oversight

Audit Followup Process for Office of Inspector General Internal Audits in the Office of the Chief Financial Officer .

Published by the Department of Education, Office of Inspector General on 2005-11-04.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                      UNITED STATES DEPARTMENT OF EDUCATION

                                      OFFICE OF INSPECTOR GENERAL




                                             November 4, 2005

                                                                                        CONTROL NUMBER
                                                                                          ED-OIG/A19F0004

Jack Martin
Chief Financial Officer
Office of the Chief Financial Officer
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202

Dear Mr. Martin:

This Final Audit Report (Control Number ED-OIG/A19F0004) presents the results of our audit
of the Audit Followup Process for Office of Inspector General Internal Audits in the Office of the
Chief Financial Officer. The objective of our audit was to verify whether adequate
documentation was maintained to support that corrective action items have been implemented as
stated in the Department of Education’s (Department) corrective action plans (CAP). This audit
is a part of a review of the Department’s internal audit followup process being performed in four
principal offices (POs). As the Department of Education’s audit followup official, you will also
receive a summary report upon completion of the audits in the individual POs.


                                           BACKGROUND
Office of Management and Budget (OMB) Circular A-50, entitled “Audit Followup,” provides
the requirements for establishing systems to assure prompt and proper resolution and
implementation of audit recommendations. The Department established a Post Audit User Guide
(Guide) to provide policy and procedures for the audit followup process. Section I, “Overview,”
of the Guide states,

       The effectiveness of the post audit process depends upon taking appropriate,
       timely action to resolve audit findings and their underlying causes, as well as
       providing an effective system for audit close-out, record maintenance, and follow-
       up on corrective actions.



                           400 MARYLAND AVE., S.W. WASHINGTON, D.C. 20202-1510

           Our mission is to ensure equal access to education and to promote educational excellence
Mr. Martin	                                                                       Page 2 of 8



While overall responsibility for the audit followup process is assigned to the Office of the Chief
Financial Officer (OCFO), Post Audit Group (PAG), each Assistant Secretary (or equivalent
office head) is responsible for ensuring that the overall audit followup process operates
efficiently and consistently. The Guide defines further responsibilities of the Action Official
(AO), generally the Assistant Secretary (or equivalent office head), to include:

    • 	 Determining the action to be taken and the financial adjustments to be made in resolving
        findings in audit reports concerning respective program areas of responsibility,
    • 	 Maintaining formal, documented systems of cooperative audit resolution and follow-up
        to ensure that audit recommendations are implemented, completion dates captured, and
        appropriate documentation maintained to support completed corrective actions.

The Department tracks audit resolution and the completion of corrective action items through the
Audit Accountability and Resolution Tracking System (AARTS). For each audit, AARTS stores
detailed information on audit resolution, proposed corrective action items, Office of Inspector
General (OIG) concurrence with these action items, responsible individuals, and completion and
closure data.

When a PO has completed all corrective action items for an internal OIG audit, the PO certifies
this fact to PAG and requests closure of the audit in AARTS. PAG staff perform a review of the
documentation in the audit resolution file maintained by the PO to determine whether
implementation of corrective action items is supported. Once PAG is satisfied that
implementation of the corrective action items reviewed is supported, the audit is closed in
AARTS. PAG staff stated that until sometime in Fiscal Year 2004, only a sample of corrective
action items was evaluated and that PO staff did not necessarily know that all corrective action
items were not reviewed. PAG staff stated that currently all corrective action items are evaluated
in these reviews.


                                     AUDIT RESULTS
We found improvements are needed in OCFO’s internal control over its audit followup process.
While OCFO maintained files with documentation regarding audit followup activity, we found
OCFO’s audit followup process did not support the completion of all corrective action items. In
addition, this process did not always support completion of corrective action items by the date
reported as completed in AARTS.

OCFO audit resolution staff generally believed that completion of corrective action items was
adequately documented. However, we found documentation did not support completion of 3 of
the 38 corrective action items reviewed. As a result, OCFO does not have assurance that
corrective action items were implemented. In addition, reporting corrective action items as
completed before the actions have actually been taken compromises the integrity of the data
included in AARTS, understates internal management reports and reports to Congress on
corrective action items that have not yet been completed, and may negatively impact the
Department’s credibility.

                                         ED-OIG/A19F0004

Mr. Martin	                                                                                    Page 3 of 8




In its response to the draft audit report, OCFO concurred with the finding and provided
corrective actions to address each of the recommendations included in our report. The complete
text of OCFO’s response is included as Attachment 2 to this report.


