oversight

OIG Review of OGC's Internal Controls Over the Procurement of Goods and Services (A&I 2000-012) Date Issued: 9/18/2000 PDF (39K)

Published by the Department of Education, Office of Inspector General on 2000-09-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

MEMORANDUM

TO            :       Judith A. Winston
                      General Counsel
                      Office of the General Counsel

FROM          :       Mary Mitchelson
                      Assistant Inspector General
                      Analysis and Inspection Services

SUBJECT       :       Results of the OIG Review of OGC’s Internal Controls Over the
                      Procurement of Goods and Services (A&I 2000-012)


INTRODUCTION

This is our report of our review of the Office of the General Counsel’s (OGC) internal
controls over the procurement of goods and services. This review is part of our
Department-wide review of this area. The Department’s management is responsible for
establishing and maintaining internal controls. We will transmit the Department-wide
results to the Deputy Secretary with copies to the Assistant Secretaries and other senior
staff when we complete our review. On September 12, 2000, Office of Inspector General
(OIG) staff met with you and your Executive Officer, Carolyn Adams, to discuss the
results of this review.

RESULTS

During our review in OGC, we identified instances of noncompliance with the Federal
Acquisition Regulation (FAR) and current Department policies and procedures:

ü Possible split procurements – We identified two acquisitions that appear to have been
  split. One appears to have been split to avoid the cardholder’s single purchase limit
  and the other to avoid the micro-purchase threshold. The FAR prohibits the division
  of an acquisition to “avoid any requirement that applies to purchases exceeding the
  micro-purchase threshold.”

ü Use of purchase cards by a non-cardholder – We were informed that purchase cards
  were used by the Approving Official/Executive Officer, who is not a cardholder. The
  Department’s Directive on Commercial Credit Card Service states: “Each card has
  the cardholder’s name embossed on it and may be used only by that person. No one
   else is authorized to use the card.” The Directive also states: “An approving official
   may not be a cardholder.” These restrictions are to ensure the proper use of purchase
   cards.

We identified certain deficiencies, in addition to the instances of non-compliance
identified above, that prevent OGC from satisfying the General Accounting Office’s
(GAO) Standards for Internal Control in the Federal Government. For your information
and corrective action, those deficiencies are listed in the attached chart (Attachment A).
In the future, we anticipate conducting a follow-up review to assess the actions you have
taken to satisfy GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OGC managers of inherent vulnerabilities we
identified in two Department procurement systems.

ü Purchase Cards – For efficiency, the Department designed a purchase card system
  where cardholders can order, receive and approve payments for goods and services.
  Consequently, as a control, the Department established approving officials to review
  the use of purchase cards. Therefore, it is important that approving officials properly
  review all cardholder statements, including invoices, before forwarding them to the
  Office of the Chief Financial Officer for payment.

ü Third Party Drafts (TPDs) – An individual with signature authority can issue TPDs
  without the involvement of anyone else. Therefore, it is important that, at a
  minimum, the supervisor of the individual with signature authority conduct periodic
  reviews of drafts issued.

OBJECTIVE

Our review objective was to assess the internal controls to ensure compliance with laws
and regulations for the procurement of goods and services other than studies or
evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters) using TPDs
and purchase cards. We did not conduct testing on OGC’s use of “Corporate”
Government Travel Accounts. We conducted a cash count of OGC’s Imprest fund. We
did not review individual transactions of the Imprest fund.

METHODOLOGY

To achieve our objectives, we conducted interviews with OGC staff involved with the
procurement process, and we reviewed relevant documents. As part of our work, we
reviewed samples of TPDs and purchase card transactions. For our review of TPDs, we
selected a random sample of 20 TPDs issued between October 1998 through September
1999 (FY 1999) and October 1999 through February 2000 (FY 2000). OGC has two
cardholders. We judgmentally selected a sample of monthly purchase card statements
dated between January 1999 and May 2000. Then we selected 25 transactions to review.
We also reviewed OGC’s monthly purchase card statements that were in the Financial
Management Policies and Administrative Programs Group files for the months of
September 1999 and March 2000.

We based our conclusions about OGC's internal controls on information gathered during
our interviews and transaction testing. We conducted our interviews and transaction
testing between May 11, 2000 and August 25, 2000. We assessed OGC's internal
controls based on GAO's Standards for Internal Control in the Federal Government
issued November 1999. Attachment B to this memorandum contains a summary of the
GAO Standards. We conducted our work in accordance with the President's Council on
Integrity and Efficiency Quality Standards for Inspections dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 260-3556.


