GAO-12-205T, Service-Disabled Veteran-Owned Small Business Program: Additional Improvements to Fraud Prevention Controls Are Needed


This is the accessible text file for GAO report number GAO-12-205T 
entitled 'Service-Disabled Veteran-Owned Small Business Program: 
Additional Improvements to Fraud Prevention Controls Are Needed' which 
was released on November 30, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Testimony: 

Before the Subcommittees on Economic Opportunity and Oversight and 
Investigations, Committee on Veterans' Affairs, House of 
Representatives: 

For Release on Delivery: 
Expected at 10:00 a.m. EST:
Wednesday, November 30, 2011: 

Service-Disabled Veteran-Owned Small Business Program: 

Additional Improvements to Fraud Prevention Controls Are Needed: 

Statement of Gregory D. Kutz, Director: 
Forensic Audits and Investigative Service: 

GAO-12-205T: 

Chairmen Stutzman and Johnson, Ranking Members Braley and Donnelly, 
and Members of the Subcommittees: 

Thank you for the opportunity to discuss the fraud prevention controls 
within the Service-Disabled Veteran-Owned Small Business (SDVOSB) 
program at the Department of Veterans Affairs (VA). Today's testimony 
summarizes our report, released today, on the design of VA's fraud 
prevention controls within the SDVOSB verification program, including 
recent improvements in controls.[Footnote 1] The SDVOSB program is 
intended to provide federal set-aside and sole-source contracts to 
small businesses owned and controlled by one or more service-disabled 
veterans. About $10.8 billion in contracts were awarded in fiscal year 
2010 to firms that self-certified as SDVOSBs in the Central Contractor 
Registration (CCR), according to the Small Business Administration 
(SBA).[Footnote 2] VA's SDVOSB contracts accounted for $3.2 billion, 
or about 30 percent of the $10.8 billion in governmentwide SDVOSB 
contracts during fiscal year 2010. As of October 2011, VA's VetBiz 
Vendor Information Pages database shows that the agency has verified 
the eligibility of more than 5,000 SDVOSB firms. In addition, more 
than 15,000 firms also self-certified their SDVOSB eligibility in CCR. 

In audits of the SDVOSB program conducted in 2009 and 2010, we 
identified weaknesses in fraud prevention controls that allowed 
ineligible firms to receive about $100 million in SDVOSB contracts. 
[Footnote 3] These weaknesses included a lack of governmentwide 
controls, which allowed ineligible firms to receive contracts by self-
certifying that they were legitimate SDVOSB firms. In addition, we 
found the absence of continued monitoring of firm eligibility and an 
ineffective process for investigating and prosecuting firms abusing 
the program. We also found that VA had made limited progress enacting 
an effective verification program as required by the Veterans 
Benefits, Health Care, and Information Technology Act of 2006. 
[Footnote 4] To improve governmentwide program controls, we 
recommended that SBA and VA explore the feasibility of expanding the 
use of VA's verified VetBiz database to the rest of the federal 
government. SBA and VA generally agreed with our recommendation. 

After the Veterans Benefits, Health Care, and Information Technology 
Act of 2006 was passed, Congress passed laws further intended to 
strengthen the SDVOSB program within VA and governmentwide. The 
Veterans Small Business Verification Act requires VA to verify a 
firm's eligibility before including that firm in the database and 
permits VA to request additional documentation substantiating veteran 
ownership and control of a firm in order to establish 
eligibility.[Footnote 5] Furthermore, Congress also passed the Small 
Business Jobs Act of 2010, which facilitates prosecution of firms that 
willfully seek and receive small business awards through 
misrepresentation of their status, including SDVOSBs.[Footnote 6] 

Today's testimony summarizes our report on the design of VA's fraud 
prevention controls within the SDVOSB verification program, including 
recent VetBiz verification efforts, instituted in response to the 
Veterans Small Business Verification Act. The report is being released 
today as a separate product.[Footnote 7] To conduct this work, we 
reviewed prior findings from GAO audits and investigations of the 
SDVOSB program. We reviewed applicable guidance on internal control 
standards from GAO's Standards for Internal Control in the Federal 
Government,[Footnote 8] the fraud prevention framework,[Footnote 9] 
VA's Office of Inspector General (OIG) report,[Footnote 10] and VA's 
Verification Process Guidelines and internal control policies. We also 
interviewed VA officials and reviewed related documents. In addition, 
we conducted undercover tests to assess initial screening controls of 
an individual's service-disabled veteran status within VA's 
verification process. The undercover tests were limited in scope to 
providing a fictitious firm controlled by an individual whose Social 
Security number was not listed as a service-disabled veteran in VA's 
database of service-disabled veterans. Our assessment is part of an 
ongoing review of fraud prevention controls for the entire SDVOSB 
program. This testimony focuses on the design of VA's SDVOSB 
verification controls within its Center for Veterans Enterprise (CVE) 
office. With the exception of undercover tests to assess initial 
screening controls, we did not test the effectiveness of VA's fraud 
prevention controls or attempt to project the extent of fraud and 
abuse. Additional information on our scope and methodology is 
available in the issued report. 

We conducted the work related to the report from July 2011 to October 
2011 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. We 
performed our investigative work, limited to our undercover tests, in 
accordance with the standards prescribed by the Council of the 
Inspectors General on Integrity and Efficiency. 

Summary: 

VA's fraud prevention controls for the SDVOSB program within VA have 
improved since the Veterans Small Business Verification Act was 
enacted. Specifically, VA has made progress in implementing an 
enhanced initial SDVOSB verification process that reduces the risk 
that ineligible firms will receive VA contracts. However, further 
enhancements could do more to reduce the program's vulnerability. 
Improvements in the areas of preventive controls, detection and 
monitoring, and investigations and prosecutions could be made within 
VA's VetBiz verification process. With a comprehensive framework in 
place, VA can be more confident that the billions of dollars meant to 
provide VA contracting opportunities to our nation's service-disabled 
veteran entrepreneurs make it to the intended beneficiaries. In an 
effort to improve controls, in our report, we made recommendations to 
improve fraud prevention controls in the areas of prevention, 
detection and monitoring, and investigations and prosecutions. VA 
generally agreed with the recommendations. 

VA's SDVOSB Program Controls Have Improved, but Vulnerabilities Remain: 

VA's fraud prevention controls for the SDVOSB program have improved 
since the Veterans Small Business Verification Act was enacted, but 
additional enhancements would further reduce the vulnerabilities we 
identified in the areas of preventive controls, monitoring and 
detection, and investigations and prosecutions. These are also the 
components of GAO's fraud prevention framework (see fig. 1). First, 
preventive controls are an effective and efficient way of preventing 
ineligible firms from being verified. Second, active and continual 
monitoring of verified SDVOSB firms is necessary to detect any changes 
in their status that may affect eligibility. Third, investigations and 
prosecution is a strong deterrent for those considering 
misrepresenting their SDVOSB status. 

Figure 1: GAO's Fraud Prevention Framework: 

[Refer to PDF for image: illustration] 

Potential fraud, waste, and abuse: 

Implementation of Prevention controls: leads to: 

Smaller amount of Potential fraud, waste, and abuse: 

Implementation of detection and monitoring (lessons learned influence 
future use of prevention controls): leads to: 

Smaller amount of Potential fraud, waste, and abuse: 

Implementation of investigations and prosecutions (lessons learned 
influence future use of prevention controls). 

Source: GAO. 

[End of figure] 

Additional Improvements to Preventive Controls Are Needed: 

VA has enhanced deterrents to ineligible firms becoming verified 
through VetBiz. As of April 2011, VA had established verification 
guidelines, including a requirement to search the exact names of 
company principals in the Excluded Parties List System, and developed 
a risk assessment model to examine applications. VA also updated its 
data systems to limit manual data entries. Its process of verifying 
service-disabled veteran status allowed VA to prevent two fictitious 
ineligible SDVOSB applications submitted by GAO from being verified. 
Specifically, we submitted two fictitious companies for verification, 
listing the names and Social Security numbers of the majority owners 
who were not service-disabled veterans. VA's controls appropriately 
identified that our company owners were not service-disabled veterans 
and rejected our applications. VA also hired additional CVE staff to 
conduct initial file reviews and site visits. Additionally, VA has 
conducted announced site visits at high-risk firms before they receive 
VetBiz approval. Finally, VA created a quality review team to inspect 
a subset of initial file examination decisions. VA's enhanced 
deterrents under new guidelines have resulted in VA's denial of 
verification to over 1,800 firms under the new verification 
guidelines, according to VA. 

Even with these enhanced deterrents, program weakness and 
vulnerabilities remain within VA's SDVOSB program. During our 
interviews with CVE officials, we found that CVE had not performed a 
systematic assessment of the qualifications of its staff. In addition, 
CVE staff and contracting officials had not received fraud awareness 
training. VA also did not have formal processes or procedures for 
considering all SBA status protest decisions related to an applicant, 
and was not validating applicants' self-reported information. VA also 
did not have a formal process for selecting high-risk companies for 
unannounced site visits or using information from previously denied 
SDVOSB applications to prevent individuals and fraudulent companies 
from repeated attempts at breaching VA controls. Additionally, we 
found that VA was not requesting that denied companies reassess their 
self-certified SDVOSB status in CCR. By addressing the identified 
vulnerabilities, VA could further improve its fraud prevention 
controls. 

