; 2008: 154.0; 2009: 172.0; Total: 645.0. Source: USAC. [End of table] [End of section] Appendix V: Comments from the Federal Communications Commission: Federal Communications Commission: Washington, D.C. 20554: September 20, 2010: Mr. Mark Goldstein: Director, Physical Infrastructure: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Thank you for the opportunity to review the draft Government Accountability Office (GAO) Report regarding assessment of the design of the Schools and Libraries Universal Service program, also known as the E-Rate program. Pursuant to section 254 of the Communications Act of 1934, as amended (the Act), the Commission designated "telecommunications services" and certain additional services eligible for support under the E-rate program.[Footnote 1] Since the inception of the E-rate program, schools and libraries have received billions of dollars in funding commitments.[Footnote 2] As a result, Internet access is nearly universal in the nation's schools and libraries. Today, about 97% of public schools have access to the Internet. [Footnote 3] In classrooms, more and more students have access to Internet-connected computers, and 94% of instructional rooms have at least some Internet access.[Footnote 4] In addition, in-school use of the Internet and technology by students is growing rapidly.[Footnote 5] The Commission is dedicated to achieving the universal service goals of section 254 of the Act, and therefore welcomes suggestions on making additional improvements to the E-Rate program. In its draft report, the GAO offers four recommendations to improve the E-rate program. First, the GAO recommends that the Commission conduct a robust risk assessment of the E-rate program that is based on the program's core practices and business practices.[Footnote 6] Next, the GAO recommends, based on the findings of the risk assessment, the FCC conduct a thorough examination of the overall design of E-rate's internal control structure to ensure the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed.[Footnote 7] Third, the GAO recommends the FCC implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures.[Footnote 8] Finally, the GAO recommends the FCC develop policies and procedures to monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed.[Footnote 9] We appreciate GAO's recognition of the Commission's conscientious efforts to date in developing internal control structures to safeguard the integrity of the E-rate program.[Footnote 10] Specifically, as GAO states, progress has been made in assessing risk in the program related to financial reporting pursuant to Office of Management and Budget Circular No. A-123 and the FCC's fraud risk assessment. [Footnote 11] Despite these efforts, GAO has recognized that the internal control structure of the E-rate program can be further improved. We agree. In particular, as GAO's first two recommendations suggest, the E-rate program's internal controls would benefit from a robust risk assessment accompanied by a subsequent examination of the overall design of the E-rate's internal control structure. Such a risk assessment should be designed to provide a critical examination of the entire E-rate program to determine if modifications to business practices and internal controls are necessary to cost-effectively address programmatic risks.[Footnote 12] As in the past, the Commission intends to work closely with the Universal Service Administrative Company (USAC) and provide the appropriate directives concerning the implementation of this risk assessment. Further, the Commission is committed to use this risk assessment to examine ways to improve the E-rate application review process and program invoicing. For example, a holistic risk assessment will provide the opportunity to ensure USAC is allocating resources to reasonably target risks in the application process and improve the Program Integrity Assurance (PIA) application review process.[Footnote 13] The assessment could also provide an opportunity to examine whether controls need to be in place, such as, a process for ensuring items or services reimbursed to providers were included in the list of related commitments. The Office of Managing Director (OMD) will further instruct USAC to develop a comprehensive procedures manual that documents the invoice review process to better mitigate risks.[Footnote 14] As GAO recommends, the Commission is also committed to developing a systematic approach to assess internal controls that considers the results of E-rate program beneficiary audits supported by a documented approved set of policies and procedures.[Footnote 15] Consistent with this recommendation, OMD regularly reviews beneficiary audit findings per guidance set forth in the Office of Management and Budget Circular A-50 and the Commission's own internal directive.[Footnote 16] This process includes: (1) reviewing USAC's management response to an audit; (2) reviewing USAC's planned corrective action and implementation plan, and (3) providing an OMD response and Wireline Competition Bureau response where necessary.[Footnote 17] Also, in order for OMD to consider a finding closed, USAC provides OMD with supporting documentation to prove action has been taken. The corrective actions are summarized and monitored on a monthly basis and USAC provides OMD with a status update of all open findings and recommendations. Going forward, GAO's recommendations will support the Commission's efforts to make additional improvements in this area. OMD will work with USAC to ensure that clear polices and procedures addressing a systematic review of internal controls based on beneficiary audit findings are incorporated into USAC's written audit policies, procedures, and procurement. OMD will also further instruct USAC to establish goals and performance measures to track the timeliness of the completion of audits from the date fieldwork is completed until the date that the USAC Board of Directors approves the audit report. Further, OMD will renew its efforts to see that meaningful performance measures are developed for USAC's senior executives that reflect USAC leadership's responsibility for effectively and efficiently targeting and addressing risks in the E- rate and other programs. Finally, as recommended by GAO, OMD plans to oversee and direct the development of polices and procedures to periodically monitor the internal control structure of the E-Rate program to provide continued reasonable assurance that program risks are targeted and addressed. [Footnote 18] These policies and procedures will assist in assuring control activities are appropriate, actually applied, and applied properly. Such policies and procedures also contribute positively to a systematic process for considering beneficiary audit findings when assessing the E-rate's program's internal controls and identifying opportunities for modification. Once again, we appreciate GAO's recommendations. We agree that the Commission should continue to assess the design of the E-Rate program's internal control structure so that program is achieving the important universal service goals of providing needed technology to the nation's schools and libraries. We look forward to working with you on this in the future. Sincerely, Signed by: Steven VanRoekel: Managing Director: Appendix V Footnotes: [1] 47 U.S.C. § 254(c)(1), (c)(3); 47 C.F.R. §§ 54.502, 54.503. [2] See Universal Service Administrative Company, Schools and Libraries Division website, [hyperlink, http://www.usac.org/sl/tools/commitments-search/Default.aspx] (1998 - 2010 data). [3] Federal Communications Commission, Connecting America: The National Broadband Plan at 236 (rel. Mar. 16, 2010) (National Broadband Plan), available at [hyperlink, http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC296935A1.pdf]. [4] National Broadband Plan at 236. [5] See id. [6] Government Accountability Office, FCC Should Assess the Design of the E-rate Program's Internal Control Structure at 17 (Sept. 2010) (GAO Draft Report). [7] GAO Draft Report at 29. [8] See id. [9] GAO Draft Report at 29. [10] See id. at 18-19. [11] See id. [12] Office of Management and Budget, Management's Responsibility for Internal Control, Circular No. A-123 (Dec. 21, 2004). [13] GAO Draft Report at 21. [14] See id. at 21-23. [15] See id. at 23-28. [16] Office of Management and Budget, Audit Follow-up, Circular A-50 (Sept. 29, 1982); FCC Directive, FCCINT, 1013.1C. [17] See id. [18] GAO Draft Report at 29. [End of section] Appendix VI: Comments from the Universal Service Administrative Company: Note: GAO comments supplementing those in the report text appear at the end of this appendix. USAC: Universal Service Administrative Company: Schools & Libraries Division: Melvin R. Blackwell, Vice President: 2000 L Street, NW, Suite 200: Washington DC 20035: Voice: 202-776-0200: Fax: 202-776-0080: [hyperlink, http://www.usac.org] Via Electronic Mail: September 20, 2010: Mark L. Goldstein: Director, Physical Infrastructure Issues: U.S. Government Accountability Office: 441 G Street, NW Room 2T23: Washington, DC 20548: Re: Response to Draft Report to Congressional Requestors on the Design of the E-rate Program's Internal Control Structure: Dear Mr. Goldstein: This letter responds to the draft Government Accountability Office's (GAO's) Report to Congressional Requestors, titled: "FCC Should Assess the Design of the E-rate Program's Internal Control Structure." The federal Universal Service Schools and Libraries Program (commonly referred to as the E-rate program) is administered by the Universal Service Administrative Company (USAC). USAC would like to recognize the professional work of the GAO staff on this project. USAC submits this response to explain and clarify certain findings in the GAO report as they relate to USAC and its role as administrator of the E- rate program. This response has been organized to correspond to the following sections of the GAO report: "FCC and USAC Have Put Many Internal Controls in Place for E-rate," and "The Design of E-rate's Internal Control Structure May Not Appropriately Consider Program Risks." FCC and USAC Have Put Many Internal Controls in Place for E-rate Processing Applications and Making Funding Commitments: USAC is pleased that GAO recognizes that USAC and the Federal Communications Commission (FCC or the Commission) have implemented many internal controls for processing E-rate applications and in making funding commitments. USAC's internal control structure is indeed robust and has evolved and expanded over time in order to address program risks. USAC would like to clarify several issues raised in this section of the report. USAC is the not-for-profit corporation designated by the Commission to administer the E-rate program. USAC employs a contractor, Solix, Inc. (Solix), to assist with reviewing and processing E-rate applications and invoices. USAC carefully oversees all aspects of Solix's work for the E-rate program. USAC and Solix work closely together on a daily basis to ensure that all E-rate applications and invoices are processed in accordance with FCC and USAC approved procedures. Additionally, there is a comprehensive performance agreement in place with incentives and penalties applicable to Solix's performance. USAC's internal control structure for the E-rate program centers on its comprehensive, multi-layered application review process. USAC employs a four-level quality assurance process to ensure correct funding decisions. All applications undergo an initial review by a Solix reviewer and then undergo a separate final review by a more experienced Solix reviewer. A portion of the applications are then sampled by the Solix Quality Assurance Team. Finally, USAC staff conducts independent quality assurance reviews. USAC's independent review uses samples from both applications that have, as well as applications that have not, undergone review by Solix's Quality Assurance Team. USAC staff also conducts extensive educational and outreach efforts to assist applicants in complying with program rules. This outreach is an important part of the internal controls of the E-rate program and includes, hosting large-scale training events, offering one-on-one assistance, providing short web-based videos, issuing weekly newsletters, and conducting monthly stakeholder calls. USAC's outreach and educational efforts have not only improved the E-rate program application process, but have also greatly reduced appeals to both USAC and the Commission in recent years. As discussed in the GAO report, the primary internal control to ensure that applicants fulfill program requirements is the Program Integrity Assurance (PIA) review process. Each year, USAC undertakes a significant review and analysis of the PIA application review process to ensure the procedures reflect current Commission rules and guidance and that it continues to provide a rigorous set of internal controls to protect the integrity of the Universal Service Fund (USF). All PIA reviewers are trained and tested on the PIA procedures annually and must receive a passing score of 100% before being allowed to process applications. USAC works with FCC staff to modify PIA procedures, as necessary, in order to ensure compliance with Commission rules and