This is the accessible text file for GAO report number GAO-15-36 entitled 'Improper Payments: DOE's Risk Assessments Should Be Strengthened' which was released on December 23, 2014.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to the Subcommittee on Financial and Contracting Oversight, Committee on Homeland Security and Governmental Affairs, U.S. Senate:

December 2014:

Improper Payments:

DOE's Risk Assessments Should Be Strengthened:

GAO-15-36:

GAO Highlights:

Highlights of GAO-15-36, a report to the Subcommittee on Financial and Contracting Oversight, Committee on Homeland Security and Governmental Affairs, U.S. Senate.

Why GAO Did This Study:

Improper payments are a significant problem in the federal government.
To address this problem, IPERA requires that federal agencies review their programs and identify those that are susceptible to significant improper payments--a process known as a risk assessment. DOE's history of inadequate management and oversight of its contractors led GAO to designate DOE's contract management as a high-risk area vulnerable to fraud, waste, abuse, and mismanagement. However, DOE reported that it does not have any programs susceptible to significant improper payments. GAO was asked to review DOE's internal control environment, as it relates to IPERA, to determine whether the department was at low risk for significant improper payments.

This report examines the extent to which DOE assessed its programs' risks for improper payments in fiscal years 2011 through 2013. GAO reviewed IPERA, analyzed all risk assessments and related information for this period, and interviewed DOE officials and six contractors selected to represent the types of contractor payments made.

What GAO Found:

The Department of Energy (DOE) developed a process to assess its programs for risks of improper payments, but its assessments do not fully evaluate risk. To comply with the Improper Payments Elimination and Recovery Act of 2010 (IPERA), in fiscal year 2011, DOE directed its programs to develop risk assessments using eight qualitative risk factors, such as recent major changes in program funding, and report quantitative information on improper payments. GAO found that 26 of 55 programs did not prepare risk assessments in 2011 and that the quantitative information reported, including the estimated amount of improper payments, was not reliable because, for example, it did not include information for all programs. In reviewing DOE's 2011 risk assessments, GAO also found the following:

* DOE did not always include a clear basis for risk determinations.
At least 6 of the 29 programs that prepared risk assessments did not take into account the eight qualitative risk factors, making the basis of their risk determinations unclear. At most, the assessments for 23 programs took into account the risk factors. However, support for their determinations varied widely, and some did not contain enough information to identify how the program arrived at its risk determination, which is inconsistent with federal standards for internal control. DOE's guidance directs personnel to prepare a risk assessment that considers these eight factors but does not provide further direction on what to include. Absent such direction, DOE personnel may not have a consistent understanding of how to complete their risk assessments.

* DOE did not fully evaluate other relevant risk factors. DOE's risk assessments did not fully evaluate other relevant risk factors, such as weaknesses in key controls for preventing and detecting improper payments--including inadequate subcontractor oversight. GAO found that some risk assessments included information from internal control evaluations, but many did not. DOE guidance does not instruct personnel to consider weaknesses in key controls for preventing and detecting improper payments. Without providing specific examples of other relevant risk factors in guidance and directing personnel to consider them when performing risk assessments, DOE will not have reasonable assurance that each of its programs fully evaluates risks.

Based on its 2011 assessments, DOE was not required under IPERA to prepare risk assessments or report on the amount of improper payments in 2012 and 2013. However, not fully considering program risks in its 2011 assessments and including unreliable data raises questions about whether the 2011 assessments were reliable.
What GAO Recommends:

GAO recommends that DOE take steps to improve its risk assessments including revising guidance on how programs are to address risk factors and providing examples of other risk factors likely to contribute to improper payments and directing programs to consider those factors. DOE concurred with GAO's recommendations.

View [hyperlink, http://www.gao.gov/products/GAO-15-36]. For more information, contact David C. Trimble at (202) 512-3841 or trimbled@gao.gov.

[End of section]

Contents:

Letter:
Background:
DOE Developed a Process for Assessing Improper Payment Risks, but Those Assessments Do Not Fully Evaluate Risk:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Department of Energy:
Appendix III: GAO Contact and Staff Acknowledgments:

Abbreviations:

CFO: Office of the Chief Financial Officer:
DCAA: Defense Contract Audit Agency:
DOE: Department of Energy:
IG: Office of the Inspector General:
IPERA: Improper Payments Elimination and Recovery Act of 2010:
IPERIA: Improper Payments Elimination and Recovery Improvement Act of 2012:
IPIA: Improper Payments Information Act of 2002:
M&O: management and operating:
OMB: Office of Management and Budget:

[End of section]

United States Government Accountability Office: GAO:
441 G St. N.W.
Washington, DC 20548:

December 23, 2014:

The Honorable Claire McCaskill:
Chairman:
The Honorable Ron Johnson:
Ranking Member:
Subcommittee on Financial and Contracting Oversight:
Committee on Homeland Security and Governmental Affairs:
United States Senate:

Improper payments--payments that under statutory, contractual, administrative, or other legally applicable requirements should not have been made or were made in an incorrect amount--are a long-standing, widespread, and significant problem in the federal government.[Footnote 1] The federal government reported a total of $106 billion in estimated improper payments in fiscal year 2013 alone.[Footnote 2] To try to address this problem, the Improper Payments Information Act of 2002 (IPIA), as amended by the Improper Payments Elimination and Recovery Act of 2010 (IPERA), requires, among other things, that federal agencies review their programs and identify those that are susceptible to significant improper payments--a process known as a risk assessment.[Footnote 3] Specifically, IPERA required agencies to conduct risk assessments for all federal programs and activities in fiscal year 2011 and at least once every 3 years thereafter for programs and activities deemed not risk susceptible.[Footnote 4] Under IPERA, improper payments are considered "significant" if they exceed both 1.5 percent of program payments and $10 million, or if the payments exceed $100 million regardless of the percentage of program payments.[Footnote 5]

Much of our reporting on improper payments over the past decade has focused on large programs, such as Medicare and Medicaid, or other programs and activities that involve a significant volume of payments made to a number of individuals. We have reviewed programs where payment eligibility decisions were made by entities other than the federal government, such as state or local governments.
We have also reported on improper payment challenges at federal agencies such as the Department of Defense that rely on contractors to accomplish their missions and, consequently, contract annually for hundreds of billions of dollars in goods and services.[Footnote 6] As the largest contracting agency in the federal government outside of the Department of Defense, the Department of Energy (DOE) relies primarily on contractors to carry out its diverse missions and operate its laboratories and other facilities, spending approximately 90 percent of its annual budget on contracts and large capital asset projects. DOE's history of inadequate management and oversight of its contractors led us in 1990 to designate DOE's contract management, including both contract administration and project management, as a high-risk area vulnerable to fraud, waste, abuse, and mismanagement. [Footnote 7] In January 2009, to recognize progress made at DOE's Office of Science, we narrowed the focus of the department's high-risk designation to two DOE program elements--the National Nuclear Security Administration[Footnote 8] and Office of Environmental Management. [Footnote 9] In fiscal year 2011, DOE reported in its Agency Financial Report that it did not have any programs susceptible to significant improper payments and that it has maintained an overall improper payments rate of less than 1 percent. Because DOE reported that it did not have any programs susceptible to significant improper payments in 2011, the department was not required under IPERA to prepare risk assessments in fiscal years 2012 and 2013. For those years, DOE again reported that it did not have any programs susceptible to significant improper payments and that it maintained an overall improper payment rate of less than 1 percent. In this context, you requested that we review DOE's internal control environment, as it relates to IPERA, to determine whether the department was at low risk for significant improper payments. 
This report examines the extent to which DOE assessed its programs' risks for improper payments in fiscal years 2011 through 2013.

In conducting our work, we reviewed IPERA and IPIA requirements, OMB and DOE implementing guidance, our executive guide for helping agencies identify effective strategies to manage improper payments in their programs,[Footnote 10] and Standards for Internal Control in the Federal Government[Footnote 11] and compared them with risk assessments and other IPERA-related information that DOE prepared for fiscal years 2011, 2012, and 2013. We reviewed DOE documents and met with DOE officials to determine how DOE organized its programs for the purposes of IPERA compliance over the 3-year period. For all risk assessments prepared for each DOE program, we analyzed the documentation and supporting analyses, as well as reports of actual improper payments DOE identified through the normal course of business, for fiscal years 2011 through 2013. We reviewed each risk assessment to determine its adherence to DOE's IPERA guidance and whether it provided a basis for the risk determination, among other things. We interviewed DOE headquarters officials from the Office of the Chief Financial Officer (CFO) regarding their roles in reviewing risk assessments and providing guidance on preparing risk assessments. We also interviewed officials from DOE's Office of the Inspector General (IG) regarding their roles in reporting on DOE's IPERA implementation and overseeing DOE's strategy for ensuring that contract audits are performed.
We also interviewed DOE field CFO officials at DOE's Oak Ridge, Tennessee, and Albuquerque, New Mexico locations,[Footnote 12] and we interviewed DOE contracting officers and contractor CFO and internal audit officials at six contractor locations--East Tennessee Technology Park, Los Alamos National Laboratory, Oak Ridge Associated Universities, Oak Ridge National Laboratory, Sandia National Laboratory, and Y-12 National Security Complex. At these sites, we obtained perspectives from over 70 DOE and contractor officials involved with IPERA reporting, including those that had prepared or reviewed improper payment risk assessments. We also discussed the guidance and direction provided by DOE to payment sites in implementing IPERA, as well as consistency across DOE payment sites in preparing risk assessments. We selected these sites because they are representative of the types of contractor payments made by DOE. A more detailed description of our objective, scope, and methodology is presented in appendix I.

