oversight

OIG Review of OVAE's Internal Controls Over the Procurement of Goods and Services Date Issued: 4/18/2000 PDF (36K)

Published by the Department of Education, Office of Inspector General on 2000-04-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

MEMORANDUM

TO             :      Patricia W. McNeil
                      Assistant Secretary
                      Office of Vocational and Adult Education

FROM           :      John P. Higgins, Jr.
                      Acting Assistant Inspector General
                      Analysis and Inspection Services

SUBJECT        :      Results of the OIG Review of OVAE's Internal Controls Over the
                      Procurement of Goods and Services

INTRODUCTION

This memorandum transmits the results of our review of OVAE's internal controls
over the procurement of goods and services. This review is part of OIG's
Department-wide review of this area. The Department’s management is
responsible for establishing and maintaining internal controls. We will transmit
the Department-wide results to the Deputy Secretary with copies to the Assistant
Secretaries when we complete our review. On April 11, 2000, OIG staff
discussed the results of this review with you and your Acting Deputy Assistant
Secretary, Robert Muller.

RESULTS

Based on our review, we identified certain deficiencies that prevent OVAE from fully
satisfying GAO’s Standards for Internal Control in the Federal Government. For your
information and corrective action, those deficiencies are listed in the attached chart
(Attachment A). In the future, we anticipate conducting a follow-up review to assess the
actions you have taken to correct the deficiencies identified in Attachment A.

In addition, we want to advise you and OVAE managers of inherent vulnerabilities we
identified in several Department procurement systems.

ü Purchase Cards – For efficiency reasons, the Department designed a purchase card
  system where cardholders can order, receive and approve payments for goods and
  services. Consequently, as a control, the Department established approving officials
  to review the use of purchase cards. Therefore, it is important that approving officials
  properly review all cardholder statements before forwarding them to OCFO for
  payment.
ü Third Party Draft System (TPDS) – An individual with signature authority can issue
  TPDS checks without the involvement of anyone else. Therefore, it is important that
  the supervisor of the individual with signature authority conduct periodic reviews of
  sample TPDS disbursements.

ü Telecommunications – Currently, many principal offices, including OVAE, have
  cellular phone bills paid by OCIO. Principal offices need to receive and review their
  own cellular phone bills to ensure the accuracy and appropriateness of all charges.

OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and
regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements by the Third Party Draft System (TPDS) and
Purchase Cards. OVAE has 23 open contracts. Your staff informed us that none of those
contracts involved the purchase of goods or services within the scope of our work.
Therefore, we did not review internal controls over contracts in OVAE. We also did not
conduct testing on the use of the “Corporate” Government Travel Account.

METHODOLOGY

To achieve our objectives, we conducted interviews with OVAE staff who were involved
with the procurement process and reviewed relevant documents. As part of our work, we
reviewed a sample of 47 TPDS checks and 48 charges to purchase cards. We based our
conclusions about OVAE's internal controls on the information gathered during our
interviews and transaction testing. We conducted our interviews and transaction testing
between February 24, 2000 and March 30, 2000.

We assessed OVAE's internal controls based on GAO's Standards for Internal Control in
the Federal Government issued November 1999. Attachment B to this letter contains a
summary of the GAO Standards. We conducted our work in accordance with the
President's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspection
dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any
questions regarding the results of this review, please call me at 205-5439.


Attachments


cc:    Deputy Secretary
                                                                           Attachment B

                            Components of Internal Control

•   Control Environment – Management and employees should establish and maintain
    an environment throughout the organization that sets a positive and supportive
    attitude toward internal controls and conscientious management.

    Factors:

    3 Management and staff maintain and demonstrate integrity and ethical values.

    3 Management maintains an active commitment to competence.

    3 Management’s philosophy and operating style exerts a positive influence on the
      organization (especially toward information systems, accounting, personnel
      functions, monitoring and audits).

    3 Organizational structure is appropriately centralized or decentralized, and
      facilitates the flow of information across all activities.

    3 Agency delegates authority and responsibility and establishes related policies
      throughout the organization in a manner that provides for accountability and
      control.

    3 Agency establishes human resource policies and practices that enable it to recruit
      and retain competent people to achieve its goals.

•   Risk Assessment – Internal controls should provide for an assessment of the risks the
    agency faces from both external and internal sources.

       Precondition: establishment of clear and consistent agency objectives.

       Risk assessment : the comprehensive identification and analysis of relevant risks
       associated with achieving agency objectives, like those defined in strategic and
       GPRA annual performance plans, and forming a basis for determining how the
       agency should manage risks.

       Risk identification: methods may include qualitative and quantitative ranking
       activities, management conferences, forecasting and strategic planning, and
       consideration of findings from audits and other assessments.

       Risk analysis: generally includes estimating the risk’s significance, assessing the
       likelihood of its occurrence, and deciding how the agency should manage its risk.
•   Control Activities – Internal control activities help ensure that employees carry out
    management directives. The control activities should effectively and efficiently
    accomplish agency control objectives.

    3 The control activities are the policies, procedures, techniques, and mechanisms
      that enforce management’s directives. They help ensure that employees take
      actions to address risks.

    3 Control activities occur at all levels and functions of the entity, and include a wide
      range of diverse activities such as approvals, authorizations, verifications,
      reconciliations, performance reviews, maintenance of security, and creation and
      maintenance of related records that document the execution of these activities.

•   Information and communications – Employees should record and communicate
    information to management and others within the entity who need it in a form and
    within a time frame that enables them to carry out their internal control (and other)
    responsibilities effectively and efficiently.

    3 An organization must have relevant, reliable, and timely communications relating
      to internal as well as external events. Information is needed throughout the
      agency to achieve all its operational and financial objectives.

    3 Effective communications should occur in a broad sense with information flowing
      down, across, and up the organization.

    3 Management should ensure there are adequate means of communicating with, and
      obtaining information from, external stakeholders that may have a significant
      impact on the agency achieving its goals.

•   Monitoring – Internal control monitoring should assess the quality of performance
    over time and ensure that audit and other review findings are promptly resolved.

    3 Includes regular management and supervisory activities, comparisons,
      reconciliations, and other actions employees take in performing their duties.

    3 Should include policies and procedures for ensuring that audit and other review
      findings are promptly resolved.
Internal Control Evaluation Form for the Office of Vocational and Adult Education                                Attachment A



Control Component     Deficiencies
Control Environment   • Organizational Structure – The monthly purchase card statement for one cardholder was approved by a
                         supervisor who was not the OVAE approving official. We have been informed that OVAE is taking
                         steps to address this issue.
                      • Assignment of Authority – Two purchase cardholders did not have the required warrants based on their
                         approved spending levels.
                      • Training – At the time purchase cards were issued, cardholders took the required training. However,
                         procurement staff have not received any recent or refresher training. In addition, to effectively use the
                         purchase card, one cardholder requires additional training on EDCAPS.

Risk Assessment       •   Identification of Risks – We were advised that OVAE’s Federal Managers’ Financial Integrity Act
                          (FMFIA) reporting process was ineffective and OVAE has no other formal procedures for risk
                          assessment in the procurement area.
                      •   Identification of Risks – One procurement staff member has been assigned a moderate risk level when
                          the employee’s responsibilities suggest that a high risk level is more appropriate.

Control Activities    •   Policies and Procedures – Although required by the Department’s directive on Commercial Credit Card
                          Service (C:FIM:6-102 dated 3/12/90), OVAE has no written policies and procedures on the purchase
                          card process. One purchase cardholder experienced difficulty in determining the correct process for
                          terminating the card and the OVAE executive office was not aware that the purchase card was no longer
                          active.
                      •   Segregation of Duties – One purchase cardholder is the alternate approving official for OVAE. Alternate
                          approving officials should not have the responsibility of approving their own monthly statements.
                 •   Recordkeeping – We were advised that one purchase cardholder does not record purchases in EDCAPS
                     at the time an order is placed on the card. Our testing of charges to purchase cards revealed 17 purchases
                     that had not been recorded in EDCAPS within a 48-hour window of the purchase.
                 •   Recordkeeping – We identified seven TPDS checks that have been outstanding for more than 90 days.
                     These checks should have been voided in the system to de-obligate the funds. In an April 1999
                     memorandum, OCFO noted that OVAE was not voiding checks that were outstanding for more than 90
                     days.
                 •   Recordkeeping – OVAE did not have a log to track the TPDS checks assigned to the office. Such a log
                     would allow OVAE to identify any missing checks. We have been informed that OVAE is taking steps
                     to address this issue.

Information &    •   Communication of Key Information – OVAE procurement staff were unaware of the Department’s
Communications       directive on Commercial Credit Card Service (C:FIM:6-102 dated 3/12/90).
                 •   Communication of Key Information – One purchase cardholder misunderstood the meaning of vendors
                     being listed in EDCAPS. The cardholder believed that the vendors in EDCAPS were “safe” or approved
                     by the Department. OCFO informed us that the Department has not reviewed or approved the vendors in
                     EDCAPS.

Monitoring       •   On-going Monitoring – The supervisor of the individual with signature authority for TPDS checks does
                     not perform periodic reviews of the EDCAPS reports on the checks issued by OVAE. We have been
                     informed that OVAE is taking steps to address this issue.
                 •   On-going Monitoring – The OVAE approving official does not perform periodic spot checks of the
                     invoices related to purchase card transactions.