United States General Accounting Office
Washington, D.C. 20548

Accounting and Information Management Division

B-281421

April 14, 1999

Mr. Robert J. Lieberman
Assistant Inspector General for Auditing
Department of Defense

Subject: Payment Processing: Validation of Receipt and Acceptance

Dear Mr. Lieberman:

This letter responds to your request for an interpretation of certain parts of Title 7, “Fiscal Procedures,” of the GAO Policy and Procedures Manual for Guidance of Federal Agencies. Specifically, you asked whether it is acceptable (1) for disbursing officers to authorize payment without reviewing evidence transmitted directly by an authorized employee attesting to the receipt and acceptance of goods and services, (2) for disbursing officers to authorize payment after reviewing the vendor’s invoice and vendor maintained delivery data without first reviewing evidence of receipt and acceptance by a government official, and (3) to verify receipt and acceptance after payment authorization based on review of a statistically selected sample of invoices in lieu of conducting prepayment verification.

Your staff stated that the request was initiated because your office was reviewing the propriety of the process currently used to authorize payments for certain fuel purchases. As described in your letter, the Defense Finance and Accounting Service (DFAS) and your office have taken different positions on these questions as they relate to the process for purchasing certain fuel as described later in our letter. To supplement the information in your letter, we contacted your staff, DFAS officials, and Defense Energy Support Center (DESC)[1] personnel to discuss the questions and your respective positions on this matter in more detail. DESC is the unit responsible for monitoring implementation of portions of that process which your questions cover. Since we did not test the DFAS system, our response only addresses your questions conceptually.
Essentially, your questions ask whether it is acceptable to authorize payment on a vendor’s invoice for certain fuels purchased without reviewing documents showing a government employee’s statement of receipt and then to verify documents showing such receipt on a postpayment basis using statistical sampling rather than 100 percent testing. Authorizing payment prior to verification of receipt is referred to as “fast pay” in Title 7. Although fast pay is permitted under certain criteria, the fuel purchases under the process you inquired about would not meet the criteria, given the error rate reported by your office is considered above an acceptable rate or where a particular purchase exceeds the fast pay limitation of $25,000. Your office issued a report on vessel fuel acquisition[2] stating that during a 5-month period ending in January 1997, a 10-percent error rate was found in invoices for fuel purchases reviewed. Where the 10-percent error rate is considered above an acceptable error rate as determined by management of DFAS and DESC after careful analysis and after concurrence by the IG, fast pay procedures, notwithstanding the $25,000 limitation, should be suspended until the error rate is reduced to an acceptable level.

Regarding sampling of invoices on a postpayment basis to verify receipt by a government employee as proposed but not yet implemented by DESC, Title 7 limits the sampling to invoices under $2,500. When the purchase of these certain fuels exceed the $2,500 limitation, verification of receipt of the fuels would be required.

[1] Prior to January 16, 1998, DESC was formally known as the Defense Fuel Supply Center. DESC is a unit operating within the Defense Logistics Agency responsible for assisting DOD and other federal agencies in procuring fuel and other energy resources.

GAO/AIMD-99-111R Payment Processing (DOD)
For invoices under the $2,500 limitation, sampling should not be implemented until (1) the 10 percent error rate disclosed in your report is reduced to a level considered to be an acceptable error rate established by management and agreed to by the IG and (2) the actual error rate remains equal to or above the acceptable rate. The details of our response to your inquiry are discussed in the following sections.

The Process Currently Established in Verifying Receipt and Acceptance by DFAS

Your staff and officials from DFAS and DESC explained the existing process as follows. The DOD official responsible for receiving and accepting fuel on the government vessel completes an order form prior to the fueling. The order requests a specified amount of fuel and type of fuel and also identifies the vessel, port (all fuelings under this process take place at a port), the vendor, the related contract identification, and the ordering official’s name as well as other data. The official signs the order, provides the vendor a copy, and retains a copy.

Before the fueling, the official is required to use a plastic card assigned to him or her to initiate a “MAGSTRIP” process.[3] (The card is referred to as a “MAGSTRIP card.”) The official’s government-issued MAGSTRIP card is scanned through an electronic device.[4] Information maintained in the electronic device includes the vendor name and identification, dock name and location, contract identification, and the date and time of fuel delivery. The MAGSTRIP card identifies the ordering official, the vessel, and information about the appropriation under which the purchase is to be charged. The electronic device also has a keyboard for the vendor personnel to manually enter information. After the fueling, information on the type, quantity, and unit price of the fuel delivered to the vessel as well as other information (such as discounts offered) is entered manually by vendor personnel.

The MAGSTRIP process was designed and implemented to streamline the purchase of fuels and the related payment processes. As explained to us, after the information is manually entered, the electronic device generates a hard copy document in duplicate which serves as a receiving report. That document contains key information scanned from the MAGSTRIP card, imbedded in the card reader, and manually entered data regarding the quantity, grade or type, and price of fuel; the date and location (port); the supplier’s name or identification; the vessel identification; total price of the fuel; and the name of the official. The ordering official is required to sign the receiving report and the vendor and the official each retain a copy. Pursuant to the MAGSTRIP process, the official’s copy along with the order is maintained on the vessel until it is forwarded to the base unit having operational control over the vessel.

[2] DOD Contract Ship Fuels (Bunker Fuels) Acquisition Process, Office of the Inspector General, DOD, Report Number 98141, May 29, 1998.

[3] The MAGSTRIP (magnetic strip) process is essentially an electronic information reading and sending process involving a special plastic card and a small electronic device. The card is passed through the device in a designated groove, manner, and direction enabling the device to (1) electronically scan information from the card, (2) send information electronically, and (3) print a hard copy document containing information.

[4] If the official does not have a MAGSTRIP card, as is the case on occasion, the official enters an account number by pressing the applicable digit symbols on the electronic device. However, since your request focuses on the MAGSTRIP process, we limited our response to that process.
The electronic device used to scan the MAGSTRIP card belongs to the government but is in the possession of the fuel supplier at the fueling point.[5] We were told that in the interest of expediting payment, the information from the electronic device is transferred to another system that allows the vendor to forward an invoice electronically to DFAS (Columbus, Ohio). The information conveyed electronically is supposed to include the same information on the previously mentioned order form and receiving report including the number of units (or gallons) purchased and the total price of the fueling.

DFAS performs numerous electronic edits on the information received. The edits involve comparing the information on the invoice with information on DFAS’ maintained files. The edits determine that the invoice is under a valid contract with the vendor for the purchase, that the contract is still in effect, the official was using a valid MAGSTRIP card, other details of the billing (such as the port, vessel, and fuel grade and quantities) are allowable under the contract, and that payment has not been previously authorized under that specific order or invoice. If the edits do not uncover errors or unauthorized items (such as, for example, an invalid MAGSTRIP card or contract), the invoice is authorized for payment.

DESC officials further explained that after payment, all paid invoices are tested against written receipt and acceptance documentation. On monthly or shorter intervals, DFAS sends the purchasing unit (those units having operational control over the vessels, for example, the Coast Guard, Navy, or Army) electronic reports showing each order number for which payment was made. For each paid item, the units are required to verify that a valid receiving report exists showing the officer’s signature, quantities of fuel acquired, and other data. If discrepancies are uncovered, the units are required to notify DFAS within 30 days of the date of the report.

Initially when the MAGSTRIP system was designed, it called for DESC to test for receipt and acceptance of fuels on a sample basis, rather than testing all purchases. However, DESC officials told us that because the various agencies and units purchasing the fuel followed different processes in testing paid invoices for validity, 100-percent testing is being done until DESC believes that 100 percent testing is not necessary. DESC officials stated that sampling could be implemented (the 100-percent testing would no longer be necessary) when they believe that the procedures followed at the administrative offices of each customer completely and adequately verifies the items required to be verified.

Positions of DFAS, DESC, and Your Office

As explained by your staff, each of your three questions involves the verification of receipt and acceptance of fuel delivered to sea vessels and the authorization of the payment being made to the vendor. Essentially, your questions ask whether it is acceptable to authorize payment on a vendor’s invoice without review of documents supplied or generated by a government official attesting to the receipt and acceptance of fuel purchased, and then to verify receipt and acceptance on a postpayment basis using statistical sampling, rather than the traditional 100-percent testing.

[5] DFAS officials told us that the initial design of the MAGSTRIP process in DOD called for the electronic MAGSTRIP card reading device to be in the possession of the government, not the merchant supplier. However, because the battery pack powering the device could occasionally spark, it was removed to the suppliers’ location for safety reasons.
DFAS and DESC officials’ position is that receiving statements or reports completed by government officials need not be sent to or reviewed by the disbursing officer prior to authorizing payment. DFAS officials have stated that it is acceptable for the disbursing officer to sufficiently verify the invoice in two steps. First, the electronic invoices are subject to edit tests (previously discussed), which involve comparing certain information against information maintained on master files by DFAS. Second, subsequent to payment authorization, verification of receipt and acceptance is completed at the unit level (the unit having operational control over the vessel) where the signed receiving report is to be matched against the quantities appearing on the invoice. If discrepancies are found, units are to notify DFAS to offset subsequent invoices. DFAS stated that vendor invoices are intended to contain the same information appearing on the order form and the receiving report generated by the MAGSTRIP device at the fueling site, except for the official’s signature. DFAS staff also cited a 1987 GAO decision[6] which they assert allows using vendor-generated information electronically submitted to suffice for payment authorization.

DFAS and DESC officials have stated that verification of receipt and acceptance after payment is permissible if overpayments, when occurring, are collected or credit is granted. DFAS officials pointed out that its continuing relationship with vendors allows them to offset any overpayments uncovered during the post-payment verification of receipt and acceptance from the vendors on subsequent invoices.

Regarding statistical sampling, DESC officials believe that a sampling process can be implemented if it is carefully planned and monitored. Although DESC currently reviews all payments to verify receipt and acceptance, it is moving towards verification on a statistical sampling basis.

[6] 67 Comp. Gen. 72 (1987).
DESC officials believe that sampling is acceptable provided that the sampling procedure does not indicate high error rates and that the sampling process is monitored to ensure that it is effectively implemented.

Conversely, your office believes that (1) the information electronically submitted by the vendor to DFAS for payment is not sufficient by itself to authorize payment and (2) the risk of DFAS accepting and not detecting misrepresented or altered information is increased. Your staff explained that the vendor controls the data in the MAGSTRIP process since the electronic device is in the possession of the vendor and that information created based on the fuel purchase can be accessed and modified before it is forwarded electronically to DFAS for payment processing. Your staff pointed out that consequently, altered data, whether it is altered intentionally or unintentionally, could be sent to DFAS for payment. Since the paper copies of both the order and receiving report completed by the vessel’s official at the fueling site are forwarded by that officer at a later date, and then only to the unit having operational control over the vessel, at no time prior to payment authorization does DFAS verify that a government employee (1) generated the purchase order for the specific purchase or (2) attested to the receipt and acceptance.

As your staff further stated, if altered data are forwarded to DFAS and remain within the contract limitations, DFAS will authorize payment since the electronic edits done before authorization will not identify that data were altered. Having both (or either) of the government employee’s generated purchase order and receiving report reviewed prior to payment authorization would reduce the risks of overpayments going undetected.
Your staff emphasized that by allowing payment authorization to occur without this review, there is no independent verification (otherwise traditionally obtained from a review of a government employee’s signed receiving report) on the vendor’s statement of claims until after payment.

Technological Advances Could Enhance Internal Control and Data Integrity

The Federal Financial Management Improvement Act of 1996 requires that agencies implement and maintain financial management systems that comply with federal financial management system requirements. The Joint Financial Management Improvement Program (JFMIP) has issued a series of system requirements documents generally accepted by the federal sector as the systems standards to be followed by agencies. In its Framework for Federal Financial Management Systems, JFMIP envisioned systems with standardized information and electronic data exchange to eliminate manual processes, reduce the risks of data loss or errors, and eliminate manual reentry and interpretation.[7]

[7] Framework for Federal Financial Management Systems, JFMIP, January 1996, pp. S-9.

In discussing technology in payment systems, Title 7 states that agencies should endeavor to establish automated processing techniques (including data interchange) and controls whenever feasible so long as the interests of the government are protected. Title 7 also states that the use of automated signatures helps safeguard against errors and irregularities and ensures data integrity in electronic environments. To be effective, automated signatures must be (1) unique to the signer, (2) under the signer’s sole control, and (3) capable of being verified.
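An added example, not part of the GAO letter: a sketch of an automated signature that meets the three criteria above and is also bound to the record's contents, applied to the MAGSTRIP receiving report and checked before payment is authorized. Ed25519, the field names, the key registry and the sample values are assumptions chosen for illustration; the letter names no algorithm or data format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// ReceivingReport carries the fields the letter lists for the receiving
// report. Field names and encoding are assumptions made for this example.
type ReceivingReport struct {
	OrderNo, Vessel, Port, Vendor, Contract, FuelGrade, Official string
	Gallons, UnitPriceMills                                      int64 // price in 1/1000 dollar
}

// Invoice is the vendor-submitted claim (hypothetical layout).
type Invoice struct {
	OrderNo                 string
	Gallons, UnitPriceMills int64
}

// Registry maps an official to the enrolled public key; the private key stays with the official.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownOfficial = errors.New("no key enrolled for signing official")
	ErrBadSignature    = errors.New("signature does not match receiving report")
	ErrInvoiceMismatch = errors.New("invoice differs from signed receiving report")
)

// canonical gives one unambiguous encoding; strings are length-prefixed so fields cannot run together.
func (r ReceivingReport) canonical() []byte {
	var b bytes.Buffer
	for _, f := range []string{r.OrderNo, r.Vessel, r.Port, r.Vendor,
		r.Contract, r.FuelGrade, r.Official} {
		fmt.Fprintf(&b, "%d:%s|", len(f), f)
	}
	fmt.Fprintf(&b, "%d|%d", r.Gallons, r.UnitPriceMills)
	return b.Bytes()
}

// SignReport is what the receiving official does at the fueling point.
func SignReport(priv ed25519.PrivateKey, r ReceivingReport) []byte {
	return ed25519.Sign(priv, r.canonical())
}

// AuthorizePayment is a prepayment check: the report must verify under the named
// official's enrolled key, and the invoice must agree with the signed report.
func AuthorizePayment(reg Registry, inv Invoice, r ReceivingReport, sig []byte) error {
	pub, ok := reg[r.Official]
	if !ok {
		return ErrUnknownOfficial
	}
	if !ed25519.Verify(pub, r.canonical(), sig) {
		return ErrBadSignature
	}
	if inv.OrderNo != r.OrderNo || inv.Gallons != r.Gallons || inv.UnitPriceMills != r.UnitPriceMills {
		return ErrInvoiceMismatch
	}
	return nil
}

// NewOfficialKey generates a fresh key pair (nil selects crypto/rand).
func NewOfficialKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SampleReport returns constructed data, not taken from any real purchase.
func SampleReport() ReceivingReport {
	return ReceivingReport{OrderNo: "ORD-0001", Vessel: "EXAMPLE VESSEL", Port: "EXAMPLE PORT",
		Vendor: "EXAMPLE FUEL CO", Contract: "CONTRACT-0001", FuelGrade: "MGO",
		Official: "J. DOE", Gallons: 5000, UnitPriceMills: 650}
}

func main() {
	pub, priv := NewOfficialKey()
	reg := Registry{"J. DOE": pub}
	r := SampleReport()
	sig := SignReport(priv, r)
	inv := Invoice{OrderNo: r.OrderNo, Gallons: r.Gallons, UnitPriceMills: r.UnitPriceMills}
	fmt.Println("as signed:", AuthorizePayment(reg, inv, r, sig))
	r.Gallons, inv.Gallons = 7000, 7000 // quantity changed after signing
	fmt.Println("altered:  ", AuthorizePayment(reg, inv, r, sig))
}
```

The check holds only if the signing key is generated and kept where no one but the official can use it, for example on the official's card rather than in a reader held by the vendor.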
Also, to help ensure data integrity, the signature must be linked to the data in such a manner that, if the data are changed, the signature is invalidated.[8] Because of the nature of electronic data, it is difficult to ascertain whether the data have been altered unless the signature is linked to the data in such a way that the signature verification process can detect data changes. Traditional systems based on passwords and identification codes (such as those using account numbers) usually do not meet these criteria. The National Institute of Standards and Technology (NIST)[9] has established procedures for the evaluation and approval of certain automated signature techniques[10] to ensure the integrity of the data and compliance with the previously mentioned criteria.

We believe that financial management systems will continue to improve and evolve to have the capabilities for automating the validation process before payment authorization. Invoices could be validated as a result of comparing the data on them with the information on purchase orders and receiving reports transmitted from multiple locations, such as from vendors (where a government employee transmits data electronically at a fueling dock, for example), from central offices of agencies, and from agencies’ remote locations, including sea vessels. These systems should also have the capability of providing automated signatures that meet NIST requirements to ensure data integrity. When these systems have evolved and are operational, internal control will be enhanced, accuracy will be better assured, and data integrity will be improved at less cost. However, until these systems are implemented, automated processes must be supplemented with manual ones in order to provide assurances that the government’s interest is protected.

Authorization Without Review of Receipt Document Is Permissible Under Certain Criteria, But the MAGSTRIP Process May Not Meet the Criteria

A payment process whereby receipt and acceptance is verified after payment authorization is referred to as “fast pay.” In following the MAGSTRIP program, DOD has implemented a fast pay process. As we have previously reported, agencies are generally permitted to implement a fast pay process[11] subject to several conditions and controls.[12] Among the pertinent conditions and controls are the following.

• The fast pay process is limited to payments for goods or services where there is a continuing relationship with reliable vendors that will facilitate the recovery of overpayments.
• Fast pay process suppliers who will be paid under the procedure agree to replace, repair, or correct supplies not conforming to purchase requirements.
• The agency having the fast pay process must have a system in place to identify suppliers who have a history of abusing the fast payment procedure.
• The fast pay process is subject to a general limitation of $25,000.

Also, the agency should be able to take advantage of prompt payment discounts or to effect other economies in order to implement fast pay.[13]

We have two concerns with DOD’s MAGSTRIP process. First, many military sea vessels require large volumes of fuel.

[8] 71 Comp. Gen. 109 (1991).

[9] Under the Computer Security Act, NIST is responsible for establishing standards for federal computer systems that process sensitive but unclassified information.

[10] These procedures are contained in the Federal Information Processing Standards (FIPS).

[11] Letter to the Honorable Charles E. Grassley commenting on the proposed DOD Reform Act, B-279620, March 31, 1998.

[12] Office of Management and Budget Circular A-125, Prompt Payment, December 12, 1989, and the Federal Acquisition Regulation (FAR), part 13.
If quantities obtained during a refueling result in a purchase exceeding the fast pay limitation of $25,000 (established by the Office of Management and Budget Circular A-125, “Prompt Payment,” and the FAR, part 13), authorization of payment prior to review of documentation prepared by a government official (such as a receiving report) would not be permitted. Notwithstanding the $25,000 fast pay limitation, the 1987 GAO decision[14] cited by DFAS as support for the MAGSTRIP process is not applicable. That decision did not cover the subject of authorizing payments without government documentation showing receipt and acceptance. The decision applied only to the elimination of gasoline company delivery tickets, called “credit card charge tickets,” and addressed only the question of whether charge card invoices were required to include attached delivery tickets.

Second, although it is permissible to implement payment systems where the government payment officer authorizes payment based on vendor-submitted invoices under a fast pay process, procedures must ensure that the risk of losses are minimized to acceptable limits. DOD’s Office of Inspector General (IG) issued a report on vessel fuel acquisition[15] and reported that about a 10-percent error rate (based on the number of invoices) was found as a result of missing or inaccurate data on the order forms and receiving reports for vendors’ bills reviewed under the MAGSTRIP process for the period September 1996 through January 1997.[16] The IG also reported that DFAS and DESC were working to reduce or eliminate the errors. If DFAS and DESC have successfully reduced the error rate to a lower level within a tolerable lower limit as determined by management and agreed to by the IG in order to minimize the risk of overpayment, authorizing payment based on vendor-transmitted data is permissible, provided purchased amounts do not exceed the fast pay limit of $25,000. If, on the other hand, the error rate continues to be high, posing a higher than acceptable risk of overpayments, payment authorization based on vendor invoice data should be suspended until such time as the error rate is reduced to be within established tolerable limits.

Regarding statistical sampling, Title 7 requires that when it is combined with fast pay, as DOD has proposed but not yet implemented, the sampling plan must provide for several items. Among the most important items, the plan must provide for (1) invoice examination to be commensurate with the risk to the government,[17] (2) sampling of all invoices under $2,500[18] not subject to complete examination, (3) effective monitoring to ensure that the risks to the government remain within tolerable limits, and (4) a continuing relationship with the vendor such that the risk of loss is minimized. Combining fast pay with a statistical sampling procedure to verify receipt increases the risks of overpayments compared to verifying receipt on all payments. Nevertheless, we believe that these risks would be acceptably mitigated if a plan containing the items previously listed were effectively implemented.

Most likely, invoices received under MAGSTRIP purchases would not qualify for statistical sampling. Since vessel fuel purchases are for large quantities, most invoices submitted for payment under the MAGSTRIP purchase process would exceed the sampling limit of $2,500.

[13] Payment Processing (Energy): Negative Confirmation of Receipt (GAO/AIMD-97-77R, April 24, 1997) and ... Validation After Payment on a Sampling Basis (GAO/AIMD-98-8R, October 21, 1997). Each of these reports resulted from agency requests that were supported by detailed analysis of cost savings associated with implementing fast pay.

[14] See 67 Comp. Gen. 72 (1987).

[15] DOD Contract Ship Fuels (Bunker Fuels) Acquisition Process, Office of the Inspector General, DOD, Report Number 98141, May 29, 1998.
Also, regardless of the $2,500 limitation, where a 10-percent error rate is not within the tolerable range, implementation of the statistical sampling process should be delayed until DFAS and DESC have reduced the 10-percent error rate reported by the IG to a rate acceptable to both management and the IG.

[16] The IG reviewed 1,257 payments under the MAGSTRIP process and found 131 with incorrectly completed ordering or receiving forms. The results of the payments reviewed were not extrapolated or inferred to a universe of payments or dollar amounts for the year.

[17] In developing a sample plan, agencies should make sure that their proposed procedures will produce savings while adequately protecting the government’s interest. Savings would be achieved when the combined costs of (1) examining the sample and (2) projected losses due to undetected errors on invoices not examined are less than the cost of examining all invoices. Through analysis, the plan must identify a tolerable error rate (the point at which or below which savings occur), the number of invoices to select for examination, and the selection method.

[18] Agency heads are authorized by law (31 U.S.C. 3521(b)) to establish statistical sampling programs for examination of vouchers in support of their payment authorization subject to Comptroller General limitations, which are currently set at $2,500.

The contents of this letter were discussed with Lieutenant Colonel Thomas P. Toole, Mr. John Gannon, and Mr. David Leising of your staff as well as DFAS and DESC officials. We hope our comments are helpful. If you have any questions or would like to discuss these matters further, please contact me or Bruce Michelson, Assistant Director, at (202) 612-9406.

Sincerely yours,

Robert W. Gramling
Director, Corporate Audits and Standards

(922258)
Payment Processing: Validation of Receipt and Acceptance
Published by the Government Accountability Office on 1999-04-14.