We conducted this performance audit from August 2013 to December 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Background:

This section discusses DOE's missions and spending, contract types, contract oversight, IPERA risk assessment and IG requirements, and the roles and responsibilities of organizations involved in DOE's IPERA activities.
DOE's Missions and Spending:

DOE's missions include developing, maintaining, and securing the nation's nuclear weapons capability; cleaning up the environmental damage resulting from more than 60 years of producing nuclear weapons; and conducting basic energy and science research and development. The department carries out these diverse missions at 85 different sites across the country, including major laboratories and field facilities. With a DOE workforce of about 15,000 employees and in excess of 100,000 contractor staff, the department relies primarily on its contractors to manage and operate its sites and accomplish its missions. DOE oversees the work of its contractors through its staff and program offices at DOE headquarters and its field offices. For example, DOE contracting officers provide oversight and ensure contractors are in compliance with the terms of their contracts.

In fiscal year 2013, DOE spent about 90 percent of its total annual budget, or $24 billion of $26.4 billion, on contracts.[Footnote 13] A significant share of this spending, about $17.1 billion in fiscal year 2013, was for management and operating (M&O) contracts,[Footnote 14] which are used by DOE generally for the purposes of managing DOE laboratories and other government-owned or government-controlled facilities. DOE's M&O contracts, among other things, provide contractors with the authority to draw money directly from DOE-funded accounts to pay for contract performance.[Footnote 15] In contrast, for the less common non-M&O contracts, DOE relies on more traditional bill payment methods--which include receipt of an invoice, payment approval and authorization, and disbursement of funds.
In addition to conducting work through its contractors, DOE manages a number of grant and loan programs--which accounted for about $2.4 billion of DOE spending in fiscal year 2013.[Footnote 16] DOE also includes the Federal Energy Regulatory Commission and the Power Marketing Administrations.[Footnote 17]

Contract Types:

Federal agencies can choose among a number of different types of contracts to procure goods and services, including fixed-price, time-and-materials, and cost-reimbursement contracts. The choice of contract type is a principal means for agencies to divide the risk of cost overruns between the government and the contractor. For example, under a firm-fixed-price contract, the contractor assumes most of the cost risk; by accepting responsibility for completing a specified amount of work for a fixed price, the contractor earns a profit if the total costs it incurs in performing the contract are less than the contract price, but loses money if its total costs exceed the contract price. Under a time-and-materials contract, by contrast, the government bears the risk of cost overruns because payment is based on the number of labor hours billed at a fixed hourly rate that includes wages, overhead, general administrative costs, profit, and the costs of materials if applicable. However, time-and-materials contracts include a ceiling price that the contractor exceeds at its own risk, meaning there is no guarantee that costs above the ceiling price will be reimbursed by the government. Under cost-reimbursement types of contracts, the government assumes the cost risk because it pays the contractor's allowable costs incurred, to the extent prescribed by the contract, although these contracts also establish a ceiling that the contractor exceeds at its own risk.

In fiscal year 2013, about 90 percent, or $21.7 billion, of DOE's total contract spending was on cost-reimbursement type contracts that include contractor fees, according to DOE officials.
This includes cost-plus-fixed-fee, cost-plus-incentive-fee, and cost-plus-award-fee contracts. Under these types of contracts, the federal agency reimburses a contractor for all allowable costs and also pays a fee that is either fixed at the outset of the contract or adjustable based on objective or subjective performance criteria set out in the contract. Cost-reimbursement types of contracts place the primary risk of cost overruns on the government because of the potential for the government to pay more than the contract's estimated cost and because the government must reimburse the contractor's costs of performance up to the contract cost ceiling regardless of whether the end item or service is completed. In a September 2009 report, we concluded that cost-reimbursement types of contracts are suitable only when the agency's requirements cannot be defined sufficiently or the cost of the work cannot be estimated with sufficient accuracy to allow for the use of any type of fixed-price contract.[Footnote 18] Cost-reimbursement type contracts allow the agency to contract for work that might otherwise present too great a risk to contractors.

Contract Oversight:

The choice of a contract type--and whether the contract is an M&O contract or not--will also affect the types of internal control and contract auditing activities needed to help protect the government's interests and reduce the risk of improper payments. Under federal standards for internal control,[Footnote 19] control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. Control activities include both preventive and detective controls. Preventive controls--such as invoice review prior to payment--are controls designed to prevent improper payments (errors and fraud), waste, and mismanagement.
Detective controls--such as incurred cost audits--are designed to identify errors or improper payments after the payment is made. Incurred cost audits are intended to examine contractors' cost representations and reach an opinion on whether the costs are allowable, allocable to government contracts, and reasonable in accordance with the contract and applicable government acquisition regulations.[Footnote 20] We have previously concluded that a sound system of internal controls contains a balance of both preventive and detective controls that is appropriate for the agency's operations.[Footnote 21] DOE's contracting activities for both M&O and non-M&O contracts are governed by federal law and regulations, including the Federal Acquisition Regulation as supplemented by the Department of Energy Acquisition Regulation. The contracting cycle consists of activities throughout the acquisition process, including preaward, award, and contract administration and management. Prior to contract award, an agency generally identifies a need and develops a requirements package. Under the Federal Acquisition Regulation, the agency generally determines the method of acquisition; solicits and evaluates bids or proposals; determines the adequacy of the contractor's accounting system; and ultimately negotiates a price and contract terms, resulting in the contract award. After contract award, the Federal Acquisition Regulation generally requires the agency to perform activities related to contract administration and management, which involves monitoring the contractor's performance, as well as reviewing and approving (or disapproving) the contractor's requests for payments. Contract auditing assists in achieving prudent contracting by providing those responsible for government procurement with financial information and advice relating to contractual matters and the effectiveness, efficiency, and economy of contractors' operations. 
Depending on the contract type, various contract audit activities can occur in the preaward, award, and administration and management phases of a contract. For example, before awarding a cost-reimbursement or other non-fixed-price type contract, the Federal Acquisition Regulation requires agency contracting officers to determine the adequacy of a contractor's accounting system. After certain types of contracts are awarded, contract audits--including incurred cost audits--are intended to be a key control to help ensure that contractors are charging the government in accordance with applicable laws, regulations, and contract terms.

At DOE, the requirements and responsibility for conducting contract and other audits--including incurred cost audits and audits of subcontractor costs--vary, depending on whether the contract is an M&O or a non-M&O type contract, as follows:

* M&O contracts. In its M&O contracts, DOE does not require contractors to submit invoices; instead, the agency provides contractors with the authority to draw funds directly from federal accounts to pay for contract performance. Therefore, DOE does not rely on traditional invoice reviews prior to payment as a means of helping prevent improper payments. Instead, DOE relies on a combination of audits of contractor accounting systems and certain detective controls. Specifically, using a process known as the Cooperative Audit Strategy,[Footnote 22] DOE relies on its M&O contractors to perform the audit work necessary to ensure that their accounting systems are adequate and that they are charging DOE for only those costs that are allowable under the contract.
As part of DOE's Cooperative Audit Strategy, M&O contractors are required to maintain an internal audit organization that is responsible for performing operational and financial audits, including incurred cost audits, and assessing the adequacy of management control systems.[Footnote 23] In addition, M&O contractors are required to provide adequate audit coverage of subcontractors where costs incurred are a factor in determining the amount payable.[Footnote 24] M&O contractors are also required to submit an annual Statement of Costs Incurred and Claimed that includes the contractor's certification that the costs claimed represent allowable contract costs. To support this statement, the contractors' internal audit organization conducts an annual incurred cost audit. Among other things, in conducting the annual incurred cost audit, the internal auditors are expected to develop a sampling methodology that will allow them to test selected transactions to determine whether the associated costs are allowable under the contracts' terms and to make projections regarding the total amount of unallowable costs based on the testing results. According to DOE's Financial Management Handbook, under the Cooperative Audit Strategy, DOE's IG is required to annually perform an assessment of these statements for the 10 M&O contractors who incurred and claimed the most costs annually. For the remaining M&O Statements of Costs Incurred and Claimed, the IG is required to perform assessments on a rotational basis, meaning the IG reviews a few each year until it completes all of the remaining ones and then starts over again. DOE officials cite the Cooperative Audit Strategy as a key internal control.

* Non-M&O contracts. Non-M&O contractors do not fall under DOE's Cooperative Audit Strategy and therefore are not required to submit an annual Statement of Costs Incurred and Claimed, maintain an internal audit organization, or provide audit coverage of subcontracts.
Instead, DOE relies on traditional bill payment methods, which include prepayment review of invoices, for its non-M&O contracts. DOE also relies on contract audits--including incurred cost audits--for detecting improper payments. The Defense Contract Audit Agency (DCAA) has traditionally been the primary auditor for non-M&O contracts--performing preaward and annual incurred cost audits to ensure that non-M&O contractor costs are allowable under the contract. According to DOE's acquisition guide, the majority of DOE's contract dollars have traditionally been spent on M&O contracts, and DCAA services were used for the few other DOE contracts that were typically of small dollar value.[Footnote 25] More recently, however, DOE has expanded its use of non-M&O contracts.

Regardless of the approach used, DOE contracting officers are responsible for determining whether costs incurred are allowable under the contract.[Footnote 26] During the course of conducting incurred cost audits, auditors sometimes question the allowability of certain costs. Based on this information, contracting officers may eventually decide to disallow certain costs. Before moving to disallow costs, however, the Federal Acquisition Regulation requires agencies to "make every reasonable effort" to reach a satisfactory settlement with the contractor.[Footnote 27]

IPERA Risk Assessment and IG Requirements:

Under IPERA and OMB's implementing guidance, which together provide the specific requirements for assessing and reporting on improper payments,[Footnote 28] federal agencies are required to review all programs and activities that they administer and identify any program that may be susceptible to significant improper payments--a process known as a risk assessment. Agencies must institute a systematic method of reviewing and assessing their programs, which may take the form of either a quantitative analysis based on a statistical sample or a qualitative evaluation.
IPERA requires that agencies, in performing their risk assessments, take into account those risk factors that are likely to contribute to significant improper payments, such as:

1. whether the program or activity reviewed is new to the agency;

2. the complexity of the program or activity reviewed, particularly with respect to determining correct payment amounts;

3. the volume of payments made annually;

4. whether payments or payment eligibility decisions are made outside of the agency, for example, by a state or local government, or a regional federal office;

5. recent major changes in program funding, authorities, practices, or procedures;

6. the level, experience, and quality of training for personnel responsible for making program eligibility determinations or certifying that payments are accurate; and

7. significant deficiencies in the audit reports of the agency including but not limited to the agency Inspector General or the Government Accountability Office report audit findings or other relevant management findings that might hinder accurate payment certification.

