oversight

OIG Review of OPE's Internal Controls Over the Procurement of Goods and Services (A&I 2000-013) Date Issued: 9/19/2000 PDF (40K)

Published by the Department of Education, Office of Inspector General on 2000-09-19.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

MEMORANDUM

TO             :      A. Lee Fritschler
                      Assistant Secretary
                      Office of Postsecondary Education

FROM           :      Mary Mitchelson
                      Assistant Inspector General
                      Analysis and Inspection Services

SUBJECT        :      Results of the OIG Review of OPE's Internal Controls Over the
                      Procurement of Goods and Services (A&I 2000-013)


INTRODUCTION

This is our report of our review of the Office of Postsecondary Education’s (OPE)
internal controls over the procurement of goods and services. This review is part of our
Department-wide review of this area. The Department’s management is responsible for
establishing and maintaining internal controls. We will transmit the Department-wide
results to the Deputy Secretary with copies to the Assistant Secretaries and other senior
staff when we complete our review. On September 7, 2000, Office of Inspector General
(OIG) staff met with you, Francine Picoult, Humphrey Barnes and Yvonne Navalaney to
discuss the results of this review.

RESULTS

During our review of OPE, we identified instances of noncompliance with the Prompt
Payment Act. We found 15 invoices that appear to not have been paid timely as required
by the Act.

We also identified certain deficiencies, in addition to the above instances of
noncompliance, that prevent OPE from satisfying the General Accounting Office’s
(GAO) Standards for Internal Control in the Federal Government. For your information
and corrective action, we have listed those deficiencies in the attached chart (Attachment
A). In the future, we anticipate conducting a follow-up review to assess the actions you
have taken to satisfy GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OPE managers of inherent vulnerabilities we
identified in two Department procurement systems.
ü Purchase Cards – For efficiency, the Department designed a purchase card system
  where cardholders can order, receive and approve payments for goods and services.
  Consequently, as a control, the Department established approving officials to review
  the use of purchase cards. Therefore, it is important that approving officials properly
  review all cardholder statements, including invoices, before forwarding them to the
  Office of the Chief Financial Officer for payment.

ü Third Party Drafts (TPDs) – An individual with signature authority can issue Third
  Party Drafts without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of drafts issued.

During our review, we noted that one staff member assigned a purchase card is below the
grade level (GS-9) required to receive annual ethics training. Because of the employee’s
procurement responsibilities, ethics training would be beneficial to this staff member.
Management should require all procurement staff to attend annual ethics training.

OTHER MATTERS

We were informed that in the past some supervisors were using their staff members’
purchase cards. During our testing, we noted two transactions that indicated someone
other than the cardholder had initiated the transaction. The Executive Office staff
informed us that they were aware of the noncompliance and had informed those involved
to discontinue the practice. It appears that OPE has taken the necessary corrective action
to resolve the noncompliance with Department policy regarding the sharing of purchase
cards.

As described in the scope and methodology section of this report, some drafts issued by
Student Financial Assistance (SFA) are assigned OPE organization codes and thus listed
on OPE’s reports of Third Party Draft activity. OPE should work with SFA and OCFO
to ensure that only drafts issued by OPE are listed on OPE’s reports. In addition, some
SFA and OPE cardholders are listed in OCFO records under the wrong office. OPE
should work with SFA and OCFO to correct the records.

OBJECTIVE

Our review objective was to assess the internal controls to ensure compliance with laws
and regulations for the procurement of goods and services other than studies or
evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters) using TPDs
and purchase cards. We did not conduct testing on OPE’s use of “Corporate”
Government Travel Accounts.
METHODOLOGY

To achieve our objectives, we conducted interviews with OPE staff involved with the
procurement process, and we reviewed relevant documents. As part of our work, we
reviewed samples of TPDs and purchase card transactions.

We judgmentally selected a sample of 65 TPDs issued between October 1998 and
February 2000 (FY 1999 and the first five months of FY 2000) from EDCAPS reports on
OPE TPD activity. We were able to review files for 44 of the requested 65 drafts. Files
were not available in OPE for us to review 21 of the drafts.

We later found that some drafts issued by SFA appear on OPE’s EDCAPS reports. The
underlying obligation for some drafts issued by SFA was established when SFA was a
part of OPE. As the drafts are issued by SFA against those obligations, the drafts are
assigned to OPE organizational codes and thus included in the EDCAPS reports on OPE
TPD activity. We found that SFA had issued 16 of the 21 TPDs that were not available
for review in OPE. The remaining five drafts were issued by OPE, but the files could not
be located during the time of our review.

