OIG Review of OCFO and OCIO Internal Controls Over the Procurement of Goods and Services (A&I 2000-006) Date Issued: 7/26/2000

Published by the Department of Education, Office of Inspector General on 2000-07-26.

MEMORANDUM

TO            :      Thomas P. Skelly
                     Acting Chief Financial Officer
                     Office of the Chief Financial Officer

                     Craig B. Luigart
                     Chief Information Officer
                     Office of the Chief Information Officer

FROM          :      John P. Higgins, Jr.
                     Acting Assistant Inspector General
                     Analysis and Inspection Services

SUBJECT       :      Results of OIG Review of OCFO and OCIO Internal Controls
                     Over the Procurement of Goods and Services (A&I 2000-006)


INTRODUCTION

This memorandum transmits the results of our review of the OCFO and OCIO internal
controls over the procurement of goods and services. We conducted the review of OCFO
and OCIO jointly because the offices share an Executive Officer. This review is part of
OIG’s Department-wide review of this area. The Department’s management is
responsible for establishing and maintaining internal controls. We will transmit the
Department-wide results to the Deputy Secretary with copies to the Assistant Secretaries
and other senior staff when we complete our review. On Wednesday, July 12, 2000, OIG
staff met with you to discuss the results of this review.

We assessed OCFO’s and OCIO’s internal controls based on GAO’s Standards for
Internal Control in the Federal Government issued November 1999. We noted during
our meeting with you that both of you were familiar with, and had copies of, those
Standards.

RESULTS

We identified certain internal control deficiencies that prevent OCFO and OCIO from
satisfying GAO’s Standards for Internal Control in the Federal Government. For your
information and corrective action, those deficiencies are listed in the attached chart
(Attachment A). In the future, we anticipate conducting a follow-up review to assess the
actions you have taken to satisfy GAO’s Standards for Internal Control in the Federal
Government.

In addition, we want to advise you and OCFO and OCIO managers of inherent
vulnerabilities we identified in two Department procurement systems.

✓ Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
  to review the use of purchase cards. Therefore, it is important that approving officials
  properly review all cardholder statements, including invoices, before forwarding them
  to Financial Management Operations in OCFO.

✓ Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of TPDS disbursements.

OTHER MATTERS

As you are aware, the Department had a financial loss because of the mishandling of
certain telecommunication contracts. Based on limited work in this area, we identified
significant control issues:

       Control Environment – A staff member expressed to us concerns about the lack
       of technical skills in OCIO and the lack of time to sufficiently monitor
       telecommunication contracts.

       Risk Assessment – There is currently no formal risk assessment process for
       contracts in OCFO and OCIO. OCFO and OCIO should conduct a review
       periodically to determine if risks have changed and whether they are managing
       existing risks appropriately. The CIO told us that risk assessment is being
       designed into his office’s procurement processes.

       Control Activities / Monitoring – A COTR expressed concern about the lack of
       documentation for telecommunication contracts that prevented him from doing in-
       depth contract monitoring. He said that he certifies four contracts monthly
       without knowing specifically what services are being provided. The CIO was
       aware of the situation with telecommunication contracts, but indicated that it was
       his understanding that future contracts through GSA will not provide more
       detailed information. ED must take appropriate steps to ensure that these and
       other contracts are properly monitored to prevent fraud, waste and abuse.

OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters). Although we
interviewed staff regarding contracts for the purchase of goods and services, we did not
review contract files. We limited testing of accounting records to procurements using
the Third Party Draft System (TPDS) and Purchase Cards. We did not conduct testing on
OCFO’s and OCIO’s use of “Corporate” Government Travel Accounts.

METHODOLOGY

To achieve our objectives, we conducted interviews with OCFO and OCIO staff who
were involved with the procurement process, and we reviewed relevant documents. As
part of our work, we reviewed samples of TPDS checks and purchase card transactions.
For the TPDS, we selected a random sample of 50 TPDS checks issued from October
1998 through September 1999 (FY 1999) and from October 1999 through February 2000
(FY 2000). We judgmentally selected a sample of 15 monthly purchase card statements dated
between October 16, 1998 and February 16, 2000. Then we selected 51 transactions to
review. In selecting our sample, we did not include any transactions dated prior to
October 1, 1998. We also reviewed OCFO and OCIO monthly purchase card statements
that were in the Financial Management Policy and Administration Group files for the
months of September 1999 and March 2000.

We based our conclusions about OCFO and OCIO internal controls on the information
gathered during our interviews and transaction testing. We conducted our interviews and
transaction testing between April 10, 2000 and May 25, 2000. We conducted our work in
accordance with the President's Council on Integrity and Efficiency (PCIE) Quality
Standards for Inspection dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 205-5439.


Attachments


cc:    Deputy Secretary

Attachment B

GAO’s Standards for Internal Control in the Federal Government
Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    ✓ Management and staff maintain and demonstrate integrity and ethical values.

    ✓ Management maintains an active commitment to competence.

    ✓ Management’s philosophy and operating style exerts a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    ✓ Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    ✓ Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    ✓ Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment: the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.

•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    ✓ The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    ✓ Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    ✓ An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    ✓ Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    ✓ Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    ✓ Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    ✓ Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.

Attachment A

Internal Control Evaluation Form
Office of the Chief Financial Officer and Office of the Chief Information Officer

Control Component     Deficiencies

Control Environment   •   Assignment of Authority
                          ✓ The Executive Officer continued to have and use a purchase card after becoming the Approving
                            Official for OCFO and OCIO. The balance on his card for January 2000 was $19,789; for February,
                            $35,743; and for March, $7,142.

                      •   Training
                          ✓ OCFO and OCIO have one cardholder that has not taken the required purchase card training. In
                            addition, all procurement staff could benefit from refresher training.

Risk Assessment       •   Identification of Risks
                          ✓ OCFO and OCIO have no formal procedures for risk assessment in the procurement area. The OCIO
                            is in the process of designing risk assessment into their systems.
                          ✓ The Executive Officer’s position is designated as moderate risk. Executive Officer positions are
                            generally designated high risk. On May 30, 2000, OIG requested a position description to assess the
                            risk designation. As of July 24, 2000, OIG had not received the requested position description.

Control Activities    •   Policies and Procedures
                          ✓ Purchase cards – The Department’s Directive on Commercial Credit Card Services (C:FIM:6-102)
                            dated March 12, 1990, requires that Principal Offices establish internal procedures on the
                            safeguarding and authorized use of credit cards. OCFO and OCIO are in the process of updating
                            their policies and procedures on the purchase card process.
                          ✓ Third Party Draft System – Invoices are not manually date stamped upon receipt. We were told that
                            the invoices are not date stamped because the receipt date is entered into the Financial Management
                            Support System (FMSS). We noted some invoices where the date of the invoice was significantly
                            different from the receipt date recorded in FMSS. For example, an invoice to PageNet was dated
                            November 1, 1998 with a due date of November 30, 1998. The receipt date in FMSS was January 6,
                            1999. The date of the TPDS check was also January 6, 1999. According to the Code of Federal
                            Regulations (5 CFR Section 1315.4(b)(1)(i)), the date an invoice is received is only applicable for
                            determining the due date “if the agency annotates the invoice with date of receipt at the time of
                            receipt.”
                          ✓ Third Party Draft System – OCFO and OCIO do not have a log to track unissued TPDS checks. Such
                            a log would allow both Program Offices to identify any missing checks.
                          ✓ Security reviews – On March 16, 2000, OIG requested security forms to update the investigations of
                            a staff member with procurement authority. As of July 24, 2000, OIG had not received the requested
                            forms.

                      •   Third Party Draft System (TPDS) – We randomly selected 50 TPDS checks to review.
                          ✓ Recordkeeping – Supporting documentation could not be found for three checks. The amounts of
                            those three checks were $1,920, $615, and $6,169.
                          ✓ Approval – Of the 47 TPDS checks that had supporting documentation, we noted that in nine
                            instances the Executive Officer’s approval was missing. In five of those nine instances, another
                            person had approved the transaction. In four cases, there was no documentation of approval.
                          ✓ Recordkeeping – Supporting documentation for one check of $2,394 noted an unpaid balance of
                            $372.50. There was no supporting documentation to verify that the remaining $372.50 was paid in
                            full.

                      •   Purchase Cards – We selected 51 purchase card transactions to review.
                          ✓ Recordkeeping – In 13 instances, supporting documentation was missing or incomplete. For
                            example, the supporting documentation for the purchase of toner cartridges ($2,498) consisted of a
                            delivery ticket without price information. The supporting documentation for the purchase of a copier
                            ($11,861) also consisted of a shipping ticket without price information.
                          ✓ Authorization – One cardholder exceeded their monthly credit limit by $527. Subsequently, the
                            cardholder’s monthly credit limit was increased.

Information &         •   Communication of Key Information
Communications            ✓ OCFO and OCIO procurement staff were unfamiliar with the Department’s Directive on Commercial
                            Credit Card Services.

Monitoring            •   On-going Monitoring
                          ✓ The supervisor of the individual with signature authority for TPDS checks does not perform periodic
                            reviews of the EDCAPS reports on the checks issued by OCFO and OCIO.