UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL 400 MARYLAND AVENUE, S.W. WASHINGTON, DC 20202-1500 February 27, 2006 Control Number ED-OIG/A19E0017 Danny Harris Deputy Chief Financial Officer U.S. Department of Education Office of the Chief Financial Officer 400 Maryland Avenue, S.W. Washington, DC 20202 Dear Mr. Harris: This Final Audit Report, entitled Audit of the Department of Education’s Followup Process for Internal Audits, presents the results of our audit. The purpose of the audit was to evaluate the Department of Education’s (Department) controls to ensure that agreed upon corrective actions have been taken in response to Office of Inspector General (OIG) issued internal audit reports. Our review covered the period July 1, 2002 through September 30, 2004. BACKGROUND Office of Management and Budget (OMB) Circular A-50, entitled “Audit Followup” requires that each agency designate a top management official to oversee audit followup, including resolution and corrective action. It also states the audit followup official has the responsibility for ensuring corrective actions are taken. The Department’s designated followup official is the Chief Financial Officer (CFO). Within the Office of the Chief Financial Officer (OCFO), the Post Audit Group (PAG) is responsible for assisting the CFO in the audit followup process. The Department tracks audit resolution and the completion of corrective action items through the Audit Accountability and Resolution Tracking System (AARTS). AARTS is a web-based application designed to assist the Department’s management with audit reporting and followup activities. The AARTS User Manual for OIG Issued Internal Audits states that an action has been “completed” when “The PO [Principal Office] Writer, PO Reviewer, and PO Authorizer enter the “Actual Completion” dates for the Action Items . . ..” Our mission is to promote the efficiency, effectiveness, and integrity of the Department’s programs and operations. Final Report ED-OIG/A19E0017 Page 2 of 14 The Department has established a Post Audit User Guide (Guide) to provide policy and procedures for the audit resolution and followup process. The Guide provides that each Assistant Secretary (or equivalent office head) is responsible for ensuring that the overall audit followup process operates efficiently and consistently. The Guide defines further responsibilities of the Action Official (AO), generally an Assistant Secretary or equivalent office head, to include: • Determining the action to be taken and the financial adjustments to be made in resolving findings in audit reports concerning respective program areas of responsibility, and • Maintaining formal, documented systems of cooperative audit resolution and follow-up to ensure that audit recommendations are implemented, completion dates captured, and appropriate documentation maintained to support completed corrective actions. The Guide also defines roles and responsibilities for PAG that include: • Ensuring that AOs have appropriate audit followup systems in place and that these systems are being effectively used, • Monitoring the Department’s compliance with OMB Circular A-50, and • Ensuring the overall effectiveness of the Department’s audit followup system. In October 2001, the OIG issued a report entitled: “Audit of Controls Over the Audit Followup Process,” (Control Number EDOIG/A19B0002). OIG reported that corrective actions were not always implemented, were not fully implemented, or were implemented after the reported completion date. In addition, OIG found that AOs did not certify that all corrective actions were implemented, and program offices did not have completed records of corrective actions taken. As a result of these findings, OIG concluded that reporting actions as completed that are not actually implemented, are not fully implemented, or are implemented after the reported completion date, compromises the Department’s audit followup process and negatively impacts its credibility. This report presents the results of our recent audit of the Department’s audit followup process for internal OIG audits. It combines the results of work conducted within four POs. In conducting this audit, separate reports were issued to POs with responsibility for audit resolution and followup for the audits included in our scope. A listing of these reports is included as Attachment 1 to this report. The following POs were included in our audit: • Federal Student Aid (FSA) • Office of Postsecondary Education (OPE) • Office of the Chief Information Officer (OCIO) • Office of the Chief Financial Officer (OCFO) A listing of the audits reviewed is included as Attachment 2 to this report. Final Report ED-OIG/A19E0017 Page 3 of 14 AUDIT RESULTS We found that the Department’s audit followup system was not always effective. PAG did not fulfill its responsibilities to ensure that AOs had systems in place to followup on corrective actions, monitor the Department’s compliance with OMB Circular A-50, and ensure the overall effectiveness of the Department’s audit resolution and followup system. In total, we found audit followup activities were not effective for 16 of the 23 audits reviewed. As a result, the Department did not have assurance that corrective actions were completed for 37 of the 160 action items reviewed. The risk remains that related programs may not be effectively managed. In its response, OCFO generally concurred with the finding and recommendations in the draft report. The comments are summarized at the end of the finding along with the OIG’s response. The full text of OCFO’s comments is included as Attachment 3 to this report. FINDING – PAG Did Not Ensure the Department’s Audit Followup System for Internal OIG Audits was Effective PAG did not fulfill its responsibilities to ensure that the Department’s audit followup system for internal OIG audits was operating effectively. Specifically, we found that PAG did not effectively: • Ensure that AOs had systems in place to follow up on corrective actions, • Monitor the Department’s compliance with OMB Circular A-50, and • Ensure the overall effectiveness of the Department’s audit resolution and followup system. During our review, we identified corrective action items established by the Department during the resolution of internal OIG audits. The 23 audits reviewed included a total of 108 completed recommendations consisting of 160 corrective action items. We discussed the audit followup process with PO staff, and evaluated documentation maintained by the POs to determine whether the corrective action items were actually completed. We found that in 16 of the 23 audits, for 37 of the 160 corrective action items (23 percent), the Department did not have documentation sufficient to support completion of the action items. In addition, for the 99 corrective action items for which completion dates could be verified, we found PO staff reported 30 corrective action items as completed in AARTS prior to the dates reflected by supporting documentation (30 percent).1 These items were reported as completed from 1 day to 22 months before dates noted on supporting documentation provided. Twenty- four of the 30 actions were reported as completed two or more months before dates noted on supporting documentation (80 percent). 1 Completion dates could not be verified for 24 of the 123 supported corrective action items (20 percent) due to limitations in the documentation provided by PO audit resolution staff. Final Report ED-OIG/A19E0017 Page 4 of 14 Twenty-two of the 30 action items with incorrect completion dates were from closed audits. For 1 of the 22 actions, we found the action item would not have been completed at the time of audit closure. This audit was closed seven months prior to the actual completion date of this action item. Furthermore, for three corrective action items, we noted data was added to the PO Comments field in the corrective action plan (CAP) indicating an action would not be completed as initially described. This field was used by POs instead of modifying the agreed upon action item to accurately reflect the final decision of management. For example, one corrective action item called for a PO to implement a peer review process. However, the PO Comments field stated the peer review monitoring model had not been funded and would not be implemented. OMB Circular A-50, entitled “Audit Followup,” provides the requirements for establishing systems to assure prompt and proper resolution and implementation of audit recommendations. The Circular states, Audit followup is an integral part of good management, and is a shared responsibility of agency management officials and auditors. Corrective action taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of Government operations. Each agency shall establish systems to assure the prompt and proper resolution and implementation of audit recommendations. These systems shall provide for a complete record of action taken on both monetary and non-monetary findings and recommendations. Under section 7, “Responsibilities,” the Circular states: b. Agency management officials are responsible for receiving and analyzing audit reports, providing timely responses to the audit organization, and taking corrective actions where appropriate…. c. The audit followup official has personal responsibility for ensuring that (1) systems of audit followup, resolution, and corrective action are documented and in place….(4) corrective actions are actually taken. Section 8.a.(4) of the Circular states that systems for resolution and corrective action must, “[M]aintain accurate records of the status of audit reports or recommendations through the entire process of resolution and corrective action.” The Department’s Post Audit User Guide, Section V, “Department Responsibilities/Authorizations,” Chapter 1, Part D, states the Chief Financial Officer is the designated Audit Followup Official (AFUO) for the Department of Education. The Guide also states the AFUO is responsible for: 1. Ensuring that a system of cooperative audit resolution and follow-up is documented and in place, including follow-up to ensure corrective actions are implemented…6. Tracking and following up on all corrective actions to be taken by [Education] ED in response to internal reports issued by ED-OIG…. Final Report ED-OIG/A19E0017 Page 5 of 14 Part E of the same chapter states that the Post Audit Group within the OCFO provides support to the AFUO. The Guide further states PAG/OCFO is responsible for: 1. Monitoring the Department’s compliance with OMB Circular A-50, Audit Follow-up…. 10. Tracking, evaluating and documenting the completion of corrective actions by ED officials in response to internal audits and alternative products issued by ED-OIG…. 19. Reviewing documentation of implemented corrective actions to ensure that pertinent documents are maintained and support closure. This review is performed prior to closure of internal audits issued by ED-OIG…. Section IV, “Internal Audits,” Chapter 1, Part H, states, Upon receipt of the AO's Request for Closure/Certification Memorandum, PAG/OCFO will perform a timely review of documentation to support closure of each recommendation/corrective action. As a result of our previous internal audit followup work, PAG implemented a process for reviewing documentation of implemented corrective actions prior to audit closure. However, we noted several weaknesses with this process. Of the 23 audits included in our review, PAG issued Audit Closure Memos for 16 audits. These 16 audits contained 121 of the 160 corrective action items we reviewed (76 percent). We noted 42 of these 121 corrective action items were identified as reviewed by PAG prior to issuance of the Audit Closure Memos (35 percent). We determined that 11 of the 42 corrective action items reviewed by PAG were not supported by documentation provided by the POs (26 percent). Examples of documentation accepted by PAG follow: • In one audit, the corrective action item stated that each significant information technology (IT) investment proposal will include summary, high-level, life-cycle cost, benefit, and risk estimates.2 The PO’s audit resolution file contained a Business Case template that included each of the four topic areas noted in the action item. However, the template does not provide assurance that the template was completed for each significant IT investment. PAG reviewed this template during its documentation review and accepted it as documentation supporting the completion of the action item. • In another audit, the corrective action stated the PO would followup on audit resolution actions with OCFO and SFA [Student Financial Assistance] to help ensure findings and liabilities were properly resolved.3 The audit file included query results of the single audit database from which the PO randomly selected two grantees to followup with on compliance requirements. The PO stated it was unable to find documentation that it actually followed up on the two audits. PAG did not list the documentation it reviewed 2 Audit Control Number (ACN) A07-C0033: “Audit of Capital Planning and Investment Management,” issued September 2003, Corrective Action 2.1.1. 3 ACN A04-90013: “Office of Higher Education Programs Needs To Improve its Oversight of Parts A and B of the Title III Program,” issued December 2000, Corrective Action Item 2.5.1. Final Report ED-OIG/A19E0017 Page 6 of 14 for this corrective action item. Instead, the documentation review form stated, “Documentation is on file in [the PO].” • In another audit, the corrective action stated the PO would circulate guidance for completion of actions in the FY 2003 Government Paperwork Elimination Act (GPEA) Work Plan through the Information Management Working Group (IMWG) and GPEA Coordinators.4 The audit file contained a copy of the FY 2003 GPEA Work Plan, but there was no documentation showing the circulation of guidance through the individuals noted in the action item. PAG accepted the Work Plan as supporting documentation. During our review, we also noted information contained in PAG’s Documentation Review Forms was not always adequate to assess what information was reviewed to support closure of a corrective action item. We could not always determine what documentation PAG obtained to conclude that supporting documentation was reasonable to support the closing of individual audits. No specific documentation was noted as being reviewed for any of the corrective action items in three audits. The section of the form entitled “List Documentation Below” was simply annotated with “see folder.” A PAG staff member indicated he was referring to the audit file maintained by the PO and did not believe it was a requirement, at the time, to list each piece of documentation on the form. In addition, PAG’s documentation reviews did not ensure the date of the supporting documentation matched the actual completion date reported in AARTS. While PAG had developed internal procedures for its documentation review process in response to OIG’s previous internal audit followup audit, these procedures were not formalized and incorporated into OCFO policy. We also noted that procedures for modifying agreed upon action items were not included in the Department’s AARTS User Manual for Internal Audits. As a result of our review, we found the Department was not in compliance with OMB Circular A-50, and its audit followup system for internal audits was not always effective. The Department does not have assurance that all deficiencies noted in the OIG audits were corrected. As such, the risk remains that related programs may not be effectively managed. Reporting corrective action items as completed when they have not been, or in advance of the actual completion date, compromises the integrity of the data included in AARTS and may negatively impact the Department’s credibility. Management reports on corrective action items due for completion may be understated. In addition, the Department’s Semiannual Report to Congress on Audit Followup may also underreport the audits for which corrective action items have not been completed. By documenting changes to agreed upon action items in the AARTS PO Comments field, OIG did not have the opportunity to concur or nonconcur with the revised action item as being sufficient to address the issues noted during the audit. 4 ACN A11-C0009: “Audit of the Implementation of the Government Paperwork Elimination Act (GPEA),” issued September 2002, Corrective Action 1.2.2. Final Report ED-OIG/A19E0017 Page 7 of 14 Recommendations We recommend that the Deputy Chief Financial Officer: 1.1 Develop and implement a process to periodically report to the Department’s senior management on the adequacy of AO systems for followup on internal corrective actions, and the overall effectiveness of the Department’s internal audit followup system, based on the reviews of audit followup documentation and other related factors currently tracked by the Department. 1.2 Ensure PAG staff accept from POs only documentation that adequately supports completion of the stated corrective action items prior to closing audits. 1.3 Formalize and implement PAG documentation review process procedures. Ensure the procedures include instructions for completing the documentation review forms and determining whether completion dates reported in AARTS are supported by documentation provided. 1.4 Update the AARTS User Manual for Internal Audits to include direction for POs on how to modify corrective action items after they have been accepted by the OIG. OCFO Response: In response to our draft report, OCFO concurred with our finding and provided a proposed corrective action plan to address each recommendation. However, OCFO did not agree with the wording of recommendation 1.2 because it believes it is the PO’s responsibility to provide PAG with documentation that it believes supports completion of a corrective action. OCFO stated that as written, the recommendation places the responsibility entirely on PAG. Overall, OCFO stated PAG will develop and implement a process to annually report to the Department’s senior management on the adequacy of AO systems for followup on internal corrective actions, and the overall effectiveness of the Department’s internal audit followup system. OCFO also indicated that PAG will work with the POs to ensure that documentation provided by POs supported completion of stated corrective actions prior to closing audits. In addition, PAG has revised its documentation review process procedures to include more detailed guidance for completing the documentation review form, which includes an area for the PAG Specialist to check whether the completion dates reported in AARTS matched the documentation reviewed. OCFO also said the AARTS User Manual will be updated over the next twelve months, and in the interim, PAG will provide written instructions to POs on how to modify corrective action items after they have been accepted by the OIG. OIG Comments: While each PO is responsible for providing documentation to support completion of corrective action items, PAG is ultimately responsible for acceptance or rejection of supporting documentation prior to granting audit closure. As indicated in our audit results, we found PAG accepted some documentation that was not sufficient to support completion of the corrective Final Report ED-OIG/A19E0017 Page 8 of 14 action items. OIG believes the related recommendation accurately reflects PAG’s responsibility. No changes have been made. OBJECTIVE, SCOPE, AND METHODOLOGY The objective of our audit was to evaluate the Department’s controls to ensure that agreed upon corrective actions have been taken in response to OIG issued internal audit reports. To accomplish our objective, we performed a review of internal control applicable to the Department’s audit followup process. We reviewed applicable laws and regulations, and Department policies and procedures. We conducted interviews with Department staff responsible for resolving and following up on corrective action items for the audits selected. We also reviewed documentation provided by Department staff to support completion of the corrective action items included in our review. The universe of our audit included corrective action items associated with recommendations from OIG issued internal audit reports completed between July 1, 2002 and September 30, 2004 for non-FSA audits, and July 1, 2002 through July 31, 2004 for FSA audits. Using AARTS, we identified a total of 573 recommendations with completion dates between July 1, 2002 and September 30, 2004. We excluded from our review recommendations from recurring audits, such as annual financial statement audits, information security audits, or those with prior or planned followup audits so as not to duplicate audit effort. This resulted in a universe consisting of 174 recommendations, as shown below by PO. Table 1 Audit Reports and Completed Recommendations in Universe – By PO PO Title PO Acronym Number of Audit Number of Completed Reports Recommendations Office of the Chief Information Officer OCIO 5 39 Office of the Chief Financial Officer OCFO 5 33 Federal Student Aid FSA 12 33 Office of Postsecondary Education OPE 6 26 Office of Intergovernmental and Interagency OIIA 1 18 Affairs Office of Management OM 2 9 Office of Elementary and Secondary Education OESE 2 6 Office of Special Education and Rehabilitative OSERS 2 5 Services Office of Vocational and Adult Education OVAE 1 3 Office of the Deputy Secretary ODS 1 1 Office of the Under Secretary OUS 1 1 TOTAL 38 174 Final Report ED-OIG/A19E0017 Page 9 of 14 We refined our universe to include only those offices that had five or more audit reports issued within our scope period, as shown below: Table 2 Audit Reports and Completed Recommendations within Audit Scope – By PO PO Number of Audit Number of Completed Reports Recommendations FSA 9 27 OPE 6 26 OCIO 5 39 OCFO 5 33 TOTAL 25 125 We determined that the resulting applicable universe of action items consisted of the following: Table 3 Audit Reports and Applicable Corrective Action Items – By PO PO Number of Audit Number of Reports Corrective Action Items FSA 9 45 OPE 6 30 OCIO 5 60 OCFO 5 39 TOTAL 25 174 We further excluded certain action items from our review. This included action items worded such that completion could not be readily assessed. As a result, our universe consisted of the following: Table 4 Audit Reports and Applicable Corrective Action Items – By PO PO Number of Audit Number of Reports Corrective Action Items FSA 9 43 OPE 4 22 OCIO 5 57 OCFO 5 38 TOTAL 23 160 We reviewed each of the 160 corrective action items from the 23 audits noted in Table 4. Final Report ED-OIG/A19E0017 Page 10 of 14 We relied on computer-processed data initially obtained from AARTS to identify corrective action items applicable to the scope period. An alternative data source is not available to directly test the completeness of the corrective action items as reported in AARTS. However, we tested the accuracy of AARTS data by comparing AARTS data to supporting documentation. We also conducted a limited review of AARTS data controls and relied on feedback from resolution staff to gain additional assurance relating to the completeness and accuracy of AARTS data. Based on these tests and assessments, we determined that the computer-processed data was sufficiently reliable for the purpose of our audit. Our review was based on the corrective action items defined by PO staff in their CAPs and agreed upon by OIG in the audit resolution process. We reviewed and analyzed documentation in the POs’ audit resolution files to determine whether completion of each selected corrective action item was supported. In cases where documentation in the file did not support completion of the action item, we provided the POs with an opportunity to provide additional documentation from other sources. We reviewed any additional documentation subsequently provided to make a final determination as to whether completion of the corrective action items was then supported. In addition, we verified the reported completion dates in AARTS against the supporting documentation provided, where possible, for those corrective action items that were supported. We conducted fieldwork at Department offices in Washington, DC, during the period July 2004 through October 2005. We held an exit conference with Department staff on November 10, 2005. Our audit was performed in accordance with generally accepted government auditing standards appropriate to the scope of the review described above. ADMINISTRATIVE MATTERS Corrective actions proposed (resolution phase) and implemented (closure