Efforts to Prevent, Identify, and Recover Improper and Erroneous Payments
by Selected Department of Justice Components

Audit Report 07-17
January 2007
Office of the Inspector General


Findings and Recommendations

I.       PREVENTING IMPROPER AND ERRONEOUS PAYMENTS

Many improper payments are caused by a lack of or an inadequate system of internal control. According to information obtained from the Chief Financial Officers Council and the President’s Council on Integrity and Efficiency, the causes for improper payments can be broken down into the following three broad categories:

The IPIA requires a risk assessment of all programs to identify those susceptible to significant improper payments. Guidance provided by OMB in accordance with the IPIA requires each agency to conduct a full program inventory and perform a risk assessment of each program in the program inventory.

In March 2006, JMD issued Bulletin 06-11, which required each component to include the following within its risk assessment: (1) the results from the most recent financial statement audit, including any material weaknesses or reportable conditions; (2) the effect of any weaknesses or conditions as it pertains to the risk of making improper payments; and (3) a description of the corrective actions taken to address any weaknesses or conditions.

We reviewed the FY 2005 risk assessments conducted by the OBDs, FPI, DEA, and ATF, and found that:

In our judgment, certain internal control deficiencies could increase the risk of making improper payments. Thus, a thorough risk assessment should include a review of the financial statement audit opinion, any reportable conditions or material weaknesses noted by the independent auditors, and an analysis of whether those weaknesses or conditions could potentially affect the component’s risk of making improper payments as required by Bulletin 06-11. In our judgment, unqualified audit opinions should also be included because they can further support a component’s risk assessment concluding that the component is not at significant risk of making improper payments. When we discussed this issue with management at the OBDs, FPI, and ATF, they generally concurred with our assessment.

OMB Circular A-123 revision requires annual assurance statements, a summary of material weaknesses and non-conformances, and a summary of the corrective action plans to be included within the PAR. The two required assurances include a statement on the overall adequacy and effectiveness of internal controls within the agency and the effectiveness of the internal controls over financial reporting. Documentation supporting the assurances should be maintained, including the assessment process, testing of controls, deficiencies identified, and suggestions for improvement.

During the period covered by our audit, the requirements of OMB Circular A-123 revision related to annual assurance statements in the PAR were not yet enacted. Further, none of the components included in our audit individually fall under the requirements of OMB Circular A-123 revision because it relates to DOJ as a whole. However, in order for DOJ to provide the assurances in its PAR, according to JMD management, individual components were required to provide assurances to them as of June 2006.

In our judgment, a thorough risk assessment for the IPIA should include the OMB Circular A-123 revision assurance opinion, the reason for the opinion, and an analysis of whether the reasons for the opinion could potentially affect the component’s risk of making improper payments. As a result, we are recommending that each component include this information in its risk assessments. Management at the OBDs, FPI, DEA, and ATF, as well as JMD, generally concurred with our recommendation.

In addition to our findings related to the annual financial statement audit and OMB Circular A-123 revision assurance results, we noted the conditions described below during our review of policies and procedures used by management at the OBDs, FPI, DEA, and ATF to prevent improper payments, and in the risk assessment prepared by each component.

It should be noted that OMB Circular A-123, Appendix C states that each agency with improper payment estimates less than $10 million are only required to report the total improper payment estimate in its annual PAR to OMB. Agencies are no longer required to include: (1) information on the risk assessment conducted, (2) a description of management accountability for reducing improper payments, and (3) a description on whether the information system and infrastructure are adequate to reduce improper payments.7 Those requirements apply to each DOJ program, rather than to the individual components. Moreover, because the improper payment estimate for each DOJ program is less than $10 million, in our judgment, DOJ is not required to include this information in its PAR for FY 2006. Nonetheless, Bulletin 06-11 still required the individual components to include the information in their IPIA reports. We recommend JMD evaluate the recent changes to OMB Circular A-123, Appendix C and determine whether changes need to be made to Bulletin 06-11.

As a result, throughout this report, we disclosed our findings related to Bulletin 06-11 requirements. However, we did not offer any recommendations related to the descriptions on: (1) the risk assessment conducted for the OBDs and ATF; (2) management accountability for reducing improper payments for the FPI, DEA, and ATF; and (3) whether the information system and infrastructure are adequate to reduce improper payments for the DEA.

Offices, Boards and Divisions

Preventive Measures

JMD manages the recovery audit program for the OBDs. JMD also established a written policy for the OBDs describing the identification, prevention, and recovery of improper payments in Financial Management Policies and Procedures Bulletin 05-03 (Bulletin 05-03), November 2004. Bulletin 05-03 explains procedures for preventing improper payments including controls built into the OBDs’ financial management system. The built-in controls alert the user when a potential duplicate invoice is entered into the system.

Additionally, according to JMD management, the OBDs have the internal control structure necessary to prevent improper payments.8 This structure includes written policies and procedures, separation of duties, and certification by a supervisor of no conflicting duties before a user is granted access to enter obligation data into the financial management system.

Finally, the OBDs’ financial management system will not permit payments that exceed the allowance amount to be recorded. However, the financial management system does provide "tolerance limits" that allow expenditures to be processed that exceed the obligated amount. The “tolerance limits” are generally set at the lower of $100 or 10 percent of the obligation.

Risk Assessment

For FY 2005, JMD submitted the IPIA report for the OBDs in accordance with regulations. We reviewed the OBDs’ full program inventory and risk assessment. The risk assessment included four programs that were considered at risk of making improper payments.9 However, it did not include how those programs were determined to be at risk.

