Testimony of Kathleen S. Tighe, Inspector General U.S. Department of Education Before the Committee on Oversight and Government Reform U.S. House of Representatives March 5, 2013 Chairman Issa, Ranking Member Cummings, and members of the Committee, I am pleased to be here today to discuss opportunities to reduce waste and improve efficiency at the U.S. Department of Education (Department). As requested, I am focusing my testimony on the issue of audit resolution and recommendations made in Office of Inspector General (OIG) reports that the Department has not yet implemented. I want to thank the Committee for its work in highlighting the issue of unimplemented OIG recommendations over the last several years and for holding this hearing to further shine a spotlight on an issue that is such a vital part of good government. As you know, the mission of my office is to promote effectiveness, efficiency, and integrity in Departmental programs and operations. We do this by conducting independent audits, inspections, investigations, and other reviews. When we identify problems or weaknesses, we make recommendations on actions the Department should take to correct those weaknesses or fix those problems. The goal of our work is not simply to identify problems, but also to encourage improvements and corrective actions. That is what audit resolution and followup are all about. They are important mechanisms for helping management improve the performance of the Department and its programs. For the purposes of this testimony, we use “audit resolution and 1 followup” to refer to the Department’s activities in response to formal recommendations in OIG audits, inspections, and other reviews. 1 Unimplemented recommendations are a by-product of ineffective audit resolution and followup processes, which hamper an agency’s ability to increase program and operational efficiency and prevent waste. Since 2002, we have issued six audit reports related to audit resolution and followup. We have also produced five letters for this Committee since 2007 on recommendations made in OIG audit reports that the Department had not yet implemented. Our most recent letter, provided to the Committee in December 2012, focused on high-priority short- term and long-term recommendations that the Department has not yet implemented. Today, I will discuss information on the Department’s audit resolution and followup processes, the challenges it faces, and the findings of our recent work involving audit resolution and followup. I will also discuss the information included in our December 2012 letter to this Committee. Background on the Department’s Audit Resolution and Followup Processes The Office of Management and Budget (OMB) Circular A-50, “Audit Followup,” issued in 1982, provides the policies and procedures for use by executive agencies when considering audit reports, such as those the OIG issues. It requires agencies to establish systems to ensure the prompt and proper resolution and implementation of audit recommendations and provides that 1 The Department is also responsible for resolving recommendations in other products related to Department programs and operations, including those issued by the Government Accountability Office and by non-Federal auditors (such as independent public accountants and State auditors). 2 agency heads are responsible for designating a top management official to oversee audit followup, including resolution and corrective actions. At the Department, the Chief Financial Officer is the designated Audit Followup Official and is charged with the timely resolution of audit reports and ensuring that appropriate corrective actions have been taken on agreed-upon audit recommendations. OMB Circular A-50 requires agencies to resolve audits within 6 months of issuance. It also requires OIG to review and generally agree with the Department’s proposed corrective action on recommendations made in an audit report before the audit can be considered resolved. There are generally two types of OIG audits—internal and external. Internal audits identify deficiencies and recommend improvements in Department operations and programs to ensure that the Department is using Federal education funds effectively and efficiently and accomplishing program goals. External audits are of external entities that receive funding from the Department, such as State educational agencies (SEAs), local educational agencies (LEAs), institutions of higher education, contractors, and nonprofit organizations. External OIG audit reports generally include recommendations for Department management to require the external entity to take corrective action. These recommendations may be monetary, which recommend that the entity return funds to the Department, or nonmonetary, which recommend that the entity improve operations or internal controls. The audit resolution process begins with the issuance of a final audit report. An internal audit is generally considered resolved when the Department and OIG agree on a corrective action plan for each recommendation. An external audit is considered resolved when the Department issues 3 a program determination letter on the audit report to the external entity, which is agreed to by OIG. Upon resolution, the Department is responsible for ensuring that the corrective actions are actually taken. When the corrective actions for a recommendation have been implemented, the recommendation is considered completed. An audit is considered closed when the Department ensures that all corrective actions have been implemented, including that funds are repaid or settlement made. 2 Challenges in Audit Resolution and Followup As mentioned previously, since 2002, we have issued six audit reports on the Department’s audit resolution and followup processes, most recently in 2012. These reports have noted longstanding challenges in these areas, including the following: • Untimely resolution of audits, particularly external audits, that has (1) impacted the potential recovery of funds due to the statute of limitations 3 applicable to monetary recommendations made in audits of entities (such as SEAs and LEAs) and (2) delayed corrective actions by auditees. Specifically, our 2012 audit of the Department’s resolution process for OIG external audits found the following: 2 As required by the Inspector General Act of 1978, as amended, the OIG provides information in its Semiannual Reports to Congress on audit reports issued, audit reports that are not yet resolved, and audit reports that have been resolved but for which corrective actions have not been implemented for at least a year after issuance of the final audit report. 