FDICís Controls Over Contractor Invoice Approval, Payment, and Posting to the General Ledger
This report presents the results of our audit of the FDICís controls over contractor invoice approval, payment, and posting to the General Ledger (G/L). The G/L is the central component of the New Financial Environment (NFE)óthe FDICís financial management system. The G/L provides accounting, reporting, and decision-making information for the FDIC. The FDICís Division of Finance (DOF) is responsible for maintaining the G/L, receiving contractor invoices, verifying payment approvals, issuing disbursements and posting transactions to the G/L. In addition, the Division of Administrationís (DOA) Acquisition Services Branch (ASB) is responsible for developing all contracting policies and procedures and communicating and implementing those policies and procedures throughout the FDIC.
The audit objective was to assess the FDICís controls over contractor invoice approval, payment, and posting to the G/L. The audit focused on the FDICís control activities intended to provide reasonable assurance that the FDIC (1) meets management directives, such as budget execution; (2) accomplishes control objectives, such as efficient use of FDIC resources; and (3) mitigates risk. Control activities for invoice processing include the segregation of the receiving, invoicing, and purchasing functions; goods and services receipt verification; managerial authorizations; independent review before payment; and pre-payment procedures for Prompt Payment Act (PPA)1 compliance and duplicate payment detection to ensure that only valid transactions are authorized and approved.
We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report discusses our audit objective, scope, and methodology in detail.
Of the FDICís $992 million in calendar-year 2007 operating expenses, over $250 million represents amounts paid for contracted goods and services. For the 6 months ended June 2008, $121 million of $495 million in operating expenses was for contractor payments. Part of the $121 million was paid based on contractor invoices. Our review included a sample of 30 of 1,148 FDIC invoices, representing $5.7 million of the total $37.5 million in contractor payments from October 2007 through March 2008. The FDIC had assigned 15 Oversight Managers (OM) the responsibility for the review and approval of the 30 sampled invoices (see Appendix 2), representing 18 contractors.
Guidance and Controls Related to Contractor Payments
The FDIC has a number of policies and procedures related to controls over the contractor invoice payment process as described below.
FDIC Circular 4010.3. FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, adopted internal control standards prescribed in the Government Accountability Office (GAO) publication, Standards for Internal Control in the Federal Government. These standards apply to all operations (programmatic, financial, and compliance) and are intended to ensure the effectiveness and efficiency of operation, reliability of financial reporting, and compliance with applicable laws and regulations. Circular 4010.3 requires management to develop and implement controls to ensure that management directives are carried out and to provide reasonable assurance that controls are sufficient to minimize exposure to waste, fraud, and mismanagement.
Key control activities related to contractor payments described in Circular 4010.3 include:
The circular also requires management to perform monitoring activities to assess the quality of performance over time and the effectiveness of controls. Monitoring activities include routine management and supervisory actions; transaction comparisons and reconciliations; other actions taken in the course of normal operations; as well as separate and discrete control evaluations, including internal self-assessments and external reviews.
The Acquisition Policy Manual. The FDICís Acquisition Policy Manual (APM) provides that contract OMs are, among other things, responsible for reviewing and approving invoices promptly for payment to avoid interest on late payments and ensuring that the goods or services contracted for are received and within the scope of the contract. The APM requires that the Contracting Officer provide the program-appointed OM with a Letter of Oversight Manager Confirmation, describing the OMís authority and responsibilities. Prior to receiving the letter of confirmation, OMs are required to complete training that includes, among other things, the OM role in contract administration.
Interim Acquisition Policy No. 2004-5, CEFile, dated August 10, 2004. The policy states that the Contract Electronic File (CEFile) is the official contract file of record for the ASB. The CEFile is a Web-based template on the FDICnet used to create official contract files and electronically organize and store all pertinent contract file documentation such as the requirements package, contract, contract modifications, and OMís contract-related records. The policy memorandum states that the Contracting Officers and OMs are responsible to ensure that the CEFile is current, accurate, and complete. The documentation in the file shall be sufficient to (a) provide a complete background as a basis for informed decisions at each step in the acquisition process; (b) support actions taken; (c) provide information for reviews and investigations; and (d) furnish essential facts in the event of litigation or congressional inquiries.
Interim Acquisition Policy No. 2007-02, Establishment of the FDIC Contract Oversight Management Program, dated April 12, 2007. The policy memorandum formally establishes the FDIC Contract Oversight Management Program and states that supervisors must ensure that individuals considered for appointment as OMs obtain certain competencies needed to effectively and efficiently perform delegated contract management duties. On May 11, 2007, ASB notified OMs regarding mandatory classroom training.
Operating Expense Process Memorandum. DOFís Disbursement Operations Unit (DOU) processes approved invoices for goods and services procured by the FDIC. The FDICís Operating Expense Process Memorandum, for calendar year 2007, defines the G/L procedures related to operating expenses, which are included in the Operating Expense line item on the FDICís financial statements.
The process memorandum identifies key events and describes the controls provided at each stage as summarized below:
The GAO, as part of the annual audit of the FDICís financial statements, assesses the controls for contractor invoice payment processing and G/L posting activities. GAOís audit work includes testing and tracing of contractor invoice payments from approval through disbursements and G/L postings.
The DOF Accounts Payable Operating Procedures Manual, November 2006. DOF maintains this manual to document activities and procedures related to the FDICís Accounts Payable function. The topics addressed in the Manual include:
RESULTS OF AUDIT
The FDIC has established and implemented generally adequate controls over contractor invoice approval, payment, and posting to the G/L. The NFE provides an audit trail from the authorized invoice approval through posting of the payment transactions to the G/L. Payment transactions for the 30 sampled invoices were accurately posted to the correct fund and expense accounts in the G/L. Additionally, the FDIC has enhanced its Contract Oversight Management Program to ensure that OMs receive and complete training regarding their roles in reviewing and approving contractor invoices for payment.
However, based on our review of the 30 sampled contractor invoices, representing total FDIC expenditures of $5.7 million, we found that enhanced control activities could improve the OMís review and approval procedures as described below.
Strengthening controls in the areas of the segregation of duties, OM training, and contract file maintenance will help in ensuring the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with FDIC policies and procedures.
PAYMENT PROCESSING AND GENERAL LEDGER POSTING
We found that the FDIC has established and implemented adequate controls over the contractor invoice payment function and corresponding posting to the G/L. The NFE provides an audit trail from the authorized invoice approval through posting the payment transactions. We obtained documentation from DOF and traced the payment transactions of the 30 sampled invoices from NFE approval to disbursement and recording in the G/L. DOU approved the electronic payment transactions for the sampled invoices. After approval, DOU notified NSCU via email that the payment transactions were ready for processing. NSCU sent these payment transactions to the appropriate disbursement banks, and the automated interface in the Accounts Payable Module posted the payment transactions to the correct funds and expense accounts in the G/L.
We were able to verify that the 30 contractor invoices in our sample were paid in the correct amount invoiced and processed in a timely manner within the limits of the PPA late payment provisions. In addition, the edit checks in the Accounts Payable Module for duplicate payments and the DOU procedures for daily monitoring of invoices worked as intended for the sampled invoices. There were no duplicate payments for any of the 30 sampled invoices.
Based on the results of our audit work, we are not making recommendations in these areas. However, we found that management attention is warranted in the areas of the segregation of duties, OM training, and contract file maintenance as discussed below.
SEGREGATION OF DUTIES FOR INVOICE APPROVAL
We found that 5 of the 30 invoices, representing $239,300 in payments, were approved without an adequate segregation of duties. One OM prepared,3 submitted, and approved two invoices, while another OM submitted three invoices directly to DOF for the contractors and then approved them for payment processing.
Having one individual initiate and approve a transaction increases the risk of errors and unauthorized payment transactions. This control weakness occurred because management did not ensure compliance with the segregation of duties requirement for invoice preparation, submission, and approval in accordance with FDIC Circular 4010.3.
The two invoices prepared and approved by the same OM were for certain contracted insurance providers for the FDICís employee health benefits programs. The contractors did not have access to certain information needed for billing purposes;4 therefore, the OM transferred the billing data from BAS and added the required contract and cost allocation information on the invoices submitted to DOU for payment processing. After receiving notification, through the NFE, that the invoices needed approval, the same OM approved the invoices for payment. Having one individual with the capability to prepare, submit, and approve an invoice increases the risk of errors and could result in unauthorized payment transactions.
The three remaining invoices, which were for expert consulting services, were also submitted and approved without an adequate segregation of duties. The OM for the consulting services contracts received the invoices from the contractor, submitted them to DOF, and approved the invoices for payment.5 The Operating Expense Process Memorandum states that the contractor, not the OM, should submit invoices to DOU. The lack of segregation of duties increases the risk of errors or unauthorized payment transactions.
FDIC Circular 4010.3 states that key duties and responsibilities shall be divided among different individuals to reduce the risk of error or fraud. Maintaining appropriate segregation of duties in the invoice payment process is key to safeguarding FDIC resources.
Recommendation Related to Segregation of Duties for Invoice Approval
We recommend that the Director, DOA, work with the Director, DOF, to:(1) Strengthen controls to ensure segregation of duties for invoice preparation, submission, and approval.
OM CONFIRMATION LETTERS AND TRAINING
Three of 15 OMs, who approved 3 of the 30 sampled invoices did not have confirmation letters from Contracting Officers, authorizing them to perform OM responsibilities, including reviewing and approving invoices for payments. The three invoices totaled $213,150. In addition, two OMs approved three invoices totaling $130,600 without first completing the required OM training. Both of these OMs also lacked a confirmation letter from the Contracting Officer. The lack of OM confirmation letters and training occurred because DOA has not been monitoring and periodically assessing compliance with OM authorization requirements. Confirmation letters and training help to (1) ensure that the OMs are fully aware of their authorities and responsibilities and (2) reduce the risk of OMs approving erroneous and/or unauthorized transactions.
The APM requires that a Letter of Oversight Manager Confirmation be issued by the Contracting Officer to the OM, authorizing the OM to perform a number of tasks, including verifying satisfactory delivery of contract terms and/or performance, and reviewing and approving invoices promptly to avoid late payments and incurred interest charges. In addition, Interim Acquisition Policy No. 2007-02, dated April 12, 2007, defines required competencies for OMs, and ASB has established mandatory instructor-led classroom training for OMs regarding FDIC contract oversight management. An important part of the training focuses on the OM role in contract administration, which includes responsibilities for reviewing and approving invoices for contractor payments.
Recommendation Related to OM Confirmation Letters and Training
We recommend that the Director, DOA:
(2) Monitor and periodically assess compliance with the FDICís acquisition policy to ensure that designated OMs have received confirmation letters from Contracting Officers and completed required training.
We found that for the 30 invoices sampled, the CEFile did not contain 26 invoices representing about $1.7 million out of $5.7 million in contractor payments. This occurred because DOA has not been monitoring OM compliance with the requirements to ensure that the CEFile is current, accurate, and complete. As a result, the CEFile documents for 16 of the18 contracts in our sample were not up to date and cannot be relied upon as a record of contract activities.
Interim Acquisition Policy No. 2004-05 indicates that the CEFile is the official contract file of record. Further, DOA issued a memorandum, dated October 18, 2006, to FDIC Contracting Officers and OMs, stating that maintaining the CEFile is an ongoing and continuous process, and it is the responsibility of both the Contract Specialist and the OM to ensure that the CEFile is current, accurate, and complete.
In particular, OMs are required to maintain their contract-related records such as approved invoices in the CEFile. OM contract administration responsibilities are performed corporate-wide. Accordingly, DOA needs to monitor OM compliance with acquisition policy to ensure the CEFile is current, accurate, and complete.
Recommendation Related to Contract Documentation
We recommend that the Director, DOA:
(3) Monitor and periodically assess whether OMs record contract activities, including invoices, in a timely manner to ensure the CEFile is current, accurate, and complete.
CORPORATION COMMENTS AND OIG EVALUATION
On September 12, 2008, DOA and DOF provided a joint written response to the draft of this report. The response is provided in its entirety as Appendix 3 of this report. DOA and DOF concurred with our recommendations and provided planned corrective actions for each recommendation as discussed below.
Regarding recommendation 1 on segregation of duties for invoice preparation, submission, and approval, DOA indicated that the OMís review and approval procedures could be improved for invoices of the employee health benefits program. Currently, the FDICís contractor for administering the employee benefits program, BAS, provides the employee premiums to the FDIC. The DOA Benefits Center staff then creates a separate spreadsheet for the DOU showing the contract name, number, allocation codes, and amounts and sends the entire package as an invoice to DOU for input into the NFE. To improve segregation of duties, DOAís Benefits Center staff will instruct BAS to include on its invoice the name and number of the contract, dollar amount allocation per budget line, and total dollar amount and send the invoice directly to DOU. This new procedure will be implemented by December 31, 2008.
DOF also agreed to take actions to strengthen segregation of duties controls for invoice preparation, submission, and approval. DOU will implement a process by September 30, 2008, to follow up with OMs who receive an invoice directly from a contractor and subsequently forward the invoice to the DOU for processing. DOU will reinforce to the OM that contractors should submit invoices directly to DOU. Where there is a valid business reason that supports a vendor invoice being first received by the program office, DOF will document this exception and stress to the program office the importance of maintaining appropriate segregation of duties regarding the preparation, submission, and approval of invoices.
With respect to recommendation 2 on OM Confirmation Letters and Training, DOA will monitor and periodically assess compliance with acquisition policy through contract post-award reviews to be conducted by DOAís Acquisition Services Branch.
DOA indicated that by December 31, 2008, a contract post-award review checklist will be developed to include a review of OM training and appointments.
Regarding recommendation 3 on contract documentation, DOA will include on the contract post-award review checklist being developed (by December 31, 2008) a review of the CEFile to ensure that all applicable documentation is included in that file.
A summary of managementís response to the recommendations is in Appendix 4. We consider the planned actions to be responsive to the recommendations. The recommendations are resolved but will remain open until we have determined that agreed-to corrective actions have been completed and are responsive.
OBJECTIVE, SCOPE, AND METHODOLOGY
We performed our audit work at the FDICís Headquarters offices in Arlington, Virginia, and Washington, D.C., and the Dallas Regional Office.
We identified the key control points in the FDICís invoice payment processes. Our tests addressed these key control activities:
Reliance on Computer-processed Information
In performing this audit, we relied on data from the NFE and CEFile. We confirmed the accuracy of the data through tracing to source documents and considered the reasonableness of data such as electronic timesheets of hours charged on invoices.
We reviewed the FDICís 2008 Annual Performance Plan and found that it did not contain specific goals, objectives, or performance measures that were relevant to our audit. We did note that DOF maintains a Balanced Scorecard to track initiatives, targets, and accomplishments. The Balanced Scorecard for 2007 indicates a number of accomplishments that enhance the controls over contractor invoice approval, payment, and posting processes:
Compliance with Laws and Regulations
The following laws and regulations are relevant to the FDICís controls over contractor invoice approval, payment and posting to the G/L:
The FDIC has determined that to the extent that Circulars No. A-123 and No. A-127 articulate the standards of FMFIA, the FDIC should adhere to those standards. Moreover, the FDIC is not bound by the letter of the circulars, but as long as the FDIC develops internal controls that are consistent with the goals of FMFIA, the FDIC will have met its legal obligations. Most provisions of Circular No. A-130 apply to the FDIC.
The FDIC has determined that the Act is applicable to invoices relating to the FDIC in its corporate capacity but generally not its receivership capacity unless contract terms are to the contrary.
We assessed DOAís and DOFís internal controls and practices for invoice approval, payment, and posting payment transactions to the G/L for consistency with the above laws and regulations, although we limited our assessment of the PPA to late payment provisions.
We assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.
|FDIC Division||Invoice Number||Invoice Amount||FDIC Contract Number||OM Location|
|DRR||278440||$32,100.00||CORFD120||Dallas Regional Office|
|DRR||2785.84-022908||$2,785.84||CORFD205||Dallas Regional Office|
|DRR||8000574104||$292,384.07||CORFD313||Dallas Regional Office|
|DRR||8000574104B||*($22,384.07)||CORFD313||Dallas Regional Office|
|DRR||8000574104D||$22,384.07||CORFD313||Dallas Regional Office|
|DRR||8000608194||$356,362.35||CORFD313||Dallas Regional Office|
|DRR||201-1225||$36,366.00||CORFD42||Dallas Regional Office|
|DRR||201-1234||$36,366.00||CORFD42||Dallas Regional Office|
We appreciate that the OIG noted in its report that the FDIC has established and implemented adequate controls over the contractor invoice payment function and corresponding posting to the general ledger. However, we recognize that additional steps could be taken to enhance these controls. This response outlines the planned corrective actions for each of the recommendations cited in the OIG's Report.
Finding: Segregation of Duties Requirement for Invoice Approval
Recommendation 1: That the Director, Division of Administration (DOA), work with the Director Division of Finance (DOF) to strengthen controls to ensure segregation of duties for invoice preparation, submission, and approval.
Management Response 1: DOA and DOF concur with the recommendation.
DOA Corrective Action: With regards to the employee health benefits program invoices identified in the OIG's Draft Report, DOA acknowledges that enhanced control activities could improve the OM's review and approval procedures related to the review and approval of these invoices. Currently, the FDIC's third party vendor, BAS, provides the invoice for employee premiums to FDIC. The DOA Benefits Center staff creates a separate spreadsheet for DOF Disbursement Operations Unit (DOU) showing the contract name, number, allocation codes, and amounts and sends the entire package to DOF DOU for input into NFE. To eliminate any appearances of non-segregation of duties, the Benefits Center staff will instruct BAS going forward to include the name of the contract, contract number, dollar amount allocation per budget line and total dollar amount on their invoice and send the invoice directly to DOF DOU.
MANAGEMENT RESPONSE TO RECOMMENDATIONS
|Rec. No.||Corrective Action: Taken or Planned||Expected Completion Date||Monetary Benefits||Resolved:a Yes or No||Open or Closedb|
|1||DOAís Benefits Center staff will instruct BAS, the contractor for administering the employee benefits programs, to include the required information on the invoices for the program and send the invoices directly to DOF.||12/31/2008||NA||Yes||Open|
DOF will implement a process to follow up with OMs who receive an invoice directly from a contractor and forward the invoice to DOF for processing. DOF will reinforce to the OM that contractors should submit invoices directly to DOF. If there is a valid reason for a vendor invoice being first received by the program office, DOF will document this exception and stress to the program office the importance of maintaining segregation of duties for invoice preparation, submission, and approval.
|2||DOA will include a review of OM training and appointments on a new review checklist for contract post-award reviews to be conducted for contract compliance.||12/31/2008||NA||Yes||Open|
|3||DOA will also include on the contract post-award review checklist a CEFile review to ensure that all contract documentation is in the files.||12/31/2008||NA||Yes||Open|
|a Resolved Ė||(1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.|
|(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.|
|(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.|
ACRONYMS USED IN THE REPORT
|APM||Acquisition Policy Manual|
|ASB||Acquisition Services Branch|
|BAS||Benefits Allocation Specialists|
|CEFile||Contract Electronic File|
|CFOA||Chief Financial Officers Act of 1990|
|C.F.R.||Code of Federal Regulations|
|DIR||Division of Insurance and Research|
|DIT||Division of Information Technology|
|DOA||Division of Administration|
|DOF||Division of Finance|
|DOU||Disbursement Operations Unit|
|DRR||Division of Resolutions and Receiverships|
|EFT||Electronic Funds Transfer|
|FASAB||Federal Accounting Standards Advisory Board|
|FASB||Financial Accounting Standards Board|
|FDI Act||Federal Deposit Insurance Act|
|FMFIA||Federal Managersí Financial Integrity Act|
|GAAP||Generally Accepted Accounting Standards|
|GAO||Government Accountability Office|
|NFE||New Financial Environment|
|NSCU||NFE Servicing and Control Unit|
|OIG||Office of Inspector General|
|OMB||Office of Management and Budget|
|PPA||Prompt Payment Act|
|Last updated 1/12/2009|