Telecommunications:

FCC Should Assess the Design of the E-rate Program's Internal Control Structure

GAO-10-908: Published: Sep 29, 2010. Publicly Released: Oct 29, 2010.

Additional Materials:

Contact:

Mark L. Goldstein
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Service Support Mechanism--commonly known as the "E-rate" program--has been a significant federal source of technology funding for schools and libraries. FCC designated the Universal Service Administrative Company (USAC) to administer the program. As requested, GAO examined the system of internal controls in place to safeguard E-rate program resources. This report discusses (1) the internal controls FCC and USAC have established and (2) whether the design of E-rate's internal control structure appropriately considers program risks. GAO reviewed the program's key internal controls, risk assessments, and policies and procedures; assessed the design of the internal control structure against federal standards for internal control; and interviewed FCC and USAC officials.

FCC and USAC have established many internal controls for the E-rate program's core processes: (1) processing applications and making funding commitment decisions, (2) processing invoices requesting reimbursement, and (3) monitoring the effectiveness of internal controls though audits of schools and libraries that receive E-rate funding (beneficiaries). E-rate's internal control structure centers around USAC's complex, multilayered application review process. USAC has expanded the program's internal control structure over time to address the program's complexity and to address risks as they became apparent. In addition, USAC has contracted with independent public accountants to audit beneficiaries to identify and report beneficiary noncompliance with program rules. The design of E-rate's internal control structure may not appropriately consider program risks. GAO found, for example, that USAC's application review process incorporates a number of different types and levels of reviews, but that it was not clear whether this design was effectively and efficiently targeting resources to risks. Similarly, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources are appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it has never conducted a robust risk assessment of the E-rate program's core processes, although it has conducted risk assessments for other purposes, such as financial reporting. A risk assessment involving a critical examination of the entire E-rate program could help determine whether modifications to business practices and the internal control structure are needed to appropriately address the risks identified and better align program resources to risks. The internal control structure--once assessed and possibly adjusted on the basis of the results of a robust risk assessment--should then be periodically monitored to ensure that the control structure does not evolve in a way that fails to appropriately align resources to risks. The results of beneficiary audits are used to identify and report on E-rate compliance issues, but GAO found that the information gathered from the audits has not been effectively used to assess and modify the E-rate program's internal controls. As a result, the same rule violations have been repeated each year for which beneficiary audits have been completed. For example, of 64 beneficiaries that had been audited more than once over a 3-year period, GAO found that 36 had repeat audit findings of the same rule violation. GAO found that the current beneficiary audit process lacks documented and approved policies and procedures. Without such policies and procedures, management may not have the assurance that control activities are appropriate and properly applied. Documented and approved policies and procedures could contribute positively to a systematic process for considering beneficiary audit findings when assessing the E-rate program's internal controls and in identifying opportunities to modify existing controls. GAO recommends that FCC conduct a robust risk assessment of the E-rate program, conduct a thorough examination of the overall design of E-rate's internal control structure, implement a systematic process to assess internal controls that appropriately considers beneficiary audit findings, and establish procedures to periodically monitor controls. FCC agreed with GAO's recommendations.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should develop policies and procedures to periodically monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should, based on the findings of the risk assessment, conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should conduct a robust risk assessment of the E-rate program.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Apr 23, 2014

    Mar 10, 2014

    Jan 6, 2014

    May 23, 2013

    May 22, 2013

    May 21, 2013

    Apr 24, 2013

    Apr 18, 2013

    Feb 28, 2013

    Feb 22, 2013

    Looking for more? Browse all our products here