Recommendation: The Administrator of FEMA should plan and conduct regular fraud risk assessments of PA emergency work grants to determine a fraud risk profile that aligns with leading practices as provided in the Fraud Risk Framework. Specifically, this process should include (1) identifying inherent fraud risks to PA grant funds, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, (4) examining the suitability of existing fraud controls, and (5) documenting the fraud risk profile. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should designate one entity as the lead entity with responsibility for providing oversight of agency-wide efforts to manage fraud risks to PA emergency work grants, including managing the fraud risk assessment process, consistent with leading practices. (Recommendation 2)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should update key training and guidance documents for the PA grant program to include information on where and how to report suspected fraud, and direct PA recipients to include such information in key training and guidance documents they provide to subrecipients. (Recommendation 3)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should update key resources, such as training and guidance documents, FEMA makes available to PA applicants to ensure these resources consistently communicate information on the highest fraud risks to PA emergency work grant funds and applicants' responsibilities for managing those risks. The highest fraud risks may include risks related to procurement and debris removal, and other risks FEMA identifies through fraud risk assessments. (Recommendation 4)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should implement program-specific antifraud training for PA staff who work directly with PA applicants; this training should include information on the highest fraud risks to PA emergency work grants. The highest fraud risks may include risks related to procurement and debris removal, and other risks FEMA identifies through fraud risk assessments. (Recommendation 5)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should direct and coordinate with the Chief Executive Officer of USAC to comprehensively assess fraud risks to the E-rate program, including implementing their respective plans for developing periodic fraud risk assessments, examining the suitability of existing fraud controls, and compiling fraud risk profiles following the timelines described in this report. The assessments should be informed by the key fraud risks identified in this report from closed court cases, prior risk assessments, and OIG reports, among other sources. (Recommendation 1)

Agency: Federal Communications Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should ensure that FCC and USAC follow the leading practices in GAO's Fraud Risk Framework when designing and implementing data-analytics activities to prevent and detect fraud as part of their respective antifraud strategies for the E-rate program. (Recommendation 2)

Agency: Federal Communications Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should direct the Chief Executive Officer of USAC to clearly define and fully document the data fields in all relevant E-rate program computer systems to help improve FCC's ability to understand and use data to manage fraud risks. (Recommendation 3)

Agency: Federal Communications Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should ensure that FCC's Office of Managing Director follows the leading practices in GAO's fraud risk framework related to a dedicated entity's management of its antifraud activities, such as serving as the repository of knowledge on fraud risks and coordinating antifraud initiatives. (Recommendation 1)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that the agency was undertaking further improvements of its fraud risk management program consistent with this recommendation. FCC did not indicate a completion date. We will continue to monitor FCC's progress related to establishing a dedicated antifraud management entity.

Recommendation: The Chairman of FCC should plan regular fraud-risk assessments tailored to the high-cost program and assess these risks to determine the program's fraud risk profile, as provided in GAO's fraud risk framework. (Recommendation 2)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that the agency was working with the Universal Service Administrative Company (USAC), which is the entity responsible for the day-to-day administration of the high-cost program, to implement this recommendation. FCC stated that USAC will conduct a fraud risk assessment of the high-cost program, but did not specify a time-frame for this effort. We will continue to review FCC and USAC's progress toward completing this assessment, and any steps taken to routinize this assessment.

Recommendation: The Chairman of FCC should design and implement an antifraud strategy for the high-cost program with specific control activities, based upon the results of fraud-risk assessments and a corresponding fraud risk profile, as provided in GAO's fraud risk framework. (Recommendation 3)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that the agency was working with the Universal Service Administrative Company (USAC), which is the entity responsible for the day-to-day administration of the high-cost program, to implement this recommendation. FCC reported it will ensure the results of the high-cost program's fraud risk assessment, along with other efforts to implement the GAO fraud risk framework, result in an overall fraud risk strategy. FCC did not indicate a completion date for these efforts, and we will continue to track FCC progress in this area.

Recommendation: The Chairman of FCC should assess the model-based support mechanism to determine the extent to which it produces reliable cost estimates. (Recommendation 4)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that it was considering ways to improve the model-based support mechanism for rate-of-return carriers participating in the high-cost program. FCC did not specify a time-frame for this effort. We will continue to review FCC's efforts related to this recommendation, including FCC efforts, if any, to verify the model's cost estimates.

Recommendation: The Chairman of FCC should consider whether to make use of the model-based support mechanism mandatory depending on the results of the assessment. (Recommendation 5)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that it was considering ways to improve the model-based support mechanism for rate-of-return carriers participating in the high-cost program. FCC indicated that any such improvements may help facilitate the transition of carriers from legacy support mechanisms to the model-based support mechanism. FCC did not provide a time-frame for completion of this effort. We will continue to monitor FCC's progress and efforts in regard to this recommendation.

Recommendation: The Chief Operating Officer of Federal Student Aid should obtain data in order to verify income information for borrowers reporting zero income on IDR applications. For example, Education could pursue access to federal data sources or obtain access to an appropriate private data source. (Recommendation 1)

Agency: Department of Education: Office of Federal Student Aid
Status: Open

Comments: Education generally agreed with this recommendation. Education stated that the President's fiscal year 2020 budget request includes a proposal that Congress pass legislation allowing the IRS to disclose tax return information directly to the department for the purpose of administering certain federal student financial aid programs. According to the agency, such legislation, if enacted, would allow borrowers to more easily certify their income on an annual basis to maintain enrollment in IDR plans, and allow the department to use the information to mitigate improper payments to borrowers as a result of misreported income data. Section 3 of the Fostering Undergraduate Talent by Unlocking Resources for Education Act (FUTURE Act), enacted in December 2019, provided Education with statutory authority to access certain Internal Revenue Service data for the purpose of determining eligibility for IDR plans, among other things (Public Law 116-91). As of August 2020, Education had begun planning for the implementation of the legislation. The Congressional Budget Office estimated that use of this authority to verify eligibility for IDR plans could result in over $2 billion in savings for 2020-2029.

