Financial Management

As illustrated by two cases in which officials with contracting responsibilities tried to steal or embezzle more than $1 million, lax internal controls over the Air Force's vendor payment system--primarily the lack of segregation of duties among individuals--have left Air Force funds vulnerable to fraudulent and improper payments. As of June 1998, more than 1,800 employees of the Air Force and the Defense Finance and Accounting Service had a level of access to the vendor payment system that allowed them to enter contract information, including the contract number, delivery orders, modifications, and obligations, as well as invoice and receiving report information and remittance addresses. No single person should be able to control all key aspects of a transaction without appropriate compensating controls. This level of access allowed these employees to submit all the information needed to create fraudulent and improper payments. At the same time, the automated vendor payment system was plagued by computer security weaknesses, including inadequate password controls. Missing records, another indicator of weak internal controls, prevented GAO from reconstructing the complete history of the two Air Force contracts associated with fraud at Bolling Air Force Base. GAO also was unable to determine whether the Air Force received the goods and services paid for under these contracts because, in addition to missing records, several improper procedures were followed for receipt and control of equipment and services paid for under the contracts. GAO summarized this report, along with GAO/OSI-98-15, in testimony before Congress; see: Financial Management: Improvements Needed in Air Force Vendor Payment Systems and Controls, by Jeffrey C. Steinhoff, Director of Planning and Reporting in the Accounting and Information Management Division, before the Subcommittee on Administrative Oversight and the Courts, Senate Committee on the Judiciary. GAO/T-AIMD-98-308, Sept. 28 (17 pages).

GAO noted that: (1) the two cases of fraud resulted from a weak internal control environment; (2) the lack of segregation of duties and other control weaknesses created an environment where employees were given broad authority and the capability, without compensating controls, to perform functions that should have been performed by separate individuals under proper supervision; (3) similar internal control weaknesses continue to leave Air Force funds vulnerable to fraudulent or improper vendor payments; (4) for example, as of mid-June 1998, over 1,800 Defense Finance and Accounting Service (DFAS) and Air Force employees had a level of access to the vendor payment system that allowed them to enter contract information, including the contract number, delivery orders, modifications, and obligations, as well as invoice and receiving report information and remittance addresses; (5) no one individual should control all key aspects of a transaction or event without appropriate compensating controls; (6) this level of access allows these employees to submit all the information necessary to create fraudulent and improper payments; (7) in addition, the automated vendor payment system is vulnerable to penetration by unauthorized users due to weaknesses in computer security, including inadequate password controls; (8) further, DFAS lacked procedures to ensure that the date that invoices were received for payment and the date that goods and services were received were properly documented; (9) these are critical dates for ensuring proper vendor payments and compliance with the Prompt Payment Act, which requires that payments made after the due date include interest; (10) missing records, another indicator of a weak internal control environment, prevented GAO from reconstructing the complete history of the two Air Force contracts associated with the Bolling AFB fraud; and (11) GAO was also unable to determine whether the Air Force received the goods and services paid for under these contracts because, in addition to missing records, a number of improper procedures were followed for receipt and control of equipment and services paid for under the contracts.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: