Witness Testimony of Gregory D. Kutz, Forensic Audits and Investigative Service, U.S. Government Accountability Office
Service-Disabled Veteran-Owned Small Business Program: Additional Improvements to Fraud Prevention Controls Are Needed
Chairmen Stutzman and Johnson, Ranking Members Braley and Donnelly, and Members of the Subcommittees:
Thank you for the opportunity to discuss the fraud prevention controls within the Service-Disabled Veteran-Owned Small Business (SDVOSB) program at the Department of Veterans Affairs (VA). Today’s testimony summarizes our report, released today, on the design of VA’s fraud prevention controls within the SDVOSB verification program, including recent improvements in controls. The SDVOSB program is intended to provide federal set-aside and sole-source contracts to small businesses owned and controlled by one or more service-disabled veterans. About $10.8 billion in contracts were awarded in fiscal year 2010 to firms that self-certified as SDVOSBs in the Central Contractor Registration (CCR), according to the Small Business Administration (SBA). VA’s SDVOSB contracts accounted for $3.2 billion, or about 30 percent of the $10.8 billion in governmentwide SDVOSB contracts during fiscal year 2010. As of October 2011, VA’s VetBiz Vendor Information Pages database shows that the agency has verified the eligibility of more than 5,000 SDVOSB firms. In addition, more than 15,000 firms also self-certified their SDVOSB eligibility in CCR.
In audits of the SDVOSB program conducted in 2009 and 2010, we identified weaknesses in fraud prevention controls that allowed ineligible firms to receive about $100 million in SDVOSB contracts. These weaknesses included a lack of governmentwide controls, which allowed ineligible firms to receive contracts by self-certifying that they were legitimate SDVOSB firms. In addition, we found the absence of continued monitoring of firm eligibility and an ineffective process for investigating and prosecuting firms abusing the program. We also found that VA had made limited progress enacting an effective verification program as required by the Veterans Benefits, Health Care, and Information Technology Act of 2006. To improve governmentwide program controls, we recommended that SBA and VA explore the feasibility of expanding the use of VA’s verified VetBiz database to the rest of the federal government. SBA and VA generally agreed with our recommendation.
After the Veterans Benefits, Health Care, and Information Technology Act of 2006 was passed, Congress passed laws further intended to strengthen the SDVOSB program within VA and governmentwide. The Veterans Small Business Verification Act requires VA to verify a firm’s eligibility before including that firm in the database and permits VA to request additional documentation substantiating veteran ownership and control of a firm in order to establish eligibility. Furthermore, Congress also passed the Small Business Jobs Act of 2010, which facilitates prosecution of firms that willfully seek and receive small business awards through misrepresentation of their status, including SDVOSBs.
Today’s testimony summarizes our report on the design of VA’s fraud prevention controls within the SDVOSB verification program, including recent VetBiz verification efforts, instituted in response to the Veterans Small Business Verification Act. The report is being released today as a separate product. To conduct this work, we reviewed prior findings from GAO audits and investigations of the SDVOSB program. We reviewed applicable guidance on internal control standards from GAO’s Standards for Internal Control in the Federal Government, the fraud prevention framework, VA’s Office of Inspector General (OIG) report, and VA’s Verification Process Guidelines and internal control policies. We also interviewed VA officials and reviewed related documents. In addition, we conducted undercover tests to assess initial screening controls of an individual’s service-disabled veteran status within VA’s verification process. The undercover tests were limited in scope to providing a fictitious firm controlled by an individual whose Social Security number was not listed as a service-disabled veteran in VA’s database of service-disabled veterans. Our assessment is part of an ongoing review of fraud prevention controls for the entire SDVOSB program. This testimony focuses on the design of VA’s SDVOSB verification controls within its Center for Veterans Enterprise (CVE) office. With the exception of undercover tests to assess initial screening controls, we did not test the effectiveness of VA’s fraud prevention controls or attempt to project the extent of fraud and abuse. Additional information on our scope and methodology is available in the issued report.
We conducted the work related to the report from July 2011 to October 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We performed our investigative work, limited to our undercover tests, in accordance with the standards prescribed by the Council of the Inspectors General on Integrity and Efficiency.
VA’s fraud prevention controls for the SDVOSB program within VA have improved since the Veterans Small Business Verification Act was enacted. Specifically, VA has made progress in implementing an enhanced initial SDVOSB verification process that reduces the risk that ineligible firms will receive VA contracts. However, further enhancements could do more to reduce the program’s vulnerability. Improvements in the areas of preventive controls, detection and monitoring, and investigations and prosecutions could be made within VA’s VetBiz verification process. With a comprehensive framework in place, VA can be more confident that the billions of dollars meant to provide VA contracting opportunities to our nation’s service-disabled veteran entrepreneurs make it to the intended beneficiaries. In an effort to improve controls, in our report, we made recommendations to improve fraud prevention controls in the areas of prevention, detection and monitoring, and investigations and prosecutions. VA generally agreed with the recommendations.
VA’s SDVOSB Program Controls Have Improved, but Vulnerabilities Remain
VA’s fraud prevention controls for the SDVOSB program have improved since the Veterans Small Business Verification Act was enacted, but additional enhancements would further reduce the vulnerabilities we identified in the areas of preventive controls, monitoring and detection, and investigations and prosecutions. These are also the components of GAO’s fraud prevention framework (see fig. 1). First, preventive controls are an effective and efficient way of preventing ineligible firms from being verified. Second, active and continual monitoring of verified SDVOSB firms is necessary to detect any changes in their status that may affect eligibility. Third, investigations and prosecution is a strong deterrent for those considering misrepresenting their SDVOSB status.
Figure 1: GAO’s Fraud Prevention Framework
Additional Improvements to Preventive Controls Are Needed
VA has enhanced deterrents to ineligible firms becoming verified through VetBiz. As of April 2011, VA had established verification guidelines, including a requirement to search the exact names of company principals in the Excluded Parties List System, and developed a risk assessment model to examine applications. VA also updated its data systems to limit manual data entries. Its process of verifying service-disabled veteran status allowed VA to prevent two fictitious ineligible SDVOSB applications submitted by GAO from being verified. Specifically, we submitted two fictitious companies for verification, listing the names and Social Security numbers of the majority owners who were not service-disabled veterans. VA’s controls appropriately identified that our company owners were not service-disabled veterans and rejected our applications. VA also hired additional CVE staff to conduct initial file reviews and site visits. Additionally, VA has conducted announced site visits at high-risk firms before they receive VetBiz approval. Finally, VA created a quality review team to inspect a subset of initial file examination decisions. VA’s enhanced deterrents under new guidelines have resulted in VA’s denial of verification to over 1,800 firms under the new verification guidelines, according to VA.
Even with these enhanced deterrents, program weakness and vulnerabilities remain within VA’s SDVOSB program. During our interviews with CVE officials, we found that CVE had not performed a systematic assessment of the qualifications of its staff. In addition, CVE staff and contracting officials had not received fraud awareness training. VA also did not have formal processes or procedures for considering all SBA status protest decisions related to an applicant, and was not validating applicants’ self-reported information. VA also did not have a formal process for selecting high-risk companies for unannounced site visits or using information from previously denied SDVOSB applications to prevent individuals and fraudulent companies from repeated attempts at breaching VA controls. Additionally, we found that VA was not requesting that denied companies reassess their self-certified SDVOSB status in CCR. By addressing the identified vulnerabilities, VA could further improve its fraud prevention controls.
Additional Improvements to Detection and Monitoring Controls Are Needed
VA has developed some controls that may help identify firms in the VetBiz-verified database that do not meet SDVOSB eligibility requirements, such as a reverification initiative designed to review previously verified SDVOSB firms under new controls. VA has also developed a process for interested parties to protest a firm’s status, and instituted random announced site visits of verified SDVOSB firms. However, even with enhanced controls, certain weaknesses and vulnerabilities remain because of VA’s focus on initial eligibility verification. For example, VA does not monitor firms’ continued compliance with North American Industry Classification System size standards, nor does it have contact with contracting officials to determine whether the required percentage of work on SDVOSB contracts has been performed. VA also does not systematically data mine existing contract awards for review and further inspection. VA also does not have a formal process for selecting companies for unannounced site visits to contract performance locations and does not have a formal process for interviewing contracting officials. Finally, VA has not formalized its quality assurance process for selecting verified companies for unannounced site visits to determine if the verification process is effective. Further improvements in these areas would increase the design of detection and monitoring controls within the verification process.
Additional Improvements to Investigations and Prosecutions Are Needed
VA has taken some actions to debar firms violating SDVOSB program requirements. VA may debar an ineligible firm in accordance with the Veterans Benefits, Health Care, and Information Technology Act of 2006, which requires that any business determined to have misrepresented its status as an SDVOSB shall be debarred from contracting for a reasonable period of time, as determined by VA. VA instituted a debarment committee in September 2010 specifically to debar firms violating SDVOSB regulations. As of October 2011, the committee had debarred one SDVOSB firm and related individuals that had misrepresented their status as an SDVOSB. Several other debarment actions are currently pending or are being litigated. Additionally, CVE officials have sent about 70 referrals to the VA OIG for potential fraudulent actions by firms receiving SDVOSB contracts. VA OIG is currently investigating these cases.
We identified certain weaknesses and vulnerabilities in the investigation and prosecution controls during our site visits. The debarment of only one firm and related individuals suggests that there is room for additional action given the 1,800 firms rejected by VA during its verification process and the 70 firms referred to VA OIG for potentially fraudulent actions. Additionally, VA does not have specific procedures for CVE staff to refer companies to the debarment committee or VA OIG, and has no specific guidelines documenting how VA is implementing debarments or outlining the debarment committee’s decision process. Providing more emphasis on debarments and investigations could further help VA deter firms from attempting to fraudulently gain access to its SDVOSB program.
In conclusion, VA has made progress in implementing a valid verification program to deter ineligible firms from becoming verified and receiving SDVOSB contracts. However, additional improvements can be made, particularly in monitoring and detection and investigations and prosecutions. Specifically, developing a robust unannounced site visit process for verified firms and aggressively pursuing debarments and prosecutions of firms found to have violated program rules will further enhance fraud prevention controls. With a comprehensive framework in place, VA can be more confident that the billions of dollars meant to provide VA contracting opportunities to our nation’s service-disabled veteran entrepreneurs make it to the intended beneficiaries.
To minimize the risk of fraud and abuse within VA’s SDVOSB program, in the report released today, we recommended that the Secretary of Veterans Affairs take 13 actions in the following three areas:
- Improve VA’s preventive controls to provide reasonable assurance that only eligible firms gain access to the VetBiz database.
- Strengthen VA’s detection and monitoring controls over verified firms.
- Strengthen VA’s investigative and prosecutorial actions for firms violating SDVOSB program laws and regulations.
VA generally concurred with our recommendations and noted a number of significant actions planned or taken since the time of our site visits and development of our findings, which, according to VA, address many of the identified vulnerabilities.
According to VA officials, VA has recently made improvements of its preventive controls. For example, VA officials stated that CVE staff and most contractors assisting with the application evaluation are now required to receive Certified Fraud Examiner training, and additional VetBiz training has been provided to contracting officials. VA officials also stated VA has recently strengthened the agency’s monitoring and detection of verified SDVOSB firms. Specifically, VA officials stated that VA conducts unannounced visits to verified companies either randomly or during the course of a high-risk SDVOSB reverification assessment. Finally, VA officials stated that VA recently strengthened the investigative and prosecutorial actions by creating guidelines for referring firms to VA OIG and the debarment committee. We plan to follow up on actions taken by VA as part of our ongoing work and will report back to the subcommittees on our findings.
Chairmen Stutzman and Johnson, Ranking Members Braley and Donnelly, and Members of the Subcommittees, this completes my prepared statement. I would be pleased to answer any questions that you may have at this time.
If you or your staff have any questions about this testimony, please contact Gregory D. Kutz at (202) 512-6722 or firstname.lastname@example.org. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement.
Related GAO Products
Service-Disabled Veteran-Owned Small Business Program: Additional Improvements to Fraud Prevention Controls Are Needed. GAO‑12‑152R. Washington, D.C.: October 26, 2011.
Service-Disabled Veteran-Owned Small Business Program: Preliminary Information on Actions Taken by Agencies to Address Fraud and Abuse and Remaining Vulnerabilities. GAO‑11‑589T. Washington, D.C.: July 28, 2011.
Department of Veterans Affairs: Agency Has Exceeded Contracting Goals for Veteran-Owned Small Businesses, but It Faces Challenges with Its Verification Program. GAO‑10‑458. Washington, D.C.: May 28, 2010.
Service-Disabled Veteran-Owned Small Business Program: Fraud Prevention Controls Needed to Improve Program Integrity. GAO‑10‑740T. Washington, D.C.: May 24, 2010.
Service-Disabled Veteran-Owned Small Business Program: Case Studies Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of Dollars in Contracts. GAO‑10‑306T. Washington, D.C.: December 16, 2009.
Service-Disabled Veteran-Owned Small Business Program: Case Studies Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of Dollars in Contracts. GAO‑10‑255T. Washington, D.C.: November 19, 2009.
Service-Disabled Veteran-Owned Small Business Program: Case Studies Show Fraud and Abuse Allowed Ineligible Firms to Obtain Millions of Dollars in Contracts. GAO‑10‑108. Washington, D.C.: October 23, 2009.
 GAO, Service-Disabled Veteran-Owned Small Business Program: Additional Improvements to Fraud Prevention Controls Are Needed, GAO‑12‑152R (Washington D.C.: Oct. 26, 2011).
 CCR is the primary contractor registrant database for the U.S. federal government. CCR collects, validates, stores, and disseminates data in support of agency acquisition missions.
 See the list of related GAO products at the end of this testimony.
 The act requires VA to institute controls over its SDVOSB contracts. The requirement to maintain a database of VA-verified SDVOSBs and Veteran-Owned Small Businesses (VOSB) became effective June 2007. The act also requires that VA only use its set-aside and sole-source award authority for SDVOSB firms listed in the database and to debar for a reasonable period of time, as determined by VA, firms that misrepresent SDVOSB and VOSB status. Pub. L. No. 109-461, § 502, 120 Stat. 3403, 3431 - 3435 (2006).
 Veterans Small Business Verification Act, Pub. L. No. 111-275, § 104, 124 Stat. 2864, 2867 – 2868 (2010).
 Small Business Jobs Act of 2010, Pub. L. No. 111-240, § 1341, 124 Stat. 2504, 2543 - 2544 (2010).
 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD‑00‑21.3.1 (Washington, D.C.: November 1999).
 GAO, Service-Disabled Veteran-Owned Small Business Program: Fraud Prevention Controls Needed to Improve Program Integrity, GAO‑10‑740T (Washington, D.C.: May 24, 2010).
 VA OIG, Office of Audit and Evaluations, Department of Veteran Affairs: Audit of Veteran-Owned and Service-Disabled Veteran-Owned Small Business Programs, 10-02436-234 (July 25, 2011).