oversight

Audit of the U.S. Office of Personnel Management's Fiscal Year 2016 Improper Payments Reporting

Published by the Office of Personnel Management, Office of Inspector General on 2017-05-11.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

        U.S. OFFICE OF PERSONNEL MANAGEMENT
           OFFICE OF THE INSPECTOR GENERAL
                    OFFICE OF AUDITS




                Final Audit Report
        AUDIT OF THE U.S. OFFICE OF PERSONNEL
       MANAGEMENT’S FISCAL YEAR 2016 IMPROPER
                PAYMENTS REPORTING

                                            Report Number 4A-CF-00-17-012
                                                                May 11, 2017




                                                                 --CAUTION--
This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public version may
contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the Privacy Act,
5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of Information Act and made publicly available on
the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version should not be further released unless authorized by the OIG.
            EXECUTIVE SUMMARY 

  Audit of the U.S. Office of Personnel Management’s Fiscal Year 2016 Improper Payments
                                          Reporting
Report No. 4A-CF-00-17-012                                                                                                                      May 11, 2017



Why Did We Conduct the Audit?                            What Did We Find?
The objective of our audit was to
determine if the U.S. Office of                          1. We determined that OPM is in compliance with IPERA’s six
Personnel Management (OPM) is                               requirements for FY 2016, as identified in the chart below:
compliant with the Improper Payments
Information Act, as amended by the
                                                                  Performance
Improper Payments Elimination and                                     and
                                                                 Accountability
Recovery Act of 2010 (IPERA) and the                                Report/                         Improper
                                                                    Agency            Risk          Payment    Corrective    Reduction   Recovery     Total Non-
Improper Payments Elimination and                               Financial Report   Assessment       Estimate   Action Plan    Targets     Efforts    Compliances

Recovery Improvement Act of 2012                       OPM                                                                                               0
(IPERIA), for Fiscal Year (FY) 2016.

                                                             Compliance            Non compliance
What Did We Audit?
The Office of the Inspector General
completed a compliance audit on OPM’s                    2. IPERIA includes additional reporting requirements. We
FY 2016 improper payments reporting,                        determined that OPM is not in compliance with IPERIA’s Do Not
as defined in the U.S. Office of                            Pay Initiative reporting requirements for FY 2016. Specifically,
Management and Budget’s guidance and                        Retirement Services:
corresponding reporting instructions.
Our audit was conducted from                                    	 Did not report the Do Not Pay Initiative results for the Do
November 29, 2016, through                                         Not Pay tool in the alternative reporting table, “FY 2016
March 2, 2017, at OPM headquarters,                                Death Match Statistics”, in the FY 2016 Agency Financial
located in Washington D.C.                                         Report.

                                                                	 Could not provide documentation to support more than
                                                                   17,000 backlogged records in the Do Not Pay Portal.

                                                                	 Could not provide documentation to support the analysis
                                                                   and conclusion from their review of each of the 17,000
                                                                   backlogged records that had been investigated.

                                                         3. We identified three areas - Internal Control Assessments, Risk
______________________                                      Assessments, and Improper Payment Root Causes - where
Michael R. Esser                                            OPM can improve on its internal controls over improper
Assistant Inspector General for Audits                      payments reporting.
                                                                   i
                      This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or
                        proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 522a.
                                    ABBREVIATIONS

AFR                                    Agency Financial Report
FY                                     Fiscal Year
IPERA                                  Improper Payments Elimination and Recovery Act of 2010
IPERIA                                 Improper Payments Elimination and Recovery Improvement Act of
                                       2012
OCFO                                   Office of the Chief Financial Officer
OMB                                    U.S. Office of Management and Budget
OPM                                    U.S. Office of Personnel Management
PAR                                    Performance and Accountability Report




                                                           ii
       This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or
         proprietary information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 522a.
                                    TABLE OF CONTENTS


                                                                                                                                          Page

                EXECUTIVE SUMMARY ......................................................................................... i 


                ABBREVIATIONS…………………………….. ....................................................... ii 


    I.          BACKGROUND ..........................................................................................................1 


    II.         OBJECTIVE, SCOPE, AND METHODOLOGY ....................................................5 


    III.        AUDIT FINDINGS AND RECOMMENDATIONS.................................................7


                1. IPERA Reporting Requirements ..............................................................................7 


                2. Do Not Pay Initiative Reporting ..............................................................................7 


                3. Areas of Improvement ...........................................................................................12 

                   A. Internal Control Assessments ..........................................................................12 

                   B. Risk Assessments.............................................................................................14 

                   C. Improper Payment Root Causes.......................................................................16 


                APPENDIX I               Status of Prior OIG Audit Recommendations. 


                APPENDIX II The Office of the Chief Financial Officer’s response to the draft 

                            report, dated April 12, 2017. 


                REPORT FRAUD, WASTE, AND MISMANAGEMENT




This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                           I. BACKGROUND
This final audit report details the findings, conclusions, and recommendations resulting from our
compliance audit of the U.S. Office of Personnel Management’s (OPM) Fiscal Year (FY) 2016
Improper Payments Reporting. The audit was performed by OPM’s Office of the Inspector
General, as authorized by the Inspector General Act of 1978, as amended.

On July 22, 2010, and January 10, 2013, the President signed into law the Improper Payments
Elimination and Recovery Act of 2010 (IPERA) and the Improper Payments Elimination and
Recovery Improvement Act of 2012 (IPERIA), respectively, which amended the Improper
Payments Information Act of 2002. IPERIA redefined the definition of “significant improper
payments” and strengthened executive branch agency reporting requirements.

The U.S. Office of Management and Budget (OMB) has issued improper payments guidance to
assist agencies in implementing the laws, including OMB Circular A-123 Appendix C,
Management's Responsibility for Internal Controls, and OMB Circular A-136, Financial
Reporting Requirements. Routine updates are issued by OMB, including an update to OMB
Circular A-123 through Memorandum M-15-02 on October 20, 2014, and a revision to OMB
Circular A-136 on October 7, 2016.

