Recommendation: ODCFO should update the CAP template provided in its guidance to assist components in developing CAPs to include the year deficiencies are first identified data element defined in the Implementation Guide for OMB Circular A-123. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ODCFO should update the NFR Database with a field to record the year deficiencies are first identified. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ODCFO should incorporate appropriate steps to improve its CAP review process, including ensuring that (1) data elements not included in CAPs are appropriately identified and communicated to components and resolved, (2) NFRs are appropriately linked to the correct CAPs to address them, and (3) components document their rationale for accepting the risk associated with certain deficiencies and appropriately identify such instances in the NFR Database. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ODCFO should update DOD guidance to instruct DOD and components to document root-cause analysis when needed to address deficiencies auditors identified. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: ODCFO should include appropriate steps in its monthly NFR Database review process to evaluate and follow-up on previously identified exceptions to ensure that they are resolved timely. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should ensure that state Medicaid programs have written policies and procedures that specify the extent to which covered entities can use 340B drugs for Medicaid beneficiaries, are designed to effectively identify if 340B drugs were used, and if so, how they should be excluded from Medicaid rebate requests. The policies and procedures should be made publically available and cover FFS, managed care, and all of the dispensing methods for outpatient drugs. (Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: HHS concurred with this recommendation and in August 2020 stated that it is developing guidance to state Medicaid programs directing them to strengthen policies and procedures related to 340B drugs for Medicaid beneficiaries.

Recommendation: The Administrator of HRSA should incorporate assessments of covered entities' compliance with state Medicaid programs' policies and procedures regarding the use and identification of 340B drugs into its audit process, working with CMS as needed to obtain states' policies and procedures. (Recommendation 2)

Agency: Department of Health and Human Services: Public Health Service: Health Resources and Services Administration
Status: Open

Comments: HHS did not concur with this recommendation and, as of August 2020, did not plan to take any actions to implement the recommendation. As noted in our report, covered entities' compliance with state Medicaid programs' policies and procedures is fundamental to preventing duplicate discounts. Thus, we continue to believe that HRSA's audit process should include an assessment of covered entities' compliance with state Medicaid programs' policies and procedures related to 340B drugs as it is necessary to identify potential duplicate discounts and to ensure covered entities' compliance with 340B Program requirements.

Recommendation: The Administrator of HRSA should require covered entities to work with affected drug manufacturers regarding repayment of identified duplicate discounts in Medicaid managed care. (Recommendation 3)

Agency: Department of Health and Human Services: Public Health Service: Health Resources and Services Administration
Status: Open

Comments: HHS did not concur with this recommendation and, as of August 2020, did not plan to take any actions to implement the recommendation. As noted in our report, HRSA officials told us that covered entities' obligations for preventing duplicate discounts are the same for Medicaid fee-for-service and managed care. Thus, we continue to believe that when duplicate discounts related to Medicaid managed care have been identified, the agency should require covered entities to work with manufacturers to remedy them as they do for duplicate discounts related to Medicaid fee-for-service to help ensure compliance with 340B Program requirements.

Recommendation: The Administrator of HRSA should ensure that the information it uses to verify nonprofit status for all nongovernmental hospitals that participate in the 340B Program is reliable—for example, by requiring and reviewing the submission of official documentation hospitals must already maintain or by ensuring the reliability of the data the agency uses. (Recommendation 1)

Agency: Department of Health and Human Services: Public Health Service: Health Resources and Services Administration
Status: Open

Comments: HHS concurred with this recommendation and in June 2020, reiterated that HRSA believes that the information it uses to determine nonprofit status is reliable, because hospital administrators attest to its accuracy. However, as discussed in our report, neither HRSA nor the agency that collects the data has evaluated the reliability of the data for verifying nonprofit status. Without ensuring it is using reliable information, HRSA cannot effectively determine if nongovernmental hospitals participating, or seeking to participate, in the 340B Program meet the statutory eligibility requirements.

Recommendation: The Administrator of HRSA should implement a process to verify that every nongovernmental hospital that participates in the 340B Program has a contract with a state or local government as required by statute. (Recommendation 2)

Agency: Department of Health and Human Services: Public Health Service: Health Resources and Services Administration
Status: Open

Comments: HHS did not concur with this recommendation and, as of June 2, 2020, did not plan to take any actions to implement the recommendation. HHS noted that requiring all covered entities to submit a state or local government contract would create a significant burden for covered entities. However, as we noted in our report, HRSA already requires hospitals to maintain copies of their state or local government contracts. Therefore, it is unclear how implementing a process to verify the existence of those contracts would represent a significant burden. Without this information, HRSA does not have reasonable assurance that nongovernmental hospitals have the statutorily required contracts to participate in the 340B Program.

Recommendation: The Administrator of HRSA should provide more specific guidance for 340B Program auditors on how to determine if nongovernmental hospitals' contracts with state and local governments require the provision of health care services to low-income individuals not eligible for Medicaid or Medicare. (Recommendation 4)

Agency: Department of Health and Human Services: Public Health Service: Health Resources and Services Administration
Status: Open

Comments: HHS concurred with this recommendation and in June 2020, indicated that HRSA had updated its audit guidance and procedures to more clearly specify that contracts must contain requirements for the provision of health care services to low-income individuals. However, these documents do not contain any specific guidance on how auditors are to evaluate whether contracts require these services. Without more specific guidance for auditors' review of contracts, HRSA lacks reasonable assurance that the audits are appropriately identifying deficiencies in nongovernmental hospitals' contracts with state or local governments.

Recommendation: The Administrator of HRSA should require nongovernmental hospitals participating in the 340B Program to demonstrate that they have contracts with state or local governments in effect prior to the beginning of their audits' periods of review and should apply consistent and appropriate consequences for hospitals that are unable to do so. (Recommendation 6)

Agency: Department of Health and Human Services: Public Health Service: Health Resources and Services Administration
Status: Open

Comments: HHS concurred with this recommendation. As noted in our report, HRSA updated its draft audit procedures for fiscal year 2020 audits in September 2019 to specify that auditors should look for effective dates that cover the entire audit period. While this is an important step, HRSA must also show that it has ceased accepting retroactive contract documentation, and has applied consistent and appropriate consequences when auditors find that nongovernmental hospitals did not have contracts in effect prior to the beginning of their audit periods. As of June 2020, HHS indicated that HRSA had not taken these actions. Allowing hospitals that are unable to demonstrate that they have contracts in place that cover their audits' periods of review to continue to participate without consequences undermines the effectiveness of HRSA's audit process and increases the risk that ineligible hospitals will receive discounts under the program.

Recommendation: We recommend that the Director, DCMA, in collaboration with the Director, DCAA, develop a mechanism to monitor and assess whether contractor business systems reviews are being completed in a timely manner. (Recommendation 1)

Agency: Department of Defense: Defense Contract Management Agency
Status: Open

Comments: DCMA concurred with our recommendation and the department notified us in March 2019 that collaboration between DCMA and DCAA to develop a mechanism to increase oversight and improve management of contractor business system audits and determinations had begun. In September 2019, DCMA and DCAA provided lists of the business system reviews planned to be conducted during fiscal year 2020, showing that the data needed for oversight of all CBS reviews is available between the two agencies. Further, an April 2019 DCMA memorandum indicated that DCAA data on planned reviews for fiscal years 2019 and 2020 had been transferred to DCMA and that administrate contracting officers were to conduct risk assessments to identify additional reviews for DCAA to complete in the future. In August 2020, DCMA and DCAA specified the sources of the data provided earlier; DCAA data is collected through its strategic workload and resource initiative and inputted into the DCAA Management Information System while DCMA business system review data continues to be maintained by the functional offices responsible for those reviews. Both agencies stated that progress against planned reviews is tracked and status is reported to management at regular intervals. DCMA also noted a series of new tools designed to enhance surveillance of contractor business systems and implementation of corrective actions. These steps indicate progress towards increased insight into both the completion CBS review and the follow-up that occurs afterward. However It remains unclear to what extent data sharing between DCAA and DCMA to support CBS review planning has been formalized and will continue or the extent to which DCMA headquarters uses this data to assess implementation of its policies for the conduct of CBS reviews.

Recommendation: To further ensure that the new campaigns under LB&I's new approach for addressing tax compliance are implemented successfully, the Commissioner should document lessons learned from stakeholder input and past performance.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of February 2020, IRS officials said LB&I has developed and deployed the Campaign Development Form and the LB&I Taxpayer Registry to capture stakeholder input and feedback. The form documents all actions and a decision made on a particular campaign and is used to monitor real-time performance. While this will help IRS document lessons learned moving forward, IRS officials have not said how they would document lessons learned in the past.

Recommendation: The Commissioner of Internal Revenue should track the results of large partnerships audits: (a) define a large partnership based on asset size and number of partners; (b) revise the activity codes to align with the large partnership definition; and (c) separately account for field audits and campus audits.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS has taken actions to implement GAO's September 2014 recommendation, but the definition IRS provided is not likely to help it analyze results from audits of the very large partnerships that GAO's report covered. In September 2017, IRS defined large partnerships as those with assets of $10 million or more, without regard to the number of partners. With changes to the Tax Equity and Fiscal Responsibility Act of 1982 partnership audit procedures and enactment of the Bipartisan Budget Act of 2015 (BBA) (sections 1101 and 1102 of Public Law 114-74), IRS officials said that the number of partners is no longer a critical factor when defining a large partnership. IRS is correct that the number of partners is no longer relevant to this statutory definition of large partnership. The recently eliminated Electing Large Partnerships audit procedures had defined large partnerships as those with 100 or more direct partners in a taxable year. Even so, IRS's new definition of large partnerships is limited compared to large corporations. IRS has defined eight asset categories for tracking large corporation audit results while it has one for large partnerships, which vary widely based on asset amounts and complex structures. As GAO reported, during tax years 2002 through 2011, the number of large partnerships with 100 or more direct and indirect partners as well as $100 million or more in assets more than tripled to 10,099, some of which had assets exceeding $5 billion. In tax year 2011, more than two-thirds of these large partnerships had at least 100 or more pass-through entities as direct and indirect partners. Until IRS develops a more expansive definition of large partnerships, IRS may have challenges analyzing the results from its audits of large partnerships. As of January 2020, IRS had revised its activity codes to create a category for its large partnership definition as well as created a reporting and monitoring structure for its new definition to track the results from auditing large partnerships. IRS also created reports to regularly track audit results (e.g., dollar amounts, hours, number of returns, campus versus field locations) for this one category. IRS officials said they plan to use the reports to analyze audit results to identify opportunities to better plan and use resources in auditing large partnerships but this outcome may not be possible with the statutory changes governing partnerships. Given the challenges involving such audits, IRS officials said they have started efforts to better select partnership returns for audits based on compliance risk. They said these efforts will extend at least through fiscal year 2021. Thus, IRS does not yet know whether the audit results will be sufficient to analyze ways to better plan and use IRS audit resources as well as to analyze noncompliance risk for its new definition. IRS's analysis may not be able to achieve these ends with only one asset category to cover the wide range of asset amounts above $10 million.

Recommendation: The Commissioner of Internal Revenue should analyze the audit results by these activity codes and types of audits to identify opportunities to better plan and use IRS resources in auditing large partnerships.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, IRS created a reporting and monitoring structure for its new large partnership definition to track the results from auditing large partnerships. IRS also created reports to regularly track audit results (e.g., dollar amounts, hours, number of returns, campus versus field locations) for this one category. IRS officials said they plan to use the reports to analyze audit results to identify opportunities to better plan and use resources in auditing large partnerships but this outcome may not be possible with the statutory changes governing partnerships. Thus, IRS does not yet know whether the audit results will be sufficient to analyze ways to better plan and use IRS audit resources as well as to analyze noncompliance risk for its new definition. IRS's analysis may not be able to achieve these ends with only one asset category to cover the wide range of asset amounts above $10 million. Given these and other challenges involving such audits, IRS officials said they have started efforts to better select partnership returns for audits based on compliance risk. They said these efforts will extend at least through fiscal year 2021.

Recommendation: In order to improve NMB's planning and make the most effective use of its limited resources, the Chairman of the National Mediation Board should develop and fully implement key components of an information security program in accordance with the Federal Information Security Management Act of 2002.

Agency: National Mediation Board
Status: Open

Comments: In February 2020, we determined that NMB had taken some steps to further implement key information security practices, but had not fully implemented this recommendation. We reported in GAO-20-236 that NMB continued to only partially follow the eight key information security practices in accordance with the Federal Information Security Management Act (FISMA). NMB must take other steps, such as providing risk assessment documentation of its enterprise network for fiscal year 2019. NMB officials stated that the agency plans to address several of these practices by the end of fiscal year 2020. They further noted that they hired a Chief Information Officer and planned to hire additional staff and employ contractors to aid in these efforts.

Recommendation: In order to improve NMB's planning and make the most effective use of its limited resources, the Chairman of the National Mediation Board should establish a privacy program that includes conducting privacy impact assessments and issuing system of record notices for systems that contain personally identifiable information.

Agency: National Mediation Board
Status: Open

Comments: In February 2020, we reported in GAO-20-236 that NMB had taken some steps to implement information privacy practices, such as designating a privacy officer. However, NMB must take additional steps, such as specifying whether a system of records notice would be developed, as required by the Office of Management and Budget.

Recommendation: To improve transparency of and accountability for Medicaid non-DSH supplemental payments, Congress should consider requiring the Administrator of CMS to (1) improve state reporting of non-DSH supplemental payments, including requiring annual reporting of payments made to individual facilities and other information that the agency determines is necessary to oversee non-DSH supplemental payments; (2) clarify permissible methods for calculating non-DSH supplemental payments; and (3) require states to submit an annual independent certified audit verifying state compliance with permissible methods for calculating non-DSH supplemental payments.

Agency: Congress
Status: Open

Comments: No legislation enacted as of February 2020. However, CMS has taken some administrative actions, which are underway, to improve its oversight of non-DSH supplemental payments. In November 2019, CMS issued a proposed rule that the agency said would promote state accountability, improve federal oversight, and strengthen fiscal integrity of the Medicaid program. Among other things, the proposed rule would require states to report on non-DSH supplemental payments on a facility-specific basis, as well as specify data sources, data standards, and acceptable methods for demonstrating compliance for non-DSH supplemental payment calculations. GAO plans to continue to monitor congressional action and the status of the proposed rule, as well as review a final rule, if one is issued, to determine the extent to which they improve state reporting of non-DSH supplemental payments, clarify permissible methods for calculating non-DSH supplemental payments, and require audits to verify that states use permissible methods to calculate non-DSH supplemental payments.