3 The General Education Provisions Act (GEPA) establishes a statute of limitations for programs administered by the Department, including SEA and LEA recipients. The Department cannot seek recovery of funds that were spent more than 5 years before an auditee receives a program determination letter. The funds recovered must also be proportional to the extent of harm to the Federal interest that the violation caused. Examples of Federal interest include serving eligible beneficiaries, providing authorized services, and complying with expenditure requirements. GEPA does not apply to programs authorized under the Higher Education Act of 1965. 4 o 90 percent of the OIG audits with final report issuance dates from January 1, 2007, through December 31, 2010, had not been resolved within OMB’s 6-month deadline. 53 of these audits were overdue for resolution by an average of 1,078 days and included questioned costs that totaled $568 million. Due to the running of the statute of limitations, the Department lost the opportunity to recover $415 million of these costs. o Two years later (January 17, 2012), 42 percent of the audits were still unresolved. o The percentage of external OIG audits not resolved timely increased during each calendar year from 2007 through 2010. • Ineffective internal controls over audit resolution and followup, such as the failure to ensure compliance with OMB Circular A-50. • A lack of the following: staff to conduct resolution activities, training so that staff had sufficient knowledge to effectively conduct resolution activity, organizational priority placed on audit resolution activities, and overall accountability. Another challenge for the Department is repeat findings, which are far too common, particularly in our information technology security work and in our financial statement audit work. Repeat findings are deficiencies that have been identified in previous work and remain unaddressed and thus are again identified in subsequent work. The following are examples of some of our repeat findings: • In our FY 2012 Federal Information Security Management Act review, we found that 6 of the 11 security control areas we reviewed—risk management, configuration management, remote access management, identity and access management, security 5 training, and contingency planning—contained repeat findings from OIG and contractor reports issued during the prior 3 years. • Since 2009, audits of the Department’s and the Federal Student Aid office’s (FSA) financial statements by OIG’s independent financial auditors found significant repeat deficiencies relating to credit reform estimation and financial reporting processes and controls surrounding information systems. Improved processes and an increased emphasis on the timely implementation of corrective actions can help significantly reduce the occurrence of repeat findings. Recent Department Actions to Address Audit Resolution and Followup During our 2012 audit of the Department’s external audit resolution processes, we found that one office within the Department had developed an internal action plan that was intended to improve its overall audit resolution process. The action plan included elements such as a quality assessment tool designed to improve the audit resolution specialists’ ability to prepare quality resolution documentation, a tracking tool to monitor the status of audits throughout the resolution process, additional training for audit resolution specialists, an internal Web site to make audit resolution resources and tools readily available to audit resolution specialists, and hiring additional staff to perform audit resolution activities. If implemented throughout the Department, we believe these changes could decrease the volume of audits overdue for resolution and improve the overall timeliness of resolution activities for external OIG audits. In response to the findings of the 2012 audit, the Department proposed a series of short-term actions to address many of the specific recommendations in the report. In addition, the Deputy 6 Secretary has established a cross-agency team to review the audit resolution process. Members of this team agreed that the first critical business task would be focusing on resolving all overdue OIG external audits. As of February 1, 2013, the Department reported that the team is on track to resolve these audits by May 31, 2013. Department leaders have asked my office to participate in an advisory capacity on this team, and we have agreed to do so. We will be monitoring the Department’s progress and will evaluate the effectiveness of the Department’s improved audit followup process and corrective actions to address audit recommendations. Summary of December 2012 Letter to the Committee In December 2012, the Committee on Oversight and Government Reform requested information from OIG related to our work plan process and high-priority recommendations. We told the Committee the major initiatives in our work plan that we intend to undertake this year. We also identified short-term and long-term recommendations that, if fully implemented, will address weaknesses or deficiencies in Departmental programs and operations. Our recommendations affect