FROM DOC_DB.DOCUMENT D, DOC_DB.REPORTS R, DOC_DB.BACKGROUND B
						 *
ERROR at line 2:
ORA-00942: table or view does not exist 

-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-404		

TITLE:     HOMELAND SECURITY: Contract Management and Oversight 
for Visitor and Immigrant Status Program Need to Be Strengthened

DATE:   06/09/2006 
				                                                                         
----------------------------------------------------------------- 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-404

     

     * Results in Brief
     * Background
          * Acquisition and Implementation Approach
          * Organizational Structure and Responsibilities
          * US-VISIT Relationships with Other DHS and Non-DHS Agencies
          * Summary of DHS Reported Obligations for US-VISIT Contracts
          * Prior Reviews Related to DHS Contractor Oversight and Manage
          * Importance of Contractor Management Controls
     * US-VISIT Established and Implemented Key Controls for Contra
          * Program Office Established and Implemented Key Contractor Ma
          * The Program Office Did Not Effectively Oversee US-VISIT-Rela
               * US-VISIT's Oversight of Other Agencies' Contracting Activiti
               * Agencies Managing US-VISIT-Related Contractors Did Not Estab
                    * All Agencies Established Some Policies and Procedures
                      for Co
                    * Agencies' Implementation of Key Practices Was Uneven
          * Program Office and Other Agencies' Contract Management Was I
               * Serious DHS Financial Management Problems Affected the Quali
               * Program Office and Other DHS Agencies Did Not Adequately Tra
                    * The Amounts Reportedly Billed on US-VISIT-Related
                      Contracts
                    * DHS Agencies Did Not Always Separately Track
                      Expenditures Ma
               * Several Payments to Contractors for US-VISIT Work Were Impro
     * Conclusions
     * Recommendations for Executive Action
     * Agency Comments and Our Evaluation
     * GAO Contacts
     * Staff Acknowledgments
     * GAO's Mission
     * Obtaining Copies of GAO Reports and Testimony
          * Order by Mail or Phone
     * To Report Fraud, Waste, and Abuse in Federal Programs
     * Congressional Relations
     * Public Affairs

Report to Congressional Requesters

United States Government Accountability Office

GAO

June 2006

HOMELAND SECURITY

Contract Management and Oversight for Visitor and Immigrant Status Program
Need to Be Strengthened

US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management

GAO-06-404

Contents

Letter 1

Results in Brief 2
Background 4
US-VISIT Established and Implemented Key Controls for Contracts That It
Managed Directly, but It Did Not Have Controls for Overseeing Contracts
Managed by Others or for Effective Financial Management 18
Conclusions 41
Recommendations for Executive Action 42
Agency Comments and Our Evaluation 43
Appendix I Objective, Scope, and Methodology 50
Appendix II Comments from the Department of Homeland Security 59
Appendix III Detailed Agency Evaluations 63
Appendix IV GAO Contacts and Staff Acknowledgments 76

Tables

Table 1: Relationships between Servicing Agencies Managing
US-VISIT-Related Contracts and US-VISIT Program 12
Table 2: APMO's Establishment and Implementation of Key Contractor
Management Practices 20
Table 3: Status of Critical Contractor Management Practices at US-VISIT
Contract Management Agencies 26
Table 4: Acceptance Reports for One Contract Deliverable 30
Table 5: Contract Actions Related to US-VISIT That Were Examined in This
Review 53
Table 6: Evaluation of US-VISIT Acquisition and Program Management Office
64
Table 7: Evaluation of General Services Administration 66
Table 8: Evaluation of Army Corps of Engineers Architect-Engineer Resource
Center 68
Table 9: Evaluation of Customs and Border Protection 70
Table 10: Evaluation of Transportation Security Administration 72
Table 11: Evaluation of Immigration and Customs Enforcement 74

Figures

Figure 1: Organizational Structure of DHS 8
Figure 2: Organizational Structure of US-VISIT Program Office and
Functional Responsibilities 9
Figure 3: Changes in US-VISIT System Ownership and Management, July
2003-March 2005 11
Figure 4: Distribution of $347 Million US-VISIT Obligated Contracting
Dollars between March 2002 and March 2005 13

Abbreviations

ADIS Arrival Departure Information System

AERC Architect-Engineering Resource Center

APMO Acquisition and Program Management Office

CBP Customs and Border Protection

CMMI Capability Maturity Model Integration

COR contracting officer's representative

COTR contracting officer's technical representative

DHS Department of Homeland Security

FAR Federal Acquisition Regulation

GSA General Services Administration

IAA inter- or intra-agency agreement

ICE Immigration and Customs Enforcement

IDENT Automated Biometric Identification System

INS Immigration and Naturalization Service

IPAC Intra-governmental Payment and Collection

OMB Office of Management and Budget

SEI Software Engineering Institute

TECS Treasury Enforcement Communications Systems

TSA Transportation Security Administration

US-VISIT U.S. Visitor and Immigrant Status Indicator Technology

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

June 9, 2006

Congressional Requesters

The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)
program of the Department of Homeland Security (DHS) is a governmentwide
program for controlling and monitoring the pre-entry, entry, visa status,
and exit of foreign visitors. The department is taking an incremental
approach to acquiring and implementing US-VISIT, with the initial
increments focused on enhancing existing systems, modifying facilities,
and augmenting program office staff. In doing so, DHS has relied heavily
on contractor support, obtained through multiple existing contracts
managed by several DHS and non-DHS agencies. Because of the importance of
effective contractor management and oversight to this program, you asked
us to determine whether the department has established and implemented
effective controls for managing and overseeing US-VISIT-related
contractors.

To achieve this objective, we reviewed the contracting policies and
procedures of DHS and non-DHS agencies responsible for US-VISIT-related
contracts.1 We also reviewed a set of contracting actions (contract awards
and task orders) that were performed between March 2002 and March 2005. We
could not ensure that the selected contracting actions were statistically
representative of all US-VISIT-related contracting actions because DHS did
not have a complete inventory of such actions. Instead, we used a
judgmental selection, focusing on service contracts from fiscal years 2002
to 2005.2

1The DHS agencies are the US-VISIT Acquisition and Program Management
Office, US-VISIT Facilities & Engineering Management, U.S. Customs and
Border Protection, Immigration and Customs Enforcement, and the
Transportation Security Administration. The non-DHS agencies are the
General Services Administration and the U.S. Army Corps of Engineers
Architect-Engineering Resource Center.

We conducted our review from March 2005 through April 2006 in accordance
with generally accepted government auditing standards. Further details of
our objective, scope, and methodology, including the basis for our
judgmental selection, are included in appendix I.

                                Results in Brief

Although the success of the US-VISIT program depends heavily on the work
performed by contractors, important US-VISIT-related contract activities
have not been effectively managed and overseen. For those contracts that
it directly managed, the program office established and implemented
nonfinancial management controls (such as assigning contractor management
responsibilities and authorities, training key contract management
personnel, and verifying that contractor deliverables satisfied
established requirements), but it fell short in other key areas. In
particular:

           o  The program office did not establish and implement effective
           nonfinancial management controls for overseeing US-VISIT-related
           contract work performed on its behalf by other DHS agencies, such
           as Customs and Border Protection (CBP), and by two non-DHS
           agencies-the Army Corps of Engineers Architect-Engineering
           Resource Center (AERC)3 and the General Services Administration
           (GSA). These agencies did not always establish and implement the
           full range of nonfinancial controls needed to effectively manage
           their respective contracts. For example, the program office did
           not know what US-VISIT-related contract actions these other
           agencies had under way and had completed, and the other agencies
           generally did not establish and implement controls for ensuring
           that contractor deliverables satisfied contract requirements,
           which is significant given that these DHS and non-DHS agencies
           directly managed more than half (56 percent) of the total
           obligations reported to us for US-VISIT-related contract work
           during the period of our review.

           o  The program office and other DHS and non-DHS agencies doing
           work on its behalf also did not implement effective
           US-VISIT-related financial management controls. In the absence of
           these controls, several agencies were unable to reliably report
           US-VISIT contracting expenditures. Further, the program office and
           the other agencies improperly paid and accounted for related
           invoices, including making duplicate payments and making payments
           for non-US-VISIT services using funds designated for US-VISIT
           purposes.

           According to the US-VISIT program official responsible for
           contract matters, the program office has focused on contracts that
           it manages directly and decided to rely on other agencies to
           manage the other US-VISIT contracts. Further, it decided to rely
           on these other agencies to properly manage financial matters for
           their respective contracts, and on another agency for its own
           financial management support. Without effective controls over all
           US-VISIT-related contracts and related financial management
           matters, the program office does not know whether required program
           deliverables and associated mission results will be produced on
           time and within budget, and that proper payments are made and
           accounted for.

           We are making recommendations to the Secretary of Homeland
           Security to ensure that effective contract management and
           financial controls are established and implemented both for
           contracts managed by the US-VISIT program office and for those
           managed by other agencies. For example, we are recommending that
           the program office develop and implement practices for overseeing
           contractor work managed by other agencies on the program office's
           behalf, including (among other things) having current, reliable,
           and timely information on the full scope of contract actions and
           activities. In addition, we are recommending that the program
           office strengthen financial management by (among other things)
           ensuring that agencies managing contracts on its behalf record
           amounts being billed and expended on US-VISIT-related work so that
           these can be tracked and reported separately from amounts not for
           US-VISIT purposes.

           In written comments on a draft of this report, DHS stated that
           although it disagreed with some of our assessment, it agreed with
           many areas of the report and concurred with our recommendations
           and the need for improvements in US-VISIT contract management and
           oversight. In particular, DHS described as misleading our
           characterization of US-VISIT's dependency on other agencies for
           financial management support. DHS noted that the decision to use
           other agencies was based on the nature of the services that were
           required, which it said were outside the scope of the program
           office's areas of expertise. We understand the rationale for the
           decision to use other agencies, and the statement in question was
           not intended to suggest anything more than that such a decision
           was made. The department also provided clarifying information
           about invoice discrepancies and improper payments cited in the
           report, including reasons why they occurred. We do not question
           the department's reasons for the discrepancies; however, they do
           not change our findings about the fact that these discrepancies
           did indeed occur. We have modified the report, where appropriate.
           DHS's comments, along with our responses, are discussed in detail
           in the Agency Comments and Our Evaluation section of this report.
           The comments are also reprinted in their entirety in appendix II.

           Officials from AERC and GSA provided oral comments aimed at
           clarifying some of our statements and findings. We have made
           revisions as appropriate. These comments and our responses are
           also discussed in the Agency Comments and Our Evaluation section
           of the report.

           In response to legislation,4 the Immigration and Naturalization
           Service (INS) established in 2002 an Entry/Exit Program to
           strengthen management of the pre-entry, entry, visa status, and
           exit of foreign nationals who travel to the United States. With
           the creation of DHS in March 2003 and the inclusion of INS as part
           of the new department, this initiative was renamed US-VISIT. The
           goals of US-VISIT are to

           o  enhance the security of U.S. citizens and visitors,
           o  facilitate legitimate travel and trade,
           o  ensure the integrity of the U.S. immigration system, and
           o  protect the privacy of our visitors.

           To achieve these goals, US-VISIT is to collect, maintain, and
           share information on certain foreign nationals who enter and exit
           the United States; detect fraudulent travel documents, verify
           traveler identity, and determine traveler admissibility through
           the use of biometrics; and facilitate information sharing and
           coordination within the border management community.

           As of October 2005, about $1.4 billion has been appropriated for
           the program, and according to program officials, about $962
           million has been obligated.

           DHS plans to deliver US-VISIT capability in four increments:
           Increments 1 through 3 are interim, or temporary, solutions that
           were to fulfill legislative mandates to deploy an entry/exit
           system by specified dates; Increment 4 is to implement a long-term
           vision that is to incorporate improved business processes, new
           technology, and information sharing to create an integrated border
           management system for the future. For Increments 1 through 3, the
           program is building interfaces among existing ("legacy") systems;
           enhancing the capabilities of these systems; deploying these
           capabilities to air, sea, and land ports of entry; and modifying
           ports of entry facilities. These increments are to be largely
           acquired and implemented through task orders placed against
           existing contracts.5

           o  Increment 1 concentrates on establishing capabilities at air
           and sea ports of entry and is divided into two parts-1 and 1B.
           Increment 1 (air and sea entry) includes the electronic capture
           and matching of biographic and biometric information (two digital
           index fingerscans and a digital photograph) for selected foreign
           nationals, including those from visa waiver countries.6 Increment
           1 was deployed on January 5, 2004, at 115 airports and 14
           seaports. Increment 1B (air and sea exit) collects biometric exit
           data for select foreign nationals; it is currently deployed at 14
           airports and seaports.
           o  Increment 2 focuses primarily on extending US-VISIT to land
           ports of entry. It is divided into three parts-2A, 2B, and 2C.

                        o  Increment 2A includes the capability to
                        biometrically compare and authenticate valid
                        machine-readable visas and other travel and entry
                        documents issued by the Department of State and DHS
                        to foreign nationals at all ports of entry (air, sea,
                        and land ports of entry). Increment 2A was deployed
                        on October 23, 2005, according to program officials.
                        It is also to include the deployment by October 26,
                        2006, of technology to read biometrically enabled
                        passports from visa waiver countries.
                        o  Increment 2B redesigned the Increment 1 entry
                        solution and expanded it to the 50 busiest U.S. land
                        border ports of entry with certain modifications to
                        facilities. This increment was deployed to these 50
                        ports of entry as of December 29, 2004.
                        o  Increment 2C is to provide the capability to
                        automatically, passively, and remotely record the
                        entry and exit of covered individuals using radio
                        frequency technology tags at primary inspection and
                        exit lanes.7 In August 2005, the program office
                        deployed the technology to five border crossings (at
                        three ports of entry) to verify the feasibility of
                        using passive radio frequency technology to record
                        traveler entries and exits via a unique
                        identification number embedded within
                        government-issued travel documentation. The program
                        office reported the evaluation results in January
                        2006, and according to the Increment 2C project
                        manager, the program is planning to move forward with
                        the second phase of this increment.

           o  Increment 3 extended Increment 2B entry capabilities to 104 of
           the remaining 105 land ports of entry as of December 19, 2005.8

           o  Increment 4 is to define, design, build, and implement more
           strategic US-VISIT program capability, which program officials
           stated will likely consist of a further series of incremental
           releases or mission capability enhancements that will support
           business outcomes.

