oversight

OIG Review of OSERS' Internal Controls Over the Procurement of Goods and Services (A&I 2000-005) Date Issued: 7/19/2000 PDF (56K)

Published by the Department of Education, Office of Inspector General on 2000-07-19.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

MEMORANDUM

TO             :      Judith E. Heumann
                      Assistant Secretary
                      Office of Special Education and Rehabilitative Services

FROM           :      John P. Higgins, Jr.
                      Acting Assistant Inspector General
                      Analysis and Inspection Services

SUBJECT        :      Results of the OIG Review of OSERS’ Internal Controls Over the
                      Procurement of Goods and Services (A&I 2000-005)


INTRODUCTION

This memorandum transmits the results of our review of OSERS’ internal controls over
the procurement of goods and services. This review is part of OIG’s Department-wide
review of this area. The Department’s management is responsible for establishing and
maintaining internal controls. We will transmit the Department-wide results to the
Deputy Secretary with copies to the Assistant Secretaries and other senior staff when we
complete our review. On July 7, 2000, OIG staff met with you and your Deputy, Curtis
Richards, to discuss the results of this review. On July 13, 2000, OIG staff completed
their briefing with you, Mr. Richards, Andrew Pepin, Paul O’Connell and Linda Cornett.

RESULTS

During our review, we identified within OSERS an area of noncompliance with current
Department policies and procedures for the Purchase Card Program. Purchase cards have
been shared among employees in OSERS with management’s knowledge. The
Department’s Directive on Commercial Credit Card Service states: “Each card has the
cardholder’s name embossed on it and may be used only by that person. No one else is
authorized to use the card.”

We also identified four instances of possible noncompliance with the Federal Acquisition
Regulation (FAR) and current Department policies and procedures. The FAR requires
the solicitation of quotes or offers from a reasonable number of sources or sole-source
justification for any purchase of more than $2,500. We identified four purchases over
$2,500 in fiscal year 1999 where there was no documentation to verify that these
purchases were made with the solicitation of at least three bids or to justify a sole-source
purchase. The four purchases were from (1) Blazie Engineering Inc. for $9,653 for
Braille equipment, (2) Future Enterprises Inc. for $7,051 for a projector, (3) Colorcraft
for $3,035 for brochures, and (4) Marriott Hotels for $2,641 for meeting room space.

Based on our review, we identified certain internal control deficiencies, in addition to the
compliance issues described above, that prevent OSERS from satisfying the General
Accounting Office (GAO) Standards for Internal Control in the Federal Government.
For your information and corrective action, those deficiencies are listed in the attached
chart (Attachment A). In the future, we anticipate conducting a follow-up review to
assess the actions you have taken to satisfy GAO’s Standards for Internal Control in the
Federal Government.

In addition, we want to advise you and OSERS managers of inherent vulnerabilities we
identified in two Department procurement systems.

ü Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
  to review the use of purchase cards. Therefore, it is important that approving officials
  properly review all cardholder statements, including invoices, before forwarding them
  to the Office of the Chief Financial Officer (OCFO) for payment.

ü Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that,
  at a minimum, the supervisor of the individual with signature authority conduct
  periodic reviews of TPDS disbursements.

During our review, we noted that some OSERS employees assigned purchase cards are
below the minimum grade level (GS-9) required to receive annual ethics training.
Because of their procurement responsibilities, we believe that ethics training would
benefit these employees. Management should require them to attend annual ethics
training.

OTHER MATTERS

OSERS is responsible for several contracts. One contract with Educational Services, Inc.
allows the contractor to purchase laptop computers for use by reviewers. Based on our
limited work in this area, we identified the following issues related to contracts:

       Risk Assessment – There is no formal risk assessment process for contracts.
       OSERS should conduct a review periodically to determine if risks have changed
       and whether it is managing existing risks appropriately.

       Control Activities – We were informed that the Contracting Officer’s Technical
       Representative (COTR) has not obtained a listing of equipment purchased under
       the Educational Services, Inc. contract. An inventory of the equipment purchased
       under the contract would be useful to ensure that the equipment is properly
       disposed of when the contract expires.

During our review, we identified the following practice that we believe strengthens
internal controls:

       Control Activities – In March 2000, the Executive Officer of OSERS
       implemented a policy requiring that all monthly purchase card statements include
       a certification statement signed by the cardholders and their supervisors. Such a
       certification statement is a method for cardholders and their supervisors to
       acknowledge responsibility for executing transactions in accordance with
       applicable laws and regulations.

OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters). Although we
interviewed staff regarding contracts for the purchase of goods and services, we did not
review contract files. We limited testing of accounting records to procurements using
the Third Party Draft System (TPDS) and Purchase Cards. We did not conduct testing on
OSERS’ use of the “Corporate” Government Travel Account.

METHODOLOGY

To achieve our objectives, we conducted interviews with OSERS staff who were
involved with the procurement process, and we reviewed relevant documents. As part of
our work, we reviewed samples of TPDS checks and purchase card transactions. For
TPDS, we selected a random sample of 50 TPDS checks issued between October 1998
through September 1999 (FY 1999) and October 1999 through January 2000 (FY 2000).
OSERS had eight (8) cardholders located in Headquarters. We judgmentally selected a
sample of 16 monthly card statements dated between October 16, 1998 and February 16,
2000. Then we selected 50 transactions (47 purchases and 3 credits) to review. In
selecting our sample, we did not include any transactions dated prior to October 1, 1998.
We also reviewed OSERS’ monthly card statements that were in OCFO’s files for the
months of September 1999 and March 2000.

