Material weaknesses in internal control discussed in this report resulted in ineffective controls over financial reporting. In addition to the material weaknesses discussed in appendix II that contributed to our disclaimer of opinion on the accrual-based consolidated financial statements, we found the following three other material weaknesses in internal control.
The federal government continues to make progress under the requirements of the Improper Payments Information Act of 2002 (IPIA)39 in reporting on the nature and extent of improper payments.40 Federal entities reported estimates of improper payment amounts that totaled $125.4 billion in fiscal year 2010, which represented about 5.5 percent of $2.3 trillion of reported outlays for the related programs. The $125.4 billion estimate is an increase of $16.2 billion from the prior year estimate of $109.2 billion.41 Increases in reported estimates of improper payments were mostly attributable to four major programs: (1) Department of Labor's Unemployment Insurance program, (2) Department of the Treasury's Earned Income Tax Credit Program, (3) Department of Health and Human Services' (HHS) Medicaid program, and (4) HHS' Medicare Advantage program. The increases in the estimates for these programs primarily related to an increase in reported program outlays and, for the Unemployment Insurance and Earned Income Tax Credit programs, increases in reported error rates. Reported error rates declined in certain significant programs, including the Medicaid and Medicare Advantage programs, as well as the Department of Transportation's Federal Aid Highway program and Social Security Administration's Supplemental Security Income program. It is important to note that reported improper payment estimates include overpayments, underpayments, and payments for which adequate documentation was not found, and they may include amounts of payments for years prior to the current fiscal year.
While progress has been made in meeting the requirements of IPIA, the federal government still faces challenges in determining the full extent to which improper payments occur and to reasonably assure that appropriate actions are taken to reduce improper payments. For example, three federal entities did not report estimated improper payment amounts for fiscal year 2010 for 7 risk-susceptible programs that had aggregate outlays of at least $85 billion. Of these 7 programs, 6 risk-susceptible programs had reported improper payment estimated amounts in fiscal year 2008, but not in fiscal year 2009. Some entities cited insufficient documentation, incorrect computations, and changes in program requirements as causes of improper payments. Entity auditors also reported a variety of control deficiencies and challenges, such as financial systems limitations and contract monitoring issues that could allow improper payments to occur. Corrective actions needed to reduce improper payments may be unique to specific entities and programs. Furthermore, until the federal government has implemented effective processes to determine the full extent to which improper payments occur and reasonably assure that appropriate actions are taken across entities and programs to effectively reduce improper payments, the federal government will not have reasonable assurance that the use of taxpayer funds is adequately safeguarded.
On November 20, 2009, the President issued Executive Order 13520, Reducing Improper Payments, which further heightened awareness of the need to reduce improper payments and eliminate waste, fraud, and abuse in federal programs. The order focuses on transparency, holding entities accountable, and creating incentives to reduce improper payments. The President also issued a March 10, 2010 memorandum on Finding and Recapturing Improper Payments that expands the use of payment recapture audits (recovery audit) for detecting and recapturing payment errors; and a June 18, 2010 memorandum directing that a 'Do Not Pay List' be established to prevent improper payments from being made to ineligible recipients. Moreover, Congress passed the Improper Payments Elimination and Recovery Act of 2010 (IPERA),42 which amends IPIA to expand upon the required steps for executive branch entities to identify, estimate, and report improper payment information. IPERA established additional requirements related to manager accountability, recovery auditing, compliance and noncompliance determinations and reporting, and an opinion on internal controls over improper payments. In general, the revised improper payment requirements established by IPERA become effective when OMB issues its implementing guidance, which is required no later than January 22, 2011. We view these actions as positive steps toward improving transparency over and reducing improper payments; however, it is too soon to determine whether the activities called for in the Executive Order, Presidential memoranda, and IPERA will achieve their goal of reducing improper payments while continuing to ensure that federal programs serve and provide access to intended beneficiaries.
Although progress has been made, serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. We have reported information security as a high-risk area across government since February 1997. During fiscal year 2010, federal entities reported control deficiencies related to preventing, limiting, or detecting unauthorized access to computing resources. Specifically, control deficiencies were identified related to (1) security management; (2) access to computer resources (data, equipment, and facilities) being reasonable and restricted to authorized individuals; (3) changes to information system resources being authorized and systems being configured and operating as intended; (4) segregation of incompatible duties; and (5) contingency planning for protecting information resources, minimizing the risk of unplanned interruptions, and providing for recovery of critical operations.
Such information security control deficiencies unnecessarily increase the risk that the reliability and availability of data that are recorded in or transmitted by federal financial management systems could be compromised. A primary reason for these deficiencies is that federal entities generally have not yet fully institutionalized comprehensive security management programs, which are critical to identifying information security control deficiencies, resolving information security problems, and managing information security risks on an ongoing basis. The federal government has taken important actions to improve information security, such as issuing extensive guidance on information security, reducing the number of federal access points to the Internet, and establishing security configurations for certain desktop computers. However, until entities identify and resolve information security control deficiencies and manage information security risks on an on-going basis, federal data and systems, including financial information, will remain at risk.
During fiscal year 2010, material weaknesses and systemic deficiencies continued to affect the federal government's ability to effectively manage its tax collection activities. Due to errors and delays in recording taxpayer information, assessments, payments, and other activities, the federal government's records did not always reflect the correct amount that taxpayers owed and this contributed to the federal government's inability to timely release federal tax liens against taxpayers who fully satisfied or were otherwise relieved of their tax liability.' Such errors and delays may cause undue burden and frustration to taxpayers who either have already paid taxes owed or who owe significantly lower amounts. In addition, these deficiencies indicate that internal controls over the financial reporting process were not effective to (1) ensure that reported amounts of taxes receivable and tax assessments were accurate on an ongoing basis and could be relied upon by management as a tool to aid in making and supporting resource allocation decisions and (2) support timely and reliable financial statements, accompanying notes, and required supplemental and other accompanying information without extensive supplemental procedures and adjustments.
39Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002), as amended by the Improper Payments Elimination And Recovery Act of 2010, Pub. L. No. 111-204, 124 Stat. 2224 (July 22, 2010). The IPIA requires federal executive branch entities to review all programs and activities, identify those that may be susceptible to significant improper payments, estimate and report the annual amount of improper payments for those programs, and implement actions to reduce improper payments. (Back to Content)
40 IPIA defines an improper payment as any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. It includes any payment to an ineligible recipient, any payment for an ineligible service, any duplicate payment, payments for services not received, and any payment that does not account for credit for applicable discounts. (Back to Content)
41 In their fiscal year 2010 Performance and Accountability Reports (PAR) and Annual Financial Reports (AFR), select federal entities updated their fiscal year 2009 improper payment estimates to reflect changes since issuance of their fiscal year 2009 PARs and AFRs. These updates increased the governmentwide improper payment estimate for fiscal year 2009 from $98.7 billion to $109.2 billion. (Back to Content)
42 Pub. L. No. 111-204, 124 Stat. 2224 (July 22, 2010). (Back to Content)