FROM DOC_DB.DOCUMENT D, DOC_DB.REPORTS R, DOC_DB.BACKGROUND B
*
ERROR at line 2:
ORA-00942: table or view does not exist
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-404
TITLE: HOMELAND SECURITY: Contract Management and Oversight
for Visitor and Immigrant Status Program Need to Be Strengthened
DATE: 06/09/2006
-----------------------------------------------------------------
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-404
* Results in Brief
* Background
* Acquisition and Implementation Approach
* Organizational Structure and Responsibilities
* US-VISIT Relationships with Other DHS and Non-DHS Agencies
* Summary of DHS Reported Obligations for US-VISIT Contracts
* Prior Reviews Related to DHS Contractor Oversight and Manage
* Importance of Contractor Management Controls
* US-VISIT Established and Implemented Key Controls for Contra
* Program Office Established and Implemented Key Contractor Ma
* The Program Office Did Not Effectively Oversee US-VISIT-Rela
* US-VISIT's Oversight of Other Agencies' Contracting Activiti
* Agencies Managing US-VISIT-Related Contractors Did Not Estab
* All Agencies Established Some Policies and Procedures
for Co
* Agencies' Implementation of Key Practices Was Uneven
* Program Office and Other Agencies' Contract Management Was I
* Serious DHS Financial Management Problems Affected the Quali
* Program Office and Other DHS Agencies Did Not Adequately Tra
* The Amounts Reportedly Billed on US-VISIT-Related
Contracts
* DHS Agencies Did Not Always Separately Track
Expenditures Ma
* Several Payments to Contractors for US-VISIT Work Were Impro
* Conclusions
* Recommendations for Executive Action
* Agency Comments and Our Evaluation
* GAO Contacts
* Staff Acknowledgments
* GAO's Mission
* Obtaining Copies of GAO Reports and Testimony
* Order by Mail or Phone
* To Report Fraud, Waste, and Abuse in Federal Programs
* Congressional Relations
* Public Affairs
Report to Congressional Requesters
United States Government Accountability Office
GAO
June 2006
HOMELAND SECURITY
Contract Management and Oversight for Visitor and Immigrant Status Program
Need to Be Strengthened
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management US-VISIT Contract Management US-VISIT
Contract Management US-VISIT Contract Management US-VISIT Contract
Management US-VISIT Contract Management US-VISIT Contract Management
US-VISIT Contract Management
GAO-06-404
Contents
Letter 1
Results in Brief 2
Background 4
US-VISIT Established and Implemented Key Controls for Contracts That It
Managed Directly, but It Did Not Have Controls for Overseeing Contracts
Managed by Others or for Effective Financial Management 18
Conclusions 41
Recommendations for Executive Action 42
Agency Comments and Our Evaluation 43
Appendix I Objective, Scope, and Methodology 50
Appendix II Comments from the Department of Homeland Security 59
Appendix III Detailed Agency Evaluations 63
Appendix IV GAO Contacts and Staff Acknowledgments 76
Tables
Table 1: Relationships between Servicing Agencies Managing
US-VISIT-Related Contracts and US-VISIT Program 12
Table 2: APMO's Establishment and Implementation of Key Contractor
Management Practices 20
Table 3: Status of Critical Contractor Management Practices at US-VISIT
Contract Management Agencies 26
Table 4: Acceptance Reports for One Contract Deliverable 30
Table 5: Contract Actions Related to US-VISIT That Were Examined in This
Review 53
Table 6: Evaluation of US-VISIT Acquisition and Program Management Office
64
Table 7: Evaluation of General Services Administration 66
Table 8: Evaluation of Army Corps of Engineers Architect-Engineer Resource
Center 68
Table 9: Evaluation of Customs and Border Protection 70
Table 10: Evaluation of Transportation Security Administration 72
Table 11: Evaluation of Immigration and Customs Enforcement 74
Figures
Figure 1: Organizational Structure of DHS 8
Figure 2: Organizational Structure of US-VISIT Program Office and
Functional Responsibilities 9
Figure 3: Changes in US-VISIT System Ownership and Management, July
2003-March 2005 11
Figure 4: Distribution of $347 Million US-VISIT Obligated Contracting
Dollars between March 2002 and March 2005 13
Abbreviations
ADIS Arrival Departure Information System
AERC Architect-Engineering Resource Center
APMO Acquisition and Program Management Office
CBP Customs and Border Protection
CMMI Capability Maturity Model Integration
COR contracting officer's representative
COTR contracting officer's technical representative
DHS Department of Homeland Security
FAR Federal Acquisition Regulation
GSA General Services Administration
IAA inter- or intra-agency agreement
ICE Immigration and Customs Enforcement
IDENT Automated Biometric Identification System
INS Immigration and Naturalization Service
IPAC Intra-governmental Payment and Collection
OMB Office of Management and Budget
SEI Software Engineering Institute
TECS Treasury Enforcement Communications Systems
TSA Transportation Security Administration
US-VISIT U.S. Visitor and Immigrant Status Indicator Technology
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
June 9, 2006
Congressional Requesters
The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)
program of the Department of Homeland Security (DHS) is a governmentwide
program for controlling and monitoring the pre-entry, entry, visa status,
and exit of foreign visitors. The department is taking an incremental
approach to acquiring and implementing US-VISIT, with the initial
increments focused on enhancing existing systems, modifying facilities,
and augmenting program office staff. In doing so, DHS has relied heavily
on contractor support, obtained through multiple existing contracts
managed by several DHS and non-DHS agencies. Because of the importance of
effective contractor management and oversight to this program, you asked
us to determine whether the department has established and implemented
effective controls for managing and overseeing US-VISIT-related
contractors.
To achieve this objective, we reviewed the contracting policies and
procedures of DHS and non-DHS agencies responsible for US-VISIT-related
contracts.1 We also reviewed a set of contracting actions (contract awards
and task orders) that were performed between March 2002 and March 2005. We
could not ensure that the selected contracting actions were statistically
representative of all US-VISIT-related contracting actions because DHS did
not have a complete inventory of such actions. Instead, we used a
judgmental selection, focusing on service contracts from fiscal years 2002
to 2005.2
1The DHS agencies are the US-VISIT Acquisition and Program Management
Office, US-VISIT Facilities & Engineering Management, U.S. Customs and
Border Protection, Immigration and Customs Enforcement, and the
Transportation Security Administration. The non-DHS agencies are the
General Services Administration and the U.S. Army Corps of Engineers
Architect-Engineering Resource Center.
We conducted our review from March 2005 through April 2006 in accordance
with generally accepted government auditing standards. Further details of
our objective, scope, and methodology, including the basis for our
judgmental selection, are included in appendix I.
Results in Brief
Although the success of the US-VISIT program depends heavily on the work
performed by contractors, important US-VISIT-related contract activities
have not been effectively managed and overseen. For those contracts that
it directly managed, the program office established and implemented
nonfinancial management controls (such as assigning contractor management
responsibilities and authorities, training key contract management
personnel, and verifying that contractor deliverables satisfied
established requirements), but it fell short in other key areas. In
particular:
o The program office did not establish and implement effective
nonfinancial management controls for overseeing US-VISIT-related
contract work performed on its behalf by other DHS agencies, such
as Customs and Border Protection (CBP), and by two non-DHS
agencies-the Army Corps of Engineers Architect-Engineering
Resource Center (AERC)3 and the General Services Administration
(GSA). These agencies did not always establish and implement the
full range of nonfinancial controls needed to effectively manage
their respective contracts. For example, the program office did
not know what US-VISIT-related contract actions these other
agencies had under way and had completed, and the other agencies
generally did not establish and implement controls for ensuring
that contractor deliverables satisfied contract requirements,
which is significant given that these DHS and non-DHS agencies
directly managed more than half (56 percent) of the total
obligations reported to us for US-VISIT-related contract work
during the period of our review.
o The program office and other DHS and non-DHS agencies doing
work on its behalf also did not implement effective
US-VISIT-related financial management controls. In the absence of
these controls, several agencies were unable to reliably report
US-VISIT contracting expenditures. Further, the program office and
the other agencies improperly paid and accounted for related
invoices, including making duplicate payments and making payments
for non-US-VISIT services using funds designated for US-VISIT
purposes.