Recommendation: The Chief Operating Officer of Federal Student Aid should implement data analytic practices, such as data matching, and follow-up procedures to review and verify that borrowers reporting zero income on IDR applications do not have sources of taxable income at the time of their application. (Recommendation 2)

Agency: Department of Education: Office of Federal Student Aid
Status: Open

Comments: Education agreed with this recommendation, and from January to March 2020 initiated a pilot program with three of its loan servicers to conduct additional verification of income or family size information on IDR plan applications for a random sample of borrowers each month. When initiated, the pilot focused on IDR borrowers who self-certified that they had no income or who reported certain family sizes. According to Education, selected borrowers would be asked to provide documentation to their servicers to support the income or family size reported on their IDR application. In the event errors were identified, servicers would work with the borrowers to update their applications. If these reviews resulted in changes to a borrower's monthly payment amount, the borrower would be expected to begin paying the new amount within the next 60 days. According to Education, as of the end of March 2020 when the pilot was put on hold, participating servicers selected 48,855 borrowers for verification. The verification pilot was put on hold as it implemented student loan relief for borrowers under the CARES Act in response to the COVID-19 global pandemic (Public Law 116-136). Specifically, on March 27, 2020, the CARES Act was enacted, which suspended student loan payments due, interest accrual, and involuntary collections for Direct and Federal Family Education Loans held by Education through September 30, 2020. According to Education, the Department suspended all IDR recertifications during this period. On August 8, 2020, the President issued a presidential memorandum directing the Secretary of Education to extend this relief to borrowers through December 31, 2020. Education reported that it will weigh options for resuming the pilot against other critical priorities and available resources, noting that its long-term strategy is to fully implement the authorities granted under the FUTURE Act, which provides Education with statutory authority to access certain Internal Revenue Service data for the purpose of determining eligibility for IDR plans, among other things (Public Law 116-91). GAO will continue to monitor Education's actions in this area, and will close the recommendation when Education provides documentation that it has implemented data analytic practices and follow-up procedures to review and verify that borrowers reporting zero income on IDR applications do not have sources of taxable income at the time of their application.

Recommendation: The Chief Operating Officer of Federal Student Aid should implement data analytic practices, such as data mining, and follow-up procedures to review and verify family size entries in IDR borrower applications. For example, Education could review and verify all borrower reports of family size or a subset identified as being most susceptible to fraud or error. (Recommendation 3)

Agency: Department of Education: Office of Federal Student Aid
Status: Open

Comments: Education agreed with this recommendation, and from January to March 2020 established a pilot program with three of its loan servicers to conduct additional verification of income or family size information on IDR plan applications for a random sample of borrowers each month. When initiated, the pilot focused on IDR borrowers who self-certified that they had no income or who reported certain family sizes. According to Education, selected borrowers would be asked to provide documentation to their servicers to support the income or family size reported on their IDR application. Education noted that under the pilot, loan servicers were required to request additional information from borrowers to verify family sizes greater than five; specifically, a statement listing each family member residing with the borrower and for whom the borrower pays at least 51 percent of the support. In the event errors were identified, servicers would work with the borrowers to update their applications. If these reviews resulted in changes to a borrower's monthly payment amount, the borrower would be expected to begin paying the new amount within the next 60 days. According to Education, as of the end of March 2020 when the pilot was put on hold, participating servicers selected 48,855 borrowers for verification. The verification pilot was put on hold as Education implemented student loan relief for borrowers under the CARES Act in response to the COVID-19 global pandemic (Public Law 116-136). Specifically, on March 27, 2020, the CARES Act was enacted, which suspended student loan payments due, interest accrual, and involuntary collections for Direct and Federal Family Education Loans held by Education through September 30, 2020. According to Education, the Department suspended all IDR recertifications during this period. On August 8, 2020, the President issued a presidential memorandum directing the Secretary of Education to extend this relief to borrowers through December 31, 2020. Education reported that it will weigh options for resuming the pilot against other critical priorities and available resources, noting that its long-term strategy is to fully implement the authorities granted under the FUTURE Act, which provides Education with statutory authority to access certain Internal Revenue Service data for the purpose of determining eligibility for IDR plans, among other things (Public Law 116-91). GAO will continue to monitor Education's actions in this area, and will close the recommendation when Education provides documentation that it has implemented data analytic practices and follow-up procedures to review and verify family size entries in IDR borrower applications.

Recommendation: EXIM's chief operating officer should direct EXIM's Credit Review and Compliance Division to assess and document the practicality of incorporating into its preauthorization Character, Reputational, and Transaction Integrity (CRTI) reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants, and, if practical, implement relevant approaches—such as manual searches or batch matching. (Recommendation 1)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In June 2020, we met with EXIM to discuss its efforts to assess the practicality of incorporating into its preauthorization CRTI reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants. Prior to the discussion, EXIM provided some information on its efforts. As part of the June 2020 discussion, we requested that EXIM provide additional information on its assessment. EXIM agreed to do so. We will provide an update on the status of this recommendation when we confirm what actions EXIM has taken in response to this recommendation.

Recommendation: EXIM's chief operating officer should direct EXIM's Credit Review and Compliance Division to assess and document the practicality of incorporating into its postauthorization CRTI reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants and participants, and, if practical, implement relevant approaches—such as manual searches or batch matching. (Recommendation 2)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In June 2020, we met with EXIM to discuss its efforts to assess the practicality of incorporating into its postauthorization CRTI reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants and participants. Prior to the discussion, EXIM provided some information on its efforts. As part of the June 2020 discussion, we requested that EXIM provide additional information on its assessment. EXIM agreed to do so. We will provide an update on the status of this recommendation when we confirm what actions EXIM has taken in response to this recommendation.

Recommendation: The Administrator of the Food and Nutrition Service should establish a process to plan and conduct regular fraud risk assessments for the school meals programs that align with the leading practices in the Fraud Risk Framework. (Recommendation 1)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: As of September 12, 2019, USDA stated that it will undertake, over the course of the next year, a re-evaluation of its existing research and oversight activity to measure and assess fraud risk, its efforts to manage that risk, and its work to minimize the occurrence and impact of fraudulent activity on the school meal programs. USDA also stated that it will look to GAO's Fraud Risk Framework as a model for this effort. USDA expects this effort to include some new activity, such as a deeper examination of the underlying causes of program error in the agency's periodic studies of improper payments. USDA also views this as an opportunity to clarify and highlight how the agency's existing approach to risk management currently addresses fraud risk. USDA agrees that it is appropriate to review and refine its existing controls on a regular basis and recognizes that a more formalized assessment of fraud risk is likely to uncover gaps in existing activity that point to opportunities for further agency action. USDA commits to the development of a response to the effort that is appropriate to the scale of the identified risk and the broader mission of the school meal programs. In September 2020, USDA stated that it has been reviewing agency research and administrative data, as well as conducting new analysis. USDA is concluding work on its risk assessment and plans to circulate it within the agency for review soon. We will continue to monitor USDA's progress in this area.

