oversight

Audit of the Department of Education's Followup Process for Internal Audits.

Published by the Department of Education, Office of Inspector General on 2006-02-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          UNITED STATES DEPARTMENT OF EDUCATION 

                               OFFICE OF INSPECTOR GENERAL 


                                            400 MARYLAND AVENUE, S.W.
                                             WASHINGTON, DC 20202-1500




                                                     February 27, 2006
                                                                                               Control Number
                                                                                               ED-OIG/A19E0017

Danny Harris
Deputy Chief Financial Officer
U.S. Department of Education
Office of the Chief Financial Officer
400 Maryland Avenue, S.W.
Washington, DC 20202

Dear Mr. Harris:

This Final Audit Report, entitled Audit of the Department of Education’s Followup Process for
Internal Audits, presents the results of our audit. The purpose of the audit was to evaluate the
Department of Education’s (Department) controls to ensure that agreed upon corrective actions
have been taken in response to Office of Inspector General (OIG) issued internal audit reports.
Our review covered the period July 1, 2002 through September 30, 2004.




                                                   BACKGROUND 



Office of Management and Budget (OMB) Circular A-50, entitled “Audit Followup” requires
that each agency designate a top management official to oversee audit followup, including
resolution and corrective action. It also states the audit followup official has the responsibility
for ensuring corrective actions are taken. The Department’s designated followup official is the
Chief Financial Officer (CFO). Within the Office of the Chief Financial Officer (OCFO), the
Post Audit Group (PAG) is responsible for assisting the CFO in the audit followup process.

The Department tracks audit resolution and the completion of corrective action items through the
Audit Accountability and Resolution Tracking System (AARTS). AARTS is a web-based
application designed to assist the Department’s management with audit reporting and followup
activities. The AARTS User Manual for OIG Issued Internal Audits states that an action has
been “completed” when “The PO [Principal Office] Writer, PO Reviewer, and PO Authorizer
enter the “Actual Completion” dates for the Action Items . . ..”



          Our mission is to promote the efficiency, effectiveness, and integrity of the Department’s programs and operations.
Final Report
ED-OIG/A19E0017                                                                       Page 2 of 14

The Department has established a Post Audit User Guide (Guide) to provide policy and
procedures for the audit resolution and followup process. The Guide provides that each
Assistant Secretary (or equivalent office head) is responsible for ensuring that the overall audit
followup process operates efficiently and consistently. The Guide defines further responsibilities
of the Action Official (AO), generally an Assistant Secretary or equivalent office head, to
include:

        • 	 Determining the action to be taken and the financial adjustments to be made in
            resolving findings in audit reports concerning respective program areas of
            responsibility, and
        • 	 Maintaining formal, documented systems of cooperative audit resolution and
            follow-up to ensure that audit recommendations are implemented, completion
            dates captured, and appropriate documentation maintained to support
            completed corrective actions.

The Guide also defines roles and responsibilities for PAG that include:

   • 	 Ensuring that AOs have appropriate audit followup systems in place and that 

       these systems are being effectively used, 

   • 	 Monitoring the Department’s compliance with OMB Circular A-50, and
   • 	 Ensuring the overall effectiveness of the Department’s audit followup system.

In October 2001, the OIG issued a report entitled: “Audit of Controls Over the Audit Followup
Process,” (Control Number EDOIG/A19B0002). OIG reported that corrective actions were not
always implemented, were not fully implemented, or were implemented after the reported
completion date. In addition, OIG found that AOs did not certify that all corrective actions were
implemented, and program offices did not have completed records of corrective actions taken.
As a result of these findings, OIG concluded that reporting actions as completed that are not
actually implemented, are not fully implemented, or are implemented after the reported
completion date, compromises the Department’s audit followup process and negatively impacts
its credibility.

