What GAO Found The Department of State is responsible for coordinating U.S. assistance supporting international efforts to combat illicit narcotics, a role fulfilled by the Bureau of International Narcotics and Law Enforcement Affairs (INL). Fentanyl Seized in Nuevo Leon, Mexico GAO previously identified challenges State and INL face in determining the effectiveness of assistance they provide to foreign partners. Performance management can help INL identify whether the billions of dollars appropriated to help meet its mission are spent effectively and help achieve its goals. In September 2023, GAO found that INL's efforts to implement assistance to Mexico had been hampered by incomplete performance management efforts. As a result, the U.S. government could not demonstrate that the more than $3 billion of assistance it had provided to Mexico was spent effectively and helped achieve goals. GAO made three recommendations to INL to better ensure that it spends such assistance effectively. INL has taken steps to address these recommendations but has not fully implemented them. GAO also previously identified challenges State and INL face in monitoring and evaluating projects. For example, in March 2023, GAO found that State had not conducted a comprehensive evaluation of the collective efforts of U.S. agencies to combat cybercrime and ensure that programs were achieving intended goals. GAO recommended that INL conduct a comprehensive evaluation of capacity building efforts to counter cybercrime. State officials said that INL planned to conduct such an evaluation. INL has taken steps to address this recommendation but has not fully implemented it. In addition, GAO previously identified challenges INL faces in managing fraud risk in assistance to Mexico. Specifically, in March 2021, GAO found that INL had not fully assessed the potential risks of fraud in assistance to Mexico and made three recommendations to INL to help improve efforts in this area. While INL has developed a preliminary anti-fraud strategy for that assistance, it has not yet issued or implemented a final anti-fraud strategy. Why GAO Did This Study Combatting transnational crime and drug trafficking are long-standing national security priorities for the U.S., and the opioid crisis has been a public health emergency since 2017. Hundreds of thousands of Americans have died from misusing drugs, with more than 66 percent of these deaths involving synthetic opioids such as fentanyl. According to the Office of National Drug Control Policy, criminal organizations in Mexico supply most of the illicitly manufactured fentanyl smuggled into the U.S. INL's mission is to keep Americans safe by countering crime, illegal drugs, and instability abroad. This statement discusses four key areas where State and INL have faced challenges implementing programs overseas: (1) performance management, (2) program monitoring, (3) program evaluation, and (4) fraud risk management. This statement is based on GAO's prior work on a variety of State and INL programs. For that work, GAO analyzed State documents and data and interviewed agency officials. For a full list of the reports, see Related GAO Products at the conclusion of this statement.

What GAO Found Unusually long processing times in fiscal year 2023 had various negative effects on U.S. passport applicants. Processing of routine passport applications took more than 4 weeks longer than before the COVID-19 pandemic and expedited applications took more than 2 weeks longer. These delays' effects on passport applicants included delayed or cancelled travel. Several factors contributed to the processing delays. One primary factor was staff shortages stemming from a hiring freeze in fiscal year 2017. Other factors included unexpected fluctuations in application volume. For example, State received 21.6 million applications in fiscal year 2023, nearly 2 million more than it had expected. Backlog of Passport Applications at National Passport Center, Portsmouth, NH, 2023 State implemented short-term measures to mitigate the processing backlog in fiscal year 2023. For example, State required passport specialists to work up to 24 hours of overtime per month in fiscal year 2023. State data show that specialists worked more than 250,000 hours of overtime during the fiscal year. State is developing a long-term plan, known as the Transformation Roadmap, for projects to modernize processing and avoid future delays, but it has not identified milestones or resource needs for all of the projects. As of November 2024, State had developed 83 projects that included improving information technology and opening six new passport agencies. As of December 2024, State had defined milestones to measure progress for 24 projects it considered necessary for the roadmap's success, but it has not done so for the remaining 59. In addition, State has not identified the resources needed to fully implement the roadmap. State officials told GAO that the greatest risks to implementing the roadmap were insufficient staffing and funding. GAO's prior work has shown that defining milestones for agency reform efforts and determining planned projects' costs (e.g., staffing, funding, and other resources) are critical to the reforms' and projects' success. Taking such actions would better position State to complete its efforts to reduce the likelihood of future delays in passport processing and their negative effects on U.S. travelers and the travel industry. Why GAO Did This Study Issuance of U.S. passports is among the State Department's most visible and important public services. Moreover, its timeliness in adjudicating passport applications and issuing passports affects American citizens as well as the travel and leisure industry. In fiscal year 2023, State experienced a passport processing backlog, which led to substantially longer processing times than before the COVID-19 pandemic. GAO was asked to review State's passport processing backlog. In addition, a House Report included a provision for GAO to study passport processing times. This report examines (1) the time frames for State's processing of passport applications in fiscal year 2023 and the effects of processing delays on applicants; (2) factors that contributed to processing delays in fiscal year 2023; (3) State's actions to mitigate the backlog; and (4) the extent of State's long-term planning to prevent future delays. GAO reviewed State passport processing data and documents related to managing delays. GAO also interviewed State officials and visited or met with staff at four processing centers. GAO selected these centers on the basis of factors such as size, location, and volume of applications processed in 2023.

