This is the accessible text file for GAO report number GAO-08-77 entitled 'Improper Payments: Weaknesses in USAID's and NASA's Implementation of the Improper Payments Information Act and Recovery Auditing' which was released on December 10, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee on Homeland Security and Governmental Affairs, U.S. Senate: United States Government Accountability Office: GAO: November 2007: Improper Payments: Weaknesses in USAID's and NASA's Implementation of the Improper Payments Information Act and Recovery Auditing: GAO-08-77: GAO Highlights: Highlights of GAO-08-77, a report to the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee on Homeland Security and Governmental Affairs, U.S. Senate. Why GAO Did This Study: Agencies are required to report improper payment information under the Improper Payments Information Act of 2002 (IPIA) and recovery auditing information under section 831 of the National Defense Authorization Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act. Since the first year of implementation, fiscal year 2004, limited improper payments reporting by the United States Agency for International Development (USAID) and the National Aeronautics and Space Administration (NASA) and concerns raised by NASA’s auditors about its risk assessment process prompted scrutiny from this subcommittee during several oversight hearings. Because the subcommittee noted that USAID’s and NASA’s performance and accountability report (PAR) reporting on improper payments and recovery auditing was minimal, GAO was asked to review both agencies’ IPIA risk assessment methodologies, recovery auditing procedures, and actions under way to improve their IPIA and recovery audit reporting. What GAO Found: For the first 3 years of IPIA implementation, fiscal years 2004 through 2006, USAID and NASA performed various procedures to conduct their risk assessments. Many of these procedures are positive steps to address the requirements of IPIA. At the same time, GAO identified numerous deficiencies in the procedures that warrant further improvement. For example, neither USAID nor NASA had developed a systematic process to (1) identify risks that exist in their payment activities or (2) evaluate the results of their payment stream reviews, such as weighting and scoring the effectiveness of existing internal control over payments made and results from external audits. Furthermore, risk assessment documentation maintained by USAID and NASA was lacking or insufficient to support their conclusions that no programs or activities were susceptible to significant improper payments. A lack of detailed written guidance for both agencies may have contributed to the deficiencies identified. Due to inadequacies in their risk assessment process, USAID and NASA cannot be certain that they had no programs or activities susceptible to significant improper payments, and ultimately, had effectively implemented IPIA. Although USAID and NASA have reported on steps taken to recoup improper contract payments, GAO found several weaknesses in their recovery auditing procedures for fiscal years 2004 through 2006. In particular, USAID and NASA did not report recovery auditing information for each fiscal year, documentation was lacking or not adequately supported, and neither agency adhered to all of the reporting requirements outlined in OMB’s implementing guidance. Other weaknesses noted were agency- specific. For example, USAID recovery auditing procedures were comprised of reviews of certain OIG and external audit reports over USAID grant and contract programs. However, the methodology used for conducting those audits may not have constituted a recovery auditing program as defined by OMB guidance, and thus may be insufficient for this purpose. NASA, on the other hand, used IPIA contract payment review results to report amounts recovered for fiscal year 2005. However, the payment reviews were limited in scope and did not provide an adequate representation of the extent of contract overpayments. Due to a lack of, or insufficient, documentation, along with identified weaknesses, the validity and accuracy of the reported recovery amounts are questionable. While USAID and NASA have experienced significant challenges in their first 3 years of IPIA implementation, both agencies have taken steps to strengthen their risk assessment process and, ultimately, IPIA reporting. For example, USAID has developed an agencywide payment database that will be used to research and data mine for potential improper payments. NASA hired two different contractors to develop a methodology for conducting a risk assessment and testing of payment transactions. Actions are also under way to improve recovery auditing efforts. However, improvements are still needed to address some of the weaknesses identified related to conducting risk assessments and performing recovery auditing procedures. What GAO Recommends: GAO is making a total of 10 recommendations to help improve USAID’s and NASA’s efforts to implement IPIA and the Recovery Auditing Act. USAID did not specifically respond to the recommendations, but provided a technical comment, which GAO addressed. NASA concurred with the recommendations. To view the full product, including the scope and methodology, click on [hyperlink, http://www.GAO-08-77]. For more information, contact McCoy Williams at (202) 512-9095 or williamsm1@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: USAID's and NASA's Risk Assessment Processes and Documentation Could Be Improved: Weaknesses Found in Recovery Auditing Procedures Raise Questions About the Validity and Accuracy of Reported Recovery Audit Amounts: USAID and NASA Have Taken Steps to Strengthen Their Risk Assessment Processes and Recovery Auditing Procedures, but Challenges Remain: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Types of Payment Streams Identified during United States Agency for International Development's Risk Assessment: Appendix III: Types of Payment Streams Identified during National Aeronautics and Space Administration's Risk Assessment: Appendix IV: Comments from the United States Agency for International Development: Appendix V: Comments from the National Aeronautics and Space Administration: Appendix VI: GAO Contact and Staff Acknowledgments: Table: Table 1: USAID's and NASA's Reported Recovery Auditing Amounts for Fiscal Years 2004 to 2006: Figures: Figure 1: USAID's Major Payment Streams for Fiscal Year 2004: Figure 2: NASA's Reported Major Payment Streams for Fiscal Year 2004: Abbreviations: CMP: Cash Management and Payment: DCAA: Defense Contract Audit Agency: DOJ: Department of Justice: FP-AF: fixed-priced contracts with award fees: IPIA: Improper Payments Information Act of 2002: NASA: National Aeronautics and Space Administration: OCFO: Office of Chief Financial Officer: OIG: Office of Inspector General: OMB: Office of Management and Budget: PAR: performance and accountability report: PMA: President's Management Agenda: USAID: United States Agency for International Development: [End of section] United States Government Accountability Office: Washington, DC 20548: November 9, 2007: The Honorable Thomas R. Carper: Chairman: The Honorable Tom Coburn: Ranking Member: Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security Committee on Homeland Security and Governmental Affairs: United States Senate: Fiscal year 2006 marked the third year that federal executive branch agencies, including the United States Agency for International Development (USAID) and the National Aeronautics and Space Administration (NASA), were required to report improper payment information under the Improper Payments Information Act of 2002 (IPIA)[Footnote 1] and information about their efforts to recover improper payments made to contractors under section 831 of the National Defense Authorization Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act.[Footnote 2] As we reported in March 2007,[Footnote 3] the total reported governmentwide improper payment estimate was about $42 billion for fiscal year 2006. As the steward of taxpayer dollars, the federal government is accountable for how its agencies and awardees spend hundreds of billions of taxpayer dollars and is responsible for safeguarding those funds against improper payments as well as having mechanisms in place to recoup those funds when improper payments occur. IPIA and the Recovery Auditing Act provide an impetus for applicable agencies to systematically address improper payment activity annually, and to identify and recover contract overpayments. Since fiscal year 2000, we have issued a number of reports and testimonies aimed at raising the level of attention given to improper payments. Our work over the past several years has demonstrated that improper payments are a long-standing, widespread, and significant problem in the federal government. IPIA has increased visibility over improper payments by requiring executive branch agency heads, based on guidance from the Office of Management and Budget (OMB),[Footnote 4] to identify programs and activities susceptible to significant improper payments,[Footnote 5] estimate amounts improperly paid, and report on the amounts of improper payments and their actions to reduce them. Similarly, the Recovery Auditing Act requires agencies to systematically identify and recover contract overpayments. This act requires, among other things, that all executive branch agencies entering into contracts with a total value exceeding $500 million in a fiscal year have cost-effective programs for identifying errors in paying contractors and for recovering amounts erroneously paid. Since fiscal year 2004, agencies have been required by OMB to report on IPIA and recovery auditing efforts in their performance and accountability reports (PAR). For the first 3 years of IPIA implementation, fiscal years 2004 through 2006, USAID and NASA have reported that none of their programs and activities were susceptible to significant improper payments and either did not report any or provided minimal information on recovery auditing activities. Although USAID and NASA differ in size, with annual budgets exceeding $10 billion and $16 billion, respectively, both agencies awarded over 75 percent of their total budget to contractors or grantees[Footnote 6]--thereby increasing the risk of improper payments made to awardees. In particular, at NASA, we have previously reported[Footnote 7] on long-standing weaknesses and vulnerabilities in its contract management. Since 1990, we have designated NASA's contract management as high-risk principally because NASA lacked a modern financial management system to provide accurate and reliable information on contract spending and placed little emphasis on product performance, cost controls, and program outcomes. The lack of an effective financial management system is also included as a financial management weakness that contributed to NASA receiving a disclaimer of opinion on its financial statements for the past 3 fiscal years. NASA's Office of Inspector General (OIG) has also identified financial management and the contract and acquisition process as being among the most serious management and performance challenges. At USAID, we have reported[Footnote 8] on weaknesses associated with its contract management and oversight of U.S. assistance to Afghanistan. For example, we found that during fiscal year 2004, USAID did not consistently require contractors to fulfill contract provisions or provide adequate contract oversight, including holding contractors to stipulated requirements and conducting required reviews of contractor performance. We also have previously reported on control weaknesses in USAID's ability to collect agencywide obligation and expenditure data and long-standing challenges associated with USAID's financial management and reporting, including a lack of complete, reliable, and timely information needed to make sound, cost-effective decisions.[Footnote 9] OIG and external audit reports have also identified weaknesses related to contract management and oversight in Iraq. USAID's OIG reported[Footnote 10] that the agency made about $8 million in payments to a contractor for security services in Iraq without a valid obligation, including not obtaining the minimum documentation required and signing a contract prior to making these payments. The OIG determined that without an effective funds control system, USAID cannot prevent overspending or ensure compliance with various laws enacted to control and guide the implementation of federal fiscal policy. In addition, on the basis of its review of a $1.33 billion cost-plus reconstruction contract issued by USAID, the Special Inspector General for Iraq Reconstruction found insufficient contract oversight that resulted in inconsistent contract management, inadequate contractor direction, and ineffective performance assessments.[Footnote 11] In addition to these previously reported weaknesses in USAID and NASA operations, limited improper payments reporting by the two agencies in fiscal year 2004 and concerns raised by NASA's auditors regarding its risk assessment process prompted scrutiny from your subcommittee during several oversight hearings on governmentwide improper payments. [Footnote 12] Because of congressional concern that USAID's and NASA's PAR reporting on improper payments had not improved in the second year of IPIA implementation, and both agencies reported minimal recovery auditing information, you asked us to determine (1) the extent to which USAID and NASA performed the required risk assessments to identify programs and activities that were susceptible to significant improper payments for fiscal year 2004 through fiscal year 2006, (2) steps USAID and NASA have taken to recoup improper payments through recovery audits, and (3) actions USAID and NASA have under way to improve their IPIA and recovery audit reporting. To address each of these objectives, we reviewed improper payments and recovery auditing legislation and OMB implementing guidance. We also reviewed USAID's and NASA's fiscal years 2004 through 2006 PARs and external audit reports and interviewed agency officials about their risk assessment methodologies, recovery auditing activities, and efforts completed and under way to meet the reporting requirements of IPIA and the Recovery Auditing Act. To assess the reliability of USAID's and NASA's IPIA and recovery auditing reporting, we talked to agency officials about data quality control procedures and reviewed relevant documentation. We determined the data were sufficiently reliable for the purposes of this report. We conducted our work from September 2006 through August 2007 in accordance with generally accepted government auditing standards. See appendix I for more details on our scope and methodology. Results in Brief: While both USAID and NASA took steps to assess their payment activities for risk, including conducting a review of select payment streams[Footnote 13] for improper payments, we identified numerous deficiencies in their procedures. USAID and NASA lacked a systematic method to review and analyze program operations to determine if risks exist, what those risks are, and the potential or actual impact of those risks on program operations. For example, neither USAID nor NASA had developed a process to (1) identify risks that exist in their payment activities or (2) evaluate the results of their payment stream reviews, such as weighting and scoring the effectiveness of existing internal control over payments made and results from external audits. Other weaknesses related to USAID, NASA, or both included a lack of established criteria for payment transaction reviews at the agency component level and no review of grant program payments to ensure awardees have safeguarded federal funds from improper payments. As a result of the inadequacies we identified in their risk assessment process, USAID and NASA cannot be certain that they have no programs or activities susceptible to significant improper payments, and ultimately, have not yet effectively implemented IPIA. Furthermore, risk assessment documentation maintained by USAID and NASA was lacking or insufficient to support their conclusions that no programs or activities were susceptible to significant improper payments. Although USAID and