OMB's implementing guidance added an eighth risk factor, directing agencies to consider the results from prior improper payment work. For the purposes of this report, we will refer to these as the eight risk factors.[Footnote 29] It is important to note that these eight risk factors do not necessarily represent all of the risks for improper payments across all federal agency programs. OMB's guidance describes these risk factors as the minimum that agencies should consider. Under IPERA, an agency's assessment of risk factors likely to contribute to significant improper payments may include other risk factors, as appropriate, specific to the program or activity being assessed.

We have reported on the importance of risk assessments for managing improper payments and best practices for conducting them.
As described in our executive guide for helping agencies identify effective strategies to manage improper payments in their programs,[Footnote 30] a risk assessment is a comprehensive review and analysis of program operations to determine if risks exist and the nature and extent of the risks identified. The information an agency develops during a risk assessment forms the foundation or basis upon which agency management can determine the nature and type of corrective actions needed, and it gives management baseline information for measuring progress in reducing improper payments. In addition, reducing improper payments, according to our executive guide, requires a strategy appropriate to the organization involved and its particular risks. Under IPERA, agencies were required to conduct risk assessments for all federal programs and activities in fiscal year 2011 and at least once every 3 years thereafter for programs and activities deemed not risk susceptible. As discussed previously, DOE reported in fiscal year 2011 that it did not have any programs susceptible to significant improper payments. However, we note that, in fiscal years 2012 and 2013, the department elected to conduct certain risk assessment related activities that were not required under IPERA. Under IPERA, if, in its risk assessment, an agency finds that a program is susceptible to significant improper payments, the agency must conduct annual statistical sampling of payment transactions to estimate improper payments, publicly report the results, and implement corrective actions to reduce future improper payments. Because DOE reported in fiscal years 2011 through 2013 that none of its programs were susceptible to significant improper payments, under IPERA, the department was not required to take these additional steps. 
Under IPERA, however, all agencies are required to identify and recover improper overpayments by conducting recovery audits, also known as payment recapture audits, for agency programs that expend $1 million or more annually, if such audits would be cost-effective.[Footnote 31] OMB requires agencies, including DOE, to report annually on their recovery auditing efforts in their Performance and Accountability Reports or their Agency Financial Reports.

Additionally, IPERA requires that each fiscal year, as first implemented in fiscal year 2011, the IG of each agency determine whether the agency is in compliance with certain criteria in IPERA and submit a report on that determination to the head of the agency and others.[Footnote 32] Specifically, IGs are to determine whether agencies:

1. published a Performance and Accountability Report or Agency Financial Report for the most recent fiscal year and posted that report and any accompanying materials required by OMB on the agency website;

2. conducted a program-specific risk assessment for each program or activity that conforms with IPERA (if required);

3. published improper payment estimates for all programs and activities identified as susceptible to significant improper payments under its risk assessment (if required);

4. published programmatic corrective action plans in the Performance and Accountability Report or Agency Financial Report (if required);

5. published, and has met, annual reduction targets for each program assessed to be at risk and measured for improper payments;

6. reported a gross improper payment rate of less than 10 percent for each program and activity for which an improper payment estimate was obtained and published in the Performance and Accountability Report or Agency Financial Report; and

7. reported information on its efforts to recapture improper payments.[Footnote 33]

In its fiscal year 2011 report on IPERA compliance, DOE's IG reported that the department had not met the OMB criteria in its implementation guidance for compliance under IPERA.[Footnote 34] Among other things, the IG reported that DOE, in its review of programs to determine whether any might be susceptible to significant improper payments, had inconsistently executed its risk assessments. The IG recommended, among other things, that DOE implement policies and procedures to ensure oversight and communication of the application of the improper payment definition by its sites and adherence to the prescribed guidance. DOE concurred with this recommendation. In subsequent reports on IPERA compliance for fiscal years 2012 and 2013, the IG found that DOE had complied with all requirements of IPERA.

Roles and Responsibilities of Organizations Involved in DOE's IPERA Activities:

DOE's Office of the CFO, hereafter referred to as the DOE headquarters CFO, is responsible for issuing IPERA guidance and consolidating and reporting improper payments information annually in DOE's Agency Financial Report. DOE's contractors, along with other DOE field office staff, provide information that is the basis for DOE's IPERA risk assessment and reporting activities. In addition to having contractor internal auditors, DOE has M&O contractor CFOs who play a role in assessing risk and reporting improper payment information. Generally, contractor CFOs assist in preparing the payment sites' risk assessment and improper payment data. DOE's 11 field CFOs, in cooperation with DOE contracting officers, are responsible for overseeing contractor and other activities in the field and assist DOE's headquarters CFO in implementing IPERA requirements.
DOE Developed a Process for Assessing Improper Payment Risks, but Those Assessments Do Not Fully Evaluate Risk:

DOE developed a process to assess its programs for risks of improper payments in fiscal year 2011 that included both a qualitative risk assessment and quantitative information on improper payments. However, based on our evaluation of the department's fiscal year 2011 risk assessment process, we found that DOE did not prepare risk assessments for all of its programs, and the quantitative information reported was not reliable; DOE's risk assessments did not always include a clear basis for the risk determination; and DOE's risk assessments did not fully evaluate other relevant risk factors. In addition, because DOE found its programs to be at low risk for significant improper payments in fiscal year 2011, the department was not required to prepare risk assessments again until fiscal year 2014. In fiscal years 2012 and 2013, although not required, DOE directed its sites to prepare an overall risk assessment rating and information on the amount of actual improper payments identified through the normal course of business. However, we found that the information reported in fiscal years 2012 and 2013 constituted less information on improper payments risk than what was provided in fiscal year 2011, and the information reported provided limited insight into the risk of improper payments.

In Fiscal Year 2011, DOE Developed a Process for Assessing Improper Payment Risks:

To comply with IPERA, DOE developed a process in fiscal year 2011 to assess its programs' risks for improper payments. DOE defined its programs as including both the sites responsible for making payments on behalf of DOE (hereafter referred to as payment sites) and its grant and loan programs. Specifically, in 2011, DOE identified 55 payment sites as programs.
Of those sites, 38 were contractor sites, which include sites such as DOE laboratories, weapons production facilities and major cleanup sites. The remaining 17 payment sites were managed by DOE. These sites include local DOE site offices and the Oak Ridge Financial Service Center (collectively referred to as DOE field office sites); the department's four Power Marketing Administrations; and the Federal Energy Regulatory Commission. To aid in its compliance with IPERA, DOE issued guidance in fiscal year 2011 that directed payment sites to (1) develop a site-specific risk assessment that takes into account, at a minimum, the eight risk factors, (2) prepare a statistically valid estimate of the annual amount of improper payments, and (3) submit a copy of the risk assessment and improper payments estimate to the DOE headquarters CFO. DOE's fiscal year 2011 guidance did not specify who would be responsible for evaluating the risks of DOE's grant and loan programs, but DOE officials told us that DOE headquarters was responsible for performing this function. DOE officials told us that under this process, cognizant DOE field CFO offices reviewed payment site risk assessments before they were submitted to the headquarters CFO. Based on the risk assessments and statistical sampling information that payment sites submitted to the headquarters CFO, DOE determined in 2011 that it did not have any programs susceptible to significant improper payments. Additionally, DOE reported in its Fiscal Year 2011 Agency Financial Report that its estimate of the annual amount of improper payments from statistical sampling was $17.5 million out of $31.2 billion in total outlays, which represents an overall improper payment rate of .06 percent. 
[Footnote 35]

For 2011, DOE Did Not Prepare Risk Assessments for All Its Programs, and the Quantitative Information That Programs Reported Was Not Reliable:

DOE did not prepare risk assessments for nearly half of its payment sites for fiscal year 2011, and the quantitative information that payment sites reported for improper payments was not reliable. In addition, DOE did not prepare risk assessments for its grant and loan programs for fiscal year 2011.

