Appendix A4. M-18-20 - Appendix C to Circular No. A-123, Requirements for Payment Integrity Improvement

APP A4. M-18-20- Appendix C.pdf

Third National Survey of WIC Participants (NSWP-III)

Appendix A4. M-18-20 - Appendix C to Circular No. A-123, Requirements for Payment Integrity Improvement

OMB: 0584-0641

Document [pdf]
Download: pdf | pdf
APPENDIX A4
M-18-20-APPENDIX C TO CIRCULAR NO. A-123 REQUIREMENTS FOR
PAYMENT INTEGRITY IMPROVEMENT

EXECUTIVE OFFICE OF THE PRESIDENT 

OFFICE OF MANAGEMENT AND BUDGET 

WASHINGTON , D .C.

20503 


June 26, 2018
THE DIRECTOR

M-18-20
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

.j,~ 


FROM: 	

M_ick Mulvaney
Director

SUBJECT: 	

Transmittal of Appendix C to OMB Circular A-123, Requirements for Payment
Integrity Improvement

Jr'r'1­

This Administration has made reducing improper payments and protecting taxpayer
money a top priority. We are also committed to reducing administrative burden so that agencies
can focus on preventing improper payments and ensuring taxpayer money is serving its intended
purpose. Requirements for payment integrity should be more than a compliance exercise,
therefore, this guidance aims to ensure that federal agencies focus on prevention and have the
proper incentives to improve their improper payments rates.
The goal of this revised version of OMB Circular A-123 ' s Appendix C is to transform the
improper payment compliance framework to create a more unified, comprehensive, and less
burdensome set of requirements.
Appendix C to OMB Circular A-123 (which was last updated in October 2014 as OMB
Memorandum M-15-02) is hereby modified. Unless otherwise noted in the guidance, the
requirements found in Appendix Care effective starting in Fiscal Year 2018. OMB will continue
to work closely with agencies and Inspectors General to provide further implementation
guidance as needed.
Please contact Heather Pajak ([email protected]) in OMB's Office of Federal 

Financial Management with any questions regarding this guidance. 

Attachment 


APPENDIX C
Requirements for Payment Integrity

Improvement


TABLE OF CONTENTS
INTRODUCTION ............................................................................................................................... 5

OVERVIEW ...................................................................................................................................... 6

PART I – DEFINITIONS AND DETERMINATIONS ............................................................................. 8

Which agencies are required to comply with the requirements of IPIA, IPERA, and IPERIA? 8

A) Defining Improper Payments and Programs or Activities......................................................... 8

What is an improper payment? ........................................................................................... 8

What is a payment for an ineligible good or service?......................................................... 9

What constitutes an improper loan or loan guarantee payment? ........................................ 9

What is a program or activity?............................................................................................ 9

Significant Improper Payments............................................................................................... 10

When is a program susceptible to significant improper payments under IPIA?............... 10

What steps is an agency required to take to determine whether a program is susceptible to

significant improper payments?........................................................................................ 10

C) Risk Assessments..................................................................................................................... 11

When must agencies conduct risk assessments?............................................................... 11

How should agencies conduct improper payment risk assessments? ............................... 11

Must agencies include payments to employees in improper payment risk assessments?. 13

Must agencies include payments related to charge cards in improper payment risk

assessments? ..................................................................................................................... 13

Must agencies review intra-governmental transactions? .................................................. 14

D) Sampling and Estimation......................................................................................................... 14

1) How should a program obtain a statistically valid estimate of the annual amount of

improper payments?.......................................................................................................... 14

2) May agencies use a non-statistically valid sampling and estimation approaches? .............. 19

3)

What information should agencies provide to persons or entities producing improper

payment estimates? ........................................................................................................... 20


4)

Are agencies allowed to rely upon self-reporting by recipients of agency payments when 

estimating improper payments? ........................................................................................ 21


5)

Are agencies allowed to implement an estimation approach that excludes improper

payments that have been subsequently corrected and recovered from the annual estimate?

........................................................................................................................................... 21


6)

Should data used for estimating improper payments coincide with the fiscal year being

reported in the AFR or PAR?............................................................................................ 21


7)

What are Federally-funded, State-administered programs, and may agencies consider

other approaches for these types of programs?................................................................. 22


PART II – REPORTING .................................................................................................................. 23

A) Improper Payment Reporting .................................................................................................. 23

What reporting and deliverable requirements should agencies be aware of? ................... 23

1

Where can agencies find detailed reporting requirements for improper payments? ........ 23

Are programs that are identified as susceptible to significant improper payments, and that

annually report improper payment estimates, permanently subject to improper payments

reporting requirements? .................................................................................................... 23

Are programs and activities that have been deemed susceptible to significant improper

payments outside of the standard risk assessment designation (e.g. OMB Circular A-11, 

Exhibit 57 or the Disaster Relief Appropriations Act) permanently subject to improper

payments reporting requirements?.................................................................................... 24

Is there additional guidance for programs deemed susceptible to significant improper

payments under the Disaster Relief Appropriations Act of 2013 or the Bipartisan Budget

Act of 2018??.................................................................................................................... 25

B) HIGH-PRIORITY PROGRAM REQUIREMENTS .............................................................................. 25

How does OMB determine high-priority programs as required under IPERIA? ............. 25

What are the additional requirements for high-priority programs? .................................. 25

What are the additional requirements for high-priority programs regarding corrective

actions? ............................................................................................................................. 26

Are there any additional reporting requirements for agencies that have high-priority

programs?.......................................................................................................................... 26

What are the requirements for establishing semi-annual or quarterly actions for reducing

improper payments in high-priority programs? ................................................................ 26

Which tools should agencies use to identify semi-annual or quarterly actions? .............. 27

When will agencies report semi-annual or quarterly actions? .......................................... 27

C) ROOT CAUSE CATEGORIES FOR IMPROPER PAYMENTS ............................................................. 27

What categories should agencies use when reporting improper payment estimates? ...... 27

How should agencies treat the reporting of improper payments made as a result of fraud?

........................................................................................................................................... 31

PART III – PREVENTION AND RECOVERY.................................................................................... 32

A) Preventing and Reducing Improper Payments ........................................................................ 32

How should programs prevent and reduce improper payments?...................................... 32

What factors should be assessed when developing a plan to improve the prevention and 

reduction of improper payments? ..................................................................................... 32

When and how should programs establish reduction targets? .......................................... 33

Who should be accountable for improving the prevention and reduction of improper

payments? ......................................................................................................................... 33

B) Internal Control Over Payment Integrity ................................................................................. 34

1) What are the criteria as to when an agency should initially be required to obtain an 

opinion on internal control over payment integrity?......................................................... 34

How does Enterprise Risk Management apply to improper payments? ........................... 35

3)

How do internal control standards apply to improper payments? .................................... 36

2

Payment Recapture Audits...................................................................................................... 39

1) What are the definitions used for payment recapture auditing in this guidance? ............. 39

2)

What are the general agency requirements for implementing a payment recapture audit 

program? ........................................................................................................................... 40


3)

Should agencies establish targets for their payment recapture audit programs? .............. 40


4)

What is the scope for payment recapture audit programs? ............................................... 40


5)

What criteria could an agency consider in determining whether a payment recapture audit

is cost-effective? ............................................................................................................... 41


6)

What should an agency do if it determines that a payment recapture audit program would 

not be cost-effective? ........................................................................................................ 42


7)

Should the agency follow any particular procedures when conducting payment recapture

audits of grants payments?................................................................................................ 43


8)

Can Federal agencies provide money to States and Local governments for Financial

Management Improvement efforts?.................................................................................. 43


9)

Who may perform payment recapture audits? .................................................................. 43


10) May contractors perform payment recapture audit services? ........................................... 43

11) Are there any specific requirements when using a contracted payment recapture auditing

firm?.................................................................................................................................. 44

12) Are there any prohibitions when using a payment recapture audit contractor?................ 44

13) Who performs recovery activities once the improper payments are discovered and 

verified? ............................................................................................................................ 45

14) What is the proper disposition of recovered amounts?..................................................... 45

15) Are agencies authorized to implement Financial Management Improvement Programs? 48

16) What are the reporting requirements for payment recapture audits?................................ 48

17) How are improper payment estimates different from payment recapture audit efforts? .. 48

PART IV – COMPLIANCE WITH THE IMPROPER PAYMENT REQUIREMENTS.............................. 49

A. RESPONSIBILITIES OF AGENCY INSPECTORS GENERAL .............................................................. 49

1) How often should each agency Inspector General review improper payment performance

to determine whether the agency is in compliance under IPERA?................................... 49

2)	 When should the agency Inspector General complete its review of agency compliance 

under IPERA? ................................................................................................................... 49

3)	 What should each agency Inspector General review to determine if an agency is in

compliance under IPERA?................................................................................................ 49

4)	 What should the agency Inspector General include in its compliance review and report?

........................................................................................................................................... 50

5)	 How should the agency Inspector General determine compliance with reduction targets?

........................................................................................................................................... 51


3

6)	 Who should the agency Inspector General notify when it has completed its determination

of whether an agency is in compliance under IPERA?..................................................... 52

B. RESPONSIBILITIES FOR AGENCIES .............................................................................................. 53

1) What are the requirements for agencies not compliant under IPERA? ............................ 53

2)

What should the agency do to be compliant under IPERA?............................................. 54


PART V – THE DO NOT PAY INITIATIVE ..................................................................................... 56

A) Background.............................................................................................................................. 56

B) Scope and Applicability........................................................................................................... 56

C) Definitions................................................................................................................................ 58

General Guidance.................................................................................................................... 60

1) What is the “Do Not Pay” Initiative?................................................................................... 60

2) What is the Treasury Working System? .............................................................................. 61

Does the Treasury Working System identify whether a payment is proper or improper? 61

What does the Treasury Working System offer to user agencies? ................................... 61

How should agencies effectively use the Treasury Working System? ............................. 62

Which payments are matched through Treasury’s Working System?.............................. 63

Roles and Responsibilities ...................................................................................................... 64

What are OMB’s responsibilities relating to the DNP Initiative? .................................... 64

What is Treasury responsible for in the DNP Initiative?.................................................. 64

What are original source agencies responsible for in the DNP Initiative? ....................... 65

What are payment-certifying agencies responsible for in the DNP Initiative? ................ 65

What are agencies’ Senior Agency Officials for Privacy responsible for in the DNP

Initiative? .......................................................................................................................... 66

Databases in the DNP Initiative.............................................................................................. 66

What databases are included in the DNP Initiative?......................................................... 66

How do agencies propose additional databases for designation? ..................................... 67

How are additional government databases designated for inclusion in the DNP Initiative?

........................................................................................................................................... 67

What are the requirements regarding the use or access of commercial databases?.......... 68

Use, Maintenance, Duplication, and Redisclosure of Records ............................................... 70

Retention and Destruction of Records .................................................................................... 70

Procedural Safeguards ............................................................................................................ 70

Correction of Data................................................................................................................... 71

Computer Matching Agreements for Do Not Pay .................................................................. 72

General Guidance on Matching Programs and Review by Data Integrity Boards ................. 73

Cost Benefit Analysis ............................................................................................................. 74

Public Availability of Computer Matching Agreements ........................................................ 75

Federal Improper Payments Coordination Act (FIPCA) of 2015........................................... 75

Requirements for Inspectors General in the Do Not Pay Initiative ........................................ 76


4

INTRODUCTION

As defined in 31 U.S.C. § 3321 note, the term ”improper payment”­
"(A) means any payment that should not have been made or that was made in an
incorrect amount (including overpayments and underpayments) under statutory, contractual,
administrative, or other legally applicable requirements; and
"(B) includes any payment to an ineligible recipient, any payment for an ineligible
good or service, any duplicate payment, any payment for a good or service not received
(except for such payments where authorized by law), and any payment that does not
account for credit for applicable discounts. 1
In the broadest sense, improper payments fall into three categories: intentional fraud and abuse,
unintentional payment errors, and instances where the documentation for a payment is so
insufficient that the reviewer is unable to discern whether a payment is proper. While all
improper payments are harmful to the integrity and reputation of federal payment systems and
the Federal Government as a whole, not all improper payments result in a monetary loss to the
Federal Government.
Through this guidance and data available on www.paymentaccuracy.gov, the Office of
Management and Budget (OMB) will continue to strengthen its focus on the prevention of
improper payments that result in a monetary loss to the Federal Government and continue its
collaborative work across the Federal Government to report, assess, analyze, and improve the
prevention of improper payments.

Unless otherwise noted, the requirements found in this guidance are effective for fiscal year (FY)
2018 and beyond. This guidance implements the requirements from the following laws:
• Improper Payments Information Act of 2002 (IPIA) 2;
• Improper Payments Elimination and Recovery Act of 2010 (IPERA); and
• Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA)
Issuance of this guidance hereby modifies Appendix C to OMB Circular A-123 (2014). This
guidance replaces OMB Memorandum M-12-11, Reducing Improper Payments through the “Do
Not Pay List,” OMB Memorandum M-13-20, Protecting Privacy while Reducing Improper
Payments with the Do Not Pay Initiative, and OMB Memorandum M-15-02, Appendix C to
Circular No. A-123, Requirements for Effective Estimation and Remediation of Improper
Payments.

1

See section 2(g)(2) of the Improper Payments Information Act of 2002.

Unless otherwise indicated, from this point forward in the guidance the term “IPIA” will imply “IPIA, as amended

by IPERA and IPERIA.”


2

5

Throughout the Appendix, the terms “Must” and “Will” denote a requirement that management
will comply in all cases. “Should” indicates a presumptively mandatory requirement except in
circumstances where the requirement is not relevant for the Agency. “May” or “Could” indicate
best practices that may be adopted at the discretion of management.

OVERVIEW
Before the passage of IPIA, there was no overarching government-wide framework for
measuring Federal improper payments and improving payment integrity. Between 2002 and
2009, as more agencies began measuring and reporting improper payment estimates for their
programs, it became increasingly clear that Federal improper payments represented a significant
management challenge. As a result, the Federal Government built a robust infrastructure of
legislative and administrative requirements with which agencies must comply in order to prevent
improper payments. These requirements are described in detail herein. The following
paragraphs of this section provide a cursory overview of some of the key Appendix C
requirements.
Programs or Activities NOT Susceptible to Significant Improper Payments. IPERA requires that
all programs or activities not currently reporting an annual improper payment estimate assess
their risk for improper payments. If an agency determines that a program or activity is not
susceptible to significant improper payments, the agency must re-assess that program’s improper
payment risk at least once every three years.
Programs or Activities Susceptible to Significant Improper Payments. If an agency determines a
program to be susceptible to significant improper payments, the agency is required to estimate
and report improper payments for that program annually.
Annual Improper Payment Estimates. In accordance with IPERA, programs that are determined
to be susceptible to significant improper payments must produce a statistically valid estimate of
the improper payment made.
Annual Reporting. Most improper payments reporting requirements are met through annual data
requests from OMB and/or an agency’s Agency Financial Report (AFR) or Performance and
Accountability Report (PAR). 3 Agencies should consult OMB Circular A-136 for details on
annual payment integrity reporting.
High-Priority Programs. IPERIA requires OMB to designate the programs with the most
egregious cases of improper payments as high-priority; and requires those programs to submit
semi-annual or quarterly actions to reduce improper payments, as a tool for tracking progress.
Preventing Improper Payments. Programs susceptible to significant improper payments must
identify the root causes of the improper payments and implement appropriate corrective actions
to prevent and reduce improper payments.
3

Per OMB Circular No. A-136, agencies may choose either to produce a consolidated PAR or to produce a separate
AFR and Annual Performance Report (APR).

6

Internal Control Over Payments. As agencies implement Appendix C, they should approach
improper payments with an Enterprise Risk Management framework in mind and link agency
efforts in establishing internal controls and preventing improper payments.
Payment Recapture Audits. One fundamental requirement that agencies must meet is to recover
any Federal dollars that are a monetary loss to the Government unless legislation specifically
prevents such recovery. IPERA requires any program that expends at least $1 million during the
year to implement payment recapture audits, if cost effective to the agency, in order to recover
improper payments. The requirement to conduct payment recapture audits is independent of
whether a program is susceptible to significant improper payments.
Annual Inspector General Compliance Review. IPERA adds an important component of
accountability to the entire spectrum of improper payment efforts. Every year, each agency
Inspector General reviews its agency improper payment reporting in the agency’s AFR or PAR
and any accompanying material such as that provided on paymentaccuracy.gov to determine if
the agency complies with IPERA and OMB guidance.
The Do Not Pay Initiative. The Do Not Pay (DNP) Initiative supports Federal agencies in
identifying and preventing improper payments. The DNP Initiative encompasses multiple
resources that are designed to help Federal agencies review payment eligibility for purposes of
identifying and preventing improper payments.

7

PART I – DEFINITIONS AND DETERMINATIONS

Which agencies are required to comply with the requirements of IPIA, IPERA, and
IPERIA?
Section 102 of title 31, United States Code, broadly defines the agencies required to comply with
IPIA, IPERA, and IPERIA as “a[ny] department, agency, or instrumentality in the executive
branch of the United States Government.”
A) Defining Improper Payments and Programs or Activities
What is an improper payment?
An improper payment is any payment that should not have been made or that was made in an
incorrect amount under statutory, contractual, administrative, or other legally applicable
requirements.
Incorrect amounts are overpayments or underpayments that are made to eligible recipients
(including inappropriate denials of payment or service, any payment that does not account for
credit for applicable discounts, 4 payments that are for an incorrect amount, and duplicate
payments). An improper payment also includes any payment that was made to an ineligible
recipient or for an ineligible good or service, or payments for goods or services not received
(except for such payments authorized by law).
In addition, when an agency’s review is unable to discern whether a payment was proper as a
result of insufficient or lack of documentation, this payment should also be considered an
improper payment. When establishing documentation requirements for payments, agencies
should ensure that all documentation requirements are necessary and should refrain from
imposing additional burdensome documentation requirements.
Interest or other fees that may result from an underpayment by an agency are not considered an
improper payment if the interest was paid correctly. These payments are generally separate
transactions and may be necessary under certain statutory, contractual, administrative, or other
legally applicable requirements.
A “questioned cost” 5 should not be considered an improper payment until the transaction has
been completely reviewed and is confirmed to be improper.

4

Applicable discounts are only those discounts where it is both advantageous and within the agency’s control to
claim them.
5
The term ‘questioned cost’ is defined under the Uniform Guidance, 2 C.F.R. Part 200.84, as follows: “Questioned
cost means a cost that is questioned by the auditor because of an audit finding: (a) Which resulted from a violation
or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used
to match Federal funds; (b) Where the costs, at the time of the audit, are not supported by adequate documentation;
or (c) Where the costs incurred appear unreasonable and do not reflect the actions a prudent person would take in the
circumstances.”

8

The term “payment” in this guidance means any disbursement or transfer of Federal funds
(including a commitment for future payment, such as cash, securities, loans, loan guarantees, and
insurance subsidies) to any non-Federal person, non-Federal entity, or Federal employee, that is
made by a Federal agency, a Federal contractor, a Federal grantee, or a governmental or other
organization administering a Federal program or activity.
The term “payment” includes disbursements made pursuant to prime contracts awarded under the
Federal Acquisition Regulation and Federal awards subject to the 2 C.F.R. Part 200 – Uniform
Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards
(Uniform Guidance) that are expended by recipients.
What is a payment for an ineligible good or service?
A payment for an ineligible good or service includes a payment for any good or service that is
not permitted under any provision of a contract, grant, cooperative agreement, lease or other
funding mechanism. In addition, ineligible goods and services may include goods and services
not received.
What constitutes an improper loan or loan guarantee payment?
Under a direct loan program, improper payments may include disbursements to borrowers or
other payments by the Government to non-Federal entities that are based on incomplete,
inaccurate, or fraudulent information. They may also include disbursements or other payments
that are duplicative, in an incorrect amount, or for purposes other than those allowed by law,
program regulations, or agency policy.
Under a loan guarantee program, an improper payment may include payments by the
Government to non-Federal entities for defaults, delinquencies, interest and other subsidies, or
other payments that are based on incomplete, inaccurate, or fraudulent information. They may
also include duplicate payments, payments in an incorrect amount, or any payments that are not
in compliance with law, program regulations, or agency policy.
What is a program or activity?
As it relates to improper payments, IPIA anticipates that agencies will examine the risk of, and
feasibility of recapturing, improper payments in all programs and activities administered. The
term “program” includes activities or sets of activities recognized as programs by the public,
OMB, or Congress, as well as those that entail program management or policy direction. 6 This
definition includes, but is not limited to, all grants including competitive grant programs and
block/formula grant programs, non-competitive grants such as single-source awards, regulatory
activities, research and development activities, direct Federal programs, all types of
procurements (including capital assets and service acquisition), and credit programs. It also
includes the activities engaged in by the agency in support of its programs.

6

The term “program” in this guidance implies “program and activity.”

9

For the purposes of this guidance, each Federal agency, is authorized to determine the definition
of “program” that most clearly identifies and reports improper payments for their agency. For
Federal awards subject to the Single Audit Act or otherwise listed in the Catalog of Federal
Domestic Assistance (CFDA), agencies may consider using the groupings in the Compliance
Supplement for Single Audits (referred to as “clusters of programs”) and the CFDA. Agencies
may also consider using the grouping by program activity as defined in OMB Circular A-11 and
used to comply with the Digital Accountability and Transparency Act of 2014 (DATA Act).
Agencies should not put programs or activities into groupings that may mask significant
improper payment rates by the large size or scope of a grouping. In addition, agencies should
not report subcomponents of a large program in an effort to reduce the size and fall below the
statutory thresholds. For transparency, agencies may report the basis for these groupings in the
agency’s AFR or PAR.

Significant Improper Payments
When is a program susceptible to significant improper payments under IPIA?
For the purposes of this guidance, “significant improper payments” are defined as gross annual
improper payments (i.e., the total amount of overpayments and underpayments) in the program
exceeding (1) both 1.5 percent of program outlays and $10,000,000 of all program or activity
payments made during the fiscal year reported or (2) $100,000,000 (regardless of the improper
payment percentage of total program outlays).
What steps is an agency required to take to determine whether a program is susceptible
to significant improper payments?
Agencies are required to follow these steps to determine whether the program or activity is
susceptible to significant improper payments and to provide annual estimates of improper
payments. 7 The agency is responsible for maintaining the documentation to demonstrate that the
following steps (if applicable) were satisfied.
a.	 Risk Assessments: Review all programs and activities and identify those that are 

susceptible to significant improper payments. (See Part I.C. – Risk Assessments)

b.	 Sampling and Estimation: Obtain a statistically valid estimate of the annual amount of
improper payments in programs and activities for those programs that were identified in
the risk assessment as susceptible to significant improper payments. (See Part I.D. –
Sampling and Estimation)

7

Improper payment rates referenced here and throughout this guidance should be based on dollars rather than
number of occurrences. In other words, the improper payment rate should be the amount in improper payments
divided by the amount in program outlays for a given program in a given fiscal year (rather than the number of
improper payments divided by the total number of payments).

10

C) Risk Assessments
When must agencies conduct risk assessments?
For programs that are deemed to be not susceptible to significant improper payments (See Part
I.B.1. for thresholds), agencies must perform risk assessments at least once every three years.
However, if a program that is on a three year risk assessment cycle experiences a significant
change in legislation and/or a significant increase in its funding level, agencies may need to re­
assess the program’s risk susceptibility during the next annual cycle, even if it is less than three
years from the last risk assessment.
For newly established programs, a risk assessment should be completed after the first 12 months
of the program. If the first 12 months do not coincide with the fiscal year the program should
consult with OMB to determine the most appropriate timeframe for assessment.
Programs already reporting an improper payment estimate under Part I.B of this guidance do not
need to perform an additional improper payment risk assessment as the quantitative method used
for reporting the annual estimate fulfills the risk assessment requirement under IPERA.
How should agencies conduct improper payment risk assessments?
a.	 Systematic Method. All agencies should institute a systematic method of reviewing all
programs once every three years 8 with the end goal of determining whether the program is or
is not susceptible to significant improper payments.
b.	 Risk Factors: In accordance with IPERA, when conducting improper payment risk
assessments, agencies should take into account those risk factors that are likely to contribute
to a susceptibility of significant improper payments, 9 such as:
i. Whether the program or activity reviewed is new to the agency;
ii.	 The complexity of the program or activity reviewed, particularly with respect to
determining correct payment amounts;
iii. The volume of payments made annually;
iv. Whether payments or payment eligibility decisions are made outside of the agency,
for example, by a State or local government, or a regional Federal office;
v. Recent major changes in program funding, authorities, practices, or procedures;
vi.	 The level, experience, and quality of training for personnel responsible for making
program eligibility determinations or certifying that payments are accurate; and

8

A cycle of improper payment risk assessment occurring once every three years is contingent upon no significant
legislative or programmatic changes occurring, as well as no significant funding increases and/or any change that
would result in substantial program impact. If such change(s) occur, the program must perform a risk assessment as
part of its next risk assessment cycle.
9
Risk factors likely to contribute to improper payments should be taken into account when designing a systematic
method for evaluating improper payment risk regardless of which method (quantitative or qualitative) is used to
evaluate whether the program or activity is susceptible to significant improper payments.

11

vii. Significant deficiencies in the audit reports of the agency including, but not limited

to, the agency Inspector General or the Government Accountability Office (GAO)
audit report findings, or other relevant management findings that might hinder
accurate payment certification.
c.	 Quantitative Method: Improper payment risk assessments conducted prior to FY 2020 may
use qualitative or quantitative methods. Beginning in FY 2020, programs with outlays for a
12-month period exceeding $5 billion should use a quantitative evaluation as the systematic
method for review. If a program used a qualitative method prior to FY 2020, the program
may consider continuing to use that method unless the IPERA compliance review has
identified that the previously used qualitative method did not reasonably support whether the
program’s improper payments were above or below the statutory threshold established under
IPIA. Newly established programs with outlays exceeding $5 billion in a 12-month period
may use a qualitative or quantitative method for the first improper payment risk
assessment. 10
In cases where a quantitative improper payment risk assessment is conducted, it could take
one of several forms, such as:
i.	 A statistical assessment similar to what is required for the regular improper payment
estimate. (See Part I.A.B)
ii.	 A non-statistical assessment where a subset of the population is sampled non-randomly
and then its ratio of improper payments is projected to the annual outlays. Examples of
non-statistical improper payment risk assessments include, but are not limited to:
a.	 Reviewing a sample of one month's worth of data for a program and then project
the results of that sample out to the full year.
b.	 Reviewing a sample of the riskiest segment of a program and then project the
results of that sample out to the whole population.
c.	 Reviewing a percentage of the years outlays and projecting those results out to
the whole population.
d.	 Leveraging the results of an agency’s recapture program and other audit/review
programs; known improper payments are aggregated and projected out to the
whole population, as necessary, if the scope of the audit/review programs did
not cover the entire population.
Any simple projection calculation would be the improper payments in a sample divided by
the outlays in that sample, and then that ratio multiplied by the total annual outlays for that
population. Quantitative risk assessments can be enacted with the assistance of a qualified
statistician, but do not need to be.
d.	 Qualitative Method: For programs with outlays for a 12-month period less than or equal to $5
billion this systematic method could be a quantitative evaluation or a qualitative method
(e.g., a risk-assessment questionnaire). When appropriate, agencies may leverage other
10

If the program uses a qualitative risk assessment the first year the program may consider continuing to use that
method unless the IPERA compliance review has identified that the previously used qualitative method did not
reasonably support whether the program’s improper payments were above or below the statutory threshold
established under IPIA.

12

existing processes to help implement this systematic method. For example, if a program
chose to develop and implement an improper payment risk-assessment questionnaire, the
program might consider leveraging another existing similar tool, such as an internal control
questionnaire. If a qualitative method is used it must be designed to accurately determine
whether the program is or is not susceptible to significant improper payments.
e.	 Other Programs Susceptible to Significant Improper Payments. OMB may determine on a
case-by-case basis (e.g., if an audit report raises questions about an agency’s risk assessment
or improper payments results) that certain programs that do not meet the threshold
requirements described above may still be subject to the annual improper payment reporting
requirements. OMB may also determine on a case-by-case basis that certain programs must
conduct a quantitative risk assessment regardless of program outlays or agency Inspector
General agreement that a qualitative approach is appropriate.
Must agencies include payments to employees in improper payment risk assessments?
Yes. IPERIA amended the definition of “payment” in IPIA to include payments made to Federal
employees, in addition to payments made to non-Federal persons or entities. Therefore, agencies
must include payments made to employees (including salary, locality pay, travel pay, and other
payments to Federal employees) in the risk assessments and, if applicable, in improper payment
estimates (the following fiscal year).
For improper payment reporting purposes, when a shared service provider is responsible for the
actual disbursements of payments to employees (for example, payroll) on behalf of a customer
agency, the customer agency and shared service provider 11 should assess only the portions of the
process that are within their respective control. For example, if the shared service provider is
making the payments on behalf of the agency, the agency would likely assess their processes up
to providing the information to the shared service provider and the shared service provider would
likely assess their process from that point until the payment is made.
Must agencies include payments related to charge cards in improper payment risk
assessments?
Yes. Agencies should include such payments in risk assessments and, if applicable, in improper
payment estimates (the following year). Agencies may leverage guidance in OMB Circular A­
123, Appendix B—Improving the Management of Government Charge Card Programs—and
OMB Memorandum M-13-21—Implementation of the Government Charge Card Abuse
Prevention Act of 2012—when performing these risk assessments. Agencies may also leverage
other reviews, including agency Inspector General reviews performed under the Government
Charge Card Abuse Prevention Act of 2012.

11

Shared service providers can leverage service organization internal control reports such as Reports on Controls at
a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (also known as SOC 1
Reports) or other OMB A-123 assessments.

13

Must agencies review intra-governmental transactions?
No. IPIA does not require agencies to include payments made by a Federal agency to another
Federal agency. Therefore, agencies are not obligated to review intra-governmental transactions.
However, any agency may review such payments, and must do so if directed by OMB.

D) Sampling and Estimation
1) How should a program obtain a statistically valid estimate of the annual amount of
improper payments?
Obtaining a statistically valid estimate should occur in the fiscal year following the fiscal year in
which the risk assessment was conducted under Part I.C. if the results of the risk assessment
indicated that the program was susceptible to significant improper payments.
Programs reporting improper payments for the first time and programs revising their current
methodology should conform to the process and content described below in steps 1 and 2. Once
a program has submitted a methodology to OMB the program does not need to resubmit a
methodology plan - unless an update to the plan is warranted. Programs that are currently using
methodologies submitted to OMB under the previous version of OMB Circular A-123’s
Appendix C do not need to resubmit a methodology plan—unless an update to the plan is
warranted. Programs should consider updating their plan if the program undergoes any
significant changes such as legislative, funding, structural, etc. 12 A sampling and estimation plan
checklist should accompany all sampling and estimation plans submitted to OMB. 13
An agency submitting multiple plans may submit them in one document if all of the plans are
statistically valid (as described below).
Step 1: Process. All programs and activities susceptible to significant improper payments
should design and implement appropriate statistical sampling and estimation methods to
produce statistically valid improper payment estimates. In doing so, agencies should
conform to the following process:
a.	 Annual Estimated Amount. For all programs and activities susceptible to significant
improper payments, agencies should determine an annual estimated amount of
improper payments made in those programs and activities. When calculating a
program’s annual improper payment amount, agencies should only utilize the amount
paid improperly. For example, if a $100 payment was due, but a $110 payment was
made erroneously, then the amount applied to the annual estimated improper payment
amount should be $10, rather than the payment amount of $110. Similarly, if a $100
payment was due, but a $90 payment was made erroneously, then the amount applied
to the annual estimated improper payment amount should be $10, rather than the
12

See Step 2.g below for examples of methodology plan updates that should or should not be resubmitted to OMB.
Programs submitting a sampling and estimation plan under this guidance should contact OMB to obtain the most
current checklist.
13

14

payment amount of $90. Agencies are required to determine an annual estimate that
is a gross total of both over and underpayments (i.e., overpayments plus
underpayments). However, in addition to the gross total, agencies are also allowed to
calculate and disclose in their AFRs or PARs the net total (i.e., overpayments minus
underpayments).
b.	 Statistical Sampling and Estimation Plans. Agencies are responsible for designing
and documenting their sampling and estimation plan(s). Each plan should be
prepared by a statistician 14 (either an agency employee or a contractor) and submitted
to OMB no later than June 30 of the fiscal year for which the estimate is being
produced (e.g., the sampling methodology to be used for the FY 2018 reporting cycle
must be submitted by June 30, 2018). The sampling and estimation plan must be
accompanied by a document certifying that the methodology will yield a statistically
valid improper payment estimate (See Part I.D.1.e).
c.	 Census Measurement Plans. Agencies may elect to perform a census instead of
statistical sampling and estimate plan. Agencies are responsible for designing and
documenting their census measurement plan(s); however, a census is not required to
be prepared by statistician since population estimates and sampling errors are not
applicable to this approach. Each plan should be submitted to OMB no later than
June 30 of the fiscal year for which the error rate is being produced (e.g., the census
methodology to be used for the FY 2018 reporting cycle must be submitted by June
30, 2018). The agency may also include a summary of their census measurement
plan in its AFR or PAR. The census measurement plan must be accompanied by a
document certifying that the methodology will yield a valid improper payment rate.
(See Part I.D.1.e).
d.	 Sampling plans are encouraged to utilize modern technology and computer software
to aid in improper payment estimates when possible. Sampling plans that review
100% of data using data analytics to identify potential improper payments that are
then further investigated manually to determine if those potential improper payments
are, in fact, improper, are utilizing a computer-assisted census (100% sampling plan).
e.	 Certification. IPERA requires agencies to produce statistically valid estimates of
improper payments (or to use a non-statistically valid methodology approved by
OMB), and therefore each plan must be accompanied by a certification stating that
the methodology will produce a statistically valid estimate. The certification should
be signed by an agency official of the agency’s choosing (e.g., this could be the Chief
Financial Officer, his/her Deputy, a program official, etc.). Upon receipt, OMB will
review the documents (i.e., the proposed statistical sampling plan and the
accompanying signed certification) to verify that they are complete and include all the
requisite components listed in Step 2 below. It is important to note that OMB will not
be issuing a formal approval to the agency for the statistically valid sampling plan—
14

This person should have training and experience designing statistical samples and using statistical methods to
calculate population estimates and sampling errors from a probability sample. This person would generally have an
advanced degree in statistics, biostatistics, mathematics, a quantitative social science, or a similar field.

15

rather, it is the agency’s responsibility to produce a statistically valid methodology.
The signed certification will serve as evidence that the agency believes the
methodology is statistically sound. OMB does reserve the right to raise questions
about the particular methodology, should the need arise.
f.	 Working with other Entities. Agencies may consider working with entities—such as
grant recipients—that are subject to Single Audits to leverage audits to assist in the
process to estimate an improper payment rate and amount.
g.	 Incorporating Recommendations. Whenever possible, agencies should incorporate
refinements to their improper payment methodologies based on recommendations
from agency staff or auditors (such as their agency Inspector General, GAO, or
private auditors).
Step 2: Content of Statistical Sampling and Estimation Plans. Agencies should clearly
and concisely describe the statistical methods that will be used to design and draw the
sample and produce an improper payment estimate for the program in question. The
plans should explain and justify why the proposed methodology is appropriate for the
program in question—this explanation must be supported by accurate statistical formulas,
tables, and any additional materials to demonstrate how the sampling and estimation will
be conducted and the appropriateness of those statistical methods for the program.
Agency sampling and estimation plans must be complete and internally consistent. The
following aspects must be clearly addressed:
a.	 Probability Sampling. Improper payment estimates should generally be based on
probability samples and should provide estimates of the sampling error for the
amount of the improper payments. Agencies may use simple random samples if those
are appropriate, but many agencies have employed more complex stratified 15 or
multi-stage or clustered samples in order to obtain estimates of different components
of the program that are more actionable than can be afforded by simpler sample
designs. Depending on the nature and distribution of the payments made by a
program, many agencies also use unequal probabilities of selection to capture larger
payments with higher probability (i.e., probability proportionate to size). If the
universe of payments for a program or a component/stratum of the program is small,
agencies may review a complete census of payments in those cases and would not
have any sampling error for that component or stratum. In the case of a census plan,
a statistician would not need to be consulted.
b.	 Assumptions about the amount of Improper Payments. The agency may use their
initial determination of the potential improper payment in their risk assessment,
above, to aid in determining the sample size. Since most agencies have been
conducting ongoing reviews of their improper payments for some time, they should
15

Stratification could be based on dollar amount, but any stratification that breaks a population into smaller
subgroups that have different improper payment risks would be appropriate. For example, in a payroll system where
annuities are paid, it might be appropriate to stratify the population of payments into new accounts (where most of
the risk might be) and established accounts (which might have less risk of being improperly paid).

16

utilize results from previous years and make appropriate adjustments to the sample
size and even the sample design based on previous findings in order to obtain a more
efficient sample or obtain more precise estimates of improper payments by program
component.
c.	 Appropriate Sample Sizes. Because of the imprecision of the risk assessment (See
Part I.A.C), agencies should ensure that they select a sample that will meet their
target precision rates. For initial estimates of improper payments, agencies should
take a conservative approach and use higher estimated improper payments in their
sample size calculations to ensure that they will meet the precision targets. As noted
above, since most agencies have been conducting ongoing reviews of their improper
payments for some time, they should utilize results from previous years and make
appropriate adjustments to the sample size. Agencies should include the
mathematical formula(s) used to compute their sample sizes in their methodologies.
d.	 Precision. IPERIA requires that all improper payment estimation plans be statistically
valid or obtain approval from the director of OMB. OMB categorizes sampling plans
into three groups:
1.	 Statistically Valid and Rigorous Plans
a.	 These plans are statistically valid (i.e. are based on unbiased randomized
sampling and produce valid point estimates and confidence intervals
around those estimates).
b.	 These plans obtain a +/-3% or better margin of error at the 95%
confidence level for the improper payment percentage estimate. (E.g. if an
agency estimates $10,000 of improper payments out of $50,000 in outlays,
it should have a margin of error of at least +/- $1500 at the 95%
confidence level (for a confidence interval of $8500 to $11500, or 17% to
23% of the outlays))
c.	 Agencies should see these types of plans as the target for improper
payment plans.
d.	 These plans are self-certified by each agency and do not require OMB
approval, although they must still be submitted to OMB by June 30th.
e.	 These plans should count reduction targets as being met if the 95%
confidence interval includes the reduction target (See Part IV.A.5).
f.	 Plans that use a census measurement plan would be counted as
‘statistically valid and rigorous’.
g.	 These plans are constructed in consultation with a statistician.
h.	 These plans cover the entire population for a program for the given Fiscal
Year.
2.	 Statistically Valid
a.	 These plans are statistically valid (i.e. are based on unbiased randomized
sampling and produce valid point estimates and confidence intervals
around those estimates).
17

b.	 These plans obtain a wider than +/-3% margin of error at the 95%
confidence level for the improper payment percentage estimate.
c.	 Agencies should work towards improving these plans to meet the
requirements for statistically valid and rigorous plans outlined above.
d.	 These plans are self-certified by each agency and do not require OMB
approval, although they must still be submitted to OMB by June 30th.
e.	 These plans should count reduction targets as being met only if their
estimated improper payment rate is lower than or equal to the reduction
target (See Part IV.A.5).
f.	 These plans are constructed in consultation with a statistician.
3.	 Non-Statistically Valid Plans
a.	 These plans use a non-statistically valid plan (i.e. does not meet the
requirements outlined above).
b.	 These plans must be approved by the Director of OMB. The agency must
clearly state the reasons why it cannot obtain a statistically valid estimate
when asking for approval.
c.	 These plans should count reduction targets as being met only if their
estimated improper payment rate is lower than or equal to the reduction
target (See Part IV.A.5).
d.	 For more information on non-statistically valid plans, see Question 2,
below.
e.	 These plans are constructed in consultation with a statistician.
f.	 These plans should be submitted by January 30th of the FY being sampled
(E.g., a plan measuring improper payments for FY2019 should be
submitted by January 30th, 2019).
e.	 Sample Design Documentation. Agency sampling and estimation plans should
generally provide sufficient documentation of the sample design so that a qualified
statistician would be able to replicate what was done or so that OMB, agency
Inspector General, or GAO personnel can evaluate the design. Agencies should
clearly identify the frame or source for sampling payments and document its accuracy
and completeness. All stages of selection, any stratification, and/or any clustering
should be clearly described. Explicit strata should be clearly defined, as should any
variables used for implicit stratification. Tables should generally be provided
showing the size of the universe and sample by strata (if applicable). Sampling plans
should also specify whether cases are selected with equal or unequal probabilities and
how the probabilities of selection are determined when they are unequal.
f.	 Documentation of Estimation Formulas. Agency sampling and estimation plans
should include documentation of the statistical formulas that will be used to estimate
the amount of improper payments (and the associated confidence intervals for the
sample) and to project those results to the entire program. Documentation should
include appropriate citations for these formulas. Agency sampling and estimation