An agency’s program is deemed susceptible to significant improper payments1 if the total
amount of overpayments plus underpayments in the program exceeds both 1.5 percent of
program outlays and $10,000,000 of all program or activity payments made during the fiscal year
reported or, $100,000,000 regardless of improper payments percentage of total program outlays.

Under OMB guidance, agencies must have performed the following with respect to improper
payments reporting:

    a.     “Published an AFR [Agency Financial Report] or PAR [Performance and Accountability
           Report] for the most recent fiscal year and posted that report and any accompanying
           materials required by OMB on the agency website;

    b.     Conducted a program specific risk assessment for each program or activity that
           conforms with Section 3321 note of Title 31 U.S.C. (if required);

    c.     Published improper payment estimates for all programs and activities identified as
           susceptible to significant improper payments under its risk assessment (if required);

    d.     Published programmatic corrective action plans in the AFR or PAR (if required);

1
 An improper payment is any payment that should not have been made or that was made in an incorrect amount
under statutory, contractual, administrative, or other legally applicable requirements.


                                                          1                                    Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
     e.	 Published, and is meeting2, annual reduction targets for each program assessed to be at
         risk and estimated for improper payments (if required and applicable); and

     f.	    Reported a gross improper payment rate of less than 10 percent for each program and
            activity for which an improper payment estimate was obtained and published in the AFR
            or PAR.”

If an agency does not meet one or more of these reporting requirements, it is not compliant with
IPERA.

In addition, OMB Circulars A-123 Appendix C and A-136, require agencies to:

       	 Categorize their improper payment estimates based on OMB’s new improper payment
          categories;

       	 Perform risk assessments on all low risk programs at least once every three years to
          assess their risk for improper payments;

       	 Develop indicators of improper payments for programs with the most egregious cases,
          compliance for which is determined by OMB;

      	 Identify the accountable official that oversees efforts to reduce improper payments for
         high-priority programs;

      	 Describe alternative improper payments measurements;

      	 Expand payment recapture audits to all types of payments and activities with more than
         $1 million in annual outlays if cost effective;

      	 Improve corrective action plans to include incorporating lessons learned;

      	 Recover improper payments by conducting recovery audits on programs that expend $1
         million or more annually if conducting such audits is cost-effective;

      	 Distribute funds recovered through payment recapture audits for authorized purposes;

      	 Establish internal controls to reduce improper payment rates; and

      	 Use the Do Not Pay List3 to verify eligibility for Federal payments in order to help
         reduce and eliminate payment errors before they occur.

2
  “A program will have met a reduction target if the improper payment rate for that program in the current year falls
within plus or minus 0.1 percentage points of the reduction target set in the previous year's AFR or PAR.”
3
  The “Do Not Pay List” is an initiative to prevent Federal agencies from making certain improper payments by
directing agencies to review current pre-payment and pre-award procedures to ensure the recipients are eligible.

                                                                   2	                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Each agency’s Inspector General is required to review improper payments reporting in the AFR
or PAR to determine compliance with IPERIA. OMB requires that the Inspector General review
the agency’s annual AFR or PAR, which includes evaluating the accuracy and completeness of
agency reporting, and evaluating agency performance in reducing and recapturing improper
payments. In addition, the OIG is required to determine if the agency’s corrective action plans
are robust and focused on the appropriate root causes of improper payments, effectively
implemented, and prioritized within the agency, to allow it to meet reduction targets. The
Inspector General is required to complete its review and determination within 180 days of the
agency’s AFR publication.

Two of OPM’s earned benefit programs, Retirement Services and the Federal Employees Health
Benefits Program, are by definition susceptible to significant improper payments.

OPM’s reported improper payments and overpayments recaptured for FY 2016 are summarized
in the following tables below:

                                     Table 1: FY 2016 Improper Payments Summary4
                                                     Gross                                                                        2016
                                Total
                                                   Improper             Overpayments              Underpayments                 Improper
       Program                 Outlays
                                                   Payments              ($ millions)               ($ millions)                Payments
                             ($ millions)
                                                  ($ millions)                                                                   Percent
      Retirement
                              82,013.20               304.21                  237.16                      67.05                   0.37%
       Services
       Federal
                              49,820.21                97.05                   95.98                      1.07                    0.19%
     Employees
    Health Benefits


                                Table 2: FY 2016 Overpayments Recaptured Summary5
                                                                                                    FY 2016 Improper Payment
                               FY 2016 Amount Identified for Recovery
       Program                                                                                          Amount Recovered
                                          ($ in millions)
                                                                                                          ($ in millions)
     Retirement
                                                        224.22                                                      203.60
       Services
       Federal
     Employees                                           95.98                                                      39.64
    Health Benefits


4
    Data collected from Table 1 “Improper Payment Reduction Outlook” on page 138 of OPM’s FY 2016 AFR.
5
    Data collected from Table 4 “Overpayments Recaptured outside of Payment Recapture Audits ($ in millions)” on
    page 149 of OPM’s FY 2016 AFR.

                                                                   3                                 Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Status of Previous Audit Recommendations

During the audit of OPM’s FY 2015 Improper Payments Reporting, Report No.
4A-CF-00-16-026, we determined that OPM’s reporting of improper payments was non-
compliant with IPERIA reporting requirements and noted an area of improvement. We issued
six recommendations where OPM could improve on its oversight controls over improper
payments reporting. Based on the testing performed in this year’s audit, we determined that
recommendation 2 could be closed. The remaining recommendations are still open, as outlined
in Appendix I.




                                                                   4                                 Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
II. OBJECTIVE, SCOPE, AND METHODOLOGY

OBJECTIVE

The objective of our audit was to determine if OPM is compliant with the Improper Payment
Information Act, as amended by IPERIA, for FY 2016. The recommendations included in this
report address the objective.

SCOPE AND METHODOLOGY

We conducted this compliance audit in accordance with generally accepted government auditing
standards as established by the Comptroller General of the United States. These standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objective.

The scope of our audit covered OPM’s FY 2016 improper payments reporting in OPM’s AFR.
We performed our audit from November 29, 2016, through March 2, 2017, at OPM
headquarters, located in Washington, D.C.

To accomplish our audit objective noted above, we:

           •	 Reviewed OPM’s website to ensure that the AFR was published;

           •	 Reviewed and analyzed FY 2016 risk assessments conducted by OPM’s Office of the
              Chief Financial Officer (OCFO) to determine if their methodology was logical and if
              the results were valid;

           •	 Analyzed OPM’s corrective actions to address the open audit recommendations
              identified in the FY 2013, FY 2014 and FY 2015 Improper Payments Reporting final
              audit reports;

           •	 Reviewed and analyzed supporting documentation to ensure the offices of Healthcare
              and Insurance and Retirement Services’ improper payments estimates methodologies
              were logical, and recalculated the improper payments estimates to verify the estimates
              reported;

           •	 Reviewed Healthcare and Insurance and Retirement Services’ corrective actions in
              the AFR to ensure they discussed robust and effective corrective actions to reduce
              improper payments;

                                                          5	                                   Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
            •	 Compared OPM’s FY 2015 AFR projected improper payments estimate for FY 2016
               to OPM’s FY 2016 AFR actual improper payment rate to ensure reduction targets for
               Healthcare and Insurance and Retirement Services were met;

            •	 Reviewed Healthcare and Insurance and Retirement Services’ improper payments
               estimates to determine if the gross improper payment rate was less than 10 percent in
               the AFR;

            •	 Obtained and reviewed source documentation for all numerical data on improper
               payments as documented in the AFR tables;

            •	 Assessed the reasonableness of OPM’s plan to recapture improper payments; and

            •	 Interviewed program representatives from the OCFO, Healthcare and Insurance, and
               Retirement Services.

In planning our work and gaining an understanding of the internal controls over OPM’s improper
payments reporting process, we considered, but did not rely on, OPM’s internal control structure
to the extent necessary to develop our audit procedures. These procedures were mainly
substantive in nature. We gained an understanding of management procedures and controls to
the extent necessary to achieve our audit objectives. The purpose of our audit was not to provide
an opinion on internal controls but merely to evaluate controls over the improper payments
reporting.

Our audit included such tests and analysis of OPM’s improper payments reporting process,
including documented policies and procedures, numerical data and narratives reported in the
AFR, and other applicable information, as we considered necessary under the circumstances.
The results of our review and testing indicate that with respect to the items reviewed, OPM is in
compliance with IPERA. However, OPM is not in compliance with IPERIA’s improper
payments reporting requirements for the Do Not Pay Initiative. In addition, OPM could
strengthen the internal controls over its improper payments reporting process for three areas.

We did not sample improper payments for testing. In conducting the audit, we relied to varying
degrees on computer-generated data. Due to the nature of the audit, we did not verify the
reliability of the data generated by the systems involved. However, while utilizing the
computer-generated data during our audit, nothing came to our attention to cause us to doubt its
reliability. We believe that the data was sufficient to achieve our audit objective




                                                                   6	                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
III. AUDIT FINDINGS AND RECOMMENDATIONS
 The sections below detail the results of our audit on OPM’s FY 2016 improper payments
 reporting for compliance with IPERA and IPERIA.

 1.	 IPERA Reporting Requirements

       Based on our review of OPM’s FY 2016 AFR and other documentation provided by the
       agency, we determined that OPM is in compliance with the six reporting requirements of
       IPERA:

     Criteria for Compliance                                                                                                             Criteria
                                                                                                                                          Met?
     1) Published and posted its FY 2016 AFR on Agency website                                                                            Yes
     2) Conducted program-specific risk assessments                                                                                       Yes
     3) Published improper payment estimates for all programs and activities identified as
                                                                                                                                            Yes
        susceptible to significant improper payments under its risk assessment
     4) Published programmatic corrective action plans in the AFR                                                                           Yes
     5) Published, and is meeting, annual reduction targets for each program assessed to be at
                                                                                                                                            Yes
        risk and measured for improper payments
     6) Reported a gross improper payment rate of less than 10 percent for each program or
                                                                                                                                            Yes
        activity for which an improper payment estimate was obtained and published in the AFR

 2.	 Do Not Pay Initiative Reporting

                  We found that OPM did not properly report their results for the Do Not Pay Initiative
                  in the FY 2016 AFR. Specifically, we determined that Retirement Services:

                       	 Did not report the Do Not Pay Initiative results for the Do Not Pay tool6 in the
                          alternative reporting table, “FY 2016 Death Match Statistics” in the FY 2016
                          AFR as illustrated below:




                  Source: OPM’s FY 2016 Agency Financial Report, page 151


 6
   The U.S. Department of Treasury provides Federal agencies with various methods and an array of data sources
 (e.g., Death Master File) to use during pre-award, pre-payment, pre-enrollment, and at the time of payment to verify
 and re-verify eligibility.

                                                            7	                                   Report No. 4A-CF-00-17-012
  This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                  information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                      	 Could not provide documentation to support the over 17,000 backlogged
                         records in the Do Not Pay Portal7.

                      	 Could not provide documentation to support the analysis and conclusion from
                         their review of each of the 17,000 backlogged records that they investigated.

