Telecommunications:

FCC Should Assess the Design of the E-rate Program's Internal Control Structure

GAO-10-908: Published: Sep 29, 2010. Publicly Released: Oct 29, 2010.

Additional Materials:

Contact:

Mark L. Goldstein
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Service Support Mechanism--commonly known as the "E-rate" program--has been a significant federal source of technology funding for schools and libraries. FCC designated the Universal Service Administrative Company (USAC) to administer the program. As requested, GAO examined the system of internal controls in place to safeguard E-rate program resources. This report discusses (1) the internal controls FCC and USAC have established and (2) whether the design of E-rate's internal control structure appropriately considers program risks. GAO reviewed the program's key internal controls, risk assessments, and policies and procedures; assessed the design of the internal control structure against federal standards for internal control; and interviewed FCC and USAC officials.

FCC and USAC have established many internal controls for the E-rate program's core processes: (1) processing applications and making funding commitment decisions, (2) processing invoices requesting reimbursement, and (3) monitoring the effectiveness of internal controls though audits of schools and libraries that receive E-rate funding (beneficiaries). E-rate's internal control structure centers around USAC's complex, multilayered application review process. USAC has expanded the program's internal control structure over time to address the program's complexity and to address risks as they became apparent. In addition, USAC has contracted with independent public accountants to audit beneficiaries to identify and report beneficiary noncompliance with program rules. The design of E-rate's internal control structure may not appropriately consider program risks. GAO found, for example, that USAC's application review process incorporates a number of different types and levels of reviews, but that it was not clear whether this design was effectively and efficiently targeting resources to risks. Similarly, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources are appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it has never conducted a robust risk assessment of the E-rate program's core processes, although it has conducted risk assessments for other purposes, such as financial reporting. A risk assessment involving a critical examination of the entire E-rate program could help determine whether modifications to business practices and the internal control structure are needed to appropriately address the risks identified and better align program resources to risks. The internal control structure--once assessed and possibly adjusted on the basis of the results of a robust risk assessment--should then be periodically monitored to ensure that the control structure does not evolve in a way that fails to appropriately align resources to risks. The results of beneficiary audits are used to identify and report on E-rate compliance issues, but GAO found that the information gathered from the audits has not been effectively used to assess and modify the E-rate program's internal controls. As a result, the same rule violations have been repeated each year for which beneficiary audits have been completed. For example, of 64 beneficiaries that had been audited more than once over a 3-year period, GAO found that 36 had repeat audit findings of the same rule violation. GAO found that the current beneficiary audit process lacks documented and approved policies and procedures. Without such policies and procedures, management may not have the assurance that control activities are appropriate and properly applied. Documented and approved policies and procedures could contribute positively to a systematic process for considering beneficiary audit findings when assessing the E-rate program's internal controls and in identifying opportunities to modify existing controls. GAO recommends that FCC conduct a robust risk assessment of the E-rate program, conduct a thorough examination of the overall design of E-rate's internal control structure, implement a systematic process to assess internal controls that appropriately considers beneficiary audit findings, and establish procedures to periodically monitor controls. FCC agreed with GAO's recommendations.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Support Mechanism, known as the E-rate program, has been a significant federal source of technology funding for schools and libraries. The Universal Service Administration Company (USAC) is the administrator of the E-rate program. In 2010, GAO found the design of the E-rate program's internal control structure may not appropriately consider program risks. For example, USAC's application review process incorporates multiple types and levels of reviews, but it was not clear whether this design was effectively and efficiently targeting resources to risks. In addition, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources were appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it had never conducted a robust risk assessment of the E-rate program's core processes. Without an overall risk assessment, FCC and USAC might not know how to appropriately balance their resources to better target risks and best ensure that the program fulfills its overall goal of providing technology funding to schools and libraries. Therefore, GAO recommended that FCC use the findings of a risk assessment of the E-rate program to conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed. In 2017, we confirmed that, in response to our recommendation, and after having hired a contractor to conduct a robust risk assessment of the E-rate program, FCC worked with USAC to consider the findings of the risk assessment and examine the overall design of E-rate's internal control structure. Their examination of the risk assessment resulted in the USAC Corrective Action Plan for Schools & Libraries Risk Assessment, which specifies steps to improve internal controls. Recommended program changes include, for example, that USAC provide more robust, step-by-step training materials on its website for both applicants and service providers to use; that USAC maintain a relatively fixed E-rate application window that is the same year to year; that USAC and FCC create a clear and standalone escalation procedures document to allow E-rate application reviewers to escalate questions or inquiries about complex eligibility or cost allocation decisions; and that USAC and its subcontractors create a robust and strategic succession planning program to prepare the next level of review managers. The Corrective Action Plan lists over a hundred recommended actions and links them to specific tasks or larger efforts to implement them, such as a Business Process Reengineering effort being conducted by a consulting firm contractor for USAC. As a result of this examination of the E-rate program's internal control structure, FCC should be able to make changes to the overall design of the E-rate program's internal control structure that will allow it to better target and address program risks.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should, based on the findings of the risk assessment, conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed.

    Agency Affected: Federal Communications Commission

  2. Status: Closed - Implemented

    Comments: Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Services Support Mechanism, known as the E-rate program, has been a significant federal source of technology funding for schools and libraries. In 2010, GAO determined that FCC and the Universal Service Administration Company (USAC) (the program administrator) had used the results of beneficiary audits to identify and report beneficiary noncompliance with E-rate program rules. However, we found that FCC and USAC had not effectively used the information gained from beneficiary audits to assess and modify the E-rate program's internal controls. For example, although FCC and USAC had taken actions to address audit findings, the same rule violations, such as reimbursements for ineligible services or for services at higher rates than authorized, were repeated in each funding year in which audits were completed. Furthermore, FCC and USAC had not analyzed the findings from beneficiary audits to determine whether corrective actions implemented by beneficiaries in response to previous audits were effective. GAO determined that a systematic approach to considering the results of beneficiary audits could help identify opportunities for improving internal controls. Therefore, GAO recommended that FCC implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures. In 2017, GAO confirmed that, in response to our recommendation, FCC and USAC developed policies and procedures for a systematic approach for assessing internal controls by considering the results of beneficiary audits. In response to GAO's recommendation, USAC stated that the primary focus of audits had been on the correction of individual findings and that less attention had been placed on understanding the cause of repeat findings or implementing actions to prevent the cause from occurring across all beneficiaries. USAC therefore instituted a process for conducting an annual analysis of the cause of audit findings. That process has evolved over time as USAC decided to combine the root cause analysis with a similar initiative by its Internal Audit Division . The two efforts were merged into one continuous, cross-functional process starting toward the end of 2015 and moving into 2016. By July 2016, USAC had developed a common audit findings and corrective action plans for all of the Universal Service Fund programs, including the E-rate program. Although the process has evolved, USAC has continued to follow audit finding analysis procedures and report on its findings, for example, submitting reports to FCC in 2015, 2016, and 2017. As a result of the institution of these analysis procedures, FCC has a documented process in place for effectively using the information gained from beneficiary audits to assess and modify the E-rate program's internal controls.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures.

    Agency Affected: Federal Communications Commission

  3. Status: Closed - Implemented

    Comments: Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Support Mechanism, known as the E-rate program, has been a significant federal source of technology funding for schools and libraries. The Universal Service Administration Company (USAC) is the administrator of the E-rate program. In 2010, GAO found the design of the E-rate program's internal control structure may not appropriately consider program risks. For example, USAC's application review process incorporates multiple types and levels of reviews, but it was not clear whether this design was effectively and efficiently targeting resources to risks. In addition, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources were appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it had never conducted a robust risk assessment of the E-rate program's core processes. Without an overall risk assessment, FCC and USAC might not know how to appropriately balance their resources to better target risks and best ensure that the program fulfills its overall goal of providing technology funding to schools and libraries. Therefore, GAO recommended that FCC use the findings of a risk assessment of the E-rate program to conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed. In 2017, we confirmed that, in response to our recommendation, and after having hired a contractor to conduct a robust risk assessment of the E-rate program, FCC worked with USAC to consider the findings of the risk assessment and examine the overall design of E-rate's internal control structure. Their examination of the risk assessment resulted in the USAC Corrective Action Plan for Schools & Libraries Risk Assessment, which specifies steps to improve internal controls. Recommended program changes include, for example, that USAC provide more robust, step-by-step training materials on its website for both applicants and service providers to use; that USAC maintain a relatively fixed E-rate application window that is the same year to year; that USAC and FCC create a clear and standalone escalation procedures document to allow E-rate application reviewers to escalate questions or inquiries about complex eligibility or cost allocation decisions; and that USAC and its subcontractors create a robust and strategic succession planning program to prepare the next level of review managers. The Corrective Action Plan lists over a hundred recommended actions and links them to specific tasks or larger efforts to implement them, such as a Business Process Reengineering effort being conducted by a consulting firm contractor for USAC. As a result of this examination of the E-rate program's internal control structure, FCC should be able to make changes to the overall design of the E-rate program's internal control structure that will allow it to better target and address program risks.

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should develop policies and procedures to periodically monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed.

    Agency Affected: Federal Communications Commission

  4. Status: Closed - Implemented

    Comments: In 2010, we found that the Federal Communications Commission (FCC) had taken steps to revise the E-rate program's internal controls to address problems they had identified as well as concerns raised by external auditors and others. However, we found that FCC's actions regarding internal controls generally tended to be reactive rather than proactive, and that FCC had not conducted a robust risk assessment of the E-rate program's design and core activities and functions. We found the E-rate program's internal control structure to be a product of accretion and not clearly targeted to reasonably and effectively address programmatic risks. Therefore, we recommended that FCC conduct a robust risk assessment of the E-rate program. In response, in 2012, the Universal Service Administrative Company (USAC), the not-for-profit program administrator of E-rate put out a Solicitation for Bids for a firm to conduct a risk assessment of the E-rate program. On April 29, 2014, FCC approved USAC's request to contract with Ernst & Young to conduct the E-rate risk assessment. In June 2014, we were informed by an FCC official that USAC had awarded the contract to Ernst & Young. As a result of this risk assessment being conducted, FCC and USAC will better understand how to appropriately balance their resources to better target program risks and best ensure that the program fulfills its goals of providing technology funding to schools and libraries across the country. Because the administrative costs of the E-rate program come out of the E-rate funding available for schools and libraries, a well-designed internal controls structure will help ensure that internal controls are not using more resources than necessary and, therefore, not reducing the amount of funding available to program beneficiaries

    Recommendation: To improve internal controls over the E-rate program, the Federal Communications Commission should conduct a robust risk assessment of the E-rate program.

    Agency Affected: Federal Communications Commission

 

Explore the full database of GAO's Open Recommendations »

Sep 18, 2019

Jul 29, 2019

Mar 7, 2019

Feb 13, 2019

Dec 12, 2018

Nov 14, 2018

Oct 3, 2018

Sep 28, 2018

Sep 7, 2018

Jan 9, 2018

Looking for more? Browse all our products here