From the U.S. Government Accountability Office, www.gao.gov Transcript for: Comptroller General Testifies to U.S. Senate on GAO's 2015 High Risk List Description: In his February 11, 2015, testimony to the U.S. Senate, Comptroller General Gene Dodaro provides an update of GAO's 2015 High Risk List. Related GAO Work: GAO-15-290: High-Risk Series: An Update; GAO-15-371T: GAO's 2015: High-Risk Series: An Update; and GAO-15-373T: GAO's 2015: High-Risk Series: An Update Released: February 2015 [First Screen] [Silence] Committee on Homeland Security and Governmental Affairs, U.S. Senate [Second Screen] [Silence] Updating GAO's High Risk List [Third Screen] [Silence] Comptroller General Gene Dodaro's Opening Statement February 11, 2015 [Chairman:] It is the tradition of this committee to swear in witnesses. So Mr. Dodaro and any other GAO employee that might assist in the testimony, please rise. Raise your right hand. Do you swear the testimony you will give before this committee will be the truth, the whole truth, and nothing but the truth, so help you God? [GAO employees:] I do, yes. [Chairman:] Please be seated. Mr. Dodaro. [Gene Dodaro:] Thank you very much, Mr. Chairman. Good morning to you, ranking member Senator Carper and members of the committee. I'm very pleased to be here today to discuss the update to GAO's high-risk list. We provide this update with the beginning of each new Congress to help the Congress set its priorities for oversight and to help the administration focus on some of the areas that we consider to be of highest risk for either fraud, waste, abuse, or mismanagement, or in need of broad-base transformation across the government. This year we're reporting solid, steady progress in the vast majority of the high-risk areas that we've had on the list to date. We are also providing ratings for the first time against each high-risk area's status in getting off the list. In order to get off the list, you need to meet five criteria: You need to have top leadership commitment; you need to have the capacity, the resources, and the people with the right skills to get off the list; you have to have a good corrective action plan that goes to the root cause of the problems; you have to have a monitoring effort with interim milestones and metrics to make sure you're making progress; and then you have to demonstrate that you're actually beginning to fix the problem. You don't have to have 100 percent fixed in order to get off the list, but you have to have tangible progress that you're on the right path and you're actually fixing the problem. Now, of the 30 areas that were on the list based on our last update, 18 of those areas have at least partially met each of the five criteria for coming off the list; 11 of those areas have fully met at least one or more of the criteria, partially met the others. So there is good, steady progress as we report. In two areas, we report enough progress that we're actually narrowing the scope of the high-risk area. First, in FDA's oversight of medical devices in the areas of recalls, we were concerned that they weren't consistently applying recall criteria -- actually ensuring that the recalls were effective -- and did not analyze recall data over time to identify potential trends that warranted some alerts to the industry. They are now doing that. They have analyzed 10 years of data; they are ensuring greater consistency in having recalls; they're documenting the effective nature of the recalls that have occurred; and also we have seen progress in their ability to process new device requests. In the past, they were slow to implement legislation that provided a dual-track process where certain devices that were similar to those on the market could go to an expedited review, but those that were really truly new had to go through a more stringent criteria. They were slow to implement the act, they have now corrected that, and they're on track to implement the legislation by this year. So those areas are being deemphasized. They still have issues in ensuring the adequacy and the safety of medical products and devices in a global marketplace. Right now 80 percent of the active ingredients for prescription drugs, 40 percent of finished drugs, and about half medical devices come from about 150 countries around the world. And so that we've encouraged them to move from an oversight process focused on overseeing domestic production to overseeing what's now a global marketplace for drugs and devices, and also to focus on drug storages. They still have work to do in that area, and that's something of concern. And these are life-sustaining and life-critical drugs that are of concern. We've also seen enough progress in the contract management area of DOD to warrant narrowing that area, particularly as it relates to contracting tools and techniques. This is to ensure that they don't use undefinitized contracts and time and materials contracts, which are more risky to the government but they ensure more competition. They have -- excuse me -- better oversight over that process now, but the remaining areas they need to fix are service acquisitions. They have to ensure they have an acquisition workforce commensurate with the challenges associated with that, and they have to make improvements in operational contracting where they're using contracting to support military operations in the theatre. We've also noted improvements in the Department of Homeland Security management functions. That area has been on the list for a number of years. We're