What GAO Found The Small Business Administration's (SBA) Community Navigator Pilot Program aimed to expand access to small business assistance resources for underserved communities. The program, which operated from December 2021 to May 2024, awarded grants to “hubs”—nonprofits, local governments, and other entities that partnered with smaller organizations, called “spokes” (see figure). Overview of SBA Community Navigator Pilot Program SBA data suggest the program served a higher proportion of clients from high-minority, high-poverty, and low-income areas compared to other SBA business assistance programs. Challenges that navigators identified included collecting sensitive client data and building effective partner networks. The Navigator Program aligned with one and partially aligned with four leading practices for pilot program design. SBA established clear, measurable program objectives, such as increasing use of SBA services among underserved business owners, and developed a data gathering strategy and assessment methodology. However, GAO identified opportunities for SBA to evaluate the pilot and mitigate broader program risks: Evaluation. SBA does not plan to evaluate outcomes of the pilot. However, evaluations play a key role in strategic planning and program management. Conducting an evaluation would capture lessons learned from pilot activities. Additionally, by assessing scalability and incorporating input from a broad array of SBA staff and partner organizations, the evaluation could inform current and future programs and congressional decision-making. Fraud mitigation. SBA took steps to address fraud risk for the program, such as completing a fraud risk assessment and training hubs on financial oversight. However, during application reviews, SBA staff did not consult local SBA offices with potential knowledge about applicants' risks. For example, staff in one district office said they could have flagged a local applicant that overstated its capacity to provide assistance. SBA officials said that to avoid potential bias and inconsistency, its competitive grant programs' application reviews do not include consultation with local SBA offices. However, GAO identified federal grantmaking agencies that incorporated local staff input while implementing safeguards to mitigate bias and maintain consistency. By developing procedures to obtain relevant information from local agency staff, SBA could improve its ability to assess applicants and address fraud risks. Why GAO Did This Study Racial and ethnic minorities, women, tribal groups, and other communities have historically faced barriers to accessing credit, capital, and other resources necessary to start and grow businesses, according to SBA. The American Rescue Plan Act of 2021 directed SBA to establish the Community Navigator Pilot Program, a new, short-term business assistance program to serve these communities. GAO was asked to review the Community Navigator Pilot Program. This report examines (1) how the program reached underserved small business owners, (2) the program's alignment with leading practices for pilot program design, and (3) the program's efforts to manage fraud risk. GAO analyzed SBA documents, interviewed officials, and compared the pilot program design and fraud risk management processes against leading practices. GAO also analyzed SBA and Census data and interviewed 18 navigators (chosen to reflect a mix of grant amounts, regions, and organization types) about their activities. GAO conducted three site visits reflecting a mix of geographic regions and organization types.

