This is the accessible text file for GAO report number GAO-06-404
entitled 'Homeland Security: Contract Management and Oversight for
Visitor and Immigrant Status Program Need to Be Strengthened' which was
released on July 10, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
June 2006:
Homeland Security:
Contract Management and Oversight for Visitor and Immigrant Status
Program Need to Be Strengthened:
US-VISIT Contract Management:
GAO-06-404:
GAO Highlights:
Highlights of GAO-06-404, a report to congressional requesters
Why GAO Did This Study:
The Department of Homeland Security (DHS) has established a
multibillion-dollar program—U.S. Visitor and Immigrant Status Indicator
Technology (US-VISIT)—to control and monitor the pre-entry, entry, visa
status, and exit of foreign visitors. To deliver system and other
program capabilities, the program relies extensively on contractors,
some of whom are managed directly by US-VISIT and some by other
agencies (including both DHS agencies, such as Customs and Border
Protection, and non-DHS agencies, such as the General Services
Administration). Because of US-VISIT’s heavy reliance on contractors to
deliver program capabilities, GAO was asked to determine whether DHS
has established and implemented effective controls for managing and
overseeing US-VISIT–related contracts.
What GAO Found:
US-VISIT–related contracts have not been effectively managed and
overseen. The US-VISIT program office established and implemented
certain nonfinancial controls for those contracts that it managed
directly, such as verifying that contractor deliverables satisfied
established requirements. However, it did not implement effective
controls for overseeing its contracts managed by other DHS agencies and
by non-DHS agencies. Moreover, effective financial controls were not in
place on any contracts that GAO reviewed (see table for agencies
managing these contracts).
* The program office did not know the full extent of US-VISIT–related
contract actions, and it had not performed key nonfinancial practices
associated with understanding contractor performance in meeting the
terms of these contracts. This oversight gap was exacerbated by the
fact that the other agencies had not always established and implemented
effective controls for managing their respective contracts. These other
agencies directly managed more than half (56 percent) of the total US-
VISIT–related contract obligations reported to GAO.
* The program office and other agencies did not implement effective
financial controls. Without these controls, some agencies were unable
to reliably report US-VISIT contracting expenditures. Further, the
program office and these other agencies improperly paid and accounted
for related invoices, including making duplicate payments and payments
for non-US-VISIT services with funds designated for US-VISIT.
According to the US-VISIT program official responsible for contract
matters, the program office has focused on contracts that it manages
directly and decided to rely on the responsible agencies to manage the
other contracts. Further, it has decided to use other agencies to
properly manage financial matters for their respective contracts, and
it also decided to rely on another agency for its own financial
management services. Without effective contract management and
oversight controls, the program office does not know that required
program deliverables and mission results will be produced on time and
within budget, and that proper payments are made.
Table: Agencies Managing US-VISIT-Related Contracts:
Managing Organization: US-VISIT Acquisition and Program Management
Office; Purpose of Contract actions managed: Support all aspects of US-
VISIT.
Managing Organization: Architect Engineering Resource Center (Army
Corps of Engineer); Purpose of Contract actions managed: On-site
program management at ports of entry and economic impact assessment of
US-VISIT implementation on northern and southern borders.
Managing Organization: General Services Administration; Purpose of
Contract actions managed: Facilities services related to US-VISIT work
at ports of entry.
Managing Organization: Customs and Border Protection (DHS); Purpose of
Contract actions managed: Systems development; hardware deployment.
Managing Organization: Immigration and Customs Enforcement (DHS);
Purpose of Contract actions managed: Systems engineering; IT support.
Managing Organization: Transportation Security Administration (DHS);
Purpose of Contract actions managed: Systems development.
Source: GAO analysis.
[End of Table]
What GAO Recommends:
GAO is making recommendations to the Secretary of Homeland Security to
ensure that effective contract management and financial controls are
established and implemented both for contracts managed by the US-VISIT
program office and for those managed by other agencies. In written
comments on a draft of this report, DHS concurred with the
recommendations. In oral comments, officials from other agencies
provided comments aimed at clarifying selected GAO statements.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-404].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Randolph C. Hite at (202)
512-3439 or McCoy Williams at (202) 512-9095.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
US-VISIT Established and Implemented Key Controls for Contracts That It
Managed Directly, but It Did Not Have Controls for Overseeing Contracts
Managed by Others or for Effective Financial Management:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: Detailed Agency Evaluations:
Appendix IV: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Relationships between Servicing Agencies Managing US-VISIT-
Related Contracts and US-VISIT Program:
Table 2: APMO's Establishment and Implementation of Key Contractor
Management Practices:
Table 3: Status of Critical Contractor Management Practices at US-VISIT
Contract Management Agencies:
Table 4: Acceptance Reports for One Contract Deliverable:
Table 5: Contract Actions Related to US-VISIT That Were Examined in
This Review:
Table 6: Evaluation of US-VISIT Acquisition and Program Management
Office:
Table 7: Evaluation of General Services Administration:
Table 8: Evaluation of Army Corps of Engineers Architect-Engineer
Resource Center:
Table 9: Evaluation of Customs and Border Protection:
Table 10: Evaluation of Transportation Security Administration:
Table 11: Evaluation of Immigration and Customs Enforcement:
Figures:
Figure 1: Organizational Structure of DHS:
Figure 2: Organizational Structure of US-VISIT Program Office and
Functional Responsibilities:
Figure 3: Changes in US-VISIT System Ownership and Management, July
2003-March 2005:
Figure 4: Distribution of $347 Million US-VISIT Obligated Contracting
Dollars between March 2002 and March 2005:
Abbreviations:
ADIS: Arrival Departure Information System:
AERC: Architect-Engineering Resource Center:
APMO: Acquisition and Program Management Office:
CBP: Customs and Border Protection:
CMMI: Capability Maturity Model Integration:
COR: contracting officer's representative:
COTR: contracting officer's technical representative:
DHS: Department of Homeland Security:
FAR: Federal Acquisition Regulation:
GSA: General Services Administration:
IAA: inter-or intra-agency agreement:
ICE: Immigration and Customs Enforcement:
IDENT: Automated Biometric Identification System:
INS: Immigration and Naturalization Service:
IPAC: Intra-governmental Payment and Collection:
OMB: Office of Management and Budget:
SEI: Software Engineering Institute:
TECS: Treasury Enforcement Communications Systems:
TSA: Transportation Security Administration:
US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology:
United States Government Accountability Office:
Washington, DC 20548:
June 9, 2006:
Congressional Requesters:
The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)
program of the Department of Homeland Security (DHS) is a
governmentwide program for controlling and monitoring the pre-entry,
entry, visa status, and exit of foreign visitors. The department is
taking an incremental approach to acquiring and implementing US-VISIT,
with the initial increments focused on enhancing existing systems,
modifying facilities, and augmenting program office staff. In doing so,
DHS has relied heavily on contractor support, obtained through multiple
existing contracts managed by several DHS and non-DHS agencies. Because
of the importance of effective contractor management and oversight to
this program, you asked us to determine whether the department has
established and implemented effective controls for managing and
overseeing US-VISIT-related contractors.
To achieve this objective, we reviewed the contracting policies and
procedures of DHS and non-DHS agencies responsible for US-VISIT-related
contracts.[Footnote 1] We also reviewed a set of contracting actions
(contract awards and task orders) that were performed between March
2002 and March 2005. We could not ensure that the selected contracting
actions were statistically representative of all US-VISIT-related
contracting actions because DHS did not have a complete inventory of
such actions. Instead, we used a judgmental selection, focusing on
service contracts from fiscal years 2002 to 2005.[Footnote 2]
We conducted our review from March 2005 through April 2006 in
accordance with generally accepted government auditing standards.
Further details of our objective, scope, and methodology, including the
basis for our judgmental selection, are included in appendix I.
Results in Brief:
Although the success of the US-VISIT program depends heavily on the
work performed by contractors, important US-VISIT-related contract
activities have not been effectively managed and overseen. For those
contracts that it directly managed, the program office established and
implemented nonfinancial management controls (such as assigning
contractor management responsibilities and authorities, training key
contract management personnel, and verifying that contractor
deliverables satisfied established requirements), but it fell short in
other key areas. In particular:
* The program office did not establish and implement effective
nonfinancial management controls for overseeing US-VISIT-related
contract work performed on its behalf by other DHS agencies, such as
Customs and Border Protection (CBP), and by two non-DHS agencies--the
Army Corps of Engineers Architect-Engineering Resource Center
(AERC)[Footnote 3] and the General Services Administration (GSA). These
agencies did not always establish and implement the full range of
nonfinancial controls needed to effectively manage their respective
contracts. For example, the program office did not know what US-VISIT-
related contract actions these other agencies had under way and had
completed, and the other agencies generally did not establish and
implement controls for ensuring that contractor deliverables satisfied
contract requirements, which is significant given that these DHS and
non-DHS agencies directly managed more than half (56 percent) of the
total obligations reported to us for US-VISIT-related contract work
during the period of our review.
* The program office and other DHS and non-DHS agencies doing work on
its behalf also did not implement effective US-VISIT-related financial
management controls. In the absence of these controls, several agencies
were unable to reliably report US-VISIT contracting expenditures.
Further, the program office and the other agencies improperly paid and
accounted for related invoices, including making duplicate payments and
making payments for non-US-VISIT services using funds designated for US-
VISIT purposes.
According to the US-VISIT program official responsible for contract
matters, the program office has focused on contracts that it manages
directly and decided to rely on other agencies to manage the other US-
VISIT contracts. Further, it decided to rely on these other agencies to
properly manage financial matters for their respective contracts, and
on another agency for its own financial management support. Without
effective controls over all US-VISIT-related contracts and related
financial management matters, the program office does not know whether
required program deliverables and associated mission results will be
produced on time and within budget, and that proper payments are made
and accounted for.
We are making recommendations to the Secretary of Homeland Security to
ensure that effective contract management and financial controls are
established and implemented both for contracts managed by the US-VISIT
program office and for those managed by other agencies. For example, we
are recommending that the program office develop and implement
practices for overseeing contractor work managed by other agencies on
the program office's behalf, including (among other things) having
current, reliable, and timely information on the full scope of contract
actions and activities. In addition, we are recommending that the
program office strengthen financial management by (among other things)
ensuring that agencies managing contracts on its behalf record amounts
being billed and expended on US-VISIT-related work so that these can be
tracked and reported separately from amounts not for US-VISIT purposes.
In written comments on a draft of this report, DHS stated that although
it disagreed with some of our assessment, it agreed with many areas of
the report and concurred with our recommendations and the need for
improvements in US-VISIT contract management and oversight. In
particular, DHS described as misleading our characterization of US-
VISIT's dependency on other agencies for financial management support.
DHS noted that the decision to use other agencies was based on the
nature of the services that were required, which it said were outside
the scope of the program office's areas of expertise. We understand the
rationale for the decision to use other agencies, and the statement in
question was not intended to suggest anything more than that such a
decision was made. The department also provided clarifying information
about invoice discrepancies and improper payments cited in the report,
including reasons why they occurred. We do not question the
department's reasons for the discrepancies; however, they do not change
our findings about the fact that these discrepancies did indeed occur.
We have modified the report, where appropriate. DHS's comments, along
with our responses, are discussed in detail in the Agency Comments and
Our Evaluation section of this report. The comments are also reprinted
in their entirety in appendix II.
Officials from AERC and GSA provided oral comments aimed at clarifying
some of our statements and findings. We have made revisions as
appropriate. These comments and our responses are also discussed in the
Agency Comments and Our Evaluation section of the report.
Background:
In response to legislation,[Footnote 4] the Immigration and
Naturalization Service (INS) established in 2002 an Entry/Exit Program
to strengthen management of the pre-entry, entry, visa status, and exit
of foreign nationals who travel to the United States. With the creation
of DHS in March 2003 and the inclusion of INS as part of the new
department, this initiative was renamed US-VISIT. The goals of US-VISIT
are to:
* enhance the security of U.S. citizens and visitors,
* facilitate legitimate travel and trade,
* ensure the integrity of the U.S. immigration system, and:
* protect the privacy of our visitors.
To achieve these goals, US-VISIT is to collect, maintain, and share
information on certain foreign nationals who enter and exit the United
States; detect fraudulent travel documents, verify traveler identity,
and determine traveler admissibility through the use of biometrics; and
facilitate information sharing and coordination within the border
management community.
As of October 2005, about $1.4 billion has been appropriated for the
program, and according to program officials, about $962 million has
been obligated.
Acquisition and Implementation Approach:
DHS plans to deliver US-VISIT capability in four increments: Increments
1 through 3 are interim, or temporary, solutions that were to fulfill
legislative mandates to deploy an entry/exit system by specified dates;
Increment 4 is to implement a long-term vision that is to incorporate
improved business processes, new technology, and information sharing to
create an integrated border management system for the future. For
Increments 1 through 3, the program is building interfaces among
existing ("legacy") systems; enhancing the capabilities of these
systems; deploying these capabilities to air, sea, and land ports of
entry; and modifying ports of entry facilities. These increments are to
be largely acquired and implemented through task orders placed against
existing contracts.[Footnote 5]
* Increment 1 concentrates on establishing capabilities at air and sea
ports of entry and is divided into two parts--1 and 1B. Increment 1
(air and sea entry) includes the electronic capture and matching of
biographic and biometric information (two digital index fingerscans and
a digital photograph) for selected foreign nationals, including those
from visa waiver countries.[Footnote 6] Increment 1 was deployed on
January 5, 2004, at 115 airports and 14 seaports. Increment 1B (air and
sea exit) collects biometric exit data for select foreign nationals; it
is currently deployed at 14 airports and seaports.
* Increment 2 focuses primarily on extending US-VISIT to land ports of
entry. It is divided into three parts--2A, 2B, and 2C.
* Increment 2A includes the capability to biometrically compare and
authenticate valid machine-readable visas and other travel and entry
documents issued by the Department of State and DHS to foreign
nationals at all ports of entry (air, sea, and land ports of entry).
Increment 2A was deployed on October 23, 2005, according to program
officials. It is also to include the deployment by October 26, 2006, of
technology to read biometrically enabled passports from visa waiver
countries.
* Increment 2B redesigned the Increment 1 entry solution and expanded
it to the 50 busiest U.S. land border ports of entry with certain
modifications to facilities. This increment was deployed to these 50
ports of entry as of December 29, 2004.
* Increment 2C is to provide the capability to automatically,
passively, and remotely record the entry and exit of covered
individuals using radio frequency technology tags at primary inspection
and exit lanes.[Footnote 7] In August 2005, the program office deployed
the technology to five border crossings (at three ports of entry) to
verify the feasibility of using passive radio frequency technology to
record traveler entries and exits via a unique identification number
embedded within government-issued travel documentation. The program
office reported the evaluation results in January 2006, and according
to the Increment 2C project manager, the program is planning to move
forward with the second phase of this increment.
* Increment 3 extended Increment 2B entry capabilities to 104 of the
remaining 105 land ports of entry as of December 19, 2005.[Footnote 8]
* Increment 4 is to define, design, build, and implement more strategic
US-VISIT program capability, which program officials stated will likely
consist of a further series of incremental releases or mission
capability enhancements that will support business outcomes.
The first three increments of US-VISIT include the interfacing of
existing systems, the modification of facilities, and the augmentation
of program staff. Key existing systems include the following:
* The Arrival Departure Information System (ADIS) is a database that
stores noncitizen traveler arrival and departure data received from air
and sea carrier manifests and that provides query and reporting
functions.
* The Treasury Enforcement Communications Systems (TECS) is a system
that maintains lookout (i.e., watch list) data, interfaces with other
agencies' databases, and is currently used by inspectors at ports of
entry to verify traveler information and update traveler data.
* TECS includes the Advance Passenger Information System (APIS), a
system that captures arrival and departure manifest information
provided by air and sea carriers.
* The Automated Biometric Identification System (IDENT) is a system
that collects and stores biometric data about foreign visitors.
In May 2004, DHS awarded an indefinite-delivery/indefinite-
quantity[Footnote 9] prime contract to Accenture, which has partnered
with a number of other vendors.[Footnote 10] According to the contract,
the prime contractor will develop an approach to produce the strategic
solution. In addition, it is to help support the integration and
consolidation of processes, functionality, and data, and is to assist
the program office in leveraging existing systems and contractors in
deploying and implementing the interim solutions.
Organizational Structure and Responsibilities:
In July 2003, DHS established the US-VISIT program office, which is
responsible for managing the acquisition, deployment, and operation of
the US-VISIT system and supporting people, processes, and facilities.
Accordingly, the program office's responsibilities include, among other
things,
* delivering program and system capabilities on time and within budget
and:
* ensuring that program goals, mission outcomes, and program results
are achieved.
Within DHS, the US-VISIT program organizationally reports directly to
the Deputy Secretary for Homeland Security, as seen in figure 1.
Figure 1: Organizational Structure of DHS:
[See PDF for image]
Source: GAO analysis of DHA data.
[End of figure]
The program office is composed of a number of functional groups. Among
these groups, three deal with contractor management. These are the
Acquisition and Program Management Office (APMO), the Office of
Facilities and Engineering Management, and the Office of Budget and
Financial Management. As seen in figure 2, all three groups report
directly to the US-VISIT Program Director.
Figure 2: Organizational Structure of US-VISIT Program Office and
Functional Responsibilities:
[See PDF for image]
Source: US-VISIT.
[End of figure]
APMO is to manage execution of the program's acquisition and program
management policies, plans, processes, and procedures. APMO is also
charged with ensuring effective selection, management, oversight, and
control of vendors providing services and solutions.
The Office of Facilities and Engineering Management is to implement the
program's physical mission environment through, for example, developing
and implementing physical facility requirements and developing
cooperative relationships and partnering arrangements with appropriate
agencies and activities.
The Office of Budget and Finance is to develop executable budgets to
contribute to cost-effective performance of the US-VISIT program and
mission; ensure full accountability and control over program financial
assets; and provide timely, accurate, and useful financial information
for decision support.
US-VISIT Relationships with Other DHS and Non-DHS Agencies:
Since its inception, US-VISIT has relied extensively on contractors to
deliver system and other program capabilities; these contractors
include both contractors managed directly by the program office and
those managed by other DHS and non-DHS agencies. Within the program
office, APMO manages the prime contract mentioned earlier, as well as
other program management-related contracts. All other contracts were
awarded and managed either by other DHS agencies or by two non-DHS
agencies, GSA and AERC. For the contracts managed by other DHS
agencies, the program office has entered into agreements[Footnote 11]
with these agencies. These agreements allow the program to use
previously awarded contracts to further develop and enhance the
existing systems that now are part of US-VISIT. By entering into
agreements with the various owners of these systems, the program office
has agreed to fund US-VISIT-related work performed on the systems by
these agencies, which include:
* CBP, which owns and manages TECS;
* Immigration and Customs Enforcement (ICE), which owned and managed
IDENT (until 2004) and ADIS (until 2005), and still provides some
information technology support services;[Footnote 12] and:
* the Transportation Security Administration (TSA), which in 2003
managed the development of the air/sea exit pilot program.
In addition, through its Office of Facilities and Engineering
Management, the program office has established an interagency agreement
with AERC and has established reimbursable work authorizations with
GSA.[Footnote 13] The agreements with GSA and AERC generally provide
for management services in support of US-VISIT deployment.
When the US-VISIT program office was created in July 2003, the program
did not own or manage any of the key systems described earlier. Rather,
all systems were owned and managed by other DHS agencies (see fig. 3).
As of March 2005, the program office had assumed ownership and
management responsibility for IDENT, which was originally managed by
ICE; assumed management responsibility for the air/sea exit project,
which was originally managed by TSA; and shares responsibility for
ADIS, which was initially owned and managed by ICE. US-VISIT owns ADIS,
but CBP is responsible for managing the system. These relationships are
shown in figure 3.
Figure 3: Changes in US-VISIT System Ownership and Management, July
2003-March 2005:
[See PDF for image]
Source: GAO analysis of DHS data.
[End of figure]
IAAs establish a means for US-VISIT to transfer funds to other DHS and
non-DHS agencies for work done on its behalf. The IAAs first give the
servicing agencies (that is, the agencies performing the work for US-
VISIT) obligation authority to contract for US-VISIT work. Once the
work has been performed, the servicing agencies pay their vendors
according to the terms of their respective contracts and then request
reimbursement of the vendor payment from US-VISIT via the Intra-
governmental Payment and Collection (IPAC) system.[Footnote 14] In
addition, the servicing agencies also receive IPAC payments for the
services they themselves provided for US-VISIT--essentially a fee for
the cost of managing contracts on the program's behalf.
Table 1 lists the various agencies currently managing US-VISIT-related
contracts and summarizes their respective relationships with the
program office and the purpose of the contract actions that we
reviewed.
Table 1: Relationships between Servicing Agencies Managing US-VISIT-
Related Contracts and US-VISIT Program:
Managing organization: US-VISIT Acquisition and Program Management
Office;
Relationship to US-VISIT: N/A;
Purpose of contract actions managed: Support for all aspects of US-
VISIT.
Managing organization: Architect Engineering Resource Center (Army
Corps of Engineers);
Relationship to US-VISIT: Interagency agreement/ Reimbursable work
authorization;
Purpose of contract actions managed: On-site program management at
ports of entry and economic impact assessment of US-VISIT
implementation on northern and southern borders.
Managing organization: General Services Administration;
Relationship to US-VISIT: Reimbursable work authorization;
Purpose of contract actions managed: Facilities services related to US-
VISIT work at ports of entry.
Managing organization: Customs and Border Protection (DHS);
Relationship to US-VISIT: Intra-agency agreement;
Purpose of contract actions managed: Work related to TECS and ADIS.
Managing organization: Immigration and Customs Enforcement (DHS);
Relationship to US-VISIT: Intra-agency agreement;
Purpose of contract actions managed: Work related to IDENT and ADIS; IT
support services.
Managing organization: Transportation Security Administration (DHS);
Relationship to US-VISIT: Intra-agency agreement;
Purpose of contract actions managed: Work related to air/sea exit pilot
(which interfaces with IDENT).
Source: GAO analysis.
[End of table]
Summary of DHS Reported Obligations for US-VISIT Contracts:
Documentation provided by the agencies responsible for managing US-
VISIT-related contracts shows that between March 2002 and March 31,
2005, they obligated about $347 million for US-VISIT-related contract
work.[Footnote 15] As shown in figure 4, about $152 million, or less
than half (44 percent), of the $347 million in obligations reported to
us was for contracts managed directly by the US-VISIT program office.
The remaining $195 million, or 56 percent, was managed by other DHS and
non-DHS agencies. Specifically, $156 million, or 45 percent of the $347
million in obligations reported to us for contracts, was managed by
other DHS agencies (TSA and CBP); $39 million, 11 percent, was managed
by non-DHS agencies (GSA and AERC).
Figure 4: Distribution of $347 Million US-VISIT Obligated Contracting
Dollars between March 2002 and March 2005:
[See PDF for image]
Source: GAO analysis of DHS data.
[End of figure]
From the inception of the US-VISIT program office through September 30,
2005, the program reports that it transferred about $96.7 million to
other agencies via the IPAC system for direct reimbursement of contract
costs and for the agencies' own costs.[Footnote 16]
Prior Reviews Related to DHS Contractor Oversight and Management:
In January 2005, we observed[Footnote 17] the increased use of
interagency contracting by the federal government and noted the factors
that can make interagency contract vehicles high risk in certain
circumstances. One of these factors was that the use of such
contracting vehicles contributes to a much more complex environment in
which accountability had not always been clearly established, including
designation of responsibility for such critical functions as describing
requirements and conducting oversight. We concluded that interagency
contracting should be designated a high-risk area because of the
challenges associated with such contracts, problems related to their
management, and the need to ensure oversight.
In March 2005, we also reported[Footnote 18] on challenges facing DHS's
efforts to integrate its acquisition functions. One significant
challenge was a lack of sufficient staff in the Office of the Chief
Procurement Officer to ensure compliance with the department's
acquisition regulations and policies. Another challenge was that the
department's Office of Procurement Operations, which was formed to
support DHS agencies that lacked their own procurement support (such as
US-VISIT), did not yet have sufficient staff and relied heavily on
interagency contracting. Further, the office had not implemented
management controls to oversee procurement activity, including ensuring
that proper contractor management and oversight had been performed. We
concluded that unless these challenges were addressed, the department
was at risk of continuing with a fragmented acquisition organization
that provided only stop-gap, ad hoc solutions.
Importance of Contractor Management Controls:
Organizational policies and procedures are important management
controls to help program and financial managers achieve results and
safeguard the integrity of their programs. Agency management is
responsible for establishing and implementing financial and
nonfinancial controls, which serve as the first line of defense in
ensuring contractor performance, safeguarding assets, and preventing
and detecting errors and fraud.
Pursuant to 31 U.S.C. °Þ 3512 (c),(d), the Comptroller General has
promulgated standards that provide an overall framework for
establishing and maintaining internal controls in the federal
government.[Footnote 19] Policy and guidance on internal control in
executive branch agencies are provided by the Office of Management and
Budget (OMB) in Circular A-123,[Footnote 20] which defines management's
fundamental responsibility to develop and maintain effective internal
controls. Specifically, management is responsible for implementing
appropriate internal controls; assessing the adequacy of internal
controls, including those over financial reporting; identifying needed
improvements and taking corrective action; and reporting annually on
internal controls.
The five general standards in our framework for internal control are
summarized below.
* Control environment. Management and employees should establish and
maintain an environment throughout the organization that sets a
positive and supportive attitude toward internal control and
conscientious management. A key factor relevant to contractor
management is having clearly defined areas of authority and
responsibility and appropriate lines of reporting.
* Risk assessment. Internal control should provide for an assessment of
the risks the agency faces from both external and internal sources.
* Control activities. Internal control activities help ensure that
management's directives are carried out. The control activities should
be effective and efficient in accomplishing the agency's control
objectives. Key control activities associated with contract management
include:
* appropriate documentation of transactions,
* accurate and timely recording of transactions and events,
* controls over information processing,
* reviews by appropriate management in the organization, and:
* segregation of duties.
* Information and communications. Information should be recorded and
communicated to management (and others who need it) in a form, and
within a time frame, that enables them to carry out their internal
control and other responsibilities. Key contract management activities
include:
* identifying, capturing, and distributing information in a form and
time frame that allows people to perform their duties efficiently; and:
* ensuring that information flows throughout the organization and to
external users as needed.
* Monitoring. Internal control monitoring should assess the quality of
performance over time and ensure that the findings of audits and other
reviews are promptly resolved.
To complement the standards, we developed a tool to help managers and
evaluators determine how well an agency's internal controls are
designed and functioning and what, where, and how improvements may be
implemented.[Footnote 21] This tool is intended to be used concurrently
with the standards described above and with OMB Circular A-123. The
tool associates each standard with a list of major factors to be
considered when users review the controls for that standard, as well as
points to be considered that may indicate the degree to which the
controls are functioning.
Relevant acquisition regulations and IT acquisition management guidance
also provide criteria for effectively managing contractor activities.
The Federal Acquisition Regulation (FAR)[Footnote 22] requires that
government agencies ensure that the contractor performs the
requirements of the contract, and the government receives the service
intended. However, the FAR does not prescribe specific methods for
doing so.
Other such methods or practices can be found in other acquisition
management guidance. In particular, the Capability Maturity Model
Integration model,[Footnote 23] developed by the Software Engineering
Institute (SEI) of Carnegie Mellon University, explicitly defines
process management controls that are recognized hallmarks for
successful organizations and that, if implemented effectively, can
greatly increase the chances of successfully acquiring software and
systems. These controls define a number of practices and subpractices
relevant to managing and overseeing contracts. These practices are
summarized below.
* Establish written policies and procedures for performing contractor
management. Polices establish the organization's expectations for
performing contractor management activities. Procedures provide the
"how to" or method to be followed in implementing the policies.
* Establish and maintain a plan for performing the contract oversight
process. The plan should include, among other things, a contractor
management and oversight process description, requirements for work
products, an assignment of responsibility for performing the process,
and the evaluations and reviews to be conducted with the contractor.
* Assign responsibility and authority for performing the specific
contractor management activities. Responsibility should be assigned for
performing the specific tasks of the contractor management process.
* Train the people performing or supporting the contractor management
process. Personnel participating in the contract oversight process
should be adequately trained and certified, as appropriate, to fulfill
their assigned roles.
* Document the contract. This documentation should include, among other
things, a list of agreed-upon deliverables, a schedule and budget,
deliverable acceptance criteria, and types of reviews that will be
conducted with the contractor.
* Verify and accept the deliverables. Procedures for accepting
deliverables should be defined; those accepting the deliverables should
verify that they meet requirements; the results of acceptance reviews
or tests should be documented; action plans should be developed for any
products that do not pass their review or test; and action items should
be identified, documented, and tracked to closure.
* Monitor risks involving the contractor and take corrective actions as
necessary. Risks should be identified and categorized (e.g., risk
likelihood or risk consequence) and then analyzed according to these
assigned categories.
* Conduct technical reviews with the contractor. Reviews should ensure
that technical commitments are being met in a timely manner and should
verify that the contractor's interpretation and implementation of the
requirements are consistent with the project's interpretation.
* Conduct management reviews. Reviews should address critical
dependencies, project risks involving the contractor, and the contract
schedule and budget.
US-VISIT Established and Implemented Key Controls for Contracts That It
Managed Directly, but It Did Not Have Controls for Overseeing Contracts
Managed by Others or for Effective Financial Management:
Given the US-VISIT program's dependence on contracting, it is extremely
important for the program office to effectively manage and oversee its
contracts via the establishment and implementation of key contractor
management and oversight controls. To its credit, the program office
established and implemented most of the key practices associated with
effectively managing nonfinancial contractor activities for those
contracts that it directly manages. In particular, it established
policies and procedures for implementing all but one of the key
practices that we reviewed, and it implemented many of these practices-
-including assigning responsibilities and training key personnel
involved in contractor management activities, verifying that contractor
deliverables satisfied established requirements, and monitoring the
contractor's cost and schedule performance for the task orders that we
reviewed. In doing so, the program has increased the chances that
program deliverables and associated mission results will be produced on
time and within budget.
However, the program office did not effectively oversee US-VISIT-
related contract work performed on its behalf by other DHS and non-DHS
agencies, and these agencies did not always establish and implement the
full range of controls associated with effective management of their
respective contractor activities. Without effective oversight, the
program office cannot adequately ensure that program deliverables and
associated mission results will be produced on time and within budget.
Further, the program office and other agencies did not implement
effective financial controls. The program office and other agencies
managing US-VISIT-related work were unable to reliably report the scope
of contracting expenditures. In addition, some agencies improperly paid
and accounted for related invoices, including making a duplicate
payment and making payments for non-US-VISIT services from funds
designated for US-VISIT. Without effective financial controls, DHS
cannot reasonably ensure that payments made for work performed by
contractors are a proper and efficient use of resources.
According to the US-VISIT program official responsible for contract
matters, the program office has initially focused on contracts that it
manages directly. For US-VISIT contracts managed by other agencies, the
program office has decided to rely on those agencies to manage the
contracts and associated financial matters. In addition, it has decided
to rely on another agency for financial management support of the
program office.
Program Office Established and Implemented Key Contractor Management
Practices:
The US-VISIT program office is responsible and accountable for meeting
program goals and ensuring that taxpayer dollars are expended
effectively, efficiently, and properly. Within the program office, APMO
is responsible for establishing and maintaining disciplined acquisition
and program management processes to ensure the efficient support,
oversight, and control of US-VISIT program activities. Accordingly, it
is important that APMO establish and implement effective contractor
management controls.
As mentioned previously, federal regulations and acquisition management
guidance[Footnote 24] identify effective contractor management as a key
activity and describe a number of practices associated with this
activity, including (among other things) establishing policies and
procedures for contractor management, defining responsibilities and
authorities, providing training, verifying and accepting deliverables,
and monitoring contractor performance. These general practices often
consist of more detailed subpractices. Appendix III lists the practices
and associated subpractices, as well as the extent to which they were
performed on each of the contract actions that we reviewed.
For contracts that it directly managed, APMO established policies and
procedures for all but one of the key nonfinancial practices associated
with effective contractor management. For example, it established
policies and procedures for performing almost all contractor management
activities (practices) through its Contract Administration and
Management Plan. This programwide plan, in conjunction with its
Acquisition Procedures Guide Deskbook, defines the methodology and
approach for performing contractor management for all contracts and
task orders managed by APMO. However, it neither established polices
and procedures for having a plan for overseeing individual contract
actions, nor actually developed such a plan. Instead, APMO relied on
its programwide polices and procedures for performing contract
management activities and to define what and how it actually
implemented them. However, without a plan for specific contracting
actions, the program office cannot be assured that contract management
activities will be implemented for each contracting action.
Table 2 shows the extent to which APMO, in its documented policies and
procedures, requires that the critical contractor management practices
be performed; this is shown under the heading "practice established?"
Under "practice implemented?" the table also shows the extent to which
APMO had actually implemented such practices for those contracting
actions that we reviewed, regardless of any documented requirement.
Table 2: APMO's Establishment and Implementation of Key Contractor
Management Practices:
Practice: Establish and maintain a plan for performing the contractor
oversight process;
Practice Established: [Empty];
Practice Implemented: [Empty].
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Established: check;
Practice Implemented: check.
Practice: Train the people performing or supporting the contractor
oversight process as needed;
Practice Established: check;
Practice Implemented: check.
Practice: Document the contract;
Practice Established: check;
Practice Implemented: check.
Practice: Verify and accept the deliverables;
Practice Established: check;
Practice Implemented: check.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice Established: check;
Practice Implemented: check.
Practice: Conduct technical reviews with the contractor;
Practice Established: check;
Practice Implemented: check.
Practice: Conduct management reviews with the contractor;
Practice Established: check;
Practice Implemented: check.
Legend:
Filled in = Established/implemented:
Not filled in = Not established/implemented:
Sources: SEI, GAO analysis of agency data.
Note: We determined whether the requirement for a practice was
established or not established on the basis of documented policies and
procedures addressing the practice and, where applicable, all, some, or
none of the subpractices. We determined whether a practice was
implemented or not implemented on the basis of documentation
demonstrating that all, some, or none of the subpractices, where
applicable, had been implemented for the task orders that we reviewed.
[End of Table]
APMO also implemented the aforementioned policies and procedures that
it established for each of the contracting actions that we reviewed.