Additional Improvements to Detection and Monitoring Controls Are 
Needed: 

VA has developed some controls that may help identify firms in the 
VetBiz-verified database that do not meet SDVOSB eligibility 
requirements, such as a reverification initiative designed to review 
previously verified SDVOSB firms under new controls. VA has also 
developed a process for interested parties to protest a firm's status, 
and instituted random announced site visits of verified SDVOSB firms. 
However, even with enhanced controls, certain weaknesses and 
vulnerabilities remain because of VA's focus on initial eligibility 
verification. For example, VA does not monitor firms' continued 
compliance with North American Industry Classification System size 
standards, nor does it have contact with contracting officials to 
determine whether the required percentage of work on SDVOSB contracts 
has been performed. VA also does not systematically data mine existing 
contract awards for review and further inspection. VA also does not 
have a formal process for selecting companies for unannounced site 
visits to contract performance locations and does not have a formal 
process for interviewing contracting officials. Finally, VA has not 
formalized its quality assurance process for selecting verified 
companies for unannounced site visits to determine if the verification 
process is effective. Further improvements in these areas would 
increase the design of detection and monitoring controls within the 
verification process. 

Additional Improvements to Investigations and Prosecutions Are Needed: 

VA has taken some actions to debar firms violating SDVOSB program 
requirements. VA may debar an ineligible firm in accordance with the 
Veterans Benefits, Health Care, and Information Technology Act of 
2006, which requires that any business determined to have 
misrepresented its status as an SDVOSB shall be debarred from 
contracting for a reasonable period of time, as determined by VA. VA 
instituted a debarment committee in September 2010 specifically to 
debar firms violating SDVOSB regulations. As of October 2011, the 
committee had debarred one SDVOSB firm and related individuals that 
had misrepresented their status as an SDVOSB. Several other debarment 
actions are currently pending or are being litigated. Additionally, 
CVE officials have sent about 70 referrals to the VA OIG for potential 
fraudulent actions by firms receiving SDVOSB contracts. VA OIG is 
currently investigating these cases. 

We identified certain weaknesses and vulnerabilities in the 
investigation and prosecution controls during our site visits. The 
debarment of only one firm and related individuals suggests that there 
is room for additional action given the 1,800 firms rejected by VA 
during its verification process and the 70 firms referred to VA OIG 
for potentially fraudulent actions. Additionally, VA does not have 
specific procedures for CVE staff to refer companies to the debarment 
committee or VA OIG, and has no specific guidelines documenting how VA 
is implementing debarments or outlining the debarment committee's 
decision process. Providing more emphasis on debarments and 
investigations could further help VA deter firms from attempting to 
fraudulently gain access to its SDVOSB program. 

Conclusions: 

In conclusion, VA has made progress in implementing a valid 
verification program to deter ineligible firms from becoming verified 
and receiving SDVOSB contracts. However, additional improvements can 
be made, particularly in monitoring and detection and investigations 
and prosecutions. Specifically, developing a robust unannounced site 
visit process for verified firms and aggressively pursuing debarments 
and prosecutions of firms found to have violated program rules will 
further enhance fraud prevention controls. With a comprehensive 
framework in place, VA can be more confident that the billions of 
dollars meant to provide VA contracting opportunities to our nation's 
service-disabled veteran entrepreneurs make it to the intended 
beneficiaries. 

To minimize the risk of fraud and abuse within VA's SDVOSB program, in 
the report released today, we recommended that the Secretary of 
Veterans Affairs take 13 actions in the following three areas: 

* Improve VA's preventive controls to provide reasonable assurance 
that only eligible firms gain access to the VetBiz database. 

* Strengthen VA's detection and monitoring controls over verified 
firms. 

* Strengthen VA's investigative and prosecutorial actions for firms 
violating SDVOSB program laws and regulations. 

VA generally concurred with our recommendations and noted a number of 
significant actions planned or taken since the time of our site visits 
and development of our findings, which, according to VA, address many 
of the identified vulnerabilities. 

According to VA officials, VA has recently made improvements of its 
preventive controls. For example, VA officials stated that CVE staff 
and most contractors assisting with the application evaluation are now 
required to receive Certified Fraud Examiner training, and additional 
VetBiz training has been provided to contracting officials. VA 
officials also stated VA has recently strengthened the agency's 
monitoring and detection of verified SDVOSB firms. Specifically, VA 
officials stated that VA conducts unannounced visits to verified 
companies either randomly or during the course of a high-risk SDVOSB 
reverification assessment. Finally, VA officials stated that VA 
recently strengthened the investigative and prosecutorial actions by 
creating guidelines for referring firms to VA OIG and the debarment 
committee. We plan to follow up on actions taken by VA as part of our 
ongoing work and will report back to the subcommittees on our findings. 

Chairmen Stutzman and Johnson, Ranking Members Braley and Donnelly, 
and Members of the Subcommittees, this completes my prepared 
statement. I would be pleased to answer any questions that you may 
have at this time. 

