Veterans Health Care and IT Acquisition Added to GAO's High-Risk List

Agencies have made “solid, steady progress” in addressing the vast majority of the Government Accountability Office’s high-risk areas, but concerns remain over the low percentage of recommendations actually implemented, the watchdog told Congress on Wednesday,

Comptroller General Gene Dodaro, in releasing the 2015 update of the list to the Senate Homeland Security and Governmental Affairs Committee, added two new areas: Managing risks while improving health care delivered by the Veterans Affairs Department and improving management of information technology purchasing governmentwide.

The reaction among senators was bipartisan enthusiasm for GAO’s work. “One reason GAO is the subject of our third hearing,” said new Chairman Sen. Ron Johnson, R-Wis., “is that during the last two years the high-risk list has saved $40 billion.” He called GAO “this committee’s favorite agency” and promised to fully fund it since it “now has its lowest staff level since World War II.”

Ranking member Sen. Tom Carper, D-Del., said, “My wife’s a big believer in to-do lists, and GAO has provided an incredibly important to-do list.” Carper welcomed Dodaro as partner in reducing waste and improving efficiency.

The high-risk list, which has been compiled at the start of each Congress since 1990, was expanded on Wednesday to 32 areas of concern, with a new ratings system. In 18 of the previous 30 areas, agencies “at least partially met” criteria for getting off the high-risk list—criteria that include leadership commitment, agency capacity, an action plan, monitoring efforts and demonstrated progress.

The report said managers in 11 areas met at least one of the criteria for removal and partially met all others. It cited progress sufficient enough to narrow the scope of two high-risk issues—enhanced Food and Drug Administration oversight of medical products and Defense Department contract management.

Johnson was less optimistic about VA health care—the subject of a scandal last summer that cost top officials their jobs—and the unresolved personal privacy questions that prevent progress on information sharing to beef up cybersecurity. “My staff found that of 100 GAO recommendations, agencies have not implemented 80 percent,” Johnson said. “My hope is that this hearing results in some kind of control so that things are actually implemented.”

Over the past five years, Dodaro testified, GAO made 737 recommendations, and only 23 percent were implemented.

In the high-risk area of tax administration at the Internal Revenue Service, Dodaro cited enough progress to narrow issues, but announced that GAO has expanded the category to include identity theft—which cost the government some $5.8 billion in fiscal 2013.

At the VA, Dodaro said, the areas of concern include “ambiguous policies, inadequate oversight and accountability, IT challenges, inadequate training and unclear resource needs.” He also predicted some implementation challenges to the $15 billion in new money Congress provided last year. Dodaro has met with Secretary Robert McDonald, he said, and discussed such issues as the patient care scheduling program, which relies on software that is 30 years old.

In the IT acquisition area, Dodaro said GAO will be monitoring implementation of the 2014 Federal IT Acquisition Reform Act and agency efforts to reduce cost overruns and wasteful obsolete purchases.

In Defense contract management, the comptroller general praised the tools and techniques the Pentagon has deployed to reduce time-and-materials contracts and sharpen oversight. “But we need to fix services acquisition, and build an acquisition workforce commensurate with the challenges,” he said.

Of the new additions in veterans health care and cybersecurity, he added, “Neither will be solved under this administration, so it’s important that we have continuity.”

He pointed to three key ingredients to getting off the list-- leadership engagement, as at Homeland Security, IRS and NASA, “a good plan in place and engagement from Congress.” He also cited Homeland Security as a role model for continuing progress despite changing leadership—after he sent department officials a 29-page letter on how to get off the high-risk list.

Sen. Claire McCaskill, D-Mo., marked the change in Senate leadership, saying, “A GAO report is the same whether you’re a Democrat in the majority or a Republican in the minority.” She asked Dodaro about how his agency deals with the uncertainties of budget stalemates and threatened shutdowns, to which he replied, “Trying to run the GAO under a continuing resolution is a difficult process.”

Sen. Heidi Heitkamp, D-N.D., told Dodaro she was frustrated at the lack of a “systematic process” for making sure agencies take GAO’s list seriously. “We need more of a focus on implementation, or we’ll be back in a year talking to each other,” she said. “To the extent you need us to play bad cop, we’re ready.”

A press conference before the morning hearing included the two top leaders of the House Oversight and Government Reform Committee, which planned its own hearing with Dodaro Wednesday afternoon. “While some federal programs have implemented the necessary reforms to reduce their high risk status, it is concerning that six programs have remained on the list for twenty-five years,” said Chairman Rep. Jason Chaffetz, R-Utah. “It is important that we carefully review programs with perpetual ‘high risk’ status to see why the GAO’s recommendations are not being implemented and what steps need to be taken to mitigate risk.”

Ranking member Rep. Elijah Cummings, D-Md., added, “If there is one thing we should take away from GAO’s new report today, it is that we need to focus much greater effort on combating cyberattacks and preventing data breaches, which are a clear and present danger to our national and economic security. Congress and the executive branch must do all we can to mitigate risks at federal agencies and ensure that American consumers are protected when they provide their personal information to private companies.”