GAO has said that the 24 CFO Act agencies generally comply with OMB’s improper payment risk assessment reporting directives, although there are exceptions.

GAO reviewed the nine risk factors identified in the 2002 Improper Payments Act and by OMB guidance, finding that six of the agencies did not report on one or more of them in their agency financial reports and performance and accountability reports over 2014-2016.

It said that Commerce, National Science Foundation and Nuclear Regulatory Commission did not have documented procedures for conducting risk assessments during fiscal years 2014 through 2016 but subsequently documented them; and that Interior, State and NASA documented procedures for conducting risk assessments but did not include all programs and activities in their risk assessments. Interior later drafted revisions to its procedures and State updated its procedures to include them, it said.

“Without properly designed and documented control activities, there is a risk that an agency may not identify all programs and activities that require a risk assessment, which could result in the agency failing to develop and report improper payment estimates for programs and activities that should have been identified as susceptible to significant improper payments,” GAO said.