           The first three increments of US-VISIT include the interfacing of
           existing systems, the modification of facilities, and the
           augmentation of program staff. Key existing systems include the
           following:

           o  The Arrival Departure Information System (ADIS) is a database
           that stores noncitizen traveler arrival and departure data
           received from air and sea carrier manifests and that provides
           query and reporting functions.
           o  The Treasury Enforcement Communications Systems (TECS) is a
           system that maintains lookout (i.e., watch list) data, interfaces
           with other agencies' databases, and is currently used by
           inspectors at ports of entry to verify traveler information and
           update traveler data.
           o  TECS includes the Advance Passenger Information System (APIS),
           a system that captures arrival and departure manifest information
           provided by air and sea carriers.
           o  The Automated Biometric Identification System (IDENT) is a
           system that collects and stores biometric data about foreign
           visitors.

           In May 2004, DHS awarded an
           indefinite-delivery/indefinite-quantity9 prime contract to
           Accenture, which has partnered with a number of other vendors.10
           According to the contract, the prime contractor will develop an
           approach to produce the strategic solution. In addition, it is to
           help support the integration and consolidation of processes,
           functionality, and data, and is to assist the program office in
           leveraging existing systems and contractors in deploying and
           implementing the interim solutions.

           In July 2003, DHS established the US-VISIT program office, which
           is responsible for managing the acquisition, deployment, and
           operation of the US-VISIT system and supporting people, processes,
           and facilities. Accordingly, the program office's responsibilities
           include, among other things,

           o  delivering program and system capabilities on time and within
           budget and
           o  ensuring that program goals, mission outcomes, and program
           results are achieved.

           Within DHS, the US-VISIT program organizationally reports directly
           to the Deputy Secretary for Homeland Security, as seen in figure
           1.

2To judgmentally select our set of contracting actions, we identified the
DHS and non-DHS agencies that managed US-VISIT-related contracts and, for
each agency, we selected one contracting action for US-VISIT-related work
awarded in each fiscal year from March 1, 2002, through March 31, 2005.
Not all organizations awarded contracting actions in every fiscal year
covered under our review, in which case an action was not selected for
that fiscal year for that organization. Our judgmental selection did not
include contracting actions from one of the responsible organizations
(DHS's Immigration and Customs Enforcement) because this agency did not
provide requested documentation in time for us to include it in our
analysis of contracting actions.

3AERC is a component of the Department of Defense.

                                   Background

48 U.S.C. 1365a; 6 U.S.C. 251 (transferred relevant Immigration and
Naturalization Service functions to DHS); 8 U.S.C. 1732(b).

Acquisition and Implementation Approach

5Over the last 3 years, we have issued five reports on the US-VISIT
program that, among other things, identified fundamental challenges that
the department faced in delivering promised program capabilities and
benefits on time and within budget. For our most recent report, see GAO,
Homeland Security: Recommendations to Improve Management of Key Border
Security Program Need to Be Implemented, GAO-06-296 (Washington, D.C.:
Feb. 14, 2006).

6The Visa Waiver Program permits foreign nationals from designated
countries to apply for admission to the United States for a maximum of 90
days as nonimmigrant visitors for business or pleasure.

7Radio frequency technology relies on proximity cards and card readers.
Radio frequency devices read the information contained on the card when
the card is passed near the device and can also be used to verify the
identity of the cardholder.

8At one port of entry, these capabilities were not fully operational until
January 7, 2006, because of a telephone company strike that prevented the
installation of a T-1 line.

Organizational Structure and Responsibilities

9An indefinite-delivery/indefinite-quantity contract provides for an
indefinite quantity, within stated limits, of supplies or services during
a fixed period of time. The government schedules deliveries or performance
by placing orders with the contractor.

10Accenture's partners include, among others, Raytheon Company, the Titan
Corporation, and SRA International, Inc.

Figure 1: Organizational Structure of DHS

The program office is composed of a number of functional groups. Among
these groups, three deal with contractor management. These are the
Acquisition and Program Management Office (APMO), the Office of Facilities
and Engineering Management, and the Office of Budget and Financial
Management. As seen in figure 2, all three groups report directly to the
US-VISIT Program Director.

Figure 2: Organizational Structure of US-VISIT Program Office and
Functional Responsibilities

APMO is to manage execution of the program's acquisition and program
management policies, plans, processes, and procedures. APMO is also
charged with ensuring effective selection, management, oversight, and
control of vendors providing services and solutions.

The Office of Facilities and Engineering Management is to implement the
program's physical mission environment through, for example, developing
and implementing physical facility requirements and developing cooperative
relationships and partnering arrangements with appropriate agencies and
activities.

The Office of Budget and Finance is to develop executable budgets to
contribute to cost-effective performance of the US-VISIT program and
mission; ensure full accountability and control over program financial
assets; and provide timely, accurate, and useful financial information for
decision support.

US-VISIT Relationships with Other DHS and Non-DHS Agencies

Since its inception, US-VISIT has relied extensively on contractors to
deliver system and other program capabilities; these contractors include
both contractors managed directly by the program office and those managed
by other DHS and non-DHS agencies. Within the program office, APMO manages
the prime contract mentioned earlier, as well as other program
management-related contracts. All other contracts were awarded and managed
either by other DHS agencies or by two non-DHS agencies, GSA and AERC. For
the contracts managed by other DHS agencies, the program office has
entered into agreements11 with these agencies. These agreements allow the
program to use previously awarded contracts to further develop and enhance
the existing systems that now are part of US-VISIT. By entering into
agreements with the various owners of these systems, the program office
has agreed to fund US-VISIT-related work performed on the systems by these
agencies, which include

           o  CBP, which owns and manages TECS;
           o  Immigration and Customs Enforcement (ICE), which owned and
           managed IDENT (until 2004) and ADIS (until 2005), and still
           provides some information technology support services;12 and
           o  the Transportation Security Administration (TSA), which in 2003
           managed the development of the air/sea exit pilot program.

           In addition, through its Office of Facilities and Engineering
           Management, the program office has established an interagency
           agreement with AERC and has established reimbursable work
           authorizations with GSA.13 The agreements with GSA and AERC
           generally provide for management services in support of US-VISIT
           deployment.

           When the US-VISIT program office was created in July 2003, the
           program did not own or manage any of the key systems described
           earlier. Rather, all systems were owned and managed by other DHS
           agencies (see fig. 3). As of March 2005, the program office had
           assumed ownership and management responsibility for IDENT, which
           was originally managed by ICE; assumed management responsibility
           for the air/sea exit project, which was originally managed by TSA;
           and shares responsibility for ADIS, which was initially owned and
           managed by ICE. US-VISIT owns ADIS, but CBP is responsible for
           managing the system. These relationships are shown in figure 3.

           Figure 3: Changes in US-VISIT System Ownership and Management,
           July 2003-March 2005

           IAAs establish a means for US-VISIT to transfer funds to other DHS
           and non-DHS agencies for work done on its behalf. The IAAs first
           give the servicing agencies (that is, the agencies performing the
           work for US-VISIT) obligation authority to contract for US-VISIT
           work. Once the work has been performed, the servicing agencies pay
           their vendors according to the terms of their respective contracts
           and then request reimbursement of the vendor payment from US-VISIT
           via the Intra-governmental Payment and Collection (IPAC) system.14
           In addition, the servicing agencies also receive IPAC payments for
           the services they themselves provided for US-VISIT-essentially a
           fee for the cost of managing contracts on the program's behalf.

           Table 1 lists the various agencies currently managing
           US-VISIT-related contracts and summarizes their respective
           relationships with the program office and the purpose of the
           contract actions that we reviewed.

11DHS uses inter- and intra-agency agreements (IAAs) to document
agreements entered into between federal agencies, or major organizational
units within an agency, which specify the goods to be furnished or tasks
to be accomplished by one agency (the servicing agency) in support of the
other (the requesting agency).

12Ownership and management of IDENT was transferred to US-VISIT in 2004;
ownership of ADIS was transferred to US-VISIT in 2005, but management was
transferred to CBP.

13Reimbursable work authorizations are used by GSA to capture and bill
GSA's customers for, among other things, the cost of providing services in
space managed by GSA over and above the basic operations financed through
rent for that space. In the case of US-VISIT, reimbursable work
authorizations were used to reimburse services required in support of
US-VISIT deployment efforts at the GSA-owned ports of entry.

14IPAC is the primary method used by most federal entities to
electronically bill and/or pay for services and supplies within the
government.

Table 1: Relationships between Servicing Agencies Managing
US-VISIT-Related Contracts and US-VISIT Program

Source: GAO analysis.

Summary of DHS Reported Obligations for US-VISIT Contracts

Documentation provided by the agencies responsible for managing
US-VISIT-related contracts shows that between March 2002 and March 31,
2005, they obligated about $347 million for US-VISIT-related contract
work.15 As shown in figure 4, about $152 million, or less than half (44
percent), of the $347 million in obligations reported to us was for
contracts managed directly by the US-VISIT program office. The remaining
$195 million, or 56 percent, was managed by other DHS and non-DHS
agencies. Specifically, $156 million, or 45 percent of the $347 million in
obligations reported to us for contracts, was managed by other DHS
agencies (TSA and CBP); $39 million, 11 percent, was managed by non-DHS
agencies (GSA and AERC).

15This number was derived from information provided to us by the agencies,
as well as analysis of provided documentation. Additionally, and as noted
in appendix I, weaknesses in DHS's financial systems call into question
the accuracy of these numbers. Further, this number does not include any
obligations from ICE, as it did not report US-VISIT-related obligations to
us in time for us to include in our analysis of contracting actions.

Figure 4: Distribution of $347 Million US-VISIT Obligated Contracting
Dollars between March 2002 and March 2005

From the inception of the US-VISIT program office through September 30,
2005, the program reports that it transferred about $96.7 million to other
agencies via the IPAC system for direct reimbursement of contract costs
and for the agencies' own costs.16

Prior Reviews Related to DHS Contractor Oversight and Management

In January 2005, we observed17 the increased use of interagency
contracting by the federal government and noted the factors that can make
interagency contract vehicles high risk in certain circumstances. One of
these factors was that the use of such contracting vehicles contributes to
a much more complex environment in which accountability had not always
been clearly established, including designation of responsibility for such
critical functions as describing requirements and conducting oversight. We
concluded that interagency contracting should be designated a high-risk
area because of the challenges associated with such contracts, problems
related to their management, and the need to ensure oversight.

16On the basis of previous audit findings, we do not consider this amount
reliable. DHS's independent auditors determined that its IPAC system
presented a weakness in DHS's financial management environment.

17GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January
2005).

In March 2005, we also reported18 on challenges facing DHS's efforts to
integrate its acquisition functions. One significant challenge was a lack
of sufficient staff in the Office of the Chief Procurement Officer to
ensure compliance with the department's acquisition regulations and
policies. Another challenge was that the department's Office of
Procurement Operations, which was formed to support DHS agencies that
lacked their own procurement support (such as US-VISIT), did not yet have
sufficient staff and relied heavily on interagency contracting. Further,
the office had not implemented management controls to oversee procurement
activity, including ensuring that proper contractor management and
oversight had been performed. We concluded that unless these challenges
were addressed, the department was at risk of continuing with a fragmented
acquisition organization that provided only stop-gap, ad hoc solutions.

Importance of Contractor Management Controls

Organizational policies and procedures are important management controls
to help program and financial managers achieve results and safeguard the
integrity of their programs. Agency management is responsible for
establishing and implementing financial and nonfinancial controls, which
serve as the first line of defense in ensuring contractor performance,
safeguarding assets, and preventing and detecting errors and fraud.

Pursuant to 31 U.S.C. S: 3512 (c),(d), the Comptroller General has
promulgated standards that provide an overall framework for establishing
and maintaining internal controls in the federal government.19 Policy and
guidance on internal control in executive branch agencies are provided by
the Office of Management and Budget (OMB) in Circular A-123,20 which
defines management's fundamental responsibility to develop and maintain
effective internal controls. Specifically, management is responsible for
implementing appropriate internal controls; assessing the adequacy of
internal controls, including those over financial reporting; identifying
needed improvements and taking corrective action; and reporting annually
on internal controls.

18GAO, Homeland Security: Successes and Challenges in DHS's Efforts to
Create an Effective Acquisition Organization, GAO-05-179 (Washington,
D.C.: Mar. 29, 2005).

19GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21 .3.1 (Washington, D.C.: November 1999).

20OMB Circular A-123, Management's Responsibility for Internal Control
(effective beginning with fiscal year 2006) (revised Dec. 21, 2004).