For example, APMO implemented all of the key subpractices associated
with verifying and accepting contract deliverables. Specifically, APMO
defined acceptance procedures, verified that deliverables satisfied
their requirements, documented the results of the review, developed a
plan for addressing deliverable deficiencies, and tracked those issues
to closure. With respect to one program support task order, for
example, a designated US-VISIT team reviewed a project plan delivered
by the contractor and returned it with a "conditionally acceptable"
letter; this letter stated that the comments included were to be
incorporated into the plan and assigned a date that the revised plan
was due back. The contractor resubmitted the plan by the assigned date,
and the contracting officer's technical representative (COTR) accepted
it. Throughout the process, APMO tracked the status of this deliverable
by means of a database designed to track and update the status of
deliverables owed to US-VISIT by its contractors. The database included
such information as current document status and when the revised
document was due back to the program office.
APMO also implemented all critical subpractices associated with
contractor technical and management review activities. For example,
APMO required that the prime contactor provide monthly cost performance
reports that compared actual with budgeted cost and addressed critical
dependencies. For example, one report noted that schedule and costs
were impacted by a change in resources. In the report, the contractor
proposed a corrective action and resolution date. APMO staff analyzed
these reports and, according to APMO officials, distributed the
analysis results to program office management for informational
purposes (the results focused on the causes of and planned corrective
actions for the most noteworthy cost and schedule variances). The
information contained in the monthly reports was also discussed at
quarterly programwide management reviews, which included contractor
personnel. In addition to management issues, these reviews addressed
technical issues such as deliverable status and requirements.
The quarterly reviews were also used to evaluate the contractor's
overall performance, as well as the contractor's performance on each
task order active during that reporting period. The task orders that we
examined were among those reviewed in this way. For each task order,
the quarterly reviews included an assessment of schedule, cost and
funding, technical performance, staffing, and risks. For example, the
information presented on one task order that we reviewed reported that
all of these categories were on track and were forecast to remain on
track.[Footnote 25] During these reviews, technical requirements for
each of the task orders were discussed among stakeholders, contractor
personnel, and management to ensure a common understanding of those
requirements and the status of their implementation. The results of
these reviews were documented, and key discussion topics and a list and
status of action items were identified. The action items were assigned
due dates and were assigned to US-VISIT, the contractor, or specific
individuals. In some cases, an action item identified a specific task
order, such as a request to restructure a staffing report on a program
management task order (in order to more accurately portray the level of
contractor staffing). In the case of the staffing report, it was
assigned to a contractor for action. Updated status of open items was
also provided.
According to APMO's acquisition policy, the office established and
implemented these contractor management practices to establish a
standard approach for conducting contract activities and to ensure that
US-VISIT contracts continue to be managed in accordance with relevant
laws, regulations, policies, and acquisition requirements. In doing so,
the program has increased the chances that program deliverables and
associated mission results will be produced on time and within budget.
The Program Office Did Not Effectively Oversee US-VISIT-Related
Contracts Managed by Other Agencies:
The US-VISIT program office's APMO is responsible for the program's
contract-related matters. That means that APMO should, among other
things, effectively oversee contracts being managed by others on the
program's behalf. However, the program office did not establish and
implement effective controls for overseeing US-VISIT-related contracts
being managed by others. Specifically, the program office did not know
the full range of US-VISIT-related contract actions that had been
completed and were under way, and it had not performed key practices
associated with gaining visibility into and understanding of contractor
performance in meeting the terms of these contracts. This oversight gap
is exacerbated by the fact that the other agencies did not always
establish and implement the full range of controls associated with
effective management of their contractor activities. For example, these
agencies did not always implement effective controls for ensuring that
contractor deliverables satisfy established requirements. Without
effective oversight of all US-VISIT-related contracts, the program
office is increasing the risk that program goals and outcomes will not
be accomplished on time and within budget.
US-VISIT's Oversight of Other Agencies' Contracting Activities Has Been
Informal and Inconsistent:
To effectively oversee program-related contracts being managed by
others, it is important for a program office to, at a minimum,
depending on the nature of the contract, (1) define the roles and
responsibilities for both itself and the entities it relies on to
manage the contracts, (2) know the full range of such contract work
that has been completed and is under way, and (3) define and implement
the steps it will take to obtain visibility into the degree to which
contract deliverables meet program needs and requirements, which
underpin the program goals and outcomes.
However, the US-VISIT program office did not effectively perform the
following oversight activities for contracts that are being managed by
other agencies:
Defining roles and responsibilities. The program office did not define
and document program office roles and responsibilities for overseeing
the contractor work managed by other agencies and did not define the
roles and responsibilities of the agencies managing US-VISIT-related
contracts. According to the APMO Director, the roles and
responsibilities were defined in IAAs between these agencies and the
program office. However, the IAAs generally did not define roles and
responsibilities. For example, US-VISIT provided us with 12 agreements
for the agencies that we reviewed,[Footnote 26] and only one of them
described roles and responsibilities for either APMO or the agency
managing the contract work. Although responsibilities were identified,
they were at a high level and the same for both the program office and
the agency managing the contractor. Specifically, the IAA states that
the US-VISIT COTR or point of contact and the servicing agency program
office are responsible for technical oversight of the specified product
or service identified in the statement of work. However, the IAA does
not identify any specific contract oversight practices to be performed.
According to the APMO Director, the program office did not define roles
and responsibilities because the office is relatively new, and most
efforts have been focused on developing policies and procedures for
managing contracts that it directly controls.
As noted earlier, we have previously reported that the use of IAAs is a
high-risk approach to contracting.[Footnote 27] Although these contract
vehicles can offer benefits of improved efficiency and timeliness,
effective management of IAAs is challenging. Accordingly, we concluded
that the use of IAAs requires, among other things, that the issuing
agency clearly define roles and responsibilities for conducting
contractor management and oversight.
Knowing the full range of contract work. The program office was not
able to provide us with a complete list of US-VISIT-related contract
actions. Instead, US-VISIT told us that we needed to obtain a list of
actions from each of the DHS and non-DHS agencies that managed the
contract work. Once we compiled the list of contracting actions
provided to us by the other agencies, the Director told us that no one
in the program office could verify that the list was complete and
correct. The Director further stated that APMO is not responsible for
overseeing contracts managed outside the program office.
Defining and implementing the steps to verify that deliverables meet
requirements. According to DHS's directive on IAAs,[Footnote 28] the
issuing agency (US-VISIT, in this case) is to, among other things,
monitor the performance of the servicing agency and/or contractor; the
directive also assigns responsibility for monitoring performance to the
program office (or program point of contact) and the contracting
officer. The contracting officer responsible for US-VISIT's IAAs told
us that he relied on the program office's designated points of contact
to conduct oversight of those IAAs. However, the program office did not
define any specific performance monitoring activities. As a result,
oversight activities performed have been informal and inconsistent. For
example, on the AERC contracts, the Facilities and Engineering Budget
Officer held weekly teleconferences with AERC to discuss project
progress and contract issues, and concerns on an exception basis.
However, these meetings were not documented; in other words, any follow-
up on open issues and tracking to closure was handled informally. On
the CBP contract actions, the US-VISIT Deputy Chief Information Officer
(or one of his representatives) attended most, but not all, of the
system development-milestone progress reviews related to US-VISIT work,
and held ad hoc discussions with a CBP program manager to discuss
funding and work status. On air/sea exit,[Footnote 29] the US-VISIT
Director of Implementation relied on weekly meetings with TSA and the
contractor to keep apprised of project status. However, he relied on a
representative from US-VISIT Mission Operations to certify that testing
on air/sea exit was completed in a satisfactory manner, and neither he
nor a member of his team reviewed the results themselves. According to
the Director of APMO, specific activities to monitor contracts managed
by other agencies have not been established because the program
office's efforts to date have focused on developing policies and
procedures for contracts that the program office manages directly.
Without clearly defined roles and responsibilities, as well as defined
oversight activities for ensuring successful completion of the work
across all US-VISIT-related contract activities, the program office
cannot be adequately assured that required tasks are being
satisfactorily completed.
Agencies Managing US-VISIT-Related Contractors Did Not Establish and
Implement Key Contractor Management Practices:
As mentioned previously, acquisition management guidance[Footnote 30]
identifies effective contractor management as a key activity and
describes a number of practices associated with this activity,
including (among other things) establishing policies and procedures for
contractor management, defining responsibilities and authorities,
providing training, verifying and accepting deliverables, and
monitoring contractor performance. As mentioned earlier, these
practices often consist of more detailed subpractices; appendix III
provides further details on the practices, subpractices, and agency
performance of these on each of the contract actions we reviewed.
Table 3 shows the extent to which agencies, in their documented
policies or procedures, require that the critical contractor management
practices be performed (see columns under "practice established?"); it
also shows (under "practice implemented?") the extent to which agencies
had actually implemented such practices for the contracting actions
that we reviewed, regardless of any documented requirement.
Table 3: Status of Critical Contractor Management Practices at US-VISIT
Contract Management Agencies:
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice Established?[A]: GSA: No;
Practice Established?[A]: AERC: No;
Practice Established?[A]: CBP: Partially;
Practice Established?[A]: TSA: Partially;
Practice Established?[A]: ICE[B]: Partially;
Practice Implemented?[A]: GSA: No;
Practice Implemented?[A]: AERC: No;
Practice Implemented?[A]: CBP: Partially;
Practice Implemented?[A]: TSA: Partially.
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Established?[A]: GSA: Yes;
Practice Established?[A]: AERC: Yes;
Practice Established?[A]: CBP: Yes;
Practice Established?[A]: TSA: Partially;
Practice Established?[A]: ICE[B]: Yes;
Practice Implemented?[A]: GSA: Yes;
Practice Implemented?[A]: AERC: Yes;
Practice Implemented?[A]: CBP: Yes;
Practice Implemented?[A]: TSA: Yes.
Practice: Train the people performing or supporting the contract
oversight process;
Practice Established?[A]: GSA: Yes;
Practice Established?[A]: AERC: Yes;
Practice Established?[A]: CBP: Yes;
Practice Established?[A]: TSA: Partially;
Practice Established?[A]: ICE[B]: Yes;
Practice Implemented?[A]: GSA: Yes;
Practice Implemented?[A]: AERC: Yes;
Practice Implemented?[A]: CBP: Partially;
Practice Implemented?[A]: TSA: No.
Practice: Document the contract;
Practice Established?[A]: GSA: Partially;
Practice Established?[A]: AERC: Partially;
Practice Established?[A]: CBP: Partially;
Practice Established?[A]: TSA: Partially;
Practice Established?[A]: ICE[B]: Partially;
Practice Implemented?[A]: GSA: Partially;
Practice Implemented?[A]: AERC: Partially;
Practice Implemented?[A]: CBP: Partially;
Practice Implemented?[A]: TSA: Partially.
Practice: Verify and accept the deliverables;
Practice Established?[A]: GSA: Partially;
Practice Established?[A]: AERC: Partially;
Practice Established?[A]: CBP: Partially;
Practice Established?[A]: TSA: Partially;
Practice Established?[A]: ICE[B]: Partially;
Practice Implemented?[A]: GSA: Partially;
Practice Implemented?[A]: AERC: Partially;
Practice Implemented?[A]: CBP: Partially;
Practice Implemented?[A]: TSA: Partially.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice Established?[A]: GSA: Partially;
Practice Established?[A]: AERC: No;
Practice Established?[A]: CBP: Yes;
Practice Established?[A]: TSA: Yes;
Practice Established?[A]: ICE[B]: Partially;
Practice Implemented?[A]: GSA: No;
Practice Implemented?[A]: AERC: No;
Practice Implemented?[A]: CBP: Partially;
Practice Implemented?[A]: TSA: Partially.
Practice: Conduct technical reviews with the contractor;
Practice Established?[A]: GSA: No;
Practice Established?[A]: AERC: No;
Practice Established?[A]: CBP: Yes;
Practice Established?[A]: TSA: No;
Practice Established?[A]: ICE[B]: Partially;
Practice Implemented?[A]: GSA: Partially;
Practice Implemented?[A]: AERC: No;
Practice Implemented?[A]: CBP: Partially;
Practice Implemented?[A]: TSA: No.
Practice: Conduct management reviews with the contractor;
Practice Established?[A]: GSA: No;
Practice Established?[A]: AERC: No;
Practice Established?[A]: CBP: Partially;
Practice Established?[A]: TSA: No;
Practice Established?[A]: ICE[B]: No;
Practice Implemented?[A]: GSA: Partially;
Practice Implemented?[A]: AERC: No;
Practice Implemented?[A]: CBP: Partially;
Practice Implemented?[A]: TSA: Partially.
Legend:
Filled in = Established/implemented:
Half filled in = Partially established/implemented:
Empty = Not established/implemented:
Sources: SEI, GAO analysis of agency data.
[A] We determined whether the requirement for a practice was
established, partially established, or not established on the basis of
documented policies and procedures addressing the practice and, where
applicable, all, some, or none of the subpractices. We determined
whether a practice was implemented, partially implemented, or not
implemented on the basis of documentation demonstrating that all, some,
or none of the subpractices, where applicable, had been implemented for
the task orders that we reviewed.
[B] No results are provided for ICE regarding implementation of best
practices because we were unable to obtain contract documentation in
time for analysis.
[End of table]
As table 3 shows, agencies' establishment and implementation of the key
contractor management practices for US-VISIT-related contracts have
been uneven.
* All of the agencies had established policies or procedures for
performing some of the key contractor management practices. Only CBP,
however, had established policies and procedures for some aspect of all
the key practices, while GSA and AERC had established procedures for
about half of the key practices.
* Nevertheless, most of the agencies at least partially implemented
most of the practices, even though they did not establish written
procedures for doing so. For example, although three of the
agencies[Footnote 31] did not establish documented policies or
procedures for conducting technical and management reviews with the
contractor, two of them implemented some aspects of the practice.
All Agencies Established Some Policies and Procedures for Contractor
Management Activities:
Contractor management policies and procedures define the organization's
expectations and practices for managing contractor activities. All of
the agencies (DHS and non-DHS) had established polices or procedures
for governing some key contractor management practices. For example,
CBP's Systems Development Life Cycle, augmented by its Office of
Information Technology Project Manager's Guidebook, defines policies
and procedures for assigning responsibilities and authorities for key
contracting personnel and training those people responsible for
implementing contractor management activities. Among other things,
these documents provide descriptions of the duties of the contracting
officer, the project manager, and COTR.[Footnote 32] The documents also
require all affected agencies to train the members of their groups in
the objectives, procedures, and methods for performing contractor
management activities. CBP guidance also addresses contractor
management procedures, including verifying and accepting deliverables,
monitoring contract risk and taking corrective action, and conducting
various reviews with the contractor.
Other agencies, such as GSA and AERC, have established fewer procedures
for contractor management. For example, GSA had not established
procedures for three practices: (1) establishing and maintaining a plan
for performing contractor oversight, (2) conducting technical reviews
with the contractor, and (3) conducting management reviews with the
contractor. According to GSA officials, they have not documented their
oversight process in order to allow for as much flexibility as possible
in performing the process. Further, they said they relied on the
professional expertise of the contracting officer's representative
(COR) and/or COTR to ensure the technical accuracy of work produced by
a contractor.
Without established policies and procedures for contractor management,
the organizations responsible for managing US-VISIT-related contracts
cannot adequately ensure that these vital contractor management
activities are performed.
Agencies' Implementation of Key Practices Was Uneven:
Implementation of key practices in the contracting actions that we
reviewed was uneven. As table 3 shows, one practice--assigning
responsibilities and authorities--was implemented by all agencies.
Other key practices were only partially implemented or not implemented
by all agencies. The following discussion provides selected examples.
Most agencies implemented training of contractor management personnel.
Training the personnel performing or supporting contractor management
activities helps to ensure that these individuals have the necessary
skills and expertise to adequately perform their responsibilities.
Most of the agencies had trained some of the key contracting officials
responsible for the contracting actions that we reviewed and were able
to produce documentation of that training.[Footnote 33] For example,
CBP relied on a DHS-mandated training program to train its key contract
personnel. However, that program was not established until March 2004
for contracting officers and December 2004 for COTRs, and so it did not
apply to all the contracting actions that we reviewed. Before these
programs were established, CBP relied on the previously existing
qualifications of its contracting personnel. However, it provided
training documentation for only some of the key contracting personnel
for the contracting actions that we reviewed.
With respect to non-DHS agencies, AERC and GSA records showed that
contracting personnel had completed contracting-related training for
the contracting actions that we reviewed.
Most agencies did not implement all key practices for verifying and
accepting contract deliverables. Verifying that contract deliverables
satisfy specified requirements provides an objective basis to support a
decision to accept the product. Verification depends on the nature of
the deliverable and can occur through various means, such as reviewing
a document or testing software. Effectively verifying and accepting
contract deliverables includes, among other things, (1) defining
procedures for accepting deliverables; (2) conducting deliverable
reviews or tests in order to ensure that the acquired product satisfies
requirements; (3) documenting the results of the acceptance review or
test; (4) establishing an action plan for any deliverables that do not
pass the acceptance review or test; and (5) identifying, documenting,
and tracking action items to closure.
All agencies implemented some (but not all) of the key practices
associated with verifying and accepting contract deliverables. The
following two examples from CBP and TSA illustrate this.
* CBP implemented most of the subpractices associated with this
practice. For one contracting action reviewed (software development for
Increment 2B functionality), CBP defined acceptance (testing)
procedures, conducted the tests to verify that the deliverables
satisfied the requirements, and documented the results. However, it did
not develop an action plan to identify, document, and track unresolved
action items to closure. Further, CBP accepted the deliverable before
verifying that it had satisfied the requirements. Specifically, test
results were presented at a production readiness review (one of the
progress reviews called for in CBP's system development life cycle) on
November 4, 2004. The review meeting included a US-VISIT stakeholder
representative who signed off on the test results, indicating that US-
VISIT accepted the deliverable and concurred that it was ready to
operate in a production environment. However, the test analysis report
highlighted several issues that called this conclusion into question.
For example, the report stated that testing continued after the review
(through November 8, 2004), and the report identified 67 issues at
severity level 2, which CBP defines as a function that does not work
and whose failure severely impacts or degrades the system. The report
further stated that some test cases were delayed and subject to further
testing. CBP could not provide any documentation that these open issues
were resolved or that the test cases were executed. Further, the COTR
told us that CBP did not define specific acceptance standards, such as
the number and severity of defects permissible for acceptance. Instead,
acceptance of the deliverable was subjectively based on the COTR's
assessment of whether the software could provide critical
functionality.
For another contract action (Increment 1 hardware and software
installation at ports of entry), CBP did not verify that the equipment
was installed according to contract requirements. We were told by both
the CBP Director of Passenger Systems (who was involved with much of
the US-VISIT work) and the contract task monitor that the formal
process for verifying and accepting contract deliverables consisted of
a site-specific deployment checklist that recorded acceptance of
deployment at each port. Acceptance required a signature from a
government employee, a date, and an indication of deployment status
(the two options for this status were (1) that the equipment was
installed and operational or (2) that it was not installed, along with
a description of reasons why it was not). However, as shown in table 4,
not all checklists that we reviewed were signed or indicated that the
equipment was installed and operational, and CBP could not provide
documentation on how the identified issues were resolved. Further,
although the deliverable was deployed to 119 sites, CBP provided
checklists for 102 sites and was unable to provide them for the other
17 sites.
Table 4: Acceptance Reports for One Contract Deliverable:
Reports: 47;
Signed?: Yes;
Status Verified: Operational: Completed;
Status Verified: Not installed: Not completed;
No Status provided: Not completed.
Reports: 37;
Signed?: Yes;
Status Verified: Operational: Not Completed;
Status Verified: Not installed: Completed;
No Status provided: Not completed.
Reports: 3;
Signed?: Yes;
Status Verified: Operational: Not Completed;
Status Verified: Not installed: Not completed;
No Status provided: Completed.
Reports: 2;
Signed?: No;
Status Verified: Operational: Completed;
Status Verified: Not installed: Not completed;
No Status provided: Not Completed.
Reports: 13;
Signed?: No;
Status Verified: Operational: Not Completed;
Status Verified: Not installed: Not completed;
No Status provided: Completed.
Reports: Total: 102;
Legend:
X = Checklist elements completed:
-- = Checklist elements not completed:
Source: GAO analysis of CBP documentation.
[End of table]
* TSA implemented three of the practices associated with verifying and
accepting deliverables--defining acceptance procedures, verifying that
deliverables satisfy requirements, and documenting the results of the
tests. Specifically, TSA tested the air/sea exit software and hardware,
and developed a test plan that included test procedures and a
traceability matrix. It also documented the test results in a test
analysis report that noted that the software was ready for deployment
because of the low severity of identified deficiencies. The report
included, among other things, a list of system deficiencies identified
during testing.[Footnote 34] The report also included copies of
documents provided to a US-VISIT technical representative: a test
problem report, a summary of testing defects, and a document indicating
that the contractor had approved the test analysis. However, TSA did
not provide evidence that the deficiencies were managed and tracked to
closure. TSA officials told us that open issues were tracked informally
via twice-weekly meetings with a US-VISIT representative, TSA
personnel, and contactor staff. Although these meetings were
documented, the minutes did not provide any evidence of testing issues
being discussed. According to program officials, this was due to the
short development time frame (about 4 months) and the need to bypass
traditional TSA milestone reviews in order to ensure that the product
was delivered on time.
Without adequately verifying that contract deliverables satisfy
requirements before acceptance, an organization cannot adequately know
whether the contractor satisfied the obligations of the contract and
whether the organization is getting what it has paid for.
Most agencies performed contractor technical and management reviews.
Monitoring contractor performance is essential for understanding the
contractor's progress and taking appropriate corrective actions when
the contractor's performance deviates from plans. Such monitoring
allows the acquiring organization to ensure that the contractor is
meeting schedule, effort, cost, and technical performance requirements.
Effective monitoring activities include conducting reviews in which
budget, schedule, and critical dependencies are assessed and
documented, and the contractor's implementation and interpretation of
technical requirements are discussed and confirmed.
Three of the four agencies implemented some contractor review
activities, including, among other things, addressing technical
requirements progress against schedule and costs through regular
meetings with the contractor. For example, TSA conducted weekly reviews
with the contractor to discuss the status of contract performance;
material prepared for some of these weekly meetings indicated that
topics discussed were "actual dollars expended" versus "budget at
project completion," projected and actual schedule versus baseline,
anticipated product delivery dates against planned due dates, and
issues and risks. As another example, CBP held weekly documented
meetings with its contractor to discuss open issues, the status of the
project, and the current stage of the systems development life cycle.
Additionally, CBP milestone reviews addressed project schedule, budget,
and risk, some of which could be traced to specific contracts.
In contrast, AERC did not document the monitoring of contractor
performance during the performance period of the contract. Instead, to
document contractor performance, it relied solely on end-of-contract
evaluations required by the FAR.
Program Office and Other Agencies' Contract Management Was Impaired by
Financial Management Weaknesses:
Financial management weaknesses at both the program office and the
other agencies impaired their ability to adequately manage and oversee
US-VISIT-related contracting activities. Specifically, well-
documented, severe financial management problems at DHS (and at ICE in
particular) affected the reliability and effectiveness of accounting
for the US-VISIT program. Accordingly, the program office and the other
DHS agencies were unable to provide accurate, reliable, and timely
accounts for billings and expenditures made for contracts related to US-
VISIT. In addition, a number of invoice payments were improperly paid
and accounted for.
Serious DHS Financial Management Problems Affected the Quality of
Financial Data for US-VISIT Contracts:
DHS's financial management problems are well-documented. When the
department began operations in 2003, one of the challenges we
reported[Footnote 35]was integrating a myriad of redundant financial
management systems and addressing the existing financial management
weaknesses inherited by the department. Since that time, DHS has
undergone three financial statement audits and has been unable to
produce fully auditable financial statements for any of the
audits.[Footnote 36] In its most recent audit report, auditors
reported[Footnote 37] 10 material weaknesses and 2 reportable
conditions.[Footnote 38]
Among the factors contributing to DHS's inability to obtain clean audit
opinions were serious financial management challenges at ICE, which
provides accounting services for several other DHS agencies, including
the US-VISIT program. For fiscal years 2004 and 2005, auditors reported
that financial management and oversight at ICE was a material weakness,
principally because its financial systems, processes, and control
activities were inadequate to provide accounting services for itself
and other DHS agencies.[Footnote 39] According to the auditors, ICE did
not adequately maintain its own accounting records or the accounting
records of other DHS agencies, including US-VISIT. The records that
were not maintained included intradepartmental agreements and
transactions, costs, and budgetary transactions. These and other
accounts required extensive reconciliation and adjustment at year-end,
which ICE was unable to complete. In addition, in fiscal year 2005, ICE
was unable to establish adequate internal controls that reasonably
ensured the integrity of financial data and that adhered to our
Standards for Internal Control in the Federal Government;[Footnote 40]
the Chief Financial Officer of ICE also issued a statement of "no
assurance" on internal control over financial reporting.
These systemic financial challenges impaired the US-VISIT program's
contract management and oversight. As the accounting service provider
for the US-VISIT program, ICE is responsible for processing and
recording invoice payments both for contractors working directly for
the program and for the work ICE procures on the program's behalf.
However, because of its financial problems, the reliability of the
financial information processed by ICE as the accounting-services
provider for the program office was limited. Further, ICE was unable to
produce detailed, reliable financial information regarding the
contracts it managed on behalf of US-VISIT.
Program Office and Other DHS Agencies Did Not Adequately Track Billings
and Expenditures:
Of the DHS agencies we reviewed, the program office and two others
managing US-VISIT-related contracts on the program's behalf did not
track contract billings and expenditures in a way that was accurate,
reliable, and useful for contract oversight and decision making.
Specifically, the amounts reportedly billed were not always reliable,
and expenditures for US-VISIT were not always separately tracked.
Our Standards for Internal Control in the Federal Government identifies
accurate recording of transactions and events as an important control
activity. In addition, the standards state that pertinent financial
information should be identified, captured, and distributed in a form
that permits people to perform their duties effectively. In order for
people to perform their duties effectively, they need access to
information that is accurate, complete, reliable, and useful for
oversight and decision making. In the case of US-VISIT, expenditures
and billings made for US-VISIT-related contracts should be tracked by
the program office and the agencies managing the contracts on the
program office's behalf, and controls should be in place to ensure that
the information is reliable, complete, and accurate. Furthermore, in
order for the information to be useful for oversight and decision
making, billings and expenditures made for US-VISIT work should be
separately tracked and readily identifiable from other billings and
expenditures. Separately accounting for program funds is an important
budgeting and management tool, especially when those funds are
reimbursed by another agency for a program-specific purpose, as was the
case for US-VISIT. Finally, according to our internal control standards
and more specifically, our Internal Control Management and Evaluation
Tool,[Footnote 41] information should be available on a timely basis
for effective monitoring of events, activities, and transactions.
The Amounts Reportedly Billed on US-VISIT-Related Contracts Are Nor
Reliable:
Because effective internal controls were not in place, the reliability
of US-VISIT-related billings by DHS agencies was questionable. First,
the program office could not verify the scope of completed and ongoing
contracting actions. Second, for the contracting actions that were
reported, not all agencies provided billing information that was
reliable.
The program office did not track all contracting activity and thus
could not provide a complete list of contracting actions. In the
absence of a comprehensive list, we assembled a list of contracting
actions from the program office and from each of the five agencies
responsible for contracting for US-VISIT work. However, the APMO
Director did not know whether the list of contracting actions was
valid.
In addition, to varying degrees, other DHS agencies could not reliably
report to us what had been invoiced on the US-VISIT-related contracts
they managed. In particular, ICE's substantial financial management
challenges precluded it from providing reliable information on amounts
invoiced against its contracts. Its inability to provide us with key
financial documents for US-VISIT-related contracts illustrated its
challenges. Over a period of 9 months, we repeatedly requested that ICE
provide various financial documents, including expenditure listings,
invoice documentation, and a list of all contracting actions managed on
behalf of US-VISIT. However, it did not provide complete documentation
in time to be included in this report. In particular, ICE was not able
to provide complete and reliable expenditures to date. It did provide a
list of US-VISIT-related contracting actions, but it did not include
the amounts invoiced on those contracting actions, and program office
staff noted several problems with ICE's list, including several
contracts that were likely omitted. A comparable list provided by the
DHS Office of the Chief Procurement Officer showed ICE's invoiced
amounts, but the contracting actions on this list differed from those
provided by ICE. Without accurate tracking of financial information
related to US-VISIT contracts, the full scope of contracting and
spending on the program cannot be known with reasonable certainty. This
limitation introduces the increased possibility of inefficiencies in
spending, improper payments, and poor management of limited financial
resources.
For CBP, a list of contacting actions provided by program officials
included discrepancies that raised questions about the accuracy both of
the list and of the invoiced amounts. First, the task order number of a
2002 contracting action changed during our period of review, and CBP
initially reported the task order as two different contracting actions-
-one issued in 2002 and another issued in 2004. Second, the task order
was for services performed bureauwide, not just for US-VISIT, and from
the contract documentation it was not discernable which work was
specific to US-VISIT. Such discrepancies suggest that the amount
invoiced specifically to US-VISIT was not accurate. Finally, our
summation of all the invoices, through March 31, 2005, on this
contracting action totaled about $8.8 million, which was about $1.3
million more than the total invoiced amount that CBP had
reported.[Footnote 42] This discrepancy indicated that CBP was not
adequately tracking funds spent for US-VISIT on this contracting
action, which increased the risk that the program was improperly
reimbursing CBP on this contract. No such discrepancy existed between
reported and actual invoiced amounts on the 2003 and 2004 CBP
contracting actions we reviewed.
TSA was able to provide accurate billing information on the one US-
VISIT-related contracting action that it managed, but delays in
invoicing on this contracting action increase the risk of future
problems. As of February 2005, development on the TSA contract action
was finished, and the contract had expired. However, from April 2005
through February 2006 (the latest date available), TSA reported that it
continued to receive and process about $5 million in invoices, and that
the contractor can still bill TSA for prior work performed for up to 5
years after expiration of the contract. According to TSA, the
contractor estimated (as of February 2006) that it would be sending TSA
an additional $2 million in invoices to pay for work already completed.
TSA officials could not explain this delay in invoicing. Such a
significant lag between the time in which work is completed and when it
is billed can present a challenge to the proper review of invoices.
DHS Agencies Did Not Always Separately Track Expenditures Made to
Contractors for US-VISIT Work:
ICE did not track expenditures made to contractors for US-VISIT work
separately from other expenditures, and CBP experienced challenges in
its efforts to do so. Reliable, separate tracking of such expenditures
is an important internal control for ensuring that funds are being
properly budgeted and that the program office is reimbursing agencies
only for work performed in support of the program.
In the case of ICE, its financial management system did not include
unique codes or any other means to reliably track expenditures made for
US-VISIT-related contracts separately from non-US-VISIT expenditures.
As a result, ICE did not have reliable information on what it spent for
the program, which means that it could have requested improper
reimbursements from the program office. More specifically, the most
detailed list ICE could provide of its US-VISIT-related payments was by
querying its financial management system by contract number, which
provided all payments under the contract number. However, each
contract's scope of work is generally broad and includes work
throughout ICE, not just for US-VISIT. Thus, this method would not give
an accurate picture of what expenditures ICE had made for US-VISIT-
related work.
In the case of CBP, it began using coding in its financial management
system to separately track US-VISIT obligations and expenditures
beginning in fiscal year 2003, when CBP first received funding for US-
VISIT. At that time, CBP tracked all US-VISIT expenditures under a
single project code. However, between fiscal years 2003 and 2004, CBP
underwent a system conversion that interrupted its tracking of US-
VISIT-related funds, which made it challenging to separately report US-
VISIT-related expenditures. During this time, several changes were made
to the codes used to track US-VISIT information. When we requested a
listing of the US-VISIT-related expenditures by CBP, it took several
weeks for CBP finance center staff to document the financial management
system coding changes and produce a reasonably complete listing of the
US-VISIT-related expenditures that CBP made during the system
conversion. In fiscal years 2004 and 2005, CBP again began tracking all
US-VISIT-related expenditures separately under a single budget code.
Thus, in the future, the tracking and reporting of US-VISIT
expenditures by CBP should be more timely and reliable.
Several Payments to Contractors for US-VISIT Work Were Improperly Paid
and Accounted for:
Although the program office and the agencies--both DHS and others--
doing work on its behalf usually documented approval of contractor
invoices before payment, a number of invoices were improperly paid and
accounted for, resulting in a potential loss of funds control and, in
one case, a duplicate payment on an invoice of over $3 million. Our
Internal Control Management and Evaluation Tool states that
transactions and events need to be appropriately classified and that
pertinent information is to be identified and captured in the right
form.[Footnote 43]
Overpayments occurred as a result of two kinds of errors: on one
occasion a duplicate payment was made, and on several other occasions
incorrect balances were paid.
* A duplicate payment was made on an invoice for over $3 million. APMO
had sent an authorization for payment in full on the invoice to its
finance center. Then, 1 month later, APMO sent another authorization
for payment in full on the same invoice. The second payment was later
noticed, and the contractor refunded the amount.[Footnote 44]
* The other set of overpayments, although small in dollar value,
exemplify a significant breakdown in internal control. Invoices billed
to AERC on a fiscal year 2005 contract listed the current amount billed
on the invoice, as well as a cumulative balance; the cumulative balance
included invoice payments that AERC had already made, but that had not
been recorded by the contractor when the next invoice was generated. On
several of the invoices, AERC mistakenly paid the higher cumulative
balance when the current amount should have been paid. As a result,
AERC overpaid the vendor by about $26,600. Moreover, it was the
contractor that first reported this overpayment in September 2005 and
refunded the overpayment amount to AERC. According to DHS officials,
the US-VISIT program office had independently identified the
overpayment in November 2005 and requested clarification from AERC the
following day.
Also at APMO, two questionable payments were made that arose from the
overriding of controls created for the prime US-VISIT contract. The
prime contract has been implemented through 12 task orders with
multiple modifications that either increased funding or made other
changes to the contract terms. To account for the obligations made on
each task order, the program's Office of Budget and Finance created
separate tracking codes in the financial system for each task order and
sometimes for each modification of a task order. The separate tracking
of each obligation is a good control for tracking and controlling
spending against task order funds. However, APMO overrode this control
when it instructed the finance center to pay two invoices--one for
about $742,000 and one for about $101,000--out of the wrong account:
that is, with funds for task orders other than those for which the
invoices were billed. APMO did not provide any justification for
payment with funds from the improper account. Our Internal Control
Management and Evaluation Tool states that any intervention or
overriding of internal controls should be fully documented as to the
reasons and specific actions taken.[Footnote 45]
CBP also inappropriately paid for work unrelated to US-VISIT out of
funds designated for US-VISIT. For a 2003 contracting action that we
reviewed, invoices included a significant amount in travel billings.
However, several travel vouchers that accompanied these invoices were
for work unrelated to US-VISIT. For example, terms like "Legacy ag/
legacy Customs unification," "Agriculture Notes Installation," and
"Agriculture AQI" were indicated on the vouchers. CBP confirmed that
these vouchers were billed to US-VISIT in error. Additionally, other
vouchers included descriptions that were vague and not clearly related
to any specific program (e.g., emergency hardware replacement), and
thus it was not clear that the work being billed was related to the
program. Along with the travel expenses, the labor hours associated
with the above vouchers were also being billed to the program. This
circumstance calls into question not only whether or not the travel
charges were inappropriately classified as US-VISIT work, but also
whether the time that these employees were charging was inappropriately
classified, and thus improperly paid.
On one CBP contracting action, some charges that were not related to US-
VISIT may have been reimbursed by the program office. The contracting
action in question was a 2002 action for CBP-wide disaster recovery
services, and thus not all charges were directly related to the US-
VISIT program. On this task order, CBP expended about $1.28 million
from program-designated funds on items that were not clearly specified
as US-VISIT work on the invoices. Of that amount, about $43,000 could
be attributed to a contract modification specific to the program.
However, CBP stated that one invoice for about $490,000 included in
this $1.28 million was paid from the program's funds to correct two
payments for earlier US-VISIT invoices that were erroneously made from
nonprogram funds. We also found about $771,000 of invoice dollars that
were specified as US-VISIT work, but that were not on the CBP-provided
expenditure reports for program funds.
As a result of these various discrepancies, the US-VISIT program may
have reimbursed CBP for work that was not done on its behalf. Also, the
program official responsible, under DHS policy,[Footnote 46] for
monitoring the CBP contracts related to US-VISIT told us that he had
not been reviewing invoices on IPAC reimbursement requests from CBP,
even though such reviews are required by DHS policy.
In addition, on the 2003 CBP contracting action that we reviewed, many
of the travel vouchers included first-class flights taken by contract
personnel, although (with few exceptions) purchase of first-class
travel is not allowed for travel on cost-reimbursable type contracts.
However, travel documentation indicated first-class travel on numerous
instances with no explanation or justification of the first-class
travel or documentation to indicate that CBP had requested any
explanation. CBP officials noted that some frequent fliers are
automatically upgraded when purchasing a full-fare flight. Although
this is a reasonable explanation, CBP provided no documentation showing
that it completed any inquiry or research at the time it was invoiced
to determine if first-class travel was being purchased or if upgrades
were being given, and invoice documentation did not clarify this.
Further, in several instances, complete documentation was not provided
for the costs of all airline travel expenses.
A final concern regarding payments to contractors is raised by the fact
that several of the agencies made late payments on invoices. Under the
Prompt Payment Act,[Footnote 47] the government must pay interest on
invoices it takes over 30 days to pay. Not only do these interest
payments deplete funds available for US-VISIT, but excessive late
invoice payments are also a signal that the contract payment oversight
process is not being effectively managed. CBP and TSA experienced
agencywide increases in contract prompt-payment interest. CBP reported
that in fiscal year 2004, the year that it converted to a new
accounting system, prompt pay interest accounted for 7.66 percent of
all payments, a sharp increase from the prior year's frequency rate of
1.74 percent. In fiscal year 2005, the rate of interest payments at CBP
receded to 1.80 percent of total payments.
APMO also paid substantial amounts in prompt payment interest.
According to DHS's auditors, ICE, which provides US-VISIT payment
services, had not established internal controls to ensure that invoices
were paid in a timely manner.[Footnote 48] For the invoices that we
reviewed, prompt-payment interest was paid on approximately 26 percent
of the prime contract invoices that we reviewed, representing over
$27,000 in payments. In addition, we could not verify that the proper
amount of interest was paid because information in the ICE financial
management system was incorrect. For example, in many instances,
important dates used for determining prompt-pay interest were entered
incorrectly, or the dates in the system could not be validated based on
invoice documentation provided. A program official told us that certain
program staff have recently been granted read-only access to ICE's
financial management system to monitor invoice payments. If the program
office effectively uses this increased oversight ability, it could
reduce the number of prompt-payment violations as well as reduce other
improper contract payments made by the program office.
Conclusions:
Contractors have played, and will continue to play, a major role in
delivering US-VISIT capabilities, including technology, facilities, and
people. Therefore, the success of the program depends largely on how
well DHS manages and oversees its US-VISIT-related contracts.
Establishing and implementing effective contractor management and
oversight controls, including financial management controls, can
greatly increase the department's ability to manage and oversee US-
VISIT-related contracts. However, the department's management and
oversight of US-VISIT-related contracts are not yet at the level that
they need to be to adequately ensure, for example, that contract
deliverables satisfy program requirements, that cost and schedule
commitments are met, that program outcomes are achieved, that funds are
not overspent and improperly reimbursed, and that payments are made in
a proper and timely manner.
Although the program office has generally established and implemented
key contractor management controls on those contracts that it manages
directly, it has not adequately overseen US-VISIT-related contracts
that were managed by other DHS and non-DHS agencies. According to
program office officials, this is because they have initially focused
on those contracts that they manage directly. However, this narrow
focus raises concerns because the agencies managing contracts on the
program office's behalf have not implemented the full range of
management controls needed to have a full, accurate, reliable, and
useful understanding of the scope of contract activities and
performance.
Moreover, none of the US-VISIT contracts that we reviewed have been
subject to important financial management controls. As previous audits
have shown, DHS suffers from numerous material weaknesses in financial
management, some of which are directly related to ICE (the DHS
component that provides financial management services to the program
office). These weaknesses have contributed to the program's inability
to know the full scope of contract activities and fully account for
expenditures, among other things. By impairing the reliability and
effectiveness of accounting for US-VISIT contracts, these weaknesses
have diminished the program's ability to effectively manage and oversee
work performed by contractors--work that is essential for the program
to achieve its goals.
Until DHS addresses these contract management and oversight weaknesses,
the US-VISIT program will remain at risk of not delivering required
capabilities and promised benefits on time and within budget, and it
will be vulnerable to financial mismanagement.
Recommendations for Executive Action:
Given the US-VISIT program's mission importance, size, and heavy
reliance on contractor assistance, we recommend that the Secretary of
Homeland Security direct the US-VISIT Program Director to take the
following five actions to strengthen contract management and oversight,
including financial management:
* For each US-VISIT contract action that the program manages directly,
establish and maintain a plan for performing the contractor oversight
process, as appropriate.
* Develop and implement practices for overseeing contractor work
managed by other agencies on the program office's behalf, including (1)
clearly defining roles and responsibilities for both the program office
and all agencies managing US-VISIT-related contracts; (2) having
current, reliable, and timely information on the full scope of contract
actions and activities; and (3) defining and implementing steps to
verify that deliverables meet requirements.
* Require, through agreements, that agencies managing contract actions
on the program office's behalf implement effective contract management
practices consistent with acquisition guidance for all US-VISIT
contract actions, including, at a minimum, (1) establishing and
maintaining a plan for performing contract management activities; (2)
assigning responsibility and authority for performing contract
oversight; (3) training the people performing contract oversight; (4)
documenting the contract; (5) verifying that deliverables satisfy
requirements; (6) monitoring contractor-related risk; and (7)
monitoring contractor performance to ensure that the contractor is
meeting schedule, effort, cost, and technical performance requirements.
* Require DHS and non-DHS agencies that manage contracts on behalf of
the program to (1) clearly define and delineate US-VISIT work from non-
US-VISIT work as performed by contractors; (2) record, at the contract
level, amounts being billed and expended on US-VISIT-related work so
that these can be tracked and reported separately from amounts not for
US-VISIT purposes; and (3) determine if they have received
reimbursement from the program for payments not related to US-VISIT
work by contractors, and if so, refund to the program any amount
received in error.
* Ensure that payments to contractors are timely and in accordance with
the Prompt Payment Act.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from DHS, which
were signed by the Director, Departmental GAO/IG Liaison Office, and
are reprinted in appendix II. We also received comments from the
Director of AERC and the Assistant Commissioner for Organizational
Resources, Public Buildings Service, GSA. Both the Department of
Defense audit liaison and the GSA audit liaison requested that we
characterize these as oral comments.
In its written comments, DHS stated that although it disagreed with
some of our assessment, it agreed with many areas of the report and
concurred with our recommendations and the need for improvements in US-
VISIT contract management and oversight. The department disagreed with
certain statements and provided additional information about three
examples of financial management weaknesses in the report. Summaries of
DHS's comments and our response to each are provided below.
* The department characterized as misleading our statements that US-
VISIT (1) depended on other agencies to manage financial matters for
their respective contracts and (2) relied on another agency for US-
VISIT's own financial management support. With respect to the former,
DHS noted that the decision to use other agencies was based on the
nature of the services that were required, which it said were outside
the scope of the program office's areas of expertise. We understand the
rationale for the decision to use other agencies, and the statement in
question was not intended to suggest anything more than that such a
decision was made. We have slightly modified the wording to avoid any
misunderstanding.
With respect to its own financial management, DHS said that for us to
declare that US-VISIT depended on another agency for financial
management support without identifying the agency and the system, in
combination with our acknowledging that we did not examine the
effectiveness of this unidentified system, implies that our report's
scope is broader than what our congressional clients asked us to
review. We do not agree. First, our report does identify ICE as the
agency that the program office relies on for financial management
support. Second, although we did not identify by name the ICE financial
management system, we did describe in detail the serious financial
management challenges at ICE, which have been reported repeatedly by
the department's financial statement auditors and which have
contributed to the department's inability to obtain a clean audit
opinion. Moreover, we fully attributed these statements about these
serious challenges to the auditors.
* The department said that our statement regarding the purpose of the
contracts managed by AERC needed to be clarified, stating that our
report reflects the scope of the two contract actions reviewed and not
the broader scope of services under the interagency agreement. We agree
that the description of AERC services in our report is confined to the
scope of the two contract actions that we reviewed. This is intentional
on our part since the scope of our review did not extend to the other
services. We have modified the report to clarify this.
* The department provided additional information about three examples
of invoice discrepancies and improper payments cited in the report,
including reasons why they occurred. Specifically, the department said
that the reason that CBP reported a 2002 contracting action as also a
2004 contracting action was because of the concurrent merger of CBP
within DHS and the implementation of CBP's new financial system. It
further stated that the reason that US-VISIT made a duplicate payment
to the prime contractor was, at least partially, due to poor
communication between US-VISIT and its finance center. Regarding two
other duplicate payments, DHS stated that while the cause of the
duplicate payments is not completely clear from the available evidence,
both are almost certainly errors resulting from processes with
significant manual components, as opposed to deliberate control
overrides, since adequate funds were available in the correct accounts
for each case. The department also noted that communications may have
also contributed to one of these two duplicate payments. We do not
question the department's reasons or the additional information
provided for the other payments, but neither changes our findings about
the invoice discrepancies and improper payments.
* The department stated that although the contractor initially
identified the AERC overpayment on September 13, 2005, the US-VISIT
program office independently identified the billing discrepancy on
November 1, 2005, and requested clarification from AERC the following
day. The department further stated that because we describe the
overpayment example in the report as being a small dollar value, we
should have performed a materiality test in accordance with accounting
principles in deciding whether the overpayment should be disclosed in a
public report. We do not dispute whether the US-VISIT program
independently identified the overpayment in question. Our point is that
an invoice overpayment occurred because adequate controls were not in
place. In addition, while we agree that materiality is relevant to
determining whether to cite an example of an improper payment, another
relevant consideration to significance is the frequency of the error.
Our decision to disclose this particular overpayment was based on our
judgment regarding the significance of the error as defined in
generally accepted government auditing standards. It is our
professional judgment that this overpayment is significant because of
the frequency with which it occurred. Specifically, of the eight
invoices that we reviewed, four were improperly paid.
In oral comments, the Director of AERC questioned the applicability of
the criteria we used to evaluate AERC contract management practices and
our assessment of its process for verifying and accepting deliverables.
Despite these disagreements, he described planned corrective actions to
respond to our findings.
* The Director stated in general that the Capability Maturity Model
Integration (CMMI)® model was not applicable to the contracts issued by
the Corps of Engineers, and in particular that a contract oversight
plan was not applicable to the two contract actions that we reviewed.
In addition, the Director commented that AERC's practices were adequate
to deal appropriately with contractor performance issues had these been
raised. Nonetheless, to address this issue, the Director stated that
AERC would require the US-VISIT program office to submit an oversight
plan describing the project's complexity, milestones, risks, and other
relevant information, and it would appoint qualified CORs or COTRs to
implement the plans and monitor contractor performance.
We disagree with AERC's comments on the applicability of our criteria.
Although the CMMI model was established to manage IT software and
systems, the model's practices are generic and therefore applicable to
the acquisition of any good or service. Specifically, the contractor
management oversight practices discussed in this report are intended to
ensure that the contractor performs the requirements of the contract,
and the government receives the services and/or products intended
within cost and schedule. We also do not agree that the contract
actions in question did not warrant oversight plans. Although the
content of oversight plans may vary (depending on the type, complexity,
and risk of the acquisition), each acquisition should have a plan that,
at a minimum, describes the oversight process, defines
responsibilities, and identifies the contractor evaluations and reviews
to be conducted. Since the chances of effective oversight occurring are
diminished without documented plans, we support the program manager's
commitment to require these plans in the future.
* Regarding an overpayment discussed in our report, the Director
indicated that this problem was resolved as described in DHS's
comments, and that in addition, AERC has procedures and controls to
prevent the government from paying funds in excess on a firm-fixed
price contract such as the one in question. Nonetheless, the Director
described plans for strengthening controls over contract progress
payments and invoices, including having trained analysts review all
invoices and ensuring that a program/project manager has reviewed the
invoices and submitted written authorization to pay them. The Director
also stated that AERC has an established process for controlling and
paying invoices, which provides for verifying and accepting
deliverables. We do not consider that the AERC process was established
because although AERC officials described it to us, it was neither
documented nor consistently followed. For example, one contracting
action that we reviewed had three invoices that did not have a
signature or other documentation of approval, even though such
approval, according to AERC, is a required part of the process.
In oral comments, the GSA Assistant Commissioner disagreed with the
applicability of certain of the criteria that we used in our
assessment, as well as with our assessment that these and other
criteria had not been met. For example, the Assistant Commissioner
stated that regulations or policies do not require GSA to establish and
maintain a plan for performing the contract oversight process, that its
current practices and documents (such as the contract statement of work
and COR/COTR delegation letters) in effect establish and maintain such
a plan, that GSA documented the oversight process and results to the
extent necessary to ensure contractor performance, and that GSA had
established a requirement to conduct contractor reviews. Although, as
we state in our report, GSA policies do not include a requirement for
an oversight plan, we still believe that it is appropriate to evaluate
GSA against this practice (which is consistent with sound business
practices and applies to any acquisition), and that GSA's processes and
activities did not meet the criteria for this practice and ensure
effective oversight of the contracts. We did not find that the
delegation letters and contract statements of work were sufficient
substitutes for such plans, because, for example, they do not
consistently describe the contractor oversight process or contractor
reviews. Further, the inclusion of a requirement for contractor reviews
in some contracts/statements of work does not constitute agencywide
policies and procedures for performing reviews on all contracts.
GSA also provided further descriptions of its financial management
controls and oversight processes and activities, but these descriptions
did not change our assessment of GSA's financial management controls or
the extent to which the oversight processes and activities satisfy the
practices that we said were not established[Footnote 49] or not
consistently implemented. Among these descriptions was information on
an automated tool that GSA provided its contracting officers; however,
this tool was not used during the period under review. GSA also
provided certain technical comments, which we have incorporated in our
report, as appropriate.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies of this report
to the Chairmen and Ranking Minority Members of the Senate and House
Appropriations Committees, as well as to the Chairs and Ranking
Minority Members of other Senate and House committees that have
authorization and oversight responsibility for homeland security. We
will also send copies to the Secretary of Homeland Security, the
Secretary of Defense, the Administrator of GSA, and the Director of
OMB. Copies of this report will also be available at no charge on our
Web site at [Hyperlink, http://www.gao.gov].
Should your offices have any questions on matters discussed in this
report, please contact Randolph C. Hite at (202) 512-3439 or at
hiter@gao.gov, or McCoy Williams at (202) 512-9095 or at
williamsm1@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. Key contributors to this report are listed in appendix IV.
Signed by:
Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
Signed by:
McCoy Williams:
Director, Financial Management and Assurance:
List of Requesters:
The Honorable Peter T. King:
Chairman:
The Honorable Bennie G. Thompson:
Ranking Minority Member:
Committee on Homeland Security:
House of Representatives:
The Honorable Bob Filner:
House of Representatives:
The Honorable Raul Grijalva:
House of Representatives:
The Honorable Ruben Hinojosa:
House of Representatives:
The Honorable Solomon Ortiz:
House of Representatives:
The Honorable Silvestre Reyes:
House of Representatives:
[End of section]
Appendix I: Objective, Scope, and Methodology:
Our objective was to determine whether the Department of Homeland
Security (DHS) has established and implemented effective controls for
managing and overseeing contracts related to the U.S. Visitor and
Immigrant Status Indicator Technology (US-VISIT) program. To address
our objective, we assessed the implementation of key contractor
management controls at the program office and at other DHS and non-DHS
agencies responsible for managing US-VISIT-related contracts. We also
evaluated the program office's oversight of US-VISIT-related contracts
managed by these other organizations. Finally, we reviewed internal
control processes and procedures in place over contract financial
management.
Besides the US-VISIT program office, the organizations within DHS that
we identified as having responsibility for managing US-VISIT-related
contracts were:
* Customs and Border Protection (CBP),
* the Transportation Security Agency (TSA), and:
* Immigration and Customs Enforcement (ICE).
The non-DHS agencies performing work in support of US-VISIT were:
* the General Services Administration (GSA) and:
* the Army Corps of Engineers Architect-Engineer Resource Center
(AERC).
Contract management controls: To assess key contract management
controls and implementation of those controls at US-VISIT and other
agencies responsible for managing US-VISIT-related contracts, we
identified leading public and private sector practices on contract
management, such as those prescribed by the Federal Acquisition
Regulation (FAR)[Footnote 50] and Carnegie Mellon University's Software
Engineering Institute, which publishes the Capability Maturity Model
Integration.[Footnote 51] US-VISIT officials identified the contracts
being managed by the program, all within the Acquisition Program
Management Office (APMO). To evaluate the management of the program's
contracts, we assessed APMO's and other agencies' documented policies
against the leading practices that we identified. We also determined
the extent to which those policies were applied to specific contracting
actions and determined the extent to which, if any, other formal or
otherwise established practices were used to manage or oversee the
specific contract actions. We also discussed any variances with agency
officials to determine the reasons why those variances existed.
In determining the extent to which practices/subpractices were judged
to be established/implemented, we categorized them into one of the
following:
* established/implemented,
* partially established/implemented, or:
* not established/implemented.
We judged whether the practice was established, partially established,
or not established depending on whether the agency had documented
policies and procedures addressing the practice and all, some, or none
of the subpractices (where applicable). We judged whether a practice
was implemented, partially implemented, or not implemented on the basis
of documentation demonstrating that the practice and all, some, or none
of the subpractices (where applicable) had been implemented for the
contracting actions that we reviewed.
We judged that an agency had "partially established" the requirement
for a practice or subpractice if the agency relied only on the FAR
requirement to perform this activity, but did not establish a process
(i.e., documented procedures) for how the FAR requirement was to be
met.
We judged that an agency had "partially implemented" a practice or
subpractice if it had implemented some, but not all, facets of the
practice (including its own related requirements for that practice).
To select specific contracting actions for review, we analyzed
documentation provided by the program and by the DHS and non-DHS
agencies responsible for managing US-VISIT-related contracts, to
identify all contracting work performed in support of the program.
Program officials were unable to validate the accuracy, reliability,
and completeness of the list of contracting actions. Therefore, we did
not perform a statistical sampling of the identified contracting
actions. Rather, we judgmentally selected from each agency one
contracting action for US-VISIT-related work awarded in each fiscal
year from March 1, 2002, through March 31, 2005, focusing on service-
based contracts. Thus, fiscal years 2002 through 2005 were each
reviewed to some extent. Not all organizations awarded contracting
actions in every fiscal year covered under our review, in which case an
action was not selected for that fiscal year for that organization. The
contracting actions selected from ICE were excluded in our analysis of
the implementation of management and financial controls because of
delays in receiving contract-specific documentation. One program
management contract that was reported to us by US-VISIT was transferred
to the program from ICE shortly before the end of our review period,
and so we were unable to determine, because of the issues with ICE
identified above, what management activities were performed on the
contract.
For each selected contracting action, we reviewed contract
documentation, including statements of work, project plans, deliverable
reviews, and other contract artifacts, such as contractor performance
evaluations. We then compared documentary evidence of contract
management activity to leading practices and documented policies,
plans, and practices. Finally, we determined what, if any, formal or
established oversight practices were in existence at the contract
level.
Table 5 shows the judgmental selection of contract actions that were
reviewed for each agency, including APMO.
Table 5: Contract Actions Related to US-VISIT That Were Examined in
This Review:
Services acquired: Program level management;
Contract manager: US- VISIT;
Relationship to US-VISIT: Managed within program office;
Fiscal year: 2004[A];
Contract type: Cost plus award fee;
Description of services provided by contracting action reviewed:
Providing program planning, cost and schedule estimation methodology,
program control methodology, a risk management program, a configuration
management plan and repository, a quality management plan, a process
improvement program, a communications management plan and program
support, a support collaboration tool and integrated portal solution,
and additional program-level activities.
Services acquired: US-VISIT strategic plan development;
Contract manager: US-VISIT;
Relationship to US-VISIT: Managed within program office;
Fiscal year: 2005;
Contract type: Firm fixed price;
Description of services provided by contracting action reviewed:
Providing, among other things, an as-is assessment, a business
functionality vision, an information technology strategic plan, a
facilities strategic plan, a strategic plan, a data management
strategic plan, and a business case and implementation plan.
Services acquired: Pre-award and post-award acquisition services;
Contract manager: GSA;
Relationship to US-VISIT: Reimbursable work authorization;
Fiscal year: 2002;
Contract type: Firm fixed price;
Description of services provided by contracting action reviewed:
Providing pre-award and post-award functions involving the acquisition
of services to carry out the overall program of the Public Buildings
Service including the US-VISIT program.
Services acquired: Planning and mobilization for feasibility studies;
Contract manager: GSA;
Relationship to US-VISIT: Reimbursable work authorization;
Fiscal year: 2003;
Contract type: Firm fixed price;
Description of services provided by contracting action reviewed:
Providing, among other things, mobilization of planning efforts for
several ports of entry and providing the management of feasibility
studies for 51 separate ports of entry.
Services acquired: Program management of US-VISIT at ports of entry;
Contract manager: GSA;
Relationship to US-VISIT: Reimbursable work authorization;
Fiscal year: 2004, 2005[B];
Contract type: Firm fixed price;
Description of services provided by contracting action reviewed: Among
other things, directing and managing the implementation of the US-VISIT
program at ports of entry and providing a single point of interface and
accountability for program implementation efforts.
Services acquired: On-site program management at ports of entry;
Contract manager: AERC;
Relationship to US-VISIT: Reimbursable work authorization;
Fiscal year: 2003;
Contract type: Firm fixed price;
Description of services provided by contracting action reviewed:
Providing internal US-VISIT management support and coordination for US-
VISIT initiatives, managing and providing direction to GSA and its
contractors, coordinating project information and details with CBP, and
facilitating communication between the various government groups
involved in port of entry projects.
Services acquired: Economic impact assessment;
Contract manager: AERC;
Relationship to US-VISIT: Interagency agreement;
Fiscal year: 2005[C];
Contract type: Firm fixed price;
Description of services provided by contracting action reviewed:
Analyzing and assessing the overall life cycle benefits and costs of
the US-VISIT program implementation along the northern and southern
borders of the United States.
Services acquired: Commercial recovery services;
Contract manager: CBP;
Relationship to US-VISIT: Intra-agency agreement;
Fiscal year: 2002;
Contract type: Firm fixed price;
Description of services provided by contracting action reviewed:
Providing, through a subscription, an adequately equipped primary and
secondary recovery facility in order to ensure data replication,
disaster recovery services, extended recovery services, and disaster
declaration.
Services acquired: Infrastructure upgrades at ports of entry;
Contract manager: CBP;
Relationship to US-VISIT: Intra-agency agreement;
Fiscal year: 2003;
Contract type: Labor hour with other direct costs;
Description of services provided by contracting action reviewed:
Providing technical support and a comprehensive and integrated
management approach for infrastructure upgrades at various airports and
seaports for US-VISIT.
Services acquired: Systems software maintenance and development
support;
Contract manager: CBP;
Relationship to US-VISIT: Intra-agency agreement;
Fiscal year: 2004;
Contract type: Time and materials;
Description of services provided by contracting action reviewed:
Providing, among other things, requirements analysis, system
development and enhancements, and maintenance in support of Increment
2B.
Services acquired: Air/sea exit;
Contract manager: TSA;
Relationship to US-VISIT: Intra-agency agreement;
Fiscal year: 2003;
Contract type: Firm fixed price/Time and materials;
Description of services provided by contracting action reviewed:
Providing self-service and attended workstations to guide nonimmigrant
visa holders through the presentation of their travel documents and
submission of two fingerprints each.
Source: GAO analysis of agency data.
[A] US-VISIT did not manage any contracts before fiscal year 2004.
[B] In fiscal years 2004 and 2005, GSA issued two task orders under the
same contract for similar types of work. Both of these task orders were
selected for our review.
[C] AERC did not issue new US-VISIT-related work in fiscal year 2004.
[End of table]
Contract oversight controls: To assess the program's oversight of
program-related contracts, we used DHS guidance pertaining to intra-and
intergovernmental contracting relationships,[Footnote 52] as well as
practices for oversight developed by us.We met with program office
officials to determine the extent to which the program office oversaw
the performance of US-VISIT-related contracts and identified the
organizations performing work in support of the program (as listed
earlier). We met with these organizations to determine the extent to
which the program office interacted with them in an oversight capacity.
Financial management controls: To assess internal control processes and
procedures in place over contract financial management, we reviewed
authoritative guidance on contract management found in the following:
* the FAR;
* our Policy and Procedures Manual for Guidance of Federal Agencies,
Title 7--Fiscal Guidance;
* Office of Management and Budget (OMB) Revised Circular A-123,
Management's Responsibility for Internal Control; and:
* OMB Revised Circular A-76, Performance of Commercial Activities.
We also reviewed DHS's performance and accountability reports for
fiscal years 2003, 2004, and 2005, including the financial statements
and the accompanying independent auditor's reports, and we reviewed
other relevant audit reports issued by us and Inspectors General. We
interviewed staff of the independent public accounting firm responsible
for auditing ICE and the DHS bureaus for which ICE provides accounting
services (including US-VISIT).
We obtained the congressionally approved budgets for US-VISIT work and
other relevant financial information. For each of the contracting
actions selected for review, listed above, at US-VISIT, AERC, GSA, CBP,
and TSA, we obtained copies of available invoices and related review
and approval documentation. We reviewed the invoice documentation for
evidence of compliance with our Standards for Internal Control in the
Federal Government and Internal Control Management and Evaluation
Tool.[Footnote 53]Specifically, we reviewed the invoices for evidence
of the performance of certain control activities, including the
following: review and approval before payment by a contracting officer,
contracting officer's technical representative, and other cognizant
officials; reasonableness of expenses billed (including travel) and
their propriety in relation to US-VISIT; payment of the invoice in the
proper amount and to the correct vendor; payment of the invoice from a
proper funding source; and payment of the invoice within 30 days as
specified by the Prompt Payment Act. We also reviewed the invoices for
compliance with requirements of the specific contract provisions for
which they were billed. We did not review invoice documentation for the
selected contracting actions managed by ICE, because ICE did not
provide us with invoice documentation for all requested contracts in
time to meet fieldwork deadlines.
We also obtained copies of invoices paid through July 2005 and
available payment review and approval documentation on the prime
contract from the ICE finance center. We reviewed this documentation
for evidence of execution of internal controls over payment approval
and processing. In addition, we performed data mining procedures on the
list of payments from APMO for unusual or unexpected transactions.
Based on this analysis, we chose a judgemental selection of payments
and reviewed their related invoice and payment approval documentation.
We interviewed agency officials involved with budgeting, financial
management, contract oversight, and program management at the program
office, ICE, CBP, TSA, AERC, and GSA. We obtained and reviewed DHS and
US-VISIT policies, including:
* the DHS Acquisition Manual;
* US-VISIT Contract Management and Administration Plan;
* US-VISIT Acquisition Procedures Guide (APG-14)--Procedures for
Invoice Review and Approval;
* DHS Management Directive 0710.1 (Reimbursable Agreements); and:
* CBP and ICE's standard operating procedures regarding financial
activities.
We also interviewed representatives from the prime contractor to
determine how they track certain cost information and invoice the
program. In addition, we observed how requisitions and obligations are
set up in the financial management system used by the program.
We observed invoice processing and payment procedures at the CBP and
ICE finance centers, the two major finance centers responsible for
processing payments for program-related work. From the CBP finance
center, we obtained data on expenditures for US-VISIT-related work made
by CBP from fiscal year 2003 through fiscal year 2005. From the ICE
finance center, which processes payments for the program office, we
obtained a list of payments made by US-VISIT from August 2004 through
July 2005. We did not obtain this level of detail for expenditures at
AERC and GSA because these agencies are external to DHS; therefore we
do not report on the reliability of expenditure reporting by either
agency.
From ICE's finance center, we also obtained and reviewed a list of
Intra-governmental Payment and Collection system transactions paid by
the US-VISIT program office to its federal trading partners through
September 30, 2005. We requested a list of expenditures on program-
related contracts managed by ICE; however, ICE was unable to provide a
complete, reliable list. Officials at ICE's Debt Management Center,
however, did provide a list of ICE's interagency agreements related to
US-VISIT.
In assessing data reliability, we determined that the available data
for this engagement were not sufficiently reliable for us to conduct
statistical sampling or to base our conclusions solely on the data
systems used by the program and other agencies managing US-VISIT-
related contracts. Specifically, the contracting actions managed by the
program office and these agencies were self-reported and could not be
independently validated. Further, recent audit reports found that the
financial system used by the program office and ICE was unreliable, and
because of the system, among other reasons, the auditors could not
issue an opinion on DHS's fiscal year 2004 and 2005 financial
statements. Our conclusions, therefore, are based primarily on
documentary reviews of individual contracting actions and events, and
our findings cannot be projected in dollar terms to the whole program.
We conducted our work at:
* DHS finance centers in Dallas, Texas and Indianapolis, Indiana;
* CBP facilities in Washington, D.C., and Newington, Virginia;
* ICE facilities in Washington, D.C;
* TSA facilities in Arlington, Virginia;
* the US-VISIT program offices in Rosslyn, Virginia; and:
* GSA and AERC facilities in Ft. Worth, Texas.
Our work was conducted from March 2005 through April 2006, in
accordance with generally accepted government auditing standards.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
May 19, 2006:
Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
U.S. Government Accountability Office:
Washington, D.C. 20548:
Dear Mr. Hite:
Thank you for the opportunity to review the draft report, Homeland
Security: Contract Management and Oversight for Visitor and Immigrant
Status Program Need to Be Strengthened (GAO-06-404). As with prior
reports that your office has issued regarding US-VISIT, there are many
areas with which we agree, and the recommendations have made US-VISIT a
stronger program. However, as with those past reports, the Department
of Homeland Security (DHS) has certain areas of disagreement. They
appear in our comments, which follow.
While we disagree with some of GAO's assessment of US-VISIT's contract
management and oversight, we concur with the report's recommendations
and the need for improvement. Overall, the report's findings will help
US-VISIT to continue making its already highly successful and valuable
contributions to the enhanced security of the United States.
On page 6 of the draft report, GAO states: "Further, it [US-VISIT] has
depended on the other agencies to properly manage financial matters for
their respective contracts, and it also depended on another agency for
its own financial management support. "
This is a misleading statement. To declare that US-VISIT depended on
another agency for its own financial management support without
identifying that agency/system, and disclosing that the current
engagement did not examine the effectiveness of that financial
management system, implies that the scope of this report is broader
than Congress directed. The reference to "another agency" should be
deleted or the statement should clarify that financial management
controls were examined and not the financial management systems
themselves.
Furthermore, the decision to use other agencies to manage US-VISIT
contracts is based on the nature of the facilities and infrastructure
services required at the ports of entry. Procurement of architectural
and engineering services and property management services are outside
the information technology systems scope of the core US-VISIT mission.
Rather than establish that capability in-house, the Director of US-
VISIT decided to utilize the existing expertise at the Architect
Engineering Resource Center/Army Corps of Engineers (AERC) and the
General Services Administration (GSA).
When authority to manage facilities and infrastructure contracts was
granted to AERC and GSA, US-VISIT also delegated to those agencies the
authority to manage financial matters under those contracts. Each
agency provides turnkey procurement services, including contract
management and financial management. These two functions cannot be
easily separated since each agency maintains systems of records for
contracts issued and disbursements made under those contracts.
* In Table 1 on page 15, GAO states that the purpose of the contracts
managed for AERC is "On-site program management at ports of entry and
economic impact assessment of US-VISIT implementation on northern and
southern borders. "
This statement needs clarification. The AERC provides facilities
services for US-VISIT reporting primarily on-site. Services encompass
program and project management, planning, and environmental studies.
The description in the table reflects the scope of work for the two
contracts sampled and not for the broader scope of services that AERC
delivers under the interagency agreement. GSA provides facilities
program and project management services at ports of entry,
infrastructure design and construction services, and coordination of
services between GSA personnel and US-VISIT. The table should reflect
this.
* On page 43, GAO states: "For CBP, a list of contracting actions
provided by program officials included discrepancies that raised
questions about the accuracy both of the list and of the invoiced
amounts. First, the task order number of a 2002 contracting action
changed during our period of review, and CBP initially reported the
task order as two different contracting actions, one issued in 2002 and
another issued in 2004. "
A task order could be reported as two different contracting actions
simply because of its two different numbering patterns. The different
numbering patterns are due to the merging of U.S. Customs under DHS and
not as an inconsistent error. Contract actions awarded prior to FY 2004
were based on the U.S. Customs contract numbering system; however, by
October 1, 2003 (FY 2004), DHS required components to utilize its
unique procurement instrument identifiers for all contract actions.
That is the date on which SAP Release 2, CBP's new financial system,
implemented its procurement module. All contract actions awarded in FY
2004 against a contract awarded prior to FY 2004 have different
contract numbers than the originating contracts. The old contract
numbers are referenced on the face page of applicable award documents
signed after October 1, 2003.
On page 45, in the section entitled "Several Payments to Contractors
for US-VISIT Work Were Improperly Paid and Accounted for, " GAO states:
"A duplicate payment was made on an invoice for over $3 million. APMO
had sent an authorization for payment in full on the invoice to its
finance center. Then, 1 month later, APMO sent another authorization
for payment in full on the same invoice. The second payment was later
noticed, and the contractor refunded the amount. "
US-VISIT agrees that this invoice was submitted by the prime contractor
once, transmitted by US-VISIT twice, paid twice, and collected once
when the second payment was discovered. The duplicate payment was at
least partially caused by a communications problem. APMO validated the
invoice and sent an authorization for payment in full to its finance
center. One month later, APMO checked on the status of the payment, and
was told that the invoice number in question was not held in the
finance center. It had apparently been logged into the Finance Center's
financial management system under a slightly different control number,
and was actually being processed. Assuming it to be lost, APMO sent
another authorization for payment in full on the same invoice. Both
invoices were paid. The second payment was later noticed and the
contractor refunded the second payment.
GAO also states: "Also at APMO, two questionable payments were made
that arose from the overriding of controls created for the prime US-
VISIT contract. The prime contract has been implemented through 12 task
orders with multiple modifications that either increased funding or
made other changes to the contract terms. To account for the
obligations made on each task order, the program's Office of Budget and
Finance created separate tracking codes in the financial system for
each task order and sometimes for each modification of a task order.
The separate tracking of each obligation is a good control for tracking
and controlling spending against task order funds. However, APMO
overrode this control when it instructed the finance center to pay two
invoices-one for about $742, 000 and one for about $101, 000-out of the
wrong account: that is, with funds for task orders other than those for
which the invoices were billed."
While the cause of the questionable payments is not completely clear
from the available evidence, both transactions are almost certainly
errors arising from processes with significant manual components, as
opposed to deliberate control overrides, since adequate funds were
available in the correct accounts for each case. In the case of the
second incorrect transaction, communication could have been an issue as
well. While APMO incorrectly directed that payment of the first invoice
($742,000) was to be made from the account of another task order, file
documentation indicates that the second invoice was correctly processed
by APMO, and subsequently paid by the Finance Center from an incorrect
account, i.e., with funds for a task order other than those billed by
the invoice.
* On page 46, GAO states: "The other set of overpayments, although
small in dollar value, exemplify a significant breakdown in internal
control. As a result, AERC overpaid the vendor by about $26,600.
Moreover, it was the contractor, not AERC, that noticed the overpayment
and refunded it. "
To clarify: The vendor notified the AERC Finance Center of the
overpayment on September 13, 2005. The US-VISIT Office of Facilities
and Engineering independently identified a billing discrepancy on
November 1, 2005, and requested clarification from AERC the following
day. The billing error was detected by OFE after reviewing the AERC
monthly report issued on October 19, 2005. Although the vendor reported
the overpayment first, OFE did request clarification independently.
In addition, although GAO discloses that the overpayments were small in
value, it should perform a materiality test in accordance with
accounting principles and make a determination whether the overpayment
should be disclosed in a public report.
Thank you for the opportunity to review the GAO report. We would be
happy to answer any questions or address any information needs you or
your staff may have.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director, Departmental GAO/IG Liaison Office:
[End of section]
Appendix III: Detailed Agency Evaluations:
We evaluated the extent to which the agencies covered by our review (US-
VISIT APMO, GSA, AERC, CBP, TSA, and ICE[Footnote 54]) had established
and implemented effective contract management and oversight practices
for the contracting actions that we reviewed.
Details are presented, by agency, in this appendix. Some practices are
further divided into subpractices. The extent to which practices/
subpractices were judged to be established/implemented was categorized
as one of the following:
Filled in = established/implemented:
Half filled in = partially established/implemented:
Empty = not established/implemented:
We judged whether the practice was established, partially established,
or not established depending on whether the agency had documented
policies and procedures addressing the practice and all, some, or none
of the subpractices (where applicable). We judged whether a practice
was implemented, partially implemented, or not implemented on the basis
of documentation demonstrating that the practice and all, some, or none
of the subpractices (where applicable) had been implemented for the
contracting actions that we reviewed.
We judged that an agency had "partially established" the requirement
for a practice or subpractice if the agency relied only on the FAR
requirement to perform this activity, but did not establish a process
(i.e., documented procedures) for how the FAR requirement was to be
met.
We judged that an agency had "partially implemented" a practice or
subpractice if it had implemented some, but not all, facets of the
practice (including its own related requirements for that practice).
Table 6: Evaluation of US-VISIT Acquisition and Program Management
Office:
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include a contract oversight process description;
Requirement established: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include standards for work products;
Requirement established: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include requirements for work products;
Requirement established: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: : Include resources required to perform the
process;
Requirement established: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice Components: Include evaluations and reviews to be conducted
with the contractor;
Requirement established: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Components: Assign responsibility and authority for performing
the specific tasks of the process.
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Train the people performing or supporting the contract
oversight process as needed;
Practice components: Include training requirements;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a statement of work;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a list of agreed upon deliverables;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a schedule;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a budget;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include who from the project is responsible and
authorized to make changes to the contract;
Requirement established: N/A;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include deliverable acceptance criteria;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include the type and depth of oversight of the
contractor, procedures, and evaluation criteria to be used in
monitoring the contractor's performance;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include the types of reviews that will be
conducted with the contractor;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Verify and accept the deliverables;
Practice components: Define acceptance procedures;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Verify and accept the deliverables;
Practice components: Verify that acquired products satisfy their
requirements;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Verify and accept the deliverables;
Practice components: Document the results of the acceptance review or
test;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Verify and accept the deliverables;
Practice components: Agree to an action plan for work products that do
not pass their review or test;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Verify and accept the deliverables;
Practice components: Identify, document, and track action items to
closure;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Identify and categorize risk (for example, risk
likelihood, risk consequence, and thresholds to trigger management
activities);
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Analyze risk using the assigned categories;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Conduct technical reviews with the contractor;
Practice components: Ensure the technical commitments are being met,
communicated, and resolved in a timely manner;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Conduct technical reviews with the contractor;
Practice components: Review the contractor's technical activities and
verify that the contractor's interpretation and implementation of the
requirements are consistent with the project's interpretation;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Conduct management reviews with the contractor;
Practice components: Review critical dependencies;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Conduct management reviews with the contractor;
Practice components: Review project risks involving the contractor;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Conduct management reviews with the contractor;
Practice components: Practice components: Review schedule and budget;
Requirement established: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Legend:
Filled in = Established/implemented:
Half filled in = Partially established/implemented:
Empty = Not established/implemented:
Sources: Software Engineering Institute (SEI), GAO analysis of agency
data.
Note: The following are the services provided in the contracts
described, by fiscal year.
FY 2004: Program-level management:
FY 2005: US-VISIT strategic plan development:
[End of table]
Table 7: Evaluation of General Services Administration:
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include a contract oversight process description;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include standards for work products;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include requirements for work products;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: : Include resources required to perform the
process;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice Components: Include evaluations and reviews to be conducted
with the contractor;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Components: Assign responsibility and authority for performing
the specific tasks of the process.
Requirement established: Yes;
Practice Implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Train the people performing or supporting the contract
oversight process as needed;
Practice components: Include training requirements;
Requirement established: Yes;
Practice Implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a statement of work;
Requirement established: Partially;
Practice Implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a list of agreed upon deliverables;
Requirement established: Partially;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a schedule;
Requirement established: Partially;
Practice Implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a budget;
Requirement established: No;
Practice Implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include who from the project is responsible and
authorized to make changes to the contract;
Requirement established: N/A;
Practice Implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include deliverable acceptance criteria;
Requirement established: Partially;
Practice Implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include the type and depth of oversight of the
contractor, procedures, and evaluation criteria to be used in
monitoring the contractor's performance;
Requirement established: Partially;
Practice Implemented: FY 2002: Partially;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Partially;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include the types of reviews that will be
conducted with the contractor;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: No.
Practice: Verify and accept the deliverables;
Practice components: Define acceptance procedures;
Requirement established: Partially;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Partially;
Practice Implemented: FY 2005: Partially.
Practice: Verify and accept the deliverables;
Practice components: Verify that acquired products satisfy their
requirements;
Requirement established: Partially;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Partially;
Practice Implemented: FY 2005: Partially.
Practice: Verify and accept the deliverables;
Practice components: Document the results of the acceptance review or
test;
Requirement established: Partially;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Partially;
Practice Implemented: FY 2005: Partially.
Practice: Verify and accept the deliverables;
Practice components: Agree to an action plan for work products that do
not pass their review or test;
Requirement established: No;
Practice Implemented: FY 2002: N/A;
Practice Implemented: FY 2003: N/A;
Practice Implemented: FY 2004: N/A;
Practice Implemented: FY 2005: N/A.
Practice: Verify and accept the deliverables;
Practice components: Identify, document, and track action items to
closure;
Requirement established: No;
Practice Implemented: FY 2002: N/A;
Practice Implemented: FY 2003: N/A;
Practice Implemented: FY 2004: N/A;
Practice Implemented: FY 2005: N/A.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Identify and categorize risk (for example, risk
likelihood, risk consequence, and thresholds to trigger management
activities);
Requirement established: Partially;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Analyze risk using the assigned categories;
Requirement established: Partially;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Conduct technical reviews with the contractor;
Practice components: Ensure the technical commitments are being met,
communicated, and resolved in a timely manner;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: No.
Practice: Conduct technical reviews with the contractor;
Practice components: Review the contractor's technical activities and
verify that the contractor's interpretation and implementation of the
requirements are consistent with the project's interpretation;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: No.
Practice: Conduct management reviews with the contractor;
Practice components: Review critical dependencies;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes;
Practice Implemented: FY 2005: No.
Practice: Conduct management reviews with the contractor;
Practice components: Review project risks involving the contractor;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No;
Practice Implemented: FY 2005: No.
Practice: Conduct management reviews with the contractor;
Practice components: Practice components: Review schedule and budget;
Requirement established: No;
Practice Implemented: FY 2002: No;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Partially;
Practice Implemented: FY 2005: No.
Legend:
Filled in = Established/implemented:
Half filled in = Partially established/implemented:
Empty = Not established/implemented:
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contracts
described, by fiscal year.
FY 2002: Pre-award and post-award acquisition services:
FY 2003: Planning and mobilization for feasibility studies:
FY 2004: Program management of US-VISIT at ports of entry:
FY 2005: Program management of US-VISIT at ports of entry:
[End of Table]
Table 8: Evaluation of Army Corps of Engineers Architect-Engineer
Resource Center:
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include a contract oversight process description;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include standards for work products;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include requirements for work products;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: : Include resources required to perform the
process;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice Components: Include evaluations and reviews to be conducted
with the contractor;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Components: Assign responsibility and authority for performing
the specific tasks of the process.
Requirement established: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Train the people performing or supporting the contract
oversight process as needed;
Practice components: Include training requirements;
Requirement established: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a statement of work;
Requirement established: Partially;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a list of agreed upon deliverables;
Requirement established: Partially;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a schedule;
Requirement established: Partially;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include a budget;
Requirement established: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include who from the project is responsible and
authorized to make changes to the contract;
Requirement established: N/A;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include deliverable acceptance criteria;
Requirement established: Partially;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: Yes.
Practice: Document the contract;
Practice components: Include the type and depth of oversight of the
contractor, procedures, and evaluation criteria to be used in
monitoring the contractor's performance;
Requirement established: Partially;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: Partially.
Practice: Document the contract;
Practice components: Include the types of reviews that will be
conducted with the contractor;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: Yes.
Practice: Verify and accept the deliverables;
Practice components: Define acceptance procedures;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Verify and accept the deliverables;
Practice components: Verify that acquired products satisfy their
requirements;
Requirement established: Partially;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2005: Partially.
Practice: Verify and accept the deliverables;
Practice components: Document the results of the acceptance review or
test;
Requirement established: Partially;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2005: Partially.
Practice: Verify and accept the deliverables;
Practice components: Agree to an action plan for work products that do
not pass their review or test;
Requirement established: No;
Practice Implemented: FY 2003: N/A;
Practice Implemented: FY 2005: N/A.
Practice: Verify and accept the deliverables;
Practice components: Identify, document, and track action items to
closure;
Requirement established: No;
Practice Implemented: FY 2003: N/A;
Practice Implemented: FY 2005: N/A.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Identify and categorize risk (for example, risk
likelihood, risk consequence, and thresholds to trigger management
activities);
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Analyze risk using the assigned categories;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Conduct technical reviews with the contractor;
Practice components: Ensure the technical commitments are being met,
communicated, and resolved in a timely manner;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Conduct technical reviews with the contractor;
Practice components: Review the contractor's technical activities and
verify that the contractor's interpretation and implementation of the
requirements are consistent with the project's interpretation;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Conduct management reviews with the contractor;
Practice components: Review critical dependencies;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Conduct management reviews with the contractor;
Practice components: Review project risks involving the contractor;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Practice: Conduct management reviews with the contractor;
Practice components: Review schedule and budget;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2005: No.
Legend:
Filled in = Established/implemented:
Half filled in = Partially established/implemented:
Empty = Not established/implemented:
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contracts
described, by fiscal year.
FY 2003: On-site program management at ports of entry:
FY 2005: Economic impact assessment of US-VISIT along northern and
southern borders:
[End of Table]
Table 9: Evaluation of Customs and Border Protection:
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include a contract oversight process description;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Partially.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include standards for work products;
Requirement established: No;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Partially.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include requirements for work products;
Requirement established: No;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Partially.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: : Include resources required to perform the
process;
Requirement established: No;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No.
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice Components: Include evaluations and reviews to be conducted
with the contractor;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Partially.
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Components: Assign responsibility and authority for performing
the specific tasks of the process.
Requirement established: Yes;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Train the people performing or supporting the contract
oversight process as needed;
Practice components: Include training requirements;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Partially.
Practice: Document the contract;
Practice components: Include a statement of work;
Requirement established: Yes;
Practice implemented: FY 2002: Partially;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Yes.
Practice: Document the contract;
Practice components: Include a list of agreed upon deliverables;
Requirement established: No;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Document the contract;
Practice components: Include a schedule;
Requirement established: Yes;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Document the contract;
Practice components: Include a budget;
Requirement established: No;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Document the contract;
Practice components: Include who from the project is responsible and
authorized to make changes to the contract;
Requirement established: N/A;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Document the contract;
Practice components: Include deliverable acceptance criteria;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Yes.
Practice: Document the contract;
Practice components: Include the type and depth of oversight of the
contractor, procedures, and evaluation criteria to be used in
monitoring the contractor's performance;
Requirement established: Partially;
Practice implemented: FY 2002: Partially;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Partially.
Practice: Document the contract;
Practice components: Include the types of reviews that will be
conducted with the contractor;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No.
Practice: Verify and accept the deliverables;
Practice components: Define acceptance procedures;
Requirement established: Yes;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Verify and accept the deliverables;
Practice components: Verify that acquired products satisfy their
requirements;
Requirement established: Yes;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Yes.
Practice: Verify and accept the deliverables;
Practice components: Document the results of the acceptance review or
test;
Requirement established: Yes;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: Partially;
Practice Implemented: FY 2004: Yes.
Practice: Verify and accept the deliverables;
Practice components: Agree to an action plan for work products that do
not pass their review or test;
Requirement established: Partially;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No.
Practice: Verify and accept the deliverables;
Practice components: Identify, document, and track action items to
closure;
Requirement established: Partially;
Practice implemented: FY 2002: Yes;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: No.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Identify and categorize risk (for example, risk
likelihood, risk consequence, and thresholds to trigger management
activities);
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Analyze risk using the assigned categories;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Conduct technical reviews with the contractor;
Practice components: Ensure the technical commitments are being met,
communicated, and resolved in a timely manner;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Yes.
Practice: Conduct technical reviews with the contractor;
Practice components: Review the contractor's technical activities and
verify that the contractor's interpretation and implementation of the
requirements are consistent with the project's interpretation;
Requirement established: Yes;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: No;
Practice Implemented: FY 2004: Yes.
Practice: Conduct management reviews with the contractor;
Practice components: Review critical dependencies;
Requirement established: Partially;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Conduct management reviews with the contractor;
Practice components: Review project risks involving the contractor;
Requirement established: Partially;
Practice implemented: FY 2002: No;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: Yes.
Practice: Conduct management reviews with the contractor;
Practice components: Review schedule and budget;
Requirement established: Partially;
Practice implemented: FY 2002: Partially;
Practice Implemented: FY 2003: Yes;
Practice Implemented: FY 2004: No.
Legend:
Filled in = Established/implemented:
Half filled in = Partially established/implemented:
Empty = Not established/implemented:
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contracts
described, by fiscal year.
FY 2002: Commercial recovery services:
FY 2003: Infrastructure upgrades at ports of entry:
FY 2004: Software maintenance and development for Increment 2B:
[End of Table]
Table 10: Evaluation of Transportation Security Administration:
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include a contract oversight process description;
Requirement established: Yes;
Practice Implemented: FY 2003: No;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include standards for work products;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include requirements for work products;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: : Include resources required to perform the
process;
Requirement established: No;
Practice Implemented: FY 2003: Partially;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice Components: Include evaluations and reviews to be conducted
with the contractor;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Components: Assign responsibility and authority for performing
the specific tasks of the process.
Requirement established: Partially;
Practice Implemented: FY 2003: Yes;
Practice: Train the people performing or supporting the contract
oversight process as needed;
Practice components: Include training requirements;
Requirement established: Partially;
Practice Implemented: FY 2003: No;
Practice: Document the contract;
Practice components: Include a statement of work;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Document the contract;
Practice components: Include a list of agreed upon deliverables;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Document the contract;
Practice components: Include a schedule;
Requirement established: Yes;
Practice Implemented: FY 2003: No;
Practice: Document the contract;
Practice components: Include a budget;
Requirement established: No;
Practice Implemented: FY 2003: Yes;
Practice: Document the contract;
Practice components: Include who from the project is responsible and
authorized to make changes to the contract;
Requirement established: N/A;
Practice Implemented: FY 2003: Yes;
Practice: Document the contract;
Practice components: Include deliverable acceptance criteria;
Requirement established: No;
Practice Implemented: FY 2003: Yes;
Practice: Document the contract;
Practice components: Include the type and depth of oversight of the
contractor, procedures, and evaluation criteria to be used in
monitoring the contractor's performance;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Document the contract;
Practice components: Include the types of reviews that will be
conducted with the contractor;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Verify and accept the deliverables;
Practice components: Define acceptance procedures;
Requirement established: Yes;
Practice Implemented: FY 2003: Yes;
Practice: Verify and accept the deliverables;
Practice components: Verify that acquired products satisfy their
requirements;
Requirement established: Yes;
Practice Implemented: FY 2003: Yes;
Practice: Verify and accept the deliverables;
Practice components: Document the results of the acceptance review or
test;
Requirement established: Yes;
Practice Implemented: FY 2003: Yes;
Practice: Verify and accept the deliverables;
Practice components: Agree to an action plan for work products that do
not pass their review or test;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Verify and accept the deliverables;
Practice components: Identify, document, and track action items to
closure;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Identify and categorize risk (for example, risk
likelihood, risk consequence, and thresholds to trigger management
activities);
Requirement established: Yes;
Practice Implemented: FY 2003: Yes;
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Analyze risk using the assigned categories;
Requirement established: Yes;
Practice Implemented: FY 2003: Partially;
Practice: Conduct technical reviews with the contractor;
Practice components: Ensure the technical commitments are being met,
communicated, and resolved in a timely manner;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Conduct technical reviews with the contractor;
Practice components: Review the contractor's technical activities and
verify that the contractor's interpretation and implementation of the
requirements are consistent with the project's interpretation;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Conduct management reviews with the contractor;
Practice components: Review critical dependencies;
Requirement established: No;
Practice Implemented: FY 2003: No;
Practice: Conduct management reviews with the contractor;
Practice components: Review project risks involving the contractor;
Requirement established: No;
Practice Implemented: FY 2003: Partially;
Practice: Conduct management reviews with the contractor;
Practice components: Review schedule and budget;
Requirement established: No;
Practice Implemented: FY 2003: Yes;
Legend:
Filled in = Established/implemented:
Half filled in = Partially established/implemented:
Empty = Not established/implemented:
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contract
described:
FY 2003: Air/sea exit:
[End of table]
Table 11: Evaluation of Immigration and Customs Enforcement:
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include a contract oversight process description;
Requirement established: Yes;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include standards for work products;
Requirement established: No;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: Include requirements for work products;
Requirement established: No;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice components: : Include resources required to perform the
process;
Requirement established: No;
Practice: Establish and maintain a plan for performing the contract
oversight process;
Practice Components: Include evaluations and reviews to be conducted
with the contractor;
Requirement established: Partially;
Practice: Assign responsibility and authority for performing the
contractor oversight process;
Practice Components: Assign responsibility and authority for performing
the specific tasks of the process.
Requirement established: Yes;
Practice: Train the people performing or supporting the contract
oversight process as needed;
Practice components: Include training requirements;
Requirement established: Yes;
Practice: Document the contract;
Practice components: Include a statement of work;
Requirement established: Yes;
Practice: Document the contract;
Practice components: Include a list of agreed upon deliverables;
Requirement established: No;
Practice: Document the contract;
Practice components: Include a schedule;
Requirement established: No;
Practice: Document the contract;
Practice components: Include a budget;
Requirement established: No;
Practice: Document the contract;
Practice components: Include who from the project is responsible and
authorized to make changes to the contract;
Requirement established: N/A;
Practice: Document the contract;
Practice components: Include deliverable acceptance criteria;
Requirement established: Yes;
Practice: Document the contract;
Practice components: Include the type and depth of oversight of the
contractor, procedures, and evaluation criteria to be used in
monitoring the contractor's performance;
Requirement established: Yes;
Practice: Document the contract;
Practice components: Include the types of reviews that will be
conducted with the contractor;
Requirement established: No;
Practice: Verify and accept the deliverables;
Practice components: Define acceptance procedures;
Requirement established: Yes;
Practice: Verify and accept the deliverables;
Practice components: Verify that acquired products satisfy their
requirements;
Requirement established: Yes;
Practice: Verify and accept the deliverables;
Practice components: Document the results of the acceptance review or
test;
Requirement established: No;
Practice: Verify and accept the deliverables;
Practice components: Agree to an action plan for work products that do
not pass their review or test;
Requirement established: No;
Practice: Verify and accept the deliverables;
Practice components: Identify, document, and track action items to
closure;
Requirement established: No;
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Identify and categorize risk (for example, risk
likelihood, risk consequence, and thresholds to trigger management
activities);
Requirement established: Yes;
Practice: Monitor risks involving the contractor and take corrective
actions as necessary;
Practice components: Analyze risk using the assigned categories;
Requirement established: No;
Practice: Conduct technical reviews with the contractor;
Practice components: Ensure the technical commitments are being met,
communicated, and resolved in a timely manner;
Requirement established: Partially;
Practice: Conduct technical reviews with the contractor;
Practice components: Review the contractor's technical activities and
verify that the contractor's interpretation and implementation of the
requirements are consistent with the project's interpretation;
Requirement established: No;
Practice: Conduct management reviews with the contractor;
Practice components: Review critical dependencies;
Requirement established: No;
Practice: Conduct management reviews with the contractor;
Practice components: Review project risks involving the contractor;
Requirement established: No.
Practice: Conduct management reviews with the contractor;
Practice components: Review schedule and budget;
Requirement established: No.
Legend:
Filled in = Established/implemented:
Half filled in = Partially established/implemented:
Empty = Not established/implemented:
Sources: SEI, GAO analysis of agency data.
[End of Table]
[End of section]
Appendix IV: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Randolph C. Hite, (202) 512-3439 or hiter@gao.gov:
McCoy Williams, (202) 512-9095 or williamsm1@gao.gov:
Staff Acknowledgments:
In addition to the contacts named above, the following people made key
contributions to this report: Deborah Davis, Assistant Director; Casey
Keplinger, Assistant Director; Sharon Byrd; Shaun Byrnes; Barbara
Collier; Marisol Cruz; Francine Delvecchio; Neil Doherty; Heather
Dunahoo; Dave Hinchman; James Houtz; Stephanie Lee; David Noone; Lori
Ryza; Zakia Simpson; and Charles Youman.
FOOTNOTES
[1] The DHS agencies are the US-VISIT Acquisition and Program
Management Office, US-VISIT Facilities & Engineering Management, U.S.
Customs and Border Protection, Immigration and Customs Enforcement, and
the Transportation Security Administration. The non-DHS agencies are
the General Services Administration and the U.S. Army Corps of
Engineers Architect-Engineering Resource Center.
[2] To judgmentally select our set of contracting actions, we
identified the DHS and non-DHS agencies that managed US-VISIT-related
contracts and, for each agency, we selected one contracting action for
US-VISIT-related work awarded in each fiscal year from March 1, 2002,
through March 31, 2005. Not all organizations awarded contracting
actions in every fiscal year covered under our review, in which case an
action was not selected for that fiscal year for that organization. Our
judgmental selection did not include contracting actions from one of
the responsible organizations (DHS's Immigration and Customs
Enforcement) because this agency did not provide requested
documentation in time for us to include it in our analysis of
contracting actions.
[3] AERC is a component of the Department of Defense.
[4] 8 U.S.C. 1365a; 6 U.S.C. 251 (transferred relevant Immigration and
Naturalization Service functions to DHS); 8 U.S.C. 1732(b).
[5] Over the last 3 years, we have issued five reports on the US-VISIT
program that, among other things, identified fundamental challenges
that the department faced in delivering promised program capabilities
and benefits on time and within budget. For our most recent report, see
GAO, Homeland Security: Recommendations to Improve Management of Key
Border Security Program Need to Be Implemented, GAO-06-296 (Washington,
D.C.: Feb. 14, 2006).
[6] The Visa Waiver Program permits foreign nationals from designated
countries to apply for admission to the United States for a maximum of
90 days as nonimmigrant visitors for business or pleasure.
[7] Radio frequency technology relies on proximity cards and card
readers. Radio frequency devices read the information contained on the
card when the card is passed near the device and can also be used to
verify the identity of the cardholder.
[8] At one port of entry, these capabilities were not fully operational
until January 7, 2006, because of a telephone company strike that
prevented the installation of a T-1 line.
[9] An indefinite-delivery/indefinite-quantity contract provides for an
indefinite quantity, within stated limits, of supplies or services
during a fixed period of time. The government schedules deliveries or
performance by placing orders with the contractor.
[10] Accenture's partners include, among others, Raytheon Company, the
Titan Corporation, and SRA International, Inc.
[11] DHS uses inter-and intra-agency agreements (IAAs) to document
agreements entered into between federal agencies, or major
organizational units within an agency, which specify the goods to be
furnished or tasks to be accomplished by one agency (the servicing
agency) in support of the other (the requesting agency).
[12] Ownership and management of IDENT was transferred to US-VISIT in
2004; ownership of ADIS was transferred to US-VISIT in 2005, but
management was transferred to CBP.
[13] Reimbursable work authorizations are used by GSA to capture and
bill GSA's customers for, among other things, the cost of providing
services in space managed by GSA over and above the basic operations
financed through rent for that space. In the case of US-VISIT,
reimbursable work authorizations were used to reimburse services
required in support of US-VISIT deployment efforts at the GSA-owned
ports of entry.
[14] IPAC is the primary method used by most federal entities to
electronically bill and/or pay for services and supplies within the
government.
[15] This number was derived from information provided to us by the
agencies, as well as analysis of provided documentation. Additionally,
and as noted in appendix I, weaknesses in DHS's financial systems call
into question the accuracy of these numbers. Further, this number does
not include any obligations from ICE, as it did not report US-VISIT-
related obligations to us in time for us to include in our analysis of
contracting actions.
[16] On the basis of previous audit findings, we do not consider this
amount reliable. DHS's independent auditors determined that its IPAC
system presented a weakness in DHS's financial management environment.
[17] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005).
[18] GAO, Homeland Security: Successes and Challenges in DHS's Efforts
to Create an Effective Acquisition Organization, GAO-05-179
(Washington, D.C.: Mar. 29, 2005).
[19] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[20] OMB Circular A-123, Management's Responsibility for Internal
Control (effective beginning with fiscal year 2006) (revised Dec. 21,
2004).
[21] GAO, Internal Control Management and Evaluation Tool, GAO-01-1008G
(Washington, D.C.: August 2001).
[22] The FAR system establishes the uniform set of policies and
procedures for acquisition by all executive branch agencies. This
system consists of the FAR, which is the primary document, and agency
acquisition regulations that implement or supplement the FAR.
[23] Carnegie Mellon University Software Engineering Institute,
Capability Maturity Model Integration, Systems Engineering Integrated
Product and Process Development, Continuous Representation, version 1.1
(March 2002).
[24] Capability Maturity Model Integration, Systems Engineering
Integrated Product and Process Development, Continuous Representation,
version 1.1.
[25] An apparent exception was the schedule, which was reported as
having a potential problem: deliverables were identified in the
integrated master schedule as not being complete. However, US-VISIT
reported that the deliverables were delivered on time.
[26] DHS IAAs were previously referred to as "reimbursable agreements."
Five of the agreements were actually reimbursable work authorizations
for which there was no IAA.
[27] GAO-05-207.
[28] DHS, Reimbursable Agreements, Management Directive System, MD
0710.1.
[29] Air/sea exit, which was developed by TSA, collects biometric exit
data for select foreign nationals; it is currently deployed to 14
airports and seaports.
[30] Capability Maturity Model Integration, Systems Engineering
Integrated Product and Process Development, Continuous Representation,
version 1.1.
[31] No results are provided for ICE regarding implementation of these
practices because we were unable to obtain contract documentation in
time for our analysis.
[32] The contracting officer is the person with authority to procure,
enter into, administer, and terminate contracts and make related
determinations and findings. The project manager is responsible for
planning, directing, controlling, structuring, and motivating the
project. The COTR reviews contractor performance regularly, ensures
that contractual milestones are met and standards are being maintained,
conducts regular inspections of contractor deliverables throughout the
contract period, and ensures that all contract conditions and clauses
are acted upon.
[33] No results are provided for ICE regarding implementation of these
practices because we were unable to obtain contract documentation in
time for our analysis.
[34] All of the deficiencies were level 3, which TSA defines as a
defect that negatively impacts the environment and/or the application
but that can be overcome by a manual workaround, by additional
training, or by addressing the fix as part of a subsequent enhancement.
[35] GAO, Financial Management: Department of Homeland Security Faces
Significant Financial Management Challenges, GAO-04-774 (Washington,
D.C.: July 19, 2004).
[36] For the 7-month period from March 1, 2003, to September 30, 2003,
DHS received a qualified opinion from its independent auditors on its
consolidated balance sheet as of September 30, 2003, and the related
statement of custodial activity for the 7 months ending September 30,
2003. Auditors were unable to opine on the consolidated statements of
net costs and changes in net position, combined statement of budgetary
resources, and consolidated statement of financing. For fiscal years
2004 and 2005, DHS's independent auditors were unable to opine on any
of its financial statements.
[37] DHS, Performance and Accountability Report: Fiscal Year 2005 (Nov.
15, 2005).
[38] Under standards issued by the American Institute of Certified
Public Accountants, "reportable conditions" are matters coming to the
auditors' attention relating to significant deficiencies in the design
or operation of internal controls that, in the auditors' judgment,
could adversely affect the department's ability to record, process,
summarize, and report financial data consistent with the assertions of
management in the financial statements. Material weaknesses are
reportable conditions in which the design or operation of one or more
of the internal control components does not reduce (to a relatively low
level) the risk that misstatements, in amounts that would be material
in relation to the financial statements being audited, may occur and
not be detected in a timely period by employees in the normal course of
performing their assigned functions.
[39] DHS, Performance and Accountability Report: Fiscal Year 2004 (Nov.
18, 2004), and Performance and Accountability Report: Fiscal Year 2005
(Nov. 15, 2005).
[40] GAO/AIMD-00-21.3.1.
[41] GAO-01-1008G.
[42] The $7.5 million reported as the invoiced amount is the addition
of the invoiced amounts reported separately for the 2002 and 2004 task
order numbers.
[43] GAO-01-1008G.
[44] Refund documentation did not provide evidence showing whether DHS
officials or contractor staff noticed the overpayment.
[45] GAO-01-1008G.
[46] DHS, Reimbursable Agreements, Management Directive System, MD
0710.1.
[47] Codified at 31 U.S.C. §§ 3901-3904 and implemented at 5 C.F.R. pt
1315.
[48] DHS, Performance and Accountability Report: Fiscal Year 2005 (Nov.
15, 2005).
[49] That is, the agency had not documented these processes and
activities and established their performance, as would be consistent
with the best practice.
[50] The FAR system establishes the uniform set of policies and
procedures for acquisition by all executive branch agencies. This
system consists of the primary FAR document and agency acquisition
regulations that implement or supplement the FAR.
[51] Capability Maturity Model Integration, Systems Engineering
Integrated Product and Process Development, Continuous Representation,
version 1.1.
[52] DHS, Reimbursable Agreements, Management Directive System, MD
0710.1.
[53] GAO/AIMD-00-21.3.1; GAO-01-1008G.
[54] No results are provided for ICE regarding implementation of best
practices, because we were unable to obtain contract documentation in
time for analysis.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: