oversight

OIG Review of OM's Internal Controls Over the Procurement of Goods and Services (A&I 2000-004) Date Issued: 6/26/2000 PDF (48K)

Published by the Department of Education, Office of Inspector General on 2000-06-26.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

MEMORANDUM


TO            :       Willie Gilmore
                      Director
                      Office of Management

FROM          :       John P. Higgins, Jr.
                      Acting Assistant Inspector General
                      Analysis and Inspection Services

SUBJECT        :      Results of the OIG Review of OM's Internal Controls Over the
                      Procurement of Goods and Services (A&I 2000-004)


INTRODUCTION

This memorandum transmits the results of our review of OM's internal controls over the
procurement of goods and services. This review is part of OIG's Department-wide
review of this area. The Department’s management is responsible for establishing and
maintaining internal controls. We will transmit the Department-wide results to the
Deputy Secretary with copies to the Assistant Secretaries when we complete our review.
On June 23, 2000, OIG staff discussed the results of this review with you, your Deputy
Director, Linda Stracke, and your Administrative Staff Director, Keith Berger.

RESULTS

Based on our review, we identified certain deficiencies that prevent OM from satisfying
GAO’s Standards for Internal Control in the Federal Government. For your information
and corrective action, those deficiencies are listed in the attached chart (Attachment A).
In the future, we anticipate conducting a follow-up review to assess the actions you have
taken to satisfy GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OM managers of inherent vulnerabilities we
identified in two Department procurement systems.

ü Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
  to review the use of purchase cards. Therefore, it is important that approving officials
   properly review all cardholder statements, including invoices, before forwarding them
   to OCFO for payment.

ü Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of sample TPDS disbursements.

During our review, we noted that some OM employees assigned purchase cards are
below the minimum grade level (GS-9) required to receive annual ethics training.
Because of their procurement responsibilities, we believe that ethics training would
benefit these employees. Management should require them to attend annual ethics
training.

OTHER MATTERS

During our review, we interviewed some OM and OCFO staff members about contracts
involving the purchase of goods and services. We did not review contract files. Based
on our limited work in this area, we identified the following issues that management
should consider for further review.

       Control Environment – A good internal control environment requires that areas
       of authority and responsibility be clearly defined and reporting lines be clearly
       established. Two of the OM staff that OCFO identified as Contracting Officers
       Technical Representatives (COTRs) were not COTRs. They were Project Task
       Managers that perform duties similar to a COTR but for which there is no specific
       training requirement.

       Risk Assessment – OM is responsible for several contracts involving the
       purchase of goods and services. There is no formal risk assessment process for
       these contracts. OM should review these processes periodically to determine if
       risks have changed and whether it is managing existing risks appropriately.

       Control Activities/Monitoring – Past concerns raised by the OIG in the areas of
       property passes and mail management have not been fully addressed by OM.
       These concerns are contained in an OIG Investigative Advisory Program Report
       on Inventory Management (November 1994), a Management Review of Personal
       Property Management (November 1998) and an OIG Discussion Paper entitled
       “Mail Management” (June 1997).

The Executive Officer discontinued the purchase cards for certain OM employees
because those cardholders were not following proper procedures. Such actions are
appropriate and necessary to maintain an effective control environment.
OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters). Although we
interviewed staff regarding contracts for the purchase of goods and services, we did not
review contract files. We limited testing of accounting records to procurements using the
Third Party Draft System (TPDS) and Purchase Cards. We did not conduct testing on
OM’s use of the “Corporate” Government Travel Account.

METHODOLOGY

To achieve our objectives, we conducted interviews with OM staff who were involved
with the procurement process and reviewed relevant documents. As part of our work, we
reviewed 49 TPDS checks issued between October 1998 through September 1999 (FY
1999) and October 1999 through March 2000 (FY 2000).

