Department of Justice Process for Identifying, Preventing, and Recovering Improper and Erroneous Payments

Audit Report 05-19
April 2005
Office of the Inspector General


OIG Findings and Recommendations


  1. Policies and Procedures for Identifying and Preventing Improper and Erroneous Payments

    Our audit determined that the risk assessments conducted by the USMS and OJP were not adequate to completely measure the risk of improper payments in all programs administered. In addition, we found weaknesses in certain policies and procedures used to prevent improper payments at the FBI and USMS. These conditions could cause improper payments to go undetected and therefore not be recovered.

Many of the causes of improper payments can be traced to the lack of or an inadequate system of internal control. According to information obtained from the Chief Financial Officers Council and the President's Council on Integrity and Efficiency, the causes for improper payments can be broken down into the following three broad categories:

  • A weak or incomplete program control environment: this includes the systems, procedures, and practices, including rigorous oversight, that can help prevent or correct improper payments.

  • Risks inherent in the regulatory and policy structure: these define and support each federal program, and may stem directly from policy choices and mandates.

  • A lack of governmentwide consistency, coordination, and standardization: this includes a lack of alignment of program eligibility policies, sharing of data, consistency in measuring improper payments, and dissemination of best practices.

To accomplish the objectives of this audit, we interviewed component officials and reviewed policies and procedures used by the BOP, OJP, FBI, and USMS to identify and prevent improper payments. In addition, we reviewed each component's IPIA report, which included its program risk assessment, and compared each report to the IPIA reporting requirements.

As detailed in the Introduction section of this report, the IPIA requires a risk assessment of all programs to identify those that are susceptible to significant improper payments. Guidance provided by OMB in accordance with the IPIA requires each agency to conduct a full program inventory and describe the risk assessment it performed on that inventory, including a listing of all risk-susceptible programs.

In reviewing the risk assessments conducted by the four components, we noted that none of the assessments included an analysis or consideration of the material weaknesses, reportable conditions, or noncompliance matters resulting from the component's annual financial statement audit.8 All of the components reviewed had either material weaknesses, reportable conditions, noncompliance matters, or some combination of the three reported in the FY 2004 financial statement audits. In addition, the Department received an overall disclaimer of opinion for its consolidated FY 2004 financial statement audit based on the significance of the findings within OJP.

In our opinion, certain internal control issues could increase the risk of making improper payments. Thus, a thorough risk assessment should include a review of any reportable conditions or material weaknesses noted by the independent auditors and an analysis of whether those weaknesses or conditions could potentially impact the risk of making improper payments. The management of the components we reviewed, as well as JMD, agreed that this would be useful information to include in future risk assessments.

In addition to the consideration of the annual financial statement audit results, we noted the following conditions during our review of policies and procedures used to identify and prevent improper payments, and in the risk assessments prepared by each component.

Federal Bureau of Prisons

The Department piloted a recovery audit program in FY 2003 and FY 2004, using a private contractor. This pilot included the Department's Offices, Boards and Divisions (OBDs) and the BOP. The BOP's portion of the recovery audit program was initiated in September 2003. This effort is designed to identify and recover improper payments. Initially, the contractor is reviewing BOP's payments made from 1999 through 2004 and had not completed its review at the time our fieldwork ended in November 2004. As of September 2004, a total of $216,656 in improper payments had been identified and confirmed. The BOP had recovered $211,251 of this amount, or nearly 98 percent. Further information regarding the BOP's recovery audit program is detailed under Finding II of this report.

According to BOP management, it has an internal control structure in place to prevent improper payments.9 That structure includes written policies and procedures, the use of customized forms for recording multiple payments on one invoice, and the use of a three-tiered payment approval process. In addition, controls are built into the BOP's financial management system, which generates a report of potential duplicate payments. The BOP also has a Program Review Division, which conducts internal audits at BOP institutions on a rotating basis, at least once every three years. These audits include transaction testing. Finally, BOP policies state that certifying officers are held accountable for each voucher they approve for payment.

In August 2004, the BOP submitted a report to JMD in accordance with the IPIA, which included a description of the BOP's risk assessment. However, according to BOP management, the assessment included in the report was not representative of the assessment actually conducted. The report indicated that the BOP's risk assessment consisted only of the overall opinion from its annual financial statement audit and the results of its recovery audit efforts, and did not contain details for the BOP's program inventory, as required.