According to JMD management, the risk assessments included a review of the: (1) mock audit risk assessments, which identify the OBD programs at high risk;10 (2) high-risk areas, including foreign payments; (3) the level of dollars involved; and (4) the recovery audit contractor’s analysis to determine whether any program reached the criteria for significant risk. Therefore, according to JMD, the risk assessment for the OBDs was more comprehensive than what was described in the IPIA report. However, a description of this four-step risk assessment was not included in the IPIA. Bulletin 06-11 states, "the Annual IPIA Report is to include a description of the component's risk assessment subsequent to compiling a full program inventory,” and the component is to “... maintain documentation of the risk assessment and the results." Therefore, according to JMD’s own criteria, the risk assessment methodology JMD described to the OIG during this audit should have been included in the IPIA report.

Bulletin 06-11 states that, " components are required to review all programs and activities administered, and identify those susceptible to significant improper payments. This includes payments from federal awards made by recipients and subrecipients subject to the Single Audit Act Amendments of 1996." JMD management stated that they were unsure whether all grant programs were included in JMD’s risk assessment of the OBDs. Based on our review of the FY 2005 IPIA report submitted by JMD for the OBDs, we found that JMD did not include a review of all payments from COPS and OVW federal awards in the risk assessment.

We discussed this issue with JMD management and they concurred with our finding that the risk assessment for the OBDs conducted for the FY 2005 IPIA report is missing an assessment of payments from federal awards made by recipients and subrecipients. JMD management agreed to conduct an assessment of all payments from federal awards made by recipients and subrecipients in the OBDs’ future risk assessments.

Management Accountability

JMD and the OBDs provided various documents demonstrating that management is held accountable for reducing improper payments. Management at JMD and the OBDs provided Performance Work Plans, which included a discussion on accountability for taxpayer dollars, specifically effective management of financial resources and unqualified financial audits. Additionally, the results from the mock audit can identify improper payments. If an improper payment was identified, it would be reflected on the component’s scorecard, which is reflected in management performance reviews and evaluations.

Information System and Infrastructure

We found that the OBDs have the infrastructure and information system necessary to reduce improper payments within the financial management system. We verified that the financial management system prompts the user if a potential improper payment is entered into the system. Additionally, the OBDs can produce the financial management system duplicate payment report, which identifies potential duplicates. These processes are also described in Bulletin 05-03.

Federal Prison Industries

Preventive Measures

According to FPI management, the FPI has the internal control structure in place to prevent improper payments.11 This structure includes existing written policies and procedures, segregating duties, centralizing payments, pre-auditing disbursement vouchers, utilizing the original invoice, tying the receipt to the line item received, and matching the purchase order to the original invoice. In addition, controls are built into the FPI’s financial management system, which alerts the user when a potential duplicate invoice is entered into the system. The FPI has a Program Review Division, which conducts internal audits on a rotating basis at FPI institutions, every 3 years. These audits include transaction testing.

Risk Assessment

In October 2005, the FPI submitted a report to JMD in accordance with the IPIA, which included a complete program inventory and a description of the FPI’s complete risk assessment. In the report, the FPI was defined as a single program, the purpose of which is to employ inmates.

Management Accountability

Bulletin 06-11 requires the annual IPIA reports to include a description of how managers are held accountable for reducing improper payments. The FPI’s FY 2005 IPIA report states that the "FPI's risk assessment has determined that internal controls governing the payment cycle are not a high-risk area. Therefore, no action is being taken in this regard at this time. If the recovery audit results should justify such action, then the FPI will amend it at that time." However, according to the FPI, managers are given responsibility and held accountable for reducing improper payments.

The FPI Program Statement on Accounts Payable, Accountable Officer Liability states, "An accountable officer may be held personally liable and subject to disciplinary actions for the loss or improper payment of funds for which they are accountable." The FPI also provided a draft policy on the IPIA, which states that the FPI will comply with the IPIA and "... provide other information on management accountability." Finally, the FPI Program Statement on Employee Code of Conduct states, "Employees will conform to procurement integrity regulations." We noted that management accountability described in the FPI’s IPIA report was not reflective of its actual policies related to management accountability for reducing improper payments at the FPI.

Information System and Infrastructure

We found that the FPI has a fully integrated accounting system which provides the infrastructure and information system necessary to reduce improper payments. We verified that the accounting system prompts the user if a potential improper payment is entered into the system. Then, the user will determine whether the payment is in fact improper.

Drug Enforcement Administration

Preventive Measures

According to DEA management, the DEA has an internal control structure in place to prevent improper payments.12 This structure includes:

We verified that internal controls have been built into the DEA’s financial management system. These controls include access security controls and a financial management system that will prompt "Possible Duplicate Payment" if a user enters an invoice with the same invoice number, date, and amount as a previously accepted invoice. DEA management explained that the "Possible Duplicate Payment" prompt will not appear for a duplicate payment if the vendor payment document has been “warehoused,” meaning payments are scheduled for payment by the Department of the Treasury (Treasury) in conformity with the time frame of the Prompt Payment Act or within the time frame negotiated on the obligation. However, an Erroneous Payment database was established to capture an improper payment that was “warehoused” the following day for the reason described above.

Risk Assessment

In October 2005, the DEA submitted a report to JMD in accordance with the IPIA, which included a complete program inventory and a complete description of the DEA’s risk assessment. The report defined the DEA’s programs by payment types. In the risk assessment, the DEA identified the preventive and detective controls for each program in the full program inventory. Additionally, the report described weaknesses within each program and identified areas where improper payments could occur, which assisted the DEA’s recovery audit program. The program inventory and risk assessment conducted by the DEA demonstrates a thorough and comprehensive review.