guidance, to protect program integrity, and to streamline procedures where such modifications have been determined to simplify the application process. As the report correctly notes, the number of exceptions generated through the PIA process grew between 2006 and 2009. However, these additional exceptions (or controls) were added to implement directives contained in Commission orders and to strengthen the application review process. USAC has also developed many tools to assist reviewers with quickly accessing information that is needed to reach funding decisions. These tools play an important role in USAC's ability to issue timely funding decisions. It is also important to note that despite the additional exceptions added to the PIA review process over the last few years, in July 2010, USAC issued a record number of funding decisions earlier in the processing period than in any other funding year. Specifically, funding decisions for Funding Year 2010 totaling nearly $950 million represented nearly double the amount from the same period in 2007. In short, as recognized in the report, USAC has established a strong, multi-layered internal control environment for the E-rate program that has evolved over time to address changes in program rules. The Design of E-rate's Internal Control Structure May Not Appropriately Consider Program Risks: The GAO report concludes that the E-rate program has not been subjected to a robust risk assessment and thus, USAC may not be efficiently using its resources to reasonably target program risks. The report also concludes that the results from E-rate beneficiary audits have not been used effectively by FCC and USAC to assess and modify the E-rate program's internal controls. USAC does not believe that the facts viewed in their full context support these conclusions. USAC has conducted assessments to target risk factors associated with beneficiary compliance with E-rate program rules. After the conclusion of Round 1 of the FCC Office of Inspector (OIG) USF audit program audits, for example, USAC carefully reviewed and analyzed the audit findings to determine areas of noncompliance. (USAC is in the process of conducting similar analysis of the results from the FCC OIG USF audit program Round 2 and 3 audits.) The results of the analysis of Round 1 audits demonstrate that most of the non- compliant audit findings were related to beneficiary conduct and were unrelated to USAC's internal controls for the E-rate program. [See comment 1] As a result of this review and analysis, USAC instituted many measures to address beneficiary program rule violations and reduce the risks associated with noncompliance with program rules. For example, during the 2008 fall annual training sessions conducted by USAC for applicants, nearly one-third of session time was devoted to discussing beneficiary audits to assist applicants in increasing awareness of the requirements for properly and efficiently complying with audit process requirements. Additionally, USAC targeted the USAC designed and staffed Helping Applicants to Succeed (HATS) program to provide focused, in-person training to applicants that have been denied funding requests or have received non-compliant audit findings. As a result of the high number of adverse findings related to Children's Internet Protection Act (CIPA) compliance, USAC modified the PIA process for reviewing CIPA compliance by seeking further information from a portion of the applicant community prior to issuing funding commitments. To mitigate the most prevalent audit finding, failure to retain required documentation, USAC created and posted the "E-rate Binder" on its web site to provide guidance to applicants on proper retention of E-rate program required documentation. USAC uses a variety of educational and outreach tools, including webinars, tip sheets and newsletters to address other common audit findings and provide best practices to assist applicants with program rule compliance. USAC also conducts heightened review for certain applications and invoices to further protect program integrity. In addition, USAC believes that GAO's assessment that Grant Thomton's 2008 internal controls report focused only on the risks associated with financial reporting for the USF is too narrow. Specific internal controls for the E-rate program were assessed and tested by Grant Thornton in 2008. First, Grant Thornton drafted a process narrative titled: "USAC Schools and Libraries Program — Pre-Commitment and Post- Commitment Process Narrative." This was an overview that identified key internal controls in the process. Next, Grant Thornton assessed the effectiveness of the controls identified. The assessment included an examination of 14 internal controls related to the processing of applications and invoices. Twelve of the 14 controls passed and two resulted in control deficiencies. The review was documented on a risk control matrix, which details the control attributes, test procedures, and results. The two deficiencies were remediated in 2009. In the second quarter of 2009, USAC hired three full-time employees to expand and institutionalize the internal controls program that was initiated by Grant Thornton. The internal controls team updated the E-rate program process narrative to reflect current operations and changes in the control environment and subsequently reviewed the effectiveness of the controls identified. No control deficiencies were noted during the 2009 review. [See comment 2] The GAO report also addresses USAC's process for reviewing E-rate program invoices prior to approval for payment. The E-rate invoice review process is a combination of manual and automated reviews designed to protect USF integrity. Each year USAC receives more than 450,000 invoice lines, representing approximately $2.4 billion of program disbursements, all of which undergo an automated review. The automated review process is designed with built-in parameters for accuracy, protection and consistency. The invoices submitted and reviewed via the automated process must pass dozens of accuracy and integrity tests on the data submitted for payment. Among other control points, these tests are conducted to ensure that payments are made only to eligible service providers and do not exceed committed amounts. Reference checks are also conducted to ensure proper service delivery dates, contract dates, deadlines and other factors programmed into the automated review of each request submitted. To ensure that the automated process is functioning properly, any modifications to the automated system require several reviews for validity and extensive testing