FDIC OIG Audit Report: FDIC’s Controls Over Contractor Invoice Approval, Payment, and Posting to the General Ledger, Report No. AUD-08-017, September 2008

FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

FDIC’s Controls Over Contractor Invoice Approval, Payment, and Posting to the General Ledger

September 2008
Report No. AUD-08-017

Federal Deposit
Insurance Corporation

Why We Did The Audit

Of the FDIC’s $992 million in calendar-year 2007 operating expenses, over $250 million represents amounts paid for contracted goods and services. Through June 2008, $121 million of $495 million in operating expenses was for contractor payments, part of which was paid based on contractor invoices.

The audit objective was to assess the FDIC’s controls over contractor invoice approval, payment, and posting to the General Ledger. Our review included a sample of 30 of 1,148 FDIC invoices, representing $5.7 million in contractor invoice payments that totaled $37.5 million during the period October 2007 through March 2008.

Background

The General Ledger is the central component of the New Financial Environment (NFE), the FDIC’s financial management system. The General Ledger provides accounting, reporting, and decision-making information for the FDIC. The FDIC’s Division of Finance (DOF) is responsible for maintaining the General Ledger, receiving contractor invoices, verifying payment approvals, issuing disbursements, and posting transactions to the General Ledger.

The audit focused on the FDIC’s control activities intended to provide reasonable assurance that the FDIC (1) meets management directives, such as budget execution; (2) accomplishes control objectives, such as efficient use of FDIC resources; and (3) mitigates risk. Control activities for invoice processing include the segregation of the receiving, invoicing, and purchasing functions; goods and services receipt verification; managerial authorizations; independent review before payment; and pre-payment procedures for Prompt Payment Act compliance and duplicate payment detection to ensure that only valid transactions are authorized and approved.

The Contractor Electronic File (CEFile) is the FDIC’s official system of records for contract activities, including invoice approval decisions as part of contract oversight management. The FDIC’s Acquisition Policy Manual and guidance from the Division of Administration’s (DOA) Acquisition Services Branch describe the oversight management responsibilities related to invoices. General Ledger procedures related to operating expenses are defined in the FDIC’s Operating Expenses Process Memorandum and the DOF’s Accounts Payable Operating Procedures Manual.

Audit Results

The FDIC has established and implemented generally adequate controls over contractor invoice approval, payment, and posting to the general ledger. The NFE provides an audit trail from the authorized invoice approval through posting of the payment transactions. Additionally, the FDIC has enhanced its Contract Oversight Management Program to ensure that Oversight Managers (OM) receive and complete training regarding their roles in independently reviewing and approving contractor invoices for payment.

Based on our review of the 30 sampled contractor invoices, representing total FDIC expenditures of $5.7 million, we found that additional control activities could improve the OM’s review and approval procedures as described below.

Segregation of duties was lacking for five invoices, representing $239,300 in payments. The same OM prepared and approved two invoices. Another OM submitted the three other invoices directly to DOF for the contractors and then approved the invoices for payment. Properly designed control activities help ensure that no one individual can initiate and approve a transaction. Maintaining the segregation of duties in the invoice payment process would help reduce the risk of errors or unauthorized transactions.
Three of 15 OMs, who approved 3 invoices with a total value of $213,150, did not have confirmation letters from Contracting Officers, authorizing the OMs to perform contractor oversight responsibilities, including reviewing and approving invoices for payments. Also, two OMs who had not completed required training approved three invoices totaling $130,600. Confirmation letters and training help to ensure that OMs correctly review and approve invoice payments in accordance with FDIC policies.
The CEFile did not contain 26 out of 30 invoices sampled, representing about $1.7 million out of $5.7 million in contractor payments. OMs did not consistently follow the FDIC’s acquisition policy on documenting these contract activities in the CEFile. Timely inclusion of invoices in the CEFile ensures accurate and complete records of contract activities.

Strengthening controls in these areas will help in ensuring the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with FDIC policies and procedures.

Recommendations and Management Response

We recommended DOF and DOA ensure the segregation of duties for invoice preparation and approval. We also recommended DOA ensure that the OMs receive confirmation letters; complete required training; and maintain current, accurate, and complete documentation in the CEFile.

DOA and DOF concurred with our recommendations and planned to take responsive actions.

Contents

Page

BACKGROUND	2
Guidance and Controls Related to Contractor Payments	2
RESULTS OF AUDIT	5
PAYMENT PROCESSING AND GENERAL LEDGER POSTING	6
SEGREGATION OF DUTIES FOR INVOICE APPROVAL	6
Recommendation Related to Segregation of Duties for Invoice Approval	7
OM CONFIRMATION LETTERS AND TRAINING	8
Recommendation Related to OM Confirmation Letters and Training	8
CONTRACT DOCUMENTATION	8
Recommendation Related to Contract Documentation	9
CORPORATION COMMENTS AND OIG EVALUATION	9
APPENDICES
1. OBJECTIVE, SCOPE, AND METHODOLOGY	11
2. SAMPLED INVOICES	16
3. CORPORATION COMMENTS	17
4. MANAGEMENT RESPONSE TO RECOMMENDATIONS	20
5. ACRONYMS USED IN THE REPORT	21


DATE:	September 22, 2008

MEMORANDUM TO:	Bret D. Edwards
	Director, Division of Finance

	Arleas Upton Kea
	Director, Director, Division of Administration

FROM:	Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
	Assistant Inspector General for Audits

SUBJECT:	FDIC’s Controls Over Contractor Invoice Approval, Payment, and Posting to the General Ledgers (Report No. AUD-08-017)

This report presents the results of our audit of the FDIC’s controls over contractor invoice approval, payment, and posting to the General Ledger (G/L). The G/L is the central component of the New Financial Environment (NFE)—the FDIC’s financial management system. The G/L provides accounting, reporting, and decision-making information for the FDIC. The FDIC’s Division of Finance (DOF) is responsible for maintaining the G/L, receiving contractor invoices, verifying payment approvals, issuing disbursements and posting transactions to the G/L. In addition, the Division of Administration’s (DOA) Acquisition Services Branch (ASB) is responsible for developing all contracting policies and procedures and communicating and implementing those policies and procedures throughout the FDIC.

