April 11, 2007
FINANCIAL ADMINISTRATION MEMORANDUM NO. 2007-004 (II.J)
To: Director, Office of Acquisition and Property Management
Bureau Assistant Directors, Administration
Chief Executive Officer, National Business Center
Bureau Finance Officers
Bureau Procurement Officers
From: Mona S. Williams /s/
Focus Leader, Asset and Debt Management
Office of Financial Management
Subject: Risk Assessments and Recovery Audits for Improper Payments
The purpose of this Financial Administration Memorandum (FAM) is to establish the
requirements for conducting risk assessments and recovery audits for improper
payments.
Appendix C to OMB Circular A-123 provides guidance for conducting recovery
audits and risk assessments to fulfill the requirements under the Improper
Payments Information Act of 2002 (IPIA) and the National Defense Authorization
Act for FY 2002, Subchapter VI – Recovery Audits. The laws require each agency
to annually identify programs and activities susceptible to improper payments,
estimate the amount of improper payments, report that estimate to Congress, and
for agencies that enter into contracts totaling more than $500 million in a
fiscal year, to carry out a cost effective program to identify errors in
payments and recover amounts erroneously paid.
Risk Assessments:
Appendix C to OMB Circular A-123 states that annual risk assessments are
required for all agency programs where the level of risk is unknown until the
risk level is determined and the baseline estimates are established (if
applicable). It also states that for agency programs deemed not risk
susceptible, risk assessments are required every three years unless the programs
experience a significant change in legislation and/or significant increases in
funding level. Programs experiencing significant changes must undergo a risk
assessment during the next annual cycle.
The Department has been conducting annual risk assessments of programs exceeding
$100 million in annual outlays. These risk assessments have shown that the
Department is at low risk for improper payments. Therefore, the Department's
annual risk assessment requirement is now converted to a three-year risk
assessment. The next Departmental risk assessment will be for FY2009, and
assessments will be conducted every three years thereafter. Programs requiring a more frequent
risk assessment will be identified separately, and notification of such risk
assessments will be issued under a separate data call.
Guidance on conducting risk assessments is included at Attachment 1.
Recovery Audits:
Appendix C to OMB Circular A-123 requires agencies to have a cost effective
program of internal control to prevent, detect, and recover overpayments to
contractors resulting from payment errors. A required element of such a program
is the use of recovery audits and recovery activities. A recovery audit is a
review and analysis of the agency's books, contracts and modifications, vendor
correspondence, payment transaction records, vendor master files, paid history
files, purchase orders, invoice files, and other available information
supporting payments that is specifically designed to identify overpayments to
contractors due to payment errors. It is not an audit in the traditional sense.
Recovery audits may be performed by agency employees, by other departments or
agencies of the U.S. Government acting on behalf of the agency, or by
contractors performing recovery audit services under contracts awarded by the
agency. They cannot be performed by the Inspector General and other agency
external auditors that carry out management's recovery audit program.
The Department requires annual recovery audits of all payments made to vendors
and reports on recovery auditing activities annually in the IPIA portion of the
Management's Discussion and Analysis section of the PAR. The Department
currently outsources recovery audit services but does not preclude bureaus from
performing recovery audits with in-house resources. Bureaus and Departmental
offices have negotiated their own task orders with a Federal government
contracting agent. Any appropriate type of contract, including contingency
contracts, may be used to obtain the services of recovery audit contractors. A
recovery audit contingency contract is a contract in which the recovery audit
contractor is paid a portion of the amount recovered. The amount the contractor
is paid is generally a percentage of the recoveries and is based on the amount
actually collected, based on the evidence discovered and reported by the
recovery audit contractor to the appropriate agency official. Contingency fee
contracts preclude payment to the contractor until the recoveries are collected.
Recovery audit contractors may review payments/payment data and contracts to
determine improper payments, and they may communicate with vendors to verify the
validity of potential payment errors. They also analyze the reasons for
erroneous payments and recommend cost effective controls to prevent such future
erroneous payments. Contractors are prohibited from using or sharing sensitive
information that has not been released for use by the general public except for
the purpose of fulfilling the recovery audit contract. In addition, recovery
audit contractors are required to take steps to safeguard the confidentiality of
sensitive information that has not been released for use by the general public.
All recovery audit contractor personnel sign non-disclosure agreements prior to
being assigned to do recovery audit work for the Department.
Attachment 2 contains a description of the Department’s current recovery audit
contractor’s activities.
Questions on risk assessments or recovery audits should be directed to Dorothy
Sugiyama at (202) 208-5789.
Prior Financial Administration Memoranda on this subject:
None
Attachments