Page:M-21-19 Memorandum for Heads of Executive Departments and Agencies.pdf/16

 #whether the program reviewed is new to the agency;
 * 1) the complexity of the program reviewed;
 * 2) the volume of payments made through the program reviewed;
 * 3) whether payments or payment eligibility decisions are made outside of the agency, such as by a State or local government;
 * 4) recent major changes in program funding, authorities, practices, or procedures;
 * 5) the level, experience, and quality of training for personnel responsible for making program eligibility determinations or certifying that payments are accurate;
 * 6) significant deficiencies in the audit report or other relevant management findings of the agency that might hinder accurate payment certification;
 * 7) similarities (a combination of outlays, mission, payment process, etc.) to other programs that have reported IP and UP estimates or been deemed susceptible to significant IPs;
 * 8) the accuracy and reliability of IP and UP estimates previously reported for the program, or other indicator of potential susceptibility to IPs and UPs identified by the OIG of the executive agency, the Government Accountability Office, other audits performed by or on behalf of the Federal, State, or local government, disclosures by the executive agency, or any other means;
 * 9) whether the program lacks information or data systems to confirm eligibility or provide for other payment integrity needs; and
 * 10) the risk of fraud as assessed by the agency under the Standards for Internal Control in the Federal Government published by the Government Accountability Office (commonly known as the ‘Green Book’).

The risk factors above are provided as examples only, it is the agency’s responsibility to determine the risk factors and the associated scoring or risk factor weighting methodology that should be considered for each individual program and risk.

2. Programs with annual outlays above $10,000,000, must conduct an IP risk assessment at least once every three years UNLESS the program moves to Phase 2 and is reporting IPs plus UPs above the statutory threshold. A program should not operate in both Phases at once, meaning, if a program is operating in Phase 2, and reporting an annual IP estimate, the program should not also be spending resources to conduct an IP risk assessment during that same year. To the extent possible, data used for conducting an IP risk assessment in a given program should coincide with the FY being reported (for example, the IP risk assessment reported in the FY 2021 Annual Data Call would be based on data from FY 2021 (October 2020 through September 2021).

a) Conducting an off-cycle IP risk assessment If a program that is on a three-year IP risk assessment cycle experiences a significant change in legislation and/or a significant increase in its funding level, agencies may need to reassess the program’s risk susceptibility during the next annual cycle, even if it is less than three years from the last IP risk assessment. Examples of events that may trigger an off-cycle risk assessment include but are not limited to, national disasters, national emergencies, or a change to program structure that increases payment integrity risk. The agency will determine whether the factor is significant enough to cause the program to become likely to make IPs and UPs that would collectively be above the statutory threshold. Rh