FCC Should Assess the Design of the E-rate Program's Internal Control Structure
In a September 29 report, GAO found that the design of E-rate's internal control structure may not appropriately consider program risks.
GAO found, for example, that the Universal Service Administrative Company's application review process incorporates a number of different types and levels of reviews, but that it was not clear whether this design was effectively and efficiently targeting resources to risks. Similarly, GAO found no controls in place to periodically check the accuracy of USAC's automated invoice review process, again making it unclear whether resources are appropriately aligned with risks. While USAC has expanded and adjusted its internal control procedures, it has never conducted a robust risk assessment of the E-rate program's core processes, although it has conducted risk assessments for other purposes, such as financial reporting. A risk assessment involving a critical examination of the entire E-rate program could help determine whether modifications to business practices and the internal control structure are needed to appropriately address the risks identified and better align program resources to risks. The internal control structure--once assessed and possibly adjusted on the basis of the results of a robust risk assessment--should then be periodically monitored to ensure that the control structure does not evolve in a way that fails to appropriately align resources to risks.
The results of beneficiary audits are used to identify and report on E-rate compliance issues, but GAO found that the information gathered from the audits has not been effectively used to assess and modify the E-rate program's internal controls. As a result, the same rule violations have been repeated each year for which beneficiary audits have been completed. For example, of 64 beneficiaries that had been audited more than once over a 3-year period, GAO found that 36 had repeat audit findings of the same rule violation.
GAO found that the current beneficiary audit process lacks documented and approved policies and procedures. Without such policies and procedures, management may not have the assurance that control activities are appropriate and properly applied. Documented and approved policies and procedures could contribute positively to a systematic process for considering beneficiary audit findings when assessing the E-rate program's internal controls and in identifying opportunities to modify existing controls.
GAO recommends that FCC conduct a robust risk assessment of the E-rate program, conduct a thorough examination of the overall design of E-rate's internal control structure, implement a systematic process to assess internal controls that appropriately considers beneficiary audit findings, and establish procedures to periodically monitor controls.
The Federal Communications Commission agreed with GAO's recommendations.
(GAO-10-908)