DRUG ENFORCEMENT ADMINISTRATION'S
THIRD PARTY PAYMENT SYSTEM
Audit Report 97-01, (11/96)
TABLE OF CONTENTS
FINDING AND RECOMMENDATIONS
MANAGEMENT CONTROLS SHOULD BE STRENGTHENED
Security of Check Stock
STATEMENT OF COMPLIANCE WITH LAWS AND REGULATIONS
APPENDIX I - AUDIT SCOPE AND METHODOLOGY
APPENDIX II - MANAGEMENT CONTROL ERRORS
Third party payments are an alternative payment method for cash and an effective tool for reducing cash held by federal agencies. A third party payment is a negotiable instrument which does not immediately expend funds from the U.S. Treasury when issued. Third party payments are issued for imprest fund-type expenses, travel reimbursements, small purchases, and investigative expenses. The limit for imprest fund-type expenses and travel reimbursements is $2,500, and for small purchases and investigative expenses is $5,000. Funds paid to the payee are provided by the contracting bank, and Treasury funds are not disbursed until payment is made to the contracting bank for properly honored third party payments.
Mellon Bank processes third party payments under a Department of Justice contract in which the Drug Enforcement Administration (DEA) has participated since May 1990. During FY 1995, the DEA processed more than $30 million in third party payments at 25 sites. The DEA plans to implement the third party payment system at 7 additional sites.
Our review of 100 sampled third party payments identified the following weaknesses: (1) supporting documents were missing for 20 payments, (2) expenses were not authorized by the DEA Third Party Draft Payment System Policies and Procedures Manual and the Department of Justice Third Party Payment Policies and Procedures Handbook for 18 payments, (3) supporting documents were not signed by an approving official for 8 payments, and (4) voucher packages were not marked "PAID" for 91 payments. Our review of bank reconciliations at DEA Headquarters identified differences that were not identified and followed up in a timely manner. Our review of third party payment operations at the field offices identified shared passwords, unsecured blank check stock, missing voided checks, and manually voided checks recorded in the Financial Management Information System (FMIS) as issued or cleared. Our findings corroborated the results of office-by-office compliance reviews performed by the DEA's Office of Finance.
In our judgment, the third party payment system can be an effective method to make disbursements for imprest fund-type expenses, travel reimbursements, small purchases, and investigative expenses. However, the weaknesses we identified, when taken as a whole, increase the risk of waste, unauthorized use, or theft not being detected in a timely manner. To reduce this risk, DEA managers need to: (1) reinforce requirements for supporting documents, authorized expenses, approvals, and stamping voucher packages "PAID," (2) streamline bank reconciliations by incorporating the monthly reconciliations into the daily reconciliations, and eliminating the monthly reconciliations, (3) ensure bank reconciliations identify all differences and are timely completed, (4) ensure each draft technician has a unique user identification (USERID) and password, (5) ensure blank check stock is secured from unauthorized access, and (6) ensure voided checks are marked "VOID" and recorded in FMIS.
Prior to the issuance of this report, we discussed and reached agreement with DEA management on the finding and recommendations. The report discusses conditions found, our recommendations, and actions necessary for final closure. These matters are discussed in the Finding and Recommendations section of the report. Our audit scope and methodology are addressed in Appendix I.
FINDING AND RECOMMENDATIONS
MANAGEMENT CONTROLS SHOULD BE STRENGTHENED
In our judgment, the weaknesses we identified, taken as a whole, increase the risk of waste, unauthorized use, or theft not being detected in a timely manner. To reduce this risk, DEA managers should improve management controls to safeguard third party checks. We noted matters involving the management control structure and its operation that we did not consider significant enough to report, but that we communicated separately to DEA managers. The controls we believe need improvement are discussed below.
Guidance for the operation of DEA's third party payment system is contained in the DEA Third Party Draft Payment System Policies and Procedures Manual (DEA Manual) and the Department of Justice Third Party Draft Payment System Policies and Procedures Handbook (JMD Handbook). We worked with DEA managers to determine which controls in the DEA Manual and JMD Handbook were critical. We identified eight controls that should be working effectively to safeguard third party payments. We then evaluated the effectiveness of the eight controls using a statistically valid sample of third party payments. We determined if: (1) voucher packages included all required supporting documents, (2) expenses were authorized, (3) supporting documents were signed by approving officials, (4) checks were within allowable dollar limits, (5) information on checks matched supporting documents, (6) voucher packages were stamped "PAID," (7) checks were computer generated, and (8) signatures on checks matched signature cards and payees and check amounts on checks matched copies of checks.