What GAO Found Based on the limited procedures GAO performed in reviewing the independent public accounting firm's (IPA) fiscal year 2024 audit of the Patient-Centered Outcomes Research Institute's (PCORI) financial statements, GAO did not identify any significant issues that it believes require attention. Had GAO performed additional procedures, other matters might have come to its attention that it would have reported. The IPA provided an unmodified audit opinion on PCORI's fiscal years 2024 and 2023 financial statements. Specifically, the IPA found that PCORI's financial statements were presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles. Further, for fiscal year 2024, the IPA did not identify any deficiencies in internal control that it considered to be material weaknesses or any reportable noncompliance with the selected provisions of laws, regulations, contracts, and grant agreements it tested. PCORI concurred with the IPA's conclusions. GAO's review of PCORI's fiscal year 2024 financial statement audit, as differentiated from an audit of the financial statements, was not intended to enable GAO to express—and it does not express—an opinion on PCORI's financial statements or conclude on the effectiveness of its internal control over financial reporting. Furthermore, GAO does not express an opinion on PCORI's compliance with provisions of applicable laws, regulations, contracts, and grant agreements. The IPA is responsible for its reports on PCORI dated February 19, 2025, and the conclusions expressed therein. GAO provided a draft of its report to PCORI and the IPA for review and comment. PCORI's Chief Financial Officer provided technical comments, which GAO incorporated in the final report. An IPA partner responded that the IPA had no comments on the draft report. Why GAO Did This Study This report presents the results of GAO's review of PCORI's fiscal year 2024 financial statement audit. PCORI is a federally funded, nonprofit corporation that is neither an agency nor establishment of the U.S. government. PCORI's purpose is to help patients, clinicians, policymakers, and others make informed decisions about health and health care options. The Patient Protection and Affordable Care Act requires PCORI to obtain an annual financial statement audit from a private entity with expertise in conducting financial audits. The act includes a provision for the Comptroller General of the United States to review the audit and report the results to the Congress annually. GAO's objective was to review the results of PCORI's fiscal year 2024 financial statement audit. To satisfy this objective, GAO (1) read and considered various documents relating to the IPA's independence, objectivity, and qualifications; (2) analyzed key IPA audit documentation; (3) read PCORI's fiscal years 2024 and 2023 financial statements, the IPA's audit report on the financial statements, and the IPA's report on internal control over financial reporting and compliance; and (4) met with IPA representatives and PCORI management officials. For more information, contact Cheryl E. Clark at clarkce@gao.gov.

What GAO Found The Single Audit Act requires non-federal entities that expend above a certain amount in federal awards in a fiscal year to undergo a single audit—an audit of an entity's financial statements and federal awards—or in select cases a program-specific audit. GAO analyzed 3,680 single audit findings from 2022 to 2024 addressed to recipients that received a grant award from a federal agency and passed funds through to another entity, or subrecipient, in the form of a subaward. According to this analysis, 36 percent of these findings were primarily associated with one of the following topics: Incomplete subaward reporting. Some of these grant recipients did not fulfill required reporting of subawards to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for display on USAspending.gov. This limits the transparency of federal funding and makes it challenging to track these funds for oversight purposes. Subrecipient monitoring activities. Some of these grant recipients did not monitor their subrecipients' activities or did not review audit reports for their subrecipients, which impairs their oversight of those subrecipients. Verifying or justifying eligibility decisions. Some of these grant recipients did not ensure that their subrecipients were eligible to receive federal funds, which can put those funds at risk for fraud. While grant recipients are responsible for overseeing their subawards, federal agencies are to ensure the grant recipients they make awards to carry out their oversight responsibilities. GAO selected an example grant program with subrecipients from each of the three agencies that received the largest amounts of Infrastructure Investment and Jobs Act (IIJA) funding. Officials from these programs described a variety of approaches to support subaward oversight, such as reviewing recipients' budgets, progress reports, and audit findings. In 2024, the Office of Management and Budget (OMB) took steps that could enhance federal subaward oversight. These steps include: amending the Code of Federal Regulations to direct agencies to review single audit findings to non-federal entities—including subrecipients—which could broaden agencies' awareness of challenges affecting their programs; issuing a memorandum directing agencies to update their award terms to clearly convey the requirement for grant recipients to provide complete subaward descriptions in their reports to FSRS, which should result in clearer information available to the public about federal spending; and addressing GAO's prior recommendation to clarify agencies' role in supporting subaward data quality by issuing a memorandum directing agencies to hold their grant recipients accountable for reporting subawards to FSRS, which should lead to more complete subaward data being publicly available on USAspending.gov. GAO will continue to monitor subaward oversight and transparency as agencies take steps to implement this guidance. Why GAO Did This Study In fiscal year 2024, the federal government obligated roughly $1.2 trillion in grants to support national priorities. Grant recipients can pass through these funds to subrecipients in the form of a subaward. GAO and Office of Inspectors General audits have found persistent issues with the completeness and accuracy of subaward information. This makes it challenging to track where subaward funds are ultimately spent and can increase the risk for fraud and misuse of federal funds. GAO was asked to review various issues related to subaward oversight. This report describes (1) common issues related to subaward oversight identified through single audits; (2) how selected federal agencies and grant programs implement their subaward oversight requirements; and (3) recent changes to regulations and guidance that could enhance subaward oversight. GAO analyzed single audit findings from the Federal Audit Clearinghouse to identify common compliance issues related to subaward oversight. GAO met with officials from IIJA grant programs with funds distributed as subawards to describe examples of federal subaward oversight. GAO also reviewed recent changes to relevant regulations and guidance and discussed how they could improve subaward oversight with OMB staff. We provided a draft to our three selected agencies and OMB for comment. One agency provided technical comments, which we incorporated as appropriate, and two responded with no comments. OMB did not provide comments. For more information, contact Jeff Arkin at ArkinJ@gao.gov.

What GAO Found Capital plays a critical role in ensuring bank safety and soundness. The Basel Committee on Banking Supervision, an international body of bank supervisors, sets nonbinding minimum regulatory capital standards for large banks. The committee relies on its members to implement the standards in their jurisdictions. The U.S. members of the Basel Committee are the Board of Governors of the Federal Reserve System, Federal Reserve Bank of New York, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency. Standard-development process. The Basel Committee process for developing the standards involved multiple rounds of analyses, discussion, and review. Each final standard underwent at least one round of public comments and quantitative studies assessed potential impacts on banks' regulatory capital. Decisions were made by consensus, with groups negotiating and agreeing on the scope of work, alternatives to analyze, actions to take or not take, and standards to propose and finalize. Staff from all U.S. members participated in these groups. GAO found collaboration among U.S. members throughout this process generally reflected best practices for interagency collaboration (such as leveraging information and including relevant participants). External comments and impact analyses. U.S. members informed their positions by reviewing public comments on proposals, meeting with industry representatives, contributing to and using quantitative impact studies, and conducting their own analyses. These activities helped provide insight into the potential impacts of proposed reforms and identify alternative approaches. GAO found that the information U.S. members collected and analyses they conducted generally reflected key elements for regulatory analysis (such as consideration of alternatives and evaluation of benefits and costs). U.S. members' negotiating priorities. U.S. members had two overarching reform priorities for the final Basel III standards. One was to better align certain regulatory standards for non-U.S. banks with their parallel U.S. requirements to promote a more level playing field. U.S. members also shared the Committee's priority to address weaknesses in the Basel framework—they sought to improve and balance the simplicity, comparability, and risk sensitivity of bank capital standards. For example, previous standards allowed banks more leeway in the way they modeled the risks of their assets (to help determine how much regulatory capital to hold to offset the risks). The Committee, including U.S. members, prioritized reforms that constrained banks' use of internal models to help increase the comparability of risk-weighted assets across banks. GAO's analysis of U.S. documents showed that U.S. members participated actively in the working groups that developed the standards to further their reform priorities. Why GAO Did This Study The Basel Committee released initial Basel III standards in 2010, followed by additional reforms that resulted in final Basel III standards in 2017 and 2019. These updated standards, which have not yet been implemented in the U.S., revised methods for estimating a bank's risks, which affect its regulatory capital requirements. GAO was asked to review U.S members' actions during the final Basel III negotiations. This report examines (1) how the Basel Committee organized the work to develop the standards, (2) information and analyses U.S. members considered to inform their positions, and (3) U.S. members' priorities for reform and actions taken to further those priorities. This is the public version of a sensitive report GAO issued in December 2024. Information on U.S. members' actions during the development of the standards and their positions on reforms has been omitted. GAO analyzed U.S. members' internal sensitive documents related to the development of the standards. These included internal briefing notes, talking points, analyses, and other documents prepared for the negotiations during 2011–2019. GAO also analyzed Basel Committee consultative documents, quantitative impact studies, other publicly released documents, and the final Basel III standards. GAO interviewed officials from the four U.S. members responsible for the final Basel III negotiations and Basel Committee Secretariat staff (who support the work of the Committee and its component groups). For more information, contact Michael Clements at clementsm@gao.gov.

What GAO Found Although maritime threats have been growing, the Navy has not increased its fleet size as planned over the past 20 years. Over this period, GAO has found that the Navy's shipbuilding acquisition practices consistently resulted in cost growth, delivery delays, and ships that do not perform as expected. For example, GAO identified schedule risks in 2024 for the Constellation class frigate program. Counter to leading ship design practices, construction for the lead ship started before the ship design work was complete, and delivery is expected to be delayed by at least 3 years. The Navy's recent practices with the frigate program are similar to its prior performance with its Littoral Combat Ship and Zumwalt Class Destroyer programs. Both programs were hampered by weak business cases that over-promised the capability that the Navy could deliver. Together, these two ship classes consumed tens of billions of dollars more to acquire than initially budgeted and ultimately delivered far less capability and capacity to fleet users than the Navy had promised. The Navy cannot expect to look within its existing playbook to find answers. Current challenges can provide the Navy leadership with the impetus to look for solutions outside of the existing defense acquisition paradigm. Specifically, the Navy can innovate by using effective, proven ship design practices and product development approaches that are rooted in the approaches of industry-leading companies worldwide. GAO has previously identified leading ship design practices used by commercial ship buyers and builders that the Navy can use to achieve more timely, predictable outcomes for its shipbuilding programs. Leading Practices Supporting Timely Ship Design and Delivery While the Navy strives to improve its shipbuilding performance, marginal changes within the existing acquisition structures are unlikely to provide the foundational shift needed to break the pervasive cycle of delivery delays and cost overruns. Leading practices offer the Navy a near-term path toward restoring credibility with the operational fleet, Congress, and the taxpayers. More importantly, over the long-term, these leading practices can help the Navy redefine its shipbuilding acquisition process, achieve its goals related to the number of ships needed to compete against potential adversaries, and reinforce the superiority of the Navy fleet. Why GAO Did This Study Although the Navy has seen a near doubling of its shipbuilding budget over the past 2 decades, acquisition challenges have resulted in consistent failure to increase its ship count as planned. GAO has regularly reported that the Navy's shipbuilding acquisition approach does not align with innovative practices that promote timely, predictable development and delivery of new, fully capable ships. This statement addresses (1) challenges that Navy practices pose to achieving desired shipbuilding outcomes, and (2) leading commercial practices that could improve Navy results over both the near term and far term. This statement is based on information from GAO-25-108136, GAO-24-106546, GAO-24-105503, and GAO-23-106222, among others. Information about the scope and methodology of prior work on which this statement is based can be found in those products.

What GAO Found There is a growing emphasis on how the federal government can improve its approach to disaster recovery. In the last 10 years, appropriations for disaster assistance totaled at least $448 billion, plus an additional $110 billion in supplemental appropriations so far in fiscal year 2025. Recent disasters such as Hurricanes Helene and Milton, the wildfires in California, and this month's destructive tornadoes across the Midwest and South demonstrated the need for government-wide action to deliver assistance efficiently and effectively and reduce its fiscal exposure (see figure). Given the rise in the number and cost of disasters and increasing challenges related to the delivery of federal disaster assistance identified in GAO's work, Improving the Delivery of Federal Disaster Assistance was added to GAO's High-Risk List in February 2025. To improve the federal government's delivery of disaster assistance, GAO has found that attention is needed to improve processes for assisting survivors, reduce fragmentation across federal disaster assistance programs, strengthen the disaster workforce and capacity, and invest in resilience. For example, GAO has recommended that Congress should consider establishing an independent commission to recommend reforms to the federal approach to disaster recovery, which is fragmented across more than 30 federal entities. GAO also reported on various options for reforming the federal approach to disaster recovery, such as better coordinating and consolidating programs across agencies and simplifying processes for survivors, among other things. Examples of 2024 and 2025 Disaster Damage Further, GAO recommended that the Federal Emergency Management Agency (FEMA) develop and implement a methodology that provides a more comprehensive assessment of a jurisdiction's ability to respond to a disaster without federal assistance. Without an accurate assessment, FEMA runs the risk of recommending to the President that federal disaster assistance be awarded to jurisdictions that may not need it. FEMA has taken past steps to do this but has not fully implemented this recommendation. GAO also found that FEMA's workforce is overwhelmed by the increasing number of disasters and other emergencies. Strengthening the disaster workforce will be a critical part of better delivering the assistance that communities and survivors need to recover. Why GAO Did This Study Natural disasters have become costlier and more frequent. In 2024, there were 27 disasters with at least $1 billion in damages, compared to 14 in 2018. Disasters in 2024 resulted in 568 deaths nationwide. Further, federal disaster declarations and the expectation for federal support have increased. In addition, federal support for disaster recovery can last for years. For example, FEMA is managing over 600 open major disaster declarations—some of which occurred almost 20 years ago, according to the agency. This statement discusses GAO's new disaster high-risk area, and related work on reducing fragmentation of the federal approach to disaster assistance, among other things. This statement is based on products GAO issued from May 2020 through February 2025. For this work, GAO analyzed federal law and documents related to disaster assistance and interviewed officials across relevant federal, state and local agencies. GAO also conducted site visits to recent disasters areas, among other actions.

What GAO Found According to Small Business Administration (SBA) officials, the four-step process for managing fraud risks in its pandemic loan programs generally consisted of the following components for both the Paycheck Protection Plan (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) programs: Screening: automated review, sometimes with additional manual components, that compared each application with several public and private databases and checked for internal inconsistencies that indicated data anomalies. Data analytics: various data analytic tools to examine data anomalies, sometimes using a type of artificial intelligence called machine learning for the PPP to help identify files with data anomalies in need of review. Human-led reviews: manual reviews of files with data anomalies to determine if the file was ineligible or likely fraudulent. OIG referrals: referrals of likely fraudulent applications to SBA's Office of Inspector General (OIG). This process and its various steps were introduced at different times for COVID-19 EIDL and the PPP and were implemented iteratively over the course of the pandemic. However, SBA did not implement the process until more than half of the programs' funding had been approved, thus limiting its impact in preventing fraud. Specifically, for COVID-EIDL, over $210 billion of an eventual $385 billion (or about 55 percent) had already been disbursed before the full process was implemented. For the PPP, over $525 billion of an eventual $800 billion (or about 66 percent) had already been approved. The four-step process as applied to COVID-19 EIDL and the PPP had weaknesses, as several audit entities, including GAO, SBA's OIG, and SBA's independent financial statement auditor, have previously reported. For example, as part of its screening step, SBA compared loan applications against the Treasury's various Do Not Pay (DNP) databases and public records. A June 2024 SBA OIG report found, however, that SBA awarded and disbursed funds to potentially ineligible entities listed in DNP without sufficient evidence to support the loan decision. In response to this report, SBA agreed, among other things, to review and address those loans and grants with an alert in