OIG Review of OCR's Internal Controls Over the Procurement of Goods and Services (A&I 2000-007) Date Issued: 8/02/2000 PDF (47K)

Published by the Department of Education, Office of Inspector General on 2000-08-02.

Below is a raw (and likely hideous) rendition of the original report. (PDF)


TO            :      Norma V. Cantú
                     Assistant Secretary
                     Office for Civil Rights

FROM          :      John P. Higgins, Jr.
                     Acting Assistant Inspector General
                     Analysis and Inspection Services

SUBJECT       :      Results of the OIG Review of OCR's Interna l Controls Over the
                     Procurement of Goods and Services (A&I 2000-007)


This memorandum transmits our review results of OCR’s internal controls over the
procurement of goods and services. This review is part of OIG's Department-wide
review of this area. The Department’s management is responsible for establishing and
maintaining internal controls. We will transmit the Department-wide results to the
Deputy Secretary with copies to the Assistant Secretaries and other senior staff when we
complete our review. On July 27, 2000, OIG staff met with you and your Special
Assistant, John Jackson, to discuss the results of this review. Following that meeting,
OIG staff also met with members of the OCR procurement staff to discuss the review.


Based on our review, we identified certain deficiencies that prevent OCR from fully
satisfying GAO’s Standards for Internal Control in the Federal Government. For your
information and corrective action, we listed those deficiencies in the attached chart
(Attachment A). In the future, we anticipate conducting a follow-up review to assess
actions you have taken to satisfy GAO’s Standards for Internal Control in the Federal
Government .

In addition, we want to advise you and OCR managers of inherent vulnerabilities we
identified in two Department procurement systems.

ü Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
   to review the use of purchase cards. Therefore, it is important that approving officials
   properly review all cardholder statements, including invoices, before forwarding them
   to OCFO for payment.

ü Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of TPDS disbursements.

During our review, we noted that some OCR employees assigned purchase cards are
below the minimum grade level (GS-9) required to receive annual ethics training.
Because of their procurement responsibilities, we believe that ethics training would
benefit these employees. Management should require them to attend annual ethics


Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.


We limited our work to procurements in Washington, D.C. (Headquarters) using the
Third Party Draft System and purchase cards. We did not conduct testing on OCR’s
contracting practices or use of the “Corporate” Government Travel Account.


To achieve our objectives, we interviewed OCR staff involved with procurement
processes and reviewed relevant documents. As part of our work, we reviewed samples
of TPDS checks and purchase card transactions. For TPDS, we selected a sample of 50
TPDS checks issued between October 1998 through September 1999 (FY 1999) and
October 1999 through February 2000 (FY 2000). OCR has four cardholders located in
headquarters. One of those cardholders had no activity during the period covered by our
review. We judgmentally selected a sample of 18 card statements belonging to the three
cardholders with activity during the period we were reviewing. We then selected 50
purchases to review for periods ending October 16, 1998 and February 16, 2000. In
selecting our sample, we did not include any transactions dated prior to October 1, 1998.
We also reviewed OCR’s monthly card statements included in OCFO’s files for
September 1999 and March 2000.

We based our conclusions about OCR's internal controls on information gathered during
interviews and transaction testing. We conducted our interviews and transaction testing
between May 3, 2000 and July 3, 2000. We assessed OCR's internal controls based on
GAO's Standards for Internal Control in the Federal Government issued November
1999. Attachment B to this memorandum contains a summary of the GAO Standards.
We conducted our work in accordance with the President's Council on Integrity and
Efficiency (PCIE) Quality Standards for Inspection dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 205-5439.


cc:   Deputy Secretary
                                                                          Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.


    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exerts a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment : the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
Internal Control Evaluation Form for the Office for Civil Rights                                             Attachment A

Control Component     Deficiencies
Control Environment   • Assignment of Authority – According to OCFO records, four cardholders need warrants because their
                         spending limits are in excess of $2,500.

Risk Assessment       •   Identification of Risks – Although OCR conducts self-evaluations in certain procurement areas, formal
                          risk assessment procedures have not been established.
                      •   Identification of Risks – One procurement staff member has been assigned a moderate risk level
                          although the employee’s responsibilities suggest a high risk level is more appropriate. Another staff
                          member has been assigned a low risk level although the employee’s responsibilities suggest a moderate
                          risk level is more appropriate.

Control Activities    •   Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                          Service (C:FIM:6-102) dated March 12, 1990, OCR has no written purchase card policies and
                      •   Approval – We reviewed the September 1999 and March 2000 OCR card statements from OCFO files.
                          Our purpose was to verify that OCR had submitted all its monthly card statements with purchases to
                          OCFO, and that the Approving Official had signed the statements.
                                ü Fifteen cards had activity in September 1999. Statements for six of those cards were missing
                                    from the OCFO files. Of the nine statements available for review, the Approving Official had
                                    not signed five.
                                ü Sixteen cards had activity in March 2000. Statements for all sixteen cards were in the OCFO
                                    files. Of the sixteen statements, the Approving Official had not signed one.
                      •    Recordkeeping – From a sample of 50 purchase card charges, OCR was unable to provide receipts for
                           15 charges. Nine of these charges were for more than $400, including two that were larger than $1,400.
                      •    Recordkeeping – Four purchase card charges in FY 1999 were assigned EDCAPS IMPAC numbers;
                           however, those IMPAC numbers did not appear on the EDCAPS IMPAC Report. OCR was unable to
                           explain why the transactions did not appear on the EDCAPS report.
                 • Policies and Procedures – The Department strongly encourages all principal offices to maximize
                   purchase card use, because each card usage saves ED substantial processing costs as opposed to other
                   payment mechanisms . In FY 1999, OCR issued 107 TPDS checks to the USDA Graduate School despite
                   their acceptance of purchase card payments. At the time of our review, OCR had issued four (4) TPDS
                   checks in FY 2000 to the USDA Graduate School. OCR should only issue TPDS checks when the
                   vendor will not accept the purchase card.
                 • Recordkeeping – We reviewed a sample of 50 TPDS checks. Of these 50, OCR was unable to provide
                   supporting documentation for three (3) checks. The amounts of these checks were $885, $210, and $117.
                 • Procedures – Of the 50 TPDS checks we reviewed, OCR did not pay five (5) within the time
                   requirements of the Prompt Payment Act. All the late payments occurred in FY 1999. In addition, we
                   noted two instances where the purchase card was used to pay an invoice that was overdue. Both of these
                   instances also occurred in FY 1999. OCR staff told us that they had made improvements to their TPDS
                   procedures since last year including requiring a procurement processing form and implementing a
                   database to track invoices.
                 • Recordkeeping – OCR did not maintain a log to track TPDS checks assigned to the office. Such a log
                   would allow OCR to identify any missing checks.

Information &    •   Communication of Key Information – The procurement staff we interviewed were not familiar with the
Communications       Department’s Directive on Commercial Credit Card Service.

Monitoring       •   On-going Monitoring – The supervisor of the individual with signature authority for TPDS checks does
                     not perform periodic reviews of EDCAPS reports of checks issued by OCR.