     The U.S. Office of Management and Budget’s (OMB) Circular No. A-136 states “IPERIA
     requires pre-payment and pre-award reviews by each agency to determine program or award
     eligibility and to prevent improper payments before the release of any Federal funds.”
     OPM's Retirement Services administers annuity payments on a recurring monthly basis to
     eligible individuals. Retirement Services' process for investigating potential improper
     payments occurs after the initial annuity payment. However, because annuity payments are
     recurring, the reviews performed by Retirement Services can be considered both pre- and
     post-payment reviews until the payments are stopped. In addition, the Do Not Pay tool can
     be utilized for pre-award and pre-payment eligibility verification at the time of payment or
     “any time in the payment lifecycle.” Below is the U.S. Department of Treasury's illustration
     of how agencies can utilize the Do Not Pay tool in the payment lifecycle:




     Source: https://donotpay.treas.gov/images/DNPCircle2015.png




7
  The Do Not Pay Portal is a multi-functional analytical tool and a data shop that provides users with a secure online
single entry point to check multiple data sources (e.g., Credit Alert System, Death Master File, List of Excluded
Individuals and Entities, Office of Foreign Assets Control, and System for Award Management Entity Registration
Records).

                                                                   8	                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
      Consequently, the Do Not Pay tool could have led to the prevention of future Retirement
      Services improper annuity payments.

      OMB Circular A-136 also requires agencies to provide a brief narrative discussing the
      agency's actions attributable to the Do Not Pay Initiative and report the results in Table 7, or
      an alternative table format after approval from OMB. Retirement Services provisionally
      added and utilized the Do Not Pay tool along with their OMB-approved alternative tools, the
      Death Master File8 and Consolidated Death Match9. In addition and as required, OPM's FY
      2016 AFR described the work conducted with the Do Not Pay tool, investigating 17,000
      records, which was similar to the work that was done with the Death Master File and
      Consolidated Death Match - identifying potential deceased individuals and improper
      payments. Since this work was performed, and described in the AFR, it should have been
      included in the alternative table, FY 2016 Death Match Statistics, along with the
      Consolidated Death Match and Death Master File results. In fact, this would have been the
      perfect way to demonstrate that this work was duplicative of the work already done by
      Retirement Services with the Death Master File, as they claim.

      The Office of the Chief Financial Officer's Work Instruction for Reporting Improper 

      Payments for the Agency Financial Report states: 


            	 “[Retirement Services' Resource Management] chief and the Deputy Assistant
               Director are ultimately responsible for the collection and reporting of the data
               reported in the AFR.”

            	 “[Retirement Services' Quality Assurance] is responsible for providing the data for
               Tables 1-4 of the AFR.”

            	 “[Policy and Internal Control] will review, validate and update the information
               reported, including the tables. In order to facilitate an appropriate review process a
               [Policy and Internal Control] analyst [or] auditor will provide a first line update,
               review, and validation and the [Policy and Internal Controls] chief or designate will
               provide a second line review and validation.”



  8
    The Death Master File is a U.S. Social Security Administration file that contains data of potential deceased
  individuals. The file is matched against annuity payments on a yearly basis.
  9
    The Consolidated Death Match is a U.S. Social Security Administration file that contains data of potential
  deceased individuals. The file is matched against annuity payments on a weekly basis.




                                                                   9	                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
     OPM believes it cannot leverage the Do Not Pay tool for pre-award and pre-payment reviews
     because the timing of Retirement Services payments limits them to post-payment reviews.
     However, as discussed above, annuity payments are recurring, and therefore reviews that are
     done after the initial payment can still be considered pre-payment. In addition, OPM stated
     that it “already receives [a] robust and comprehensive [Death Master File] under a separate
     agreement with [the U.S. Social Security Administration],” and since the Do Not Pay tool
     and Death Master File have the same source, it would be a duplicate effort for Retirement
     Services. While this may be the case, OPM did not provide or document any evidence of the
     review described in the AFR, so we have no basis to concur with this statement.

     The OIG's position is that OMB requires agencies to report in their AFR on all tools being
     utilized to reduce improper payments. As a result, OPM did not comply with IPERIA's
     Do Not Pay Initiative reporting requirements as they did not report in the AFR the
     effectiveness of using the Do Not Pay tool to reduce Retirement Services' improper
     payments.

     Recommendation 1

     We recommend that OPM evaluate the Do Not Pay tool to determine if it is beneficial in
     reducing Retirement Services’ improper payments, document the results of this evaluation,
     and report the results in the FY 2017 AFR.

     OPM’s Response:

     OPM does not concur with the recommendation. “OPM already receives the robust and
     comprehensive [Death Master File] under a separate agreement with the [U.S. Social
     Security Administration]. OPM has an automated process to match against the data
     provided in the [Death Master File] and Consolidated Death Match, while the [Do Not
     Pay] portal is a manual process requiring each case to be validated. Since the same data
     source is used, this would be a duplicate effort. In conclusion, this is not a cost effective
     approach to address improper payments for [Retirement Services] which manages over 2.5
     million recurring annuity payments.”

     OIG Comment:

     OPM states that the only Do Not Pay tool applicable to the Retirement Services payments is
     the Death Master File, and this file is already received from the U.S. Social Security
     Administration and matched against annuity payments. Despite this, in FY 2016 they
     conducted a manual match of over 17,000 records in the Do Not Pay portal using this tool.

                                                                   10                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
     Since the results of this effort were not documented, and Retirement Services could not show
     us evidence that the two files were in fact duplicates, we maintain that they should evaluate
     the Do Not Pay tool for usefulness and document the results.

     Recommendation 2

     We recommend that Retirement Services adhere to OMB's Do Not Pay Initiative reporting
     requirements when reporting on the Do Not Pay results in OPM’s AFR.

     OPM’s Response:

     OPM does not concur with the recommendation. “OPM does not plan to utilize the [Do
     Not Pay] portal, the table associated with the tool would not be applicable for the FY 2017
     AFR. OPM has received OMB approval to report improper payment data via an alternative
     table. This alternative table provides greater granularity and transparency to the general
     public and communicates the results from using the [Death Master File].”

     OIG Comment:

     As stated in Recommendation 1, we are recommending that OPM conduct an evaluation of
     the Do Not Pay tool. If the results of that evaluation demonstrate that the tool is not
     beneficial in identifying and reducing improper payments, we would agree that it need not be
     used. Therefore, when OPM reports the results of the Do Not Pay tool in the FY 2017 AFR,
     it should meet OMB’s Do Not Pay Initiative reporting requirements.