Recommendation: Congress should consider providing IRS with explicit authority to establish security requirements for the information systems of paid preparers and Authorized e-file Providers. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: No action has been taken on this matter as of December 2019.

Recommendation: The Commissioner of Internal Revenue should develop a governance structure or other form of centralized leadership, such as a steering committee, to coordinate all aspects of IRS's efforts to protect taxpayer information while at third-party providers. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said that it agreed with the intent of the recommendation, but did not agree to implement it, citing the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file. IRS reported that to effectively establish data safeguarding policies and implement strategies enforcing compliance with those policies, a centralized leadership structure requires the statutory authority that clearly communicates the authority of the IRS to do so. Without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources, according to IRS. We disagree that convening a governance structure or other centralized form of leadership would require additional statutory authority or be inefficient, ineffective, and costly. As discussed in the report, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination, such as updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports.

Recommendation: The Commissioner of Internal Revenue should modify the Authorized e-file Provider program's requirements to explicitly state the required elements of an information security program as provided by the FTC Safeguards Rule. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with this recommendation and would update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include security elements that are consistent with the FTC Safeguards Rule. IRS plans to update the publication by November 2020.

Recommendation: The Commissioner of Internal Revenue should require that all tax software providers that participate in the Authorized e-file Provider program follow the subset of NIST Special Publication 800-53 controls that were agreed upon by the Security Summit participants. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, IRS does not plan to implement it without additional statutory authority to require Authorized e-file Provider Program participants to comply with the NIST Special Publication 800-53. We continue to believe that under IRS's existing authority, IRS has already established some information security requirements for a portion of tax software providers, those that are online providers. IRS has the opportunity to further establish standards for all tax software providers by incorporating the subset of NIST controls into its Authorized e-file Provider program, which would capitalize on the work it has completed with the Security Summit members.

Recommendation: The Commissioner of Internal Revenue should regularly review and update the security requirements that apply to tax software providers and other Authorized e-file Providers. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it will update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, with a formal memorandum to all internal stakeholders during the annual review process. IRS plans to take this action by November 2020.

Recommendation: The Commissioner of Internal Revenue should update IRS's monitoring programs for electronic return originators to include techniques to monitor basic information security and cybersecurity issues. Further, IRS should make the appropriate revisions to internal guidance, job aids, and staff training, as necessary. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, it does not plan to implement it. IRS reported it does not have the statutory authority to establish policy on information security and cybersecurity issues, nor to enforce compliance if noncompliance is observed. Additionally, IRS said that the specialized technical skills required to monitor compliance with information and cybersecurity standards, should statutory authority be granted, would require additional funding to meet those monitoring needs. However, as we reported, IRS already monitors physical aspects of information security, which goes beyond existing Authorized e-file Provider program requirements. Since most individuals now file tax returns electronically, having checks for physical security without comparable checks for cybersecurity does not address current risks, as cyber criminals and fraudsters are increasingly attacking third-party providers, as IRS has noted. We believe that incorporating some basic cybersecurity monitoring into the visits would provide IRS the opportunity to help inform the most vulnerable third-party providers of additional guidance and resources.

Recommendation: The Commissioner of Internal Revenue should conduct a risk assessment to determine whether different monitoring approaches are appropriate for all of the provider types in the IRS's Authorized e-file Provider program. If changes are needed, IRS should make appropriate revisions to the monitoring program, internal guidance, job aids, and staff training, as necessary. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with the intent of this recommendation; however it does not plan to implement it. IRS stated that absent statutory authority and funding, an assessment of the different monitoring approaches is moot. We disagree with this conclusion. As discussed in the report, IRS does not systematically monitor the existing security requirements for online providers, nor does it conduct information security or cybersecurity monitoring for all types of Authorized e-file Providers. We believe that IRS could conduct a risk assessment of its current monitoring program within existing statutory authority and make necessary changes that would provide better assurance that all types of providers are receiving some level of oversight and that IRS is addressing the greatest risk areas appropriately.

Recommendation: The Commissioner of Internal Revenue should standardize the incident reporting requirements for all types Authorized e-file Providers. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it would develop a standardized process for all Authorized e-file Providers to report security incidents to IRS. IRS said it plans to update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include this standardized process by November 2020.

Recommendation: The Commissioner of Internal Revenue should document intake, storage, and sharing of the security incident data across IRS offices. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS agreed with this recommendation. In November 2019, IRS said it agreed with this recommendation with respect to the formal process for tax professionals to report data breaches to the IRS through the Stakeholder Liaison function within the Communications and Liaison organization. According to IRS, procedures are documented in the Data Breach Incident Reporting Instructions that are followed during the intake process. IRS said that upon completion, the breach information is disseminated to other offices within the IRS, depending on the nature of the breach incident reported. According to IRS, all 2018 and 2019 Tax Pro Data Breach incidents remain stored in the Data Breach module of the Return Preparer Database. We will follow up to confirm the information IRS described and determine if these procedures cover all of the IRS offices included in our report.

Recommendation: The Director of ICE should build on existing efforts to use data analytics by employing techniques, such as network analysis, to identify potential fraud indicators in schools petitioning for certification. (Recommendation 2)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should develop an implementation plan for the project aimed at strengthening background checks for DSOs; that plan should outline how the project will be executed, monitored, and controlled. (Recommendation 5)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should implement mandatory DSO training and verify that the training is completed. (Recommendation 6)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should complete the development and implementation of its plans for mandatory fraud-specific training for DSOs. (Recommendation 7)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FNS should present the uncertainty around its retailer trafficking estimates in future reports by, for example, including the full range of the estimates in the report body and executive summary. (Recommendation 1)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: FNS generally agreed with this recommendation, and stated that it will present the uncertainty around the retailer trafficking estimates in the executive summary and main body of all future trafficking reports, instead of presenting the information in appendices, as it did in past reports. In August 2020, FNS stated that it has made this change to the next trafficking report, which is in clearance at USDA. GAO will consider this recommendation implemented when FNS issues its this report.