Management Accountability

The DEA provided various documents that hold management accountable for reducing improper payments. The DEA maintains scorecards for each division, regarding electronic payments to vendors, non-credit card invoices paid on time, and interest penalties paid on invoices. Department-wide scorecards are maintained to inform employees on how the DEA is performing. The DEA provided Performance Work Plans that explain accountability for taxpayer value, effective management of financial resources, and unqualified audits. Finally, the DEA provided documentation on Approving and Certifying Officers. Approving Officers may be subject to administrative discipline if they approve an incorrect, illegal, or improper payment. Certifying Officers are personally and financially accountable for the amount of any incorrect, illegal, or improper payment resulting from false or misleading certification, as well as for any payment prohibited by law that does not represent a legal obligation under the appropriation or fund involved. Certifying Officers may be required to reimburse the federal government for the entire amount of any incorrect, illegal, or improper payment resulting from their certification. In our opinion, the DEA’s management accountability for reducing improper payments ensures that the IPIA and the NDAA are addressed within the component, which is particularly important during times when budgets are tight.

Bulletin 06-11 required the annual IPIA reports to include a description of how managers are held accountable for reducing improper payments. In reviewing the DEA’s FY 2005 IPIA report, we noted that the DEA stated “not applicable” for Item 6, which asks for a description of the steps taken or planned to ensure managers are held accountable for reducing improper payments. However, as described above, managers are given responsibility and held accountable for reducing improper payments.

Information System and Infrastructure

Bulletin 06-11 required the annual IPIA reports to include within Item 7, a description as to whether the component has the information system and other infrastructure it needs to reduce improper payments to the levels the component has targeted. If the component does not have the information system or infrastructure necessary to reduce improper payments, the component should include a description of the resources the component requested in its budget submission to Congress to obtain the necessary information system and infrastructure. In reviewing the DEA’s FY 2005 IPIA report that was submitted to JMD, we found that the DEA stated “not applicable” for Item 7. However, we found that the DEA has the information system and infrastructure necessary to reduce improper payments through its financial management system.

Bureau of Alcohol, Tobacco, Firearms and Explosives

Preventive Measures

According to ATF management, ATF has the internal control structure and three processes in place to prevent improper payments.13 The first control, which we verified, is a prompt that appears to the user when a duplicate invoice is entered into the system. Second, prior to authorizing a payment, ATF performs a draft referencing process by examining the obligating documents, receiving documents, and the invoice. The draft referencing process compares the information on all of these documents and ensures the accuracy on each. This process is performed both when funds have and have not been obligated. The referencing process can prevent improper payments because when funds have been obligated, the payment should reference the vendor invoice; when funds have not been obligated, the payment should reference the purchase order. Finally, ATF provided a draft policy for transactions greater than $2,500, which requires system approval prior to being processed and paid by the Certifying Officer. The Certifying Officer reviews documentation prior to certifying an invoice for payment.

Risk Assessment

For FY 2005, ATF submitted a report to JMD as required by the IPIA. The program inventory and risk assessment completed by ATF stated, “ATF does not have any significant risk programs in which improper payments exceed both 2.5 percent of program payments and $10 million.” However, according to ATF management, a risk assessment was not performed in FY 2005. Instead, we determined that ATF management relied on the FY 2004 risk assessment and data on improper payments identified and recovered in 2005 to make the concluding statement in the FY 2005 IPIA report.

Bulletin 06-11 requires each component to review all programs and activities administered and identify those susceptible to significant risk and to "describe the risk assessment performed, subsequent to compiling the full program inventory." A full program inventory and risk assessment ensures that all payments and controls are reviewed for weaknesses and strengths in preventing and identifying improper payments and the reasons they occur. When we discussed the lack of a risk assessment conducted for the FY 2005 report with ATF managers, they stated that because the FY 2004 IPIA report reported no significant risk programs, a risk assessment for FY 2005 was not necessary. However, ATF needs to conduct a risk assessment of its full program inventory each year until the level of risk is known and the baseline estimates, if applicable, are established as required by Bulletin 06-11. ATF should maintain documentation of the risk assessment. When ATF’s programs are deemed not risk susceptible and documentation is maintained, ATF can conduct a risk assessment every 3 years.

We discussed with ATF management this finding related to conducting a complete risk assessment of all programs within the full program inventory and maintaining documentation of the risk assessment. ATF management concurred and agreed to conduct a complete risk assessment and to maintain documentation of the risk assessment performed.

Management Accountability

ATF management described Certifying Officers, Contracting Officer Technical Representatives (COTRs), and post-contract responsibilities that ensure management's responsibility for reducing improper payments. Certifying Officers are held accountable for any improper payments they certify. Additionally, Certifying Officers are also responsible for reviewing the appropriate documents prior to certifying an invoice for payment. ATF explained and provided documentation on COTRs’ responsibilities, which include: (1) reviewing invoices to ensure ATF is not receiving duplicate invoices, (2) comparing invoices to the terms of the contract, (3) reviewing the performance accomplished on the contract, (4) analyzing the spend rate based on the work completed on the contract, and (5) handling any other contract issues. According to Acquisition Management Policy No. 007, Accelerated Closeout Procedures for Simplified Acquisition Procedures Contract Files, post-contract responsibilities include ensuring all goods and services were received, reviewing terms of the contract, verifying that the final invoice has been received and approved for payment, and determining that multiple payments were not made. In our judgment, these processes assist in ensuring no duplicate, under- or over-payments occur.

Bulletin 06-11 requires the annual IPIA report to include a description of how managers are held accountable for reducing improper payments. In reviewing the FY 2005 IPIA report, we noted that ATF stated “not applicable” for Item 6, which asks for a description of the steps taken or planned to ensure managers are held accountable for reducing improper payments. However, ATF designates responsibilities for reducing improper payments through Certifying Officers, COTRs, and post-contract responsibilities.

Information System and Infrastructure

We determined that ATF has the infrastructure and information system necessary to reduce improper payments. We verified that the financial management system prompts the user if a potential improper payment is entered into the system. Then, the user will determine whether the payment is in fact improper.

Recommendations:

We recommend that JMD:

  1. Ensure that risk assessments for each component are required to include: (1) an assurance statement of an unqualified, qualified, or no-assurance opinion, following the requirements of OMB Circular A-123 revision, Management’s Responsibility for Internal Control, for DOJ as a whole; (2) the reason for the opinion and its effect on the component's risk of making improper payments; and (3) any corrective actions being taken to address the opinion and the component's risk.

  2. Evaluate the recent changes to OMB Circular A-123, Appendix C and determine whether changes need to be made to Bulletin 06-11.

We recommend that for the OBDs, JMD:

  1. Ensure future risk assessments include: (1) the results from the most recent financial statement audit, including any material weaknesses or reportable conditions; (2) the effect of those weaknesses or conditions on its risk of making improper payments; and (3) a description of the corrective action taken to address those weaknesses or conditions as required by Bulletin 06-11.

  2. Ensure future risk assessments include: (1) an assurance statement of an unqualified, qualified, or no-assurance opinion; (2) the reason for the opinion and its effect on the component's risk of making improper payments; and (3) any corrective actions being taken to address the opinion and the component's risk.

  3. Ensure future risk assessments include an assessment of federal award payments made by the recipients and subrecipients as required by Bulletin 06-11.

We recommend that the FPI:

  1. Ensure future risk assessments include: (1) the results from the most recent financial statement audit, including any material weaknesses or reportable conditions; (2) the effect of those weaknesses or conditions on its risk of making improper payments; and (3) a description of the corrective action taken to address those weaknesses or conditions as required by Bulletin 06-11.

  2. Ensure future risk assessments include: (1) an assurance statement of an unqualified, qualified, or no-assurance opinion; (2) the reason for the opinion and its effect on the component's risk of making improper payments; and (3) any corrective actions being taken to address the opinion and the component's risk.

We recommend that the DEA:

  1. Ensure future risk assessments include: (1) an assurance statement of an unqualified, qualified, or no-assurance opinion; (2) the reason for the opinion and its effect on the component's risk of making improper payments; and (3) any corrective actions being taken to address the opinion and the component's risk.

We recommend that ATF:

  1. Ensure future risk assessments include: (1) the results from the most recent financial statement audit, including any material weaknesses or reportable conditions; (2) the effect of those weaknesses or conditions on its risk of making improper payments; and (3) a description of the corrective action taken to address those weaknesses or conditions as required by Bulletin 06-11.

  2. Ensure future risk assessments include: (1) an assurance statement of an unqualified, qualified, or no-assurance opinion; (2) the reason for the opinion and its effect on the component's risk of making improper payments; and (3) any corrective actions being taken to address the opinion and the component's risk.

  3. Conduct a complete program inventory and risk assessment for each program, and maintain documentation as required by Bulletin 06-11.


II.      IDENTIFYING AND RECOVERING IMPROPER AND ERRONEOUS PAYMENTS

In February 2006, OMB issued Improving the Accuracy and Integrity of Federal Payments, which identified approximately $888 million in improper payments made by federal agencies in FY 2005. Additionally, the report stated, “Of the $888 million in improper vendor payments, agencies recovered $656 million. Approximately, $205 million is pending resolution, with the remainder either still in dispute or deemed unrecoverable. This demonstrates an improper payment recovery rate of 74 percent.” DOJ was included in this report, which compiled information from the agencies’ PARs. According to DOJ’s FY 2005 PAR, DOJ identified improper payments totaling $1,044,320 and $765,086 (73 percent) had been recovered.

However, according to testimony by David Walker, the Comptroller General of the United States, “Significant challenges remain to effectively achieve the goals of the IPIA....”14 Walker also reported that the Government Accountability Office’s review of FY 2005 PARs, “... noted that some agencies still have not instituted a systematic method of reviewing all programs and activities, have not identified all programs susceptible to significant improper payments, and have not annually estimated improper payments for their high-risk programs.” Specific agencies were not identified in his testimony.

Identifying improper payments is an essential step in assessing the need for and types of corrective action required to manage improper payments and help ensure efficient and effective program operations. A recovery audit program includes a comprehensive review of prior payments to determine whether they were improper. A recovery audit program also looks for several types of improper payments, including:

Not only is a recovery audit program an important tool for identifying improper payments already made, the results of the program can also be used to address the flaws in an agency's internal controls.

Recovering identified improper payments is the final aspect of a recovery audit program. Establishing a written policy for the component’s recovery audit program ensures that the goal of the program – to recover the improper payments made by the component – and the procedures for accomplishing the goal are available to all employees. JMD recognized the importance of a written policy and required each component to establish a written policy for its recovery audit program, in accordance with Bulletin 06-11.

However, in reviewing Bulletin 06-11, we found that JMD did not define time limits for confirming or refuting an improper payment identified by the recovery audit contractor. In our opinion, the time limits for confirming or providing documentation refuting the improper payment, should be included in Bulletin 06-11. JMD managers concurred with our finding and agreed to include time limits within Bulletin 06-11.

During our audit, we reviewed laws and regulations applicable to recovery audit activities. We reviewed each component’s IPIA report, which included a description of its recovery audit program. In addition, we interviewed component officials and reviewed policies and procedures used by the OBDs, FPI, DEA, and ATF to identify and recover improper payments.

In addition to considering the time limits for components utilizing the recovery audit contractor, we noted the following conditions during our review of policies and procedures used to identify and recover improper payments, and in the recovery audit program.

Offices, Boards and Divisions

The OBDs are made up of 35 DOJ Offices, Boards and Divisions. One of the 35 subcomponents, the Executive Office for United States Attorneys, is the liaison between the DOJ and 93 United States Attorney Districts. Appendix III provides a complete listing of the OBD subcomponents and Appendix IV lists the United States Attorney Districts.15 In order to assess the OBDs’ compliance with the IPIA and the NDAA, we selected a sample of six OBD subcomponents for review.16 The subcomponents selected for our review included the:

Recovery Audit Program

JMD’s Financial Management Policies and Procedures Bulletin 05-03 (Bulletin 05-03), November 2004, details the recovery audit program in three parts for the OBDs.

The first part is provided internally by each subcomponent and includes the following elements:

When a subcomponent of the OBDs identifies and recovers an improper payment, the subcomponent can keep 100 percent of the recovered amount, rather than a percentage going to the recovery audit contractor or to JMD.

In the second part of the OBDs’ recovery audit program, JMD searches for improper payments by generating the financial management system duplicate payment reports and researching the results. If JMD identifies and verifies a duplicate payment, the OBD subcomponent that made the duplicate payment must pay JMD a fee of 14.46 percent of any recovered amount for administering the OBDs’ recovery audit program. Therefore, the subcomponent that made the improper payment only receives 85.54 percent of the recovered amount.

The third and primary aspect of the OBDs’ recovery audit program consists of utilizing a private contractor to conduct recovery audits. This effort began in May 2003, and payments made from FYs 1999 through 2004 were reviewed for improper payments as of April 2006. At the time of our audit, the recovery audit contractor was reviewing fiscal year data 6 months after each fiscal-year end.

When the recovery audit contractor identifies an improper payment, the subcomponent is notified. The subcomponent then has 15 days to respond to the recovery audit contractor to confirm whether the payment is in fact improper and whether the improper payment has already been recovered. After the improper payment is recovered, the recovery audit contractor receives 20 percent of the recovered amount for identifying the improper payment, the Department of the Treasury receives 2 percent for the OBDs using Treasury’s contract, and JMD receives 14.46 percent for administering the OBDs’ recovery audit program. Therefore, the subcomponent that made the improper payments only receives the remaining 63.54 percent of the recovered amount.

As shown in Table 1, as of April 2006, the recovery audit contractor stated that it had identified improper payments totaling $1,198,443 for all of the OBDs and recovered $916,711 of this amount.

Table 1: IMPROPER PAYMENTS IDENTIFIED AND RECOVERED BY THE RECOVERY AUDIT CONTRACTOR
NAME IMPROPER PAYMENTS IDENTIFIED IMPROPER PAYMENTS RECOVERED IMPROPER PAYMENTS OUTSTANDING PERCENTAGE RECOVERED

Recovery Audit Contractor

$1,198,443

$916,711

$281,732

76%

Source: Recovery audit contractor

As shown in Table 2, the six OBD subcomponents included in our audit stated that they identified an additional $215,212 in improper payments, of which $203,896 was recovered.

Table 2: IMPROPER PAYMENTS IDENTIFIED AND RECOVERED BY SIX SUBCOMPONENTS OF THE OBDs
COMPONENT IMPROPER PAYMENTS IDENTIFIED IMPROPER PAYMENTS RECOVERED IMPROPER PAYMENTS OUTSTANDING PERCENTAGE RECOVERED

RCLO

$6,180

$6,180

$ 0

100%

COPS

2,605

2,605

0

100%

OVW

2,155

2,155

0

100%

WMO

773

773

0

100%

CIV

188,802

186,774

2,028

99%

EOIR

14,696

5,408

9,288

37%

Total

$215,212

$203,896

$11,316

95%

Source: Management at the following OBD subcomponents: the RCLO, COPS, OVW, WMO, CIV, and EOIR. The differences in the totals are due to rounding.

As mentioned previously, Bulletin 05-03 requires each subcomponent of the OBDs to submit the Notification of Erroneous Payment form (Attachment 2 of Bulletin 05-03) to JMD Finance Staff informing JMD of any improper payments identified and confirming that a receivable has been established. However, we found that some subcomponents provided the information but did not utilize the Notification of Erroneous Payment form. Instead, they submitted the refund and supporting documentation directly to JMD or used a Transmittal of Currency form to report improper payment recovery activities. Utilizing the Notification of Erroneous Payment form is the only way to guarantee that appropriate JMD Finance Staff, who administer the OBDs recovery audit program, receive the information. It is essential for appropriate JMD personnel to receive the information so these amounts can be included within the Quarterly Recovery Audit Reports and within the annual IPIA reports. When subcomponents do not submit the Notification of Erroneous Payment form, JMD cannot accurately report what has been identified and recovered by the OBDs, which is combined with the other DOJ components and reported in the annual PAR. Table 3 details how each of the six subcomponents of the OBDs reported recovery audit information to JMD.

Table 3: SUBCOMPONENTS OF THE OBDs UTILIZING THE NOTIFICATION OF ERRONEOUS PAYMENT FORM (ATTACHMENT 2 OF BULLETIN 05-03)
COMPONENT HOW RECOVERY AUDIT INFORMATION IS REPORTED TO JMD

EOIR

Utilized Attachment 2

WMO

Utilized Attachment 2

COPS

Did not utilize Attachment 2, but submitted information on a Transmittal of Currency form

OVW

Did not utilize Attachment 2, but submitted information on a Transmittal of Currency form

CIV

Did not utilize Attachment 2, but the refund and support were forwarded to JMD

RCLO

Did not utilize Attachment 2

Source: Management at the following OBD subcomponents: the RCLO, COPS, OVW, WMO, CIV, and EOIR

When we discussed this issue with JMD management, they concurred with our finding and agreed to ensure that each of the OBD subcomponents submit the Notification of Erroneous Payment form to ensure accurate reporting.

We also found that some of the six OBD subcomponents included in our audit had additional procedures for identifying and recovering improper payments. The additional procedures included reviews of the Open Obligation Report and the Consolidated Obligation Report. The Open Obligation Report shows whether the appropriate account payable was properly liquidated; when an item has been paid for, but has not been received; and when a transaction has not been paid. The Open Obligation Report identifies these issues so they can be researched to determine if a transaction was expected or occurred in error. The Consolidated Obligation Report shows when a good or service was paid for, but the corresponding obligation was not established and liquidated. This activity can identify potential errors which should be researched. Table 4 identifies the OBD subcomponents that use additional procedures beyond the recovery audit contractor and the financial management system duplicate payment report.

Table 4: SUBCOMPONENTS OF THE OBDs WITH ADDITIONAL RECOVERY AUDIT PROGRAMS
COMPONENT RECOVERY AUDIT PROGRAM

COPS

Monthly review of the Open Obligation Report

WMO

Monthly review of the Open Obligation Report and the Consolidated Obligation Report

OVW

Quarterly review of the Open Obligation Report and monthly review of the Consolidated Obligation Report

Source: Management at the following OBD subcomponents: COPS, WMO, and OVW

COPS and OVW were two of the OBD subcomponents included in our audit that manage grant programs. According to COPS and OVW, monitoring of grantee expenditures occurs through: the Office of Justice Programs, Office of the Comptroller, Desk Reviews; and Financial Monitoring Site Visits. 18 However, Desk Reviews and Financial Monitoring Site Visits are not conducted for all grants awarded by COPS and OVW and do not include a review of all grant expenditures for the selected grants. In other words, only a sample of expenditures for selected grants are reviewed and verified for accuracy. According to Bulletin 06-11, "the recovery audit must encompass... all payments made from FY 2003 forward... grant payments are to be included in each component's recovery audit activity." Therefore, the OBD’s recovery audit program is not in compliance with Bulleting 06-11 because it does not include all grant payments.

When we discussed this issue with JMD management, they concurred with our finding and agreed to include grant payments within the scope of the OBDs’ recovery audit program.

Federal Prison Industries

Recovery Audit Program

Beginning in July 2004, the FPI began using a private contractor to conduct recovery audits. Payments made in FY 2003 were reviewed and vendor letters requesting reimbursement for any overpayments were sent for FYs 2003 through 2005. As shown in Table 5, as of April 2006, the FPI stated that a total of $43,182 in improper payments had been identified and confirmed from those fiscal years, and the FPI had recovered $12,355 of this amount.

Table 5: IMPROPER PAYMENTS IDENTIFIED AND RECOVERED AT THE FPI
COMPONENT IMPROPER PAYMENTS IDENTIFIED IMPROPER PAYMENTS RECOVERED IMPROPER PAYMENTS OUTSTANDING PERCENTAGE RECOVERED

FPI

$43,182

$12,355

$30,827

29%

Source: Management at the FPI and the recovery audit contractor

The scope of the FPI's recovery audit program includes the following two criteria to ensure that the program is cost-effective.

After the recovery audit contractor's review, the FPI receives the potential improper payment claims and validates them. According to the draft Recovery Audit Program, Program Statement, the validation will include confirmation by the vendor of the amount recoverable, confirmation by the FPI transacting staff (such as the receiver of goods or services, the procuring official, and the disbursing official) of the amount recoverable, verification that subsequent resolution of the recoverable amount has not occurred, and verification that amounts due have not been recovered. Upon validation, the claim is approved and collection is pursued. Additionally, the FPI prepares monthly summaries of recovery audit claims, including the causes.

According to Bulletin 06-11, "recovery audit programs must determine, at a minimum, duplicate payments, payments made for incorrect amounts, payments for which allowable discounts were not taken and goods and services were not received, and if payments were contract compliant. Contract compliance reviews will determine if payments made were consistent with the terms and conditions of the contract. All classes of contract/vendor payments are to be considered for recovery audits." The FPI's recovery audit program looks for all of those types of improper payments except that it does not include a contract compliance review as required by Bulletin 06-11.

We discussed this issue with FPI management, and they explained that contract compliance review had not started because the contractor is not at the level to conduct this review. Specifically, according to FPI management, the recovery audit contractor operates in phases, and has not implemented the review yet.

Additionally, our audit found that the FPI does not have a final written policy for its recovery audit program. Instead, the FPI has a draft policy for complying with the IPIA and for its recovery audit program. According to Bulletin 06-11, “each component is required to develop and implement written policies and procedures for its recovery audit program.” We acknowledge that the FPI has a draft policy for its recovery audit program, but recommend that the FPI develop a final written policy as it is an important tool to ensure FPI staff complies with the IPIA and the NDAA.

We discussed this issue with FPI management, and they concurred. However, they stated that due to various levels of review, it takes approximately 1 year for a draft policy to become final. The FPI management agreed to implement a final policy for its recovery audit program.

Drug Enforcement Administration

Recovery Audit Program

Although the DEA's initial recovery audit program began in FY 2004 and continued through FY 2005, it was not a comprehensive recovery audit program. Instead, a statistical sample of payments pulled from a population of all DEA payment categories, except payroll, were selected and tested to determine if any improper payments were made. Additionally, improper payments were identified by COTRs, Financial Management Division, as well as through other internal controls. In FY 2006, the DEA established a new recovery audit program, administered by the Financial Analysis and Reporting Unit (FNOF), which reports recovery audit information to JMD. The FNOF reviews all payments applicable to the IPIA, instead of sampling payments, and constitutes a comprehensive recovery audit program. As shown in Table 6, as of May 2006, the DEA stated that a total of $403,305 in improper payments were identified and confirmed from FYs 2003 through 2005, of which $386,833 was recovered.

Table 6: IMPROPER PAYMENTS IDENTIFIED AND RECOVERED BY THE DEA
COMPONENT IMPROPER PAYMENTS IDENTIFIED IMPROPER PAYMENTS RECOVERED IMPROPER PAYMENTS OUTSTANDING PERCENTAGE RECOVERED

DEA

$403,305

$386,833

$16,472

96%

Source: Management at the DEA

The scope of the DEA’s recovery audit program encompasses all payments made from FYs 2003 through 2005. However, the DEA’s initial recovery audit program did not review all payments made from FY 2003 forward as required by Bulletin 06-11. Instead, a sample of payments was tested from each fiscal year. After we noted this deficiency to DEA management during the course of our audit, the DEA completed and provided documentation for its review of all payments related to the IPIA from FYs 2003 through 2005. Therefore, a formal recommendation will not be made.

DEA management had established an internal recovery audit team, FNOF, rather than utilizing the recovery audit contractor. Bulletin 06-11 states, "The Director, JMD Finance Staff, has implemented a department-wide recovery audit contract, which all components are required to use unless a waiver is granted. Requests for waivers must be forwarded to the Director, Finance Staff, and include a complete description of your Recovery Audit Program and the cost of the program." During our audit we found that the DEA had not submitted a request for waiver to the Director of the JMD Finance Staff describing its internal recovery audit program or its cost. In our opinion, submitting a request for waiver ensures each DOJ component has a cost-effective recovery audit program in place. As a result of our audit, on November 30, 2006, DEA management submitted a request for waiver to the Director of the JMD Finance Staff describing its internal recovery audit program and received approval on the same day. Therefore, a formal recommendation will not be made.

During our audit, we found that the DEA has a contract closeout process, which verifies that: (1) all payments are proper; (2) all goods and services have been received; (3) all federal property has been returned; (4) all invoices have been paid; (5) no over, under, or duplicate payments were paid; (6) all applicable discounts have been taken and received; and (7) interest has been paid. At the time of our audit, no improper payments were identified through the contract closeout process. The DEA management explained that if an improper payment was identified, it would be corrected by the contract closeout team at the time of reconciliation and would not be reported to the FNOF. By not reporting identified and recovered improper payments to the FNOF, the DEA may potentially understate the amounts in its annual IPIA report, which are consolidated with other DOJ components into the DOJ’s PAR. As a result of our audit, on November 22, 2006, DEA management revised its Contract Closeout Handbook to include the requirements that the Financial Operations Section be notified of any improper payments prior to actual contract close out. The Financial Operation Section contains four units, one of which is the FNOF, and will notify FNOF of any improper payment information. Therefore, a formal recommendation will not be made.

During our fieldwork we found that the DEA had established policies for its recovery audit program, although the policies were in various documents. Bulletin 06-11 requires, "each component to develop and implement written policies and procedures for its recovery audit program." We recommended the DEA consolidate the policies into a single source that can be easily accessed. DEA management concurred with our recommendation and combined the recovery audit policies into a Recovery Audit Standard Operating Procedure, which the DEA provided to us. Therefore, a formal recommendation will not be made.

Statutory and Regulatory Barriers

OMB Circular A-123, Appendix C states that agencies with improper payment estimates less than $10 million are only required to report the total estimate in their annual PARs to OMB. These agencies are no longer required to include a description of any statutory or regulatory barriers which limit corrective actions in reducing improper payments.19 This criterion applies to each DOJ program, rather than to the individual components. Because the improper payment estimate for each DOJ program is less than $10 million, in our judgment, DOJ is not required to include this information in its PAR report for FY 2006. Nonetheless, Bulletin 06-11 still required the individual components to include the information in their IPIA reports. As a result, below we noted a finding related to the DEA and this requirement, but do not offer a recommendation related to this issue.

While reviewing the DEA's recovery audit program, we found that the DEA does not include contract payments at DEA foreign offices, which are processed by the Department of State via a reimbursable agreement. The DEA has not been granted disbursing authority by the Department of the Treasury. Instead, the State Department has designated United States Disbursing Officers, who have been delegated disbursing authority by the Department of the Treasury and authorized by the Treasury Secretary. Only a Disbursing Officer can make payments in local currency, which enables an agency to conduct business overseas. As a result, the State Department makes all of the DEA’s foreign payments. Additionally, if a federal agency wants to conduct business overseas, contracts must be negotiated through the International Cooperative Administrative Support Services.

Bulletin 06-11 required the annual IPIA reports to include within Item 8 a description of any statutory or regulatory barriers which limit corrective actions in reducing improper payments. We recognize that the DEA does not have contracting or disbursing authority overseas. However, in our opinion, this information concerning disbursements by the State Department on behalf of the DEA should be included within Item 8 of the IPIA.

Bureau of Alcohol, Tobacco, Firearms and Explosives

Recovery Audit Program

ATF's internal recovery audit activities began in 2001. They include: (1) reviewing the accounts payable listing to identify payables exceeding 90 days that can identify multiple payments made in other forms; (2) requiring COTRs to ensure that payments follow the terms of the contract that can identify duplicate payments and under- or over-spending on the contracts; and (3) conducting the contract closeout process, which compares payments to the language in the contract to identify missed discounts, duplicate payments, under- or over-payments, or improper payments that may not be allowed by the contract.

As shown in Table 7, ATF stated that it had identified $42,465 in improper payments and recovered $8,830, as of May 2006. ATF officials stated that they planned to pursue the remaining amount, as well as pursue collection of all identified improper payments.

Table 7: IMPROPER PAYMENTS IDENTIFIED AND RECOVERED BY ATF
COMPONENT IMPROPER PAYMENTS IDENTIFIED IMPROPER PAYMENTS RECOVERED IMPROPER PAYMENTS OUTSTANDING PERCENTAGE RECOVERED

ATF

$42,465

$8,830

$33,636

21%

Source: ATF management. The differences in the totals are due to rounding.

During our audit we found that improper payments that had not been recovered are tracked on an aging of accounts receivable schedule. However, after an improper payment is collected, ATF no longer tracks the recovered improper payment. In addition, ATF pursues all improper payments as regular debts and does not separately track improper payments from other debts. Therefore, ATF cannot determine when the identified and recovered improper payments occurred. Additionally, ATF cannot determine whether the identified and recovered improper payment amounts provided include all improper payments identified and recovered. Bulletin 06-11 requires each component to report the amount of improper payments identified and recovered over the reporting period and cumulatively. It is important for ATF to develop methods for tracking improper payments separately from other debts, so it can provide accurate information on improper payments identified and recovered that can be included in DOJ’s annual PAR. Additionally, ATF should include the timeframe in which the identified and recovered improper payments occurred. When we discussed this issue with ATF management, they concurred with our finding and agreed to revise and report the correct information – when it is available – in annual IPIA and quarterly reports.

Additionally, we found that ATF has not requested a waiver from the Director, JMD Finance Staff, to not use the recovery audit contractor as required by Bulletin 06-11. We believe, however, that ATF should utilize the recovery audit contractor, unless an approved internal recovery audit program that is compliant with all areas of Bulletin 06-11 and other applicable laws and regulations is developed. When we discussed this issue with ATF management, they concurred with our finding.

ATF management stated that they are reviewing the accounts payable listing for payments that are over 90 days old and conducting the contract closeout process after a contract is closed. Management is also making sure that Certifying Officers and COTRs perform their duties as necessary. Although ATF management stated that they anticipate utilizing the recovery audit contractor to review all payments from FY 2004 forward, they will need to include all payments made from FY 2003 forward to be compliant with Bulletin 06-11. Specifically, Bulletin 06-11 states, "the recovery audit must encompass, at a minimum, all payments made from FY 2003 forward." When we discussed this issue with ATF management, they noted that they could encounter difficulties researching payments that occurred prior to January 2003, when ATF became a DOJ component. In our judgment, ATF needs to obtain a waiver if it is not possible to research prior payments. Otherwise, ATF should expand the scope of its recovery audit activities to encompass, at a minimum, all payments made from FY 2003 forward as required by Bulletin 06-11. ATF management agreed to discuss the scope of its review of payments with JMD and review all payments FY 2003 forward, if possible.

Finally, our audit found that ATF had not developed a written policy for its recovery audit activities. Instead, policies exist in both draft and final form for portions of ATF’s recovery audit activities. According to Bulletin 06-11, "each component is required to develop and implement written policies and procedures for its recovery audit program." We discussed this issue with ATF management and they concurred with our finding and agreed to develop and implement a written final policy for the recovery audit program when a program is in place.

Recommendations:

We recommend that JMD:

  1. Develop and implement a department-wide policy for time limits after the recovery audit contractor identifies a potential improper payment and submits the claim to the component.

We recommend that for the OBDs, JMD:

  1. Ensure each subcomponent submit the Notification of Erroneous Payment form (Attachment 2 of Bulletin 05-03) to JMD Finance Staff regarding improper payments identified and recovered by the OBDs as required by Bulletin 05-03.

  2. Ensure that its recovery audit program addresses and includes grants as required by Bulletin 06-11.

We recommend that the FPI:

  1. Implement a contract compliance review within its recovery audit program as required by Bulletin 06-11.

  2. Implement a final policy for its recovery audit program as required by Bulletin 06-11.

We recommend that ATF:

  1. Develop methods for tracking improper payments separately from other debts, so it can provide information on the amount of improper payments identified and recovered. Additionally, ATF should include and maintain documentation on the timeframe in which the identified and recovered improper payments occurred.

  2. Demonstrate progress toward utilizing the recovery audit contractor as required by Bulletin 06-11, unless an approved internal recovery audit program that is compliant with all areas within Bulletin 06-11 and other applicable laws and regulations is developed, and a waiver is submitted to and approved by the Director, JMD Finance Staff as required by Bulletin 06-11.

  3. Expand the scope of the recovery audit program to encompass, at a minimum, all payments made from FY 2003 forward as required by Bulletin 06-11.

  4. Develop and implement a final written policy and procedure when a program is in place for ATF’s recovery audit program as required by Bulletin 06-11.



Footnotes
  1. OMB Circular A-136 - Revised July 2006, requires additional IPIA and recovery audit information to be included in the annual PAR.

  2. See the Statement on Internal Controls, at the back of this report, for details of our review of the OBDs’ controls, policies, and procedures.

  3. The OBDs’ risk assessment for FY 2005 included the: (1) Office on Violence Against Women, (2) Radiation Exposure Compensation, (3) Regime Crimes Liaison Office, and (4) salaries and other outlays.

  4. Mock audits, administered by the JMD Quality Control and Compliance Group, are audit simulations that aim to reduce audit findings, minimize organizational weaknesses, and strengthen financial management and practices of the OBDs, Working Capital Fund, and the United States Attorneys’ district offices. Each mock audit analyzes and tests a component’s financial processes and assigns a risk ranking to the component based upon the results.

  5. See the Statement on Internal Controls, at the back of this report, for details of our review of the FPI’s controls, policies, and procedures.

  6. See the Statement on Internal Controls, at the back of this report, for details of our review of the DEA’s controls, policies, and procedures.

  7. See the Statement on Internal Controls, at the back of this report, for details of our review of ATF’s controls, policies, and procedures.

  8. Government Accountability Office, Fiscal Year 2005 U.S. Government Financial Statements, Sustained Improvement in Federal Financial Management Is Crucial to Addressing Our Nation’s Financial Condition and Long-term Fiscal Imbalance, Statement of David M. Walker, Comptroller General of the United States, March 2006.

  9. The OIG is a subcomponent of the OBDs and is included in Appendix III.

  10. The methodology for the selection of the OBD subcomponents is detailed in Appendix I.

  11. The RCLO is not listed in Appendix III, because the RCLO is a component of the Office of the Deputy Attorney General.

  12. The Office of the Comptroller provides financial monitoring activities for both COPS and OVW.

  13. OMB Circular A-136 - Revised July 2006, requires additional IPIA and recovery audit information to be included in the annual PAR.



« Previous Table of Contents Next »