SMALL BUSINESS ADMINISTRATION
Opportunities to Improve Management of Fraud Risks, Improper Payments, and Contracting Programs
Statement of Courtney LaFountain, Acting Director, Financial Markets and Community Investment
Before the Committee on Small Business & Entrepreneurship, U.S. Senate
For Release on Delivery Expected at 2:30 p.m. ET
United States Government Accountability Office
A testimony before the Committee on Small Business and Entrepreneurship, U.S. Senate
For more information, contact: Courtney LaFountain, lafountainc@gao.gov
What GAO Found
Since June 2020, GAO has made dozens of recommendations to help the Small Business Administration (SBA) better manage fraud risks, improve its estimates of improper payments, and oversee its contracting programs. This testimony discusses SBA’s efforts to address 42 of these, of which SBA has implemented 17.
· Fraud risks. GAO has found that some SBA programs—particularly its COVID-19 pandemic relief programs—have been susceptible to fraud. SBA established these programs quickly to respond to the adverse economic conditions small businesses faced, but the speed of implementation came at the expense of appropriate safeguards. SBA has implemented most GAO recommendations in this area—for example, by implementing oversight plans, conducting fraud risk assessments, and developing a fraud strategy. GAO has estimated that the additional controls SBA put in place for its pandemic-relief programs collectively had saved the government more than $30 billion as of the end of fiscal year 2025.
However, it is imperative for SBA to advance its fraud prevention and detection efforts, such as by expanding use of data analytics and improving its process for referring potential fraud to SBA’s Office of Inspector General. Furthermore, examining fraudsters and fraud schemes that emerged during the pandemic can help agencies identify fraud mitigation controls that can be implemented both in emergency environments and during normal operations.
· Improper payments. GAO has also previously identified problems related to SBA’s estimates of improper payments, particularly for its pandemic relief programs. An improper payment occurs when a payment should not have been made or was made in the incorrect amount. SBA has implemented one GAO recommendation in this area but has not implemented three others. These include expanding and documenting its overpayment review procedures and expanding its overpayment tracking process. Developing reliable improper payment estimates is essential for understanding and addressing financial vulnerabilities in SBA’s programs in a timely manner.
· Contracting assistance programs. SBA has addressed several GAO recommendations related to oversight of its contracting programs, including the 8(a) Business Development Program. For example, the agency has improved its documentation of compliance reviews of small business subcontracting plans. However, SBA has not addressed 14 recommendations intended to address critical risk management and cybersecurity issues associated with its small business certification platform.
In addition, SBA’s independent financial statement auditor issued a disclaimer of opinion on SBA’s fiscal year 2024 financial statements. The auditor reported material weaknesses in SBA’s controls over pandemic relief programs for the fifth consecutive year. For example, the auditor found that SBA did not sufficiently design the review process for Paycheck Protection Program (PPP) loan forgiveness. GAO supports the auditor’s recommendations to address these weaknesses and urges SBA to work toward obtaining a clean financial statement audit opinion.
Why GAO Did This Study
Since spring 2020, SBA has made or guaranteed more than $1 trillion in loans and grants and assisted more than 10 million small businesses adversely affected by the COVID-19 pandemic, primarily through PPP and the COVID-19 Economic Injury Disaster Loan program. SBA also continued to support small businesses through its contracting assistance and small business research programs.
This testimony discusses the status of selected GAO recommendations to SBA related to fraud risks, improper payments, and contracting assistance programs, as well as issues related to SBA’s financial statements.
This testimony is based on prior GAO reports issued from June 2020 through March 2025 that assessed SBA’s implementation of four pandemic relief programs, SBA improper payments, financial statements, and contracting assistance programs. Details on GAO’s methodology can be found in the individual reports cited.
Chair Ernst, Ranking Member Markey, and Members of the Committee:
Thank you for the opportunity to discuss the status of selected recommendations we have made to the Small Business Administration (SBA) and issues related to its financial accounting.
Since spring 2020, SBA has done much to help small businesses adversely affected by the COVID-19 pandemic. SBA made or guaranteed more than $1 trillion in loans and grants and assisted more than 10 million small businesses, primarily through the Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) program. SBA also continued to operate programs supporting federal contracting opportunities for small businesses and overseeing agencies’ small business research programs.
Although these efforts helped millions of small businesses, we have identified significant program integrity risks, potential for fraud, and the need for improved management and oversight of SBA’s pandemic relief programs. Our concerns about SBA’s implementation of PPP and COVID-19 EIDL led us to include emergency loans for small businesses on our High-Risk List in March 2021.[1]
Beyond financial impacts, fraud erodes public trust in government and hinders agencies’ efforts to execute their missions and program objectives effectively and efficiently. Investigations, prosecutions, and efforts to recover fraudulently disbursed funds are ongoing. Congress has passed legislation to extend the statute of limitations for fraud for some pandemic-relief programs, which will give law enforcement, investigators, and prosecutors more time to uncover potential fraud and to develop cases.
Furthermore, by examining fraudsters and fraud schemes that emerged during the pandemic, agencies can identify fraud mitigation controls that can be implemented both in emergency environments and during normal operations.
We have also issued reports citing concerns about improper payments and weaknesses in the management of some SBA contracting programs, such as the 8(a) Business Development Program.