NASA have reported on steps taken to recoup improper contract payments, we found that recovery auditing procedures were not consistently performed for each of the 3 fiscal years reviewed. We also noted that documentation was lacking or did not adequately support reported recovery amounts and that neither agency adhered to all of the reporting requirements outlined in OMB's implementing guidance. For example, USAID and NASA did not report on recovery auditing activities in their fiscal year 2004 PARs. NASA reported that it was in the process of awarding a recovery audit contract. USAID reported on the dollar amount of contracts reviewed, but for the sole purpose of addressing IPIA reporting requirements and concluding that its grant and contract payment activities were not susceptible to significant improper payments. For fiscal years 2005 and 2006, USAID recovery auditing procedures consisted of reviews of certain OIG and external audit reports of USAID. However, the methodology used for conducting those audits may not have constituted a recovery audit as defined by OMB guidance, and thus may be insufficient for this purpose. Also, USAID was unable to provide documentation of audit findings to support any of the recovery auditing amounts included in its PARs. Because of these limitations, we were unable to determine the validity of USAID's recovery auditing activities and accuracy of reported recovery amounts. NASA, on the other hand, used IPIA contract payment review results to report amounts recovered for fiscal year 2005. However, the payment reviews were limited in scope and did not provide an adequate representation of the extent of contract overpayments. For fiscal year 2006, NASA used a contractor to perform a recovery audit. Although the contractor identified about $121 million in potential contract overpayments, NASA officials told us that based on their review, they identified a small portion of that amount as "valid contract claims" totaling $256,255 with subsequent recoveries totaling $139,420. NASA officials determined that a vast majority of the claims submitted by the contractor were not improper as they related to cost-type contracts with provisional billing rates included in the contract terms, and were subject to a final or closeout audit that likely would have identified those payments reported by the contractor. In addition, we noted that both agencies did not adhere to all of the recovery auditing reporting requirements outlined in OMB guidance, including that the agencies had no description of a corrective action plan to address the root causes of payment error or no disclosure of the description and justification of the classes of contracts excluded from recovery auditing. While USAID and NASA experienced significant challenges in their first 3 years of implementing IPIA and the Recovery Auditing Act, both agencies have taken steps to strengthen their risk assessment process and actions are under way to improve recovery audit efforts. For example, for its fiscal year 2007 risk assessment, USAID developed a database that compiles all of its payment disbursements made worldwide. USAID told us that it will use this database to annually identify its payment streams and corresponding volume and dollar amounts by mission or geographic location, data mine for duplicate payments, research other payment anomalies, and perform tests of transactions. USAID also stated that it plans to leverage the agency's work related to internal controls under OMB Circular No. A-123 requirements[Footnote 14] to assess control activities for IPIA purposes. For recovery auditing, USAID hired a contractor to carry out a recovery audit over all contract payments for fiscal year 2007. However, because the contractor identified minimal contract overpayments based on its limited review of USAID's fiscal year 2005 contract payments, the recovery auditor determined that it would not be profitable to continue its work at USAID. Going forward, USAID plans to work with its OIG to enhance in- house recovery auditing procedures as performed in past years. Overall, we believe these actions under way will better position USAID to identify and target high-risk areas and determine the effectiveness of control activities to reduce risks of improper payments. However, we note that USAID's current plans still lack a systematic method to determine if risks of improper payments exist, what those risks are, and the potential or actual impact of those risks on operations. NASA hired a consulting firm to develop a methodology for conducting its fiscal year 2007 risk assessment for IPIA reporting. The consultant categorized the agency's disbursements within specific programs and activities as opposed to payment streams as done by NASA in previous years. Based on its work, the consultant identified 30 programs with approximately $10.8 billion in disbursements to include in NASA's review for determining risk level. The consultant then determined that 5 of the 30 programs were at risk for being susceptible to significant improper payments. NASA subsequently hired another consulting firm to conduct statistical sampling and testing of five different payment categories included in the five programs to determine if the programs were susceptible to significant improper payments, thus requiring NASA to estimate and report on the amounts of improper payments and actions to reduce them. From its review, the consulting firm reported that no significant improper payments were found, but recommended various actions for NASA to take to eliminate future errors. NASA plans to report these results in its fiscal year 2007 PAR. The work of the contractors represents a great enhancement in NASA's risk assessment methodology, when compared to prior years. In addition, NASA hired a recovery auditing firm to perform a recovery audit of its fixed priced contracts, similar to previous years. However, NASA has determined that its interim and closeout audits--including the withholding of final funds until the audit is complete--and adjustments to future billings for ongoing contracts, decrease the risk of contract overpayments, and therefore, consistent with OMB guidance, has excluded other contract types from its recovery auditing program. Although consistent with OMB guidance, NASA's universe of contract dollars subject to a recovery auditing program continues to remain relatively small, less than 20 percent of its total value of contracts. For its fiscal year 2007 PAR, NASA anticipates reporting interim results of initial recoveries related to contract overpayments. Because the contractor had just begun work to develop and execute an approach for conducting the recovery audit, we were unable to determine the reasonableness of the auditors' methodology by the end of our fieldwork. We make a total of 10 recommendations to USAID and NASA to help improve their efforts to implement IPIA and the Recovery Auditing Act by focusing on performing risk assessments and reporting on efforts to recover improper payments. We provided a draft of this report to USAID and NASA for comment. USAID did not specifically respond to our recommendations, but provided a technical comment which we incorporated into this report. NASA concurred with our recommendations and also provided technical comments on the draft, which have been incorporated as appropriate. Both agencies' comments, along with our evaluation, are discussed in the Agency Comments and Our Evaluation section of this report. Their comments are also reprinted in their entirety in appendixes IV and V. Background: IPIA was passed in November 2002 with the major objective of enhancing the accuracy and integrity of federal payments. IPIA requires executive branch agency heads to review their programs and activities annually and identify those that may be susceptible to significant improper payments. For each program and activity agencies identify as susceptible, the act requires them to estimate the annual amount of improper payments and to report those estimates to the Congress. The act further requires that for programs for which estimated improper payments exceed $10 million, agencies are to report annually to the Congress on the actions they are taking to reduce those payments. The act also requires the Director of OMB to prescribe guidance for agencies to use in implementing IPIA. OMB's implementing guidance[Footnote 15] requires the use of a systematic method for the annual review and identification of programs and activities that are susceptible to significant improper payments. However, this guidance also allows for annual reviews (also known as risk assessments) to be conducted less often than annually for programs where improper payment baselines are already established, are in the process of being measured, or are scheduled to be measured by an established date--which is inconsistent with the express requirement of IPIA. In addition, OMB's guidance defines significant improper payments as those in any particular program that exceed both 2.5 percent of program payments and $10 million annually.[Footnote 16] It requires agencies to estimate improper payments annually using statistically valid techniques for each susceptible program or activity. The guidance also allows agencies to use alternative sampling methodologies[Footnote 17] and requires agencies to report on and provide a justification for using these methodologies in their PARs. For those agency programs determined to be susceptible to significant improper payments and with estimated annual improper payments greater than $10 million, IPIA and related OMB guidance require each agency to annually report the results of its efforts to reduce improper payments. In August 2004, OMB established Eliminating Improper Payments as a new program-specific initiative under the President's Management Agenda (PMA). This separate PMA program initiative began in the first quarter of fiscal year 2005. Previously, agency efforts related to improper payments were tracked along with other financial management activities as part of the Improving Financial Performance initiative of the PMA. The objective of establishing a separate initiative for improper payments was to ensure that agency managers are held accountable for meeting the goals of IPIA and are therefore dedicating the necessary attention and resources to meeting IPIA requirements. With this initiative, 15 agencies[Footnote 18] are to measure their improper payments annually, develop improvement targets and corrective actions, and track the results annually to ensure the corrective actions are effective. This list does not include USAID or NASA, which are nevertheless covered under IPIA and thus are required to address improper payments for their programs and activities. However, both USAID and NASA stated that they consulted with OMB, although infrequently, about procedures planned or under way for the first 3 years of IPIA implementation. In addition, applicable agencies are required by OMB guidance to report their efforts to recoup contract-related improper payments under section 831 of the National Defense Authorization Act for Fiscal Year 2002,[Footnote 19] commonly referred to as the Recovery Auditing Act. This legislation provides an impetus for applicable agencies to systematically identify and recover contract overpayments for executive branch agencies entering into contracts with a cumulative total value exceeding $500 million in a fiscal year. Furthermore, the law authorizes federal agencies to retain recovered funds to cover in-house administrative costs as well as to pay other contractors, such as collection agencies. Recovery auditing is a method that agencies can use to recoup detected (as opposed to estimated) improper payments. As such, recovery auditing is a detective control to help determine whether contractor payments were proper. Specifically, it focuses on the identification of erroneous invoices, discounts offered but not received, improper late penalty payments, incorrect shipping costs, and multiple payments for single invoices. Recovery auditing can be conducted in-house or contracted out to recovery audit firms. The techniques used in recovery auditing offer the opportunity for identifying weaknesses in agency internal controls, which can be modified or upgraded to be more effective in preventing improper payments before they occur during subsequent contract outlays. Agencies that are required to undertake recovery audit programs were directed by OMB to provide annual reports on their recovery audit efforts, along with improper payment reporting detailed in an appendix to their PAR. Specifically, OMB's implementing guidance[Footnote 20] requires that agencies include in the PAR: * a general description and evaluation of the steps taken to carry out a recovery auditing program; * the total cost of the agency's recovery auditing program; * the total amount of contracts subject to review, the actual amount of contracts reviewed, the amounts identified for recovery, and the amounts actually recovered in the current year; * a corrective action plan to address the root causes of payment error; * a general description and evaluation of any management improvement program carried out; and: * a description and justification of the classes of contracts excluded from recovery auditing review by the agency head. USAID's and NASA's Risk Assessment Processes and Documentation Could Be Improved: For the first 3 years of IPIA implementation--fiscal years 2004 through 2006--both agencies performed various procedures to conduct their risk assessments. Many of these procedures are positive steps to address the requirements of IPIA. At the same time, we identified numerous deficiencies in the procedures that warrant further improvement. Specifically, we found that both agencies lacked a systematic method to determine if risk of improper payments existed in their programs or activities, what those risks were, or the potential or actual impact of those risks on operations. For example, USAID and NASA had not developed a standardized process to evaluate the results of their reviews, such as weighting and scoring the results of risk conditions to determine susceptibility. As such, the various procedures performed did not provide meaningful results or may not have adequately depicted the agencies' risk of improper payments. In addition, we noted USAID and NASA had not assessed the effectiveness of internal controls relied upon and weaknesses existed in payment reviews performed at the agency component level. Furthermore, risk assessment documentation maintained by USAID and NASA was lacking or insufficient to support their conclusions that no programs or activities were susceptible to significant improper payments. Overview of USAID's and NASA's IPIA Reporting for the First 3 Years of Implementation: Fiscal year 2004 marked the first year in which all executive branch agencies were required to report improper payment information in their PARs under IPIA. Both USAID and NASA conducted a review of their payment streams as part of their risk assessment process to identify significant improper payments. OMB's implementing guidance includes a broad definition of programs and activities subject to IPIA,[Footnote 21] which encompasses a review of payment activities. We found during our review of fiscal year 2006 PARs that agencies generally used one of two approaches to conduct their risk assessments--a review of program operations or a review of payment streams.[Footnote 22] Although agencies are allowed under OMB's implementing guidance to determine their program and activity inventory for the purposes of performing a risk assessment, the two approaches can produce different results. In particular, a review of payment streams identifies the susceptibility of improper payments for specific payment types that could relate to multiple programs within an organization. On the other hand, a review of distinct programs would identify the susceptibility of improper payments for the different payment types included in a particular program. Depending on the volume and dollar amount of payments or size of a program, an agency could determine based on OMB's current definition of significant improper payments--exceeding $10 million and 2.5 percent of program payments--that it had significant improper payments using one approach but not with the other, greatly impacting its risk assessment results. Implementing a payment stream approach, USAID and NASA did not identify any risk-susceptible programs or activities for fiscal year 2004. This continued into fiscal year 2005 for both agencies. For fiscal year 2006, USAID identified two high-risk payment streams as part of its risk assessment--cash transfers and contracts, grants, and cooperative agreements.[Footnote 23] However, the identification of these two payment streams did not result from a systematic process in place to identify high-risk programs, but rather was due to the high ratio of disbursements for these two payment streams to total agency outlays (about 77 percent for fiscal year 2006). On the other hand, NASA continued to assert for fiscal year 2006 that it had no programs susceptible to significant improper payments although it did not perform a risk assessment for that year. The following is a description of USAID's and NASA's risk assessment processes for fiscal years 2004 through 2006. Details of the weaknesses we identified in these processes are included later in this section. USAID's Risk Assessment: At USAID, the Cash Management and Payment (CMP) division within the Office of the Chief Financial Officer (OCFO) has the responsibility of executing and meeting the requirements of IPIA for the agency. For fiscal year 2004, CMP identified a universe of 11 payment streams[Footnote 24] totaling about $7.6 billion as part of its IPIA risk assessment. See appendix II for a description of each payment stream. For fiscal year 2004, these payment streams consisted of program, operating, and other fund disbursements made from headquarters and its 38 accounting stations[Footnote 25] that conduct cash management activities for approximately 70 mission offices[Footnote 26] located overseas. Two of the 11 payment streams--cash transfers and contracts, grants, and cooperative agreements--totaled $6.8 billion, or 90 percent of total outlays. USAID's payment streams are shown in figure 1. Figure 1: USAID's Major Payment Streams for Fiscal Year 2004 (dollars in millions): [See PDF for image] This figure is a pie-chart, depicting the following data: USAID's Major Payment Streams for Fiscal Year 2004 (dollars in millions): Contracts, grants, and cooperative agreements[B]: $5,179.4 (68%); Cash Transfers: $1,639.1 (22%); Other: $767.6 (10%). Source: GAO analysis of USAID's fiscal year 2004 payment stream outlays. [A] The Other category consists of the remaining nine payment streams: payroll, mission allowances, travel, transportation, training, other operating expenses, payments to other agencies, credit-financing funds, and revolving funds. [B] For fiscal year 2004, contract payments totaled about $1.9 billion, grant payments totaled about $1.7 billion, and cooperative agreement payments totaled about $1.4 billion of the payment stream. In addition, USAID officials told us that its interagency agreement payment activity represented a small portion of this payment stream totaling about $155 million or 3 percent for the same year. [End of figure] USAID's risk assessment for fiscal year 2004 consisted of a two-pronged review--payments made from headquarters and payments from the 38 mission accounting stations. According to USAID, approximately 75 percent of payments are made at headquarters and 25 percent from the mission offices. For the headquarters' risk assessment, USAID stated it performed a review of all 11 payment streams; however, it did not perform any risk assessment procedures for two of the payment streams- -training and transportation--because each of these payment streams' total outlays did not exceed $10 million, and therefore, would not have met OMB's dual criteria for estimating and reporting improper payments. As part of its risk assessment process, USAID officials told us that they conducted interviews with management and various operation managers responsible for the payment types to determine internal controls over payment activity. USAID also stated it performed sampling of its fiscal year 2003 travel transactions and reviewed 25 percent of all travel transactions above $2,500 that had been identified as risk susceptible. In addition, USAID met with the OIG and stated that it reviewed certain OIG reports and external audit reports with recommendations, such as Defense Contract Audit Agency (DCAA) audit reports and Single Audit Act[Footnote 27] reports, to identify internal control weaknesses over grant funds. Lastly, USAID stated that it relied on routine prepayment and postpayment review activities which are designed to help ensure the accuracy and validity of payments made. For example, according to USAID policy, voucher examiners review and process vouchers that contractors submit to USAID for payment; the examiners determine that a valid obligation exists, check mathematical accuracy, and ascertain that proper approvals and authorizations have taken place. For the mission accounting stations' risk assessment, USAID required that 4 of the 11 payment streams[Footnote 28] be reviewed since it had access to the payment activity for the remaining 7 payment streams and incorporated those payments into the headquarters risk assessment. Also, similar to headquarters, the mission accounting stations were not required to review payment streams with total outlays less than $10 million. USAID provided general guidance to the controllers of each mission accounting station on IPIA and OMB implementing guidance, and included a memorandum from the Deputy CFO to each controller explaining actions needed to conduct the risk assessment, along with a template for each mission accounting station to complete on their review of the payment transactions. USAID incorporated the results of these payment reviews in the headquarters' risk assessment to determine overall risk for the agency. For the fiscal year 2005 and 2006 risk assessments, USAID leveraged the work completed for fiscal year 2004, its baseline year, and compared total outlays for each subsequent fiscal year to fiscal year 2004, to determine whether significant changes in reported outlays had occurred. USAID determined that there had been no significant changes and thus applied analytical procedures--consisting of multiplying fiscal year 2004 payment stream percentages of the total fiscal year 2004 net outlay and fiscal years 2005 and 2006 total outlay amounts--to estimate the dollar amount of each payment stream for each of the given years. Using this information, USAID stated that it relied on its reviews of OIG and external audit reports, prepayment and postpayment reviews, and A-123 internal control reviews to ensure the risk of improper payments was minimized. No payment reviews were performed at the mission accounting stations for fiscal years 2005 and 2006 because USAID had determined that payments made by the missions were not high-risk, based on the results of its fiscal year 2004 risk assessment and the quantitative and qualitative procedures performed. USAID officials also informed us that they reviewed various external audit reports and relied on the agency's routine pre-and postpayment reviews. For example, USAID performs data mining of all payment transactions using vendor information and dollar value to identify potential duplicate payments. NASA's Risk Assessment: At NASA, the OCFO is responsible for executing and meeting the requirements of IPIA for the agency. For fiscal years 2004 through 2006, NASA identified six payment streams as part of its IPIA risk assessment--firm-fixed-price contracts, incentive-fee contracts, award- fee contracts, cost-plus-fixed-fee contracts, other contracts, and grants, totaling about $12 billion annually. See appendix III for a description of each payment stream. These payment streams represent procurement actions[Footnote 29] and grant awards made at NASA's headquarters and its nine centers[Footnote 30] located around the country. For its risk assessment, NASA did not identify a universe of outlays for all types of payment streams such as travel, training, and payroll, for our period of review, fiscal years 2004 through 2006. NASA did provide us with a schedule of six payment streams representing procurement and grant data reported in NASA's annual procurement reports. Figure 2 provides a breakdown of NASA's major payment streams with fiscal year 2004 amounts. Figure 2: NASA's Reported Major Payment Streams for Fiscal Year 2004 (dollars in millions): [See PDF for image] This figure is a pie-chart, depicting the following data: NASA's Reported Major Payment Streams for Fiscal Year 2004 (dollars in millions): Award-fee contracts: $5,605.0 (47%); Incentive-fee contracts: $3,166.0 (27%); Firm-fixed-price contracts: $1,471.0 (12%); Grants: $630.2 (5%); Cost-plus-fixed-fee contracts: $574.0 (5%); Other contracts[A]: $460.0 (4%). Source: NASA. [A] The Other contracts payment stream includes miscellaneous expenditures such as fixed-price redetermination, economic price adjustment, labor-hour, and time-and-material contracts. [End of figure] NASA's risk assessment included a review of payments made from headquarters and the centers, although it did not include a review of all payment streams. Specifically, for fiscal years 2004 and 2005, NASA only performed a review of its firm-fixed-price payment stream, representing a small portion (about 12 percent for fiscal year 2004 and 20 percent for fiscal year 2005) of total reported payment streams. NASA stated that it excluded its various cost-type contracts because (1) these contracts are subject to interim and closeout audits performed by DCAA, (2) these contract payments may be adjusted in future billings to correct previous errors, and (3) 5 to 10 percent of the cost contract value is withheld until the closeout audit is completed. NASA officials told us that NASA will include cost-type contracts in its fiscal year 2007 risk assessment. Regarding the exclusion of grant payments, NASA stated that these payments are subject to Single Audit Act reviews as well as periodic reviews for compliance with cash management, financial management system, or financial reporting requirements. NASA's review of its firm-fixed-price payment stream included selecting a sample of firm-fixed-price payment transactions made during one quarter, at headquarters, and each center. NASA provided its centers instructions, consisting of an e-mail from the improper payments coordinator, on the scope of payment transactions to be reviewed. On the basis of the results of each center's review, NASA reported in its fiscal years 2004 and 2005 PARs that it had no programs and activities susceptible to significant improper payments. For fiscal year 2006, NASA OCFO officials told us that it did not perform a risk assessment of all of its programs and activities due to turnover of its headquarters staff responsible for IPIA and recovery auditing. Instead, NASA relied on its recovery auditing work for fiscal year 2006 to determine that no programs and activities were susceptible to significant improper payments. USAID and NASA Lacked Systematic Processes for Conducting Their Risk Assessments: We found numerous deficiencies in USAID's and NASA's procedures. Both agencies lacked a systematic method to determine if risk of improper payments existed in their programs or activities, what those risks were, or the potential or actual impact of those risks on operations. As such, the various procedures performed did not provide meaningful results or may not have adequately depicted the agencies' risk of improper payments. In addition, we noted USAID and NASA had not assessed the effectiveness of internal controls relied upon and weaknesses existed in payment reviews performed at the agency component level. A lack of detailed written guidance may have contributed to the deficiencies we identified. Although USAID had general guidance in its payables management directive that reiterated IPIA requirements, no procedures existed on how to conduct a risk assessment and evaluate those results. In addition, NASA had not developed any guidance that could direct steps performed to ensure it met applicable IPIA requirements. OMB guidance provides that agencies annually perform risk assessments of their programs and activities, but offers limited information on how to conduct a risk assessment, thus allowing agencies broad flexibility for determining a methodology to employ to meet IPIA requirements. In our November 2006 report,[Footnote 31] we recommended, and OMB agreed, that the IPIA implementing guidance be expanded to describe in greater detail factors that agencies should consider when conducting their annual risk assessments. The OMB guidance, though, has not yet been updated to describe risk factors agencies should consider when conducting their annual risk assessments. While OMB does not require agencies to develop agency-specific guidance related to IPIA, during our review of agencies' internal IPIA guidance, we noted that nine agencies[Footnote 32] had developed either guidance or a tool, such as a schedule, survey, or questionnaire, to facilitate their compliance with IPIA. As the risk assessment is a key step in gaining assurance that programs and activities are operating as intended and that they are achieving expected outcomes, it is critical that agencies develop a comprehensive approach for determining the extent and level of risk of improper payments in order to identify the nature and type of corrective action needed. Lack of Identified Risk Factors: For the first 3 years of IPIA implementation, significant flaws existed in USAID's and NASA's processes to identify risk in their payment activities. For example, neither agency had established or considered risk factors to assist them in identifying programs and activities vulnerable to improper payments, such as assessments of internal control, audit report findings, and human capital risks related to staff turnover, training, or experience. We noted that some agencies have developed factors or risk conditions that directly or indirectly affect the likelihood of improper payments within a program or activity. We noted from our review of fiscal year 2006 PARs or annual reports that 13 agencies reported that one of the risk factors they considered during the assessment included internal and external reviews, such as results from identified system or program weaknesses, and OIG and Single Audit Act reports. Similarly, 13 agencies reported that an assessment of internal controls was another type of risk factor used during their process. Although there is no requirement for agencies to identify risk factors as part of their risk assessment process, this type of identification is consistent with our previous recommendation that OMB establish risk factors in its guidance for agencies to consider and consistent with our Standards for Internal Control in the Federal Government[Footnote 33] and executive guide on strategies to manage improper payments,[Footnote 34] which provides a framework for conducting a comprehensive risk assessment. Our executive guide identifies the following four strategies that should be considered when determining the nature and extent of improper payments: * institute a systematic process to estimate the level of improper payments being made by the organization; * based on this process, determine where risks exist, what those risks are, and the potential or actual impact of those risks on program operations; * use risk assessment results to target high-risk areas and focus resources where the greatest exposure exists; and: * reassess risks on a recurring basis to evaluate the impact of changing conditions, both external and internal, on program operations. While USAID and NASA did perform procedures that addressed some of the common risk factors identified by other agencies, there was no established process in place to identify the types of risk specific to the payment streams reviewed during the assessment process. Had both agencies made a more concerted effort to identify particular risk factors, additional procedures may have been considered, facilitating a more in-depth review and analysis of their payment streams or program operations. We also found that USAID and NASA had not developed a standardized process to evaluate the results of actions they completed as part of their risk assessments, such as weighting and scoring the results of risk conditions to determine susceptibility. As such, the various procedures performed did not provide meaningful results or adequately depict the agencies' risk of improper payments. For example, both agencies reported performing one or more of the following steps--assessing internal controls, reviewing external audits, and conducting payment reviews--yet neither agency developed a process that identified the potential or actual impact of those results, and ultimately risks, on their agency operations. Assessing the results or risk conditions identified during the risk assessment plays a major role in determining the overall risk level of an agency's operations as risk conditions do not have an equal effect on all programs or activities. Some risk conditions may affect a program or activity to a greater or lesser degree. Likewise, not all risk conditions may be relevant to each program or activity. Therefore, assigning a weight to each risk condition would accurately reflect the level of importance and influence each risk condition has on a specific program or activity. We view findings from OIG and external audits as valuable information that agencies can use to identify areas vulnerable to improper payments. OIG and external audits, such as performance audits, provide an objective and systematic examination of evidence for the purpose of providing an assessment of the performance of a government organization, program, activity, or function. As part of its risk assessment, USAID reported conducting a review of OIG and external audits, while NASA did not. Yet, as previously stated, USAID did not have a process in place to evaluate the potential or actual impact of those risks on operations. For both USAID and NASA, we identified various GAO, OIG, and Single Audit Act audit reports as well as Department of Justice (DOJ) investigation reports that highlighted fraud, questioned costs, and internal control weaknesses, that may not have been adequately considered during the risk assessment process. Some examples of findings from investigations and audits for fiscal years 2004 through 2006 follow. USAID: * USAID could not provide a complete accounting of $405 million primarily used to support maternal and child health efforts in Africa, Asia, Latin America, and the Caribbean.[Footnote 35] * A vendor agreed to pay $1.2 million to settle potential claims that it overcharged USAID in three contracts for overseas economic development work.[Footnote 36] * Two vendors agreed to pay a total of $1.31 million to settle allegations that they knowingly submitted more than 100 false claims for reimbursement, overstating the charges actually incurred for freight and insurance.[Footnote 37] NASA: * A contractor paid the government $615 million, including $106.7 million to NASA, to resolve criminal and civil allegations that the company improperly used another contractor's information to procure contracts for launch services worth billions of dollars.[Footnote 38] * A contractor paid a former NASA electrical subcontractor up to $2 million in unsupported costs. In addition, two of the contractor's senior procurement officials admitted to soliciting and receiving kickbacks from the subcontractor in exchange for bid information and assistance in the approval of change orders. A civil settlement amount of $1.4 million was reached between NASA and the contractor.[Footnote 39] * NASA's OIG found various weaknesses in NASA's acquisition and contracting processes such as a lack of a reliable financial management system to track contract spending, inadequate control over government property held by contractors, and procurement process abuses by NASA employees and contractors.[Footnote 40] Key Internal Controls Not Assessed for Effectiveness: As part of their risk assessments, USAID and NASA reported that they relied on pre-and postpayment controls over payment transactions to identify risk. Although USAID and NASA provided us with some general internal controls over various payment streams, neither had documented the controls or the effectiveness of those controls to ensure proper reliance for purposes of conducting a risk assessment.[Footnote 41] In addition, USAID officials told us that they had interviewed management and various program managers to assess internal controls. However, USAID had not developed a list of, or series of questions--such as a standard questionnaire--to ensure consistency regarding the types of questions asked across agency operations and that focused discussions on specific issues related to improper payments and internal controls. Similarly, NASA told us that it relied on postpayment controls over its various cost-type contracts, thus excluding over 80 percent of its procurement dollars, and ultimately the related contract payments. Yet, NASA performed no independent assessments[Footnote 42] of these postpayment controls and was not knowledgeable of specific procedures DCAA performed during its contract audits. As previously mentioned, NASA officials told us that they will include cost-type contracts in NASA's fiscal year 2007 risk assessment. Weaknesses in Payment Reviews: Although USAID and NASA performed select payment reviews as part of their risk assessment, we found no established criteria for conducting these reviews and the reviews were limited in scope in some instances, as well as inconsistently performed. Because of the lack of guidance and insufficient review, USAID and NASA cannot be certain that these payment reviews adequately support that payments made were not susceptible to significant improper payments. For its fiscal year 2004 risk assessment, USAID instructed its 38 mission accounting stations to perform payment reviews of their payroll, travel, allowances, and other payment streams totaling about $159 million. Although USAID provided its mission accounting stations with general guidance regarding IPIA and a template to use when performing their payment reviews, there were no detailed instructions on specific characteristics or attributes of the payment transactions that the mission accounting stations should review to identify improper payments. USAID told us that the mission accounting stations had flexibility in tailoring the extent of their risk assessments and sampling methodology because they collectively represent only 25 percent of USAID's total disbursements and each mission (1) differs based on the nature of its programs and the volume of payment activity and (2) performs 100 percent of payment reviews as part of its normal course of business. Therefore, some mission accounting stations may have conducted statistical or nonstatistical sampling while others performed 100 percent payment reviews. As a result, such payment review results may not be comparable among mission accounting stations or representative of their payment activity. USAID stated that it was not possible to verify or validate any of the information received from the mission accounting stations since they used stand-alone accounting systems that were not integrated with headquarter's accounting system during our period of review. From these payment reviews, the mission accounting stations collectively identified about $258,973 in improper payments for fiscal year 2004. On the basis of the fiscal year 2004 mission risk assessment results and other quantitative and qualitative analysis performed, USAID determined that payments made from mission accounting stations were low-risk and therefore it did not conduct separate payment reviews for fiscal years 2005 and 2006. For its fiscal years 2005 and 2006 payment reviews at headquarters, USAID stated it relied on its reviews of OIG and external audit reports, pre-and postpayment reviews, and A-123 internal control reviews. However, we were unable to verify that all payment streams were included in the reviews and could not evaluate any procedures performed as USAID was unable to provide documentation that supported these actions or their results. We identified similar weaknesses in NASA's payment reviews. For example, NASA also lacked established criteria for payment transaction reviews conducted by its centers for purposes of IPIA, including specific characteristics or attributes of the payment transactions that the centers should review to identify improper payments. This led to inconsistent application of the methodology that centers were asked to use to conduct their payment reviews. For example, one NASA center selected payment transaction amounts of $100,000 or greater rather than the 15 percent of its first quarter payments consistent with the other centers and as requested by NASA headquarters. The same center also noted that it reviewed documentation to determine whether or not the payments complied with Prompt Payment Act[Footnote 43] provisions, rather than IPIA requirements. When we brought it to their attention, NASA OCFO officials said that the center could have erroneously tested according to the wrong act. On the basis of its testing of transactions, NASA reported that it identified $70,599 in improper payments for fiscal year 2004 from its examination of $14.6 million in firm-fixed-price contract payments and identified $617,442 in improper payments for fiscal year 2005 based on its examination of $82.5 million of those same types of contract payments. However, we noted that NASA did not verify the results of its centers' payment reviews. Furthermore, NASA's independent auditor reported in fiscal year 2004 that the agency may not have fully complied with IPIA requirements because NASA did not consider payments other than firm-fixed-price contract payments as part of the risk assessment process or prepare an estimate of improper payments. Therefore, the total improper payment amounts reported may not be accurate, especially given the inconsistencies we identified. For fiscal year 2006, according to OCFO officials, NASA did not conduct any payment reviews or overall risk assessment of its payment activities due to headquarters staff turnover responsible for IPIA. Instead, it relied on its recovery audit work performed during the year to conclude it had no programs and activities susceptible to significant improper payments. The adequacy of such a determination is questionable because the scope of review under the Recovery Auditing Act targets a specific type of payment--contracts--whereas the scope of review under IPIA includes a review of all programs and activities that are subject to different reporting requirements if they are found to be susceptible to significant improper payments. Furthermore, OMB guidance under the Recovery Auditing Act allows agencies to exclude certain classes of contracts from consideration,[Footnote 44] which is not permitted under IPIA. Under IPIA, all programs and activities are subject to review. Although NASA reported its payment reviews were statistically based, its minimal coverage of the firm-fixed-price payment stream was inconsistent with OMB guidance that directs that agencies use a 12- month period to report improper payment information. Specifically, for fiscal years 2004 and 2005, NASA identified a small universe of firm- fixed-price procurement payments as the basis for each year's payment reviews. Already representing a small percentage of total reported payment streams--12 percent for fiscal year 2004 and 20 percent for fiscal year 2005--NASA OCFO further narrowed the scope of dollars to be reviewed by instructing its centers to select statistical samples of only 15 percent of its firm-fixed-price contract payments made during a 3-month period, January 1 to March 31 of each year. NASA was unable to provide an explanation for the basis of these limited reviews. Despite NASA's reported use of statistical sampling to conduct its payment reviews, its small sample population and minimal coverage of the firm- fixed-price payment stream compared to total procurement dollars does not adequately represent NASA's total contract activity, which accounts for about 85 percent of NASA's annual budget. Furthermore, NASA excluded grant program payments, totaling about $630 million for fiscal year 2004, from its risk assessment review. OMB guidance requires that agencies include federal awards subject to the Single Audit Act, as amended, as part of their review to address IPIA reporting requirements. In its fiscal year 2004 audit report, NASA's auditors reported that the agency may not have fully complied with IPIA requirements as it did not explicitly consider payments other than firm- fixed-price as part of the risk assessment process or prepare an estimate of improper payments. The auditors also reported that NASA noted that audit efforts by nonfederal auditors with respect to grantees and by government auditors with respect to certain NASA contracts aid in identifying and mitigating improper payments. While single audits could be a source of improper payment information, we previously reported that single audits, by themselves, may lack the level of detail necessary for achieving IPIA compliance.[Footnote 45] Specifically, single audits generally focus on the largest dollar amounts in an auditee's portfolio. Thus, all programs identified as susceptible to improper payments at the federal level may not receive extensive coverage under a single audit. Consequently, both the depth and level of detail of single audit results are, generally, insufficient to identify improper payments, estimate improper payments, or both. USAID and NASA Lacked Sufficient Documentation to Support Their Risk Assessment Processes: While OMB guidance requires agencies to maintain documentation of their risk assessment, USAID and NASA were unable to support a majority of the actions highlighted earlier in this report regarding their risk assessment processes. Given the lack of documentation and deficiencies we found relating to USAID's and NASA's risk assessments, we have no basis to determine whether steps performed supported both agencies' conclusions that no programs and activities were susceptible to significant improper payments. Our Standards for Internal Control in the Federal Government[Footnote 46] provides that internal control and all transactions and other significant events need to be clearly documented and readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals. Also, all documentation and records should be properly managed and maintained. At USAID, we noted a documentation requirement in its policy directive related to IPIA reporting, yet the agency was unable to provide us the following for each of the 3 fiscal years: * documentation to support interviews of program managers regarding program operations and internal control; * testing of headquarters payment transactions, including sampling plans of statistical samples used to test travel and other payment transactions, a list of sample transactions selected, key attributes tested, and evaluation of those results; and: * a list of external audit reports reviewed, their findings, and impact on the risk assessment process. Furthermore, we found discrepancies when tracing lead schedules to supporting documentation and inadequate documentation of USAID's duplicate payment reviews. For example, as part of its duplicate payment reviews, USAID did not document the search criteria used to identify potential duplicate payments, the range of payments reviewed to prevent overlapping or reviewing the same payments in subsequent reviews, and the potential duplicate payments flagged and their resolutions. Similarly, NASA provided us minimal supporting documentation of its payment reviews for fiscal year 2004 and could not provide almost half of the documentation for fiscal year 2005. NASA told us that each year's payment reviews were based on a statistical sample of payments made at headquarters and its centers. However, NASA could not provide us a copy of its sampling plans, list of transactions selected, sample results, and subsequent evaluation. NASA relied almost entirely on these payment reviews to support its conclusion that it had no programs and activities susceptible to significant improper payments for fiscal years 2004 and 2005, yet could not provide documentation to