When we interviewed BOP managers, they stated they were unsure of what specifically to report, because it was the first year these reports were required. They also indicated that the risk of improper payments was actually assessed in two primary payment program areas: vendor payments and travel reimbursements. Further, they stated that the risk assessment also included a review of internal controls and of its internal program reviews.

When we discussed this issue with BOP managers, they concurred with our finding that the risk assessment detailed in the BOP's IPIA report was not reflective of the assessment actually conducted, and agreed to include a more complete risk assessment narrative in future IPIA reports.

Office of Justice Programs

In October 2004, OJP signed an agreement with a private contractor to initiate a recovery audit effort. In addition to the audits and reviews conducted by its External Oversight Division, OJP officials plan to utilize this recovery audit effort to identify its improper payments. Initially, the contractor will review payments from FY 2003 and FY 2004, but may expand into earlier years, depending on the results of the initial review. Because OJP is in the initial phases of this program, no improper payments had been identified at the time of our fieldwork. However, OJP estimates that approximately $1.3 million in improper payments will be identified and recovered utilizing this program. Further information regarding OJP's recovery audit program is detailed under Finding II of this report.

According to OJP management, there is an internal control structure in place to prevent improper payments.10 That structure includes written policies and procedures for processing invoices, internal audits, the use of reports to compare obligations to source documents, and controls built into OJP's financial management system, including an invoice tracking system. In addition, OJP policies state that certifying officers are held accountable for payments they approve. OJP's External Oversight Division conducts reviews of grantees using a risk-based model, and these reviews include transaction testing.

In August 2004, OJP submitted a report to JMD in accordance with the IPIA, which included a description of OJP's risk assessment. In its report, OJP stated that it "has encountered no instances of improper grant payments." When we asked OJP management about this statement, we were told that OJP's FY 2004 internal reviews revealed no instances of payments being made to incorrect grantees, and the statement did not refer to unallowable costs or funds not used in accordance with grant conditions. In FY 2004, OJP reported making over 82,000 grant payments totaling nearly $5.7 billion. In our judgment, the magnitude of these payments poses a significant risk of improper payments to incorrect grantees.

In addition, the program inventory and assessment included in OJP's IPIA report was inadequate and incomplete. This program inventory and assessment only included grant payments and not any other payments made by OJP, such as vendor payments, travel reimbursements, and payments made under various initiatives, such as the Southwest Border Prosecution Initiative, Bulletproof Vest Partnership, or the State Criminal Alien Assistance Program. The lack of a complete risk assessment of improper payments was also identified as a noncompliance issue during OJP's independent financial statement audit for FY 2004.11

When we discussed this issue with OJP managers, they concurred with our finding and agreed to conduct a complete program inventory and risk assessment, and include the results in future IPIA reports.

Federal Bureau of Investigation

The FBI does not yet have a formalized recovery audit program in place, but FBI managers stated that the FBI utilizes several methods to identify improper payments. The FBI has an informal system to identify improper payments from many sources, including voucher examiners, refund checks received, and inquiries from vendors. In addition, the FBI utilizes the results of internal reviews at each field office and reviews conducted by its Inspections Division to identify potential improper payments. Improper payments are tracked and monitored on a spreadsheet. In FY 2004, the FBI identified $292,137 in improper payments made in 2004. It had recovered $237,160 or 81 percent of those payments at the time of our fieldwork. Our recommendation to implement a recovery audit program, which is detailed in Finding II of this report, addresses the lack of a formalized system to identify improper payments.

According to the FBI's management, it has an internal control structure in place to prevent improper payments.12 That structure includes written policies and procedures, the use of exception reports, the monthly closing process of its financial management system, and ongoing employee training. In addition, the FBI has two internal review functions – one at the field office level and the other by its Inspections Division. These reviews are conducted on a rotating basis and include transaction testing. FBI officials also stated that all employees are responsible for reducing improper payments, and this element is included in the FBI management's Performance Work Plans.