Nearly Half of DOE's Payment Sites Did Not Prepare Risk Assessments for 2011:

We found that 26 of the 55 payment sites that DOE had designated as programs for fiscal year 2011 did not prepare risk assessments. Of these 26 sites, 11 sites did not submit either a qualitative assessment or quantitative information, and 15 submitted quantitative information on the site's estimated amount of improper payments but did not provide a qualitative assessment of risk, as required by DOE guidance. IPERA requires federal agencies to assess the risk of all programs for significant improper payments.[Footnote 36] DOE had a process and guidance in place for conducting risk assessments, and DOE's fiscal year 2011 guidance directed each payment site to complete a risk assessment that, at a minimum, considered the eight risk factors. DOE's guidance also states that each site will provide a copy of the risk assessment to the DOE headquarters CFO to support their conclusions.
However, 26 sites did not prepare and submit risk assessments as required (i.e., 10 non-M&O contractor payment sites, 11 DOE field office sites, and 5 M&O contractor sites).[Footnote 37] DOE officials said the 10 non-M&O payment sites did not prepare risk assessments for fiscal year 2011 because they were covered as part of the risk assessments conducted by the cognizant DOE field office that year.[Footnote 38] In reviewing risk assessments, we found that 3 of the 10 non-M&O payment sites were discussed in the assessment by a cognizant DOE field office site--the Richland Office. However, the discussion of the non-M&O sites did not constitute a risk assessment for those sites because the Richland Office only made limited mention of the internal controls used by these 3 non-M&O sites, rather than a more robust assessment of the risk factors. Moreover, we found no evidence that the remaining 7 non-M&O sites were assessed by the cognizant field office site--in part, because many of the other cognizant field office sites did not prepare risk assessments in 2011. DOE officials told us that the Oak Ridge Office, which prepared a risk assessment in 2011, was the cognizant DOE field office that covered the risk assessments for some of the non-M&O contracts. However, we found that its risk assessment did not address the eight risk factors as they relate to the specific payment processes and controls at the non-M&O contractor sites.[Footnote 39] For example, at the time of the fiscal year 2011 reporting, the Oak Ridge payment site oversaw USA Repository Services LLC, a non-M&O payment site, but the Oak Ridge risk assessment does not mention the contractor or discuss any of the processes and controls specific to that contractor. Assessing risk at the non-M&O contractors is important because many of the prepayment review processes and controls that impact the risk associated with making an improper payment reside at the non-M&O contractor site.
For example, upon receipt of an invoice, DOE officials at the non-M&O site are responsible for verifying that the goods and services reflected on the invoice have been received. Regardless of whether the cognizant DOE field site's risk assessment covered these non-M&O contractors, not having completed risk assessments for these non-M&O contractor sites limited the information DOE needed to assess the risk for all of its programs. For the 11 DOE field office sites that did not prepare and submit risk assessments as required, DOE officials said that the 11 sites did not have to prepare risk assessments. Absent their inclusion in a risk assessment prepared for some other program or activity within DOE, this statement is not consistent with IPERA, and again not having completed risk assessments for these 11 field sites limited the information DOE needed to assess the risk for all of its programs. DOE officials further explained that they believe the 5 M&O contractor sites did prepare risk assessments for fiscal year 2011, but the DOE officials were unable to locate those risk assessments in their files. As discussed later in this report, in fiscal year 2012, all but 4 payment sites prepared and submitted risk assessment ratings and, in fiscal year 2013, all payment sites prepared and submitted risk assessment ratings. In July 2014, DOE issued its IPERA risk assessment guidance for fiscal year 2014 with a number of revisions. One revision directs DOE field office sites to consider the payment processes of the non-M&O contractors they oversee when completing required risk assessments. However, the guidance does not specify that those sites should address the eight risk factors as they relate to the non-M&O sites. 
Without directing field office sites in guidance to address the eight risk factors as they relate to the non-M&O contractor risk assessments, the sites cannot fully assess the risk of improper payments, and DOE cannot fully understand its risks for improper payments and take corrective actions to mitigate such risks in the future.

Quantitative Information Reported for Improper Payments for 2011 Was Not Reliable:

The quantitative information on the amount of improper payments DOE reported in its Fiscal Year 2011 Agency Financial Report was not reliable because it was not complete and did not match the total information submitted by payment sites. As discussed previously, DOE determined for 2011 that it did not have any programs susceptible to significant improper payments based on both the qualitative risk assessments prepared by the payment sites as well as the statistical sampling information that some payment sites submitted to the headquarters CFO. DOE reported in its Fiscal Year 2011 Agency Financial Report that its estimate of the annual amount of improper payments from statistical sampling was $17.5 million out of $31.2 billion in total outlays. However, our review could not verify the accuracy of the $17.5 million reported for two reasons. First, 13 payment sites did not submit to DOE quantitative information on their estimated improper payments or their outlays, so the information reported was incomplete. Second, for payment sites that submitted their information to DOE, the totals for the quantitative information submitted did not equal the amount reported in DOE's Agency Financial Report.
In addition, we did not evaluate the sampling methodology that DOE used to estimate its improper payments in fiscal year 2011 because the DOE IG previously reported on this issue and found problems with DOE's methodology.[Footnote 40] In its fiscal year 2011 report on IPERA compliance, the DOE IG found that DOE used a nonstatistical sampling method to arrive at its estimated improper payment rate. The IG recommended that DOE develop a system of controls to help ensure the sampling methodologies used at the sites align with the methodology required in the department's IPERA reporting guidance. At that time, DOE concurred with the recommendation. However, according to DOE officials, DOE decided not to conduct statistical sampling in later years because IPERA does not require that agencies perform statistical sampling as part of a risk assessment.

DOE Headquarters Did Not Prepare Risk Assessments for Its Grant and Loan Programs for Fiscal Year 2011:

DOE did not prepare required risk assessments for its grant and loan programs for fiscal year 2011. As discussed previously, DOE officials told us that DOE headquarters was responsible for evaluating the risks of its grant and loan programs for improper payments for 2011. However, DOE headquarters officials told us that they did not prepare the required risk assessments for these programs for 2011. DOE headquarters officials said they did not conduct a risk assessment on grant programs for 2011 because they were awaiting more detailed guidance from OMB on how to assess grant programs under IPERA--specifically, whether to assess risk at the primary or the subrecipient level.
In terms of the loan programs, DOE officials said that they held discussions with OMB and identified strong financial controls and oversight associated with the Federal Financing Bank that administers DOE's loan payments and determined that the existence of these controls provided a low risk of improper payments in the loans area.[Footnote 41] Therefore, DOE officials concluded that a separate risk assessment for loans was not warranted for fiscal year 2011. However, DOE did not provide documentation to support this conclusion. Moreover, this is inconsistent with IPERA and OMB's implementing guidance, which requires federal agencies to review all programs for significant improper payments, and DOE's 2011 guidance, which directs each payment site to complete a risk assessment. In July 2014, DOE issued its IPERA risk assessment guidance for fiscal year 2014 with a number of revisions. One revision directs payment sites with cognizance over grants to report their known improper grant payments. Another revision directs DOE's Loan Guarantee Program Office to prepare a risk assessment for DOE's loan programs. In August 2014, DOE officials told us that cognizant payment sites will now be responsible for considering grant payments in their risk assessments, and that payment sites and the DOE Loan Office will explicitly address the risk factors for grant and loan programs, respectively. If implemented effectively, this revision to DOE's guidance could address our findings related to DOE not fully assessing its grant and loan programs.

DOE's Fiscal Year 2011 Risk Assessments Did Not Always Include a Clear Basis for the Risk Determination:

DOE's fiscal year 2011 risk assessments did not always include a clear basis for their risk determinations.
For the 29 payment sites that prepared risk assessments for fiscal year 2011, we analyzed them to determine whether the risk assessments took into account the eight risk factors.[Footnote 42] Based on our analysis of the risk assessment documentation provided, we found that some payment sites did not take into account the eight risk factors. For those that did, the support for their conclusions varied widely, and some assessments did not contain enough information for us to determine how the payment sites arrived at their risk determination. Based on our analysis, we determined that at least 6 of the 29 sites that prepared risk assessments did not take into account the eight risk factors, making the basis of their risk assessment determinations unclear. For example, one site's risk assessment did not address the eight factors and instead noted that it conducted a 100 percent payment review for all invoices and thus determined that its risk of improper payments was low. However, the risk assessment did not provide any information as to the results of its invoice reviews. In another instance, a site's risk assessment consisted of two sentences noting that its account volume of payments had not changed significantly and that its funding, authorities, practices, and procedures, as well as the level and quality of training of its personnel had not changed significantly. Based on this, the site concluded it had a low amount of improper payments and had controls in place to identify and record them. In a third instance, a site's risk assessment contained information on its internal controls indicating that many of its payment processes were high risk. Specifically, this risk assessment rated each of the subprocesses associated with payroll administration, payables management, and travel administration as high or medium risk. 
For example, under the payables management subprocess, some of the high-risk areas that were noted include the unauthorized approval of invoices; payments made without an approved invoice; and invalid payees established in the payee data file. Nonetheless, this site concluded that its risk of improper payments was low, but it provided no additional clarification on how it arrived at this conclusion. Through our analysis, we also determined that at most the 23 remaining payment sites submitted risk assessments that took into account the eight risk factors. However, support for their conclusions varied widely, and some assessments did not contain enough information for us to determine how the payment sites arrived at their risk determination, raising questions about who at DOE was responsible for reviewing and approving risk assessments for consistency. DOE's guidance directs its sites to submit a risk assessment to DOE headquarters that incorporates the eight factors in support of their risk determination. However, its guidance does not provide further direction on what should be provided in the assessment to address each risk factor. DOE officials told us that they left it up to the payment sites to determine how to address the eight risk factors. As a result, we found that the support provided to address each risk factor was inconsistent, ranging from several paragraphs of narrative to one sentence answers or "yes or no" responses. In some cases, we could not determine how payment sites considered the eight risk factors to arrive at a risk determination. For example, in one case, the risk assessment was a table populated with a designation of high, medium, or low for each of the eight risk factors by specific payment functions, such as accounts payable, travel, and payroll. 
In this example, it was not clear how the site arrived at the risk designations for each of the specific payment functions or how the site weighted each risk designation to arrive at a risk determination for the program. DOE's fiscal year 2011 IPERA guidance directed each site to provide a copy of the risk assessment to support its risk designation, but it did not specify how sites were to document the basis for their risk determinations. Under the Standards for Internal Control in the Federal Government, internal controls and all transactions and other significant events need to be clearly documented. Based on our review of DOE's risk assessments, the documentation they contained did not always provide a clear basis for the risk determinations. Instead, like the discussion of risk factors, the support for risk determinations was inconsistent, ranging from several paragraphs of narrative to mere designations of high, medium, or low risk with no accompanying documentation. Absent clarification in guidance of how payment sites are to address the eight risk factors and document the basis for their risk rating determinations, DOE personnel may not have a consistent understanding of how to complete risk assessments. In addition, DOE's fiscal year 2011 IPERA guidance did not specify who at DOE was responsible for reviewing and approving risk assessments for consistency with IPERA requirements and OMB and DOE guidance. Under the federal standards for internal control, federal agencies are to employ internal control activities, such as reviews by management at the functional or activity level, and such activities include approvals, authorizations, verifications, and reconciliations. As previously mentioned, DOE officials told us that cognizant DOE field CFOs reviewed payment site risk assessments. However, given the level of inconsistency we found in our review of payment site risk assessments, it is unclear who was reviewing the assessments.
Without clarifying in guidance who at DOE is responsible for reviewing and approving risk assessments for consistency across sites, DOE may not have reasonable assurance that the assessments are receiving the same level of oversight at each site. As discussed previously, DOE issued new IPERA risk assessment guidance in July 2014 with a number of revisions. Among other things, these revisions are aimed at addressing inconsistencies in the risk assessments. One revision directs payment sites to include a brief explanation for each risk factor. DOE officials also told us in August 2014 that their IPERA training covers how payment sites are to perform risk assessments. However, the 2014 guidance does not specify how payment sites should address each factor and what documentation they are to include in support of their risk determinations, which is inconsistent with federal standards for internal control. As mentioned earlier, without clarifying in guidance how payment sites are to address the eight risk factors and document the basis for their risk rating determinations, DOE cannot be assured that its personnel have a consistent understanding of how to complete risk assessments. The 2014 guidance also does not clarify who at DOE is responsible for reviewing and approving risk assessments for consistency. Also mentioned earlier, without clarifying in guidance who at DOE is responsible for reviewing and approving risk assessments consistent with federal standards for internal control, DOE may not have reasonable assurance that the assessments are receiving the same level of oversight at each site. In addition, while DOE provided training for its payment sites for its fiscal year 2011 IPERA reporting, given the number of deficiencies we identified with that process, clarifying the guidance could help prevent inconsistencies in future risk assessments. 
DOE's Fiscal Year 2011 Risk Assessments Did Not Fully Evaluate Other Relevant Risk Factors:

