Department of Justice Process for Identifying, Preventing, and Recovering Improper and Erroneous Payments
Audit Report 05-19
April 2005
Office of the Inspector General
Our audit determined that the risk assessments conducted by the USMS and OJP were not adequate to completely measure the risk of improper payments in all programs administered. In addition, we found weaknesses in certain policies and procedures used to prevent improper payments at the FBI and USMS. These conditions could cause improper payments to go undetected and therefore not be recovered. Many of the causes of improper payments can be traced to the lack of or an inadequate system of internal control. According to information obtained from the Chief Financial Officers Council and the President’s Council on Integrity and Efficiency, the causes for improper payments can be broken down into the following three broad categories:
To accomplish the objectives of this audit, we interviewed component officials and reviewed policies and procedures used by the BOP, OJP, FBI, and USMS to identify and prevent improper payments. In addition, we reviewed each component’s IPIA report, which included its program risk assessment, and compared each report to the IPIA reporting requirements. As detailed in the Introduction section of this report, the IPIA requires a risk assessment of all programs to identify those that are susceptible to significant improper payments. Guidance provided by OMB in accordance with the IPIA requires each agency to conduct a full program inventory and describe the risk assessment it performed on that inventory, including a listing of all risk-susceptible programs. In reviewing the risk assessments conducted by the four components, we noted that none of the assessments included an analysis or consideration of the material weaknesses, reportable conditions, or noncompliance matters resulting from the component’s annual financial statement audit.8 All of the components reviewed had either material weaknesses, reportable conditions, noncompliance matters, or some combination of the three reported in the FY 2004 financial statement audits. In addition, the Department received an overall disclaimer of opinion for its consolidated FY 2004 financial statement audit based on the significance of the findings within OJP. In our opinion, certain internal control issues could increase the risk of making improper payments. Thus, a thorough risk assessment should include a review of any reportable conditions or material weaknesses noted by the independent auditors and an analysis of whether those weaknesses or conditions could potentially impact the risk of making improper payments. The management of the components we reviewed, as well as JMD, agreed that this would be useful information to include in future risk assessments. In addition to the consideration of the annual financial statement audit results, we noted the following conditions during our review of policies and procedures used to identify and prevent improper payments, and in the risk assessments prepared by each component. The Department piloted a recovery audit program in FY 2003 and FY 2004, using a private contractor. This pilot included the Department’s Offices, Boards and Divisions (OBDs) and the BOP. The BOP’s portion of the recovery audit program was initiated in September 2003. This effort is designed to identify and recover improper payments. Initially, the contractor is reviewing BOP’s payments made from 1999 through 2004 and had not completed its review at the time our fieldwork ended in November 2004. As of September 2004, a total of $216,656 in improper payments had been identified and confirmed. The BOP had recovered $211,251 of this amount, or nearly 98 percent. Further information regarding the BOP’s recovery audit program is detailed under Finding II of this report. According to BOP management, it has an internal control structure in place to prevent improper payments.9 That structure includes written policies and procedures, the use of customized forms for recording multiple payments on one invoice, and the use of a three-tiered payment approval process. In addition, controls are built into the BOP’s financial management system, which generates a report of potential duplicate payments. The BOP also has a Program Review Division, which conducts internal audits at BOP institutions on a rotating basis, at least once every three years. These audits include transaction testing. Finally, BOP policies state that certifying officers are held accountable for each voucher they approve for payment. In August 2004, the BOP submitted a report to JMD in accordance with the IPIA, which included a description of the BOP’s risk assessment. However, according to BOP management, the assessment included in the report was not representative of the assessment actually conducted. The report indicated that the BOP’s risk assessment consisted only of the overall opinion from of its annual financial statement audit and the results of its recovery audit efforts, and did not contain details for the BOP’s program inventory, as required. When we interviewed BOP managers, they stated they were unsure of what specifically to report, because it was the first year these reports were required. They also indicated that the risk of improper payments was actually assessed in two primary payment program areas: vendor payments and travel reimbursements. Further, they stated that the risk assessment also included a review of internal controls and of its internal program reviews. When we discussed this issue with BOP managers, they concurred with our finding that the risk assessment detailed in the BOP’s IPIA report was not reflective of the assessment actually conducted, and agreed to include a more complete risk assessment narrative in future IPIA reports. In October 2004, OJP signed an agreement with a private contractor to initiate a recovery audit effort. In addition to the audits and reviews conducted by its External Oversight Division, OJP officials plan to utilize this recovery audit effort to identify its improper payments. Initially, the contractor will review payments from FY 2003 and FY 2004, but may expand into earlier years, depending on the results of the initial review. Because OJP is in the initial phases of this program, no improper payments had been identified at the time of our fieldwork. However, OJP estimates that approximately $1.3 million in improper payments will be identified and recovered utilizing this program. Further information regarding OJP’s recovery audit program is detailed under Finding II of this report. According to OJP management, there is an internal control structure in place to prevent improper payments.10 That structure includes written policies and procedures for processing invoices, internal audits, the use of reports to compare obligations to source documents, and controls built into OJP’s financial management system, including an invoice tracking system. In addition, OJP policies state that certifying officers are held accountable for payments they approve. OJP’s External Oversight Division conducts reviews of grantees using a risk-based model, and these reviews include transaction testing. In August 2004, OJP submitted a report to JMD in accordance with the IPIA, which included a description of OJP’s risk assessment. In its report, OJP stated that it “has encountered no instances of improper grant payments.” When we asked OJP management about this statement, we were told that OJP’s FY 2004 internal reviews revealed no instances of payments being made to incorrect grantees, and the statement did not refer to unallowable costs or funds not used in accordance with grant conditions. In FY 2004, OJP reported making over 82,000 grant payments totaling nearly $5.7 billion. In our judgment, the magnitude of these payments poses a significant risk of improper payments to incorrect grantees. In addition, the program inventory and assessment included in OJP’s IPIA report was inadequate and incomplete. This program inventory and assessment only included grant payments and not any other payments made by OJP, such as vendor payments, travel reimbursements, and payments made under various initiatives, such as the Southwest Border Prosecution Initiative, Bulletproof Vest Partnership, or the State Criminal Alien Assistance Program. The lack of a complete risk assessment of improper payments was also identified as a noncompliance issue during OJP’s independent financial statement audit for FY 2004.11 When we discussed this issue with OJP managers, they concurred with our finding and agreed to conduct a complete program inventory and risk assessment, and include the results in future IPIA reports. Federal Bureau of Investigation The FBI does not yet have a formalized recovery audit program in place, but FBI managers stated that the FBI utilizes several methods to identify improper payments. The FBI has an informal system to identify improper payments from many sources, including voucher examiners, refund checks received, and inquiries from vendors. In addition, the FBI utilizes the results of internal reviews at each field office and reviews conducted by its Inspections Division to identify potential improper payments. Improper payments are tracked and monitored on a spreadsheet. In FY 2004, the FBI identified $292,137 in improper payments made in 2004. It had recovered $237,160 or 81 percent of those payments at the time of our fieldwork. Our recommendation to implement a recovery audit program, which is detailed in Finding II of this report, addresses the lack of a formalized system to identify improper payments. According to the FBI’s management, it has an internal control structure in place to prevent improper payments.12 That structure includes written policies and procedures, the use of exception reports, the monthly closing process of its financial management system, and ongoing employee training. In addition, the FBI has two internal review functions – one at the field office level and the other by its Inspections Division. These reviews are conducted on a rotating basis and include transaction testing. FBI officials also stated that all employees are responsible for reducing improper payments, and this element is included in the FBI management’s Performance Work Plans. During our fieldwork we determined that the FBI had a Desk Guide that contained invoice processing procedures. However, we could not verify that this guide had been provided to the appropriate personnel. For example, when we asked to review a copy of this guide, employees responsible for processing invoices could not produce one. When we brought this to the attention of FBI management, we were provided with a copy of the guide. We believe that employees who process invoices should have direct access to written policies and procedures, which are a necessary control to help prevent improper payments. FBI management concurred with our observation and agreed to provide each employee responsible for processing invoices with a copy of this guide. In September 2004, the FBI submitted a report to JMD in accordance with the IPIA, which included a thorough program inventory and a description of its risk assessment. The report contained all of the required elements, and we noted no deficiencies in the report. United States Marshals Service The USMS does not have a mechanism in place to identify improper payments. USMS officials asserted the USMS had a low risk of making improper payments because of sufficient internal controls. Thus, no improper payments had been identified or recovered. During this audit, we did not conduct a complete assessment or testing of the USMS’ internal control structure, so we do not endorse this assertion. While we acknowledge that a solid internal control structure can be instrumental in reducing the risk of making improper payments, it does not necessarily eliminate the occurrence of improper payments, and therefore it is crucial for the USMS to have a mechanism in place to identify improper payments actually made. The results of a recovery audit program could be utilized to identify specific programs with improper payments. Thus, our recommendation to implement a recovery audit program, which is detailed under Finding II of this report, addresses the lack of a formalized system to identify improper payments. According to USMS management, the USMS’s internal control structure includes written policies and procedures, controls built into its financial management systems, and a multi-tiered invoice review and approval process.13 Further, USMS officials stated that they relied on their annual financial statement audit’s opinion, past and ongoing audits by the Office of the Inspector General, and internal controls as a basis for asserting that it doesn’t make improper payments. Officials in the USMS’s Prisoner Services Division also stated that reviews had not been conducted at the district office level in the past three to four years due to budget constraints and an ongoing reorganization of the division. A recent restructuring has led to the creation of two organizations, the Inspections Division and Internal Affairs, which the USMS states will begin routine reviews of district offices and detention agreements that will include transaction testing. Policies for this function were in the draft stages at the time of our fieldwork, and USMS personnel believed that these reviews would begin in early 2005. In our judgment, these reviews are an important internal control for identifying and preventing potential improper payments, and we agree they should include transaction testing of prior payments. In September 2004, the USMS submitted a report to JMD in accordance with the IPIA, which included a very brief description of its risk assessment. However, we concluded that the assessment in the report was inadequate and incomplete. It contained only a limited summary of prior audit results. In addition, the report did not contain details of the USMS’s program inventory, as required by OMB guidance. According to USMS officials, no program inventory was conducted. For the risk assessment, the USMS selected a judgmental sample of 15 invoices from all invoices paid in FY 2004 that exceeded $400,000. Those payments were then traced back to supporting documentation, and no improper payments were found. When we reviewed the sample of 15 invoices, we noted that the payments did not include those made from all USMS programs (e.g. travel and purchase cards, employee reimbursements, prisoner medical payments, detention agreement payments, and witness security payments). Further, we believe that the $400,000 threshold is too high, because improper payments can occur at levels far below $400,000. When we discussed these issues with USMS officials, they concurred with our findings. They agreed to conduct a complete program inventory, lower the threshold for future risk assessments so that payments from all programs are tested, and include a complete description of this program inventory and risk assessment in future IPIA reports. We recommend that the BOP:
We recommend that OJP:
We recommend that the FBI:
We recommend that the USMS:
Our audit determined that the FBI, OJP, and USMS did not have processes in place to determine the full extent of improper payments made. Further, none of the four components we audited had established a fully-documented program to recover improper payments. We also found that recovery audit guidance provided by JMD could be improved. These conditions result from component management not placing priority on implementing a recovery audit effort, and from the lack of a comprehensive Departmentwide recovery audit program policy. These conditions increase the risk of improper payments not being identified and recovered, and in the Department not being in full compliance with Public Law 107-107, which requires each agency to have a recovery audit program in place. Measuring the extent of improper payments is an essential step in assessing the need for and types of corrective actions required to manage improper payments and help ensure efficient and effective program operations. According to the GAO, “nondisclosure of improper payment amounts may indicate the absence of a significant level of improper payments or that agencies are unable to or did not attempt to determine or estimate the amount of improper payments in their programs or activities.”14 It is difficult for a component to be able to accurately assess the extent of its improper payments if it does not have a recovery audit program in place. A recovery audit program includes a comprehensive review of prior payments to determine whether they were improper. A recovery audit program looks for several types of improper payments, including: 1) duplicate payments, 2) payments made that were not in accordance with an applicable contract, 3) payments made for incorrect amounts, 4) payments for which allowable discounts were not taken, and 5) payments made for goods or services not received. While recovery audits can serve as an important vehicle for recovering improper payments already made, the results of these audits can also be used to determine the extent of improper payments and to identify systemic control weaknesses. During our audit, we reviewed the laws and regulations applicable to recovery audit activities. In addition, we reviewed the policies and procedures used by the BOP, FBI, OJP, and USMS to quantify and recover improper payments. We also interviewed officials at each of these components who were responsible for recovery audit activities, and we reviewed policies implemented by JMD relating to recovery audits. When conducting audit work at JMD, we determined that a written policy for recovery audits for the Department’s OBDs had been implemented, but no recovery audit policy for other Department components had been established. According to JMD management, the Department had mandated that all components establish and implement a recovery audit program, but JMD had not implemented an official policy because it wanted to allow each component time to develop a policy that would best fit its individual and unique circumstances. However, during our audit of the four components, we determined that each component’s recovery audit effort was in different stages of development and implementation. Under these circumstances, we believe the development and implementation of a Departmentwide policy could ensure that each Department component is undertaking adequate efforts to recover improper payments. For example, the BOP and OBDs had contracted with a private recovery audit contractor to identify improper payments. This effort began in late FY 2003 and early FY 2004. As of September 2004, a total of $1,156,949 in improper payments had been identified, and $959,108 or nearly 83 percent had been recovered.15 However, as detailed in the following pages of this report, OJP signed an agreement to initiate recovery audit activities in October 2004. Thus, OJP’s recovery audit program was in the initial stages at the time of our fieldwork, so no improper payments had yet been identified or recovered. Further, the FBI had only begun researching options for a recovery audit program, and had not yet implemented a formal program. The USMS had no recovery audit program in place and had not made any decisions regarding the implementation of a program at the time of our fieldwork. Because of this lack of consistency among Department components, we believe that a Departmentwide recovery audit policy is necessary. This policy should include the scope (e.g. which years and payment amount thresholds), the types of payments that must be included in each component’s program (e.g. vendor payments, grant payments, contract payments, and detention and intergovernmental service agreement payments), and payment search criteria (e.g. data fields within automated financial systems). In addition, some components we audited agreed that Departmentwide guidance would be beneficial. When we discussed this issue with JMD officials, they agreed that enough time had passed and they would now develop and implement a Departmentwide policy for recovery audits. We also noted that JMD did not have an official reporting mechanism for it to monitor each component’s recovery audit activities on a regular, ongoing basis. While each component is required to report all recovery audit activities for the Department’s annual PAR, no structure for monitoring ongoing progress reports existed. In our opinion, regular status reporting to JMD of each component’s recovery audit activities and accomplishments would not only allow JMD to monitor the Department’s ongoing progress, but would also encourage each component to focus on its recovery audit efforts. We discussed this issue with JMD officials and they agreed that quarterly status reporting for recovery audit activities would be helpful in monitoring the Department’s progress. They agreed to prepare and implement a written policy. Our audit found that the BOP had determined the extent of its improper payments and had established a method for recovery. As previously mentioned, the BOP was using a contractor to conduct recovery audits. This effort started in September 2003 and payments made from 1999 through 2004 are now being reviewed. While the effort is ongoing, as of September 2004, $216,656 in improper payments had been identified, and $211,251 or nearly 98 percent had been recovered. However, we noted that the BOP had not implemented written policies and procedures for its recovery audit program. In our judgment, written policies and procedures are an important aspect of any program, and should include information such as: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. We discussed this with BOP officials and they agreed to establish and implement written procedures for BOP’s recovery audit program. Our audit found that OJP had not determined the extent of its improper payments, but had established a method of recovery. As previously detailed, OJP contracted with a private company to conduct recovery audits of its vendor payments. The contract was signed in October 2004. As of the time of our fieldwork, no improper payments had been identified or recovered. The initial phases of the program will focus on payments made in FY 2003 and FY 2004, and depending on the results of the audits, may then be expanded to prior years. In our opinion, this recovery audit program, once fully implemented, will enhance OJP’s ability to determine the extent of its improper payments and recover those payments. In addition, we believe that the scope of these audits should extend beyond 2003, and should be addressed in a Departmentwide recovery audit policy. OJP’s recovery audit effort does not include a review of grant payments. Officials at OJP stated that its External Oversight Division reviews grant payments and its internal audit group will begin examining payments made under its State Criminal Alien Assistance Program. In addition, they believed that these reviews, combined with the recovery audits being conducted by the contractor, satisfied the intent of the IPIA. However, we noted that OJP’s IPIA report and risk assessment only included grant payments. In FY 2004, OJP reported making over 82,000 grant payments totaling nearly $5.7 billion. While the IPIA and OMB guidance do not address specific types of payments, because of the volume of these grant payments and the resultant potential improper payment risk we believe that OJP’s grant payments should be included in its recovery audit effort. Further, OJP had not implemented written policies and procedures for its recovery audit program. In our judgment, written policies and procedures are an important aspect of any program, and should include information such as: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. We discussed this with OJP officials and they agreed to establish and implement written policies and procedures for their recovery audit program. Federal Bureau of Investigation We determined that the FBI did not have processes in place to determine the full extent of its improper payments, and it did not have a formalized mechanism to recover improper payments already made. As mentioned previously, the FBI has an informal process to identify improper payments. In FY 2004, the FBI identified $292,137 in improper payments and had recovered $237,160 or 81 percent of those payments at the time of our fieldwork. However, these payments were usually discovered as the result of a vendor call or the FBI receiving a refund check for a duplicate payment made. They likely do not represent the full extent of improper payments made by the FBI. Each component within the Department must have a recovery audit program in place so that the Department is in compliance with Public Law 107-107. Therefore, the FBI should develop and implement a formalized recovery audit program, including written policies and procedures that include the following information: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. This recovery audit program, once fully implemented, will enhance the FBI’s ability to determine the extent of its improper payments and recover those payments. We discussed this with FBI officials and they agreed to establish and implement a recovery audit program, including written policies and procedures. United States Marshals Service We determined that the USMS did not have processes in place to determine the extent of its improper payments, and did not have a formalized mechanism to recover improper payments already made. As mentioned previously, USMS officials stated they did not believe the USMS made any improper payments because of sufficient internal controls. Therefore, no recovery audit program was in place to quantify and collect improper payments. Each component within the Department must have a recovery audit program in place for the Department to be in compliance with Public Law 107-107. Therefore, the USMS should develop and implement a formalized recovery audit program, including written policies and procedures that include the following information: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. This recovery audit program, once fully implemented, will enhance the USMS’s ability to determine the extent of its improper payments and recover those payments. We discussed this with USMS officials and they agreed to establish and implement a recovery audit program, including written policies and procedures. In conclusion, while some components within the Department have policies and procedures in place to identify and prevent improper payments, some component’s policies and procedures are lacking, and others do not have any policies and procedures. In addition, there is significant variance in each component’s progress in implementing a recovery audit program. The recommendations in this report will help ensure that all components make progress toward compliance with applicable laws, regulations, and guidance pertaining to improper payments. We recommend that JMD:
We recommend that the BOP:
We recommend that OJP:
We recommend that the FBI:
We recommend that the USMS:
Footnotes
|