GAO Contacts: 

If you or your staff have any questions about this testimony, please 
contact Gregory D. Kutz at (202) 512-6722 or kutzg@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this statement. 

[End of section] 

Related GAO Products: 

Service-Disabled Veteran-Owned Small Business Program: Additional 
Improvements to Fraud Prevention Controls Are Needed. [hyperlink, 
http://www.gao.gov/products/GAO-12-152R]. Washington, D.C.: October 
26, 2011. 

Service-Disabled Veteran-Owned Small Business Program: Preliminary 
Information on Actions Taken by Agencies to Address Fraud and Abuse 
and Remaining Vulnerabilities. [hyperlink, 
http://www.gao.gov/products/GAO-11-589T]. Washington, D.C.: July 28, 
2011. 

Department of Veterans Affairs: Agency Has Exceeded Contracting Goals 
for Veteran-Owned Small Businesses, but It Faces Challenges with Its 
Verification Program. [hyperlink, 
http://www.gao.gov/products/GAO-10-458]. Washington, D.C.: May 28, 
2010. 

Service-Disabled Veteran-Owned Small Business Program: Fraud 
Prevention Controls Needed to Improve Program Integrity. [hyperlink, 
http://www.gao.gov/products/GAO-10-740T]. Washington, D.C.: May 24, 
2010. 

Service-Disabled Veteran-Owned Small Business Program: Case Studies 
Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of 
Dollars in Contracts. [hyperlink, 
http://www.gao.gov/products/GAO-10-306T]. Washington, D.C.: December 
16, 2009. 

Service-Disabled Veteran-Owned Small Business Program: Case Studies 
Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of 
Dollars in Contracts. [hyperlink, 
http://www.gao.gov/products/GAO-10-255T]. Washington, D.C.: November 
19, 2009. 

Service-Disabled Veteran-Owned Small Business Program: Case Studies 
Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of 
Dollars in Contracts. [hyperlink, 
http://www.gao.gov/products/GAO-10-108]. Washington, D.C.: October 23, 
2009. 

[End of section] 

Footnotes: 

[1] GAO, Service-Disabled Veteran-Owned Small Business Program: 
Additional Improvements to Fraud Prevention Controls Are Needed, 
[hyperlink, http://www.gao.gov/products/GAO-12-152R] (Washington D.C.: 
Oct. 26, 2011). 

[2] CCR is the primary contractor registrant database for the U.S. 
federal government. CCR collects, validates, stores, and disseminates 
data in support of agency acquisition missions. 

[3] See the list of related GAO products at the end of this testimony. 

[4] The act requires VA to institute controls over its SDVOSB 
contracts. The requirement to maintain a database of VA-verified 
SDVOSBs and Veteran-Owned Small Businesses (VOSB) became effective 
June 2007. The act also requires that VA only use its set-aside and 
sole-source award authority for SDVOSB firms listed in the database 
and to debar for a reasonable period of time, as determined by VA, 
firms that misrepresent SDVOSB and VOSB status. Pub. L. No. 109-461, � 
502, 120 Stat. 3403, 3431-3435 (2006). 

[5] Veterans Small Business Verification Act, Pub. L. No. 111-275, � 
104, 124 Stat. 2864, 2867 - 2868 (2010). 

[6] Small Business Jobs Act of 2010, Pub. L. No. 111-240, � 1341, 124 
Stat. 2504, 2543 - 2544 (2010). 

[7] [hyperlink, http://www.gao.gov/products/GAO-12-152R]. 

[8] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[9] GAO, Service-Disabled Veteran-Owned Small Business Program: Fraud 
Prevention Controls Needed to Improve Program Integrity, [hyperlink, 
http://www.gao.gov/products/GAO-10-740T] (Washington, D.C.: May 24, 
2010). 

[10] VA OIG, Office of Audit and Evaluations, Department of Veteran 
Affairs: Audit of Veteran-Owned and Service-Disabled Veteran-Owned 
Small Business Programs, 10-02436-234 (July 25, 2011). 

[End of section] 

GAO�s Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO�s commitment to good government is 
reflected in its core values of accountability, integrity, and 
reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO�s website [hyperlink, http://www.gao.gov]. Each 
weekday afternoon, GAO posts on its website newly released reports, 
testimony, and correspondence. To have GAO e mail you a list of newly 
posted products, go to [hyperlink, http://www.gao.gov] and select �E-
mail Updates.� 

Order by Phone: 

The price of each GAO publication reflects GAO�s actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO�s 
website, [hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 
information. 

Connect with GAO: 

Connect with GAO on facebook, flickr, twitter, and YouTube.
Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts.
Visit GAO on the web at www.gao.gov. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; 
E-mail: fraudnet@gao.gov; 
Automated answering system: (800) 424-5454 or (202) 512-7470. 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548. 

Public Affairs: 
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, DC 20548.