the file that was not previously addressed. According to SBA's OIG, the proposed action did not fully meet OIG's recommendation to review all loans identified as potentially ineligible. In its work, GAO identified a weakness in SBA's process for referring cases of likely fraud to its OIG—that is, step four of its four-step process. As part of its referral step for COVID-EIDL, SBA submitted almost 3 million referrals to its OIG. SBA OIG officials told GAO that of these referrals, about 2 million were not actionable because they did not contain enough data elements to allow for further investigation or had quality issues, such as duplicates or incorrect information. Without an effective referral process, the SBA OIG is not able to fully investigate instances of likely fraud and make follow-on referrals to, for example, the Department of Justice for prosecution, as necessary. Why GAO Did This Study SBA distributed over $1 trillion in loans and grants to over 10 million small businesses in 2020-2022 during the COVID-19 pandemic. Through the CARES Act and other laws, Congress provided funding for PPP and COVID-19 EIDL to support small businesses. In June 2020, GAO found that SBA had not yet developed and implemented plans to identify and respond to risks for the PPP to ensure program integrity. GAO reported in May 2023 that SBA moved quickly under challenging circumstances to develop and launch its pandemic relief programs but that some of the relief funds went to those who sought to defraud the government. The CARES Act includes a provision for GAO to monitor COVID-19 pandemic relief funds. In this report, GAO examines SBA's four-step antifraud process by describing (1) how the process for detecting and referring likely fraud cases was designed and implemented for COVID-19 EIDL and the PPP and identifying (2) any control weaknesses in the process for detecting and referring likely fraud cases for COVID-19 EIDL and the PPP. GAO examined SBA documentation, interviewed SBA officials, and reviewed prior reports by GAO, SBA's OIG, and SBA's independent financial statement auditor, and reports by the Pandemic Response Accountability Committee.

What GAO Found Eighteen private sector companies surveyed by GAO reported using the majority of 19 leading practices across three management areas—acquisition, cybersecurity, and workforce development—when adopting and implementing cloud computing solutions. Subject matter experts from academia agreed these are leading practices for cloud adoption, and the majority of companies found them very or extremely important for an effective cloud adoption strategy. Cloud Management Areas Where Companies Reported Using Leading Practices for Adopting Cloud Services Examples of leading practices reported by private sector companies included: Acquisition: Companies reported using 7 leading practices, including defining the business case for the cloud adoption, negotiating clear terms and agreements, and assessing service performance against expectations. Cybersecurity: Companies reported using 6 leading practices, including implementing incident response procedures, establishing continuous monitoring, and clarifying cloud security responsibilities. Workforce Development: Companies reported using 6 leading practices, including identifying skill gaps, retaining and recruiting staff, and shifting internal culture. Companies also identified potential challenges that organizations may encounter when adopting new cloud solutions, including approaches for addressing those challenges and related technical considerations. Companies reported that addressing these technical considerations enhanced flexibility, mitigated risks, and optimized cloud resource utilization. For example, one company reported implementing a multi-cloud strategy early in its migration to a cloud environment, which helped enable flexibility across different providers. However, to realize these benefits, companies reported requiring additional investments, such as in workforce training and cybersecurity tools. Why GAO Did This Study Private sector companies spend billions of dollars adopting cloud computing, with the federal government making other substantial investments. Across the private and public sectors, organizations adopt cloud computing solutions to realize a range of potential benefits, such as lowering IT costs. In pursuing these benefits, organizations may also encounter various risks and challenges. Given the evolving nature of cloud computing, identifying leading practices used by the private sector could provide valuable insights. These insights could help inform federal policymakers and program managers in their efforts to adopt cloud solutions. This report identifies (1) leading practices in the private sector for adopting cloud solutions and (2) approaches to address challenges in the private sector regarding the adoption of cloud solutions. GAO reviewed prior work and federal and nonfederal guidance related to cloud computing. GAO then surveyed a nongeneralizable sample of 18 private sector companies identified as leaders in business and technological innovation across multiple industries about their experiences adopting cloud computing solutions. We also asked companies about their approaches for addressing challenges and related technical considerations associated with adopting cloud computing solutions. GAO validated the leading cloud adoption practices by soliciting and incorporating feedback from cloud computing subject matter experts at academic institutions. For more information, contact Brian Bothwell at BothwellB@gao.gov or Vijay A. D’Souza at DSouzaV@gao.gov.