This report presents the results of our recent audit of the Department’s audit followup process for
internal OIG audits. It combines the results of work conducted within four POs. In conducting
this audit, separate reports were issued to POs with responsibility for audit resolution and
followup for the audits included in our scope. A listing of these reports is included as
Attachment 1 to this report. The following POs were included in our audit:

   •	   Federal Student Aid (FSA)
   •	   Office of Postsecondary Education (OPE)
   •	   Office of the Chief Information Officer (OCIO)
   •	   Office of the Chief Financial Officer (OCFO)

A listing of the audits reviewed is included as Attachment 2 to this report.
Final Report
ED-OIG/A19E0017                                                                                       Page 3 of 14



                                            AUDIT RESULTS 



We found that the Department’s audit followup system was not always effective. PAG did not
fulfill its responsibilities to ensure that AOs had systems in place to followup on corrective
actions, monitor the Department’s compliance with OMB Circular A-50, and ensure the overall
effectiveness of the Department’s audit resolution and followup system. In total, we found audit
followup activities were not effective for 16 of the 23 audits reviewed. As a result, the
Department did not have assurance that corrective actions were completed for 37 of the 160
action items reviewed. The risk remains that related programs may not be effectively managed.

In its response, OCFO generally concurred with the finding and recommendations in the draft
report. The comments are summarized at the end of the finding along with the OIG’s response.
The full text of OCFO’s comments is included as Attachment 3 to this report.


FINDING – PAG Did Not Ensure the Department’s Audit Followup System for
          Internal OIG Audits was Effective

PAG did not fulfill its responsibilities to ensure that the Department’s audit followup system for
internal OIG audits was operating effectively. Specifically, we found that PAG did not
effectively:

    • 	 Ensure that AOs had systems in place to follow up on corrective actions,
    • 	 Monitor the Department’s compliance with OMB Circular A-50, and
    • 	 Ensure the overall effectiveness of the Department’s audit resolution and followup
        system.

During our review, we identified corrective action items established by the Department during
the resolution of internal OIG audits. The 23 audits reviewed included a total of 108 completed
recommendations consisting of 160 corrective action items. We discussed the audit followup
process with PO staff, and evaluated documentation maintained by the POs to determine whether
the corrective action items were actually completed. We found that in 16 of the 23 audits, for 37
of the 160 corrective action items (23 percent), the Department did not have documentation
sufficient to support completion of the action items.

In addition, for the 99 corrective action items for which completion dates could be verified, we
found PO staff reported 30 corrective action items as completed in AARTS prior to the dates
reflected by supporting documentation (30 percent).1 These items were reported as completed
from 1 day to 22 months before dates noted on supporting documentation provided. Twenty-
four of the 30 actions were reported as completed two or more months before dates noted on
supporting documentation (80 percent).


1
  Completion dates could not be verified for 24 of the 123 supported corrective action items (20 percent) due to
limitations in the documentation provided by PO audit resolution staff.
Final Report
ED-OIG/A19E0017                                                                       Page 4 of 14

Twenty-two of the 30 action items with incorrect completion dates were from closed audits. For
1 of the 22 actions, we found the action item would not have been completed at the time of audit
closure. This audit was closed seven months prior to the actual completion date of this action
item.

Furthermore, for three corrective action items, we noted data was added to the PO Comments
field in the corrective action plan (CAP) indicating an action would not be completed as initially
described. This field was used by POs instead of modifying the agreed upon action item to
accurately reflect the final decision of management. For example, one corrective action item
called for a PO to implement a peer review process. However, the PO Comments field stated the
peer review monitoring model had not been funded and would not be implemented.

OMB Circular A-50, entitled “Audit Followup,” provides the requirements for establishing
systems to assure prompt and proper resolution and implementation of audit recommendations.
The Circular states,

       Audit followup is an integral part of good management, and is a shared
       responsibility of agency management officials and auditors. Corrective action
       taken by management on resolved findings and recommendations is essential to
       improving the effectiveness and efficiency of Government operations. Each
       agency shall establish systems to assure the prompt and proper resolution and
       implementation of audit recommendations. These systems shall provide for a
       complete record of action taken on both monetary and non-monetary findings and
       recommendations.

Under section 7, “Responsibilities,” the Circular states:

       b. 	 Agency management officials are responsible for receiving and analyzing
            audit reports, providing timely responses to the audit organization, and taking
            corrective actions where appropriate….
       c. 	 The audit followup official has personal responsibility for ensuring that (1)
            systems of audit followup, resolution, and corrective action are documented
            and in place….(4) corrective actions are actually taken.

Section 8.a.(4) of the Circular states that systems for resolution and corrective action must,
“[M]aintain accurate records of the status of audit reports or recommendations through the entire
process of resolution and corrective action.”

The Department’s Post Audit User Guide, Section V, “Department
Responsibilities/Authorizations,” Chapter 1, Part D, states the Chief Financial Officer is the
designated Audit Followup Official (AFUO) for the Department of Education. The Guide also
states the AFUO is responsible for:

       1. Ensuring that a system of cooperative audit resolution and follow-up is
       documented and in place, including follow-up to ensure corrective actions are
       implemented…6. Tracking and following up on all corrective actions to be taken
       by [Education] ED in response to internal reports issued by ED-OIG….
Final Report
ED-OIG/A19E0017                                                                                 Page 5 of 14

Part E of the same chapter states that the Post Audit Group within the OCFO provides support to
the AFUO. The Guide further states PAG/OCFO is responsible for:

        1. Monitoring the Department’s compliance with OMB Circular A-50, Audit
        Follow-up…. 10. Tracking, evaluating and documenting the completion of
        corrective actions by ED officials in response to internal audits and alternative
        products issued by ED-OIG…. 19. Reviewing documentation of implemented
        corrective actions to ensure that pertinent documents are maintained and support
        closure. This review is performed prior to closure of internal audits issued by
        ED-OIG….

Section IV, “Internal Audits,” Chapter 1, Part H, states,

        Upon receipt of the AO's Request for Closure/Certification Memorandum,
        PAG/OCFO will perform a timely review of documentation to support closure of
        each recommendation/corrective action.

As a result of our previous internal audit followup work, PAG implemented a process for
reviewing documentation of implemented corrective actions prior to audit closure. However, we
noted several weaknesses with this process.

Of the 23 audits included in our review, PAG issued Audit Closure Memos for 16 audits. These
16 audits contained 121 of the 160 corrective action items we reviewed (76 percent). We noted
42 of these 121 corrective action items were identified as reviewed by PAG prior to issuance of
the Audit Closure Memos (35 percent). We determined that 11 of the 42 corrective action items
reviewed by PAG were not supported by documentation provided by the POs (26 percent).
Examples of documentation accepted by PAG follow:

    • 	 In one audit, the corrective action item stated that each significant information
        technology (IT) investment proposal will include summary, high-level, life-cycle cost,
        benefit, and risk estimates.2 The PO’s audit resolution file contained a Business Case
        template that included each of the four topic areas noted in the action item. However, the
        template does not provide assurance that the template was completed for each significant
        IT investment. PAG reviewed this template during its documentation review and
        accepted it as documentation supporting the completion of the action item.

    • 	 In another audit, the corrective action stated the PO would followup on audit resolution
        actions with OCFO and SFA [Student Financial Assistance] to help ensure findings and
        liabilities were properly resolved.3 The audit file included query results of the single
        audit database from which the PO randomly selected two grantees to followup with on
        compliance requirements. The PO stated it was unable to find documentation that it
        actually followed up on the two audits. PAG did not list the documentation it reviewed


2
  Audit Control Number (ACN) A07-C0033: “Audit of Capital Planning and Investment Management,” issued

September 2003, Corrective Action 2.1.1. 

3
  ACN A04-90013: “Office of Higher Education Programs Needs To Improve its Oversight of Parts A and B of the 

Title III Program,” issued December 2000, Corrective Action Item 2.5.1. 

Final Report
ED-OIG/A19E0017                                                                             Page 6 of 14

        for this corrective action item. Instead, the documentation review form stated,
        “Documentation is on file in [the PO].”