very pleased with the leadership commitment of that department, the secretary, deputy secretary, undersecretary for management. And they have a very good corrective action plan and they're starting to make progress. They've received clean opinions on their financial statements for 2 years in a row right now. And -- but there are other areas that they need to fix. They fixed about 9 of the 30 areas that we've identified and they've agreed need to be fixed. So they have to fix the remaining 21 areas, but they have a good plan. They just need to execute the plan over a period of time, particularly in the acquisition area and some remaining areas in financial management, particularly on internal controls. Now, we are adding two new areas. First is VA's provision of healthcare services to our veterans. We've been very concerned about this area and really have five sort of overarching themes of concern. One is ambiguous policies and inconsistent processes over time. The fact that they have inadequate oversight and accountability mechanisms; they have information technology challenges that they have to solve; there's inadequate training of VA staff; and unclear resource needs and allocation processes. And I can talk more about this in Q&A session. Congress has passed legislation providing them with additional money -- $15 billion -- but the legislation has to be implemented effectively. And as Senator Johnson has mentioned, you know, we have over 100 recommendations that we've made to the VA that have not yet been fully implemented, and they need to do so. The other area new that we're adding is IT acquisitions and operations. The report that we're providing today outlines a litany of failed IT modernizations in the government where, after hundreds of million dollars of dollars -- and in some cases billions of dollars -- have been spent, but the effort has been terminated or failed. There's even a longer list of areas that have cost overruns, schedule slippages, or provide less functionality than initially intended, thereby not really improving operations in the agencies that much. Congress passed some legislation late last year -- the Federal Information Technology Reform Act -- that gives CIO's additional authorities and puts in place, in statute, a number of good practices that we've had identified but has to be implemented effectively. Typically we've found these areas -- that they lack discipline in requirements management and project management to actually manage IT acquisitions effectively. We also talk about operations. $58 billion of the $80 billion that's spent each year on operations and support of legacy systems that we believe may not be needed, may be duplicative, and may no longer be performing as efficiently and effectively as possible, particularly given opportunities in the marketplace to get IT services at less cost. In this area over the last five years alone, we've made 737 recommendations and only 23 percent have been fully implemented. So, again, Congress has made efforts in VA and IT, but the efforts need to be monitored. Congressional oversight is imperative, in my opinion, and the agencies need to make reforms. We're expanding two areas. One is in tax administration. We had been focused on the tax gap, which the annual latest estimate is $385 billion between taxes owed and taxes paid. But identity theft has become a growing problem, so we're adding that to the list. IRS was successful in stopping about $24 billion last year, but they missed on their estimate about $5.8 billion in fraud. We have some potential areas to remedy the situation and recommendations for the Congress and the IRS that we can talk about in the Q&A session. Last area is cybersecurity. We initially designated computer security across the entire federal government. It's the first time we ever did it across federal government in 1997. We added critical infrastructure protection, because most of the private sector has the computer assets--most of the assets are in the private sector, in 2003. But now we're adding privacy as this issue as more personally-identifiable information's being collected. The number of incidents at the federal government level involving inadequate controls over IT--controls over the personally-identifiable information--has more than doubled. In the last 5 years, there have been a lot of high-profile incidents in the private sector as well. Privacy law was passed in 1974. We believe it needs to be updated to provide greater controls, and we can talk about our recommendations. In closing, I'd like to recognize that the progress that we did note in many of the areas was due to the Congress taking action, passing legislation -- five bills alone in cybersecurity area, but more is needed as we've talked about in that area. Top leaders in the agencies and OMB have been focused on this area. I have regular meetings with OMB Deputy for Management, Beth Cobert, and top officials in the agencies to discuss the high-risk areas and what needs to be done specifically to get off the list and to make continued progress. I appreciate the opportunity to be here today to discuss this further and look forward to working with this committee. Fixing these high-risk problems has the potential to save billions of dollars, improve services to the public, and enhance trust and confidence in the federal government's activities. So thank you very much for the opportunity to be here. I'd be happy to answer questions. [Last Screen] [Silence] GAO logo www.gao.gov/highrisk