DOE's risk assessments did not fully evaluate other relevant risk factors. As previously stated, the eight risk factors do not necessarily represent all of the risks for improper payments across all federal agency programs, and OMB's guidance describes these risk factors as the minimum that agencies should consider. DOE's 2011 IPERA guidance requires that programs consider, at a minimum, the eight risk factors, but it does not require programs to consider other factors that are specific to the program being assessed. In particular, DOE's guidance does not require programs to consider, as part of their risk assessments, weaknesses in key controls for preventing and detecting improper payments. Control activities such as prepayment reviews and matching invoices with receiving reports are important for preventing improper payments,[Footnote 43] and contract audits--including subcontract audits and annual incurred cost audits--are intended to be a key control for detecting improper payments. However, the DOE IG found in April 2013 that, from 2010 to 2012, subcontracts with a total value in excess of $906 million had either not been audited by M&O contractors or had audits that did not meet audit standards.[Footnote 44] The report further noted that the insufficient audit coverage substantially increases the risk that improper payments will be incurred and not detected in a timely manner. In addition, DOE officials told us that contract audits, particularly for non-M&O contracts, are not always performed in a timely manner.
DCAA has traditionally performed contract audits for DOE's non-M&O contracts; however, a significant backlog of audits at the Department of Defense has impacted DCAA's ability to perform work for other agencies, including DOE.[Footnote 45] Untimely contract audits, regardless of the cause, represent a risk that improper payments will not be identified in a timely manner. However, DOE's 2011 guidance did not require that programs consider risk factors related to internal control weaknesses--such as untimely contract audits or inadequate subcontractor oversight. DOE's fiscal year 2011 IPERA guidance states that programs must have an effective system of internal control to prevent and detect improper payments and to recover overpayments. The guidance also states that key controls should be tested as part of OMB Circular A-123 evaluations. A-123 is OMB's Circular on reporting for internal controls and certain financial risks.[Footnote 46] DOE officials said that during DOE's IPERA training, sites have been instructed to consider the results of the A-123 evaluations, which include evaluation of key risks and controls, when determining susceptibility to high risk of improper payments. In addition, DOE officials said that DOE headquarters CFO officials have reviewed A-123 results across the department when determining the department's overall risk. However, DOE does not require programs to consider weaknesses in its internal controls as part of its risk assessment. In our review of DOE's fiscal year 2011 risk assessments, of the 29 sites that did risk assessments, at most, 10 included information stating that the results of A-123 evaluations were considered as part of the risk assessments. Information from A-123 evaluations on internal controls could potentially provide information relevant to assessing the risk of improper payments. 
However, based on the documentation provided in the fiscal year 2011 risk assessments, it was not clear how many sites considered the results of their A-123 evaluations and for those that did, how those results were factored into the risk assessment. In implementing Standards for Internal Control in the Federal Government, management is responsible for developing the detailed policies, procedures, and practices to fit agency operations and to ensure that they are an integral part of operations. In addition, according to our executive guide on strategies for managing improper payments, reducing improper payments requires a strategy appropriate to the organization involved and its particular risks.[Footnote 47] However, DOE's 2011 IPERA guidance did not direct sites to augment the eight risk factors for a qualitative evaluation with other risk factors that might be appropriate to a program and its particular risks, so many of the payment sites did not fully consider other risk factors. In its July 2014 updated IPERA risk assessment guidance, DOE recognized the need to address other risk factors relevant to agencies' operating environments. One revision directs payment sites to consider a ninth risk factor: Evaluate the inherent risk of improper payments due to the nature of the agency's programs/operations. The guidance states that this new risk factor was added based on a 2014 draft revision of OMB's improper payments guidance.[Footnote 48] However, it is unclear how DOE's guidance will be implemented by the department's payment sites because the guidance does not provide specific examples of potential inherent risks for improper payments--such as untimely contract audits or inadequate subcontractor oversight--that all payment sites should consider and this is not consistent with federal standards for internal control and effective strategies included in GAO's executive guide. 
Without providing in its guidance specific examples of other risk factors that present inherent risks likely to contribute to improper payments and directing payment sites to consider those other factors when performing their improper payment risk assessments, DOE will not have reasonable assurance that its payment sites consistently consider other relevant risk factors to fully evaluate risks.

For Fiscal Years 2012 and 2013, DOE Directed Programs to Report Less Information on Improper Payment Risks:

