Skip to Highlights
Highlights

Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Service Support Mechanism--commonly known as the "E-rate" program--has been a significant federal source of technology funding for schools and libraries. FCC designated the Universal Service Administrative Company (USAC) to administer the program. As requested, GAO examined the system of internal controls in place to safeguard E-rate program resources. This report discusses (1) the internal controls FCC and USAC have established and (2) whether the design of E-rate's internal control structure appropriately considers program risks. GAO reviewed the program's key internal controls, risk assessments, and policies and procedures; assessed the design of the internal control structure against federal standards for internal control; and interviewed FCC and USAC officials.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Communications Commission 1. To improve internal controls over the E-rate program, the Federal Communications Commission should, based on the findings of the risk assessment, conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed.
Closed - Implemented
Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Support Mechanism, known as the E-rate program, has been a significant federal source of technology funding for schools and libraries. The Universal Service Administration Company (USAC) is the administrator of the E-rate program. In 2010, GAO found the design of the E-rate program's internal control structure may not appropriately consider program risks. For example, USAC's application review process incorporates multiple types and levels of reviews, but it was not clear whether this design was effectively and efficiently targeting resources to risks. In addition, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources were appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it had never conducted a robust risk assessment of the E-rate program's core processes. Without an overall risk assessment, FCC and USAC might not know how to appropriately balance their resources to better target risks and best ensure that the program fulfills its overall goal of providing technology funding to schools and libraries. Therefore, GAO recommended that FCC use the findings of a risk assessment of the E-rate program to conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed. In 2017, we confirmed that, in response to our recommendation, and after having hired a contractor to conduct a robust risk assessment of the E-rate program, FCC worked with USAC to consider the findings of the risk assessment and examine the overall design of E-rate's internal control structure. Their examination of the risk assessment resulted in the USAC Corrective Action Plan for Schools & Libraries Risk Assessment, which specifies steps to improve internal controls. Recommended program changes include, for example, that USAC provide more robust, step-by-step training materials on its website for both applicants and service providers to use; that USAC maintain a relatively fixed E-rate application window that is the same year to year; that USAC and FCC create a clear and standalone escalation procedures document to allow E-rate application reviewers to escalate questions or inquiries about complex eligibility or cost allocation decisions; and that USAC and its subcontractors create a robust and strategic succession planning program to prepare the next level of review managers. The Corrective Action Plan lists over a hundred recommended actions and links them to specific tasks or larger efforts to implement them, such as a Business Process Reengineering effort being conducted by a consulting firm contractor for USAC. As a result of this examination of the E-rate program's internal control structure, FCC should be able to make changes to the overall design of the E-rate program's internal control structure that will allow it to better target and address program risks.
Federal Communications Commission 2. To improve internal controls over the E-rate program, the Federal Communications Commission should implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures.
Closed - Implemented
Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Services Support Mechanism, known as the E-rate program, has been a significant federal source of technology funding for schools and libraries. In 2010, GAO determined that FCC and the Universal Service Administration Company (USAC) (the program administrator) had used the results of beneficiary audits to identify and report beneficiary noncompliance with E-rate program rules. However, we found that FCC and USAC had not effectively used the information gained from beneficiary audits to assess and modify the E-rate program's internal controls. For example, although FCC and USAC had taken actions to address audit findings, the same rule violations, such as reimbursements for ineligible services or for services at higher rates than authorized, were repeated in each funding year in which audits were completed. Furthermore, FCC and USAC had not analyzed the findings from beneficiary audits to determine whether corrective actions implemented by beneficiaries in response to previous audits were effective. GAO determined that a systematic approach to considering the results of beneficiary audits could help identify opportunities for improving internal controls. Therefore, GAO recommended that FCC implement a systematic approach to assess internal controls that appropriately considers the results of beneficiary audits and that is supported by a documented and approved set of policies and procedures. In 2017, GAO confirmed that, in response to our recommendation, FCC and USAC developed policies and procedures for a systematic approach for assessing internal controls by considering the results of beneficiary audits. In response to GAO's recommendation, USAC stated that the primary focus of audits had been on the correction of individual findings and that less attention had been placed on understanding the cause of repeat findings or implementing actions to prevent the cause from occurring across all beneficiaries. USAC therefore instituted a process for conducting an annual analysis of the cause of audit findings. That process has evolved over time as USAC decided to combine the root cause analysis with a similar initiative by its Internal Audit Division . The two efforts were merged into one continuous, cross-functional process starting toward the end of 2015 and moving into 2016. By July 2016, USAC had developed a common audit findings and corrective action plans for all of the Universal Service Fund programs, including the E-rate program. Although the process has evolved, USAC has continued to follow audit finding analysis procedures and report on its findings, for example, submitting reports to FCC in 2015, 2016, and 2017. As a result of the institution of these analysis procedures, FCC has a documented process in place for effectively using the information gained from beneficiary audits to assess and modify the E-rate program's internal controls.
Federal Communications Commission 3. To improve internal controls over the E-rate program, the Federal Communications Commission should develop policies and procedures to periodically monitor the internal control structure of the E-rate program, including evaluating the costs and benefits of internal controls, to provide continued reasonable assurance that program risks are targeted and addressed.
Closed - Implemented
Since 1998, the Federal Communications Commission's (FCC) Schools and Libraries Universal Support Mechanism, known as the E-rate program, has been a significant federal source of technology funding for schools and libraries. The Universal Service Administration Company (USAC) is the administrator of the E-rate program. In 2010, GAO found the design of the E-rate program's internal control structure may not appropriately consider program risks. For example, USAC's application review process incorporates multiple types and levels of reviews, but it was not clear whether this design was effectively and efficiently targeting resources to risks. In addition, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources were appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it had never conducted a robust risk assessment of the E-rate program's core processes. Without an overall risk assessment, FCC and USAC might not know how to appropriately balance their resources to better target risks and best ensure that the program fulfills its overall goal of providing technology funding to schools and libraries. Therefore, GAO recommended that FCC use the findings of a risk assessment of the E-rate program to conduct a thorough examination of the overall design of E-rate's internal control structure to ensure that the procedures and administrative resources related to internal controls are aligned to provide reasonable assurance that program risks are appropriately targeted and addressed. In 2017, we confirmed that, in response to our recommendation, and after having hired a contractor to conduct a robust risk assessment of the E-rate program, FCC worked with USAC to consider the findings of the risk assessment and examine the overall design of E-rate's internal control structure. Their examination of the risk assessment resulted in the USAC Corrective Action Plan for Schools & Libraries Risk Assessment, which specifies steps to improve internal controls. Recommended program changes include, for example, that USAC provide more robust, step-by-step training materials on its website for both applicants and service providers to use; that USAC maintain a relatively fixed E-rate application window that is the same year to year; that USAC and FCC create a clear and standalone escalation procedures document to allow E-rate application reviewers to escalate questions or inquiries about complex eligibility or cost allocation decisions; and that USAC and its subcontractors create a robust and strategic succession planning program to prepare the next level of review managers. The Corrective Action Plan lists over a hundred recommended actions and links them to specific tasks or larger efforts to implement them, such as a Business Process Reengineering effort being conducted by a consulting firm contractor for USAC. As a result of this examination of the E-rate program's internal control structure, FCC should be able to make changes to the overall design of the E-rate program's internal control structure that will allow it to better target and address program risks.
Federal Communications Commission 4. To improve internal controls over the E-rate program, the Federal Communications Commission should conduct a robust risk assessment of the E-rate program.
Closed - Implemented
In 2010, we found that the Federal Communications Commission (FCC) had taken steps to revise the E-rate program's internal controls to address problems they had identified as well as concerns raised by external auditors and others. However, we found that FCC's actions regarding internal controls generally tended to be reactive rather than proactive, and that FCC had not conducted a robust risk assessment of the E-rate program's design and core activities and functions. We found the E-rate program's internal control structure to be a product of accretion and not clearly targeted to reasonably and effectively address programmatic risks. Therefore, we recommended that FCC conduct a robust risk assessment of the E-rate program. In response, in 2012, the Universal Service Administrative Company (USAC), the not-for-profit program administrator of E-rate put out a Solicitation for Bids for a firm to conduct a risk assessment of the E-rate program. On April 29, 2014, FCC approved USAC's request to contract with Ernst & Young to conduct the E-rate risk assessment. In June 2014, we were informed by an FCC official that USAC had awarded the contract to Ernst & Young. As a result of this risk assessment being conducted, FCC and USAC will better understand how to appropriately balance their resources to better target program risks and best ensure that the program fulfills its goals of providing technology funding to schools and libraries across the country. Because the administrative costs of the E-rate program come out of the E-rate funding available for schools and libraries, a well-designed internal controls structure will help ensure that internal controls are not using more resources than necessary and, therefore, not reducing the amount of funding available to program beneficiaries

Full Report