According to the US-VISIT program official responsible for
contract matters, the program office has focused on contracts that
it manages directly and decided to rely on other agencies to
manage the other US-VISIT contracts. Further, it decided to rely
on these other agencies to properly manage financial matters for
their respective contracts, and on another agency for its own
financial management support. Without effective controls over all
US-VISIT-related contracts and related financial management
matters, the program office does not know whether required program
deliverables and associated mission results will be produced on
time and within budget, and that proper payments are made and
accounted for.
We are making recommendations to the Secretary of Homeland
Security to ensure that effective contract management and
financial controls are established and implemented both for
contracts managed by the US-VISIT program office and for those
managed by other agencies. For example, we are recommending that
the program office develop and implement practices for overseeing
contractor work managed by other agencies on the program office's
behalf, including (among other things) having current, reliable,
and timely information on the full scope of contract actions and
activities. In addition, we are recommending that the program
office strengthen financial management by (among other things)
ensuring that agencies managing contracts on its behalf record
amounts being billed and expended on US-VISIT-related work so that
these can be tracked and reported separately from amounts not for
US-VISIT purposes.
In written comments on a draft of this report, DHS stated that
although it disagreed with some of our assessment, it agreed with
many areas of the report and concurred with our recommendations
and the need for improvements in US-VISIT contract management and
oversight. In particular, DHS described as misleading our
characterization of US-VISIT's dependency on other agencies for
financial management support. DHS noted that the decision to use
other agencies was based on the nature of the services that were
required, which it said were outside the scope of the program
office's areas of expertise. We understand the rationale for the
decision to use other agencies, and the statement in question was
not intended to suggest anything more than that such a decision
was made. The department also provided clarifying information
about invoice discrepancies and improper payments cited in the
report, including reasons why they occurred. We do not question
the department's reasons for the discrepancies; however, they do
not change our findings about the fact that these discrepancies
did indeed occur. We have modified the report, where appropriate.
DHS's comments, along with our responses, are discussed in detail
in the Agency Comments and Our Evaluation section of this report.
The comments are also reprinted in their entirety in appendix II.
Officials from AERC and GSA provided oral comments aimed at
clarifying some of our statements and findings. We have made
revisions as appropriate. These comments and our responses are
also discussed in the Agency Comments and Our Evaluation section
of the report.
In response to legislation,4 the Immigration and Naturalization
Service (INS) established in 2002 an Entry/Exit Program to
strengthen management of the pre-entry, entry, visa status, and
exit of foreign nationals who travel to the United States. With
the creation of DHS in March 2003 and the inclusion of INS as part
of the new department, this initiative was renamed US-VISIT. The
goals of US-VISIT are to
o enhance the security of U.S. citizens and visitors,
o facilitate legitimate travel and trade,
o ensure the integrity of the U.S. immigration system, and
o protect the privacy of our visitors.
To achieve these goals, US-VISIT is to collect, maintain, and
share information on certain foreign nationals who enter and exit
the United States; detect fraudulent travel documents, verify
traveler identity, and determine traveler admissibility through
the use of biometrics; and facilitate information sharing and
coordination within the border management community.
As of October 2005, about $1.4 billion has been appropriated for
the program, and according to program officials, about $962
million has been obligated.
DHS plans to deliver US-VISIT capability in four increments:
Increments 1 through 3 are interim, or temporary, solutions that
were to fulfill legislative mandates to deploy an entry/exit
system by specified dates; Increment 4 is to implement a long-term
vision that is to incorporate improved business processes, new
technology, and information sharing to create an integrated border
management system for the future. For Increments 1 through 3, the
program is building interfaces among existing ("legacy") systems;
enhancing the capabilities of these systems; deploying these
capabilities to air, sea, and land ports of entry; and modifying
ports of entry facilities. These increments are to be largely
acquired and implemented through task orders placed against
existing contracts.5
o Increment 1 concentrates on establishing capabilities at air
and sea ports of entry and is divided into two parts-1 and 1B.