In fiscal years 2012 and 2013, we found that DOE directed programs to report less information on improper payment risks. Specifically, DOE required fewer payment sites to report under IPERA and, for those sites that were required to report, we found that DOE requested less information on the risks of improper payments. DOE reported that it did not have any programs susceptible to significant improper payments in 2011. As previously discussed, we found that DOE did not fully consider program risks in its fiscal year 2011 risk assessments and included unreliable data, which raises questions about whether the 2011 assessments were reliable. Nonetheless, because of its 2011 determination that it did not have programs susceptible to significant improper payments, the department was not required under IPERA to prepare risk assessments in 2012 and 2013. DOE elected to conduct certain risk assessment related activities in fiscal years 2012 and 2013. However, we found the risk assessment and other related information that sites reported provided limited insight into the department's risk of improper payments. In electing to conduct certain risk assessment related activities in fiscal years 2012 and 2013, DOE required fewer sites to report and allowed the remaining sites to provide more limited information on risk.
Specifically, for fiscal years 2012 and 2013, DOE's guidance redefined its programs, reducing the number from 55 to 43 payment sites by combining certain contractor payment sites with payment sites managed by DOE. According to DOE officials, for the purposes of IPERA reporting, cognizant DOE field offices--which are themselves payment sites--are now responsible for assessing risk for all non-M&O contracts. In addition, DOE's fiscal year 2012 and 2013 guidance did not direct sites to submit risk assessments. Instead, the guidance directed sites to (1) prepare an overall risk assessment rating for the site of high, medium, or low based on the eight risk factors and the amount of actual improper payments identified through the normal course of business; (2) submit the overall risk rating and known improper payment information to DOE headquarters CFO; and (3) maintain any detailed risk assessment support or other detailed support for the known improper payments data. DOE's guidance included a reporting template listing the eight risk factors and a place for payment sites to indicate their overall risk rating, which DOE prepopulated with a low risk rating. The template also included tables to report information on known improper payments. According to DOE's fiscal years 2012 and 2013 guidance, known improper payments include, among other things, payments identified by a contractor's internal accounting practices or those identified during the course of IG audits.[Footnote 49] Based on our review of the reporting templates that were submitted by payment sites in fiscal years 2012 and 2013, we found that 4 payment sites did not submit a reporting template in 2012, but that all sites submitted a reporting template in 2013. In addition, we found that the overall risk assessment rating for each payment site provides limited insight into DOE's risk for improper payments. 
Although DOE's 2012 and 2013 guidance directed sites to maintain support for their overall risk assessment rating, it did not require sites to submit supporting documentation for their risk ratings. The low risk designation that all of the sites provided in both years without supporting documentation did not provide information on how those sites considered the eight risk factors, how they weighed each factor against the others, or how they considered the eight factors in relation to their improper payments data to arrive at their overall risk rating. We also found that DOE's reporting of a program's amount of improper payments for fiscal years 2012 and 2013 provided limited insight into DOE's risk of improper payments. IPERA and OMB guidance do not require DOE to report total known improper payments and, although not required to, DOE reports its total known improper payments annually in its Agency Financial Report.[Footnote 50] DOE cites this reporting as evidence in determining that its programs, and the department as a whole, are at low risk for improper payments. For example, in its Fiscal Year 2013 Agency Financial Report, DOE reported that it had identified $21.8 million in improper payments made in fiscal year 2012 out of $46.5 billion in total outlays.[Footnote 51] In reporting this number, DOE did not report the full extent of its improper payments as it did not disclose information on prior year improper payments. In addition, DOE did not disclose information on settled costs, as shown in the following: * Prior year improper payments. According to DOE officials, the amount of DOE's total known improper payments does not include known improper payments identified in prior years. This means that improper payments that occurred in prior fiscal years but were not identified until a later reporting year are not included. 
Thus, the $21.8 million in improper payments that DOE reported in its Fiscal Year 2013 Agency Financial Report only includes improper payments made and identified during fiscal year 2012. Therefore, DOE's reporting does not provide the full extent of DOE's total improper payments. Specifically, DOE pays contractors throughout the year for services performed, and those charges are subject to incurred cost audits to ensure that they are allowable under the terms of the contract. If charges are ultimately found to be unallowable by DOE, those charges are considered improper payments under IPERA. The process for ultimately determining that costs are unallowable can take a considerable amount of time, and the amount of money involved can be significant. For example, in April 2012 and October 2012, the IG reported about $4.4 million in disallowed costs identified in fiscal year 2012 related to prior year payments.[Footnote 52] However, this $4.4 million was not included when DOE reported its known improper payments for fiscal year 2012 in DOE's Fiscal Year 2013 Agency Financial Report. * Settled costs. DOE's IG and contractor internal auditors have the ability to question costs they find to be potentially unallowable under the terms of a contract. Once costs have been questioned, DOE must ultimately make a determination whether to allow or disallow those costs. Before disallowing costs, the Federal Acquisition Regulation requires agencies to "make every reasonable effort" to reach a satisfactory settlement with the contractor. In one settlement agreement we reviewed, the contractor agreed to reimburse DOE for $10 million in questioned costs, referring to them as "potential unallowable costs." Because those costs are not explicitly identified as unallowable in the settlement agreement, DOE does not consider them improper under IPERA and therefore does not disclose them in its reporting. 
DOE officials told us that their reporting of current year known improper payments in their Agency Financial Report is consistent with OMB guidance. We recognize that DOE is reporting more information than is required. However, citing an amount of improper payments without further explanation is potentially misleading to external stakeholders, including Congress and the public. According to federal standards for internal control, effective communications should occur in a broad sense with information flowing down, across, and up the organization.[Footnote 53] Management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals. By not disclosing more information in its IPERA reporting about total known improper payments, DOE does not allow readers, including congressional and public stakeholders, to fully understand what the total known improper payments amount represents and the extent to which this improper payments total could potentially be more pervasive. Conclusions: Recognizing the importance of assessing the risks of improper payments, DOE issued new guidance in 2014 to address payment processes involving non-M&O contractors, to clarify the way payment sites address risk factors, and to consider inherent risks of improper payments due to the nature of the agency's programs/operations. These are positive steps, but further efforts could help to more fully assess DOE's risk of improper payments and make more effective use of DOE and contractor resources. Specifically, DOE's 2014 guidance directs DOE field sites to consider the payment processes of the non-M&O contractors they oversee when completing required risk assessments. However, the guidance does not specify that those sites should address the eight risk factors as they relate to the non-M&O sites. 
We found that risk assessments for non-M&O payment sites were not always conducted in fiscal year 2011. Without directing in its guidance that sites address the eight risk factors as they relate to the non-M&O contractor risk assessments, the sites cannot fully assess the risk of improper payments, and DOE cannot fully understand its risks for improper payments and take corrective actions to mitigate such risks in the future. In addition, DOE's 2014 guidance directs payment sites to include a brief explanation for each risk factor supporting the risk rating. However, the 2014 guidance does not specify how payment sites should address each factor and what supporting documentation to include as the basis for their risk rating determinations, which is inconsistent with federal standards for internal control. Without clarifying in guidance how payment sites are to address the eight risk factors and document the basis for their risk rating determinations, DOE cannot be assured that its personnel have a consistent understanding of how to complete risk assessments. In addition, the 2014 guidance does not clarify who at DOE is responsible for reviewing and approving risk assessments for consistency. Without clarifying in guidance who at DOE is responsible for reviewing and approving risk assessments consistent with federal standards for internal control, DOE may not have reasonable assurance that the assessments are receiving the same level of oversight at each site. Furthermore, DOE's 2014 guidance directs payment sites to consider an additional, ninth risk factor on inherent risks, in its risk assessments beyond the previous eight risk factors that need to be considered to be consistent with federal standards for internal controls and GAO's executive guide. 
However, it is unclear how DOE's guidance will be implemented by the department's payment sites because the guidance does not provide specific examples of potential inherent risks for improper payments--such as untimely contract audits or inadequate subcontractor oversight--that all payment sites should consider, and this is not consistent with GAO's executive guide. Without providing specific examples in guidance of other risk factors that present inherent risks likely to contribute to improper payments and directing payment sites to consider those other factors when performing their improper payment risk assessments, DOE will not have reasonable assurance that its payment sites consistently consider other relevant risk factors. Finally, DOE annually reports the amount of its total known improper payments and cites this amount as a key reason why its programs and the department as a whole are low risk. However, this amount provides limited insight on the extent of improper payments and is potentially misleading. By disclosing additional information in its IPERA reporting, DOE could better position readers, including congressional and public stakeholders, to fully understand what the total known improper payments amount represents and the extent to which improper payments could potentially be more pervasive. 
Recommendations for Executive Action: To help improve its ability to assess the risk of improper payments and make more effective use of DOE and contractor resources, we recommend the Secretary of Energy direct the department's Chief Financial Officer to take the following four actions to revise the department's IPERA guidance: * direct field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites and take steps to ensure sites implement it; * clarify how payment sites are to address risk factors and document the basis for their risk rating determinations and take steps to ensure sites implement it; * clarify who is responsible at DOE for reviewing and approving risk assessments for consistency across sites and take steps to ensure those entities implement it; and: * provide specific examples of other risk factors that present inherent risks likely to contribute to significant improper payments, in addition to the eight risk factors, direct payment sites to consider those when performing their improper payment risk assessments, and take steps to ensure sites implement it. To provide better transparency regarding its total known improper payments reported under IPERA, we recommend the Secretary of Energy direct the department's Chief Financial Officer to improve public reporting on the amount of total known improper payments by disclosing additional information regarding this amount and the extent to which improper payments could be occurring. Agency Comments and Our Evaluation: We provided a draft of this report to DOE for comment. In its initial comments, DOE had concerns with our recommendation to disclose more information on its total known improper payments number included in its Agency Financial Report. In reviewing DOE's initial comments, it was clear there was a misunderstanding about the intent of the recommendation. 
Subsequently, we discussed the recommendation with DOE officials, clarified our intent, and modified the recommendation to ensure that DOE discloses information on the extent of improper payments that could be occurring. In its final comments, reproduced in appendix II, DOE concurred with all five of our recommendations. DOE also provided technical comments that were incorporated, as appropriate. We are sending copies of this report to the appropriate congressional committees, the Secretary of the Department of Energy, and other interested parties. In addition, the report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-3841 or trimbled@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix III. Signed by: David C. Trimble: Director, Natural Resources and Environment: [End of section] Appendix I: Objective, Scope, and Methodology: This report examines the extent to which the Department of Energy (DOE) assesses its programs' risks for improper payments. To determine this, we reviewed the Improper Payments Elimination and Recovery Act of 2010 (IPERA).[Footnote 54] For additional context, we also reviewed the Improper Payments Information Act of 2002[Footnote 55] and the Improper Payments Elimination and Recovery Improvement Act of 2012. [Footnote 56] We examined the Office of Management and Budget's (OMB) and DOE's IPERA guidance. 
We reviewed relevant effective practices for conducting risk assessments as described in our executive guide on strategies for managing improper payments.[Footnote 57] Given the relevance and stated importance of DOE's Cooperative Audit Strategy, we analyzed the strategy and related documents, including the DOE Office of Inspector General (IG) Audit Manual, the DOE Financial Management Handbook, contractor incurred cost audits, and IG reviews of those audits. We interviewed key officials with the DOE headquarters Office of the Chief Financial Officer (CFO). Specifically, we met with officials from the Office of Financial Control and Reporting within the Office of the CFO, which carries out DOE's efforts to comply with IPERA by issuing guidance and consolidating and reporting information annually in DOE's Agency Financial Report. We discussed DOE's process for implementing IPERA, including how payment site risk assessments were reviewed and approved by DOE and how headquarters conducted risk assessments on the grant and loan programs. We interviewed IG officials to discuss their role in overseeing DOE's IPERA implementation and DOE's strategy to oversee the auditing of its contractors' incurred costs. We reviewed the IG's fiscal year 2011, 2012, and 2013 IPERA compliance audits, including how they were conducted and their findings, conclusions, and recommendations. We determined that these reports were sufficiently reliable for the purposes of using them to support our results. For fiscal years 2011 through 2013, we analyzed DOE's IPERA reporting, including qualitative risk assessments and quantitative information. We chose to review fiscal years 2011 through 2013 because those were the years subject to IPERA requirements for which we had available documentation. 
We reviewed each risk assessment to determine if it (1) contained narrative responses specifically taking into account the eight factors; (2) provided a basis for the risk determination; and (3) if it was a DOE field office, whether it specifically addressed the eight risk factors with regard to any non-M&O contractors they oversee. We also determined if the risk assessment documented consideration of evaluations conducted pursuant to OMB Circular A-123.[Footnote 58] To assess the reliability of financial data used in DOE's payment site risk assessments, we compared the figures reported in all payment site risk assessments associated with known improper payments and outlays with the aggregated figures contained in DOE's Fiscal Year 2011 Agency Financial Report. Where applicable and appropriate, we also compared the figures reported in payment site risk assessments with the back-up documentation provided by various specific DOE payment sites (or "programs"). We assessed the reliability of financial data used in DOE's payment site risk assessments. To gain additional context related to documenting these analyses, we also reviewed our Standards for Internal Control in the Federal Government.[Footnote 59] We visited two DOE field CFOs in Oak Ridge, Tennessee, and Albuquerque, New Mexico, and met with officials from DOE's Oak Ridge Financial Service Center. We chose these two locations because they oversee IPERA reporting for M&O and non-M&O contracts that accounted for about 28 percent of DOE's IPERA reported outlays in fiscal year 2013. In addition, we selected the Oak Ridge Financial Service Center to visit because it handles all payments made to non-M&O contracts. DOE's 11 field CFOs, in cooperation with site-located contracting officers, oversee contractor and other activities in the field and assist DOE headquarters in carrying out IPERA. We discussed how DOE payment sites were implementing IPERA and how payment site risk assessments were reviewed by DOE. 
