The Government Accountability Office said Wednesday that federal agencies have made “strong, steady progress” in reducing the potential for waste and fraud — but not enough to remove any items from the latest version of its High Risk List.
Listen to Gene Dodaro, Comptroller General, GAO on In Depth with Francis Rose
Instead, GAO added two new areas this year: federal IT acquisition writ-large, and health care in the Department of Veterans Affairs. The compilation of questionably- managed federal business areas, which GAO issues every two years, now includes a total of 32 topics, including several items which have been on the list since GAO first began publishing it in 1990.
“We’re having the silver anniversary for six of these issues, managed by five agencies. That’s totally unacceptable,” said Rep. Jason Chaffetz (R-Utah), the chairman of the Oversight and Government Reform Committee. “To get off the list, you just have to meet five criteria and show some progress. These are achievable goals, and for these issues to be ongoing for 25 years is a problem we’ve got to solve.”
But based on a new five-criteria rating mechanism, which GAO introduced this year in order to measure agencies’ partial progress toward getting off the list, there is reason to be optimistic that the number will actually shrink by the next update, Gene Dodaro, the U.S. comptroller general told reporters Wednesday morning.
“Of the 30 areas that were on the list before, 18 have at least partially met all five of our criteria for removal, and 11 of those 18 have fully met one or more of the criteria,” Dodaro said. “It’s a bit of an urban legend that if you get on the GAO High Risk List you can never get off, even if none came off this year. They need to show leadership commitment, the capacity to fix the problem, have an action plan that addresses the root causes, have a monitoring plan, and they need to demonstrate progress. They really don’t need to have a 100 percent fix, but they need to demonstrate some tangible results.”
With respect to the addition of federal IT to the list, Dodaro said GAO is concerned about a pattern of missteps relating to both the acquisition and operations of government technology systems. Of the $80 billion spent on federal IT each year, he said, $58 billion goes to continue the operation of legacy systems, many of which appear to be outdated and overlapping with one another’s capabilities.
“We’re concerned that’s not being managed effectively,” Dodaro said. “As it relates to new acquisitions, we see a litany of failed government efforts where after millions or billions of dollars and several years have been spent, the program’s been cancelled. There’s a lot of cost growth and schedule slippages in other areas, and ultimately, in many cases, the systems are developed with less functionality than intended and therefore they don’t make any improvement in executing the agency’s mission.”
Only 23 percent of IT recommendations implemented
Dodaro said GAO has made a total of 737 recommendations over the past five years to improve federal IT, but only 23 percent have been implemented. He said last year’s passage of the Federal Information Technology Acquisition Reform Act (FITARA) should help matters, but only if it’s implemented effectively.
“Congress has done its job. It’s up to the agencies now to successfully execute,” he said.
GAO used a similar rationale in adding veterans’ health care to the 2015 list. Congress passed the Veterans Access, Choice and Accountability Act last year, giving VA $15 billion to hire more clinicians and pay for private sector medical care. But GAO says VA will need careful oversight to make sure the extra funding isn’t wasted and that the root cause of a series of patient access scandals that came to light last year are resolved.
Since 2010, GAO has made 167 recommendations to improve VA patients’ access to care — only 20 percent have been implemented.
“In a number of these cases, VA agreed to implement our recommendations, but they weren’t actually implemented,” Dodaro said. “I’ve just met with Secretary (Robert) McDonald, and he’s agreed to implement them. Most of them are access to care issues, where they don’t have good scheduling systems, and the IT system that supports the scheduling system is 30-years old. It’s one of the IT failures we point out in our report. They don’t have good data in a lot of areas to decide whether it’s cheaper to keep a patient in the VA or to send them to outside care. This is really important, because Congress has just given them $10 billion to make those decisions, and they don’t have the data to make those decisions.”
In this year’s update to the list, GAO also made some tweaks around the edges to a handful of longstanding items of concern — either narrowing the scope of problem areas because agencies have made progress, or tacking on additional worries to existing areas.
On the plus side, the Defense Department continued to chip away at GAO’s concerns about contract management. GAO says the department’s Better Buying Power program has helped DoD fix concerns with the improper use of time-and-materials and noncompetitive contracts, so the new high risk list takes the “contracting technique” subcategory out of the to-do list.
Expanded focus on cyber, IRS
But that’s just one of four DoD contract management concerns GAO’s had in the past, and three sub-areas are still problematic, Dodaro said.
“They still need to fix service acquisition, they have to ensure they have an acquisition workforce that’s commensurate with the challenges associated with that, and they have to make improvements in operational contracting where they’re using contractors to support military operations in the theater,” Dodaro said.
Similarly, GAO remains concerned about the Food and Drug Administration’s oversight over how the globalization of the pharmaceutical industry is affecting patient safety and whether it is ensuring that shortages of critical drugs don’t occur in the U.S. But the new report says the FDA has made major progress in monitoring medical device recalls, so the FDA is off the hook for two of the four subcategories GAO had tagged in past editions of the list.
On the downside, GAO decided it needed to expand its focus on two areas that have been longstanding items on the risk list: federal cybersecurity and tax enforcement.
IT security has been on the watchlist since 1997 and was the first item GAO ever identified as a govenmentwide concern. GAO expanded the category this year to also include concerns about data breaches that expose personally-identifiable information (PII).
“The number of incidents has more than doubled over the past five years to over 27,000, and that’s just reports by the federal agencies involving PII,” Dodaro said. “Our privacy laws were passed in 1974, and they need to be updated. We have a number of suggestions for both Congress and the executive branch agencies.”
As to the IRS item, GAO has long been concerned about uncollected taxes, which it estimates at $385 billion per year. But this year’s update includes a new focus area on fraud due to identity theft.
“Last year, the IRS stopped about $24 billion in potential fraud, but they missed about $5.8 billion. So we’re concerned, and we’re going to be talking with the Congress about a number of recommendations,” Dodaro said.
Meetings with deputy secretaries working
Many other items on this year’s list are familiar fixtures too. The Defense Department alone is responsible for eight of them, including financial management and weapons systems acquisition. But Dodaro said most of GAO’s concerns are imminently fixable given the right amount of management attention, and even though the high risk list has been around for a quarter century, that management attention has been increasing, he said.
“Back in the Bush Administration, GAO started having meetings with OMB and the agencies on the high risk list, but it was basically at the level of assistant secretaries and below,” he said. “I told OMB a couple years ago that if they could get the heads of their agencies and their deputy secretaries for management to these meetings, I would personally participate so that we can focus on what needs to be done to make improvement. We’ve been doing that for the past couple years, and elevating it to the top agency leaders has done a lot to contribute to the progress we’ve seen over the past couple years. It’s really, really important.”
And though Congress has made it habit to use the high risk list to berate agencies for underperformance, Dodaro said Capitol Hill has a role too. The list this year includes asterisks beside each area in which GAO thinks congressional action is necessary.
“Financing the nation’s surface transportation system is one example, and Postal Service reform is another,” he said. “One of the reasons I was very convinced to put IT reform and VA health care on this year’s list is that I believe neither one of them will be fully fixed during this administration’s watch. So it’s very important to have continuity and an ongoing focus on these problems.”