to ensure proper system operation. An elaborate code test, system test, and user acceptance test is conducted on system modifications to ensure proper controls function after any change. This process contributes to the assurance of proper system operation and reduces the likelihood of errors. Additionally, 9% of the invoice lines, representing 42% of the invoice dollars, are subject to a second manual review process to assess compliance with program rules. The manual invoice review has concentrated on areas where statistical measurements have indicated a likelihood of higher program risk or rules violation. The invoice review process has worked to protect USF integrity and ensure compliance with E-rate program rules. In the 761 audits of E-rate beneficiaries conducted under the FCC OIG USF audit program, no invoice processing errors were identified. USAC agrees with GAO's recommendation that a formal process should be implemented to randomly sample invoices that are only reviewed through the automated process. USAC is developing a process that will institute an additional check of the automated process by randomly selecting invoice payments for additional review. This process will be in place by the end of calendar year 2010. The random sample of automated invoices will compare approved items with items delivered and paid to ensure that the automated review is functioning as designed and that payments are made accurately. This plan will help remediate concerns about payments that would normally pass through the automated system without any manual review. USAC also expects that this process will supplement the newly created Payment Quality Assurance (PQA) Program, which is discussed in further detail below. The PQA Program will randomly test the accuracy of USAC payments disbursed through the E-rate program as well as the other three universal service programs. USAC also agrees with the GAO's recommendation that there should be a single manual that documents the entire invoice review process. Although, USAC does have a comprehensive set of policies and procedures in place for reviewing and processing invoices, USAC acknowledges that such documents are maintained in electronic form and not in one manual. USAC will implement this recommendation and will create such a manual by the end of the calendar year 2010. The GAO report made several observations concerning the beneficiary audit process. USAC's process for conducting and approving beneficiary audit reports has four phases: audit performance, audit resolution, audit response and audit-follow-up. The beneficiary audit process is very thorough and can take six to eight months to complete due to the many steps involved, including providing the beneficiary with the opportunity to respond to any audit findings. The process is intended to produce final audit reports that are accurate. GAO notes in its report that the average time between when USAC received a draft audit report and when USAC's Schools & Libraries Committee approves the final audit report is approximately 224 days. In fact, USAC statistics show that the entire audit process beginning with the announcement of the audit to the beneficiary through conclusion of the audit, (including time waiting for the beneficiary to provide requested information, preparation of the audit report by the audit firm, and final review and approval by the Schools & Libraries Committee) takes an average of 239 days. The Schools & Libraries Committee acts in a timely fashion to complete its review and approval process of beneficiary final audit reports, including holding special meetings for the purpose of approving such reports. According to USAC statistics, the actual time between when USAC receives the final audit report from the outside auditors to the time it takes the Schools & Libraries Committee to approve the audit report is approximately 64 days. As of May 2010, 760 of the audit reports from the FCC OIG USF Audit Program have been reviewed and deemed final by the Schools & Libraries Committee.[Footnote 1] [See comment 3] USAC does not believe that GAO's assessment that USAC has not carefully reviewed and analyzed repeated audit findings for the same beneficiary takes into account the structure of the FCC OIG USF audit program. Over the past three years, USAC has audited 761 beneficiaries under the FCC OIG's USF audit program. However, the mandated timeline for completing these audits was very short and the method used by the FCC OIG for selecting the 761 auditees led to instances of the same beneficiary being audited for two or more years in a row. These conditions made it very difficult for the auditee to address and rectify non-compliant findings discovered in the first audit before the second audit was complete, which resulted in beneficiaries receiving repeat audit findings in subsequent audits. As a result of these repeated audit findings, USAC has taken measures to address these findings and to assist beneficiaries in complying with program rules as outlined above. [See comment 4] Additionally, to further improve USAC's beneficiary audit program, this summer, USAC, in conjunction with the FCC Office of Managing Director, launched the PQA Program.[Footnote 2] PQA is designed to mitigate many of the structural and process issues that were identified during the FCC OIG USF audit program. For example, the PQA reviews will be based on recent funding disbursements, thereby increasing the likelihood that the beneficiary has retained the necessary paperwork to support the funding level received, and the PQA process does not require an on-site visit and will be conducted remotely. This new audit approach will decrease audit-related costs incurred by the USF and lessen the burden on the beneficiary. Initial reports from the field indicate that beneficiaries are able to comply with the information requests in a timely manner and are able to produce the requested documents. USAC will be monitoring this program closely over the coming months to determine its effectiveness and whether additional measures are required to address any findings resulting from this program. Finally, regarding GAO's observation that no single USAC division has responsibility for maintaining the audit results database, USAC further clarifies that USAC's Internal Audit Division (IAD) is responsible for USAC's audit programs and for oversight and management of all aspects of the audit programs, including, reporting, quality assurance and audit management. Although the reporting roles between USAC's Schools and Libraries Division (SLD) and the USAC Performance Assessment and Reporting (PAR) team appear to overlap as stated in the GAO report, each have separate responsibilities. USAC IAD is responsible for ensuring that all audit records are entered into the USAC Consolidated Post Audit Tracking System (CPATS), while USAC SLD is responsible for entering and updating audit recovery data into CPATS. USAC's PAR team is responsible for performing quality assurance on the CPATS data from both divisions and reporting to the FCC pursuant to the September 2008 Memorandum of Understanding between the FCC and USAC. This separation of duties among the three divisions provides checks and balances and helps ensure the accuracy and integrity of audit-related data. [See comment 5] USAC appreciates the opportunity to submit its response to the draft report on the internal controls structure of the E-rate program. Sincerely, Signed by: Melvin R. Blackwell: Vice President: Appendix VI Footnotes: [1] There is one audit report that will be presented to the Schools and Libraries Committee for review and approval at the October 2010 board meeting. [2] USAC has also launched a new USF beneficiary and contributor audit program in consultation with the FCC Office of Managing Director. Following are GAO's comments on the Universal Service Administrative Company's letter dated September 20, 2010. GAO Comments: 1. As stated in our report, USAC had not analyzed the findings from beneficiary audits to determine whether corrective actions implemented by beneficiaries in response to previous audits were effective. We also stated that, consistent with our standards for internal control in the federal government, repeat audit findings (information that would be available to USAC from analysis of the audits) are examples of the risks and vulnerabilities which, once identified and assessed, could provide information about where modifications to the nature, extent, or scope of beneficiary audits are most needed. This is consistent with the objectives of internal controls in the federal government and FCC's and USAC's responsibilities to establish and maintain internal controls that appropriately safeguard program funding and resources. We recognize that USAC cannot be held responsible for the conduct of beneficiaries; however, USAC is responsible for recognizing the risks that beneficiaries will not comply with program rules and for implementing controls that appropriately target those risks. Therefore, beneficiary conduct that affects such things as the commitment of funds and payments to beneficiaries must be part of USAC's assessment of program controls and are not, as stated by USAC, unrelated to USAC's internal controls for the E-rate program. 2. Our work included consideration of the 2008 internal control review consistent with our standards and audit objectives. As stated in our report, the 2008 internal control work the independent public accounting firm performed was a review of USAC's controls for all four Universal Service Fund programs and was not specific to any single program, including E-rate. Further, the review did not address program risks associated with beneficiary self-certification of key information, nor did it consider the nature, extent, and scope of beneficiary audits or the results from those audits. A comprehensive assessment focused on the E-rate program would consider the existing design of the E-rate program as a whole, including the roles of FCC, USAC, beneficiaries, and service providers; whether the design and mix of preventive and detective controls already in place for the E-rate program are appropriate; and whether the program lacks internal controls that are needed. With respect to the 2009 internal control assessment performed by USAC's own staff, as stated in our report, this assessment was also not designed to identify and address specific E-rate program risks and vulnerabilities. 3. We do not agree with USAC's statements concerning the timeliness of its beneficiary audit process. The measurements USAC provides--239 days and 64 days--exclude weekends and holidays and therefore do not portray the entire processing time.[Footnote 60] In our report, we stated that the beneficiary audit process did not result in the timely resolution of audit findings and approval of audit reports and, to illustrate, we analyzed USAC data for a 3-year period and found that the average time between when USAC received draft audit reports and when final audit reports were approved was approximately 224 days. We focused on the amount of time after USAC receives draft audit reports because this is the period that is used to review the audit reports, have quality control procedures performed by others, and approve the reports. Also, as discussed in our report, we found that USAC was not effectively analyzing the audit findings although the findings could have been used to provide information about where modifications to the nature, extent, or scope of beneficiary audits were most needed. Therefore, this time period covers the time taken for the process steps that are relevant to identification of an issue that requires management attention to ensure that the results of audits are timely considered when assessing and modifying the program's internal controls. 4. Our work did take into account the structure of the Universal Service Fund audit approach. Instances of repeat audit findings and the likelihood that they would be identified in successive audits are examples of the risks and vulnerabilities that, once identified and assessed, could inform the E-rate program's internal controls. We recognize that the timing of some of the audits may have made it difficult for some audited beneficiaries to address and rectify non- compliant findings discovered in the first audit before a second audit was completed. However, we found beneficiaries with repeat audit findings from audits conducted in the first and third years of the 3- year period, which should have been sufficient time to avoid repeated findings. In any case, it is incumbent on USAC to analyze the results of beneficiary audits to identify instances of repeat audit findings and assess whether corrective actions were effective. 