oversight

OIG Review of SFA's Internal Controls Over the Procurement of Goods and Services Using Third Party Drafts and Purchase Cards (A&I 2000-014) Date Issued: 10/05/2000 PDF (61K)

Published by the Department of Education, Office of Inspector General on 2000-10-05.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

MEMORANDUM


TO             :      Greg Woods
                      Chief Operating Officer
                      Student Financial Assistance


FROM           :      Mary Mitchelson
                      Assistant Inspector General
                      Analysis and Inspection Services


SUBJECT        :      Results of the OIG Review of SFA’s Internal Controls Over the
                      Procurement of Goods and Services Using Third Party Drafts and
                      Purchase Cards (A&I 2000-014)


INTRODUCTION

This memorandum transmits the results of our review of Student Financial Assistance’s
(SFA) internal controls over the procurement of goods and services using Third Party
Drafts and purchase cards. This review is part of OIG's Department-wide review of this
area. The Department’s management is responsible for establishing and maintaining
internal controls. We will provide a summary report of the Department-wide results to
the Deputy Secretary with copies to the Assistant Secretaries and other senior staff when
we complete our review. On October 4, 2000, OIG staff met with you and members of
your procurement staff to discuss the results of this review.

RESULTS

We identified significant noncompliance with current Department policies and
procedures:

Ø Many monthly purchase card statements were not reviewed by an Approving Official.

     We were informed that the Approving Officials had not been receiving, reviewing
     and signing all the monthly purchase card statements before forwarding the
     statements to the Office of the Chief Financial Officer (OCFO) for payment. We
     reviewed records in SFA and OCFO for a period of six months (one month in FY99
   and five months in FY00). For any given month, we determined that at least half of
   the purchase card statements were not reviewed by Approving Officials.

   The Departmental Directive Commercial Credit Card Service dated March 12, 1990
   requires that the Approving Official review and sign the cardholders’ monthly
   purchase card statements and then forward the signed statements to OCFO for
   payment. The Department’s policy is based on requirements in the Treasury
   Financial Manual. The review by Approving Officials is necessary to ensure that all
   charges on the statement are proper.

Ø Supporting documentation on some Third Party Drafts was not available for review.

   Supporting documentation (copies of drafts, invoices, receipts, purchase orders) for
   22 of the 57 drafts that we judgmentally selected to review from SFA’s EDCAPS
   report on Third Party Payment activity were not available for us to review. These 22
   drafts totaled $47,333. Without documentation there is no assurance that these
   charges are appropriate.

   The Department’s Third Party Draft Operating Procedures Manual dated May 1999
   states:

       Government regulations require these documents (copies of the drafts,
       invoices/SF-1164s) be filed on site for a period of one year, readily
       accessible for an additional two years, and archived for three more years.

In addition, we want to advise you and SFA managers of an inherent vulnerability we
identified in the Third Party Draft System. An individual with signature authority can
issue Third Party Drafts without the involvement of anyone else. Therefore, it is
important that, at a minimum, a supervisor without signature authority periodically
review drafts issued.

We identified other deficiencies in SFA’s internal control, which are described in
Attachment A. The non-compliance described above and the deficiencies listed in the
attachment prevent SFA from satisfying the General Accounting Office (GAO)
Standards for Internal Control in the Federal Government. In the future, we anticipate
conducting a follow-up review to assess the actions you have taken to satisfy these
standards.

OTHER MATTERS

Ethics training for all cardholders – During our review, we noted that some SFA staff
assigned purchase cards are below the minimum grade level (GS-9) required to receive
annual ethics training. Because of their procurement responsibilities, ethics training
would benefit these employees. Management should consider requiring them to attend
annual ethics training.
Third Party Drafts listed on OPE’s reports – Some drafts issued by SFA are assigned
Office of Postsecondary Education (OPE) organization codes and thus are listed on
OPE’s reports of Third Party Draft activity. SFA should work with OPE and OCFO to
ensure that drafts issued by SFA are listed on SFA’s reports.

Errors on OCFO records of cardholders – Some SFA and OPE cardholders are listed in
OCFO records under the wrong office. SFA should work with OPE and OCFO to correct
the records.

OBJECTIVE, SCOPE AND METHODOLOGY

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.
We limited our work to procurements in Washington, D.C. (Headquarters) using the
Third Party Drafts and purchase cards. We did not conduct testing on SFA’s use of
“Corporate” Government Travel Accounts. Third Party Drafts are used in certain student
financial assistance loan program transactions. Since these transactions are not
procurements, we did not include them in our review.

To achieve our objectives, we conducted interviews with SFA staff involved with the
procurement process, and we reviewed relevant documents. As part of our work, we
reviewed samples of Third Party Draft and purchase card transactions.

Third Party Drafts listed on SFA’s Reports – We judgmentally selected a sample of 57
drafts issued between October 1998 through February 2000 (FY99 and the first five
months of FY00) from EDCAPS reports on SFA’s Third Party Draft activity. Supporting
documentation (copies of drafts, invoices, receipts, and purchase orders) were not
available during fieldwork for 22 of the 57 drafts.