We also judgmentally selected a sample of 21 card statements and then selected 49
purchases to review for the periods ending October 16, 1998 and February 16, 2000, thus
disregarding any transactions dated prior to October 1, 1998. The OCFO provided us
with a list of 18 cardholders in Headquarters. We reviewed card statements belonging to
15 of the 18 cardholders in Headquarters. We did not include the card statements of the
cardholder assigned flexiplace outside of Washington, D.C. because we were informed
that the documentation was maintained at the flexiplace. We were informed that two
cardholders did not have activity during the timeframe we were reviewing; therefore, we
did not review any card statements or transactions of those two cardholders.

We based our conclusions about OM's internal controls on the information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between March 20, 2000 and May 2, 2000. We assessed OM's
internal controls based on GAO's Standards for Internal Control in the Federal
Government issued November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspection
dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 205-5439.


Attachments


cc:    Deputy Secretary
                                                                          Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exerts a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment : the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
Internal Control Evaluation Form for the Office of Management                                                 Attachment A


Control Component     Deficiencies
Control Environment   • Assignment of Authority – One purchase cardholder has an approved single purchase limit of $80,000
                         but only has a warrant for $25,000.
                      • Assignment of Authority – One cardholder stated that she had never used her purchase card and was
                         unable to locate the card.
                      • Training – While the cardholders we interviewed had taken the required purchase card training, and
                         some of these cardholders and the Executive Officer had also taken simplified acquisitions training, the
                         staff had not received recent or refresher training.
                      • Training – As noted below, a significant number of purchase card statements were not signed by
                         approving officials. One of the three approving officials we interviewed could not remember taking
                         purchase card training and another stated that additional training would be useful.

Risk Assessment       •   Identification of Risks – OM has no formal procedures for risk assessment in the procurement area. The
                          Executive Officer also informed us that he was not involved in the Federal Managers’ Financial Integrity
                          Act (FMFIA) process.
                      •   Identification of Risks – Two procurement staff members have been assigned a moderate risk level when
                          the employees’ responsibilities suggest that a high-risk level is more appropriate. One procurement staff
                          member has been assigned a low risk level when the employee’s responsibilities suggest that a moderate
                          risk level is more appropriate.

Control Activities    •   Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                          Service (C:FIM:6-102) dated March 12, 1990, OM has no written policies and procedures on the
                          purchase card process.
                      •   Management review – The three approving officials we interviewed told us they reviewed the card
                          statements and signed them. We selected and reviewed 21 card statements of various cardholders from
                          OM files and noted that only 11 were signed by approving officials. We also reviewed the September
                     1999 and March 2000 card statements for OM from files in OCFO.
                           ü Eleven statements had balances in September 1999. One of those statements was missing from
                              the OCFO files. Of the ten statements available for review, five were not signed by an
                              approving official.
                           ü Seventeen statements had balances in March 2000. All seventeen statements were in the OCFO
                              files. Four of the 17 were not signed by an approving official and one was not signed by the
                              cardholder.
                 •   Approval – We reviewed 49 TPDS checks. The supporting document for one $909check was a contract
                     modification. That contract modification was not signed by the Executive Officer.
                 •   Documentation – We reviewed 49 TPDS checks. Documentation for one $830 TPDS check was not
                     available. We reviewed 49 charges to purchase cards. Documentation was not available for two charges
                     ($225 and $17) to purchase cards. Both charges were on the same cardholder’s account.
                 •   Recordkeeping – OM did not have a log to track the TPDS checks assigned to the office. Such a log
                     would allow OM to identify any missing checks.

Information &    •   Communication of Key Information – The procurement staff that we interviewed were not familiar with
Communications       the Department’s Directive on Commercial Credit Card Service.
                 •   Communication of Key Information – The Department’s Directive on Commercial Credit Card Service
                     has not been republished since 1990.

Monitoring       •   On-going Monitoring – The supervisor of the individual with signature authority for TPDS checks does
                     not perform periodic reviews of the EDCAPS reports on the checks issued by OM.
                 •   On-going Monitoring – Two of the three approving officials we interviewed indicated that they did not
                     review the supporting documents for the card statements.