The five general standards in our framework for internal control are
summarized below.

           o  Control environment. Management and employees should establish
           and maintain an environment throughout the organization that sets
           a positive and supportive attitude toward internal control and
           conscientious management. A key factor relevant to contractor
           management is having clearly defined areas of authority and
           responsibility and appropriate lines of reporting.
           o  Risk assessment. Internal control should provide for an
           assessment of the risks the agency faces from both external and
           internal sources.

           o  Control activities. Internal control activities help ensure
           that management's directives are carried out. The control
           activities should be effective and efficient in accomplishing the
           agency's control objectives. Key control activities associated
           with contract management include

                        o  appropriate documentation of transactions,
                        o  accurate and timely recording of transactions and
                        events,
                        o  controls over information processing,
                        o  reviews by appropriate management in the
                        organization, and
                        o  segregation of duties.

           o  Information and communications. Information should be recorded
           and communicated to management (and others who need it) in a form,
           and within a time frame, that enables them to carry out their
           internal control and other responsibilities. Key contract
           management activities include

                        o  identifying, capturing, and distributing
                        information in a form and time frame that allows
                        people to perform their duties efficiently; and
                        o  ensuring that information flows throughout the
                        organization and to external users as needed.

           o  Monitoring. Internal control monitoring should assess the
           quality of performance over time and ensure that the findings of
           audits and other reviews are promptly resolved.

           To complement the standards, we developed a tool to help managers
           and evaluators determine how well an agency's internal controls
           are designed and functioning and what, where, and how improvements
           may be implemented.21 This tool is intended to be used
           concurrently with the standards described above and with OMB
           Circular A-123. The tool associates each standard with a list of
           major factors to be considered when users review the controls for
           that standard, as well as points to be considered that may
           indicate the degree to which the controls are functioning.

           Relevant acquisition regulations and IT acquisition management
           guidance also provide criteria for effectively managing contractor
           activities. The Federal Acquisition Regulation (FAR)22 requires
           that government agencies ensure that the contractor performs the
           requirements of the contract, and the government receives the
           service intended. However, the FAR does not prescribe specific
           methods for doing so.

           Other such methods or practices can be found in other acquisition
           management guidance. In particular, the Capability Maturity Model
           Integration model,23 developed by the Software Engineering
           Institute (SEI) of Carnegie Mellon University, explicitly defines
           process management controls that are recognized hallmarks for
           successful organizations and that, if implemented effectively, can
           greatly increase the chances of successfully acquiring software
           and systems. These controls define a number of practices and
           subpractices relevant to managing and overseeing contracts. These
           practices are summarized below.

           o  Establish written policies and procedures for performing
           contractor management. Polices establish the organization's
           expectations for performing contractor management activities.
           Procedures provide the "how to" or method to be followed in
           implementing the policies.
           o  Establish and maintain a plan for performing the contract
           oversight process. The plan should include, among other things, a
           contractor management and oversight process description,
           requirements for work products, an assignment of responsibility
           for performing the process, and the evaluations and reviews to be
           conducted with the contractor.
           o  Assign responsibility and authority for performing the specific
           contractor management activities. Responsibility should be
           assigned for performing the specific tasks of the contractor
           management process.
           o  Train the people performing or supporting the contractor
           management process. Personnel participating in the contract
           oversight process should be adequately trained and certified, as
           appropriate, to fulfill their assigned roles.
           o  Document the contract. This documentation should include, among
           other things, a list of agreed-upon deliverables, a schedule and
           budget, deliverable acceptance criteria, and types of reviews that
           will be conducted with the contractor.
           o  Verify and accept the deliverables. Procedures for accepting
           deliverables should be defined; those accepting the deliverables
           should verify that they meet requirements; the results of
           acceptance reviews or tests should be documented; action plans
           should be developed for any products that do not pass their review
           or test; and action items should be identified, documented, and
           tracked to closure.
           o  Monitor risks involving the contractor and take corrective
           actions as necessary. Risks should be identified and categorized
           (e.g., risk likelihood or risk consequence) and then analyzed
           according to these assigned categories.
           o  Conduct technical reviews with the contractor. Reviews should
           ensure that technical commitments are being met in a timely manner
           and should verify that the contractor's interpretation and
           implementation of the requirements are consistent with the
           project's interpretation.
           o  Conduct management reviews. Reviews should address critical
           dependencies, project risks involving the contractor, and the
           contract schedule and budget.

           Given the US-VISIT program's dependence on contracting, it is
           extremely important for the program office to effectively manage
           and oversee its contracts via the establishment and implementation
           of key contractor management and oversight controls. To its
           credit, the program office established and implemented most of the
           key practices associated with effectively managing nonfinancial
           contractor activities for those contracts that it directly
           manages. In particular, it established policies and procedures for
           implementing all but one of the key practices that we reviewed,
           and it implemented many of these practices-including assigning
           responsibilities and training key personnel involved in contractor
           management activities, verifying that contractor deliverables
           satisfied established requirements, and monitoring the
           contractor's cost and schedule performance for the task orders
           that we reviewed. In doing so, the program has increased the
           chances that program deliverables and associated mission results
           will be produced on time and within budget.

           However, the program office did not effectively oversee
           US-VISIT-related contract work performed on its behalf by other
           DHS and non-DHS agencies, and these agencies did not always
           establish and implement the full range of controls associated with
           effective management of their respective contractor activities.
           Without effective oversight, the program office cannot adequately
           ensure that program deliverables and associated mission results
           will be produced on time and within budget.

           Further, the program office and other agencies did not implement
           effective financial controls. The program office and other
           agencies managing US-VISIT-related work were unable to reliably
           report the scope of contracting expenditures. In addition, some
           agencies improperly paid and accounted for related invoices,
           including making a duplicate payment and making payments for
           non-US-VISIT services from funds designated for US-VISIT. Without
           effective financial controls, DHS cannot reasonably ensure that
           payments made for work performed by contractors are a proper and
           efficient use of resources.

           According to the US-VISIT program official responsible for
           contract matters, the program office has initially focused on
           contracts that it manages directly. For US-VISIT contracts managed
           by other agencies, the program office has decided to rely on those
           agencies to manage the contracts and associated financial matters.
           In addition, it has decided to rely on another agency for
           financial management support of the program office.

           The US-VISIT program office is responsible and accountable for
           meeting program goals and ensuring that taxpayer dollars are
           expended effectively, efficiently, and properly. Within the
           program office, APMO is responsible for establishing and
           maintaining disciplined acquisition and program management
           processes to ensure the efficient support, oversight, and control
           of US-VISIT program activities. Accordingly, it is important that
           APMO establish and implement effective contractor management
           controls.

           As mentioned previously, federal regulations and acquisition
           management guidance24 identify effective contractor management as
           a key activity and describe a number of practices associated with
           this activity, including (among other things) establishing
           policies and procedures for contractor management, defining
           responsibilities and authorities, providing training, verifying
           and accepting deliverables, and monitoring contractor performance.
           These general practices often consist of more detailed
           subpractices. Appendix III lists the practices and associated
           subpractices, as well as the extent to which they were performed
           on each of the contract actions that we reviewed.

           For contracts that it directly managed, APMO established policies
           and procedures for all but one of the key nonfinancial practices
           associated with effective contractor management. For example, it
           established policies and procedures for performing almost all
           contractor management activities (practices) through its Contract
           Administration and Management Plan. This programwide plan, in
           conjunction with its Acquisition Procedures Guide Deskbook,
           defines the methodology and approach for performing contractor
           management for all contracts and task orders managed by APMO.
           However, it neither established polices and procedures for having
           a plan for overseeing individual contract actions, nor actually
           developed such a plan. Instead, APMO relied on its programwide
           polices and procedures for performing contract management
           activities and to define what and how it actually implemented
           them. However, without a plan for specific contracting actions,
           the program office cannot be assured that contract management
           activities will be implemented for each contracting action.

           Table 2 shows the extent to which APMO, in its documented policies
           and procedures, requires that the critical contractor management
           practices be performed; this is shown under the heading "practice
           established?" Under "practice implemented?" the table also shows
           the extent to which APMO had actually implemented such practices
           for those contracting actions that we reviewed, regardless of any
           documented requirement.

           Table 2: APMO's Establishment and Implementation of Key Contractor
           Management Practices

           Legend:

           0M = Established/implemented

           0m = Not established/implemented

           Sources: SEI, GAO analysis of agency data.

           Note: We determined whether the requirement for a practice was
           established or not established on the basis of documented policies
           and procedures addressing the practice and, where applicable, all,
           some, or none of the subpractices. We determined whether a
           practice was implemented or not implemented on the basis of
           documentation demonstrating that all, some, or none of the
           subpractices, where applicable, had been implemented for the task
           orders that we reviewed.

           APMO also implemented the aforementioned policies and procedures
           that it established for each of the contracting actions that we
           reviewed. For example, APMO implemented all of the key
           subpractices associated with verifying and accepting contract
           deliverables. Specifically, APMO defined acceptance procedures,
           verified that deliverables satisfied their requirements,
           documented the results of the review, developed a plan for
           addressing deliverable deficiencies, and tracked those issues to
           closure. With respect to one program support task order, for
           example, a designated US-VISIT team reviewed a project plan
           delivered by the contractor and returned it with a "conditionally
           acceptable" letter; this letter stated that the comments included
           were to be incorporated into the plan and assigned a date that the
           revised plan was due back. The contractor resubmitted the plan by
           the assigned date, and the contracting officer's technical
           representative (COTR) accepted it. Throughout the process, APMO
           tracked the status of this deliverable by means of a database
           designed to track and update the status of deliverables owed to
           US-VISIT by its contractors. The database included such
           information as current document status and when the revised
           document was due back to the program office.

           APMO also implemented all critical subpractices associated with
           contractor technical and management review activities. For
           example, APMO required that the prime contactor provide monthly
           cost performance reports that compared actual with budgeted cost
           and addressed critical dependencies. For example, one report noted
           that schedule and costs were impacted by a change in resources. In
           the report, the contractor proposed a corrective action and
           resolution date. APMO staff analyzed these reports and, according
           to APMO officials, distributed the analysis results to program
           office management for informational purposes (the results focused
           on the causes of and planned corrective actions for the most
           noteworthy cost and schedule variances). The information contained
           in the monthly reports was also discussed at quarterly programwide
           management reviews, which included contractor personnel. In
           addition to management issues, these reviews addressed technical
           issues such as deliverable status and requirements.

           The quarterly reviews were also used to evaluate the contractor's
           overall performance, as well as the contractor's performance on
           each task order active during that reporting period. The task
           orders that we examined were among those reviewed in this way. For
           each task order, the quarterly reviews included an assessment of
           schedule, cost and funding, technical performance, staffing, and
           risks. For example, the information presented on one task order
           that we reviewed reported that all of these categories were on
           track and were forecast to remain on track.25 During these
           reviews, technical requirements for each of the task orders were
           discussed among stakeholders, contractor personnel, and management
           to ensure a common understanding of those requirements and the
           status of their implementation. The results of these reviews were
           documented, and key discussion topics and a list and status of
           action items were identified. The action items were assigned due
           dates and were assigned to US-VISIT, the contractor, or specific
           individuals. In some cases, an action item identified a specific
           task order, such as a request to restructure a staffing report on
           a program management task order (in order to more accurately
           portray the level of contractor staffing). In the case of the
           staffing report, it was assigned to a contractor for action.
           Updated status of open items was also provided.

           According to APMO's acquisition policy, the office established and
           implemented these contractor management practices to establish a
           standard approach for conducting contract activities and to ensure
           that US-VISIT contracts continue to be managed in accordance with
           relevant laws, regulations, policies, and acquisition
           requirements. In doing so, the program has increased the chances
           that program deliverables and associated mission results will be
           produced on time and within budget.

           The US-VISIT program office's APMO is responsible for the
           program's contract-related matters. That means that APMO should,
           among other things, effectively oversee contracts being managed by
           others on the program's behalf. However, the program office did
           not establish and implement effective controls for overseeing
           US-VISIT-related contracts being managed by others. Specifically,
           the program office did not know the full range of US-VISIT-related
           contract actions that had been completed and were under way, and
           it had not performed key practices associated with gaining
           visibility into and understanding of contractor performance in
           meeting the terms of these contracts. This oversight gap is
           exacerbated by the fact that the other agencies did not always
           establish and implement the full range of controls associated with
           effective management of their contractor activities. For example,
           these agencies did not always implement effective controls for
           ensuring that contractor deliverables satisfy established
           requirements. Without effective oversight of all US-VISIT-related
           contracts, the program office is increasing the risk that program
           goals and outcomes will not be accomplished on time and within
           budget.

           To effectively oversee program-related contracts being managed by
           others, it is important for a program office to, at a minimum,
           depending on the nature of the contract, (1) define the roles and
           responsibilities for both itself and the entities it relies on to
           manage the contracts, (2) know the full range of such contract
           work that has been completed and is under way, and (3) define and
           implement the steps it will take to obtain visibility into the
           degree to which contract deliverables meet program needs and
           requirements, which underpin the program goals and outcomes.

           However, the US-VISIT program office did not effectively perform
           the following oversight activities for contracts that are being
           managed by other agencies:

           Defining roles and responsibilities. The program office did not
           define and document program office roles and responsibilities for
           overseeing the contractor work managed by other agencies and did
           not define the roles and responsibilities of the agencies managing
           US-VISIT-related contracts. According to the APMO Director, the
           roles and responsibilities were defined in IAAs between these
           agencies and the program office. However, the IAAs generally did
           not define roles and responsibilities. For example, US-VISIT
           provided us with 12 agreements for the agencies that we
           reviewed,26 and only one of them described roles and
           responsibilities for either APMO or the agency managing the
           contract work. Although responsibilities were identified, they
           were at a high level and the same for both the program office and
           the agency managing the contractor. Specifically, the IAA states
           that the US-VISIT COTR or point of contact and the servicing
           agency program office are responsible for technical oversight of
           the specified product or service identified in the statement of
           work. However, the IAA does not identify any specific contract
           oversight practices to be performed. According to the APMO
           Director, the program office did not define roles and
           responsibilities because the office is relatively new, and most
           efforts have been focused on developing policies and procedures
           for managing contracts that it directly controls.

           As noted earlier, we have previously reported that the use of IAAs
           is a high-risk approach to contracting.27 Although these contract
           vehicles can offer benefits of improved efficiency and timeliness,
           effective management of IAAs is challenging. Accordingly, we
           concluded that the use of IAAs requires, among other things, that
           the issuing agency clearly define roles and responsibilities for
           conducting contractor management and oversight.

           Knowing the full range of contract work. The program office was
           not able to provide us with a complete list of US-VISIT-related
           contract actions. Instead, US-VISIT told us that we needed to
           obtain a list of actions from each of the DHS and non-DHS agencies
           that managed the contract work. Once we compiled the list of
           contracting actions provided to us by the other agencies, the
           Director told us that no one in the program office could verify
           that the list was complete and correct. The Director further
           stated that APMO is not responsible for overseeing contracts
           managed outside the program office.

           Defining and implementing the steps to verify that deliverables
           meet requirements. According to DHS's directive on IAAs,28 the
           issuing agency (US-VISIT, in this case) is to, among other things,
           monitor the performance of the servicing agency and/or contractor;
           the directive also assigns responsibility for monitoring
           performance to the program office (or program point of contact)
           and the contracting officer. The contracting officer responsible
           for US-VISIT's IAAs told us that he relied on the program office's
           designated points of contact to conduct oversight of those IAAs.
           However, the program office did not define any specific
           performance monitoring activities. As a result, oversight
           activities performed have been informal and inconsistent. For
           example, on the AERC contracts, the Facilities and Engineering
           Budget Officer held weekly teleconferences with AERC to discuss
           project progress and contract issues, and concerns on an exception
           basis. However, these meetings were not documented; in other
           words, any follow-up on open issues and tracking to closure was
           handled informally. On the CBP contract actions, the US-VISIT
           Deputy Chief Information Officer (or one of his representatives)
           attended most, but not all, of the system development-milestone
           progress reviews related to US-VISIT work, and held ad hoc
           discussions with a CBP program manager to discuss funding and work
           status. On air/sea exit,29 the US-VISIT Director of Implementation
           relied on weekly meetings with TSA and the contractor to keep
           apprised of project status. However, he relied on a representative
           from US-VISIT Mission Operations to certify that testing on
           air/sea exit was completed in a satisfactory manner, and neither
           he nor a member of his team reviewed the results themselves.
           According to the Director of APMO, specific activities to monitor
           contracts managed by other agencies have not been established
           because the program office's efforts to date have focused on
           developing policies and procedures for contracts that the program
           office manages directly.

           Without clearly defined roles and responsibilities, as well as
           defined oversight activities for ensuring successful completion of
           the work across all US-VISIT-related contract activities, the
           program office cannot be adequately assured that required tasks
           are being satisfactorily completed.

           As mentioned previously, acquisition management guidance30
           identifies effective contractor management as a key activity and
           describes a number of practices associated with this activity,
           including (among other things) establishing policies and
           procedures for contractor management, defining responsibilities
           and authorities, providing training, verifying and accepting
           deliverables, and monitoring contractor performance. As mentioned
           earlier, these practices often consist of more detailed
           subpractices; appendix III provides further details on the
           practices, subpractices, and agency performance of these on each
           of the contract actions we reviewed.

           Table 3 shows the extent to which agencies, in their documented
           policies or procedures, require that the critical contractor
           management practices be performed (see columns under "practice
           established?"); it also shows (under "practice implemented?") the
           extent to which agencies had actually implemented such practices
           for the contracting actions that we reviewed, regardless of any
           documented requirement.

21GAO, Internal Control Management and Evaluation Tool, GAO-01-1008G
(Washington, D.C.: August 2001).

22The FAR system establishes the uniform set of policies and procedures
for acquisition by all executive branch agencies. This system consists of
the FAR, which is the primary document, and agency acquisition regulations
that implement or supplement the FAR.

23Carnegie Mellon University Software Engineering Institute, Capability
Maturity Model Integration, Systems Engineering Integrated Product and
Process Development, Continuous Representation, version 1.1 (March 2002).

US-VISIT Established and Implemented Key Controls for Contracts That It Managed
Directly, but It Did Not Have Controls for Overseeing Contracts Managed by
                  Others or for Effective Financial Management

Program Office Established and Implemented Key Contractor Management Practices

24Capability Maturity Model Integration, Systems Engineering Integrated
Product and Process Development, Continuous Representation, version 1.1.

The Program Office Did Not Effectively Oversee US-VISIT-Related Contracts
Managed by Other Agencies

25An apparent exception was the schedule, which was reported as having a
potential problem: deliverables were identified in the integrated master
schedule as not being complete. However, US-VISIT reported that the
deliverables were delivered on time.

  US-VISIT's Oversight of Other Agencies' Contracting Activities Has Been
  Informal and Inconsistent

26DHS IAAs were previously referred to as "reimbursable agreements." Five
of the agreements were actually reimbursable work authorizations for which
there was no IAA.

27 GAO-05-207 .

28DHS, Reimbursable Agreements, Management Directive System, MD 0710.1.

  Agencies Managing US-VISIT-Related Contractors Did Not Establish and Implement
  Key Contractor Management Practices

29Air/sea exit, which was developed by TSA, collects biometric exit data
for select foreign nationals; it is currently deployed to 14 airports and
seaports.

30Capability Maturity Model Integration, Systems Engineering Integrated
Product and Process Development, Continuous Representation, version 1.1.

Table 3: Status of Critical Contractor Management Practices at US-VISIT
Contract Management Agencies

Legend:

0M = Established/implemented

0L = Partially established/implemented

0m = Not established/implemented

Sources: SEI, GAO analysis of agency data.

aWe determined whether the requirement for a practice was established,
partially established, or not established on the basis of documented
policies and procedures addressing the practice and, where applicable,
all, some, or none of the subpractices. We determined whether a practice
was implemented, partially implemented, or not implemented on the basis of
documentation demonstrating that all, some, or none of the subpractices,
where applicable, had been implemented for the task orders that we
reviewed.

bNo results are provided for ICE regarding implementation of best
practices because we were unable to obtain contract documentation in time
for analysis.

As table 3 shows, agencies' establishment and implementation of the key
contractor management practices for US-VISIT-related contracts have been
uneven.

           o  All of the agencies had established policies or procedures for
           performing some of the key contractor management practices. Only
           CBP, however, had established policies and procedures for some
           aspect of all the key practices, while GSA and AERC had
           established procedures for about half of the key practices.
           o  Nevertheless, most of the agencies at least partially
           implemented most of the practices, even though they did not
           establish written procedures for doing so. For example, although
           three of the agencies31 did not establish documented policies or
           procedures for conducting technical and management reviews with
           the contractor, two of them implemented some aspects of the
           practice.

    All Agencies Established Some Policies and Procedures for Contractor
    Management Activities

           Contractor management policies and procedures define the
           organization's expectations and practices for managing contractor
           activities. All of the agencies (DHS and non-DHS) had established
           polices or procedures for governing some key contractor management
           practices. For example, CBP's Systems Development Life Cycle,
           augmented by its Office of Information Technology Project
           Manager's Guidebook, defines policies and procedures for assigning
           responsibilities and authorities for key contracting personnel and
           training those people responsible for implementing contractor
           management activities. Among other things, these documents provide
           descriptions of the duties of the contracting officer, the project
           manager, and COTR.32 The documents also require all affected
           agencies to train the members of their groups in the objectives,
           procedures, and methods for performing contractor management
           activities. CBP guidance also addresses contractor management
           procedures, including verifying and accepting deliverables,
           monitoring contract risk and taking corrective action, and
           conducting various reviews with the contractor.

           Other agencies, such as GSA and AERC, have established fewer
           procedures for contractor management. For example, GSA had not
           established procedures for three practices: (1) establishing and
           maintaining a plan for performing contractor oversight, (2)
           conducting technical reviews with the contractor, and (3)
           conducting management reviews with the contractor. According to
           GSA officials, they have not documented their oversight process in
           order to allow for as much flexibility as possible in performing
           the process. Further, they said they relied on the professional
           expertise of the contracting officer's representative (COR) and/or
           COTR to ensure the technical accuracy of work produced by a
           contractor.

           Without established policies and procedures for contractor
           management, the organizations responsible for managing
           US-VISIT-related contracts cannot adequately ensure that these
           vital contractor management activities are performed.

    Agencies' Implementation of Key Practices Was Uneven

           Implementation of key practices in the contracting actions that we
           reviewed was uneven. As table 3 shows, one practice-assigning
           responsibilities and authorities-was implemented by all agencies.
           Other key practices were only partially implemented or not
           implemented by all agencies. The following discussion provides
           selected examples.

           Most agencies implemented training of contractor management
           personnel. Training the personnel performing or supporting
           contractor management activities helps to ensure that these
           individuals have the necessary skills and expertise to adequately
           perform their responsibilities.

           Most of the agencies had trained some of the key contracting
           officials responsible for the contracting actions that we reviewed
           and were able to produce documentation of that training.33 For
           example, CBP relied on a DHS-mandated training program to train
           its key contract personnel. However, that program was not
           established until March 2004 for contracting officers and December
           2004 for COTRs, and so it did not apply to all the contracting
           actions that we reviewed. Before these programs were established,
           CBP relied on the previously existing qualifications of its
           contracting personnel. However, it provided training documentation
           for only some of the key contracting personnel for the contracting
           actions that we reviewed.

           With respect to non-DHS agencies, AERC and GSA records showed that
           contracting personnel had completed contracting-related training
           for the contracting actions that we reviewed.

           Most agencies did not implement all key practices for verifying
           and accepting contract deliverables. Verifying that contract
           deliverables satisfy specified requirements provides an objective
           basis to support a decision to accept the product. Verification
           depends on the nature of the deliverable and can occur through
           various means, such as reviewing a document or testing software.
           Effectively verifying and accepting contract deliverables
           includes, among other things, (1) defining procedures for
           accepting deliverables; (2) conducting deliverable reviews or
           tests in order to ensure that the acquired product satisfies
           requirements; (3) documenting the results of the acceptance review
           or test; (4) establishing an action plan for any deliverables that
           do not pass the acceptance review or test; and (5) identifying,
           documenting, and tracking action items to closure.

           All agencies implemented some (but not all) of the key practices
           associated with verifying and accepting contract deliverables. The
           following two examples from CBP and TSA illustrate this.

           o  CBP implemented most of the subpractices associated with this
           practice. For one contracting action reviewed (software
           development for Increment 2B functionality), CBP defined
           acceptance (testing) procedures, conducted the tests to verify
           that the deliverables satisfied the requirements, and documented
           the results. However, it did not develop an action plan to
           identify, document, and track unresolved action items to closure.
           Further, CBP accepted the deliverable before verifying that it had
           satisfied the requirements. Specifically, test results were
           presented at a production readiness review (one of the progress
           reviews called for in CBP's system development life cycle) on
           November 4, 2004. The review meeting included a US-VISIT
           stakeholder representative who signed off on the test results,
           indicating that US-VISIT accepted the deliverable and concurred
           that it was ready to operate in a production environment. However,
           the test analysis report highlighted several issues that called
           this conclusion into question. For example, the report stated that
           testing continued after the review (through November 8, 2004), and
           the report identified 67 issues at severity level 2, which CBP
           defines as a function that does not work and whose failure
           severely impacts or degrades the system. The report further stated
           that some test cases were delayed and subject to further testing.
           CBP could not provide any documentation that these open issues
           were resolved or that the test cases were executed. Further, the
           COTR told us that CBP did not define specific acceptance
           standards, such as the number and severity of defects permissible
           for acceptance. Instead, acceptance of the deliverable was
           subjectively based on the COTR's assessment of whether the
           software could provide critical functionality.

           For another contract action (Increment 1 hardware and software
           installation at ports of entry), CBP did not verify that the
           equipment was installed according to contract requirements. We
           were told by both the CBP Director of Passenger Systems (who was
           involved with much of the US-VISIT work) and the contract task
           monitor that the formal process for verifying and accepting
           contract deliverables consisted of a site-specific deployment
           checklist that recorded acceptance of deployment at each port.
           Acceptance required a signature from a government employee, a
           date, and an indication of deployment status (the two options for
           this status were (1) that the equipment was installed and
           operational or (2) that it was not installed, along with a
           description of reasons why it was not). However, as shown in table
           4, not all checklists that we reviewed were signed or indicated
           that the equipment was installed and operational, and CBP could
           not provide documentation on how the identified issues were
           resolved. Further, although the deliverable was deployed to 119
           sites, CBP provided checklists for 102 sites and was unable to
           provide them for the other 17 sites.

           Table 4: Acceptance Reports for One Contract Deliverable

           Legend:

           X = Checklist elements completed

           - = Checklist elements not completed

           Source: GAO analysis of CBP documentation.

           o  TSA implemented three of the practices associated with
           verifying and accepting deliverables-defining acceptance
           procedures, verifying that deliverables satisfy requirements, and
           documenting the results of the tests. Specifically, TSA tested the
           air/sea exit software and hardware, and developed a test plan that
           included test procedures and a traceability matrix. It also
           documented the test results in a test analysis report that noted
           that the software was ready for deployment because of the low
           severity of identified deficiencies. The report included, among
           other things, a list of system deficiencies identified during
           testing.34 The report also included copies of documents provided
           to a US-VISIT technical representative: a test problem report, a
           summary of testing defects, and a document indicating that the
           contractor had approved the test analysis.

           However, TSA did not provide evidence that the deficiencies were
           managed and tracked to closure. TSA officials told us that open
           issues were tracked informally via twice-weekly meetings with a
           US-VISIT representative, TSA personnel, and contactor staff.
           Although these meetings were documented, the minutes did not
           provide any evidence of testing issues being discussed. According
           to program officials, this was due to the short development time
           frame (about 4 months) and the need to bypass traditional TSA
           milestone reviews in order to ensure that the product was
           delivered on time.

           Without adequately verifying that contract deliverables satisfy
           requirements before acceptance, an organization cannot adequately
           know whether the contractor satisfied the obligations of the
           contract and whether the organization is getting what it has paid
           for.

           Most agencies performed contractor technical and management
           reviews. Monitoring contractor performance is essential for
           understanding the contractor's progress and taking appropriate
           corrective actions when the contractor's performance deviates from
           plans. Such monitoring allows the acquiring organization to ensure
           that the contractor is meeting schedule, effort, cost, and
           technical performance requirements. Effective monitoring
           activities include conducting reviews in which budget, schedule,
           and critical dependencies are assessed and documented, and the
           contractor's implementation and interpretation of technical
           requirements are discussed and confirmed.

           Three of the four agencies implemented some contractor review
           activities, including, among other things, addressing technical
           requirements progress against schedule and costs through regular
           meetings with the contractor. For example, TSA conducted weekly
           reviews with the contractor to discuss the status of contract
           performance; material prepared for some of these weekly meetings
           indicated that topics discussed were "actual dollars expended"
           versus "budget at project completion," projected and actual
           schedule versus baseline, anticipated product delivery dates
           against planned due dates, and issues and risks. As another
           example, CBP held weekly documented meetings with its contractor
           to discuss open issues, the status of the project, and the current
           stage of the systems development life cycle. Additionally, CBP
           milestone reviews addressed project schedule, budget, and risk,
           some of which could be traced to specific contracts.

           In contrast, AERC did not document the monitoring of contractor
           performance during the performance period of the contract.
           Instead, to document contractor performance, it relied solely on
           end-of-contract evaluations required by the FAR.

           Financial management weaknesses at both the program office and the
           other agencies impaired their ability to adequately manage and
           oversee US-VISIT-related contracting activities. Specifically,
           well-documented, severe financial management problems at DHS (and
           at ICE in particular) affected the reliability and effectiveness
           of accounting for the US-VISIT program. Accordingly, the program
           office and the other DHS agencies were unable to provide accurate,
           reliable, and timely accounts for billings and expenditures made
           for contracts related to US-VISIT. In addition, a number of
           invoice payments were improperly paid and accounted for.

           DHS's financial management problems are well-documented. When the
           department began operations in 2003, one of the challenges we
           reported35 was integrating a myriad of redundant financial
           management systems and addressing the existing financial
           management weaknesses inherited by the department. Since that
           time, DHS has undergone three financial statement audits and has
           been unable to produce fully auditable financial statements for
           any of the audits.36 In its most recent audit report, auditors
           reported37 10 material weaknesses and 2 reportable conditions.38

           Among the factors contributing to DHS's inability to obtain clean
           audit opinions were serious financial management challenges at
           ICE, which provides accounting services for several other DHS
           agencies, including the US-VISIT program. For fiscal years 2004
           and 2005, auditors reported that financial management and
           oversight at ICE was a material weakness, principally because its
           financial systems, processes, and control activities were
           inadequate to provide accounting services for itself and other DHS
           agencies.39 According to the auditors, ICE did not adequately
           maintain its own accounting records or the accounting records of
           other DHS agencies, including US-VISIT. The records that were not
           maintained included intradepartmental agreements and transactions,
           costs, and budgetary transactions. These and other accounts
           required extensive reconciliation and adjustment at year-end,
           which ICE was unable to complete. In addition, in fiscal year
           2005, ICE was unable to establish adequate internal controls that
           reasonably ensured the integrity of financial data and that
           adhered to our Standards for Internal Control in the Federal
           Government;40 the Chief Financial Officer of ICE also issued a
           statement of "no assurance" on internal control over financial
           reporting.

           These systemic financial challenges impaired the US-VISIT
           program's contract management and oversight. As the accounting
           service provider for the US-VISIT program, ICE is responsible for
           processing and recording invoice payments both for contractors
           working directly for the program and for the work ICE procures on
           the program's behalf. However, because of its financial problems,
           the reliability of the financial information processed by ICE as
           the accounting-services provider for the program office was
           limited. Further, ICE was unable to produce detailed, reliable
           financial information regarding the contracts it managed on behalf
           of US-VISIT.

           Of the DHS agencies we reviewed, the program office and two others
           managing US-VISIT-related contracts on the program's behalf did
           not track contract billings and expenditures in a way that was
           accurate, reliable, and useful for contract oversight and decision
           making. Specifically, the amounts reportedly billed were not
           always reliable, and expenditures for US-VISIT were not always
           separately tracked.

           Our Standards for Internal Control in the Federal Government
           identifies accurate recording of transactions and events as an
           important control activity. In addition, the standards state that
           pertinent financial information should be identified, captured,
           and distributed in a form that permits people to perform their
           duties effectively. In order for people to perform their duties
           effectively, they need access to information that is accurate,
           complete, reliable, and useful for oversight and decision making.
           In the case of US-VISIT, expenditures and billings made for
           US-VISIT-related contracts should be tracked by the program office
           and the agencies managing the contracts on the program office's
           behalf, and controls should be in place to ensure that the
           information is reliable, complete, and accurate. Furthermore, in
           order for the information to be useful for oversight and decision
           making, billings and expenditures made for US-VISIT work should be
           separately tracked and readily identifiable from other billings
           and expenditures. Separately accounting for program funds is an
           important budgeting and management tool, especially when those
           funds are reimbursed by another agency for a program-specific
           purpose, as was the case for US-VISIT. Finally, according to our
           internal control standards and more specifically, our Internal
           Control Management and Evaluation Tool,41 information should be
           available on a timely basis for effective monitoring of events,
           activities, and transactions.

    The Amounts Reportedly Billed on US-VISIT-Related Contracts Are Nor Reliable

           Because effective internal controls were not in place, the
           reliability of US-VISIT-related billings by DHS agencies was
           questionable. First, the program office could not verify the scope
           of completed and ongoing contracting actions. Second, for the
           contracting actions that were reported, not all agencies provided
           billing information that was reliable.

           The program office did not track all contracting activity and thus
           could not provide a complete list of contracting actions. In the
           absence of a comprehensive list, we assembled a list of
           contracting actions from the program office and from each of the
           five agencies responsible for contracting for US-VISIT work.
           However, the APMO Director did not know whether the list of
           contracting actions was valid.

           In addition, to varying degrees, other DHS agencies could not
           reliably report to us what had been invoiced on the
           US-VISIT-related contracts they managed. In particular, ICE's
           substantial financial management challenges precluded it from
           providing reliable information on amounts invoiced against its
           contracts. Its inability to provide us with key financial
           documents for US-VISIT-related contracts illustrated its
           challenges. Over a period of 9 months, we repeatedly requested
           that ICE provide various financial documents, including
           expenditure listings, invoice documentation, and a list of all
           contracting actions managed on behalf of US-VISIT. However, it did
           not provide complete documentation in time to be included in this
           report. In particular, ICE was not able to provide complete and
           reliable expenditures to date. It did provide a list of
           US-VISIT-related contracting actions, but it did not include the
           amounts invoiced on those contracting actions, and program office
           staff noted several problems with ICE's list, including several
           contracts that were likely omitted. A comparable list provided by
           the DHS Office of the Chief Procurement Officer showed ICE's
           invoiced amounts, but the contracting actions on this list
           differed from those provided by ICE. Without accurate tracking of
           financial information related to US-VISIT contracts, the full
           scope of contracting and spending on the program cannot be known
           with reasonable certainty. This limitation introduces the
           increased possibility of inefficiencies in spending, improper
           payments, and poor management of limited financial resources.

           For CBP, a list of contacting actions provided by program
           officials included discrepancies that raised questions about the
           accuracy both of the list and of the invoiced amounts. First, the
           task order number of a 2002 contracting action changed during our
           period of review, and CBP initially reported the task order as two
           different contracting actions-one issued in 2002 and another
           issued in 2004. Second, the task order was for services performed
           bureauwide, not just for US-VISIT, and from the contract
           documentation it was not discernable which work was specific to
           US-VISIT. Such discrepancies suggest that the amount invoiced
           specifically to US-VISIT was not accurate. Finally, our summation
           of all the invoices, through March 31, 2005, on this contracting
           action totaled about $8.8 million, which was about $1.3 million
           more than the total invoiced amount that CBP had reported.42 This
           discrepancy indicated that CBP was not adequately tracking funds
           spent for US-VISIT on this contracting action, which increased the
           risk that the program was improperly reimbursing CBP on this
           contract. No such discrepancy existed between reported and actual
           invoiced amounts on the 2003 and 2004 CBP contracting actions we
           reviewed.

           TSA was able to provide accurate billing information on the one
           US-VISIT-related contracting action that it managed, but delays in
           invoicing on this contracting action increase the risk of future
           problems. As of February 2005, development on the TSA contract
           action was finished, and the contract had expired. However, from
           April 2005 through February 2006 (the latest date available), TSA
           reported that it continued to receive and process about $5 million
           in invoices, and that the contractor can still bill TSA for prior
           work performed for up to 5 years after expiration of the contract.
           According to TSA, the contractor estimated (as of February 2006)
           that it would be sending TSA an additional $2 million in invoices
           to pay for work already completed. TSA officials could not explain
           this delay in invoicing. Such a significant lag between the time
           in which work is completed and when it is billed can present a
           challenge to the proper review of invoices.

    DHS Agencies Did Not Always Separately Track Expenditures Made to
    Contractors for US-VISIT Work

           ICE did not track expenditures made to contractors for US-VISIT
           work separately from other expenditures, and CBP experienced
           challenges in its efforts to do so. Reliable, separate tracking of
           such expenditures is an important internal control for ensuring
           that funds are being properly budgeted and that the program office
           is reimbursing agencies only for work performed in support of the
           program.

           In the case of ICE, its financial management system did not
           include unique codes or any other means to reliably track
           expenditures made for US-VISIT-related contracts separately from
           non-US-VISIT expenditures. As a result, ICE did not have reliable
           information on what it spent for the program, which means that it
           could have requested improper reimbursements from the program
           office. More specifically, the most detailed list ICE could
           provide of its US-VISIT-related payments was by querying its
           financial management system by contract number, which provided all
           payments under the contract number. However, each contract's scope
           of work is generally broad and includes work throughout ICE, not
           just for US-VISIT. Thus, this method would not give an accurate
           picture of what expenditures ICE had made for US-VISIT-related
           work.

           In the case of CBP, it began using coding in its financial
           management system to separately track US-VISIT obligations and
           expenditures beginning in fiscal year 2003, when CBP first
           received funding for US-VISIT. At that time, CBP tracked all
           US-VISIT expenditures under a single project code. However,
           between fiscal years 2003 and 2004, CBP underwent a system
           conversion that interrupted its tracking of US-VISIT-related
           funds, which made it challenging to separately report
           US-VISIT-related expenditures. During this time, several changes
           were made to the codes used to track US-VISIT information. When we
           requested a listing of the US-VISIT-related expenditures by CBP,
           it took several weeks for CBP finance center staff to document the
           financial management system coding changes and produce a
           reasonably complete listing of the US-VISIT-related expenditures
           that CBP made during the system conversion. In fiscal years 2004
           and 2005, CBP again began tracking all US-VISIT-related
           expenditures separately under a single budget code. Thus, in the
           future, the tracking and reporting of US-VISIT expenditures by CBP
           should be more timely and reliable.

           Although the program office and the agencies-both DHS and
           others-doing work on its behalf usually documented approval of
           contractor invoices before payment, a number of invoices were
           improperly paid and accounted for, resulting in a potential loss
           of funds control and, in one case, a duplicate payment on an
           invoice of over $3 million. Our Internal Control Management and
           Evaluation Tool states that transactions and events need to be
           appropriately classified and that pertinent information is to be
           identified and captured in the right form.43

           Overpayments occurred as a result of two kinds of errors: on one
           occasion a duplicate payment was made, and on several other
           occasions incorrect balances were paid.

           o  A duplicate payment was made on an invoice for over $3 million.
           APMO had sent an authorization for payment in full on the invoice
           to its finance center. Then, 1 month later, APMO sent another
           authorization for payment in full on the same invoice. The second
           payment was later noticed, and the contractor refunded the
           amount.44 
           o  The other set of overpayments, although small in dollar value,
           exemplify a significant breakdown in internal control. Invoices
           billed to AERC on a fiscal year 2005 contract listed the current
           amount billed on the invoice, as well as a cumulative balance; the
           cumulative balance included invoice payments that AERC had already
           made, but that had not been recorded by the contractor when the
           next invoice was generated. On several of the invoices, AERC
           mistakenly paid the higher cumulative balance when the current
           amount should have been paid. As a result, AERC overpaid the
           vendor by about $26,600. Moreover, it was the contractor that
           first reported this overpayment in September 2005 and refunded the
           overpayment amount to AERC. According to DHS officials, the
           US-VISIT program office had independently identified the
           overpayment in November 2005 and requested clarification from AERC
           the following day.

           Also at APMO, two questionable payments were made that arose from
           the overriding of controls created for the prime US-VISIT
           contract. The prime contract has been implemented through 12 task
           orders with multiple modifications that either increased funding
           or made other changes to the contract terms. To account for the
           obligations made on each task order, the program's Office of
           Budget and Finance created separate tracking codes in the
           financial system for each task order and sometimes for each
           modification of a task order. The separate tracking of each
           obligation is a good control for tracking and controlling spending
           against task order funds. However, APMO overrode this control when
           it instructed the finance center to pay two invoices-one for about
           $742,000 and one for about $101,000-out of the wrong account: that
           is, with funds for task orders other than those for which the
           invoices were billed. APMO did not provide any justification for
           payment with funds from the improper account. Our Internal Control
           Management and Evaluation Tool states that any intervention or
           overriding of internal controls should be fully documented as to
           the reasons and specific actions taken.45

           CBP also inappropriately paid for work unrelated to US-VISIT out
           of funds designated for US-VISIT. For a 2003 contracting action
           that we reviewed, invoices included a significant amount in travel
           billings. However, several travel vouchers that accompanied these
           invoices were for work unrelated to US-VISIT. For example, terms
           like "Legacy ag/legacy Customs unification," "Agriculture Notes
           Installation," and "Agriculture AQI" were indicated on the
           vouchers. CBP confirmed that these vouchers were billed to
           US-VISIT in error. Additionally, other vouchers included
           descriptions that were vague and not clearly related to any
           specific program (e.g., emergency hardware replacement), and thus
           it was not clear that the work being billed was related to the
           program. Along with the travel expenses, the labor hours
           associated with the above vouchers were also being billed to the
           program. This circumstance calls into question not only whether or
           not the travel charges were inappropriately classified as US-VISIT
           work, but also whether the time that these employees were charging
           was inappropriately classified, and thus improperly paid.

           On one CBP contracting action, some charges that were not related
           to US-VISIT may have been reimbursed by the program office. The
           contracting action in question was a 2002 action for CBP-wide
           disaster recovery services, and thus not all charges were directly
           related to the US-VISIT program. On this task order, CBP expended
           about $1.28 million from program-designated funds on items that
           were not clearly specified as US-VISIT work on the invoices. Of
           that amount, about $43,000 could be attributed to a contract
           modification specific to the program. However, CBP stated that one
           invoice for about $490,000 included in this $1.28 million was paid
           from the program's funds to correct two payments for earlier
           US-VISIT invoices that were erroneously made from nonprogram
           funds. We also found about $771,000 of invoice dollars that were
           specified as US-VISIT work, but that were not on the CBP-provided
           expenditure reports for program funds.

           As a result of these various discrepancies, the US-VISIT program
           may have reimbursed CBP for work that was not done on its behalf.
           Also, the program official responsible, under DHS policy,46 for
           monitoring the CBP contracts related to US-VISIT told us that he
           had not been reviewing invoices on IPAC reimbursement requests
           from CBP, even though such reviews are required by DHS policy.

           In addition, on the 2003 CBP contracting action that we reviewed,
           many of the travel vouchers included first-class flights taken by
           contract personnel, although (with few exceptions) purchase of
           first-class travel is not allowed for travel on cost-reimbursable
           type contracts. However, travel documentation indicated
           first-class travel on numerous instances with no explanation or
           justification of the first-class travel or documentation to
           indicate that CBP had requested any explanation. CBP officials
           noted that some frequent fliers are automatically upgraded when
           purchasing a full-fare flight. Although this is a reasonable
           explanation, CBP provided no documentation showing that it
           completed any inquiry or research at the time it was invoiced to
           determine if first-class travel was being purchased or if upgrades
           were being given, and invoice documentation did not clarify this.
           Further, in several instances, complete documentation was not
           provided for the costs of all airline travel expenses.

           A final concern regarding payments to contractors is raised by the
           fact that several of the agencies made late payments on invoices.
           Under the Prompt Payment Act,47 the government must pay interest
           on invoices it takes over 30 days to pay. Not only do these
           interest payments deplete funds available for US-VISIT, but
           excessive late invoice payments are also a signal that the
           contract payment oversight process is not being effectively
           managed. CBP and TSA experienced agencywide increases in contract
           prompt-payment interest. CBP reported that in fiscal year 2004,
           the year that it converted to a new accounting system, prompt pay
           interest accounted for 7.66 percent of all payments, a sharp
           increase from the prior year's frequency rate of 1.74 percent. In
           fiscal year 2005, the rate of interest payments at CBP receded to
           1.80 percent of total payments.

           APMO also paid substantial amounts in prompt payment interest.
           According to DHS's auditors, ICE, which provides US-VISIT payment
           services, had not established internal controls to ensure that
           invoices were paid in a timely manner.48 For the invoices that we
           reviewed, prompt-payment interest was paid on approximately 26
           percent of the prime contract invoices that we reviewed,
           representing over $27,000 in payments. In addition, we could not
           verify that the proper amount of interest was paid because
           information in the ICE financial management system was incorrect.
           For example, in many instances, important dates used for
           determining prompt-pay interest were entered incorrectly, or the
           dates in the system could not be validated based on invoice
           documentation provided. A program official told us that certain
           program staff have recently been granted read-only access to ICE's
           financial management system to monitor invoice payments. If the
           program office effectively uses this increased oversight ability,
           it could reduce the number of prompt-payment violations as well as
           reduce other improper contract payments made by the program
           office.

           Contractors have played, and will continue to play, a major role
           in delivering US-VISIT capabilities, including technology,
           facilities, and people. Therefore, the success of the program
           depends largely on how well DHS manages and oversees its
           US-VISIT-related contracts. Establishing and implementing
           effective contractor management and oversight controls, including
           financial management controls, can greatly increase the
           department's ability to manage and oversee US-VISIT-related
           contracts. However, the department's management and oversight of
           US-VISIT-related contracts are not yet at the level that they need
           to be to adequately ensure, for example, that contract
           deliverables satisfy program requirements, that cost and schedule
           commitments are met, that program outcomes are achieved, that
           funds are not overspent and improperly reimbursed, and that
           payments are made in a proper and timely manner.

           Although the program office has generally established and
           implemented key contractor management controls on those contracts
           that it manages directly, it has not adequately overseen
           US-VISIT-related contracts that were managed by other DHS and
           non-DHS agencies. According to program office officials, this is
           because they have initially focused on those contracts that they
           manage directly. However, this narrow focus raises concerns
           because the agencies managing contracts on the program office's
           behalf have not implemented the full range of management controls
           needed to have a full, accurate, reliable, and useful
           understanding of the scope of contract activities and performance.

           Moreover, none of the US-VISIT contracts that we reviewed have
           been subject to important financial management controls. As
           previous audits have shown, DHS suffers from numerous material
           weaknesses in financial management, some of which are directly
           related to ICE (the DHS component that provides financial
           management services to the program office). These weaknesses have
           contributed to the program's inability to know the full scope of
           contract activities and fully account for expenditures, among
           other things. By impairing the reliability and effectiveness of
           accounting for US-VISIT contracts, these weaknesses have
           diminished the program's ability to effectively manage and oversee
           work performed by contractors-work that is essential for the
           program to achieve its goals.

           Until DHS addresses these contract management and oversight
           weaknesses, the US-VISIT program will remain at risk of not
           delivering required capabilities and promised benefits on time and
           within budget, and it will be vulnerable to financial
           mismanagement.

           Given the US-VISIT program's mission importance, size, and heavy
           reliance on contractor assistance, we recommend that the Secretary
           of Homeland Security direct the US-VISIT Program Director to take
           the following five actions to strengthen contract management and
           oversight, including financial management:

           o  For each US-VISIT contract action that the program manages
           directly, establish and maintain a plan for performing the
           contractor oversight process, as appropriate.
           o  Develop and implement practices for overseeing contractor work
           managed by other agencies on the program office's behalf,
           including (1) clearly defining roles and responsibilities for both
           the program office and all agencies managing US-VISIT-related
           contracts; (2) having current, reliable, and timely information on
           the full scope of contract actions and activities; and (3)
           defining and implementing steps to verify that deliverables meet
           requirements.
           o  Require, through agreements, that agencies managing contract
           actions on the program office's behalf implement effective
           contract management practices consistent with acquisition guidance
           for all US-VISIT contract actions, including, at a minimum, (1)
           establishing and maintaining a plan for performing contract
           management activities; (2) assigning responsibility and authority
           for performing contract oversight; (3) training the people
           performing contract oversight; (4) documenting the contract; (5)
           verifying that deliverables satisfy requirements; (6) monitoring
           contractor-related risk; and (7) monitoring contractor performance
           to ensure that the contractor is meeting schedule, effort, cost,
           and technical performance requirements.
           o  Require DHS and non-DHS agencies that manage contracts on
           behalf of the program to (1) clearly define and delineate US-VISIT
           work from non-US-VISIT work as performed by contractors; (2)
           record, at the contract level, amounts being billed and expended
           on US-VISIT-related work so that these can be tracked and reported
           separately from amounts not for US-VISIT purposes; and (3)
           determine if they have received reimbursement from the program for
           payments not related to US-VISIT work by contractors, and if so,
           refund to the program any amount received in error.
           o  Ensure that payments to contractors are timely and in
           accordance with the Prompt Payment Act.

           We received written comments on a draft of this report from DHS,
           which were signed by the Director, Departmental GAO/IG Liaison
           Office, and are reprinted in appendix II. We also received
           comments from the Director of AERC and the Assistant Commissioner
           for Organizational Resources, Public Buildings Service, GSA. Both
           the Department of Defense audit liaison and the GSA audit liaison
           requested that we characterize these as oral comments.

           In its written comments, DHS stated that although it disagreed
           with some of our assessment, it agreed with many areas of the
           report and concurred with our recommendations and the need for
           improvements in US-VISIT contract management and oversight. The
           department disagreed with certain statements and provided
           additional information about three examples of financial
           management weaknesses in the report. Summaries of DHS's comments
           and our response to each are provided below.

           o  The department characterized as misleading our statements that
           US-VISIT (1) depended on other agencies to manage financial
           matters for their respective contracts and (2) relied on another
           agency for US-VISIT's own financial management support. With
           respect to the former, DHS noted that the decision to use other
           agencies was based on the nature of the services that were
           required, which it said were outside the scope of the program
           office's areas of expertise. We understand the rationale for the
           decision to use other agencies, and the statement in question was
           not intended to suggest anything more than that such a decision
           was made. We have slightly modified the wording to avoid any
           misunderstanding.

           With respect to its own financial management, DHS said that for us
           to declare that US-VISIT depended on another agency for financial
           management support without identifying the agency and the system,
           in combination with our acknowledging that we did not examine the
           effectiveness of this unidentified system, implies that our
           report's scope is broader than what our congressional clients
           asked us to review. We do not agree. First, our report does
           identify ICE as the agency that the program office relies on for
           financial management support. Second, although we did not identify
           by name the ICE financial management system, we did describe in
           detail the serious financial management challenges at ICE, which
           have been reported repeatedly by the department's financial
           statement auditors and which have contributed to the department's
           inability to obtain a clean audit opinion. Moreover, we fully
           attributed these statements about these serious challenges to the
           auditors.

           o  The department said that our statement regarding the purpose of
           the contracts managed by AERC needed to be clarified, stating that
           our report reflects the scope of the two contract actions reviewed
           and not the broader scope of services under the interagency
           agreement. We agree that the description of AERC services in our
           report is confined to the scope of the two contract actions that
           we reviewed. This is intentional on our part since the scope of
           our review did not extend to the other services. We have modified
           the report to clarify this.
           o  The department provided additional information about three
           examples of invoice discrepancies and improper payments cited in
           the report, including reasons why they occurred. Specifically, the
           department said that the reason that CBP reported a 2002
           contracting action as also a 2004 contracting action was because
           of the concurrent merger of CBP within DHS and the implementation
           of CBP's new financial system. It further stated that the reason
           that US-VISIT made a duplicate payment to the prime contractor
           was, at least partially, due to poor communication between
           US-VISIT and its finance center. Regarding two other duplicate
           payments, DHS stated that while the cause of the duplicate
           payments is not completely clear from the available evidence, both
           are almost certainly errors resulting from processes with
           significant manual components, as opposed to deliberate control
           overrides, since adequate funds were available in the correct
           accounts for each case. The department also noted that
           communications may have also contributed to one of these two
           duplicate payments. We do not question the department's reasons or
           the additional information provided for the other payments, but
           neither changes our findings about the invoice discrepancies and
           improper payments.

           o  The department stated that although the contractor initially
           identified the AERC overpayment on September 13, 2005, the
           US-VISIT program office independently identified the billing
           discrepancy on November 1, 2005, and requested clarification from
           AERC the following day. The department further stated that because
           we describe the overpayment example in the report as being a small
           dollar value, we should have performed a materiality test in
           accordance with accounting principles in deciding whether the
           overpayment should be disclosed in a public report.

           We do not dispute whether the US-VISIT program independently
           identified the overpayment in question. Our point is that an
           invoice overpayment occurred because adequate controls were not in
           place. In addition, while we agree that materiality is relevant to
           determining whether to cite an example of an improper payment,
           another relevant consideration to significance is the frequency of
           the error. Our decision to disclose this particular overpayment
           was based on our judgment regarding the significance of the error
           as defined in generally accepted government auditing standards. It
           is our professional judgment that this overpayment is significant
           because of the frequency with which it occurred. Specifically, of
           the eight invoices that we reviewed, four were improperly paid.

           In oral comments, the Director of AERC questioned the
           applicability of the criteria we used to evaluate AERC contract
           management practices and our assessment of its process for
           verifying and accepting deliverables. Despite these disagreements,
           he described planned corrective actions to respond to our
           findings.

           o  The Director stated in general that the Capability Maturity
           Model Integration (CMMI)(R) model was not applicable to the
           contracts issued by the Corps of Engineers, and in particular that
           a contract oversight plan was not applicable to the two contract
           actions that we reviewed. In addition, the Director commented that
           AERC's practices were adequate to deal appropriately with
           contractor performance issues had these been raised. Nonetheless,
           to address this issue, the Director stated that AERC would require
           the US-VISIT program office to submit an oversight plan describing
           the project's complexity, milestones, risks, and other relevant
           information, and it would appoint qualified CORs or COTRs to
           implement the plans and monitor contractor performance.

           We disagree with AERC's comments on the applicability of our
           criteria. Although the CMMI model was established to manage IT
           software and systems, the model's practices are generic and
           therefore applicable to the acquisition of any good or service.
           Specifically, the contractor management oversight practices
           discussed in this report are intended to ensure that the
           contractor performs the requirements of the contract, and the
           government receives the services and/or products intended within
           cost and schedule. We also do not agree that the contract actions
           in question did not warrant oversight plans. Although the content
           of oversight plans may vary (depending on the type, complexity,
           and risk of the acquisition), each acquisition should have a plan
           that, at a minimum, describes the oversight process, defines
           responsibilities, and identifies the contractor evaluations and
           reviews to be conducted. Since the chances of effective oversight
           occurring are diminished without documented plans, we support the
           program manager's commitment to require these plans in the future.

           o  Regarding an overpayment discussed in our report, the Director
           indicated that this problem was resolved as described in DHS's
           comments, and that in addition, AERC has procedures and controls
           to prevent the government from paying funds in excess on a
           firm-fixed price contract such as the one in question.
           Nonetheless, the Director described plans for strengthening
           controls over contract progress payments and invoices, including
           having trained analysts review all invoices and ensuring that a
           program/project manager has reviewed the invoices and submitted
           written authorization to pay them. The Director also stated that
           AERC has an established process for controlling and paying
           invoices, which provides for verifying and accepting deliverables.
           We do not consider that the AERC process was established because
           although AERC officials described it to us, it was neither
           documented nor consistently followed. For example, one contracting
           action that we reviewed had three invoices that did not have a
           signature or other documentation of approval, even though such
           approval, according to AERC, is a required part of the process.

           In oral comments, the GSA Assistant Commissioner disagreed with
           the applicability of certain of the criteria that we used in our
           assessment, as well as with our assessment that these and other
           criteria had not been met. For example, the Assistant Commissioner
           stated that regulations or policies do not require GSA to
           establish and maintain a plan for performing the contract
           oversight process, that its current practices and documents (such
           as the contract statement of work and COR/COTR delegation letters)
           in effect establish and maintain such a plan, that GSA documented
           the oversight process and results to the extent necessary to
           ensure contractor performance, and that GSA had established a
           requirement to conduct contractor reviews. Although, as we state
           in our report, GSA policies do not include a requirement for an
           oversight plan, we still believe that it is appropriate to
           evaluate GSA against this practice (which is consistent with sound
           business practices and applies to any acquisition), and that GSA's
           processes and activities did not meet the criteria for this
           practice and ensure effective oversight of the contracts. We did
           not find that the delegation letters and contract statements of
           work were sufficient substitutes for such plans, because, for
           example, they do not consistently describe the contractor
           oversight process or contractor reviews. Further, the inclusion of
           a requirement for contractor reviews in some contracts/statements
           of work does not constitute agencywide policies and procedures for
           performing reviews on all contracts.

           GSA also provided further descriptions of its financial management
           controls and oversight processes and activities, but these
           descriptions did not change our assessment of GSA's financial
           management controls or the extent to which the oversight processes
           and activities satisfy the practices that we said were not
           established49 or not consistently implemented. Among these
           descriptions was information on an automated tool that GSA
           provided its contracting officers; however, this tool was not used
           during the period under review. GSA also provided certain
           technical comments, which we have incorporated in our report, as
           appropriate.

           As agreed with your offices, unless you publicly announce the
           contents of this report earlier, we plan no further distribution
           until 30 days from the report date. At that time, we will send
           copies of this report to the Chairmen and Ranking Minority Members
           of the Senate and House Appropriations Committees, as well as to
           the Chairs and Ranking Minority Members of other Senate and House
           committees that have authorization and oversight responsibility
           for homeland security. We will also send copies to the Secretary
           of Homeland Security, the Secretary of Defense, the Administrator
           of GSA, and the Director of OMB. Copies of this report will also
           be available at no charge on our Web site at http:// www.gao.gov .

           Should your offices have any questions on matters discussed in
           this report, please contact Randolph C. Hite at (202) 512-3439 or
           at [email protected] , or McCoy Williams at (202) 512-9095 or at
           [email protected] . Contact points for our Offices of
           Congressional Relations and Public Affairs may be found on the
           last page of this report. Key contributors to this report are
           listed in appendix IV.

           Randolph C. Hite Director, Information Technology Architecture and
           Systems Issues

           McCoy Williams Director, Financial Management and Assurance

           List of Requesters

           The Honorable Peter T. King Chairman The Honorable Bennie G.
           Thompson Ranking Minority Member Committee on Homeland Security
           House of Representatives

           The Honorable Bob Filner House of Representatives

           The Honorable Raul Grijalva House of Representatives

           The Honorable Ruben Hinojosa House of Representatives

           The Honorable Solomon Ortiz House of Representatives

           The Honorable Silvestre Reyes House of Representatives

           Our objective was to determine whether the Department of Homeland
           Security (DHS) has established and implemented effective controls
           for managing and overseeing contracts related to the U.S. Visitor
           and Immigrant Status Indicator Technology (US-VISIT) program. To
           address our objective, we assessed the implementation of key
           contractor management controls at the program office and at other
           DHS and non-DHS agencies responsible for managing US-VISIT-related
           contracts. We also evaluated the program office's oversight of
           US-VISIT-related contracts managed by these other organizations.
           Finally, we reviewed internal control processes and procedures in
           place over contract financial management.

           Besides the US-VISIT program office, the organizations within DHS
           that we identified as having responsibility for managing
           US-VISIT-related contracts were

           o  Customs and Border Protection (CBP),
           o  the Transportation Security Agency (TSA), and
           o  Immigration and Customs Enforcement (ICE).

           The non-DHS agencies performing work in support of US-VISIT were

           o  the General Services Administration (GSA) and
           o  the Army Corps of Engineers Architect-Engineer Resource Center
           (AERC).

           Contract management controls: To assess key contract management
           controls and implementation of those controls at US-VISIT and
           other agencies responsible for managing US-VISIT-related
           contracts, we identified leading public and private sector
           practices on contract management, such as those prescribed by the
           Federal Acquisition Regulation (FAR)1 and Carnegie Mellon
           University's Software Engineering Institute, which publishes the
           Capability Maturity Model Integration.2 US-VISIT officials
           identified the contracts being managed by the program, all within
           the Acquisition Program Management Office (APMO). To evaluate the
           management of the program's contracts, we assessed APMO's and
           other agencies' documented policies against the leading practices
           that we identified. We also determined the extent to which those
           policies were applied to specific contracting actions and
           determined the extent to which, if any, other formal or otherwise
           established practices were used to manage or oversee the specific
           contract actions. We also discussed any variances with agency
           officials to determine the reasons why those variances existed.

           In determining the extent to which practices/subpractices were
           judged to be established/implemented, we categorized them into one
           of the following:

           o  established/implemented,
           o  partially established/implemented, or
           o  not established/implemented.

           We judged whether the practice was established, partially
           established, or not established depending on whether the agency
           had documented policies and procedures addressing the practice and
           all, some, or none of the subpractices (where applicable). We
           judged whether a practice was implemented, partially implemented,
           or not implemented on the basis of documentation demonstrating
           that the practice and all, some, or none of the subpractices
           (where applicable) had been implemented for the contracting
           actions that we reviewed.

           We judged that an agency had "partially established" the
           requirement for a practice or subpractice if the agency relied
           only on the FAR requirement to perform this activity, but did not
           establish a process (i.e., documented procedures) for how the FAR
           requirement was to be met.

           We judged that an agency had "partially implemented" a practice or
           subpractice if it had implemented some, but not all, facets of the
           practice (including its own related requirements for that
           practice).

           To select specific contracting actions for review, we analyzed
           documentation provided by the program and by the DHS and non-DHS
           agencies responsible for managing US-VISIT-related contracts, to
           identify all contracting work performed in support of the program.

           Program officials were unable to validate the accuracy,
           reliability, and completeness of the list of contracting actions.
           Therefore, we did not perform a statistical sampling of the
           identified contracting actions. Rather, we judgmentally selected
           from each agency one contracting action for US-VISIT-related work
           awarded in each fiscal year from March 1, 2002, through March 31,
           2005, focusing on service-based contracts. Thus, fiscal years 2002
           through 2005 were each reviewed to some extent. Not all
           organizations awarded contracting actions in every fiscal year
           covered under our review, in which case an action was not selected
           for that fiscal year for that organization. The contracting
           actions selected from ICE were excluded in our analysis of the
           implementation of management and financial controls because of
           delays in receiving contract-specific documentation. One program
           management contract that was reported to us by US-VISIT was
           transferred to the program from ICE shortly before the end of our
           review period, and so we were unable to determine, because of the
           issues with ICE identified above, what management activities were
           performed on the contract.

           For each selected contracting action, we reviewed contract
           documentation, including statements of work, project plans,
           deliverable reviews, and other contract artifacts, such as
           contractor performance evaluations. We then compared documentary
           evidence of contract management activity to leading practices and
           documented policies, plans, and practices. Finally, we determined
           what, if any, formal or established oversight practices were in
           existence at the contract level.

           Table 5 shows the judgmental selection of contract actions that
           were reviewed for each agency, including APMO.

31No results are provided for ICE regarding implementation of these
practices because we were unable to obtain contract documentation in time
for our analysis.

32The contracting officer is the person with authority to procure, enter
into, administer, and terminate contracts and make related determinations
and findings. The project manager is responsible for planning, directing,
controlling, structuring, and motivating the project. The COTR reviews
contractor performance regularly, ensures that contractual milestones are
met and standards are being maintained, conducts regular inspections of
contractor deliverables throughout the contract period, and ensures that
all contract conditions and clauses are acted upon.

33No results are provided for ICE regarding implementation of these
practices because we were unable to obtain contract documentation in time
for our analysis.

34All of the deficiencies were level 3, which TSA defines as a defect that
negatively impacts the environment and/or the application but that can be
overcome by a manual workaround, by additional training, or by addressing
the fix as part of a subsequent enhancement.

Program Office and Other Agencies' Contract Management Was Impaired by Financial
Management Weaknesses

  Serious DHS Financial Management Problems Affected the Quality of Financial
  Data for US-VISIT Contracts

35GAO, Financial Management: Department of Homeland Security Faces
Significant Financial Management Challenges, GAO-04-774 (Washington, D.C.:
July 19, 2004).

36For the 7-month period from March 1, 2003, to September 30, 2003, DHS
received a qualified opinion from its independent auditors on its
consolidated balance sheet as of September 30, 2003, and the related
statement of custodial activity for the 7 months ending September 30,
2003. Auditors were unable to opine on the consolidated statements of net
costs and changes in net position, combined statement of budgetary
resources, and consolidated statement of financing. For fiscal years 2004
and 2005, DHS's independent auditors were unable to opine on any of its
financial statements.

37DHS, Performance and Accountability Report: Fiscal Year 2005 (Nov. 15,
2005).

38Under standards issued by the American Institute of Certified Public
Accountants, "reportable conditions" are matters coming to the auditors'
attention relating to significant deficiencies in the design or operation
of internal controls that, in the auditors' judgment, could adversely
affect the department's ability to record, process, summarize, and report
financial data consistent with the assertions of management in the
financial statements. Material weaknesses are reportable conditions in
which the design or operation of one or more of the internal control
components does not reduce (to a relatively low level) the risk that
misstatements, in amounts that would be material in relation to the
financial statements being audited, may occur and not be detected in a
timely period by employees in the normal course of performing their
assigned functions.

39DHS, Performance and Accountability Report: Fiscal Year 2004 (Nov. 18,
2004), and Performance and Accountability Report: Fiscal Year 2005 (Nov.
15, 2005).

  Program Office and Other DHS Agencies Did Not Adequately Track Billings and
  Expenditures

40 GAO/AIMD-00-21 .3.1.

41 GAO-01-1008G .

42The $7.5 million reported as the invoiced amount is the addition of the
invoiced amounts reported separately for the 2002 and 2004 task order
numbers.

  Several Payments to Contractors for US-VISIT Work Were Improperly Paid and
  Accounted for

43 GAO-01-1008G .

44Refund documentation did not provide evidence showing whether DHS
officials or contractor staff noticed the overpayment.

45 GAO-01-1008G .

46DHS, Reimbursable Agreements, Management Directive System, MD 0710.1.

47Codified at 31 U.S.C. S:S: 3901-3904 and implemented at 5 C.F.R. pt
1315.

                                  Conclusions

48DHS, Performance and Accountability Report: Fiscal Year 2005 (Nov. 15,
2005).

                      Recommendations for Executive Action

                       Agency Comments and Our Evaluation

49That is, the agency had not documented these processes and activities
and established their performance, as would be consistent with the best
practice.

Appendix I: Objective, Scope, and Methodology Appendix I: Objective,
Scope, and Methodology

1The FAR system establishes the uniform set of policies and procedures for
acquisition by all executive branch agencies. This system consists of the
primary FAR document and agency acquisition regulations that implement or
supplement the FAR.

2Capability Maturity Model Integration, Systems Engineering Integrated
Product and Process Development, Continuous Representation, version 1.1.

Table 5: Contract Actions Related to US-VISIT That Were Examined in This
Review

Source: GAO analysis of agency data.

aUS-VISIT did not manage any contracts before fiscal year 2004.

bIn fiscal years 2004 and 2005, GSA issued two task orders under the same
contract for similar types of work. Both of these task orders were
selected for our review.

cAERC did not issue new US-VISIT-related work in fiscal year 2004.

Contract oversight controls: To assess the program's oversight of
program-related contracts, we used DHS guidance pertaining to intra- and
intergovernmental contracting relationships,3 as well as practices for
oversight developed by us.  We met with program office officials to
determine the extent to which the program office oversaw the performance
of US-VISIT-related contracts and identified the organizations performing
work in support of the program (as listed earlier). We met with these
organizations to determine the extent to which the program office
interacted with them in an oversight capacity.

Financial management controls: To assess internal control processes and
procedures in place over contract financial management, we reviewed
authoritative guidance on contract management found in the following:

           o  the FAR;
           o  our Policy and Procedures Manual for Guidance of Federal
           Agencies, Title 7-Fiscal Guidance;
           o  Office of Management and Budget (OMB) Revised Circular A-123,
           Management's Responsibility for Internal Control; and
           o  OMB Revised Circular A-76, Performance of Commercial
           Activities.

           We also reviewed DHS's performance and accountability reports for
           fiscal years 2003, 2004, and 2005, including the financial
           statements and the accompanying independent auditor's reports, and
           we reviewed other relevant audit reports issued by us and
           Inspectors General. We interviewed staff of the independent public
           accounting firm responsible for auditing ICE and the DHS bureaus
           for which ICE provides accounting services (including US-VISIT).

           We obtained the congressionally approved budgets for US-VISIT work
           and other relevant financial information. For each of the
           contracting actions selected for review, listed above, at
           US-VISIT, AERC, GSA, CBP, and TSA, we obtained copies of available
           invoices and related review and approval documentation. We
           reviewed the invoice documentation for evidence of compliance with
           our Standards for Internal Control in the Federal Government and
           Internal Control Management and Evaluation Tool.4 Specifically, we
           reviewed the invoices for evidence of the performance of certain
           control activities, including the following: review and approval
           before payment by a contracting officer, contracting officer's
           technical representative, and other cognizant officials;
           reasonableness of expenses billed (including travel) and their
           propriety in relation to US-VISIT; payment of the invoice in the
           proper amount and to the correct vendor; payment of the invoice
           from a proper funding source; and payment of the invoice within 30
           days as specified by the Prompt Payment Act. We also reviewed the
           invoices for compliance with requirements of the specific contract
           provisions for which they were billed. We did not review invoice
           documentation for the selected contracting actions managed by ICE,
           because ICE did not provide us with invoice documentation for all
           requested contracts in time to meet fieldwork deadlines.

           We also obtained copies of invoices paid through July 2005 and
           available payment review and approval documentation on the prime
           contract from the ICE finance center. We reviewed this
           documentation for evidence of execution of internal controls over
           payment approval and processing. In addition, we performed data
           mining procedures on the list of payments from APMO for unusual or
           unexpected transactions. Based on this analysis, we chose a
           judgemental selection of payments and reviewed their related
           invoice and payment approval documentation.

           We interviewed agency officials involved with budgeting, financial
           management, contract oversight, and program management at the
           program office, ICE, CBP, TSA, AERC, and GSA. We obtained and
           reviewed DHS and US-VISIT policies, including

           o  the DHS Acquisition Manual;
           o  US-VISIT Contract Management and Administration Plan;
           o  US-VISIT Acquisition Procedures Guide (APG-14)-Procedures for
           Invoice Review and Approval;
           o  DHS Management Directive 0710.1 (Reimbursable Agreements); and
           o  CBP and ICE's standard operating procedures regarding financial
           activities.

           We also interviewed representatives from the prime contractor to
           determine how they track certain cost information and invoice the
           program. In addition, we observed how requisitions and obligations
           are set up in the financial management system used by the program.

           We observed invoice processing and payment procedures at the CBP
           and ICE finance centers, the two major finance centers responsible
           for processing payments for program-related work. From the CBP
           finance center, we obtained data on expenditures for
           US-VISIT-related work made by CBP from fiscal year 2003 through
           fiscal year 2005. From the ICE finance center, which processes
           payments for the program office, we obtained a list of payments
           made by US-VISIT from August 2004 through July 2005. We did not
           obtain this level of detail for expenditures at AERC and GSA
           because these agencies are external to DHS; therefore we do not
           report on the reliability of expenditure reporting by either
           agency.

           From ICE's finance center, we also obtained and reviewed a list of
           Intra-governmental Payment and Collection system transactions paid
           by the US-VISIT program office to its federal trading partners
           through September 30, 2005. We requested a list of expenditures on
           program-related contracts managed by ICE; however, ICE was unable
           to provide a complete, reliable list. Officials at ICE's Debt
           Management Center, however, did provide a list of ICE's
           interagency agreements related to US-VISIT.

           In assessing data reliability, we determined that the available
           data for this engagement were not sufficiently reliable for us to
           conduct statistical sampling or to base our conclusions solely on
           the data systems used by the program and other agencies managing
           US-VISIT-related contracts. Specifically, the contracting actions
           managed by the program office and these agencies were
           self-reported and could not be independently validated. Further,
           recent audit reports found that the financial system used by the
           program office and ICE was unreliable, and because of the system,
           among other reasons, the auditors could not issue an opinion on
           DHS's fiscal year 2004 and 2005 financial statements. Our
           conclusions, therefore, are based primarily on documentary reviews
           of individual contracting actions and events, and our findings
           cannot be projected in dollar terms to the whole program.

           We conducted our work at

           o  DHS finance centers in Dallas, Texas and Indianapolis, Indiana;
           o  CBP facilities in Washington, D.C., and Newington, Virginia;
           o  ICE facilities in Washington, D.C.;
           o  TSA facilities in Arlington, Virginia;
           o  the US-VISIT program offices in Rosslyn, Virginia; and
           o  GSA and AERC facilities in Ft. Worth, Texas.

           Our work was conducted from March 2005 through April 2006, in
           accordance with generally accepted government auditing standards.

           We evaluated the extent to which the agencies covered by our
           review (US-VISIT APMO, GSA, AERC, CBP, TSA, and ICE1) had
           established and implemented effective contract management and
           oversight practices for the contracting actions that we reviewed.

           Details are presented, by agency, in this appendix. Some practices
           are further divided into subpractices. The extent to which
           practices/subpractices were judged to be established/implemented
           was categorized as one of the following:

           0M = established/implemented

           0L = partially established/implemented

           0m = not established/implemented

           We judged whether the practice was established, partially
           established, or not established depending on whether the agency
           had documented policies and procedures addressing the practice and
           all, some, or none of the subpractices (where applicable). We
           judged whether a practice was implemented, partially implemented,
           or not implemented on the basis of documentation demonstrating
           that the practice and all, some, or none of the subpractices
           (where applicable) had been implemented for the contracting
           actions that we reviewed.

           We judged that an agency had "partially established" the
           requirement for a practice or subpractice if the agency relied
           only on the FAR requirement to perform this activity, but did not
           establish a process (i.e., documented procedures) for how the FAR
           requirement was to be met.

           We judged that an agency had "partially implemented" a practice or
           subpractice if it had implemented some, but not all, facets of the
           practice (including its own related requirements for that
           practice).

3DHS, Reimbursable Agreements, Management Directive System, MD 0710.1.

4 GAO/AIMD-00-21 .3.1; GAO-01-1008G .

Appendix II: Comments from the Department of Homeland Security Appendix
II: Comments from the Department of Homeland Security

Appendix III: Detailed Agency Evaluations Appendix III: Detailed Agency
Evaluations

1No results are provided for ICE regarding implementation of best
practices, because we were unable to obtain contract documentation in time
for analysis.

Table 6: Evaluation of US-VISIT Acquisition and Program Management Office

Legend:

0M = Established/implemented

0L = Partially established/implemented

0m = Not established/implemented

Sources: Software Engineering Institute (SEI), GAO analysis of agency
data.

Note: The following are the services provided in the contracts described,
by fiscal year.

FY 2004: Program-level management

FY 2005: US-VISIT strategic plan development

Table 7: Evaluation of General Services Administration

Legend:

0M = Established/implemented

0L = Partially established/implemented

0m = Not established/implemented

Sources: SEI, GAO analysis of agency data.

Note: The following are the services provided in the contracts described,
by fiscal year.

FY 2002: Pre-award and post-award acquisition services

FY 2003: Planning and mobilization for feasibility studies

FY 2004: Program management of US-VISIT at ports of entry

FY 2005: Program management of US-VISIT at ports of entry

Table 8: Evaluation of Army Corps of Engineers Architect-Engineer Resource
Center

Legend:

0M = Established/implemented

0L = Partially established/implemented

0m = Not established/implemented

Sources: SEI, GAO analysis of agency data.

Note: The following are the services provided in the contracts described,
by fiscal year.

FY 2003: On-site program management at ports of entry

FY 2005: Economic impact assessment of US-VISIT along northern and
southern borders

Table 9: Evaluation of Customs and Border Protection

Legend:

0M = Established/implemented

0L = Partially established/implemented

0m = Not established/implemented

Sources: SEI, GAO analysis of agency data.

Note: The following are the services provided in the contracts described,
by fiscal year.

FY 2002: Commercial recovery services

FY 2003: Infrastructure upgrades at ports of entry

FY 2004: Software maintenance and development for Increment 2B

Table 10: Evaluation of Transportation Security Administration

Legend:

0M = Established/implemented

0L = Partially established/implemented

0m = Not established/implemented

Sources: SEI, GAO analysis of agency data.

Note: The following are the services provided in the contract described:

FY 2003: Air/sea exit

Table 11: Evaluation of Immigration and Customs Enforcement

Legend:

0M = Established

0L = Partially established

0m = Not established

Sources: SEI, GAO analysis of agency data.

Appendix IV: GAO Contacts and Staff Acknowledgments

                                  GAO Contacts

Randolph C. Hite, (202) 512-3439 or [email protected]

McCoy Williams, (202) 512-9095 or [email protected]

                             Staff Acknowledgments

In addition to the contacts named above, the following people made key
contributions to this report: Deborah Davis, Assistant Director; Casey
Keplinger, Assistant Director; Sharon Byrd; Shaun Byrnes; Barbara Collier;
Marisol Cruz; Francine Delvecchio; Neil Doherty; Heather Dunahoo; Dave
Hinchman; James Houtz; Stephanie Lee; David Noone; Lori Ryza; Zakia
Simpson; and Charles Youman.

(310600)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548

www.gao.gov/cgi-bin/getrpt? GAO-06-404 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Randolph C. Hite at (202) 512-3439 or McCoy
Williams at (202) 512-9095.

Highlights of GAO-06-404 , a report to congressional requesters

June 2006

HOMELAND SECURITY

Contract Management and Oversight for Visitor and Immigrant Status Program
Need to Be Strengthened

The Department of Homeland Security (DHS) has established a
multibillion-dollar program-U.S. Visitor and Immigrant Status Indicator
Technology (US-VISIT)-to control and monitor the pre-entry, entry, visa
status, and exit of foreign visitors. To deliver system and other program
capabilities, the program relies extensively on contractors, some of whom
are managed directly by US-VISIT and some by other agencies (including
both DHS agencies, such as Customs and Border Protection, and non-DHS
agencies, such as the General Services Administration). Because of
US-VISIT's heavy reliance on contractors to deliver program capabilities,
GAO was asked to determine whether DHS has established and implemented
effective controls for managing and overseeing US-VISIT-related contracts.

What GAO Recommends

GAO is making recommendations to the Secretary of Homeland Security to
ensure that effective contract management and financial controls are
established and implemented both for contracts managed by the US-VISIT
program office and for those managed by other agencies. In written
comments on a draft of this report, DHS concurred with the
recommendations. In oral comments, officials from other agencies provided
comments aimed at clarifying selected GAO statements.

US-VISIT-related contracts have not been effectively managed and overseen.
The US-VISIT program office established and implemented certain
nonfinancial controls for those contracts that it managed directly, such
as verifying that contractor deliverables satisfied established
requirements. However, it did not implement effective controls for
overseeing its contracts managed by other DHS agencies and by non-DHS
agencies. Moreover, effective financial controls were not in place on any
contracts that GAO reviewed (see table for agencies managing these
contracts).

           o  The program office did not know the full extent of
           US-VISIT-related contract actions, and it had not performed key
           nonfinancial practices associated with understanding contractor
           performance in meeting the terms of these contracts. This
           oversight gap was exacerbated by the fact that the other agencies
           had not always established and implemented effective controls for
           managing their respective contracts. These other agencies directly
           managed more than half (56 percent) of the total US-VISIT-related
           contract obligations reported to GAO.
           o  The program office and other agencies did not implement
           effective financial controls. Without these controls, some
           agencies were unable to reliably report US-VISIT contracting
           expenditures. Further, the program office and these other agencies
           improperly paid and accounted for related invoices, including
           making duplicate payments and payments for non-US-VISIT services
           with funds designated for US-VISIT.

According to the US-VISIT program official responsible for contract
matters, the program office has focused on contracts that it manages
directly and decided to rely on the responsible agencies to manage the
other contracts. Further, it has decided to use other agencies to properly
manage financial matters for their respective contracts, and it also
decided to rely on another agency for its own financial management
services. Without effective contract management and oversight controls,
the program office does not know that required program deliverables and
mission results will be produced on time and within budget, and that
proper payments are made.

Agencies Managing US-VISIT-Related Contracts

Source: GAO analysis.
*** End of document. ***