DEA's third party payments are processed through the JMD's FMIS. From the FMIS, we identified the universe of third party payments issued during the period October 1, 1994 through September 30, 1995. The universe included third party payments issued for imprest-fund type expenses, travel reimbursements, small purchases, and investigative expenses. From the universe, we selected a stratified statistical sample of 100 payments valued at $45,022 from a universe of 69,336 payments valued at $30,159,429.
Based on our testing, we are 95 percent confident that the combined error rate for all eight controls was 96 percent, with one to four errors per payment. Four payments had no errors, 60 payments had one error, 26 payments had two errors, 8 payments had three errors, and 2 payments had four errors. See Appendix II for a matrix of control errors for each sampled third party payment.
The error rate for four of eight controls tested was at or less than 5 percent. The four controls were: (1) expense limits; (2) matching document information; (3) review of check; and (4) draft disbursing officer signature, payee, and check amounts.
A summary of the four remaining controls follows:
Supporting Documents. Eighty of 100 third party payments were supported by required documents; the remaining 20 payments were not. Based on our testing, we estimate that 13,870 payments with a value of about $2,257,911 did not include at least one of the required supporting documents. See page 15 for a list of required supporting documents.
The requirements for supporting documents are designed to ensure expenses are legitimate and properly documented. The payments that did not include all required supporting documentation were for: (1) office supplies, (2) travel, (3) room rental, (4) data base service, (5) radio equipment rental, (6) vehicle maintenance and repair, (7) equipment parts and repair, (8) honorarium, (9) bottled water, and (10) fuel.
Authorized Expenses. Eighty-two of 100 third party payments were for authorized expenses; the remaining 18 payments were not. Based on our testing, we estimate that 12,529 payments with a value of about $1,584,556 were for unauthorized expenses. See page 15 for the categories of authorized expenses. The DEA's Office of Finance will pursue collection of improper payments identified in this report, as well as strengthen post payment audit procedures.
The requirements limiting the types of expenses are designed to ensure funds are not wasted. The unauthorized payments were for: (1) tolls claimed for travel not specified as government or official business, (2) bottled water, and (3) travel expenses. The payments for travel expenses included reimbursement for: (1) per diem, phone calls, and rental car in excess of allowable amounts; (2) air fare, automatic teller machine fees, and banquet fees not authorized per the travel authorization; and (3) expenses not supported by a travel authorization or approved travel voucher.
Approvals. Ninety-two of 100 third party payments were properly approved as evidenced by either a supervisor's, manager's, or auditor's signature; the remaining 8 payments were not. Based on our testing, we estimate that 5,550 payments with a value of about $791,989 did not include at least one required approval. See page 15 for a list of required approvals.
The requirements for approvals are designed to ensure expenses are legitimate and authorized. The payments that were not approved were for: (1) travel, (2) training, and (3) office supplies.
Voucher Packages. Nine of 100 third party payments were stamped "PAID" as required; the remaining 91 payments were not. Based on our testing, we estimate that 63,103 payments with a value of about $21,850,057 were not stamped "PAID." Although we found no duplicate payments resulting from vouchers not being stamped "PAID," the requirement decreases the risk of loss from documents being used to support more than one payment.
DEA Compliance Reviews
Our findings, based on a nationwide review of the program, corroborated the results of office-by-office compliance reviews performed by the DEA's Office of Finance. These reviews, performed by DEA accountants independent of the process and knowledgeable of proper management controls and financial systems, were conducted to determine if staff at third party payment sites were following the DEA Manual. The reviews included a sample of checks processed from June 1, 1993 through July 31, 1995. The reports, issued for each office reviewed, cited the weaknesses, applicable policy, and recommendations for corrective actions. Management at the third party payment sites provided written responses addressing the recommendations. The responses indicated an increased awareness and understanding of management controls. To reinforce the results of the reviews, DEA management is revising the DEA Manual to eliminate confusing and conflicting information and to emphasize new policies and procedures for ensuring proper management controls.
Many of the management control errors identified in our report were also identified during the reviews. Prior to our audit, the DEA's Office of Finance had taken corrective action regarding stamping voucher packages "PAID." For the remaining controls of supporting documents, authorized expenses, and approvals, the third party payment site managers agreed in writing to corrective actions. The Office of Finance is continuing to work with the site managers to correct outstanding recommendations and to promote a clear understanding of management controls.
The Federal Managers' Financial Integrity Act (FMFIA) of 1982 requires internal accounting and administrative controls to provide reasonable assurance that: (1) funds are safeguarded against waste, loss, unauthorized use, or misappropriation; and (2) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets. DEA's FMFIA reporting identified nonconformances for bank reconciliations and classified the findings as "management concerns."
A key feature of internal accounting controls is the independent reconciliation of bank statements and accounting records to ensure errors or irregularities are detected in a timely manner. DEA Headquarters' staff performed daily and monthly reconciliations of checks paid by the bank with entries recorded in the DEA Accounting System (DEAAS). These reconciliations required agreement between the FMIS, DEAAS, Mellon Bank, and U.S. Treasury. In addition, funds were obligated in DEAAS, while checks were issued through the FMIS.
Daily Bank Reconciliations: DEA performed daily reconciliations of: (1) checks issued to checks presented to Mellon Bank for payment, and (2) checks issued and presented to Mellon Bank for payment to DEAAS obligations.
Checks Issued to Checks Presented for Payment. This reconciliation was designed to identify differences between checks issued through the FMIS to checks presented to Mellon Bank for payment. JMD staff electronically reconciled the FMIS to the presented checks and printed a report of differences. The report included differing check amounts and check numbers. DEA Cash Unit staff tried to resolve all differences the same day by following up with the bank, reviewing FMIS, or reviewing the check at DEA Headquarters. Errors were corrected on FMIS, if necessary. The Cash Unit staff said the bank was not notified of errors because the bank usually discovered mistakes. As of November 28, 1995, the report listed no differences older than four workdays old; therefore, we considered the differences timely resolved.
Until recently, DEA staff relied on the monthly reconciliations for identifying credits due, such as for bank input errors. Because of the delayed acceptance of credits, funds had to be paid from the Treasury earlier than necessary. In January 1996, the DEA began identifying credits due on a daily basis.
Checks Issued and Presented for Payment to DEAAS. This reconciliation was designed to (1) identify differences between checks issued and checks presented to Mellon Bank for payment to DEAAS obligations and (2) ensure all daily transactions were entered into DEAAS. DEA Financial Systems Unit staff electronically matched issued and presented checks to DEAAS obligations and printed a report of differences. These differences included transactions rejected because of insufficient obligations or improper object classification codes. DEA Cash Unit staff attempted to resolve the differences identified by the electronic reconciliation. However, the report did not identify all differences.
DEA Cash Unit staff duplicated the electronic reconciliation with a manual reconciliation because checks issued and voided on the same day were not listed in DEAAS. Additionally, when checks were voided in the FMIS after the date of issuance, DEAAS erroneously recorded the void date as the date the check was originally issued. DEA staff had to override DEAAS to correct the date to the actual date voided. DEA Cash Unit staff tried to resolve all differences the same day by following up with the responsible third party payment site or reviewing the check at DEA Headquarters.
We reviewed 12 daily reconciliations from FY 1995. As of January 30, 1996, 5 daily reconciliations had unreconciled differences for issued checks which ranged from $342 more in checks issued per DEAAS to $634 more in checks issued per FMIS. Differences for presented checks ranged from $1,004 more in checks presented per DEAAS to $1,607 more in checks presented per FMIS. DEA staff said these differences had not been resolved because of oversight and lack of knowledge in handling the corrective accounting entries.
Monthly Bank Reconciliations: Staff from DEA's General Accounting Unit performed monthly reconciliations of: (1) DEAAS transactions to Mellon Bank for presented checks, (2) DEAAS transactions to FMIS issued checks, and (3) U.S. Treasury reimbursements to Mellon Bank for paid checks. DEA's Cash Unit was responsible for resolving the differences identified for issued and presented checks.
