Centers for Medicare and Medicaid Services
Deficiencies in Contract Management Internal Control Are Pervasive Gao ID: GAO-10-60 October 23, 2009As a result of internal control deficiencies discussed in GAO's 2007 report on certain contracts at the Centers for Medicare and Medicaid Services (CMS), GAO was asked to identify the extent to which CMS (1) implemented effective control procedures over contract actions, and (2) established a strong control environment for contract management. GAO used a statistical random sample of 2008 CMS contract actions (including contract awards and modifications) to assess CMS internal control procedures. The results were projected to the population of 2008 CMS contract actions. GAO also determined the extent to which CMS implemented recommendations GAO made in 2007 to improve internal control over contracting and payments to contractors. GAO reviewed contract file documentation and interviewed senior acquisition management officials.
Pervasive deficiencies in CMS contract management internal controlincrease the risk of improper payments or waste. Specifically, based on our statistical random sample of 2008 CMS contract actions, GAO estimates that at least 84.3 percent of fiscal year 2008 contract actions contained at least one instance where a key control was not adequately implemented. GAO also estimates that at least 37.2 percent of fiscal year 2008 contract actions had three or more instances in which a key control was not adequately implemented. The contract actions GAO evaluated were generally subject to the Federal Acquisition Regulation. For example, CMS used cost reimbursement contracts without first ensuring that the contractor had an adequate accounting system. Also, project officers did not always certify invoices for payment. These deficiencies were due in part to a lack of agency-specific policies and procedures to help ensure proper contracting expenditures. These control deficiencies also stem from a weak overall control environment as characterized primarily by inadequate strategic planning for staffing and funding resources. CMS also did not accurately capture data on the nature and extent of its contracting, which hinders CMS's ability to manage its acquisition function by identifying areas of risk, due to a lack of quality assurance procedures over data entry. CMS also has not substantially addressed seven of the nine recommendations made by GAO in 2007 to improve internal control over contracting and payments to contractors. For example, CMS has not made progress in clarifying the roles and responsibilities for implementing certain contractor oversight responsibilities and, as of July 2009, CMS still had a backlog of contacts that were overdue for closeout, putting CMS at increased risk of not identifying or recovering improper payments or waste. The continuing weaknesses in contracting activities and limited progress in addressing known deficiencies will continue to put billions of taxpayer dollars at risk of improper payments or waste.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-10-60, Centers for Medicare and Medicaid Services: Deficiencies in Contract Management Internal Control Are Pervasive
This is the accessible text file for GAO report number GAO-10-60
entitled 'Centers For Medicare And Medicaid Services: Deficiencies in
Contract Management Internal Control Are Pervasive' which was released
on November 24, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
October 2009:
Centers For Medicare And Medicaid Services:
Deficiencies in Contract Management Internal Control Are Pervasive:
GAO-10-60:
GAO Highlights:
Highlights of GAO-10-60, a report to congressional requesters.
Why GAO Did This Study:
As a result of internal control deficiencies discussed in GAO‘s 2007
report on certain contracts at the Centers for Medicare and Medicaid
Services (CMS), GAO was asked to identify the extent to which CMS (1)
implemented effective control procedures over contract actions, and (2)
established a strong control environment for contract management. GAO
used a statistical random sample of 2008 CMS contract actions
(including contract awards and modifications) to assess CMS internal
control procedures. The results were projected to the population of
2008 CMS contract actions. GAO also determined the extent to which CMS
implemented recommendations GAO made in 2007 to improve internal
control over contracting and payments to contractors. GAO reviewed
contract file documentation and interviewed senior acquisition
management officials.
What GAO Found:
Pervasive deficiencies in CMS contract management internal control
increase the risk of improper payments or waste. Specifically, based on
our statistical random sample of 2008 CMS contract actions, GAO
estimates that at least 84.3 percent of fiscal year 2008 contract
actions contained at least one instance where a key control was not
adequately implemented. GAO also estimates that at least 37.2 percent
of fiscal year 2008 contract actions had three or more instances in
which a key control was not adequately implemented. The contract
actions GAO evaluated were generally subject to the Federal Acquisition
Regulation. For example, CMS used cost reimbursement contracts without
first ensuring that the contractor had an adequate accounting system.
Also, project officers did not always certify invoices for payment.
These deficiencies were due in part to a lack of agency-specific
policies and procedures to help ensure proper contracting expenditures.
These control deficiencies also stem from a weak overall control
environment as characterized primarily by inadequate strategic planning
for staffing and funding resources. CMS also did not accurately capture
data on the nature and extent of its contracting, which hinders CMS‘s
ability to manage its acquisition function by identifying areas of
risk, due to a lack of quality assurance procedures over data entry.
CMS also has not substantially addressed seven of the nine
recommendations made by GAO in 2007 to improve internal control over
contracting and payments to contractors. For example, CMS has not made
progress in clarifying the roles and responsibilities for implementing
certain contractor oversight responsibilities and, as of July 2009, CMS
still had a backlog of contacts that were overdue for closeout, putting
CMS at increased risk of not identifying or recovering improper
payments or waste.
Table: GAO Assessment of CMS Actions to Address Prior Recommendations:
GAO recommendation: 1. Develop policies for pre-award contract
activities.
GAO assessment: No action taken.
GAO recommendation: 2. Develop policies regarding cognizant federal
agency responsibilities.
GAO assessment: Actions insufficient.
GAO recommendation: 3. Develop policies that clarify roles and
responsibilities during the invoice review process.
GAO assessment: Completed.
GAO recommendation: 4. Develop guidelines regarding sufficient detail
to support contractor invoices.
GAO assessment: No action taken.
GAO recommendation: 5. Establish criteria for negative certification
for payment of invoices. GAO assessment: No action taken.
GAO recommendation: 6. Provide training on the invoice review policies.
GAO assessment: Actions insufficient.
GAO recommendation: 7. Develop a centralized tracking mechanism for
employee training.
GAO assessment: Completed.
GAO recommendation: 8. Develop a plan to reduce the backlog of
contracts eligible for closeout.
GAO assessment: Actions insufficient.
GAO recommendation: 9. Review the questionable payments identified in
GAO‘s 2007 report.
GAO assessment: Actions insufficient.
The continuing weaknesses in contracting activities and limited
progress in addressing known deficiencies will continue to put billions
of taxpayer dollars at risk of improper payments or waste.
What GAO Recommends:
GAO makes 10 recommendations for developing policies to improve
oversight and strengthen CMS‘s control environment. It also reaffirms 7
prior recommendations that CMS has not fully implemented. CMS concurred
with the new recommendations, but generally disagreed with GAO‘s
assessment of progress on the prior recommendations. GAO‘s analysis
confirmed the need for additional efforts on these recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-10-60] or key
components. For more information, contact Kay Daly at (202) 512-9095 or
dalykl@gao.gov.
[End of section]
Contents:
Letter:
Background:
Pervasive Deficiencies in Control Procedures at the Contract Level
Increase the Risk of Improper Payments or Waste:
Weak Control Environment Hinders CMS's Ability to Manage its FAR-based
Acquisition Process:
Conclusion:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II: Status of Prior Recommendations:
Appendix III: Comments from the Centers for Medicare and Medicaid
Services:
Appendix IV: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: GAO Assessment of Status of CMS Actions Taken to Address 2007
Recommendations:
Table 2: Contract Actions in the Sample:
Table 3: Control Procedures and Detailed Results:
Figure:
Figure 1: CMS Contracting Trends between 1998 and 2008:
Abbreviations:
ACMIS: Acquisition Career Management Information System:
CAS: Cost Accounting Standards:
CFA: cognizant federal agency:
CMS: Centers for Medicare and Medicaid Services:
CRB: Contract Review Board:
DCAA: Defense Contract Audit Agency:
DCIS: Departmental Contracts Information System:
FAR: Federal Acquisition Regulation:
FPDS-NG: Federal Procurement Data System Next Generation:
FTE: full time equivalents:
HHS: Department of Health and Human Services:
HHSAR: Health and Human Services Acquisition Regulations:
MMA: Medicare Prescription Drug, Improvement, and Modernization Act of
2003:
NIH: National Institutes of Health:
T&M: time and materials:
OAGM: Office of Acquisition and Grants Management:
OFM: Office of Financial Management:
OIG: Office of the Inspector General:
OMB: Office of Management and Budget:
SBA: Small Business Administration:
V&V: Verification and Validation:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
October 23, 2009:
Congressional Requesters:
The Centers for Medicare and Medicaid Services (CMS), a component of
the Department of Health and Human Services (HHS), administers the high-
risk programs of Medicare and Medicaid,[Footnote 1] and other programs
such as the State Children's Health Insurance Program. CMS relies
extensively on contractors to assist in carrying out its basic mission,
including program administration, management, and oversight of its
health programs. In fiscal year 2008, CMS reported that it obligated
$3.6 billion under contracts for a variety of goods and services. CMS's
acquisitions include contracts to administer, oversee, and audit claims
made under the Medicare program; provide information technology
systems; provide program management and consulting services; and
operate the 1-800 Medicare help line.
In November 2007, we reported[Footnote 2] significant deficiencies in
internal control over certain contracts used by CMS for start-up
administrative services to implement programs enacted under the
Medicare Prescription Drug, Improvement, and Modernization Act of 2003
(MMA).[Footnote 3] Internal control--the plans, methods, and procedures
used to meet missions, goals, and objectives--is the first line of
defense in safeguarding assets and preventing and detecting fraud and
errors and helps government program managers achieve desired results
through effective stewardship of public resources. We reported that
CMS's internal control deficiencies resulted in millions of dollars of
questionable payments to contractors, primarily because CMS did not
obtain adequate support for billed costs from certain contractors.
Because of concerns about the implications that these weaknesses may
have on all CMS contracts generally subject to the requirements of the
Federal Acquisition Regulation (FAR),[Footnote 4] you asked us to
perform a comprehensive, in-depth review of CMS's contract management
practices. This report addresses the extent to which (1) CMS
implemented effective internal control procedures over contract actions
to help ensure proper contracting expenditures and (2) CMS established
a strong control environment for contract management.
To address the extent to which CMS implemented control procedures over
contract actions, we focused on contracts that were generally subject
to the FAR (i.e., FAR-based)[Footnote 5], which represented about $2.5
billion, or about 70 percent, of total obligations awarded in fiscal
year 2008. The FAR is the governmentwide regulation containing the
rules, standards, and requirements for the award, administration, and
termination of government contracts. Based on the standards for
internal control,[Footnote 6] FAR requirements, and agency policies, we
identified and evaluated 11 key internal control procedures over
contract actions, ranging from ensuring contractors had adequate
accounting systems prior to the use of a cost reimbursement contract to
certifying invoices for payment. Contract actions include new contract
awards and modifications to existing contracts. We conducted our tests
on a statistically random sample[Footnote 7] of 102 FAR-based contract
actions CMS made in fiscal year 2008 and projected the results of our
statistical sample conservatively by reporting the lower bound of our
two-sided, 95 percent confidence interval. We tested a variety of
contract actions including a range of dollars obligated, different
contract types (fixed price, cost reimbursement, etc.), and the types
of goods and services procured. The actions in the sample ranged from a
$1,000 firm-fixed price contract for newspapers to a $17.5 million
modification of an information technology contract valued at over $500
million. For each contract action in the sample, we determined if the
11 key internal control procedures were implemented by reviewing the
contract file supporting the action and, where applicable, by obtaining
additional information from the contracting officer or specialist or
senior acquisition management. We also tested the reliability of the
data contained in CMS's two acquisition databases. Basic attributes of
its contract actions, such as contractor name and obligation amount,
which we found to be reliable for purposes of this report, were used to
produce the historical obligation information presented in the
background section.[Footnote 8]
To address the extent to which CMS established a strong control
environment for contract management, we obtained and reviewed
documentation regarding contract closeout, acquisition planning, and
other management information and interviewed officials in the Office of
Acquisition and Grants Management (OAGM) about its contract management
processes. We also evaluated whether CMS had addressed recommendations
we made in our prior report.[Footnote 9] We used the internal control
standards as a basis for our evaluation of CMS's contract management
control environment.
Appendix I provides additional details of our scope and methodology. We
conducted this performance audit from July 2008 to September 2009 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Background:
Nature and Extent of CMS Contracting:
CMS reported total obligations for CMS contracts in fiscal year 2008
were $3.6 billion. This amount includes obligations against contracts
that process Medicare claims as well as obligations to other
contractors such as those that operate the 1-800 Medicare help line,
provide program management and consulting services, and support
information technology. The $3.6 billion obligated in 2008 represents a
71 percent increase since 1998, when $2.1 billion was obligated.
Since 1998, obligations to fiscal intermediaries, carriers, and
Medicare Administrative Contractors (contractors that primarily process
Medicare claims) have decreased approximately 16 percent. Obligations
for other-than-claims processing activities, such as the 1-800 help
line, information technology and financial management initiatives, and
program management and consulting services, have increased 466 percent,
as shown in figure 1. These trends may be explained in part by recent
changes to the Medicare program, including the movement of functions,
such as the help line, data centers, and certain financial management
activities, from the fiscal intermediaries and carriers to specialized
contractors. These specialized contractors, such as beneficiary contact
center contractors and enterprise data center contractors, are
categorized below as other-than-claims processing contractors.
Figure 1: CMS Contracting Trends between 1998 and 2008:
[Refer to PDF for image: vertical bar graph and line graph]
Fiscal year: 1998;
Non-claims processing: $0.4 billion;
Claims processing: $1.7 billion.
Fiscal year: 1999;
Non-claims processing: $0.9 billion;
Non-claims processing, percent increase (based on 1998): 121%;
Claims processing: $1.8 billion;
Claims processing, percent increase (based on 1998): 1%.
Fiscal year: 2000;
Non-claims processing: $1.0 billion;
Non-claims processing, percent increase (based on 1998): 165%;
Claims processing: $1.6 billion;
Claims processing, percent increase (based on 1998): -7%.
Fiscal year: 2001;
Non-claims processing: $0.7 billion;
Non-claims processing, percent increase (based on 1998): 70%;
Claims processing: $1.6 billion;
Claims processing, percent increase (based on 1998): -7%.
Fiscal year: 2002;
Non-claims processing: $1.0 billion;
Non-claims processing, percent increase (based on 1998): 144%;
Claims processing: $1.9 billion;
Claims processing, percent increase (based on 1998): 8%.
Fiscal year: 2003;
Non-claims processing: $1.4 billion;
Non-claims processing, percent increase (based on 1998): 272%;
Claims processing: $1.7 billion;
Claims processing, percent increase (based on 1998): -1%.
Fiscal year: 2004;
Non-claims processing: $1.1 billion;
Non-claims processing, percent increase (based on 1998): 196%;
Claims processing: $1.7 billion;
Claims processing, percent increase (based on 1998): -3%.
Fiscal year: 2005;
Non-claims processing: $1.6 billion;
Non-claims processing, percent increase (based on 1998): 317%;
Claims processing: $1.7 billion;
Claims processing, percent increase (based on 1998): -5%.
Fiscal year: 2006;
Non-claims processing: $2.2 billion;
Non-claims processing, percent increase (based on 1998): 465%;
Claims processing: $1.6 billion;
Claims processing, percent increase (based on 1998): -7%.
Fiscal year: 2007;
Non-claims processing: $2.2 billion;
Non-claims processing, percent increase (based on 1998): 469%;
Claims processing: $1.4 billion;
Claims processing, percent increase (based on 1998): -18%.
Fiscal year: 2008;
Non-claims processing: $2.2 billion;
Non-claims processing, percent increase (based on 1998): 466%;
Claims processing: $1.46 billion;
Claims processing, percent increase (based on 1998): -16%.
Source: GAO analysis of CMS-provided obligation data from the PRISM
database.
[End of figure]
MMA required CMS to transition its Medicare claims processing
contracts, which generally did not follow the FAR, to the FAR
environment through the award of contracts to Medicare Administrative
Contractors. CMS projected that the transition, referred to as Medicare
contracting reform, would produce administrative cost savings due to
the effects of competition and contract consolidation as well as
produce Medicare trust fund savings due to a reduction in the amount of
improper benefit payments. Additionally, the transition would subject
millions of dollars of CMS acquisitions to the rules, standards, and
requirements for the award, administration, and termination of
government contracts in the FAR. Obligations to the new Medicare
Administrative Contractors were first made in fiscal year 2007. CMS is
required to complete Medicare contracting reform by 2011. As of
September 1, 2009, 19 contracts have been awarded[Footnote 10] to
Medicare Administrative Contractors, totaling about $1 billion in
obligations to date.
Except for certain Medicare claims processing contracts,[Footnote 11]
CMS contracts are generally required to be awarded and administered in
accordance with general government procurement laws[Footnote 12] and
regulations such as the FAR; the Health and Human Services Acquisition
Regulations (HHSAR);[Footnote 13] the Cost Accounting Standards (CAS);
[Footnote 14] and the terms of the contract.
Overview of CMS Contract Management:
At CMS, OAGM manages contracting activities and is responsible for,
among other things, (1) developing policy and procedures for use by
acquisition staff; (2) coordinating and conducting acquisition
training; and (3) negotiation, award, administration, and termination
of contracts. Multiple key players work together to monitor different
aspects of contractor performance and execute pre-award and post-award
contract oversight. All but one of the key roles described below are
managed centrally in OAGM. The last, project officers, are assigned
from CMS program offices.
* Contracting officers are responsible for ensuring performance of all
necessary actions for effective contracting, overseeing contractor
compliance with the terms of the contract, and safeguarding the
interests of the government in its contractual relationships. The
contracting officer is authorized to enter into, modify, and terminate
contracts. According to OAGM's invoice review policy, contracting
officers, with the assistance of the contract specialists, review
contractor invoices for compliance with contract terms, among other
things.
* Contract specialists represent and assist the contracting officers
with the contract, but are generally not authorized to commit or bind
the government. The contract specialist assists with the invoice review
process.
* The cost/price team serves as an in-house consultant to others
involved in the contracting process at CMS. By request, the team, which
consists of four contract auditors, provides support for contract
administration including reviewing cost proposals, consultations about
the allowability of costs billed on invoices, and assistance during
contract closeout.
* Project officers serve as the contracting officer's technical
representative designated to monitor the contractor's progress,
including the surveillance and assessment of performance and compliance
with project objectives. According to OAGM invoice review policy,
project officers review certain invoice elements, such as labor and
direct costs, and are required to certify whether the invoice is
approved for payment by signing a Payments and Progress Certification
Form. They may also conduct periodic analyses of contractor performance
and cost data.
CMS utilizes two different databases of acquisition information for a
variety of internal and external reporting on its acquisition
activities. The PRISM database contains basic information such as
contract number, vendor name, and amount obligated. PRISM is used to
develop contract documents and for internal reporting and acquisition
planning. The Enhanced Departmental Contracts Information System (DCIS)
is an HHS database that is used for department-level acquisition
management and to satisfy external reporting requirements. DCIS
collects and forwards information to the Federal Procurement Data
System Next Generation (FPDS-NG), which is a publicly available
database of governmentwide acquisition information. Likewise, FPDS-NG
feeds into www.usaspending.gov, a Web site created in response to the
Federal Funding Accountability and Transparency Act of 2006,[Footnote
15] which required a single searchable Web site, accessible by the
public for free, that reports key information for each federal award.
Federal Acquisition, Contract Types, and Cognizant Federal Agency
Responsibilities:
The contract life cycle includes many acquisition and administrative
activities. Prior to award, an agency identifies a need; develops a
requirements package; determines the method of contracting; solicits
and evaluates bids or proposals; and ultimately awards a contract.
After contract award, the agency performs contract administration and
contract closeout. Contract administration involves monitoring the
contractor's performance as well as reviewing and approving (or
disapproving) the contractor's request for payment. Other tasks may
include audits or reviews of the contractor's costs and compliance with
CAS. The contract closeout process involves verifying that the goods or
services were provided and that administrative matters are completed,
including a contract audit of costs billed to the government and
adjusting for any over-or underpayments based on the final invoice.
Agencies may choose among different contract types to acquire goods and
services. This choice is the principal means that agencies have for
allocating risk between the government and the contractor. Contract
types can be grouped into three broad categories: fixed price
contracts, cost reimbursement contracts, and time and materials (T&M)
contracts. Although the FAR places limitations on the use of cost
reimbursement and T&M contract types, these contract types may be used
to provide the flexibility needed by the government to acquire the
large variety and volume of supplies and services it needs. As
discussed below, these three types of contracts place different levels
of risk on the government and the contractor. Generally, the government
manages its risk, in part, through oversight activities.
* For fixed price contracts, the government agrees to pay a set price
for goods or services regardless of the actual cost to the contractor.
A fixed price contract is ordinarily in the government's interest when
the risk involved is minimal or can be predicted with an acceptable
degree of certainty and a sound basis for pricing exists, as the
contractor assumes the risk for cost overruns.
* Under cost reimbursement contracts, the government agrees to pay
those costs of the contractor that are allowable, reasonable, and
allocable to the extent prescribed by the contract. The government
assumes most of the cost risk because the contractor is only required
to provide its best effort to meet contract objectives within the
estimated cost. If this cannot be done, the government can provide
additional funds to complete the effort, decide not to provide
additional funds, or terminate the contract. Cost reimbursement
contracts may be used only when the contractor's accounting system is
adequate for determining costs applicable to the contract and
appropriate government surveillance during performance will provide
reasonable assurance that efficient methods and effective cost controls
are used.[Footnote 16] In order to determine if the contractor has
efficient methods and effective cost controls, contracting officers and
other contracting oversight personnel may perform a comprehensive
review of contractor invoices to determine if the contractor is billing
costs in accordance with the contract terms and applicable government
regulations. In addition, the establishment of provisional and final
indirect cost rates helps to ensure that the government makes payments
for costs that are allowable, reasonable, and allocable to the extent
prescribed by the contract.
* For T&M contracts, the government agrees to pay fixed per-hour labor
rates and to reimburse other costs directly related to the contract,
such as materials, equipment, or travel, based on cost. Like cost
reimbursement contracts, the government assumes the cost risk because
the contractor is only required to make a good faith effort to meet the
government's needs within a ceiling price. A T&M contract may be used
only if the contracting officer prepares a determination and findings
that no other contract type is suitable and if the contract includes a
ceiling price that the contractor exceeds at its own risk.[Footnote 17]
In addition, since these contracts provide no positive profit incentive
for the contractor to control costs or use labor efficiently, the
government must conduct appropriate surveillance of contractor
performance to ensure efficient methods and effective cost controls are
being used.
The FAR defines cognizant federal agency (CFA) as the agency
responsible for establishing forward pricing rates,[Footnote 18] final
indirect cost rates (when not accomplished by a designated contract
auditor), and administering cost accounting standards for all contracts
in a business unit.[Footnote 19] Generally, the CFA is the agency with
the largest dollar amount of negotiated contracts, including options,
with the contractor. In addition, the CFA may be responsible for
establishing provisional indirect cost rates (also known as "billing
rates")[Footnote 20] based on recent reviews, previous rate audits,
experience, or similar reliable data to ensure that estimates are as
close as possible to final indirect cost rates anticipated.
Internal Control:
The Standards for Internal Control in the Federal Government provide
the overall framework for establishing and maintaining internal control
and for identifying and addressing areas at greatest risk of fraud,
waste, abuse, and mismanagement. These standards provide that--to be
effective--an entity's management should establish both a supportive
overall control environment and specific control activities directed at
carrying out its objectives. As such, an entity's management should
establish and maintain an environment that sets a positive and
supportive attitude towards control and conscientious management. A
positive control environment provides discipline and structure as well
as a climate supportive of quality internal control, and includes an
assessment of the risks the agency faces from both external and
internal sources. Control activities are the policies, procedures,
techniques, and mechanisms that enforce management's directives and
help ensure that actions are taken to address risks. The standards
further provide that information should be recorded and communicated to
management and oversight officials in a form and within a time frame
that enables them to carry out their responsibilities. Finally, an
entity should have internal control monitoring activities in place to
assess the quality of performance over time and ensure that the
findings of audits and other reviews are promptly resolved.
Control activities include both preventive and detective controls.
Preventive controls--such as invoice review prior to payment--are
controls designed to prevent errors, improper payments, or waste, while
detective controls--such as incurred cost audits--are designed to
identify errors or improper payments after the payment is made. A sound
system of internal control contains a balance of both preventive and
detective controls that is appropriate for the agency's operations.
While detective controls are beneficial in that they identify funds
that may have been inappropriately paid and should be returned to the
government, preventive controls such as accounting system reviews and
invoice reviews help to reduce the risk of improper payments or waste
before they occur. A key concept introduced in our standards is that
control activities selected for implementation be cost beneficial.
Generally it is more effective and efficient to prevent improper
payments. A control activity can be preventive, detective, or both
based on when the control occurs in the contract life cycle.
Pervasive Deficiencies in Control Procedures at the Contract Level
Increase the Risk of Improper Payments or Waste:
We found pervasive deficiencies in internal control over contracting
and payments to contractors. The internal control deficiencies occurred
throughout the contracting process, that is both pre-and post-award,
and increase the risk of improper payments or waste. These deficiencies
were due in part to a lack of agency-specific policies and procedures
to ensure that FAR requirements and other control objectives were met.
CMS also did not take appropriate steps to ensure that existing
policies were properly implemented nor maintain adequate documentation
in its contract files. Further, the Contract Review Board was not
effective in ensuring proper contract award actions. These internal
control deficiencies are a manifestation of CMS's weak overall control
environment, which is discussed later.
As a result of our work, we estimate that at least 84.3
percent[Footnote 21] of FAR-based contract actions made by CMS in
fiscal year 2008 contained at least one instance in which a key control
was not adequately implemented. (See table 3 in app. I for a list of
the 11 controls we tested, which ranged from ensuring contractors had
adequate accounting systems prior to the use of a cost reimbursement
contract to certifying invoices for payment.) Not only was the number
of internal control deficiencies widespread, but also many contract
actions had more than one deficiency. We also estimate that at least
37.2 percent[Footnote 22] of FAR-based contract actions made in fiscal
year 2008 had three or more instances in which a key control was not
adequately implemented. The high percentage of deficiencies indicates a
serious failure of control procedures over FAR-based acquisitions,
thereby creating a heightened risk of making improper payments or
waste. We determined a control to be "key" based on our review of the
standards for internal control as well as the FAR, HHSAR, and agency
policies and whether inadequate implementation would significantly
increase the risk of improper payments or waste. We also took into
consideration prior audit findings and the contract types CMS most
frequently used. See appendix I for additional details on the controls
we tested and the statistical sample results. We project the results of
our statistical sample conservatively by reporting the lower bound of
our two-sided, 95 percent confidence interval.
CMS's Lack of Policies and Procedures Resulted in Numerous Control
Deficiencies:
The control deficiencies we found were primarily caused by a lack of
agency-specific policies and procedures that would help ensure that
applicable FAR requirements, agency policies, and other control
objectives were met. CMS did not always meet FAR requirements for
specific contract types that were awarded, nor maintain adequate
support for approved provisional indirect cost rates, which are
necessary to determine the reasonableness of indirect costs billed on
invoices. Additionally, CMS did not timely perform or request audits of
incurred direct and indirect costs, which provide assurance that costs
billed by the contractor are allowable and reasonable under the terms
of the contract and applicable government regulations. These control
deficiencies are discussed in detail below and the results of the other
control procedures we tested can be found in appendix I.
* We estimate that at least 46.0 percent of fiscal year 2008 CMS
contract actions did not meet the FAR requirements applicable to the
specific contract type awarded.[Footnote 23] Sixteen contract actions
we tested had deficiencies--of which 1 related to a letter contract,
[Footnote 24] 9 related to cost reimbursement contracts, and 6 related
to T&M contracts. In the case of the letter contract, the contract file
did not contain the authorization for use of the letter contract, which
is required by HHSAR.[Footnote 25] In the case of cost reimbursement
contracts, the FAR states that a cost reimbursement contract may be
used only when the contractor's accounting system is adequate for
determining costs applicable to the contract.[Footnote 26] Of the
contract awards in our sample, we found 9 cases in which cost
reimbursement contracts were used without first ensuring that the
contractor had an adequate accounting system. An adequate contractor
accounting system is key to the government's ability to perform the
various contract oversight activities required by the FAR for cost
reimbursement contracts. In particular, contracting officers and other
members of the federal agency acquisition workforce rely on the
contractors' contract proposals, interim billings, provisional indirect
cost rates, and reports of actual costs incurred (which are used to
finalize the direct and indirect costs billed) all of which are
generated from data maintained in the contractor's accounting system.
In addition to the 9 cases above, during our review of modifications we
observed another 6 cases in which cost reimbursement contracts were
used even though CMS was aware that the contractor's accounting system
was inadequate at the time of award. In one instance, the contracting
officer was aware that a contractor had an inadequate accounting system
resulting from numerous instances of noncompliance with CAS. Using a
cost reimbursement contract when a contractor does not have an adequate
accounting system hinders the government's ability to fulfill its
oversight duties throughout the contract life cycle. Additionally, it
increases risk of improper payments and the risk that costs billed can
not be substantiated during an audit.
When choosing to use T&M contracts, the FAR requires contracting
officers to prepare and sign a determination and finding that no other
contract type is suitable for the acquisition.[Footnote 27] The
justification is required to set forth enough facts and circumstances
to clearly and convincingly justify the specific determination made.
[Footnote 28] We found that the determination and finding was either
not documented or insufficient in six T&M contract awards we reviewed.
In cases when the justification memorandum was prepared, contracting
officers merely quoted language from the FAR but did not set forth
clear and convincing findings--that is, the particular circumstances,
facts, or reasoning essential to support the determination--for why
other contract types could not be used. When the contracting officer
does not clearly and convincingly document the findings that support
using a T&M contract type, OAGM does not have assurance that the
appropriate contract type was used. In addition, for three of the
contract actions, the contract specialist told us that the actions the
document listed to mitigate the risk of awarding a T&M contract were
not performed. Because CMS did not carry out the stated mitigation
strategies used to justify the selection of the T&M contract type, it
increased its exposure to the risk of improper payments or waste.
* We estimate that for at least 40.4 percent of fiscal year 2008
contract actions, CMS did not have sufficient support for provisional
indirect cost rates nor did it identify instances when a contractor
billed rates higher than the rates that were approved for use.[Footnote
29] Specifically, for 17 contract actions that utilized indirect cost
rates, CMS did not have documentation supporting what would be the
appropriate provisional indirect cost rates for the contractor. For an
additional 19 contract actions, the provisional rates either did not
match the indirect rates billed on the invoices or could not be matched
because the invoice did not provide sufficient detail.[Footnote 30] The
FAR states that provisional indirect cost rates shall be used in
reimbursing indirect costs such as fringe benefits or overhead costs
under cost reimbursement contracts[Footnote 31] and are used to prevent
substantial overpayment or underpayment of indirect costs.[Footnote 32]
These rates are generally established by the CFA, contracting officer,
or auditor on the basis of reliable data or previous rate audits and
should be set as close as possible to the anticipated final indirect
cost rates.[Footnote 33] Provisional indirect cost rates provide
agencies with a mechanism by which to determine if the indirect costs
billed on invoices are reasonable for the services provided until such
time that final indirect cost rates can be established, generally at
the end of the contractor's fiscal year. Approval of provisional
indirect cost rates is important given the fact that indirect costs can
be more than 50 percent of the total invoice amount. When the agency
does not maintain adequate support for provisional indirect rates, it
increases its risk of making improper payments.
* We estimate that for at least 52.6 percent of fiscal year 2008
contract actions, CMS did not have support for final indirect cost
rates.[Footnote 34] Specifically, 23 contract actions we tested did not
have documentation of final indirect cost rates or support for the
prompt request of an audit of indirect costs.[Footnote 35] The FAR
states that final indirect cost rates, which are based on the actual
indirect costs incurred during a given fiscal year, shall be used in
reimbursing indirect costs under cost reimbursement contracts.[Footnote
36] The amounts a contractor billed using provisional indirect cost
rates are adjusted annually for final indirect cost rates providing a
mechanism for the government to timely ensure that indirect costs are
allowable and allocable to the contract. Final indirect cost rates are
generally negotiated by the government's negotiating team that includes
the CFA following an audit of a statement of incurred costs submitted
by the contractor.[Footnote 37] CMS officials told us that they
generally adjust for final indirect cost rates during contract closeout
at the end of the contract performance rather than annually mainly due
to the cost and effort the adjustment takes. Moreover, since final
indirect cost rates are established by the CFA, when CMS is not the
CFA, CMS must wait on the CFA to perform the necessary audit work
required to establish the final indirect cost rates. Not annually
adjusting for final indirect cost rates increases the risk that CMS is
paying for costs that are not allowable or allocable to the contract.
Furthermore, putting off the control activity until the end of contract
performance increases the risk of overpaying for indirect costs during
contract performance and may make identification or recovery of any
unallowable costs during contract closeout more difficult due to the
passage of time.
* We estimate that for at least 54.9 percent of fiscal year 2008
contract actions, CMS did not promptly perform or request an audit of
direct costs.[Footnote 38] We found that 25 contract actions for which
this control applied did not have an audit of direct costs promptly
[Footnote 39] performed or requested. Similar to the audit of indirect
costs, audits of direct costs allow the government to verify that the
costs billed by the contractor were allowable, reasonable, and
allocable to the contract. The audit of direct costs is the
responsibility of the contracting officer; however, the contracting
officer may request, for a fee, that the CFA for the contractor perform
the audit work. The FAR does not provide time frames or other
requirements for when the audit of direct costs should be performed
except that such an audit may be necessary for closing out the contract
at the end of contract performance.[Footnote 40] Not annually auditing
direct costs increases the risk that CMS is paying for costs that are
not allowable or allocable to the contract.
CMS Did Not Follow Existing Policies on Invoice Certification and
Purchase Card Oversight:
CMS had policies for invoice certification and purchase card oversight;
however, these policies were not consistently followed. The failure to
follow established agency policy increases CMS's risk of improperly
paying contractor invoices or purchase card transactions.
* We estimate that for at least 59.0 percent of fiscal year 2008
contract actions, the project officer did not always certify the
invoices.[Footnote 41] CMS's Acquisition Policy Notice 16-01 requires
the project officer to review each contractor invoice and recommend
payment approval or disapproval to the contracting officer. This review
is to determine, among other things, if the expenditure rate is
commensurate with technical progress and whether all direct cost
elements are appropriate, including subcontracts, travel, and
equipment. Based on his or her review, the project officer is then to
approve the invoice for payment by signing a Payments and Progress
Certification Form or disapprove by issuing a suspension notice. In one
case, although a contractor submitted over 100 invoices for fiscal year
2008,[Footnote 42] only 8 were certified by the project officer. The
total value of the contract through January 2009 was about $64 million.
* After the project officer's review, the contracting officer or
specialist is also required to review invoices for critical elements
such as compliance with the terms of the contract--including indirect
cost rates--and mathematical accuracy. Based on a cursory review of the
fiscal year 2008 invoices submitted for payment, we found instances in
which the contracting officer or specialist did not identify items that
were inconsistent with the terms of the contract. For example,
facilities capital cost of money is generally disallowed by HHSAR.
[Footnote 43] However, we found two instances where the contractor
billed, and CMS paid, this cost. Another contractor submitted invoices
under its fixed price contract that were contrary to the payment
schedule stipulated in the contract terms. The contract required the
contractor to submit four invoices of equal amount every 3 months
during the 1-year performance period. However, the contractor submitted
one invoice for the entire amount of the contract. Moreover, the
invoice was dated prior to the start date of the contract period of
performance. CMS increases its risk of making improper payments when it
does not properly review and approve invoices prior to payment.
* OAGM also did not perform required audits and reviews of CMS purchase
cards to identify fraud or waste.[Footnote 44] These audits and reviews
are particularly important because of the authorized spending limits.
As of July 15, 2009, OAGM's purchase card program had issued 123 cards
with 20 percent having monthly spending limits of at least $50,000.
Eight card holders had monthly spending limits of $100,000, the highest
spending limit authorized by CMS. Without sufficient oversight of the
purchase card program, CMS does not have assurance that only allowable
transactions are procured through purchase cards and that the purchase
cards are not being used to circumvent FAR competition requirements.
The HHS purchase card policy guidance provides that the purchase card
coordinator, which at CMS is within OAGM, is required to conduct
surveillance of the purchase card program by annually auditing
cardholder transactions using such methods as statistical and
nonstatistical sampling, data mining, and spot checks; monitoring
purchase card usage; and deactivitating purchase cards when
appropriate, among other things. The OAGM purchase card coordinator's
supervisor told us that OAGM did not perform the oversight activities
because the supervisor viewed those activities as the responsibility of
the Office of Financial Management (OFM). We spoke with an OFM official
who stated that OFM does not review purchase card transactions for
fraud or inappropriate use, but instead pays the purchase card invoice
based on the authorizing official's approval.
CMS Did Not Maintain Adequate Documentation in Its Contract Files:
During the tests of control procedures, we observed that the contract
files did not always contain all required documentation to support the
contract actions we reviewed. Standards for internal control call for
transactions and other significant events to be clearly documented, and
the documentation should be readily available for examination. In
addition, the FAR provides that the documentation in the contract files
shall be sufficient to constitute a complete history of the contract
action for the purpose of providing a basis for informed decisions at
each step in the acquisition process, and providing information for
reviews and investigations, among other things.[Footnote 45] Clearly
documenting the history of a contract action is an important tool that
provides management with assurance that the agency has complied with
applicable regulations and has made well-informed decisions for
efficient contract management. Incomplete or inadequate contract files
and documentation hinder the ability of the contracting officers to
perform their oversight duties, especially those who assume
responsibility for contracts that have changed hands during the life of
the contract.
CMS contract files did not always contain documentation necessary to
support the action and that would provide contracting officers with the
tools they needed to adequately perform their oversight functions.
Specifically, we found a contract file was missing a statement of work
and another file was missing a copy of the actual contract. In
addition, two contract files did not maintain any information regarding
the General Services Administration schedule contract that was valid at
the time of the award of the task order. In numerous instances, we
determined that the letter delegating duties to the project officer and
the training certificate for the project officer--both of which are
required by OAGM policies--were not in the file. Also, a chronological
list of contracting officers and their dates of responsibility, which
provides an important tool for establishing accountability for contract
files over time, was consistently absent.
Additionally, we found that CMS's use of negotiation memorandums was
inconsistent. The HHSAR provides[Footnote 46] that the negotiation
memorandum is a complete record of all actions leading to the award of
a contract and should be in sufficient detail to explain and support
the rationale, judgments, and authorities upon which all actions were
predicated and should be signed by the contract negotiator. However, we
found that negotiation memorandums were not always prepared for actions
in which they were clearly required, and were prepared for actions in
which they may not be required, according to HHSAR. Moreover, while
many negotiation memorandums we reviewed had signature blocks for both
the contract specialist and the contracting officer (generally the
preparer and reviewer, respectively) the memorandums were not always
signed by the contracting officer.
Contract Review Board Not Effective in Ensuring Proper Contract Award
Actions:
CMS's OAGM established the Contract Review Board (CRB) reviews as a key
control procedure to help ensure contract award actions are in
conformance with law, established policies and procedures, and sound
business practices. However, our review of the CRB process found that
the process had not been properly or fully implemented. For example, of
the 22 contracts selected to be reviewed by the CRB in 2008, only 7
were actually reviewed. Similarly, for fiscal year 2009, 22 contracts
were selected for the CRB but only 2 have been reviewed as of the end
of the third quarter. Also, the contracting officer for the contract
action being reviewed is neither required to reach consensus with the
CRB on the resolution of issues identified nor to document the
justification for not resolving CRB issues. Moreover, CMS is not
following its policies for selecting the contracts to be reviewed by
the CRB. While OAGM's policies require that all contracts above $10
million be subjected to the CRB, CMS confirmed that only contracts
nominated by division directors are reviewed. If used correctly, the
CRB can be an effective tool for risk-based quality assurance and for
reviewing the internal controls throughout the contract award and
administration process. However, because CMS policies do not require
issues to be resolved and documented and because CMS is not fully
implementing the CRB, opportunities to identify and fix deficiencies in
the contract administration process and to improve internal controls
may be missed.
Weak Control Environment Hinders CMS's Ability to Manage its FAR-based
Acquisition Process:
In addition to the deficiencies in contract-level control procedures as
discussed previously, CMS's FAR-based contract management was impaired
by a weak control environment. CMS's control environment is
characterized by the lack of strategic planning to identify necessary
staffing and funding, a lack of reliable data for effectively carrying
out contract management responsibilities, very limited actions taken on
the recommendations we made in 2007 related to contracting and payments
to contractors, and a lack of procedures for managing contract audits
which are essential to managing and overseeing the growing value of
contracting activities. A positive control environment sets the tone
for the overall quality of an entity's internal control, and provides
the foundation for an entity to effectively manage contracts and
payments to contractors. Without a strong control environment, the
control deficiencies we identified during this review will likely
persist.
OAGM Management Has Not Determined CMS Contract Management Staffing and
Funding Resource Requirements:
OAGM management has not analyzed its contract management workforce and
related funding needs through a comprehensive, strategic acquisition
workforce plan. Such a plan is critical to help manage the increasing
acquisition workload and meet its contracting oversight needs. We
reported in November 2007[Footnote 47] that staff resources allocated
to contract oversight had not kept pace with the increase in CMS
contract awards. A similar trend continued into 2008. While the
obligated amount of contract awards has increased 71 percent since
1998, OAGM staffing resources--its number of full time equivalents
(FTE)--has increased 26 percent. This trend presents a major challenge
to contract award and administration personnel who must deal with a
significantly increased workload without additional support and
resources.
While CMS has data on its workforce changes since January 2007
(attritions and additions), documentation requesting additional FTEs
for a specific project, and, in its fiscal year 2010 budget, a request
to hire contract support staff to help meet contract and grant
administration needs, CMS has not yet determined the amount of total
FTEs needed for the fiscal year and beyond. For example, the
documentation did not contain an analysis of the workload anticipated
for the year, such as the total number of new awards, the number of
active contracts by contract type, the number of CMS contracts under
HHS's cognizance, or the number and type of audits needed. The
documents did not contain information on CMS's current FTE level, skill
mix, or analysis of any skill gaps. Without this information, OAGM has
limited insight into appropriate solutions, such as the use of
contractor support staff. While the use of contractor support staff has
in recent years become commonplace in the federal government, we have
previously reported[Footnote 48] that using contractors for contract
administrative functions may increase the risk of establishing
unauthorized personal services contracts or the risk of contractors
performing inherently governmental functions, both of which are
prohibited by FAR.[Footnote 49]
According to its staff and management, OAGM is challenged to meet the
various audit requirements necessary to ensure adequate oversight of
contracts that pose more risk to the government, specifically cost
reimbursement contracts, as well as perform the activities required of
a CFA. While officials told us they could use more audit funding, we
found that OAGM management had yet to determine what an appropriate
funding level should be. Without knowing for which contractors
additional CFA oversight is needed, CMS does not know with certainty
the number of audits and reviews that must be performed annually or the
depth and complexity of those audits. Without this key information, CMS
can not estimate an adequate level of audit funding that it needs.
During interviews and our on-site review of contract files, we were
told by OAGM senior management and contracting officers and specialists
that the first set of activities that the contracting officers and
specialists tend to neglect under resource constraints was post-award
administration and contract closeout. Moreover, while OAGM management
told us that staff worked hard to comply with its instructions to
follow all applicable FAR requirements, CMS staff told us they take
shortcuts due to resource constraints. For example, one contract
specialist told us she prepared the Independent Government Cost
Estimate based on the winning contractor's proposed costs instead of
conducting her own independent research to determine the government's
benchmark for the reasonableness of the costs of the scope of work.
Additionally, as previously discussed, CMS officials told us that
incurred cost audits are not performed annually primarily due to
insufficient resources. A shortage of financial and human resources
creates an environment that introduces vulnerabilities to the
contracting process, hinders management's ability to sustain an
effective overall control environment, and ultimately increases risk in
the contracting process.
CMS Lacks Reliable Data Needed to Effectively Carry Out Contract
Management Responsibilities:
Although CMS has generally reliable information on basic attributes of
each contract action, such as vendor name and obligation amount, CMS
lacks reliable management information on other key aspects of its FAR-
based contracting operations, including the number of certain contract
types awarded, the extent of competition achieved, and total contract
value. Standards for internal control provide that for an agency to
manage its operations, it must have relevant, reliable, and timely
information relating to the extent and nature of its operations,
including both operational and financial data, that should be recorded
and communicated to management and others within the agency who need it
and in a form and within a time frame that enables them to carry out
their internal control and operational responsibilities. The
acquisition data errors are due in part to a lack of sufficient quality
assurance activities over the data entered into the acquisition
databases. Without accurate data, CMS program managers do not have
adequate information to identify and monitor areas that pose a high
risk of improper payments or waste. Moreover, inaccurate or incomplete
data hinder CMS's ability to mitigate through additional policies or
enhanced oversight any high-risk areas, such as the frequent use of
cost reimbursement contracts, that would be identified based on reports
or analysis of the databases. The errors in DCIS, including the
unrecorded actions, also impact governmentwide reporting. The Office of
Management and Budget (OMB) requires agencies to submit their
acquisition data to the Federal Procurement Database System-Next
Generation (FDPS-NG). Since HHS submits DCIS data to the FDPS-NG, which
in turn feeds into OMB's publicly available database at
www.usaspending.gov, the DCIS errors noted above are provided to the
public and limit the usefulness and transparency of this important
tool.
* We estimate that for at least 34.9 percent of fiscal year 2008
contract actions,[Footnote 50] PRISM contained at least one error in
the selected critical fields we reviewed. In particular, we found that
PRISM contained 16 errors in a field we reviewed that designated the
extent to which the contract was competed, for example, full and open
competition or not competed as a result of being a logical follow-on to
a previous contract. Additionally, we determined that the award type
field in PRISM did not capture consistent information. For example, the
field had prepopulated options associated with both award type (basic
ordering agreement, delivery order, letter contract, etc.) and contract
type (cost reimbursement, fixed price, and T&M). Combining these
options into one data field prevents CMS from determining the total
number of each award type and each contract type, making it difficult
to accurately determine CMS's contracting trends. OAGM officials told
us that the data entered into PRISM are not subjected to a secondary
review in which the data entered are compared to the information in the
contract file.
* We estimate that for at least 54.2 percent of fiscal year 2008
contract actions,[Footnote 51] DCIS contained at least one error in the
selected critical fields we reviewed. DCIS contained errors in current
contract value and ultimate contract value fields,[Footnote 52] as well
as the extent of competition, contract type, and award type fields.
Further, 11 sample items, or approximately 10 percent of the sample,
were not in DCIS. Our high-level data analysis on the population of
fiscal year 2008 contract actions identified that certain required
fields, such as contract type and competition, contained blank
responses and "nulls". We also noted obvious errors. For example, CMS
entered codes for "potato farming" and "tortilla manufacturing" in the
industry code field for two contract actions.
* Prior to calendar year 2008, CMS did not have quality assurance
activities, such as formal data entry reviews or database training,
over the data contained in the DCIS database. In December 2007, OAGM
established a Verification and Validation Plan for DCIS Accuracy
Improvements (V&V). The V&V plan contained several actions, including a
secondary review of data entered into DCIS for every 50th contract
action. The V&V plan lacks key elements and controls to ensure that the
resolution of potential errors is properly documented and errors are
corrected in a timely manner. For example, OAGM officials could not
determine if all errors identified during the file reviews were
properly resolved and the appropriate adjustments to DCIS were made.
Additionally, while staff training was provided in January 2008, the
DCIS data entry instructions were later modified with new information.
In one instance, we noted that the DCIS preparer and the reviewer were
using different versions of the instructions resulting in confusion
over what would be the appropriate DCIS entry. OAGM officials provided
us with the results for the V&V plan for 2008, which showed that 23 of
the total 2,031 contract actions entered into DCIS in 2008 were
reviewed for accuracy, which is approximately every 88th action.
Seven of Nine GAO 2007 Recommendations Remain Substantially Unresolved:
As of July 22, 2009, CMS management had not taken substantial actions
to address our prior recommendations to improve internal control in the
contracting process. Only two of GAO's nine 2007 recommendations had
been fully addressed. Table 1 summarizes, and appendix II provides
additional detail on, our assessment of the status of CMS's actions to
address our recommendations. The seven substantially unresolved
recommendations represent a lack of action on the part of CMS
management to resolve key control deficiencies.
Table 1: GAO Assessment of Status of CMS Actions Taken to Address 2007
Recommendations:
(1); GAO recommendation: Develop policies and criteria for pre-award
contract activities;
GAO assessment of status: No action taken.
(2); GAO recommendation: Develop policies and procedures to help ensure
that cognizant federal agency responsibilities are performed;
GAO assessment of status: Actions insufficient. No policies or
procedures developed. See discussion below.
(3); GAO recommendation: Develop agency-specific policies and
procedures for the review of contractor invoices so that key players
are aware of their roles and responsibilities;
GAO assessment of status: Completed.
(4); GAO recommendation: Prepare guidelines to contracting officers on
what constitutes sufficient detail to support amounts billed on
contractor invoices to facilitate the review process;
GAO assessment of status: No action taken.
(5); GAO recommendation: Establish criteria for the use of negative
certification in the payment of a contractor's invoices to consider
potential risk factors;
GAO assessment of status: No action taken.
(6); GAO recommendation: Provide training on the invoice review
policies and procedures to key personnel responsible for executing the
invoice review process;
GAO assessment of status: Actions taken do not achieve intent of
recommendation. Training was provided; however, invoice review policies
have not yet been sufficiently revised to address our recommendations.
(7); GAO recommendation: Create a centralized tracking mechanism that
records the training taken by personnel assigned to contract oversight
activities;
GAO assessment of status: Completed.
(8); GAO recommendation: Develop a plan to reduce the backlog of
contracts awaiting closeout;
GAO assessment of status: Actions insufficient. See discussion below.
(9); GAO recommendation: Review the questionable payments identified in
this report to determine whether CMS should seek reimbursement from
contractors;
GAO assessment of status: Actions insufficient. See discussion below.
Source: GAO.
[End of table]
* Policies and criteria for pre-award contract activities have not been
developed. In our 2007 report, we recommended that CMS develop policies
for certain pre-award contract activities, such as analysis to justify
the contract type selected and verification of the adequacy of the
contractor's accounting system prior to the award of a cost
reimbursement contract. However, no new policies or guidance were
developed, because in CMS's view, policies and criteria are already
established in the FAR and HHSAR. While the FAR provides requirements
for federal acquisitions, it is up to the agencies to develop and
provide their contracting workforce with specific policies and day-to-
day procedures that guide them in implementing those requirements and
to tailor the policies to address the specific operational environment.
Agency-specific policy may include guidance on applicable approval
levels, time frames, agency forms, and routing processes. Also, while
the HHSAR provides additional guidance and policies specific to HHS,
the HHSAR does not specifically address all of the pre-award contract
activities that we identified as needing improvement, nor does it
delineate the roles and responsibilities of the different staff
involved in the contracting process or establish time frames for when
certain pre-award contract activities should be performed. The
deficiencies identified in this report, especially those associated
with FAR requirements unique to specific contract types, further
highlight the need for additional guidance for contracting officers.
* Roles and responsibilities for implementation of CFA responsibilities
not clearly defined. The FAR requires that CFAs perform certain
oversight and monitoring activities. The CFA concept provides an
efficient way for contractors to receive a streamlined set of audits
and reviews, thereby enabling them to receive and perform government
contracts. In our 2007 report, we found that CFA responsibilities were
inadequately fulfilled and recommended that CMS develop policies and
procedures to ensure that CFA responsibilities were performed. In a
recommendation resolution report, HHS stated that policies and
procedures were needed at both the department level and at CMS. As of
July 2009, neither HHS nor CMS had developed such policies and
procedures or a mechanism to track the CMS contractors for which
additional oversight is needed. Moreover, roles and responsibilities
for the performance of CFA duties were not clear among HHS and its
components, including CMS.
During an interview with CMS, HHS, NIH, and HHS Office of Inspector
General (OIG) officials, HHS officials stated that CFA responsibilities
lie at the HHS department level. However, HHS officials also said that
certain CFA responsibilities are delegated to HHS components and to
contracting officers. Specifically, NIH was assigned responsibility to
establish indirect rates for the contractors under HHS's cognizance,
but contracting officers within HHS components are responsible for
other CFA duties. However, during the meeting, the officials could not
clearly explain how the performance of these duties was monitored to
ensure that CFA oversight takes place. HHS officials said that they did
not have a process to identify the contractors, including CMS
contractors, for which HHS would be the CFA. Without a list that is
periodically updated for the contractors' portfolio of federal
government contracting activity, HHS and its components do not know the
contractors for which CFA oversight is needed.
NIH officials acknowledged their centralized role in determining
indirect rates, but noted that NIH did not have the resources necessary
to determine the indirect rates for the contractors under HHS's
cognizance. CMS officials told us that when NIH can not perform the
reviews within the needed time frames to make timely contract awards,
CMS's cost/price team establishes the rates. The confusion over roles
and responsibilities increases the risk that CFA responsibilities are
not being timely performed, if at all. Without effective coordination,
contractors may not receive the necessary oversight and the government
may not be positioned to protect itself from the risk of improper
payments or waste. The risks of not performing CFA duties are
exacerbated by the fact that other federal agencies that use the same
contractors rely on the oversight and monitoring work of the CFA.
* CMS policies did not provide guidance on what constitutes sufficient
detail to support amounts billed on contractor invoices to facilitate
the review process. Despite our prior recommendation, CMS had not
prepared guidelines or revised its invoice review policy to specify or
provide examples of sufficient detail that would be needed to support
contractor invoices to facilitate an adequate review. In fact, most of
the invoices we reviewed were not sufficiently supported. We identified
invoices missing payroll detail, travel receipts, and subcontractor
invoices, all of which are necessary to provide the reviewers adequate
information to confirm if the amounts billed were compliant with the
terms of the contract or otherwise allowable and allocable to that
contract. In one instance, invoices reported labor costs based on labor
categories, but did not show hours worked by employees or their
respective labor rates. In another example, a contractor submitted an
invoice in 2008 for services that were provided in 2003. The contractor
did not provide supporting documentation for the $36,944 billed.
Neither the invoice paid in 2008, nor the related file included
evidence that the charge was investigated or further evaluated by
either the project officer or contracting specialist. While different
levels of review may be required based on the complexity of individual
invoices and associated contract type, inadequately reviewing invoices
increases the risk of improper payments.
* CMS has not set criteria for the use of negative certification. We
recommended in our 2007 report that CMS establish criteria for the use
of negative certification in the payment of contractor invoices which
would consider potential risk factors. CMS uses negative certification--
a process whereby it pays contractor invoices without knowing whether
they were reviewed and approved--in order to ensure invoices are paid
in a timely fashion. This approach, however, significantly reduces the
incentive for contracting officers, specialists, and project officers
to review the invoice prior to payment. Reviewing invoices prior to
payment is a preventive control which may result in the identification
of unallowable billings, especially on cost reimbursement and T&M
invoices, before the invoices are paid. In light of the importance of
this preventive control, we recommended that CMS establish criteria for
when to use negative certification; such criteria may be based on
considerations of potential risk factors such as contract type, the
adequacy of the contractor's accounting system, and prior history with
the contractor. We found, however, that OAGM's invoice review policy
was not revised to address this recommendation and OAGM officials
confirmed that negative certification is still the primary method for
paying invoices regardless of risks.
* Training on invoice review procedures still needed. As discussed
earlier, project officers did not always certify invoices for approval
and contracting officers or specialists did not always identify
instances where invoices did not comply with contract terms and
conditions. We also found that invoices were not always maintained in
the file, as required by CMS's invoice review policy. In light of these
continuing deficiencies, and the need for further revisions to its
invoice review policy described above, further training on invoice
review procedures will be necessary.
* Continuing backlog of contracts overdue for closeout. In 2007, we
reported that CMS did not timely perform contract closeout procedures
resulting in a backlog of 1,300 contracts, of which 407 were overdue
for closeout as of September 30, 2007. We recommended that CMS develop
a plan to reduce the number of contracts in the backlog. CMS did not
provide us a closeout plan for fiscal year 2008 and the fiscal year
2009 plan was insufficient. Specifically, the plan did not include a
comprehensive strategy to reduce the backlog of contracts that are
eligible and overdue for closeout nor did it contain a workload
analysis, such as a list of contracts eligible for closeout by
contracting officer or specialist or an estimate of the number of hours
or audit funds it would need to close the contracts.
The FAR establishes time standards for closing out a contract after the
work is physically completed (i.e., goods or services are provided).
[Footnote 53] The contract closeout process is an important internal
control, in part, because it is generally the last opportunity for the
government to detect and recover any improper payments. The complexity
and length of the closeout process can vary with the extent of
oversight performed by the agency during the period of performance and
the contract type.[Footnote 54]
CMS officials told us that during fiscal year 2008, OAGM closed 581
contracts and reduced the overdue backlog to 400 contracts (from the
407 reported at the end of fiscal year 2007).[Footnote 55] Yet OAGM
officials could not provide support for these closures or a list of the
contracts overdue for closeout. Additionally, CMS officials stated that
as of July 29, 2009, the total backlog of contracts eligible for
closeout was 1,611, with 594 overdue based on FAR timing standards.
This is a substantial increase over the balances at the end of fiscal
year 2007. Moreover, the total contract value of contracts eligible for
closeout has increased from $3 billion to at least $3.8 billion.
Insufficient progress has been made to reduce the backlog of contracts
eligible for closeout. The closeout process is particularly important
for cost reimbursement contracts because a contractor is allowed to
bill costs it incurred to provide the good or service. During the
closeout process, the government audits these billed costs to determine
if they were allowable and allocable to the contract, and processes the
final invoice with an adjustment for any over-or underpayments. The
failure to perform contract closeouts in a timely manner puts CMS at
increased risk of improper payments or waste, and may make
identification and recovery of any such improper payments more
difficult due to the passage of time.
* CMS has not taken sufficient actions to investigate and recover
questionable payments. CMS described several actions it has taken to
investigate payments made to 3 of the 12 contractors for which we
identified questionable payments. The actions CMS has taken to date are
insufficient to fully resolve the issues identified and more remains to
be done to recover funds that may have been inappropriately paid to
contractors.
For example, CMS highlighted $67 million in questionable payments that
were related to one specific contractor and stated that these
questionable payments are being investigated via a fiscal year 2008
incurred cost audit. However, the $67 million related to costs incurred
in fiscal years 2004, 2005, and 2006 and therefore would not be covered
or investigated in an audit of fiscal year 2008 incurred costs.
Additionally, CMS said it had resolved the questionable payments made
to another contractor; however, CMS's actions did not relate to the
$1.4 million in payments CMS made in fiscal year 2006 that we
questioned. Regarding a third contractor, CMS issued a demand letter in
April 2007 to recover funds the contractor billed and CMS paid in
excess of contract ceiling limits; however, no resolution has yet been
reached. CMS could not tell us whether it had recovered any of the
questioned amounts.
CMS's resolution of questionable payments of the magnitude we
identified ($88.8 million) in the prior report should be performed
expeditiously. As a steward of taxpayer dollars, CMS is accountable for
how it spends and safeguards funds as well as having mechanisms in
place to recoup those funds when improper payments are identified. CMS
relies on incurred cost audits that are conducted at the end of
contract performance when the contract is closed to validate the
overall propriety of payments. As discussed earlier, incurred cost
audits are best conducted annually, rather than at the end of contract
performance. CMS's backlog of contracts eligible for closeout delays
investigations and makes recovery more difficult.
CMS Does Not Track, Investigate, and Resolve Contract Audit and
Evaluation Findings to Aid Decision Making:
CMS does not track, investigate, and resolve contract audit and
evaluation findings for purposes of cost recovery and future award
decisions. Tracking audit and evaluation findings strengthens the
control environment in part because it can help assure management that
the agency's objectives are being met through the efficient and
effective use of the agency's resources. It can also help management
determine whether the entity is complying with applicable acquisition
laws and regulations. Contract audits and evaluations can add
significant value to an organization's oversight and accountability
structure, but only if management ensures that the results of these
audits and evaluations are promptly investigated and resolved.
During our review of the contract files, we noted that audits and
evaluations CMS requested of organizations such as DCAA or performed by
the CMS cost/price team identified questionable payments, accounting
system deficiencies, and other significant weaknesses or deficiencies
associated with certain CMS contractors. However, we could not
consistently determine how the contracting officer or other OAGM staff
followed up on the results of these audits and noted that CMS was not
always taking the results of these audits and evaluations into
consideration when making decisions relating to future contract awards.
For example, in an audit report dated September 30, 2008, DCAA
questioned approximately $2.1 million of costs that CMS paid to a
contractor in fiscal year 2006. OAGM management confirmed that no
action has been taken to investigate and recover the challenged costs.
In another instance, the contracting officer--based on the results of a
cost/price team evaluation of a contractor's technical capability and
negative results of DCAA audits--deemed the contractor "risky" during
the pre-award contract proposal evaluation process. Nevertheless, the
contracting officer awarded the cost reimbursement contract to this
"risky" contractor. We found no evidence of any plans or procedures
that would mitigate the identified risks.
CMS has not established a formal procedure or system for tracking and
pursuing the results of contract or contractor audits and had not
provided its contracting officers guidance or procedures for when to
request the assistance of internal and external audit and evaluation
services. For example, OAGM did not provide direction on when (what
stage(s) in the contract life cycle and under what circumstances) the
contracting officer should utilize the service of the cost/price team
or other contract auditors. By not timely acting on audit results or
fully incorporating knowledge identified by cost/price evaluations or
other audits into award decisions, CMS is forgoing the potential
benefits from those audits and evaluations. A well-established tenet
for recovery of improper payments is that it becomes increasingly more
difficult with the passage of time. Careful and prompt consideration of
audit results, including tracking and pursuing findings, helps to
reduce the risk of improper payments or waste, and making other-than-
the-best award decisions.
Conclusion:
The contract-level and overall control environment weaknesses we found
significantly increase CMS's vulnerability to improper or wasteful
contract payments. To address these deficiencies, CMS will need to
develop and implement CMS-specific policies and procedures to ensure
that contract actions are properly administered and comply with
applicable requirements. CMS also needs to strengthen its overall
contract management control environment, including developing strategic
workforce plans, establishing appropriate contract management oversight
procedures, and maintaining reliable management information.
In addition, CMS management has made limited progress in substantively
addressing most of the broad-based recommendations from our 2007
report. We found that many of our findings in this review could be, at
least in part, attributed to CMS management's lack of attention given
to resolving the control deficiencies. Consequently, we are reiterating
our previous recommendations to (1) develop policies for pre-award
contracting activities, (2) develop policies to help ensure CFA
responsibilities are performed, (3) prepare guidelines on what
constitutes sufficient detail to support contractor invoices, (4)
establish criteria for the use of negative certification, (5) provide
training on revised invoice review policies, (6) develop a plan to
reduce the backlog of contracts eligible for closeout, and (7) review
the questionable payments identified in the prior report to determine
if payments are recoverable.
The continuing weaknesses in contracting activities and limited
progress in addressing known deficiencies raise questions concerning
whether CMS management has established an appropriate "tone at the top"
regarding contracting activities. Until CMS management addresses our
previous recommendations in this area, along with taking action to
address the additional deficiencies identified in this report, its
contracting activities will continue to pose significant risk of
improper payments, waste, and mismanagement. Further, the deficiencies
we identified are likely to be exacerbated by the rise in obligations
for non-claims processing contract awards as well as CMS's extensive
reliance on contractors to help achieve its mission objectives. It is
imperative that CMS take immediate action to address its serious
contract-level control deficiencies and take action on our previous
recommendations to improve contract-level and overall environment
controls or CMS will continue to place billions of taxpayer dollars at
risk of fraud, or otherwise improper contract payments.
Recommendations for Executive Action:
We make the following nine recommendations to the Administrator of CMS
to develop and implement policies and procedures to ensure that FAR
requirements and other control objectives are met. Policies and
procedures should:
* Document compliance with FAR requirements for different contract
types. At a minimum, enhance current documentation, such as the
contract checklist, to ensure the contract file documents
authorizations for letter contracts, adequacy of the contractors
accounting systems, and determination and findings for time and
materials contracts, when applicable.
* Document in the contract file provisional indirect cost rates used as
a basis for reviewing the reasonableness of the indirect costs billed
on the contractor invoices.
* Specify what constitutes timely performance of (or request for)
audits of contractors' statements of incurred cost for cost
reimbursement and T&M contracts, including circumstances when OAGM
should perform the audit itself or request another organization to
perform the service.
* Specify circumstances under which negotiation memorandums should be
used and the content of such, and any required secondary reviews, in
light of HHSAR requirements and current OAGM practice.
* Specify Contract Review Board review documentation to include, at a
minimum, documentation of the number of contracts reviewed each year,
the issues identified by the CRB reviewer(s), and resolution of issues
identified during the CRB reviews.
* Require Division Directors to periodically assess, document, and
report to senior management on the results of their review of whether
the contract files contain documentation that invoices were properly
reviewed by both the project officer and contracting officer or
specialist.
To strengthen the control environment, we recommend that OAGM
management:
* Develop and implement a comprehensive strategic acquisition workforce
plan. The plan should include, at a minimum, elements such as
performance goals, time frames, implementation actions, and resource
requirements, and address issues such as OAGM workload, full time
equivalents needed, and a workforce skills analysis, as well as an
estimate of the amount of resources OAGM needs to fulfill the audit and
other FAR requirements for comprehensive oversight, including those
required of a CFA.
* Revise the Verification and Validation Plan for DCIS Accuracy and
Improvements policy to require all relevant errors be corrected and
their resolution documented.
* Develop and implement policies and procedures for tracking contract
audit requests, monitoring the results of contract audits and
evaluations, and resolving the audit findings, to include roles and
responsibilities of the contracting officer, specialist, and members of
the cost/price team.
We make the following recommendation to the Secretary of HHS to improve
the department's fulfillment of CFA duties as described in FAR.
* Develop policies and procedures that clearly assign roles and
responsibilities for the timely fulfillment of CFA duties, and that
include the preparation of and periodic update of a list of contractors
for which the department is the CFA.
Agency Comments and Our Evaluation:
In written comments on a draft of this report (reprinted in their
entirety in appendix III), CMS and HHS agreed with each of our 10 new
recommendations and described steps planned to address them. CMS also
stated that the recommendations will serve as a catalyst for
improvements to the internal controls for its contracting function. In
its comments, CMS also expressed concerns about the scope and timing of
our work with respect to our November 2007 recommendations and
disagreed with our assessment of the status of 5 of the 7
recommendations we made in that report. We address the concerns CMS
raised in its comment letter below and include additional information
at the end of appendix III.
In its comments, CMS stated its belief that the 11 internal controls we
reviewed did not provide a complete picture of its internal controls
over contract management activities. We acknowledge that there are many
internal controls that are and can be instituted by agencies to help
safeguard assets, prevent and detect fraud and errors, and help
government program managers achieve desired results through effective
stewardship of public resources. As described in appendix I, we
selected 11 controls that we determined to be "key" based on GAO's
standards for internal control, the FAR and HHSAR, CMS's policies and
procedures, and other factors including our prior audit findings
regarding CMS's acquisition controls and the nature of CMS's
acquisition function.
CMS stated its belief that "virtually all" of the errors we identified
related to "perceived documentation deficiencies." CMS stated it was
encouraged that the errors we found did not involve more substantive
departures from the FAR or HHSAR. We disagree with CMS's overall
assessment of our findings and message of the report. The internal
controls we tested are key to ensuring that contracting activities,
both pre-award and post-award, mitigate risks to the federal
government. A number of the findings we identified during the testing
of a statistically valid sample of contract files involved the lack of
documentation that the controls were performed. Lack of documentation
reduces management's ability to ascertain whether these important
controls were appropriately implemented and therefore is a serious
internal control deficiency. OAGM management's downplaying of the
overall message of the report--that control deficiencies are pervasive--
further illustrates the weak internal control environment. Setting an
appropriate control environment, especially "tone at the top," is key
to ensuring that staff take all appropriate steps to mitigate risk and
protect tax dollars from fraud, waste, and abuse.
CMS also stated that a reasonable amount of time had not yet elapsed
since the issuance of our November 2007 report to allow for corrective
actions to have taken place. A significant number of our current report
findings, including weaknesses in the control environment, were based
on observations and interviews with OAGM officials and reviews of
related documentation such as policies and strategic plans. Our current
review was completed in September 2009, nearly 2 years after the
issuance of our November 2007 report. While CMS also stated that the
contract actions we reviewed took place in fiscal year 2008, it is
important to note that we considered the timing of CMS's corrective
actions when evaluating the controls we tested. For example, CMS's
Acquisition Policy 02-03, which identifies level of approvals required
by agency officials based on the estimated dollar value for
acquisitions awarded through other than full and open competition, was
implemented in April 2008. We applied these approval levels only to the
awards and modifications in our sample that were made after the policy
was implemented. Furthermore, our observations and recommendations
related to CMS's control environment are based on conditions that
continued to exist in September 2009.
CMS disagreed with our determination that their actions to address five
of the seven prior recommendations were not sufficient. These prior
recommendations were aimed at improving preventive controls. Preventive
controls, such as policies and criteria for pre-award activities and a
sound invoice review process prior to payment, are the first line of
defense in reducing the risk of improper payments or waste. We continue
to believe that the limited actions OAGM management has taken, and in
some cases, management's inaction, fall short of expectations and miss
the intent of improving CMS's overall system of control over its
acquisition activities.
For example, CMS asserted that its Acquisition Policy 16-01 entitled
"Invoicing Payment Procedures" satisfies two of the prior
recommendations. The intent of these two recommendations was to ensure
that contractors provided adequate support to facilitate an appropriate
detailed review of the invoiced costs prior to payment and that CMS
develop clear risk-based criteria for the use of negative
certification. CMS uses negative certification--a process whereby it
pays contractor invoices without knowing whether they were reviewed and
approved--in order to ensure invoices are paid in a timely fashion. We
examined this policy during our review and found it to be unresponsive
to the recommendations because it did not provide the recommended
additional guidelines on what the contractor should provide that would
constitute sufficient detail to support amounts billed on contractor
invoices. It also did not describe under what circumstances or in what
situations it was acceptable for CMS to use negative certification.
With regard to a third prior recommendation that CMS review the
questionable payments we identified, CMS described in its comment
letter specific actions taken to investigate some of the questionable
payments and subsequently provided documentation of actions it had
taken to investigate the questionable payments we identified for three
contractors. After reviewing this information, we revised our
assessment of the status of efforts taken by CMS from "No Actions
Taken" to "Actions Insufficient." While CMS had taken some action, the
steps have not resolved the questionable payments we identified. For
example, CMS highlighted $67 million that we previously questioned that
was related to one specific contractor and stated that these
questionable payments are being investigated via a fiscal year 2008
incurred cost audit. The $67 million we questioned related to costs
incurred in fiscal years 2004, 2005, and 2006 and therefore would not
be covered or investigated in an audit of fiscal year 2008 incurred
costs. Moreover, as of the date of the report, CMS could not tell us
whether it had recovered any of the questioned amounts. We continue to
believe that CMS's actions to date are insufficient and more actions
are needed to investigate and recover the questionable payments we
identified.
No other changes were made to the report as a result of agency
comments. See appendix III for a discussion of the remaining two prior
recommendations (points 2, 3, and 4) for which CMS disagreed with our
assessment of its progress and our analysis of comments CMS made on our
new recommendations.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from its date. At that time, we will send copies to the Secretary of
Health and Human Services, Administrator of the Centers for Medicare
and Medicaid Services, and interested congressional committees. Copies
will also be available to others on request. In addition, the report
will be available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staff have any questions about this report, please
contact me at (202) 512-9095 or dalykl@gao.gov. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. Major contributors to this report are
acknowledged in appendix IV.
Signed by:
Kay L. Daly:
Director:
Financial Management and Assurance:
List of Requesters:
The Honorable Max Baucus:
Chairman:
The Honorable Charles E. Grassley:
Ranking Member:
Committee on Finance:
United States Senate:
The Honorable Henry A. Waxman:
Chairman:
Committee on Energy and Commerce:
House of Representatives:
The Honorable Edolphus Towns:
Chairman:
Committee on Oversight and Government Reform:
House of Representatives:
The Honorable Claire McCaskill:
Chairman:
Ad Hoc Subcommittee on Contracting Oversight:
Committee on Homeland Security and Government Affairs:
United States Senate:
[End of section]
Appendix I: Scope and Methodology:
To determine the extent to which the Centers for Medicare and Medicaid
Services (CMS) implemented effective internal control procedures over
contract actions, we focused on contracts that were generally subjected
to the Federal Acquisition Regulation. We also interviewed senior
management of CMS's Office of Acquisition and Grants Management (OAGM),
contracting officers and specialists, and cost/price team members as
well as officials in the Office of Acquisition Management and Policy at
the Department of Health and Human Services (HHS). We selected 11
internal controls over contracting and payments to contractors to test
for this report, ranging from ensuring contractors had adequate
accounting systems prior to the use of a cost reimbursement contract to
certifying invoices for payment. We selected controls to test based on
our review of GAO's standards for internal control,[Footnote 56] the
Federal Acquisition Regulation requirements, and agency policies and
procedures, taking into consideration prior audit findings and the
contract types most frequently awarded. The controls we tested are key
to effective administration of the contract in that the lack of
implementation would significantly increase the risk of improper
payments or waste.
To test internal control procedures over contract actions, we selected
a stratified random sample of 102 contract actions totaling $140.7
million in fiscal year 2008 obligations from a population of 2,441
contract actions totaling $2.5 billion in fiscal year 2008 obligations.
We stratified the contract actions by type of action, namely contract
awards and contract modifications, recorded in CMS's PRISM database
from October 1, 2007, through September 30, 2008. Each contract action
was either a new contract award or modification to an existing
contract. With this probability sample, each contract action in the
sample frame had a non-zero probability of being included and that
probability could be computed from any contract action. Each stratum
was subsequently weighted in the analysis to account statistically for
all the contract actions in the sample frame, including those that were
not selected. Results from this statistical sample were projected to
the population of contract actions made from October 1, 2007, through
September 30, 2008. See table 2 for specific details related to
contract actions selected in the sample.
Table 2: Contract Actions in the Sample:
Contract type: Cost reimbursement;
Awards: 14; $19,343,733;
Modifications: 39; $71,718,383;
Total: 53; $91,062,116.
Contract type: Fixed price;
Awards: 17; $2,527,049;
Modifications: 6; $1,054,274;
Total: 23; $3,581,323.
Contract type: Time and materials;
Awards: 11; $11,590,778;
Modifications: 10; $6,921,590;
Total: 21; $18,512,367.
Contract type: Combination[1];
Awards: 0; $0;
Modifications: 5; $27,593,568;
Total: 5; $27,593,568.
Total:
Awards: 42; $33,461,560;
Modifications: 60; $107,287,815;
Total: 102; $140,749,375.
Source Selection: Full and open;
Awards: 14; $15,443,355;
Modifications: 40; $98,426,529;
Total: 54; $113,869,884.
Source Selection: Logical follow-on;
Awards: 4; $2,177,215;
Modifications: 6; $2,354,367;
Total: 10; $4,531,582.
Source Selection: Only one supplier;
Awards: 9; $2,130,305;
Modifications: 6; $1,427,131;
Total: 15; $3,557,436.
Source Selection: 8(a)[2];
Awards: 3; $2,096,448;
Modifications: 2; $421,958;
Total: 5; $2,518,406.
Source Selection: Other[3];
Awards: 12; $11,614,238;
Modifications: 6; $4,657,829;
Total: 18; $16,272,067.
Total:
Awards: 42; $33,461,560;
Modifications: 60; $107,287,815;
Total: 102; $140,749,375.
Source: PRISM.
[1] "Combination" represents contracts that are a combination of
multiple contract types.
[2] "8(a)" represents a source selection made to a contractor in the
Small Business Administration's (SBA) 8(a) program. Contracts awarded
to 8(a) contractors do not require competition if the award is below
certain dollar thresholds and is approved by an SBA official.
[3] "Other" represents other source selections, such as acquisitions
that are authorized by statute (not competed).
[End of table]
We evaluated contract actions that varied in amount of dollars
obligated, contract type (fixed price, cost reimbursement, etc.), and
the type of goods and services procured. The actions in the sample
ranged from a $1,000 firm-fixed price contract for newspapers to a
$17.5 million modification of an information technology contract valued
at over $500 million. We reviewed the contract files supporting actions
in the sample and, as needed, interviewed and solicited further
information from the contracting officer or specialist, CMS's cost/
price team, and senior management. Controls were considered to be
implemented if the performance of the control was documented in either
the contract file or centrally with the cost/price team or if the
contracting officer or specialist provided us with supplementary
documentation or other evidence that the control was performed. The 11
controls we tested may not apply to all contract actions selected in
the sample. For example, having support for provisional indirect cost
rates is required for cost reimbursement contracts but not for other
contract types, such as fixed price contracts. In these instances, we
designated the control to be "not applicable" to the sample item. Table
3 provides further details on the control procedures we tested, the
criteria or source for the procedure, and detailed results.
Table 3: Control Procedures and Detailed Results:
1;
Internal controls: If the contract action relates to a modification,
did CMS properly support and justify the action (e.g., was the new
action within the scope of the underlying contract)?
Criteria/source: It is important for agencies to determine if a
modification is within the general scope of the contract to help ensure
compliance with Federal Acquisition Regulation (FAR) 43-201(a), FAR
6.001(c), and applicable contract funding rules. Further, contract file
documentation shall be sufficient to constitute a complete history of
the contract for the purpose of: (1) providing a complete background as
a basis for informed decisions at each step in the acquisition process,
(2) supporting actions taken, (3) providing information for reviews and
investigations, and (4) furnishing essential facts in the event of
litigation or congressional inquiries. FAR 4.801(b); see also FAR
4.803(a)(26)(iii);
Number of errors in the sample: 5;
Number of sample items to which the control applied[1]: 60;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 3.4%.
2;
Internal controls: For contracts awarded through other than full and
open competition, was the justification documented, approved by the
appropriate official, and does it meet the FAR criteria (e.g., FAR
6.302) for using other than full and open competition?
Criteria/source: FAR 6.303-1 through 6.304; FAR 16.505(b)(5);
FAR 13.106-1(b)(1); CMS's Acquisition Policy Notice 02-03;
Number of errors in the sample: 5;
Number of sample items to which the control applied[1]: 19;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 11.3%.
3;
Internal controls: Is there evidence that the contracting officer
reviewed the contractor's proposals for price reasonableness?
Criteria/source: FAR 15.404-1(a)(1); FAR 15.305 (a)(1); FAR
4.803(a)(19);
Number of errors in the sample: 11;
Number of sample items to which the control applied[1]: 40;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 16.5%.
4;
Internal controls: Did CMS include documentation in the file that
supports its determination that the contractor is "responsible" to
perform under the contract?
Criteria/source: FAR 9.103(a); FAR 9.105-2(b); FAR 4.803(a)(14);
Number of errors in the sample: 16;
Number of sample items to which the control applied[1]: 39;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 28.0%.
5;
Internal controls: Did CMS comply with and document the requirements
unique to the contract type awarded?
Criteria/source: FAR 16.301-3(a)(1); FAR 16.104(h); FAR 16.601(d)(1);
FAR 1.704; Health and Human Services Acquisition Regulations (HHSAR)
316.603-71; FAR 4.803(a)(2) and (22);
Number of errors in the sample: 16;
Number of sample items to which the control applied[1]: 25;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 46.0%.
6;
Internal controls: When applicable, did CMS conduct a technical panel?
If issues were identified by the technical panel or during the price
reasonableness evaluation under control # 3 in this table, did CMS
clearly and sufficiently document how the issues were addressed prior
to the award of the contract?
Criteria/source: Per FAR 15.304(c)(2), agency acquisition officials are
required to evaluate the quality of the product or service for every
contract source selection. See FAR 15.305(a)(3) and 15.308 for specific
documentation requirements. In addition, HHSAR 315.305(a)(3)(ii)(A)(1)
requires a technical evaluation panel for all acquisitions subject to
the HHSAR Subpart 315.3--Source Selection which are expected to exceed
$500,000 and in which technical evaluation is considered a key element
in the award decision. Furthermore, standards for internal control
provide that internal control and all transactions and other
significant events need to be clearly documented and that managers are
required to complete all actions that correct or otherwise resolve the
matters brought to management's attention during the course of a
review. See also FAR 4.801(b);
Number of errors in the sample: 4;
Number of sample items to which the control applied[1]: 27;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 5.4%.
7;
Internal controls: For cost reimbursement and time and materials
contracts (where applicable), are there approved provisional indirect
cost rates on file? If so, do the rates claimed on the contractor's
invoice(s) match the approved provisional indirect cost rates?
Criteria/source: FAR 42.703-1(b) and 42.704. See also FAR 4.803(c);
CMS's Acquisition Policy Notice 16-01;
Number of errors in the sample: 36;
Number of sample items to which the control applied[1]: 62;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 40.4%.
8;
Internal controls: If the contract is subject to an annual incurred
cost audit of indirect costs, did CMS adjust the contractor's billed
indirect rates for final indirect rates?
Criteria/source: The government is required to adjust the provisional
indirect cost rates used by the contractors for the interim
reimbursement of indirect costs based on final indirect rates, which
are generally established by auditing the contractor's report of
incurred costs (both direct and indirect costs). The FAR requires
contractors to submit its report of incurred costs to the government no
later than 6 months after the end of its fiscal year. A contract clause
prescribed by the FAR commits the government to establishing final
indirect cost rates as "promptly as practical" after the receipt of the
contractor's report of incurred costs. For purposes of this report, we
defined "promptly" as an audit or request for an audit within 12 months
of the due date of the contractor's incurred cost report, or a total of
18 months from the end of the contractor's fiscal year end. Twelve
months from the due date of the incurred cost report allows sufficient
time for the agency to determine the financial resources necessary to
perform the audit or pay another agency, such as the Defense Contract
Audit Agency (DCAA), to perform the audit; FAR 42.705-2(b)(2); FAR
42.702(b); FAR 52.216-7(d)(2)(i) and (ii);
Number of errors in the sample: 23;
Number of sample items to which the control applied[1]: 34;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 52.6%.
9;
Internal controls: If the contract is subject to an annual incurred
cost audit of indirect costs, did CMS timely perform or request that
the relevant cognizant federal agency perform an audit of direct costs
to CMS contracts as part of the incurred cost audit; and were any
overbillings recovered?
Criteria/source: The audit of direct costs provides agencies with
reasonable assurance that the direct costs billed to the government are
allowable, reasonable, and allocable to the government contracts.
Therefore, direct cost audits are an important control activity to help
ensure a proper accountability for stewardship of government resources.
In addition, the audit of direct costs is important for the
establishment of final indirect rates. In order to establish final
indirect rates, the government audits the contractor's allocation
bases--which include direct costs--used for calculating and applying
the indirect rates. Direct costs are generally audited by the
government as part of the audit of the contractor's final indirect
rates. For example, DCAA's Information for Contractors Pamphlet, DCAAP
7641.90 (Jan. 2005), § 6-301.b, states that the audit of the
contractors' incurred cost proposal includes an evaluation of both
direct and indirect costs. As such, for purposes of this report, we
evaluated whether CMS requested an audit of direct costs using the same
timing criteria for the audit of indirect costs, that is, 18 months
from the end of the contractor's fiscal year. Twelve months from the
due date of the incurred cost report allows sufficient time for the
agency to determine the financial resources necessary to perform the
audit or pay another agency, such as DCAA, to perform the audit. See
control #8, above;
Number of errors in the sample: 25;
Number of sample items to which the control applied[1]: 36;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 54.9%.
10;
Internal controls: Is there sufficient support for the costs claimed on
the invoices to enable CMS to sufficiently review the contractor's
invoices?
Criteria/source: According to FAR 52.216-7(a)(1), the government will
make payments to the contractor under cost reimbursement and time and
materials contracts in amounts determined to be allowable by the
contracting officer in accordance with the contract cost principles and
procedures in FAR Subpart 31.2. In addition, FAR states that the
government pays contractors under fixed price contracts based on the
submission of proper invoices or vouchers (FAR 52.232-1 and 52.232-2).
In order to determine whether an invoice is proper or complies with FAR
cost principles, contracting officers need to obtain sufficient support
that will provide the basis for such determination. According to the
Treasury Financial Manual, effective control over disbursements
requires a preaudit and approval of vouchers before they are certified
for payment (Vol. I, Part 4, §§ 2020.10, 2020.30, and 2025.10). This
process will include determining whether the payment and the goods
received or services performed were in accordance with the agreement.
In addition, standards for internal control provide that "internal
control and all transactions and other significant events need to be
clearly documented;"
Number of errors in the sample: 53;
Number of sample items to which the control applied[1]: 90;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 49.9%.
11;
Internal controls: Is there sufficient evidence that the project
officer approved all invoices?
Criteria/source: CMS's Acquisition Policy Notice 16-01;
Number of errors in the sample: 61;
Number of sample items to which the control applied[1]: 90;
Estimated lower error limit of all FY 2008 CMS contract actions that
did not meet the control test[2]: 59.0%.
Source: GAO.
[1] The specific control we tested may not apply to all items in the
sample. For example, the establishment of provisional indirect cost
rates is required for cost reimbursement contracts but would not apply
to other contract types such as fixed price contracts.
[2] Based on the results of our work, we are 95 percent confident that
the total percentage of contract actions that did not meet the control
test is at least the percentage indicated for each control, which is
the estimated lower error limit.
[End of table]
To determine the extent to which CMS established a strong control
environment for contract management, we interviewed CMS officials and
reviewed agency documentation to determine the actions CMS took to
address prior recommendations.[Footnote 57] We also obtained
information from agency officials regarding contract closeout,
cognizant federal agency responsibilities, audit funding, and staff
resources. We used the internal control standards as a basis for our
evaluation of CMS's contract management control environment.
We assessed the reliability of CMS's two acquisition databases,
Departmental Contracts Information System (DCIS) and PRISM by (1)
performing electronic testing of required data elements, and (2)
interviewing both CMS and HHS officials on quality assurance activities
performed on the databases. In addition, we used a statistically random
sample selected to test the application of controls to also test the
accuracy of the data in the systems. We determined that only basic
contract information maintained in the PRISM database, such as vendor
name and obligation amount, was reliable for purposes of this report.
The historical obligation amounts presented in the background section
of the report come primarily from CMS's PRISM database.
We requested comments on a draft of this report from HHS and CMS. We
received written comments on October 2, 2009, and have summarized those
comments in the Agency Comments and Our Evaluation section of this
report. Our response to certain specific CMS comments appears in the
GAO Comments section of appendix III. We conducted this performance
audit in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. We
conducted our audit work in Washington, D.C. and Baltimore, Maryland
from July 2008 through September 2009.
[End of section]
Appendix II: Status of Prior Recommendations:
(1); GAO recommendation: Develop policies and criteria for pre-award
contract activities, including (1) appropriate use of competition
exemptions such as logical follow-on agreements, unusual and compelling
urgency, and the Small Business Administration's (SBA) 8(a) program;
(2) analysis to justify contract type selected, as well as, if
applicable, verification of the adequacy of the contractor's accounting
system prior to the award of a cost reimbursement contract;
and (3) consideration of the extent to which work will be
subcontracted;
Progress and GAO evaluation: Progress: The Department of Health and
Human Services (HHS) reported that (a) the policy and criteria for pre-
award contracting activities are already established in the Federal
Acquisition Regulation (FAR) and the Health and Human Services
Acquisition Regulation (HHSAR), (b) that existing policies would be
reviewed and changes would be made as appropriate, and (c) certain pre-
award activities, such as the need for adequate accounting systems for
cost reimbursement contracts, would be reviewed with staff at internal
training sessions;
GAO evaluation: While the Office of Acquisition and Grants Management
(OAGM) did conduct internal training on various pre-award activity
topics, such as the proper circumstances to use sole source contracts,
the Centers for Medicare and Medicaid Service's (CMS) actions are
unresponsive to the recommendation. OAGM still has not developed
policies and criteria that provide clear procedures for staff to follow
during the pre-award stage, such as applicable approval levels, time
frames, agency forms, and routing processes. Furthermore, while FAR and
HHSAR provide regulations agencies must follow, it is up to agency
management to develop agency-specific policies and other guidance that
implement those regulations;
GAO-determined status: No action taken.
(2); GAO recommendation: Develop policies and procedures to help ensure
that cognizant federal agency (CFA) responsibilities are performed,
including (1) monitoring compliance with the Cost Accounting Standards,
(2) a mechanism to track contractors for which CMS is the cognizant
federal agency, and (3) coordination efforts with other agencies;
Progress and GAO evaluation: Progress: HHS reported that while HHS is
the CFA for CMS's contractors, policies and procedures need to be
developed both at the department level and at CMS. Further it stated
that to the extent CMS is designated to perform functions supporting
HHS as the CFA, CMS will develop appropriate procedures for monitoring
Cost Accounting Standards compliance and for coordinating efforts with
other agencies;
GAO evaluation: Neither HHS nor CMS has developed policies that clearly
define key areas of authority and duties for the CFA responsibilities.
Moreover, neither HHS nor CMS has developed a list of contractors for
which HHS is the CFA;
GAO-determined status: Actions insufficient. No policies and procedures
developed.
(3); GAO recommendation: Develop agency-specific policies and
procedures for the review of contractor invoices so that key players
are aware of their roles and responsibilities, including (1) specific
guidance on how to review key invoice elements, (2) methods to document
review procedures performed, and (3) consideration to circumstances
that may increase risk, such as contract type or complex subcontractor
agreements;
Progress and GAO evaluation: Progress: HHS reported that CMS revised
its invoice review policy to better define roles and responsibilities;
GAO evaluation: We reviewed the CMS revised invoice review policy and
determined that new invoice payment procedures contain clear roles and
responsibilities;
GAO-determined status: Completed.
(4); GAO recommendation: Prepare guidelines to contracting officers on
what constitutes sufficient detail to support amounts billed on
contractor invoices to facilitate the review process;
Progress and GAO evaluation: Progress: HHS reported that CMS revised
its invoice review policy;
GAO evaluation: CMS's actions are unresponsive to the recommendation.
The revised policy does not specify the documentation the contractors
would be required to submit to support the invoices or what would be
needed for the project officer, contracting specialist, or contracting
officer to validate information in the invoices;
GAO-determined status: No action taken.
(5); GAO recommendation: Establish criteria for the use of negative
certification in the payment of a contractor's invoices to consider
potential risk factors, such as contract type, the adequacy of the
contractor's accounting and billing systems, and prior history with the
contractor;
Progress and GAO evaluation: Progress: HHS reported that CMS revised
its invoice review policy;
GAO evaluation: CMS's actions are unresponsive to the recommendation.
The revised policy still contains the use of negative certification as
a default. This policy does not provide criteria to consider potential
risk factors for the use of negative certification in the review of
contractor's invoices and discuss circumstances that warrant the use of
this method;
GAO-determined status: No action taken.
(6); GAO recommendation: Provide training on the invoice review
policies and procedures to key personnel responsible executing the
invoice review process;
Progress and GAO evaluation: Progress: HHS reported that CMS provided
invoice review training to the OAGM staff and project officers on May 7
and May 15, 2008;
GAO evaluation:
According to the OAGM Internal Training schedule, they provided
training on invoice review procedures. However, since CMS has not
addressed two of the three recommendations on invoice review--
specifically, guidelines to contracting officers on what constitutes
sufficient detail to support amounts billed and establishing criteria
for the use of negative certification (see above)--actions taken do not
achieve the intent of the recommendation;
GAO-determined status: Actions insufficient. Actions taken do not
achieve intent of recommendation.
(7); GAO recommendation: Create a centralized tracking mechanism that
records the training taken by personnel assigned to contract oversight
activities;
Progress and GAO evaluation: Progress: HHS reported that they have
implemented the Acquisition Career Management Information System
(ACMIS). ACMIS is a centralized tracking mechanism that maintains
training records for the personnel assigned to contract activities;
GAO evaluation: HHS's implementation of the centralized system to track
training addressed our recommendation;
GAO-determined status: Completed.
(8); GAO recommendation: Develop a plan to reduce the backlog of
contracts awaiting closeout;
Progress and GAO evaluation: Progress: HHS reported that CMS developed
a plan to reduce the backlog of contracts overdue awaiting closeout and
that CMS reduced this backlog by the end of fiscal year 2007 from 581
to 407 contracts;
GAO evaluation:
CMS provided its fiscal year 2009 contract closeout plan;
however, the plan did not include a comprehensive strategy to reduce
the backlog of contracts that are eligible and overdue for closeout.
For example, it did not contain a workload analysis, such as a list of
contracts eligible for closeout by contracting officer or specialist or
an estimate of the number of hours or audit funds it would need to
close the contracts. The fiscal year 2009 plan only contained three
bullets stating that OAGM would provide quarterly reports to the
division directors and training to OAGM staff. It also stated that OAGM
would establish "a contract closeout day." Furthermore, as discussed in
the body of this report, the backlog of contracts overdue for closeout
persists;
GAO-determined status: Actions insufficient.
(9); GAO recommendation: Review the questionable payments identified in
this report to determine whether CMS should seek reimbursement from
contractors;
Progress and GAO evaluation: Progress:
HHS reported that CMS will review the questionable payments identified
in GAO-08-54 to determine whether CMS should seek reimbursement from
the contractors. It further stated that the questionable costs will be
identified in the course of incurred cost audits which CMS will obtain
in the course of closing out the contracts. Additionally, CMS described
specific actions taken to investigate some of the questionable
payments;
GAO evaluation: The actions taken to investigate questionable payments
were either insufficient or incomplete. CMS's approach to delay
investigation and recovery to the end of the contract performance
period does not result in timely resolution of questionable payments of
this magnitude. Audits and inquiries into the issues we identified in
our report should be made as soon as possible;
GAO-determined status: Actions insufficient.
[End of section]
Source: GAO analysis, based on a CMS-provided report (dated December 3,
2008) used by HHS to track the resolution of GAO audit findings,
interviews, and other documentation such as agency policies.
[End of table]
[End of section]
Appendix III: Comments from the Centers for Medicare and Medicaid
Services:
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
Department Of Health & Human Services:
Centers for Medicare & Medicaid Services:
Administrator:
Washington, DC 20201:
Date: October 2, 2009:
To: Andrea Palm:
Acting Assistant Secretary for Legislation:
Office of the Secretary:
From: [Signed by] Charlene Frizzera:
Acting Administrator:
Subject: Government Accountability Office Draft Report: "Deficiencies
in Contract Management Internal Control are Pervasive" (GAO-10-60):
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report entitled, "Deficiencies in
Contract Management Internal Control are Pervasive," (GAO-10-60).
The Centers for Medicare & Medicaid Services (CMS) is committed to the
highest degree of integrity in the conduct and management of its
contracting activities. Furthermore, CMS seeks to continually improve
and strengthen its acquisitions functions. To that end, we appreciate
the work that GAO has done to review our contracting activities, and
believe that GAO's findings and recommendations will serve as a
catalyst for improvements to the internal controls for our contracting
functions.
The Federal Acquisition Regulations (FAR) and the Health and Human
Services Acquisition Regulations (HHSAR) prescribe literally hundreds
of internal controls for Federal Government contracting. In its review,
GAO considered only 11 internal controls, some of which have common
elements. While we feel that a limited scope review does not provide
for a complete picture of the internal controls CMS has established, we
are encouraged by the fact that virtually all of those errors relate to
perceived documentation deficiencies, and do not involve more
substantive departures from the FAR or HHSAR. [See comment 1]
We are providing the following responses to GAO's recommendations:
Recommendations from 2007 Audit:
We are concerned that GAO, in questioning the implementation of its
prior findings, did not consider the timing of the release of its
November 2007 report in that it did not permit a reasonable amount of
time to elapse to allow for corrective action to be taken. In November
2007, GAO issued a report that identified perceived deficiencies in
CMS' acquisition internal controls. [See comment 1] Hence, the November
2007 report was issued in fiscal year (FY) 2008. With respect to the
current draft report, GAO considered contract actions that occurred in
FY 2008. Accordingly, many of the purported deficiencies in the draft
report stem from its review of contract actions that occurred prior to
the time it was reasonably possible for CMS to implement the
recommendations contained in the November 2007 report. That being said,
CMS did, in fact, substantially implement the recommendations contained
in GAO's 2007 report. Our responses to GAO's contention that findings
remain unresolved from the November 2007 GAO report are as follows:
1. Policies and criteria for preaward contract activities have not been
developed.
We disagree. In the November 2007 report, GAO recommended that CMS
develop policies for certain pre-award contract activities, such as the
analysis required to justify the contract type selected and the
measures required to verify the adequacy of a contractor's accounting
system prior to the award of a cost reimbursement contract. However, in
the draft report GAO states that no new policies or guidance were
developed. The finding does not consider actions taken by CMS.
The original recommendation in the November 2007 report arose from a
unique situation involving the award of noncompetitive cost-
reimbursement contracts required to implement the mandates of the
Medicare Prescription Drug, Improvement, and Modernization Act of 2003
(MMA), Pub. L. No. 108-173. In our comments to the November 2007
report, we provided justification for the necessity to award contracts
noncompetitively and on other than a fixed-price basis because of the
limited time provided by Congress to implement important new health
care programs. Also, because the new requirements for the Medicare
prescription program were evolving, it required that CMS contract for
needed services on a cost-reimbursement basis. Moreover, the MMA itself
provided statutory authority for the noncompetitive award of certain
contracts necessary to carry out the mandates of this important
legislation. Although this particular event required the use of certain
types of contracts, we have expressed our commitment to competition and
said we would continuously promote the competitive award of contracts
through our policies and procedures and would continue to provide
appropriate training to our employees. [See comment 2]
Since the issuance of the November 2007 GAO report, we have promulgated
policies and guidance for preaward contract activities. Specifically,
in May 2008, CMS obtained licenses to Acquisition Solution's Virtual
Acquisition Office (VAO) for all of the staff of the Office of
Acquisition and Grants Management (OAGM). The VAO is a Web-based tool
that contains detailed checklists and instructions as well as templates
for virtually every type of contracting action. It links acquisition
policies and procedures to the relevant sections of the FAR and other
applicable authorities. The VAO is widely used throughout the Federal
Government. It is intended to provide contracting staff with
information needed to achieve consistency in their performance as well
as compliance with the FAR. We have provided extensive training on the
use of the VAO. Therefore, by adopting the VAO, we have provided our
contracting staff with extensive access to policies, guidance, and
operational procedures regarding contracting policies and procedures.
Moreover, we have provided a great deal of training to our employees
regarding preaward contracting requirements and activities. [See
comment 3]
2. Roles and responsibilities for implementation of CFA
responsibilities not clearly defined.
We agree. In accordance with FAR 42.003, Cognizant Federal Agency (CFA)
responsibility normally would fall upon the agency with the largest
amount of negotiated contracts with a contractor. For CMS, an Operating
Division of the Department of Health and Human Services (DHHS), the
Department would be the CFA. HHSAR 342.705 addresses the authority to
establish indirect cost rates, fringe benefit rates, etc., for use in
contracts and grants awarded to commercial organizations. This section
of the HHSAR delegates CFA indirect cost rate responsibilities to the
Division of Financial Advisory Services of the National Institutes of
Health (NIH). We agree with GAO that we need to establish additional
policies and procedures for the performance of CFA functions. We have
already started to develop the necessary policies for CMS Contracting
Officer performance of CFA functions and will coordinate activities
with the Department.
3. CMS did not always require contractors to submit invoices that
contain sufficient information to facilitate an adequate review. [See
comment 1]
We disagree. We have developed very detailed and complete guidelines
for Contracting Officers and Project Officers on what constitutes
sufficient detail to support contractor invoices. On May 5, 2008, we
issued Acquisition Policy 16-01, entitled "Invoicing Payment
Procedures." This policy issuance contained detailed guidance as to
precisely what information a Contract Specialist or Contracting Officer
needs to consider in reviewing and approving an invoice. Moreover, we
have conducted extensive training for both contracting and program
staff on the review and approval of invoices. The concerns expressed in
the GAO draft report with regard to the approval of contractor invoices
are largely attributable to the timing of the latest review, and that
sufficient time had not elapsed to fully train staff and to implement
the invoicing policies contained in the May 5, 2008, policy directive.
4. CMS has not set criteria for the use of negative certification. [See
comment]
We disagree. In Acquisition Policy 16-01 we imposed the requirement
that a Contracting Officer obtain documentation from the Project
Officer that demonstrates the Project Officer's review and approval of
an invoice. Contracting Officers are required to sign an invoice as
evidence of approval. If a Contracting Officer does not have a complete
record supporting the payment of an invoice, he or she must notify the
payment office within 20 days of the receipt of the invoice that the
payment is disapproved. A copy of the signed invoice is to be placed
into the contract file to document the Project Officer's and
Contracting Officer's approval.
The draft report found that there were instances where the contract
file did not have a copy of an invoice signed by the Project Officer.
However, our policy requires that a Project Officer sign a "Payments
and Progress Certification Form", as opposed to the actual invoice. We
will reexamine our invoicing policies and will make appropriate changes
to those policies to assure that there is adequate documentation in the
contract file to support both the Project Officer's and Contracting
Officer's approval of an invoice. We will further provide training to
both contracting and program staff on the review and approval of
invoices to reemphasize each of their responsibilities in this process.
5. Training on invoice review procedures still needed.
We agree. While we have provided extensive training in the past 2 years
to both contracting and program staff regarding the processing and
approval of contract invoices, we will continue those efforts and
provide further training to CMS staff on the review and approval of
invoices.
6. Continuing backlog of contracts for closeout.
We disagree. We have, in fact, developed a contract close out plan that
has resulted in over a 30 percent reduction in the number of contracts
eligible for closeout since 2007. For FY 2009, we fully expect to be
"Green" for the contract closeout element in the DHHS Acquisition
Dashboard. We have taken measures to reduce the backlog of open
contracts, including dedicating staff to the contract closeout
function. We have also secured additional funds to obtain incurred cost
audits necessary for contract closeout. We further have contractor
support to expedite the contract closeout process. [See comment 4]
7. CMS has not taken action to investigate and recover questionable
payments.
We disagree. The CMS has taken action to investigate and recover what
GAO characterized as questionable payments in its November 2007 report.
In that report, GAO asserted that CMS had made $88.8 million in
questionable payments. At that time, we disagreed with the finding in
large part because the payments in question were interim payments under
cost reimbursement contracts, and Contracting Officers had reasonable
bases for approving the questioned payments. We indicated in our
response that we would obtain audits of all costs under the contracts
at issue and would take appropriate action to recoup any inappropriate
contract payments.
At this point, we have taken action to determine the appropriateness of
the questioned payments. [See comment 1] Specifically, as described in
the November 2007 report, most of the alleged questionable costs were
incurred under prime contracts and subcontracts with one specific
contractor. Those costs amounted to $67 million. We have obtained
incurred cost proposals from the contractor and have been working with
the Defense Contract Audit Agency (DCAA) to schedule the required
contract audits. The earliest DCAA can schedule the audit of the FY
2008 incurred cost submission is later this fiscal year. The
Contracting Officer was vigilant in obtaining incurred cost submissions
from the contractor and in pursuing the audit review of the
contractor's costs. For the other contracts for which costs were
questioned, we have obtained incurred cost proposals. In some
instances, we completed our consideration of the costs and made
appropriate modifications to the contracts to resolve the cost issues.
In other instances, audits of the questioned costs have been completed
and we are in negotiations to finalize the allowability of costs under
the contracts, or we are awaiting DCAA's completion of audits.
Recommendations:
The recommendations contained in the current GAO report, together with
our responses, are as follows:
The Administrator of CMS should:
1. Document compliance with FAR requirements for different contract
types. At a minimum, enhance current documentation, such as the
contract checklist, to ensure the contract file documents
authorizations for letter contracts, adequacy of the contractors
accounting systems, and determination and findings for time and
materials contracts, when applicable.
We agree. We have disseminated to CMS contracting staff relatively
complete instructions and guidance for contracting actions that are
intended to assure compliance with FAR requirements. In so doing, we
developed a standard checklist for all CMS contracts which has served
as an effective internal control for assuring consistency in CMS
contracts and compliance with the FAR and HHSAR. In addition, the
Virtual Acquisition Office contains extensive contracting checklists
and provides detailed step-by-step instructions for the completion of
contract actions. DHHS has developed new contracting checklists which,
in accordance with HHSAR 304.803-70, are mandatory for all DHHS
contracts as of October 1, 2009. It appears that these new checklists
will generally address GAO's concerns. However, we will share GAO's
recommendations with the Department so that appropriate revisions can
be made to the checklists or other HHSAR provisions to implement those
recommendations. We will further review CMS' internal procedures to
provide necessary supplemental guidance. We will also provide training
to our staff on the use of internal control measures which either the
Department or CMS develops. [See comment 5]
2. Document in the contract file provisional indirect cost rates used
as a basis for reviewing the reasonableness of the indirect costs
billed on the contractor invoices.
We agree. GAO identified instances where it does not believe that the
contract file contained adequate support for provisional indirect cost
rates. We have established a highly-skilled and experienced team of
contract auditors who work with CMS' Contracting Officers on all cost-
related matters, including the establishment of provisional indirect
cost rates. Documentation to support provisional indirect cost rates is
maintained by that team in centralized files. Contracting Officers
approve provisional indirect cost rates based upon that documentation.
Hence, we have established a process that is intended to assure the
reasonableness of provisional indirect cost rates. GAO was concerned
that CMS did not retain the supporting documentation for each
individual contract file. We agree to strengthen our internal controls
by including the supporting documentation in the relevant contract
files. We will develop policies for documenting provisional indirect
cost rates that will provide an appropriate level of internal control.
[See comment 6]
3. Specify what constitutes timely performance of (or request for)
audits of contractors' statements of incurred cost for cost
reimbursement and T&M contracts, including circumstances when OAGM
should perform the audit itself or request another organization to
perform the service.
We agree that guidance is needed as to what constitutes timely
performance of contract audits and which provides more detailed
instructions to Contracting Officers regarding the process for
obtaining needed audit services.
4. Specify circumstances under which negotiation memorandums should be
used and the content of such, and any required secondary reviews, in
light of HHSAR requirements and current OAGM practice.
We agree that the preparation of a negotiation memorandum is an
important internal control which provides a basis to assess the
adequacy and appropriateness of a Contracting Officer's actions in
awarding a contract. We will therefore develop guidance on the
preparation of negotiation memorandums and we will provide appropriate
training to CMS staff.
5. Specify Contract Review Board review documentation to include, at a
minimum, documentation of the number of contracts reviewed each year;
the issues identified by the CRB reviewer(s); and resolution of issues
identified during the CRB reviews.
We agree. The Contract Review Board (CRB) is an internal control that
CMS established to promote the appropriate award of CMS contracts and
compliance with the FAR and HHSAR. We believe that it is an important
internal control. We will therefore reexamine our CRB policy and make
appropriate revisions to ensure that eligible contracts are reviewed to
the maximum practicable extent and that CRB findings are fully
resolved.
6. Require Division Directors to periodically assess, document and
report to senior management on the results of their review of whether
the contract files contain documentation that invoices were properly
reviewed by both the project officer and contracting officer or
specialist.
We agree. The OAGM Division Directors are responsible for assuring that
staff performs contract actions in compliance with the FAR and HHSAR
and that all contract actions are adequately documented. We will
establish a reporting mechanism whereby Division Directors will have a
means to document that invoices are properly reviewed and file
documentation is otherwise complete and adequate.
OAGM Management:
1. Develop and implement a comprehensive strategic acquisition
workforce plan. The plan should include, at a minimum, elements such as
performance goals, time frames, implementation actions, and resource
requirements and address issues such as OAGM workload, full time
equivalents needed, and a workforce skills analysis; as well as an
estimate of the amount of resources OAGM needs to fulfill the audit and
other FAR requirements for comprehensive oversight, including those
required of a CFA.
We agree. We have performed various assessments of CMS' acquisition
workforce in the past, especially when necessary to determine staffing
resources required to implement major new contracting initiatives such
as the competitive award of contracts to Medicare Administrative
Contractors. The Agency has added additional resources to the
acquisition workforce based upon those assessments. We concur that
there would be benefits to undertaking a broader and more strategic
analysis of the acquisition workforce and to developing an acquisition
workforce plan.
2. Revise the Verification and Validation Plan for DCIS Accuracy and
Improvements policy to require all relevant errors be corrected and
their resolution documented.
We agree. The draft report states that there were numerous errors in
the data entered into the Departmental Contracts Information System
(DCIS). In FY 2008, we initiated a number of actions to facilitate the
accuracy of data entered into DCIS. Since GAO's review occurred in FY
2008, when those measures were in the process of being implemented,
they were not reflected in this report. We are committed to ensuring
the accuracy of all data entered into our procurement systems. We
expended a great deal of effort to develop policies and procedures that
were intended to ensure the accuracy of data entry. We conducted
extensive training for all OAGM personnel on data entry. As
part of that training, we developed very specific guides that clearly
identified the information to be entered into DCIS fields. CMS'
policies and processes were adopted by DHHS as the model that all
Operating Divisions were required to employ. On November 26, 2008, DHHS
issued Acquisition Policy Memorandum 2008-05, which implemented the CMS
plan for the entire Department. These instructions were issued after
the close of FY 2008, the period that was the subject of GAO's review.
Since FY 2008, we have sought to improve our data entry accuracy as our
policies and procedures evolved and we have provided additional
training and guidance to our employees. A sample of DCIS entries
reviewed in FY 2009 was determined to have an accuracy rate of 98
percent. Moreover, we have implemented a process whereby if an error is
found in a DCIS entry, the DCIS reviewer provides a scorecard to the
Contract Specialist and their manager. The Contract Specialist is
required to notify the DCIS reviewer when the error has been corrected.
Hence, there is a process for documenting the resolution of DCIS
issues. We will review our policies and procedures and make
improvements as necessary. [See comment 7]
3. Develop and implement policies and procedures for tracking contract
audit requests, monitoring the results of contract audits and
evaluations, and resolving the audit findings, to include roles and
responsibilities of the contracting officer, specialist, and members of
the cost/price team.
We agree that improvements are needed to our policies and procedures
for tracking contract audit requests and for monitoring the results of
those audits and the subsequent resolution of those findings. We will
make appropriate revisions to our policies and procedures to better
manage the audit process.
Secretary of HHS:
Develop policies and procedures that clearly assign roles and
responsibilities for the timely fulfillment of CFA duties, and that
include the preparation of and periodic update of a list of contractors
for which the department is the CFA.
We agree. We will work with the Department to clearly distinguish among
the different types of CFA duties, including contract audit (Office of
Inspector General); commercial indirect rates (NIH); non-profit
indirect cost rates (PSC), etc. Regarding the contract audit function,
DHHS plans to issue a joint Office of Inspector General/Office of
Acquisition Management and Policy memorandum.
GAO Comments:
1. See "Agency Comments and Our Evaluation" section.
2. As we stated in our November 2007 report[Footnote 58], we
acknowledge that the time frames for implementing the Medicare
Prescription Drug, Improvement, and Modernization Act of 2003 added
schedule pressures for the Centers for Medicare and Medicaid Services
(CMS). At the same time, the compressed time frames and resulting
contracting practices added risk to the contracting process. Many of
the findings in the November 2007 report were a result of the increased
risk together with inadequate compensating controls to mitigate risk.
3. While the Virtual Acquisition Office, which is an off-the-shelf
acquisition software that provides Web links to acquisition regulation
and templates to aid in completion of common acquisition activities,
can be a useful tool for contracting officers, specialists, and the
Office of Acquisition and Grants Management (OAGM) management, it does
not represent the agency-specific policies and criteria we recommended
that CMS implement for pre-award activities. As such, CMS's actions are
unresponsive to the recommendation. Agency-specific policies provide
guidance on how CMS staff are expected to perform their day-to-day
duties.
4. As discussed in the report, we continue to believe the contract
closeout plan does not sufficiently address our recommendation because
it did not include a comprehensive strategy to reduce the backlog of
contracts that are eligible and overdue for closeout, nor did it
contain a workload analysis. The plan was for fiscal year 2009; no
other plans were developed. Additionally, CMS stated that it achieved a
30 percent reduction in the number of contracts eligible for closeout
since 2007. However, CMS could not fully support the analysis it
provided and it related only to the time period between April 2007 and
September 30, 2007.[Footnote 59] According to data provided to us by
CMS during this current review, since September 30, 2007, the number of
contracts eligible for closeout has increased by 24 percent, from 1,300
in 2007 to 1,611 in 2009. Additionally, the number of contracts overdue
for closeout has increased from 407 in 2007 to 594 in 2009, a 46
percent increase.
5. The contract file document checklist employed by CMS at the time of
our review identified key documents that may be included in a contract
file. This checklist is usually completed by either the contract
specialist or contracting officer. While such a checklist is useful for
ensuring that certain documents are contained in a contract file, it
did not reflect certain requirements in which we found CMS to be
deficient, such as ensuring contractors had adequate accounting systems
prior to the use of a cost reimbursement contract. We are encouraged
that CMS is taking additional actions to implement the checklists
developed by the Department of Health and Human Services to be used in
fiscal year 2010.
6. During our review and as a result of multiple conversations with
OAGM staff including the team of contract auditors, we revised our
testing procedures to consider and accept provisional indirect cost
rates that were not maintained in the individual contract file but were
maintained by the cost/price team in its central files. Therefore, all
provisional indirect cost rate determinations that were maintained by
OAGM, regardless of location, were considered during our review. The
steps CMS described that it plans to take will be important for
ensuring that contract office staff have the information needed readily
available to manage contracts throughout the contract life cycle.
7. As stated in the report, CMS's current procedures regarding the
accuracy of data entered into the Departmental Contracts Information
System (DCIS) do not include procedures that would ensure that the
resolution of potential errors are properly documented and errors are
corrected in a timely manner. We further found that OAGM was not fully
implementing its policy because it reviewed every 88th action, rather
than every 50th as provided for in the plan. However, we are encouraged
by the recent initiatives described in CMS's comments, such as the
scorecard, and OAGM's commitment to review current policies and
procedures and to make improvements where necessary.
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Kay L. Daly, (202) 512-9095, or dalykl@gao.gov:
Acknowledgments:
Staff members who made key contributions to this report include Marcia
Carlsen and Phil McIntyre (Assistant Directors), Sharon Byrd, Richard
Cambosos, Abe Dymond, Patrick Frey, Jason Kelly, John Lopez, Ron
Schwenn, Omar Torres, Ruth Walk, and Danietta Williams.
[End of section]
Footnotes:
[1] GAO, High Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: Jan. 22,
2009).
[2] GAO, Centers for Medicare and Medicaid Services: Internal Control
Deficiencies Resulted in Millions of Dollars of Questionable Contract
Payments, [hyperlink, http://www.gao.gov/products/GAO-08-54]
(Washington, D.C.: Nov. 15, 2007).
[3] Pub. L. No. 108-173, 117 Stat. 2066 (Dec. 8, 2003).
[4] 48 C.F.R. ch. 1.
[5] Certain CMS contracts, such as the claims administration contracts
referred to as fiscal intermediaries and carriers, generally are not
subject to FAR requirements. CMS is transitioning these contracts to
FAR-based acquisitions in response to requirements in the MMA. This
transition, referred to as Medicare contracting reform, should be
completed by 2011.
[6] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[7] We selected a stratified random sample of 102 contract actions from
a population of 2,441 total contract actions recorded in CMS's
procurement system, PRISM, during fiscal year 2008. See app. I for
additional sample details.
[8] An obligation is a definite commitment that creates a legal
liability of the government for the payment of goods and services
ordered or received, or a legal duty on the part of the United States
that could mature into a legal liability by virtue of actions on the
part of the other party beyond the control of the United States.
Payment may be made immediately or in the future.
[9] [hyperlink, http://www.gao.gov/products/GAO-08-54].
[10] Of the 19 contracts awarded, 6 are under protest and are not yet
operational.
[11] CMS contracts with fiscal intermediaries and carriers for Medicare
claims processing generally do not follow the FAR.
[12] Title 41, United States Code.
[13] 48 C.F.R. ch. 3.
[14] 48 C.F.R. ch. 99. These standards are mandatory for use by all
executive agencies and by contractors and subcontractors in estimating,
accumulating, and reporting costs in connection with pricing and
administration of, and settlement of disputes concerning, all
negotiated prime contract and subcontract procurements with the U.S.
government in excess of $500,000. Certain contracts or subcontracts are
exempt from CAS, such as those that are fixed price or those with a
small business. Additionally, contractors that received less than $50
million in net awards in the prior accounting period are subject to
only certain CAS standards, known as modified coverage. The FAR
incorporates the CAS, see 48 C.F.R. §30.101(b).
[15] Pub. L. No. 109-282, 120 Stat. 1186 (Sept. 26, 2006).
[16] 48 C.F.R. §§ 16.104(h), 16.301-3(a).
[17] 48 C.F.R. § 16.601(d).
[18] Forward pricing rates represent an agreement negotiated between a
contractor and the government to make certain rates available during a
specified period for use in pricing contracts or modifications.
[19] 48 C.F.R. §§ 2.101. See 48 C.F.R. §§ 42.302(a), 42.703-1, 30.601.
[20] 48 C.F.R. § 42.704(a) and (b).
[21] Based on the results of our work, we are 95 percent confident that
the percentage of contract actions that did not meet at least one
control test is at least 84.3 percent.
[22] Based on the results of our work, we are 95 percent confident that
the percentage of contract actions that did not meet three or more
control tests is at least 37.2 percent.
[23] We identified 25 contract actions to which FAR requirements
specific to the contract type awarded applied, of which 16 contract
actions did not meet the control test. Based on the results of our
work, we are 95 percent confident that the total percentage of contract
actions that did not meet the control test is at least 46.0 percent.
[24] A letter contract is a written preliminary contractual instrument
that authorizes the contractor to begin immediately manufacturing
supplies or performing services.
[25] 48 C.F.R. § 316.603-3.
[26] 48 C.F.R. §§ 16.104(h), 16.301-3. The lack of evidence of an
adequate accounting system on a cost reimbursement contract may also
indicate that a prospective contractor is not responsible. See 48
C.F.R. § 9.104-1(e) and B-239114, Matter of: Henry G. Kirschenmann,
Jr., July 23, 1990.
[27] 48 C.F.R. § 16.601(d).
[28] 48 C.F.R. § 1.704.
[29] We identified 62 contract actions to which provisional indirect
cost rates applied, of which 36 contract actions did not meet the
control test. Based on the results of our work, we are 95 percent
confident that the total percentage of contract actions that did not
meet the control test is at least 40.4 percent.
[30] In some cases, the contractor billed indirect costs following a
different structure or the contractor did not provide sufficient detail
on the invoice (such as the rate and base to which the rate is applied)
to allow a match to the approved provisional indirect cost rates.
[31] 48 C.F.R. § 42.703-1(b). Provisional indirect cost rates,
sometimes called a materials handling rate, may also be used on some
T&M contracts. 48 C.F.R. §§ 16.307(a)(1), 52.216-7.
[32] 48 C.F.R. § 52.216-7(e)(2).
[33] 48 C.F.R. § 42.704(b).
[34] We identified 34 contract actions to which final indirect cost
rates applied, of which 23 contract actions did not meet the control
test. Based on the results of our work, we are 95 percent confident
that the total percentage of contract actions that did not meet the
control test is at least 52.6 percent.
[35] 48 C.F.R. § 52.216-7(d)(2)(i) and (ii) requires that contractors
submit a report of their incurred costs (both direct and indirect) to
the government no later than 6 months after the end of their fiscal
year. The FAR states that the government should establish final
indirect cost rates as "promptly as practical" after the receipt of the
contractor's report of incurred costs. For purposes of this report, we
defined "promptly" as an audit or request for an audit within 12 months
of the due date of the incurred cost report, or a total of 18 months
from the end of the contractor's fiscal year. In our view, 12 months
from the due date of the incurred cost report allows sufficient time
for the agency to determine the financial resources necessary to
perform the audit or pay another agency, such as the Defense Contract
Audit Agency (DCAA), to perform the audit.
[36] 48 C.F.R. § 42.703-1(b).
[37] 48 C.F.R. § 42.705-1(a) and (b)(1).
[38] We identified 36 contract actions to which an audit of direct
costs applied, of which 25 contract actions did not meet the control
test. Based on the results of our work, we are 95 percent confident
that the total percentage of contract actions that did not meet the
control test is at least 54.9 percent.
[39] For purposes of this report, we defined "promptly" as an audit or
request for an audit within 12 months of the due date of the incurred
cost report, or a total of 18 months from the end of the contractor's
fiscal year. In our view, 12 months from the due date of the incurred
cost report allows sufficient time for the agency to determine the
financial resources necessary to perform the audit or pay another
agency, such as DCAA, to perform the audit.
[40] 48 C.F.R. § 4.804-5(a)(7) and (12).
[41] We identified 90 contract actions to which certification of
invoices applied, of which 61 contract actions did not meet the control
test. Based on the results of our work, we are 95 percent confident
that the total percentage of contract actions that did not meet the
control test is at least 59.0 percent.
[42] The contractor submitted separate invoices for different contract
line items, which resulted in the high number of invoices in one fiscal
year.
[43] 48 C.F.R. § 315.404-4(d)(4). The HHSAR generally disallows
facilities capital cost of money. In cases when the contractor includes
the cost in its proposal, the agency is required to reduce the amount
of the profit objective by an equivalent amount. In the two instances
where CMS paid facilities capital cost of money, the cost was either
expressly disallowed by 48 C.F.R. § 52.215-17 or the profit objective
was not reduced.
[44] The government purchase card program offers substantial benefits,
but not without risk of fraud, waste, or misuse. 48 C.F.R. § 13.201(b)
states that the governmentwide purchase card is the preferred method
for making purchases below the micropurchase threshold, which currently
is set by FAR at $3,000 for most types of purchases.
[45] 48 C.F.R. § 4.801(b).
[46] 48 CFR § 315.372.
[47] [hyperlink, http://www.gao.gov/products/GAO-08-54], p. 18.
[48] [hyperlink, http://www.gao.gov/products/GAO-08-360].
[49] 48 C.F.R. §§ 37.104(b) and 37.102(c).
[50] Based on the results of our work, we are 95 percent confident that
the total percentage of contract actions that did not meet the control
test is at least 34.9 percent.
[51] Based on the results of our work, we are 95 percent confident that
the total percentage of contract actions that did not meet the control
test is at least 54.2 percent.
[52] The current contract value field is supposed to capture the
cumulative obligated amounts on the contract to date and ultimate
contract value is supposed to capture the current contract value plus
anticipated future obligations, i.e., option years.
[53] 48 C.F.R. § 4.804.
[54] 48 C.F.R. § 4.804 states that firm fixed price contracts should be
closed within 6 months; contracts requiring the settlement of indirect
costs rates, such as cost reimbursement contracts, should be closed
within 36 months; and all other contracts should be closed within 20
months. These time frames begin in the month in which the contracting
official receives evidence of physical completion of the contract.
Generally, files for contracts using simplified acquisition procedures
should be considered closed when the contracting officer receives
evidence of receipt of property and final payment.
[55] [hyperlink, http://www.gao.gov/products/GAO-08-54], p. 31.
[56] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[57] GAO, Centers for Medicare and Medicaid Services: Internal Control
Deficiencies Resulted in Millions of Dollars of Questionable Contract
Payments, [hyperlink, http://www.gao.gov/products/GAO-08-54]
(Washington, D.C.: Nov. 15, 2007), p. 45.
[58] GAO, Centers for Medicare and Medicaid Services: Internal Control
Deficiencies Resulted in Millions of Dollars of Questionable Contract
Payments, [hyperlink, http://www.gao.gov/products/GAO-08-54]
(Washington, D.C.: Nov. 15, 2007).
[59] The number of contracts eligible for closeout and overdue for
closeout as of September 30, 2007, was reported in our November 2007
report.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
