Payment Processing: Validation of Receipt and Acceptance

Published by the Government Accountability Office on 1999-04-14.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

united states
General Accounting   Office
Washington,   D.C. 20648

Accounting and Information
Management   Division


April 14,1999

Mr. Robert J. Lieberman
Assistant Inspector General for Auditing
Department of Defense
                         .                     .
Subject: Pavment Processing: Validation of Receipt and Acceptance
Dear Mr. Lieberman
This letter responds to your request for an interpretation of certain parts of Title 7, “Fiscal
Procedures,”of the GAO Policv and ProceduresManual for Gu’dance of Federal Agent es.
Specifically, you asked whether it is acceptable (1) for disbursmg officers to authorize r
payment without reviewing evidence transmitted directly by an authorized employee
attesting to the receipt and acceptanceof goods and services,(2) for disbursing officers to
authorize payment after reviewing the vendor’s invoice and vendor maintained delivery data
without first reviewing evidence of receipt and acceptanceby a government official, and
(3) to verify receipt and acceptanceafter payment authorization based on review of a
statistically selected sample of invoices in lieu of conducting prepayment verification.
Your staff stated that the request was initiated becauseyour office was reviewing the
propriety of the process currently used to authorize payments for certain fuel purchases. As
described in your letter, the Defense Finance and Accounting Service (DFAS) and your office
have taken different positions on these questions as they relate to the process for purchasing
certain fuel as described later in our letter. To supplement the information in your letter, we
contacted your staff, DFAS officials, and Defense Energy Support Center (DEW)’ personnel
to discuss the questions and your respective positions on this matter in more detail. DESC is
the unit responsible for monitoring implementation of portions of that process which your
questions cover. Since we did not test the DFAS system,our responseonly addressesyour
questions conceptually.
Essentially, your questions ask whether it is acceptableto authorize payment on a vendor’s
invoice for certain fuels purchased without reviewing documents showing a government
employee’sstatement of receipt and then to verify documentsshowing such receipt on a
postpayment basis using statistical sampling rather than 100percent testing. Authorizing
payment prior to verification of receipt is referred to as “fast pay”in Title 7. Although fast pay

‘Prior to January 16,1998, DESC was formally known as the DefenseFuel Supply Center.
DESCis a unit operating within the Defense,LogisticsAgency responsible for assisting DOD
and other federal agenciesin procuring fuel and other energy resources.

                                     /ic&               7J---
                                                GAOIAIMD-99-1llR Payment Processing(DOD)

is permitted under certain criteria, the fuel purchasesunder the process you inquired’about
would not meet the criteria, given the error rate reported by your office is considered above
an acceptable rate or where a particular purchaseexceedsthe fast pay limitation of $26,000.
Your office issued a report on vessel fuel acquisition’stating that during a 5-month period
ending in January 1997,a lo-percent error rate was found in invoices for fuel purchases
reviewed. Where the lo-percent error rate is consideredabove an acceptable error rate as
determined by managementof DFAS and DESCafter careful analysis and after concurrence
by the IG, fast pay procedures, not withstancliig the $25,000limitation, should be suspended
until the error rate is reduced to an acceptablelevel.
Regardingsampling of invoices on a postpaymentbasis to verify receipt by a government
employee as proposed but not yet implementedby DESC,Title 7 limits the sampling to
invoices under $2,600. When the purchaseof these certain fuels exceed the $2,500limitation,
verification of receipt of the fuels would be required. For invoices under the $2,600
limitation, sampling should be not be implementeduntil (1) the 10 percent error rate
disclosed in your report is reduced to a level consideredto be an acceptable error rate
establishedby managementand agreedto by the IG and (2) the actual error rate remains
equal to or above the acceptablerate. The details of our responseto your inquiry are
discussedin the following sections.
The Process Currently     Established in Verifying Receipt and Acceptance by DFAS

Your staff and officials from DFAS and DESCexplained the existing process as follows. The
DOD official responsible for receiving and acceptingfuel on the government vessel,
completes an order form prior to the fueling. The order requests a specified amount of fuel
and type of fuel and also identifies the vessel,port (all fuelings under this process take place
at a port), the vendor, the related contract identification, and the ordering official’s name as
well as other data. The official signs the order, provides the vendor a copy, and retains a
copy. Before the fueling, the official is required to use a plastic card assignedto him or her to
initiate a “MAGSTRIP”process3 (The card is referred to as a “MAGSTRIPcard.“) The
official’s government-issuedMAGSTRIPcard is scannedthrough an electronic device.”
Information maintained in the electronic device includes the vendor name and identification,
dock name and location, contract identification, and the date and time of fuel delivery. The
‘DOD Contract Sh.p Fuels @unker Fuels) Acau.s.uon     . Process, Office of the Inspector
General,DOD, Reiort Number 98141, May 29, &&.

“The MAGSTRIP(magnetic strip) process is essentiallyan electronic information reading and
sendingprocess involving a special plastic card and a small electronic device. The card is
passedthrough the device in a designatedgroove,manner, and direction enabling the device
to (1) electronically scan information from the card, (2) send information electronically, and
(3) print a hard copy document containing information.

41fthe official does not have a MAGSTRIPcard, as is the case on occasion, the official enters
an account number by pressing the applicable digit symbols on the electronic device.
However, since your request focuses on the MAGSTRIPprocess, we limited our response to
that process.

2                                              GAOIAIMD-99-1llR Payment Processing (DOD)

MAGSTRIPcard identifies the ordering official, the vessel,and information about the
appropriation under which the purchaseis to be charged. The electronic device also has a
keyboard for the vendor personnel to manually enter information. After the fueling,
information on the type, quantity, and unit price of the fuel delivered to the vessel as well as
other information (such as discounts offered) is entered manually by vendor personnel. The
MAGSTRIPprocess was designedand implemented to streamline the purchase of fuels and
the related payment processes.
As explained to us, after the information is manually entered, the electronic device generates
a hard copy document in duplicate which servesas a receiving report. That document
contains key information scannedfrom the MAGSTRIPcard, imbedded in the card reader,
and manually entered data regardingthe quantity, grade or type, and price of fuel; the date
and location (port); the supplier’s name or identification; the vessel identification; total price
of the fuel; and the name of ‘the official. The ordering official is required to sign the receiving
report and the vendor and the official each retain a copy. Pursuant to the MAGSTRIP
process, the official’s copy along with the order is maintained on the vessel until it is
forwarded to the base unit having operational control over the vessel. The electronic device
used to scan the MAGSTRIPcard belongsto the government but is in the possessionof the
fuel supplier at the fueling point6
We were told that in the interest of expediting payment, the information from the electronic
device is transferred to another systemthat allows the vendor to forward an invoice
electronically to DFAS (Columbus,Ohio). The information conveyed electronically is
supposedto include the sameinformation on the previously mentioned order form and
receiving report including the number of units (or gallons) purchased and the total price of
the fueling. DFAS performs numerouselectronic edits on the information received. The
edits involve comparing the information on the invoice with information on DFAS’
maintained files. The edits determinethat the invoice is under a valid contract with the
vendor for the purchase, that the contract is still in effect, the official was using a valid
MAGSTRIPcard, other details of the billing (such as the port, vessel, and fuel grade and
quantities) are allowable under the contract, and that payment has not been previously
authorized under that specific order or invoice. If the edits do not uncover errors or
unauthorized items (such as, for example,an invalid MAGSTRIPcard or contract), the
invoice is authorized for payment
DESC officials further explained that after payment, all paid invoices are tested against
written receipt and acceptancedocumentation. On monthly or shorter intervals, DFAS sends
the purchasing unit (those units having operational control over the vessels, for example, the
Coast Guard, Navy, or Army) electronic reports showing each order number for which
payment was made. For each paid item, the units are required to verify that a valid receiving
report exists showing the officer’s signature,quantities of fuel acquired, and other data. If

6DFASofficials told us that the initial design of the MAGSTRIPprocess in DOD called for the
electronic MAGSTRIPcard reading device to be in the possessionof the government, not the
merchant supplier. However, becausethe battery pack powering the device could
occasionally spark, it was removed to the suppliers’location for safety reasons.

3                                              GAOMMD-99- 1llR Payment Processing (DOD)

discrepanciesare uncovered,the units are required to notify DFAS within 30 days of the date
of the report.
Initially when the MAGSTRIPsystem was designed,it called for DESC to test for receipt and
acceptanceof fuels on a samplebasis, rather than testing all purchases. However, DESC
officials told us that becausethe various agenciesand units purchasing the fuel followed
different processesin testing paid invoices for validity, loo-percent testing is being done until
DESC believes that 100percent testing is not necessary. DESC officials stated that sampling
could be implemented (the loo-percent testing would no longer be necessary)when they
believe that the procedures followed at the administrative offices of each customer
completely and adequatelyverifies the items required to be verified.
Positions of DFAS, DESC, and Yoqr Oflece

As explained by your staff, each of your three questions involves the verification of receipt
and acceptanceof fuel delivered to sea vesselsand the authorization of the payment being
made to the vendor. Essentially,your questions ask whether it is acceptable to authorize
payment on a vendor’s invoice without review of documents supplied or generated by a
government official attesting to the receipt and acceptanceof fuel purchased, and then to
verily receipt and acceptanceon a postpayment basis using statistical sampling, rather than
the traditional loo-percent testing.
DFAS and DESCofficials’position is that receiving statements or reports completed by
government officials need not be sent to or reviewed by the disbursing officer prior to
authorizing payment. DFAS officials have stated that it is acceptable for the disbursing
officer to sufficiently verify the invoice in two steps. First, the electronic invoices are subject
to edit tests (previously discussed),which involve comparing certain information against
information maintained on master files by DFAS. Second,subsequentto payment
authorization, verification of receipt and acceptance is completed at the unit level (the unit
having operational control over the vessel) where the signed receiving report is to be
matched against the quantities appearingon the invoice. If discrepanciesare found, units are
to notify DFAS to offset subsequentinvoices. DFAS stated that vendor invoices are intended
to contain the sameinformation appearing on the order form and the receiving report
generatedby the MAGSTRIPdevice at the fueling site, except for the official’s signature.
DFAS staff also cited a 1987GAO decision”which they assert allows using vendor-generated
information electronically submitted to suffice for payment authorization.
DFAS and DESC officials have stated that verification of receipt and acceptanceafter
payment is permissible if overpayments,when occurring, are collected or credit is granted.
DFAS officials pointed out that its continuing relationship with vendors allows them to offset
any overpaymentsuncovered during the post-payment verification of receipt and acceptance
Tom the vendors on subsequentinvoices.
Regardingstatistical sampling, DESC officials believe that a sampling process can be
implementedif it is carefully planned and monitored. Although DESC currently reviews all

667Comp. Gen. 72 (1987).

 4                                              GAOMMD-99-1llR Payment Processing (DOD)

  payments to verify receipt and acceptance,it is moving towards verification on a statistical
  sampling basis. DESCofficials believe that sampling is acceptableprovided that the sampling
  procedure does not indicate high error rates and that the sampling process is monitored to
  ensure that it is effectively implemented. Conversely,your office believes that (1) the
  information electronically submitted by the vendor to DFAS for payment is not sufficient by
  itself to authorize payment and (2) the risk of DFAS accepting and not detecting
  misrepresentedor altered information is increased.
  Your staff explained that the vendor controls the data in the MAGSTRIPprocess since the
  electronic device is in the possession of the vendor and that information created based on the
  fuel purchase can be accessedand modified before it is forwarded electronically to DFAS for
  payment processing. Your staff pointed out that consequently,altered data, whether it is
  altered intentionally or unintentionally, could be sent to DFAS for payment. Since the paper
  copies of both the order and receiving report completed by the vessel’s official at the fueling
  site are forwarded by that officer at a later date, and then only to the unit having operational
  control over the vessel,at no time prior to payment authorization does DFAS verify that a
  government employee (1) generated the purchase order for the specific purchase or (2)
  attested to the receipt and acceptance. As your staff further stated, if altered data are
  forwarded to DFAS and remain within the contract limitations, DFAS will authorize payment
  since the electronic edits done before authorization will not identify that data were altered.
  Having both (or’either) of the government employee’sgeneratedpurchase order and
  receiving report reviewed prior to payment authorization would reduce the risks of
  overpaymentsgoing undetected.. Your staff emphasizedthat by allowing payment
  authorization to occur without this review, there is no independent verification (otherwise
  traditionally obtained from a review of a government employee’ssigned receiving report) on
  the vendor’s statement of claims until after payment.
  Technological AdvancesCould Enhance Internal Control and Data Inte@,ty
  The Federal Financial Management Improvement Act of 1996requires that agencies
  implement and maintain financial managementsystemsthat comply with federal financial
  managementsystem requirements. The Joint Financial ManagementImprovement Program
  (JFMIP) has issued a series of system requirements documents generally accepted as the
  systemsstandards. by the federal sector to be followed by agencies. In its Framework for
  Federal Flmwal ManagementSvstems, JFMIP envisioned systemswith standardized
  information and electronic data exchange to eliminate manual processes,reduce the risks of
  data loss or errors, and eliminate manual reentry and interpretation.’ In discussing
  technology in payment systems, Title 7 states that agenciesshould endeavor to establish
  automatedprocessingtechniques (including data interchange) and controls whenever
  feasible so long as the interests of the government are protected.
  Title 7 also states that the use of automated signatureshelps safeguard against errors and
  irregularities and ensuresdata integrity in electronic environments. To be effective,
  automatedsignaturesmust be (1) unique to the signer, (2) under the signer’s sole control, and
  ‘I                            . Managementm
       amework for Federal Fmancml                         , JFMIP, January 1996,pp. S-9.

- 6                                             GAO/AIMD-99-1llR Payment Processing(DOD)

(3) capable of being verified. Also, to help ensure data integrity, the signature must be linked
to the data in such a manner that, if the data are changed,the signature is invalidated.s
Becauseof the nature of electronic data, it is difficult to ascertain whether the data have been
altered unless the signature is linked to the data in such a way that the signature verification
process can detect data changes. Traditional systemsbasedon passwordsand identification
codes (such as those using account numbers) usually do not meet these criteria’ The
National Institute of Standardsand Technology (NIST)’has establishedprocedures for the
evaluation and approval of certain automatedsignature techniques”to ensure the integrity of
the data and compliance with the previously mentioned criteria.
We believe that financial managementsystemswill continue to improve and evolve to have
the capabilities for automating the validation processbefore payment authorization. Invoices
could be validated as a result of comparing the data on them with the information on
purchase orders and receiving reports transmitted from multiple locations, such as from
vendors (where a government employee transmits data electronically at a fueling dock, for
example), from central offices of agencies,and from agencies’remote locations, including sea
vessels. These systemsshould also have the capability of providing automated signatures
that meet NIST requirements to ensure data integrity. When these systemshave evolved and
are operational, internal control will be enhanced,accuracy will be better assured,and data
integrity will be improved at less cost. However, until these systemsare implemented,
automated processes must be supplementedwith manual ones in order to provide assurances
that the government’s interest is protected.
                                      . of Recemt. Documm
      ent. Authonzatron  Without   Review
                 I   .

            .               .     . .
Is Pemsslble Under.Catam .     Cntena. But the MAGSTRIPProcess
May Not Meet the Cntena
A payment process whereby receipt and acceptanceis verified after payment authorization is
referred to as “fast pay.” In following the MAGSTRIPprogram, DOD has implemented a fast
pay process. As we have previously reported, agenciesare generally permitted to implement
a fast pay process’* subject to several conditions and controls.” Among the pertinent
conditions and controls are the following.

‘71 Comp. Gen. 109 (1991).

@Underthe Computer Security Act, NIST is responsible for establishingstandards for federal
computer systems that process sensitive but unclassified information.

‘“Theseprocedures are contained in the Federal In&m&ion Procew.                      Wps).
‘ILetter to the Honorable Charles E. Grassleycommenting on the proposed DOD Reform Act,
B-279620,March 31,1998.

“Office of Management and Budget Circular A-125,Prompt Pavm&, December 12,1989,and
the Federal Acouisition Regulation, (FAR) part 13.

6                                               GAO/AIMD-99-1llR Payment Processing(DOD)

l   The fast pay process is limited to payments for goods or services where there is a
    continuing relationship with reliable vendors that will facilitate the recovery of
l   Fast pay process suppliers who will be paid under the procedure agree to replace, repair,
    or correct supplies not conforming to purchaserequirements.
l   The agency having the fast pay processmust have a system in place to identify suppliers
    who have a history of abusingthe fast payment procedure.
l   The fast pay process is subject to a generallimitation of $25,000.
Also, the agency should be able to take advantageof prompt payment discounts or to effect
other economies in order to implement fast pay.‘$
We have two concerns with DOD’s’MAGSTRIPprocess. First, many military sea vessels
require large volumes of fuel. If quantities obtained during a refueling result in a purchase
exceeding the fast pay limitation of $25,960,(establishedby the Office of Managementand
Budget Circular A-125, “Prompt Payment,”and the FAR, part 13), authorization of payment
prior to review of documentationpreparedby a government official (such as a receiving
report) would not be permitted. Notwithstanding the $25,900fast pay limitation, the 1987
GAO decision4 cited by DFAS as support for the MAGSTRIPprocess is not applicable. That
decision did not cover the subject of authorizing payments without government
documentation showing receipt and acceptance. The decision applied only to the elimination
of gasoline company delivery tickets, called “credit card charge tickets,” and addressedonly
the question of whether charge card invoices were required to include attached delivery
Second,although it is permissible to implement payment systems where the government
payment officer authorizes payment basedon vendor-submitted invoices under a fast pay
process, procedures must ensure that the risk of losses are minimized to acceptable limits.
DOD’s Office of Inspector General (IG) issued a report on vessel fuel acquisition” and
reported that about a lo-percent error rate (basedon the number of invoices) was found as a
result of missing or inaccurate data on the order forms and receiving reports for vendors’bills
reviewed under the MAGSTRIPprocess for the period September 1996through January

“Pavment Processing (Enerq 1: N egati‘ve Confirmation of Receipt (GAO/AIMD97-77R,
                                                                             .      April
24,1997) and -lD).            .              .   .
                                           ahdauon After Pavment on a Samohng Be
(GAO/AIMD-98-8R,October 21,1997). EacVhof these reports resulted from agency requests
that were supported by detailed analysisof cost savings associatedwith implementing fast
    67 Comp. Gen. 72 (1987).

‘“DOD Contract Ship Fuels (Bunker Fuels) Acau.s .bon
                                                  . Process, Office of the Inspector
General,DOD, Report Number 98141, May 29, lii8.

7                                             GAO/AIMD-99-111RPayment Processing (DOD)

1997.“j The IG also reported that DFAS and DESCwere working to reduce or eliminate the
If DFAS and DESC have successfullyreduced the error rate to a lower level within a tolerable
lower limit as determined by managementand agreed to by the IG in order to minimize the
risk of overpayment,authorizingpayment based on vendor-transmitted data is permissible,
provided purchased amountsdo not exceed the fast pay limit of $25,000. If, on the other
hand, the error rate continuesto be high, posing a higher than acceptable risk of
overpayments,payment authorizationbased on vendor invoice data should be suspended
until such time as the error rate is reduced to be within established tolerable limits.
Regarding statistical sampling,Title 7 requires that when it is combined with fast pay, as DOD
has proposed but not yet implemented,the sampling plan must provide for several items.
Among the most important items, the plan must provide for (1) invoice examination to be
commensurate with the risk to the government,”(2) sampling of ail invoices under $2,500’*
not subject to complete examination,(3) effective monitoring to ensure that the risks to the
government remain within tolerable limits, and (4) a continuing relationship with the vendor
such that the risk of loss is minimized. Combining fast pay with a statistical sampling
procedure to verify receipt increasesthe risks of overpaymentscompared to verifying receipt
on all payments. Nevertheless,we believe that these risks would be acceptably mitigated if a
plan containing the items previously listed were effectively implemented.
Most likely, invoices receivedunder MAGSTRIPpurchaseswould not qualify for statistical
sampling. Since vessel fuel purchasesare for large quantities, most invoices submitted for
payment under the MAGSTRIPpurchaseprocess would exceed the sampling limit of $2,500.
Also, regardlessof the $2,500limitation, where a lo-percent error rate is not within the
tolerable range, implementation of the statistical sampling process should be delayed until
DFAS and DESC have reducedthe lo-percent error rate reported by the IG to a rate
acceptableto both managementand the IG.

‘@ IheIG reviewed 1,257paymentsunder the MAGSTRIPprocess and found 131 with
incorrectly completed ordering or receiving forms. The results of the payments reviewed
were not extrapolated or inferred to a universe of payments or dollar amounts for the year.

“In developing a sampleplan, agenciesshould make sure that their proposed procedures will
produce savings while adequatelyprotecting the government’sinterest. Savings would be
achievedwhen the combined costs of (1) examining the sample and (2) projected losses due
to undetected errors on invoices not examined are less than the cost of examining all
invoices. Through analysis,the plan must identify a tolerable error rate (the point at which or
below which savings occur), the number of invoices to select for examination, and the
selection method

“Agency heads are authorizedby law (31 U.S.C.3521(b)) to establish statistical sampling
programs for examination of vouchers in support of their payment authorization subject to
Comptroller General limitations, which are currently set at $2,500.

8                                              GAO/AIMD-99-l11R Payment Processing (DOD)

The contents of this letter were discussedwith Lieutenant Colonel Thomas P. Toole, Mr. John
Gannon, and Mr. David Leising of your staff as well as DFAS and DESC officials. We hope
our comments are helpful. If you have any questionsor would like to discussthese matters
further, please contact me or Bruce Michelson, Assistant Director, at (202) 612-9406.
Sincerely yours,

Robert W. Gramling            v
Director, Corporate Audits
 and Standards


9                                           GAO/AIMD89-1llR Payment Processing(DOD)
Ordering     Information

The first copy of each GAO report and testimony is free.
Additional   copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent     of Documents, when
necessary. VISA and Mastercard      credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting    Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting  Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202)       512-2537.

Each day, GAO issues a list of newly available reports and
testimony.   To receive facsimile copies of the daily list or any
list from the past 30 days, please caIl(202)  512-6000 using a
touchtone phone. A recorded menu will provide information         on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:


or visit    GAO’s World Wide Web Home Page at:

United States
General Accounting  Office                 BulkRaR
Washington, D.C. 20548-0001          Postage & Fee+ Paid
                                       Permit No. GlOO     I
Official   Business
Penalty    for Private   Use $300

Address    Correction    Requested