In this statement, I will discuss (1) the status of selected fraud-related recommendations for SBA programs, including pandemic relief programs; (2) concerns identified by SBA’s independent financial statement auditor; (3) SBA’s actions to address improper payments; and (4) SBA’s management of its contracting programs.
For this statement, we relied primarily on our body of work issued from June 2020 through March 2025 on SBA’s implementation of four pandemic relief programs.[2] For those reports, we reviewed SBA documentation and analyzed program data. We interviewed officials from SBA and other federal agencies, such as the Department of the Treasury. We also reviewed our recent work on SBA’s improper payments and the opinions of SBA’s independent financial statement auditor.[3] More detailed information on our scope and methodology can be found in the individual reports we cite.
We conducted the work on which this statement is based in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
SBA’s Pandemic Relief Programs
Paycheck Protection Program. Congress established PPP in the CARES Act to help small businesses affected by the COVID-19 pandemic.[4] In total, Congress provided approximately $814 billion in commitment authority.[5] PPP loans were made by lenders and guaranteed 100 percent by SBA. The loans carried a 1 percent interest rate and were fully forgivable if certain conditions were met—for example, at least 60 percent of the loan forgiveness amount had to be for payroll expenses to qualify for full loan forgiveness.
According to SBA, as of May 31, 2021 (when SBA stopped accepting new applications), lenders had made about 11.8 million PPP loans totaling about $800 billion.[6]
COVID-19 Economic Injury Disaster Loan Program. Congress temporarily expanded eligibility for SBA’s EIDL program, which provides low-interest loans of up to $2 million for expenses that cannot be met because of a disaster. Congress also created emergency EIDL advances, a new program component.[7] In total, Congress appropriated $50 billion in loan credit subsidies for the cost of COVID-19 EIDL loans and $55 billion for advances.[8] The $50 billion in credit subsidies would enable SBA to provide about $470 billion in COVID-19 EIDL loans.[9]
As of April 2022, SBA had approved about 3.9 million loans totaling about $378 billion. SBA also approved about 6.8 million advances totaling about $27.5 billion.
Restaurant Revitalization Fund. The Restaurant Revitalization Fund provided awards (which did not need to be repaid) to assist small businesses in the food service industry affected by the pandemic.[10] Recipients could use the awards for eligible expenses such as payroll, business debt, maintenance, or construction of outdoor seating. The program accepted applications from May 3, 2021, through June 30, 2021.
As of June 30, 2021, the Restaurant Revitalization Fund had provided $28.6 billion in awards to assist about 101,000 small businesses.
Shuttered Venue Operators Grants. The Shuttered Venue Operators Grant program provided grants to small businesses in the live performing arts and entertainment sectors affected by the pandemic.[11] Recipients could use the funds for eligible expenses such as payroll, rent or mortgage payments, and utilities. This program accepted applications from April 26, 2021, through August 20, 2021.[12]
As of July 5, 2022, Shuttered Venue Operators Grants had provided about $14.6 billion in grants to about 23,000 small businesses.
Fraud Risk Management
The objective of fraud risk management is to ensure program integrity by continuously and strategically mitigating both the likelihood and effects of fraud, while also facilitating a program’s mission. The Fraud Risk Framework provides a comprehensive set of leading practices that serve as a guide for agency managers to use when developing efforts to combat fraud in a strategic, risk-based manner.[13] The framework organizes the leading practices within four components: (1) Commit, (2) Assess, (3) Design and Implement, and (4) Evaluate and Adapt.
In June 2016, the Fraud Reduction and Data Analytics Act of 2015 required the Office of Management and Budget (OMB) to establish guidelines for federal agencies to create controls to identify and assess fraud risks to design and implement antifraud control activities. The act further required OMB to incorporate the leading practices from the Fraud Risk Framework in the guidelines.[14] The Payment Integrity Information Act of 2019 repealed the Fraud Reduction and Data Analytics Act but maintained the requirement for OMB to provide guidelines to agencies in implementing the Fraud Risk Framework.[15]
In its 2016 Circular No. A-123 guidelines, OMB directed agencies to adhere to the Fraud Risk Framework’s leading practices.[16] In October 2022, OMB issued a Controller Alert reminding agencies that they must establish financial and administrative controls to identify and assess fraud risks.[17] In addition, the alert reminded agencies that they should adhere to the leading practices in the Fraud Risk Framework as part of their efforts to effectively design, implement, and operate an internal control system that addresses fraud risks.
Small Business Innovation Research and Small Business Technology Transfer Programs
The Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs were established to enable federal agencies to support research and development (R&D) projects carried out by small businesses.[18] Under the Small Business Act, federal agencies with an extramural budget for R&D exceeding $100 million are required to participate in the SBIR program. Those with such obligations of $1 billion or more are required to participate in the STTR program.[19] According to SBA, which oversees the programs, 11 federal agencies and their components participate in SBIR or in both programs.
Since the inception of the programs, federal agencies have invested over $68 billion in SBIR/STTR awards for R&D and to commercialize technologies.[20]
Payment Integrity Information Act of 2019
The Payment Integrity Information Act of 2019 requires agencies to manage improper payments by identifying risks, taking corrective actions, and estimating and reporting on improper payments in programs they administer. The act also requires each agency’s inspector general to issue an annual report on compliance with applicable criteria from the act.
8(a) Business Development Program
The 8(a) Business Development Program supports small businesses owned and controlled by socially and economically disadvantaged individuals and entities. It is SBA’s largest program to support contracting. The program generally provides up to 9 years of developmental support, such as business counseling and mentoring, contracting guidance, and access to capital and surety bond guarantees.[21] The program also sets aside federal contracting opportunities for participants.
SBA Has Taken Steps to Address Fraud Risk in Some Programs, but Additional Work Remains
We have previously found that some SBA programs—particularly its pandemic relief programs—have been susceptible to fraud risks.[22] SBA established PPP and COVID-19 EIDL quickly to respond to the adverse economic conditions small businesses faced. However, the speed of implementation came at the expense of appropriate financial and other safeguards, which left the programs susceptible to fraud.[23]
As the programs matured and SBA implemented our recommendations, SBA improved its oversight and incorporated lessons learned from PPP and COVID-19 EIDL into its other relief programs, the Restaurant Revitalization Fund and Shuttered Venue Operators Grants.
SBA still has opportunities to advance its fraud prevention and detection efforts, such as by expanding use of data analytics and providing guidance to agencies participating in certain programs. Addressing material weaknesses in internal controls reported by its financial statement auditor could also help prevent fraud in SBA’s programs.
SBA Has Implemented Most of Our Pandemic-Related Fraud Risk Recommendations
We have made a number of recommendations to SBA to improve oversight and fraud risk management of its pandemic programs, including 13 detailed below.[24] SBA has implemented nine of these recommendations. However, it is still in the process of implementing four others, which are related to responding to potentially fraudulent or ineligible awards, enhancing the use of data analytics to prevent and detect fraud, and improving its process for referring potential fraud cases to SBA’s Office of the Inspector General (OIG).
Incorporating oversight plans—implemented. SBA officials said they initially put limited safeguards in place when launching PPP to expedite the loan approval process. This was consistent with a mandate from Congress, reinforced by Treasury, to provide rapid support for small businesses. In June 2020, we found that SBA had not provided details on how it would review loans of more than $2 million and did not have plans for reviewing loans of less than $2 million.[25] We therefore recommended that SBA develop and implement plans to identify and respond to PPP risks to help ensure program integrity, achieve program effectiveness, and address potential fraud.
Consistent with our recommendation, in December 2020, SBA implemented an oversight plan with multiple layers of review. It also hired a contractor with expertise in fraud detection to help conduct these reviews. SBA incorporated controls from this plan when it launched the Restaurant Revitalization Fund and Shuttered Venue Operators Grant programs.
Similarly, because SBA did not have a plan for responding to COVID-19 EIDL risks, we recommended in March 2021 that SBA implement a comprehensive oversight plan for that program to help ensure program integrity, achieve program effectiveness, and address potential fraud.[26] In August 2022, SBA provided an oversight plan describing controls it had implemented or planned to implement for COVID-19 EIDL loans.
We estimated that SBA’s additional controls it put in place for its pandemic-relief programs collectively had saved the government more than $30 billion as of the end of fiscal year 2025.
Assessing fraud risks—implemented. Conducting a fraud risk assessment is a leading practice in strategically managing fraud risks.[27] Such assessments can, for example, help program officials determine whether certain controls are effectively designed and implemented to reduce the likelihood or impact of a fraud risk to a tolerable level. They also can help agencies prioritize risks and allocate resources. Because SBA moved quickly to establish PPP and COVID-19 EIDL, it did not conduct formal risk assessments for either program. Accordingly, in March 2021, we made two recommendations that SBA conduct a comprehensive fraud risk assessment for each program.[28]
In response, SBA hired a contractor in October 2021 to conduct these assessments. The contractor found that SBA had implemented additional fraud prevention controls since the start of the programs. These controls included cross-referencing applicant information with Treasury’s Do Not Pay list and introducing a set of automated screening rules.[29] However, the assessment also noted that the programs remained susceptible to fraud risks that required further enhancements to the current mitigation strategies. The contractor identified 25 active fraud risks in PPP and 21 in COVID-19 EIDL. It made four recommendations to help SBA establish a fraud governance process and inform its fraud tolerance approach.
In addition, we reported in March 2021 that SBA had not designated a dedicated entity to lead fraud risk management activities, which contributed to the lack of a timely fraud risk assessment of the programs.[30] In February 2022, SBA designated such an entity, which is responsible for the oversight and coordination of SBA’s fraud risk prevention, detection, and response activities.
SBA has since made some changes to its fraud governance structure. According to SBA, the agency created an Office of Enterprise Integrity in January 2024, led by its Chief Risk Officer, that is responsible for overseeing SBA’s enterprise risk management and fraud risk management functions. The Chief Risk Officer is responsible for ensuring that risk management activities across SBA are coordinated, internal controls are designed and implemented to ensure accuracy in SBA’s financial reporting, and SBA is complying with laws and regulations.
