on Select Education, Committee on Education and the Workforce, US House of Representatives, on the status of financial management at the Department of Education, Tuesday, July 24, 2001. PDF

Published by the Department of Education, Office of Inspector General on 2001-07-24.


                                 Statement of Lorraine Lewis
                                      Inspector General
                                  Department of Education

                                         Before the
                            Subcommittee on Select Education
                         Committee on Education and the Workforce
                           United States House of Representatives

                                         July 24, 2001

Mr. Chairman and Members of the Subcommittee:



Thank you for the opportunity to participate in today’s hearing on financial management

practices at the Department of Education. You requested that I focus my testimony on the work

of the Office of Inspector General (OIG) concerning internal controls at the Department.

Specifically, I will address our reviews over the use of government purchase cards and third

party drafts, comment on investigations, and discuss our recommendations to the Department on

how to improve its financial management.



The Department of Education has serious financial management issues it must address. While

progress has been made and is continuing, much work remains. We will keep working closely

with the Subcommittee, the Department, and the General Accounting Office (GAO) to help the

Department continue to move forward in improving its financial management practices. I

commend the Subcommittee for its strong interest in these important matters and for the attention

it has given to financial management at the Department.



Secretary Paige’s establishment of the Management Improvement Team (MIT) is an important

step toward improvement. The MIT’s interim report of last week reflects a comprehensive
review of financial management, information technology security, and other management issues

and illustrates the significant challenges that still lie ahead.



As I have testified in the past, the financial statements audit reports, particularly the Report on

Internal Controls, provide the blueprint for addressing financial management issues. As the

GAO noted in a report on the Department's financial management, "internal control serves as the

first line of defense in safeguarding assets and in helping detect and prevent waste, fraud, and

abuse." (GAO-01-104R, Education's FY 1999 Financial Management Weaknesses, October 16,

2000, p. 9.) While an unqualified, or clean, opinion is an important goal, an equally important

goal is the resolution of the three material weaknesses and two reportable conditions in the

Report on Internal Controls. The material weaknesses identified were: 1) financial management

systems and financial reporting need to be strengthened; 2) reconciliations need to be improved;

and 3) controls surrounding information systems need enhancement. The reportable conditions

were: 1) improvement of financial reporting related to credit reform is needed; and 2) reporting

and monitoring of property needs to be improved.



We welcome the opportunity to have GAO join us in our oversight activity concerning internal

controls in the Department. We have shared with GAO the results from our purchase card and

third party draft reviews, as well as information on improper payments and information

technology security. We appreciate GAO’s work and results, and have learned from its efforts.






Internal Control Review over Purchase Card and Third Party Draft Payments

In October 2000, we issued our review of the Department’s internal control over the use of

purchase cards and third party drafts. (Results of the OIG Review of Internal Controls over the

Use of Purchase Cards and Third Party Drafts (A&I 2000-15), see Appendix A). We found that

the Department’s established procedures for these programs were not always current and were

not always followed. Additionally, the Office of Chief Financial Officer, which is responsible

for the programs, needed to improve its administration of both programs.



To help safeguard against potential misuse or waste, while ensuring that purchase card

transactions and third-party drafts serve program needs, we made 22 recommendations to the

Department. They were designed to:

    •   strengthen the control environment over the use of purchase cards and drafts;

    •   provide for an assessment of the external and internal risks the agency faces;

    •   strengthen control activities over the use of purchase cards and drafts;

    •   strengthen information and communication regarding the use of purchase cards and

        drafts; and

    •   strengthen monitoring over the use of purchase cards and drafts.

Department officials concurred with our findings and recommendations.



We initiated a follow-up review to address two specific recommendations that are key to

ensuring that these purchase cards are used properly and that the Department is paying the

correct amount. Those are: 1) requiring that all approving officials review and sign monthly

purchase card statements; and 2) reconciling the monthly Department-wide purchase card





statement to the monthly statements approved by the approving officials from the principal

offices and to the Department’s accounting system, EDCAPS.



Specifically, in this follow-up review, we focused on the statements for the month ending

February 16, 2001. We reviewed the purchase card statements for 184 cardholders who had

activity for that month. With regard to approving official review, we found that six statements

lacked required signatures. We also found 68 statements were not submitted timely.

Consequently, some statements were unsigned or missing when the Department’s consolidated

bill was paid, 38 days after the due date.



With regard to reconciliation, the Department’s Financial Management Policies and

Administrative Programs (FMPAP) provided us documentation of reconciliation that we are still

evaluating. The FMPAP staff stated that when the Department’s new financial system is

operational, the reconciliation process should be more efficient.



We subsequently asked FMPAP to provide documentation for the payment of the Department-wide

purchase card statement for May 2001. From the documentation we received, we found

that FMPAP had not sent timely notices to purchase card approving officials for 22 overdue

statements. This contributed to the Department’s statement being paid 10 days past the due date.



Since our initial reports in this area, in response to our work, the Department has taken several

steps to correct weaknesses in the purchase card and third party draft programs. For example,

the Department has conducted mandatory training sessions for cardholders and supervisors,






conducted a risk assessment, provided written delegations, and provided managers GAO’s

Standards for Internal Control in the Federal Government. (GAO/AIMD-00-21.3.1, issued

November 1999.)



Additional Reviews of Internal Operations

We have also reviewed a number of other internal operations of the Department.


Disbursement Process Controls

Under contract to OIG, Ernst & Young is examining the Department's controls over its payment

systems and processes. Three have been completed:

    •   The Impact Aid Program within the Office of Elementary and Secondary Education;

    •   The discretionary grant disbursement process within the Office of Educational Research

        and Improvement; and

    •   The formula grant disbursement process within the Office of Vocational and Adult

        Education.

The objectives of each review were to determine the processes by which payments can be made

by the Department and to assess the controls over the payments in those processes to determine if

the controls are operating effectively. [Review of the Impact Aid Program Disbursement Process

Within the U.S. Department of Education Office of Elementary and Secondary Education (Audit

Control Number: ED-OIG/S17-B0013, July 19, 2001); Review of the Discretionary Grant

Disbursement Process Within the U.S. Department of Education Office of Educational Research

and Improvement (Audit Control Number: ED-OIG/S17-B0014; July 19, 2001); Review of the

Formula Grant Disbursement Process Within the U.S. Department of Education Office of






Vocational and Adult Education (Audit Control Number: ED-OIG/S17-B0015, July 19, 2001),

see Appendix A].



Based on its reviews, Ernst & Young identified several areas where enhanced controls and

needed operational changes, if properly implemented, will reduce the risk of erroneous

payments. One common theme among these reviews was the need for improved data integrity

controls. The reviews contained recommendations to 1) establish procedures for and perform

formal reconciliation from feeder systems to the Grant Administration Payment System, and 2)

enhance grants monitoring.



Cellular Phones

In September 2000, we assessed the Department's controls over the purchase and management of

cellular phones. We found that improvements were needed in policies and procedures, inventory

controls, segregation of duties, billing processes, vendor selection, and maintenance of

documentation. As a result of the ineffective controls, the risk of errors, theft, fraud and abuse

was increased. The Department concurred with our findings and recommendations. (Audit of

the U.S. Department of Education's Controls over Cellular Phones (ED-OIG/A11-A0014), see

Appendix A).



We also note that in a recent investigation, we developed evidence that a Department employee

permitted his family members to use his Department-issued cell phone to make over 8,000

personal telephone calls between May 1998 and December 1999. In May 2001, the employee

pled guilty to a one-count criminal information and resigned from the Department.








Contracting Operations

We have consistently issued reports recommending improvements in the Department's

management of contracts and contractors.



    •   In March 2001, we assessed the Department's contract payment process and whether

controls were in place to prevent and detect improper payments. We found that improvements

were needed in controls over the invoice review process, segregation of duties, and the process

for establishing vendor information in the Department's contract payment system. Based on our

work, the Department lacked assurance that payments are proper. We made several

recommendations to the Department to improve the controls. The Department generally

concurred with our findings and agreed to take action on our recommendations. (Audit of

Controls over Contract Payments (ED-OIG/A07-A0015), see Appendix A.)



    •   We issued two reports in 2001 on the Department's controls over property furnished to

the Department's major student financial assistance contractors and found that the two

contractors did not comply with recordkeeping, reporting, and inventory requirements, and that

Government property was not properly identified. The contractors have concurred with our

findings and recommendations on the reports issued to date. (Audit of Controls Over

Government Property Furnished to Computer Sciences Corporation (ED-OIG/A19-B0003);

Audit of Controls Over Government Property Furnished to Affiliated Computer Services, Inc.

(ED-OIG/A19-B0004), see Appendix A).






    •   Since Fiscal Year 1999, most of our work has focused on the major Student Financial

Assistance contractors. We evaluated the Department's processes for monitoring contract

performance, including the activities of the Contracting Officer, Contract Specialist, and

Contracting Officers’ Representative, as well as internal controls and processes at the individual

contractors. We found that: 1) contract changes were not formalized; 2) contract terms were not

adequately defined; 3) changes in key personnel were not approved in advance; 4) key contract

personnel were not devoting the time specified in the contract; 5) contractor remittances to the

Department were not monitored; and 6) incorrect contractor billings were not detected. (See

Appendix B for a list of the audits and other products.)



As a result, the Department was not getting what it was paying for with respect to the quality of

the projects and the contractors’ responsibilities under the contracts. Informal contract

agreements and ambiguous contract terms could result in misunderstandings and disputes over

what is expected under the contract. Changes in key personnel and key personnel working other

projects reduced the level of effort and quality of the overall project, and resulted in overcharges

since key personnel costs were built into the contract prices. Failure to monitor remittances

resulted in loss of funds. The Department's failure to appropriately review contractor billings

resulted in improper payments to contractors.



    •   In 2001, we conducted an audit follow-up review of these issues to determine if

corrective actions were taken. We found that corrective actions were taken to formalize contract

changes, define contract terms, and approve changes in key personnel in advance. Further

actions were needed, however, to implement corrective actions to ensure that contract personnel






devote the time specified in the contract, monitor contract remittances, and detect incorrect

billings. (Audit Follow-up Review on Corrective Actions the Department Had Taken in

Response to Issues Reported During the Office of Inspector General’s Contract Monitoring

Audits of Student Financial Assistance Information Technology Contracts (ED OIG/A07-A0014),

see Appendix A.)



Information Technology Security

Security of information technology systems is an important internal control. For several years,

we have reported security as a management challenge for the Department and have focused our

audit resources on identifying and reporting on vulnerabilities in the Department’s systems. As a

result of our audit work, the Department has identified information technology security as a

material weakness in its annual Federal Managers’ Financial Integrity Act reports since Fiscal

Year 1999. Additionally, Ernst & Young’s Report on Internal Controls for Fiscal Year 2000

identified controls surrounding information systems as a material weakness. We also welcome

GAO’s ongoing security work on the Department’s financial system, EDCAPS. To assist in its

effort, we provided GAO with the results of our previous audits and access to our workpapers.



Over the course of the last two years, we have issued numerous reports related to security

controls, including: Review of Security Posture, Policies and Plans (ED-OIG/A11-90013,

February 2000); Review of EDNet Security (ED-OIG/A11-90018, July 2000); Review of

Planning and Assessment Activities for Presidential Decision Directive 63 on Critical

Infrastructure Protection (ED-OIG/A11-A0005, September 2000); Audit of Collection of

Personally Identifiable Information Through ED Internet Sites (ED-OIG/A11-B0002, February






2001); Security Review of the Virtual Data Center (ED-OIG/A11-A0015, March 2001) (see

Appendix B).



These reports highlighted weaknesses in the Department’s security controls and provided

recommendations for better securing the Department’s systems. Some of our most significant

findings included the Department’s need to:

    •   Complete required security plans and reviews for mission-critical systems;

    •   Provide security training to staff;

    •   Improve technical and physical controls over its network and data centers to address

        existing vulnerabilities;

    •   Improve incident response capabilities, audit logging and tracking, and disaster recovery

        planning;

    •   Complete a critical infrastructure protection plan, identify critical assets, and conduct

        vulnerability assessments;

    •   Strengthen controls over collection of personally identifiable information on its Internet

        sites and posting of required privacy notices.



These identified internal control weaknesses collectively constitute a significant threat to the

security of the Department’s information technology systems and the data that they process. We

have made numerous recommendations for the Department to take action to develop and

implement the policies and practices necessary to protect the integrity and privacy of its IT

systems.






The Department has corrective action plans in place to address our recommendations and has

made progress. For example, the Department has completed security plans for all but one of the

mission critical systems included in our report and completed security reviews for all of its

mission critical systems included in our report. Additionally, by December 2000, the

Department provided security awareness training to 97 percent of its staff.


The Department must remain diligent in addressing our remaining recommendations. Until these

remaining actions are taken, the Department remains vulnerable to security breaches such as

outside hackers, malicious viruses, and damage caused by disgruntled employees.



We will continue to focus on security issues in the Department as we complete our 2001 security

evaluation required by Title X, Subtitle G, “Government Information Security Reform,” of the

FY 2001 Defense Authorization Act. The results of this evaluation will be reported to the Office

of Management and Budget in September 2001.



Improper Payments

In an October 12, 2000 memorandum, we encouraged the Department to develop a process for

estimating improper payments for the Department. An estimate of improper payments could be

used by the Department to help it manage its financial resources and to make programmatic

decisions. The MIT Interim Report stated that the Department is preparing to implement Office

of Management and Budget guidance on estimates of erroneous or improper payments. (MIT

Interim Report on Management Improvement, July 17, 2001, p. 10.)






During the Subcommittee’s April 2001 hearing, we referred to data reported in our previous

three fiscal years of Semiannual Reports to Congress and our recent work in the area of duplicate

payments to identify the known amount of improper payments. We identified a three-year total

of approximately $450 million. We are pleased that the Department addressed this important

issue and discussed its, and the Justice Department’s, efforts to recover these amounts. We agree

with Secretary Paige that collective efforts by the Department, the OIG, and the Justice

Department to find problems, recover funds, and enforce the law are examples of efforts we need

to make to protect the federal interest. (Secretary Paige’s letter to Chairman John Boehner, May

22, 2001.)



One method by which the Department could minimize improper payments is to obtain income

verification from the Internal Revenue Service. (OIG letter on Management Challenges,

December 8, 2000.) A significant concern for the Department has been student aid applicants

and their parents who under-report their income on the Free Application for Federal Student Aid

in order to receive student financial assistance funds to which they are not entitled. Congress

should enact whatever legislation is necessary to authorize this verification.



Investigative Activities

In my previous appearances before the Subcommittee, we indicated that we are conducting an

investigation of individuals who, between 1997 and 1999, purchased and/or received equipment

paid for with federal funds for non-business related purposes and billed the Department for

overtime hours not worked. The defendants defrauded the government of more than $300,000 in

property and more than $700,000 in false overtime charges. On May 23, 2001, 11 individuals,






including four employees of the Department, were charged in a 19-count indictment. The

charges included conspiracy to defraud the government, theft of government property, receipt of

stolen government property, sale of stolen government property, and conspiracy to submit false

claims to the government. Eight individuals, including four former Department employees,

previously pled guilty. All the Department employees who were involved or are alleged to be

involved, in these criminal cases have resigned or have been placed on indefinite suspension

without pay.



Recommendations to Improve Financial Management Operations

In December 2000, we responded to a joint House and Senate request for an update on the status

of the management challenges facing the Department. The first four management challenges that

we identified relate to financial management, information technology management, systems

security, and internal controls. While the Department has made progress on each of these

challenges, much work remains. These problems did not occur overnight. In some cases, the

challenges deal with complex issues, such as implementing new financial management systems

and information security policies and practices. As a result, some of the management challenges

facing the Department will take time to resolve.


We are working with the Secretary to improve the programs and operations of the Department

and protect the integrity of those programs and operations. The Secretary’s commitment and that

of his senior management team must be sustained if the Department is to make positive long

lasting changes.






The Department needs to establish and maintain appropriate internal controls over Department

programs and operations by applying GAO’s Standards for Internal Control in the Federal

Government. The internal control structure must be well designed and operated, appropriately

updated to meet changing conditions, and provide reasonable assurance that the objectives of the

Department are being achieved. Adherence to these standards will provide management with

reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized

use or disposition; that transactions are executed in accordance with management’s authorization

and recorded properly; and that data supporting performance measures are properly recorded and

accounted for so that performance information will be reliable and complete.



Conclusion

We are committed to identifying problems and working with the Department and Congress on

solutions. The continued interest of the Subcommittee and the work of GAO will aid the

Department in improving its financial management practices and internal controls. We look

forward to contributing to this combined effort to improve the Department’s stewardship of

taxpayer dollars.



Mr. Chairman, this concludes my statement. I would be pleased to respond to any questions that

you or other Members of the Subcommittee may have.






                            OFFICE OF INSPECTOR GENERAL
                             DEPARTMENT OF EDUCATION

                                           Appendix A

The following products that are referenced in this statement are available on the Internet at
http://www.ed.gov/offices/OIG/

    •   Results of the OIG Review of Internal Controls Over the Use of Purchase Cards and
        Third Party Drafts (A&I 2000-15, October 13, 2000)
    •   Review of the Impact Aid Program Disbursement Process Within the U.S. Department of
        Education Office of Elementary and Secondary Education (ED-OIG/S17-B0013, July 19,
        2001)
    •   Review of the Discretionary Grant Disbursement Process Within the U.S. Department of
        Education Office of Educational Research and Improvement (ED-OIG/S17-B0014, July
        19, 2001)
    •   Review of the Formula Grant Disbursement Process Within the U.S. Department of
        Education Office of Vocational and Adult Education (ED-OIG/S17-B0015, July 19,
        2001)
    •   Audit of the U.S. Department of Education's Controls Over Cellular Phones
        (ED-OIG/A11-A0014, September 15, 2000)
    •   Audit of Controls Over Contract Payments (ED-OIG/A07-A0015, March 13, 2001)
    •   Audit of Controls Over Government Property Furnished to Computer Sciences
        Corporation (ED-OIG/A19-B0003, March 19, 2001)
    •   Audit of Controls Over Government Property Furnished to Affiliated Computer Services,
        Inc. (ED-OIG/A19-B0004, April 20, 2001)
    •   Audit Follow-up Review on Corrective Actions the Department Had Taken in Response
        to Issues Reported During the Office of Inspector General’s Contract Monitoring Audits
        of Student Financial Assistance Information Technology Contracts
        (ED OIG/A07-A0014, September, 2000)
    •   Review of Security Posture, Policies and Plans (ED-OIG/A11-90013, February 2000)
    •   Review of EDNet Security (ED-OIG/A11-90018, July 2000)
    •   Review of Planning and Assessment Activities for Presidential Decision Directive 63 on
        Critical Infrastructure Protection (ED-OIG/A11-A0005, September 2000)
    •   Audit of Collection of Personally Identifiable Information Through ED Internet Sites
        (ED-OIG/A11-B0002, February 2001)
    •   Security Review of the Virtual Data Center (ED-OIG/A11-A0015, March 2001)


                            OFFICE OF INSPECTOR GENERAL
                             DEPARTMENT OF EDUCATION

                                          Appendix B

The following reports, while not specifically referenced, relate to internal controls. Some may
be found on the Internet; others must be requested.

    •   Audit of Public Inquiry Contract, National Computer Systems, Iowa City, IA (ED
        OIG/A07-80017, November 1998)
    •   OSFAP Action Memorandum 99-01 – Informal Contract Task Orders/Modifications,
        Title IV Wide Area Network Contract (ED OIG/E07-90014, October 27, 1998)
    •   OSFAP Action Memorandum 99-02 – Outstanding Title IV Wide Area Network
        Remittances, (ED OIG/E07-90013, November 2, 1998)
    •   OSFAP Action Memorandum 99-05 – Title IV Wide Area Network Contract –
        Inappropriate Charges for Key Personnel to New Tasks and Other NCS Contracts,
        (ED OIG/E07-90012, December 16, 1998)
    •   OSFAP Action Memorandum 99-09 – Department Officials Should Avoid the
        Appearance of Limiting Full and Open Competition (ED OIG/E07-90011, February 25,
        1999)
    •   Audit of Title IV Wide Area Network Contract, National Computer Systems, Iowa City,
        IA, (ED OIG/A07-80018, May 1999)
    •   OSFAP Action Memorandum 99-11 – Key Personnel Requirements Should be Clarified
        Prior to Award of the Editorial Services Contract (ED OIG/E07-90025, May 25, 1999)
    •   OSFAP Action Memorandum 99-12 – Allowing Contracting Officer’s Technical
        Representatives to Authorize Work is Contrary to Procurement Regulations (ED
        OIG/E07-90027, May 28, 1999)
    •   Audit of the Central Processing System Contract (ED OIG/A07-90003, March 2000)
    •   Audit of Compliance with Cost Accounting Standards for Travel, National Computer
        Systems, Iowa City, IA, (ED OIG/A07-90017, March 2000)
    •   SFA Action Memorandum 00-01 -- Planned Payment to Contractor for Unauthorized
        Work (ED OIG/E07-A0017, May 8, 2000)
    •   Recipient Financial Management System Contract awarded to Computer Data System,
        Incorporated (CDSI) (ED OIG/A02-80002, September 2000)
    •   Review of the Department's Requirements Definition & Testing Processes for the Loan
        Origination and Loan Consolidation Systems (ED OIG/A11-70010, March 30, 1999)
    •   Assessment of Direct Consolidation Loan Program Administration and Operations by
        EDS, Inc. Since December 1, 1997, (ED OIG/A04-80009, May 28, 1999)
    •   Review of the Department's Acquisition Process for Office of Student Financial
        Assistance Programs Information Systems, (ED OIG/A11-80004, May 1999)
    •   Review of Collection Activities at Unger and Associates, (ED OIG/A06-90011, February
        8, 2000)
    •   Audit of Controls over Government Property Furnished to Affiliated Computer Services,
        Inc., (ED OIG/A19-B0004, April 20, 2001)
    •   WestEd's Administration of the Regional Educational Laboratory Contracts
        (ED OIG/A09-60009, March 31, 1998)
    •   State and Local Action Memorandum 00-05, Duplicate Payment Made to Policy Studies
        Associates, Inc. (ED OIG/E07-A0022, July 13, 2000)