Recommendation: The Administrator of FNS should continue efforts to improve the agency's retailer trafficking estimates by evaluating (1) whether the factors used to identify stores for possible investigation could help address the bias in its sample, and (2) the accuracy of its assumption of the percentage of SNAP benefits that are trafficked by different types of stores. (Recommendation 2)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: FNS generally agreed with this recommendation. FNS stated that it will evaluate whether incorporating additional factors, such as the Watch List score used to identify stores for possible investigation, could improve its estimation methodology. FNS also stated that it will work with the USDA OIG to better understand the methodology the OIG uses to estimate the share of benefits that are trafficked by a retailer who is prosecuted for trafficking, and determine whether it is feasible to apply a similar methodology to the transaction data maintained by FNS in order to improve the accuracy of its assumptions about the percentage of SNAP benefits that are trafficked. In August 2020, FNS noted that it will evaluate the feasibility of this revised methodology for the trafficking estimates covering years 2018 through 2020. GAO will consider this recommendation implemented when FNS provides information on the results of this evaluation.

Recommendation: The Administrator of FNS should assess the benefits and costs of reauthorizing a sample of high-risk stores more frequently than other stores, use the assessment to determine the appropriate scope and time frames for reauthorizing high-risk stores moving forward, and document this decision in policy and on its website. (Recommendation 3)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: FNS generally agreed with this recommendation. In August 2020, FNS stated that it included a sample of 471 high-risk stores that had not yet reached their 5-year reauthorization cycle in its fiscal year 2020 reauthorization pool. Once fiscal year 2020 reauthorizations are complete, FNS will analyze the outcomes of these reauthorizations to determine the benefits and costs of reauthorizing some high-risk stores more frequently. At that point, FNS will determine the appropriate scope and time frames for reauthorizing high-risk stores moving forward. GAO will consider this recommendation implemented when FNS completes this work.

Recommendation: The Administrator of FNS should move forward with plans to increase penalties for retailer trafficking. (Recommendation 4)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: FNS generally agreed with this recommendation. In August 2020, FNS reported that it has developed a proposed rule to accomplish this change. The agency expects the proposed rule to be published in December 2020.

Recommendation: The Administrator of FNS should establish performance measures for its trafficking prevention activities. (Recommendation 5)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: FNS generally agreed with this recommendation. In August 2020, FNS reported that the agency has assessed existing data to develop strategies for trafficking prevention, and is taking a two-pronged approach. First, the agency stated that it has updated training materials and guidance to make them more accessible for staff. Second, the agency stated that it is continuing to assess store applications and reauthorizations for business integrity, including prior fraud and other criminal offenses by store owners or managers, as described in regulations and policy. However, FNS did not indicate whether the agency currently has plans to establish performance measures for its trafficking prevention activities.

Recommendation: The Director of OMB should enhance the guidelines for agencies to establish the controls required by FRDAA, by clarifying the difference between FRDAA and ERM requirements, and through collaboration with agencies to determine what additional information agencies need to implement the controls. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In March 2020, the Payment Integrity Information Act of 2019 (PIIA) was enacted to improve efforts to identify and reduce government-wide improper payments, including payments that are the result of fraud. PIIA repealed and replaced FRDAA. However, OMB and the other agencies subject to PIIA essentially must satisfy the same requirements established under FRDAA, including adhering to OMB's related guidelines. OMB has not updated its published guidelines for FRDAA as we recommended. If OMB takes additional actions to supplement guidelines under PIIA, we will review the guidelines to determine whether it addresses our recommendation.

Recommendation: The Director of OMB should enhance FRDAA reporting guidelines by directing agencies to report complete and detailed information on each of the reporting elements specified by FRDAA, which should include information related to financial and nonfinancial fraud. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In March 2020, the Payment Integrity Information Act of 2019 (PIIA) was enacted to improve efforts to identify and reduce government-wide improper payments, including payments that are the result of fraud. PIIA repealed and replaced FRDAA, but maintained similar reporting requirements for federal agencies regarding fraud risks and also extended the time line for reporting by a year. OMB did not update its previous reporting guidance for FRDAA as we recommended. If OMB takes additional actions to supplement reporting guidelines under PIIA, we will review the guidelines to determine whether it addresses our recommendation.

Recommendation: Building on ongoing efforts, the Administrator of FNS should develop and implement additional methods to widely distribute information to state agencies on an ongoing basis about successful efforts to adopt data analytics and strategies to leverage existing data, technology, and staff resources to enhance data analytics. (Recommendation 1)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: FNS agreed with this recommendation. The agency noted that it has been moving in the general direction of this recommendation and would build on current efforts to address it but noted that state readiness and technical capabilities are limiting factors in the adoption of data analytics.

Recommendation: The Secretary of Veterans Affairs should ensure that VA's Director of the Office of Acquisition and Logistics, in consultation with VA's Office of Small and Disadvantaged Business Utilization, takes measures to ensure that VA contracting staff adhere to the requirements for documenting the required Vendor Information Pages searches in contract files. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation and is taking steps to implement it. In August 2020, VA reported that it was beginning a process to update its contracting system to automate the inclusion of documentation of Vendor Information Pages searches in contract files. VA is also now tracking compliance rates. VA plans to provide GAO an update in fall 2020.

Recommendation: The Secretary of Veterans Affairs should ensure that the Director of the Office of Acquisition and Logistics conducts a fraud risk assessment for the Veterans First program. (Recommendation 5)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation and is taking steps to implement it. In August 2020, VA provided GAO with a draft fraud risk assessment, and also reported that it is developing measures to mitigate identified risks. VA has not yet provided a date by which it plans to finalize its risk assessment and risk mitigation measures.

Recommendation: The Secretary of Veterans Affairs should ensure that the Director of the Office of Acquisition and Logistics directs the Risk Management and Compliance Service to share, through guidance, training, or other methods, subcontracting limitation risks and monitoring practices with contracting officers and their management. (Recommendation 6)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation and is taking steps to implement it. In August 2020, VA provided draft lists of subcontracting limitations risks, as well as draft monitoring guidance and tools. After these items are finalized, VA plans to post them on a portal accessible to all VA contracting staff, but has yet to provide a date by which it expects to take this step.

