Material weaknesses in internal control discussed in this report resulted in ineffective controls over financial reporting. In addition to the material weaknesses discussed in appendix II that contributed to our disclaimer of opinion on the accrual-based consolidated financial statements, we found the following three other material weaknesses in internal control.
During fiscal year 2011, the federal government continued to make progress in reporting on improper payments. Entities reported on 12 additional programs’ improper payments estimated amounts in fiscal year 2011 when compared to fiscal year 2010.41 Most notably, the Department of Health and Human Services (HHS) reported an estimated improper payment amount for Medicare Part D of $1.7 billion. Nevertheless, the federal government continues to face challenges in determining the full extent of improper payments. For example, 3 federal entities did not report fiscal year 2011 estimated improper payment amounts for 4 risk-susceptible programs, including HHS’s Children’s Health Insurance Program and Temporary Assistance for Needy Families. The Improper Payments Information Act of 2002 (IPIA),42 as amended by the Improper Payments Elimination and Recovery Act of 2010 (IPERA),43 requires federal executive branch entities to (1) review all programs and activities, (2) identify those that may be susceptible to significant improper payments,44 (3) estimate and report the annual amount of improper payments for those programs, and (4) implement actions to reduce improper payments. IPERA also established additional requirements related to recovery auditing. OMB issued implementing guidance in fiscal year 2011.
Federal entities reported estimates of improper payment amounts that totaled $115.3 billion in fiscal year 2011, a decrease from the prior year revised estimate of $120.6 billion.45 These estimates represented about 4.7 percent and 5.3 percent of reported outlays for the associated programs in fiscal years 2011 and 2010, respectively. Decreases in reported estimates of improper payments were mostly attributable to three major programs: (1) Department of Labor’s Unemployment Insurance program, (2) Department of the Treasury’s Earned Income Tax Credit Program, and (3) HHS’ Medicare Advantage program. The decreases in the estimates for these programs primarily related to a decrease in reported outlays for the Unemployment Insurance program and decreases in reported error rates46 for the Earned Income Tax Credit and Medicare Advantage programs. It is important to note that reported improper payment estimates include overpayments, underpayments, and payments for which adequate documentation was not found, and may also include amounts of payments for years prior to the current fiscal year.
Entity auditors reported some internal control deficiencies over financial reporting, such as financial system limitations and information system control weaknesses, that significantly increase the risk that improper payments may occur and not be detected promptly. Until the federal government has implemented effective processes to determine the full extent to which improper payments occur and reasonably assure that appropriate actions are taken across entities and programs to effectively reduce improper payments, the federal government will not have reasonable assurance that the use of taxpayer funds is adequately safeguarded.
Although progress has been made, serious and widespread information security control deficiencies reported during fiscal year 2011 continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. Specifically, control deficiencies were identified related to (1) security management; (2) access to computer resources (data, equipment, and facilities); (3) changes to information system resources; (4) segregation of incompatible duties; and (5) contingency planning. We have reported information security as a high-risk area across government since February 1997.
Such information security control deficiencies unnecessarily increase the risk that the reliability and availability of data that are recorded in or transmitted by federal financial management systems could be compromised. A primary reason for these deficiencies is that federal entities generally have not yet fully institutionalized comprehensive security management programs, which are critical to identifying information security control deficiencies, resolving information security problems, and managing information security risks on an ongoing basis. The federal government has taken important actions to improve information security, such as deploying continuous monitoring capabilities, and enhancing performance measures and reporting processes. However, until entities identify and resolve information security control deficiencies and manage information security risks on an ongoing basis, federal data and systems, including financial information, will remain at risk.
During fiscal year 2011, material weaknesses and systemic deficiencies continued to affect the federal government's ability to effectively manage its tax collection activities. Due to errors and delays in recording taxpayer information, assessments, payments, and other activities, the federal government’s records did not always reflect the correct amount that taxpayers owed and this contributed to the federal government’s inability to timely release federal tax liens against taxpayers who fully satisfied or were otherwise relieved of their tax liability. Such errors and delays may cause undue burden and frustration to taxpayers who either have already paid taxes owed or who owe significantly lower amounts. In addition, deficiencies in internal control over tax refunds increased the risk of the federal government issuing duplicate or otherwise erroneous tax refunds to which individuals or businesses are not entitled. Collectively, these deficiencies indicate that internal controls over the financial reporting process were not effective in (1) ensuring that reported amounts of taxes receivable and tax assessments were accurate on an ongoing basis and could be relied upon by management as a tool to aid in making and supporting resource allocation decisions; (2) supporting timely and reliable financial statements, accompanying notes, and required supplemental and other accompanying information without extensive supplemental procedures and adjustments; and (3) safeguarding the federal government’s resources.
41Of the 12 programs, 3 programs have been excluded from the governmentwide totals to avoid distortion of the governmentwide error rate because those programs were refining their estimating methodologies. (Back to Content)
42 Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002). (Back to Content)
43 Pub. L. No. 111-204, 124 Stat. 2224 (July 22, 2010). (Back to Content)
44 Improper payments are defined as any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. It includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts. (Back to Content)
45 In their fiscal year 2011 Performance and Accountability Reports (PAR) and Annual Financial Reports (AFR), 4 federal entities updated their fiscal year 2010 improper payment estimates to reflect changes since issuance of their fiscal year 2010 PARs and AFRs. These updates decreased the governmentwide improper payment estimate for fiscal year 2010 from $125.4 billion to $120.6 billion. (Back to Content)
46 Reported error rates reflect the estimated improper payments as a percentage of total program outlays. (Back to Content)