Most Selected Agencies Improved Procedures to Help Ensure Risk Assessments of All Programs and Activities
GAO-18-36: Published: Nov 16, 2017. Publicly Released: Nov 16, 2017.
What GAO Found
GAO's review of the 24 Chief Financial Officers Act of 1990 (CFO Act) agencies' fiscal years 2014 through 2016 agency financial reports (AFR) and performance and accountability reports (PAR) found that these agencies generally adhered to the Office of Management and Budget's (OMB) improper payment risk assessment reporting directives. However, GAO found instances of nonadherence, including the following:
There were two instances of nonadherence to OMB's directive for agencies to report the basis for how they grouped programs and activities, both of which occurred in fiscal year 2014. All agencies that completed risk assessments adhered to this directive for fiscal years 2015 and 2016.
The Improper Payments Information Act of 2002, as amended, identifies seven risk factors and OMB guidance includes two additional risk factors that agencies are to consider when conducting risk assessments. For fiscal years 2015 and 2016 reporting, OMB directed agencies to report the risk factors considered in their risk assessments. However, GAO found six agencies that did not report one or more of the nine risk factors in their AFRs or PARs.
OMB's revised guidance for fiscal year 2017 no longer directs agencies to report on their risk assessments. OMB staff stated that their primary motivation for removing such reporting was to reduce the administrative burden. After GAO notified OMB of the importance of certain data, OMB staff plan to direct agencies to provide additional data, including a listing of risk assessed programs and activities, on www.paymentaccuracy.gov for reporting beginning in fiscal year 2017. OMB staff also plan to revise the guidance for fiscal year 2018 for agencies to report the other risk assessment information in their AFRs or PARs.
GAO also found that three of the nine selected agencies (the Departments of Energy and Justice and the U.S. Agency for International Development) that it reviewed had designed and documented control activities to help ensure that all programs and activities were assessed every 3 years. For the remaining six agencies, GAO found that the agencies did not properly design control activities for this purpose. Specifically, GAO found the following:
Three agencies—the Department of Commerce, the National Science Foundation, and the Nuclear Regulatory Commission—did not have documented procedures for conducting risk assessments during fiscal years 2014 through 2016 but subsequently documented them.
Three agencies—the Departments of the Interior (Interior) and State (State) and the National Aeronautics and Space Administration (NASA)—documented procedures for conducting risk assessments but did not include all programs and activities in their risk assessments. Interior later drafted revisions to its procedures and State updated its procedures to include them.
Without properly designed and documented control activities, there is a risk that an agency may not identify all programs and activities that require a risk assessment, which could result in the agency failing to develop and report improper payment estimates for programs and activities that should have been identified as susceptible to significant improper payments.
Why GAO Did This Study
Reported improper payment estimates totaled over $1.2 trillion government-wide from fiscal years 2003 through 2016. Agencies are statutorily required to perform improper payment risk assessments to identify programs and activities that may be susceptible to significant improper payments and are required to report an improper payment estimate for ones that are susceptible to significant improper payments.
GAO was asked to review federal agencies' improper payment risk assessments. This report examines the extent to which (1) the 24 CFO Act agencies followed OMB guidance for reporting on improper payment risk assessments and (2) selected CFO Act agencies properly designed control activities to include all of their programs and activities in an improper payment risk assessment at least once every 3 years, as statutorily required. GAO analyzed the 24 CFO Act agencies' AFRs and PARs and reviewed the procedures at 9 selected agencies. GAO selected 9 agencies that did not report improper payment estimates in fiscal year 2015, except for those estimates that were mandated to be reported pursuant to the Disaster Relief Appropriations Act, 2013. For this review, GAO did not evaluate the quality of improper payment risk assessments completed.
What GAO Recommends
GAO recommends that NASA revise its procedures to help ensure that all programs and activities are assessed for susceptibility to significant improper payments at least once every 3 years. NASA concurred with the recommendation.
For more information, contact Beryl H. Davis at (202) 512-2623 or firstname.lastname@example.org.
Recommendation for Executive Action
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Administrator of NASA should take steps to revise the agency's procedures for conducting improper payment risk assessments to include the activities of its Office of Inspector General in its risk assessment process to help ensure that all programs and activities are assessed for susceptibility to significant improper payments at least once every 3 years as required by the Improper Payments Information Act of 2002. (Recommendation 1)
Agency Affected: National Aeronautics and Space Administration