During our fieldwork we determined that the FBI had a Desk Guide that contained invoice processing procedures. However, we could not verify that this guide had been provided to the appropriate personnel. For example, when we asked to review a copy of this guide, employees responsible for processing invoices could not produce one. When we brought this to the attention of FBI management, we were provided with a copy of the guide.

We believe that employees who process invoices should have direct access to written policies and procedures, which are a necessary control to help prevent improper payments. FBI management concurred with our observation and agreed to provide each employee responsible for processing invoices with a copy of this guide.

In September 2004, the FBI submitted a report to JMD in accordance with the IPIA, which included a thorough program inventory and a description of its risk assessment. The report contained all of the required elements, and we noted no deficiencies in the report.

United States Marshals Service

The USMS does not have a mechanism in place to identify improper payments. USMS officials asserted the USMS had a low risk of making improper payments because of sufficient internal controls. Thus, no improper payments had been identified or recovered. During this audit, we did not conduct a complete assessment or testing of the USMS' internal control structure, so we do not endorse this assertion. While we acknowledge that a solid internal control structure can be instrumental in reducing the risk of making improper payments, it does not necessarily eliminate the occurrence of improper payments, and therefore it is crucial for the USMS to have a mechanism in place to identify improper payments actually made. The results of a recovery audit program could be utilized to identify specific programs with improper payments. Thus, our recommendation to implement a recovery audit program, which is detailed under Finding II of this report, addresses the lack of a formalized system to identify improper payments.

According to USMS management, the USMS's internal control structure includes written policies and procedures, controls built into its financial management systems, and a multi-tiered invoice review and approval process.13 Further, USMS officials stated that they relied on their annual financial statement audit's opinion, past and ongoing audits by the Office of the Inspector General, and internal controls as a basis for asserting that it doesn't make improper payments.

Officials in the USMS's Prisoner Services Division also stated that reviews had not been conducted at the district office level in the past three to four years due to budget constraints and an ongoing reorganization of the division. A recent restructuring has led to the creation of two organizations, the Inspections Division and Internal Affairs, which the USMS states will begin routine reviews of district offices and detention agreements that will include transaction testing. Policies for this function were in the draft stages at the time of our fieldwork, and USMS personnel believed that these reviews would begin in early 2005. In our judgment, these reviews are an important internal control for identifying and preventing potential improper payments, and we agree they should include transaction testing of prior payments.

In September 2004, the USMS submitted a report to JMD in accordance with the IPIA, which included a very brief description of its risk assessment. However, we concluded that the assessment in the report was inadequate and incomplete. It contained only a limited summary of prior audit results. In addition, the report did not contain details of the USMS's program inventory, as required by OMB guidance. According to USMS officials, no program inventory was conducted. For the risk assessment, the USMS selected a judgmental sample of 15 invoices from all invoices paid in FY 2004 that exceeded $400,000. Those payments were then traced back to supporting documentation, and no improper payments were found.

When we reviewed the sample of 15 invoices, we noted that the payments did not include those made from all USMS programs (e.g. travel and purchase cards, employee reimbursements, prisoner medical payments, detention agreement payments, and witness security payments). Further, we believe that the $400,000 threshold is too high, because improper payments can occur at levels far below $400,000.

When we discussed these issues with USMS officials, they concurred with our findings. They agreed to conduct a complete program inventory, lower the threshold for future risk assessments so that payments from all programs are tested, and include a complete description of this program inventory and risk assessment in future IPIA reports.

Recommendations:

We recommend that the BOP:

  1. Ensure that its future risk assessment, required to be in its IPIA report, contains: 1) the results from its most recent financial statement audit, including any material weaknesses or reportable conditions; 2) the effect of those weaknesses or conditions on its risk of making improper payments; and 3) a description of the corrective actions taken to address those weaknesses or conditions.

  2. Ensure that future IPIA reports include a complete description of the risk assessment performed on each of the programs in its program inventory.

We recommend that OJP:

  1. Ensure that its future risk assessment, required to be in its IPIA report, contains: 1) the results from its most recent financial statement audit, including any material weaknesses or reportable conditions; 2) the effect of those weaknesses or conditions on its risk of making improper payments; and 3) a description of the corrective actions taken to address those weaknesses or conditions.

  2. Conduct a complete program inventory, perform a risk assessment for each identified program, and maintain the documentation of this program inventory and risk assessment.

  3. Ensure that future IPIA reports include a complete description of the risk assessment performed for each of the programs in its program inventory.

We recommend that the FBI:

  1. Ensure that its future risk assessment, required to be in its IPIA report, contains: 1) the results from its most recent financial statement audit, including any material weaknesses or reportable conditions; 2) the effect of those weaknesses or conditions on its risk of making improper payments; and 3) a description of the corrective actions taken to address those weaknesses or conditions.

  2. Provide a copy of its Desk Guide for invoice processing procedures to all relevant employees, ensuring that all employees certify that they have received a copy.

We recommend that the USMS:

  1. Ensure that its future risk assessment, required to be in its IPIA report, contains: 1) the results from its most recent financial statement audit, including any material weaknesses or reportable conditions; 2) the effect of those weaknesses or conditions on its risk of making improper payments; and 3) a description of the corrective actions taken to address those weaknesses or conditions.

  2. Conduct a complete program inventory, perform a risk assessment for each identified program, and maintain the documentation of this program inventory and risk assessment.

  3. Ensure that future IPIA reports include a complete description of the risk assessment performed for each of the programs in its program inventory.

  4. Provide documentation, including formalized policies and procedures, for the implementation of an ongoing internal review program, which includes transaction testing.


  2. Efforts to Determine the Extent of Improper and Erroneous Payments, and to Establish Methods to Recover Them

    Our audit determined that the FBI, OJP, and USMS did not have processes in place to determine the full extent of improper payments made. Further, none of the four components we audited had established a fully-documented program to recover improper payments. We also found that recovery audit guidance provided by JMD could be improved. These conditions result from component management not placing priority on implementing a recovery audit effort, and from the lack of a comprehensive Departmentwide recovery audit program policy. These conditions increase the risk of improper payments not being identified and recovered, and in the Department not being in full compliance with Public Law 107-107, which requires each agency to have a recovery audit program in place.

Measuring the extent of improper payments is an essential step in assessing the need for and types of corrective actions required to manage improper payments and help ensure efficient and effective program operations. According to the GAO, "nondisclosure of improper payment amounts may indicate the absence of a significant level of improper payments or that agencies are unable to or did not attempt to determine or estimate the amount of improper payments in their programs or activities."14

It is difficult for a component to be able to accurately assess the extent of its improper payments if it does not have a recovery audit program in place. A recovery audit program includes a comprehensive review of prior payments to determine whether they were improper. A recovery audit program looks for several types of improper payments, including: 1) duplicate payments, 2) payments made that were not in accordance with an applicable contract, 3) payments made for incorrect amounts, 4) payments for which allowable discounts were not taken, and 5) payments made for goods or services not received. While recovery audits can serve as an important vehicle for recovering improper payments already made, the results of these audits can also be used to determine the extent of improper payments and to identify systemic control weaknesses.

During our audit, we reviewed the laws and regulations applicable to recovery audit activities. In addition, we reviewed the policies and procedures used by the BOP, FBI, OJP, and USMS to quantify and recover improper payments. We also interviewed officials at each of these components who were responsible for recovery audit activities, and we reviewed policies implemented by JMD relating to recovery audits.

When conducting audit work at JMD, we determined that a written policy for recovery audits for the Department's OBDs had been implemented, but no recovery audit policy for other Department components had been established. According to JMD management, the Department had mandated that all components establish and implement a recovery audit program, but JMD had not implemented an official policy because it wanted to allow each component time to develop a policy that would best fit its individual and unique circumstances. However, during our audit of the four components, we determined that each component's recovery audit effort was in different stages of development and implementation. Under these circumstances, we believe the development and implementation of a Departmentwide policy could ensure that each Department component is undertaking adequate efforts to recover improper payments.

For example, the BOP and OBDs had contracted with a private recovery audit contractor to identify improper payments. This effort began in late FY 2003 and early FY 2004. As of September 2004, a total of $1,156,949 in improper payments had been identified, and $959,108 or nearly 83 percent had been recovered.15 However, as detailed in the following pages of this report, OJP signed an agreement to initiate recovery audit activities in October 2004. Thus, OJP's recovery audit program was in the initial stages at the time of our fieldwork, so no improper payments had yet been identified or recovered. Further, the FBI had only begun researching options for a recovery audit program, and had not yet implemented a formal program. The USMS had no recovery audit program in place and had not made any decisions regarding the implementation of a program at the time of our fieldwork.

Because of this lack of consistency among Department components, we believe that a Departmentwide recovery audit policy is necessary. This policy should include the scope (e.g. which years and payment amount thresholds), the types of payments that must be included in each component's program (e.g. vendor payments, grant payments, contract payments, and detention and intergovernmental service agreement payments), and payment search criteria (e.g. data fields within automated financial systems). In addition, some components we audited agreed that Departmentwide guidance would be beneficial. When we discussed this issue with JMD officials, they agreed that enough time had passed and they would now develop and implement a Departmentwide policy for recovery audits.

We also noted that JMD did not have an official reporting mechanism for it to monitor each component's recovery audit activities on a regular, ongoing basis. While each component is required to report all recovery audit activities for the Department's annual PAR, no structure for monitoring ongoing progress reports existed. In our opinion, regular status reporting to JMD of each component's recovery audit activities and accomplishments would not only allow JMD to monitor the Department's ongoing progress, but would also encourage each component to focus on its recovery audit efforts.

We discussed this issue with JMD officials and they agreed that quarterly status reporting for recovery audit activities would be helpful in monitoring the Department's progress. They agreed to prepare and implement a written policy.

Federal Bureau of Prisons

Our audit found that the BOP had determined the extent of its improper payments and had established a method for recovery. As previously mentioned, the BOP was using a contractor to conduct recovery audits. This effort started in September 2003 and payments made from 1999 through 2004 are now being reviewed. While the effort is ongoing, as of September 2004, $216,656 in improper payments had been identified, and $211,251 or nearly 98 percent had been recovered.

However, we noted that the BOP had not implemented written policies and procedures for its recovery audit program. In our judgment, written policies and procedures are an important aspect of any program, and should include information such as: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. We discussed this with BOP officials and they agreed to establish and implement written procedures for BOP's recovery audit program.

Office of Justice Programs

Our audit found that OJP had not determined the extent of its improper payments, but had established a method of recovery. As previously detailed, OJP contracted with a private company to conduct recovery audits of its vendor payments. The contract was signed in October 2004. As of the time of our fieldwork, no improper payments had been identified or recovered. The initial phases of the program will focus on payments made in FY 2003 and FY 2004, and depending on the results of the audits, may then be expanded to prior years. In our opinion, this recovery audit program, once fully implemented, will enhance OJP's ability to determine the extent of its improper payments and recover those payments. In addition, we believe that the scope of these audits should extend beyond 2003, and should be addressed in a Departmentwide recovery audit policy.

OJP's recovery audit effort does not include a review of grant payments. Officials at OJP stated that its External Oversight Division reviews grant payments and its internal audit group will begin examining payments made under its State Criminal Alien Assistance Program. In addition, they believed that these reviews, combined with the recovery audits being conducted by the contractor, satisfied the intent of the IPIA. However, we noted that OJP's IPIA report and risk assessment only included grant payments. In FY 2004, OJP reported making over 82,000 grant payments totaling nearly $5.7 billion. While the IPIA and OMB guidance do not address specific types of payments, because of the volume of these grant payments and the resultant potential improper payment risk we believe that OJP's grant payments should be included in its recovery audit effort.

Further, OJP had not implemented written policies and procedures for its recovery audit program. In our judgment, written policies and procedures are an important aspect of any program, and should include information such as: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. We discussed this with OJP officials and they agreed to establish and implement written policies and procedures for their recovery audit program.

Federal Bureau of Investigation

We determined that the FBI did not have processes in place to determine the full extent of its improper payments, and it did not have a formalized mechanism to recover improper payments already made. As mentioned previously, the FBI has an informal process to identify improper payments. In FY 2004, the FBI identified $292,137 in improper payments and had recovered $237,160 or 81 percent of those payments at the time of our fieldwork. However, these payments were usually discovered as the result of a vendor call or the FBI receiving a refund check for a duplicate payment made. They likely do not represent the full extent of improper payments made by the FBI.

Each component within the Department must have a recovery audit program in place so that the Department is in compliance with Public Law 107-107. Therefore, the FBI should develop and implement a formalized recovery audit program, including written policies and procedures that include the following information: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. This recovery audit program, once fully implemented, will enhance the FBI's ability to determine the extent of its improper payments and recover those payments. We discussed this with FBI officials and they agreed to establish and implement a recovery audit program, including written policies and procedures.

United States Marshals Service

We determined that the USMS did not have processes in place to determine the extent of its improper payments, and did not have a formalized mechanism to recover improper payments already made. As mentioned previously, USMS officials stated they did not believe the USMS made any improper payments because of sufficient internal controls. Therefore, no recovery audit program was in place to quantify and collect improper payments.

Each component within the Department must have a recovery audit program in place for the Department to be in compliance with Public Law 107-107. Therefore, the USMS should develop and implement a formalized recovery audit program, including written policies and procedures that include the following information: 1) methodology and scope of transactions, 2) types of programs and payments, 3) search criteria, 4) information on the identification and confirmation of identified payments, and 5) details of the collection process. This recovery audit program, once fully implemented, will enhance the USMS's ability to determine the extent of its improper payments and recover those payments. We discussed this with USMS officials and they agreed to establish and implement a recovery audit program, including written policies and procedures.

In conclusion, while some components within the Department have policies and procedures in place to identify and prevent improper payments, some components' policies and procedures are lacking, and others do not have any policies and procedures. In addition, there is significant variance in each component's progress in implementing a recovery audit program. The recommendations in this report will help ensure that all components make progress toward compliance with applicable laws, regulations, and guidance pertaining to improper payments.

Recommendations:

We recommend that JMD:

  1. Develop and implement a Departmentwide recovery audit policy, which defines the scope, types of payments, and criteria to be included in each component's recovery audit program.

  2. Implement a policy for Department components to report quarterly on recovery audit activities, including 1) current activities, 2) amounts of improper payments identified and recovered, and 3) planned activities for the following quarter.

We recommend that the BOP:

  1. Develop and implement written policies and procedures for its recovery audit program, in accordance with guidance received from JMD.

  2. Report recovery audit activities and accomplishments quarterly to JMD, in accordance with guidance received from JMD.

We recommend that OJP:

  1. Develop and implement written policies and procedures for its recovery audit program, in accordance with guidance received from JMD.

  2. Ensure that its recovery audit program addresses and includes grant payments.

  3. Report recovery audit activities and accomplishments quarterly to JMD, in accordance with guidance received from JMD.

We recommend that the FBI:

  1. Develop and implement a comprehensive recovery audit program, including written policies and procedures, in accordance with guidance received from JMD.

  2. Report recovery audit activities and accomplishments quarterly to JMD, in accordance with guidance received from JMD.

We recommend that the USMS:

  1. Develop and implement a comprehensive recovery audit program, including written policies and procedures, in accordance with guidance received from JMD.

  2. Report recovery audit activities and accomplishments quarterly to JMD, in accordance with guidance received from JMD.


Footnotes

  8. The Chief Financial Officer's Act of 1990 establishes a leadership structure, provides for long-range planning, requires audited financial statements, and strengthens accountability reporting.

  9. See the Statement on Internal Controls, at the back of this report, for details of our review of BOP's controls, policies, and procedures.

  10. See the Statement on Internal Controls, at the back of this report, for details of our review of OJP's controls, policies, and procedures.

  11. OJP's noncompliance with the IPIA was noted in the Report of Independent Auditors on Compliance and Other Matters, issued by PricewaterhouseCoopers LLP, dated October 27, 2004.

  12. See the Statement on Internal Controls, at the back of this report, for details of our review of FBI's controls, policies, and procedures.

  13. See the Statement on Internal Controls, at the back of this report, for details of our review of USMS's controls, policies, and procedures.

  14. GAO-02-131R, Financial Management: Improper Payments Reported in Fiscal Year 2000 Financial Statements, dated November 2, 2001.

  15. Of the $1,156,949 in total improper payments found, BOP's portion was $216,656, and $211,251 had been recovered.