We based our conclusions about OSERS’ internal controls on the information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between March 13, 2000 and May 3, 2000. We assessed OSERS’
internal controls based on GAO’s Standards for Internal Control in the Federal
Government issued November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspection
dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 205-5439.

Attachments

cc:    Deputy Secretary
                                                                          Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exerts a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment : the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
                                                                                                                  Attachment A

Internal Control Evaluation Form for the Office of Special Education and Rehabilitative Services

Control Component     Deficiencies
Control Environment   • Training
                         3 OSERS has two cardholders who have not taken the required purchase card training. In addition, all
                             procurement staff could benefit from refresher training.

Risk Assessment       •   Identification of Risks
                          3 OSERS has no formal procedures for risk assessment in the procurement area.
                          3 One Director has had only a low risk background investigation completed while the Director’s
                             position has been designated high risk. On April 7, 2000, OIG sent a memorandum to OSERS’
                             Executive Officer requesting forms for a higher level investigation for this Director. As of July 6,
                             2000, OIG had not received the requested forms. This Director also is a current purchase cardholder.
                          3 Two purchase cardholders have been assigned to lower risk security levels than are appropriate based
                             on the employees’ responsibilities.

Control Activities    •   Policies and Procedures
                          3 The Department’s Directive on Commercial Credit Card Service (C:FIM:6-102) dated March 12,
                             1990 requires that Principal Offices establish internal procedures on the safeguarding and authorized
                             use of credit cards. Although OSERS’ Executive Officer and Budget Analyst convey Federal
                             Acquisition Regulation purchasing guidance via electronic mail, OSERS has no written policies and
                             procedures on the purchase card process. During our review, one cardholder was uncertain about the
                             order of the approval process for purchases.

                      •   Third Party Draft System (TPDS) Checks
                          3 During the period of our review, OSERS issued multi-TPDS checks to pay for invoices over $10,000.
                             The Executive Officer informed us that OSERS has discontinued this practice and is now handling
                             invoices over $10,000 by electronic funds transfer or “Treasury” checks.
                          3 In a random sample of 50 TPDS checks, we noted that all 50 TPDS checks were approved by the
                             Executive Officer and the invoices had been dated stamped. However, in two instances, invoices
      were not paid timely. One invoice totaled $5,000 and was four days late, thus resulting in minimal
      penalty interest. The other invoice totaled $330 and was 17 days late; however, no penalty interest
      was noted as being paid. In a February 1998 OCFO memorandum to OSERS, it was noted that three
      invoices were paid too late and, in 46 instances, invoices were paid too early. Under the Prompt
      Payment Act, invoices are due either on the date specified in the contract, or the invoices are to be
      paid within 30 days after receipt, but no sooner than seven days prior to the due date.
    3 The supporting invoice for one “Claim for Reimbursement for Expenditures on Official Business”
      posed questions that OSERS staff were unable to resolve. The claim was for the purchase of
      software. The billing and shipping information on the invoice was to an individual with the same
      surname as the employee submitting the claim. The address on the invoice was a non-ED address.
      OSERS staff told us that they thought that the individual named on the invoice is the spouse of the
      employee. During the process of approving the claim, an explanation of the invoice should have
      been added to the supporting documents.

•    Approval of Monthly Purchase Card Statements
     3 We reviewed the September 1999 and March 2000 OSERS card statements from OCFO files. Our
       purpose was to verify that OSERS had submitted all its monthly card statements with activity to
       OCFO and that the Approving Official had signed the card statements.
       • Seventeen cards had activity in September 1999. We noted the following:
          3 Six (6) card statements were not in OCFO’s files.
          3 The Approving Official did not sign three (3) regional card statements.
       • Eighteen cards had activity in March 2000. We noted the following:
          3 All 18 card statements were in OCFO’s files.
          3 The Approving Official did not sign one (1) Headquarters card statement.

•   Recordkeeping – Purchase Cards
    3 We reviewed 16 card statements. Twelve were not reconciled by the cardholder to the EDCAPS log.
      Nine (9) of the 12 were reconciled to the cardholders’ own logs. We were unable to reconcile two of
      the remaining card statements.
    3 We reviewed 50 purchase card transactions:
       • In three instances, documentation was incomplete.
           3 For a purchase of $3,035, documentation consisted of a delivery ticket without a purchase
              price.
                            3 For a purchase of $1,781, documentation consisted of a credit card slip without the vendor’s
                                name.
                            3 For a purchase of $1,663, supporting invoices only totaled $1,647, a difference of $16.
                        •   As mentioned in the cover memorandum, we identified four transactions that were over $2,500.
                            There was no documentation to verify that these purchases were made with the solicitation of at
                            least three oral bids or to justify a sole-source purchase.

                 •   Authorization
                     ü As mentioned in the cover memorandum, although prohibited by the Department’s Directive on
                       Commercial Credit Card Services, purchase cards were shared among employees.

Information &    •   Communication of Key Information
Communications       3 OSERS’ procurement staff were unfamiliar with the Department’s Directive on Commercial Credit
                       Card Services.

Monitoring       •   On-going Monitoring
                     3 The supervisor of the individual with signature authority for TPDS checks does not perform periodic
                        reviews of the EDCAPS reports on the checks issued by OSERS.