key areas important to the Department’s ability to effectively achieve its mission: Federal student aid, improper payments, information technology security, and charter schools as follows: Federal Student Aid—Fraud Rings In 2011, we issued a report that brought to the Department’s attention a serious fraud vulnerability in distance education programs: “fraud rings,” which are large, loosely affiliated groups of criminals who seek to exploit distance education programs in order to fraudulently obtain Federal student aid. Because all aspects of distance education take place through the Internet (admission, student aid, course instruction), students are not 7 required to present themselves in person at any point and institutions are not required to verify prospective and enrolled students’ identities; thus, fraud ringleaders are able to use the identities of others (with or without their consent) to target distance education programs. Fraud rings mainly target lower cost institutions, because the Federal student aid awards are sufficient to pay institutional charges (such as tuition), and the student receives the award balance to use for other educational expenses, such as books, room and board, and commuting. Our report offered nine specific recommended actions for the Department to take to address this fraud. Although the Department agreed to all of these recommendations, most have not yet been implemented. In January 2013, we provided the Department the results of our risk analysis related to student aid fraud rings, which for the time period 2009 to 2012, estimated a probable loss of more than $187 million in Federal student aid funds as a result of these criminal enterprises. 4 Short-Term Recommendation: Seek a statutory change to the cost of attendance calculation for students enrolled in distance education programs under the Higher Education Act of 1965 to limit the allowance for room and board and other costs that distance education program participants do not incur as a result of their studies. Long-Term Recommendation: Establish edits in the Department’s student aid systems, such as verification of an applicant’s identity and high school graduation status, and to flag potential fraud ring participants and implement controls in the Department’s Personal Identification Number delivery system. 4 During this time period, $509.9 billion in Title IV aid was distributed. 8 Federal Student Aid—Default Management In 2012, we issued an alert report that identified significant problems with FSA’s process for managing defaulted student loans. Specifically, we found that the Debt Management Collection System 2 (DMCS2) was unable to accept transfer of certain defaulted student loans from FSA’s loan servicers. Since DMCS2 was implemented in October 2011, the Title IV Additional Servicers and ACS Education Solutions, LLC, have accumulated more than $1.1 billion in defaulted student loans that should be transferred to the Department for management and collection. DMCS2 has been unable to accept transfer of these loans and, as a result, the Department is hampered in pursuing collection remedies and borrowers are unable to take steps to remove their loans from default status. The inability of DMCS2 to accept these transfers also contributed to a material weakness in internal control over financial reporting that was identified in FSA’s Fiscal Year 2012 financial statement audit. Based on our interaction with FSA officials to date, FSA has yet to implement effective corrective action to bring these affected loans into collection and to correct the problems with DMCS2. Short-Term Recommendation: Identify problems related to DMCS2 loan transfers, the source of each problem, and the entire population of loans adversely affected and establish dates for resolving the cause of each identified problem related to DMCS2 loan transfers. 9 Long-Term Recommendation: Determine whether DMCS2 can become a fully operational system that will meet all of the baseline functional system requirements. Information Technology Security The Department collects, processes, and stores a large amount of personally identifiable information regarding employees, students, and other program participants. OIG has identified repeated problems in information technology security and noted increasing threats and vulnerabilities to Department systems and data. OIG’s information technology audits and other reviews have identified management, operational, and technical security controls that need improvement to adequately protect the confidentiality, integrity, and availability of Department systems and data. We have repeatedly recommended that the Department strengthen its controls and develop monitoring capabilities designed to help safeguard Department systems and data from unauthorized access, misuse, and fraud. Further, since 2009, audits of the Department’s and FSA’s financial statements by OIG’s independent financial auditors found significant repeat deficiencies involving controls over information technology security. In addition, our work has found that Department privileged accounts have been compromised by keylogger 5 software that could have been used to infect and even extract data from Department systems. Based on the Department’s flawed mitigation process, 5 Keylogging is the action of tracking the keys struck on a keyboard. Keylogger software logs and monitors all activities on the computer where it is installed. Criminals typically use keyloggers to capture user identification and password of unwitting individuals for various fraudulent purposes. 