Developing a strategy for managing fraud risks—implemented. In March 2021, we recommended that, once SBA had completed a comprehensive fraud risk assessment for PPP and COVID-19 EIDL, it should also document an antifraud strategy for each program.[31]
As discussed in our Fraud Risk Framework, an antifraud strategy describes the agency’s approach for addressing the prioritized fraud risks identified during a fraud risk assessment.[32] The antifraud strategy describes how the agency will prevent, detect, and respond to fraud, as well as monitor risks. Without an antifraud strategy based on the results of a fraud risk assessment, SBA was not positioned to ensure that it was strategically addressing the most significant fraud risks in either program.
In August 2023, SBA finalized a fraud risk management strategy that identified approaches to prevent, detect, and respond to instances of active and potential fraud in PPP and COVID-19 EIDL. For example, the strategy described data analytic methods for reviewing the PPP loan portfolio to manage fraud risks by reducing false positives, prioritizing identified fraud typologies and behaviors, and uncovering areas of fraud risk not previously identified. For COVID-19 EIDL, the strategy described SBA’s efforts to use advanced data analytics, machine learning technologies, and cross-program data analytics to screen for potential fraud and ineligibility.
Analyzing portfolio-level data—implemented. We recommended in January 2021 that SBA develop and implement portfolio-level data analytics across COVID-19 EIDL program loans and advances to detect potentially ineligible and fraudulent applications.[33] SBA fully implemented this recommendation by developing and implementing data analytics. For example, SBA identified applications submitted with foreign telephone area codes, which is an indicator of ineligibility.
In addition, in July 2022, we found that SBA had not proactively used data analytics or information from enforcement entities to identify potentially fraudulent Restaurant Revitalization Fund award recipients.[34] Therefore, we recommended that SBA develop and implement data analytics across these awards. SBA has fully addressed this recommendation. Specifically, it conducted data analytics for the program that included cross-checking recipient identifiers (such as address and tax identification number) against recipients flagged for fraud or identity theft.
Using enforcement data—implemented. We recommended in July 2022 that SBA develop, document, and implement procedures to use enforcement data on suspected fraud in other SBA programs, such as PPP, to identify potential fraud by Restaurant Revitalization Fund recipients.[35] SBA has fully addressed this recommendation. In April 2024, SBA provided us with documentation demonstrating that it uses enforcement data from a variety of sources—including the Department of Justice and SBA’s OIG—to flag potentially fraudulent awards. In addition, SBA ran monthly cross-program analysis to identify all Restaurant Revitalization Fund awards associated with PPP loans that had been flagged because of enforcement activity.
Developing a plan to respond to improper awards—not implemented. In July 2022, we recommended that SBA develop and implement a plan to respond to potentially fraudulent and ineligible Restaurant Revitalization Fund awards in a prompt and consistent manner.[36] SBA disagreed with this recommendation, stating that its planned efforts were sufficient. However, in April 2024, SBA officials said they had prioritized reviewing flagged Restaurant Revitalization Fund awards and had conducted initial reviews of all flagged awards for which recipients had submitted post-award reports. This recommendation will remain unaddressed until SBA provides us with documentation of its procedures for prioritizing flagged awards and evidence of implementing these procedures.
Identifying fraud across multiple programs—not implemented. We found in May 2023 that SBA had used data analytics to facilitate fraud detection for PPP and COVID-19 EIDL.[37] However, it had not fully leveraged information to help prevent fraud and identify applicants who tried to defraud multiple programs. We therefore recommended that SBA (1) develop and use mechanisms to facilitate cross-program data analytics and (2) identify external data sources that can facilitate the verification of applicant information and the detection of potential fraud across its programs. SBA agreed with these two recommendations.
As of November 2024, SBA’s Fraud Risk Management Board—which oversees and coordinates SBA’s fraud risk prevention, detection, and response activities—continued to work on policies related to program office actions for cross-program analysis results, management of inventory, and parameters of operation. One SBA office began performing cross-program data analytics using taxpayer identification numbers for new loan approvals. In addition, SBA reported that it has engaged with other federal agencies regarding data sharing to improve its fraud risk management capabilities. We will continue to monitor SBA's progress in this area, and we have ongoing work examining data sharing efforts between the Internal Revenue Service and SBA.
Improving fraud referrals to SBA’s OIG—not implemented. SBA developed and implemented oversight plans for PPP and COVID-19 EIDL that include automated and manual reviews to help identify and refer potentially fraudulent loans and advances to the SBA OIG. This four-step approach involves (1) initial automated screening that compares each file with several public- and private-sector databases, (2) data analytics to examine anomalies, (3) human-led review of files not cleared through data analytics, and (4) referral of files identified as likely fraudulent to the OIG.
Our March 2025 review found a weakness in step four—SBA’s process for referring cases of likely fraud to its OIG.[38] We recommended that SBA develop a plan for referring potential or likely fraud for the COVID-19 EIDL program. SBA agreed with the recommendation and noted that it has worked with the OIG to put an effective process in place. We will review the evidence of this process once SBA provides it and will continue to monitor SBA's efforts in this area.
SBA Can Take Steps to Manage Fraud Risks in Small Business Research Programs
We reported on fraud risks for the SBIR/STTR programs in September 2024 and found control vulnerabilities and fraud risks with a range of financial and other impacts.[39] We consequently made four recommendations to SBA to address these concerns, none of which have yet been implemented.
