On June 21, 2006, the OIG issued Audit Report 6-25, Audit of the SBA’s Implementation of the Improper Payments Information Act (IPIA). The objective of the audit was to determine whether the SBA had developed an “erroneous payment” identification, reporting, and reduction program that was in compliance with the IPIA, and whether management could rely on the existing erroneous payment activities to provide several of the basic components of an effective internal control program required by the Office of Management and Budget’s Circular A-123. Generally, the OIG found that the SBA had not fully documented detailed procedures for its erroneous payment processes. As a result, the current program did not consistently satisfy all elements of a comprehensive program to manage and reduce erroneous payments. Specifically, the OIG found that the SBA did not establish uniform procedures for risk assessment and reporting for key program areas. Each SBA program was allowed to establish its own risk assessment process using the IPIA and OMB memorandum 03-13 as guidance. Thus, each SBA program office developed their own procedures and did not consistently identify high-risk areas of vulnerability in relation to improper payments. For example, for FY 2004, the SBA reported on four programs identified as risk susceptible. Those four programs were 504 Certified Development Companies, 7(a) guaranteed loans, disaster loans, and Small Business Investment Companies.
The OIG identified issues with three of the programs’ risk assessments and improper payment reports. Under the 504 Certified Development Companies, risk assessments were not documented and transaction analyses were not performed to support the low risk conclusions made by the SBA. As a result, the SBA could not provide assurance that necessary corrective actions were taken to reduce or prevent improper payments in the 504 CDC loan program.
In the 7(a) Guaranteed Loans program, the SBA had started the implementation of a comprehensive review program to satisfy FY 2005 improper payments reporting requirements for the guaranty purchase process. However, the 7(a) guaranteed loan program did not maintain complete risk assessment documentation for it improper payment review in FY 2004, and did not adequately identify the precise reasons for improper payments in the program. Lastly, the Small Business Investment Companies program did make an estimate of its improper payments, but that estimate did not utilize statistical sampling procedures as required by OMB guidance.
The OIG made three recommendations to the Chief Financial Officer: (1) Require that systematic annual risk assessments be conducted and documented on all SBA programs and activities as appropriate, to identify improper payment risks that would possibly exceed OMB’s $10 million threshold for improper payment reporting; (2) instruct all SBA program offices required to report on their improper payment activities, to submit complete improper payment estimation and reduction reports that adequately address all of the elements required by OMB, and (3) develop Procedural Notices or Standard Operating Procedures to be used as internal guidance, as appropriate, when changes to the IPIA requirements are issued by the OMB for the erroneous payment estimation and reporting process.