support its conclusions. For fiscal year 2006, NASA acknowledged that it did not perform a risk assessment due to staff turnover, and thus no documentation existed. Nevertheless, NASA still reported that it had no programs and activities of significant risk based on recovery audit work performed on its research and development contracts. Had NASA adequately documented its IPIA efforts from the previous fiscal years, it would have been better positioned to address IPIA requirements for fiscal year 2006. Thus, documentation becomes even more essential during periods of staff transition. The magnitude of the lack of documentation issue was evident in the NASA auditor's report on compliance with laws and regulations for fiscal year 2006. In that report, the auditor raised concerns about the lack of documentation to support the agency's IPIA efforts. Specifically, the auditor reported that NASA had potentially violated certain requirements of IPIA as management was unable to provide sufficient documentation to support performance of an annual review of all programs and activities it administers to identify those that may be susceptible to significant improper payments. Weaknesses Found in Recovery Auditing Procedures Raise Questions About the Validity and Accuracy of Reported Recovery Audit Amounts: Although USAID and NASA have reported on steps taken to recoup improper contract payments, we found several weaknesses in their recovery auditing procedures for fiscal years 2004 through 2006. In particular, USAID and NASA did not report recovery auditing information for each fiscal year, documentation was lacking or not adequately supported, and neither agency adhered to all of the reporting requirements outlined in OMB's implementing guidance. Due to a lack of, or insufficient, documentation, along with identified weaknesses, the validity and accuracy of the reported recovery amounts are questionable. Recovery Audit Information Not Reported or Lacked Supporting Documentation in Most Instances: USAID and NASA did not fully report on recovery audit activities for each of the 3 fiscal years under review. Specifically, USAID and NASA did not report recovery audit information in their fiscal year 2004 PARs. NASA reported that it was in the process of awarding a recovery audit contract, while USAID reported on the dollar amount of contracts reviewed, but for the sole purpose of addressing IPIA reporting requirements and concluding that its grant and contract payment activities were not susceptible to significant improper payments. Consequently, OMB did not recognize USAID or NASA as reporting fiscal year 2004 recovery audit information when it reported on governmentwide recovery audit efforts for that year. For fiscal year 2005, USAID again leveraged the work used to address IPIA requirements to satisfy the requirements of the Recovery Auditing Act. USAID reported about $5.9 million in questioned costs identified through OIG audits of grants and contracts. Of this amount, about $5.8 million (98 percent) had been recovered. While USAID reported this information in its PAR, the agency was unable to provide us a list of the audit reports reviewed and specific findings that supported the amounts identified and actually recovered, raising questions about their validity and accuracy. Likewise, NASA leveraged the results of its IPIA work to address the recovery auditing requirements. However, as we stated earlier, the scope of review was limited in nature as NASA only tested 15 percent of its firm-fixed-price contract payments over a 3-month period and could not provide almost half of the documentation to support the dollar value sampled. On the basis of its limited testing, NASA identified and recovered only $617,442 in contract overpayments. For fiscal year 2006, USAID reviewed questioned costs identified through OIG audits of grants and contracts as it had done in the previous fiscal year. USAID reported about $9.1 million in questioned costs identified through OIG audits of grants and contracts and DCAA contract audits. Of this amount, about 99 percent had been recovered. Again, USAID was unable to provide documentation of the specific audit reports and findings to support the recovery audit amounts. In addition to the lack of documentation for both fiscal years 2005 and 2006, the audit reports used may not have been designed to identify the types of payment errors that would be identified through a recovery audit, as USAID stated that some of the audit findings resulted from DCAA contract audits. OMB guidance differentiates procedures performed under a recovery audit versus a contract audit. OMB guidance defines a recovery audit as a review and analysis of the agency's books, supporting documents, and other available information supporting its payments that is specifically designed to identify overpayments to contractors that are due to payment errors.[Footnote 47] On the other hand, contract audits are normally performed for the purpose of determining if amounts claimed by the contractor are in compliance with the terms of the contract and applicable laws and regulations and are not designed to specifically identify payment errors as described under recovery audits. If the DCAA and OIG audit reports used by USAID to identify the recovery auditing amounts were not specifically designed to identify payment errors, as defined by OMB, the reported recovery audit amounts for fiscal years 2005 and 2006 may not accurately reflect payment errors for purposes of recovery auditing and thus, may be misstated. NASA used a recovery audit firm for fiscal year 2006 to review contract payments made from fiscal years 1997 through 2005, totaling $57.4 billion. Of this amount, the recovery audit firm identified over $121 million in potential contract overpayments. However, based on NASA's review and conclusion that most of the potential contract overpayments identified by the recovery audit firm were not erroneous, it reported significantly lower recovery audit amounts--$256,255 in contract overpayments identified for recovery and $139,420 in actual recoveries. See table 1 for recovery audit amounts reported by USAID and NASA for fiscal years 2004 through 2006. Table 1: USAID's and NASA's Reported Recovery Auditing Amounts for Fiscal Years 2004 to 2006: Agency: USAID; Fiscal year 2004: Agency-reported amount identified for recovery: did not report; Fiscal year 2004: Agency-reported amount recovered: did not report; Fiscal year 2005: Agency-reported amount identified for recovery: $5,900,000; Fiscal year 2005: Agency-reported amount recovered: $5,782,000; Fiscal year 2006: Agency-reported amount identified for recovery: $17,100,000; Fiscal year 2006: Agency-reported amount recovered: $17,090,000. Agency: NASA; Fiscal year 2004: Agency-reported amount identified for recovery: did not report; Fiscal year 2004: Agency-reported amount recovered: did not report; Fiscal year 2005: Agency-reported amount identified for recovery: $617,442; Fiscal year 2005: Agency-reported amount recovered: $617,442; Fiscal year 2006: Agency-reported amount identified for recovery: $256,255; Fiscal year 2006: Agency-reported amount recovered: $139,420. Sources: OMB and USAID and NASA PARs for fiscal years 2004 through 2006. [End of table] We asked NASA officials about the significant difference in its reported recovery audit amounts when compared to the recovery auditor's reported amounts. According to NASA, the firm's recovery auditing work covered all contract types from fiscal years 1997 through 2005. Upon further review of the contractor's submitted claims, NASA determined that a vast majority of the claims submitted by the contractor were not erroneous as they related to cost-type contracts with provisional billing rates included in the contract terms, which were subject to a final or closeout audit that would likely have identified those improper payments reported by the contractor. Thus, NASA officials stated that only a small portion ($256,255) of the $121 million in potential contract overpayments represented "valid contract claims" or contract overpayments that would be pursued for recovery. OMB guidance[Footnote 48] for recovery auditing allows agencies to exclude classes of contracts and contract payments from recovery audit activities when they have determined that recovery audits are "inappropriate or are not a cost-effective method for identifying and recovering erroneous payments." Examples OMB provides as classes of contracts and contract payments that may be excluded include: * cost-type contracts that have not been completed where payments are interim, provisional, or otherwise subject to further adjustment by the government in accordance with the terms and conditions of the contract; * cost-type contracts that were completed, subjected to a final contract audit and, prior to final payment of the contractor's final voucher, all prior interim payments made under the contract were accounted for and reconciled; and: * other contracts that provide for contract financing payments or other payments that are interim, provisional, or otherwise subject to further adjustment by the government in accordance with the terms and conditions of the contract. Although NASA's exclusion of the bulk of the recovery audit firm's potential contract overpayments (primarily related to cost-type contracts) was consistent with OMB guidance, which allows agencies to exclude these classes of contracts, limiting its universe to firm- fixed-price contracts may not be the best use of resources. These types of contracts typically provide the least amount of risk of improper payments as firm-fixed-price contracts are generally not subject to fluctuations in contractor costs, thereby decreasing the risk level of improper payments made by agencies. However, NASA officials told us that because its cost-type contract payments are subject to extensive reviews via contract audits and internal reviews, further examination under a recovery auditing program would not provide any additional value and could be, to some extent, duplicative in nature. USAID and NASA Did Not Adhere to Applicable OMB Recovery Auditing Reporting Requirements: There are several reporting requirements that agencies are required to follow when reporting recovery auditing information, such as a description and justification of the classes of contracts excluded from recovery auditing and a corrective action plan to address the root causes of any payment errors. Agencies are also required to report, in table format, various amounts related to contracts subject to review and actually reviewed, contract amounts identified for recovery and actually recovered, and prior-year amounts. From our review, we found that USAID's and NASA's reporting of recovery auditing information did not meet the OMB reporting requirements. Although we noted improvement in both agencies' fiscal year 2006 reporting of recovery auditing information when compared to the previous fiscal year, USAID and NASA still had not addressed all key elements. For example, both USAID and NASA provided a general description of the steps taken to carry out their recovery auditing program for fiscal year 2006 and presented, in table format, the various recovery auditing amounts on contracts subject to review, identified for recovery, and actually recovered.[Footnote 49] However, we found no description of a corrective action plan to address the root causes of payment error. In addition, for fiscal year 2005, NASA only reported on recovery audit results for its firm-fixed-price contract overpayments, but this information and its exclusion of other contract types were not disclosed in NASA's PARs. Without adequate disclosure, this type of presentation may lead to a mischaracterization of the extent to which contract overpayments exist. USAID and NASA Have Taken Steps to Strengthen Their Risk Assessment Processes and Recovery Auditing Procedures, but Challenges Remain: While USAID and NASA have experienced significant challenges in their first 3 years of IPIA implementation, both agencies have taken steps to strengthen their risk assessment processes and ultimately, IPIA reporting. Actions are also under way to improve recovery auditing efforts. However, improvements are still needed to address some of the weaknesses related to conducting risk assessments and performing recovery auditing procedures. Actions Under Way to Enhance Risk Assessment Process, but Additional Steps Needed: USAID has taken several steps to strengthen its process for identifying programs and activities that may be susceptible to improper payments, but additional steps are needed to adequately address IPIA reporting requirements. USAID has developed a new IPIA database that is intended to compile all of its payment disbursements made worldwide. The new, interactive tool will interface with its core accounting system, Phoenix, which will enable USAID to annually identify its payment streams and corresponding volume and dollar amounts by mission or geographic location, data mine for duplicate payments, research other payment anomalies, and perform tests of transactions. USAID told us that since August 2006, when Phoenix was fully implemented agencywide, its monitoring capabilities and testing of payment transactions had increased significantly now that its headquarters staff has access to all disbursement activity regardless of where the payments were made. Going forward, USAID also stated it plans to work more closely with the OIG, including working with the OIG to develop a statistical sampling methodology for testing its payment streams agencywide as part of its risk assessment process. USAID also stated that it will periodically contact OMB for input and feedback related to its risk assessment process and results. Other steps USAID plans to implement include (1) leveraging the agency's assessment of internal control under OMB Circular No. A-123 requirements[Footnote 50] to determine whether control activities in place are effectively preventing improper payments; (2) increasing accountability among managers responsible for addressing IPIA reporting requirements by including IPIA responsibilities in their work plans, which are tied to the managers' performance assessments; and (3) improving its documentation of steps performed to comply with OMB guidance and internal policy. If these actions are properly implemented, we believe these actions will address some of our concerns related to conducting an assessment of internal control and testing of payment transactions. Specifically, these actions will better position USAID to identify and target high-risk areas, determine the effectiveness of control activities to reduce the risk of improper payments, and provide accountability among managers responsible for executing IPIA activities. With regard to manager accountability, we noted that no specific standards have been developed for rating employee performance against responsibilities related to IPIA and that no performance awards or disciplinary actions exist as incentives for reducing improper payments, which may not achieve the desired effect.