OIG Review of OIIA's Internal Controls Over the Procurement of Goods and Services (A&I 2000-008)
Date Issued: 8/18/2000

Published by the Department of Education, Office of Inspector General on 2000-08-18.

MEMORANDUM

TO             :      G. Mario Moreno
                      Assistant Secretary
                      Office of Intergovernmental and Interagency Affairs

FROM           :      John P. Higgins, Jr.
                      Acting Assistant Inspector General
                      Analysis and Inspection Services

SUBJECT        :      Results of the OIG Review of OIIA’s Internal Controls Over the
                      Procurement of Goods and Services (A&I 2000-008)


INTRODUCTION

This memorandum transmits the results of our review of OIIA’s internal controls over the
procurement of goods and services. This review is part of OIG's Department-wide
review of this area. The Department’s management is responsible for establishing and
maintaining internal controls. We will transmit the Department-wide results to the
Deputy Secretary with copies to the Assistant Secretaries and other senior staff when we
complete our review. On August 10, 2000, OIG staff met with you, your Chief of Staff,
Connie Jameson, and your Executive Officer, Norman Hall, to discuss the results of this
review.

RESULTS

During our review in OIIA, we identified instances of possible noncompliance with the
Federal Acquisition Regulation (FAR) and current Department policies and procedures:

•    The FAR requires the solicitation of quotes or offers from a reasonable number of
     sources or sole-source justifications for any purchase of more than $2,500. In our
     sample of TPDS checks there were fourteen transactions that were over $2,500. Six
     of the transactions had no documentation to verify that these purchases were made
     with the solicitation of at least three bids or to justify a sole-source purchase.

•    We also identified eleven invoices that appear to not have been paid timely as
     required by the Prompt Payment Act.

We identified certain deficiencies, in addition to the instances of possible non-compliance
identified above, that prevent OIIA from satisfying GAO’s Standards for Internal
Control in the Federal Government. For your information and corrective action, those
deficiencies are listed in the attached chart (Attachment A). In the future, we anticipate
conducting a follow-up review to assess the actions you have taken to satisfy GAO’s
Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OIIA managers of inherent vulnerabilities we
identified in two Department procurement systems.

✓ Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
  to review the use of purchase cards. Therefore, it is important that approving officials
  properly review all cardholder statements, including invoices, before forwarding them
  to OCFO for payment.

✓ Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of TPDS disbursements.

During our review, we noted that two OIIA employees assigned purchase cards are below
the minimum grade level (GS-9) required to receive annual ethics training. Because of
their procurement responsibilities, we believe that ethics training would be beneficial to
these employees. Management should require them to attend annual ethics training.

OTHER MATTERS

OIIA has Contribution Accounts containing donations in support of activities such as the
Presidential Scholars program and satellite town meetings. According to OIIA staff, the
Office of the General Counsel (OGC) is aware of the Contribution Accounts; however,
these accounts should be audited on a regular basis.

OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters). Although we
interviewed staff regarding contracts for the purchase of goods and services, we did not
review contract files. We limited testing of accounting records to procurements using
the Third Party Draft System (TPDS) and purchase cards. We did not conduct testing on
OIIA’s use of “Corporate” Government Travel Accounts.

METHODOLOGY

To achieve our objective, we conducted interviews with OIIA staff who were involved
with the procurement process and we reviewed relevant documents. As part of our work,
we reviewed samples of TPDS checks and purchase card transactions. For the TPDS, we
selected a random sample of 50 TPDS checks issued from October 1998 through
September 1999 (FY 1999) and from October 1999 through February 2000 (FY 2000). There
are seven cardholders in Headquarters. We judgmentally selected a sample of
transactions from purchase card statements dated from January 1999 through May
2000. Then we selected 71 transactions to review. We also reviewed OIIA monthly
purchase card statements that were in the Financial Management Policy and
Administration Group files for the months of September 1999 and March 2000.

We based our conclusions about OIIA’s internal controls on the information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between May 23, 2000 and July 18, 2000. We assessed OIIA's
internal controls based on GAO's Standards for Internal Control in the Federal
Government, issued in November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspection
dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 205-5439.


Attachments


cc:    Deputy Secretary

                                                                          Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    ✓ Management and staff maintain and demonstrate integrity and ethical values.

    ✓ Management maintains an active commitment to competence.

    ✓ Management’s philosophy and operating style exerts a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    ✓ Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    ✓ Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    ✓ Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment: the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.

•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    ✓ The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    ✓ Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    ✓ An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    ✓ Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    ✓ Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    ✓ Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    ✓ Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.

                                                                          Attachment A

Internal Control Evaluation Form for the Office of Intergovernmental and Interagency Affairs


Control Component     Deficiencies

Control Environment   • Assignment of Authority – According to OCFO records, three cardholders with spending limits in excess
                        of $2,500 do not have warrants nor have they taken the small purchase training required to obtain a
                        warrant.
                      • Training – One cardholder has not taken purchase card training; however, the cardholder has taken small
                        purchase training. All procurement staff could benefit from refresher training.
                      • Human Resources – One cardholder was not allowed to include purchase card responsibilities as a GPAS
                        rating element because management had characterized the responsibility as “just ordering supplies.”

Risk Assessment       • Identification of Risks – The Executive Officer and other procurement staff should have a more
                        significant role in OIIA’s Federal Managers’ Financial Integrity Act (FMFIA) reporting process.

Control Activities    • Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                        Service (C:FIM:6-102) dated March 12, 1990, OIIA has no written policies and procedures on the
                        purchase card process.
                      • Policies and Procedures – OIIA appears to make several sole-source procurements. For instance, we
                        noticed that all but one of the TPDS purchases that we reviewed that were over $2,500 and had
                        supporting documentation were sole-source.
                      • Policies and Procedures – According to the Department’s simplified acquisition procedures,
                        micro-purchases (under $2,500) are to be distributed “equitably among qualified suppliers.” As a result of
                        reviewing the card statements for Headquarters for the period of January 1999 to May 2000, we noticed
                        that OIIA used the GSA Supply Service Center 7 times and used Office Depot 127 times.
                      • Policies and Procedures – Cardholders should be recording purchases into EDCAPS at the time an order
                        is placed; instead, the two approving officials have been recording purchases into EDCAPS during their
                        review of the card statements.
                      • Purchase Cards – We reviewed the September 1999 and the March 2000 statements from OCFO files.
                        Our purpose was to verify that OIIA had submitted all of its monthly card statements with activity to
                        OCFO and that the approving official had signed the card statements. We also reviewed 71 judgmentally
                        selected purchase card transactions.
                        ♦ Approval of monthly purchase card statements – The Executive Officer, one of two approving
                          officials, informed us that he does not sign the statements because there is only one line for a
                          signature on the statements. He assumed that the line was for the cardholder.
                          • For September 1999, 14 cards had balances. One statement was missing from OCFO files. None
                            of the statements were signed by an approving official.
                          • For March 2000, 16 cards had balances. All the statements were in OCFO files. None of the
                            statements were signed by an approving official. In addition, seven were not signed by the
                            cardholder.
                        ♦ Approval – We were told that the Director/Team Leader, Executive Officer and Assistant
                          Secretary/Chief of Staff approved purchases. This OIIA pre-approval policy was not consistently
                          followed based on the results of our review.
                          • Director/Team Leader approved 55 out of 71 samples reviewed.
                          • Executive Officer approved 69 out of 71 samples reviewed.
                          • Assistant Secretary/Chief of Staff approved 42 out of 71 samples reviewed.
                        ♦ Documentation – Supporting documents such as invoices and receipts were missing for 20
                          transactions, one of which was also missing the office request form.
                      • TPDS Checks – We reviewed 50 randomly selected TPDS checks.
                        ♦ Documentation – The file for one of the TPDS checks was not available for review. Principal Office
                          copies of checks were missing for six TPDS checks, which were employee reimbursements.
                        ♦ Compliance/Bids – As mentioned in the cover memorandum, we identified 14 transactions that were
                          over $2,500. There was no documentation to verify that six of these purchases were made with the
                          solicitation of at least three oral bids or to justify a sole-source purchase.
                        ♦ Approval – Eight purchases had no documentation of preapproval by the Executive Officer.
                        ♦ Date Stamping – 37 invoices were not date stamped on receipt.
                        ♦ Compliance/Prompt Payment – As mentioned in the cover memorandum, we identified 11 invoices
                          that appear to not have been paid timely.
                        ♦ Compliance/Reimbursable Costs – Commuting costs were not deducted from two employee
                          reimbursements for local travel nor was there an explanation of why such costs were not deducted.
                      • Safeguarding of Assets – While OIIA maintains a log for metro cards supplied to staff members, the
                        cards are not numbered and the dollar balances are not recorded when cards are issued.

Information &         • Communication of Key Information – The Executive Officer stated that he was familiar with the
Communications          Department’s Directive on Commercial Credit Card Service (C:FIM:6-102) dated March 12, 1990;
                        however, the rest of the procurement staff that we interviewed were not familiar with the Directive.

Monitoring            • On-going Monitoring – The supervisor of the individual with signature authority for TPDS checks does
                        not perform periodic reviews of the EDCAPS reports on the checks issued by OIIA.