Attachments


cc:    Deputy Secretary
                                                                           Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exert a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

    ü Precondition – establishment of clear and consistent agency objectives.

    ü Risk assessment – the comprehensive identification and analysis of relevant risks
      associated with achieving agency objectives, like those defined in strategic and
      GPRA annual performance plans, and forming a basis for determining how the
      agency should manage risks.

    ü Risk identification – methods may include qualitative and quantitative ranking
      activities, management conferences, forecasting and strategic planning, and
      consideration of findings from audits and other assessments.

    ü Risk analysis – generally includes estimating the risk’s significance, assessing the
      likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
Internal Control Evaluation Form for the Office of the General Counsel                                          Attachment A

Control Component     Deficiencies
Control Environment   • Training – Cardholders are not inputting their own transactions into EDCAPS because they have not had
                         sufficient training on EDCAPS.

Risk Assessment       •   Identification of Risks – OGC procurement staff were not aware of any formal risk assessment
                          procedures in the procurement area. In addition, the Executive Officer has not been significantly
                          involved with the Federal Managers’ Financial Integrity Act (FMFIA) reporting process.
                      •   Assignment of Risk Levels – The Executive Officer has been assigned a moderate risk level. Most
                          Executive Officers in the Department have been assigned a high risk level.

Control Activities    •   Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                          Service (C:FIM:6-102) dated March 12, 1990, OGC has no written policies and procedures on the
                          purchase card process.
                      •   Non-Compliance – As mentioned in the cover memorandum, we were informed that purchase cards were
                          used by the Executive Officer.
                      •   Separation of Duties – In addition to periodically using the purchase cards, the Executive Officer inputs
                          the purchase card transactions into EDCAPS. No one reviews that input.
                      •   Purchase Cards – We reviewed the September 1999 and the March 2000 statements from OCFO files.
                          Our purpose was to verify that OGC had submitted all its monthly card statements with activity to OCFO
                          and that the approving official had signed the card statements to support OCFO’s Department-wide
                          payments. We also reviewed 25 judgmentally selected purchase card transactions.
                          ♦ Approval of monthly purchase card statements:
                             • For September 1999, one card had activity. The statement for that card was in OCFO’s files and
                                 was signed by the approving official.
                             • For March 2000, both cards had activity. Statements for both cards were in OCFO files and were
                                 signed by the approving official. However, neither card was signed by the cardholder.
                             • Of the 25 statements in OGC’s files dated between January 1999 and May 2000, all were signed
                                 by the approving official but only four were signed by the cardholders.
                   ♦ Split Procurements – As mentioned in the cover memorandum, we identified two acquisitions that
                       appear to have been split.
                      • One card statement had two charges of equal amounts on the same day to the same vendor for the
                          same product. The total of the two charges would have exceeded the cardholder’s single purchase
                          limit. Both charges had the same EDCAPS transaction number.
                      • Another card statement had three charges of equal amounts on the same day to the same vendor.
                          The three charges totaled $5080 which exceeds the micro-purchase threshold. All three charges
                          had the same EDCAPS transaction number.
                   ♦ Recordkeeping – The amount recorded in EDCAPS for both of the acquisitions that appear to have
                       been split were in error. The amounts recorded in EDCAPS exceed the charges by $599 and $470,
                       respectfully.
                 • Third Party Drafts (TPDs) – We reviewed 20 randomly selected TPDs.
                   ♦ Date Stamping – None of the invoices were dated stamped upon receipt. The date of receipt is
                      necessary to determine the payment due date under the Prompt Payment Act.
                   ♦ Prompt Payment – Based on the due date noted on the invoice, one invoice was paid five days late.
                   ♦ Overpayment – Payment to one vendor was miscalculated resulting in a $249.25 overpayment.
                      While we were conducting our review, OGC requested a refund of the overpayment.
                   ♦ Prepayment – OGC prepaid one vendor $350.35.
                   ♦ Documentation – One invoice for $54 was missing.
                 • Imprest Fund:
                   ♦ The cash on hand was $127.05 and $5 in metro fare cards. The balance listed in the records of the
                      fund was $113.73. We were unable to reconcile the difference.
                   ♦ OGC had no written policies and procedures regarding the Imprest fund.

Information &    •   Communication of Key Information – One of the cardholders had heard of the Department’s Directive
Communications       on Commercial Credit Card Service; the other had not.

Monitoring       On-going Monitoring – The supervisor of the individual with signature authority for TPDs does not perform
                 periodic reviews of the drafts issued by OGC.