[Footnote 51] Lastly, USAID still lacks a systematic method to determine if risk of improper payments exists, what those risks are, and the potential or actual impact of those risks on operations. For example, while USAID has developed various quantitative and qualitative procedures as part of its risk assessment process, it still has not taken the first step of identifying and documenting risk factors that should be considered to ensure that the procedures performed adequately address areas within the agency that may be susceptible to improper payments. Furthermore, USAID has not developed an overall approach to then evaluate the work performed, including weighting and scoring the results of its quantitative and qualitative analysis, and thus provide a basis for making a final determination of its risk level for assessing improper payments under IPIA. We believe that implementation of these types of strategies to identify the nature and extent of improper payments is consistent with our framework for conducting risk assessments and will provide a comprehensive review and analysis of program operations. NASA has made significant strides since its first year of IPIA implementation to improve its approach for conducting risk assessments and other IPIA reporting requirements. NASA hired a consulting firm for 2 months (February 2007 through March 2007) to develop a methodology for conducting its fiscal year 2007 risk assessment. The consultant categorized the agency's fiscal year 2006 disbursements, including cost- type contracts and grant payments, by programs instead of by payment streams, as was done by NASA in previous years. On the basis of its review of disbursements, the consulting firm established a materiality level of $80 million. All programs with total disbursements greater than $80 million were included in the program universe for further review. The consultant identified 30 programs with approximately $10.8 billion in disbursements to include in the scope of review for determining risk level. To assess the risk level of the programs, the consultant examined agency documentation and conducted (1) site visits; (2) interviews of program managers, other agency personnel, and NASA OIG; and (3) walk- throughs of program operations. On the basis of these steps, the consultant identified seven risk conditions[Footnote 52] and developed a risk matrix to evaluate and score each risk condition, using a 5 point scale--with 1 point indicating low risk and 5 points indicating high risk. Following a calculation of the key risk factors that considered the frequency of risk, severity of risk, and the overall risk score, 5 of the 30 programs were deemed to be at risk for being susceptible to significant improper payments. The 5 programs are (1) Mars Exploration, (2) Solar System Research, (3) Space Shuttle Program, (4) International Space Station Program, and (5) Institutions and Management. NASA subsequently hired another consulting firm to conduct statistical sampling from April 2007 through September 2007 of the 5 programs to determine if the programs are susceptible to significant improper payments and thus would need to estimate and report on the amounts of improper payments and actions to reduce them. Within each of these 5 programs, the consulting firm identified five payment categories that were subject to detailed testing; they were travel expense reimbursement, payroll and employee benefits, grant payments, government purchase cards, and procurement and contracts. From its review, the consulting firm found approximately $884,243 of improper payments during the period of October 1, 2005, through September 30, 2006.[Footnote 53] Although the consulting firm reported that no significant improper payments were found, it recommended various actions for NASA to take, including continuing to ensure that internal controls--automated and manual--are operating effectively relating to the receipt and processing of vendor invoices to ensure timely payment. The consulting firm submitted its final report with recommendations for improvement on October 23, 2007, in time for inclusion in NASA's fiscal year 2007 PAR. During our review, NASA acknowledged weaknesses in its IPIA reporting for fiscal years 2004 through 2006 and stated that its risk assessment procedures did not adequately address OMB guidance. However, NASA felt confident that it had made significant gains with its IPIA reporting for fiscal year 2007. Although we did not perform a detailed review of its methodology--the work was ongoing during our fieldwork--NASA, with the assistance of outside contractors, appears to have developed an extensive methodology for conducting a risk assessment to identify programs and activities susceptible to significant improper payments. The steps taken thus far appear to align with our framework for conducting a risk assessment to determine the nature and extent of improper payments. Recovery Auditing Efforts Have Begun: In June 2006, USAID engaged the services of a recovery auditing firm to perform recovery auditing activities for its fiscal year 2007 PAR reporting. For the fiscal year 2007 reporting period, the recovery auditor's scope of review included payments made at headquarters for fiscal years 2003 through 2005. For payments made from mission accounting stations that were captured in USAID's core accounting system, the recovery auditors performed analytical procedures and concluded that no further work was warranted. The recovery auditors developed a three-tier process to identify the following types of potential contract overpayments: * first tier--potential duplicate payments; * second tier--amounts paid that exceeded the obligation or any adjustments not properly accounted for, and: * third tier--invoices and payment vouchers with errors, including general and administrative rate variances. From its review,[Footnote 54] the recovery auditor identified 300 contracts, comprising 2,900 invoices, that warranted further review. The recovery auditor also reported that it randomly sampled an additional 900 invoices for review, but did not identify the number of contracts. On the basis of its work, the auditors referred $3 million of potential contract overpayments to USAID for review. From its review, USAID determined that of the $3 million, approximately $11,000 constituted actual overpayments related to discount claims that had not been taken and decided it would initiate collection efforts. However, we were provided no documentation of the resolution of remaining contract payments determined not to be improper. After completing a limited review of fiscal year 2005 payments, the recovery auditor decided to discontinue its recovery auditing work at USAID as the results of its limited review revealed that the continuation of audit work would not be economically feasible or profitable. For its fiscal year 2007 PAR reporting, USAID stated it will report on the work performed by the recovery auditor. Going forward, USAID plans to conduct an in-house recovery auditing program as done in previous years, but stated it would work with the OIG to enhance procedures and address requirements in OMB's guidance. While the hiring of a recovery auditor did not identify a significant amount of contract overpayments, additional steps would help USAID ensure that its in-house recovery auditing program is consistent with the requirements of the Recovery Auditing Act and specifically designed to identify overpayments to contractors that are due to payment error. For fiscal year 2007, NASA recompeted its contract for recovery auditing services and hired another recovery auditing firm in August 2007. NASA stated that the scope of review will include only fiscal year 2006 fixed price contract payments valued at $1,000 or more. Although consistent with OMB guidance, NASA's universe of contract dollars subject to a recovery auditing program continues to remain relatively small, less than 20 percent of the total value of its contracts. As part of its recovery auditing procedures, the contractor will interview agency personnel and review applicable documentation to gain an understanding of NASA's payment processes. NASA anticipates reporting interim results of initial recoveries of contract overpayments in its fiscal year 2007 PAR. Because the recovery auditor had just begun work to develop and execute an approach for conducting the recovery audit, we were unable to determine the reasonableness of its methodology by the end of our fieldwork. Conclusions: Measuring improper payments and designing and implementing actions to reduce them are not simple tasks and will not be easily accomplished. USAID and NASA, under the umbrella of OMB's leadership, are working on this issue. Further, while internal control should be maintained as the front-line defense against improper payments, recovery auditing holds promise as a cost-effective means of identifying contractor overpayments. Preventing, identifying, and recovering improper payments in that order are what is needed across government. Both USAID and NASA have taken positive steps towards better implementation of improper payments and recovery auditing requirements for fiscal year 2007. Fulfilling the requirements of IPIA and the Recovery Auditing Act will require sustained attention to implementation and oversight to monitor whether desired results are being achieved. Recommendations for Executive Action: We are making a total of 10 recommendations to USAID and NASA to help improve their efforts to implement IPIA and the Recovery Auditing Act by focusing on performing risk assessments and reporting on efforts to recover improper payments. Specifically, we recommend that the Administrator, USAID, * expand existing IPIA guidance to include detailed procedures for addressing the four key steps--perform risk assessment, estimate improper payments, implement a corrective action plan, annually report- -that OMB requires agencies to perform in meeting the improper payment reporting requirements; * develop a risk assessment tool, such as a risk assessment matrix, to determine if risks exist, what those risks are, and the potential or actual impact of those risks on program operations; * use the risk assessment tool to institute a systematic approach to identify programs and activities susceptible to significant improper payments under IPIA; * maintain documentation of actions performed to address IPIA and the Recovery Auditing Act requirements; * develop a comprehensive recovery auditing program that is specifically designed to identify overpayments to contractors that are due to payment errors; and: * adhere to OMB's guidance for reporting recovery auditing information in the annual PAR. We recommend that the Administrator, NASA, * develop IPIA guidance to include detailed procedures for addressing the four key steps--perform risk assessment, estimate improper payments, implement a corrective action plan, annually report--that OMB requires agencies to perform in meeting the improper payment reporting requirements; * as part of this guidance, incorporate the risk assessment methodology developed by NASA's consulting firm to determine if risks exist, what those risks are, and the potential or actual impact of those risks on program operations; * maintain documentation of actions performed to address IPIA and Recovery Auditing Act requirements; and: * adhere to OMB's guidance for reporting recovery auditing information in its annual PAR. Agency Comments and Our Evaluation: We requested comments on a draft of this report from the Administrators of USAID and NASA or their designees. These comments are reprinted in their entirety in appendixes IV and V of this report. USAID did not specifically respond to our recommendations. However, USAID suggested expanding the definition of its Credit-Financing payment stream to provide more details on the purpose and use of this funding mechanism, which we incorporated as suggested. NASA concurred with all four of our recommendations and indicated that it would develop IPIA guidance to include detailed procedures to address the four key steps of IPIA, including incorporating the risk assessment methodology developed by its consulting firm. NASA noted that it has centralized its IPIA and Recovery Auditing Act activities at the NASA Headquarters OCFO (which will include responsibility for maintaining documentation to support its activities) and stated that it will report recovery auditing information in its PAR in accordance with OMB guidance. NASA also provided technical comments on the draft, which have been incorporated as appropriate. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after its date. At that time, we will send copies of this report to the Administrators of USAID and NASA and other interested parties. Copies will also be available to others upon request. In addition, the report is available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions regarding this report, please contact me at (202) 512-9095 or at williamsm1@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Major contributors to this report are listed in appendix VI. Signed by: McCoy Williams: Director, Financial Management and Assurance: [End of section] Appendix I: Objectives, Scope, and Methodology: The objectives of this review were to determine (1) the extent to which USAID and NASA performed the required risk assessments to identify programs and activities that were susceptible to significant improper payments for fiscal year 2004 through fiscal year 2006, (2) steps USAID and NASA have taken to recoup improper payments through recovery audits, and (3) actions USAID and NASA have under way to improve their IPIA and recovery audit reporting. The scope of our review included two agencies, USAID and NASA. To determine the extent to which USAID and NASA performed the required risk assessments for fiscal years 2004 through 2006, we reviewed improper payment legislation and OMB implementing guidance[Footnote 55]. For both agencies, we reviewed their PARs for fiscal years 2004 through 2006; reviewed internal guidance consisting of policies and procedures to address cash disbursements, accounts payable, and contract management; interviewed agency officials about the risk assessment process; and, when available, obtained and reviewed supporting documentation. In addition, we reviewed criteria for conducting risk assessments in our Standards for Internal Control in the Federal Government[Footnote 56] and executive guide on Strategies to Manage Improper Payments: Learning from Public and Private Sector Organizations[Footnote 57]. We also reviewed other agencies' PARs and internal IPIA guidance to identify examples of risk factors used and procedures followed when conducting their risk assessment process. To determine steps USAID and NASA took to recoup improper payments through recovery audits, we reviewed the Recovery Auditing Act and Appendix C to OMB Circular No. A-123, Requirements for Effective Measurement and Remediation of Improper Payments.[Footnote 58] For both agencies, we reviewed their PARs for fiscal years 2004 through 2006 and internal guidance over contract management and debt collection activities. We also interviewed agency officials and their recovery audit contractor about recovery auditing efforts and when available, obtained and reviewed supporting documentation for recovery auditing amounts reported in the PARs. To determine actions USAID and NASA had under way to improve their IPIA and recovery audit reporting, we interviewed agency officials and when available, obtained supporting documentation of plans for fiscal year 2007 reporting. We also reviewed the agencies' fiscal year 2006 PARs, Request for Proposal documents, and Statements of Work documents for hired contractors. To assess the reliability of USAID's and NASA's IPIA and recovery auditing reporting, we talked to agency officials about data quality control procedures and reviewed relevant documentation. For example, to determine the reliability of USAID's payment inventory data for fiscal year 2004, we tied USAID's total payment streams to the Statement of Budgetary Resources included in the financial section of the agency's PAR. For NASA, we applied alternative analytical procedures to assess the reliability of NASA's payment data, as we did not receive a breakout of the payment streams to tie directly to the Statement of Budgetary Resources. We compared procurement obligations contained in the annual procurement reports with NASA's net outlays in the Statement of Budgetary Resources for fiscal year 2006. We matched the percentage of obligations with information contained in our fiscal year 2007 High- Risk Series,[Footnote 59] and found that fiscal year 2006 net outlays comprised approximately 85 percent of obligations. We determined the data were sufficiently reliable for the purposes of this report. We requested comments on a draft of this report from the Administrators of USAID and NASA or their designees. Written comments were received from the Counselor to the Agency, USAID, and Deputy Administrator, NASA, on October 26, 2007. USAID's and NASA's comments are reprinted in appendixes IV and V. We conducted our work from September 2006 through August 2007 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Types of Payment Streams Identified during United States Agency for International Development's Risk Assessment: For fiscal years 2004 through 2006, USAID based its improper payment risk assessments on 11 payment streams--(1) Payroll, (2) Mission Allowances, (3) Cash Transfers, (4) Travel, (5) Transportation, (6) Training, (7) Other Operating Expenses, (8) Payments to Other Agencies, (9) Credit-Financing Funds, (10) Revolving Funds, and (11) Contracts, Grants, and Cooperative Agreements. A description of the 11 payment streams, along with a definition of each, follow. 