Identifying, sharing, and reporting fraud-related convictions—not implemented. SBA uses several tools—including its monthly program manager meetings, annual survey to participating agencies, and listing of fraud convictions and civil liabilities on SBIR.gov—to monitor and support agencies’ fraud, waste, and abuse prevention efforts.[40] However, we identified opportunities for SBA to better leverage these tools. We made two recommendations that SBA expand it methods and sources to identify, share, and report fraud-related convictions and its findings on SBIR.gov. SBA agreed with the recommendations. In March 2025, SBA officials told us that SBA would continue to report final adjudicated fraud-related settlements, convictions, and findings of civil liability on SBIR.gov. SBA also planned to add related information to its program guidance. We will continue to monitor the status of SBA’s updates to its guidance.
Providing guidance on risk assessments—not implemented. Most of the agencies that participate in SBIR/STTR had not conducted fraud risk assessments in alignment with our leading practices. Some of those agencies identified lack of guidance, training, and resources as related challenges with respect to conducting program-specific fraud assessments. We therefore made two recommendations in September 2024 that SBA provide guidance to participating agencies to conduct comprehensive SBIR/STTR program fraud risk assessments that include all key elements.[41] SBA agreed and said it would provide training to program managers and reinforce the information in its program guidance. SBA told us in August 2025 that it had provided the training to program managers. We will continue to monitor the status of SBA’s updates to its guidance.
SBA’s Financial Statement Auditor Has Raised Concerns
In November 2024, SBA’s independent financial statement auditor issued a disclaimer of opinion on SBA’s fiscal year 2024 financial statements.[42] The financial statement auditor reported that material weaknesses existed in SBA’s controls over its pandemic relief programs that contributed to SBA’s inability to support a significant number of transactions and account balances related to these programs. For example, the auditor found that SBA had not sufficiently designed the review process for PPP loan forgiveness. SBA also had not adequately designed and implemented controls to ensure that COVID-19 EIDL loans were issued to eligible borrowers and were accurately recorded.
The auditor also identified concerns about SBA’s controls beyond its pandemic relief programs. For example, the auditor found weaknesses that limited SBA’s ability to effectively manage its information system risks. Collectively, these deficiencies increased the risk of unauthorized use, modification, or destruction of financial data.
According to SBA, it has made efforts to strengthen internal controls. In January 2025, SBA finalized a remediation strategy for its financial statement audit. Among other things, the strategy identifies the highest priority target areas, remediation steps, and target dates to complete those steps.
In September 2025, the SBA OIG reviewed SBA’s new strategy.[43] It found that some elements would substantially address related audit recommendations but that the strategy did not fully prioritize other material weaknesses, such as those related to certain pandemic relief programs. For example, SBA’s OIG reported that SBA had not developed a plan to perform a comprehensive review of all COVID-19 EIDL transactions flagged for eligibility concern. SBA also had not prioritized addressing the auditor’s recommendations related to the material weaknesses for the other pandemic-relief programs. According to SBA’s OIG, although SBA acknowledged the importance of its pandemic relief programs, SBA’s strategy instead concentrated resources on other areas. The OIG made four recommendations to enhance the strategy’s implementation.
We support the recommendations the financial statement auditor provided to address control weaknesses related to SBA’s pandemic relief programs, as well as the OIG’s recommendations to enhance SBA’s financial audit remediation strategy. We encourage SBA to address these recommendations and continue to work toward obtaining a clean financial statement audit opinion.
SBA Has Taken Some Steps to Manage Improper Payments, but Additional Work Remains
An improper payment occurs when a payment should not have been made or was made in the incorrect amount.[44] These payments can stem from various causes, including fraud. Developing reliable improper payment estimates is essential for understanding and addressing financial vulnerabilities.
SBA Reported Improper Payment Estimates, but Work Remains on Overpayments
We have previously identified problems related to SBA’s estimates of improper payments, particularly for its pandemic relief programs. Accordingly, we made four recommendations to address these concerns, one of which has been implemented and three of which have not.
Estimating improper payments in pandemic relief programs—implemented. In November 2020, we reported that the lack of initial safeguards for PPP contributed to the increased risk of improper payments.[45] Because of concerns about the timely reporting of improper payments, we recommended that SBA expeditiously estimate improper payments and report estimates and error rates for PPP. In response to our recommendation, SBA began reporting an estimated improper payment rate and amount for PPP in its fiscal year 2022 agency financial report.
SBA has continued reporting these estimates, but some of the estimates remain high. For example, in March 2025, we reported that SBA’s estimated improper payment rates in fiscal year 2024 for three pandemic relief programs—the Restaurant Revitalization Fund, PPP Loan Forgiveness, and PPP Loan Guaranty Purchases—were at least 24 percent.[46]
Documenting and tracking overpayment reviews—not implemented. In November 2024, we reported on SBA’s efforts to identify and recover overpayments in PPP and COVID-19 EIDL.[47] We found that SBA’s loan review processes for these programs were not effectively identifying overpayments, and that SBA did not have sufficient processes to track identified overpayments and subsequent recoveries. We made three recommendations to SBA, including that it expand and document overpayment review procedures and expand its tracking process. SBA partially agreed with these recommendations, and we will continue to monitor its progress in addressing them.