During these trips, we also met with six contractor site locations overseen by these field CFOs. These six contractor locations include the following: * East Tennessee Technology Park; * Los Alamos National Laboratory; * Oak Ridge Associated Universities; * Oak Ridge National Laboratory; * Sandia National Laboratory; and: * Y-12 National Security Complex. We chose to visit these payment sites because they represent a cross section of the types of contractor payments made at DOE and because they accounted for about 38 percent of DOE's total outlays in fiscal year 2013. At each payment site, we met with contractor CFO and internal audit officials, as well as the cognizant DOE contracting officer. During our meetings, we obtained perspectives from over 70 DOE and contractor officials involved with IPERA reporting, including those that had prepared or reviewed improper payment risk assessments. We also discussed the guidance and direction provided by DOE to payment sites in implementing IPERA, as well as consistency across DOE payment sites in preparing risk assessments. We reviewed prior GAO and IG reports that identified deficiencies in DOE internal controls, such as subcontract audits and annual incurred cost audits, including how they were conducted and their findings, conclusions, and recommendations. We also reviewed the IG's fiscal year 2011, 2012, and 2013 IPERA compliance audits, including how they were conducted and their findings, conclusions, and recommendations. We interviewed IG officials to discuss their prior reports and their role in overseeing DOE's IPERA implementation and DOE's strategy to oversee the auditing of its contractors' incurred costs. We determined that these reports were sufficiently reliable for the purposes of using them to support our results. [End of section] Appendix II: Comments from the Department of Energy: Department of Energy: Washington, DC 20585: December 17, 2014: Mr. 
David Trimble: Director: Natural Resources and Environment: Government Accountability Office: Washington, DC 20458: Dear Mr. Trimble: Thank you for the opportunity to review the Government Accountability Office's (GAO) draft report entitled Improper Payments: DOE's Risk Assessments Should Be Strengthened, GAO-15-36. We are pleased that GAO recognizes the improvements the Department of Energy (DOE) made in the Improper Payments Elimination and Recovery Act (IPERA) program since FY 2011 as indicated by the fact that all program payment sites submitted risk assessment ratings in FY 2013 and 2014 and by the expanded and strengthened reporting requirements in the DOE FY 2014 IPERA risk assessment guidance. We concur with the recommendations and will implement them in FY 2015. DOE will enhance its FY 2015 guidance for federal payment reporting sites and will include additional disclosures for prior-year improper payments that are not required to be reported under current IPERA guidance. Please note that DOE complies with Office of Management and Budget and IPERA improper payment reporting requirements. Our responses to each recommendation and other technical and general comments are provided in the enclosure. If you have any questions or would like to discuss, please contact me at 202-586-4171. Sincerely, Signed by: Alison L. Doone: Deputy Chief Financial Officer: Enclosure: Response to Report Recommendations: Recommendation 1: Direct field office sites with responsibility for non-M&O contractor risk assessments to address risk factors as they relate to those sites and take steps to ensure the sites implement it. Management Response: DOE concurs with this recommendation. The DOE FY 2014 IPERA guidance instructed federal payment reporting sites to consider non-M&O contractor risk factors as they related to their sites. 
DOE will enhance its FY 2015 guidance by providing instructions for federal payment reporting sites to clearly identify in risk assessments the consideration of risks related to non-M&O contractors. Recommendation 2: Clarify how payment sites are to address risk factors and document the basis for this risk rating determination and take steps to ensure the sites implement it. Management Response: DOE concurs with this recommendation. DOE will include this recommendation in the FY 2015 IPERA guidance. Recommendation 3: Clarify who is responsible at DOE for reviewing and approving risk assessments for consistency across sites and take steps to ensure those entities implement it. Management Response: DOE concurs with this recommendation. DOE will include this recommendation in the FY 2015 IPERA guidance. Recommendation 4: Provide specific examples of other risk factors that present inherent risks likely to contribute to significant improper payments in addition to the eight risk factors and direct payment sites to consider those when performing their improper payment risk assessment and take steps to ensure the sites implement it. Management Response: DOE concurs with this recommendation. DOE will include this recommendation in the FY 2015 IPERA guidance. Recommendation 5: To provide better transparency regarding its total known improper payments reported under IPERA, we recommend the Secretary of Energy direct the department's Chief Financial Officer to improve public reporting on the amount of known improper payments by disclosing additional information regarding this amount and the extent to which improper payments could be occurring. Management Response: DOE concurs with this recommendation. DOE will include additional disclosures for prior-year improper payments that are not required to be reported under current IPERA guidance. [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: David C. 
Trimble, (202) 512-3841 or trimbled@gao.gov: Staff Acknowledgments: In addition to the individual named above, Diane LoFaro (Assistant Director), Cheryl Arvidson, Vaughn Baltzly, Mark Braza, Mark Keenan, Jason Kirwan, Phillip McIntyre, Jeanette Soares, Kiki Theodoropoulos, Nicholas Weeks, and William Woods made key contributions to this report. [End of section] Footnotes: [1] Improper payments include overpayments and underpayments and any payment to an ineligible recipient, any payment for an ineligible service, any duplicate payment, payments for services not received, and any payment that does not account for credit for applicable discounts. The Office of Management and Budget (OMB) has also instructed agencies to report as improper any payment whose correctness cannot be determined due to lacking or insufficient documentation. [2] See [hyperlink, http://www.paymentaccuracy.gov]. [3] IPIA, Pub. L. No. 107-300 (Nov. 26, 2002), as amended by IPERA, Pub. L. No. 111-204 (July 22, 2010), and codified as amended at 31 U.S.C. § 3321 note. This report refers to both IPIA, as amended, and the portions of IPERA that do not amend IPIA as "IPERA." IPIA and IPERA were further amended in January 2013 by the Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA), Pub. L. No. 112-248 (Jan. 10, 2013). Most of the significant changes made by IPERIA are either outside the scope of this report or had yet to be implemented at the time of our review. [4] IPIA established the requirement that agencies review annually all programs and activities they administer and identify those which may be susceptible to significant improper payments--that is, to develop risk assessments--starting in fiscal year 2004 but did not specify risk factors agencies were to consider in developing their assessments. 
Moreover, OMB's implementing guidance requires agencies to reassess a program's risk during the next annual cycle, even if it is less than 3 years from the last risk assessment, if a program experiences a significant change in legislation and/or a significant increase in funding. [5] IPERIA amended IPERA to apply this threshold for significant improper payments beginning in fiscal year 2014. However, OMB guidance had already instructed agencies to use this standard beginning in fiscal year 2013. Prior to that point, the threshold was 2.5 percent of program payments and $10 million, or $100 million regardless of the percentage. [6] GAO, Contract Audits: Role in Helping Ensure Effective Oversight and Reducing Improper Payments, [hyperlink, http://www.gao.gov/products/GAO-11-331T] (Washington, D.C.: Feb. 1, 2011). [7] GAO, High Risk: Letter to Congressional Committees Identifying GAO's Original High Risk Areas, [hyperlink, http://www.gao.gov/products/GAO/OCG-90-1] (Washington, D.C.: Jan. 23, 1990). [8] The National Nuclear Security Administration is a semiautonomous agency within DOE and is the entity tasked with managing the nation's nuclear security programs. [9] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: Feb. 14, 2013). Together, the National Nuclear Security Administration and the Office of Environmental Management accounted for almost 65 percent of DOE's fiscal year 2012 discretionary funding of more than $26 billion. In 2013, we further narrowed the focus of DOE's high-risk designation to major contracts and projects, those with values of at least $750 million, to acknowledge progress made in managing smaller value efforts. [10] GAO, Strategies to Manage Improper Payments: Learning From Public and Private Sector Organizations, [hyperlink, http://www.gao.gov/products/GAO-02-69G] (Washington, D.C.: October 2001). 
This executive guide is intended to identify effective practices and provide case illustrations and other information for federal agencies' consideration when developing strategies and planning and implementing actions to manage improper payments in their programs. In producing this guide, we contacted a number of private and public sector organizations, which we identified primarily through extensive research on financial management practices, and obtained information on actions that they took and considered effective in reducing improper payments. [11] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [12] We selected these two locations because they oversee IPERA reporting for different types of contracts that accounted for about 28 percent of DOE's IPERA reported outlays in fiscal year 2013, among other reasons. In addition, we selected the Oak Ridge Financial Service Center because it handles all federal payments. [13] When we refer to spending in this context, we mean obligations incurred during the fiscal year. An obligation is a definite commitment that creates a legal liability of the government for the payment of goods and services ordered or received, or a legal duty on the part of the United States that could mature into a legal liability by virtue of actions on the part of the other party beyond the control of the United States. Payment may be made immediately or in the future. An agency incurs an obligation, for example, when it places an order, signs a contract, awards a grant, purchases a service, or takes other actions that require the government to make payments to the public or from one government account to another. GAO, A Glossary of Terms Used in the Federal Budget Process, [hyperlink, http://www.gao.gov/products/GAO-05-734SP] (Washington, D.C.: September 2005). 
[14] M&O contracts are agreements under which the government contracts for the operation, maintenance, or support, on its behalf, of a government-owned or -controlled research, development, special production, or testing establishment wholly or principally devoted to one or more of the major programs of the contracting federal agency. Federal Acquisition Regulation, 48 C.F.R. § 17.601. [15] It is the policy of DOE to finance M&O contracts through advance payments and the use of special financial institution accounts--under which checks written by the contractor one day are covered by the federal government overnight. [16] The source of the $2.4 billion in DOE spending for fiscal year 2013 is [hyperlink, http://www.usaspending.gov]. [17] The Federal Energy Regulatory Commission is an independent federal agency, officially organized as part of DOE, and the principal agency that regulates the electricity industry. The Power Marketing Administrations--Bonneville, Western Area, Southeastern, and Southwestern--generally sell electricity generated by other federal agencies in wholesale markets mostly to publicly and cooperatively owned utilities that, in turn, sell the electricity to retail consumers. [18] GAO, Contract Management: Extent of Federal Spending under Cost-Reimbursement Contracts Unclear and Key Controls Not Always Used, [hyperlink, http://www.gao.gov/products/GAO-09-921] (Washington, D.C.: Sept. 30, 2009). [19] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [20] Defense Contract Audit Agency, Contract Audit Manual, 6-102. The Defense Contract Audit Agency provides audit and financial advisory services to the Department of Defense and other federal entities responsible for acquisition and contract administration such as DOE. [21] [hyperlink, http://www.gao.gov/products/GAO-11-331T]. [22] DOE implemented the Cooperative Audit Strategy in 1992. [23] The IG is the cognizant audit party for DOE's M&O contractors. 
[24] Department of Energy, Department of Energy Acquisition Regulation Acquisition Letter: Management and Operating Contractors' Audit Coverage of Cost-reimbursement Subcontracts, No. AL 2014-01 (Washington, D.C.: Oct. 16, 2013). According to this policy, M&O contractors provide adequate audit coverage of cost-type subcontracts by ensuring they adopt a documented approach for conducting audits with a reasonable threshold for selecting subcontracts and perform or obtain audits that meet the requirements of the Institute of Internal Auditors standards. [25] Department of Energy Acquisition Guide, Chapter 42, Audit Requirement for Non-M&O Contracts, July 2013. [26] Federal Acquisition Regulation, 48 C.F.R. subpart 42.8. [27] Federal Acquisition Regulation, 48 C.F.R. § 42.801(a). [28] For the period covered by our audit, the applicable OMB guidance was Memorandum No. M-11-16, Issuance of Revised Parts I and II to Appendix C of OMB Circular A-123 (Apr. 14, 2011). OMB has since issued updated guidance, applicable beginning with fiscal year 2014 reporting. OMB, Memorandum No. M-15-02, Appendix C to Circular No. A-123, Requirements for Effective Estimation and Remediation of Improper Payments (Oct. 20, 2014). [29] OMB's updated guidance directs agencies to consider a ninth risk factor: the inherent risk of improper payments due to the nature of the agency's programs or operations. DOE issued its internal guidance in July 2014, which includes this ninth risk factor. [30] [hyperlink, http://www.gao.gov/products/GAO-02-69G]. [31] Recovery audits were not required under IPIA, but were required under the Recovery Auditing Act. Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec. 28, 2001), formerly codified at 31 U.S.C. §§ 3561-3567, repealed by IPERA § 2(h)(6) (repeal retained only 31 U.S.C. 
§ 3562(a)). Specifically, agencies were required to carry out a cost-effective program of recovery audits to identify errors in paying contractors and recover improper payments to them, if they entered into contracts with a total value that exceeded $500 million in a fiscal year. IPERA generally repealed the Recovery Auditing Act, expanded the scope for recovery audits beyond commercial payments to include all programs and activities, and lowered the threshold of annual outlays requiring agencies to conduct recovery audits--from $500 million in annual agency contracting to $1 million in annual program expenditures. [32] IPERA requires IGs to submit their reports to the heads of their agencies; the Committee on Homeland Security and Governmental Affairs of the United States Senate; the Committee on Oversight and Governmental Reform of the House of Representatives; and the Comptroller General. [33] This criterion is included in OMB's guidance but not in IPERA. [34] Department of Energy Office of Inspector General, Performance Audit of the Department of Energy's Improper Payment Reporting in the Fiscal Year 2011 Agency Financial Report, OAS-FS-12-07 (Washington, D.C.: Mar. 15, 2012). [35] For the purposes of IPERA reporting, the information on improper payments and outlays in DOE's Agency Financial Report is for the previous fiscal year. Therefore, the improper payments and outlays reported in DOE's Fiscal Year 2011 Agency Financial Report were made and identified in fiscal year 2010. [36] As we said earlier, IPERA required risk assessments for all federal programs and activities in fiscal year 2011 and at least once every 3 years thereafter for programs and activities deemed not risk susceptible. [37] According to DOE officials, the Oak Ridge Office and the Oak Ridge Financial Service Center are the same payment site. However, DOE's fiscal year 2011 guidance lists these as separate payment sites, and we are, therefore, reporting them separately. 
[38] One cognizant DOE field office, the Office of River Protection, completed risk assessments for three non-M&O payment sites.