Recommendation: Congress should consider designating an agency to regularly collect and maintain specified cost-related data from credit allocating agencies and periodically assess and report on LIHTC project development costs. (Matter for Congressional Consideration 1)

Agency: Congress
Status: Open

Comments: As of August 2020, Congress had not designated an agency to regularly collect and maintain data on LIHTC project development costs.

Recommendation: IRS's Associate Chief Counsel, in consultation with Treasury's Assistant Secretary for Tax Policy, should require general contractor cost certifications for LIHTC projects to verify consistency with the developer cost certification. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS disagreed with the recommendation and had not taken action to implement it as of August 2020. We maintain that requiring general contractor cost certifications would help address a known fraud risk.

Recommendation: To help allocating agencies analyze development cost trends and drivers and make comparisons to other agencies, IRS's Commissioner of the Small Business/Self-Employed Division should encourage allocating agencies and other LIHTC stakeholders to collaborate on the development of more standardized cost data, considering information in this report about variation in data elements, definitions, and formats. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS disagreed with the recommendation and had not taken action to implement it as of August 2020. We maintain that greater standardization of LIHTC cost data would facilitate analysis of cost drivers and cost-management practices.

Recommendation: IRS's Associate Chief Counsel, in consultation with Treasury's Assistant Secretary for Tax Policy, should communicate to credit allocating agencies how to collect information on and review LIHTC syndication expenses, including upper-tier partnership expenses. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS disagreed with the recommendation and had not taken action to implement it as of August 2020. We maintain that communicating expectations about the collection and review of syndication expenses would enhance program transparency and allocating agency financial assessments.

Recommendation: Congress should consider legislation to require that returns prepared electronically but filed on paper include a scannable code printed on the return. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: Congress introduced the Acting on the Annual Duplication Report Act of 2019 on July 18, 2019. If enacted this legislation would require returns prepared electronically but filed on paper include a scannable code. Congress had not passed the legislation as of February 2020.

Recommendation: Based on the assessment in recommendation 2, the Commissioner of Internal Revenue should implement the most cost-effective method to digitize information provided by taxpayers who file returns on paper. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS agreed with this recommendation and in December 2019 indicated that it plans to begin scanning and digitizing individual tax returns filed on paper beginning in October 2021. According to IRS, digitizing paper returns at intake would allow IRS to reduce processing time, use the same RRP fraud filters on all paper and electronic forms, and allow more pre-refund audits or investigations, among other benefits.

Recommendation: The Commissioner of Internal Revenue should evaluate the costs and benefits of expanding RRP to analyze individual returns not claiming refunds to support other enforcement activities. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS agreed with this recommendation and told us expanding the use of RRP is an agency goal. In December 2019, IRS officials reported that internal IRS offices are collaborating on identifying priorities for expanding use of RRP to support other enforcement activities, such as pre-refund audits and investigations, and improve detection and treatment of fraud and noncompliance.

Recommendation: Based on the assessment in recommendation 4, the Commissioner of Internal Revenue should expand RRP to support identified activities. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of June 2019, IRS has not yet completed its analysis of the costs and benefits of expanding RRP, and therefore has not taken action to expand RRP based on this assessment. IRS agreed with the recommendation but noted that it must first evaluate opportunities to expand RRP. Implementing this recommendation could help IRS streamline the detection and treatment of fraud as well as promote voluntary compliance with tax laws.

Recommendation: Based on the estimates developed in Recommendation 1, the Commissioner of Internal Revenue should direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementation documents for the 14 foundational initiatives. IRS stated that this information and progress that IRS has made on the initiatives shows that the initiatives are a priority for IRS leadership. However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends to update its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS's continued attention to this action will help ensure that in-progress authentication initiatives are prioritized and completed.

Recommendation: The Commissioner of Internal Revenue should establish a policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication. This policy should include, for example, the frequency of assessments to be performed and timeframes for addressing deficiencies. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials had developed a draft policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication, as we recommended. IRS officials stated that once this policy is approved, it will be used to develop a plan to perform risk assessments for these authentication channels. IRS's continued attention to this recommendation will help ensure that it is aware of emerging threats to the tax environment.

Recommendation: Consistent with the policy developed in Recommendation 3, the Commissioner of Internal Revenue should direct the Identity Assurance Office and IRS business owners to develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials stated that they will develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication by May 2020. Until IRS develops and implements this plan, these authentication channels may be more vulnerable to fraudulent activity, including unauthorized attempts to access taxpayer information.

Recommendation: The Commissioner of Internal Revenue should establish a mechanism to collect data on outcomes for telephone, in-person, and correspondence authentication, consistent with federal standards for internal control. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials stated that the agency intends to implement this recommendation by spring 2020. Officials noted that developing a systemic solution for collecting data on all authentication outcomes is complex and involves multiple IRS business divisions. Until IRS fully addresses this recommendation, it will have limited insight into the number of taxpayers who fail authentication and the reason for failure.

Recommendation: The Commissioner of Internal Revenue should revise or establish, as appropriate, procedures to ensure data quality in the Account Management Services (AMS) consistent with federal standards for internal control. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS stated that it has planned enhancements to its authentication data collection procedures in AMS. Officials stated that by June 2020, they intend to implement improvements for ensuring data quality of authentication outcomes. Until IRS fully implements our recommendation, it will be limited in conducting systematic data analysis on taxpayer authentication outcomes.

Recommendation: The Commissioner of Internal Revenue should ensure that IRS business units have access to complete AMS data to monitor authentication performance and identify potential issues. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of November 2019, IRS officials told us that IRS has explored options that will allow the agency to more effectively record, track, and monitor authentication outcomes. IRS officials said that they are developing and testing a tool to document Taxpayer Protection Program interactions, outcomes of taxpayer authentication, and the reasons for authentication failures. Officials stated that IRS plans to have this tool implemented by spring 2020, one year later than originally planned. Officials stated that the delay is due to additional technical programming to fully develop the tool. We will follow up on IRS's actions to determine the extent to which they implement our recommendation.