     Recommendation 3

     We recommend that Retirement Services strengthen their internal controls to ensure that the
     improper payments information is supported, reviewed, validated, and maintained prior to
     issuance to the OCFO.

     OPM’s Response:

     OPM concurs with the recommendation and will revise its procedures.




                                                                   11                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
     Recommendation 4 (Rolled Forward from FY 2014 and FY 2015)

     We recommend that the OCFO strengthen their procedures to ensure that the improper
     payments information reported in OPM’s AFR is supported, reviewed, and validated for
     accuracy prior to the information’s inclusion in the AFR.

     OPM’s Response:

     OPM concurs with the recommendation and will revise its procedures.


3. Areas of Improvement

     A. Internal Control Assessments

           For the FY 2016 AFR, the OCFO conducted internal control assessments over two
           programs that are susceptible to improper payments - the Federal Employee Health
           Benefits Program and Retirement Services. We identified the following issues with the
           internal control assessments:

                      	     There was no documented support for the methodology used by the OCFO to
                             conduct the internal control assessments. As a result, we found seven
                             instances where attributes were applied to Retirement Services and not to the
                             Federal Employees Health Benefits Program, and two instances where
                             attributes were applied to the Federal Employees Health Benefits Program
                             and not to Retirement Services. Details regarding the attributes were
                             provided separately from this report. Although it is up to management's
                             discretion regarding which attributes to apply, there should be documented
                             procedures outlining the methodology utilized to conduct the assessments.

                      	     There was insufficient documentation to support the results of the internal
                             control assessments. Details regarding the insufficient documentation were
                             provided separately from this report.

                      	     The OCFO failed to publish accurate results in the FY 2016 AFR, because
                             they did not correct all of the errors identified in the FY 2015 AFR Table 14,
                             Status of Internal Controls.

           OMB Memorandum M-15-02, Circular A-123, Appendix C, outlines five standards and
           accompanying attributes that agencies can utilize in assessing internal control over

                                                                   12 	                              Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
           improper payments. In addition, the agency's management has discretion in determining
           the breadth and depth of the scope of assessing internal control over improper payments.

           The U.S. Government Accountability Office's Standards for Internal Control in the
           Federal Government states that “[i]nternal control comprises the plans, methods, policies,
           and procedures used to fulfill the mission, strategic plan, goals, and objectives of the
           entity. Internal control serves as the first line of defense in safeguarding assets. In short,
           internal control helps managers achieve desired results through effective stewardship of
           public resources.”

           As a result of having insufficient documentation and no documented methodology, it is
           difficult to confirm the accuracy of the results. Therefore, there is an increased likelihood
           that OPM could have reported inaccurate results in the FY 2016 AFR.

           Recommendation 5

           We recommend that the OCFO implement policies and procedures for the annual internal
           control assessments, to include, but not be limited to, describing the methodology utilized
           and the documentation needed to address the methodology.

           OPM’s Response:

           OPM concurs with the recommendation and will implement policies and procedures
           for the annual internal control assessments.

           Recommendation 6 (Rolled Forward from FY 2015)

           We recommend that in the FY 2017 AFR, OCFO correct all of the errors identified in the
           FY 2015 AFR Table 14, Status of Internal Controls.

           OPM’s Response:

           OPM concurs with the recommendation and will provide the correct information in the
           FY 2017 AFR.




                                                                   13                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
           Recommendation 7 (Rolled Forward from FY 2013 and FY 2014)

           We recommend that the OCFO strengthen its oversight controls over the improper
           payments data reported in the AFR to ensure that it accurately reflects supporting
           documentation.

           OPM’s Response:

           OPM concurs with the recommendation and will revise its work instruction.

     B. Risk Assessments

           For the FY 2016 AFR, the OCFO conducted risk assessments of OPM programs to
           include Federal Investigative Services (now the National Background Investigations
           Bureau), Federal Employees’ Group Life Insurance, Payroll, Purchase Cards, Travel
           Card, Travel Reimbursements, and the Vendor Payments programs. OPM has made
           significant improvements by ensuring the risk assessments contained all nine required
           risk factors and that the scoring methodology was clear and logical.

           For FY 2016, we identified the following issues with OCFO’s risk assessment results for
           the Federal Employees’ Group Life Insurance, Vendor Payments, Travel Card, Travel
           Reimbursements, Federal Investigative Services, Payroll, and Purchase Cards programs:

                      	 There were seven instances where the risk attributes’ score point values were
                         calculated incorrectly. Details regarding the seven instances were provided
                         separately from this report.

                      	 There was missing or insufficient documentation to support the results
                         reported in OPM’s FY 2016 Agency Financial Report. Details regarding the
                         missing and insufficient documentation were provided separately from this
                         report.

                      	 There was a lack of understanding of the documentation needed to address the
                         risk assessment attributes by OCFO’s analysts who conducted the risk
                         assessments. For example, question 15 states “Results from prior improper
                         payment work…Prior reviews of program risk for improper payments indicate
                         high risk.” To assess this attribute, some analysts used the OIG’s “U.S. Office
                         of Personnel Management’s Fiscal Year (FY) 2015 Improper Payments
                         Reporting” audit report, Report Number 4A-CA-00-16-026, while others used

                                                                   14 	                              Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                            OCFO’s FY 2015 risk assessment results. The analysts should have used
                            OCFO’s FY 2015 risk assessment results to address the risk attribute.

           OMB Memorandum M-15-02, Circular A-123, Appendix C, states that “[t]he agency is
           responsible for maintaining the documentation to demonstrate that the following steps (if
           applicable) were satisfied. Step 1: Review all programs and activities and identify those
           that are susceptible to significant improper payments.”

           OMB Memorandum M-15-02, Circular A-123, Appendix C, also states “[a]s part of this
           review, the agency Inspector General may also evaluate the accuracy and completeness
           of agency reporting, and evaluate agency performance in reducing and recapturing
           improper payments.”

           The U.S. Government Accountability Office's Standards for Internal Control in the
           Federal Government states that “[m]anagement clearly documents internal control and all
           transactions and other significant events in a manner that allows the documentation to be
           readily available for examination ... Documentation and records are properly managed
           and maintained.”

           OCFO's Policy and Internal Controls office stated that each risk assessment received a
           review from the Chief of the Policy and Internal Controls office or by a designate prior to
           issuance of the AFR.

           Without proper documentation to support the risk attribute points assessed and by
           incorrectly calculating risk attribute points, it is difficult to confirm the accuracy of the
           results. Therefore, there is an increased likelihood that OPM could have reported
           inaccurate results in the FY 2016 AFR for the following programs10: Federal
           Investigative Services, Purchase Cards, Vendor Payments, Federal Employees’ Group
           Life Insurance, and Payroll.

           Recommendation 8

           We recommend that OPM implement policies and procedures to document the risk
           assessment process, to include but not be limited to, the objective of each risk attribute
           and outlining the types of documentation needed to fulfill the risk attribute.



10
 The OIG was able to verify that OPM's Travel Card and Travel Reimbursements risk assessments are low risk
programs susceptible to improper payments as reported in the FY 2016 AFR.

                                                                   15                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
           OPM’s Response:

           OPM concurs with the recommendation and will create a work instruction for 

           conducting the risk assessments.


           Recommendation 9 (Rolled Forward from FY 2015)
           We recommend that OPM re-evaluate the risk assessments performed on the Federal
           Investigative Services, Purchase Cards, Vendor Payments, Federal Employees’ Group
           Life Insurance and Payroll programs prior to the issuance of OPM’s FY 2017 AFR.

           OPM’s Response:

           OPM concurs with the recommendation. “[OPM] will update the FY 2016 risk
           assessments for the Federal Investigative Services (now the National Background
           Investigations Bureau), Purchase Cards, Vendor Payments, Federal Employees' Group
           Life Insurance, and Payroll, to ensure that the results are supported by appropriate
           supporting documentation and to ensure that the criteria are addressed consistently.”

     C. Improper Payment Root Causes

           Retirement Services has made improvements in FY 2016 by properly categorizing
           improper payments related to death data; however, they were unable to fully categorize
           the following improper payments root causes in Table 2, "Improper Payment Root Cause
           Category Matrix," of the FY 2016 AFR: Federal employees retirement system's disability
           offset for social security disability, delayed reporting of eligibility, unauthorized dual
           benefits or overlapping payments between benefit paying agencies, and fraud.

           In the FY 2016 AFR, OPM acknowledges that they are aware of the major contributors of
           improper payments but are unable to provide the level of granularity needed to fully
           fulfill OMB Circular A-136 requirements. As a result, the remaining balance of these
           improper payments were placed in “Other Reason.” In addition, OPM is fully committed
           to identifying the root causes of improper payments and has actively engaged the
           Information Technology group to explore methods to further break out root causes
           identified in work processes.

           OMB Memorandum M-15-02, Circular A-123, Appendix C, requires agencies to report
           improper payment estimates based on 13 categories and defines each category.
           Reporting information based on these categories was required for FY 2015 reporting and
           beyond.

                                                                   16                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
           OMB Memorandum M-15-02 also states that “[t]hese new categories will: (1) prove
           more pertinent to the vast array of programs across the Federal landscape; (2) help
           agencies better present the different categories of improper payments in their programs
           and the percentage of the total improper payment estimate that each category represents;
           and (3) provide more granularity on improper payment estimates—thus leading to more
           effective corrective actions at the program level and more focused strategies for reducing
           improper payments at the government-wide level.”

           The OIG believes OPM should continue efforts in providing transparency and granularity
           in the retirement benefits program's improper payments in order to better present the root
           causes of improper payments in the AFR.

           Recommendation 10 (Rolled Forward from FY 2015)

           We recommend that OPM continue to implement controls to identify and evaluate the
           improper payment estimates root causes, to ensure that the root causes for the retirement
           benefits program’s improper payments are properly categorized in OPM’s annual AFR.

           OPM’s Response:

           OPM does not concur with the recommendation. “OPM has sufficient controls in place
           to identify improper payments. After many meetings with OCFO, [Retirement
           Services], and [Office of the Chief Information Officer] personnel, we have concluded
           that there are reporting limitations with the current legacy system. This constraint is
           prohibiting OPM from expanding the root causes categorization per OMB’s A-123,
           Appendix C.”

           OIG Comment:

           Without documentation to support OPM’s analysis over its legacy system, we currently
           cannot validate that the current legacy system is prohibiting OPM from expanding the
           root causes categorization. Once we receive documentation during the audit resolution
           process, we will make a determination.




                                                                   17                                Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                                  APPENDIX I

                                                                                                   Recommendation
     FY 2015 Improper Payments Reporting Recommendations                                                                                      Current Status
                                                                                                       History

Recommendation 1: We recommended that OPM implement controls to
identify and evaluate the improper payment estimates root causes, to ensure                                                      Open, see Recommendation 10 in this
that the root causes for the retirement benefits program’s improper payments                               FY 2015                             report.
are properly categorized in OPM’s annual Agency Financial Report.



Recommendation 2: We recommended that the OCFO revise the risk
assessment methodology to ensure the score point values are clearly defined
and logical, and ensure that all required risk factors are included in the risk                            FY 2015                    Closed on February 28, 2017.
assessment tool (i.e., the Improper Payment Information Act Scoring Guide)
used to conduct the assessment over OPM’s programs.


Recommendation 3: We recommended that the OCFO re-evaluate the risk
assessments performed over the Federal Investigative Services, Federal
                                                                                                                                  Open, see Recommendation 9 in this
Employees’ Group Life Insurance, Vendor Payments, Travel Card, and Payroll                                 FY 2015
                                                                                                                                                report.
programs to ensure that programs are not susceptible to significant improper
payments.

Recommendation 4: We recommended that the OCFO strengthen their
procedures to ensure that the improper payments information reported in                                Rolled forward             Open, see Recommendation 4 in this
OPM’s Agency Financial Report is supported, reviewed, and validated for                                from FY 2014                             report.
accuracy prior to the information’s inclusion in the Agency Financial Report.

Recommendation 5: We recommended that the OCFO strengthen its oversight                                Rolled forward
                                                                                                                                  Open, see Recommendation 7 in this
controls over the improper payments data reported in the Agency Financial                            from FY 2013 and
                                                                                                                                                report.
Report to ensure that it accurately reflects supporting data.                                            FY 2014

Recommendation 6: We recommended that in the FY 2016 Agency Financial
                                                                                                                                  Open, see Recommendation 6 in this
Report, OCFO correct all of the errors identified in the FY 2015 Agency                                    FY 2015
                                                                                                                                                report.
Financial Report Table 14, Status of Internal Controls.




                                                                                                                  Report No. 4A-CF-00-17-012
             This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
             information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                    APPENDIX II




Thank you for the opportunity to respond to your draft audit report on the Office of Personnel
Management’s (OPM) reporting on improper payments under the Improper Payments
Elimination and Recovery Improvement Act of 2012 (IPERIA). Reducing improper payments is
an important priority for the Administration and OPM is firmly committed to this priority. We
recognize the benefit from the external evaluation conducted by your office and the important
part it plays in improving our program and reporting efforts.

OPM has prioritized reducing improper payments as one of its key efforts to reduce
waste, fraud, abuse, and inefficiencies in Federal programs. Collectively, the Office of
the Chief Financial Officer (OCFO), Retirement Services (RS) and Healthcare and
Insurance (HI) organizations believe our cumulative efforts over the past few years
continue to result in significant improvements in OPM’s improper payment program.
The Improper Payment Working Group continues to be the focal point for coordinating
these improvements in our program.

We concur with 7 of the 10 recommendations in the draft report as discussed below. We
are providing comments on some of the factual information set forth in your draft report
and ask that those changes be incorporated in your final report.

Please note that OPM disagrees with the OIG’s finding that we are not in compliance
with IPERIA’s Do Not Pay (DNP) Initiative reporting requirements for FY 2016.
According to Public Law 112-248, Section 5 DNP Initiative (2) … At a minimum and



                                                                                                     Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
before issuing any payment and award, each agency shall review as appropriate the
following databases to verify eligibility of the payment and award: Death Management
File (DMF) of the Social Security Administration (SSA) …. As explained in its Annual
Financial Reports (AFR), OPM already receives and utilizes the robust and
comprehensive DMF under a separate agreement with SSA. Therefore, OPM is following
the guidance of the law since it matches against the DMF database, which is the same
data source used by DNP. OPM reports these improper payment results via an OMB
approved alternative table which the OIG acknowledged.

Furthermore, OPM has elaborated below in Recommendation #1 and in previous AFRs,
“while other Programs can leverage some of the DNP tools for pre-award and pre-
payments, RS is limited to post-payments since simply being on the DNP list does not
disqualify an annuitant from being paid an annuity.”

Responses to your recommendations are provided below.

Recommendation #1: We recommend that OPM evaluate the DNP tool to determine if it is
beneficial in reducing Retirement Services’ (RS) improper payments and report the results in the
FY 2017 AFR.

Management Response to Recommendation #1: Management does not concur with this
recommendation.

OMB’s memorandum of April 12, 2012, Reducing Improper Payments through the DNP list,
required federal agencies to submit a draft and final report (after OMB review) on how they plan
to use DNP to reduce improper payments. OPM’s plan submitted to OMB, as required by the
memorandum, concluded that we did not see a benefit for use of DNP for pre-payment reviews
for the retirement program.

As stated in previous AFRs, “while other Programs can leverage some of the DNP tools for pre-
award and pre-payments, RS is limited to post-payments since simply being on the DNP list does
not disqualify an annuitant from being paid an annuity.” The only conditions under which an
annuitant would surrender his or her payment are enumerated in Title 5 U.S. Code Section 8312.
Per Title 5, payments of annuity may not be made to individuals who have been convicted of
having committed certain national security offenses. These criminal offenses include treason,
espionage, delivering defense information to aid a foreign government, sabotage, and a number
of similar offenses. Payments of survivor annuities or lump sum death benefits are also
prohibited, as a matter of longstanding general public policy, to a survivor or beneficiary who
intentionally caused the death of the employee or Member, former employee or Member, or
annuitant.

In addition, current data sources available in the DNP portal include credit alert system, death
master file (DMF), list of excluded individuals and entities, office of foreign assets control,
                                                                                                     Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
system of award management (SAM), SAM exclusion records and Treasury offset program.
However, only the DMF database is relevant to RS. OPM already receives the robust and
comprehensive DMF under a separate agreement with the SSA. OPM has an automated process
to match against the data provided in the DMF and Consolidated Death Match, while the DNP
portal is a manual process requiring each case to be validated. Since the same data source is
used, this would be a duplicate effort. In conclusion, this is not a cost effective approach to
address improper payments for RS which manages over 2.5 million recurring annuity payments.

Recommendation #2: We recommend that RS adhere to OMB’s DNP Initiative reporting
requirements when reporting on the DNP results in OPM’s AFR.

Management Response to Recommendation #2: Management does not concur with this
recommendation.

Since OPM does not plan to utilize the DNP portal, the table associated with the tool would not
be applicable for the FY 2017 AFR. OPM has received OMB approval to report improper
payment data via an alternative table. This alternative table provides greater granularity and
transparency to the general public and communicates the results from using the DMF.

Recommendation #3: We recommend that RS strengthen their internal controls to ensure that
the improper payments information is supported, reviewed, validated and maintained prior to
issuance to the OCFO.

Management Response to Recommendation #3: Management concurs with this
recommendation and will revise its procedures accordingly.

Recommendation #4: (Rolled-Forward from FY 2014 and FY 2015)
We recommend that the OCFO strengthen their procedures to ensure that the improper payments
information reported in OPM's AFR is supported, reviewed, and validated for accuracy prior to
the information's inclusion in the AFR.

Management Response to Recommendation #4: Management concurs with this
recommendation and will revise its procedures accordingly.

Recommendation #5: We recommend that the OCFO implement policies and procedures for
the annual internal control assessments, to include but not limited to, describing the methodology
utilized and the documentation needed to address the methodology.

Management Response to Recommendation #5: Management concurs with the
recommendation to implement policies and procedures for the annual internal control
assessments.



                                                                                                     Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
OIG Finding related to Recommendation # 5: “...we found seven instances where attributes
were applied to Retirement Services and not to the Federal Employee Health Benefits Program
and two instances where attributes were applied to the Federal Employee Health Benefits
Program and not to Retirement Services.”

Management Response to OIG Finding related to Recommendation # 5:
Management disagrees with this part of the OIG’s finding. Addressing each attribute listed in
OMB Circular A-123, Appendix C is neither required nor cost effective. Attributes are
characteristics of a particular internal control standard that may or may not be present in any
given organization or operation. Per General Accounting Office’s Green Book, “Attributes
provide further explanation of the principle and documentation requirements and may explain
more precisely what a requirement means and what it is intended to cover, or include examples
of procedures that may be appropriate for an entity.” Every attribute will not be present in every
situation. The fact that certain attributes were applied to RS but not to HI, as stated in the
finding, does not indicate a flaw in our methodology. Furthermore, there is no requirement or
even expectation that the internal control structures of two different programs would have all the
same attributes. OMB points this out in OMB Circular A-123, Appendix C, Section C.2, where
it states that, “It is important to note that the five standards and attributes below should be
applied to the specific facts and circumstances of the various agency operations and programs.”

Recommendation #6: (Rolled-Forward from FY 2015) We recommend that in the FY 2017
AFR, OCFO correct all of the errors identified in the FY 2015 AFR Table 14, Status of Internal
Controls.

Management Response to Recommendation #6: Management concurs with the
recommendation and will provide the corrected information as a footnote to the appropriate
Table in the FY 2017 AFR.

Recommendation #7: (Rolled Forward from FY2013 and FY 2014) We recommend that the
OCFO strengthen its oversight controls over the improper payments data reported in the AFR to
ensure that it accurately reflects supporting documentation.

Management Response to Recommendation #7: Management concurs with this
recommendation and will revise its related work instruction accordingly.

Recommendation #8: We recommend OPM implement policies and procedures to document
the risk assessment process, to include but not limited to, the objective of each risk attribute and
outlining the types of documentation needed to fulfill the risk attribute.

Management Response to Recommendation #8: Management concurs with the
recommendation and will create a work instruction detailing the procedures for conducting risk
assessments.


                                                                                                     Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Recommendation #9: (Rolled Forward from FY 2015) We recommend that OCFO re-evaluate
the risk assessments performed on Federal Investigative Services, Purchase Cards, Vendor
Payments, Federal Employees' Group Life Insurance and Payroll programs prior to the issuance
of OPM's FY 2017 AFR.

Management Response to Recommendation #9: Management concurs with the
recommendation.

We will update the FY 2016 risk assessments for the Federal Investigative Services (now the
National Background Investigations Bureau), Purchase Cards, Vendor Payments, Federal
Employees' Group Life Insurance, and Payroll, to ensure that the results are supported by
appropriate supporting documentation and to ensure that the criteria are addressed consistently.

Recommendation #10: (Rolled Forward from FY 2015): We recommend that OPM continue
to implement controls to identify and evaluate the improper payment estimates root causes, to
ensure that the root causes for the retirement benefits program’s improper payments are properly
categorized in OPM’s annual AFR.

Management Response to Recommendation #10: Management does not concur with this
recommendation.

OPM has sufficient controls in place to identify improper payments. After many meetings with
OCFO, RS, and OCIO personnel, we have concluded that there are reporting limitations with the
current legacy system. This constraint is prohibiting OPM from expanding the root causes
categorization per OMB’s A-123, Appendix C.

Thank you again for the opportunity to respond to the draft report. If you have any
questions regarding our response, please contact                        , Chief Policy and
Internal Controls at                or                    @opm.gov.


cc:

Daniel K. Marella 

Deputy Chief Financial Officer 


                      

Chief, Policy and Internal Controls 


Kenneth Zawodny, Jr. 

Associate Director, Retirement Services


Alan Spielman 

                                                                                                     Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Director, Healthcare and Insurance

Mark W. Lambert
Associate Director, Merit System Accountability and Compliance

Janet L. Barnes
Director, Internal Oversight and Compliance




                                                                                                     Report No. 4A-CF-00-17-012
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                                                                                        




            Report Fraud, Waste, and Mismanagement


                                Fraud, waste, and mismanagement in Government
                               concerns everyone: Office of the Inspector General
                              staff, agency employees, and the general public. We
                                 actively solicit allegations of any inefficient and
                              wasteful practices, fraud, and mismanagement related
                                to OPM programs and operations. You can report
                                         allegations to us in several ways:



       By Internet:                 http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-
                                    or-abuse


        By Phone:                   Toll Free Number:                               (877) 499-7295
                                    Washington Metro Area:                          (202) 606-2423


           By Mail:                 Office of the Inspector General
                                    U.S. Office of Personnel Management
                                    1900 E Street, NW
                                    Room 6400
                                    Washington, DC 20415-1100
    
   
                                                                                                                        
                                                                                                                        
                                                                                                  Report No. 4A-CF-00-17-012

                                                             -- CAUTION --

This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public version
 may contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the
 Privacy Act, 5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of Information Act and made
publicly available on the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version should not be further released unless
                                                             authorized by the OIG.