Currently, OPE has 13 purchase cardholders. We reviewed transactions by 12
cardholders since one cardholder had no activity during the period of our review. We
also reviewed transactions by three former cardholders. We judgmentally selected a
sample of monthly purchase card statements dated between December 1999 and June
2000. Then, we selected 50 transactions to review. We also reviewed OPE monthly
purchase card statements that were in the Financial Management Policy and
Administrative Programs Group files for the months of September 1999 and March 2000.

We based our conclusions about OPE's internal controls on the information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between April 19, 2000 and July 28, 2000. We assessed OPE's
internal controls based on GAO's Standards for Internal Control in the Federal
Government issued November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency Quality Standards for Inspections dated
March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please contact me at 260-3556.


Attachments


cc:    Deputy Secretary
                                                                  Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exert a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

ü Precondition – establishment of clear and consistent agency objectives.

ü Risk assessment – the comprehensive identification and analysis of relevant risks
  associated with achieving agency objectives, like those defined in strategic and
  GPRA annual performance plans, and forming a basis for determining how the
  agency should manage risks.

ü Risk identification – methods may include qualitative and quantitative ranking
  activities, management conferences, forecasting and strategic planning, and
  consideration of findings from audits and other assessments.

ü Risk analysis – generally includes estimating the risk’s significance, assessing the
  likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
Internal Control Evaluation Form for the Office of Postsecondary Education                                      Attachment A

Control Component     Deficiencies
Control Environment   • Training – While most of the procurement staff we interviewed had taken simplified acquisition training,
                         the Executive Officer had not; although he had scheduled the training, he had not been able to attend.
                      • Assignment of Authority – The assignment of one of OPE’s employees as an approving official does not
                         comply with the Department’s Directive on Commercial Credit Card Service (C:FIM:6-102) dated
                         March 12, 1990, which states that “an approving official may not be a cardholder.”

Risk Assessment       •   Identification of Risks – OPE has no formal procedures for risk assessment in the procurement area.

Control Activities    •   Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                          Service, OPE has no written policies and procedures on the purchase card process. In January 2000,
                          OPE did provide senior managers and division directors with a list of procurement “questions and
                          answers.”
                      •   Purchase Cards – We reviewed the September 1999 and the March 2000 statements from OCFO files.
                          Our purpose was to verify that OPE had submitted all its monthly card statements with activity to OCFO
                          and that the approving official had signed the card statements to support OCFO’s Department-wide
                          payments. We also judgmentally selected and reviewed 50 purchase card transactions.
                          ♦ Approval of monthly purchase card statements:
                             • For September 1999, ten cards had activity. Five statements were missing from OCFO files.
                                 Four were not signed by the approving official.
                             • For March 2000, ten cards had activity. Two statements were missing from OCFO files. Two
                                 were not signed by the approving official.
                          ♦ Preapproval – We did not find evidence of preapproval on the supporting documentation for 49 of the
                              50 transactions we selected to review.
                          ♦ Authorization – The balance on one card exceeded the cardholder’s monthly purchase limit by
                              $234.09.
                          ♦ Documentation – The supporting documents were missing for one transaction of $33.45.
                          ♦ Recordkeeping – We were unable to trace four of the transactions we selected to review to EDCAPS
                              because EDCAPS transaction numbers were not listed next to the charges on the card statements.
Control Component   Deficiencies
                    • Third Party Drafts (TPDs) – Files were not available for 21 of the 65 TPDs that we judgmentally selected
                       to review from an EDCAPS report on OPE’s TPD activity. Sixteen of those drafts were determined to
                       belong to SFA.
                       ♦ Documentation – Files were not available for five TPDs during our review.
                       ♦ Compliance/Prompt Payment – Out of the 44 invoices we reviewed, 15 do not appear to have been
                           paid timely as required by the Prompt Payment Act.
                       ♦ Date Stamping – The invoices were not date stamped for 25 of the 44 transactions.
                       ♦ Approval – One Form 1164 (employee reimbursement) was not signed by the approving supervisor.

Information &       •   Communication of Key Information – The procurement staff we interviewed were not familiar with the
Communications          Department’s Directive on Commercial Credit Card Service.
                    •   Reporting – The EDCAPS reports on OPE’s TPD activity include drafts issued by SFA.

Monitoring          •   On-going Monitoring – The supervisor of the individual with signature authority for TPDs does not
                        perform periodic reviews of the drafts issued by OPE.