oversight

OIG Review of OUS's Internal Controls Over the Procurement of Goods and Services (A&I 2000-011) Date Issued: 9/19/2000 PDF (39K)

Published by the Department of Education, Office of Inspector General on 2000-09-19.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

MEMORANDUM

TO             :       Frank S. Holleman, III
                       Deputy Secretary
                       Office of the Deputy Secretary

                       Judith A. Winston
                       Acting Under Secretary
                       Office of the Under Secretary


FROM           :       Mary Mitchelson
                       Assistant Inspector General
                       Analysis and Inspection Services

SUBJECT        :       Results of the OIG Review of OUS’s Internal Controls Over the
                       Procurement of Goods and Services (A&I 2000-011)


INTRODUCTION

This is our report of our review of the Office of the Under Secretary’s (OUS) internal
controls over the procurement of goods and services. This review is part of our
Department-wide review of this area. The Department’s management is responsible for
establishing and maintaining internal controls. We will transmit the Department-wide
results to you with copies to the Assistant Secretaries and other senior staff when we
complete our review. On August 11, 2000, Office of Inspector General (OIG) staff met
with Diane Rogers, Chief of Staff to the Deputy Secretary, and Steve Moore, Senior
Management Advisor, to discuss the results of this review.

RESULTS

During our review in OUS, we identified two instances of possible noncompliance with
the Federal Acquisition Regulation (FAR) and current Department policies and
procedures. The FAR requires the solicitation of quotes or offers from a reasonable
number of sources or sole-source justification for any purchase of more than $2,500. We
identified:

•    Undocumented sole-source procurement – A purchase over $2,500 did not have
     documentation to verify that the purchase was made with the solicitation of at least
    three bids or a justification statement for a sole-source purchase. The procurement
    was made with a Third Party Draft for $8,396 to purchase computer equipment.

•   Possible spilt procurement – A single purchase order was prepared for ink and
    transparencies at an estimated cost of $5,800. The purchase was completed with the
    use of three separate invoices for less than $2,500 each issued on the same day from
    the same vendor and charged to the same purchase card.

We also identified three invoices that appeared to not have been paid timely as required
by the Prompt Payment Act. Two invoices were marked either “past due” or “second
request.” We identified another invoice that was dated February 1999, but was paid in
July 1999.

We identified certain deficiencies, in addition to the possible instances of non-compliance
identified above, that prevent OUS from satisfying the General Accounting Office’s
(GAO) Standards for Internal Control in the Federal Government. For your information
and corrective action, those deficiencies are listed in the attached chart (Attachment A).
In the future, we anticipate conducting a follow-up review to assess the actions you have
taken to satisfy GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OUS managers of inherent vulnerabilities we
identified in two Department procurement systems.

ü Purchase Cards – For efficiency, the Department designed a purchase card system
  where cardholders can order, receive and approve payments for goods and services.
  Consequently, as a control, the Department established approving officials to review
  the use of purchase cards. Therefore, it is important that approving officials properly
  review all cardholder statements, including invoices, before forwarding them to the
  Office of the Chief Financial Officer for payment.

ü Third Party Drafts (TPDs) – An individual with signature authority can issue TPDs
  without the involvement of anyone else. Therefore, it is important that, at a
  minimum, the supervisor of the individual with signature authority conduct periodic
  reviews of drafts issued.

OBJECTIVE

Our review objective was to assess the internal controls to ensure compliance with laws
and regulations for the procurement of goods and services other than studies or
evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters) using TPDs
and purchase cards. We did not conduct testing on OUS’s use of the “Corporate”
Government Travel Accounts.
METHODOLOGY

To achieve our objectives, we conducted interviews with OUS staff who were involved
with the procurement process, and we reviewed relevant documents. As part of our
work, we reviewed samples of TPDs and purchase card transactions. For our review of
TPDs, we selected a random sample of 50 TPDs issued between October 1998 through
September 1999 (FY 1999) and October 1999 through February 2000 (FY 2000). We
reviewed the monthly purchase card statements dated between December 1998 and June
2000 for OUS’s three cardholders. Then, we judgmentally selected 50 transactions to
review. We also reviewed OUS monthly purchase card statements that were in the
Financial Management Policies and Administrative Programs Group files for the months
of September 1999 and March 2000.

We based our conclusions about OUS’s internal controls on the information gathered
during our interviews and transaction testing. We conducted our interviews and
transaction testing between May 15, 2000 and July 11, 2000. We assessed OUS’s
internal controls based on GAO’s Standards for Internal Control in the Federal
Government issued November 1999. Attachment B to this memorandum contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency Quality Standards for Inspections dated
March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 260-3556.


Attachments
                                                                           Attachment B

          GAO’s Standards for Internal Control in the Federal Government
                        Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exert a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

    ü Precondition – establishment of clear and consistent agency objectives.

    ü Risk assessment – the comprehensive identification and analysis of relevant risks
      associated with achieving agency objectives, like those defined in strategic and
      GPRA annual performance plans, and forming a basis for determining how the
      agency should manage risks.

    ü Risk identification – methods may include qualitative and quantitative ranking
      activities, management conferences, forecasting and strategic planning, and
      consideration of findings from audits and other assessments.

    ü Risk analysis – generally includes estimating the risk’s significance, assessing the
      likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and Communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
Internal Control Evaluation Form for the Office of the Under Secretary                                          Attachment A


Control Component     Deficiencies
Control Environment   • Assignment of Authority – OCFO records indicate that one OUS cardholder has a single purchase limit
                         of $25,000. Those records also indicate that the cardholder does not have the necessary training or
                         warrant to have such a limit. This cardholder stated that her single purchase limit was $2,500.

Risk Assessment       •   Identification of Risks – OUS has no formal procedures for risk assessment in the procurement area.

Control Activities    •   Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card
                          Service (C:FIM:6-102) dated March 12, 1990, OUS has no written policies and procedures on the
                          purchase card process.
                      •   Purchase cards – OUS has three purchase cardholders. We reviewed the September 1999 and the March
                          2000 statements from OCFO files. Our purpose was to verify that OUS had submitted all its monthly
                          card statements with activity to OCFO and that the approving official had signed the card statements to
                          support OCFO’s Department-wide payments. We also judgmentally selected and reviewed 50 purchase
                          card transactions.
                          ♦ Approval of monthly purchase card statements:
                             • For September 1999, there were two purchase cards that had transaction activity. Only one
                                 statement was located in the OCFO files.
                             • For March 2000, all three purchase cards had transaction activity and were accounted for in the
                                 OCFO files. None of the statements were signed by the approving official. (In our review of
                                 monthly statements in OUS’s files, we found a much higher percentage of statements signed by
                                 the approving official compared to the OUS statements we reviewed in OCFO’s files.)
                          ♦ Documentation – Supporting documents such as invoices and receipts were missing for five
                              transactions.
                          ♦ Compliance/Bids – As mentioned in the cover memorandum, we identified one acquisition that
                              appears to be a spilt purchase to avoid the micro-purchase threshold of $2,500. A single purchase
                              order was prepared for ink and transparencies at an estimated cost of $5,800. The purchase was
                        completed with three sequentially numbered invoices for less than $2,500 each issued on the same
                        day from the same vendor and charged to the same purchase card. All three charges had the same
                        EDCAPS transaction number.
                 •   Third Party Drafts (TPDs) – We reviewed 50 randomly selected TPDs.
                     ♦ Documentation – The file for one of the requested TPDs was not available for review. Supporting
                        documents such as invoices and receipts were missing for six other TPDs.
                     ♦ Compliance/Bids – As mentioned in the cover memorandum, a procurement of $8,396 to purchase
                        computer equipment lacked documentation to verify that this purchase was made with the solicitation
                        of at least three bids or a justification statement for a sole-source purchase.
                     ♦ Approval – Fourteen invoices had no documentation of preapproval by the Executive Officer. Four
                        of those had documentation of preapproval by another individual.
                     ♦ Date Stamping – Four invoices were not date stamped on receipt. The date of receipt is necessary to
                        determine the payment due date under the Prompt Payment Act.
                     ♦ Prompt Payment – We identified three invoices that appear to not have been paid timely as required
                        by the Prompt Payment Act.

Information &    •   Communication of Key Information – The procurement staff that we interviewed were not familiar with
Communications       the Department’s Directive on Commercial Credit Card Service.

Monitoring       •   On-going Monitoring – The supervisor of the individual with signature authority for TPDs does not
                     perform periodic reviews of the drafts issued by OUS.