The monthly reconciliations of DEAAS to Mellon Bank and to the FMIS are essentially the same as the daily reconciliation of DEAAS to Mellon Bank and FMIS. Therefore, if the daily reconciliations were timely performed and resolved, the monthly reconciliations would not need to be performed.
DEA's General Accounting Unit prepared a summary level reconciliation of all third party payment schedules. The reconciliation of the U.S. Treasury to Mellon Bank was designed to ensure the DEA accurately reimbursed Mellon Bank for presented checks and that daily reconciliations were being timely completed. Prior to our audit, DEA staff were not resolving the differences identified from this reconciliation. As of April 23, 1996, the General Accounting Unit staff said all differences from October 1995 through February 1996 were resolved; the differences were primarily attributed to credits due. The differences for the remaining FY 1995 reconciliations will be resolved as time allows.
Given the problems with password security, check stock security, and voided checks discussed below, the DEA should improve the reconciliation process by: (1) incorporating the monthly reconciliation of Mellon Bank to Treasury into the daily reconciliations, (2) ensuring the daily reconciliations are completed timely and all differences identified and followed up timely, and (3) eliminating the monthly reconciliations. The DEA would benefit from the increased control over cash.
DOJ Order 2640.2C, Telecommunications and Automated Information Systems Security, Chapter 2, requires that USERID and password systems support the minimum requirements of access control, and requires each user to have a unique user identification and password. The JMD Handbook also requires that each Draft Technician have an individual USERID and password. Each Draft Technician is required to have a unique USERID and password for accessing the FMIS Draft Module.
Draft Technicians at seven field office each had unique USERIDs and passwords. However, Draft Technicians at the three remaining field offices said they shared USERIDs and passwords. In addition, at one of these field offices, the USERID, password, and instructions for accessing the FMIS Draft Module was posted next to the computer used for issuing checks.
The FMIS includes a computer program that records logons. Each time a user ends an FMIS session, a record is written to the accounting file. The accounting file contains the length of time a user was connected to FMIS, but not the time of the logon and logoff. DEA Management would be unable to trace errors or irregularities to a single user in the field offices with shared USERIDs and passwords.
Shared USERIDs and passwords compromise the management control of the third party payment system. Lack of control over USERIDs and passwords combined with posted instructions for accessing the computer permits unauthorized access to FMIS. This in turn could lead to unauthorized issuance of checks.
The DEA's Office of Finance identified shared passwords as a weakness at three third party payment sites in FY 1995. During our audit we visited two of these sites and found that passwords were no longer shared.
Security of Check Stock
The DEA Manual and JMD Handbook requires blank check stock be secured from unauthorized access and/or theft at all times. The blank check stock must be stored in a fireproof container, at a minimum, and safeguarded until needed.
Blank check stock was properly secured at four field offices. However, blank check stock was not stored in a fire-proof container and the storage area was not secured at the remaining six field offices. At three of the six field offices, blank check stock was stored in the original cardboard box on the floor of the imprest fund room. At the other three field offices, blank check stock was stored in an unlocked file cabinet or safe. At all six field offices, the imprest fund rooms were unsecured during the day, but were secured after business hours. The lack of security could lead to loss or theft of checks and unauthorized issuance of checks.
DEA's Office of Finance identified unsecured blank check stock as a weakness at six third party payment sites in FY 1995. During our audit we visited one of these sites and found that blank check stock was still not properly secured.
The DEA Manual requires the Draft Technician to write or stamp "VOID" on the front of the original check and all copies, preferably over the space provided for the signature. In addition, all checks which are manually voided must be voided in the FMIS Draft module.
We reviewed 824 voided checks from a printout provided by JMD. Seven hundred and seventy three checks were manually voided. However, only 207 were voided across the signature line. Of the remaining 566 checks, 564 were voided either partially or wholly across the face of the check and 2 were voided across the check stub. Twelve checks were not voided. In addition, 39 checks were not on file at the field offices; we could not determine if the checks were voided. For each of the 39 checks, we reviewed the bank statements from the issue date to 180 days past the issue date, since checks are void after 180 days. None of the 39 checks had been cashed.
We also reviewed 117 voided checks at the ten field offices to determine if they were on the JMD printout. Seventy-five checks were not on the printout. Of the 75 checks, 20 checks were recorded in FMIS as "void", 12 checks were recorded in FMIS as "damaged", 6 checks were recorded in FMIS as "issued", 1 check was recorded in FMIS as "cleared", while the remaining 36 checks were not recorded in FMIS. Of the 20 checks recorded as "void", 8 checks were voided outside of the review period; therefore, they would not be on the JMD list. The remaining 12 checks were voided during the review and should have been on the JMD list. For each of the 7 checks recorded in FMIS as "issued" or "cleared," we reviewed the bank statements from the issue date to 180 days past the issue date. None of the 7 checks had been cashed.
If voided checks are not properly marked, they could be easily negotiated. Also, if voided checks are not entered into FMIS, accountability over the issuance of such checks is jeopardized.
In summary, (1) supporting documents were missing from voucher packages; (2) expenses were paid which were not authorized by the DEA Manual and JMD Handbook; (3) payments were made which had not been approved by a supervisor, manager, or auditor; and (4) voucher packages were not marked "PAID." In addition, DEA staff conducting bank reconciliations did not follow-up on all the differences identified during the daily reconciliations. Finally, field office staff shared passwords, did not secure blank check stock, and did not properly account for voided checks. The causes for the above weaknesses ranged from inadequate oversight to not being aware of or familiar with the controls in the DEA Manual. The reasons were all indicative of management not stressing and reinforcing the third party payment controls.
In our judgment, the third party payment system can be an effective method to make disbursements for imprest fund-type expenses, travel reimbursements, small purchases, and investigative expenses. However, DEA managers should improve management controls to decrease the risk of waste, unauthorized use, or theft going undetected.
Prior to issuance of this report, we discussed the finding with DEA management and obtained concurrence on each recommendation. The actions necessary for final closure are discussed following each recommendation.
We recommend the Administrator, DEA:
1. Reinforce requirements for supporting documents, authorized expenses, approvals, and stamping voucher packages "PAID."
Resolved. This recommendation can be closed when we receive documentation that the requirements have been reinforced to DEA personnel.
2. Streamline bank reconciliations by incorporating the monthly reconciliations into the daily reconciliations and eliminating the monthly reconciliations.
Resolved. This recommendation can be closed when we receive documentation that the monthly bank reconciliations have been incorporated into the daily reconciliation, thus eliminating the monthly reconciliation.
3. Ensure bank reconciliations identify all differences and are timely completed.
Resolved. This recommendation can be closed when we receive documentation that DEA staff have been instructed to timely complete bank reconciliations and resolve all differences.
4. Ensure each draft technician has a unique USERID and password.
Resolved. This recommendation can be closed when we receive documentation that unique USERIDs and passwords have been assigned to draft technicians at each third party payment office.
5. Ensure blank check stock is secured from unauthorized access.
Resolved. This recommendation can be closed when we receive documentation that staff at each third party payment office have been instructed to secure blank check stock in accordance with DEA requirements.
6. Ensure voided checks are marked and are recorded in FMIS as void.
Resolved. This recommendation can be closed when we receive documentation that staff at each third party payment office have been instructed to ensure that voided checks are marked and recorded in FMIS as void.
STATEMENT OF COMPLIANCE WITH LAWS AND REGULATIONS
We have audited the DEA's Third Party Payment System. The audit covered the period October 1, 1994 through the third quarter of FY 1996, and included a review of selected activities and transactions.
In connection with the audit and as required by government auditing standards, we tested transactions and accounting records to obtain reasonable assurance about the DEA's compliance with the laws, regulations, and the U.S. Treasury Financial Manual that we believe could have a material effect on the use of third party payments. Compliance with laws, regulations, and sections of the U.S. Treasury Financial Manual applicable to the use of third party payments is the responsibility of DEA management.
An audit includes examining on a test basis, evidence about laws and regulations. The specific law and guideline for which we conducted tests are contained in:
· the Federal Managers' Financial Integrity Act of 1982, and
· Section 3040.70, U.S. Treasury Financial Manual.
Except for the management control weaknesses identified in the Finding and Recommendations section of this report, the DEA complied with the requirements of the Federal Managers' Financial Integrity Act of 1982 and Section 3040.70 of the U.S. Treasury Financial Manual. With respect to those transactions not tested, nothing came to our attention that caused us to believe that DEA management was not in compliance with the law cited above.