Improper Payments from the 2025 Green Book
In May 2025, GAO released an update to the Green Book, The Standards for Internal Control in the Federal Government. I shared my thoughts on the exposure draft when it was released for public comment last year. If you are worried that you are just hearing about this now, don’t be! It would take a forensic auditor (maybe you are?) to notice the difference between the 2014 Green Book and this update. The most prominent update was the inclusion of improper payments in Principle 8.
What is an improper payment?
GAO defines it as any payments that should not have been made or that were made in an incorrect amount. Payments are also considered improper when there is insufficient or lack of documentation.
Types of improper payments
Overpayments
This is the most straightforward. Payments that have been sent to ineligible recipients, or in excess of the goods/services provided.
Underpayments
This occurs when a recipient does not receive the payment that they should have. For example, a grant recipient who should receive a payment of $5,000 after meeting all eligibility requirements is only sent $500 because of a typing error.
You may be wondering, how do you calculate the improper payment? Using our example above, the difference between what should have been paid and what was is considered the improper payment amount. In this case, $4,500.
Improper payment risk factors
Management should consider improper payment risk factors, including internal and external risk factors. Here are some risk factors management could consider:
Whether the program or activity is new
The program’s complexity
The volume of payments processed
Use of external parties to make payments or eligibility decisions
Major recent changes in funding, laws, or procedures
Experience and training of personnel handling payments
Reliance on recipients to self-certify eligibility
Known internal control weaknesses that affect payment accuracy
Lack of data or systems to verify eligibility or payment accuracy
Fraud risk associated with the program or activity
Where GAO erred in this update
I still remember explaining to a political appointee years ago that an underpayment counted as an improper payment. Their first reaction was disbelief. “Wait, we paid too little, and that’s improper?” I nodded. It took a few minutes of conversation to get there, but eventually they understood that “improper” is about deviation from what should have happened, whether the agency paid too much or too little. Now imagine trying to explain that a payment is improper not because of who was paid or how much, but because we could not find every supporting document. Picture telling that same appointee, “We paid the right person the right amount for the right work, but the invoice is missing a date stamp, so it is classified as an improper payment.” You can almost see the confusion setting in.
The decision to add “insufficient or lack of documentation” to the definition is, in my view, a mistake. The original intent behind identifying improper payments was straightforward: are we paying the right person, the right amount, for the right purpose? By adding documentation issues to the definition, GAO has shifted the focus from whether the payment itself was wrong to whether the file folder looks complete. That subtle shift has big implications for how agencies measure and report risk.
By folding documentation failures directly into the improper payment category, the result is that otherwise correct payments could now be labeled as improper simply because someone misplaced a file or failed to upload a form. That inflates reported numbers and distracts from the real concern, payments that actually go to the wrong recipient or are made in the wrong amount.