Third Party Drafts not listed on SFA’s Reports – During our review of OPE, we
determined that 16 of the drafts selected for our sample from EDCAPS reports on OPE’s
Third Party Draft activity were actually issued by SFA. The drafts were assigned
organizational codes under OPE and thus appeared on OPE’s EDCAPS reports rather
than on SFA’s EDCAPS reports. Supporting documentation (copies of drafts, invoices,
receipts, and purchase orders) were not available during fieldwork for 3 of the 16 drafts.

Purchase Cards Statements – SFA has approximately 30 Headquarters cardholders and
40 Regional cardholders. As mentioned in the “Results” section of this report,
Approving Officials were not receiving all of the monthly purchase card statements. The
Approving Officials keep a copy of the monthly purchase card statements that they
receive in their files. We inventoried purchase card statements located in the Approving
Officials’ files for six months: September 1999 (FY99) and November 1999 through
March 2000 (FY00). We then compared our results to the Department’s monthly
purchase card bills in OCFO’s files to determine which statements were missing from the
Approving Officials’ files. We limited our review to cardholders located at
Headquarters. We identified 20 statements belonging to Headquarters cardholders that
had activity but were not in the Approving Officials’ files. By the end of our fieldwork,
SFA provided us with 14 of the 20 statements. Subsequent to our work in SFA we were
provided with four of the six remaining statements which we did not include in the
transaction sampling.

Purchase Card Transactions – We judgmentally selected 20 purchases from the purchase
card statements originally in the Approving Official’s files. In addition, we judgmentally
selected 19 purchases and three credits from the 14 purchase card statements that were
not originally in the Approving Officials’ files but were produced during our fieldwork.

We based our conclusions about SFA's internal controls from information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between May 1, 2000 and August 25, 2000. We assessed SFA's
internal controls based on GAO's Standards for Internal Control in the Federal
Government issued November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspections
dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 260-3556.

Attachments

cc:    Deputy Secretary
                                                                   Attachment B

GAO’s Standards for Internal Control in the Federal Government
Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exert a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

    ü Precondition – establishment of clear and consistent agency objectives.

    ü Risk assessment – the comprehensive identification and analysis of relevant risks
      associated with achieving agency objectives, like those defined in strategic and
      GPRA annual performance plans, and forming a basis for determining how the
      agency should manage risks.

    ü Risk identification – methods may include qualitative and quantitative ranking
      activities, management conferences, forecasting and strategic planning, and
      consideration of findings from audits and other assessments.

    ü Risk analysis – generally includes estimating the risk’s significance, assessing the
      likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
Internal Control Evaluation Form for Student Financial Assistance (SFA)                                            Attachment A


Control Component     Deficiencies
Control Environment   • Overall — We identified significant noncompliance with current Department policies and procedures
                         regarding purchase cards. While OCFO did not ensure that Approving Officials reviewed monthly
                         purchase card statements, SFA was ultimately responsible for ensuring that transactions complied with
                         laws and regulations. Review of the monthly purchase card statement as described in the Department’s
                         Directive on Commercial Credit Card Service would provide reasonable assurance that purchase card
                         transactions comply with laws and regulations.

                      •   Assignment of Authority — The assignment of Approving Officials in SFA does not comply with the
                          Department’s Directive on Commercial Credit Card Service. OCFO’s records of purchase cardholders
                          list two Approving Officials and more than 70 cardholders. One Approving Official is the Executive
                          Officer and the other is a cardholder. The Executive Officer serves as the Approving Official only for
                          the other Approving Official/cardholder.
                          3 The assignment of one Approving Official does not comply with the Department’s Directive, which
                               states that “an Approving Official may not be a cardholder.” In addition, the Approving Official/
                               cardholder is not at the managerial level required by the Directive. The Directive states: “The duties
                               of the Approval Official shall not be delegated lower than an office head or service area director.”
                          ü With OCFO’s knowledge, part of the workload of the Approving Official/cardholder was given to
                               another cardholder. This other cardholder also does not meet the requirements in the Directive for an
                               Approving Official.
                          ü Even with their duties split, these individuals are responsible for more cardholders than most of the
                               other Approving Officials in the Department.

                      •   Training — The Executive Officer, who has responsibility for procurement, has not taken formal
                          procurement training. In addition, all procurement staff could benefit from refresher training.
Control Component    Deficiencies
Risk Assessment      • Identification of Risks — Currently, SFA has no formal procurement risk assessment procedures. In
                        addition, the Executive Officer has not been involved with the Federal Managers’ Financial Integrity Act
                        (FMFIA) reporting process.

                     •   Identification of Risks — Some staff have been assigned moderate risk levels when their procurement
                         responsibilities and authority suggest a higher risk level may be warranted.

Control Activities   •   Policies and Procedures — Although required by the Department’s Directive on Commercial Credit
                         Card Service, SFA has no written purchase card policies and procedures.

                     •   Documentation — Files were not easily accessible to SFA staff as the files were in boxes from a prior
                         office move. Some documentation was not available for review.