1. Payroll. This payment stream consists of all U.S. direct hire base pay and related expenses, foreign national direct hire payroll, retirement and benefits, all personal services contractor's payroll, and all foreign national personal services contractor's payroll, retirement, and benefits. 2. Mission Allowances. This payment stream consists of employee allowances, cost of living, educational allowances, and home service transfer allowances. 3. Cash Transfers. This payment stream consists of the agency's cash transfers to the benefiting foreign countries as well as foreign organizations. These payments are made and deposited via the U.S. Treasury and/or the Federal Reserve Bank into the foreign government's account as designated in the official agreement or treaty between the U.S. and the foreign government. 4. Travel. This payment stream represents all travel expenses, including travel costs incurred for educational language training, evacuation, postassignment travel to field, home leave and rest and relaxation, site visits to mission offices, conferences, seminars, and meetings, and other operational travel. 5. Transportation. This payment stream consists of all transportation and freight costs incurred to missions or headquarters and from missions or headquarters. 6. Training. This payment stream consists of all costs incurred to obtain technical and professional training, such as language training, certification training for contract, project, and financial offices, training support costs, and other technical and professional training. 7. Other Operating Expenses. This payment stream consists of other expenses incurred by USAID to perform its work. Examples of other operating expenses are supplies, local travel, conferences, and other miscellaneous expenses that are deemed necessary for the successful performance of USAID's work. 8. Payments to Other Agencies. This payment stream consists of all payments made to other federal agencies for services and/or goods received. Outlays include rental payments to the General Services Administration for office and warehouse rent, payments to the Office of Personnel Management for background investigation services, and payments to the Defense Contract Audit Agency for federal audit services. 9. Credit-Financing Funds. This payment stream is principally intended for credit enhancement purposes and may be used where (a) the agency's sustainable development objectives may best be achieved effectively using credit, and (b) the risks of default may be reasonably estimated and managed. It is a financing tool to be used in addition to or in lieu of grant funding where appropriate. Credit financing funds agreements will be utilized only when the partner is a non-sovereign entity. No sovereign loan guarantees are permissible under existing credit financing authorities. Credit financing shall be a demand-driven initiative, with operating units having primary responsibility for designing, authorizing, and implementing activities in support of approved strategic objectives and within administration and congressional priorities for assistance. Credit financing operations require a clear separation of responsibility for assessing the developmental soundness and the financial soundness of each activity, with the latter responsibilities entrusted to a credit review board within the agency. Credit financing shall not be used unless it is probable that the transaction would not go forward without it, taking into consideration whether such financing is available for the term needed and at a reasonable cost. 10. Revolving Funds. This payment stream was created for a one-time purchase of land and a building in fiscal year 2004. There were no payments made from this account in either fiscal year 2005 or fiscal year 2006. 11. Contracts, Grants, and Cooperative Agreements. * Contract. A mutually binding legal relationship obligating the seller to furnish the supplies or services (including construction) and the buyer to pay for them. It includes all types of commitments that obligate the government to an expenditure of appropriated funds and that, except as otherwise authorized, are in writing. In addition to bilateral instruments, contracts include (but are not limited to) awards and notices of awards; job orders or task letters issued under basic ordering agreements; letter contracts; orders, such as purchase orders, under which the contract becomes effective by written acceptance or performance; and bilateral contract modifications. Contracts do not include grants and cooperative agreements. * Grant. A financial support to accomplish a public purpose in the form of money, or property in lieu of money from the federal government to an eligible recipient. * Cooperative Agreement.[Footnote 60] A financial support to accomplish a public purpose in the form of money, or property in lieu of money, from the federal government to an eligible recipient. [End of section] Appendix III: Types of Payment Streams Identified during National Aeronautics and Space Administration's Risk Assessment: For fiscal years 2004 and 2005, NASA based its improper payment risk assessments on six payment streams--(1) firm-fixed-price contracts, (2) incentive-fee contracts, (3) award-fee contracts, (4) cost-plus-fixed- fee, (5) other contracts, and (6) grants. NASA did not conduct a risk assessment for fiscal year 2006. Instead, NASA relied on its recovery auditing work to determine that no programs and activities were susceptible to significant improper payments. A description of the six payment streams, along with a definition of each, follow. 1. Firm-fixed-price contracts provide for a price that is not subject to any adjustment on the basis of the contractor's cost experience in performing the contract. This contract type places upon the contractor maximum risk and full responsibility for all costs and resulting profit or loss. It provides maximum incentive for the contractor to control costs and perform effectively and imposes a minimum administrative burden upon the contracting parties. The contracting officer may use a firm-fixed-price contract in conjunction with an award-fee incentive and performance or delivery incentives when the award fee or incentive is based solely on factors other than cost. The contract type remains firm-fixed-price when used with these incentives. 2. Incentive-fee contracts: a. Cost-plus-incentive-fee is a cost-reimbursement contract that provides for an initially negotiated fee to be adjusted later by a formula based on the relationship of total allowable costs to total target costs. This contract type specifies a target cost, a target fee, minimum and maximum fees, and a fee adjustment formula. After contract performance, a fee payable to the contractor is determined in accordance with the formula. The formula provides, within limits, for increases in the fee above the target fee when total allowable costs are less than target costs, and decreases in the fee below the target fee when total allowable costs exceed target costs. This increase or decrease is intended to provide an incentive for the contractor to manage the contract effectively. When total allowable cost is greater than or less than the range of costs within which the fee-adjustment formula operates, the contractor is paid total allowable costs, plus the minimum or maximum fee. b. Fixed-price incentive contract is a fixed-price contract that provides for adjusting profit and establishing a final contract price by application of a formula based on the relationship of total final negotiated cost to the total target cost. The final price is subject to a price ceiling, negotiated at the outset. There are two types of fixed- price incentive contracts--firm target and successive target contracts. 3. Award-fee contracts: a. Cost-plus-award-fee is a cost-reimbursement contract that provides for a fee consisting of (a) a base amount fixed at inception of the contract, and (b) an award amount that the contractor may earn in whole or in part during performance and that is sufficient to provide motivation for excellence in such areas as quality, timeliness, technical ingenuity, and cost-effective management. The amount of the award fee to be paid is determined by the government's judgmental evaluation of the contractor's performance in terms of the criteria stated in the contract. This determination and methodology for determining the award fee are unilateral decisions made solely at the discretion of the government. b. Fixed-price contracts with award fees (FP-AF), a fixed price consisting of all estimated costs and profit is established at contract award along with an additional, separate award fee amount. The fixed price is paid for satisfactory performance; the award fee, if any, is earned, for performance beyond that required. Procurement officer approval is required for this type of contract. FP-AF combinations are used when the government, although wanting to provide an incentive to the contractor to deliver at an excellent or outstanding technical level, is unable to define that level in quantitative terms, or when metrics are not available or their use is not practical. 4. Cost-plus-fixed-fee is a cost-reimbursement contract that provides for payment to the contractor of a negotiated fee that is fixed at the inception of the contract. The fixed fee does not vary with actual cost, but may be adjusted as a result of changes in the work to be performed under the contract. This contract type permits contracting for efforts that might otherwise present too great a risk to contractors, but it provides the contractor only a minimum incentive to control costs. 5. Other contracts: a. Fixed-price redetermination provides for both a firm fixed price for an initial period of contract deliveries or performance, and prospective redetermination, at a stated time or times during performance, of the price for subsequent periods of performance. b. Fixed-price contracts with economic price adjustment provide for upward and downward revision of the stated contract price upon the occurrence of specified contingencies. Economic price adjustments are of three general types: adjustments based on established prices, adjustments based on actual costs of labor or material, and adjustments based on cost indexes of labor or materials. c. Cost, or cost-no-fee, is a contract where the contractor is reimbursed allowable, allocable, and reasonable costs but receives no fee. Generally, cost contracts are used for research and development work performed by nonprofits and educational institutions, for facilities contracts, and for research and development or production contracts with for-profit contracts when they expect to derive some commercial benefit from the contracts. These contracts provide little incentive to the institution or contractor to control costs. d. Cost-sharing contracts are cost-reimbursement contracts in which the contractor receives no fee and is reimbursed only for an agreed-upon portion of its allowable costs. e. Labor-hour contracts are a variation of the time-and-materials contract, differing only in that materials are not supplied by the contractor. f. Time-and-materials contracts provide for acquiring supplies or services on the basis of (a) direct labor hours at specified fixed hourly rates that include wages, overhead, general and administrative expenses, and profit, and (b) actual cost for materials. g. Other is a designation for any other contract types that are not separately listed in the NASA annual procurement report. It is not a federal acquisition regulation-recognized contract type. h. Combination is not a separate contract type; it notes that a particular contract consists of more than one contract type, e.g., a cost-plus-award-fee contract and a cost-incentive-fee contract. 6. Grant is an award of financial assistance, including cooperative agreements, in the form of money or property in lieu of money, by the federal government to an eligible grantee. The term does not include technical assistance which provides services instead of money, or other assistance in the form of revenue sharing, loans, loan grantees, interest subsidies, insurance, or direct appropriations. Also, the term does not include assistance, such as a fellowship or other lump sum award, which the grantee is not required to account for. [End of section] Appendix IV: Comments from the United States Agency for International Development: USAID: From The American People: U.S. Agency for International Development: 1300 Pennsylvania Avenue, NW: Washington, DC 20523: [hyperlink, http://www.usaid.gov]: October 26, 2007: Mr. McCoy Williams: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, D.C. 20548: Dear Mr. Williams: I am pleased to provide the U.S. Agency for International Development's (USAID) formal response on the draft GAO report entitled Improper Payments: Weaknesses in USAID's and NASA's Implementation of the Improper Payments Information Act and Recovery Auditing (GAO-08-77). The Office of the Chief Financial Officer reviewed the draft GAO report (GAO-08-77) and has one recommendation at this time. Please expand the Credit-Financing Funds definition located on page 60 to the following: 9. Credit Financing is principally intended for credit enhancement purposes and may be used where (a) the Agency's sustainable development objectives may best be achieved effectively using credit, and (b) the risks of default may be reasonably estimated and managed. It is a financing tool to be used in addition to or in lieu of grant funding where appropriate. Credit financing funds agreements will be utilized only when the partner is a non-sovereign entity. No sovereign loan guarantees are permissible under existing Credit Financing authorities. Credit Financing shall be a demand-driven initiative, with Operating Units having primary responsibility for designing, authorizing, and implementing activities in support of approved strategic objectives and within Administration and Congressional priorities for assistance. Credit Financing operations require a clear separation of responsibility for assessing the developmental soundness and the financial soundness of each activity, with the latter responsibilities entrusted to a credit review board within the Agency. Credit financing shall not be used unless it is probable that the transaction would not go forward without it, taking into consideration whether such financing is available for the term needed and at a reasonable cost. The Office of the Chief Financial Officer acknowledges that the Agency will have 60 days to respond to GAO's Recommendations for Executive Action once the final report is issued. Thank you for the opportunity to respond to the GAO final report and for the courtesies extended by your staff in the conduct of this review. Sincerely, Signed by: Mosina H. Jordan: Counselor to the Agency: [End of section] Appendix V: Comments from the National Aeronautics and Space Administration: National Aeronautics and Space Administration: Office of the Administrator: Washington, DC 20546-0001: October 25, 2007: Mr. McCoy Williams: Director: Financial Management and Assurance: United States Government Accountability Office: Washington, DC 20548: Dear Mr. Williams: Thank you for the opportunity to review and comment on the draft report entitled "Improper Payments: Weaknesses in USAID's and NASA's Implementation of the Improper Payments Information Act and Recovery Auditing" (GAO-08-77), dated November 2007. NASA appreciates the GAO noting that, "NASA has made significant strides since its first year of IPIA implementation to improve its approach for conducting risk assessments and other IPIA reporting requirements." Also, GAO notes that "NASA...appears to have developed an extensive methodology for conducting a risk assessment to identify programs and activities susceptible to significant improper payments. The steps taken thus far appear to align with our framework for conducting a risk assessment to determine the nature and extent of improper payments." In its draft report, the GAO makes four recommendations to NASA aimed at improving the Agency's efforts to implement the IPIA and the Recovery Auditing Act by focusing on performing risk assessments and reporting on efforts to recover improper payments. Recommendation 1: Develop IPIA guidance to include detailed procedures for addressing the four key steps – perform risk assessment, estimate improper payments, implement a corrective action plan, annually report – that OMB requires agencies to perform in meeting the improper payment reporting requirements. Response: NASA concurs with this recommendation. As noted in the GAO report, the steps NASA has taken so far are intended to align with the GAO framework for conducting a risk assessment. We will now prepare detailed procedures as recommended to address the four key steps in this process – perform risk assessment, estimate improper payments, implement a corrective action plan, and annually report. We anticipate completing this documentation during the second quarter of FY 2008. Recommendation 2: As part of this guidance, incorporate the risk assessment methodology developed by NASA's consulting firm to determine if risks exist, what those risks are, and the potential or actual impact of those risks on program operations. Response: NASA concurs with this recommendation. NASA is pleased with the methodology developed by its consultant for conducting the risk assessment for FY 2007 and will include that methodology in its guidance procedures in response to GAO's Recommendation 1. Recommendation 3: Maintain documentation of actions performed to address IPIA and Recovery Auditing Act requirements. Response: NASA concurs with this recommendation. In FY 2007, NASA changed its approach for complying with IPIA requirements and has now centralized its activities at NASA Headquarters in the Office of the Chief Financial Officer (OCFO). NASA has redirected resources more effectively to achieve consistency and effective management of the program. Maintaining appropriate documentation is being accomplished by the OCFO at NASA Headquarters. Recommendation 4: Adhere to OMB's guidance for reporting recovery auditing information in its annual PAR. Response: NASA concurs with this recommendation. NASA is prepared to adhere to OMB's guidance for reporting recovery auditing information in its annual PAR. Technical comments to the draft report have been provided to GAO separately. My point of contact for this matter is Mr. Frank E. Petersen, III, Director of the Office of Quality Assurance, OCFO. He may be contacted by telephone at (202) 358-4772 or by e-mail at Frank.Petersen-1@nasa.gov. Sincerely, Signed by: Shana Dale: Deputy Administrator: [End of section] Appendix VI: GAO Contact and Staff Acknowledgments: GAO Contact: McCoy Williams, (202) 512-9095 or williamsm1@gao.gov: Acknowledgments: In addition to the contact named above, Carla Lewis, Assistant Director; Francine DelVecchio; Lisa M. Galvan-Trevino; Estela Guerrero; James Maziasz; Christina Quattrociocchi; Heather Rasmussen; Donell Ries; Chris Rodriguez; and Viny Talwar made key contributions to this report. [End of section] Footnotes: [1] Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002). [2] National Defense Authorization Act for Fiscal Year 2002, Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec. 28, 2001) (codified at 31 U.S.C. §§ 3561-3567). [3] GAO, Improper Payments: Agencies' Efforts to Address Improper Payment and Recovery Auditing Requirements Continue, GAO-07-635T (Washington, D.C.: Mar. 29, 2007). [4] OMB Circular No. A-123 Appendix C, Requirements for Effective Measurement and Remediation of Improper Payments (Aug. 10, 2006). [5] IPIA defines improper payments as any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. It includes any payment to an ineligible recipient, any payment for an ineligible service, any duplicate payment, payments for services not received, and any payment that does not account for credit for applicable discounts. [6] In general, the term contractors refers to contract activities while the term grantees refers to assistance activities such as grants and cooperative agreements. See appendixes II and III for a further description of these funding mechanisms. [7] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January 2007); Financial Management Systems: Additional Efforts Needed to Address Key Causes of Modernization Failures, GAO-06-184 (Washington, D.C.: Mar. 15, 2006). [8] GAO, Afghanistan Reconstruction: Despite Some Progress, Deteriorating Security and Other Obstacles Continue to Threaten Achievement of U.S. Goals, GAO-05-742 (Washington, D.C.: July 28, 2005). [9] GAO, Global Health: USAID Supported a Wide Range of Child and Maternal Health Activities, but Lacked Detailed Spending Data and a Proven Method for Sharing Best Practices, GAO-07-486 (Washington, D.C.: Apr. 20, 2007); Financial Management: Sustained Effort Needed to Resolve Long-Standing Problems at U.S. Agency for International Development, GAO-03-1170T (Washington, D.C.: Sept. 24, 2003); Major Management Challenges and Program Risks: U.S. Agency for International Development, GAO-03-111 (Washington, D.C.: January 2003); Major Management Challenges and Program Risks: U.S. Agency for International Development, GAO-01-256 (Washington, D.C.: Jan. 1, 2001); and Financial Management: Inadequate Accounting and System Project Controls at AID, GAO/AFMD-93-19 (Washington, D.C.: May 24, 1993). [10] U.S. Agency for International Development, Office of Inspector General, Audit of USAID's Compliance With Federal Regulations in Awarding the Contract for Security Services in Iraq to Kroll Government Services International Inc., A-267-05-005-P (Washington, D.C.: Jan. 6, 2005). [11] Special Inspector General for Iraq Reconstruction, Quarterly Report and Semiannual Report to the United States Congress, (Arlington, VA: July 30, 2007). [12] Hearing before the Subcommittee on Federal Financial Management, Government Information, and International Security, Committee on Homeland Security and Governmental Affairs, United States Senate, Improper Payments: Where Are Truth and Transparency in Federal Financial Reporting, July 12, 2005 and Reporting Improper Payments: A Report Card on Agencies' Progress, March 9, 2006. Hearing before the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee on Homeland Security and Governmental Affairs, United States Senate, Eliminating and Recovering Improper Payments, March 29, 2007. [13] OMB's implementing guidance includes a broad definition of programs and activities subject to IPIA and allows agencies to determine their program and activity inventory for the purposes of performing a risk assessment. Two approaches agencies commonly use to carry out their risk assessments include a review of program operations or a review of payment activity or streams. [14] In December 2004, OMB revised its Circular No. A-123, Management's Responsibility for Internal Control, to provide guidance to federal managers on improving the accountability and effectiveness of federal programs and operations by establishing, assessing, correcting, and reporting on management controls. [15] In August 2006, OMB revised its IPIA implementing guidance. The revision consolidates into Appendix C to OMB Circular No. A-123 three memorandums previously issued by OMB. These memorandums are: M-03-07, "Programs to Identify and Recover Erroneous Payments to Contractors," (Jan. 16, 2003); M-03-12, "Allowability of Contingency Fee Contracts for Recovery Audits," (May 8, 2003); and M-03-13, "Improper Payments Information Act of 2002 (Public Law 107-300)," (May 21, 2003). The revised guidance is effective for agencies' fiscal year 2006 improper payment estimating and reporting in the PARs or annual reports. [16] IPIA does not mention the "exceeding the 2.5 percent of program payments" threshold that OMB uses for identifying and estimating improper payments. [17] An example of an alternative sampling methodology includes developing an annual error rate for a component of the program. [18] The 15 agencies include 14 that were previously required to report improper payments information under OMB Circular No. A-11, plus the Department of Homeland Security. According to OMB, these 15 agencies have programs and activities with the highest risk of improper payments. With this PMA initiative, OMB has stated that it can better ensure that those taxpayer dollars most susceptible to risk for improper payments receive the greatest amount of focus and review. [19] Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec. 28, 2001) (codified at 31 U.S.C. §§ 3561-3567). [20] See footnote 4. [21] OMB's IPIA guidance states that the term program includes activities or sets of activities recognized as programs by the public, OMB, or the Congress, as well as those that entail program management or policy direction. It also includes the activities engaged in by an agency in support of its programs. [22] We noted that for their risk assessments, five agencies used a combination of programs and payment streams. [23] USAID includes interagency agreements as part of the contracts, grants, and cooperative agreements payment stream. [24] The 11 payment streams were (1) payroll, (2) mission allowances, (3) cash transfers, (4) travel, (5) transportation, (6) training, (7) other operating expenses, (8) payments to other agencies, (9) credit- financing funds, (10) revolving funds, and (11) contracts, grants, and cooperative agreements. [25] According to USAID officials, mission accounting stations perform accounting services for other mission offices. [26] Mission offices are organizational units within USAID that operate under decentralized program authorities, allowing them to design and implement programs and negotiate and execute agreements. [27] Pub. L. No. 98-502, 98 Stat. 2327 (Oct. 19, 1984) (codified, as amended, at 31 U.S.C. §§ 7501-7507). Under the Single Audit Act, as amended, and implementing guidance, independent auditors audit state and local governments and nonprofit organizations that expend federal awards to assess, among other things, compliance with laws, regulations, and the provisions of contracts or grant agreements material to the entities' major federal programs. Organizations are required to have single audits if they annually expend $500,000 or more in federal funds. [28] The four payment streams are payroll, travel, allowances, and other. [29] NASA defines a procurement action as any contractual action to obtain supplies, services, or construction that increases or decreases funds. A procurement action thus may be a new procurement or a modification, such as a supplemental agreement, change order, or termination to an existing contract that changes the total amount of funds obligated. [30] NASA centers are organizational components that support the agency's space exploration objectives, scientific initiatives, and aeronautics research. [31] GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under the Improper Payments Information Act Remains Incomplete, GAO-07-92 (Washington, D.C.: Nov. 14, 2006). [32] The nine agencies are the Departments of Agriculture, Commerce, Defense, Energy, Homeland Security, Interior, Justice, and Treasury, and the Social Security Administration. [33] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1. (Washington, D.C.: November 1999). [34] GAO, Strategies to Manage Improper Payments: Learning From Public and Private Sector Organizations, GAO-02-69G (Washington, D.C.: October 2001). [35] GAO, Global Health: USAID Supported a Wide Range of Child and Maternal Health Activities, but Lacked Detailed Spending Data and a Proven Method for Sharing Best Practices, GAO-07-486 (Washington, D.C.: Apr. 20, 2007). [36] Department of Justice, USAID Vendor Agrees to Pay $1.2 Million To Settle Overcharging Claim (Washington, D.C.: Dec. 28, 2005). [37] U.S. Agency for International Development, Office of Inspector General, $1.31 Million Recovered From Companies That Defrauded USAID (Washington, D.C.: Oct. 14, 2005). [38] National Aeronautics and Space Administration, Office of Inspector General, Semiannual Report, April 1, 2006-September 30, 2006 (Washington, DC). [39] National Aeronautics and Space Administration, Office of Inspector General, Semiannual Report, October 1, 2004-March 31, 2005 (Washington, DC). [40] National Aeronautics and Space Administration, Office of Inspector General, Letter to Honorable Thad Cochran, Committee on Appropriations (Washington, D.C.: Dec. 20, 2005). [41] Internal controls and legal requirements applicable to agency payment processes are set out in Title 7, Fiscal Guidance, of GAO's Policy and Procedures Manual for Guidance of Federal Agencies (Washington, D.C.: May 18, 1993). [42] NASA's officials stated that the contracting officer generally reviews DCAA's audits of NASA contracts, but did not know what the reviews entailed or their frequency. [43] 31 U.S.C. §§ 3901-3907. [44] See Appendix C to OMB Circular No. A-123, pt. II(D)(2). [45] GAO-07-92. [46] GAO/AIMD-00-21.3.1. [47] Payment errors are errors resulting from duplicate payments; errors on invoices or financing requests; failure to reduce payments by applicable sales discounts, cash discounts, rebates, or other allowances; payments for items not received; mathematical or other errors in determining payment amounts and executing payments; and the failure to obtain credit for returned merchandise. [48] See footnote 4. [49] NASA headquarters and the Stennis Space Flight center contract payments were excluded from its table presentation of recovery audit amounts reported in the fiscal year 2006 PAR. According to NASA, headquarters payments were included with the Goddard Space Flight center payment information. Also, the Stennis Space Flight center was included in the recovery audit firm's scope of review, but NASA inadvertently excluded the center from its table presentation. NASA told us the Stennis Space Flight center had no reportable amounts for recovery for fiscal year 2006. [50] See footnote 14. [51] We did not review USAID's implementation of laws and policies under which accountable officers, such as payment certifying officers, are held financially liable for improper payments. See 31 U.S.C. § 3528(a). [52] The seven risk conditions include (1) financial processing and internal controls, (2) internal monitoring and assessments, (3) external monitoring and assessments, (4) human capital risk, (5) programmatic risk, (6) nature of program payments, and (7) contract/ grant management. [53] According to the consulting firm's report, it statistically tested 1,517 payment transactions totaling $71.8 million which is .7 percent of the total value of payments included in the 5 payment categories, which totaled approximately $10 billion. [54] The recovery auditors reported that the contracts and data reviewed for USAID for fiscal years 2003 through 2005 equaled approximately $3 billion. [55] OMB's implementing guidance effective for fiscal years 2004 and 2005 was OMB Memorandum M-03-13 "Improper Payments Information Act of 2002 (Public Law 107-300)" (May 21, 2003). For fiscal year 2006 reporting, agencies were required to follow Appendix C to OMB Circular No. A-123, Requirements for Effective Measurement and Remediation of Improper Payments. [56] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1. (Washington, D.C.: November 1999). [57] GAO, Strategies to Manage Improper Payments: Learning From Public and Private Sector Organizations, GAO-02-69G (Washington, D.C.: October 2001). [58] OMB's guidance also includes a section on recovery auditing requirements. [59] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January 2007). [60] The involvement of USAID's program office dictates the type of financial support instrument to be awarded. If the program office is substantially involved (i.e., start to finish) in the award process, the instrument awarded is called a cooperative agreement. If the program office is not substantially involved (i.e., only involved when needed) in the award process, the instrument awarded is called a grant. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, DC 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, jarmong@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548: