National Science Foundation FY 2016 Management Letter

Published by the National Science Foundation, Office of Inspector General on 2017-03-10.

                      National Science Foundation • Office of Inspector General
                      4201 Wilson Boulevard, Suite I-1135, Arlington, Virginia 22230

MEMORANDUM 


DATE:          March 10, 2017

TO:            Dr. France Cordova, Director

               Ms. Martha A. Rubenstein, Chief Financial Officer

FROM:          Mark Bell, Assistant Inspector General for Audit

SUBJECT:       National Science Foundation FY 2016 Management Letter, Number 17-2-005


Attached is the National Science Foundation Fiscal Year 2016 Management Letter prepared by
Kearney and Company. The letter includes observations and suggestions identified during the FY
2016 audit of NSF's financial statements (seven new observations and six repeat/revised
observations, one of which relates to the prior year significant deficiency) that were not considered
to be significant deficiencies in FY 2016. A draft of this report was previously submitted to your
staff for comment, and their comments were considered in preparing this final report.

To comply with the Inspector General Empowerment Act, we will be sharing this letter with
various interested parties, including Congress, and will be posting it to the OIG web site.

We will not be tracking the corrective actions to this report separately; however, these issues will
be considered in the FY 2017 financial statement audit process.

We appreciate the cooperation that was extended to Kearney and us during this audit. If you have
any questions, please call me at 703-292-2985 or Catherine Walters at 703-292-5018.

Attachment

cc: John Anderson
    John Veysey
    Ann Bushmiller
    Fae Korsmo
    Joan Ferrini-Mundy
    Christina Sarris
    John Lynskey
    Rafael Cotto
    Allison Lerner
    Marie Maguire
    Louise Nelson
    Dan Hofherr
    Mary Lou Tillotson

                                                   
 
                                                          1701 Duke Street, Suite 500, Alexandria, VA 22314
                                                          PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com

                                  MANAGEMENT LETTER

To the National Science Board and the Inspector General of the National Science Foundation


In planning and performing our audit of the National Science Foundation (NSF)’s financial
statements as of and for the year ending September 30, 2016, in accordance with auditing
standards generally accepted in the United States of America; standards applicable to financial
audits contained in Government Auditing Standards, issued by the Comptroller General of the
United States; and Office of Management and Budget (OMB) Bulletin 15-02, Audit
Requirements for Federal Financial Statements, Kearney & Company, P.C. (defined as
“Kearney,” “we,” and “our” in this letter) considered NSF’s internal control over financial
reporting and compliance with provisions of applicable laws, regulations, contracts, and grant
agreements in order to determine our auditing procedures for the purpose of expressing an
opinion on the financial statements, and not to provide assurance on internal control over
financial reporting or on compliance. Accordingly, we do not express an opinion on the
effectiveness of NSF’s internal control over financial reporting or on its compliance.

Our Independent Auditor’s Report on Internal Control Over Financial Reporting, dated January
13, 2017, noted no material weaknesses and one significant deficiency. The significant
deficiency is not repeated in this letter, as it is explained in detail in that report.

Although not considered to be material weaknesses or significant deficiencies, we noted certain
matters involving internal control that are presented in this letter for NSF’s consideration. These
observations and suggestions are intended to assist in improving NSF’s internal control or result
in other operating efficiencies. We have not considered NSF’s internal control since January 13,
2017.

Exhibit I of this letter provides NSF management’s response to the observations and suggestions
detailed in this letter.

We appreciate the courteous and professional assistance that NSF’s personnel extended to us
during our audit. We would be pleased to discuss our observations and suggestions with NSF at
any time.

The purpose of this letter is solely to communicate other deficiencies in internal control or non-
compliances noted during the audit to management and those charged with governance, and not
to provide an opinion on the effectiveness of the entity’s internal control or on compliance.
Accordingly, this communication is not suitable for any other purpose.

Alexandria, Virginia
March 9, 2017


                          MANAGEMENT LETTER COMMENTS

            STATUS OF PRIOR YEAR MANAGEMENT LETTER FINDINGS

During the audit of NSF’s fiscal year (FY) 2015 financial statements, a predecessor auditor
identified matters that were reported in an internal control report and a management letter.
During the audit of the FY 2016 financial statements, Kearney assessed the status of the
deficiencies reported by the predecessor auditor. As described in the table below, one of the
items reported in the FY 2015 Financial Management Letter was closed. Four control
deficiencies reported in FY 2015 remained open; their FY 2016 status is provided below.

    PY No.            Financial - FY 2015 Management Letter Findings                Status
  ML 15-01        Grants Monitoring                                                 Closed
  ML 15-02        Grant Accrual Estimation Process                                  Open
  ML 15-03        Monitoring of Cost Reimbursement Contracts                        Open
  ML 15-04        Intragovernmental Transactions                                    Open
  ML 15-05        Accounting Policies and Procedures                                Open

As part of the FY 2016 financial statement audit, Kearney also assessed the status of information
technology deficiencies reported by the predecessor auditor. As described in the table below,
seven of the items reported in the FY 2015 Information Technology Management Letter were
closed. One control deficiency reported in FY 2015 remained open; its FY 2016 status is
provided below.

      PY No.             IT - FY 2015 Management Letter Findings                    Status
   IT ML 15-01    iTRAK Assessment and Authorization                                Closed
   IT ML 15-02    iTRAK Password Controls                                           Closed
   IT ML 15-03    iTRAK Configuration Management (Application Changes)              Closed
   IT ML 15-04    iTRAK Account Management & ACM$ Periodic Review of                Closed
                  Access
   IT ML 15-06    iTRAK Configuration Management (Baselines)                        Closed
   IT ML 15-07    iTRAK Audit Logging                                               Closed
   IT ML 15-08    iTRAK Business Impact Assessment                                  Closed
   IT ML 15-09    iTRAK Accreditation Packages                                      Open
   IT ML 15-14    NSF Background investigations                                     Closed


               MODIFIED REPEAT MANAGEMENT LETTER COMMENTS


1. Budgetary Resources

NFR 2016-FR-03: Monitoring and Oversight over Undelivered Orders Needs Improvement
(Note: This NFR is derived from the ‘Accounting Policies and Procedures’ management letter
comment noted on the table above)

Background:

Obligations are definite commitments that will result in outlays, immediately or in the future.
NSF records obligations in its financial management system when it enters into an agreement,
such as a contract or purchase order, to purchase goods and services. Once recorded, obligations
remain open until they are fully reduced by a disbursement, are deobligated, or until the
appropriation funding the obligations is cancelled. As payments are made, obligations are
liquidated by the amount of the payments. Undelivered orders (UDO) represent the cumulative
amount of orders, contracts, and other binding agreements for which the goods and services
ordered have not been received, or for which the goods and services have been received, but
payment has not yet been made.

Agencies should maintain policies, procedures, and information systems to ensure that UDOs
continue to represent required future Federal outlays. NSF has developed and implemented
policies and procedures around appropriate steps for the contract closeout process. The de-
obligation of excess funds is performed as part of its contract closeout process. During the
closeout process, NSF utilizes a Contractor Performance Evaluation (CPE) to document the end
of a contract/interagency agreement in order to determine whether the outstanding funds within
the referenced contract/agreement are ready for de-obligation and ultimately closeout. However,
there does not appear to be a similar process for monitoring and closing UDOs.

NSF reported more than $462 million in non-grant related UDOs, as of June 30, 2016, that
covered a broad range of budgetary authority, including annual, multi-year, and no-year
appropriations.

Observation:

We tested the validity of a sample of 38 UDOs, totaling $20.21 million, out of a population of
2,940 UDOs, totaling $34.47 million as of June 30, 2016. We focused our testing on those UDOs
that had no activity during FY 2016, because we considered them to have a higher risk for
invalidity.

During our testing, we identified 13 invalid open obligations, totaling $6.83 million (34 percent
of both the number of transactions and dollars tested). The invalid obligations consisted of five
non-Federal (four contract-related [$2.82 million] and one travel-related [$153,000]) transactions
and eight Federal (interagency agreements [$3.43 million] and relocation-related [$427,000])
transactions. We determined that these UDOs were invalid based on inactivity, lack of
supporting documentation, or inability to support a bona fide need to keep the outstanding
obligation open.

Non-Federal (Contract related) UDOs: The Division of Acquisition and Cooperative Support
(DACS) uses the FAR guidance (i.e., closeout time standards) as part of its contract closeout
process, which includes the determination of whether excess funds should be deobligated. For
contract related UDO transactions, DACS noted that the related contractual instruments fall
under the 20-month time requirement for closeout. Although the 20-month period had not
expired, the UDO transactions had no disbursement or expenditure activity for over a year. For
the tested items, DACS informed us that no additional expenditures were expected, thus
confirming that the funds were ready for deobligation.

Non-Federal (Travel-related) UDO: Travel funds are obligated for employee travel. Travel
expenditures were incurred against the tested obligation, but more than three years had passed
from the date of the last disbursement. Based on discussions with NSF staff, we were informed
that no additional expenditures were expected and the remaining funds were ready for
deobligation.

Federal (Relocation-related) UDOs: Travel funds are obligated for employee relocation. Travel
expenditures were incurred against the tested obligations, but more than a year had passed from
the date of the last disbursement. Through our discussions with NSF staff, we determined that
the applicable program office (i.e., Division of Administrative Services, DAS) depended on
another Federal entity for ultimate closeout of the obligations. DAS informed us that, based on
discussions with the other agency, no additional expenditures were expected, thus confirming
that the funds were ready for deobligation.

Federal (Interagency Agreement) UDOs: BFA (DACS, Division of Grants and Agreements
[DGA], etc.) oversees outgoing interagency agreements entered into by NSF and other Federal
agencies. Although a shared responsibility exists in the oversight of interagency agreements,
BFA heavily relies on the receiving agencies to determine UDO validity and whether the
agreements are ready for closeout. BFA informed us that no additional expenditures were
expected for the tested items, thus confirming that the UDO balances were ready for
deobligation.

Suggestions:

We suggest that NSF establish standardized processes to ensure the validity and accuracy of
unliquidated obligations. Specifically, NSF should:

       1. Develop and implement formal policies and procedures over a periodic UDO
           certification process to assess the validity of outstanding obligation balances and
           ensure appropriate communication and monitoring takes place.
       2. Develop and implement policies and procedures for the management of obligations
           between respective NSF offices, including procedures to estimate invalid open
           obligations and determine if a temporary adjustment to agency open obligation
           estimates is required for year-end financial reporting.


2. Grants Payable

NFR 2016-FR-04: Estimation and Validation Process for the Incurred but not Reported
(IBNR) Grant Liability (Note: This NFR is derived from the ‘Grant Accrual Estimation Process’
management letter comment noted on the table above)

Background:

Generally accepted accounting principles require that Federal agencies record liabilities for costs
incurred but not paid as of the financial statement date. To do this, agencies may need to
estimate liability amounts relating to costs for which they have not obtained an invoice or for
which it would be burdensome to track. Additionally, management should perform analyses in
subsequent periods to validate that accrual methodology and key underlying assumptions were
appropriate and to determine whether updates to the methodology are required.

NSF’s major estimate relates to grants. Grant cost is composed of two elements: 1) actual grant
expenditures reported by awardees through the draw process and 2) an estimate of awardee
expenditures incurred, but not yet reported or drawn (IBNR) from NSF (referred to hereafter as
the IBNR liability).

Prior to fiscal year (FY) 2013, NSF based the IBNR liability on historical data reported by
awardees on a quarterly basis. In June 2013, NSF implemented a new awardee cash request and
expenditure reporting system, the Award Cash Management Service (ACM$), which accelerated
the manner and timing by which awardees could draw funds and report expenditures for their
awards.

In FY 2015, NSF developed a grant accrual methodology based on a Linear Regression Model
(LRM) using historical data from FYs 2001 through 2014. The grant accrual methodology
objectives are to accumulate historical data, determine and execute a methodology, validate the
accrual for reasonableness using a statistical sampling technique, and evaluate and update the
methodology as necessary. The original methodology used pre-ACM$ data, as there was
insufficient ACM$-based data to include in the model. NSF has added ACM$-based data as it
has become available. The LRM (using both pre-ACM$ and ACM$ data) estimated the IBNR
liability at $411.6 M for June 30, 2016 and $412.6 M for September 30, 2016.

NSF performs a two part validation of the IBNR liability. Part one includes an annual statistical
validation of the September 30 IBNR liability estimate. This validation serves two purposes: to
assess the reasonableness of the estimate, and to provide data for use in future grant accrual
calculations. NSF uses the results of the statistical validation to determine the “cash on hand”
amount included as input data for the IBNR liability for future periods. Part two consists of
a validation of the “big picture” factors to determine whether the best LRM is in place.

Observation:

During our analysis of the IBNR liability estimate, we determined that NSF does not have an
adequate validation process in place. Specifically, part two of the validation of the IBNR is
insufficient given the significance of the liability. In FY 2015, NSF performed an analysis to
determine the best accrual option for FY 2016. NSF analyzed three options: Option 1 used 51
quarters of data; Option 2 used 24 quarters of data; and Option 3 used 12 quarters of data. NSF
determined Option 1 was the best based on the results. Additionally, NSF officials stated that
they chose Option 1 because it is an “already-audited approach from FY15 which would require
no changes to our process narrative.” However, we determined that the analysis did not
sufficiently consider the various accrual options as the analysis improperly utilized forward-
looking data.
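The look-ahead problem described above can be made concrete. The following Python script is an added example, not NSF's model or Kearney's workpaper: it constructs a quarterly series of awardee draws (x) and validated IBNR figures (y), fits the one-regressor least-squares line that stands in for the LRM, and scores the three option windows from the observation (51, 24 and 12 quarters) two ways. The walk-forward score fits only on quarters strictly before the one being forecast; the in-sample score fits on a window that already contains the quarter being scored, which is the forward-looking shortcut that flatters every option. The one-regressor form, every figure, the 60-quarter span and the shift at quarter 40 (a stand-in for the change in draw timing after ACM$) are assumptions.

```python
"""Walk-forward vs. in-sample scoring of accrual regression windows.

Added example, not NSF's model or Kearney's workpaper. x is quarterly awardee draws,
y the validated IBNR figure; the one-regressor form, every number, and the shift at
quarter 40 (a stand-in for the change in draw timing after ACM$) are assumptions.
"""
from typing import Dict, List, Sequence, Tuple

N_QUARTERS = 60                  # assumption: FY 2001 through FY 2015
SHIFT_AT = 40                    # assumption: quarter where awardee behaviour changes
OPTIONS = {1: 51, 2: 24, 3: 12}  # quarters of history per option, as in the letter


def constructed_series() -> Tuple[List[float], List[float]]:
    """Constructed quarterly draws (x) and validated IBNR (y); not real NSF data."""
    xs, ys = [], []
    for t in range(N_QUARTERS):
        x = 1200.0 + 15.0 * t + 100.0 * (t % 4)          # trend plus mild seasonality
        y = 50.0 + 0.30 * x if t < SHIFT_AT else 20.0 + 0.25 * x
        xs.append(x)
        ys.append(y)
    return xs, ys


def fit_line(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least squares for y = a + b*x (closed form, no dependencies)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b


def training_quarters(t: int, window: int) -> range:
    """Quarters allowed to fit the model that forecasts quarter t: strictly before t."""
    return range(t - window, t)


def walk_forward_mae(xs, ys, window: int, holdout: Sequence[int]) -> float:
    """Refit on the trailing window before each held-out quarter, then forecast it."""
    errs = []
    for t in holdout:
        q = training_quarters(t, window)
        a, b = fit_line([xs[i] for i in q], [ys[i] for i in q])
        errs.append(abs(a + b * xs[t] - ys[t]))
    return sum(errs) / len(errs)


def in_sample_mae(xs, ys, window: int, holdout: Sequence[int]) -> float:
    """The forward-looking shortcut: the fitted window already contains quarter t,
    so y_t helped choose the line that is then scored against y_t."""
    errs = []
    for t in holdout:
        q = range(t - window + 1, t + 1)
        a, b = fit_line([xs[i] for i in q], [ys[i] for i in q])
        errs.append(abs(a + b * xs[t] - ys[t]))
    return sum(errs) / len(errs)


def compare_options(holdout: Sequence[int] = range(54, 60)) -> Dict[int, Dict[str, float]]:
    """Score each option both ways over the held-out quarters."""
    xs, ys = constructed_series()
    return {
        opt: {
            "window": w,
            "walk_forward_mae": walk_forward_mae(xs, ys, w, holdout),
            "in_sample_mae": in_sample_mae(xs, ys, w, holdout),
        }
        for opt, w in OPTIONS.items()
    }


if __name__ == "__main__":
    for opt, r in compare_options().items():
        print(f"Option {opt} ({r['window']} quarters): walk-forward MAE "
              f"{r['walk_forward_mae']:.2f}, in-sample MAE {r['in_sample_mae']:.2f}")
```

Run stand-alone, the script prints one line per option. The point is `training_quarters`: a comparison of accrual options only says something about future periods if the data used to fit each candidate ends strictly before the quarter it is asked to predict. With the constructed shift, the short window tracks the post-shift behaviour exactly while the long windows carry pre-shift history into the forecast, which is the trade-off NSF's fourth suggestion (how long to keep pre-ACM$ data) is about.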


Suggestions:

We suggest that NSF continue to strengthen the IBNR liability validation process and the
controls over the IBNR liability estimate. Specifically, we suggest that NSF:

   1. Expand oversight and quality control procedures relating to accrual estimates.
   2. Continue to perform validations of accrual estimates and modify the accrual methodology
       (as necessary) to ensure that accrual methods continue to be reasonable and appropriate.
   3. Maintain a record of each IBNR liability calculation for use in the accrual validations.
   4. Determine to what extent pre-ACM$ data should still be considered and at what point only
       ACM$ data will be needed for use in the IBNR liability estimation and validation process.


3. Grants Payable

NFR 2016-FR-06: Insufficient Monitoring of Contingency Funds
(Note: This NFR is derived from the ‘Monitoring of Construction Type Cooperative
Agreements’ significant deficiency noted in the prior year. During FY 2016, this NFR was
downgraded to a management letter comment)

Background:

As of September 30, 2016, the National Science Foundation (NSF) had five open construction-
type cooperative agreements (CA) aggregating approximately $803.8 million in projected award
funding ($508.5 million obligated). Of the total projected award funding, $138.9 million, or
17.3 percent, represents contingency amounts for those CAs.

NSF awards CAs with both an estimated baseline budget by cost type and a separate contingency
budget. The budget is further broken down into annual funding increments, with future years’
funds identified as subject to the availability of funds. When a CA is awarded, an obligation is
created for the total amount of the award, including the contingency budget in accordance with
the Uniform Guidance. As part of the terms and conditions of a CA, awardees are required to use
the Award Cash Management Service (ACM$) system to request reimbursement for any award-
related expenditures. Once the obligation is created, ACM$ allows grantees to draw down
available funding.

Observation:

iTRAK cannot track contingency funds separately. In addition, NSF does not require awardees to
separately track the use of contingency funds within their accounting systems. Specifically:

   1. There are no accounting system controls to prevent awardees from drawing down on the
       contingency funds without prior NSF approval.
   2. Contingency funds are commingled with the remainder of the award funds in NSF’s
       accounting system at initial obligation. NSF relies on information provided by the
       awardees to track the allocation of the contingency funds to budgeted line items.
       However, NSF does not require awardees to separately track their contingency use and,
       accordingly, it cannot track the use of contingency funds to ensure that they are aligned
       with the awarded budgeted amounts.
   3. NSF considers future years’ funds to be “under the control” of NSF.

Suggestions:

We suggest that NSF:

   1. Develop a method in iTRAK to segregate contingency funds from non-contingency funds
       in obligated amounts.
   2. Implement controls in ACM$ that require NSF approval prior to drawdown of
       contingency funds.



4. Financial Reporting

NFR 2016-FR-07: Intragovernmental Transaction Differences (Note: This NFR is derived
from the ‘Intragovernmental Transactions’ management letter comment noted on the table
above)

Background:

Federal agencies are responsible for reporting intragovernmental transactions generated to the
U.S. Department of the Treasury (Treasury) quarterly through Treasury’s Government-wide
Treasury Account Symbol (GTAS) Adjusted Trial Balance System website. Differences that
exist as a result of intragovernmental transactions need to be resolved prior to preparing the
financial statements and related footnote disclosures to eliminate the risk of misstatement.

Although the Treasury Financial Manual (TFM) provides guidance on reconciling
intragovernmental differences, the Federal Government has not been effective in eliminating the
unreconciled differences.

Observation:

During testing of NSF’s intragovernmental activities, we identified the following weakness that,
if not corrected, could result in misstatements in the financial statements and footnote
disclosures. NSF had balance differences with 35 Trading Partners (TPs) with an approximate
absolute value of $114.3 million in FY 2016. While NSF continues to have intragovernmental
differences, these differences decreased by $74.8 million from the FY 2015 adjusted absolute
value of $189.0 million.

                 Fiscal Year     Quarter     Amount (in millions)     Source
                    2015            4               189.0            Prior-Year NFR
                    2016            3                81.4            FY 2016 Q3 IGT by TP Differences Report
                    2016            4               114.3            FY 2016 Q4 IGT Scorecard
                    2016            5 A             108.8            FY 2016 Q5 IGT by TP Differences Report

    A  Q5 represents the Government-wide reporting period (i.e., the Closing Package) balances as of September 30.

NSF was not able to provide explanations for the TP differences reported as of September 30,
2016.

Suggestion:

We suggest that, when unable to obtain sufficient information from TPs to reconcile
intragovernmental balances, NSF follow the steps prescribed in TFM Volume 1, Part 2, Chapter
4700, Appendix 10 Intragovernmental Transactions Guide, updated July 2016.

5. Procurement (Contracts and Awards)

NFR 2016-FR-09: Monitoring of Cost Reimbursement Contracts and Awards (Note: This NFR
is derived from the ‘Monitoring of Cost Reimbursement Contracts’ management letter comment
noted on the table above)

Background:

Federal agencies are responsible for monitoring cost reimbursement contracts to ensure that
contract costs are reasonable, allowable, and allocable. Incurred Cost Audits (ICA) are an
important tool that enables management to assess a contractor’s compliance with the financial
terms and conditions of a contract. ICAs should be conducted when deemed necessary by the
Agency based on a risk analysis of the award, and when performed should be completed in a
timely manner to identify any deficiencies and/or questioned costs. The NSF Office of Inspector
General (OIG) has historically contracted for ICAs of NSF’s large contracts.

Observation:

In FY 2016, NSF obligated approximately $420.6 million for contracts for the delivery of
products and services. Of this amount, $180.8 million was obligated for the Antarctic Logistical
Support contract, a cost reimbursement contract for which NSF has previously initiated (through
the NSF OIG) annual ICAs. The NSF program office (Division of Acquisition and Cooperative
Support [DACS]) has not taken action to obtain ICAs for most individual cost reimbursement
contracts. When ICAs were determined to be necessary, DACS has relied on NSF OIG to obtain
these audits. The NSF OIG also performed additional incurred cost audits that were not based on
DACS requests, but on its own assessment of award risk.

Based on our review, we noted the following FY 2016 DCAA ICA reports were completed by
the OIG:

   a) CH2M Hill Constructors, Inc. – The NSF OIG contracted with DCAA to perform ICAs
       of CH2M for FY 2008 through FY 2010 that included NSF’s United States Arctic
       Program (USAP) contract.
   b) Booz Allen Hamilton (BAH) U.S. Consulting – The NSF OIG contracted with DCAA to
       perform ICAs of BAH for FY 2008 that included two contracts.
   c) Associated Universities, Inc. (AUI) – The NSF OIG contracted with DCAA to perform
       ICAs of AUI for FY 2008 through FY 2013.
   d) Consortium for Ocean Leadership, Inc. (COL) – The NSF OIG contracted with DCAA to
       perform ICAs for FY 2010 to FY 2011.
   e) Raytheon Technical Service Company (RTSC), Polar Services – The NSF OIG
       contracted with DCAA to perform ICAs of RTSC Polar Services for FY 2001 through
       FY 2012.
   f) National Ecological Observatory Network (NEON) – The NSF OIG contracted with
       DCAA to perform ICAs of NEON Management Fees for FY 2012 through FY 2014.
   g) National Ecological Observatory Network (NEON) – The NSF OIG contracted with
       DCAA to perform ICAs of NEON’s inadequate incurred cost submissions for FY 2010
       and FY 2011.

Additionally, as part of our undelivered orders testing for the period ending June 30, 2016, we
identified three contracts that contained undelivered orders with no activity in the first
three quarters of FY 2016. Although the obligations lacked expenditure activity for an extensive
period of time (over one year), NSF had not closed out the contracts. The timely completion of
audits and determination of final indirect rates would allow NSF to determine when a contract
is ready for closeout and whether excess funds remain valid or should be deobligated.

Suggestions:

We suggest that NSF:

   1. Develop and implement a plan to determine which contracts require ICAs.
   2. Engage in a dialogue with NSF OIG to coordinate the plan to obtain ICAs for contracts as
       determined necessary.
   3. After determining that the awards are ready for closeout, including final indirect rate
       determinations as applicable, ensure that funds are deobligated based on any disallowed
       costs for the three contracts identified during our testing and that those contracts are then
       closed in a timely manner.

6. Information Technology

NFR 2016-IT-10: iTRAK System Security Plan (SSP) (Note: This NFR is derived from the
‘iTRAK Accreditation Packages’ management letter comment noted on the table above)

Observation:

The SSPs for the iTRAK system are not fully compliant with National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 4 controls. The iTRAK
system comprises services from two Cloud Service Providers (DataPipe Government Solutions
[DGS] and Accenture Federal Services [AFS]). DGS received a Federal Risk and Authorization
Management Program (FedRAMP) Joint Authorization Board (JAB) Provisional Authorization to
Operate (P-ATO) in October 2015 that was initiated under NIST SP 800-53 Rev. 3. After
receiving the FedRAMP JAB P-ATO, DGS was required to update its SSP and controls
documentation to Rev. 4 within one year. Accenture’s Agency SSP as well as NSF’s SSP used
NIST SP 800-53 Rev. 4, documenting the services received from DGS, including the privacy
controls, per FedRAMP guidance. However, DGS has not yet fully implemented its assessment
and updates relating to Plan of Action and Milestones (POA&M) controls per NIST SP 800-53
Rev. 4.

The predecessor auditors recommended that NSF ensure that the iTRAK SSP be updated to
comply with the requirements of the NIST SP 800-53, Rev. 4. Specifically, controls related to
privacy, configuration management (CM), and POA&M were not addressed in the prior iTRAK
SSP. While NSF has taken steps to update its iTRAK SSP for privacy and configuration
management controls, the revised iTRAK SSP indicated that the POA&M controls were “not
implemented.”

Suggestions:

We suggest that NSF:

   1. Ensure the iTRAK SSP is aligned with current NIST SP 800-53, Rev. 4 requirements;
       and,
   2. Ensure that Cloud Service Provider POA&Ms are updated regularly.


                      NEW MANAGEMENT LETTER COMMENTS


7. Payroll

NFR 2016-FR-01: Payroll Personnel Actions

Background:

During the new hire process at the National Science Foundation (NSF), employees are required
to submit several documents to Human Resources Management (HRM), including Form I-9,
Employee Eligibility Verification. Form I-9 is used to verify the identity and employment
authorization of individuals hired in the United States.

Following the new hire process, all employees are provided with Standard Form (SF)-50,
Notification of Personnel Action, which is generated whenever there is a change in the
employee’s personnel file. This form is also used when an employee separates from the agency.
Further, employees complete OF-306 (Declaration of Federal Employment) as part of the new
hire process to determine the individual’s suitability for employment within the Federal
Government. NSF’s Onboarding and Separations Guide mandates the actions required when an
employee separates from NSF. The employee’s Administrative Manager initiates the separation
process with a clearance e-mail that includes the employee’s name and effective date of
separation. The separating employee is then required to complete NSF Form 362, Employee
Separation Clearance. This form is used to notify appropriate directorates and offices of the
employee’s pending separation so that they can take steps to collect property, terminate accounts,
and collect badges. Once HRM processes this action in the Federal Personnel/Payroll System
(FPPS), a new SF-50 is generated to document the separation.

Senior Executive Service (SES) employees who meet certain requirements are eligible to receive
bonuses and awards. The SES employee’s supervisor may nominate the employee for
awards/bonuses. HRM processes bonus/award payments effective no later than the last pay
period in the calendar year, and notifies the ADs/Office Heads of final bonus amounts so they
can advise the bonus recipients.

Observation:

During testing over payroll personnel actions and SES bonus/awards, we identified the following
discrepancies:

   ●   New Hires
        - For 7 of the 39 employees tested, the Form I-9s had exceptions. Two forms were not
          properly completed/approved, one form was missing, and four were dated after
          year-end and approved after audit inquiry.
        - For 5 of the 39 employees tested, the OF-306s had exceptions. Four forms were not
          properly approved and one was missing.

   ●   Separations
        - For 2 of the 39 employees tested, the NSF Form 362 was missing.
        - For 2 of the 39 employees tested, the SF-50 was not processed/approved timely (approval
          occurred a full pay period after their separation).

   ●   SES Employee Awards
        - For 4 of the 28 employees tested, personnel actions for awards were initiated and
          approved by the same HRM staff.

Suggestions:

We suggest that NSF:

   1. Implement policies and procedures to ensure that all required forms are completed
      appropriately and timely and retained.
   2. Develop and implement a policy that calls for the segregation of duties between the
      approver and processor of SES awards.


8. Financial Reporting (Disclosures)

NFR 2016-FR-02: Related Party Disclosures

Background:

NSF provides the opportunity for scientists, engineers, and educators to join NSF as temporary
program directors and advisors. These “rotators” provide input during the merit review process
of proposals; provide insight for new directions in the fields of science, engineering, and
education; and make recommendations to support cutting-edge interdisciplinary research.
Rotators can come to NSF under multiple mechanisms. The largest number come on
Intergovernmental Personnel Act (IPA) assignments, in which they are assigned for up to four
years while remaining employees of their home institutions. Rotators serve in various positions
throughout NSF, and as of July 2016, IPAs led 5 of NSF’s 7 science directorates and 22 (of 30)
divisions.¹

All rotators are subject to criminal conflict of interest statutes, as well as the Government-wide
Standards of Ethical Conduct of Employees of the Executive Branch, which prohibit them from
participating in NSF proposals and awards affecting themselves and their home institutions.
While rotators are subject to policies that are designed to prevent the occurrence of any conflicts
of interest, some rotators do participate in the policy decisions of the agency. NSF facilitates
rotator assignments through grants to the rotator’s home institution as a whole or partial
reimbursement for the institution’s salary and benefits payments to its employee. In some
instances, NSF may also make other awards to rotators’ home institutions through its normal
course of business, which includes the merit review process.

¹ As noted in the OIG’s Memorandum “Management Challenges for NSF in FY 2017.”

The Federal Accounting Standards Advisory Board (FASAB) issued Statement of Federal
Financial Accounting Standards (SFFAS) No. 47, Reporting Entity, to address related parties in
the Federal Government. Specifically, SFFAS No. 47 states that participation in the policy
decisions of an agency leads to the creation of a related party, and does not include any language
that restricts agencies from reporting related parties. In addition, SFFAS No. 47 states that
“judgment will also be required to identify relationships that warrant disclosure.” However,
SFFAS No. 47 becomes effective for periods beginning after September 30, 2017, and does not
permit earlier implementation. Therefore, until fiscal year (FY) 2018, Government entities
follow the Financial Accounting Standards Board (FASB) Financial Accounting Standard (FAS)
No. 57, Related Party Disclosures, which provides examples of related party transactions and
requires the disclosure of material related party transactions. Although FASAB states² that “the
related party guidance was not readily adaptable to the federal government,” it does not preclude
an agency from using FAS No. 57 as guidance on reporting.

Observation:

While Note 13 to NSF’s financial statements discloses NSF’s relationship to the home
institutions of National Science Board (NSB)³ members as “affiliated parties,” the note does not
include any information about NSF rotators and, thus, is not fully transparent.

In addition, NSF discloses awards made (i.e., obligations) to the home institutions of members of
NSB. However, NSF does not disclose awards made in the prior year, as recommended in FAS
No. 57.

Suggestions:

We suggest that NSF:

     1. Include a disclosure in the financial statements describing the relationship between NSF
        and rotators.
     2. Update the footnotes to include disclosures about rotators in the Awards to Affiliated
        Institutions (Note 13 in FY 2016). The disclosure should include, at a minimum, the
        overall dollar amount awarded to the rotators’ home institutions in the current and prior
        FYs and a description of the nature of the relationship.
     3. Include, in the disclosure for awards to affiliated parties, the amount awarded to NSB
        members’ home institutions in the prior FY.

² SFFAS 39, Subsequent Events: Codification of Accounting and Financial Reporting Standards Contained in the
AICPA Statements on Auditing Standards
³ The 25 members of the National Science Board (NSB) establish the policies of NSF within the framework of
applicable national policies set forth by the President and the Congress. In this capacity, the NSB identifies issues
that are critical to NSF's future, approves NSF's strategic budget directions and the annual budget submission to the
Office of Management and Budget, and approves new major programs and awards.


9. Property, Plant and Equipment

NFR 2016-FR-05: Personal Property Additions and Deletions

Background:

NSF acquires assets by purchase, gain-by-inventory (i.e., lost/found), transfers from another
entity, or construction. NSF capitalizes general Property, Plant, and Equipment (PP&E) with an
acquisition cost of $25,000 or greater and a useful life of two or more years. Depreciation of
personal property is calculated based on the straight-line method using a half-year convention.
NSF does not have a property sub-ledger system in its financial reporting system, iTRAK; rather,
asset activity (e.g., additions, deletions, transfers, depreciation, etc.) is recorded via journal
vouchers (JV) as part of the quarterly property reporting process.

NSF reports asset acquisitions at the original cost of the asset. Assets transferred to NSF from
other entities are reported at an acquisition cost net of accumulated depreciation. The acquisition
cost of the asset includes all costs associated with placing the asset into service (e.g., purchase
cost, shipping/freight, installation costs, etc.). Based on the type of personal property acquired, a
useful life is assigned to each asset to calculate and record depreciation.

NSF disposes of internally held assets when equipment is beyond its useful life or is lost,
damaged, or no longer useful to operations or mission objectives. Externally held assets are
reviewed by an NSF Property Analyst before disposal. When disposal or destruction of an asset
occurs, the change in status must be documented via a Property Adjustment Documentation (PAD)
form authorized by the Property Analyst.

Observation:

We performed testing over personal property additions and deletions that occurred during the
period of October 1, 2015 through June 30, 2016. The personal property additions sample
consisted of 16 judgmentally selected assets, composed of four internally-held assets and 12
externally-held assets. The personal property deletions sample consisted of five judgmentally
selected assets, composed of three internally-held assets and two externally-held assets. We
identified the following discrepancies:

      Personal Property Additions (Internal)
       - For 3 of the 4 additions tested, the asset was acquired during a prior year but recorded
          in the current-year property records. NSF recorded these additions through a prior
          period adjustment of $114,817. Although proper adjusting entries were made to
          correct the addition/accumulated depreciation, the asset additions were a result of a
          prior-year acquisition.
       - For 1 of the 4 additions tested, the asset addition was acquired in FY 2014. However,
          NSF incorrectly recorded the new asset as a current-year addition (FY 2016). As a
          result, the asset’s accumulated depreciation was understated by $13,701.


                                                 15

      Personal Property Additions (External)
       - For 2 of the 16 additions tested, the asset was acquired during a prior year but
          recorded on the current-year property records. NSF recorded these additions through
          a prior period adjustment of $80,318. Although proper adjusting entries were made to
          correct the addition/accumulated depreciation, the asset additions were a result of a
          prior-year acquisition.
       - For 2 of the 16 additions tested, the acquisition cost did not include all costs
          associated with placing the asset into service (e.g., shipping/freight, actual costs, etc.).
          As a result, the acquisition costs were understated by $289.
       - For 1 of the 16 additions tested, NSF recorded the acquisition of a new asset based on
          a gain-by-inventory transaction (i.e., asset found through inventory process).
          However, this item was originally acquired in FY 2009 and thus was fully depreciated
          (with a net book value [NBV] of zero). When NSF recorded the asset as a new
          acquisition, it overstated the asset cost and accumulated depreciation by $46,248 and
          $3,469, respectively.

      Personal Property Deletions (External)
       - For 1 of the 2 deletions tested, the asset was improperly removed from the property
          records as part of the inventory process. The asset had originally been acquired in FY
          2014 and remains in operating condition. As a result, the asset acquisition cost and
          accumulated depreciation were understated by $34,314 and $15,441, respectively.
       - For 1 of the 2 deletions tested, the asset was improperly removed from the property
          records as part of an upgrade process. Although the asset is fully depreciated (NBV
          of zero), the asset was incorrectly removed from the property records as of June 30,
          2016.

Suggestions:

We suggest that NSF strengthen its oversight of its internal property acquisition and disposal
activities and record keeping, and of its contractors who maintain the externally-held asset
records.

10. Accounts Payable

NFR 2016-FR-08: Improper Payment Due to Duplicate Obligation

Background:

NSF follows the procurement regulations in the Federal Acquisition Regulation (FAR) to
contract for goods and services. The Division of Administrative Services (DAS) handles certain
administrative service purchases, such as office support equipment, professional services
technical support, and audio-visual Information Technology (IT), while the Division of
Acquisition and Cooperative Support (DACS) handles all other procurement actions.

Contract Specialists (CS) or Contracting Officers (CO) initiate the requisition process after
identification of a bona fide need. Division Directors and Branch Chiefs provide the final
requisition approval, which commits the funding. Upon award of a contract or modification, the
CO reviews and approves the action to obligate the funds in iTRAK, which creates a purchase
order. As goods or services are rendered, the vendor submits an invoice to NSF for payment. It is
the responsibility of the Contracting Officer’s Representative (COR) to verify that the goods or
services were provided in accordance with the contract/modification, as well as to record the
acceptance of the goods or services in iTRAK. Lastly, the COR’s acceptance of the goods or
services in iTRAK triggers an approval action which initiates the disbursement process by the
Cash Management Branch (CMB) within the Division of Financial Management.

The expenditures incurred, recorded, and disbursed are applied to the applicable contract or
modification associated with the purchase order and requisition posted in iTRAK.

Observation:

We tested 63 statistically selected NSF expenditure transactions that occurred during the period
of October 1, 2015 through June 30, 2016, and identified one discrepancy.

During July 2015, NSF authorized the creation of requisition 1017, which committed funding.
The CO processed a contract modification (Mod 11) and used requisition 1017 to record a
corresponding purchase order (PO) 12T6005 (PO lines 1010, 1011, 1012, 1018, and 1019) for a
total of $82,006. However, the PO could not be properly linked to requisition 1017 due to an
incomplete account code structure in iTRAK. Because the PO could not be linked to requisition
1017, the CO obligated the funds without an associated requisition. However, NSF did not
cancel the original requisition 1017 in iTRAK. In September 2015, as part of the year-end
closeout process, a second PO (PO line 1021) was created which was associated with requisition
1017 for the same amount ($82,006). This created a duplicate obligation of $82,006 in iTRAK’s
records.

As services were received under the contract, the COR initially applied invoices to PO lines
1010, 1011, 1012, 1018, and 1019. Once the CO posted PO line 1021, the COR did not realize it
was a duplicate and applied invoices against it until this PO for $82,006 was fully liquidated.
Then, as additional costs were incurred, the COR liquidated these costs against the original
obligation (PO line 1017). As a result, $82,006 of the September 2015 (duplicate) obligation was
improperly liquidated against an invalid PO line, resulting in an improper payment in the amount
of $82,006.

Suggestions:

We suggest that NSF:

   1. Strengthen internal controls by performing consistent monitoring over open commitments
      and obligations.
   2. Provide additional training and reports, as needed, to users who enter POs and receipts in
      iTRAK.


11. Information Technology

NFR 2016-IT-01: iTRAK Separation of Duties Review of Access

Observation:

NSF does not document its reviews to identify emerging instances of segregation of duties
(SOD) conflicts that could exist within the iTRAK application for existing users. NSF stated
that it conducts monthly reviews; however, these reviews are not formally documented. The NSF
Information Security Handbook did not describe the process or the individuals responsible for
reviewing access within the iTRAK application after initial provisioning; however, NSF’s
Division of Financial Management (DFM) had established other procedures for implementing
the SOD matrix.

Suggestions:

We suggest that NSF:

   1. Update its procedures to adequately document the individuals responsible for the control
      and the process by which the control is conducted.
   2. Document the monthly review of iTRAK application users’ access for instances of
      potential segregation of duties conflicts. The documentation should include the date the
      review was completed and the reviewer’s signature.


12. Information Technology

NFR 2016-IT-03: Incomplete Review of Service Organization Controls (SOC) Report from
Interior Business Center

Observation:

NSF uses the Department of the Interior’s Interior Business Center (IBC) webTA application to
process time and attendance. IBC hosts a number of systems, including webTA, which are
financially relevant to Federal agencies. IBC contracted with an Independent Public Accounting
(IPA) firm to issue Service Organization Controls (SOC) reports. These reports are prepared
under the American Institute of Certified Public Accountants (AICPA) Statement on Standards
for Attestation Engagements No. 16 (SSAE-16) to provide assurance that the information provided
by the service provider is complete and accurate, and to identify risks to IBC customers. Although
NSF received and reviewed the annual SSAE-16 report from IBC, NSF did not evaluate whether key
controls relating to the webTA application were included in the report. The following controls
are not addressed in the webTA SSAE-16 report:

       1. Identification and authentication is unique to each user (or process acting on behalf
          of a user) at each webTA application layer (e.g., application, database, and operating
          system).
       2. Accounts that are no longer needed, and accounts for terminated individuals, are disabled
          or removed at each webTA application layer (e.g., application, database, and operating
          system).
       3. Emergency or temporary access (e.g., fire call IDs) is appropriately controlled.

Suggestions:

We suggest that NSF enhance its “Assessment of Third Party Service Provider” operating
procedure for reviewing SSAE-16 reports for the webTA application. At a minimum, NSF
should:

   1. Determine whether all key controls (as identified by NSF) have been included in the
      SSAE-16 report.
   2. For those key controls not assessed by IBC, identify methods to mitigate the risks.
   3. For those key controls that were assessed and found to be either not suitably designed or
      not operating effectively, gain an understanding of the root causes and identify mitigating
      controls.
   4. Coordinate with IBC to add any key controls identified by management that are not
      currently within the scope of the SSAE-16 examination.


13. Information Technology

NFR 2016-IT-04: Monitoring of iTRAK Configuration Controls

Observation:

NSF has known that conflicts exist related to separation of duties over the ability to both develop
and implement configurations to the iTRAK production environment, but has not documented
its acceptance of the risk. In addition, NSF has not implemented compensating controls to prevent
the migration of unauthorized changes to the iTRAK production environment. Currently, three
developers and two database administrators (DBAs) with access to iTRAK have the ability to both
design and migrate changes to the production environment. This ability to both develop and
migrate changes creates a separation of duties conflict and allows for potential unauthorized
activity. In addition, NSF does not formally monitor the 15 persons who have production access
and 9 persons who have developer access within the iTRAK production environment to detect
unauthorized activity.

Suggestions:

We suggest that NSF mitigate the risk of unauthorized changes being implemented within the
iTRAK production environment through the following actions:

   1. Remove user access for job functions outside their responsibility. Specifically, users should
      have only either development or migration responsibility.
   2. Identify and document high-risk activities for both iTRAK users and developers.
   3. Implement a monitoring program over the high-risk activities. This program should include
      logging, aggregation, review, and follow-up of these activities by an independent
      member of the Information Technology (IT) Security team.
   4. Document the monitoring program in a standard operating procedure (SOP).
   5. Implement an automated tool that notifies applicable stakeholders whenever configuration
      management changes to iTRAK are migrated to production.
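The segregation-of-duties checks behind this observation, the iTRAK access review in NFR 2016-IT-01, and the same-person initiator/approver condition found on SES award actions in the payroll section share one shape: a matrix of role pairs that one person must not hold, applied to current assignments, with the result filed as dated, signed review evidence. The script below is an added illustration of that review, not code from the management letter, Kearney, or NSF; the role names, users and award records are constructed, and iTRAK's real role names are not on the page.

```python
# Added example: a documented segregation-of-duties (SOD) review.
# Role names, users and records are constructed; they are not iTRAK's
# real roles or NSF data.
from datetime import date

# Hypothetical SOD matrix: each pair is two roles one person must not hold.
# The last two pairs mirror the page's findings: an initiator who also
# approves awards, and a developer who can also migrate changes.
SOD_MATRIX = {
    frozenset({"po_create", "po_approve"}),
    frozenset({"receipt_record", "disbursement_approve"}),
    frozenset({"award_initiate", "award_approve"}),
    frozenset({"config_develop", "config_migrate"}),
}


def find_conflicts(assignments):
    """Map each user to the sorted SOD pairs they fully hold.

    assignments: {user: iterable of role names}. Users without a
    conflict are omitted so the result doubles as the findings list.
    """
    conflicts = {}
    for user, roles in assignments.items():
        held = set(roles)
        hits = [tuple(sorted(pair)) for pair in SOD_MATRIX if pair <= held]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def find_self_approvals(actions):
    """Return ids of actions whose initiator and approver are the same
    person (the condition found on 4 of 28 SES award actions)."""
    return [a["id"] for a in actions if a["initiated_by"] == a["approved_by"]]


def review_record(assignments, actions, reviewer, when=None):
    """Assemble the evidence the letter asks for: completion date,
    reviewer name and the findings, so the monthly review is documented."""
    when = when or date.today()
    return {
        "review_date": when.isoformat(),
        "reviewer": reviewer,
        "role_conflicts": find_conflicts(assignments),
        "self_approvals": find_self_approvals(actions),
    }


# Constructed sample data for a stand-alone run.
SAMPLE_ASSIGNMENTS = {
    "alice": ["po_create", "receipt_record"],
    "bob": ["config_develop", "config_migrate"],    # develop + migrate
    "carol": ["award_initiate", "award_approve"],  # initiate + approve
    "dave": ["po_approve"],
}
SAMPLE_ACTIONS = [
    {"id": "AWD-1", "initiated_by": "carol", "approved_by": "carol"},
    {"id": "AWD-2", "initiated_by": "carol", "approved_by": "dave"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(review_record(SAMPLE_ASSIGNMENTS, SAMPLE_ACTIONS,
                                   "IT Security reviewer"), indent=2))
```

The record it emits is the artifact an auditor can sample: a date, a named reviewer, and the specific conflicts found, rather than an undocumented assertion that a review occurred.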


Exhibit I – NSF Management’s Response to Management Letter