5. As we stated in our report, it is unclear from USAC's procedures who is responsible for maintaining information on the status of audit findings. We also reported that we found other inconsistencies between activities in practice versus written procedures regarding the audit process. It will be important that these inconsistencies are addressed by the updated audit process policies and procedures that USAC told us it expects to complete by December 2010. [End of section] Appendix VII: GAO Contact and Staff Acknowledgments: GAO Contact: Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov: Staff Acknowledgments: In addition to the contact named above, Faye Morrison and Robert Owens (Assistant Directors), Frederick Evans, John Finedore, Natasha Guerra, Christopher Howard, Bonnie Pignatiello Leer, Scott McNulty, Sara Ann Moessbauer, Joshua Ormond, Steven Putansu, Amy Rosewarne, Matt Shaffer, Betty Ward-Zukerman, and Mindi Weisenbloom made key contributions to this report. [End of section] Footnotes: [1] "E-rate" is an abbreviated term for education rate. [2] Throughout this report, we refer to schools and libraries that apply to the program as "applicants," whether or not they eventually receive any funding from the program. We refer to schools and libraries that have received commitments or funding as "beneficiaries." [3] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). These standards provide the overall framework for establishing and maintaining internal control in the federal government. [4] Eligible schools, school districts, and libraries may apply individually or may form a consortium for the purposes of applying for E-rate funding. See 47 C.F.R. § 54.501. [5] In section 254 of the Communications Act of 1934, as added by the Telecommunications Act of 1996, Congress instructed FCC to establish support mechanisms with the goal of ensuring the delivery of affordable telecommunications service to all Americans, including consumers in high-cost areas, low-income consumers, eligible schools and libraries, and rural health care providers. The 1996 Act instructed FCC to establish a universal service mechanism to ensure that schools and libraries have affordable access to telecommunications services to use for educational purposes at discounted rates. See 47 U.S.C. § 254(h). [6] FCC has determined that the Universal Service Fund is a permanent indefinite appropriation (i.e., funding appropriated or authorized by law to be collected and available for specified purposes without further congressional action). See 47 U.S.C. § 254(d) and 47 C.F.R. § 54.706. [7] See 47 C.F.R. § 54.507. [8] These indicators include the percentage of students eligible for free or reduced-price lunches through the National School Lunch Program or a federally approved alternative mechanism and include whether the entity is located in a rural area. See 47 C.F.R.§ 54.505. [9] 47 U.S.C. § 254(h). [10] Priority 2 services are funded with what remains after commitments have been made for all approved requests for Priority 1 services in a given year. See 47 C.F.R. § 54.507(g). Requests for Priority 2 services are prioritized by the discount level of the applicant, with funding going first to applicants with the highest discount level--90 percent--and then to applicants at each descending discount level until the funding is exhausted. According to FCC, the rules of priority equitably provide the greatest assurance of support to schools and libraries with the greatest level of economic disadvantage and ensure that all eligible applicants filing during a period specified by USAC receive at least some support. See Federal- State Joint Board on Universal Service, Fifth Order on Reconsideration and Fourth Report and Order, 13 FCC Rcd 14915 (1998). [11] See USAC's Web address: [hyperlink, http://www.usac.org/sl/tools/eligible-services-list.aspx] (last accessed on July 1, 2010). [12] USAC also carries out the day-to-day activities of the Universal Service Fund's High Cost, Low Income, and Rural Health Care programs. The High Cost program assists customers living in high-cost, rural, or remote areas through financial support to telephone companies, thereby lowering rates for local and long-distance service. The Low Income program assists qualifying low-income consumers through discounted installation and monthly telephone services and free toll-limitation service. The Rural Health Care program assists health care providers located in rural areas through discounts for telecommunications services. [13] Solix, Inc. was established in 2005 as an independent administrative process outsourcing firm--a spin-off of the National Exchange Carrier Association (NECA). USAC is a wholly owned, independent subsidiary of the association. NECA's Board of Directors, by FCC regulation, is prohibited from participating in the functions of USAC. See 47 C.F.R. § 54.703. [14] Applicants perceive all of their contacts and form submissions to be with USAC. Solix staff refer to themselves as USAC staff when interacting with applicants. [15] Before services begin, the plan must be approved by a USAC- certified technology plan approver. However, applicants that seek discounts only for basic local, cellular, personal communication service, long-distance telephone service, or voice mail are not required to prepare technology plans. See 47 C.F.R. § 54.504(b)(2)(iii)(c). [16] The data collected on Form 471 are used to verify that schools and libraries are receiving the appropriate discounts, complying with the eligibility requirements, and taking the required steps that are necessary to use the discounted services effectively. All schools and libraries ordering services eligible for universal service discounts must file this form, individually or as part of a consortium. Recently, FCC's Wireline Competition Bureau sought comment on revisions to this form and Form 470 (Description of Services Requested and Certification) under the Paperwork Reduction Act. See Wireline Competition Bureau Seeks Comment on Revisions to FCC Forms 470 and 471 Under the Paperwork Reduction Act, 25 FCC Rcd 8515 (2010). The purpose of Form 470 is to open a competitive bidding process for E-rate eligible services. [17] An approved applicant submits confirmation that the discounted services either have been initiated or will soon be initiated by the service provider, the discounted service is covered by the technology plan, and the applicant is in compliance with requirements of the Children's Internet Protection Act and the Neighborhood Children's Internet Protection Act. Under these two acts, Congress imposed new conditions on schools and libraries with Internet access that request discounted services under the E-rate program. See 47 U.S.C. §§ 254(h)(5), (6); 254(l). An applicant or service provider can appeal a denial of funds or discount amount to USAC or FCC. [18] Memorandum of Understanding between the Federal Communications Commission and the Universal Service Administrative Company (Sept. 9, 2008). [19] OMB Circular No. A-123 provides guidance to executive agencies on evaluating and reporting on their systems of internal controls, consistent with the requirements of §§ 3512(c) and (d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982 (FMFIA)). Circular No. A-123 relies on GAO's standards for internal control in the federal government, which are promulgated pursuant to FMFIA. See Office of Management and Budget, Management's Responsibility for Internal Control, Circular No. A-123 (Washington, D.C.: Dec. 21, 2004). [20] The Senior Management Council is comprised of members of USAC's senior leadership, including the chief operating officer and the vice presidents of the divisions responsible for each of the Universal Service Fund programs. The council is charged with, among other things, establishing the internal control program's scope and methodology and monitoring USAC's progress in implementing corrective actions. [21] See Pub. L. No. 107-300; 116 Stat. 2350 (Nov. 26, 2002), as amended by the Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111-204, 124 Stat. 2224 (July 22, 2010). IPIA requires federal agencies to review the programs and activities that they administer and identify those that may be susceptible to significant erroneous payments. For those programs or activities that are determined to be susceptible to significant improper payments, the agency must develop an estimate of improper payments; report the estimate to Congress; and, for programs and activities with estimated improper payments exceeding $10 million, report on corrective actions taken to address the improper payments. [22] Our most recent report about the E-rate program addressed funding trends, the rate of program participation, the views of participants about the program, and the development of goals and performance measures for the program. See GAO, Telecommunications: Long-Term Strategic Vision Would Help Ensure Targeting of E-rate Funds to Highest-Priority Uses, [hyperlink, http://www.gao.gov/products/GAO-09-253] (Washington, D.C.: Mar. 27, 2009). Our reports addressing internal controls of the E-rate program include the following: Telecommunications: Greater Involvement Needed by FCC in the Management and Oversight of the E-rate Program, [hyperlink, http://www.gao.gov/products/GAO-05-151] (Washington, D.C.: Feb. 9, 2005); Schools and Libraries Program: Application and Invoice Review Procedures Need Strengthening, [hyperlink, http://www.gao.gov/products/GAO-01-105] (Washington, D.C.: Dec. 15, 2000); Schools and Libraries Program: Actions Taken to Improve Operational Procedures Prior to Committing Funds, [hyperlink, http://www.gao.gov/products/GAO/RCED-99-51] (Washington, D.C.: Mar. 5, 1999); and Schools and Libraries Corporation: Actions Needed to Strengthen Program Integrity Operations before Committing Funds, [hyperlink, http://www.gao.gov/products/GAO/T-RCED-98-243] (Washington, D.C.: July 16, 1998). [23] See [hyperlink, http://www.gao.gov/products/GAO-05-151]. While our 2005 report did not address internal controls over applications and invoices, it did address the structure of the E-rate program, noting that the structure was unusual to the federal government and that FCC had not done enough to proactively manage and provide a framework of government accountability for the program. FCC established its MOU with USAC in response to our 2005 report. [24] Schools and Libraries Universal Service Support Mechanism, Fifth Report and Order and Order, 19 FCC Rcd 15808, 15833, para. 74 (2004). [25] FCC officials noted that they have incorporated measures for USAC's performance into the MOU, revised Forms 470 and 471 to capture more broadband use information, hired a consulting firm to conduct a random survey of program beneficiaries to gain additional information on the services used by schools and libraries, and sought comment on goals and performance measures for E-rate in a 2008 Notice of Inquiry. [26] [hyperlink, http://www.gao.gov/products/GAO-09-253]. [27] Federal Communications Commission, Connecting America: The National Broadband Plan (Washington, D.C.: March 2010). [28] Schools and Libraries Universal Support Mechanism; A National Broadband Plan for Our Future, Notice of Proposed Rulemaking, 25 FCC Rcd 6872 (2010). [29] FCC Enables High-Speed, Affordable Broadband for Schools, and Libraries, news release, (Sept. 23, 2010). [30] We conducted a limited examination of USAC's procedures for verifying private schools. See appendix III for a description of this work. [31] See 47 U.S.C. § 254(h)(4). [32] USAC established the Whistleblower Hotline in 1999. It allows applicants, service providers, contributors, and others to alert USAC to instances where program funds are being misapplied and where potential program rule violations may exist. [33] Schools and Libraries Universal Service Support Mechanism, Third Report and Order and Second Further Notice of Proposed Rulemaking, 18 FCC Rcd 26912 (2003). [34] An invoice line is subjected to multiple edits during the automated batch validation process. The number of edits actually flagged every year may vary, depending on such factors as whether USAC requests a special review or whether the invoice line contains incorrect information. [35] The completed invoice line is first forwarded to either a provider or beneficiary invoice payment file--files that allow Solix to accumulate information from completed invoice lines and the associated payment decisions that are ready for final processing. Solix simultaneously prepares the two payment files and sends them to USAC twice a week for review and approval. Once approved, the file is used to generate payments to service providers. [36] FCC rules require USAC to pay reimbursement for discounted services to service providers and not directly to beneficiaries. Service providers may apply the discount rate to the beneficiary's bill before sending it to the beneficiary, in which case the beneficiary pays only the nondiscounted portion and the service provider invoices USAC directly to obtain reimbursement. Alternatively, beneficiaries may pay for services in full and submit a form to USAC to request reimbursement. If that is the case, USAC is still required to send the reimbursement to the service provider that will, in turn, pass the funds to the beneficiary. See 47 C.F.R. § 54.514. [37] Prior to 2006, beneficiary audits were performed primarily by USAC's internal auditors. Beginning in 2006, the beneficiary audits performed for IPIA reporting purposes were performed by independent auditors managed by USAC's internal audit staff. [38] [hyperlink, http://www.gao.gov/products/GAO/T-RCED-98-243]. [39] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [40] USAC is located in