18

plans must be complete and internally consistent (for instance, estimation formulas
must appropriately reflect the complexity of the sample design).
g.	 Updates and Changes to Agency Plans. Agencies should update their sampling and
estimation plans, as needed, to reflect the current design and methods being used and
incorporate refinements based on previous results, consultations with others, and/or
recommendations from Inspectors General, GAO, or OMB. Any updated plans will
need to be submitted to OMB no later than June 30 of the fiscal year for which the
estimate is being produced (e.g., the sampling methodology to be used for the FY
2014 reporting cycle must be submitted by June 30, 2014). The plans should include
all the components described in Steps 1 and 2 above. A plan that is being updated or
changed should include some language explaining why the plan is changing and how
the plan is different from the one previously submitted. Agencies should err on the
side of caution and resubmit their plans if they are in doubt as to whether or not they
need to.
The following are some examples for when an agency should or should not resubmit
a sampling and estimation plan to OMB:
i.	 A program changes the mathematical formula it uses to produce its
estimate—Resubmission needed.
ii.	 A program greatly increases its population universe by adding several new
types of payments—Resubmission needed.
iii.	 A newly identified program that is susceptible to improper payments
based on current risk assessment results-New submission needed.
iv.	 A program has an increase or decrease in sample size of less than 5% of
the previous sample size because of natural fluctuation in the population
size—Resubmission not needed
v.	 A program adds new strata or changes strata variables—Resubmission
needed.
vi.	 A program removes strata with no payment activity—Resubmission not
needed.
2) May agencies use a non-statistically valid sampling and estimation approaches?
IPERIA allows for non-statistically valid sampling plans if—and only if—an agency is unable to
meet the standard expectations for statistically valid sampling plans as outlined above. Agencies
must obtain OMB approval for non-statistically valid sampling plans. Non-statistically valid
plans must also be accompanied by a checklist. Agencies should submit an explanation and
justification to OMB for instances where a program is not able to produce a statistically valid
plan.
Non-statistically valid sampling plans should adhere to the following guidelines:
a.	 Non-statistically valid plans should be produced in consultation with a trained statistician,
just as a statistically valid plan should be.
19

b.	 Non-statistically valid plans should explain what structural problems are preventing them
from implementing a statistically valid plan, and how and when the agency plans to
resolve these.
c.	 Non-statistically valid plans should be temporary, not permanent plans, with frequent
investigation into whether or not a non-statistically valid plan is still necessary.
d.	 Agencies expecting to use a non-statistical sampling plan for an upcoming FY should
submit that plan by January 30th of that year beginning in FY19 (e.g. an agency planning
on using a non-statistical plan for a program for FY19 should plan should submit their
initial draft to OMB by January 30th, 2019).
e.	 Agencies expecting to implement non-statistically valid plans should be in
communication with OMB during the first quarter of the fiscal year, well before the
January 30th deadline for the year so that they have sufficient time to revise or rewrite
plans according to OMB’s guidance.
Example of a scenario where a non-statistically valid plan might be approved by OMB:
1.	 An agency has a program with an established improper payment review plan, that
samples 1/3 of the population each year over a period of three years (say 16 to 17 states
each year on a rotating basis). The plan is statistically valid for each one year estimate,
but produces a non-statistically valid three-year estimate for improper payments because
it does not cover its entire population each year. The agency should work with
statisticians to project their improper payments on a yearly basis and to develop an
improved methodology where each state would be sampled each year.
Each non-statistically valid plan must clearly and convincingly demonstrate that obtaining a
statistically valid plan is infeasible.
Additionally, OMB may conditionally approve a non-statistically valid plan for a set amount of
time (typically one fiscal year), while the agency corrects structural or resource-related problems
preventing it from implementing a statistically valid plan. An agency requesting such
conditional approval should be prepared to present OMB with the rationale for why they cannot
meet the statistically valid plan requirements and what steps they are taking to make a
statistically valid plan possible.
3)	 What information should agencies provide to persons or entities producing improper
payment estimates?
IPERIA requires OMB to instruct agencies to give persons or entities producing improper
payment estimates access to all necessary payment data, including access to relevant
documentation. In order to produce accurate improper payment estimates, agencies must provide
full documentation to persons or entities producing their improper payment estimates. In
addition, this documentation must be maintained for the length of time required by the National
Archives and Records Administration for the particular type of material being held in order for
20

post-payment audits to be performed and to allow internal and external auditors to replicate
reported results. For specific records retention requirements, agencies may contact their Senior
Agency Official, a listing of which can be found at http://www.archives.gov/records­
mgmt/agency/sao-list.html.
4)	 Are agencies allowed to rely upon self-reporting by recipients of agency payments when
estimating improper payments?
IPERIA requires OMB to explicitly bar agencies from relying on self-reporting by the recipients
of agency payments as the sole source basis for improper payments estimates. Specifically,
agencies should not base their improper payment estimates solely on self-reporting of actual
improper payments by the sub-agencies that made the payments or individuals or entities who
received the payments. In other words, agencies may not use self-reporting by recipients of
actual improper payments in lieu of a statistical estimate.
However, agencies may continue to utilize sub-agencies and recipients of Federal funding to
assist in the improper payment rate estimation process if the methodology is statistically valid
(or, in the case of non-statistically valid sampling and estimation plans, if approved by OMB)
and if the appropriate checks and balances are in place, including Federal oversight to ensure the
integrity of the process. For example, a Federal agency overseeing a Federally-funded, Stateadministered program may choose to ensure that a structured sampling methodology and
procedures are prescribed for states’ use for estimating and reporting improper payments using
information from a variety of sources, 16 and not just from the beneficiaries of the program.
Therefore, self-reported improper payments may be reported, but only in addition to the agency’s
statistical estimates.
5)	 Are agencies allowed to implement an estimation approach that excludes improper
payments that have been subsequently corrected and recovered from the annual
estimate?
IPERIA requires agencies to include all identified improper payments in the reported estimate,
regardless of whether the improper payment has been or is being recovered. Agencies may report
this amount separately in their AFR or PAR.
6)	 Should data used for estimating improper payments coincide with the fiscal year being
reported in the AFR or PAR?
To the extent possible, data used for estimating improper payments in a given program should
coincide with the fiscal year being reported (for example, the estimate reported in the FY 2018
AFR or PAR would be based on data from FY 2018). However, agencies may utilize a different
12-month reporting period with approval from OMB. This request for approval should be
submitted to OMB no later than June 30 in the fiscal year for which the estimate is being
reported and should be documented in responses to OMB data requests and/or in the AFR or
16

These sources should be reliable and the information provided should be accurate and complete. Documentation
of data reliability testing should be maintained by the sources.

21

PAR. For example, the estimate reported in the FY 2018 AFR or PAR could be based on data
from FY 2017, if approved by OMB.
As another example, the estimate reported in the FY 2018 AFR or PAR could be based on data
from the last two quarters of FY 2017 and the first two quarters of FY 2018, if approved by
OMB. For consistency purposes, the agency should continue using the same time period for
subsequent reporting years, unless a different time period is proposed by the agency and
approved by OMB. Therefore, agencies do not need to re-submit a request for approval every
year, only when they are planning to change their reporting time period.
7)	 What are Federally-funded, State-administered programs, and may agencies consider
other approaches for these types of programs?
Federally-funded, State-administered programs (e.g., Medicaid, Unemployment Insurance,
Temporary Assistance for Needy Families, Title I Local Educational Agencies, Child and Adult
Care Food Program) receive at least part of their funding from the Federal Government, but are
administered, managed, and operated at the State or local level. Where programs are
administered at the State level, statistically valid estimates of improper payments may be
provided at the State level either for all States or for all sampled States annually. If the improper
payment estimates are provided at the State level, these State-level estimates may then be used to
generate a national improper payment dollar estimate and rate. However, agencies may submit a
plan to OMB for approval to provide national level estimates for State-administered programs
based on a systematic selection of such states each year. See Part I.D for sampling and
estimation plan guidance.
Non-statistically valid sampling and estimation plans, such as those described in Part I.A.2
above, must be approved by OMB in advance of implementation. The justification to use this
type of approach must include a description of the States or local entities to be selected each
year, the methodology for generating annual national estimates, and a justification for using the
proposed plan rather than an estimate based on a random statistical sample.

22

PART II – REPORTING

A) Improper Payment Reporting
What reporting and deliverable requirements should agencies be aware of?
At a minimum, agencies should be aware of the following potential reporting requirements:
a) January 30th or June 30th - Sampling and estimation plan submission (See Part I.A.D)
b) March 31st - Relief from reporting request (See Part II.A.3)
c) May 15th - Agency Inspector General annual IPERA compliance audit reports (See Part
IV.A)
d) June 14th or August 13th - Agency reports for IPERA non-compliance (See Part IV.B.1)
e) November 1st - Payment recapture audit contractor recommendation reporting (See Part
III.C.16)
f) November 15th - Annual reporting in an agency AFR or PAR
g) Varies (Typically Mid-October) - OMB data requests
h) Quarterly or Semi-Annually - High-priority program reporting requirements (See Part
II.A.1)
i) No Specific Due Date - Recapture audit cost effectiveness (See Part II.C.6)
Where can agencies find detailed reporting requirements for improper payments?
Agencies should report to the President and Congress through AFRs or PARs and/or in the
format required through data requests from OMB. Detailed AFR or PAR improper payment
reporting requirements can be found within OMB Circular A-136.
OMB approval of some improper payment requirements (e.g., reduction targets) occurs through
OMB’s review of data requests and/or the improper payment reporting within each agency’s
AFR or PAR. Improper payment information from data requests from OMB and/or AFRs and
PARs is also analyzed for inclusion in OMB’s government-wide reporting on payment integrity
and publication on paymentaccuracy.gov.
Are programs that are identified as susceptible to significant improper payments, and
that annually report improper payment estimates, permanently subject to improper
payments reporting requirements?
No. If an agency’s program has documented a minimum of two consecutive years of improper
payments that are below the statutory thresholds - or otherwise can demonstrate that the program
is no longer susceptible to significant improper payments described in Section I.B. - the agency
may request relief from the annual reporting requirements for this program or activity.
This request must be submitted in writing to OMB. In addition, the request should include an
assertion from the agency’s Office of Inspector General that it concurs with the agency’s request
23

for relief and agrees that the program is no longer susceptible to significant improper payments.
Requests may be submitted without an assertion from the agency’s Office of Inspector General,
if the agency notes the reason(s) the Office of Inspector General would not provide an assertion.
The request for approval must be submitted to OMB no later than March 31 in the fiscal year for
which the agency is requesting to halt reporting (e.g., a request to halt reporting for a program
beginning with the FY 2019 reporting cycle must be submitted by March 31, 2019).
OMB will not grant automatic approval. Rather, OMB will review the request and will also take
into account the following criteria:
a.	 Burden—does measuring and reporting improper payments lead to a heavy burden (e.g.,
in terms of funding, program staff hours, etc.)?
b.	 Legislative considerations—are there any legislative requirements or recent changes that
affect the program’s ability or inability to estimate and report improper payments?
c.	 Audit findings—are there any audit findings (i.e., by the Inspectors General or GAO) that
point to reasons why the program might need to continue measuring and reporting
improper payments?
d.	 Ongoing risk mitigation strategies—are there any appropriate controls, policies, or
corrective actions that have been put in place to mitigate the risk of fraud and error in the
program?
e.	 OIG Concurrence – does the agency’s Office of Inspector General concur with the
agency’s request for relief? If the agency’s Office of Inspector General does not concur
with the agency request, what are the reasons why the program should still be considered
susceptible to significant improper payment?
f.	 Other considerations—are there any other key factors that should be considered in
deciding whether or not to grant relief from measuring and reporting improper payments?
In order to expedite OMB’s review, agencies should consider the five criteria above and discuss
them, if appropriate, in the written request. If OMB approves the request, the agency should
incorporate that program or activity into its risk assessment cycle. However, if significant
legislative changes occur, if program funding is significantly increased, or if any other change
results in substantial program impact, agencies should perform a risk assessment of this program
as part of its next reporting cycle, even if it has been less than three years since the last risk
assessment. If the risk assessment indicates that the program is again susceptible to significant
improper payments, the agency will return to the full estimation and reporting process as
required by IPIA.
Are programs and activities that have been deemed susceptible to significant improper
payments outside of the standard risk assessment designation (e.g. OMB Circular A-11,
Exhibit 57 or the Disaster Relief Appropriations Act) permanently subject to improper
payments reporting requirements?
No. Programs that have been deemed to be susceptible to significant improper payments without
allowing the program to first perform a risk assessment should be treated the same way that other

24

susceptible to significant improper payments programs are treated and therefore such programs
may request relief from reporting in accordance with the guidance described in Part II.A.3 above.
Is there additional guidance for programs deemed susceptible to significant improper
payments under the Disaster Relief Appropriations Act of 2013 or the Bipartisan
Budget Act of 2018??
Yes. For further guidance on Hurricane Sandy-related improper payment requirements, please
refer to OMB Memorandum M-13-07, Accountability for Funds Provided by the Disaster Relief
Appropriations Act, issued on March 12, 2013. Additional guidance on emergency supplemental
appropriations to respond to hurricanes, wildfires, and other disasters under the Bipartisan
Budget Act of 2018 can be found in OMB Memorandum M-18-14, Implementation of Internal
Controls and Grant Expenditures for the Disaster Related Appropriations, issued on March 30,
2018.
B) HIGH-PRIORITY PROGRAM REQUIREMENTS
How does OMB determine high-priority programs as required under IPERIA?
Per IPERIA, OMB will identify a list of high-priority programs for greater levels of oversight
and review. OMB will utilize improper payment reporting in an agency’s AFR or PAR to make
this determination.
The threshold for high-priority program determinations for FY 2018 reporting, and for
subsequent years, is $2 billion in estimated improper payments as reported in the AFR or PAR,
regardless of the improper payment rate estimate.
OMB may revise this threshold in future years and, if so, will notify agencies of the new
threshold and if any programs should be added or removed (based on reporting errors above or
below the new threshold) from the high-priority list.
If a program is identified as high-priority but in subsequent years reports an improper payment
estimate below $2 billion, it will no longer be considered a high-priority program.
In addition, OMB may determine that a program is high-priority for reasons other than exceeding
the dollar threshold established above. If this occurs, OMB will notify the agency.
What are the additional requirements for high-priority programs?
Under IPERIA, high-priority programs have the following additional requirements:
a. Tailor corrective actions (see Part II.B.3)
b. Publically report actions to prevent and recover improper payments (see Part II.B.4)
c. Develop semi-annual or quarterly actions to reduce improper payments (see Part II.B.5)

25

What are the additional requirements for high-priority programs regarding corrective
actions?
High-priority programs are already required to develop corrective actions, see Part III.A.1 below.
However, IPERIA requires agencies to tailor their corrective actions for high-priority programs.
Therefore, when describing corrective actions in the agency AFR or PAR, any agency that has
any programs identified as high-priority should explain how it has specifically tailored its
corrective actions for high-priority programs to better reflect the unique processes, procedures,
and risks involved in each specific program.
Are there any additional reporting requirements for agencies that have high-priority
programs?
Yes. IPERIA requires each agency that has any programs identified as high-priority to report to
their agency Inspector General, and make available to the public (including availability through
the internet): (1) any action the agency has taken—or plans to take—to recover improper
payments; and (2) any action the agency intends to take to prevent future improper payments. In
order to avoid duplication and reduce the number of agency reports related to improper
payments, agencies should fulfill this requirement by including this information in their AFRs or
PARs and/or include this information on paymentaccuracy.gov.
Inspectors General should review this information (as described in the above paragraph) when
they conduct their annual compliance reviews (see Part IV). OMB will make the AFRs and
PARs available on paymentaccuracy.gov.
As required by IPERIA, the agency should not include any referrals the agency made or
anticipates making to the Department of Justice, or any information provided in connection with
such referrals. In addition, this requirement should not prohibit any referral or information being
made available to an Inspector General as otherwise provided by law.
What are the requirements for establishing semi-annual or quarterly actions for

reducing improper payments in high-priority programs?

IPERIA requires agencies with high-priority programs to establish semi-annual or quarterly
actions for reducing improper payments. OMB will post this information to
paymentaccuracy.gov to fulfil IPERIA reporting requirements.
These actions should focus on higher risk areas within the high-priority programs and report on
root causes of improper payments that agencies are currently working to resolve through their
respective corrective action plans. In addition, the actions should use available and accessible
information (e.g., claims, payments, files) for the current year rather than previous years to the
extent possible. Lastly, these actions do not have to meet the statistical requirements of section
I.D.

26

Which tools should agencies use to identify semi-annual or quarterly actions?
Agencies should draw on their current corrective action plans (which are required to be updated
annually as part of each agency’s AFR or PAR) to determine the most reasonable actions to
report to OMB on a semi-annual or quarterly basis.
When identifying actions, agencies should focus on areas that will provide the greatest rate of
return on investment to the federal government.
When will agencies report semi-annual or quarterly actions?
Agencies should develop semi-annual or quarterly actions within 180 days of a program being
deemed high-priority and submit them to OMB for review. Agencies will be responsible for
submitting updates to the actions on a regular basis thereafter.
Figure 1. Timeline for Initial High-Priority Program Action Submission and Publication

C) ROOT CAUSE CATEGORIES FOR IMPROPER PAYMENTS
What categories should agencies use when reporting improper payment estimates?
Agencies with programs that are reporting an improper payment estimate should report
information based on the categories described below and any additional guidance provided
through data requests from OMB and/or in OMB Circular A-136.
27

These categories: (1) help agencies present the different categories of improper payments in their
programs and the percentage of the total improper payment estimate that each category
represents; and (2) provide granularity on improper payment estimates—thus leading to more
effective corrective actions at the program level and more focused strategies for preventing
improper payments.
The matrix below provides a cross-tabulation framework for the way in which each program
should categorize and report its improper payment estimate.
Table 1: Matrix of Improper Payment Categories ($ in millions)

In the matrix, columns A and B include two categories based on the type of improper payment,
and rows 1 through 14 include fourteen categories based on the reason(s) why the improper
payment was made (each category is explained in more detail below). The matrix has a total of
27 cells (i.e., coordinates A1 through B14, where B13 is not to be used, as indicated by the ‘X’ in
cell B13 in the matrix). Each program must distribute its total improper payment estimate
(which is based on dollars, as opposed to number of occurrences) across the 27 cells in the
matrix—with the understanding, of course, that not every cell will apply to every program.
For example, suppose a program reported $100 million in estimated improper payments. Here is
an example of how the table might be filled out:
28

•	 If $70 million were overpayments caused by the inability to authenticate eligibility due to
inability to access data, then that amount would go in cell A2.
•	 If $10 million were underpayments caused by process errors at State agencies

administering the program, then that amount would go in cell B10.

•	 If $20 million were cases where there was insufficient documentation to determine if
payments were proper or improper, in which case it is assumed those are overpayments,
then that amount would go in cell A13.
Ultimately, the amounts placed across the different cells in the matrix need to add up to the total
reported estimated improper payment amount for that given program. Please note that, taken by
themselves, the amounts placed in each cell do not need to meet the statistical requirements
described above in section I.A.9, step 2. Also note that, although there are 27 cells in the matrix
above, agencies should only fill in relevant cells, and may leave cells blank if they are not
relevant to the program’s estimated improper payments. Finally, it is important to note that in
cases where the agency believes more than one cell might be suitable to any given improper
payment category, the agency should determine which cell it believes to be the true root cause
(i.e., do NOT use more than one category for an improper payment)
All categories found in the matrix are described as follows:
a.	 Overpayments (column A) and Underpayments (column B): An overpayment is a
payment that is evidently higher than it should have been (including a duplicate
payment), and an underpayment is a payment that is evidently lower than it should have
been.
b.	 Program Design or Structural Issue (row 1): A situation in which improper payments are
the result of the design of the program or a structural issue. For example, a scenario in
which a program has a statutory (or regulatory) requirement to pay benefits when due,
regardless of whether or not all the information has been received to confirm payment
accuracy.
c.	 Inability to Authenticate Eligibility (rows 2 and 3): A situation in which an improper
payment is made because the agency is unable to authenticate eligibility criteria. These
types of errors include but are not limited to:
i.	 Inability to Access Data (row 2) – A situation in which the data needed exists but
the agency does not have access to it. For example, this could also be a situation
where statutory constraints prevent a program from being able to access
information that would help prevent improper payments (for example, not
confirming a recipient’s earnings or work status through existing databases due to
statutory constraints). Another example could be a situation where a beneficiary
has failed to report information to an agency that is needed for determining
eligibility (for example, a beneficiary failing to provide an agency with
information on earnings, and the agency does not have access to databases
containing the earnings information).

29

ii.	

Data Needed Does Not Exist (row 3) - A situation in which no database or dataset
currently in existence that the program could use to check eligibility prior to
making the payment. This could be a situation where recipient eligibility of a
government benefit is dependent on the length of time a child spent with their
guardian – no database or dataset is currently in existence containing this type of
information.

d.	 Failure to Verify Data (rows 4-8): A situation where the agency (Federal, State, or local),
or another party administering Federal dollars, fails to verify appropriate data to
determine whether or not a recipient should be receiving a payment, even though such
data exist in government or third-party databases. In these situations the data needed
exists and the agency or other party administrating Federal dollars has access to it but did
not check the payment against that data prior to making the payment. For reporting
purposes, the kind of data in question would include, but are not limited to, the following:
i.	 Death Data (row 4)—failure to verify that an individual is deceased, and the
agency pays that individual.
ii.	 Financial Data (row 5)—failure to verify that an individual’s or household’s
financial resources (for example, current income or assets) do not meet the
threshold to qualify him or her for a benefit, and the agency makes a benefit
payment to that individual or household.
iii.	 Excluded Party Data (row 6)—failure to verify that an individual or entity has
been excluded from receiving Federal payments, and the agency pays that
individual or entity.
iv.	 Prisoner Data (row 7)—failure to verify that an individual is incarcerated and
ineligible for receiving a payment, and the agency pays that individual.
v.	 Other Eligibility Data (row 8)—any other type of data not already listed above,
causing the agency to make an improper payment as a result.
e.	 Administrative or Process Errors (Rows 9-11): Errors caused by incorrect data entry,
classifying, or processing of applications or payments. For example, an eligible
beneficiary receives a payment that is too high or too low due to a data entry mistake
(such as transposing a number), or an agency enters an incorrect invoice amount into its
financial system. These types of errors can be made by:
i.	 Federal Agency (row 9)
ii.	 State or Local Agency (row 10)
iii.	 Other Party (row 11)—for example, a participating lender, or any other type of
organization administering Federal dollars that is not a Federal or State agency.
f.	 Medical Necessity (row 12): A situation in which a medical provider delivers a service or
item that does not meet coverage requirements for medical necessity (for example,
providing a power wheelchair to a patient whose medical record does not support
meeting coverage requirements for a power wheelchair).
g.	 Insufficient Documentation to Determine (row 13): A situation where there is a lack of
supporting documentation necessary to verify the accuracy of a payment identified in the
improper payment testing sample. For example, a program does not have documentation
30

to support a beneficiary’s eligibility for a benefit and without that particular
documentation the agency is unable to discern that the payment was for the correct
amount or went to the right recipient.
h.	 Other Reason (row 14): If none of the above categories apply, include any other reasons
for the improper payment under this category—and please explain the reasons in more
detail either in footnotes or in the narrative below the table. In instances where agencies
are able to identify improper payments resulting from fraud, they should report those
dollar amounts in this row.
How should agencies treat the reporting of improper payments made as a result of
fraud?
When agencies are reviewing the root causes of improper payments, or - in the case of highpriority programs - analyzing areas for semi-annual or quarterly actions, agencies should be
mindful of maintaining a focus on fraudulent activity within the program. For instance,
improper payments made as a result of fraud (e.g., intentionally making false claims to receive
a government benefit or contract payment) may have an impact on agency outlays, and may
also be something that agencies can reduce through improved pre-payment reviews and
additional safeguards. Agencies should refer matters involving possible fraudulent activities to
the appropriate authorities as determined by specific agency policy (e.g., the agency’s Office of
Inspector General or the Department of Justice). Transactions determined by management to
be anomalous or indicative of potential fraud and subsequently referred to the agency’s
Inspector General or the Department of Justice should not be categorized as fraud until the
appropriate judicial or adjudicative process makes that determination. Classifying transactions
as fraud prior to that determination being made by an appropriate judicial or adjudicative
process could negatively impact an agency’s ability to assess internal control effectiveness. The
circumstances contributing to the anomalous transaction could indicate an internal control
weakness that resulted in a mistake that should be analyzed by management and, if necessary,
corrected.

31

PART III – PREVENTION AND RECOVERY

A) Preventing and Reducing Improper Payments
How should programs prevent and reduce improper payments?
All programs reporting an improper payment estimate should identify the reasons their programs
and activities are at risk of improper payments. All programs and activities as determined to have
improper payments exceeding the susceptible to significant improper payment thresholds (See
Part I.B.1) must put in place a corrective action plan to prevent and reduce the improper payment
amount.
Corrective actions developed and implemented by agencies should be responsive to the root
causes of the improper payments. A root cause is something that would directly lead to an
improper payment, and if corrected, would prevent the improper payment. When developing
corrective actions, agencies should ensure they have identified a true root cause of an improper
payment as it is critical to understand the true root cause of a problem in order to formulate
effective corrective actions. Distinguishing between what constitutes a root cause that created an
error versus an internal control problem that did not catch an error is critical when creating
corrective actions to address improper payments. In addition, the actions should be proportional
to the severity of the associated amount and rate of the root cause.
Agencies should be able to measure the effectiveness and progress of each individual corrective
action on an annual basis. Agencies may measure the effectiveness and progress of corrective
actions by assessing the results of actions taken to address the root causes, such as the
performance and outcomes of these processes. Agencies should annually review their existing
corrective actions to determine if any existing action can be intensified or expanded, resulting in
a high-impact, high return-on-investment in terms of reduced or prevented improper payments.
Agencies should also annually review their existing corrective actions to determine whether the
original intent of the corrective action is still achieving its intended purpose and result.
In many cases, agencies will implement long-term, multi-year corrective actions that will be
implemented and refined on a continuous basis (e.g., the corrective action is in place for many
years, though it may be refined from year to year). For those actions, agencies should identify
annual benchmarks that can be used to demonstrate the progress of the implementation and/or
the initial impact on improper payment prevention and reduction. For corrective actions already
in place, agencies should be able to describe how they evaluate the effectiveness of these actions
and the evaluation results.
What factors should be assessed when developing a plan to improve the prevention and
reduction of improper payments?
In accordance with IPERA, when developing plans to prevent and reduce improper payments,
agencies should assess whether the organizations have the internal controls, human capital,
information systems, and other infrastructure needed to reduce improper payments to minimal
cost-effective levels. When developing a plan to improve the prevention and reduction of
32

improper payments, agencies should also be mindful of any statutory or regulatory barriers
which may limit the agencies’ corrective actions in reducing improper payments.
When and how should programs establish reduction targets?
When compiling plans to reduce improper payments, agencies should set reduction targets for
future improper payment levels and a timeline within which the targets will be reached.
Programs reporting an improper payment estimate are required to set an out year reduction
target. Reduction targets must be approved by the Director of OMB (this approval process will
take place during the OMB review and approval process of data requests from OMB and/or the
agencies draft AFRs and PARs).
Reduction targets for out years will likely be lower than the current year improper payment
estimates unless otherwise approved by OMB. If an agency establishes a reduction target that
does not decrease (e.g., a target that is constant or increasing), the reason(s) for establishing such
a target must be clearly explained by the agency (a constant reduction target at 0% does not
require an explanation). Reduction targets should be a balance between being aggressive and
realistic. In addition, agencies are encouraged to revisit and, if necessary, revise their out year
targets on an annual basis.
OMB does not expect the program to publish a reduction target until a full baseline has been
established and reported. If a program had a 24-month reporting cycle where no changes occur,
the program will most likely be considered to have established a baseline. Examples of
situations in which a program may need more than 24 months to fully establish (or reestablish)
an improper payment rate baseline could include but are not limited to:
a.	 state-administered programs with a “rolling rate” in which only a fraction of the states
report each year,
b. significant changes in funding, significant legislative changes,
c. significant changes to a sampling and estimation plan, or
d.	 anything that would cause the prior year estimate used to develop the out-year reduction
target to be significantly incomparable to the current year estimate.
Who should be accountable for improving the prevention and reduction of improper
payments?
Agencies should ensure that managers and accountable officers (including the agency head),
programs and program officials, and where applicable States and local partners, are held
accountable for reducing improper payments. In addition, for programs that are not implemented
directly by Federal or State agencies or government, agencies may also consider establishing
these accountability mechanisms. For example, non-Federal entities could include colleges that
disburse grants and loans to students, or banks that disburse loans to students.

33

B) Internal Control Over Payment Integrity
1)	 What are the criteria as to when an agency should initially be required to obtain an
opinion on internal control over payment integrity?
As agencies implement the requirements described in this guidance, they should approach
improper payments with an internal control framework integrated with Enterprise Risk
Management in mind. The July 2016 update to OMB Circular No. A-123 17 created requirements
for agencies to implement Enterprise Risk Management. Agencies should consult this guidance,
along with the GAO Green Book, 18 when designing their internal control framework for
managing payment integrity risk. IPERA introduced the concept of internal control over
improper payments. Agencies should first be given the opportunity to establish, maintain, and
assess internal controls before a requirement to obtain an audit opinion on internal control over
improper payments. Each agency reporting improper payments may summarize the status of
internal control over improper payments within the agency’s AFR or PAR or in their internal
control plan using a narrative explaining efforts undertaken to provide reasonable assurance that
controls are in place and working. The primary purpose of the summary is to provide a
thoughtful, risk based analysis linking agency efforts in establishing internal controls and
reducing improper payment rates. Agencies should leverage existing internal control plans and
may address the internal control standards provided in Part III.B.3 below.
OMB may utilize the agency internal control summaries to monitor progress and ensure that
planned actions result in the outcome of reducing improper payment rates. In addition, OMB
may review the status of an agency’s internal control over improper payments against the
following factors to determine when an agency should be required to obtain an internal control
over payment integrity audit:
a.	 Current Condition of Internal Control over Payment Integrity: The current
condition of internal control over improper payments can be assessed by a number of
factors, including recent audit findings (e.g., financial statement, performance, or
compliance audit results) and the nature of material weaknesses or scope of
management’s control. In addition, management’s overall assurance statement required
by Section 2 of the Federal Managers Financial Integrity Act should inform agency
internal control plans. However, no separate assurance statement for internal control
over improper payments is required.
b.	 Agency Demonstration of Progress: If the agency is not demonstrating measurable
improvements in its internal control, OMB may encourage progress by requiring an audit
of internal controls over payment integrity, as it may assist agencies to identify and
prioritize corrective actions to long-standing internal control weaknesses. In addition,
17

See OMB Memorandum M-16-17, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk
Management and Internal Control, available at
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf
18
See GAO-14-704G: Published: Sep 10, 2014, Standards for Internal Control in the Federal Government, available
at https://www.gao.gov/assets/670/665712.pdf

34

innovative and cost-effective audit resolution approaches such as the Cooperative Audit
Resolution and Oversight Initiative (CAROI) 19 will be encouraged to address internal
control weaknesses related to improper payments.
In deciding when to require an opinion on internal control over improper payments, the facts and
circumstances of individual agencies will be considered on a case-by-case basis. It is expected
that Inspectors General or firms contracted with to provide an audit opinion will work to
leverage resources deployed as part of financial statement or performance audits and an efficient
and cost-effective audit approach will be developed.
How does Enterprise Risk Management apply to improper payments?
OMB Circular No. A-123 defines Enterprise Risk Management as an effective agency-wide
approach to addressing the full spectrum of the organization’s external and internal risks by
understanding the combined impacts of risks as an interrelated portfolio, rather than addressing
risks only within silos. Enterprise Risk Management provides an enterprise-wide, strategicallyaligned portfolio view of organizational challenges that provides better insight on how to most
effectively prioritize resource allocations to ensure successful mission delivery. While agencies
cannot respond to all risks related to achieving strategic objectives and performance goals, they
must identify, measure and assess risks related to mission delivery. In the context of improper
payments, the Enterprise Risk Management framework can be used to assist in the management
of payment integrity risk. Management is required to manage their payment integrity risk to an
agency achieving its strategic, operations, reporting, or compliance objectives. While the extent
of this may differ among agencies, ensuring the integrity of federal payments is fundamental to
the core mission for agencies. Below are a few examples of how payment integrity risk cuts
across an agency’s strategic, operations, reporting and compliance objectives.
•
•
•
•

Strategic – Achieve payment integrity in core programs and mission
Operations – Ensuring payments to eligible recipients, managing fraud risk
Reporting – Manage data integrity risk related to AFR, paymentaccuracy.gov reporting
Compliance – Improper Payments Legislation, OMB Guidance, Privacy Laws

Risk tolerance is the acceptable level of variance in performance relative to the achievement of
objectives. It is generally established at the program, objective or component level. In setting
risk tolerance levels, management considers the relative importance of the related objectives and
aligns risk tolerance with risk appetite. Risk appetite is the broad-based amount of risk an
organization is willing to accept in pursuit of its mission/vision. It is established by the
organization’s most senior level leadership and serves as the guidepost to set strategy and select
objectives. In the context of Enterprise Risk Management and the management of payment
integrity risk, agency senior management may consider the acceptable amount of risk of
improper payments to still achieve mission objectives.
The Extended Enterprise consists of interdependent relationships, parent-child relationships, and
relationships external to an agency. It recognizes that no Agency is self-contained, and risk
19

CAROI is described in detail at http://www.agacgfm.org/AGA/ToolsResources/documents/CAROI.pdf.

35

drivers can arise out of organizations that extend beyond the enterprise. These relationships give
risk to a need for assurance that risk is being managed in that relationship both appropriately and
as planned. In the context of Enterprise Risk Management and the management of payment
integrity risk, the extended enterprise includes state, local governments, other departments and
agencies, or third party service providers. Although agency’s have less control, they still
maintain responsibility for managing risk to payment integrity that comes from the extended
enterprise.
The Risk Environment is beyond the boundary of the extended enterprise. The environment
generates risks that cannot be controlled, or constrain the way the organization is permitted to
take on or address risk. In the context of Enterprise Risk Management and the management of
payment integrity risk, this could include current and future legislation related to payment
integrity, the current and future state of the economy, or public perception of agencies and the
role government. Like the extended enterprise, despite having little or no control, agencies retain
the responsibility for the management of risk that comes from the greater risk environment.
3)	 How do internal control standards apply to improper payments?
Robust internal control processes should lead to fewer improper payments. Establishing and
maintaining effective internal controls—including an internal control system that prevents
improper payments from being made and promptly detects and recovers any improper payments
that are made—should be a priority. It is important to note that the five standards and attributes
below should be applied to the specific facts and circumstances of the various agency operations
and programs. In other words, agencies are not expected to address each attribute listed below.
Agencies should use the attributes listed as a guide in evaluating each of the five standards, and
should consider other attributes that may be applicable to its particular circumstances.
In addition, management has discretion in determining the breadth and depth of the scope of
assessing internal control over improper payments. These standards and attributes can be
implemented to fit the circumstances, conditions, and risks relevant to the situation of each
agency. For example, one agency’s program might lend itself to effective improper payment
detection controls at the point of agency disbursement, while another program might be primarily
administered by state or local entities where the appropriateness of a disbursement can only be
determined at the state or local level. In these cases, agencies should describe efforts to provide
oversight to state and local governments.
a.	 Control Environment. The foundation for an internal control system. It provides the
discipline and structure to help an entity achieve its objectives. In the context of payment
integrity, agency has created a control environment that instills a cultural framework of
accountability over improper payments by:
i.	 Fostering an atmosphere in which reducing improper payments are a top
management priority.
ii.	 Providing a cultural framework for managing risk by engaging key stakeholders
in the risk management process.

36

iii.	

iv.	

v.	

Increasing accountability and providing leadership in setting and maintaining the
agency’s ethical code of conduct and laying out defined consequences for
violations.
Clearly defining key areas of authority and responsibility and establishing
appropriate lines of reporting within and external to the agency (e.g., program
offices or state governments).
Ensuring that personnel involved in developing, maintaining, and implementing
control activities have the requisite skills and knowledge, recognizing that staff
expertise needs to be frequently updated in evolving areas such as information
technology and fraud investigation.

b.	 Risk Assessment. Assesses the risks facing the entity as it seeks to achieve its objectives.
This assessment provides the basis for developing appropriate risk responses. In the
context of payment integrity, the agency has determined the nature and extent of
improper payments by:
i.	 Establishing well defined goals and objectives for eliminating improper payments
and execution of corrective actions.
ii.	 Determining where risks exist, what those risks are, and the potential or actual
impact of those risks on program goals, objectives, and operations.
iii.	 Using risk-assessment results to target high-risk areas and focus resources where
the greatest exposure exists and return on investment can be maximized.
iv.	 Reassessing risks on a periodic basis to evaluate the impact of changing

conditions, both external and internal, on program operations.

v.	 Establishing an inventory of root causes of improper payments and internal
control deficiencies to develop corrective action plans for risk-susceptible
programs. The inventory should include an explanation of how root causes were
identified, prioritized, and analyzed to ensure corrective actions produce the
highest return on investment for resolving improper payment control deficiencies.
c.	 Control Activities. The actions management establishes through policies and procedures
to achieve objectives and responds to risks in the internal control system, which includes
the entity’s information system. In the context of payment integrity, the agency has
developed control activities to help management achieve the objective of reducing
improper payments by:
i.	 Establishing internal control activities that are responsive to management’s
objectives to mitigate risks of improper payments (e.g., policies and procedures
related to transaction authorization and approvals of program activities).
ii.	 Implementing pre-award and pre-payment reviews where detailed criteria are
evaluated before funds are expended.
iii.	 Utilizing data analytics tools, such as Treasury’s Working System, to compare
information from different sources to help ensure that payments are appropriate.
iv.	 Performing cost-benefit analyses of potential control activities before
implementation to help ensure that the cost of those activities to the organization
is not greater than the potential benefit of the control.

37

d.	 Information and Communications. The quality information management and personnel
communicate and use to support the internal control system. In the context of payment
integrity, the agency has effectively used and shared knowledge to manage improper
payments by:
i.	 Determining what information is needed by managers to meet and support
initiatives aimed at preventing, reducing, and recapturing improper payments.
ii.	 Ensuring that needed information is provided to managers in an accurate and
timely manner.
iii.	 Providing managers with timely feedback on applicable performance measures so
they can use the information to effectively manage their programs.
iv.	 Developing educational programs to assist program participants in understanding
program requirements.
v.	 Ensuring that there are adequate means of communicating with, and obtaining
information from, external stakeholders that may have a significant impact on
improper payment initiatives.
vi.	 Developing working relationships with other organizations to share information
and pursue potential instances of waste, fraud and abuse.
vii.	 Making the results of performance reviews widely available to permit
independent evaluations of the success of efforts to reduce improper payments.
e.	 Monitoring. Activities management establishes and operates to assess the quality of
performance over time and promptly resolve the findings of audits and other reviews. In
the context of payment integrity, the agency has assessed the success of improper
payment initiatives by:
i.	 Adhering to existing laws and OMB guidance to institute a statistical
methodology to estimate the level of improper payments being made by the
agency’s programs.
ii.	 Using an internal control assessment methodology that includes testing of control
design and operating effectiveness and the evaluation of the significance of
internal control deficiencies related to improper payments.
iii.	 Establishing program-specific targets for reducing improper payments in
programs that measure and report annual improper payment estimates.
iv.	 Assessing the progress of implementation of corrective actions over time and
ensuring that the root causes of improper payment internal control deficiencies are
resolved.
v.	 Considering the possibility of engaging contractors that specialize in specific
areas where in-house expertise is not available, such as payment recapture audits
and fraud detection analytics.
vi.	 Remediating identified internal control deficiencies on a timely basis.
vii.	 Adjusting control activities, as necessary, based on the results of monitoring
activities. The agency should periodically test the controls to ensure they are
effective in identifying, preventing, and recapturing improper payments.
viii.	 Understanding any statutory or regulatory barriers that may limit the agency’s
corrective actions in reducing improper payments and actions taken by the agency
to mitigate the barriers' effects.

38

Payment Recapture Audits
IPERIA requires identification of current and historical rates and amounts of improper payment
recoveries (or, in cases in which improper payments are identified solely on the basis of a
sample, recovery rates and amounts estimated on the basis of the applicable sample), including a
list of agency recovery audit contract programs and specific information of amounts and
payments recovered by recovery audit contractors.
1) What are the definitions used for payment recapture auditing in this guidance?
For purposes of this guidance the following terms and definitions are used:
a.	 Post-Award Audit refers to a post-award examination of the accounting and financial
records of a payment recipient that is performed by an agency official, or an authorized
representative of the agency official, pursuant to the audit and records clauses
incorporated in the contract or award. A post-award audit is normally performed by an
internal or external auditor that serves in an advisory capacity to the agency official. A
post-award audit, as distinguished from a payment recapture audit, is normally performed
for the purpose of determining if amounts claimed by the recipient are in compliance with
the terms of the award or contract, and with applicable laws and regulations. Such
reviews involve the recipient’s accounting records, including the internal control systems.
A post-award audit may also include a review of other pertinent records (e.g., reviews to
determine if a proposal was complete, accurate, and current); and reviews of recipients’
systems established for identifying and returning any improper payments received under
its Federal awards.
b.	 Payment Recapture Audit is a review and analysis of an agency's or program’s
accounting and financial records, supporting documentation, and other pertinent
information supporting its payments, that is specifically designed to identify
overpayments. It is not an audit in the traditional sense covered by Government Auditing
Standards. Rather, it is a detective and corrective control activity designed to identify
and recapture overpayments, and, as such, is a management function and responsibility.
c.	 Payment Recapture Audit Program is an agency's overall plan for risk analysis and the
performance of payment recapture audits and recovery activities. The agency head will
determine the manner and/or combination of payment recapture activities to use that are
expected to yield the most cost-effective results (see definition below).
d.	 Cost-Effective Payment Recapture Audit Program is one in which the benefits (i.e.,
recaptured amounts) exceed the costs (e.g., staff time and resources, or payments for the
payment recapture audit contractor) associated with implementing and overseeing the
program.
e.	 Payment Recapture Audit Contingency Contract is a contract for payment recapture audit
services in which the contractor is paid for its services as a percentage of overpayments
actually collected. The contractor must provide clear evidence of overpayments to the
39

appropriate agency official. More information on contingency contracts can be found in
the remaining questions of section I.D.
f.	 Recapture Activity is any activity by an agency to attempt to identify and recover

overpayments identified by a payment recapture audit or a post-award audit.

g.	 Financial Management Improvement Program is an agency-wide program to address the
deficiencies in an agency's internal controls over payments identified during the course of
implementing a payment recapture audit program, or other agency activities and reviews.
The first priority of such a program is to address problems that contribute directly to
agency improper payments and other instances of waste, fraud, and abuse.
2)	 What are the general agency requirements for implementing a payment recapture audit
program?
Agencies should have a cost-effective program of internal control to prevent, detect, and recover
overpayments. A program of internal control may include policies and activities such as
prepayment reviews, a requirement that all relevant documents be made available before making
payment, and performance of post-award audits. Effective internal controls could include
payment recapture auditing techniques such as data matching with Federal, State, and local
databases; and data mining and predictive modeling to identify improper payments. However,
for agencies that have programs and activities that expend more than $1 million in a fiscal year, a
payment recapture audit program is a required element of their internal controls over payments if
conducting such audits is cost-effective. These payment recapture audits should be implemented
in a manner designed to ensure the greatest financial benefit to the Federal government.
3)	 Should agencies establish targets for their payment recapture audit programs?
Yes, all agencies are required to establish annual targets for their payment recapture audit
programs that will drive their annual performance. Agencies should develop their own payment
recapture targets for review by OMB (this review process will take place during the review of
OMB data requests and the review and approval process of draft AFRs or PARs). Agencies are
encouraged to set targets that show an increase in recoveries over time, and OMB reserves the
right to notify specific agencies that they need to establish stricter targets. An agency may set
different payment recapture targets for the different types of payments it makes (for example, a
given agency might set a target that encompasses all contract payments lumped together, and
another target that encompasses all grant payments lumped together), or for each program.
Lastly, agencies may also identify and implement additional metrics beyond these targets to
evaluate their payment recapture audit programs, but these metrics should not be used as a
substitute for establishing annual recovery targets.
4)	 What is the scope for payment recapture audit programs?
a.	 All programs and activities that expend $1 million or more annually—including grant,
benefit, loan and contract programs—should be considered for payment recapture audits.

40

b.	 Agencies should review their different types of programs and activities and prioritize
conducting payment recapture audits on those categories that have a higher potential for
overpayments and recoveries. Agencies should utilize known sources of improper
payment information and give priority to recent payments and to payments made in
programs identified as susceptible to significant improper payments. Possible sources of
improper payment information include: statistical samples and risk assessments, agency
post-payment reviews, prior payment recapture audits, Office of Inspector General
reviews, Government Accountability Office reports, self-reported errors, reports from the
public, audit reports, and the results of the agency audit resolution and follow-up process.
c.	 Agencies should conduct a payment recapture audit program in a manner that will ensure
the greatest financial benefit for the government.
d.	 Agencies may exclude payments from certain programs and activities from payment
recapture audit activities if the agency determines that payment recapture audits are not a
cost-effective method for identifying and recapturing improper payments or if other
mechanisms to identify and recapture over payments are already in place.
e.	 The payment recapture audit contractor may, with the consent of the employing agency,
notify entities (including individuals) of potential overpayments made to such entities,
respond to questions concerning potential overpayments, and take other administrative
actions with respect to overpayment claims made or to be made by the agency. However,
the payment recapture audit contractor will not have the authority to make determinations
relating to whether any overpayment occurred and whether to compromise, settle, or
terminate overpayment claims.
f.	 To the extent possible, any underpayments identified through the payment recapture audit
process should also be corrected by the agencies. Agencies may include provisions that
authorize payments to payment recapture auditors for underpayments identified.
g.	 Payment recapture auditing activities should not duplicate other audits of the same
(recipient or agency) records that specifically employ payment recapture audit techniques
to identify and recapture overpayments. At a minimum, agencies should coordinate with
their Inspectors General and other organizations with audit jurisdiction over agency
programs and activities.
h.	 Instances of potential fraud discovered through payment recapture audit and recapture
activities should be reported immediately to the appropriate parties as determined by
specific agency policy. Such parties may include, but are not limited to, the Office of
Inspector General or the Department of Justice.
5)	 What criteria could an agency consider in determining whether a payment recapture
audit is cost-effective?
An agency may consider the following criteria in determining whether a payment recapture audit
is cost-effective:
41

a.	 The likelihood that identified overpayments will be recaptured. For example:
i.	 Whether laws or regulations allow recovery;
ii.	 Whether the recipient of the overpayment is likely to have resources to repay
overpayments from non-Federal funds;
iii.	 Whether the evidence of overpayment is clear and convincing (e.g., the same
exact invoice was paid twice) as opposed to whether the recipient of an apparent
overpayment has grounds to contest, and the agency’s assessment of the strength
of the recipient’s counterargument; and
iv.	 Whether the overpayment is truly an improper payment that can be recovered
rather than a failure to properly document compliance.
b.	 The likelihood that the expected recoveries will be greater than the costs incurred to
identify and recover the overpayments. For example:
i.	 Can efficient techniques such as sophisticated software and matches be used to
identify significant overpayments at a low cost per overpayment or will laborintensive manual reviews of paper documentation be required?
ii.	 Are tools available to efficiently perform the payment recapture audit and
minimize payment recapture audit costs? Payment recapture audits are generally
most efficient and effective where there is a central electronic database (e.g., a
database that contains information on transactions and eligibility information)
where sophisticated software can be used to perform matches and analysis to
identify recoverable overpayments (e.g., duplicate payments).
iii.	 How expensive will attempts to recover some or all of the overpayments be,
particularly in complex financial situations, and when recipients may contest the
assertion of an overpayment, especially when litigation is anticipated (in which
situations, the agency should consult with its counsel and, as appropriate, with the
Department of Justice)?
Agencies are encouraged to use limited scope pilot payment recapture audits in areas deemed of
highest risk (e.g., based on IPIA risk assessments or estimation process) to assess the likelihood
of cost-effective payment recapture audits on a larger scale.
6)	 What should an agency do if it determines that a payment recapture audit program
would not be cost-effective?
If an agency determines that it would be unable to conduct a cost-effective payment recapture
audit program for certain programs and activities that expend more than $1 million, then it
should notify OMB and the agency’s Inspector General of this decision and include any analysis
used by the agency to reach this decision. The notification may take place in a memo that is
submitted to OMB and the agency Inspector General via email. OMB may review these
materials and determine that the agency should conduct a payment recapture audit to review
these programs and activities. This analysis will need to be repeated and resubmitted to OMB
and to the agency’s Inspector General only if circumstances change within the program that
might make a payment recapture audit cost-effective.

42

If the agency has excluded any programs or activities from review under its payment recapture
audit program because the agency has determined a payment recapture audit program is not costeffective, the agency should report the justification and a summary of the analysis that is used to
determine that conducting a payment recapture audit program for the program or activity was not
cost effective (i.e., a discussion of the analysis conducted to determine that a payment recapture
audit program would not be cost-effective)
7)	 Should the agency follow any particular procedures when conducting payment
recapture audits of grants payments?
Agencies with grant programs should consider payment recapture auditing contracts at the grant
recipient level. Federal agencies should work with State and local governments to ensure that
they have enough resources to conduct payment recapture audits (for example, through direct
funding, allowable administrative expenses, or contingency contracts). Whenever applicable,
agencies should leverage work already being carried out outside of payment recapture audits.
For example, agencies are encouraged to rely on and use the audit work already being carried out
under the Single Audit Act and the Uniform Guidance for federal assistance (2 CFR 200 Subpart
F). Generally, Federal agencies should not look to pass-through entities for repayment of
improper payments identified by payment recapture audits for funds they pass-through until
repayment has been made by the sub-recipient or the final payee. Federal agencies should also
coordinate among themselves to reach partnerships with grant recipients to ensure a coordinated,
cost-effective approach to implement these payment recapture audit requirements. The
cognizant agency assignment model used in the Single Audit or cost allocation processes can
help in streamlining the coordination between the Federal agencies and grant recipients.
8)	 Can Federal agencies provide money to States and Local governments for Financial
Management Improvement efforts?
Yes. Many programs are Federally-funded but State-administered, and Federal agencies should
support State efforts to reduce improper payments in these programs. As authorized in IPERA
and this guidance, agencies may use up to 25 percent of funds recovered under a payment
recapture audit program to support Financial Management Improvement Programs, including
making a portion of this funding available to State and local governments to support their
Financial Management Improvement Programs.
9)	 Who may perform payment recapture audits?
Payment recapture audits may be performed by employees of the agency, by any other
department or agency of the Federal government acting on behalf of the agency, by non-Federal
entities (as defined in the Uniform Guidance, 2 C.F.R. Subpart A, Part 200.69) expending
Federal awards, by contractors performing payment recapture audit services under contracts
awarded by the executive agency, or any combination of these options.
10) May contractors perform payment recapture audit services?

43

Yes. With respect to contracts with private sector contractors performing payment recapture
audits, agencies may utilize a number of options, including a contingency contract with a private
sector contractor, to conduct payment recapture audit services. With the passage of IPERA,
agencies are allowed and encouraged to utilize contingency contracts for private sector
contractors to implement the authorities under the new law to review all types of payments and
activities.
However, certain types of payments recovered may not be available to pay the payment
recapture audit costs (for instance, amounts recovered due to interim improper payments made
under ongoing contracts if these amounts are still needed to make subsequent payments under the
contract, please refer to Part III.C.14 below for more details). Therefore, agencies would need to
establish other funding arrangements (such as through appropriations) when making payments to
private sector payment recapture audit contractors in such cases where recoveries cannot be used
to pay contingency fee contracts.
11) Are there any specific requirements when using a contracted payment recapture
auditing firm?
Agencies should require contractors to become familiar with the agency’s specific policies and
procedures, and take steps to safeguard the confidentiality of sensitive financial information that
has not been released for use by the general public and any information that could be used to
identify a person.
At a minimum, each contract for payment recapture audit services should require the contractor
to:
a.	 Provide periodic reports to the agency on conditions giving rise to overpayments (e.g.,
root causes of overpayments) identified by the auditor and any recommendations on how
to mitigate such conditions. If requested, the agency should provide the results of such
analyses and related recommendations to its Office of Inspector General;
b.	 Notify the agency of any overpayment identified by the contractor pertaining to the
agency or to any other agency or agencies that are beyond the scope of the contracts; and
c.	 Report to the agency and the agency’s Office of Inspector General credible evidence of
fraud or vulnerabilities to fraud, and conduct appropriate training of contractor personnel
on identification of fraud.
Agencies may allow payment recapture auditors to establish a presence on, or visit, the property,
premises, or offices of any subject of payment recapture audits. Such physical presence is not
prohibited, and may in fact allow the payment recapture auditor to do a more thorough review of
the subject’s payments, and related documentation and payment files.
12) Are there any prohibitions when using a payment recapture audit contractor?
In addition to provisions that describe the scope of payment recapture audits (and any other
provisions required by law, regulation, or agency policy), any contract with a private sector firm
44

for payment recapture audit services should include provisions that prohibit the payment
recapture audit contractor from:
a.	 Requiring production of any records or information by the agency’s contractors. Only
duly authorized employees of the agency can compel the production of information or
records from the agency's contractors, in accordance with applicable contract terms and
agency regulations;
b.	 Using or sharing sensitive financial information with any individual or organization,
whether associated with the Federal government or not, that has not been officially
released for use by the general public, except for an authorized purpose of fulfilling the
payment recapture audit contract; and
c.	 Disclosing any information that identifies an individual, or reasonably can be used to
identify an individual, for any purpose other than as authorized for fulfilling its
responsibilities under the payment recapture audit contract.
13) Who performs recovery activities once the improper payments are discovered and
verified?
The actual collection activity may be carried out by Federal agencies or non-Federal entities
expending Federal awards, as appropriate. However, agencies or non-Federal entities may use
another private sector entity, such as a private collection agency, to perform this function, if this
practice is permitted by statute. As noted above, the payment recapture audit contractor may not
perform the collection activity, unless it meets the definition of a private collection agency, and
the agency involved has statutory authority to utilize private collection agencies. Agencies
should ensure that applicable laws and regulations governing collection of amounts owed to the
Federal government are followed.
14) What is the proper disposition of recovered amounts?
Funds collected under a payment recapture audit program can be used for the following
purposes:
a. Recaptured overpayments from expired discretionary fund accounts that were
appropriated after enactment of IPERA (i.e., July 22, 2010) should be available to the
agency to reimburse the actual expenses incurred by the agency for the following
purposes:
i.	 To reimburse the actual expenses incurred by the agency for the administration of
the program (including payments made to other agencies that carry out payment
recapture audit services on behalf of the agency); and
ii.	 To pay contractors for payment recapture audit services.
b.	 Recaptured overpayments from expired discretionary fund accounts that were 

appropriated after enactment of IPERA (i.e., July 22, 2010) that are not used to 

reimburse expenses of the agency or pay payment recapture audit contractors—as

45

described above in Part III.D.14.a—should be used for: a financial management
improvement program, the original purpose of the funds, Inspectors General activities, or
returned to the Treasury as miscellaneous receipts or returned to trust or special fund
accounts. Each agency should determine the actual percentage of recovered
overpayments used for the purposes outlined here (up to the maximum amount allowed in
the law and this guidance). Specifically:
i.	 Up to 25 percent of the recaptured funds may be used for the financial
management improvement program described below in Part III.D.15. This
funding should be credited, if applicable, for that purpose identified by the agency
head to any agency appropriations and funds that are available for obligation at
the time of collection. These funds should be used to supplement and not
supplant any other amounts available for that purpose, and should remain
available until expended. Such funds can go to non-Federal entities such as State
and local governments if the agency determines that is the best disposition of the
funds to support its financial management improvement program.
ii.	 Up to 25 percent of the recaptured funds may be used for the original purpose.
This funding should be credited to the appropriation or fund, if any, available for
obligation at the time of collection for the same general purposes as the
appropriation or fund from which the overpayment was made, and should remain
available for the same period of availability and purposes as the appropriation or
fund to which credited. If the appropriation from which the overpayment was
made has expired, the funds should be newly available for the same time period as
the funds were originally available for obligation. However, any funds that are
recovered more than five fiscal years after the last fiscal year in which the funds
were available for obligation should be deposited in the Treasury as
miscellaneous receipts.
iii. Up to 5 percent of the recaptured funds should be available to the agency
Inspector General. The agency Inspector General may use this funding to carry
out the law’s requirements, and perform other activities relating to investigating
improper payments or auditing internal controls associated with payments.
However, the funding should remain available for the same period of availability
and purposes as the appropriation or fund to which it is credited.
iv. The remainder of the recaptured, expired discretionary funds that were
appropriated after enactment of IPERA (i.e., July 22, 2010)——that are not
applied in accordance with the preceding 14.a.i, 14.a.ii, 14.b.i, 14.b.ii, and 14.b.iii
should be deposited in the Treasury as miscellaneous receipts. Unless the
remainder of the recaptured, expired discretionary account funds are from trust
and special fund accounts, such funds should be credited to the expired account
from which the overpayment was made.
c.	 Recaptured overpayments from unexpired discretionary fund accounts that were
appropriated after enactment of IPERA (i.e., July 22, 2010) should be credited to the
account from which the overpayments were made, and such amounts should be available
for the purposes of the account and the purposes outlined in 14.a., but are not available
for any purposes outlined above in 14.b.

46

d.	 Recaptured overpayments from mandatory fund accounts should be credited to the
account from which the overpayments were made, and such amounts should be available
for the purposes of the account and the purposes outlined above in 14.a, but are not
available for any purposes outlined above in 14.b.
e.	 In the case of recaptured overpayments from expired or unexpired discretionary fund
accounts that were appropriated before enactment of IPERA (i.e., July 22, 2010),
agencies have the same authorities as before IPERA was enacted. Therefore, in this case
recaptured overpayments may be applied in accordance with the preceding 14.a, but
should not be applied in accordance with the preceding 14.b. The remainder should be
credited to the expired account from which the overpayment was made.
f.	 In the case of closed accounts, the budgetary resources are cancelled, and all recaptured
overpayments should be deposited in the Treasury as miscellaneous receipts.
g.	 Contingency fee contracts should preclude any payment to the payment recapture audit
contractor until the recoveries are actually collected by the agency.
h.	 All funds collected and all direct expenses incurred as part of the payment recapture audit
program should be accounted for specifically. The identity of all funds recovered should
be maintained as necessary to facilitate the crediting of recovered funds to the correct
appropriations and to identify applicable time limitations associated with the appropriated
funds recovered.
i.	 Overpayments that are identified by the payment recapture auditor, but that are
subsequently determined not to be collectable or not to be improper, should not be
considered “collected” for the disposition purposes outlined above.
j.	 Some programs and payments have separate statutory authority or requirements to
conduct payment recapture audits, and thus are not required to follow the disposition of
recovered funds outlined above for funds recovered from these programs and payments.
For instance, under Section 302 of Division B of the Tax Relief and Health Care Act
(Section 1893 of the Social Security Act; 42 U.S.C. 1395ddd) and Section 6411 of the
Patient Protection and Affordable Care Act (Pub. L. No. 111-148), the Department of
Health and Human Services is required to conduct reviews of certain Medicare program
payments to identify and recover improper payments, and States are required to conduct
similar reviews under Medicaid. In a similar example, under the authority of 31 U.S.C.
3726, the General Services Administration audits agency transportation payments for
improper payments. Agencies with oversight of such programs and payments may
choose to follow the disposition uses outlined in this guidance—provided that is
consistent with any other applicable statutory requirements—but are not required to do
so. Disposition of payments associated with loans and loan guarantees must conform to
the requirements of the Federal Credit Reform Act of 1990, as amended (2 U.S.C. 661a
et. seq.)

47

15) Are agencies authorized to implement Financial Management Improvement Programs?
Yes. IPERA authorizes agencies to implement “financial management improvement programs.”
Such programs should take the information obtained from the payment recapture audit program
(as well as other audits, reviews, or information that identify weaknesses in an agency’s internal
controls), and ensure that actions are taken to improve the agency’s internal controls to address
problems that directly contribute to agency improper payments. In conducting its financial
management improvement programs, agency heads may also seek to reduce errors and waste in
programs and activities other than where funds are recaptured.
16) What are the reporting requirements for payment recapture audits?
Agencies should annually report information on their payment recapture audit program through
data requests from OMB and/or in their AFRs or PARs.
In addition, by November 1, agencies are required to complete a separate, annual report to OMB
as well as the Senate Committee on Homeland Security and Governmental Affairs and the House
Committee on Oversight and Government Reform. This report should describe any
recommendations identified by the payment recapture auditor on how to mitigate conditions
giving rise to overpayments, and any corrective actions the agency took during the preceding
fiscal year to address the auditor recommendations. This report should describe agency efforts
during the previous fiscal year (for example, for the November 1, 2017 report, the agency would
describe recommendations and actions between October 1, 2016, and September 30, 2017;
subsequent reports would describe efforts for subsequent fiscal years). This report is required
only for Federal agencies utilizing external contractors to conduct their payment recapture audits
and only in instances where these contractors have provided any recommendations, as described
above. This report is not required for state agencies utilizing contractors to conduct their
payment recapture audits
17) How are improper payment estimates different from payment recapture audit efforts?
Improper payment estimates evaluate a small number of payments in a program or activity to
determine if the payments were improper or proper. The results of these reviews are then
extrapolated to the universe of payments in a program or activity to determine the program or
activity’s annual improper payment amount and rate. Payment recapture audits are not statistical
samples, and instead are targeted examinations of high-risk payments which most likely can be
cost-effectively recaptured (e.g., cash collected from the final payee exceeding collection costs).

48

PART IV – COMPLIANCE WITH THE IMPROPER PAYMENT REQUIREMENTS

Part II provides guidance to assist Inspectors General and agency management in implementing
improper payment requirements.
A. RESPONSIBILITIES OF AGENCY INSPECTORS GENERAL
1)	 How often should each agency Inspector General review improper payment
performance to determine whether the agency is in compliance under IPERA?
Each agency Inspector General under “a[ny] department, agency, or instrumentality in the
executive branch of the United States” as defined in Title 31, Section 102 of the United States
Code should annually review agency improper payment reporting in the agency’s annual AFR or
PAR, and accompanying materials, to determine if the agency is in compliance under IPERA.
2)	 When should the agency Inspector General complete its review of agency compliance
under IPERA?
An agency Inspector General should review the agency’s annual AFR or PAR, and
accompanying materials, 20 and complete its review and determination and submit its final report
by May 15th of the following year. If May 15th falls on a weekend, the review, determination,
and report should be completed by the next business day.
3)	 What should each agency Inspector General review to determine if an agency is in
compliance under IPERA?
To determine compliance under IPERA, the agency Inspector General should review the
agency’s AFR or PAR (and any accompanying information) for the most recent fiscal year.
Compliance under IPERA means that the agency has:
a.	 Published an AFR or PAR for the most recent fiscal year and posted that report and any
accompanying materials required by OMB on the agency website;
b.	 Conducted a program specific risk assessment for each program or activity that conforms
with Section 3321 note of Title 31 U.S.C. (if required);
c.	 Published improper payment estimates for all programs and activities identified as
susceptible to significant improper payments under its risk assessment (if required);
d.	 Published programmatic corrective action plans in the AFR or PAR (if required);
e.	 Published, and is meeting, annual reduction targets (See Part IV.A.5, below) for each
program assessed to be at risk and estimated for improper payments (if required and
applicable); and
f.	 Reported a gross improper payment rate of less than 10 percent for each program and
activity for which an improper payment estimate was obtained and published in the AFR
or PAR.
20

Accompanying materials or information may vary by agency but examples could include but are not limited to an
errata report, a reference to data on an external website (such as paymentaccuracy.gov), or a reference to a related
agency public report to fulfill reporting requirements (such as a reference to a report containing corrective action
plans, sampling and estimation plans, high priority program actions, other data, etc.).

49

If an agency does not meet one or more of these requirements, then it is not compliant under
IPERA.
4)	 What should the agency Inspector General include in its compliance review and
report?
The report should contain a high-level summary toward the beginning of the report that (a)
clearly states the agency’s compliance status (i.e., compliant or non-compliant) and (b) indicates
which of the six requirements the agency complied with and which requirements the agency did
not comply with.
To assist readers with understanding the conclusions within the report, the following table should
also be included toward the beginning of the report:
Table 2. IPERA Compliance Reporting Table

This table should include the criteria assessed by the agency Inspector General as well as the
name of each program assessed. Within the table, each agency Inspector General should
indicate, for each criteria, whether the program was compliant or non-compliant. For instances
where a particular criteria does not apply (such as instances where the program is only in the risk
assessment phase) the agency Inspector General may place NA. For the Publish an AFR or PAR
criteria which applies at an agency level, if the agency is compliant then the programs are all
compliant. However, if the agency is found non-compliant for this criteria and the reason relates
to specific program(s) the agency Inspector General could indicate this within the table. 21

21

For example, there have been instances where a program is omitted or significantly misrepresented in the AFR or
PAR and it is to such an extreme that an agency Inspector General found the overall AFR or PAR was in need of a
restatement and because of that one program the agency Inspector General found the agency non-compliant with this
criteria.

50


In determining compliance, the agency Inspector General should evaluate the accuracy and
completeness of agency reporting, and evaluate agency performance in reducing and recapturing
improper payments. For example, when determining compliance, the agency Inspector General
should evaluate whether the program improper payment rate estimates are accurate and whether
the sampling and estimation plan used is appropriate given program characteristics. In addition,
the agency Inspector General should evaluate the corrective action plans and determine whether
the corrective actions are focused on the true root cause and are actually reducing the improper
payments, and whether they are effectively implemented. The agency Inspector General should
evaluate the root cause category classification and determine whether the agency has accurately
classified the true root causes of improper payments. As part of its report, the agency Inspector
General should include its evaluation of agency efforts to prevent and reduce improper
payments, and any recommendations for actions to further improve: the agency’s or program’s
performance in reducing improper payments; corrective actions; or internal controls.
Finally, as part of the annual compliance review, for agencies that have high-priority programs,
the agency Inspector General should: review the assessment of the level of risk, 22 evaluate the
quality of the improper payment estimates and methodology, and review the oversight or
financial controls used to identify and prevent improper payments under the program.
5)	 How should the agency Inspector General determine compliance with reduction
targets?
Examples of Meeting Reduction Target:
Program A has a plan that meets or exceeds the 95/3 guidance for sampling methodology. It

has a 15% point estimate with a 2.79% precision rate, so it has a confidence interval of 12.21%

to 17.79%.

Because it meets the 95/3 guidance for statistically valid and robust, it should be counted as

meeting its reduction target as long as the lower bound for its confidence interval (12.21%) is

equal to or less than the reduction target.

Program B is statistically valid, but fails to meet the 95/3 guidance for sampling methodology. 

It has a point estimate of 15% with a margin of error of 6.40%, so it has a confidence interval of

8.60% to 21.40%.

Because it is statistically valid, but non-rigorous, in order to meet its reduction target, its point

estimate must be lower than or equal to its reduction target.

Program C is a non-statistically valid plan because it does not meet the qualifications for a

statistically valid plan (as outlined above). It has an estimate of 15%, but no confidence interval.

Because it is non-statically valid, in order to meet its reduction target, its estimate must be lower

than or equal to its reduction target.


22

For high-priority programs already reporting an improper payment estimate, the agency Inspector General is not
expected to evaluate an agency’s assessment of risk within a risk assessment; rather the assessment of risk would be
done when evaluating the quality of the estimate.

51

The following figure shows possible scenarios for whether or not these three programs would be
considered as having met different reduction targets:
Figure 2. Reduction Target Compliance Matrix

6)	 Who should the agency Inspector General notify when it has completed its
determination of whether an agency is in compliance under IPERA?
Each fiscal year, the agency Inspector General should determine whether the agency is in
compliance under IPERA. Once it has completed its assessment, the agency Inspector General
must submit its results to:
a. The agency head;
b. The Senate Committee on Homeland Security and Governmental Affairs;
c. The House Committee on Oversight and Government Reform;
d. The Comptroller General; and
e. The OMB Controller.

52

B. RESPONSIBILITIES FOR AGENCIES
1)	 What are the requirements for agencies not compliant under IPERA?
In accordance with IPERA, noncompliant agencies must complete several actions, as described
below:
a.	 For agencies that are not compliant for one fiscal year, within 90 23 days of the
determination of non-compliance, the agency should submit a plan to the Senate
Committee on Homeland Security and Governmental Affairs, the House Committee on
Oversight and Government Reform, and the OMB, describing the actions that the agency
will take to become compliant. The plan should include:
i.	 Measurable milestones to be accomplished in order to achieve compliance for
each program or activity;
ii.	 The designation of a senior agency official who should be accountable for the
progress of the agency in coming into compliance for each program or activity;
and
iii.	 The establishment of an accountability mechanism, such as a performance
agreement, with appropriate incentives and consequences tied to the success of
the senior agency official in leading agency efforts to achieve compliance for each
program and activity.
b.	 For agencies that are not compliant for two consecutive fiscal years for the same
program or activity, the Director of OMB will review the program and determine if
additional funding would help the agency come into compliance. This process will
unfold as part of the annual development of the President’s Budget. Agencies with
programs or activities that are non-compliant for two consecutive years should create and
submit proposals to OMB during their next budget submission that will bring the agency
into compliance. If the Director of OMB determines that additional funding would help
the agency become compliant, the agency should obligate an amount of additional
funding determined by the Director of OMB to intensify compliance efforts. When
providing additional funding for compliance efforts, the agency should:
i.	 Exercise reprogramming or transfer authority to provide additional funding to
meet the level determined by the Director of OMB; and
ii.	 Submit a request to Congress for additional reprogramming or transfer authority if
additional funding is needed to meet the full level of funding determined by the
Director of OMB.
c.	 For agencies that are not compliant for three consecutive fiscal years for the same
program or activity, within 30 24 days of the determination of non-compliance, the agency
will submit to the Senate Committee on Homeland Security and Governmental Affairs,

23

90 days from the May 15th due date in Part IV.A.2 is August 13th. If August 13th falls on a weekend, the review,

determination, and report should be completed by the next business day.

24
30 days from the May 15th due date in Part IV.A.2 is June 14th. If June 14th falls on a weekend, the review,

determination, and report should be completed by the next business day.


53

the House Committee on Oversight and Government Reform, and OMB the following, in
order to bring the program or activity in question into compliance:
i.	 Reauthorization proposals for each (discretionary) program or activity that has not
been in compliance for three or more consecutive fiscal years; or
ii.
Proposed statutory changes necessary to bring the program or activity into
compliance.
If the two criteria above will not bring the program into compliance with IPERA, then the
agency must state why and state what the agency is doing to achieve compliance instead.
d.	 For agencies that are not compliant for four or more consecutive fiscal years for the
same program or activity, within 30 days of the determination of non-compliance, the
agency will submit to the Senate Committee on Homeland Security and Governmental
Affairs, the House Committee on Oversight and Government Reform, and OMB a report
detailing the activities taken to complete the requirements for one, two, three, four, etc.
years of non-compliance. 25 In addition, this report should include a description of any of
the requirements above that were fulfilled in years one, two, or three that are still relevant
and being pursued as a means to prevent and reduce improper payments. When
discussing corrective actions, the agency should also include descriptions of any new
corrective actions.
In addition, OMB may require agencies that are not compliant under the law (for one, two, three,
or more years in a row) to complete additional requirements beyond those requirements listed
above. For example, if a program is not compliant with the law, OMB may determine that the
agency must re-evaluate or re-prioritize its corrective actions, intensify and expand existing
corrective action plans, or implement or pilot new tools and methods to prevent improper
payments. OMB will notify agencies of additional required actions as needed. Lastly, agencies
should share any plans or proposals required by this section with their respective Inspectors
General.
2)	 What should the agency do to be compliant under IPERA?
The compliance requirements under IPERA are listed below with additional information for each
to assist the agency in achieving compliance.
a.	 Published an AFR or PAR for the most recent fiscal year and posted that report and any
accompanying materials required by OMB on the agency website;
i.	 An agency should publish their AFR or PAR in accordance with the specific
guidance related to improper payments in the Payment Integrity Reporting section
within OMB Circular A-136. In addition, the AFR or PAR should include all
applicable requirements from OMB Circular A-123, Appendix C. Agencies
should ensure that their AFRs or PARs are complete and accurate. For example, if
an agency completes the root cause category matrix the agency should ensure that
the root cause category classification accurately classifies the true root causes of
improper payments.

25

30 days from the May 15th due date in Part IV.A.2 is June 14th. If June 14th falls on a weekend, the review,
determination and report should be completed by the next business day.

54

b.	 Conducted a program specific risk assessment for each program or activity that conforms
with IPIA, as amended (if required);
i.	 An agency should ensure that the program or activity based risk assessments are
conducted in accordance with Part I.C. For example, when an agency conducts an
improper payment risk assessment, the agency should ensure that it has
considered appropriate risk factors and the agency should ensure that the result of
the assessment is reasonably supported whether the program or activity is or is not
susceptible to significant improper payments.
c.	 Published improper payment estimates for all programs and activities identified as
susceptible to significant improper payments under its risk assessment (if required);
i.	 An agency should ensure that the program or activity has produced and published
an improper payment estimate in accordance with the Payment Integrity
Reporting section of OMB Circular A-136. For example, agencies should ensure
that the program improper payment rate estimates are accurate and that the
sampling and estimation plan used is appropriate given program characteristics.
d.	 Published programmatic corrective action plans in the AFR or PAR (if required);
i.	 An agency should ensure that the program or activity has produced and published
corrective actions plan in accordance with the Payment Integrity Reporting
section of OMB Circular A-136. For example, Agencies should ensure that each
corrective action is specifically aimed toward the true root cause and specifically
focused on preventing improper payments. Agencies should also ensure that the
actions are effectively implemented and appropriately prioritized within the
agency to reduce and prevent improper payments.
e.	 Published, and is meeting, annual reduction targets for each program assessed to be at
risk and estimated for improper payments (if required and applicable); and
i.	 An agency should ensure that the program or activity has produced and published
reduction targets in accordance with the Payment Integrity Reporting section of
OMB Circular A-136. An agency should ensure that their improper payment
reduction targets are the appropriate balance of aggressive and realistic given the
program characteristics.
f.	 Reported a gross improper payment rate of less than 10 percent for each program and
activity for which an improper payment estimate was obtained and published in the AFR
or PAR.

55

PART V – THE DO NOT PAY INITIATIVE

Part V discusses the requirements set forth in IPERIA, as amended by the Bipartisan Budget Act
of 2013 and the Federal Improper Payments Coordination Act of 2015 (FIPCA) as it relates to
the Do Not Pay (DNP) Initiative.

A) Background
The DNP Initiative includes multiple resources designed to help agencies determine eligibility to
confirm that the right recipient obtains the right payment for the right reason at the right time.
IPERIA provides the Federal Government with new tools and authorities to help agencies
effectively implement the DNP Initiative.
Section 5(e)(3) of IPERIA requires OMB to provide guidance to agencies on reimbursement of
costs between agencies, retention and timely destruction of records, and prohibiting the
duplication and redisclosure of records. Furthermore, under IPERIA, OMB must also provide
guidance to help improve the effectiveness and responsiveness of agency Data Integrity Boards
(DIBs). Part V of this Appendix addresses all of these points and replaces OMB Memorandum
M-12-11, Reducing Improper Payments through the “Do Not Pay List” and OMB Memorandum
M-13-20, Protecting Privacy while Reducing Improper Payments with the Do Not Pay Initiative.
In 1988, Congress amended the Privacy Act of 1974 26 to establish procedural safeguards
pertaining to agencies’ use of computer matching programs. 27 The following year, OMB issued
guidance to help agencies interpret the law and meet the new requirements. 28 Since releasing
the original computer matching guidance, OMB has issued other guidance documents on
computer matching. 29 This part of the Appendix supplements the existing OMB documents and
provides new guidance to help agencies protect privacy while reducing improper payments with
the DNP Initiative.

B) Scope and Applicability
Part V of this Appendix implements Section 5 of IPERIA and applies to agencies’ activities
related to the DNP Initiative. 30 Some of the requirements in this Appendix apply to all DNP
26

5 U.S.C. § 552a.

Computer Matching and Privacy Protection Act of 1988, Pub. L. No.100-503, 102 Stat. 2507 (1988).

28
Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy

Protection Act of 1988, 54 Fed. Reg. 25818-29 (June 19, 1989), available at

https://www.whitehouse.gov/sites/default/files/omb/inforeg/final_guidance_pl100-503.pdf.
29
See OMB Memorandum M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal
Privacy (Dec. 20, 2000), available at https://www.whitehouse.gov/omb/memoranda_m01-05/; see also OMB
Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act,
available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf.
30
FIPCA expanded the Do Not Pay Initiative to State and local governments and the legislative and judicial
branches of the Federal Government. However, this Appendix does not serve as guidance for State and local
governments or the legislative and judicial branches of the Federal Government.
27

56

Initiative activities (indicated by the term “DNP Initiative”), while other requirements are
specific to Treasury’s Working System (indicated by the term “Treasury’s Working System”), as
defined in section C. As required by section 5(e)(3)(B) of IPERIA, this guidance also clarifies
some issues regarding matching programs in general.
Although this Appendix creates new policy requirements, nothing in this document extends the
legal requirements of the Privacy Act to information or activities that would not otherwise be
covered under the statute. 31 IPERIA does not modify the definitions in the Privacy Act. Agencies
should consult with their counsel and Senior Agency Official for Privacy to determine whether
an activity is covered by the requirements in the Privacy Act and the corresponding requirements
in this Appendix.
While IPERIA does not explicitly amend the definitions in the Privacy Act, it nonetheless
changes how the Privacy Act applies for purposes of the DNP Initiative. 32 Specifically, IPERIA
establishes new standards and procedures that apply to matching programs conducted
exclusively for purposes of the DNP Initiative. The DNP-specific standards and procedures do
not apply to other efforts to combat improper payments or matching programs that are not part of
the DNP Initiative. For all matching programs, agencies should continue to follow the existing
standards and procedures in law and OMB policies unless directed otherwise in this guidance. In
particular, agencies should follow OMB’s Final Guidance Interpreting the Provisions of Public
Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 33 OMB Circular A­
130, 34 OMB Circular A-108, 35 and OMB Memorandum M-01-05, Guidance on Inter-Agency
Sharing of Personal Data – Protecting Personal Privacy. 36

31

As provided in OMB guidance, agencies should consider applying the matching principles in contexts other than
those covered by the matching requirements. See OMB Memorandum M-01-05, Guidance on Inter-Agency Sharing
of Personal Data – Protecting Personal Privacy (Dec. 20, 2000) (“Although this guidance applies directly only to
programs covered by the Matching Act, agencies should consider applying these principles in other data sharing
contexts.”).
32
For example, section 5(e)(2)(D) of IPERIA provides that, for the purposes of IPERIA, section 552a(o)(1) of the
Privacy Act should be applied by substituting “between the source agency and the recipient agency or non-Federal
agency or an agreement governing multiple agencies” for “between the source agency and the recipient agency or
non-Federal agency” in the matter preceding subparagraph (A).
33
Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy
Protection Act of 1988, 54 Fed. Reg. 25818-29 (June 19, 1989), available at
https://www.whitehouse.gov/sites/default/files/omb/inforeg/final_guidance_pl100-503.pdf.
34
OMB Circular A-130, Federal Agency Responsibilities for Maintaining Records About Individuals, available at
https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf.
35
OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy
Act, available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a­
108.pdf
36
OMB Memorandum M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy
(Dec. 20, 2000), available at https://www.whitehouse.gov/omb/memoranda_m01-05/.

57

C) Definitions
a.	 The terms “agency,” “individual,” “maintain,” “record,” “system of records,” “routine
use,” “recipient agency,” “non-Federal agency,” and “source agency,” as used in Part V
of this Appendix, are defined in the Privacy Act. 37
b.	 Computer matching agreement. The term “computer matching agreement” (CMA)
means a written agreement between a source agency and a recipient agency (or multiple
source and/or recipient agencies, as appropriate) or a non-Federal agency that allows the
parties to engage in a matching program. In a Do Not Pay matching program, original
source agencies need not be a party to a computer matching agreement between Treasury
and a payment-issuing agency. Computer matching agreements are described in more
detail in the Privacy Act, 5 U.S.C. § 552a(o), and in OMB guidance. 38
c.	 Data Integrity Board. The term “Data Integrity Board” (DIB) means the board of senior
personnel designated by the head of an agency that is responsible for reviewing the
agency’s proposals to conduct or participate in a matching program, and for conducting
an annual review of all matching programs in which the agency has participated.
d.	 Do Not Pay Initiative. The term “Do Not Pay Initiative” (DNP Initiative) means the
initiative codified by section 5 of IPERIA to facilitate Federal agencies’ review of
payment or award eligibility for purposes of identifying and preventing improper
payments. The initiative may include other activities, as designated by OMB.
e.	 Do Not Pay matching program. The term “Do Not Pay matching program” (DNP
matching program) means a matching program (as defined in this Appendix) that is
conducted for purposes of the Do Not Pay Initiative and involves at least one of the six
databases enumerated in section 5(a)(2) of IPERIA, as amended, and/or a database
designated by OMB pursuant to Part V, section F of this Appendix. Do Not Pay
matching programs are subject to alternative standards and procedures (as provided in
this Appendix) that are different from the standards and procedures that apply to
matching programs outside of the Do Not Pay Initiative.
f.	 Federal benefit program. The term “Federal benefit program” is defined in the Privacy
Act 39 and refers to any program administered or funded by the Federal Government, or
by any agent or State on behalf of the Federal Government, providing cash or in-kind
assistance in the form of payments, grants, loans, or loan guarantees to individuals.

37

See 5 U.S.C. § 552a(a)(1)-(5), (7), (9) - (11).

See Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy

Protection Act of 1988, 54 Fed. Reg. 25818, 25826 (June 19, 1989).

39
See 5 U.S.C. § 552a(a)(12).

38

58

g.	 Inspector General. The term “Inspector General” means any Inspector General
described in subparagraph (A), (B), or (I) of section 11(b)(1) of the Inspector General Act
of 1978 40 and any successor Inspector General.
h.	 Matching program. The term “matching program” is defined in the Privacy Act 41 and
generally refers to a computerized comparison of records from two or more automated
systems of records, or an automated system of records and automated records maintained
by a non-Federal agency (or agent thereof). A matching program pertains to either
Federal benefit programs or Federal personnel or payroll records. A Federal benefit
match is performed for purposes of determining or verifying eligibility for payments
under Federal benefit programs, or recouping payments or delinquent debts under Federal
benefit programs. A matching program involves not just the matching activity itself, but
also the investigative follow-up and ultimate action, if any.
i.	 Multilateral computer matching agreement. The term “multilateral computer matching
agreement” (multilateral CMA) means a computer matching agreement that involves
more than two agencies. 42 For the purposes of a Do Not Pay matching program involving
Treasury’s Working System, a multilateral CMA involves Treasury and more than one
payment-issuing agency.
j.	 Original Source agency. The term “original source agency” means a Federal agency that
discloses records from a system of records to another agency in order to allow that
agency to use the records in a matching program with a payment-issuing agency. For the
40

5 U.S.C. App.

The term “matching program”(A) means any computerized comparison of—(i) two or more automated systems of

records or a system of records with non-Federal records for the purpose of—

(I) establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory
requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with
respect to, cash or in-kind assistance or payments under Federal benefit programs, or
(II) recouping payments or delinquent debts under such Federal benefit programs…
(B) but does not include—
(i) matches performed to produce aggregate statistical data without any personal identifiers; (ii) matches
performed to support any research or statistical project, the specific data of which may not be used to make
decisions concerning the rights, benefits, or privileges of specific individuals; (iii) matches performed, by
an agency (or component thereof) which performs as its principal function any activity pertaining to the
enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement
investigation of a named person or persons for the purpose of gathering evidence against such person or
persons; (iv) matches of tax information… (v) matches—
(I) using records predominantly relating to Federal personnel that are performed for routine administrative
purposes…
(II) conducted by an agency using only records from systems of records maintained by that agency;
if the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse
 
action against Federal personnel; or (vi) matches performed for foreign counterintelligence purposes or to
produce background checks for security clearances of Federal personnel or Federal contractor personnel;
(vii) matches performed incident to a levy described in section 6103(k)(8) of the Internal Revenue Code of
1986; (viii) matches performed pursuant to section 202(x)(3) or 1611(e)(1) of the Social Security Act (42
U.S.C. 402(x)(3), 1382(e)(1));
42
The term “multilateral” simply refers to an agreement with multiple parties; it does not refer to an agreement that
involves databases outside the United States that are not under the control of a Federal (or non-Federal) agency.
41

59

purposes of a Do Not Pay matching program involving Treasury’s Working System, an
original source agency discloses records to Treasury in order to allow Treasury to engage
in a Do Not Pay matching program with payment-issuing agencies. In a Do Not Pay
matching program, original source agencies need not be a party to a computer matching
agreement between Treasury and a payment-issuing agency.
k.	 Payment-issuing agency. The term “payment-issuing agency” means a Federal agency
that has the authority to issue a payment or award and engages in a matching program for
the purposes of determining or verifying eligibility for the payment or award under a
Federal benefit program or of recouping the payment under a Federal benefit program.
Generally, the payment-issuing agency will be the agency that benefits from the matching
program. The payment-issuing agency is responsible for conducting the cost-benefit
analysis and meeting the reporting and publication requirements in the matching
provisions of the Privacy Act. If more than one payment-issuing agency is a party to a
matching program, the payment-issuing agency may assign these responsibilities
described in this Appendix.43
l.	 Treasury’s Working System. The term “Treasury’s Working System” means the Do Not
Pay Initiative functions performed by the Department of the Treasury that are authorized
by section 5 of IPERIA. Treasury’s Working System includes Treasury’s system of
records for Do Not Pay, as well as other activities such as investigation activities for
fraud and systemic improper payments detection through analytic technologies and other
techniques.

General Guidance
1) What is the “Do Not Pay” Initiative?
IPERIA, as amended by the Bipartisan Budget Act of 2013 and the Federal Improper Payments
Coordination Act of 2015 (FIPCA), requires agencies to ensure that a thorough review of
available databases occurs prior to the release of Federal funds to help verify eligibility and
prevent certain improper payments. The Do Not Pay (DNP) Initiative provides resources for
agencies to review payment or award eligibility for purposes of identifying and preventing
improper payments. The DNP Initiative encompasses multiple resources to support agencies in
checking entity eligibility for awards or payment and emphasizes central portals housed at
agencies that allow agencies to check award and payment information against multiple databases
at once. Examples of central portals include Treasury’s Working System and the Integrated
Award Environment (IAE) System for Award Management (SAM) maintained by the General
Services Administration (GSA).
The DNP Initiative also incorporates other agency entities and activities that best promote
program integrity based on program authorities and cost effectiveness. Five agencies with
programs susceptible to improper payments– the Department of Health and Human Services
43

For guidance on the publication and reporting requirements of the Privacy Act, see OMB Circular A-130,
Appendix I.

60

(HHS), the Internal Revenue Service (IRS), the Social Security Administration (SSA), the
Department of Defense (DOD), and the Department of Labor (DOL) – have their own robust
internal payment integrity programs and can best address improper payments in their respective
programs. This initiative may include other activities, as designated by OMB.
Some databases can be accessed through several different channels. For example, the IAE
maintained by GSA will continue to provide central access to SAM, where the procurement and
grant community currently accesses information –such as excluded parties, vendor information,
representations, and certifications – to check contractor and recipient eligibility prior to award as
required by the FAR and the Uniform Guidance. 44 Agencies should review their end-to-end
payment process from pre-award to disbursement and identify how these central portals can
support their internal control processes if they are not doing so already.
2) What is the Treasury Working System?
The Treasury Working System is the legislatively mandated and OMB designated source of
centralized data and analytic services for the DNP Initiative for all Federal payments. The
Treasury Working System includes a system of records for DNP (Do Not Pay portal) that allows
agencies to perform pre-payment reviews as well as other activities such as investigation
activities for fraud and systemic improper payments detection through analytic technologies and
other techniques. The results of these checks provide information that an agency should consider
as part of their efforts to prevent improper payments. The Treasury Working System is only one
component of an agency’s end-to-end internal control environment designed to mitigate
improper payments.
Does the Treasury Working System identify whether a payment is proper or improper?
Treasury’s Working System does not tell an agency whether a payment is proper or improper. It
will highlight records that may require further research. Treasury’s Working System is just one
tool to help agencies mitigate or eliminate improper payments by flagging payees who may not
be eligible to receive Federal payments or engage in Federal programs. Leveraging and
incorporating Treasury’s Working System into agency end-to-end internal control and risk
management processes and practices will strengthen program integrity. Agencies must still apply
their internal policies, regulatory requirements, legal obligations, and procedures to adjudicate
findings and ultimately determine whether payees are eligible and payments are proper.
What does the Treasury Working System offer to user agencies?
The Treasury Working System offers user agencies four different functionalities by which they
can perform searches of databases at various times during the payment process. For the payment
integration function, agencies receive matches through the Treasury Working System and are
44

The GSA IAE also provides agencies with central access to the Federal Awardee Performance and Integrity
Information System (FAPIIS), the Past Performance Information Retrieval System (PPIRS), and other database
systems that support the integrity of the Federal award process as mandated by statute, the FAR or the Uniform
Guidance; full access to some of the data in these award related systems in the IAE is restricted by statute, the FAR,
or the Uniform Guidance .

61

required to record adjudication results for these matches in the system. For the online single
search, batch matching, and continuous monitoring functions, agencies receive matches through
the DNP working system but are not required to record adjudication results for these matches in
the system.
a.	 Payment Integration. The payment integration functionality matches agency payment

files that are sent to Treasury at the time of payment. Federal agencies are required to use
the payment integration function unless they receive a waiver from OMB. To obtain a
waiver, agencies should submit a memo to OMB with evidence that payment integration
is either burdensome (e.g., large amount of false positives) or duplicative of current
agency functionality. In their request, agencies should demonstrate how existing data
matching processes meet the requirements in IPERIA. To reduce the number of falsepositives, agencies should work with Treasury to develop business rules to refine the
matching process and improve the effectiveness of Treasury’s Working System.
b.	 Online single search. Through online single search, an agency can match a single entity

against the authorized and available databases for that agency in the DNP working
system.
c.	 Batch matching. Batch matching is a similar process in which an agency can match

multiple entities against the authorized and available databases at one time. Online single
search and batch matching can be conducted either before or after a payment is made, as
decided by the agency.
d.	 Continuous monitoring. Continuous monitoring matches an agency’s file of entities

against the authorized and available data sources on an ongoing basis whenever the data
is updated.
How should agencies effectively use the Treasury Working System?
It is essential that agencies have a clear understanding of their current operating environment
prior to implementing Treasury’s Working System, as appropriate. Agencies must understand
their current end-to-end payment process from pre-award to disbursement, applicable regulatory
or statutory requirements, and how other Federal-wide portals are used in maintaining the
integrity of the Federal award process. This will include existing award and payment policies,
types of payments, volume and size of payments, risk of improper payments, risk of fraud, and
any existing mitigating controls. Once agencies have a clear understanding of their current
operating environment, agencies should assess how Treasury’s Working System could support or
supplement existing controls in their payment process. DNP staff can assist agencies in
determining how best to implement Treasury’s Working System. Considerations for how best to
use Treasury’s Working System include:
a.	 Streamlining existing data matching processes. Agencies are encouraged to identify

specific data sources that are relevant to their needs. In addition, agencies that currently
match against data sources through arrangements with the source agency should assess
whether matching through Treasury’s Working System would be more efficient, less
costly, or could free agency data analysts for other efforts that safeguard federal
62

payments.
b.	 Screening payees before a payment is made. Agencies that provide recurring benefits

payments are encouraged to assess whether utilizing the continuous monitoring or match
matching functionalities could prevent future improper payments. If an agency identifies
that a benefit recipient is no longer eligible, they can reduce the risk of having to recover
future overpayments by using these functionalities to detect a recipient’s change in
eligibility before a payment is made.
c.	 Data quality assessments. Agencies can use DNP Analytics Services to understand the

quality of their payment data and detect anomalous payment patterns and trends.
Agencies that maintain lists of benefit recipients can utilize continuous monitoring to
ensure that these lists are current and do not include names of entities no longer eligible
for government awards. Agencies could also consider using the analytics services in
identifying anomalies in payment files that may need further exploration in either the
System for Award Management or DNP in order to ensure appropriate payments are
issued in a timely manner.
d.	 Tailoring the results of matching to program requirements. During the process of

adjudicating matches received through payment integration, agencies are encouraged to
identify “false positives” or improper matches and provide these back to the Treasury
Working System. Working with Treasury to develop business rules that will account for
program-specific requirements in returning matching results will reduce the number of
“false positives” in the future.
e.	 Using Analytics Services to develop solutions for program-specific improper payment

challenges. Agencies needing support to address improper payments that cannot be
addressed through Treasury’s Working System can use DNP Analytics Services. These
services can assist agencies in developing data-centric solutions to strengthen existing
controls or create and implement new controls that are program specific.
Agencies should have documented policies and procedures for determining whether a data match
including those produced from Treasury’s Working System represented an improper payment.
This includes verifying a match against a secondary data source, and providing individuals an
opportunity to contest the matching results prior to taking adverse action.
IPERIA requires payments and awards be reviewed, before their issuance, against specific data
sources if those sources are applicable to verify eligibility of the payment and award. Utilizing
Treasury’s Working System for pre-payments and the GSA System for Award Management for
pre-award is an easy way to demonstrate how an agency’s data matching processes meet the
requirements in IPERIA, the FAR, and the Uniform Guidance.
Which payments are matched through Treasury’s Working System?
The payment integration functionality is part of Treasury’s payment issuance process. However,
payments that are made through other means—such as non-Treasury disbursing offices (NTDOs)
or contractors—are not automatically matched. Further, certain federal payments flow through
63

various entities—such as state or local governments—before ultimately being spent for their
intended purposes. For example, benefits for USDA’s Supplemental Nutrition Assistance
Program are funded by the Federal Government, but states are responsible for determining
individual and household eligibility for the program, calculating the amount of monthly benefits,
and issuing benefits on an electric benefit transfer card. In these cases, only the payment from the
Federal Agency disbursing office to the first recipient is required to be matched, and subsequent
payments—such as those disbursed by state and local agencies and contractors to the ultimate
recipients—are not required to be matched through DNP’s payment integration process, though
they may go through other agency-specific reviews.

Roles and Responsibilities
What are OMB’s responsibilities relating to the DNP Initiative?
OMB is responsible for:
a.	 Implementing the DNP Initiative and providing guidance, oversight, and continued
assistance to agencies.
b.	 Establishing a working system for the lifecycle of a payment as part of the DNP
Initiative.
c.	 Designating additional databases for inclusion in the DNP Initiative, including
Treasury’s Working System.
d. Submitting annual reports to Congress regarding the operation of the DNP Initiative.
What is Treasury responsible for in the DNP Initiative?
Treasury is responsible for:
a.	 Hosting a working system (Treasury’s Working System) for the DNP Initiative that
includes a system of records for DNP that allows agencies to perform pre-payment
eligibility reviews, as required in IPERIA.
b.	 Developing memoranda of understanding (MOUs) with original source agencies, as
described in this Appendix, and periodically reviewing the MOUs to determine whether
the terms are sufficient.
c.	 Entering into CMAs with payment-issuing (or payment-certifying) agencies, as

described in this Appendix.

d.	 Periodically reassessing whether all of the data in Treasury’s Working System are
relevant and necessary to meet the objectives in section 5 of IPERIA and deleting or
expunging any data that are not.
e.	 Taking reasonable steps to ensure that records in Treasury’s Working System are
sufficiently accurate, complete, and up-to-date as is reasonably necessary to ensure
fairness to the individual records subjects.
f.	 Coordinating with original source agencies to develop a process that allows individuals
to request the correction of data.
g.	 Providing a process for payment-issuing (or payment-certifying) agencies to request
additional databases for inclusion in the DNP Initiative.
64

h.	 Preparing and submitting to OMB a written assessment to document the suitability of
any commercial databases that could be designated for use in Treasury’s Working
System.
i.	 Maintaining a central DNP Business Center website that provides transparency into
DNP’s computer matching activities on behalf of agencies. Information could include
links to published CMAs, system of records notices, or privacy impact assessments, as
relevant to DNP’s work.
j.	 Complying with all applicable requirements in the Privacy Act and other applicable
laws, regulations, and policies, as well as with the terms of all relevant CMAs and
MOUs.
k. Submitting periodic reports to OMB.
What are original source agencies responsible for in the DNP Initiative?
Original source agencies are responsible for:
a.	 Ensuring that they have sufficient legal authority and specific designation from OMB
(except as provided by law) before disclosing records to Treasury for inclusion in
Treasury’s Working System.
b.	 Entering into a written MOU with Treasury that describes how Treasury may use the
records in question and provides rules for protecting and correcting the information and
for the retention and destruction of records.
c.	 Confirming that Treasury has the appropriate level of security controls before sharing
any records with Treasury.
d.	 Coordinating with Treasury to develop a process that allows individuals to request the
correction of data, and promptly reviewing any request for correction.
e.	 Complying with all applicable requirements in the Privacy Act and other applicable
laws, regulations, and policies, as well as with the terms of all relevant MOUs.
What are payment-certifying agencies responsible for in the DNP Initiative?
Payment-certifying agencies are responsible for:
a.	 Ensuring that they have sufficient legal authority to engage in a matching program for
purposes of the DNP Initiative.
b. Entering into CMAs with Treasury, as described in this Appendix.
c.	 Conducting the cost-benefit analysis and meeting the reporting and publication 

requirements in the matching provisions of the Privacy Act.

d.	 Ensuring that they only match against data sources that are relevant and necessary for
the specific matching purpose.
e.	 Have sufficient documented policies and procedures to determine whether a DNP match
represented an improper payment, including verifying a DNP match against a secondary
source and providing individuals an opportunity to contest the matching results prior to
taking adverse action.
f.	 Making determinations about the disbursement of payments or awards, consistent with
legal authority.
65

g.	 Complying with all applicable requirements in the Privacy Act and other applicable
laws, regulations, and policies, as well as with the terms of all relevant CMAs.
What are agencies’ Senior Agency Officials for Privacy responsible for in the DNP
Initiative?
Agencies’ Senior Agency Official for Privacy are responsible for:
a.	 Developing a training program for the agency’s DIB to ensure that all members of the
DIB are properly trained and prepared to fulfill their duties with respect to all matching
activities at the agency.
b.	 Periodically reviewing the effectiveness and responsiveness of the agency’s DIB to
determine whether the DIB needs additional support or instruction.

Databases in the DNP Initiative
What databases are included in the DNP Initiative?
Section 5(a)(2) of IPERIA, as amended, lists the following data sets that should be included
in the DNP Initiative:
1.	 the death records maintained by the Commissioner of the Social Security Administration
(SSA),
2.	 GSA System for Award Management (SAM) Exclusion Records (formerly known as the
Excluded Parties List System or EPLS),
3. Treasury’s Offset Program (TOP) Debt Check Database,
4.	 the Department of Housing and Urban Development’s Credit Alert System or Credit
Alert Interactive Voice Response System (CAIVRS) that is comprised of records from
HUD, Department of Justice (DOJ), Small Business Administration (SBA), Department
of Education, Department of Agriculture (USDA), and Veterans Affairs (VA),
5.	 the Department of Health and Human Services Office of the Inspector General’s List of
Excluded Individuals/Entities (LEIE),
6. prisoner data maintained in the Prisoner Update Processing System (PUPS) by SSA,
In addition, on November 24, 2017, OMB designated the following six databases 45 for
inclusion under the DNP Initiative:
1.	 the Department of the Treasury’s Office of Foreign Assets Control’s Specially

Designated National List (OFAC List);

2.	 data from the GSA System for Award Management sensitive financial data from entity
registration records (including those records formerly housed in the legacy Excluded
Parties List System);
3. the Internal Revenue Service’s (IRS) Automatic Revocation of Exemption List (ARL);
4. the IRS’s Exempt Organization Select Check (EO Select Check);
45

https://www.federalregister.gov/documents/2017/11/24/2017-25416/designation-of-databases-for-treasurys­
working-system-under-the-do-not-pay-initiative

66

5. the IRS’s e-Postcard database; and
6. the commercial database American InfoSource (AIS) Deceased Data
On December 18, 2015, the Federal Improper Payments Coordination Act (FIPCA) of 2015 was
signed into law. FIPCA requires the Secretaries of State (State) and Defense (Defense) to
establish a procedure to provide information relating to the deaths of individuals to each Federal
agency for which the Director of OMB determines receiving and using such information would
be relevant and necessary. Consistent with the roles described in this Appendix, OMB has
directed State and Defense to make this information available for use by Federal agencies in
Treasury’s Working System.
How do agencies propose additional databases for designation?
Agencies that wish to suggest additional databases (either commercial databases or government
databases) for use in Treasury’s Working System should identify them to Treasury. Treasury will
work with the requesting agency and the original source agency to provide feedback and evaluate
the database for inclusion in the working system prior to making a recommendation to OMB.
When evaluating a Federal database for inclusion, Treasury should consider the evaluation
criteria below. When evaluating a commercial database for inclusion, Treasury’s Senior Agency
Official for Privacy should prepare and submit a written assessment to document the suitability
of the commercial database for use in the DNP Initiative. The assessment should include all
applicable information that is required in a CMA and explain how the database meets all
applicable requirements in this Appendix.
How are additional government databases designated for inclusion in the DNP

Initiative?

Section 5(b)(1)(B) of IPERIA provides that OMB may designate additional databases for
inclusion in the DNP system, in consultation with the appropriate agencies. Treasury may only
use or access additional databases for Treasury’s Working System once OMB has officially
designated such databases for inclusion, except as provided by law. Before designating
additional databases, OMB will publish a 30-day notice of the designation proposal in the
Federal Register asking for public comment. At the conclusion of the 30-day comment period, if
OMB decides to finalize the designation, OMB will publish a notice in the Federal Register to
officially designate the database for inclusion in the DNP Initiative. In addition, Treasury will
update the central DNP Initiative website to notify all agencies that additional databases are
available for use.
When considering additional databases for designation, OMB will consider:
a.
b.
c.
d.
e.	

Statutory or other limitations on the use and sharing of specific data;
Privacy restrictions and risks associated with specific data;
Likelihood that the data will strengthen program integrity across programs and agencies;
Benefits of streamlining access to the data through Treasury’s Working System;
Costs associated with expanding or centralizing access, including modifications needed
to systems interfaces or other capabilities in order to make data accessible; and
f. Other policy and stakeholder considerations, as appropriate.
67

OMB will only consider the inclusion of data in the DNP Initiative if the data are relevant and
necessary to meet the objectives of section 5 of IPERIA. In the case of Treasury’s Working
System, Treasury should periodically reassess whether all data in Treasury’s Working System
meet this standard and delete or expunge any data that do not.
An OMB designation is not sufficient to allow agencies to provide records to Treasury for
Treasury’s Working System. Agencies must also have legal authority to disclose records. This
Appendix alone does not provide agencies with such authority. Whenever OMB designates
additional databases for inclusion in Treasury’s Working System, the designation is subject to
the original source agency’s determination that it has the necessary legal authority to share the
data with Treasury. In addition, prior to sharing any records, original source agencies should
confirm that Treasury affords the appropriate level of security controls, comparable to those
employed by the source agency. Original source agencies should develop a MOU with Treasury
that describes all restrictions on the use of a particular dataset, and all security controls and other
requirements. Treasury should describe all of these restrictions, security controls, and
requirements in the CMAs with payment-issuing agencies, as applicable.
What are the requirements regarding the use or access of commercial databases?
a.	 Use of or Access to Commercial Databases. Section 5(d)(2)(C) of IPERIA provides that

the DNP Initiative may include the use of or access to commercial databases. Some
commercial databases would be useful tools to help the Federal Government meet the
objectives in the DNP Initiative. However, commercial databases may also present new
or increased privacy risks, such as databases with inaccurate or out-of-date information.
b.	 General Standards for the Use of or Access to Commercial Databases. Commercial
databases are subject to the requirements in section F(3) of this Appendix. Treasury may
only use or access commercial databases for the DNP Initiative if OMB has officially
designated such databases for inclusion following a period of public notice and comment
as described in this Appendix. Please see requirements for written assessment of the
suitability of a commercial database below.
c.	 Applicability of the Matching Requirements. In general, a matching program is a
computerized comparison involving records from two or more automated systems of
records, or an automated system of records and automated records maintained by a nonFederal agency (or agent thereof). Thus, a matching activity involving an automated
system of records and a commercial database that is not part of a system of records would
generally not be subject to the computer matching requirements.
However, OMB has provided that agencies should not adopt data exchange practices that
deliberately avoid the reach of the Privacy Act where compliance would otherwise be
required. Furthermore, as stated in OMB Memorandum M-01-05, Guidance on InterAgency Sharing of Personal Data – Protecting Personal Privacy, agencies should
consider applying the computer matching principles in data sharing contexts other than

68

those covered by the computer matching requirements.
d.	 Written Assessment of the Suitability of a Commercial Database. Before OMB
considers designating a commercial database for use or access in the DNP Initiative,
Treasury’s Senior Agency Official for Privacy should prepare and submit a written
assessment to document the suitability of the commercial database for use in the DNP
Initiative. The written assessment should describe the need to use or access the data,
explain how the data will be used or accessed, provide a description of the data (including
each data element that will be used or accessed), and explain how the database meets all
applicable requirements in this Appendix. Commercial data may only be used or
accessed for the DNP Initiative when the commercial data in question would meeting the
following general standards:
1.	 Information in commercial databases must be relevant and necessary to meet
the objectives described in section 5 of IPERIA.
2.	 Information in commercial databases must be sufficiently accurate, up-to-date,
relevant, and complete to ensure fairness to the individual record subjects.
3.	 Information in commercial databases must not contain information that
describes how any individual exercises rights guaranteed by the First
Amendment, unless use of the data is expressly authorized by statute.
In addition to the general standards provided above, Treasury should meet the following
specific requirements whenever agencies use or access a commercial database as part of
Treasury's Working System:
1.	 Treasury should establish rules of conduct for persons involved in the use of
or access to commercial databases and instruct each person with respect to
such rules, including penalties for noncompliance, as appropriate.
2.	 Treasury should establish appropriate administrative, technical, and physical
safeguards to ensure the security and confidentiality of information in
commercial databases when such information is under Treasury's control.
e.	 Pilot Programs. Treasury may use or access data sources, including commercial
databases, as part of a pilot program without satisfying the requirements in this section of
the Appendix. A pilot program involves a small-scale use or access of commercial data
in order to gather information on which to base a decision about seeking broader use or
access. A pilot program should terminate after a maximum of 6 months. No agency may
stop any payments or awards or take any other adverse action against an individual as a
result of a pilot program.
f.	 Compliance with Law. Agencies are reminded that commercial databases used in the
DNP Initiative may constitute a system of records or become part of a system of records,
subject to all applicable requirements in the Privacy Act. In addition to the Privacy Act,
agencies should comply with all applicable requirements in the Paperwork Reduction
Act, the Federal Records Act, the Information Quality Act, and other applicable laws,
regulations, and policies.
69

Use, Maintenance, Duplication, and Redisclosure of Records
Any records provided from an original source agency to Treasury for purposes of Treasury’s
Working System should not be used, maintained, duplicated, or redisclosed for any purpose other
than those described in section 5 of IPERIA or this Appendix, except where required by law. All
uses of the records should be clearly described in the MOU between Treasury and the original
source agency, as well as in Treasury’s system of records notice for DNP. At a minimum,
original source agencies should specify in the MOU that all limitations on the use, maintenance,
duplication, or disclosure of the records at the original source agency also apply to Treasury. In
addition, Treasury should ensure that all routine uses listed in Treasury’s Working System
system of records notice are appropriate and properly tailored for every dataset to which they
apply in Treasury’s Working System. MOUs are not required for Treasury to maintain public
government data sources.
Recipient agencies should only allow Treasury to match against data sources in Treasury’s
Working System that are relevant and necessary for the specific matching purpose (e.g., they
should not match against citizenship data if citizenship is not relevant to the payment or award in
question). The specific terms of the DNP matching program should be described in the CMA
and reviewed by each payment-issuing agency’s DIB. All parties to the CMA are responsible for
adhering to these terms.

Retention and Destruction of Records
Agencies are required to follow all applicable guidelines from the National Archives and
Records Administration (NARA) and other applicable requirements. Original source agencies
should specify in the MOU that Treasury will abide by the same rules for the retention and
destruction of records that apply to the original source agencies. The rules should not change
simply because records are provided to Treasury. As required in the Privacy Act, the relevant
agencies’ DIBs should annually review agency recordkeeping and disposal policies and practices
for conformance with the statute.

Procedural Safeguards
a.	 General Due Process Requirements. Section 5(e)(4) of IPERIA requires OMB to

establish procedures providing for the correction of data in order to ensure compliance
with the Privacy Act. The Privacy Act, at 5 U.S.C. 552a(p), establishes certain due
process requirements that individuals whose records are used in a matching program
should be afforded when matches uncover adverse information about them. As provided
in section 5(e)(6) of IPERIA, nothing in IPERIA should be construed to affect the rights
of an individual under the Privacy Act at 5 U.S.C. 552a(p).
b.	 Verification of Adverse Information. Before adverse action is taken against an
individual, any adverse information that agencies discover should be subjected to
investigation and verification, unless an agency’s DIB waives this requirement pursuant
to the Privacy Act at 5 U.S.C. 552a(p)(1)(A)(ii). Verification requires a confirmation of
the specific information that would be used as the basis for an adverse action against an
70

individual. Absolute confirmation is not required; a reasonable verification process that
yields sufficient confirmatory data will provide the agency with a reasonable basis for
taking action. In each case, agencies should document the specific information on which
any determination about an individual is based.
c.	 Notice and Opportunity to Contest. Once agencies have verified the adverse
information, they should provide the individual with notice and an opportunity to contest
before taking adverse action. The notice should inform the individual of the relevant
information and give him or her an opportunity to provide an explanation. Individuals
should have 30 days to respond to a notice of adverse action, unless a statute or
regulation provides a different period of time.
d.	 Stopping a Payment or Award. Except as provided by law, only the agency with 

authority to issue a payment or award may decide to stop the payment or award. 

IPERIA does not provide Treasury with such authority. However, when the payment

certifying agency certifies a payment to Treasury for disbursement, the Disbursing

Official, consistent with his or her responsibility to ensure that payments are issued

accurately and correctly, may act on behalf of the certifying agency to stop a payment

(i.e., not disburse the payment) only as directed by the certifying agency, in accordance

with criteria and instructions specified by the certifying agency.


Correction of Data
a.	 Accuracy of Records in Treasury’s Working System. Because the records in Treasury’s
Working System will be used to help agencies make determinations about individuals,
Treasury should take all reasonable steps to ensure that records in Treasury’s Working
System are sufficiently accurate, complete, and up-to-date as is reasonably necessary to
ensure fairness to the individual record subjects. Treasury’s MOU with original source
agencies should describe the means by which the original source agencies will ensure that
the records provided to Treasury meet these standards. Treasury’s Senior Agency
Official for Privacy should periodically review agreements put in place with government
and commercial data sources to determine whether they are sufficient.
b.	 Correction of Data. Section 5(e)(4) of IPERIA requires OMB to establish procedures
providing for the correction of data in order to ensure compliance with the Privacy Act.
Treasury should coordinate with original source agencies to develop a process that allows
individuals to request the correction of data. The process should meet the following general
requirements:
1.	 If a request for correction is made directly to Treasury, Treasury should promptly

inform the original source agency (or agencies) of the request. The original source
agency should promptly review the request and determine whether corrections should
be made to the data in question. Original source agencies should follow their existing
process for handling such requests. Some original source agencies have laws,
regulations, or policies that govern how individuals may request corrections to
records in a system of records. Thus, original source agencies may not be able to
71

make corrections to records solely based on information provided by Treasury.
However, original source agencies should review all information provided by
Treasury and, if appropriate, contact the individual making the request.
2.	 If a request for correction is made to an original source agency, the original source
agency should determine whether corrections should be made to the data and
promptly inform Treasury of the determination if the data are included in Treasury's
Working System. Whenever an original source agency determines that corrections are
needed to data, the data should be corrected at both the original source agency and in
Treasury's Working System. Treasury and the original source agency should take
reasonable steps to avoid discrepancies between two versions of the same dataset.
The data correction process should be described on Treasury’s DNP website, in
Treasury’s DNP system of records notice, and in all relevant MOUs and CMAs.
c.	 Reporting to OMB. Treasury should annually report to OMB the total number of
requests made to Treasury for the correction of data in Treasury's Working System. In
addition, Treasury should report to OMB the number of such requests that actually led to
corrections of records.

Computer Matching Agreements for Do Not Pay
a.	 Multilateral CMAs. Section 5(e)(2)(D) of IPERIA authorizes CMAs “governing
multiple agencies” for purposes of the DNP Initiative. 46 Agencies’ default for a matching
program should always be traditional CMAs between one source agency and one
recipient agency. However, in certain circumstances there may be advantages to using a
multilateral CMA.
b.	 Considerations for the Use of Multilateral CMAs. Agencies may consider using
multilateral CMAs if both the matching purpose and the specific data elements that will
be matched are sufficiently similar across all of the agencies to allow all parties to satisfy
the requirements in a single, clear CMA. In making this determination, agencies should
consider whether using a multilateral CMA would lead to unnecessary complexities or
inefficiencies that may offset the benefits. For example, it is possible that a multilateral
CMA would make it more cumbersome for the agencies to alter or amend the CMA.
c.	 Reporting and Publication Requirements. Whenever agencies use a multilateral CMA,
each of the payment-issuing agencies is responsible for meeting the reporting and
publication requirements associated with the matching program. However, the paymentissuing agencies may designate a single agency to report the CMA to OMB and Congress
and publish the notice in the Federal Register on behalf of the other agencies, so long as
such designation is clear in the report and notice. Each agency’s DIB should review the
designation and determine that the arrangement is sufficient to meet the requirements in

46

As a matter of policy, OMB has also allowed agencies to use multilateral CMAs for non-DNP matching
programs, as appropriate.

72

the Privacy Act and provide adequate notice to the public.
d.	 Termination Date of CMAs for DNP. Section 5(e)(2)(C) of IPERIA provides that a
CMA for a DNP matching program should have a termination date of less than 3 years.
Furthermore, during the 3-month period leading up to the scheduled termination of a
CMA, agencies may renew the CMA for a DNP matching program for a maximum of 3
years. The CMA may be re-established thereafter. These new termination periods apply
only to DNP matching programs. Before a matching program may be renewed, each
party should certify that the matching program has been conducted in compliance with
the CMA, and the participating agencies’ DIBs should review the request and determine
that the matching program will be conducted without change.
e.	 Additional Guidance on CMAs for DNP. If agencies currently have CMAs with
Treasury (or any other agency) that involve records that will be provided to Treasury’s
Working System, the agencies may be required to develop new CMAs in order to
accommodate the DNP framework. Like system of records notices, CMAs should be
written at the departmental or agency level, even if the records involved are maintained
by a component. For example, Treasury would enter into a CMA on behalf of the IRS,
even if the match involved only IRS records.

General Guidance on Matching Programs and Review by Data Integrity
Boards
a.	 General Guidance on Matching Programs. The matching requirements of the Privacy
Act should apply to all matching activities that involve a subset of records from a system
of records when the subset of records itself would meet the definition of “system of
records” in the Privacy Act (i.e., it is a group of any records under the control of any
agency from which information is retrieved by the name of the individual or by some
identifying number, symbol, or other identifying particular assigned to the individual), so
long as the other qualifications in the statute are met.
b.	 General Guidance for DIBs. Agencies’ DIBs are responsible for approving or
disapproving proposed matching programs based on an assessment of the adequacy of the
CMA and other relevant information. When DIBs review a proposed matching program,
they should assess the CMA to ensure that it fully complies with the Privacy Act, as well
as any other applicable laws, regulations, and policies. When making a determination,
DIBs should document in writing their reasons for approving or disapproving a matching
program. This documentation should be provided to the appropriate agency officials.
c.	 Training for DIBs. The Senior Agency Official for Privacy should ensure that all
members of the DIB are properly trained and prepared to fulfill their duties. Agency
privacy officials should develop an annual training program that all members of the DIB
should be required to complete, as appropriate. All DIB members should understand the
requirements in the Privacy Act, other relevant laws, and OMB, NIST, and NARA
guidance.

73

d.	 Effectiveness and Responsiveness of DIBs. Agencies’ DIBs should meet often enough
to ensure that matching programs are carried out efficiently, expeditiously, and in
conformance with the law. At a minimum, DIBs should meet annually to evaluate
ongoing matching programs and consider whether any modifications are warranted. In
addition, DIBs should review matching proposals presented to them expeditiously so as
not to cause delays to necessary programs. Each Senior Agency Official for Privacy
should periodically review the effectiveness and responsiveness of the agency’s DIB to
determine whether additional support or instruction is needed.
e.	 60-Day Deadline for Review of a CMA for DNP. Section 5(e)(2)(B) of IPERIA requires
DIBs to respond to a proposed CMA for the DNP Initiative no later than 60 days after the
proposal has been presented to the DIB. This 60-day deadline should apply to new
CMAs, as well as requests for the renewal of an established CMA. The 60-day clock
begins as soon as the agency provides the DIB with the information that the DIB will
need to reach an informed decision about the matching program. Although the 60-day
deadline in the law applies only to DNP matching programs, agencies are encouraged to
adopt this timeframe as a general practice, as appropriate.
In most cases, the DIB’s response to the proposal must be a definitive approval or
disapproval of the matching program. If DIBs have questions about the proposal, those
questions must be submitted to agency officials by day 30 of the 60-day period, if
possible. Agency officials must be available to answer any questions from DIBs in a
timely manner. If circumstances do not permit the DIB to definitively approve or
disapprove the DNP matching program within 60 days, the DIB must provide a brief
letter to the head of the agency (or to the Inspector General in cases where the Inspector
General proposed the matching program) describing the necessity for the delay.
f.	 Reporting to OMB. Agencies should report to OMB the specific number of days that it
takes the DIB to approve or disapprove each proposed DNP matching program.

Cost Benefit Analysis
a.	 Specific Estimate of Savings Not Required for DNP. The Privacy Act requires agencies
to perform a cost-benefit analysis for a proposed matching program. This cost-benefit
analysis normally includes a specific estimate of any savings, which is included as part of
the justification for the matching program in the CMA. However, section 5(e)(2)(E) of
IPERIA provides that agencies’ cost-benefit analyses for a DNP matching program need
not contain a specific estimate of any savings.
b.	 Cost-Benefit Analysis Still Required. Although agencies need not provide a specific
estimate of savings, they should perform a basic analysis of the potential costs and
benefits of any proposed DNP matching program, unless the cost-benefit analysis is not
required pursuant to the Privacy Act at 5 U.S.C. 552a(u)(4)(B)-(C). This analysis should
allow the agency to explain in the CMA why it has good reason to believe that the DNP
matching program would provide cost savings (or why the matching activity would be

74

justified on other grounds).
c.	 DIBs Review All Available Data. When an agency proposes to renew a DNP matching
program (or proposes a new DNP matching program that is similar to a previously
approved matching program), the agency’s DIB must review all available data that was
reported to OMB or Congress, including specific data about costs and benefits.

Public Availability of Computer Matching Agreements
a.	 Publication of CMAs on a Public Website. Section 5(e)(3)(C) of IPERIA requires OMB
to establish rules regarding what constitutes making a DNP Initiative CMA available
upon request to the public. The statute provides that these rules must include requiring
publication of the CMA on a public website.
As a responsibility of hosting the DNP system of records, Treasury must maintain a
central DNP website that includes all of the relevant information about Treasury’s
Working System. In particular, Treasury must post (or provide direct links to) all of the
CMAs, system of records notices, and privacy impact assessments that pertain to
Treasury’s Working System.
b.	 Removing or Redacting Sensitive Information in CMAs. Whenever agencies make
CMAs or other materials available to the public, they should consider removing or
redacting any unnecessary personally identifiable information, as appropriate. In
addition, agencies should consider removing or redacting any information that could
present security risks, such as specific information about security controls for a system
(e.g., password length or complexity).

Federal Improper Payments Coordination Act (FIPCA) of 2015
On December 18, 2015, FIPCA was signed into law. FIPCA requires the Secretaries of the
Departments of State and Defense to establish a procedure to provide information relating to the
deaths of individuals to each Federal agency that the Director of OMB determines such
information would be relevant and necessary. Consistent with this Appendix, Defense and State
have included this death information in Treasury’s Working System for use by Federal agencies.
Finally, Section 2 of FIPCA permits States and the judicial and legislative branches to access the
DNP Initiative for the purpose of verifying payment or award eligibility for payments once OMB
has determined that the DNP Initiative is appropriately established for that entity. OMB remains
committed to reducing improper payments and systemic fraud in the administration of federallyfunded, state-administered programs. Accordingly, the OMB Director will work with Treasury
and States to help determine whether the DNP Initiative should be appropriately established for
particular States.

75

Requirements for Inspectors General in the Do Not Pay Initiative
The Inspector General Empowerment Act of 2016, Public Law 114-317, amended Section 6 of
the Inspector General Act of 1978 (5 U.S.C. App.), as amended. For purposes of section 552a of
title 5, United States Code, or any other provision of law, a computerized comparison of two or
more automated Federal systems of records, or a computerized comparison of a Federal system
of records with other records or non-Federal records, performed by an agency Inspector General
or by an agency in coordination with an agency Inspector General in conducting an audit,
investigation, inspection, evaluation, or other review authorized under this Act should not be
considered a matching program.

76


File Typeapplication/pdf
File TitleM-l8-20
SubjectTransmittal of Appendix C to 0MB Circular A-123 5 Requirements for Payment Integrity Improvement
AuthorOMB
File Modified2018-07-18
File Created2018-06-26

© 2024 OMB.report | Privacy Policy