[39] Since 2005, the Oak Ridge Financial Service Center in the Oak Ridge Office has served as the payment center for processing all vendor and miscellaneous disbursements made by DOE, including payments to non-M&O contractors upon receipt of an invoice.

[40] Department of Energy Office of Inspector General, OAS-FS-12-07. The IG found that the most common sampling methodologies observed were: (1) sites did not perform statistical sampling; (2) in lieu of sampling the population, sites reported actual improper payments based on alternative methodologies for identifying improper payments; (3) sites reported a combination of statistical sampling and actual improper payments identified via alternative testing methodologies; and (4) sites performed statistical sampling, but not in accordance with the DOE issued guidance.

[41] The Federal Financing Bank is a government corporation, created by statute in 1973, under the general supervision of the Secretary of the Treasury. The bank was established to centralize and reduce the cost of federal borrowing, as well as federally assisted borrowing from the public.

[42] To conduct our analysis, we reviewed all of the risk assessments submitted to DOE by its payment sites. We determined whether the risk assessment took into account the eight risk factors. We also identified examples where it was not clear how the payment site arrived at its risk determination. Given that DOE did not define how sites should interpret each of the eight risk factors, our analysis required some judgments. We chose to make a conservative assessment and generally determined that sites had taken into account the eight factors if we determined that the assessment mentioned the eight factors or included language relevant to the eight risk factors. See appendix I for more details on how we conducted this analysis.
[43] [hyperlink, http://www.gao.gov/products/GAO-11-331T].

[44] U.S. Department of Energy Office of Inspector General, Special Report: Management and Operating Contractors' Subcontract Audit Coverage, DOE/IG-0885 (Washington, D.C.: Apr. 17, 2013). As discussed previously, M&O contractors are contractually obligated to provide adequate audit coverage of cost-reimbursement-type subcontracts.

[45] In December 2012, we found that DCAA had a backlog of approximately 25,000 incurred cost audits as of the end of fiscal year 2011, some dating as far back as 1996. GAO, Defense Contracting: DOD Initiative to Address Audit Backlog Shows Promise, but Additional Management Attention Needed to Close Aging Contracts, [hyperlink, http://www.gao.gov/products/GAO-13-131] (Washington, D.C.: Dec. 18, 2012).

[46] OMB Circular No. A-123, OMB's guidance implementing the law commonly known as the Federal Managers' Financial Integrity Act, 31 U.S.C. § 3512(c), (d), requires, among other things, that agencies and individual federal managers take systematic and proactive measures to develop and implement appropriate, cost-effective internal control for results-oriented management and assess the adequacy of internal control in federal programs and operations.

[47] [hyperlink, http://www.gao.gov/products/GAO-02-69G].

[48] As noted above, this revision has since been issued in final form as OMB Memorandum No. M-15-02.

[49] DOE guidance lists the following categories through which improper payments are identified: (1) postpayment review, (2) payment recapture audits, (3) IG audits/reviews, (4) self-reported overpayments, (5) reports from the public, (6) contract close-out reviews, (7) single audit reports, (8) grant close-out reviews, (9) DCAA contract audits, and (10) other monitoring activities/reviews.

[50] IPERA and OMB guidance do not generally require agencies to report their total known improper payments.
For payment recapture purposes, IPERA and OMB guidance require that agencies report on the amounts of overpayments recovered, outstanding, and determined to not be collectible, including the percent such amounts represent of the total overpayments of the agency.

[51] For the purposes of IPERA reporting, the information on improper payments and outlays in DOE's Agency Financial Report is for the previous fiscal year. Therefore, the improper payments and outlays reported in DOE's Fiscal Year 2013 Agency Financial Report were made and identified in fiscal year 2012.

[52] U.S. Department of Energy Office of Inspector General, Semi-Annual Report to Congress: October 1, 2011 through March 31, 2012, DOE/IG-0062 (Washington, D.C.: Apr. 26, 2012) and U.S. Department of Energy Office of Inspector General, Semi-Annual Report to Congress: April 1, 2012 through September 30, 2012, DOE/IG-0063 (Washington, D.C.: Oct. 26, 2012).

[53] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[54] Pub. L. No. 111-204 (July 22, 2010).

[55] Pub. L. No. 107-300 (Nov. 26, 2002).

[56] Pub. L. No. 112-248 (Jan. 10, 2013). Collectively, all three of these laws have been codified, as amended, as a note to section 3321 of Title 31, United States Code.

[57] [hyperlink, http://www.gao.gov/products/GAO-02-69G].

[58] OMB Circular No. A-123, OMB's guidance implementing the law commonly known as the Federal Managers' Financial Integrity Act, 31 U.S.C. § 3512(c), (d), requires, among other things, that agencies and individual federal managers take systematic and proactive measures to develop and implement appropriate, cost-effective internal control for results-oriented management and assess the adequacy of internal control in federal programs and operations.

[59] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[End of section]

[End of document]