    • 	 In another audit, the corrective action stated the PO would circulate guidance for
        completion of actions in the FY 2003 Government Paperwork Elimination Act (GPEA)
        Work Plan through the Information Management Working Group (IMWG) and GPEA
        Coordinators.4 The audit file contained a copy of the FY 2003 GPEA Work Plan, but
        there was no documentation showing the circulation of guidance through the individuals
        noted in the action item. PAG accepted the Work Plan as supporting documentation.

During our review, we also noted information contained in PAG’s Documentation Review
Forms was not always adequate to assess what information was reviewed to support closure of a
corrective action item. We could not always determine what documentation PAG obtained to
conclude that supporting documentation was reasonable to support the closing of individual
audits. No specific documentation was noted as being reviewed for any of the corrective action
items in three audits. The section of the form entitled “List Documentation Below” was simply
annotated with “see folder.” A PAG staff member indicated he was referring to the audit file
maintained by the PO and did not believe it was a requirement, at the time, to list each piece of
documentation on the form. In addition, PAG’s documentation reviews did not ensure the date
of the supporting documentation matched the actual completion date reported in AARTS.

While PAG had developed internal procedures for its documentation review process in response
to OIG’s previous internal audit followup audit, these procedures were not formalized and
incorporated into OCFO policy. We also noted that procedures for modifying agreed upon
action items were not included in the Department’s AARTS User Manual for Internal Audits.

As a result of our review, we found the Department was not in compliance with OMB Circular
A-50, and its audit followup system for internal audits was not always effective. The
Department does not have assurance that all deficiencies noted in the OIG audits were corrected.
As such, the risk remains that related programs may not be effectively managed.

Reporting corrective action items as completed when they have not been, or in advance of the
actual completion date, compromises the integrity of the data included in AARTS and may
negatively impact the Department’s credibility. Management reports on corrective action items
due for completion may be understated. In addition, the Department’s Semiannual Report to
Congress on Audit Followup may also underreport the audits for which corrective action items
have not been completed.

By documenting changes to agreed upon action items in the AARTS PO Comments field, OIG
did not have the opportunity to concur or nonconcur with the revised action item as being
sufficient to address the issues noted during the audit.




4
 ACN A11-C0009: “Audit of the Implementation of the Government Paperwork Elimination Act (GPEA),” issued
September 2002, Corrective Action 1.2.2.
Final Report
ED-OIG/A19E0017                                                                    Page 7 of 14

Recommendations

We recommend that the Deputy Chief Financial Officer:

1.1 	   Develop and implement a process to periodically report to the Department’s senior
        management on the adequacy of AO systems for followup on internal corrective actions,
        and the overall effectiveness of the Department’s internal audit followup system, based
        on the reviews of audit followup documentation and other related factors currently
        tracked by the Department.

1.2 	   Ensure PAG staff accept from POs only documentation that adequately supports
        completion of the stated corrective action items prior to closing audits.

1.3 	   Formalize and implement PAG documentation review process procedures. Ensure the
        procedures include instructions for completing the documentation review forms and
        determining whether completion dates reported in AARTS are supported by
        documentation provided.

1.4 	   Update the AARTS User Manual for Internal Audits to include direction for POs on how
        to modify corrective action items after they have been accepted by the OIG.


OCFO Response:

In response to our draft report, OCFO concurred with our finding and provided a proposed
corrective action plan to address each recommendation. However, OCFO did not agree with the
wording of recommendation 1.2 because it believes it is the PO’s responsibility to provide PAG
with documentation that it believes supports completion of a corrective action. OCFO stated that
as written, the recommendation places the responsibility entirely on PAG.

