Financial Management: Poor Internal Control Exposes Department of
Education to Improper Payments (24-JUL-01, GAO-01-997T).
Internal control and financial management weaknesses at the
Department of Education are not new. GAO and Education's Office
of Inspector General have provided many reports and testimonies
over the last several years on the financial management
challenges faced by Education and the need to eliminate internal
control weaknesses to reduce the potential for fraud, waste, and
mismanagement at the Department. In an April 2001 assessment of
the internal control over Education's payment processes and the
associated risks for improper payments, GAO reported four broad
categories of internal control weaknesses: poor segregation of
duties, lack of supervisory review, inadequate audit trails, and
inadequate computer systems' applications controls. In this
testimony, GAO discusses how these weaknesses make Education
susceptible to improper payments in each of the three following
disbursement areas: grant and loan payments, third party drafts,
and government purchase card purchases. GAO found that
Education's student aid application processing system for grants
and loans lacks an automated edit check that would identify
potentially improper payments stemming from students that were
much older than expected, a single social security number
associated with two or more dates of birth, grants to recipients
in excess of statutory limits, and searches for invalid social
security numbers. GAO also found problems with Education's third
party draft system. Specifically, Education (1) circumvented a
system's application control designed to avoid duplicate payments
by adding a suffix to the invoice/voucher number when the system
indicates that an invoice/voucher number has already been used,
(2) allowed 21 of the 49 Education employees who could issue
third party drafts to do so without involving anyone else, and
(3) lacked adequate audit trails, such as a trigger log, to
identify changes made to the list of approved vendors. GAO also
found problems with Education's internal controls over government
purchase cards. Specifically, Education (1) did not use
management reports available from Bank of America, Education's
contractor for government purchase cards, to monitor purchases
(2) had serious deficiencies in its process for reviewing and
approving purchase card transactions, and (3) allowed employees
to execute transactions beyond the scope of their authority.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-01-997T
ACCNO: A01443
TITLE: Financial Management: Poor Internal Control Exposes
Department of Education to Improper Payments
DATE: 07/24/2001
SUBJECT: Auditing procedures
Educational grants
Erroneous payments
Fraud
Internal controls
Program abuses
Student loans
Financial management systems
Credit sales
Auditing standards
Dept. of Education Grant Administration
and Payment System
Dept. of Education Third Party Draft
Program
Pell Grant
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Testimony. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-01-997T
Ordering Information
Ordering Information
For Release on Delivery Expected at 9: 30 a. m. Tuesday, July 24, 2001
GAO- 01- 997T
FINANCIAL MANAGEMENT
Poor Internal Control Exposes Department of Education to Improper Payments
Statement of Linda Calbom Director, Financial Management and Assurance
Testimony
Before the Subcommittee on Select Education, Committee on Education and
Workforce, House of Representatives
United States General Accounting Office
GAO
Page 1 GAO- 01- 997T
Mr. Chairman and Members of the Subcommittee: I am pleased to be here today
to discuss our ongoing review of the Department of Education?s payment
processes and how the existing internal control weaknesses we have noted
thus far make the Department vulnerable to, and in some cases have resulted
in, improper payments. Improper payments include errors, such as duplicate
payments and calculation errors; payments for unsupported or inadequately
supported claims; payments for services not rendered or to ineligible
beneficiaries; and payments resulting from fraud and abuse.
Internal control and financial management weaknesses at Education are not
new. We and Education?s Office of Inspector General (IG) have provided many
reports and testimonies over the last several years on the financial
management challenges faced by Education and the need to eliminate internal
control weaknesses to reduce the potential for fraud, waste, and
mismanagement at the Department. 1 In addition, since 1990 we have
designated Education?s student financial assistance programs as ?high-
risk,? 2 largely because of severe internal control weaknesses within those
programs. Further, Education?s IG reported information system general
controls as a material weakness in fiscal year 2000. 3 The effectiveness of
general controls is a significant factor in the effectiveness of application
controls. 4 Without effective general controls, application controls may be
rendered ineffective by circumvention or modification.
1 Financial Management: Education Faces Challenges in Achieving Financial
Management Reform
(GAO/ T- AIMD- 00- 106, March 1, 2000), Financial Management: Education?s
Financial Management Problems Persist (GAO/ T- AIMD- 00- 180, May 24, 2000),
Financial Management: Financial Management Challenges Remain at the
Department of Education (GAO/ T- 00- AIMD- 00- 323, September 19, 2000),
Financial Management: Internal Control Weaknesses Leave Department of
Education Vulnerable to Improper Payments (GAO- 01- 585T, April 3, 2001),
and Financial Management: Review of Education?s Grantback Account (GAO/
AIMD- 00- 228, August 18, 2000).
2 Major Management Challenges and Program Risks: Department of Education
(GAO- 01- 245, January 2001) and High- Risk Series: An Update (GAO- 01- 263,
January 2001). 3 General controls affect the overall effectiveness and
security of computer operations as opposed to being unique to any specific
computer application. They include security management; operating
procedures; software security features; and physical protection designed to
ensure that access to data and programs is appropriately restricted, only
authorized changes are made to computer programs, computer security duties
are segregated, and backup and recovery plans are adequate to ensure
continuity of essential operations.
4 Application controls help ensure that transactions completed through
computer applications are valid, properly authorized, and completely and
accurately processed and reported. Application controls include (1)
programmed control techniques, such as automated edits, and (2) manual
followup of computer- generated reports, such as reviews of reports
identifying rejected or unusual items.
Page 2 GAO- 01- 997T
As you know, internal controls serve as the first line of defense in
safeguarding assets and in preventing and detecting fraud, abuse, and
errors. It is incumbent upon Federal agency managers to establish a system
of internal control consistent with our Standards for Internal Control in
the Federal Government. 5 Given the billions of dollars in payments made by
Education each year and the risk of erroneous or fraudulent payments making
their way through Education?s processes without prevention or detection, you
requested that we audit selected Department accounts that may be
particularly susceptible to improper payments.
In response to your request, we initiated a body of work designed to (1)
identify Education?s payment processes, (2) determine what internal controls
exist over these processes, (3) assess whether the internal controls provide
reasonable assurance that improper payments will not occur or will be
detected in the normal course of business, (4) identify additional controls
that should be implemented to provide reasonable assurance that improper
payments will not occur, and (5) use various computer auditing techniques to
identify potentially improper payments made by Education during the period
May 1998 through September 2000.
Our review has focused on the $181.5 billion of disbursements that the
Department made from May 1998 through September 2000. This amount includes
$181. 4 billion in grant and loan payments processed through Education?s
Grant Administration and Payment System (GAPS), $55 million paid by paper
checks called third party drafts, and $22 million in government purchase
card purchases. We conducted our work from August 2000 through July 2001, in
accordance with generally accepted government auditing standards and
investigative standards established by the President?s Council on Integrity
and Efficiency.
On April 3, 2001, we testified at a hearing held by this subcommittee on our
assessment of the internal control over Education?s payment processes and
the associated risks for improper payments. 6 Specifically, we described
four broad categories of internal control weaknesses (1) poor segregation of
duties; (2) lack of supervisory review; (3) inadequate
5 Standards for Internal Control in the Federal Government (GAO/ AIMD- 00-
21.3.1), which was prepared to fulfill our statutory requirement under the
Federal Managers? Financial Integrity Act, provides an overall framework for
establishing and maintaining internal control and for identifying and
addressing major performance and management challenges and areas at greatest
risk of fraud, waste, abuse, and mismanagement.
6 Financial Management: Internal Control Weaknesses Leave Department of
Education Vulnerable to Improper Payments (GAO- 01- 585T, April 3, 2001)
Page 3 GAO- 01- 997T
audit trails; 7 and (4) inadequate computer systems? application controls.
Following this hearing, the Department established a management improvement
team, consisting of eight senior managers, to address the Department?s
serious management problems.
Since the April 3 hearing, we have focused our work on searching for
potentially improper payments resulting from these and one additional
internal control weakness we recently identified - transactions that were
authorized and executed by persons acting outside the scope of their
authority. In my testimony today I will discuss how these weaknesses make
Education susceptible to improper payments in each of the major disbursement
areas we have reviewed. I will also discuss several confirmed incidence of
improper payments identified by our work thus far. Further, I will discuss
throughout my testimony the various steps Education has taken to improve the
agency?s overall control environment and its efforts to research the
potentially improper payments that we have identified. I will now provide a
summary of our findings thus far in each of the three major disbursement
areas.
Education disburses grant and loan payments by electronic funds transfer and
processes these payments in GAPS. This disbursement process relies
extensively on various computer systems application controls, or edit
checks, to help ensure the propriety of these payments. Because these edit
checks are important to the Department?s controls over grant and loan
payments, we focused our work on assessing whether existing edit checks were
working effectively and whether additional edit checks and controls are
needed.
Using computerized matching techniques, we tested the $181.4 billion of
grant and loan payments processed through GAPS to identify potentially
improper payments that could have resulted from either ineffective edit
checks or the lack of necessary edit checks. Following are examples of
improper and potentially improper payments we identified through our various
tests.
7 Sound internal controls also include creating and maintaining adequate
documentation providing a means to trace transactions back to their
origination - in other words, generating ?audit trails.? While audit trails
are essential to auditors and system evaluators, they are also necessary for
day- to- day operation of the system because they allow for the detection
and systematic correction of errors that arise. The Joint Financial
Management Improvement Program?s Core Financial System Requirements
state that federal financial systems must provide certain crucial audit
trails, including trails to identify document input, change, approval, and
deletions by the originator. Grant and Loan
Payments Lacked Certain Edit Checks and Other Key Controls
Page 4 GAO- 01- 997T
We found that Education?s student aid application processing system lacks an
automated edit check that would identify students that were much older than
expected. To identify improper payments that may have resulted from the
absence of this edit check, we initially identified institutions that
disbursed Pell Grants over multiple years to students 70 years of age or
older. We chose to test for students of this age because we did not expect
large numbers of older students to be enrolled in a degree program and thus
eligible for student aid.
Based on the initial results of our test of students 70 years of age or
older and because of the problems we identified in the past, we decided to
expand our review of schools that had disproportionately high numbers of
older students to include recipients 50 years of age or older. Our Office of
Special Investigations, in coordination with Education?s IG, investigated
four schools that disbursed as much as $3.4 million in Pell Grants to
ineligible students. These students were ineligible because their primary
course of study was English as a second language, and they were not seeking
a degree or determined to need English language instruction in order to
utilize their existing knowledge and skills. The investigation disclosed
that at least one of the schools generated fraudulent student admissions
documents to create the appearance that students who were not in fact
seeking a degree were participating in a degree program. We previously
investigated two of these four schools in 1993 and found the similar
activities, including the falsification of student records to support the
schools? eligibility to participate in the Pell Grant program. 8 We have
also identified three other schools that disbursed about $500,000 in Pell
Grants that warrant additional review. These schools have unusually high
concentrations of older, foreign- born students who are more likely to be
studying English as a second language. We will formally refer the
information related to these three schools, as well as the results of our
investigations of the four schools discussed above, to Education?s IG for
appropriate follow- up.
During our testing, we also identified an additional 708 schools that
disbursed Pell Grants to students 70 years or older totaling $4.5 million.
We provided lists of these schools to the Department for additional
analysis. Based on its analysis, Education has determined that two of these
schools also exhibited disbursement patterns similar to the schools above
that disbursed Pell Grants to ineligible students for the study of English
as a second language. For these two schools, the Department plans to perform
full program reviews later this year to assess their
8 Student Financial Aid Programs: Pell Grant Program Abuse (GAO/ T- OSI- 94-
8, October 27, 1993).
Page 5 GAO- 01- 997T
eligibility to continue to participate in the Pell Grant program. We are
currently expanding our review in this area to determine whether additional
schools may be inappropriately disbursing Pell Grants.
Education told us that they have performed ad hoc reviews in the past to
identify Pell Grants disbursed to ineligible students and have recovered
some improper payments as a result of these reviews. Based on the results of
our analyses, Education has decided to implement a new edit check for
students? 85 years or older beginning with the 2002- 2003 academic year. If
the birth date on a student?s application indicates the student is 85 years
of age or older, the application processing system will identify the
applicant and Education will forward the information to the school for
follow- up. Education also said it conducts other limited procedures -
including the use of Single Audit results - to assess schools? determination
of student eligibility. However, these procedures are not specifically
designed to identify schools that are knowingly disbursing Pell Grants to
students who are not eligible to participate in the program.
Regarding the edit check that Education plans to implement in the 2002 -
2003, we believe the age limit is too high and will exclude many potential
problems. Using Education?s criteria, we would have identified less than 1
percent of the students that were ineligible to receive as much as $3.4
million in Pell Grants. Further, given the recurring nature of improper Pell
Grant disbursements, we feel it is incumbent upon Education to implement a
formal, routine process to identify and investigate questionable
disbursement patterns such as those I have discussed.
Another key control, which was not in effect during the time of our review,
was a match of student social security numbers (SSN) with Social Security
Administration (SSA) death files. As a result, we had SSA compare loan and
grant recipient data in Education?s systems with SSA?s death records. SSA
identified over 900 instances, totaling $2.7 million, in which the student
SSN was listed in SSA?s death records. We are currently in the process of
reviewing additional data from Education that they believe supports the
propriety of many of these payments. Beginning with the 2000- 2001 award
year (subsequent to our review period), as part of the application process,
Education started matching student SSNs with SSA death records to identify
potentially improper payments.
We also performed several additional tests of Education?s existing edit
checks to identify potentially improper grant and loan payments that may not
have been detected by these checks. These tests included searches for a
single SSN associated with two or more dates of birth, grants to recipients
in excess of statutory limits, and searches for invalid SSNs.
Page 6 GAO- 01- 997T
Based on these tests, we initially identified $43.6 million in potentially
improper payments, for which Education has to date been able to provide
sufficient supporting documentation for $18.7 million or about 42 percent of
these payments. 9 Education is in the process of researching the remaining
$24.9 million of potentially improper payments. Our conclusion as to the
effectiveness of Education?s existing edit checks will depend on the
resolution of the remaining $24.9 million currently being researched by the
Department.
Education?s third party draft 10 system was originally set up to efficiently
process checks to pay non- Education employees who review grant
applications, known as field readers. However, in May 1999, Education?s
policy manual expanded the use of third party drafts to pay for other
expenses including employee local travel reimbursements, fuel and
maintenance for government vehicles, and other small purchases. Third party
drafts could be issued for up to $10,000 - the limitation printed on the
face of each draft. Executive Officers 11 determine who has signature
authority within their units. From May 1998 through September 2000,
Education?s payments by third party draft totaled $55 million. During our
analysis of the third party draft payment process, we identified several
internal control weaknesses, including inadequate computer systems
application controls, poor segregation of duties, and inadequate audit
trails. Specifically, as we discussed in our April 3, 2001, testimony,
Education (1) circumvented a system?s application control designed to avoid
duplicate payments by adding a suffix to the invoice/ voucher number when
the system indicates that an invoice/ voucher number has already been used;
(2) allowed 21 of the 49 Education employees who could issue third party
drafts to do so without involving anyone else; and (3) lacked adequate audit
trails, such as a trigger log, to identify changes made to the list of
approved vendors. Based on these weaknesses and information gathered from
Education IG reports, we designed tests to identify potentially improper
payments in this area. These tests included various automated searches of
Education?s disbursement data, as well as manual reviews of about 38,000
third party draft transactions. Based on these analyses thus far, we have
identified 268 instances in which multiple third party drafts were issued to
the same payee with the
9 Many of these potentially improper payments resulted from erroneous data
in Education?s system that was subsequently corrected. 10 Third party drafts
are a form of payment similar to a personal check.
11 Executive Officers have the day- to- day general responsibility for
financial management and maintaining funds control for the programs and
activities of each of the major organizational units within Education. Third
Party Draft
Process Lacked Preventive and Detective Controls
Page 7 GAO- 01- 997T
same invoice number or on the same day, totaling about $8.9 million.
Education officials are in the process of researching and providing
supporting documentation for these transactions, which we will then test for
overpayments and duplicate payments.
In addition to analyzing the support for the potentially improper payments I
have described, we plan to perform various computerized sorts and searches
to identify additional anomalies, including a thorough review of third party
drafts issued by individuals with complete control over the payment process
to determine whether questionable transactions occurred that require
additional research to assess their propriety. Following the April 3, 2001
hearing, Education took action to eliminate the use of third party drafts.
The Department?s Third Party Draft Program?s Closing Procedures, issued in
May, 2001, indicates that Treasury payments will replace third party drafts.
In addition, Education officials acknowledged that the Department lacks
adequate trigger logs and told us that they are currently developing and
implementing more- effective trigger logs. Even though Education is no
longer issuing third party drafts, this is an important improvement because
the same system that produced those payments also produces Treasury
payments, which are replacing third party drafts.
Government purchase cards are available to federal agencies under a General
Services Administration (GSA) contract and, according to instructions from
the Department of Treasury, should generally be used for small purchases up
to $25,000. Treasury requires agencies to establish approved uses and
limitations on the types of purchases and dollar amounts. According to a
departmental directive, Education?s policy is to use government purchase
cards for authorized purchases of expendable goods and services, such as
supplies not available from the GSA Customer Supply Center. From May 1998
through September 2000, the time frame for our review, Education?s payments
by government purchase card totaled over $22 million.
During our analysis of the purchase card payment process, we identified
internal control weaknesses, including inadequate computer systems
application controls, lack of supervisory review, and improper authorization
of transactions. Specifically, we found that Education (1) did not use
management reports available from Bank of America, Education?s contractor
for government purchase cards, to monitor purchases; (2) had serious
deficiencies in its process for reviewing and approving purchase card
transactions; and (3) allowed employees to execute transactions beyond the
scope of their authority. Inadequate control over these expenditures,
combined with the inherent risk of fraud Government Purchase
Card Process Lacked Preventive and Detective Controls
Page 8 GAO- 01- 997T
and abuse associated with purchase card purchases, provides Education
employees the opportunity to make unauthorized purchases without detection.
Based on these weaknesses and information gathered from Education IG
reports, we designed tests to identify potentially improper payments made
with government purchase cards. As with third party drafts, we performed
various automated searches of purchase card disbursement data. Specifically,
we sorted the data by principal office, cardholder, vendor, and Merchant
Category Code (MCC) 12 to identify unusual transactions and patterns. We
supplemented these computerized searches with manual reviews of the over
35,000 purchase card transactions. We also selected 5 months of cardholders?
statements, a total of 903 statements, to review for certain attributes,
including approving official?s signature.
Out of the 903 purchase cardholders? monthly statements totaling $4 million
that we reviewed, 338 statements, totaling about $1.8 million, were not
properly approved. 13 Because this key control- supervisory review and
approval- was not operating, we requested supporting documentation for these
transactions from the Department. Education has provided invoices and other
support related to most of the transactions included in these monthly
statements. The Department believes this support will validate these
transactions. We are currently reviewing the support to confirm this
assessment.
We provided Education with an additional 833 transactions, totaling about
$362,000, in which the payee appeared to be an unusual vendor to be engaging
in commerce with the Department. For example, we found one instance, that is
now being investigated by our Office of Special Investigations, in which a
cardholder made several purchases from two pornographic Internet sites. The
names of these sites should have aroused suspicions when they appeared on
the employee?s monthly credit card bill. We also found another instance in
which Education paid for an employee to take a training course completely
unrelated to activities of the Department. In addition, we gave Education a
list of 124 instances,
12 The MCC relates to the types of supplies or services that a vendor
provides. The MCC for the Government Purchase Card consists of 11 retail
categories. Agencies have the ability to prohibit cardholders from
purchasing certain supplies or services by blocking specific MCCs.
13 The Department of Defense (DOD) issued a Fraud Alert in June 2000
indicating that government purchase card use is increasing and that along
with the increase in spending levels there has been an increase in card
abuse. DOD has identified several instances involving the fraudulent use of
government purchase cards, some the result of supervisors who may have been
negligent in their review of purchases.
Page 9 GAO- 01- 997T
totaling about $600,000, in which it appears that cardholders may have split
their purchases into multiple transactions to bypass pre- established
single- purchase spending limits. Education is currently researching these
transactions.
In our April 2001 testimony, we also reported that individual cardholders?
monthly purchase limits were as high as $300,000. Education, in response to
a letter from this subcommittee dated April 19, 2001, said the Department
has taken action to improve internal controls related to the use of the
government purchase card. Education has lowered the maximum monthly spending
limit to $30,000, revoked some purchase cards, and lowered other
cardholders? single purchase and total monthly purchase limits. While these
are important improvements, they will not prevent cardholders from
continuing to split large purchases in order to circumvent single purchase
limits. In addition, they do not address the issue of lax approval
practices.
To address these issues, Education needs to reiterate and strengthen its
policy of requiring review and approval of cardholders? monthly statements,
including a review for potentially split purchases. In addition, Education
should institute a mechanism to periodically monitor purchase card activity
to ensure that proper review and approval is occurring and that split
purchases are not. Further, since MCCs can be effectively used to prevent
purchases from certain types of vendors, Education should expand its list of
MCCs that are being blocked to further help prevent improper payments.
In closing, Mr. Chairman, I want to emphasize the importance of Education
management?s giving top priority to improving internal control to minimize
the agency?s vulnerability to improper payments. The Secretary?s actions to
establish a management improvement team to address the Department?s serious
management problems, and to respond to issues related to using third party
drafts and purchase cards, are important first steps. However, there are
other important steps that we recommend be taken to address the Department?s
control problems. The Department needs to (1) establish appropriate edit
checks to identify unusual grant and loan disbursement patterns, (2)
implement a formal routine process to investigate unusual disbursement
patterns identified by the edit checks, (3) reiterate to all employees
established policies regarding the appropriate use of purchase cards, (4)
strengthen the process of reviewing and approving purchase card
transactions, focusing on identifying split purchases and other
inappropriate transactions, and (5) expand the use of MCCs to block
transactions with certain vendors. Further, the Department needs to continue
to focus on researching and Conclusions and
Recommendations
Page 10 GAO- 01- 997T
resolving the potential improper payments that we have identified thus far.
This will help provide a clear picture of any fraud or abuse that has
occurred. Once the improper activities are identified, immediate action can
be taken to terminate them. We discussed our recommendations with Department
officials and they generally concurred. We may have additional
recommendations after we complete our work later this fall.
Mr. Chairman, this concludes my statement. I would be happy to answer any
questions you or other Members of the Subcommittee may have.
Page 11 GAO- 01- 997T
For information about this statement, please contact Linda Calbom, Director,
Financial Management and Assurance, at (202) 512- 9508 or at
calboml@ gao. gov. Individuals making key contributions to this statement
include Dan Blair, Don Campbell, Anh Dang, Bonnie Derby, David Engstrom,
Bill Hamel, Kelly Lehr, Sharon Loftin, Bridgette Lennon, Diane Morris, Andy
O? Connell, Russell Rowe, Peggy Smith, Brooke Whittaker, and Doris Yanger.
(190024) Contact and
Acknowledgments
Orders by Internet
For information on how to access GAO reports on the Internet, send an e-
mail message with ?info? in the body to:
Info@ www. gao. gov or visit GAO?s World Wide Web home page at: http:// www.
gao. gov
Contact one:
Web site: http:// www. gao. gov/ fraudnet/ fraudnet. htm E- mail: fraudnet@
gao. gov 1- 800- 424- 5454 (automated answering system)
To Report Fraud, Waste, and Abuse in Federal Programs
*** End of document. ***