According to the Office of Management and Budget (OMB) report, Improving the Accuracy and Integrity of Federal Payments, February 2006, the government-wide improper payment total reported for fiscal year (FY) 2005 was $37.3 billion. The report also found that the amount reported for FY 2005 was approximately $7.8 billion less than the $45.1 billion reported in FY 2004. Despite this improvement, improper payments remain a significant problem in the federal government.

Improper payments are payments that should not have been made or payments that were made for an incorrect amount because of errors, poor business practices, or intentional fraud or abuse. Improper payments include: (1) payments to an ineligible recipient, (2) payments for an ineligible service, (3) duplicate payments, (4) payments for services not rendered, and (5) payments that do not account for credit for applicable discounts.

The President’s Management Agenda, August 2001, is a strategy for improving the management and performance of the federal government, and includes five government‑wide initiatives, one of which is “Improved Financial Performance.”¹ Included in this initiative are requirements for the identification and reduction of improper payments within the federal government. In recent years, legislation has been enacted to address this problem followed by implementation of guidance from OMB. This legislation requires that government agencies conduct program inventories and assess each program’s risk for making improper payments. In addition, government agencies are to report on progress made in identifying and recovering improper payments.

Background

Two federal laws address the prevention, identification, and recovery of improper payments. Pub. L. No. 107-300 (2002), the Improper Payments Information Act of 2002 (IPIA), requires the heads of federal agencies to annually: (1) review all programs and activities to identify those susceptible to significant improper payments, (2) estimate the amount of improper payments, and (3) report the estimate to Congress. In addition, for improper payments estimated in excess of $10 million, the agency must report the actions it is taking to reduce improper payments and include a discussion of the potential causes, a statement on whether the agency's information system and infrastructure are adequate to reduce improper payments, and a description of the steps taken to ensure agency managers are held accountable for reducing improper payments.

Pub. L. No. 107-107 (2001), the National Defense Authorization Act for FY 2002 (NDAA), Subchapter VI - Recovery Audits, requires all agencies that enter into contracts totaling more than $500 million in a fiscal year to carry out a cost‑effective program to identify errors in payments and recover amounts erroneously paid. These actions are known as "recovery audits."

Between January and May 2003, OMB issued three memoranda that provided additional guidance related to the IPIA and the NDAA.² In August 2006, these three memoranda were consolidated into OMB Circular A‑123, Appendix C, Requirements for Effective Measurement and Remediation of Improper Payments, which became effective immediately for the FY 2006 Performance and Accountability Report (PAR).³

OMB Circular A-123, Appendix C requires that “when an agency’s review is unable to discern whether a payment was proper as a result of insufficient or lack of documentation, this payment must also be considered an error.” ⁴ OMB Circular A-123, Appendix C details the IPIA information that should be included within an agency’s PAR, which changed so that agencies with improper payment estimates less than $10 million are no longer required to complete the entire IPIA section of the PAR. Instead, these agencies are required to report only the improper payment estimate totals.

For recovery auditing, OMB Circular A-123, Appendix C permits contingency fee contracts, which allow a portion of recovered funds to be used to pay recovery audit contractors. OMB Circular A-123, Appendix C also provides guidance on the disposition of recovered amounts and directs affected agencies to submit annual reports detailing recovery audit activities. Additionally, the guidance states that "agency Inspectors General and other external agency auditors are encouraged to assess the effectiveness of agencies' recovery audit programs."

OMB issued Circular A-136 - Revised July 2006, Financial Reporting Requirements, which superseded Memorandum M‑04‑20, FY 2004 Performance and Accountability Reports and Reporting Requirements for the Financial Report of the United States Government, July 2004. Memorandum M-04-20 directed agencies to include the following recovery audit information, beginning in the FY 2004 PAR: (1) a discussion of each agency’s recovery audit effort, (2) the amount of recoveries expected, (3) the actions taken to recover them, and (4) the business processes changed and internal controls instituted or strengthened to prevent future occurrences. OMB Circular A‑136 requires agencies to include the following additional information in the annual IPIA report:

• Accomplishments in the area of funds management past the primary recipient, including the status on projects and results of any reviews, which are applicable to grant-making agencies with risk-susceptible grant programs.

• The reduction outlook table, which should include: (1) all risk‑susceptible programs, whether or not improper payments were identified; (2) dates when measurements are expected to be provided; (3) the baseline measurement year; (4) separate dollar amount estimates if the estimates correspond to both newly and previously established measurements; (5) estimates for the future 3 years; and (6) a report on current year activity and previous year activity, if applicable.

• The contract types that were excluded from the recovery audit review and an explanation for their exclusion.

• A table detailing the recovery audit effort, including the amount subject to review, the actual amount reviewed and reported on, the amount identified for recovery, the percentage of amount identified over the actual amount reviewed, the amount recovered, and the amount recovered in previous years.

OMB Circular A-123 revision, Management’s Responsibility for Internal Control, dated December 2004, effective FY 2006, requires agencies to annually submit an overall statement of assurance as to the adequacy and effectiveness of internal controls within the agency, and a statement of assurance over the effectiveness of the internal controls over financial reporting. Agencies are to document the internal controls over financial reporting in hard copy or electronic forms and include documentation of tests of internal controls, internal control deficiencies, and suggestions for improvement.

Department of Justice Guidance

In March 2006, the Department of Justice’s (DOJ) Justice Management Division (JMD) issued guidance on recovery audit programs and the IPIA in Financial Management Policies and Procedures Bulletin 06‑11 (Bulletin 06‑11). This department‑wide bulletin supports guidance set forth in the IPIA, the NDAA, and OMB circulars and memoranda. Bulletin 06‑11 requires each component to "review all programs and activities administered, and identify those susceptible to significant improper payments. This includes payments from federal awards made by recipients and subrecipients subject to the Single Audit Act Amendments of 1996." Further, Bulletin 06-11 requires that "each component must ensure that its risk assessment, required under the IPIA, contain, at a minimum: (1) the results from the most recent financial statement audit, including any material weaknesses or reportable conditions; (2) the effect of those weaknesses or conditions on its risk of making improper payments; and (3) a description of the corrective actions taken to address those weaknesses or conditions.”

Bulletin 06-11 also requires that “the risk assessment should also include a review of systems, procedures, policies, and practices, including oversight, that help prevent or correct improper payments. It also can include, but is not limited to, independent audit reports, internal control reviews, Inspector General reviews, results of recovery audit activities, other internal reviews, and the results of the internal audit program or any other mechanism implemented to analyze susceptible risk."

JMD combines all of the components’ annual IPIA reports and summarizes them in DOJ’s annual PAR. The annual IPIA report is required to include:

• a description of the risk assessment performed and a list of risk‑susceptible programs;

• the statistical sampling process conducted to estimate the improper payment rate for each program identified, if applicable;

• the corrective action plan for reducing improper payments, and the corrective action plan for grant-making agencies with risk‑susceptible grant programs, including a discussion of accomplishments in the area of funds stewardship past the primary recipient;

• estimates of improper payments in future years;

• a description of the recovery audit program, including a table detailing the recovery audit effort, the amount subject to review, the actual amount reviewed and reported on, the amounts identified for recovery, the percentage of amounts identified over the actual amount reviewed, the amount recovered, and the amount recovered in previous years;

• the steps planned and taken to ensure management is held accountable for reducing improper payments;

• a description of whether the information system and infrastructure are adequate to reduce improper payments; and if not, a description of the resources requested to improve its information systems and infrastructure;

• any statutory or regulatory barriers that may limit the corrective actions in reducing improper payments; and

• additional comments on overall efforts, specific programs, best practices, or common challenges identified. ⁵

Bulletin 06-11 further requires each component to carry out a cost‑effective recovery audit program to prevent, identify, and recover improper payments. Each recovery audit program must include a comprehensive review of prior payments to determine whether they were improper. Further, the recovery audit program must:

• look for several types of improper payments, including: (1) duplicate payments, (2) payments made that were not in accordance with an applicable contract, (3) payments made for incorrect amounts, (4) payments for which allowable discounts were not taken, and (5) payments made for goods not received or services not rendered;

• encompass, at a minimum, all payments made from FY 2003 forward; and

• include the component’s grant programs, if applicable.

Recovery audits may be performed by component employees, by other departments or agencies of the federal government acting on behalf of the component, or by contractors performing recovery audit services under contracts awarded by the agency. Each component is required to develop and implement written policies and procedures for its recovery audit program, in accordance with the framework set forth in Bulletin 06‑11.

In May 2003, the Director, JMD Finance Staff, implemented a department‑wide recovery audit contract, which all components are required to use unless a waiver is granted. Requests for waivers must be forwarded to the Director and include a complete description of the proposed alternate recovery audit program and its cost.

Bulletin 06-11 further requires each component to complete a quarterly report on recovery audit activities. The report is due within 5 working days following the end of each quarter and should include the type and total amount of improper payments identified, the total amount recovered, and the total amount outstanding. Components are to report separate totals for amounts attributable to internal agency activities and also those attributable to recovery audit contractors. Additionally, the report should include the identified causes for improper payments, as well as the corrective actions taken, business processes changed, and internal controls instituted and strengthened to prevent future occurrences. Finally, descriptions of the recovery audit program and planned recovery audit activities for the following quarter are to be included within the quarterly report.

Prior Audit

In April 2005, the Office of the Inspector General (OIG) issued an audit report on the Department of Justice Process for Identifying, Preventing, and Recovering Improper and Erroneous Payments, Audit Report Number 05‑19. The scope of this audit included four DOJ components: (1) the Federal Bureau of Prisons (BOP), (2) Office of Justice Programs (OJP), (3) Federal Bureau of Investigation (FBI), and (4) United States Marshals Service (USMS). At each of the components, the auditors reviewed the reports submitted in accordance with the IPIA and assessed each component’s efforts for preventing, identifying, and quantifying improper payments. Additionally, the auditors reviewed the recovery audit efforts at each of the selected components. The audit revealed that:

• The USMS and OJP risk assessments were not adequate to completely measure the risk of improper payments for all programs the components administered.

• The BOP, OJP, and USMS IPIA reports did not contain a complete description of the risk assessment performed.

• Weaknesses were identified in certain FBI and USMS policies and procedures used to prevent improper payments.

• None of the risk assessments included an analysis or consideration of any material weaknesses, reportable conditions, or non‑compliance matters resulting from the components’ annual financial statement audits.

• The FBI, OJP, and USMS did not have processes in place to determine the full extent of improper payments.

• The BOP and OJP initiated recovery audit programs but had not implemented written policies and procedures. Additionally, the FBI and USMS had not initiated any type of formalized recovery audit program.

• JMD did not have an official reporting mechanism in place to monitor each component’s recovery audit activities. Additionally, JMD’s recovery audit guidance was not adequate to ensure consistency among the components related to progress in implementing and maintaining a recovery audit program.

The OIG provided the recommendations to these conditions. At the time of this audit, all 22 recommendations had been agreed upon, 13 have been fully implemented, and 9 are in the process of being implemented.

Audit Approach

This audit was requested by JMD. Based on the magnitude of the government-wide improper payments identified in the February 2006 OMB report and the findings identified in the April 2005 OIG audit report, we conducted a follow‑up audit, which included the: (1) Offices, Boards and Divisions (OBDs);⁶ (2) Federal Prison Industries (FPI); (3) Drug Enforcement Administration (DEA); and (4) Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). The purpose of the audit was to assess the selected component’s processes for preventing, identifying, and recovering improper and erroneous payments. Specifically, the objectives of the audit were to determine whether the components established:

• policies and procedures for preventing improper and erroneous payments,

• policies and procedures for identifying improper and erroneous payments, and

• methods to recover improper and erroneous payments.

During this audit, we reviewed current laws, regulations, guidance, and policies to obtain an understanding of the requirements with which federal agencies must comply. We also conducted interviews with component management; reviewed policies and procedures related to preventing, identifying, and recovering improper payments; and analyzed reports submitted to JMD to determine whether the components complied with applicable laws and regulations. Specifically, we reviewed the FY 2005 IPIA reports submitted by the components to JMD. The information in these reports was analyzed in conjunction with Bulletin 06-11, dated March 2006. We used this approach in order to identify any necessary enhancements for full compliance in the FY 2006 IPIA reporting period.

1. The five initiatives of the President’s Management Agenda are further detailed in Appendix II of this report.

2. These three Memoranda included: (1) Memorandum M-03-07, Programs to Identify and Recover Erroneous Payments to Contactors, January 2003; (2) Memorandum M‑03‑12, Allowability of Contingency Fee Contracts for Recovery Audits, May 2003; and (3) Memorandum M‑03‑13, Implementation Guidance for the Improper Payments Information Act of 2002, P.L. 107-300, May 2003.

3. The PAR is an annual report that provides information on an agency’s actual performance and progress in achieving the goals in its strategic plan and performance budget.

4. The scope of this audit did not include improper payments identified when an agency was unable to discern whether the payment was proper due to insufficient or lack of documentation. This type of improper payment was first defined in Office of Management and Budget Circular A-123, Appendix C, Requirements for Effective Measurement and Remediation of Improper Payments, August 2006.

5. The Annual Improper Payments Information Act Report is detailed in Appendix V.

6. In order to assess the OBDs, we selected a sample of six sub‑components of the OBDs to review and conclude upon compliance with the IPIA and the NDAA. The sub‑components selected included the: (1) Regime Crimes Liaison Office (RCLO), (2) Office on Violence Against Women (OVW), (3) Civil Division (CIV), (4) Office of Community Oriented Policing Services (COPS), (5) Executive Office for Immigration Review (EOIR), and (6) Wireless Management Office (WMO). The methodology for the selection of the OBD subcomponents is detailed in Appendix I.