10 we have little assurance as to whether sensitive data has been exfiltrated by unauthorized individuals from Department systems. Short-Term Recommendation: We have recommended that the Department implement two-factor authentication—a key safeguard against keylogger usage— for all users with access to Departmental systems. Although the Department has made progress on implementing two-factor authentication for Department employees, it has not yet done so for all contractors and other authorized users. Long-Term Recommendation: The Department and FSA must determine why information technology initiatives are not effectively implemented and managed to ensure successful system integration, system and data security, and identification and mitigation of fraudulent activity. Improper Payments In FY 2011, the OMB designated the Federal Pell Grant program a “high-priority” program because the FY 2010 Pell improper payments estimate of $1,005 million (a rate of 3.12 percent) exceeded the OMB threshold of $750 million. As required with this designation, the Department coordinated with OMB to establish and execute a plan to implement high-priority program requirements, including designating accountable officials and establishing supplemental measures to report. As a result of the Department executing its plan, the FY 2011 Pell Grant improper payment rate fell to 2.72 percent, with estimated improper payments of $993 million. The FY 2012 improper payment rate also fell, dropping to 2.49 percent, with estimated improper payments of $829 million. Although the Department is making progress, it can do more. In 2010, the Department 11 implemented the Internal Revenue Service Data Retrieval Tool (IRS DRT), which allows Federal student aid applicants and, as needed, parents of applicants, to transfer certain tax return information from an IRS Web site directly to their online Free Application for Federal Student Aid (FAFSA). However, only 26 percent of all FAFSAs submitted for the 2012–2013 academic year used the IRS DRT. Use of the tool is optional, so people intent on defrauding the program by providing false income information likely would not select the IRS option. Because the IRS DRT is not mandatory, institutions retain the burden of verifying an applicant’s income. Short-Term Recommendation: Study Pell Grant program recipients who do not use the IRS DRT and who are not selected for verification to determine whether the Department has adequate controls in place or needs to implement additional controls to mitigate the risk of improper payments to this population of Pell Grant recipients. Long-Term Recommendation: Since 1997, we have recommended implementation of an IRS income data match that would allow the Department to match the information provided on FAFSAs with the income data the IRS maintains. While the Higher Education Act of 1965 has been amended to reflect this requirement, the Internal Revenue Code has not been similarly amended. Amending the Internal Revenue Code to permit this match could help identify income inconsistencies and eliminate an area of fraud and abuse within the student financial assistance programs. 12 Charter Schools Charter schools are nonsectarian, publicly funded schools of choice exempt from certain State and local regulations. In return for reduced governmental regulation, charter schools agree to be held accountable for their academic and financial performance. A total of 42 States and the District of Columbia have enacted laws allowing the establishment of charter schools, and the laws differ from State to State. State charter school laws assign authorizers to approve charter school applications, oversee and ensure compliance, review and renew contracts, and close charter schools. State charter school laws allow for various types of authorizers, which can include institutions of higher education, independent chartering boards, school districts or LEAs, and not-for-profit organizations. OIG has conducted a significant amount of investigative work involving charter schools. These investigations have found that authorizers often fail to provide adequate oversight to ensure that charter schools properly use and account for Federal funds. Further, in September 2012, we completed an audit of the Department’s oversight and monitoring of the Charter Schools Program’s SEA and non-SEA Planning and Implementation Grants. We determined that the Department did not effectively oversee and monitor the grants and did not have an adequate process to ensure SEAs effectively oversaw and monitored their subgrantees. Short-Term Recommendation: Develop and implement a risk-based approach for selecting non-SEA grantees for monitoring activities. Long-Term Recommendation: Provide necessary guidance and training to SEAs on how to develop and implement procedures to ensure SEAs have 13 effective monitoring and fiscal controls for tracking the use of funds by charter schools. Conclusion OIG audits, inspections, investigations, and other reviews identify fraud, waste, and abuse; provide information on the effectiveness of internal controls; and evaluate the appropriateness of Federal funds usage. The results of our work can serve as a tool for Department management in its daily operations, long-term strategic planning, and overall risk management. However, our work is effective only if the Department implements timely corrective actions to address identified deficiencies or weaknesses that hamper its ability to carry out its mission. We see that the Department is planning to take steps to improve its audit resolution and followup processes, and we will closely monitor and report on its progress. Once again, I want to thank the Committee for highlighting the issue of unimplemented OIG recommendations and helping make audit resolution a priority for all Federal agencies. This concludes my written statement. I am happy to answer any of your questions. 14
Statement of Inspector General Kathleen Tighe on OIG recommendations that the Department has not yet implemented, Committee on Government Oversight and Government Reform, March 05, 2013. PDF (82K)
Published by the Department of Education, Office of Inspector General on 2013-03-05.
Below is a raw (and likely hideous) rendition of the original report. (PDF)