Recommendation: The Commissioner of Internal Revenue should direct the Identity Assurance Office and other appropriate business partners to develop a plan--including a timeline, milestone dates, and resources needed--for implementing changes to its online authentication programs consistent with new NIST guidance. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, IRS has taken steps to implement this recommendation. Efforts include developing plans for a new authentication capability to authenticate taxpayer's identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials told us that they plan to work with external partners to perform additional testing on its new authentication platform this year, including a usability study to understand user experience. IRS officials also stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. IRS's timely implementation of NIST's guidance is critical to help the agency mitigate potential security weaknesses in its existing online authentication programs.

Recommendation: In accordance with the plan developed in Recommendation 8, the Commissioner of Internal Revenue should implement improvements to IRS's systems to fully implement NIST's new guidance. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, IRS has taken steps to develop plans for a new authentication capability to authenticate taxpayer's identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. As noted in our report, IRS's timely implementation of NIST's new guidance is critical, as it can help the agency mitigate potential security weaknesses in its existing online authentication programs.

Recommendation: The Commissioner of Internal Revenue should develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners. (Recommendation 10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects to finalize the process in spring 2020. IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Recommendation: Based on the approach developed in Recommendation 10, the Commissioner of Internal Revenue should include and prioritize these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap. (Recommendation 11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentation states that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.

Recommendation: The Acting Commissioner of Internal Revenue should assess options for improving enforcement of late W-2 filing penalties, for example, by mailing notices before the next filing deadline. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of October 2019, IRS continues to disagree with this recommendation. IRS stated that it does not have all the information required for calculating and sending late penalty notifications prior to the beginning of the next filing season. However, in its response, IRS did not consider other options that could be available prior to finalizing penalty calculations, such as communicating with the employers earlier in the process. As noted in our report, quickly responding to employers that filed late increases the potential for compliance, thereby increasing the availability of W-2 data for systemic verification to detect and prevent fraud and noncompliance. We continue to believe that assessing the options for improving enforcement of late W-2 filing penalties, such as through earlier communication, would help IRS identify potential opportunities to encourage compliance with the W-2 filing deadline and verify more wage information before releasing refunds. We will continue to discuss options with IRS regarding this recommendation.

Recommendation: The Acting Commissioner of Internal Revenue should develop an evaluation plan to fully assess the benefits and costs, including taxpayer burden, of modifying the February 15 refund hold, and determine how this effort informs IRS's overall compliance strategy for refundable tax credits and fraud risk management. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, IRS has assessed the benefits of modifying the refund hold, but it has not assessed the costs, as GAO recommended in January 2018. In November 2018, IRS provided its assessment of the February 15 refund hold. In it, IRS reiterated its findings regarding the benefits of the refund hold. These benefits included potential savings if IRS modified the hold to include all taxpayers, extended the hold to a later date when more W-2 data are available, or made both changes. However, IRS did not include any assessment of costs to achieve these potential savings, such as the costs for IRS to review any additional returns that would be identified under a modified refund hold. It did not assess taxpayer burden, either. IRS also did not determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. In January 2019, IRS took actions to hold more returns beyond the February 15 refund hold date using a risk-based selection method. Nevertheless, without a complete assessment of the benefits and costs, including taxpayer burden, IRS is making a decision based upon incomplete information. Further, if Congress or Treasury considered making any changes, they too would have incomplete information on which to direct IRS's actions.

Recommendation: Based on the benefits and costs assessment in Recommendation 3, the Acting Commissioner of Internal Revenue should use IRS's existing authority to modify the refund hold such that it minimizes the risk of releasing fraudulent or noncompliant refunds. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: As of January 2020, IRS has taken actions consistent with our recommendations by modifying its filters to hold more returns claiming the Earned Income Tax Credit (EITC) or Additional Child Tax Credit (ACTC) beyond the February 15 refund hold date based on a risk-based selection method. In addition, in May 2019, IRS officials told us they are making similar changes for the 2020 filing season to hold more high-risk returns not claiming EITC or ACTC until W-2 data are available. This action, if taken, would be consistent with our recommendations. In 2018, IRS assessed the benefits of modifying the refund hold, however, it did not assess or document the costs, including taxpayer burden, or determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. Completing these actions, along with the planned modifications, would fully address our recommendations, which would enable IRS to make decisions based on completed information.

Recommendation: The Acting Commissioner of Internal Revenue should assess the benefits and costs of additional uses and applications of W-2 data for pre-refund compliance checks, such as addressing underreporting, employment fraud, and other fraud or noncompliance before issuing refunds. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS provided results for a pilot encouraging voluntary compliance through expanded systemic verification using W-2 data. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. If IRS determines that the benefits outweigh the costs of adopting this practice based on the pilot results, or assesses additional options to address other fraud and noncompliance before issuing refunds, it would satisfy our recommendation. We will continue to follow IRS's progress on the pilot and its results.

Recommendation: Based on the assessment in Recommendation 5, the Acting Commissioner of Internal Revenue should implement any identified changes to improve pre-refund compliance checks. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS provided an evaluation of a pilot it conducted during tax year 2019. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. IRS told us they intend to continue the pilot during tax year 2020. We will continue to follow IRS's progress on the pilot and its results.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the Information Sharing and Analysis Center (ISAC) pilot better aligns with leading practices for effective pilot design. This should include (1) establishing criteria for assessing whether the pilot's objectives have been met before making decisions about its scalability and whether, how, and when to when to proceed to full implementation; and (2) developing a data analysis plan that identifies data sources and criteria necessary for effectively evaluating the pilot. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS transitioned the Information Sharing and Analysis Center (ISAC) from a pilot to full implementation in October 2018. As of June 2020, we have requested documentation from IRS related to this transition to determine if it is consistent with the recommendation to align with leading practices. We will continue to monitor ISAC activities.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the ISAC Partnership develops an outreach plan to expand membership and improve states' and industry partners' understanding of the ISAC's benefits. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: The ISAC annual report released in April 2018 cites plans to continue to grow member participation from private sector and other government agencies and to provide opportunities to deepen members' participation with clear guidelines. As of June 2020, we have requested additional information about participation levels and ongoing outreach efforts. Developing an outreach plan to broaden membership to non-Security Summit members of industry and financial institutions would further promote stakeholders collaborating and sharing fraud information.

Recommendation: To provide reasonable assurance that USRAP applicant fraud prevention and detection controls are adequate and effectively implemented, the Secretaries of Homeland Security and State should conduct regular joint assessments of applicant fraud risk across USRAP.

Agency: Department of Homeland Security
Status: Open

Comments: We reported that the Department of State and DHS's U.S. Citizenship and Immigration Services (USCIS) have not jointly assessed applicant fraud risks across the U.S. Refugee Admissions Program (USRAP), consistent with federal internal control standards and leading practices for fraud risk management. Specifically, we reported that although State and USCIS perform a number of fraud risk management activities and have responded to individual instances of applicant fraud in the program, these efforts do not position State and USCIS to assess fraud risks program-wide for USRAP or know if their controls are appropriately targeted to the areas of highest risk in the program. Therefore, we recommended that the Secretaries of Homeland Security and State conduct regular joint assessments of applicant fraud risk across USRAP. USCIS concurred with our recommendation. In response, State reported that it will work together with USCIS to conduct joint risk assessments by jointly developing a risk assessment framework. According to DHS and State documentation, the departments finalized a joint framework in January 2018. In February 2019, DHS and State provided us with the interim progress report on their efforts to conduct an assessment of applicant fraud risk across USRAP. In June 2019, USCIS reported that DHS and State have completed the planned analysis and the draft report is being prepared for leadership review and clearance. DHS estimated that the report will be completed by September 30, 2020. To fully address the recommendation, State and USCIS should jointly conduct regular fraud risk assessments across USRAP.

Recommendation: To provide reasonable assurance that USRAP applicant fraud prevention and detection controls are adequate and effectively implemented, the Secretaries of Homeland Security and State should conduct regular joint assessments of applicant fraud risk across USRAP.

Agency: Department of State
Status: Open

Comments: We reported that the Department of State and DHS's U.S. Citizenship and Immigration Services (USCIS) have not jointly assessed applicant fraud risks across the U.S. Refugee Admissions Program (USRAP), consistent with federal internal control standards and leading practices for fraud risk management. Specifically, we reported that although State and USCIS perform a number of fraud risk management activities and have responded to individual instances of applicant fraud in the program, these efforts do not position State and USCIS to assess fraud risks program-wide for USRAP or know if their controls are appropriately targeted to the areas of highest risk in the program. Therefore, we recommended that the Secretaries of Homeland Security and State conduct regular joint assessments of applicant fraud risk across USRAP. USCIS concurred with our recommendation. In response, State reported that it will work together with USCIS to conduct joint risk assessments by jointly developing a risk assessment framework. According to DHS and State documentation, the departments finalized a joint framework in January 2018. In February 2019, DHS and State provided us with the interim progress report on their efforts to conduct an assessment of applicant fraud risk across USRAP. In June 2019, USCIS reported that DHS and State have completed the planned analysis and the draft report is being prepared for leadership review and clearance. DHS estimated that the report will be completed by September 30, 2020. To fully address the recommendation, State and USCIS should jointly conduct regular fraud risk assessments across USRAP.

Recommendation: To allow DOE management to effectively monitor invoice reviews and have assurance that this control activity is operating as intended, the Secretary of Energy should establish a DOE-wide invoice review policy that includes requirements for sites to establish well-documented invoice review operating procedures.

Agency: Department of Energy
Status: Open

Comments: In its comments on a draft of the report in March 2017, DOE concurred in principle with this recommendation, stating that it already had an established, detailed DOE-wide invoice review policy provided in DOE's Financial Management Handbook and in the DOE Acquisition Guide. In February 2020, DOE issued an update to its Financial Management Handbook that included additional procedures to address intra-governmental payment and collection transactions. However, neither the prior version of the Financial Management Handbook nor the additional information includes invoice review procedures. The Financial Management Handbook refers users to the DOE Acquisition Guide for procedures for invoice review. However, the Acquisition Guide states that it is intended to offer general guiding principles for approving officials to consider when reviewing and analyzing cost elements included in contract invoices--as opposed to detailed procedures for invoice review--and does not require sites to establish well-documented invoice review operating procedures, as we recommended.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including creating a structure with a dedicated entity within DOE to design and oversee fraud risk management activities.

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: In its comments on a draft of the report in March 2017, DOE partially agreed with the recommendation. In its written comments on the report, DOE stated that it considered the recommendation to be closed without corrective action and that it would rely on the existing Office of Financial Policy and Internal Controls and on the DOE Office of Inspector General (OIG) to design and oversee financial fraud risk management activities. However, we disagree that relying in part on the OIG to design and oversee fraud risk management activities meets best practices because, according to GAO's Fraud Risk Framework, the dedicated entity should not include the OIG so that the OIG can maintain its independence. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE expects to establish a new group in fiscal year 2020 that will oversee DOE's fraud risk management activities. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including conducting fraud risk assessments that are tailored to each program and use the assessments to develop a fraud risk profile

Agency: Department of Energy
Status: Open

Comments: In its comments on a draft of the report in March 2017, DOE concurred with the substance of the recommendation; however they considered the recommendation to be closed without corrective action because DOE believed that its risk assessments met the requirements of the Improper Payments Elimination and Recovery Improvement Act of 2012, as reported by the Office of Inspector General (OIG), and because it has implemented updates to OMB Circular A-123 that added requirements related to managing fraud risk and adherence to GAO's Fraud Risk Framework. However, we found that DOE has not conducted fraud risk assessments that were tailored to its programs and, therefore, do not allow the department to create a fraud risk profile. We also found that, although DOE updated its internal control assessment tools with a list of fraud risks as required by OMB Circular A-123, the list of risks were the same for all DOE sites and were not tailored to the sites' different programs. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, the framework is expected to include changes to DOE's process to develop its fraud risk profile, beginning in fiscal year 2020. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including developing and documenting an antifraud strategy that describes the programs' approaches for addressing the prioritized fraud risks identified during the fraud risk assessment.

Agency: Department of Energy
Status: Open

Comments: In its comments on the draft report in March 2017, DOE concurred with this recommendation but considered the recommendation closed without corrective action because DOE had implemented the updated OMB Circular A-123 and because DOE's antifraud strategy was embedded in the DOE internal control program. However, DOE officials told us that they had not developed or documented a DOE-wide antifraud strategy or directed individual programs to develop program-specific strategies. Furthermore, DOE's implementation of OMB Circular A-123 included adding a list of potential risks to their internal control assessment tool that were the same for all DOE sites and were not tailored to the sites' different programs. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to develop an antifraud strategy in fiscal year 2021. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including designing and implementing specific control activities, including fraud awareness training and data analytics, to prevent and detect fraud and other improper payments.

Agency: Department of Energy
Status: Open

Comments: In its comments on the draft report in March 2017, DOE stated that it concurred in principle with the recommendation, but that it had implemented the recommendation. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to begin in fiscal year 2022 to use data analytics across the agency to prevent fraud. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help ensure that necessary data are available to employ data analytics as a tool to perform contractor cost-surveillance activities, the Secretary of Energy should require contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to the government, including (1) cost data that, at a minimum, represent a full data population and (2) the details necessary to determine the nature of each cost transaction, with such identifiers as transaction date, dollar amount, item or service description, and transaction codes to indicate the type of cost represented (e.g., construction materials, property lease, and office supplies).

Agency: Department of Energy
Status: Open

Comments: In its comments on the draft report in March 2017, DOE did not agree to implement this recommendation because officials believe that the recommendation establishes agency-specific requirements for DOE contractors that are more prescriptive than current federal requirements. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to begin in fiscal year 2022 to use data analytics across the agency to prevent fraud. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: In the event that Congress again requires an agency to provide affected individuals with identity theft insurance in response to a breach of sensitive personal data, Congress should consider permitting the agency to determine the appropriate level of that insurance.

Agency: Congress
Status: Open

Comments: As of July 2020, Congress had not enacted legislation for which our Matter for Congressional Consideration would be applicable.

Recommendation: The Director of the Office of Management and Budget should, to the extent feasible, conduct an analysis of the effectiveness of the various identity theft services relative to alternatives, and revise OMB's guidance to federal agencies in light of this analysis.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As we reported in GAO-19-230, we contacted OMB several times between May 2018 and early March 2019 to update the status of this recommendation, and again in July 2020, but as of July 2020, OMB had not responded with an update.

Recommendation: The Director of the Office of Management and Budget should explore options to address the risk of duplication in federal agencies' provision of identity theft services in response to data breaches, and take action if viable options are identified.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: No executive action identified. As of July 2020, OMB had not responded to GAO's request for an update.

Recommendation: To ensure effective and appropriate recovery of DI overpayments and administration of penalties and sanctions, the Acting Commissioner of the Social Security Administration should clarify its policy for assessing the reasonableness of expenses used in determining beneficiaries' repayment amounts to help ensure that withholding plans are consistently established across the agency and accurately reflect individuals' ability to pay.

Agency: Social Security Administration
Status: Open

Comments: As of June 2020, SSA reported taking a number of steps to address this recommendation. According to SSA, it updated its guidance in 2017 to help ensure that staff consistently process various requests from overpaid individuals. SSA also reported that it is taking additional steps to update instructions on how staff should consider whether expenses reported by individuals are reasonable when approving withholding plans. The agency expects these instructions to be complete by the end of fiscal year 2021. We will close this recommendation once SSA releases additional guidance on assessing the reasonableness of expenses.

Recommendation: To ensure effective and appropriate recovery of DI overpayments and administration of penalties and sanctions, the Acting Commissioner of the Social Security Administration should adjust the minimum withholding rate to 10 percent of monthly DI benefits to allow quicker recovery of debt.

Agency: Social Security Administration
Status: Open
Priority recommendation

Comments: SSA agreed with this recommendation and in 2017 estimated that this change would result in an additional $213 million in collections over a 5-year period. The fiscal year 2021 President's budget submission contained a legislative proposal to make this change, and budgets since 2017 have contained similar proposals. As of June 2020, SSA reported that it plans to continue to submit similar legislative proposals. SSA also included the proposal in its regulatory agenda, noting that the change can also be implemented via regulatory change. We will close this recommendation once SSA achieves resolution from Congress on its legislative proposal or from its own regulatory efforts.

Recommendation: To ensure effective and appropriate recovery of DI overpayments and administration of penalties and sanctions, the Acting Commissioner of the Social Security Administration should consider adjusting monthly withholding amounts according to cost of living adjustments or charging interest on debts being collected by withholding benefits. Should SSA determine that it is necessary to do so, it could pursue legislative authority to use recovery tools that it is currently unable to use.

Agency: Social Security Administration
Status: Open

Comments: Although SSA initially disagreed with this recommendation, the agency reassessed its response in June 2019 and decided to take additional actions. As of June 2020, SSA is developing a system to track debts (the Debt Management Product) which will have the ability to store, track, and apply interest and penalties to overpayment debts. SSA also reports that it is seeking a regulatory change to clarify procedures to charge interest on debts. While SSA is pursuing these measures to position itself to charge interest on debts, the agency has not yet decided whether it will ultimately do so. We will close this recommendation once SSA makes a decision on how to proceed with charging interest on overpayment debts.

Recommendation: To ensure states have appropriate and current guidance to assist them in designing and administering Medicaid NEMT, the Secretary of HHS should direct CMS to assess current Medicaid NEMT guidance and update that guidance as needed.

Agency: Department of Health and Human Services
Status: Open

Comments: As of July 2019, HHS officials reported that they are waiting for a policy decision from leadership concerning non-emergency medical transportation. GAO will continue to monitor and update the status of this recommendation.

Recommendation: Congress should consider granting Labor the additional authority it is seeking to access wage data to help verify claimants' reported income and help ensure the proper payment of benefits.

Agency: Congress
Status: Open

Comments: No legislation introduced as of March 20120. The Workers' Compensation Reform Act of 2015 (S. 2051, title V) was introduced in the 114th Congress. It would have allowed DOL to access wage data, as GAO suggested in April 2013, from the National Directory of New Hires to improve the integrity of the Federal Employees' Compensation Act program, among other actions. If similar legislation were introduced in the 116th Congress and enacted, this legislation could help to prevent and detect improper payments in the Federal Employees' Compensation Act program.