Washington, D.C.; Solix is located in New Jersey. [41] The independent public accounting firm's review also included other findings and recommendations that addressed weaknesses in the E- rate program related to financial reporting requirements. [42] USAC's fraud risk assessment contained few details. In the document, USAC provided a risk assessment rating of control measures but did not explain how it determined these rankings or the likelihood and significance of the risks each control was created to address. [43] During funding years 2006 through 2009, 84 items on USAC's eligible services list had no date or had an inaccurate date regarding when the item was added to the list. As a result, we did not include those items in our analysis. It is possible that there are additional inaccurate records, but our review of the data showed no other obvious errors. [44] The key objective of federal agencies in designing and reviewing payment processes, whether automated or manual, is to make sure that they can rely on the quality of their systems and processes to ensure that invoices authorized for payment are legal, proper, valid, and correct. This objective includes providing reasonable assurance that the payment process includes confirmation of the receipt and acceptance of the service or equipment ordered and legal entitlement to the amount billed. See GAO, Streamlining the Payment Process While Maintaining Effective Internal Control, GAO/AIMD-21.3.2 (Washington, D.C.: May 2000). [45] USAC must approve Solix's final determination before payments are sent to providers. [46] One invoice line can flag multiple edits. All edits need to be cleared for an invoice line to be paid. [47] The automated validation process does not place an invoice line on hold. [48] For quality checks, USAC samples high-dollar items for review. In fiscal year 2009, Solix reviewed about 2.3 percent of invoice lines and USAC reviewed about 1.6 percent. [49] The scope of the beneficiary audits completed in 2006, 2007, and 2008 covered disbursements from October 1, 2004, through June 30, 2007. As of August 2010, USAC had not completed its analysis and report on the results of beneficiary audits completed in 2009 and through February 2010 that covered the funding disbursement period from July 1, 2007, through June 30, 2008. [50] OMB Circular No. A-123. [51] According to USAC officials, actions to address rule violations included (1) discussing the audit process and program rule violations resulting from audits during annual training offered to applicants; (2) instituting a Helping Applicants to Succeed program to provide targeted, in-person training for applicants found through an audit to have been noncompliant with program rules; (3) using a variety of outreach tools, including webinars, tip sheets, and newsletters, to address common audit findings and provide best practices to avoid them; and (4) creating an E-rate binder template and example table of contents to provide applicants with a structured approach to maintaining and retaining necessary E-rate documentation, the lack of which has been identified as a repeat audit finding. [52] These results may not be representative of the population of audits conducted or of all beneficiaries because beneficiaries were selected without regard to their history of audit results. Consequently, further FCC and USAC analysis of these repeat audit findings would be necessary to establish the rate at which repeat violations occur and how these results project to the population of program beneficiaries. [53] USAC officials told us that, as part of its performance-based compensation program, USAC has goals for its senior managers to maintain E-rate improper payment rates attributable to errors by USAC and its contractors at less than 1 percent per year. As part of this program, USAC also has a goal of reducing improper payment rates attributable to beneficiaries and service providers. [54] The average time is calculated for the 280 audits completed from June 2009 through February 2010 and approved by the Schools & Libraries Committee as of March 2010. The range of days between receipt of a draft audit report and approval was 49 to 363 days, with a median value of 229 days. The total number of audits completed and approved through May 2010 was 345. [55] Audit Committee meeting minutes for April 2006 stated that there was a consensus among staff and committee members that review of individual audit reports has not been a productive use of the committee's time, since these audit reports were also being reviewed and approved after substantive discussion by programmatic (e.g., Schools & Libraries) and executive committees of the board that had the appropriate subject matter expertise. [56] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). These standards provide the overall framework for establishing and maintaining internal control in the federal government. [57] Auditors input audit results into IPATS, which USAC uses to track the status of IPIA beneficiary audits and the resolution of audit findings. Certain data elements are transferred from IPATS to CPATS once audits have been reviewed and approved by USAC's Board of Director's Schools & Libraries Committee. CPATS is used to document the results of audit resolution activities and the status of efforts to follow up on financial and nonfinancial audit findings. [58] GAO, Telecommunications: Long-Term Strategic Vision Would Help Ensure Targeting of E-rate Funds to Highest-Priority Uses, [hyperlink, http://www.gao.gov/products/GAO-09-253] (Washington, D.C.: Mar. 27, 2009). [59] These data do not include FTEs for E-rate activities that occur after funding commitments are issued for applications (such as appeals or bankruptcy proceedings) or for E-Rate activities that occur after reimbursements are issued for invoices (such as requests for service delivery extensions and attempts to collect improperly disbursed payments). [60] We found that USAC's calculations exclude weekends and holidays. When weekends and holidays are included, the entire audit process took an average of 334 days rather than 239. When weekends and holidays are included, the average time it took to approve a final audit report is 96 days rather than 64. Moreover, when we used updated data that USAC provided on approved audits including the additional audits that had been completed since our review, we found that the average time between when USAC received a draft audit report and when the report was approved was 242 days, which is comparable to the 224 days that we use in our report. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: