oversight

Statement of Inspector General Kathleen Tighe on OIG recommendations that the Department has not yet implemented, Committee on Government Oversight and Government Reform, March 05, 2013. PDF (82K)

Published by the Department of Education, Office of Inspector General on 2013-03-05.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                      Testimony of Kathleen S. Tighe, Inspector General
                                  U.S. Department of Education
                                             Before the
                       Committee on Oversight and Government Reform
                                  U.S. House of Representatives
                                           March 5, 2013



Chairman Issa, Ranking Member Cummings, and members of the Committee, I am pleased to be

here today to discuss opportunities to reduce waste and improve efficiency at the

U.S. Department of Education (Department). As requested, I am focusing my testimony on the

issue of audit resolution and recommendations made in Office of Inspector General (OIG)

reports that the Department has not yet implemented. I want to thank the Committee for its work

in highlighting the issue of unimplemented OIG recommendations over the last several years and

for holding this hearing to further shine a spotlight on an issue that is such a vital part of good

government.



As you know, the mission of my office is to promote effectiveness, efficiency, and integrity in

Departmental programs and operations. We do this by conducting independent audits,

inspections, investigations, and other reviews. When we identify problems or weaknesses, we

make recommendations on actions the Department should take to correct those weaknesses or fix

those problems. The goal of our work is not simply to identify problems, but also to encourage

improvements and corrective actions. That is what audit resolution and followup are all about.

They are important mechanisms for helping management improve the performance of the

Department and its programs. For the purposes of this testimony, we use “audit resolution and




                                                  1
followup” to refer to the Department’s activities in response to formal recommendations in OIG

audits, inspections, and other reviews. 1



Unimplemented recommendations are a by-product of ineffective audit resolution and followup

processes, which hamper an agency’s ability to increase program and operational efficiency and

prevent waste. Since 2002, we have issued six audit reports related to audit resolution and

followup. We have also produced five letters for this Committee since 2007 on

recommendations made in OIG audit reports that the Department had not yet implemented. Our

most recent letter, provided to the Committee in December 2012, focused on high-priority short-

term and long-term recommendations that the Department has not yet implemented.



Today, I will discuss information on the Department’s audit resolution and followup processes,

the challenges it faces, and the findings of our recent work involving audit resolution and

followup. I will also discuss the information included in our December 2012 letter to this

Committee.



Background on the Department’s Audit Resolution and Followup Processes


The Office of Management and Budget (OMB) Circular A-50, “Audit Followup,” issued in

1982, provides the policies and procedures for use by executive agencies when considering audit

reports, such as those the OIG issues. It requires agencies to establish systems to ensure the

prompt and proper resolution and implementation of audit recommendations and provides that



1
 The Department is also responsible for resolving recommendations in other products related to Department
programs and operations, including those issued by the Government Accountability Office and by non-Federal
auditors (such as independent public accountants and State auditors).

                                                       2
agency heads are responsible for designating a top management official to oversee audit

followup, including resolution and corrective actions. At the Department, the Chief Financial

Officer is the designated Audit Followup Official and is charged with the timely resolution of

audit reports and ensuring that appropriate corrective actions have been taken on agreed-upon

audit recommendations. OMB Circular A-50 requires agencies to resolve audits within 6 months

of issuance. It also requires OIG to review and generally agree with the Department’s proposed

corrective action on recommendations made in an audit report before the audit can be considered

resolved.



There are generally two types of OIG audits—internal and external. Internal audits identify

deficiencies and recommend improvements in Department operations and programs to ensure

that the Department is using Federal education funds effectively and efficiently and

accomplishing program goals. External audits are of external entities that receive funding

from the Department, such as State educational agencies (SEAs), local educational agencies

(LEAs), institutions of higher education, contractors, and nonprofit organizations. External

OIG audit reports generally include recommendations for Department management to require

the external entity to take corrective action. These recommendations may be monetary, which

recommend that the entity return funds to the Department, or nonmonetary, which recommend

that the entity improve operations or internal controls.



The audit resolution process begins with the issuance of a final audit report. An internal audit is

generally considered resolved when the Department and OIG agree on a corrective action plan

for each recommendation. An external audit is considered resolved when the Department issues



                                                 3
a program determination letter on the audit report to the external entity, which is agreed to by

OIG. Upon resolution, the Department is responsible for ensuring that the corrective actions are

actually taken. When the corrective actions for a recommendation have been implemented, the

recommendation is considered completed. An audit is considered closed when the Department

ensures that all corrective actions have been implemented, including that funds are repaid or

settlement made. 2



Challenges in Audit Resolution and Followup


As mentioned previously, since 2002, we have issued six audit reports on the Department’s audit

resolution and followup processes, most recently in 2012. These reports have noted

longstanding challenges in these areas, including the following:



     •    Untimely resolution of audits, particularly external audits, that has (1) impacted the
          potential recovery of funds due to the statute of limitations 3 applicable to monetary
          recommendations made in audits of entities (such as SEAs and LEAs) and (2) delayed
          corrective actions by auditees. Specifically, our 2012 audit of the Department’s
          resolution process for OIG external audits found the following:




2
 As required by the Inspector General Act of 1978, as amended, the OIG provides information in its Semiannual
Reports to Congress on audit reports issued, audit reports that are not yet resolved, and audit reports that have been
resolved but for which corrective actions have not been implemented for at least a year after issuance of the final
audit report.
3
  The General Education Provisions Act (GEPA) establishes a statute of limitations for programs administered by
the Department, including SEA and LEA recipients. The Department cannot seek recovery of funds that were spent
more than 5 years before an auditee receives a program determination letter. The funds recovered must also be
proportional to the extent of harm to the Federal interest that the violation caused. Examples of Federal interest
include serving eligible beneficiaries, providing authorized services, and complying with expenditure requirements.
GEPA does not apply to programs authorized under the Higher Education Act of 1965.

                                                           4
            o 90 percent of the OIG audits with final report issuance dates from January 1,
               2007, through December 31, 2010, had not been resolved within OMB’s 6-month
               deadline.

                      53 of these audits were overdue for resolution by an average of 1,078 days
                       and included questioned costs that totaled $568 million.

                      Due to the running of the statute of limitations, the Department lost the
                       opportunity to recover $415 million of these costs.

            o Two years later (January 17, 2012), 42 percent of the audits were still unresolved.

            o The percentage of external OIG audits not resolved timely increased during each
               calendar year from 2007 through 2010.

    •   Ineffective internal controls over audit resolution and followup, such as the failure to
        ensure compliance with OMB Circular A-50.


    •   A lack of the following: staff to conduct resolution activities, training so that staff had
        sufficient knowledge to effectively conduct resolution activity, organizational priority
        placed on audit resolution activities, and overall accountability.



Another challenge for the Department is repeat findings, which are far too common, particularly

in our information technology security work and in our financial statement audit work. Repeat

findings are deficiencies that have been identified in previous work and remain unaddressed and

thus are again identified in subsequent work. The following are examples of some of our repeat

findings:



   •    In our FY 2012 Federal Information Security Management Act review, we found that 6
        of the 11 security control areas we reviewed—risk management, configuration
        management, remote access management, identity and access management, security

                                                 5
        training, and contingency planning—contained repeat findings from OIG and contractor
        reports issued during the prior 3 years.


    •   Since 2009, audits of the Department’s and the Federal Student Aid office’s (FSA)
        financial statements by OIG’s independent financial auditors found significant repeat
        deficiencies relating to credit reform estimation and financial reporting processes and
        controls surrounding information systems.



Improved processes and an increased emphasis on the timely implementation of corrective

actions can help significantly reduce the occurrence of repeat findings.



Recent Department Actions to Address Audit Resolution and Followup


During our 2012 audit of the Department’s external audit resolution processes, we found that one

office within the Department had developed an internal action plan that was intended to improve

its overall audit resolution process. The action plan included elements such as a quality

assessment tool designed to improve the audit resolution specialists’ ability to prepare quality

resolution documentation, a tracking tool to monitor the status of audits throughout the resolution

process, additional training for audit resolution specialists, an internal Web site to make audit

resolution resources and tools readily available to audit resolution specialists, and hiring

additional staff to perform audit resolution activities. If implemented throughout the

Department, we believe these changes could decrease the volume of audits overdue for

resolution and improve the overall timeliness of resolution activities for external OIG audits.



In response to the findings of the 2012 audit, the Department proposed a series of short-term

actions to address many of the specific recommendations in the report. In addition, the Deputy

                                                   6
Secretary has established a cross-agency team to review the audit resolution process. Members

of this team agreed that the first critical business task would be focusing on resolving all overdue

OIG external audits. As of February 1, 2013, the Department reported that the team is on track

to resolve these audits by May 31, 2013. Department leaders have asked my office to participate

in an advisory capacity on this team, and we have agreed to do so. We will be monitoring the

Department’s progress and will evaluate the effectiveness of the Department’s improved audit

followup process and corrective actions to address audit recommendations.



Summary of December 2012 Letter to the Committee



In December 2012, the Committee on Oversight and Government Reform requested information

from OIG related to our work plan process and high-priority recommendations. We told the

Committee the major initiatives in our work plan that we intend to undertake this year. We also

identified short-term and long-term recommendations that, if fully implemented, will address

weaknesses or deficiencies in Departmental programs and operations. Our recommendations

affect key areas important to the Department’s ability to effectively achieve its mission: Federal

student aid, improper payments, information technology security, and charter schools as follows:



       Federal Student Aid—Fraud Rings


       In 2011, we issued a report that brought to the Department’s attention a serious fraud

       vulnerability in distance education programs: “fraud rings,” which are large, loosely

       affiliated groups of criminals who seek to exploit distance education programs in order to

       fraudulently obtain Federal student aid. Because all aspects of distance education take

       place through the Internet (admission, student aid, course instruction), students are not

                                                 7
           required to present themselves in person at any point and institutions are not required to

           verify prospective and enrolled students’ identities; thus, fraud ringleaders are able to use

           the identities of others (with or without their consent) to target distance education

           programs. Fraud rings mainly target lower cost institutions, because the Federal student

           aid awards are sufficient to pay institutional charges (such as tuition), and the student

           receives the award balance to use for other educational expenses, such as books, room

           and board, and commuting. Our report offered nine specific recommended actions for

           the Department to take to address this fraud. Although the Department agreed to all of

           these recommendations, most have not yet been implemented.



           In January 2013, we provided the Department the results of our risk analysis related to

           student aid fraud rings, which for the time period 2009 to 2012, estimated a probable loss

           of more than $187 million in Federal student aid funds as a result of these criminal

           enterprises. 4

                     Short-Term Recommendation: Seek a statutory change to the cost of

                     attendance calculation for students enrolled in distance education programs under

                     the Higher Education Act of 1965 to limit the allowance for room and board and

                     other costs that distance education program participants do not incur as a result of

                     their studies.

                     Long-Term Recommendation: Establish edits in the Department’s student aid

                     systems, such as verification of an applicant’s identity and high school graduation

                     status, and to flag potential fraud ring participants and implement controls in the

                     Department’s Personal Identification Number delivery system.
4
    During this time period, $509.9 billion in Title IV aid was distributed.

                                                              8
Federal Student Aid—Default Management


In 2012, we issued an alert report that identified significant problems with FSA’s process

for managing defaulted student loans. Specifically, we found that the Debt Management

Collection System 2 (DMCS2) was unable to accept transfer of certain defaulted student

loans from FSA’s loan servicers. Since DMCS2 was implemented in October 2011, the

Title IV Additional Servicers and ACS Education Solutions, LLC, have accumulated

more than $1.1 billion in defaulted student loans that should be transferred to the

Department for management and collection. DMCS2 has been unable to accept transfer

of these loans and, as a result, the Department is hampered in pursuing collection

remedies and borrowers are unable to take steps to remove their loans from default status.

The inability of DMCS2 to accept these transfers also contributed to a material weakness

in internal control over financial reporting that was identified in FSA’s Fiscal Year 2012

financial statement audit. Based on our interaction with FSA officials to date, FSA has

yet to implement effective corrective action to bring these affected loans into collection

and to correct the problems with DMCS2.

       Short-Term Recommendation: Identify problems related to DMCS2 loan

       transfers, the source of each problem, and the entire population of loans adversely

       affected and establish dates for resolving the cause of each identified problem

       related to DMCS2 loan transfers.




                                          9
                  Long-Term Recommendation: Determine whether DMCS2 can become a fully

                  operational system that will meet all of the baseline functional system

                  requirements.



         Information Technology Security


         The Department collects, processes, and stores a large amount of personally identifiable

         information regarding employees, students, and other program participants. OIG has

         identified repeated problems in information technology security and noted increasing

         threats and vulnerabilities to Department systems and data. OIG’s information

         technology audits and other reviews have identified management, operational, and

         technical security controls that need improvement to adequately protect the

         confidentiality, integrity, and availability of Department systems and data.

         We have repeatedly recommended that the Department strengthen its controls and

         develop monitoring capabilities designed to help safeguard Department systems and data

         from unauthorized access, misuse, and fraud. Further, since 2009, audits of the

         Department’s and FSA’s financial statements by OIG’s independent financial auditors

         found significant repeat deficiencies involving controls over information technology

         security. In addition, our work has found that Department privileged accounts have been

         compromised by keylogger 5 software that could have been used to infect and even extract

         data from Department systems. Based on the Department’s flawed mitigation process,



5
 Keylogging is the action of tracking the keys struck on a keyboard. Keylogger software logs and monitors all
activities on the computer where it is installed. Criminals typically use keyloggers to capture user identification and
password of unwitting individuals for various fraudulent purposes.



                                                          10
we have little assurance as to whether sensitive data has been exfiltrated by unauthorized

individuals from Department systems.

       Short-Term Recommendation: We have recommended that the Department

       implement two-factor authentication—a key safeguard against keylogger usage—

       for all users with access to Departmental systems. Although the Department has

       made progress on implementing two-factor authentication for Department

       employees, it has not yet done so for all contractors and other authorized users.

       Long-Term Recommendation: The Department and FSA must determine why

       information technology initiatives are not effectively implemented and managed

       to ensure successful system integration, system and data security, and

       identification and mitigation of fraudulent activity.



Improper Payments


In FY 2011, the OMB designated the Federal Pell Grant program a “high-priority”

program because the FY 2010 Pell improper payments estimate of $1,005 million (a rate

of 3.12 percent) exceeded the OMB threshold of $750 million. As required with this

designation, the Department coordinated with OMB to establish and execute a plan to

implement high-priority program requirements, including designating accountable

officials and establishing supplemental measures to report. As a result of the Department

executing its plan, the FY 2011 Pell Grant improper payment rate fell to 2.72 percent,

with estimated improper payments of $993 million. The FY 2012 improper payment rate

also fell, dropping to 2.49 percent, with estimated improper payments of $829 million.

Although the Department is making progress, it can do more. In 2010, the Department


                                         11
implemented the Internal Revenue Service Data Retrieval Tool (IRS DRT), which allows

Federal student aid applicants and, as needed, parents of applicants, to transfer certain tax

return information from an IRS Web site directly to their online Free Application for

Federal Student Aid (FAFSA). However, only 26 percent of all FAFSAs submitted for

the 2012–2013 academic year used the IRS DRT. Use of the tool is optional, so people

intent on defrauding the program by providing false income information likely would not

select the IRS option. Because the IRS DRT is not mandatory, institutions retain the

burden of verifying an applicant’s income.

       Short-Term Recommendation: Study Pell Grant program recipients who do not

       use the IRS DRT and who are not selected for verification to determine whether

       the Department has adequate controls in place or needs to implement additional

       controls to mitigate the risk of improper payments to this population of Pell Grant

       recipients.

       Long-Term Recommendation: Since 1997, we have recommended

       implementation of an IRS income data match that would allow the Department to

       match the information provided on FAFSAs with the income data the IRS

       maintains. While the Higher Education Act of 1965 has been amended to reflect

       this requirement, the Internal Revenue Code has not been similarly amended.

       Amending the Internal Revenue Code to permit this match could help identify

       income inconsistencies and eliminate an area of fraud and abuse within the

       student financial assistance programs.




                                         12
Charter Schools


Charter schools are nonsectarian, publicly funded schools of choice exempt from certain

State and local regulations. In return for reduced governmental regulation, charter

schools agree to be held accountable for their academic and financial performance. A

total of 42 States and the District of Columbia have enacted laws allowing the

establishment of charter schools, and the laws differ from State to State. State charter

school laws assign authorizers to approve charter school applications, oversee and ensure

compliance, review and renew contracts, and close charter schools. State charter school

laws allow for various types of authorizers, which can include institutions of higher

education, independent chartering boards, school districts or LEAs, and not-for-profit

organizations. OIG has conducted a significant amount of investigative work involving

charter schools. These investigations have found that authorizers often fail to provide

adequate oversight to ensure that charter schools properly use and account for Federal

funds. Further, in September 2012, we completed an audit of the Department’s oversight

and monitoring of the Charter Schools Program’s SEA and non-SEA Planning and

Implementation Grants. We determined that the Department did not effectively oversee

and monitor the grants and did not have an adequate process to ensure SEAs effectively

oversaw and monitored their subgrantees.

       Short-Term Recommendation: Develop and implement a risk-based approach

       for selecting non-SEA grantees for monitoring activities.

       Long-Term Recommendation: Provide necessary guidance and training to

       SEAs on how to develop and implement procedures to ensure SEAs have




                                         13
               effective monitoring and fiscal controls for tracking the use of funds by charter

               schools.



Conclusion


OIG audits, inspections, investigations, and other reviews identify fraud, waste, and abuse;

provide information on the effectiveness of internal controls; and evaluate the appropriateness of

Federal funds usage. The results of our work can serve as a tool for Department management in

its daily operations, long-term strategic planning, and overall risk management. However, our

work is effective only if the Department implements timely corrective actions to address

identified deficiencies or weaknesses that hamper its ability to carry out its mission. We see that

the Department is planning to take steps to improve its audit resolution and followup processes,

and we will closely monitor and report on its progress.



Once again, I want to thank the Committee for highlighting the issue of unimplemented OIG

recommendations and helping make audit resolution a priority for all Federal agencies. This

concludes my written statement. I am happy to answer any of your questions.




                                                14