The audit objective was to assess the FDIC’s controls over contractor invoice approval, payment, and posting to the G/L. The audit focused on the FDIC’s control activities intended to provide reasonable assurance that the FDIC (1) meets management directives, such as budget execution; (2) accomplishes control objectives, such as efficient use of FDIC resources; and (3) mitigates risk. Control activities for invoice processing include the segregation of the receiving, invoicing, and purchasing functions; goods and services receipt verification; managerial authorizations; independent review before payment; and pre-payment procedures for Prompt Payment Act (PPA)1 compliance and duplicate payment detection to ensure that only valid transactions are authorized and approved.

¹ The PPA and its implementing regulations from the U.S. Office of Management and Budget, (5 Code of Federal Regulations (C.F.R.) Part 1315) require that agencies, among other things, pay interest to contractors if contractor invoices are not paid in a timely manner, for example, within the period established by the contract. The FDIC, in its corporate capacity, is an agency for purposes of the PPA. Additional information is contained in Appendix 1 under the Compliance with Laws and Regulations section.

We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report discusses our audit objective, scope, and methodology in detail.

BACKGROUND

Of the FDIC’s $992 million in calendar-year 2007 operating expenses, over $250 million represents amounts paid for contracted goods and services. For the 6 months ended June 2008, $121 million of $495 million in operating expenses was for contractor payments. Part of the $121 million was paid based on contractor invoices. Our review included a sample of 30 of 1,148 FDIC invoices, representing $5.7 million of the total $37.5 million in contractor payments from October 2007 through March 2008. The FDIC had assigned 15 Oversight Managers (OM) the responsibility for the review and approval of the 30 sampled invoices (see Appendix 2), representing 18 contractors.

Guidance and Controls Related to Contractor Payments

The FDIC has a number of policies and procedures related to controls over the contractor invoice payment process as described below.

FDIC Circular 4010.3. FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, adopted internal control standards prescribed in the Government Accountability Office (GAO) publication, Standards for Internal Control in the Federal Government. These standards apply to all operations (programmatic, financial, and compliance) and are intended to ensure the effectiveness and efficiency of operation, reliability of financial reporting, and compliance with applicable laws and regulations. Circular 4010.3 requires management to develop and implement controls to ensure that management directives are carried out and to provide reasonable assurance that controls are sufficient to minimize exposure to waste, fraud, and mismanagement.

Key control activities related to contractor payments described in Circular 4010.3 include:

Segregation of Duties. Key duties and responsibilities shall be divided among different individuals such that no one individual should control all key aspects of a transaction to reduce the risk of error or fraud.
Proper Execution of Transactions and Events. Transactions and other significant events shall be authorized and executed only by persons acting within the scope of their authority.
Appropriate Documentation of Transactions and Internal Controls. Internal controls, all transactions, and other significant events shall be clearly documented. This helps to ensure that payment transactions are complete, accurate, and recorded in a timely manner. Documentation shall be readily available for examination.

The circular also requires management to perform monitoring activities to assess the quality of performance over time and the effectiveness of controls. Monitoring activities include routine management and supervisory actions; transaction comparisons and reconciliations; other actions taken in the course of normal operations; as well as separate and discrete control evaluations, including internal self-assessments and external reviews.

The Acquisition Policy Manual. The FDIC’s Acquisition Policy Manual (APM) provides that contract OMs are, among other things, responsible for reviewing and approving invoices promptly for payment to avoid interest on late payments and ensuring that the goods or services contracted for are received and within the scope of the contract. The APM requires that the Contracting Officer provide the program-appointed OM with a Letter of Oversight Manager Confirmation, describing the OM’s authority and responsibilities. Prior to receiving the letter of confirmation, OMs are required to complete training that includes, among other things, the OM role in contract administration.

Interim Acquisition Policy No. 2004-5, CEFile, dated August 10, 2004. The policy states that the Contract Electronic File (CEFile) is the official contract file of record for the ASB. The CEFile is a Web-based template on the FDICnet used to create official contract files and electronically organize and store all pertinent contract file documentation such as the requirements package, contract, contract modifications, and OM’s contract-related records. The policy memorandum states that the Contracting Officers and OMs are responsible to ensure that the CEFile is current, accurate, and complete. The documentation in the file shall be sufficient to (a) provide a complete background as a basis for informed decisions at each step in the acquisition process; (b) support actions taken; (c) provide information for reviews and investigations; and (d) furnish essential facts in the event of litigation or congressional inquiries.

Interim Acquisition Policy No. 2007-02, Establishment of the FDIC Contract Oversight Management Program, dated April 12, 2007. The policy memorandum formally establishes the FDIC Contract Oversight Management Program and states that supervisors must ensure that individuals considered for appointment as OMs obtain certain competencies needed to effectively and efficiently perform delegated contract management duties. On May 11, 2007, ASB notified OMs regarding mandatory classroom training.

Operating Expense Process Memorandum. DOF’s Disbursement Operations Unit (DOU) processes approved invoices for goods and services procured by the FDIC. The FDIC’s Operating Expense Process Memorandum, for calendar year 2007, defines the G/L procedures related to operating expenses, which are included in the Operating Expense line item on the FDIC’s financial statements.

The process memorandum identifies key events and describes the controls provided at each stage as summarized below:

DOU is responsible for the initial receipt and date stamping of invoices and input of information into the NFE Accounts Payable Module. DOU is also responsible for evaluating invoices to ensure compliance with the PPA late payment provisions.
DOU reviews invoice information to verify that it complies with the FDIC-designed vendor invoice format that is acceptable for NFE billing. The standardized invoice form requires vendors to provide mandatory elements, such as the contract/purchase order number, labor categories, hourly rates, period being invoiced, and applicable backup documentation, to determine, among other things, the appropriate fund and expense accounts in the G/L for authorizing the payment transaction. Once approved by DOU, the invoice is routed in NFE to the OM for final approval.
The OM is responsible for reviewing the invoice in accordance with ASB requirements, including the APM. The review is intended to ensure that the invoice is correct and complies with the terms and conditions of the contract and the payments in process do not exceed the specified contract purchase order or task order contract limits and expenditure authority. The Invoice Review Checklist in the APM provides the OM guidelines for reviewing contractor invoices. If the invoice and purchase order are correct, the OM approves the invoice in NFE.
Once the OM approves the invoice in NFE, payments are generally made through an Electronic Funds Transfer (EFT).2 DOU approves the daily electronic payment transactions on-line. EFT payment files are sent to the disbursing bank upon e-mail notification from DOU to DOF’s NFE Servicing and Control Unit (NSCU). The NFE Accounts Payable Module then records the journal entries for the payment transactions and through its system interface with the G/L, automatically posts these transactions to the appropriate fund and expense accounts in the G/L. The Accounts Payable Module has built-in edits to prevent duplicate payments. In addition, daily reports are run and reviewed by DOU to detect suspect invoices that could result in duplicate payments.

The GAO, as part of the annual audit of the FDIC’s financial statements, assesses the controls for contractor invoice payment processing and G/L posting activities. GAO’s audit work includes testing and tracing of contractor invoice payments from approval through disbursements and G/L postings.

² EFT is the electronic movement of funds from one bank account to another, by means of electronically communicated payment instructions.

The DOF Accounts Payable Operating Procedures Manual, November 2006. DOF maintains this manual to document activities and procedures related to the FDIC’s Accounts Payable function. The topics addressed in the Manual include:

Reviewing an Accounts Payable invoice before processing
Accounts Payable pay-cycle review and approval
Auditing large dollar Accounts Payable payments
Reviewing and monitoring for compliance with the PPA
Reviewing and monitoring for duplicate payments
Accounts Payable voucher routing error
Accounts Payable voucher override/matching procedure
Scanning and attaching an invoice voucher
Accounts Payable Electronic Invoice Processing
Processing Accounts Payable Expense Adjustment Voucher

RESULTS OF AUDIT

The FDIC has established and implemented generally adequate controls over contractor invoice approval, payment, and posting to the G/L. The NFE provides an audit trail from the authorized invoice approval through posting of the payment transactions to the G/L. Payment transactions for the 30 sampled invoices were accurately posted to the correct fund and expense accounts in the G/L. Additionally, the FDIC has enhanced its Contract Oversight Management Program to ensure that OMs receive and complete training regarding their roles in reviewing and approving contractor invoices for payment.

However, based on our review of the 30 sampled contractor invoices, representing total FDIC expenditures of $5.7 million, we found that enhanced control activities could improve the OM’s review and approval procedures as described below.

Segregation of duties was lacking for five invoices, representing $239,300 in contractor payments. The same OM prepared and approved two invoices. Another OM submitted the three other invoices directly to DOF for the contractors and then approved those invoices for payment. Properly designed control activities help ensure that no one individual can initiate and approve a transaction. Maintaining the segregation of duties in the invoice payment process would help to reduce the risk of errors or unauthorized transactions.
Three of 15 OMs, who approved 3 invoices, with a total value of $213,150, did not have confirmation letters from Contracting Officers, authorizing the OMs to perform contractor oversight responsibilities, including reviewing and approving invoices for payments. Also, two OMs, who had not completed the required training, approved three invoices totaling $130,600. Confirmation letters and training help to ensure that OMs correctly review and approve invoice payments in accordance with FDIC policies.

The CEFile did not contain 26 out of the 30 invoices sampled, which represented about $1.7 million out of the $5.7 million in contractor payments. OMs did not consistently follow the FDIC’s acquisition policy regarding documenting these contract activities in the CEFile. Timely inclusion of invoices in the CEFile ensures current, accurate, and complete records of contract activities.

Strengthening controls in the areas of the segregation of duties, OM training, and contract file maintenance will help in ensuring the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with FDIC policies and procedures.

PAYMENT PROCESSING AND GENERAL LEDGER POSTING

We found that the FDIC has established and implemented adequate controls over the contractor invoice payment function and corresponding posting to the G/L. The NFE provides an audit trail from the authorized invoice approval through posting the payment transactions. We obtained documentation from DOF and traced the payment transactions of the 30 sampled invoices from NFE approval to disbursement and recording in the G/L. DOU approved the electronic payment transactions for the sampled invoices. After approval, DOU notified NSCU via email that the payment transactions were ready for processing. NSCU sent these payment transactions to the appropriate disbursement banks, and the automated interface in the Accounts Payable Module posted the payment transactions to the correct funds and expense accounts in the G/L.

We were able to verify that the 30 contractor invoices in our sample were paid in the correct amount invoiced and processed in a timely manner within the limits of the PPA late payment provisions. In addition, the edit checks in the Accounts Payable Module for duplicate payments and the DOU procedures for daily monitoring of invoices worked as intended for the sampled invoices. There were no duplicate payments for any of the 30 sampled invoices.

Based on the results of our audit work, we are not making recommendations in these areas. However, we found that management attention is warranted in the areas of the segregation of duties, OM training, and contract file maintenance as discussed below.

SEGREGATION OF DUTIES FOR INVOICE APPROVAL

We found that 5 of the 30 invoices, representing $239,300 in payments, were approved without an adequate segregation of duties. One OM prepared,3 submitted, and approved two invoices, while another OM submitted three invoices directly to DOF for the contractors and then approved them for payment processing.

³ Invoice preparation involved transferring billing data received from the contractor, Benefits Allocation Specialists (BAS), and submitting a supplemental cover page with contract information and cost allocation information into the invoice format required by DOF. The FDIC contracted with BAS to administer certain FDIC employee benefits programs and maintain FDIC employees’ benefits enrollment information.

Having one individual initiate and approve a transaction increases the risk of errors and unauthorized payment transactions. This control weakness occurred because management did not ensure compliance with the segregation of duties requirement for invoice preparation, submission, and approval in accordance with FDIC Circular 4010.3.

The two invoices prepared and approved by the same OM were for certain contracted insurance providers for the FDIC’s employee health benefits programs. The contractors did not have access to certain information needed for billing purposes;⁴ therefore, the OM transferred the billing data from BAS and added the required contract and cost allocation information on the invoices submitted to DOU for payment processing. After receiving notification, through the NFE, that the invoices needed approval, the same OM approved the invoices for payment. Having one individual with the capability to prepare, submit, and approve an invoice increases the risk of errors and could result in unauthorized payment transactions.

The three remaining invoices, which were for expert consulting services, were also submitted and approved without an adequate segregation of duties. The OM for the consulting services contracts received the invoices from the contractor, submitted them to DOF, and approved the invoices for payment.⁵ The Operating Expense Process Memorandum states that the contractor, not the OM, should submit invoices to DOU. The lack of segregation of duties increases the risk of errors or unauthorized payment transactions.

FDIC Circular 4010.3 states that key duties and responsibilities shall be divided among different individuals to reduce the risk of error or fraud. Maintaining appropriate segregation of duties in the invoice payment process is key to safeguarding FDIC resources.

Recommendation Related to Segregation of Duties for Invoice Approval

We recommend that the Director, DOA, work with the Director, DOF, to:

(1) Strengthen controls to ensure segregation of duties for invoice preparation, submission, and approval.

⁴ The BAS database contains sensitive personnel enrollment information such as Social Security numbers, addresses, family members, and their Social Security numbers. The contracted insurance providers do not have direct access to the BAS database.
⁵ The contract for one invoice and a similar contract for two invoices did not specify where to send the invoices. This may result in the need for the contractors to contact the OM for further invoice submission instruction.

OM CONFIRMATION LETTERS AND TRAINING

Three of 15 OMs, who approved 3 of the 30 sampled invoices did not have confirmation letters from Contracting Officers, authorizing them to perform OM responsibilities, including reviewing and approving invoices for payments. The three invoices totaled $213,150. In addition, two OMs approved three invoices totaling $130,600 without first completing the required OM training. Both of these OMs also lacked a confirmation letter from the Contracting Officer. The lack of OM confirmation letters and training occurred because DOA has not been monitoring and periodically assessing compliance with OM authorization requirements. Confirmation letters and training help to (1) ensure that the OMs are fully aware of their authorities and responsibilities and (2) reduce the risk of OMs approving erroneous and/or unauthorized transactions.

The APM requires that a Letter of Oversight Manager Confirmation be issued by the Contracting Officer to the OM, authorizing the OM to perform a number of tasks, including verifying satisfactory delivery of contract terms and/or performance, and reviewing and approving invoices promptly to avoid late payments and incurred interest charges. In addition, Interim Acquisition Policy No. 2007-02, dated April 12, 2007, defines required competencies for OMs, and ASB has established mandatory instructor-led classroom training for OMs regarding FDIC contract oversight management. An important part of the training focuses on the OM role in contract administration, which includes responsibilities for reviewing and approving invoices for contractor payments.

Recommendation Related to OM Confirmation Letters and Training

We recommend that the Director, DOA:

(2) Monitor and periodically assess compliance with the FDIC’s acquisition policy to ensure that designated OMs have received confirmation letters from Contracting Officers and completed required training.

CONTRACT DOCUMENTATION

We found that for the 30 invoices sampled, the CEFile did not contain 26 invoices representing about $1.7 million out of $5.7 million in contractor payments. This occurred because DOA has not been monitoring OM compliance with the requirements to ensure that the CEFile is current, accurate, and complete. As a result, the CEFile documents for 16 of the18 contracts in our sample were not up to date and cannot be relied upon as a record of contract activities.

Interim Acquisition Policy No. 2004-05 indicates that the CEFile is the official contract file of record. Further, DOA issued a memorandum, dated October 18, 2006, to FDIC Contracting Officers and OMs, stating that maintaining the CEFile is an ongoing and continuous process, and it is the responsibility of both the Contract Specialist and the OM to ensure that the CEFile is current, accurate, and complete.

In particular, OMs are required to maintain their contract-related records such as approved invoices in the CEFile. OM contract administration responsibilities are performed corporate-wide. Accordingly, DOA needs to monitor OM compliance with acquisition policy to ensure the CEFile is current, accurate, and complete.

Recommendation Related to Contract Documentation

We recommend that the Director, DOA:

(3) Monitor and periodically assess whether OMs record contract activities, including invoices, in a timely manner to ensure the CEFile is current, accurate, and complete.

CORPORATION COMMENTS AND OIG EVALUATION

On September 12, 2008, DOA and DOF provided a joint written response to the draft of this report. The response is provided in its entirety as Appendix 3 of this report. DOA and DOF concurred with our recommendations and provided planned corrective actions for each recommendation as discussed below.

Regarding recommendation 1 on segregation of duties for invoice preparation, submission, and approval, DOA indicated that the OM’s review and approval procedures could be improved for invoices of the employee health benefits program. Currently, the FDIC’s contractor for administering the employee benefits program, BAS, provides the employee premiums to the FDIC. The DOA Benefits Center staff then creates a separate spreadsheet for the DOU showing the contract name, number, allocation codes, and amounts and sends the entire package as an invoice to DOU for input into the NFE. To improve segregation of duties, DOA’s Benefits Center staff will instruct BAS to include on its invoice the name and number of the contract, dollar amount allocation per budget line, and total dollar amount and send the invoice directly to DOU. This new procedure will be implemented by December 31, 2008.

DOF also agreed to take actions to strengthen segregation of duties controls for invoice preparation, submission, and approval. DOU will implement a process by September 30, 2008, to follow up with OMs who receive an invoice directly from a contractor and subsequently forward the invoice to the DOU for processing. DOU will reinforce to the OM that contractors should submit invoices directly to DOU. Where there is a valid business reason that supports a vendor invoice being first received by the program office, DOF will document this exception and stress to the program office the importance of maintaining appropriate segregation of duties regarding the preparation, submission, and approval of invoices.

With respect to recommendation 2 on OM Confirmation Letters and Training, DOA will monitor and periodically assess compliance with acquisition policy through contract post-award reviews to be conducted by DOA’s Acquisition Services Branch.

DOA indicated that by December 31, 2008, a contract post-award review checklist will be developed to include a review of OM training and appointments.

Regarding recommendation 3 on contract documentation, DOA will include on the contract post-award review checklist being developed (by December 31, 2008) a review of the CEFile to ensure that all applicable documentation is included in that file.

A summary of management’s response to the recommendations is in Appendix 4. We consider the planned actions to be responsive to the recommendations. The recommendations are resolved but will remain open until we have determined that agreed-to corrective actions have been completed and are responsive.

APPENDIX 1 OBJECTIVE, SCOPE, AND METHODOLOGY

Objective and Scope

The audit objective was to assess the FDIC’s controls over contractor invoice approval, payment, and posting to the G/L. We conducted this performance audit from April through July 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The scope of the audit was the contractor invoices processed in the NFE Accounts Payable Module for the 6-month period of October 1, 2007 through March 31, 2008. The scope was limited to EFT and check payments for FDIC contractor invoices. We obtained information regarding these contractor payment transactions from a query of the NFE Accounts Payable Module.

Methodology

To accomplish our objective, we:

Judgmentally selected 30 invoices out of the 1,148 total invoices processed through the NFE Accounts Payable Module during the period of October 1, 2007 through March 31, 2008.⁶ Our sample included invoices from six FDIC divisions, the Division of Resolutions and Receiverships (DRR), Division of Insurance and Research (DIR), DOA, Division of Information Technology (DIT), Legal Division, and the FDIC’s Corporate University. These invoices were for contracts managed by both FDIC Headquarters and the Dallas Regional Office. The selected invoices ranged from over $1 million to less than $2,000.
Interviewed the OMs for each of the 18 contracts associated with the 30 invoices in our sample. Examined OM files and reviewed the OM procedures for reviewing and approving FDIC invoices. Obtained documentation on OM confirmation letters and training requirements. We reviewed electronic documents stored in the CEFile, as well as working documents stored separately by the OMs to assist with their review and approval of invoices.
Examined each invoice to determine whether the OMs had carried out their responsibilities related to invoice review as described in their letters of confirmation. Key responsibilities include receiving and accepting deliverables, verifying satisfactory contract performance before approving invoices for payment, reviewing and approving invoices promptly to avoid late payment interest charges, and ensuring that the dollar values of invoices do not exceed the expenditure authority.

⁶ The results of a non-statistical sample cannot be projected to the intended population by standard statistical methods.

APPENDIX 1

Queried the CEFile to verify whether the following contract documentation related to the sampled invoices was included in the files: OM confirmation letters, OM-approved invoices, the contracts, contract modifications, and correspondence related to the contract events and transactions.
Reviewed the documentation stored in NFE to support the posting of the 30 sampled invoice transactions to the G/L and to verify that the amounts had been paid and cleared the disbursement bank.
Queried the NFE Accounts Payable Module to trace invoices through the entire process--from approval to the bank clearance. The key steps in this process are OM invoice approval, DOF invoice input into NFE, preparation of contractor payments within NFE, the posting of each transaction to the G/L, and the funding of payments through payment vouchers.
Verified that the 30 invoices in our sample had been paid within the required timeframes of the PPA provisions regarding late payments.
Considered relevant provisions of the FDIC’s policies pertaining to the following:
- The FDIC’s APM, which provides FDIC policy on contracting for products and services.
- The FDIC’s Circular 4010.3, FDIC Enterprise Risk Management Program, which adopts the internal control standards prescribed in the GAO publication, Standards for Internal Control in the Federal Government. These standards apply to all operations (programmatic, financial, and compliance) and are intended to ensure the effectiveness and efficiency of operation, reliability of financial reporting, and compliance with applicable laws and regulations. Circular 4010.3 requires management to develop and implement controls to ensure that management directives are carried out and to provide reasonable assurance that controls are sufficient to minimize exposure to waste, fraud, and mismanagement.
- GAO’s publication, Standards for Internal Control in the Federal Government, as largely adopted in FDIC Circular 4010.3.
- DOF’s Accounts Payable Operating Procedures Manual, which documents the activities and procedures related to the FDIC’s Accounts Payable function.

We performed our audit work at the FDIC’s Headquarters offices in Arlington, Virginia, and Washington, D.C., and the Dallas Regional Office.

APPENDIX 1

Internal Controls

We identified the key control points in the FDIC’s invoice payment processes. Our tests addressed these key control activities:

The separation of duties between receiving, billing, and purchasing functions.
The required verification of receipt of goods and services before payments can be authorized.
The required authorization (OM confirmation letters and FDIC contract oversight management training) for OMs to carry out their responsibilities.
DOF’s independent review of invoices for compliance with the FDIC’s billing policies.
DOF’s review for suspect invoices prior to payment processing.
DOF managerial review and approval of funding payments.

Reliance on Computer-processed Information

In performing this audit, we relied on data from the NFE and CEFile. We confirmed the accuracy of the data through tracing to source documents and considered the reasonableness of data such as electronic timesheets of hours charged on invoices.

Performance Measurement

We reviewed the FDIC’s 2008 Annual Performance Plan and found that it did not contain specific goals, objectives, or performance measures that were relevant to our audit. We did note that DOF maintains a Balanced Scorecard to track initiatives, targets, and accomplishments. The Balanced Scorecard for 2007 indicates a number of accomplishments that enhance the controls over contractor invoice approval, payment, and posting processes:

Under Internal Operational Excellence, DOF had an objective of continuous improvement. In 2007, the target of having all hard copies of contractor invoices scanned into NFE and electronically routed to the OM had been accomplished. Procedures have been written, and new contracts are being written to encourage vendors to submit invoices electronically.
Under Promoting Financial Stewardship, DOF has completed a formal program of post-payment controls, reviews, and monitoring and incurred only $1,982 in interest related to the PPA for 2007.

APPENDIX 1

Compliance with Laws and Regulations

The following laws and regulations are relevant to the FDIC’s controls over contractor invoice approval, payment and posting to the G/L:

The Federal Managers’ Financial Integrity Act (FMFIA) (31 United States Code 3512, subsection (b)) states the head of each executive agency shall establish and maintain systems of accounting and internal controls that provide complete disclosure of the financial results of the activities of the agency and adequate financial information the agency needs for management purposes. In addition, FMFIA requires the head of each executive agency to establish internal accounting and administrative controls that reasonably ensure that (1) obligations and costs comply with applicable law; (2) all assets are safeguarded against waste, loss, unauthorized use, and misappropriation; and (3) revenues and expenditures applicable to agency operations are recorded properly so that accounts and reliable financial and statistical reports may be prepared and accountability of assets may be maintained. While the FDIC is not an executive agency for purposes of the FMFIA, provisions of the FMFIA became applicable to the FDIC via the Chief Financial Officers Act of 1990, described below.
The Chief Financial Officers Act of 1990 (CFOA) requires that government corporations such as the FDIC submit an annual management report to the Congress that includes a statement on internal accounting and administrative control systems by the head of the management of the corporation, consistent with the requirements for agency statements on internal accounting and administrative control systems under the amendments made by the FMFIA. CFOA also requires the Inspectors General to audit their agencies’ financial statements unless the GAO conducts the audit instead.
The Federal Deposit Insurance Act (FDI Act), section 17(e), requires that the financial transactions of the FDIC be audited by the GAO in accordance with the principles and procedures applicable to commercial corporate transactions and under such rules and regulations as may be prescribed by the Comptroller General of the United States.
Two Office of Management and Budget (OMB) Circulars related to internal controls and financial management systems were issued to guide agency compliance with FMFIA.
- Circular No. A-123, Management’s Responsibility for Internal Control, notes the provisions of FMFIA regarding internal controls, then specifies requirements for assessing internal control, correcting internal control deficiencies, and reporting on internal control. The circular’s high-level discussion does not prescribe specific control or assessments for a particular type of account, but the circular's principles are applicable to all types of agency internal control.

APPENDIX 1

Circular No. A-127, Financial Management Systems, deals with financial management systems, i.e., systems that can be used for processing and reporting data about financial events; supporting financial planning or budgeting activities; accumulating and reporting cost information; or supporting the preparation of financial statements. Financial management systems form a portion of the management control structure required by Circular No. A-123. Circular No. A-127 has a number of provisions addressing the U.S. Government Standard General Ledger and on the internal control aspects of financial management systems, among other things. The circular includes various requirements for systems as well as related agency responsibilities, to include the development of financial management inventories, plans, reviews, and directives.

Circular No. A-127 also references OMB Circular No. A-130, Management of Federal Information Resources, indicating that the circular applies to all agency information resources, including financial management systems as defined in Circular No. A-127. Circular No. A-130 addresses various issues related to information technology systems, as well as paper-based systems.

The FDIC has determined that to the extent that Circulars No. A-123 and No. A-127 articulate the standards of FMFIA, the FDIC should adhere to those standards. Moreover, the FDIC is not bound by the letter of the circulars, but as long as the FDIC develops internal controls that are consistent with the goals of FMFIA, the FDIC will have met its legal obligations. Most provisions of Circular No. A-130 apply to the FDIC.

The PPA and/or its implementing regulations (5 C.F.R. Part 1315), require generally that agencies pay vendor invoices timely and include interest in their payments if (1) payment is made after the contractual due date or due date established by the regulations, as appropriate, or (2) if agencies claim discounts beyond the indicated discount period. We refer to these provisions as the “late-payment provisions.” The Act or the regulations also contain detailed requirements for invoice content, receipts of goods and services, and contract documentation. According to the regulations, agencies should pay invoices close to, but not later than, the applicable due dates. Moreover, agencies should have adequate controls governing the payment process, consistent with OMB Circular Nos. A-123 and A-127 as discussed above.

The FDIC has determined that the Act is applicable to invoices relating to the FDIC in its corporate capacity but generally not its receivership capacity unless contract terms are to the contrary.

We assessed DOA’s and DOF’s internal controls and practices for invoice approval, payment, and posting payment transactions to the G/L for consistency with the above laws and regulations, although we limited our assessment of the PPA to late payment provisions.

We assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.

APPENDIX 2 SAMPLED INVOICES

FDIC Division	Invoice Number	Invoice Amount	FDIC Contract Number	OM Location
Corporate University	2107	$21,932.70	CORHQ0893	Headquarters
Corporate University	FDIC2008-01-101	$1,787.50	CORHQ178	Headquarters
DIR	FDIC55	$3,360.00	CORHQ1011	Headquarters
DIR	FDIC56	$3,680.00	CORHQ1011	Headquarters
DIR	07-004	$9,416.67	CORHQ1022	Headquarters
DIT	028-0002045571	$1,634,809.42	CORHQ680	Headquarters
DIT	031-0002061105	$1,223,357.56	CORHQ680	Headquarters
DIT	FDAD0907	$442,695.16	CORHQ896	Headquarters
DIT	FDAD1207	$688,108.30	CORHQ896	Headquarters
DIT	400439	$85,252.62	CORHQ904	Headquarters
DOA	25432	$22,690.79	CORHQ802	Headquarters
DOA	25506	$50,961.22	CORHQ802	Headquarters
DOA	METLIFE-PP02-08	$192,129.45	CORHQ906	Headquarters
DOA	VSP-PP21-07	$30,719.75	CORHQ919	Headquarters
DOA	KC00683625	$133,592.73	CORHQ987	Headquarters
DOA	KC00688644	$214,746.14	CORHQ987	Headquarters
DRR	278440	$32,100.00	CORFD120	Dallas Regional Office
DRR	07-F-009-A	$35,310.99	CORFD189	Headquarters
DRR	08-F-002-A	$14,785.00	CORFD189	Headquarters
DRR	2785.84-022908	$2,785.84	CORFD205	Dallas Regional Office
DRR	401676	$21,246.00	CORFD285	Headquarters
DRR	8000574104	$292,384.07	CORFD313	Dallas Regional Office
DRR	8000574104B	*($22,384.07)	CORFD313	Dallas Regional Office
DRR	8000574104D	$22,384.07	CORFD313	Dallas Regional Office
DRR	8000608194	$356,362.35	CORFD313	Dallas Regional Office
DRR	401680	$12,468.97	CORFD317	Headquarters
DRR	201-1225	$36,366.00	CORFD42	Dallas Regional Office
DRR	201-1234	$36,366.00	CORFD42	Dallas Regional Office
Legal	083681	$14,580.96	CORHQ135	Headquarters
Legal	3373810827	$95,797.34	CORHQ979	Headquarters

Source: OIG Analysis of NFE payment transactions processed from October 1, 2007 through March 31, 2008.

*This amount was deducted from the invoice because the OM initially deemed that travel expenses were not allowed under the contract for this invoice. However, the OM subsequently determined that the travel expense was allowable on the contract and approved the billed travel expense.

APPENDIX 3 CORPORATION COMMENTS

FDIC, Federal Desposit Insurance, 3501 Fairfax Drive, Arlington, VA, 22226-3500

DATE:	September 12,2008

MEMORANDUM TO:	Russell A. Rau
	Assistant Inspector General for Audits

FROM:	Arleas Upton [Electronically produced version; original signed by Arleas Upton]
	Director, Division of Administration

	Karen J. Hughes [Electronically produced version; original signed by Karen J. Hughes]
	Deputy Director/Controller

SUBJECT:	Management Response to the Draft OIG Audit Report Entitled, FDIC's Controls Over Contractor Invoice Approval, Payment, and Posting to the General Ledger (Assignment No. 2008-015)

This is in response to the subject Draft Offce ofInspector General (OIG) Audit Report, issued August 13, 2008. In its report, the OIG made three recommendations to the Division of Administration, one of which includes coordination with the Division of Finance.

We appreciate that the OIG noted in its report that the FDIC has established and implemented adequate controls over the contractor invoice payment function and corresponding posting to the general ledger. However, we recognize that additional steps could be taken to enhance these controls. This response outlines the planned corrective actions for each of the recommendations cited in the OIG's Report.

MANAGEMENT DECISION

Finding: Segregation of Duties Requirement for Invoice Approval

Recommendation 1: That the Director, Division of Administration (DOA), work with the Director Division of Finance (DOF) to strengthen controls to ensure segregation of duties for invoice preparation, submission, and approval.

Management Response 1: DOA and DOF concur with the recommendation.

DOA Corrective Action: With regards to the employee health benefits program invoices identified in the OIG's Draft Report, DOA acknowledges that enhanced control activities could improve the OM's review and approval procedures related to the review and approval of these invoices. Currently, the FDIC's third party vendor, BAS, provides the invoice for employee premiums to FDIC. The DOA Benefits Center staff creates a separate spreadsheet for DOF Disbursement Operations Unit (DOU) showing the contract name, number, allocation codes, and amounts and sends the entire package to DOF DOU for input into NFE. To eliminate any appearances of non-segregation of duties, the Benefits Center staff will instruct BAS going forward to include the name of the contract, contract number, dollar amount allocation per budget line and total dollar amount on their invoice and send the invoice directly to DOF DOU.

APPENDIX 3

This new procedure should be implemented by December 31, 2008.

Completion Date: December 31, 2008.

DOF Corrective Action: It is the FDIC practice to have all contractor invoices sent directly to the DOU, within DOF. DOU will implement a process to follow up with Oversight Managers (OM) who receive an invoice directly from a contractor and subsequently forward the invoice to the DOU for processing.

Upon identification of the circumstance noted above, the DOU will reinforce to the OM that contractors should submit invoices directly to the DOF DOD. In the rare situation where there is a valid business reason which supports a vendor invoice being first received by the program office, DOF will document this exception and stress to the program offce the importance of maintaining appropriate segregation of duties regarding the preparation, submission, and approval of invoices.

Completion Date: September 30, 2008.

Finding: OM Confirmation Letters and Training

Recommendation 2: That the Director, DOA, monitor and periodically assess compliance with the FDIC's acquisition policy to ensure that designated OMs have received confirmation letters from Contracting Offcers and completed required training.

Management Response 2: DOA concurs with the recommendation.

Corrective Action: DOA will monitor and periodically assess compliance with acquisition policy through contract post-award reviews. These reviews will be accomplished by the Acquisition Services Branch, Policy and Operations section. In order to establish the review process, DOA is developing a contract post-award review checklist to include a review of OM training and appointments. Development of the checklist should be completed by December 31, 2008.

Completion Date: December 31, 2008.

Finding: Contract Documentation

Recommendation 3: That the Director, DOA, monitor and periodically assess whether OMs record contract activities, including invoices, in a timely manner to ensure the CEFile is current, accurate, and complete.

Management Response 3: DOA concurs with the recommendation.

APPENDIX 3

Corrective Action: As discussed in the DOA response to Recommendation 2, DOA is in the process of developing a contract post-award review checklist. This list will be used to accomplish on-going contract post-award reviews. The list will include a review of CEFile to ensure that all applicable documentation is filed in the offcial contract fie in CEFile. Development of the list will be completed by December 31, 2008.

Completion Date: December 31, 2008

If you have any questions regarding this response, the points of contact for DOA is William Gately at (703) 562-2118, and for DOF is Craig Sweeney at (703) 562-6209.

cc: Bret D. Edwards, DOF

Glen Bjorklund, DOA
Michael J. Rubino, DOA
Elizabeth Walker, DOA
Robert C. Waldron, DOF
J. Craig Sweeney, DOF
James H. Angel, Jr., OERM
William J. Gately, Jr., DOA
Barbara Glasby, DOF

APPENDIX 4 MANAGEMENT RESPONSE TO RECOMMENDATIONS

Rec. No.	Corrective Action: Taken or Planned	Expected Completion Date	Monetary Benefits	Resolved:^a Yes or No	Open or Closed^b
1	DOA’s Benefits Center staff will instruct BAS, the contractor for administering the employee benefits programs, to include the required information on the invoices for the program and send the invoices directly to DOF.	12/31/2008	NA	Yes	Open
	DOF will implement a process to follow up with OMs who receive an invoice directly from a contractor and forward the invoice to DOF for processing. DOF will reinforce to the OM that contractors should submit invoices directly to DOF. If there is a valid reason for a vendor invoice being first received by the program office, DOF will document this exception and stress to the program office the importance of maintaining segregation of duties for invoice preparation, submission, and approval.	9/30/2008
2	DOA will include a review of OM training and appointments on a new review checklist for contract post-award reviews to be conducted for contract compliance.	12/31/2008	NA	Yes	Open
3	DOA will also include on the contract post-award review checklist a CEFile review to ensure that all contract documentation is in the files.	12/31/2008	NA	Yes	Open

^a Resolved –	(1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
	(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
	(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

^b Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.

APPENDIX 4 ACRONYMS USED IN THE REPORT

APM	Acquisition Policy Manual
ASB	Acquisition Services Branch
BAS	Benefits Allocation Specialists
CEFile	Contract Electronic File
CFOA	Chief Financial Officers Act of 1990
C.F.R.	Code of Federal Regulations
DIR	Division of Insurance and Research
DIT	Division of Information Technology
DOA	Division of Administration
DOF	Division of Finance
DOU	Disbursement Operations Unit
DRR	Division of Resolutions and Receiverships
EFT	Electronic Funds Transfer
FASAB	Federal Accounting Standards Advisory Board
FASB	Financial Accounting Standards Board
FDI Act	Federal Deposit Insurance Act
FMFIA	Federal Managers’ Financial Integrity Act
GAAP	Generally Accepted Accounting Standards
GAO	Government Accountability Office
G/L	General Ledger
NFE	New Financial Environment
NSCU	NFE Servicing and Control Unit
OIG	Office of Inspector General
OM	Oversight Manager
OMB	Office of Management and Budget
PPA	Prompt Payment Act

Last updated 1/12/2009