Finding 1        OCFO Audit Followup Was Not Always Effective
We found OCFO’s audit followup process was not always effective. While OCFO certified that
corrective action items were completed, we found they were unable to support completion of 3 of
the 38 corrective action items reviewed (8 percent). We were able to validate closure dates for
29 of the 35 supported corrective actions through OCFO provided documentation.1 We found
OCFO reported 2 of these 29 action items (7 percent) as completed in the Department’s audit
tracking system prior to dates reflected by supporting documentation.

Documentation Did Not Support Completion of Corrective Action Items

OCFO audit resolution file documentation did not initially support completion of 7 of the 38
corrective action items reviewed (18 percent). In response to an OIG request, OCFO provided
additional documentation not originally included in the audit resolution files that supported
completion of 4 additional corrective action items. Ultimately, OCFO could not provide
documentation to support completion of 3 of the 38 corrective action items (8 percent).
Unsupported corrective action items noted during this audit included the following:

    • 	 In one audit, the corrective action item stated in part that OCFO would correct 213
        negative balances by December 31, 2003. 2 The audit resolution file contained an
        Obligation Amount Out of Balance report, which lists 46 awards, along with the award,
        obligation, and FMSS totals. In response to the OIG referral, OCFO advised us that the
        213 balances were corrected, but the employee responsible for making the corrections did
        not maintain documentation of the action.

    • 	 In another audit, the corrective action item stated OCFO would “follow-up on COR
        [Contracting Officer Representative] delegations to ensure that every OERI [Office of
        Educational Research and Improvement] contract over $100,000 has an appointed COR
        and that a delegation of responsibility memorandum has been issued.” 3



1
  In six cases, we could not validate closure dates because of limitations in the supporting documentation provided

by OCFO. 

2
  Audit Control Number (ACN) A17-D0001: “United States Department of Education: Office of the Chief Financial

Officer - Contracting and Purchasing Operations Compliance with Appropriation Law,” issued October 6, 2003,

Corrective Action Item 2.2.1.

3
  ACN A19-B0009: “Audit of The Department of Education's process for identifying and Monitoring High-Risk

Contracts that Support Office of Educational Research and Improvement (OERI) Programs,” issued September 20, 

2002, Corrective Action Item 1.12.1. 


                                                ED-OIG/A19F0004

Mr. Martin                                                                         Page 4 of 8



        The audit resolution file contained a listing of contracts that identified current contracts
        with values over $100,000, as well as the program manager, project manager, COR,
        contract specialist, and contracting officer for each contract. In response to the OIG
        referral, OCFO referred to an email from a Contracts Group Chief that stated staff
        reviewed applicable OERI contracts and the contracts are current in file organization.
        While this email states contract files are organized, we have no assurance that delegation
        of responsibility memorandums were issued to the CORs.

PAG issued Audit Closure Memos for two of the five audits included in this review. These two
audits contained 26 of the 38 corrective action items we reviewed. We noted 9 of these 26
corrective action items were identified as reviewed by PAG prior to issuance of the Audit
Closure Memos. We determined all 9 corrective action items reviewed by PAG were adequately
supported by documentation provided by OCIO. The results of our analysis of the effectiveness
of PAG’s review process will be included in the audit followup summary report upon completion
of the audits in individual offices.

Documentation Did Not Support Reported Completion Dates

For the 29 corrective action items for which completion dates could be verified, OCFO reported
2 corrective action items as completed in AARTS prior to dates reflected by supporting
documentation (7 percent). These items were reported as completed 13 and 15 months before
dates noted on supporting documentation.

For example, a corrective action item for one audit was reported as completed on August 31,
2003. OCFO provided us with an AARTS printout of the “View Audit” screen that shows the
issue date of a final audit report is logged in the system. This item was sufficient to support the
completion of the corrective action item, but was dated December 3, 2004.

Requirements for Audit Followup

OMB Circular A-50, entitled “Audit Followup,” provides the requirements for establishing
systems to assure prompt and proper resolution and implementation of audit recommendations.
The Circular states—

        Audit followup is an integral part of good management, and is a shared
        responsibility of agency management officials and auditors. Corrective action
        taken by management on resolved findings and recommendations is essential to
        improving the effectiveness and efficiency of Government operations. Each
        agency shall establish systems to assure the prompt and proper resolution and
        implementation of audit recommendations. These systems shall provide for a
        complete record of action taken on both monetary and non-monetary findings and
        recommendations.




                                          ED-OIG/A19F0004

Mr. Martin                                                                      Page 5 of 8



The Department’s Post Audit User Guide, Section IV, “Internal Audits,” Chapter 1, “ED Office
of Inspector General (ED-OIG) Audit Reports and Alternative Products,” Part G, “Corrective
Actions,” states:

        Each AO must maintain documentation to support implementation of each
        corrective action in accordance with the Guidelines for Establishing File Folders
        and Maintaining Documentation. The documentation must be specifically
        identifiable to a corrective action to withstand any post audit closure review by
        PAG/OCFO, ED-OIG, [Government Accountability Office] GAO and/or OMB.
        All ED-OIG audit records must be retained by an AO for at least five years after
        ED-OIG is notified that all corrective actions have been completed.

The Department’s Guidelines for Establishing File Folders and Maintaining
Documentation states:

        A file folder should be established for each audit report beginning with the draft
        report. Each folder should contain . . .Documentation to support implementation
        of corrective actions or specific notes that indicate where said documents are
        located . . .Explanation of how such documentation supports the corrective action,
        if not readily understood or evident.

The Guidelines for Establishing File Folders and Maintaining Documentation also provides
examples of supporting documentation to include memos of understanding, final regulations,
Dear Colleague Letters, records from databases, and policies and procedures.

OCFO audit resolution staff generally believed that available documentation was
adequate to support completion. OCFO stated they had no supporting documentation for
one corrective action item because the employee responsible for implementing the action
item did not maintain documentation supporting completion of the action. We concluded
OCFO could not support an additional corrective action item because they were unsure of
the type of documentation to provide that would show the corrective action item had been
implemented.

Without appropriate documentation, OCFO does not have assurance that identified deficiencies
were corrected. As such, the risk remains that related programs may not be effectively managed.

By reporting corrective action items as completed when they have not been, or in advance of the
actual completion date, OCFO compromises the integrity of the data included in AARTS and
may negatively impact the Department’s credibility. Management reports on corrective action
items due for completion may be understated. In addition, the Department’s Semiannual Report
to Congress on Audit Followup may also under report the audits for which corrective action
items have not been completed.




                                        ED-OIG/A19F0004

Mr. Martin	                                                                       Page 6 of 8



Recommendations:

We recommend that the Chief Financial Officer:

1.1 	   Establish and implement procedures to ensure that implementation of corrective action
        items is fully supported by adequate documentation, in accordance with the Department’s
        audit related documentation and file requirements.

1.2 	   Establish and implement procedures to ensure that completion dates reported in AARTS
        are consistent with dates reflected in supporting documentation.

1.3 	   Update AARTS to reflect the actual completion dates for the corrective action items
        noted in this audit with discrepancies in the reported completion dates.


OCFO Response:

In its response to the draft audit report, OCFO concurred with the finding and provided
corrective actions to address each of the recommendations included in our report. OCFO stated
PAG will implement procedures that will require the Audit Liaison Officers (ALOs) within
OCFO to complete a documentation checklist that will include line items regarding adequate
documentation for each corrective action as well as ensuring that completion dates in AARTS
match dates of supporting documentation. PAG will also implement procedures to ensure that its
staff will include confirmation that the dates match in the verification review before closure of an
audit. In addition, PAG will train the ALOs within OCFO on what is considered reasonable
documentation, as well as the new process and procedures. OCFO also indicated it has already
changed the actual completion dates in AARTS as recommended.


                  OBJECTIVE, SCOPE, AND METHODOLOGY
The objective of our audit was to verify whether adequate documentation was maintained to
support that corrective action items have been implemented as stated in the Department’s CAPs.

To accomplish our objective, we performed a review of internal control applicable to OCFO’s
audit followup process. We reviewed applicable laws and regulations, and Department policies
and procedures. We conducted interviews with OCFO/PAG staff regarding Department policy
and procedures, and AARTS operation. We conducted interviews with OCFO staff responsible
for resolving and following up on corrective action items for the audits selected. We also
reviewed documentation provided by OCFO staff to support completion of corrective action
items for the recommendations included in our review.

The scope of our audit was limited to corrective action items developed in response to internal
OIG audits of OCFO processes and programs. Our scope included only those corrective action
items reported as “completed” in AARTS during the period July 1, 2002, through September 30,

                                         ED-OIG/A19F0004

Mr. Martin                                                                       Page 7 of 8



2004. We excluded from our review corrective action items for recurring audits, such as annual
financial statement audits, information security audits, or those with prior or planned followup
audits, so as not to duplicate audit effort. Overall, we selected a total of 38 corrective action
items from 5 OCFO related audits. The selected audits and corrective action items reviewed are
listed in Attachment 1 to this report.

We relied on computer-processed data initially obtained from AARTS to identify action items
applicable to the scope period. An alternative data source is not available to directly test the
completeness of the corrective action items as reported in AARTS. However, we tested the
accuracy of AARTS data by comparing AARTS data to supporting documentation. We also
conducted a limited review of AARTS data controls and relied on feedback from resolution staff
to gain additional assurance relating to the completeness and accuracy of AARTS data. Based on
these tests and assessments, we determined that the computer-processed data was sufficiently
reliable for the purpose of our audit.

Our review was based on the corrective action items defined by OCFO in its CAPs and agreed
upon by OIG in the audit resolution process. We reviewed and analyzed documentation in
OCFO’s audit resolution files to determine whether completion of each selected corrective action
item was supported. In cases where documentation in the file did not support completion of the
action item, we provided OCFO with an opportunity to provide additional documentation from
other sources. We reviewed any additional documentation subsequently provided to make a final
determination as to whether completion of the corrective action items was then supported. In
addition, we verified the reported completion dates in AARTS against the supporting
documentation provided, where possible, for those corrective action items that were supported.

We conducted fieldwork at OCFO offices in Washington, DC, during the period January 2005
through August 2005. We held an exit conference with OCFO staff on August 16, 2005. Our
audit was performed in accordance with generally accepted government auditing standards
appropriate to the scope of the review described above.


                            ADMINISTRATIVE MATTERS
Corrective actions proposed (resolution phase) and implemented (closure phase) by your office
will be monitored and tracked through the Department’s Audit Accountability and Resolution
Tracking System. Department policy requires you develop a final CAP for our review in the
automated system within 30 days of the issuance of this report. The CAP should set forth the
specific action items, and targeted completion dates, necessary to implement final corrective
actions on the finding and recommendations contained in this final audit report

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector
General is required to report to Congress twice a year on the audits that remain unresolved after
six months from the date of issuance.



                                        ED-OIG/A19F0004

Mr. Martin	                                                                    Page 8 of 8



Statements that managerial practices need improvements, as well as other conclusions and
recommendations in this report, represent the opinions of the Office of Inspector General.
Determinations of corrective action to be taken will be made by the appropriate Department of
Education officials.

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office
of Inspector General are available to members of the press and general public to the extent
information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation provided to us during this review. Should you have any questions
concerning this report, please call Michele Weaver-Dugan at (202) 245-6941.

                                            Sincerely, 



                                            Helen Lew /s/        

                                            Assistant Inspector General for Audit Services        



cc: 	   Gail Cornish, Audit Liaison Officer, OCFO
        Charles Miller, Supervisor, PAG/OCFO




                                       ED-OIG/A19F0004

             ATTACHMENT 1 – Audits and Corrective Action Items Reviewed

Number Audit              Title           Issue Corrective Unsupported Unsupported
      Control                             Date Action Items Action Items Completion
      Number                                      Reviewed                      Dates
  1    A17- United States Department 10/6/03 2.1.1, 2.2.1,      2.2.1, 2.4.1    None
       D0001 of Education: Office of the         2.3.1, 2.4.1,
              Chief Financial Officer -              2.5.1
              Contracting and Purchasing
              Operations Compliance
              with Appropriation Law
  2    A19- Audit of The Department 9/20/02 1.1.1, 1.1.2,          1.12.1       None
       B0009 of Education's process for          1.1.3, 1.1.4,
              identifying and Monitoring         1.1.5, 1.2.1,
              High-Risk Contracts that           1.3.1, 1.4.1,
              Support Office of                  1.5.1, 1.6.1,
              Educational Research and           1.7.1, 1.8.1,
              Improvement (OERI)                 1.8.2, 1.9.1,
              Programs                          1.10.1, 1.10.2,
                                                1.11.1, 1.12.1,
                                                1.13.1, 1.14.1,
                                                1.16.1, 1.18.1,
                                                     1.19.1
  3    A19- Audit of Funds Not           5/10/04 1.5.1, 1.6.1,     None      1.6.1, 3.2.1
       C0004 Recovered Due to the                1.6.2, 1.6.3,
              Statute of Limitations              3.1.1, 3.2.1
  4    A19- Audit of Controls over       3/27/02 1.1.1, 1.2.1,     None         None
       B0010 Government Travel Cards                  1.3.1
  5    A17- Reconciliation of Principal 7/8/04       1.2.1         None         None
       E0001 Office Records to the
              United States Department
              of Education Central
              Automated Processing
              System
TOTAL                                                  38            3            2
                                                                                                               Attachment 2


                     UNlTED STATES DEPARTMENT OF EDUCATION
                                 OFFICE OF THE CHIEF FINANCIAL OFFICER

                                                                                              THE CHIEF FINANCIAL OFfICER


                                                  OCT 2 4 2005

MEMORANDUM

TO: 	             Michelle Weaver-Dugan, Director
                  Operations lntemal Audit Team
                  Office of Inspector General

FROM : 	          Jack Martin

SUBJECT: 	 Draft Audit tteport: Audit Followup Process for Office ofInspector
                  General Internal Audits in the Office of the Chicf Financial Officer,
                  Control Number ED-OIG/A 19F0004

Thank you for the opportunity to respond to the above referenced draft audit report. The
Office of the Chief Financial Officer (OCFO) agrees that audit followup procedures
could be improved to ensure implementation of corrective actions is supported by
adequate documentation, and completion dates in the Audit Accountab ili ty and
Resolution Tracking System (AARTS) are consistent with dates reflected on supporting
documentation.

OCFO takes audit followup seriously, which is supported by the low percentage of errors
or instances or non-compliance disclosed in the subj ect audit. In this regard, the audit
indicated that in eight percent of the correcti ve actions reviewed (3 of 38), documentation
was not provided to support completion of corrective actions, and in seven percent orthe
corrective actions reviewed (2 of29) completion dates in AARTS did not agree with the
dates reflected by supporting documentation Further, based upon documentation
provided by OCFO staff, OIG was also able to adequately validate closure dates [or 29 of
the 35 supported corrective actions.

While we acknowledge that improvements can be made, our goal is to ensure thal our
audit followup system provides a reasonable level or assurance that OCFO complies
with current guidance and regulations. We believe that your report validates our actions
and efforts in this regard.

The following are our proposed corrective actions 10 address the three recommendations
cited in your audit:




                          400 MARYLAND AVE., S.W.          WASHINGTON. D.C. 20202-4300


  Our mission is [0 ensure equal access   (0   education and   (0   promOle educational excellence Ihroughout [he IVmion.
Page 2 - ACN-AI9-F0004


Recommendation 1.1
Establish and implement procedures that ensure implementation of corrective act ion
items is fully supported by adequate documentation, in accordance with the Department's
audit related documentation and file requirements.

OCFO's Response
The Post Audit Group (PAG) will continue taking a leadership role by implementing
additional procedures that will require the Audit Liaison Officers (ALOs) within OCFO
to complete a documentation checklist that will include line items regarding adequate
documentation for each corrective action, as well as ensuring that completion dates in
AARTS match dates of supporting documentation. PAG will also train the ALOs within
OCFO on what is considered reasonable documentation, as well as the improvements to
the process and procedures.

Recommendation 1.2
Establish and implement procedures to ensure that completion dates reported in AARTS
are consistent with dates reflected in supporting documentation.

OCFO's Response
PAG will take more ofa leadership role by implementing procedures that will require the
ALOs within OCFO to complete a documentation checklist that will include line items
regarding adequate documentation for each corrective action as well as ensuring that
completion dates in AARTS match dates of supporting documentation. PAG will also
implement procedures to ensure that its staff will include confinnation that the dates
match in the verification review before closure of an audit. PAG wi ll train the ALOs
within OCFO on what is considered reasonable documentation, as well as the new
process and procedures.

Recommendation 1.3
Update AARTS to reflect the actual completion dates for the corrective action items
noted in this audit with discrepancies in the reported completion dates.

OCFO's Response
OCFO completed this corrective action on August 23, 2005, by changing the actual
completion date in AARTS as recommended. Implementation of new procedures that
will address Recommendations 1.1 and 1.2 will also address the recurrence of th is type of
discrepancy.

Thank you for the opportunity to respond to the draft report. If you have any questions,
please contact Gail Cornish, Management Analyst, Post Audit Group at (202) 401-285 3.