Telecommunications:

FCC Should Assess the Design of the E-rate Program's Internal Control Structure

GAO-10-908: Published: Sep 29, 2010. Publicly Released: Oct 29, 2010.

Additional Materials:

Contact:

Mark L. Goldstein
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Service Support Mechanism--commonly known as the "E-rate" program--has been a significant federal source of technology funding for schools and libraries. FCC designated the Universal Service Administrative Company (USAC) to administer the program. As requested, GAO examined the system of internal controls in place to safeguard E-rate program resources. This report discusses (1) the internal controls FCC and USAC have established and (2) whether the design of E-rate's internal control structure appropriately considers program risks. GAO reviewed the program's key internal controls, risk assessments, and policies and procedures; assessed the design of the internal control structure against federal standards for internal control; and interviewed FCC and USAC officials.

FCC and USAC have established many internal controls for the E-rate program's core processes: (1) processing applications and making funding commitment decisions, (2) processing invoices requesting reimbursement, and (3) monitoring the effectiveness of internal controls though audits of schools and libraries that receive E-rate funding (beneficiaries). E-rate's internal control structure centers around USAC's complex, multilayered application review process. USAC has expanded the program's internal control structure over time to address the program's complexity and to address risks as they became apparent. In addition, USAC has contracted with independent public accountants to audit beneficiaries to identify and report beneficiary noncompliance with program rules. The design of E-rate's internal control structure may not appropriately consider program risks. GAO found, for example, that USAC's application review process incorporates a number of different types and levels of reviews, but that it was not clear whether this design was effectively and efficiently targeting resources to risks. Similarly, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources are appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it has never conducted a robust risk assessment of the E-rate program's core processes, although it has conducted risk assessments for other purposes, such as financial reporting. A risk assessment involving a critical examination of the entire E-rate program could help determine whether modifications to business practices and the internal control structure are needed to appropriately address the risks identified and better align program resources to risks. The internal control structure--once assessed and possibly adjusted on the basis of the results of a robust risk assessment--should then be periodically monitored to ensure that the control structure does not evolve in a way that fails to appropriately align resources to risks. The results of beneficiary audits are used to identify and report on E-rate compliance issues, but GAO found that the information gathered from the audits has not been effectively used to assess and modify the E-rate program's internal controls. As a result, the same rule violations have been repeated each year for which beneficiary audits have been completed. For example, of 64 beneficiaries that had been audited more than once over a 3-year period, GAO found that 36 had repeat audit findings of the same rule violation. GAO found that the current beneficiary audit process lacks documented and approved policies and procedures. Without such policies and procedures, management may not have the assurance that control activities are appropriate and properly applied. Documented and approved policies and procedures could contribute positively to a systematic process for considering beneficiary audit findings when assessing the E-rate program's internal controls and in identifying opportunities to modify existing controls. GAO recommends that FCC conduct a robust risk assessment of the E-rate program, conduct a thorough examination of the overall design of E-rate's internal control structure, implement a systematic process to assess internal controls that appropriately considers beneficiary audit findings, and establish procedures to periodically monitor controls. FCC agreed with GAO's recommendations.

Recommendations for Executive Action

  1. Status: Open

    Comments: In April 2014, FCC approved USAC's hiring of a contractor to conduct a risk assessment of the E-rate program. FCC plans to implement this recommendation after the risk assessment is completed and the results of the risk assessment can be used to inform the examination of the internal control structure.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should, based on the findings of the risk assessment, conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed.

    Agency Affected: Federal Communications Commission

  2. Status: Open

    Comments: In April 2014, FCC approved the hiring of a contractor to conduct a risk assessment of the E-rate program. In July 2014, an FCC official said that the agency planning to take action on this recommendation before the risk assessment is completed.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures.

    Agency Affected: Federal Communications Commission

  3. Status: Open

    Comments: In April 2014, FCC approved the hiring of a contractor to conduct a risk assessment of the E-rate program. In July 2014, an FCC official said that the agency planning to take action on this recommendation before the risk assessment is completed.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should develop policies and procedures to periodically monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed.

    Agency Affected: Federal Communications Commission

  4. Status: Closed - Implemented

    Comments: In 2010, we found that the Federal Communications Commission (FCC) had taken steps to revise the E-rate program's internal controls to address problems they had identified as well as concerns raised by external auditors and others. However, we found that FCC's actions regarding internal controls generally tended to be reactive rather than proactive, and that FCC had not conducted a robust risk assessment of the E-rate program's design and core activities and functions. We found the E-rate program's internal control structure to be a product of accretion and not clearly targeted to reasonably and effectively address programmatic risks. Therefore, we recommended that FCC conduct a robust risk assessment of the E-rate program. In response, in 2012, the Universal Service Administrative Company (USAC), the not-for-profit program administrator of E-rate put out a Solicitation for Bids for a firm to conduct a risk assessment of the E-rate program. On April 29, 2014, FCC approved USAC's request to contract with Ernst & Young to conduct the E-rate risk assessment. In June 2014, we were informed by an FCC official that USAC had awarded the contract to Ernst & Young. As a result of this risk assessment being conducted, FCC and USAC will better understand how to appropriately balance their resources to better target program risks and best ensure that the program fulfills its goals of providing technology funding to schools and libraries across the country. Because the administrative costs of the E-rate program come out of the E-rate funding available for schools and libraries, a well-designed internal controls structure will help ensure that internal controls are not using more resources than necessary and, therefore, not reducing the amount of funding available to program beneficiaries

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should conduct a robust risk assessment of the E-rate program.

    Agency Affected: Federal Communications Commission

 

Explore the full database of GAO's Open Recommendations »

Dec 2, 2014

Sep 17, 2014

Jul 22, 2014

Jun 23, 2014

Apr 23, 2014

Mar 10, 2014

Jan 6, 2014

May 23, 2013

May 22, 2013

May 21, 2013

Looking for more? Browse all our products here