Showing posts with label internal controls. Show all posts

Friday, October 25, 2019

$300 Thousand Wasted on Useless Training

Do you think training is important? Do you think continuing education is important? Is there real value in remedial training?

The Government thinks so. Read any report by GAO (Government Accountability Office) covering the effectiveness, efficiency, or economy of a program, service, or contract and invariably, it will include a recommendation for more training. The same goes for reports by various OIG (Office of Inspector General) organizations. Even DCAA (Defense Contract Audit Agency) recommends more training whenever they find internal control deficiencies in one of the few business systems the organization audits these days.

As if more training is going to solve whatever problems have been identified. Here are some examples:

  • Contractor employees didn't fill out their timecards properly or on time - they need more training.
  • An interviewer said something naughty during an employment interview - the entire organization needs more training.
  • Congress passed a law prohibiting retaliation against whistleblowers - train everyone on how not to retaliate against whistleblowers.
  • A contracting officer didn't check all the boxes she was supposed to check prior to awarding a contract - the entire organization needs more training.

Recommendations for more training are lazy recommendations. The auditor or evaluator doesn't need to drill down to root causes why something didn't happen the way it should have or the way the process was designed. Why don't employees fill out their timecards correctly? Is it from lack of training? Probably not. It doesn't take any particular skill to fill out a timecard. There must be some other reason.

One of the problems that organizations have when trying to solve a problem with more training is that they come up with a half-baked training plan and throw it at the people. The organization is happy because they can now check a box saying they've complied with a recommendation. And the trainers are happy because they collect their money.

A recent article published by POGO (Project on Government Oversight) illustrates the problem when the training is motivated by an arbitrary timeline rather than a well thought out curriculum.

The VA (Department of Veterans Affairs) opened an accountability office to change the Agency's culture of retaliation against whistleblowers. The article is interesting in that it points to a lot of mismanagement in the organization. But the salient point of this article is that the number two guy in the organization demanded that its staff be trained by a certain date so that the number one guy, scheduled for Congressional testimony one month later, could state honestly that everyone had been trained.

What transpired after that was a sole-source contract for training that was ultimately cobbled together from other sources, including VA materials, much of which wasn't even on the subject matter. It was conducted by individuals who obviously didn't know the materials, even though they were subject-matter experts, and who read from scripts.

"There wasn't anything in the training that was remotely relevant or useful," one attendee reported. "It was like nothing I've ever seen, and I've been in Government for 20 years," another reported.

At one point, attendees had to correct instructors who didn't know the legal definition of a whistleblower had changed in 2017.

"You could feel the hostility in the room," an attendee recounted, as the instructors struggled to exert control over the training and respond to questions from increasingly frustrated attendees.

Whenever we see or hear of recommendations that more training is needed to solve a problem, we just roll our eyes and read on to see if the report includes other recommendations to show the auditor/evaluator even understood the root cause and had precise or specific solutions to correct whatever deficiency had been cited.

You can read the full POGO article here.

Friday, September 20, 2019

Another Government Agency Finds Deficiencies in its Internal Controls over Employee Travel Card Usage

Do you give out credit cards and travel cards to your employees? If so, how confident are you that your internal controls are working, if you have any internal controls at all? If you're like most small firms, your policies are largely based on trust. But, as you no doubt know, 'trust' is not an internal control. Trust is important in any organization, but it is not an internal control.

The Government is a major user of travel cards, but audit after audit shows that the Government, with all of its controls and oversight (approvers checking the travelers, managers checking the approvers, and auditors checking the managers), still has issues and deficiencies in managing its credit/travel card programs.

The Government Charge Card Abuse Prevention Act of 2012 requires OIGs (Offices of Inspector General) of agencies with more than $10 million in travel card spending to conduct periodic audits or reviews of travel card programs to analyze risks of illegal, improper or erroneous purchases and payments.

The EPA (Environmental Protection Agency) Office of Inspector General (OIG) recently completed a risk assessment of the Agency's travel card program and decided there was enough risk to merit a full audit. The OIG found employees who had been separated from service with active travel cards. They found irreconcilable differences between transactions and bank records (Citibank records in this case). The OIG found reports with 'blank' columns where data should be listed. They also found that they couldn't determine how much 'credit' was remaining on travel cards.

You might want to read how one highly trusted contractor employee used a company issued credit card to embezzle $825 thousand from his company.

You might also be interested in our article on how to improve controls over credit card usage.

Monday, August 20, 2018

How To Improve Internal Controls over Credit Card Usage

Many companies struggle with balancing the benefits of issuing charge cards (i.e. credit cards or p-cards) to employees with the risks that those cards will be used to make purchases for goods and services that contractors disapprove of. There have been many noteworthy embezzlement schemes over the years (see "Embezzlement Through Corporate Credit Card Purchases" for one example). The Government certainly has the same concerns. The Government employs rigorous oversight to a degree that most companies cannot afford. The Government has no profit motive so there's that. And the Government has a ton of oversight. For example, the Government Accountability Office (GAO) frequently reviews agencies' charge card practices. But a major concern not really faced by contractors is that nefarious purchases by Government employees using Government charge cards tend to become public, creating quite an embarrassment.

The Department of Defense's instructions pertaining to charge cards run 160 pages (see Department of Defense Government Charge Card Guidebook for Establishing and Managing Purchase, Travel, and Fuel Card Programs). We wouldn't recommend that companies (contractors) emulate something that big - no one would bother reading it anyway. But such a document is useful as a guide to what's important as far as internal controls and oversight. In fact, companies should be guided by the five components of effective internal controls - environment, risk assessment, control activities, information and communication, and monitoring - when devising a credit card program.

One of the key components of effective controls over credit card usage is to put some limits on how much can be charged (dollars per month and single purchase limits). Another key component would be to clearly define what are proper charges. Often this is expressed in the way of prohibited uses of credit cards. DoD has such a list which is probably not a bad list to emulate, if you're thinking of drafting credit card policies. Some of these make us wonder why anyone would think such a charge would ever be appropriate (dating services). Here is DoD's list from the January 2018 guide.

  • Appliances acquired for personal use in a work environment
  • Bail and bond payments
  • Betting, casino gaming chips and off-track betting
  • Cash advances
  • Construction services over $2,000
  • Contractor purchases
  • Court costs, alimony, and child support
  • Dating and escort services
  • Equal Employment Opportunity (EEO) settlements
  • Fines
  • Food and meals
  • Foreign currency
  • Gift certificates and gift cards
  • Long-term lease of land and buildings
  • Salaries and wages
  • Savings bonds
  • Service acquisitions greater than $2,500
  • Split purchases
  • Telecommunication systems
  • Travel advances, claims, or expenses
  • Vehicle-related expenses
  • Weapons, ammunition, and explosives
  • Wire transfers

Recently, two more prohibitions were added:

  • Video surveillance cameras
  • Commercial unmanned aerial systems

Contractors that do not have strong internal controls over employee credit card usage are at risk for unauthorized and inappropriate purchases. There is a good chance that such purchases will not be reimbursed by the Government.





Wednesday, June 28, 2017

The Importance of Internal Controls Over Labor Costs

Over the past two days, we've discussed the concept of division of duties (also called segregation of duties) as a component of internal controls over labor costs. We discussed the importance of the division of duties between those who review and approve employee time charges and those who prepare the payroll. We discussed the importance of the division of duties between those who review and approve employee time charges and those who are responsible for meeting budgets. The basic premise for internal controls is to reduce the chance that irregularities will occur. If you're a regular reader of this blog, you know that we comment on the results of fraud investigations quite often. And one thing that many of these fraud cases have in common is that the companies (or the Government organization) either lacked basic internal control systems, had internal controls in name only (they were not in compliance with the controls they had established), had controls that were ineffective for what they were intended to accomplish, or had controls that were easily circumvented.

Why so much attention to labor costs? Here's how DCAA (Defense Contract Audit Agency) characterizes labor costs in its Contract Audit Manual (see CAM 5-902):

Labor costs are usually the most significant costs charged to Government contracts, and usually comprise the indirect cost allocation base, or the largest element in the base used for allocating indirect costs. Historical labor costs are often used to estimate labor for follow-on or similar item Government contracts. Unlike other cost items however, labor is not supported by third party documentation such as an invoice, purchase order, or receipt. Contractor personnel have complete control over the documents or devices of original entry, whether they consist of timecards, electronic media, or some other means. Responsibility for accuracy is diffused throughout the contractor's organization. Consequently the risks associated with the accurate recording, distribution, and payment of labor are almost always significant.

If you have ever been the recipient of a DCAA audit, you probably know that auditors spend most of their time testing indirect expenses for allowability under FAR Part 31 cost principles. Auditors might also pop in and perform random "floorchecks" to test the veracity of labor charging practices. Auditors rarely spend any time at all looking at materials cost and if they do, it's rather superficial. We don't recall a contract auditor ever verifying that a vendor was a legitimate company and not a shell company. Audit procedures just don't go to that level of detail for material costs. That's not the case for labor costs. When it comes to labor costs, the contract auditors will test for ghost employees, labor mischarging, managing to budgets, and potential over-staffing. Contractors having a mix of cost-type and fixed price contracts will be scrutinized more than contractors that have all of one kind or another - just because the risk of mischarging from an overrun fixed-price contract to a cost-type contract is higher. Want to avoid increased scrutiny by the Government? Implement strong internal controls.

Tuesday, June 27, 2017

Division of Duties - Payroll Preparation and Approving Employee Time Charges


Internal Controls are a critical component of nearly every financial transaction, practice, or procedure. Yesterday we discussed a control regarding the division of duties between those who have responsibility for meeting budgets and those responsible for approving time and attendance records (see Division of Duties - Responsibility for Meeting Budgets and Approving Employee Time Charges). Today we want to discuss another internal control related to labor costs - creating a division of duties between those approving time and attendance records and those responsible for the preparation and distribution of payroll.

As a general rule, contractors should have procedures to provide reasonable assurance that payrolls are prepared by persons independent of those responsible for the timekeeping operation and actual payroll payment.

These procedures should ensure that there is a segregation of responsibilities between timekeeping and payroll. These procedures are necessary to reduce the opportunity for any person to be in a position to both perpetrate and conceal errors or irregularities such as fictitious employees, improper time charges, etc.

A number of years ago, there was a major scandal involving a base maintenance contractor with a cost-type contract. It turned out that the contractor's payrolls were completely fabricated. And these payroll records were the basis for claiming reimbursement from the Government. Not only were fictitious employees on the payroll (the number of employees was overstated by 40 percent) but the rates of pay for the "real" employees were overstated as well. The fraud was uncovered by auditors asking the right questions during a labor floorcheck. Although this fraud was orchestrated by top management, it illustrates where a lack of internal controls can result in overstated costs to the Government and why the Government is so keen on ensuring adequate internal controls.

As we noted yesterday, very small contractors are not going to have sufficient personnel to ensure segregation (or division) of duties in all areas. Contractors (with the Government's "help" at times) are going to have to decide which controls are most important and work to enhance those. From the Government's perspective, controls dealing with labor are always important. We'll explain why tomorrow.

Monday, June 26, 2017

Division of Duties - Responsibility for Meeting Budgets and Approving Employee Time Charges


Once a contractor is awarded a contract, it typically sets up budgets for the work to be performed. At first, budgets are very rough estimates of what the contractor believes it will take to perform the task (or sub-task) but as the work progresses, the budgets become more refined.

The funny thing about budgets is the compelling need to manage to those budgets. Managers and teams that don't meet their budgets are sometimes viewed as less than successful. Often times, performance appraisals, bonuses, and promotions are based on the ability to meet budget.

Where there is undue pressure to meet budgets, the risk of labor mischarging increases. At least that's the Government's theory. So, for example, in its audit program for conducting floorchecks at small to medium-sized Government contractors, DCAA (Defense Contract Audit Agency) provides the following guidance:

Determine whether there is a division of responsibility between personnel having a part in the preparation and/or approval of time and attendance records and those responsible for operating within budgets. If a division of responsibility does not exist, the risk increases for affecting payroll in proportion to the number of personnel the employee/manager can influence.

So, how does a very small contractor go about creating a division of responsibility between the person responsible for operating within budget and those tasked with approving employee time charges? The short answer is you cannot. It's just like many of the desirable internal controls over accounting - if a company has only one person in its accounting department, there will never be an effective division of duties. The same with timekeeping and budgets. For small companies, there are just not enough people to have an effective division of duties.

So what are the consequences to the contractor? From a contract audit perspective, the risk of labor mischarging increases which means - at least in theory - that the auditors will want to increase their testing in that area. Practically, it means that the auditors will want to increase the number of employee interviews and perhaps design some analytical tasks to see what happens to labor charging once budgets are met.


Thursday, June 22, 2017

Poor Internal Controls Over Vendor Management Results in $530 Thousand Fraudulent Payment


Fowler General Construction holds a contract to build a new "Collaboration Center" at PNNL's (Pacific Northwest National Laboratory's) campus in Richland, WA. Taxpayers pay about $1 billion per year to Battelle Memorial Institute to operate the Lab for the Department of Energy.

In November 2016, PNNL received an email instructing the company to change the bank account for electronic payments made to Fowler for work performed. PNNL complied and issued a payment of $530 thousand to the new bank account on December 16, 2016.

In January 2017, Fowler called PNNL to ask the status of their payment stating they hadn't received the December payment. A subsequent investigation showed that the new bank account was not associated with Fowler and the account had been emptied shortly after payment had been made.

Whoops.

PNNL assigned Aleta Busselman, the Lab's enforcement coordinator, to investigate and prepare a root cause analysis report. Her job was to analyze PNNL's response to the bank account change request. DOE's (Energy) Inspector General and the Justice Department were performing their own investigation to determine how the information to make the change was obtained by the thief.

Ms. Busselman's "audit" pointed to PNNL management and their failure to institute effective internal controls in its vendor program. PNNL management didn't like that result, fearing that it would make management and PNNL "look bad". For a few days she and management argued over what should be reported. Then, Ms. Busselman left for a scheduled vacation but when she returned, she didn't have a job. She also found that her report had been gutted of any mention of management responsibility.

Ms. Busselman is now accusing PNNL of retaliation and is suing to get her job back.

How effective would your internal controls be in preventing this kind of fraud?

The source for this post is an article appearing in the June 21, 2017 edition of the Tri-City Herald.

Friday, October 14, 2016

Internal Control Questionnaire for Small Contractors

Yesterday we discussed a contractor's lack of robust internal controls that allowed an employee to embezzle $1.3 million over a four-year period. If you missed that post, you can read it here. Every company needs internal controls but small companies sometimes cannot afford to have comprehensive systems to guard against fraud, waste, and abuse. But there are things even the smallest company can afford.

The following is an internal control/defalcation checklist adapted from a publication by the American Institute of Certified Public Accountants (AICPA) that independent accountants/auditors use to assess the adequacy of internal controls at companies of any size.

Use it to self-assess how your company measures up.

1. Segregation of duties
     a. Is the person who handles cash also responsible for recording cash?
     b. Does the person who pays or orders inventory also receive materials?
     c. Are two or fewer people responsible for the accounting function?
     d. Is only one person responsible for reviewing financial statements each month?
     e. Is your review of financial journals sporadic?

2. Bank reconciliations
     a. Do you reconcile the bank statement on a timely basis, at least once a month?
     b. Do you review any adjustments and verify reconciling items?
     c. Are reconciliations performed by one person and reviewed by another?
     d. Is the person who writes checks restricted from signatory authority?
     e. Do you review canceled checks and endorsements on a monthly basis?
     f. Do you compare payroll checks with your current employee records?
     g. Do you question funds transferred between bank accounts?
     h. Do you track the number of credit card bills you sign each month?

3. Supporting documentation
     a. Do you ever sign blank checks?
     b. Do you ever sign checks without original supporting documentation?
     c. Have funds ever been transferred between accounts without review or verification?
     d. Do you ever sign checks for new business vendors without knowing or verifying their name and association with your company?

4. Employees - know your employees and be aware of changes in their behavior
     a. Are any employees extremely possessive of their work records and reluctant to share their tasks?
     b. Are any employees apprehensive about taking a vacation and time off, and are also the first one in the office and the last one out?
     c. Have you noticed a substantial change in the lifestyle of any employees?
     d. Do any of your employees have a possible substance abuse problem?
     e. Are any of your employees living beyond their means?
     f. Have you ever hired an employee without checking references?
     g. Do you permit accounting personnel to work longer than a year without taking a vacation?
     h. Do you have any accounting staff who have not been bonded?

5. Safeguard assets
     a. Are blank checks and signature stamps locked up?
     b. Do you restrictively endorse all checks?
     c. Do you deposit all cash and checks daily?
     d. Do you maintain a list of office furniture, equipment, and vehicles?
     e. Do you back up all computer files on a regular basis and store the backup in a remote location?
     f. Do you have password restrictions for your systems?
     g. Do you maintain adequate insurance coverage on all assets including business interruption insurance?

How does your company compare? Remember, "trust" is not an internal control.



Thursday, October 13, 2016

Another Credit Card Embezzlement Scheme

Just a week ago, we reported on a case where a highly trusted contractor employee embezzled $825 thousand from his company by using a company issued credit card for personal expenses. Now we have another misuse of company credit card case being reported by the Department of Justice. This time, the perpetrator made $1.3 million in unauthorized personal charges to a company credit card. He has pleaded guilty and has agreed to pay restitution, and when he appears for sentencing, he faces additional fines and possibly prison time. This time however, the perpetrator was not someone in a trusted position in the company - he was a lowly accountant who got away with the embezzlement for four years. Cases like these should really be wake-up calls for companies to examine their own company-issued credit card policies and related internal controls. As we all know, "trust" is not an internal control.

In the most recent case (you can read DoJ's press release here), Mr. Bell got a job in the accounting department at Phoenix in 2008. Phoenix is a non-profit firm providing counseling for and placing people with disabilities in administrative, manufacturing, and custodial positions. One of Phoenix's Government contracts was valued at $20 per year providing custodial services at Redstone Arsenal. A year later, Bell began using a company-issued credit card for personal expenses until he was caught in 2013. By that time, he had racked up $1.3 million in personal expenses including nearly $100 thousand to Best Buy, $70 thousand to airlines, $70 thousand to hotels, and many other luxury goods and department stores. We wonder why no one ratted him out for living well beyond his apparent means in an accounting job.

We're not quite sure how Bell covered his tracks - the DoJ press release didn't go into a lot of detail concerning the cover-up. "Bell deleted unauthorized purchases from the credit card monthly statements and manipulated Phoenix's account ledgers so that they would balance with the bank's spreadsheet that showed what Phoenix owed for its staff credit cards." The only way for this balancing act to have worked is if Bell increased the expenses related to other "legitimate" charges equal to the amounts he deleted for personal expenses.

Along the way, Bell became more emboldened. He set up his own accounting firm and invoiced Phoenix for $300 thousand in accounting services never provided. Bell never reported this income either and now has IRS problems.

The press release did not divulge how the embezzlement was discovered. Eventually, these embezzlement schemes are exposed even if it takes 15 years like one case in Washington State. The most basic control a company can implement in credit card programs is to ensure that staff responsible for reviewing and processing credit card transactions do not themselves have company-issued credit cards.






Thursday, October 6, 2016

Embezzlement through Corporate Credit Card Purchases

Here's a fraud case that should prompt companies to review their own internal control systems for preventing employee fraud, waste, and abuse.

Stuart Teshima, the former CFO of Epsilon Systems Solutions (a Government contractor headquartered in the San Diego area), pleaded guilty last Tuesday to embezzling $825 thousand from his company over an eight-year period. He did this from his trusted positions of Vice President, Senior Vice President, and Chief Financial Officer of the company.

How did he do it? According to the Department of Justice Press Release, Teshima used the company credit card to pay for personal expenses including airfare and other personal travel, jewelry, gifts for family members, furniture, lavish dinners, and even his personal income tax bill. Then, before submitting invoices for reimbursement, Teshima would conceal the personal spending by altering his account statements to replace the personal items with fictitious business expenses. He then falsely reported to company representatives that the statements he submitted were generated directly from his credit card account, when in fact he altered the records himself before submitting them for reimbursement.

There are obvious internal control weaknesses in Epsilon's system. First of all, it appears that the company was paying its credit card balances without any support in the form of source documents. It merely relied on the signature of a trusted employee. Second, Epsilon was paying based on a "downloaded" statement which, of course, can be easily altered. It should have been paying based on printed statements received by mail that were reviewed and approved by an independent party. The independent reviewer should have insisted that charges be supported by original receipts.

It should not be surprising that auditors (both financial auditors and contract auditors) ask for original source documents. They are not trying to be obnoxious but when they put their name on a report asserting that the financial representations fairly present the objective of their audit, they need to be certain, beyond a reasonable doubt, that the company's representations are not misleading (or worse).

Epsilon has 1,000 employees and it's not unlikely that with this many employees, there will be plenty of opportunities for those so bent to poke around and find internal control weaknesses. Companies need to stay one step ahead of the fraudsters.

Teshima pleaded guilty but has not been sentenced. He has agreed to pay restitution for the amount embezzled. In addition, he faces probable fines and possible imprisonment.


Wednesday, October 7, 2015

Previously Reported Audit Findings

Many times, contract auditors issue internal control deficiency reports with recommended corrective actions or, more likely, a comment or two on contractor corrective action plans. Sometimes it's months or years before the auditor comes back to reassess that particular audit area (e.g. accounting system internal controls, billing system internal controls, etc.). In the meantime, no one has assessed whether the contractor's corrective actions are working as intended and, even if effectively implemented, have solved the internal control problem. With auditor turnover, the next batch of auditors are unaware of the history of previous audits. According to a DoD-IG (Department of Defense, Office of Inspector General) report issued earlier this year, many of these "new" teams never bothered to assess promised contractor corrective actions to previous audit findings. According to the DoD-IG, this failure represented a departure from GAGAS (Generally Accepted Government Auditing Standards) Section 5.06 which requires auditors to obtain an understanding of contractor corrective actions to previous audit findings in assessing risk and determining the nature, timing, and extent of current work, including potential testing of the implemented corrective actions.

The Defense Contract Audit Agency (DCAA) recently issued an audit alert regarding the need to assess contractor corrective actions to previously reported audit findings. Audit findings in this case could pertain to DCAA audit findings and/or findings from audits or studies performed by other than DCAA that are relevant to the subject matter under audit. The "other" audits or studies would include contractor internal audit reports (which the Agency has been trying to access, without much success, for many years), management letters issued by a firm's independent public accountants, and reviews performed pursuant to the Sarbanes-Oxley Act.

DCAA has modified its audit programs to emphasize this audit step. The additional audit program language requires that auditors review the permanent file to determine if previous audits included findings and recommendations that impact the subject matter under audit (GAGAS 5.06). If there were findings, auditors should document this information in the risk assessment and ask contractor management if corrective actions were taken to address findings and recommendations reported in previous DCAA audits (e.g., questioned costs, business system deficiencies, CAS audits) that are relevant to the subject matter of audit. If yes, auditors should have the contractor explain the corrective actions taken and determine if additional audit procedures should be included in the fieldwork to test the corrective actions.

Contractors should anticipate these additional queries during future audits.


Monday, May 18, 2015

Purchase Card Programs - How Effective are Your Internal Controls

We finished last week by discussing the House Committee on Veterans' Affairs hearing on waste, fraud, and abuse in the Veteran Administration's (VA) purchase card program. Although the hearing was limited to problems in the VA, issues with purchase card programs are widespread among Government contractors and can significantly affect contractors' ability to ensure the propriety of costs charged to Government contracts. By studying the Government's purchase card problems, the methods used by its oversight arms to ferret out fraud, waste, and abuse, and the internal controls established to reduce the risk of fraud in the program, we might be able to offer up best practices for contractors.

The Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act or CCA) requires agencies to establish and maintain safeguards and internal controls for purchase cards. Under the CCA, Inspectors General must conduct periodic risk assessments of agency purchase card programs to analyze the risks of illegal, improper, or erroneous purchases. Inspectors General then use these risk assessments to determine the necessary scope, frequency, and number of audits or reviews of these programs. Longtime readers of this blog and those involved in internal audits will recognize that "risk assessment" is the second of the five elements of internal controls.

At the Hearing, the VA's Assistant Inspector General for Audits and Evaluations described their risk assessment as follows:
For the fiscal year (FY) 2015 risk assessment, we performed data mining on credit card transactions using a set of defined criteria designed to identify transactions or patterns of activity that appear to represent potential fraud, waste, or abuse. Our risk assessment examined
  • Cardholders with a high volume of transactions
  • Multiple transactions made on the same day with the same vendor, amount and purchase card
  • Credit card purchases that exceeded established purchase card limits
  • Recurring transactions made with the same vendor
  • Transactions occurring on holidays, weekends, in the last two months of the fiscal year, and during unusual times of the day
  • Transactions made by a facility that were more than double the nationwide average number of transactions and costs per purchase card.
This would seem like a likely starting point for contractors to assess their risks and vulnerabilities in purchase card programs. There doesn't seem to be anything in this listing that would test or point to the use of cards to make "personal" purchases so that might be an additional risk factor that contractors consider.
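A contractor could run the transaction-level criteria from the testimony against its own card feed along the following lines. This is an added example, not the IG's or any agency's code: the field names, thresholds, vendor names and sample transactions are all constructed, and the split-purchase check and the count-only facility comparison are simplifications chosen here.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Assumed thresholds for illustration; set them from your own card policy.
SINGLE_PURCHASE_LIMIT = 3000.00
HIGH_VOLUME_COUNT = 4         # transactions per card in the review period
RECURRING_VENDOR_DAYS = 3     # distinct purchase dates with one vendor
FY_END_MONTHS = {8, 9}        # the federal fiscal year ends September 30
HOLIDAYS = {"2015-05-25"}     # Memorial Day 2015; extend as needed

# Constructed sample transactions (not real data).
TXNS = [
    {"id": "T1", "card": "C1", "facility": "A", "vendor": "Acme Supply", "amount": 2900.00, "ts": "2015-03-10T10:15:00"},
    {"id": "T2", "card": "C1", "facility": "A", "vendor": "Acme Supply", "amount": 2900.00, "ts": "2015-03-10T10:20:00"},
    {"id": "T3", "card": "C1", "facility": "A", "vendor": "Acme Supply", "amount": 150.00, "ts": "2015-04-14T11:00:00"},
    {"id": "T4", "card": "C1", "facility": "A", "vendor": "Acme Supply", "amount": 150.00, "ts": "2015-05-12T11:00:00"},
    {"id": "T5", "card": "C2", "facility": "B", "vendor": "Northside Office", "amount": 3400.00, "ts": "2015-06-09T14:00:00"},
    {"id": "T6", "card": "C2", "facility": "B", "vendor": "Gadget Hut", "amount": 220.00, "ts": "2015-09-19T23:30:00"},
    {"id": "T7", "card": "C3", "facility": "B", "vendor": "Northside Office", "amount": 80.00, "ts": "2015-05-25T09:00:00"},
    {"id": "T8", "card": "C3", "facility": "B", "vendor": "Paper Co", "amount": 45.00, "ts": "2015-02-03T09:30:00"},
]

def flag_transactions(txns, limit=SINGLE_PURCHASE_LIMIT):
    """Return {txn_id: set of risk flags} for each transaction that trips a test."""
    flags = defaultdict(set)
    per_card = Counter(t["card"] for t in txns)
    same_day = defaultdict(list)     # (card, vendor, date) -> transactions
    vendor_days = defaultdict(set)   # (card, vendor) -> distinct purchase dates
    for t in txns:
        ts = datetime.fromisoformat(t["ts"])
        day = ts.date().isoformat()
        same_day[(t["card"], t["vendor"], day)].append(t)
        vendor_days[(t["card"], t["vendor"])].add(day)
        if t["amount"] > limit:
            flags[t["id"]].add("over_limit")
        if ts.weekday() >= 5:                      # Saturday or Sunday
            flags[t["id"]].add("weekend")
        if day in HOLIDAYS:
            flags[t["id"]].add("holiday")
        if ts.month in FY_END_MONTHS:
            flags[t["id"]].add("fiscal_year_end")
        if not 6 <= ts.hour < 20:                  # assumed business hours
            flags[t["id"]].add("off_hours")
        if per_card[t["card"]] >= HIGH_VOLUME_COUNT:
            flags[t["id"]].add("high_volume_card")
    for group in same_day.values():
        amounts = Counter(t["amount"] for t in group)
        day_total = sum(t["amount"] for t in group)
        for t in group:
            if amounts[t["amount"]] > 1:
                flags[t["id"]].add("same_day_duplicate")
            # Possible split: each charge fits under the limit, the day's total does not.
            if len(group) > 1 and t["amount"] <= limit < day_total:
                flags[t["id"]].add("possible_split")
    for t in txns:
        if len(vendor_days[(t["card"], t["vendor"])]) >= RECURRING_VENDOR_DAYS:
            flags[t["id"]].add("recurring_vendor")
    return dict(flags)

def facility_outliers(txns):
    """Facilities whose transactions per card exceed double the overall average.

    Counts only (not dollar totals); assumes a card belongs to one facility.
    """
    if not txns:
        return []
    cards, counts = defaultdict(set), Counter()
    for t in txns:
        cards[t["facility"]].add(t["card"])
        counts[t["facility"]] += 1
    overall = len(txns) / len(set().union(*cards.values()))
    return sorted(f for f in counts if counts[f] / len(cards[f]) > 2 * overall)

if __name__ == "__main__":
    for txn_id, hits in sorted(flag_transactions(TXNS).items()):
        print(txn_id, sorted(hits))
    print("facility outliers:", facility_outliers(TXNS))
```

A flag is a reason to pull the supporting documentation, not a finding in itself; recurring purchases from one vendor, for instance, are often legitimate.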

Continuing on with the testimony, the Assistant IG noted that from the above risk assessment, the organization identified seven high risk areas that included:

  • Cardholder transactions that exceed authorized purchase limits including unauthorized commitments.
  • Inadequate financial controls prohibiting duplicative and split payments
  • An excessive number of cardholders making purchases with inadequate justifications
  • An unmanageable span of control resulting from an unbalanced ratio of cardholders to approving officials.
  • Inadequate recording or reporting of financial information.
  • Insufficient oversight of year-end spending
  • Inadequate review of purchases by approving officials.
Based on the risk assessments, the IG plans to conduct audits and reviews to identify control weaknesses, strengthen program control, and address inefficiencies in VA’s Purchase Card Program. Its recent work has identified significant control weaknesses that did not prevent transactions involving unauthorized commitments, improper payments, split purchases, and purchases that lacked appropriate supporting documentation.  


So evidently, the controls that are in place to prevent unauthorized commitments, improper payments, split purchases, and purchases that lacked supporting documentation were not working. Now it's up to the auditors and management to improve its system of internal controls to prevent that from happening in the future.


Wednesday, November 26, 2014

Routine Audits Can Turn Into Investigations

What good are policies and procedures if no one follows them? What good does it do to develop good policies and procedures if no one enforces them? Why have policies and procedures in the first place if no one monitors compliance or checks to see if they're working as intended?

In a news article published today, a State Auditor's Office performing a routine audit identified two employees whose overtime totals stood out from all other employees. As part of the audit, the auditors compared overtime hours claimed with information compiled from their building access cards. There were substantial differences, so the auditors referred the matter to State investigators. The investigation found that two employees "gobbled up" $130 thousand over a three year period in "bogus overtime" payments.

Needless to say, these two employees are in trouble. One was fired and the other resigned but they may be facing other legal consequences. Their supervisor was demoted for lax oversight and the article is blaming the matter on failure to follow policy.

Our take on this matter is different. We believe that a failure of the internal controls allowed these individuals to skirt established policies. The policies and procedures may have been good but if compliance is not tested from time to time, those policies and procedures will be rendered ineffective. When a scheme goes undetected for three years, there would have had to have been a significant lack of internal controls including oversight, employee training, monitoring, and feedback.
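The comparison the auditors ran, overtime claimed against building access card data, is the kind of periodic compliance test that can be automated. The sketch below is an added example, not the State Auditor's procedure: the record layouts, employee IDs, badge events, claims and the half-hour tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed badge reader events: (employee, event, timestamp).
BADGE_EVENTS = [
    ("E100", "IN", "2014-10-06T07:55:00"), ("E100", "OUT", "2014-10-06T16:35:00"),
    ("E100", "IN", "2014-10-07T08:00:00"), ("E100", "OUT", "2014-10-07T20:10:00"),
    ("E200", "IN", "2014-10-06T08:00:00"), ("E200", "OUT", "2014-10-06T18:00:00"),
    ("E200", "IN", "2014-10-07T08:05:00"),            # no matching OUT
]
# Constructed payroll claims: (employee, date, regular_hours, overtime_hours).
CLAIMS = [
    ("E100", "2014-10-06", 8, 4), ("E100", "2014-10-07", 8, 4),
    ("E200", "2014-10-06", 8, 2), ("E200", "2014-10-07", 8, 3),
    ("E300", "2014-10-06", 8, 5),                     # no badge activity at all
]

def onsite_hours(events):
    """Pair IN/OUT events. Returns ({(emp, date): hours}, {(emp, date) unpaired}).

    A shift that runs past midnight is credited to the date of its IN event.
    """
    hours, unpaired, open_in = defaultdict(float), set(), {}
    for emp, kind, ts in sorted(events, key=lambda e: (e[0], e[2])):
        t = datetime.fromisoformat(ts)
        if kind == "IN":
            if emp in open_in:                        # two INs in a row
                unpaired.add((emp, open_in[emp].date().isoformat()))
            open_in[emp] = t
        elif emp in open_in:
            start = open_in.pop(emp)
            key = (emp, start.date().isoformat())
            hours[key] += (t - start).total_seconds() / 3600
        else:                                         # OUT with no IN
            unpaired.add((emp, t.date().isoformat()))
    for emp, start in open_in.items():                # IN never closed
        unpaired.add((emp, start.date().isoformat()))
    return dict(hours), unpaired

def reconcile(claims, events, tolerance=0.5):
    """List overtime claims the badge data does not support.

    Returns (employee, date, status, hours) tuples. "unsupported" carries the
    overtime hours not covered by time on site; "unverifiable" means the badge
    record for that day is incomplete, so the claim needs manual review.
    """
    hours, unpaired = onsite_hours(events)
    findings = []
    for emp, day, regular, overtime in claims:
        if overtime <= 0:
            continue
        if (emp, day) in unpaired:
            findings.append((emp, day, "unverifiable", None))
            continue
        gap = round(regular + overtime - hours.get((emp, day), 0.0), 2)
        if gap > tolerance:
            findings.append((emp, day, "unsupported", min(gap, overtime)))
    return findings

def unsupported_by_employee(findings):
    """Total unsupported overtime hours per employee, largest first."""
    totals = defaultdict(float)
    for emp, _day, status, hrs in findings:
        if status == "unsupported":
            totals[emp] += hrs
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    results = reconcile(CLAIMS, BADGE_EVENTS)
    for row in results:
        print(row)
    print(unsupported_by_employee(results))
```

Incomplete badge records are reported separately rather than treated as zero hours, because a missed swipe is a data quality problem, not evidence of a false claim.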

One of the most fundamental methods of internal control is the segregation of duties. When it comes to overtime, one individual should not be capable of initiating, authorizing, executing, and subsequently reviewing overtime requests for appropriateness. An individual should not request overtime. Overtime should be requested by a supervisor based on need. The supervisor should obtain approval from someone higher up the chain. Someone from finance should authorize funds. The employee and the supervisor should sign the timecard/timesheet certifying that the hours were worked and charged to the appropriate job. Payroll should verify that overtime hours were approved and reviewed by appropriate supervisors and management. Internal audit or special teams should periodically review these practices for compliance.

Internal controls are not that difficult to implement.


Thursday, October 10, 2013

How Good Are Your Purchasing System Internal Controls?

When companies first start out, the entrepreneur/founder does just about everything him/herself - engineering, manufacturing, purchasing, estimating, accounting, billing, and on and on. As the company grows, specialists are hired to take over these functions. As a sole proprietor, internal controls are not critical. But as employees are added and systems become more complex and vulnerable to fraud, internal controls become absolutely necessary. Purchasing is a system that is highly vulnerable to fraud. Purchasing agents have a lot of opportunities and methods by which they can enrich themselves at the expense of the employer (e.g. the Government contractor) and ultimately the Government. All you need to do is peruse the DoJ's press releases to find dozens, perhaps hundreds, of incidents involving procurement fraud by Government and contractor employees alike.

So one would think that a company like Boeing would have internal controls that would be impervious to procurement fraud. After all, their business systems are considered the gold standard for Government contractors, they are publicly held and responsible to stockholders and they are subject to all of the internal control requirements of the Sarbanes-Oxley Act. They probably have enough policies and procedures to fill a semi truck trailer.

But Boeing is not immune to fraud committed by employees and neither are you. Last Monday, a Federal grand jury in St. Louis indicted a Boeing procurement officer on charges he gave inside information to a Washington state shop owner and others, netting the subcontractors more than $3.5 million in orders for aircraft parts. In this case, the Boeing employee gave the shop owner information about the competitors' bids and also historical price information in exchange for cash.

According to the indictment, the shop owner used the information from Boeing to prepare and submit bids to Boeing on behalf of his company. Ultimately, the shop was awarded seven purchase orders totaling $2 million. The Boeing employee also perpetrated his scheme with other suppliers.

The FBI raided the shop owner's facility in Washington last May and hauled away lots of records. At that time, the FBI refused to discuss what they were up to. Now we know.

The shop owner also appeared on a Bank of America promotional video in which he and employees talked about how the business grew with help from the bank. That video, which has since been taken down from Bank of America's website, included the following quote:
I just got into this trade without a formal business background. High school had a metal shop. It was a great place to fix my dirt bike. Couldn't afford to really go buy parts all the time. And this led to a job in a machine shop. Twenty-five years or so, it kind of just flies by, and here you are.
We guess he should have also mentioned the help he got by bribing Boeing purchasing agents for the company's growth.

So, how effective are your internal controls over purchasing?

Wednesday, July 3, 2013

The Importance of Data Entry Accuracy

Everyone has heard the axiom, "garbage in, garbage out" (GIGO). The term originated and is still mostly associated with the field of information technology. It refers to the fact that computers will unquestioningly process the most nonsensical of input data (garbage in) and produce nonsensical output (garbage out).

This illustrates why auditors of all stripes (financial auditors, internal auditors, Sarbanes-Oxley auditors, and government auditors) are profoundly concerned with "data input controls". We are not yet "paperless" and much of the data that goes into computers originates with paper. Someone has to glean data from paper and enter it into the computer.

Take a simple purchase, for example. The purchase might originate with a purchase request which goes to a "buyer" who initiates a purchase order. The purchase order goes to a vendor who fills the order, issues an invoice, a picking slip, and perhaps a packing slip. The customer receives the invoice which must be entered into a computer. The shipping/receiving department receives the merchandise, verifies receipt (kinds and quantities) and probably enters that into a computer. Consider the potential for data to get messed up along the way. A simple date slip up could mean the difference between getting and losing an early payment discount. An address mistake might send the product to the wrong company. A coding error could send the cost to the wrong account, or the wrong project.

All companies, and Government contractors in particular, need internal controls in place to help ensure that all input data are authorized and complete, and that data are consistently recorded, accumulated, processed, and reported in a controlled environment to produce timely and accurate information. These controls normally include written procedures for originating, authorizing, collecting, preparing, and approving input transactions to the contractor's accounting system.

When auditors begin their work, they first assess the adequacy of internal controls. Strong controls typically mean that auditors can scale back the number of transactions they need to review. Concerning data entry controls, the auditors might look to see if the company has implemented the following:

  • Documentation exists to identify all input data and/or files
  • There are established authorization procedures for all source documents feeding the system.
  • The functions of originating, approving, and converting source documents into computer data are adequately segregated. If anyone in the data input area performs more than one of the operations related to the origination, entering, processing, or distribution of data, there should be compensating controls for the lack of segregation of duties.
  • All input data is properly authorized, validated, and recorded
  • All authorized data remains complete, accurate, and valid through the source document origination process.
  • All input data is transmitted in a timely manner.
  • Source documents are periodically reviewed for proper completion and approval
  • Erroneous source documents are handled appropriately and are not entered into the system.
  • An audit trail is maintained during and after data input.

It might be useful to self-assess how your internal controls stack up against these attributes.





Wednesday, January 2, 2013

Avoid Potential Problems - Don't React to Them

It's a new year and it looks like we've avoided the so-called "fiscal cliff". The sequestration "can" (automatic spending cuts) has been kicked down the road for a couple of months and tax rates will not rise unless you earn $450 thousand or more. All of these matters of great pith and moment are well beyond our and your abilities to influence - we're merely bystanders. But, when it comes to contract compliance, contractors do not want to be caught unawares. There are many things contractors can and should do to prevent problems before they occur.

Contract compliance has been and will continue to be a recurring theme in this blog. There are many things contractors can do to avoid problems down the road. However, it does take a certain amount of persistence and consistency. Here then is our short list of ways to avoid contract problems in 2013.

Adopt and comply with written policies and procedures - There are two elements here - have them and follow them. Some contractors have written policies and procedures but fail to consistently follow them. We've stated it before but will do so again - failing to follow internal policies and procedures is sometimes worse than not having them at all. And not having them at all is bad. Failing to follow internal policies is a "slam-dunk" finding for an auditor - there's no adequate defense.

Keep good records - Many contractors have experienced first-hand the consequences of inadequate records or missing records - costs are disallowed. This is more poignant now that the auditors are working off the backlog of incurred cost audits - back to 2004 in some cases we know of. Contractors are expected to dig out archived records back that far!

Develop an ethics/compliance plan - It all begins at the top, so they say. Management must show a commitment to ethical behavior and expect the same from employees. Not only is it the right thing to do but in addition to auditors looking over your shoulders, contractors are now increasingly faced with the prospect of in-house whistle-blowers filing qui-tam actions. In fiscal year 2012, the Justice Department reported a record 647 whistle-blower cases were filed. Some employees see this as their way to riches and an entire industry has developed to support and encourage whistle-blowing. All it takes to bring out a whistle-blower is one falsified timecharge.

Conduct internal audits (reviews) - Contractors may have the best of intentions, great internal controls, excellent record retention practices, and effective ethics programs but never know whether they are being followed. It is critical that contractors implement internal reviews to ascertain the degree to which employees are adhering to the company's policies.

We will be coming back to these themes from time to time, expanding upon them and offering some ideas on how to avoid problems in cost-effective ways. Implementing these practices should not become a burden to contractors - particularly small businesses.

Friday, July 13, 2012

Internal Controls - From Objectives to Activities


We're going to finish up our current discussion on internal controls by associating some "internal control activities" to the "internal control objectives" we discussed previously. Yesterday, we listed eight internal control objectives that the Government believes will satisfy just one of the 18 attributes of an adequate accounting system: a sound environment, framework, and organizational structure. Not all of these will be applicable to all contractors. Small businesses are not likely to have audit committees, for example. Some contractors will devise other objectives, just as good or better than these. We suggest, however, that contractors at a minimum consider these.

Once contractors have established their internal control objectives for a given area, they need to devise internal control activities with which to satisfy those objectives. Each objective needs one or more activities. Here again, DCAA has provided examples of activities that might satisfy each objective. Let's take the first objective we highlighted yesterday: integrity and ethical values. Management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message through continuous demonstration of words, actions and commitment to high ethical standards.

Here are examples of control activities that DCAA believes will satisfy the objective:

  • Written codes of conduct that address 
    • ethical business practices, 
    • conflicts of interest and 
    • expected standards of ethical and moral behavior including dealings with customers, suppliers, employees and other parties.
  • Management places emphasis on establishing and maintaining an effective system of internal controls and self-governance and does not condone signs of inappropriate practices.

The second bullet point is important. It constitutes what the COSO (Committee of Sponsoring Organizations) guidance terms "setting the tone at the top". Management does indeed set the tone for the entire organization. Winking at indiscretions would not be setting the proper tone. Taking corrective actions including disciplinary action when necessary, would be setting the proper tone.

Ultimately, it is up to contractors to ensure adequate systems of internal controls for their unique situation. The DCAA guidance can be very useful in jump starting the program.


Thursday, July 12, 2012

Internal Controls - What's Important

Today's post is a bit on the technical side. The purpose here is to walk through the process of identifying internal controls that are important to Government contracting and to show how the Government determines whether controls, as implemented, are effective.

We will start with one of the DFARS (DoD FAR Supplement) business systems: accounting. DFARS 252.242-7006 states that contractors must establish and maintain an acceptable accounting system that provides reasonable assurance that applicable laws and regulations are complied with, that produces reliable cost data, minimizes the risk of misallocations and mischarges, and is consistent with the billing system.

On the surface, that might seem fairly straightforward - just buy a $200 QuickBooks package and you're off. Well, it's a little more complicated than that because this DFARS clause then goes on to list 18 attributes that the accounting system must provide for.

The first of these 18 criteria is "The Contractor's accounting system shall provide for a sound internal control environment, accounting framework, and organizational structure." Now it gets a little confusing and note the subjective word "sound". How is a contractor supposed to figure out what this means and how can it satisfy such a fuzzy requirement?

Do not despair. DCAA has come to your rescue. You can refer to Chapter 5 of the Contract Audit Manual or download the internal control matrix for Control Environment and Overall Accounting System Controls and obtain sample control objectives and examples of corresponding control activities for creating a sound environment, framework, and organizational structure. These control objectives include:

  1. Integrity and ethical values: management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message through continuous demonstration of words, actions and commitment to high ethical standards. 
  2. External auditor's report: management should take timely corrective action on any deficiencies noted by the external auditor.
  3. Board of directors/audit committee: the board and audit committee should be sufficiently independent from management to constructively challenge management's decisions and act effectively on external audit communications and recommendations.
  4. Basic structural organization: the organization structure provides the overall framework for planning, directing and controlling operations
  5. Assignment of authority and responsibility: management ensures that appropriate responsibility and delegation of authority is assigned to deal with goals and objectives, operating functions, regulatory requirements, information systems and authorization for changes. The delegation of authority ensures a basis for accountability and control and sets forth individual respective roles.
  6. Financial capability: management must ensure that the contractor has adequate financial resources to perform on Government contracts.
  7. Accounting system and controls: the accounting system is well-designed and is operating effectively to provide reliable accounting data and prevent misstatements that would otherwise occur.
  8. Cost allocations: management ensures that an item of cost or a group of items of cost are assigned to one or more cost objectives in accordance with rules, regulations, and standards for proper distribution of direct cost and allocation of indirect costs. Management ensures the proper allocation of both the direct assignment of cost and the reassignment of a share from an indirect cost pool.
Now that you see what's important, you can begin to devise "control activities" to help ensure these "control objectives" are carried out. DCAA provides some ideas here as well. We'll look at a couple of those tomorrow.

Wednesday, July 11, 2012

Internal Controls - Where to Find Guidance

Yesterday we defined internal controls and discussed five interrelated components that make up effective internal controls. This information came from COSO (Committee of Sponsoring Organizations of the Treadway Commission) whose mission is to
... provide thought leadership through the development of comprehensive frameworks and guidance on ... internal control ... designed to improve organizational performance and guidance...
The sponsoring organizations include the AICPA, the American Accounting Association, Financial Executives International, The Institute of Internal Auditors, and the Institute of Management Accountants.

DCAA considers the COSO guidance to be authoritative and has relied upon it for establishing guidance for performing audits of internal control systems that are pertinent to Government contracting (See CAM Chapter 5).

Funny things happen, however, between the audit guidance and the actual application of audit procedures. COSO and CAM clearly state that internal controls must be tailored for each individual contractor/company, considering size, organizational characteristics, the nature of the business, complexity of operations, applicable regulatory requirements, etc. Even so, we could share many examples where auditors have disregarded the contractor's assessment of its own control environment and corresponding control activities and have used published "control activity examples" as a checklist, with a "you don't do this, you fail" mentality.

It's easy to know what internal control systems are important to DCAA. The Agency's Contract Audit Manual as well as published audit programs and internal control matrices identify those areas considered most important to the Government contracting environment. These include accounting system, estimating system, billing system, labor system, and six others. DCAA is in the process of realigning its coverage so that it ties in closer with the new DoD Business System rules but the core elements will still be there.

Tomorrow, we will look at some of the specific internal controls related to accounting systems.


Tuesday, July 10, 2012

Internal Controls - It's a Contractor's Responsibility

It is important to remember that contractors must have effective systems of internal controls and that management is solely responsible for establishing and maintaining adequate internal controls. Some contractors have a notion that the Government will come along some day and tell them what internal controls they should implement. Some managers believe that by keeping their fingers on the pulse, they do not need internal controls. Others, sadly, do not want strong systems of internal controls because they fear that it would encumber their management style and prerogatives.

Internal controls are important and necessary, never more so than in the Government contracting environment. Internal controls provide reasonable (not absolute) assurance that financial reporting is reliable, that operations are running effectively and efficiently, and that applicable laws and regulations are being complied with.

Internal controls consist of five interrelated components:

  1. Control environment - this is the foundation to all other components. The board or senior management establish the "tone from the top" regarding the importance of internal control and expected standards of conduct. It provides discipline, process, and structure.
  2. Risk assessment - this involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed.
  3. Control activities - these are the actions established by policies and procedures to help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes.
  4. Information and communication - necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables all personnel to understand internal control responsibilities and their importance to the achievement of objectives.
  5. Monitoring - used to ascertain whether each of the five components of internal control is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.


When it comes to establishing effective internal control systems, one size does not fit all. Internal controls must be considered in the context of company size, organizational characteristics, the nature of the business (e.g. type of contracts), complexity of operations, applicable regulatory requirements, and more. Sometimes it seems that contract auditors want more controls than what contractors deem necessary. Sometimes they're right, sometimes not. Tomorrow we will look at the guidance that auditors follow in assessing whether select internal control systems are adequate.