SBA’s OIG Has Raised Concerns About SBA’s Improper Payment Reporting
SBA’s OIG reported in May 2025 that SBA was not in compliance with the Payment Integrity Information Act of 2019 and related OMB requirements.[48]
The OIG found that SBA did not comply with eight of the act’s 10 criteria for fiscal year 2024. For example, it found that SBA did not report an improper payment estimate for the Shuttered Venue Operators Grant program as required, and did not design and implement adequate review procedures to produce reliable sample results used to develop improper payment estimates for several programs, including PPP Loan Forgiveness and PPP Loan Guaranty Purchases.
We have ongoing work for this committee examining SBA’s improper payment estimation methods and recovery audits for its pandemic relief and standard programs. We will continue to monitor SBA’s actions to address these issues.
SBA Has Taken Steps to Improve Administration of Contracting Programs
We have reported on challenges related to SBA’s oversight of its contracting programs, including the 8(a) program.[49] SBA has addressed seven of the 21 recommendations we have made to address these challenges.
Reporting on procurement center representatives—implemented. SBA’s procurement center representatives advocate for small businesses when agencies are procuring goods and services. In a June 2020 report, we found that SBA did not maintain complete documentation to support data on the activities of these representative; these data are used to oversee the representatives and assess their performance.[50] Storing the complete documentation would help SBA verify the accuracy of the reports. SBA also did not submit required reports to Congress on the agency’s rationale for assigning the representatives to cover buying activities. We made two recommendations that SBA address these issues. In early 2021, SBA began using a central repository to store its data and submitted the required report to Congress.
Documenting reviews of small business subcontracting plans—implemented. Contractors that receive certain federal contracts are required to have small business subcontracting plans. Under these plans, contractors must make a good-faith effort to offer subcontracting opportunities to small businesses. Contracting officers are required to provide SBA staff with an opportunity to review the proposed contract. However, in a May 2020 report, we found that SBA could not provide documentation or information on almost all compliance reviews conducted by SBA in fiscal years 2016 through 2018.[51] We recommended that SBA address these issues. In response, SBA issued two guidance memos in November 2020. These memos instructed SBA staff to use a single electronic repository to store compliance review information and to conduct performance reviews.
Submitting 8(a) Business Development Program annual reports—implemented. In a 2022 report, we found that SBA had not submitted any of its required annual 8(a) program reports to Congress on time for 2016 to 2021.[52] We made two recommendations to SBA related to documenting its report process and developing a plan to address report delays. In response to our recommendations, SBA updated its standard operating procedures for the program to include a chapter on submitting the annual report, including a timeline for completing the report on time. SBA also developed a process map to help streamline report development.
Accurately documenting nonmanufacturer rule waiver reviews—implemented. In December 2023, we reported on issues related to SBA’s oversight of waivers to the nonmanufacturer rule.[53] We found that SBA data on these waivers included inaccurate or incomplete information, and that SBA did not have policies on how management should review analysts’ decisions. We made two recommendations that SBA address these issues. In response to our recommendations, SBA updated its program guidelines in July 2025 to address these concerns.
Identifying and addressing risks associated with the small business certification platform—not implemented. In a November 2024 report, we found problems with SBA’s management of the Unified Certification Platform project, which is intended to allow small businesses to more efficiently apply for and maintain certifications to SBA’s contracting assistance programs, including the 8(a) program.[54] We identified critical management gaps in the project. For example, SBA did not have a project-level risk management strategy or a risk mitigation plan, and did not fully identify and document risks. These issues increased the likelihood of a successful cyberattack. Consequently, we made 14 recommendations, including that SBA expeditiously address critical risk management and cybersecurity issues. SBA agreed with three, partially agreed with three, and disagreed with the other eight recommendations. We are monitoring SBA’s efforts to address our recommendations.
Chair Ernst, Ranking Member Markey, and Members of the Committee, this concludes my statement. I would be pleased to respond to any questions you may have.
GAO Contact and Staff Acknowledgments
If you or your staff have any questions about this testimony, please contact Courtney LaFountain, Acting Director, Financial Markets and Community Investment, at lafountainc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. GAO staff who made key contributions to this testimony are Marshall Hamlett (Assistant Director), Daniel Newman (Analyst in Charge), Seto Bagdoyan, Marcia Carlsen, Dan Flavin, Hannah Padilla, Jennifer Schwartz, and Jessica Sandler. Key contributors to the previous work discussed in this statement are listed in each of the cited reports.
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on X,
LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454
Media Relations
Sarah Kaczmarek, Managing Director, Media@gao.gov
Congressional Relations
A. Nicole Clowers, Managing Director, CongRel@gao.gov
General Inquiries
[1]GAO, High-Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-Risk Areas, GAO‑21‑119SP (Washington, D.C.: Mar. 2, 2021). We provided updates on this high-risk area in April 2023 and February 2025. See GAO, High-Risk Series: Efforts Made to Achieve Progress Need to Be Maintained and Expanded to Fully Address All Areas, GAO-23-106203 (Washington, D.C.: Apr. 20, 2023), and High-Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO-25-107743 (Washington, D.C.: Feb. 25, 2025).
[2]These programs are PPP, COVID-19 EIDL, the Restaurant Revitalization Fund, and Shuttered Venue Operators Grants. For more information, see GAO, COVID-19: Opportunities to Improve Federal Response and Recovery Efforts, GAO‑20‑625 (Washington, D.C.: June 25, 2020); COVID-19: Urgent Actions Needed to Better Ensure an Effective Federal Response, GAO‑21‑191 (Washington, D.C.: Nov. 30, 2020); COVID-19: Critical Vaccine Distribution, Supply Chain, Program Integrity, and Other Challenges Require Focused Federal Attention, GAO‑21‑265 (Washington, D.C.: Jan. 28, 2021); COVID-19: Sustained Federal Action Is Crucial as Pandemic Enters Its Second Year, GAO‑21‑387 (Washington, D.C.: Mar. 31, 2021); Economic Injury Disaster Loan Program: Additional Actions Needed to Improve Communication with Applicants and Address Fraud Risks, GAO‑21‑589 (Washington, D.C.: July 30, 2021); COVID-19: Current and Future Federal Preparedness Requires Fixes to Improve Health Data and Address Improper Payments, GAO‑22‑105397 (Washington, D.C.: Apr. 27, 2022); Restaurant Revitalization Fund: Opportunities Exist to Improve Oversight, GAO‑22‑105442 (Washington, D.C.: July 14, 2022); COVID Relief: SBA Could Improve Communications and Fraud Risk Monitoring for Its Arts and Entertainment Venues Grant Program, GAO‑23‑105199 (Washington, D.C.: Oct. 11, 2022); COVID Relief: Fraud Schemes and Indicators in SBA Pandemic Programs, GAO‑23‑105331 (Washington, D.C.: May 18, 2023); COVID-19 Relief: SBA and DOL Should Improve Processes to Identify and Recover Overpayments, GAO-25-106199 (Washington, D.C.: Nov. 13, 2024); and COVID-19 Relief: Improved Controls Needed for Referring Likely Fraud in SBA's Pandemic Loan Programs, GAO-25-107267 (Washington, D.C.: Mar. 24, 2025).
[3]GAO, Improper Payments: Information on Agencies’ Fiscal Year 2024 Estimates, GAO‑25‑107753 (Washington, D.C.: Mar. 11, 2025).
[4]The CARES Act established PPP as part of SBA’s 7(a) lending program.
[5]American Rescue Plan Act of 2021, Pub. L. No. 117-2, § 5001(d), 135 Stat. 4, 85.
[6]Totals exclude canceled loans. According to SBA, canceled loans may include, but are not limited to, duplicative loans, loans not closed for any reason, and loans fully paid off.
[7]CARES Act, Pub. L. No. 116-136, §§ 1107(a)(6), 1110, 134 Stat. 281, 302, 306. The advances could be used toward payroll, sick leave, and other business obligations. Borrowers did not have to repay them, even if they were subsequently denied the COVID-19 EIDL loan.
[8]SBA provided advances using the $10 billion that Congress appropriated under the CARES Act. On April 16, 2020, SBA announced that the lending authority for COVID-19 EIDL loans and the funding for EIDL advances had been exhausted. Under the Paycheck Protection Program and Health Care Enhancement Act, Congress appropriated another $10 billion for advances and $50 billion in loan credit subsidy for COVID-19 EIDL loans. Additionally, Congress made agricultural enterprises eligible for COVID-19 EIDL loans and advances. SBA began accepting new applications from only agricultural enterprises on May 4, 2020. On June 15, 2020, SBA reopened the application portal to all eligible applicants. In the Consolidated Appropriations Act, 2021, Congress appropriated an additional $20 billion for targeted EIDL advances to eligible entities located in low-income communities with 300 or fewer employees that experienced an economic loss of greater than 30 percent. Qualifying entities could receive up to $10,000 in targeted advances. The American Rescue Plan Act of 2021 appropriated an additional $10 billion for the targeted EIDL advances. It also appropriated $5 billion for a newly created EIDL advance program that provided up to $5,000 to business entities that qualified for the targeted EIDL advances but also met criteria for being smaller (employs less than 10 employees) and more economically harmed (economic loss greater than 50 percent) than the original targeted EIDL advances. The act also appropriated $70 million for COVID-19 EIDL loans.
[9]The distributed amount for COVID-19 EIDL exceeded the net appropriated funding due to the COVID-19 EIDL loan credit subsidy. The subsidy covers the government’s cost of extending or guaranteeing credit and represents the estimated long-term cost of providing loans, taking into account expected future performance, including loan repayments, prepayments, and defaults. The subsidy amount was roughly 14 percent of the cost of each disaster loan in fiscal year 2020 and roughly 9 percent in fiscal year 2021.
[10]Pub. L. No. 117-2, § 5003, 135 Stat. 4, 85.
[11]Consolidated Appropriations Act, 2021, Pub. L. No. 116-260, § 324, 134 Stat. 1182, 2022.
[12]The application portal initially opened on April 8, 2021, but shut down the same day because of a software problem, reopening on April 26, 2021.
[13]GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO‑15‑593SP (Washington, D.C.: July 28, 2015).
[14]Pub. L. No. 114-86, 130 Stat. 546 (2016).
[15]Pub. L. No. 116-17, § 2(a), Stat. 113, 131 – 132 (2020), codified at 31 U.S.C. § 3357. The act requires these guidelines to remain in effect, subject to modification by OMB as necessary and in consultation with GAO.
[16]Office of Management and Budget, Management’s Responsibility for Enterprise Risk Management and Internal Control, OMB Circular No. A-123 (Washington, D.C.: July 15, 2016).
[17]Office of Management and Budget, Establishing Financial and Administrative Controls to Identify and Assess Fraud Risk, CA-23-03 (Washington, D.C.: Oct. 17, 2022).
[18]15 U.S.C. § 638.
[19]15 U.S.C. § 638(f)(1), (n)(1)(A). Agencies’ R&D programs generally include funding for two types of R&D: intramural and extramural. Intramural R&D is conducted by employees of a federal agency in or through government-owned, government-operated facilities. Extramural R&D is generally conducted by nonfederal employees outside of federal facilities.
[20]SBIR and STTR started in 1982 and 1992, respectively.
[21]To assist small businesses adversely affected by the COVID-19 pandemic, Congress
allowed businesses in the 8(a) program on or before September 9, 2020, the option to
extend their participation in the program for 1 year.
[22]Fraud involves obtaining something of value through willful misrepresentation.
[23]For example, see GAO, Small Business Administration: COVID-19 Loans Lack Controls and Are Susceptible to Fraud, GAO-21-117T (Washington, D.C.: Oct. 1, 2020).
[24]GAO has made additional recommendations to SBA that could help prevent or identify fraud in its programs.
[29]Treasury’s Do Not Pay service is an analytics tool that helps federal agencies detect and prevent improper payments.
[30]As discussed in our Fraud Risk Framework, designating an entity to design and oversee fraud risk management activities is a leading practice. In carrying out its role, the antifraud entity, among other things, manages the fraud risk-assessment process.
[39]GAO, Small Business Research Programs: Opportunities Exist for SBA and Agencies to Reduce Vulnerabilities to Fraud, Waste, and Abuse, GAO‑24‑105470 (Washington, D.C.: Sept. 9, 2024).
[40]SBIR.gov is SBA’s primary government-wide website for the SBIR/STTR programs.
[41]GAO‑24‑105470.
[42]Small Business Administration, Office of Inspector General, Independent Auditors’ Report on SBA’s Fiscal Year 2024 Financial Statements, 25-05 (Washington, D.C.: Nov. 15, 2024). SBA’s auditor also had issued a disclaimer of opinion on SBA’s financial statements for fiscal years 2020 through 2023.
[43]Small Business Administration, Office of Inspector General, SBA’s Controls to Address Financial Statements Audit Disclaimers and Material Weaknesses, 25-25 (Washington, D.C.: Sept. 29, 2025).
[44]An improper payment is defined by law as any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. It includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts. 31 U.S.C. § 3351(4). When an executive agency’s review is unable to discern whether a payment was proper because of insufficient or lack of documentation, that payment must also be included in the improper payment estimate. 31 U.S.C. § 3352(c)(2)(A).
[46]The estimated improper payment rate for the Restaurant Revitalization Fund was 30.3 percent (about $8.7 billion of the $28.6 billion in awards), the second-largest estimated improper payment rate reported for a federal program in fiscal year 2024. GAO‑25‑107753.
[48]Small Business Administration, Office of Inspector General, Independent Auditors’ Report on SBA’s Fiscal Year 2024 Compliance with the Payment Integrity Information Act of 2019, 25-15 (Washington, D.C.: May 15, 2025).
[49]In June 2025, the SBA Administrator announced a review of fraud in the 8(a) program. According to SBA, the audit would be led by its Office of General Contracting and Business Development, beginning with high-dollar and limited-competition contracts and going back over a period of 15 years, in collaboration with various federal agencies that award contracts to 8(a) participants.
[50]GAO, Small Business Contracting: Better Documentation and Reporting Needed on Procurement Center Representatives, GAO-20-462 (Washington, D.C.: June 30, 2020).
[51]GAO, Small Business Subcontracting: Oversight of Contractor Compliance with Subcontracting Plans Needs Improvement, GAO‑20‑464 (Washington, D.C.: May 28, 2020).
[52]GAO, Small Business Administration: Recent Changes to the 8(a) Program’s Financial Thresholds Need Evaluation, GAO‑22‑104512 (Washington, D.C.: Aug. 30, 2022).
[53]The nonmanufacturer rule allows federal agencies to award contracts to small business contractors to supply products manufactured by another small business if the contractors do not manufacture those products themselves. If no small business manufacturers exist, federal agencies can request a waiver from SBA, allowing a small business to supply the product of any sized manufacturer. 15 U.S.C. § 637(a)(17), 15 U.S.C. § 637(a)(17)(B)(iv). GAO, Small Business Contracting: SBA Could Improve Oversight of Individual Waiver Requests to the Nonmanufacturer Rule, GAO‑24‑106196 (Washington, D.C.: Dec. 14, 2023).
[54]GAO, IT Modernization: SBA Urgently Needs to Address Risks on Newly Deployed System, GAO‑25‑106963 (Washington, D.C.: Nov. 6, 2024).