Financial Management

FBI Has Designed and Implemented Stronger Internal Controls over Sentinel Contractor Invoice Review and Equipment Purchases, but Additional Actions Are Needed

GAO ID: GAO-08-716R, July 15, 2008

In February 2006, we reported on significant internal control deficiencies related to contractor payments and property accountability associated with the development of the Federal Bureau of Investigation's (FBI) Trilogy information technology (IT) modernization project. In that audit, we found FBI's invoice review and approval process did not provide an adequate basis to verify that goods and services billed were actually received and that amounts billed were appropriate. We also found that FBI relied extensively on Trilogy contractors to purchase and account for Trilogy equipment without controls or data to verify the accuracy and completeness of the contractor records. Additionally, once FBI took possession of the Trilogy equipment, it did not have adequate controls to safeguard those assets. FBI is now acquiring and deploying a new automated case management system, known as Sentinel, to replace the case management system that was to be delivered as part of the Trilogy project. Sentinel is being developed in four phases at an estimated cost of $425 million and is scheduled to be completed in May 2010. Phase 1 of the project was completed in June 2007. In light of the problems we found concerning the predecessor Trilogy project, Congress asked us to review the internal controls over expenditures related to the development and implementation of Sentinel. Specifically, Congress asked us to assess the design and implementation of FBI's internal controls over the Sentinel project for (1) preventing or detecting improper payments to project contractors and (2) maintaining proper accountability for equipment purchased for the project. Further, to the extent weaknesses were found, Congress asked us to determine whether those weaknesses resulted in improper payments or missing equipment.

FBI has designed and implemented internal controls over the review and approval of Sentinel contractor invoices that have reduced the risk of improper contractor payments. FBI established the Sentinel PMO to provide day-to-day oversight over both the technical and financial aspects of the project. The PMO designed policies and procedures that assign invoice-review responsibilities and require Sentinel contractors to provide detailed support for all invoiced amounts and to obtain advance approval from the PMO for travel, overtime, and other direct costs. The PMO's policies also require contractors to provide monthly progress reports that link invoiced amounts to tasks completed and explain any anomalies with the invoice. The PMO Business Management Team (BMT) is also assigned the task of assessing each submitted contractor invoice to determine whether invoiced costs are mathematically accurate and adequately supported. Our testing of these controls determined that the PMO had effectively implemented them. We did not identify any questionable contractor payments. The Sentinel PMO has also taken steps to improve the design and implementation of internal controls over purchased Sentinel equipment. In April 2007, the PMO hired a full-time Sentinel property manager to oversee the property management process. The property manager is responsible for maintaining accountability (physical and financial) over equipment purchased for the Sentinel project. The PMO established policies and procedures to help ensure equipment purchases are properly authorized and that received property is timely inspected and entered into FBI's Property Management Application (PMA) to be tracked and inventoried. Overall, with additional enhancements to these controls to address the issues noted below, the PMO's established policies and procedures would help ensure accountability over Sentinel equipment.
Specifically, our testing of the implementation of the PMO property controls found opportunities for the PMO to improve controls by (1) establishing procedures to ensure the accuracy and completeness of the Lockheed Martin database used to establish the official FBI property record in PMA (our initial testing of this contractor database found that it was corrupted and did not agree with either PMA or the supporting vendor invoices); (2) reconciling its asset records to the underlying source documents as part of the monthly invoice review and approval process (we found asset values had to be adjusted at the end of Phase 1 because assets were initially recorded in PMA using estimated costs rather than actual costs); (3) establishing policies and procedures to document the initial inspection of Sentinel assets and verification of the barcodes assigned to the property; and (4) capturing the date property was received so that the PMO could monitor compliance with its policy to record all accountable property in PMA within 27 days of receipt. Our testing did not identify any missing assets. However, we found 20 property records for which there were valuation discrepancies between the contractor database, PMA, and the supporting vendor invoices. We referred these records to the PMO to investigate and resolve.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.



GAO-08-716R, Financial Management: FBI Has Designed and Implemented Stronger Internal Controls over Sentinel Contractor Invoice Review and Equipment Purchases, but Additional Actions Are Needed

This is the accessible text file for GAO report number GAO-08-716R entitled 'Financial Management: FBI Has Designed and Implemented Stronger Internal Controls over Sentinel Contractor Invoice Review and Equipment Purchases, but Additional Actions Are Needed' which was released on July 15, 2008.
GAO-08-716R

July 15, 2008

The Honorable Arlen Specter
Ranking Member
Committee on the Judiciary
United States Senate

Subject: Financial Management: FBI Has Designed and Implemented Stronger Internal Controls over Sentinel Contractor Invoice Review and Equipment Purchases, but Additional Actions Are Needed

Dear Senator Specter:

In February 2006, we reported on significant internal control deficiencies related to contractor payments and property accountability associated with the development of the Federal Bureau of Investigation's (FBI) Trilogy information technology (IT) modernization project.[Footnote 1] In that audit, we found FBI's invoice review and approval process did not provide an adequate basis to verify that goods and services billed were actually received and that amounts billed were appropriate. We also found that FBI relied extensively on Trilogy contractors to purchase and account for Trilogy equipment without controls or data to verify the accuracy and completeness of the contractor records. Additionally, once FBI took possession of the Trilogy equipment, it did not have adequate controls to safeguard those assets.

FBI is now acquiring and deploying a new automated case management system, known as Sentinel, to replace the case management system that was to be delivered as part of the Trilogy project. Sentinel is being developed in four phases at an estimated cost of $425 million and is scheduled to be completed in May 2010. Phase 1 of the project was completed in June 2007.

In light of the problems we found concerning the predecessor Trilogy project, you asked us to review the internal controls over expenditures related to the development and implementation of Sentinel. Specifically, you asked us to assess the design and implementation of FBI's internal controls over the Sentinel project for (1) preventing or detecting improper payments to project contractors and (2) maintaining proper accountability for equipment purchased for the project.
Further, to the extent weaknesses were found, you asked us to determine whether those weaknesses resulted in improper payments or missing equipment.

To assess the design and implementation of FBI's controls over Sentinel contractor invoice review and equipment purchases, we obtained and reviewed the Sentinel contracts, purchase orders, and statements of work; the internal control policies and procedures developed by the Sentinel Program Management Office (PMO); and the invoices and accompanying supporting documentation submitted by Lockheed Martin, the system development contractor, and the five companies assisting the PMO in managing the project. We analyzed labor, overhead, and general and administrative expense (G&A) rates billed by the contractors; and examined property management records including purchase orders, Lockheed Martin's database established to track equipment purchased for Sentinel, and FBI's official property management records. We also reviewed FBI's final reconciliation of all property acquired for Phase 1 of the Sentinel project. We reviewed approved contractor invoices and equipment purchases for Phase 1 of the project, covering the period from May 2005--when contractors began billing for Sentinel activities--through November 2007, when Lockheed Martin submitted its final Phase 1 invoice. We also discussed with FBI, PMO, and contractor officials the policies, procedures, and practices used to review contractor invoices and account for purchased equipment. Enclosure I provides additional details on our scope and methodology.

We conducted this performance audit from August 2006 through May 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform our audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Results in Brief

FBI has designed and implemented internal controls over the review and approval of Sentinel contractor invoices that have reduced the risk of improper contractor payments. FBI established the Sentinel PMO to provide day-to-day oversight over both the technical and financial aspects of the project. The PMO designed policies and procedures that assign invoice-review responsibilities and require Sentinel contractors to provide detailed support for all invoiced amounts and to obtain advance approval from the PMO for travel, overtime, and other direct costs. The PMO's policies also require contractors to provide monthly progress reports that link invoiced amounts to tasks completed and explain any anomalies with the invoice. The PMO Business Management Team (BMT) is also assigned the task of assessing each submitted contractor invoice to determine whether invoiced costs are mathematically accurate and adequately supported. Our testing of these controls determined that the PMO had effectively implemented them. We did not identify any questionable contractor payments.

The Sentinel PMO has also taken steps to improve the design and implementation of internal controls over purchased Sentinel equipment. In April 2007, the PMO hired a full-time Sentinel property manager to oversee the property management process. The property manager is responsible for maintaining accountability (physical and financial) over equipment purchased for the Sentinel project. The PMO established policies and procedures to help ensure equipment purchases are properly authorized and that received property is timely inspected and entered into FBI's Property Management Application (PMA) to be tracked and inventoried.
Overall, with additional enhancements to these controls to address the issues noted below, the PMO's established policies and procedures would help ensure accountability over Sentinel equipment. Specifically, our testing of the implementation of the PMO property controls found opportunities for the PMO to improve controls by:

* establishing procedures to ensure the accuracy and completeness of the Lockheed Martin database used to establish the official FBI property record in PMA. Our initial testing of this contractor database found that it was corrupted and did not agree with either PMA or the supporting vendor invoices;
* reconciling its asset records to the underlying source documents as part of the monthly invoice review and approval process. We found asset values had to be adjusted at the end of Phase 1 because assets were initially recorded in PMA using estimated costs rather than actual costs;
* establishing policies and procedures to document the initial inspection of Sentinel assets and verification of the barcodes assigned to the property; and
* capturing the date property was received so that the PMO could monitor compliance with its policy to record all accountable property in PMA within 27 days of receipt.

Our testing did not identify any missing assets. However, we found 20 property records for which there were valuation discrepancies between the contractor database, PMA, and the supporting vendor invoices. We referred these records to the PMO to investigate and resolve.

We are making five recommendations to FBI to help strengthen the PMO's asset accountability policies and procedures. If properly implemented, these actions will help ensure that Sentinel property records are accurate, complete, and recorded timely in the PMA.

We received written comments from FBI on a draft of this report. FBI concurred with our recommendations regarding strengthening accountability for Sentinel equipment. FBI's comment letter is reprinted in enclosure II.
FBI also provided separate technical comments which we have considered and incorporated into this report as appropriate.

Background

In May 2001, FBI initiated a major IT upgrade project known as Trilogy to modernize its IT infrastructure and systems and provide needed applications, including a modern investigative case management system, to help FBI agents, analysts, and others do their jobs. In March 2004, after scheduling delays, cost overruns, and a failure to deliver the envisioned case management system component which became known as the Virtual Case File (VCF), you asked us to audit the costs of the project, which then totaled approximately $537 million. Our audit of Trilogy costs identified significant internal control deficiencies over the processing, review, approval, and payment of invoices as well as the accountability and control over assets purchased under the Trilogy project.[Footnote 2]

More specifically, with respect to invoice processing, we reported that FBI's review and approval process for Trilogy's contractor invoices did not provide an adequate basis for verifying that goods and services billed were actually received by FBI or that payments were for allowable costs. This occurred in part because responsibility for the review and approval of invoices was not clearly defined and because contractor invoices frequently lacked the detailed supporting documentation necessary to facilitate an adequate invoice review process. During our audit, we identified more than $10 million in questionable contractor costs paid by the FBI.
With respect to property, we reported that FBI (1) did not adequately maintain accountability for computer equipment; (2) relied extensively on contractors to account for Trilogy assets while they were being purchased, warehoused, and installed; (3) did not establish controls to verify the accuracy and completeness of contractor records it was relying on; (4) did not ensure that only the items approved for purchase were acquired by the contractors, and that it received all those items; and (5) did not establish adequate physical control over the assets. As a result of these deficiencies, we identified more than 1,200 pieces of missing equipment which we estimated to be worth more than $7.5 million.

In March 2005, FBI discontinued the virtual case file component of its Trilogy project after VCF was determined to be infeasible and cost prohibitive to implement as originally envisioned. FBI's Sentinel project was approved in July 2005 to both succeed and expand the failed VCF component. The Sentinel project is intended to provide FBI with a modern, automated investigative case management system that will facilitate information sharing and help field agents and intelligence analysts perform their jobs more effectively and efficiently. The system is based on commercially available software and hardware components and is being acquired and implemented in four phases. The primary deliverables for each of the four phases include:

Phase 1: A Web-based portal that will provide access to data in FBI's existing Automated Case Support system (ACS) and other legacy systems and which eventually, through incremental changes in subsequent phases, will support access to the newly created investigative case management system.

Phase 2: Case document and records management capabilities, document repositories, improved information assurance, application workflow, and improved data labeling to enhance information sharing.
Phase 3: Updated and enhanced system storage and search capabilities.

Phase 4: Remaining case management system components, including reporting capabilities, and migration of closed case data from ACS to the new system and retirement of ACS.

Lockheed Martin was awarded the Sentinel development contract in March 2006 through a governmentwide acquisition contract. The contract is a cost-plus award fee contract under which task orders will be issued for each phase of the project to be completed. Under a cost-plus award fee contract, costs incurred by the contractor that are allowable, reasonable, and allocable to the contract are reimbursed and fees may be awarded to the contractor based on acceptable performance. Under this type of contract, the government assumes most of the cost risk. The Federal Acquisition Regulation (FAR) requires agencies to mitigate this risk through adequate government oversight during the performance of the contract. In addition, the contractor must have adequate accounting systems to record and bill costs.

The Sentinel project and PMO are supported by five other contracted firms. These companies are providing administrative and engineering services to support the requirements definition, acquisition, and development support for the Sentinel system. Two of these firms are also under cost-plus award fee contracts while the other three are under time and material (T&M) contracts. Under a T&M contract, the government agrees to pay fixed per-hour labor rates and to reimburse other costs directly related to the contract, such as materials, equipment, or travel, based on cost. Again, the government assumes the cost risk because the requirement for the contractor is to make a good faith effort to meet the government's needs within a ceiling price. Accordingly, the government must monitor contractor performance to ensure efficient methods and effective cost controls are being used.
According to FBI officials and documents related to Sentinel, Phase 1 of the project was deployed in June 2007. Overall, FBI estimates that the Sentinel project will be completed in May 2010 and cost $425 million, including $305 million for system acquisition and development costs and $120 million for contractor support and PMO costs.

FBI Designed and Implemented Stronger Internal Controls over the Review of Sentinel Contractor Invoices

We found FBI has taken a number of actions to strengthen the design and implementation of internal controls over the review and approval of Sentinel contractor invoices, including the establishment of the Sentinel PMO to oversee on a daily basis all technical and financial aspects of the Sentinel project and the development of Sentinel-specific invoice processing policies and procedures. We determined that these policies and procedures, if properly implemented, should reduce the risk of improper payments to Sentinel contractors. In testing the implementation of these controls, we found the PMO had effectively implemented its invoice-processing controls. We did not identify any questionable contractor payments.

Policies and Procedures Issued for Sentinel Invoice Processing

Standards for internal control in the federal government state that management is responsible for developing internal control activities to help ensure that management's directives are achieved.[Footnote 3] Control activities are the policies, procedures, and mechanisms that enforce management's directives. Control activities include a wide range of diverse activities such as approvals, authorizations, verification, reconciliations, and the creation and maintenance of related records that provide evidence that these activities have been executed and documented.
Based on our review of Sentinel invoice processing policy and procedures, examples of underlying documentation, and interviews with PMO staff, we found the PMO has established requirements for the Sentinel project that meet internal control standards for invoice review and approval. These requirements are responsive to the recommendations for correcting the invoice-processing deficiencies we identified in our prior Trilogy work and, if implemented properly, will help to ensure accurate and proper payments for goods and services purchased for the project. For example, the PMO's Sentinel invoice-processing policy specifies the roles and responsibilities for the parties involved in the review and approval of Sentinel invoices. Specifically, the Contracting Officer's Technical Representative (COTR) and the PMO Business Management Team (BMT) have responsibility for reviewing the invoices to ensure that billed work has been performed and is within the scope of the contract; that sufficient funds are available to pay the amounts billed; and that the work has not been previously invoiced. The Sentinel Unit Chiefs (UC) are responsible for validating invoice charges to ensure that labor hours billed, travel expenses, and other direct charges (ODCs) are appropriate, reasonable, and have been delivered in accordance with the contract statement of work. The BMT records and tracks invoice charges and vendor payments against purchase orders and compares actual expenditures against planned expenditures. The Sentinel Program Manager or Deputy Program Manager is responsible for final approval of invoices for payment after verification of invoice charges by the UCs and invoice certification by the COTR. The Contracting Officer processes and forwards approved invoices to the FBI's Commercial Payments Unit. In addition, the Sentinel PMO has a staff auditor to perform detailed analyses of all contractor invoices. 
Further, the Sentinel invoice-processing policy requires verification that contractor invoices provide detailed supporting information, including documentation for invoiced labor, travel, subcontractor services, equipment, and other charges. The internal staff auditor makes an assessment of this documentation and when necessary, recommends that the COTR obtain additional supporting documentation or withhold payment for unsupported costs. The policy also requires advanced approval for overtime, travel, and other direct costs. Also, the Sentinel policy establishes monthly reporting requirements for the contractors. The policy also requires contractors to provide a detailed analysis of any labor rate variances, verification of receipt for any equipment or software, and a report describing any unusual invoiced amounts such as previously suppressed charges that are now being billed. The monthly reporting requirements help to establish a link between amounts invoiced and the contractor's performance. Finally, the PMO has established an invoice-review checklist to help ensure that all key invoice-review requirements have been met.

Implementation of Sentinel Invoice Processing Controls

We obtained and reviewed each of the 15 Lockheed Martin and all of the 142 PMO support contractors' monthly invoices submitted for Phase 1 of Sentinel. These invoices totaled approximately $83 million and included Lockheed Martin's $60.3 million for system development and implementation costs and $22.9 million in costs for the five PMO support contractors. Based on our review of these 157 invoices and the supporting documentation, we found that the PMO has effectively implemented the invoice-review procedures established for Sentinel. Specifically, except for a few instances, the contractor invoices had the required PMO officials' approval and the supporting documentation included the required monthly status reports.
We found that the PMO BMT staff is, as specified in the Sentinel invoice-processing policy and procedures, routinely performing mathematical checks of accuracy and tracing invoiced direct costs back to detailed support in the invoice package, such as vendor invoices for equipment, labor detail reports, or travel detail reports or vouchers. Additionally, according to PMO management, the BMT is periodically, as required, selecting contractor employees, obtaining time sheets from the contractor, and comparing time sheet data to the hours charged to Sentinel to verify that the charges are reasonable and supported by the relevant time sheet data. For the invoices containing equipment purchases, we saw that all equipment purchased and invoiced had been traced back (mapped) to the Bill of Material (BOM) to verify the purchase had been authorized. We also traced invoiced costs (i.e., labor, material and travel costs) back to the supporting documentation accompanying the invoice and found the support to be adequate to validate the charges. (The lack of adequate supporting documentation was a significant deficiency identified during our prior work on Trilogy.) In a few cases, we found that the PMO denied payment of certain charges that it determined were either not adequately supported, had been previously billed, had not been pre-approved, or represented over billings. We also compared the direct labor rates and other indirect cost rates charged on the invoices (i.e., overhead, general and administrative, cost of money, and fees) back to the contracts and other supporting documentation provided to us and found that the contractors had charged the appropriate rates. We also found that the PMO kept a log to track the invoice deficiencies it identified and their resolution. This can offer valuable insights into recurring issues and thus a basis for assessing the need for enhancements to invoice-processing policies and procedures. 
We did not identify any questionable contractor payments in our review of the invoices.

FBI Has Designed and Implemented Policies to Strengthen Accountability Over Sentinel Equipment but Opportunities to Further Strengthen Controls Remain

We found the Sentinel PMO has taken steps to design and implement effective internal control policies and procedures over purchased Sentinel equipment. These steps include hiring a Sentinel property manager in April 2007 and issuing Sentinel-specific policies and procedures on how to account for Sentinel equipment. These policies and procedures should help ensure that equipment purchases are properly authorized and that received property is timely inspected and entered into PMA to be tracked and inventoried. However, we did identify some opportunities to further enhance both the design and implementation of controls in this area including:

* controls to ensure the asset tracking database is accurate and complete and that records in it and PMA are reconciled and adjusted as necessary,
* controls to document that property shipments have been promptly inspected and accepted, and
* controls to ensure that property is recorded in PMA in a timely manner.

In addition, while we did not identify any missing assets as part of our testing of the PMO's property controls, we referred records for 20 assets with valuation concerns to the PMO to research and resolve.

Policies and Procedures Issued for Accountability over Sentinel Equipment

Standards for internal control in the federal government require that internal controls be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets.[Footnote 4] Further, an agency must establish physical control to secure and safeguard vulnerable assets (such as computers or sensitive equipment). Such assets should be periodically counted and compared to control records, with adjustments made as necessary.
For the Sentinel project, FBI established the Sentinel PMO to manage all aspects of the project, including maintaining accountability for purchased equipment. In turn, the PMO established specific internal control policies and procedures to account for purchased equipment, including accountable property items. According to FBI policy, accountable property (i.e., assets valued at $2,500 or more, as well as certain sensitive items) must be accounted for in PMA, an automated management system that allows FBI to track the cost, location, and history of its accountable assets. The specific policies for the Sentinel project require the PMO to:

* establish its own database for tracking equipment purchases under the Sentinel project;
* verify that all invoiced equipment was authorized under the BOM;
* compare received property with the packing lists or invoice;
* affix all accountable property with a bar code for tracking;
* enter accountable property in PMA within 27 days of receipt; and
* conduct an annual inventory of all accountable Sentinel equipment.

The PMO hired a full-time Sentinel property manager in April 2007 to provide additional oversight for Sentinel assets and to ensure that the PMO's asset management policies and procedures are effectively implemented. Until the property manager was hired, the Business Management Unit Chief and a temporarily detailed FBI Asset Management Unit employee tracked and managed purchased Sentinel assets. The Property Manager has now assumed these responsibilities. The PMO has issued updated Sentinel asset policies and procedures which include additional controls. In addition, a new BOM Deviation policy has been established in response to a prior finding by the Department of Justice Office of Inspector General (DOJ IG).

Implementation of Sentinel Asset Accountability Controls

For Phase 1 of Sentinel, more than 750 pieces of accountable property were purchased by Lockheed Martin or directly by FBI.
Total property purchased for Phase 1 of Sentinel was valued at $26.3 million. Lockheed Martin procured more than 490 of these assets valued at $24.1 million. We performed detailed tests on assets comprising about 85 percent of equipment costs invoiced by Lockheed Martin and additional detailed tests on the property acquired directly by FBI. As discussed in the following sections, our testing identified opportunities for further enhancement of property controls.

Asset-Tracking Database

The PMO did not establish its own asset-tracking database, as required by its policies and procedures, to track Sentinel equipment purchased by Lockheed Martin. Instead, the PMO decided to utilize, with some modification, the asset-tracking database developed and administered by Lockheed Martin. Using a contractor to create and maintain the asset-tracking database can be an effective control mechanism provided that appropriate managerial and oversight measures are taken to independently verify that all equipment has been accurately recorded in the database. The PMO uses this contractor database to create FBI's official property record in PMA.

To test the accuracy and completeness of this database, we attempted to match the records in it with FBI's official PMA records and vendor invoices. At the time of our test, most of the records we reviewed from the database contained discrepancies. The bar codes, serial numbers, cost, and other key information for the accountable property items recorded in the database did not agree to PMA records and vendor invoices. Furthermore, these discrepancies had not been detected by the PMO, indicating that it did not have adequate procedures for independently monitoring the accuracy and completeness of the contractor records upon which it was relying to create FBI's official property record.
We identified two causes for the discrepancies: (1) the Lockheed Martin database (an Excel spreadsheet) had become corrupted, most likely as a result of an unintended sorting error, resulting in misaligned data fields that could not be matched to the vendor invoices or PMA and (2) many asset costs had been initially entered into PMA at estimated values based on the BOM or using other methods of estimating the cost. PMA requires a cost amount to be entered to create a property record in the system. PMO officials told us that they used estimates so that they could more timely establish a record of the property for tracking purposes. Actual costs - obtained from the Lockheed Martin monthly invoices and accompanying supporting documentation - may not have been available until a month or more after property was received. Actual costs were accumulated in a work-in-progress account to be assigned later. Once the final Lockheed Martin invoice for Phase 1 was received in December 2007, FBI attempted to reconcile all sources of data to ensure an accurate final costing of materials, and performed a comprehensive review of the BOM, the Lockheed Martin invoices, the asset database, and FBI data contained in PMA to produce an accurate asset database that supported FBI's property records. This effort was completed at the end of March 2008. As part of this process, asset values were adjusted to reflect actual invoiced costs. We analyzed the reconciled property records and found them to generally be in agreement, although we found 20 property records for which there were valuation discrepancies between the revised database, PMA, and the vendor invoices. We referred these records to the PMO for investigation. 
Authorization and Receipt of Sentinel Equipment:

To determine whether each purchase has been authorized, the PMO's invoice review procedures include a requirement that the COTR and the BMU support staff, including the staff auditor, "map" or trace all equipment that Lockheed Martin had invoiced FBI for back to the BOM. The BOM, which was part of Lockheed Martin's accepted proposal, detailed the equipment that would need to be purchased to build and implement the Sentinel system. We reviewed the PMO staff auditor's documentation of this procedure and found sufficient evidence to indicate this control had been effectively implemented. Related to this control, the DOJ IG, as part of its oversight of the Sentinel project, reported in August 2007 that there was a significant flaw in the PMO's policy with regard to obtaining required approvals for changes to the original BOM.[Footnote 5] They reported that although the BOM Deviation Policy stated that a deviation is any addition or deletion to the BOM, the policy did not require FBI approval for these additions or deletions. At the time of our review, the PMO was revising its BOM deviation policies to address the IG's finding. The revised BOM Deviation policy was issued in January 2008.

To verify the property shipped to Lockheed Martin was received and properly bar coded, PMO and Lockheed Martin officials told us that for every property shipment, a PMO official visits Lockheed Martin's facilities to physically inspect the equipment and verify it has been properly bar coded. We accompanied the PMO Sentinel property manager on one visit and saw these procedures performed. We also saw where the PMO staff auditor (who performed this step prior to the Sentinel property manager's coming on board) had written down the bar codes assigned to many of the property items during his visits to inspect the property and kept this in his working copy of the Lockheed Martin invoices, which we reviewed.
However, we observed that there is no consistent means of documenting that this control procedure had been performed and when it was performed. The PMO's policies and procedures do not specify how the performance of this control activity should be documented.

Timely Entry and Accurate Recording of Sentinel Assets into PMA:

During our audit of the Trilogy project, we found that accountable assets were not entered into PMA in a timely manner. Because PMA is used to track the location of FBI's accountable property, delay in entering a property record exposes the assets to a greater risk of loss or theft. In response to this finding, the Sentinel PMO established a policy of entering accountable property into PMA within 27 days of receipt. We attempted to test the implementation of this policy for all accountable Sentinel property. However, because neither PMA nor the Lockheed Martin database date-of-receipt field captured the actual receipt date of the property by Lockheed Martin, we could not determine the extent to which the PMO complied with its 27-day requirement for recording assets in PMA. Instead, by applying alternative procedures, we looked at records for 198 pieces of equipment for which we could approximate the receipt date (based on supplier invoices that listed asset serial numbers) and compared these estimated receipt dates to the dates captured in PMA when the asset records were created. We found that about two-thirds of the 198 assets had been recorded within or very near the 27-day target. The remaining one-third did not meet the target. Using this procedure, we found examples of accountable Sentinel assets that had not been recorded in PMA for up to 150 days. Timeliness is one key element of recording accountable property. The data must also be recorded accurately.
As discussed above, our analysis of PMA records, the Lockheed Martin database, and vendor invoices identified many discrepancies that called into question the accuracy of the data entered into PMA. The PMO's reconciliation of the Phase 1 purchases, discussed above, was an important step in correcting the deficiencies we identified. However, without additional steps going forward to help ensure that the Lockheed Martin database, the source document for entries into PMA, is accurate and complete at the time the PMA entry is made, there is an increased risk that Sentinel property will not be properly recorded. Further, internal control objectives for asset control anticipate that property will be recorded in a timely manner to afford visibility over the assets and minimize the risk of their loss or unauthorized use.

Inventory of Sentinel Assets:

In 2007, FBI conducted an agencywide "wall-to-wall" inventory of all accountable property, including sensitive property items (e.g., laptop computers and weapons, which are susceptible to theft), recorded in PMA. Sentinel assets were included in this inventory. We obtained and reviewed reports from FBI's PMA that indicated that all accountable and sensitive Sentinel assets recorded in the system were successfully inventoried. To obtain assurance that the PMA records were complete, we matched the records in the corrected Lockheed Martin asset-tracking database to the records in PMA and found six accountable property items that were captured in the database but not recorded in PMA. When assets are not recorded in the property system, there is no record of their existence when physical inventories are performed. This limits the effectiveness of the physical inventory in detecting missing assets. We provided a list of these six assets to the PMO to research and resolve. PMO officials provided us an explanation for each of the six items on the list. One asset was improperly bar coded and one was not an accountable property item.
The PMO was in the process of uploading the other four assets into PMA. These assets will be included in the 2008 inventory of Sentinel equipment which began in early 2008.

Conclusions:

FBI has designed and implemented improved internal controls for the processing of Sentinel invoices and for maintaining accountability over Sentinel equipment. As a result, the risk of making improper payments to Sentinel contractors and the risk of misuse, loss, or theft of Sentinel equipment has been significantly reduced. However, additional procedures to strengthen accountability over Sentinel equipment are still needed in order to enhance FBI's ability to account for and control project assets. If effective corrective actions are taken and properly implemented for these remaining areas of risk, we believe that the design and implementation of internal controls for the Sentinel project could serve as a model for FBI's invoice and property control in other projects involving contractors.

Recommendations for Executive Action:

We recommend that the Director of the FBI direct the Sentinel Program Manager to modify existing Sentinel policies and procedures to:

* require the Sentinel property manager to verify for every property shipment that data in the Lockheed Martin database are complete and accurate before using these data to create or update FBI's official property records in PMA;
* require that the Sentinel property manager perform monthly reconciliations of the key property records (i.e., the BOM, the vendor invoices, the Lockheed Martin database, and PMA) throughout each subsequent phase of Sentinel rather than a single close-out reconciliation at the completion of a phase;
* require the Sentinel property manager to document the initial inspection of property as it is received, including verification that the property was properly barcoded;
* require the Sentinel property manager to record in the Lockheed Martin database the date Sentinel property is received to allow for assessments of whether Sentinel property was timely recorded into PMA; and
* require the Sentinel property manager to follow up on and document actions taken with respect to the 20 property records we identified as having valuation discrepancies, including any adjustments to the valuations in either FBI's or the contractor records.

Agency Comments and Our Evaluation:

In written comments on a draft of this report, FBI's Executive Assistant Director/Chief Information Officer stated that FBI concurs with our recommendations regarding strengthening accountability for Sentinel equipment. In his comments, he stated that the PMO asset accountability policies and procedures have been adjusted based on lessons learned from Phase 1 and that steps are now being taken to ensure that the Lockheed Martin database is accurately populated before entering data into FBI's PMA. He also stated that the PMO has been working to resolve the asset valuation discrepancies that we identified. FBI's comment letter is reprinted in enclosure II. FBI also separately provided technical comments which we have considered and incorporated into the final report as appropriate.

We are sending copies of this report to the Chairman of the Senate Judiciary Committee, the Attorney General, the Director of the Federal Bureau of Investigation, and other interested congressional committees. We will also provide copies to others on request. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov].

If you or your staff have any questions about this report, please contact me at (202) 512-9471 or by e-mail at franzelj@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in Enclosure III.

Sincerely yours, Jeanette M.
Franzel: Director, Financial Management and Assurance:

[End of section]

Enclosure I: Scope and Methodology:

We assessed the design and implementation of the Federal Bureau of Investigation's (FBI) internal controls over the Sentinel system development and implementation effort to determine whether (1) these controls provided a reasonable level of assurance that improper payments to Sentinel contractors would be prevented or detected in the normal course of business and (2) FBI maintained adequate accountability over equipment purchased for the Sentinel system. In addition, we designed our work so that if we found current weaknesses in internal control, we would determine whether those weaknesses resulted in improper payments or missing equipment.

Our work focused on the recently completed Phase 1 of the Sentinel project and included all 157 contractor invoices submitted and equipment purchased for this phase of the project. The initial contractor invoices were for planning activities for Phase 1 that began in May 2005. The final invoice for this phase, dated November 30, 2007, was submitted and processed in December 2007. We reviewed the invoices submitted by Lockheed Martin, the Sentinel development contractor, which began work in March 2006, as well as the five firms assisting FBI's Sentinel PMO in its planning for and oversight of the project.

We used our Standards for Internal Control in the Federal Government [Footnote 6] as overarching criteria and also considered specific policies and procedures developed by FBI's Sentinel PMO as discussed below. In performing our work, we also considered the weaknesses we had identified in our prior work on Trilogy and FBI's efforts to ensure similar weaknesses were not present in the Sentinel project. We did not make an assessment of invoice-processing controls or equipment accountability on an FBI-wide basis. Our assessment was for the Sentinel project only.
Assessment of the Design and Implementation of Internal Controls over Sentinel Invoice Processing:

To understand and assess the design of internal controls over Sentinel invoice processing, we obtained and reviewed the relevant internal control policy and procedures that had been developed by the Sentinel PMO. This included the specific policy and procedures dealing with the PMO's invoice processing, contractor time card reviews, and the documentation requirements contractors were expected to follow when submitting their monthly invoices. We held discussions with PMO officials involved in the financial management aspects of Sentinel including the program manager, deputy program manager, contracting officer, contracting officer's technical representative, business management unit chief, and internal auditor to determine and understand their roles in the invoice-review process. We also obtained and reviewed the contracts, statements of work, purchase orders, and cost proposals for Lockheed Martin and the five PMO contractors as well as Phase 1 contractor invoices with accompanying supporting documentation. To evaluate the implementation of controls over Sentinel invoice review and approval, we performed tests and analysis of the five areas discussed in detail below.

Invoice Approval and Adequacy of Supporting Documentation:

We obtained and reviewed all 157 contractor invoices submitted during Phase 1 of the Sentinel project by Lockheed Martin and the five PMO contractors to determine whether there was evidence that the invoices had been reviewed and approved in accordance with the PMO invoice-processing policy. We also examined the accompanying supporting documentation submitted by the contractors to determine whether significant charges on the invoices were adequately supported and contractors had submitted the required monthly status reports that link invoiced costs to work activities during the invoice period.
Invoiced Equipment and Software Costs:

We reviewed the purchasing reports and supplier invoices that were included in the Lockheed Martin monthly invoice packages to determine whether the invoiced equipment costs were adequately supported. Lockheed Martin was the only contractor that purchased Sentinel equipment. We performed this procedure for every Lockheed Martin invoice that included equipment purchases.

Review of PMO's Time Card Audits:

PMO policies require contractor time card audits to help substantiate invoiced labor costs. PMO management told us they had conducted these audits, which compared contractor time cards to the labor detail reports included in the monthly invoice packages submitted by Lockheed Martin and the five PMO contractors. The PMO internal auditor showed us copies of several contractor employees' time cards that he had obtained and explained the tick marks he placed on the invoices to denote the completion of these audits.

Analysis of Labor Costs and Rates:

To review labor charges included in each monthly invoice package submitted by Lockheed Martin and the PMO support contractors, we traced invoiced amounts back to the detailed supporting documentation included in the invoice packages that listed employees' labor category, hours worked, hourly rates, and total labor cost. We also analyzed the hours and rates billed by Lockheed Martin and the five PMO contractors. Based on this analysis, we selected a nonstatistical sample of 12 contractor and subcontractor employees whom we determined had either charged significant hours to the Sentinel project, had higher than average labor rates, or charged multiple labor categories. There was at least 1 employee selected from each of the five PMO contractors and 6 employees selected from Lockheed Martin and its subcontractors. For the selected employees, we requested salary information, resumes, time and attendance records, and personnel actions.
Using these data, we determined whether the employees' hourly rates were consistent with the rates billed to the Sentinel project and in line with the rates for individual labor categories specified in the contracts or cost proposals. We also compared data on the individuals' resumes to the skill and experience requirements specified in the contracts for the labor categories in which their time was reported.

Analysis of Overhead, G&A, and Fees:

Using the contractors' monthly invoices, we calculated the rates the contractors charged for overhead, general and administrative (G&A) expenses, and Cost of Money fees. We then compared the calculated rates to the rates specified in the contracts or approved by the Defense Contract Audit Agency for the applicable time periods.

Assessment of the Design and Implementation of Internal Controls for Sentinel Equipment:

We obtained and reviewed the Sentinel PMO's policies and procedures for authorizing the purchase of and accounting for Sentinel equipment and reviewed procedures carried out by the property manager to account for purchased equipment including the process used to bar code equipment and physically verify its receipt. We also met with FBI, PMO (including the Sentinel property manager), and Lockheed Martin officials with responsibility for asset accountability to better understand the policies and procedures and their implementation. We visited the Lockheed Martin facilities where property is received and stored and conducted a walk-through of the process Lockheed Martin has established to account for and safeguard Sentinel assets.
In order to assess the accuracy and completeness of the Lockheed Martin database and to determine whether the PMO had created an appropriate corresponding record in PMA, FBI's official property management system, we performed the following:

* obtained and analyzed the database to identify any irregularities such as duplicate bar codes or missing information;
* compared the vendor invoice number and item description, cost, and serial number (taken from supporting documentation) to the Lockheed Martin database for six Lockheed Martin invoices that together represented billings for approximately 85 percent of the total material [Footnote 7] purchased and billed by Lockheed Martin;
* compared the bar codes recorded on Lockheed Martin's database to PMA to identify any bar codes not recorded in PMA and investigated any discrepancies;
* compared the data (e.g., serial number, asset description, and asset cost) for each bar coded property item in the Lockheed Martin database to the PMA record and followed up on any discrepancies; and
* obtained and reviewed FBI's reconciliation of all Sentinel assets purchased by Lockheed Martin and billed on their monthly invoices to the Sentinel Bill of Material (BOM) to determine whether the purchase was authorized.

FBI also purchased several Sentinel assets directly.[Footnote 8] We performed the following procedures to help ensure that these assets were properly accounted for:

* obtained and reviewed a listing of all purchase orders issued by FBI for the Sentinel project along with copies of the vendor invoices related to those purchase orders that included the purchased Sentinel equipment; and
* compared the data, such as quantity, serial number, asset description, and asset cost for the items on the vendor invoices to the PMA listing of accountable property for the purchase orders identified and followed up on any discrepancies.
Finally, we reviewed the documentation provided to us by the Sentinel PMO following the completion of the overall asset reconciliation performed at the end of Phase 1. As part of this effort, PMO officials stated that they would reconcile the BOM, vendor invoices, the Lockheed Martin database, and PMA and make the necessary adjustments to ensure that the recorded costs of Sentinel equipment agree with actual vendor invoice amounts.

We conducted this performance audit from August 2006 through May 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform our audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[End of section]

Enclosure II: Comments From the Federal Bureau of Investigation:

U.S. Department of Justice:
Federal Bureau of Investigation:
Washington, D. C. 20535-0001:

June 23, 2008:

Ms. Jeanette M. Franzel:
Director, Financial Management and Assurance:
Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Ms. Franzel:

Re: FBI Response To GAO'S Draft Report, "Financial Management: FBI Has Designed And Implemented Stronger Internal Controls Over Sentinel Contractor Payments And Equipment Purchase, But Additional Actions Are Needed," GAO-08-716R.

Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft report entitled "Financial Management: FBI Has Designed and Implemented Stronger Internal Controls over SENTINEL Contractor Payments and Equipment Purchase, but Additional Actions Are Needed" (hereafter referred to as "the Report"). The FBI appreciates the positive tone and recognition for its efforts to maintain stronger internal controls in the SENTINEL Program's financial management activities.
The Report has been reviewed by the Federal Bureau of Investigation (FBI), Information and Technology Branch, and coordinated with the Finance Division (FD). This letter constitutes the formal FBI response. Based on our review of the Report, the FBI concurs with The GAO's recommendation regarding strengthening accountability for SENTINEL equipment. The assignment of an FBI employee as the SENTINEL property manager was designed to provide the leadership and expertise necessary to maintain appropriate control over government assets. Additionally, the SENTINEL Program Management Office (PMO) has required Lockheed Martin (LM) to mirror the SENTINEL property manager position. Many of the SENTINEL PMO's policies and procedures were implemented as a result of the SENTINEL property manager's assignment and were adjusted based on lessons learned from Phase 1. For example, the GAO recommends (Recommendation #1) that the SENTINEL PMO verify that data in the LM Database is complete and accurate before using the data to create or update the FBI's official property record. The SENTINEL property manager verifies the data, maps it to the Bill of Materials, and ensures the LM Database is accurately populated before entering data into the FBI's Property Management Application. The SENTINEL PMO also requires LM to provide a copy of the mapping of the property to the LM Database and the invoice. With regard to the fifth recommendation concerning the 20 assets with valuation discrepancies: the SENTINEL property manager, business management employee, and FD's financial analyst have been working closely with the GAO auditor to resolve all discrepancies and satisfy concerns described in this recommendation. Although the valuation discrepancies reported pertained to 20 items out of an estimated 1,200 items reviewed, the SENTINEL PMO is striving to be error free. The SENTINEL PMO and LM have a clear agreement on proper reporting and accountability procedures. 
Again, thank you for the opportunity to respond to the Report. Should you or your staff have questions regarding our response, please contact me or one of my executives listed below:

Mr. Dean E. Hall:
Deputy Chief Information Officer:
Information and Technology Branch:
202-324-2307:

Mr. John M. Hope:
Program Management Executive:
Office of IT Program Management:
202-324-9798:

Sincerely yours,

Signed by:

Zalmar Amzi:
Executive Assistant Director and Chief Information Officer:

[End of section]

Enclosure III: GAO Contact and Staff Acknowledgments:

GAO Contact:

Jeanette M. Franzel (202) 512-9471 or franzelj@gao.gov:

Acknowledgments:

In addition to the contact named above, Phillip W. McIntyre, Assistant Director; Ed Brown; Fred Evans; and Edward Tanaka made key contributions to this report.

[End of section]

Footnotes:

[1] GAO, Federal Bureau of Investigation: Weak Controls over Trilogy Project Led to Payment of Questionable Contractor Costs and Missing Assets, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-306] (Washington, D.C.: February 2006).

[2] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-306].

[3] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999).

[4] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1].

[5] U.S. Department of Justice, Office of the Inspector General, Sentinel Audit III: Status of the Federal Bureau of Investigation's Case Management System, Audit Report 07-40 (August 2007).

[6] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1].

[7] Material charges include all software and hardware purchased by Lockheed Martin.

[8] The FBI issued purchase orders directly to vendors to purchase equipment, software, and other services related to the Sentinel project in addition to the goods and services purchased by Lockheed Martin.