Overall, OCFO stated PAG will develop and implement a process to annually report to the
Department’s senior management on the adequacy of AO systems for followup on internal
corrective actions, and the overall effectiveness of the Department’s internal audit followup
system. OCFO also indicated that PAG will work with the POs to ensure that documentation
provided by POs supported completion of stated corrective actions prior to closing audits. In
addition, PAG has revised its documentation review process procedures to include more detailed
guidance for completing the documentation review form, which includes an area for the PAG
Specialist to check whether the completion dates reported in AARTS matched the documentation
reviewed. OCFO also said the AARTS User Manual will be updated over the next twelve
months, and in the interim, PAG will provide written instructions to POs on how to modify
corrective action items after they have been accepted by the OIG.

OIG Comments:

While each PO is responsible for providing documentation to support completion of corrective
action items, PAG is ultimately responsible for acceptance or rejection of supporting
documentation prior to granting audit closure. As indicated in our audit results, we found PAG
accepted some documentation that was not sufficient to support completion of the corrective
   Final Report
   ED-OIG/A19E0017                                                                       Page 8 of 14

   action items. OIG believes the related recommendation accurately reflects PAG’s responsibility.
   No changes have been made.




                       OBJECTIVE, SCOPE, AND METHODOLOGY 



   The objective of our audit was to evaluate the Department’s controls to ensure that agreed upon
   corrective actions have been taken in response to OIG issued internal audit reports. To
   accomplish our objective, we performed a review of internal control applicable to the
   Department’s audit followup process. We reviewed applicable laws and regulations, and
   Department policies and procedures. We conducted interviews with Department staff
   responsible for resolving and following up on corrective action items for the audits selected. We
   also reviewed documentation provided by Department staff to support completion of the
   corrective action items included in our review.

   The universe of our audit included corrective action items associated with recommendations
   from OIG issued internal audit reports completed between July 1, 2002 and September 30, 2004
   for non-FSA audits, and July 1, 2002 through July 31, 2004 for FSA audits. Using AARTS, we
   identified a total of 573 recommendations with completion dates between July 1, 2002 and
   September 30, 2004. We excluded from our review recommendations from recurring audits,
   such as annual financial statement audits, information security audits, or those with prior or
   planned followup audits so as not to duplicate audit effort. This resulted in a universe consisting
   of 174 recommendations, as shown below by PO.


                                           Table 1

               Audit Reports and Completed Recommendations in Universe – By PO 


                    PO Title                     PO Acronym   Number of Audit     Number of Completed
                                                                 Reports          Recommendations
Office of the Chief Information Officer             OCIO              5                        39
Office of the Chief Financial Officer               OCFO               5                       33
Federal Student Aid                                  FSA              12                       33
Office of Postsecondary Education                   OPE               6                        26
Office of Intergovernmental and Interagency         OIIA              1                        18
Affairs
Office of Management                                OM                2                         9
Office of Elementary and Secondary Education       OESE               2                         6
Office of Special Education and Rehabilitative     OSERS              2                         5
Services
Office of Vocational and Adult Education            OVAE               1                        3
Office of the Deputy Secretary                       ODS               1                        1
Office of the Under Secretary                        OUS               1                        1
TOTAL                                                                 38                       174
Final Report
ED-OIG/A19E0017                                                                      Page 9 of 14


We refined our universe to include only those offices that had five or more audit reports issued
within our scope period, as shown below:

                                       Table 2

       Audit Reports and Completed Recommendations within Audit Scope – By PO 


                  PO           Number of Audit       Number of Completed
                                  Reports             Recommendations
            FSA                      9                       27
            OPE                      6                       26
            OCIO                     5                       39
            OCFO                     5                       33
            TOTAL                   25                      125

We determined that the resulting applicable universe of action items consisted of the following:

                                         Table 3
           Audit Reports and Applicable Corrective Action Items – By PO

                       PO             Number of Audit         Number of
                                         Reports           Corrective Action
                                                                Items
                    FSA                       9                   45
                    OPE                       6                   30
                    OCIO                       5                  60
                    OCFO                      5                   39
                    TOTAL                     25                 174


We further excluded certain action items from our review. This included action items worded
such that completion could not be readily assessed. As a result, our universe consisted of the
following:

                                         Table 4

               Audit Reports and Applicable Corrective Action Items – By PO 


                       PO             Number of Audit         Number of
                                         Reports           Corrective Action
                                                                Items
                    FSA                       9                   43
                    OPE                       4                   22
                    OCIO                       5                  57
                    OCFO                      5                   38
                    TOTAL                     23                 160

We reviewed each of the 160 corrective action items from the 23 audits noted in Table 4.
Final Report
ED-OIG/A19E0017                                                                       Page 10 of 14

We relied on computer-processed data initially obtained from AARTS to identify corrective
action items applicable to the scope period. An alternative data source is not available to directly
test the completeness of the corrective action items as reported in AARTS. However, we tested
the accuracy of AARTS data by comparing AARTS data to supporting documentation. We also
conducted a limited review of AARTS data controls and relied on feedback from resolution staff
to gain additional assurance relating to the completeness and accuracy of AARTS data. Based
on these tests and assessments, we determined that the computer-processed data was sufficiently
reliable for the purpose of our audit.

Our review was based on the corrective action items defined by PO staff in their CAPs and
agreed upon by OIG in the audit resolution process. We reviewed and analyzed documentation
in the POs’ audit resolution files to determine whether completion of each selected corrective
action item was supported. In cases where documentation in the file did not support completion
of the action item, we provided the POs with an opportunity to provide additional documentation
from other sources. We reviewed any additional documentation subsequently provided to make
a final determination as to whether completion of the corrective action items was then supported.
In addition, we verified the reported completion dates in AARTS against the supporting
documentation provided, where possible, for those corrective action items that were supported.

We conducted fieldwork at Department offices in Washington, DC, during the period July 2004
through October 2005. We held an exit conference with Department staff on November 10,
2005. Our audit was performed in accordance with generally accepted government auditing
standards appropriate to the scope of the review described above.




                            ADMINISTRATIVE MATTERS



Corrective actions proposed (resolution phase) and implemented (closure phase) by your
office(s) will be monitored and tracked through the Department’s Audit Accountability and
Resolution Tracking System (AARTS). ED policy requires that you develop a final corrective
action plan (CAP) for our review in the automated system within 30 days of the issuance of this
report. The CAP should set forth the specific action items, and targeted completion dates,
necessary to implement final corrective actions on the finding and recommendations contained in
this final audit report. An electronic copy of this report has been provided to your Audit Liaison
Officer.

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector
General is required to report to Congress twice a year on the audits that remain unresolved after
six months from the date of issuance.

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office
of Inspector General are available to members of the press and general public to the extent
information contained therein is not subject to exemptions in the Act.
Final Report
ED-OIG/A19E0017                                                                  Page 11 of 14

If you have any questions, please call Michele Weaver-Dugan, Director, Operations Internal
Audit Team, at (202) 245-6941.

                                           Sincerely, 



                                           Helen Lew /s/ 

                                           Assistant Inspector General for Audit Services


Attachments
Final Report
ED-OIG/A19E0017                                                           Page 12 of 14


       Attachment 1: PO Reports Issued In Conjunction with this Audit
 Number      Audit                       Title                   PO     Final Report
            Control                                                         Date
            Number
   1       A19F0001   Audit Followup Process for Office of       FSA      9/8/2005
                      Inspector General Internal Audits in
                      Federal Student Aid
   2       A19F0002   Audit Followup Process for Office of       OPE     9/15/2005
                      Inspector General Internal Audits in the
                      Office of Postsecondary Education
   3       A19F0003   Audit Followup Process for Office of       OCIO    9/21/2005
                      Inspector General Internal Audits in the
                      Office of the Chief Information Officer
   4       A19F0004   Audit Followup Process for Office of       OCFO    11/4/2005
                      Inspector General Internal Audits in the
                      Office of the Chief Financial Officer
 Final Report
 ED-OIG/A19E0017                                                                       Page 13 of 14

               Attachment 2: Audit Reports Reviewed in this Audit
Number   Audit Control                Report Title                    Report     PO        Number of
           Number                                                   Issue Date             Corrective
                                                                                          Action Items
  1       A05D0001       Audit of Educational Credit                 3/20/03     FSA           2
                         Management Corporation’s
                         Administration of the Federal Family
                         Education Loan Program Federal and
                         Operating Funds for the period April 1,
                         2000 through March 31, 2001.
  2       A06A0020       Audit of the Effectiveness of the           3/28/02     FSA           4
                         Department’s Student Financial Aid
                         Application Verification Process
  3       A19C0006       Audit of the Department of                 10/31/02     FSA           7
                         Education’s Controls Over the Access,
                         Disclosure, and Use of Social Security
                         Numbers by Third Parties.
  4       A19D0002       Audit of the Department of                 12/23/03     FSA           8
                         Education’s Monitoring of Private
                         Collection Agency Contractors
  5       A0190005       Audit of the Recertification Process for    9/29/00     FSA           1
                         Foreign Schools
  6       A05D0010       Audit of Oversight Issues Related to        7/31/03     FSA           2
                         Guaranty Agencies’ Administration of
                         the Federal Family Education Loan
                         Program Federal and Operating Funds.
  7       A07B0008       Audit of FSA’s Modernization Partner       11/20/02     FSA           7
                         Agreement
  8       A19B0001       Audit of Controls over Government           3/15/02     FSA           9
                         Property Provided under Federal
                         Student Aid Contracts
  9       A03B0001       Audit of Procedures at Federal Student      8/22/02     FSA           3
                         Aid for Monitoring the Ability-to-
                         Benefit Test Publishers Approved by
                         the U.S. Department of Education
  10      A0790034       Department Controls Over TRIO                1/4/02     OPE           7
                         Grantee Monitoring
  11      A0490013       Office of Higher Education Programs        12/27/00     OPE           6
                         Needs To Improve its Oversight of
                         Parts A and B of the Title III Program
  12      A0490014       Review of Title III Program, HEA,           6/30/00     OPE           7
                         Compliance with GPRA Requirements
                         for Implementation of Performance
                         Indicators
  13      A07A0033       Gaining Early Awareness and                  6/7/02     OPE           2
                         Readiness for Undergraduate Programs
  14      A11A0011       Audit of the Department’s Records           9/27/01     OCIO          14
                         Management Program
  15      A11D0001       Phase II Audit of the Department’s          3/28/03     OCIO          15
                         Critical Infrastructure Protection
                         Program
Final Report
ED-OIG/A19E0017                                                            Page 14 of 14

16      A11C0009   Implementation of the Government          9/30/02    OCIO       8
                   Paperwork Elimination Act
17      A19B0011   Audit of Controls over Government         10/24/02   OCIO       13
                   Calling Cards
18      A07C0033   Audit of Capital Planning and             9/12/03    OCIO       7
                   Investment Management
19      A17D0001   United States Department of               10/6/03    OCFO       5
                   Education: Office of the Chief
                   Financial Officer - Contracting and
                   Purchasing Operations Compliance
                   with Appropriation Law
20      A19B0009   Audit of The Department of                9/20/02    OCFO       23
                   Education's process for identifying and
                   Monitoring High-Risk Contracts that
                   Support Office of Educational
                   Research and Improvement (OERI)
                   Programs
21      A19C0004   Audit of Funds Not Recovered Due to        1/6/04    OCFO       6
                   the Statute of Limitations
22      A19B0010   Audit of Controls over Government          3/7/02    OCFO       3
                   Travel Cards
23      A17E0001   Reconciliation of Principal Office         7/8/04    OCFO       1
                   Records to the United States
                   Department of Education Central
                   Automated Processing System
      Total                                                                       160
                                                                                                               Attachment 3


                           UNITED STATES DEPARTMENT OF EDUCATION

                                       OFFICE OF THE CHIEF FINANCIAL OFFICER




MEMORANDUM 	                                                                    FEB       I 2006

To: 	                Michelle Weaver-Dugan, Director
                     Operations Internal Audit Team
                     Office of Inspector General

From: 	              Danny A. Harris, PhD~. \~i
                     Deputy Chief Financial Officer

Subject: 	           Draft Audit Report: Audit of the Department of Education's Followup Process
                     for Internal Audits, Audit Control Number A19-E0017

Thank you for the opportunity to respond to the above referenced draft audit report. The Office
of the Chief Financial Officer (OCFO) generally concurs with the report's finding and
recommendations. Overall, the subject report disclosed that the Department's Audit Followup
System for Internal OIG Audits was not always effective. While the Department acknowledges
that improvements are needed, significant action has been taken to automate the tracking,
reporting and management of its audit followup activities, and improve guidance and standards
for documenting completed corrective actions.

The following are our proposed corrective actions to address the four recommendations cited in
your audit.

Recommendation 1.1
Develop and implement a process to periodically report to the Department's senior management
on the adequacy of Action Official's (AO) systems for followup on internal corrective actions,
and the overall effectiveness of the Department's internal audit followup system, based on the
review of audit followup documentation and other related factors currently tracked by the
Department.

OCFO's Response
We concur with this recommendation. OCFO's Post Audit Group (P AG) will develop and
implement a process to annually report to the Department's senior management on the adequacy
of AO systems for followup on internal corrective actions, and the overall effectiveness of the
Department's internal audit followup system. The annual report will be based on the review of
audit followup documentation and other related factors that will be tracked by PAG. P AG will
meet with the Audit Liaison Officers to briefthem on OIG's finding and recommendation, PAG's
process for reviewing audit followup documentation, as well as the Principal Office's
responsibility in the process.

Recommendation 1.2
Ensure PAG staff accepts from POs only documentation that adequately supports completion of
the stated corrective action items prior to closing audits.




                                     400 MARYLAND AVE., S.W., WASHINGTON, D.C. 20202-4300
                                                              www.ed.gov

             Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.
                                                                                  ACN A19-E0017
                                                                                              P.2

OCFO's Response
We concur with the recommendation that only documentation that adequately supports
completion of the stated corrective action be used in determining audit closure. However, we
continue to believe that it is the PO's responsibility to provide PAG with documentation that it
believes supports completion of a corrective llction. The recommendation, as written, places the
responsibility entirely on P AG. P AG will work with the POs to ensure that documentation
provided by POs supports completion of stated corrective actions prior to closing audits.

Recommendation 1.3
Formalize and implement PAG documentation review process procedures. Ensure the procedures
include instructions for completing the documentation review forms and determining whether
completion dates reported in AARTS are supported by documentation provided.

OCFO's Response
We concur with this recommendation and have already taken some action to address it. In this
regard, PAG had formal documentation review process procedures in effect when OIG performed
its audit. All P AG staff involved in the documentation review process were provided a copy of
the document. In response to ~IG's recent audit entitled Audit Followup Process for Office of
Inspector General Internal Audits in the Office of the Chief Financial Officer (ACN-19-F0004),
PAG revised its documentation review process procedures to include more detailed guidance for
completing the documentation review form. P AG also revised the documentation review form to
include an area for the PAG Specialist to check whether the completion dates reported in AARTS
matched the documentation reviewed. P AG will review its detailed guidance and review form
again, in light of this recommendation and Recommendation 1.2. Changes will be made as
appropriate.

Recommendation 1.4
Update the AARTS User Manual for Internal Audits to include directions for POs on how to
modify corrective action items after they have been accepted by the OIG.

OCFO's Response
We concur with this recommendation. The updating of the AARTS User Manual is planned over
the next twelve months. In the interim, to address this recommendation, P AG will provide
written instructions to POs on how to modify corrective action items after they have been
accepted by the OIG.

If you have any questions, please contact Gail Cornish, Management Analyst, Post Audit Group
at (202) 401-2853.