phase) by your office(s) will be monitored and tracked through the Department’s Audit Accountability and Resolution Tracking System (AARTS). ED policy requires that you develop a final corrective action plan (CAP) for our review in the automated system within 30 days of the issuance of this report. The CAP should set forth the specific action items, and targeted completion dates, necessary to implement final corrective actions on the finding and recommendations contained in this final audit report. An electronic copy of this report has been provided to your Audit Liaison Officer. In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is required to report to Congress twice a year on the audits that remain unresolved after six months from the date of issuance. In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act. Final Report ED-OIG/A19E0017 Page 11 of 14 If you have any questions, please call Michele Weaver-Dugan, Director, Operations Internal Audit Team, at (202) 245-6941. Sincerely, Helen Lew /s/ Assistant Inspector General for Audit Services Attachments Final Report ED-OIG/A19E0017 Page 12 of 14 Attachment 1: PO Reports Issued In Conjunction with this Audit Number Audit Title PO Final Report Control Date Number 1 A19F0001 Audit Followup Process for Office of FSA 9/8/2005 Inspector General Internal Audits in Federal Student Aid 2 A19F0002 Audit Followup Process for Office of OPE 9/15/2005 Inspector General Internal Audits in the Office of Postsecondary Education 3 A19F0003 Audit Followup Process for Office of OCIO 9/21/2005 Inspector General Internal Audits in the Office of the Chief Information Officer 4 A19F0004 Audit Followup Process for Office of OCFO 11/4/2005 Inspector General Internal Audits in the Office of the Chief Financial Officer Final Report ED-OIG/A19E0017 Page 13 of 14 Attachment 2: Audit Reports Reviewed in this Audit Number Audit Control Report Title Report PO Number of Number Issue Date Corrective Action Items 1 A05D0001 Audit of Educational Credit 3/20/03 FSA 2 Management Corporation’s Administration of the Federal Family Education Loan Program Federal and Operating Funds for the period April 1, 2000 through March 31, 2001. 2 A06A0020 Audit of the Effectiveness of the 3/28/02 FSA 4 Department’s Student Financial Aid Application Verification Process 3 A19C0006 Audit of the Department of 10/31/02 FSA 7 Education’s Controls Over the Access, Disclosure, and Use of Social Security Numbers by Third Parties. 4 A19D0002 Audit of the Department of 12/23/03 FSA 8 Education’s Monitoring of Private Collection Agency Contractors 5 A0190005 Audit of the Recertification Process for 9/29/00 FSA 1 Foreign Schools 6 A05D0010 Audit of Oversight Issues Related to 7/31/03 FSA 2 Guaranty Agencies’ Administration of the Federal Family Education Loan Program Federal and Operating Funds. 7 A07B0008 Audit of FSA’s Modernization Partner 11/20/02 FSA 7 Agreement 8 A19B0001 Audit of Controls over Government 3/15/02 FSA 9 Property Provided under Federal Student Aid Contracts 9 A03B0001 Audit of Procedures at Federal Student 8/22/02 FSA 3 Aid for Monitoring the Ability-to- Benefit Test Publishers Approved by the U.S. Department of Education 10 A0790034 Department Controls Over TRIO 1/4/02 OPE 7 Grantee Monitoring 11 A0490013 Office of Higher Education Programs 12/27/00 OPE 6 Needs To Improve its Oversight of Parts A and B of the Title III Program 12 A0490014 Review of Title III Program, HEA, 6/30/00 OPE 7 Compliance with GPRA Requirements for Implementation of Performance Indicators 13 A07A0033 Gaining Early Awareness and 6/7/02 OPE 2 Readiness for Undergraduate Programs 14 A11A0011 Audit of the Department’s Records 9/27/01 OCIO 14 Management Program 15 A11D0001 Phase II Audit of the Department’s 3/28/03 OCIO 15 Critical Infrastructure Protection Program Final Report ED-OIG/A19E0017 Page 14 of 14 16 A11C0009 Implementation of the Government 9/30/02 OCIO 8 Paperwork Elimination Act 17 A19B0011 Audit of Controls over Government 10/24/02 OCIO 13 Calling Cards 18 A07C0033 Audit of Capital Planning and 9/12/03 OCIO 7 Investment Management 19 A17D0001 United States Department of 10/6/03 OCFO 5 Education: Office of the Chief Financial Officer - Contracting and Purchasing Operations Compliance with Appropriation Law 20 A19B0009 Audit of The Department of 9/20/02 OCFO 23 Education's process for identifying and Monitoring High-Risk Contracts that Support Office of Educational Research and Improvement (OERI) Programs 21 A19C0004 Audit of Funds Not Recovered Due to 1/6/04 OCFO 6 the Statute of Limitations 22 A19B0010 Audit of Controls over Government 3/7/02 OCFO 3 Travel Cards 23 A17E0001 Reconciliation of Principal Office 7/8/04 OCFO 1 Records to the United States Department of Education Central Automated Processing System Total 160 Attachment 3 UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF THE CHIEF FINANCIAL OFFICER MEMORANDUM FEB I 2006 To: Michelle Weaver-Dugan, Director Operations Internal Audit Team Office of Inspector General From: Danny A. Harris, PhD~. \~i Deputy Chief Financial Officer Subject: Draft Audit Report: Audit of the Department of Education's Followup Process for Internal Audits, Audit Control Number A19-E0017 Thank you for the opportunity to respond to the above referenced draft audit report. The Office of the Chief Financial Officer (OCFO) generally concurs with the report's finding and recommendations. Overall, the subject report disclosed that the Department's Audit Followup System for Internal OIG Audits was not always effective. While the Department acknowledges that improvements are needed, significant action has been taken to automate the tracking, reporting and management of its audit followup activities, and improve guidance and standards for documenting completed corrective actions. The following are our proposed corrective actions to address the four recommendations cited in your audit. Recommendation 1.1 Develop and implement a process to periodically report to the Department's senior management on the adequacy of Action Official's (AO) systems for followup on internal corrective actions, and the overall effectiveness of the Department's internal audit followup system, based on the review of audit followup documentation and other related factors currently tracked by the Department. OCFO's Response We concur with this recommendation. OCFO's Post Audit Group (P AG) will develop and implement a process to annually report to the Department's senior management on the adequacy of AO systems for followup on internal corrective actions, and the overall effectiveness of the Department's internal audit followup system. The annual report will be based on the review of audit followup documentation and other related factors that will be tracked by PAG. P AG will meet with the Audit Liaison Officers to briefthem on OIG's finding and recommendation, PAG's process for reviewing audit followup documentation, as well as the Principal Office's responsibility in the process. Recommendation 1.2 Ensure PAG staff accepts from POs only documentation that adequately supports completion of the stated corrective action items prior to closing audits. 400 MARYLAND AVE., S.W., WASHINGTON, D.C. 20202-4300 www.ed.gov Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation. ACN A19-E0017 P.2 OCFO's Response We concur with the recommendation that only documentation that adequately supports completion of the stated corrective action be used in determining audit closure. However, we continue to believe that it is the PO's responsibility to provide PAG with documentation that it believes supports completion of a corrective llction. The recommendation, as written, places the responsibility entirely on P AG. P AG will work with the POs to ensure that documentation provided by POs supports completion of stated corrective actions prior to closing audits. Recommendation 1.3 Formalize and implement PAG documentation review process procedures. Ensure the procedures include instructions for completing the documentation review forms and determining whether completion dates reported in AARTS are supported by documentation provided. OCFO's Response We concur with this recommendation and have already taken some action to address it. In this regard, PAG had formal documentation review process procedures in effect when OIG performed its audit. All P AG staff involved in the documentation review process were provided a copy of the document. In response to ~IG's recent audit entitled Audit Followup Process for Office of Inspector General Internal Audits in the Office of the Chief Financial Officer (ACN-19-F0004), PAG revised its documentation review process procedures to include more detailed guidance for completing the documentation review form. P AG also revised the documentation review form to include an area for the PAG Specialist to check whether the completion dates reported in AARTS matched the documentation reviewed. P AG will review its detailed guidance and review form again, in light of this recommendation and Recommendation 1.2. Changes will be made as appropriate. Recommendation 1.4 Update the AARTS User Manual for Internal Audits to include directions for POs on how to modify corrective action items after they have been accepted by the OIG. OCFO's Response We concur with this recommendation. The updating of the AARTS User Manual is planned over the next twelve months. In the interim, to address this recommendation, P AG will provide written instructions to POs on how to modify corrective action items after they have been accepted by the OIG. If you have any questions, please contact Gail Cornish, Management Analyst, Post Audit Group at (202) 401-2853.
Audit of the Department of Education's Followup Process for Internal Audits.
Published by the Department of Education, Office of Inspector General on 2006-02-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)