                     •   Purchase Cards
                         ü Incomplete review of monthly statements by Approving Officials.
                            ♦ The Approving Officials stated that many cardholders sent their statements directly to OCFO
                               instead of forwarding the statements to them for review.
                            ♦ We inventoried purchase card statements for FY 99 (September 1999) and FY 00 (November
                               1999 through March 2000) located in the Approving Officials’ files and compared our results to
                               OCFO’s monthly purchase card bills to determine which statements were missing from the
                               Approving Officials’ files. For any given month at least half of the statements with purchase card
                               activity were missing from the Approving Officials’ files.
                            ♦ Five of the six monthly statements of the cardholder with the largest monthly purchase balance
                               were not in the Approving Officials’ files. That cardholder’s monthly balance was as high as
                               $96,925.38.
                         ü Documentation — We requested SFA to obtain 20 statements belonging to Headquarters’
                            cardholders that were not originally in the Approving Officials’ files. SFA was able to obtain 14 of
                            the statements prior to our finishing fieldwork on August 25, 2000. Subsequent to the completion of
                            our fieldwork, we were provided with four of the six remaining statements.
Control Component   Deficiencies
                       ü Purchase Card Sharing — During our review of purchase card statements, we noted invoices where
                           the name of the person ordering was not the cardholder. This situation may indicate that employees
                           were sharing purchase cards. The Department’s Directive states: “Each card has the cardholder’s
                           name embossed on it and may be used only by that person. No one else is authorized to use the
                           card.”

                    •   Purchase Card Transactions from Statements found in Approving Officials’ Files — We reviewed 19
                        transactions judgmentally selected from statements in the Approving Officials’ files.
                        3 Preapproval — Six of 19 transactions had written evidence that the purchase was approved by a
                            supervisor before it was executed.
                        3 Documentation — One transaction was larger than the $2,500 micro purchase threshold. The FAR
                            requires the solicitation of quotes or offers from a reasonable number of sources or sole-source
                            justification for any purchase of more than $2,500. No documentation was available to verify that
                            the purchase was made with the solicitation of at least three bids or a justification statement for a
                            sole-source purchase.

                    •   Purchase Card Transactions from Statements Not Originally in Approving Officials’ Files — We
                        judgmentally selected 19 charges to review. No supporting documents (invoices, receipts or purchase
                        orders) were attached for five of those transactions.
                        3 Preapproval — Of the 14 with documentation, four transactions had written evidence that the
                            purchase was approved by a supervisor before it was executed.
                        ü Recording — EDCAPS transaction numbers were not listed on the card statements for three
                            transactions. The three transactions were recorded on three different statements belonging to two
                            cardholders.
                        ü Documentation — Nine transactions were larger than the $2,500 micro purchase threshold. The FAR
                            requires the solicitation of quotes or offers from a reasonable number of sources or sole-source
                            justification for any purchase of more than $2,500.
                           • One of those transactions was missing all supporting documents.
                           • Six others lacked documentation to verify that the purchase was made with the solicitation of at
                               least three bids or a justification statement for a sole-source purchase.
Control Component   Deficiencies
                    • Third Party Drafts listed on SFA’s EDCAPS reports — We judgmentally selected 57 drafts to review.
                       Files could not be found for 22 of the drafts during fieldwork. We were able to review supporting
                       documentation for 35 drafts.
                       3 Preapproval — All but two transactions had written evidence that the purchase was approved by a
                           supervisor before it was executed.
                       3 Date stamping — 18 invoices were not date stamped when received or paid.
                       ü Prompt payment — In 14 instances, invoices do not appear to have been paid timely as required by
                           the Prompt Payment Act.
                       3 Documentation — In 8 instances, drafts did not have one of the following required documentation to
                           verify purchase transactions: invoice, purchase order or packing slip.
                       3 Policy on use of drafts — The Department strongly encourages all principal offices to maximize
                           purchase card use, because each card usage saves ED substantial processing costs as opposed to other
                           payment mechanisms . In 22 instances, SFA may have been able to use the corporate purchase card,
                           electronic fund transfer or Treasury checks instead of a draft.

                    •   Third Party Drafts listed on OPE’s EDCAPS reports — During work in OPE, we selected 16 drafts from
                        OPE’s EDCAPS reports that were determined to be SFA drafts. Files could not be found for 3 of those
                        drafts. We were able to review supporting documentation for 13 drafts.
                        ü Date stamping — 5 were missing date stamps.
                        ü Prompt payment — One invoice was marked “Past Due Notice.”

Information &       •   Communication of Key Information — Only one member of the procurement staff that we interviewed
Communications          was familiar with the Department’s Directive on Commercial Credit Card Service.

                    •   Recordkeeping — The EDCAPS reports on OPE’s Third Party Draft activity include drafts issued by
                        SFA.

Monitoring          •   On-going Monitoring — SFA managers do not periodically review drafts issued as required by the
                        Department’s Third Party Draft Operating Procedures Manual issued May 1999.