Increment 1 (air and sea entry) includes the electronic capture
and matching of biographic and biometric information (two digital
index fingerscans and a digital photograph) for selected foreign
nationals, including those from visa waiver countries.6 Increment
1 was deployed on January 5, 2004, at 115 airports and 14
seaports. Increment 1B (air and sea exit) collects biometric exit
data for select foreign nationals; it is currently deployed at 14
airports and seaports.
o Increment 2 focuses primarily on extending US-VISIT to land
ports of entry. It is divided into three parts-2A, 2B, and 2C.
o Increment 2A includes the capability to
biometrically compare and authenticate valid
machine-readable visas and other travel and entry
documents issued by the Department of State and DHS
to foreign nationals at all ports of entry (air, sea,
and land ports of entry). Increment 2A was deployed
on October 23, 2005, according to program officials.
It is also to include the deployment by October 26,
2006, of technology to read biometrically enabled
passports from visa waiver countries.
o Increment 2B redesigned the Increment 1 entry
solution and expanded it to the 50 busiest U.S. land
border ports of entry with certain modifications to
facilities. This increment was deployed to these 50
ports of entry as of December 29, 2004.
o Increment 2C is to provide the capability to
automatically, passively, and remotely record the
entry and exit of covered individuals using radio
frequency technology tags at primary inspection and
exit lanes.7 In August 2005, the program office
deployed the technology to five border crossings (at
three ports of entry) to verify the feasibility of
using passive radio frequency technology to record
traveler entries and exits via a unique
identification number embedded within
government-issued travel documentation. The program
office reported the evaluation results in January
2006, and according to the Increment 2C project
manager, the program is planning to move forward with
the second phase of this increment.
o Increment 3 extended Increment 2B entry capabilities to 104 of
the remaining 105 land ports of entry as of December 19, 2005.8
o Increment 4 is to define, design, build, and implement more
strategic US-VISIT program capability, which program officials
stated will likely consist of a further series of incremental
releases or mission capability enhancements that will support
business outcomes.
The first three increments of US-VISIT include the interfacing of
existing systems, the modification of facilities, and the
augmentation of program staff. Key existing systems include the
following:
o The Arrival Departure Information System (ADIS) is a database
that stores noncitizen traveler arrival and departure data
received from air and sea carrier manifests and that provides
query and reporting functions.
o The Treasury Enforcement Communications Systems (TECS) is a
system that maintains lookout (i.e., watch list) data, interfaces
with other agencies' databases, and is currently used by
inspectors at ports of entry to verify traveler information and
update traveler data.
o TECS includes the Advance Passenger Information System (APIS),
a system that captures arrival and departure manifest information
provided by air and sea carriers.
o The Automated Biometric Identification System (IDENT) is a
system that collects and stores biometric data about foreign
visitors.
In May 2004, DHS awarded an
indefinite-delivery/indefinite-quantity9 prime contract to
Accenture, which has partnered with a number of other vendors.10
According to the contract, the prime contractor will develop an
approach to produce the strategic solution. In addition, it is to
help support the integration and consolidation of processes,
functionality, and data, and is to assist the program office in
leveraging existing systems and contractors in deploying and
implementing the interim solutions.
In July 2003, DHS established the US-VISIT program office, which
is responsible for managing the acquisition, deployment, and
operation of the US-VISIT system and supporting people, processes,
and facilities. Accordingly, the program office's responsibilities
include, among other things,
o delivering program and system capabilities on time and within
budget and
o ensuring that program goals, mission outcomes, and program
results are achieved.
Within DHS, the US-VISIT program organizationally reports directly
to the Deputy Secretary for Homeland Security, as seen in figure
1.
2To judgmentally select our set of contracting actions, we identified the
DHS and non-DHS agencies that managed US-VISIT-related contracts and, for
each agency, we selected one contracting action for US-VISIT-related work
awarded in each fiscal year from March 1, 2002, through March 31, 2005.
Not all organizations awarded contracting actions in every fiscal year
covered under our review, in which case an action was not selected for
that fiscal year for that organization. Our judgmental selection did not
include contracting actions from one of the responsible organizations
(DHS's Immigration and Customs Enforcement) because this agency did not
provide requested documentation in time for us to include it in our
analysis of contracting actions.
3AERC is a component of the Department of Defense.
Background
48 U.S.C. 1365a; 6 U.S.C. 251 (transferred relevant Immigration and
Naturalization Service functions to DHS); 8 U.S.C. 1732(b).
Acquisition and Implementation Approach
5Over the last 3 years, we have issued five reports on the US-VISIT
program that, among other things, identified fundamental challenges that
the department faced in delivering promised program capabilities and
benefits on time and within budget. For our most recent report, see GAO,
Homeland Security: Recommendations to Improve Management of Key Border
Security Program Need to Be Implemented, GAO-06-296 (Washington, D.C.:
Feb. 14, 2006).
6The Visa Waiver Program permits foreign nationals from designated
countries to apply for admission to the United States for a maximum of 90
days as nonimmigrant visitors for business or pleasure.
7Radio frequency technology relies on proximity cards and card readers.
Radio frequency devices read the information contained on the card when
the card is passed near the device and can also be used to verify the
identity of the cardholder.
8At one port of entry, these capabilities were not fully operational until
January 7, 2006, because of a telephone company strike that prevented the
installation of a T-1 line.
Organizational Structure and Responsibilities
9An indefinite-delivery/indefinite-quantity contract provides for an
indefinite quantity, within stated limits, of supplies or services during
a fixed period of time. The government schedules deliveries or performance
by placing orders with the contractor.
10Accenture's partners include, among others, Raytheon Company, the Titan
Corporation, and SRA International, Inc.
Figure 1: Organizational Structure of DHS
The program office is composed of a number of functional groups. Among
these groups, three deal with contractor management. These are the
Acquisition and Program Management Office (APMO), the Office of Facilities
and Engineering Management, and the Office of Budget and Financial
Management. As seen in figure 2, all three groups report directly to the
US-VISIT Program Director.
Figure 2: Organizational Structure of US-VISIT Program Office and
Functional Responsibilities
APMO is to manage execution of the program's acquisition and program
management policies, plans, processes, and procedures. APMO is also
charged with ensuring effective selection, management, oversight, and
control of vendors providing services and solutions.
The Office of Facilities and Engineering Management is to implement the
program's physical mission environment through, for example, developing
and implementing physical facility requirements and developing cooperative
relationships and partnering arrangements with appropriate agencies and
activities.
The Office of Budget and Finance is to develop executable budgets to
contribute to cost-effective performance of the US-VISIT program and
mission; ensure full accountability and control over program financial
assets; and provide timely, accurate, and useful financial information for
decision support.
US-VISIT Relationships with Other DHS and Non-DHS Agencies
Since its inception, US-VISIT has relied extensively on contractors to
deliver system and other program capabilities; these contractors include
both contractors managed directly by the program office and those managed
by other DHS and non-DHS agencies. Within the program office, APMO manages
the prime contract mentioned earlier, as well as other program
management-related contracts. All other contracts were awarded and managed
either by other DHS agencies or by two non-DHS agencies, GSA and AERC. For
the contracts managed by other DHS agencies, the program office has
entered into agreements11 with these agencies. These agreements allow the
program to use previously awarded contracts to further develop and enhance
the existing systems that now are part of US-VISIT. By entering into
agreements with the various owners of these systems, the program office
has agreed to fund US-VISIT-related work performed on the systems by these
agencies, which include
o CBP, which owns and manages TECS;
o Immigration and Customs Enforcement (ICE), which owned and
managed IDENT (until 2004) and ADIS (until 2005), and still
provides some information technology support services;12 and
o the Transportation Security Administration (TSA), which in 2003
managed the development of the air/sea exit pilot program.
In addition, through its Office of Facilities and Engineering
Management, the program office has established an interagency
agreement with AERC and has established reimbursable work
authorizations with GSA.13 The agreements with GSA and AERC
generally provide for management services in support of US-VISIT
deployment.
When the US-VISIT program office was created in July 2003, the
program did not own or manage any of the key systems described
earlier. Rather, all systems were owned and managed by other DHS
agencies (see fig. 3). As of March 2005, the program office had
assumed ownership and management responsibility for IDENT, which
was originally managed by ICE; assumed management responsibility
for the air/sea exit project, which was originally managed by TSA;
and shares responsibility for ADIS, which was initially owned and
managed by ICE. US-VISIT owns ADIS, but CBP is responsible for
managing the system. These relationships are shown in figure 3.
Figure 3: Changes in US-VISIT System Ownership and Management,
July 2003-March 2005
IAAs establish a means for US-VISIT to transfer funds to other DHS
and non-DHS agencies for work done on its behalf. The IAAs first
give the servicing agencies (that is, the agencies performing the
work for US-VISIT) obligation authority to contract for US-VISIT
work. Once the work has been performed, the servicing agencies pay
their vendors according to the terms of their respective contracts
and then request reimbursement of the vendor payment from US-VISIT
via the Intra-governmental Payment and Collection (IPAC) system.14
In addition, the servicing agencies also receive IPAC payments for
the services they themselves provided for US-VISIT-essentially a
fee for the cost of managing contracts on the program's behalf.
Table 1 lists the various agencies currently managing
US-VISIT-related contracts and summarizes their respective
relationships with the program office and the purpose of the
contract actions that we reviewed.
11DHS uses inter- and intra-agency agreements (IAAs) to document
agreements entered into between federal agencies, or major organizational
units within an agency, which specify the goods to be furnished or tasks
to be accomplished by one agency (the servicing agency) in support of the
other (the requesting agency).
12Ownership and management of IDENT was transferred to US-VISIT in 2004;
ownership of ADIS was transferred to US-VISIT in 2005, but management was
transferred to CBP.
13Reimbursable work authorizations are used by GSA to capture and bill
GSA's customers for, among other things, the cost of providing services in
space managed by GSA over and above the basic operations financed through
rent for that space. In the case of US-VISIT, reimbursable work
authorizations were used to reimburse services required in support of
US-VISIT deployment efforts at the GSA-owned ports of entry.
14IPAC is the primary method used by most federal entities to
electronically bill and/or pay for services and supplies within the
government.
Table 1: Relationships between Servicing Agencies Managing
US-VISIT-Related Contracts and US-VISIT Program
Source: GAO analysis.
Summary of DHS Reported Obligations for US-VISIT Contracts
Documentation provided by the agencies responsible for managing
US-VISIT-related contracts shows that between March 2002 and March 31,
2005, they obligated about $347 million for US-VISIT-related contract
work.15 As shown in figure 4, about $152 million, or less than half (44
percent), of the $347 million in obligations reported to us was for
contracts managed directly by the US-VISIT program office. The remaining
$195 million, or 56 percent, was managed by other DHS and non-DHS
agencies. Specifically, $156 million, or 45 percent of the $347 million in
obligations reported to us for contracts, was managed by other DHS
agencies (TSA and CBP); $39 million, 11 percent, was managed by non-DHS
agencies (GSA and AERC).
15This number was derived from information provided to us by the agencies,
as well as analysis of provided documentation. Additionally, and as noted
in appendix I, weaknesses in DHS's financial systems call into question
the accuracy of these numbers. Further, this number does not include any
obligations from ICE, as it did not report US-VISIT-related obligations to
us in time for us to include in our analysis of contracting actions.
Figure 4: Distribution of $347 Million US-VISIT Obligated Contracting
Dollars between March 2002 and March 2005
From the inception of the US-VISIT program office through September 30,
2005, the program reports that it transferred about $96.7 million to other
agencies via the IPAC system for direct reimbursement of contract costs
and for the agencies' own costs.16
Prior Reviews Related to DHS Contractor Oversight and Management
In January 2005, we observed17 the increased use of interagency
contracting by the federal government and noted the factors that can make
interagency contract vehicles high risk in certain circumstances. One of
these factors was that the use of such contracting vehicles contributes to
a much more complex environment in which accountability had not always
been clearly established, including designation of responsibility for such
critical functions as describing requirements and conducting oversight. We
concluded that interagency contracting should be designated a high-risk
area because of the challenges associated with such contracts, problems
related to their management, and the need to ensure oversight.
16On the basis of previous audit findings, we do not consider this amount
reliable. DHS's independent auditors determined that its IPAC system
presented a weakness in DHS's financial management environment.
17GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January
2005).
In March 2005, we also reported18 on challenges facing DHS's efforts to
integrate its acquisition functions. One significant challenge was a lack
of sufficient staff in the Office of the Chief Procurement Officer to
ensure compliance with the department's acquisition regulations and
policies. Another challenge was that the department's Office of
Procurement Operations, which was formed to support DHS agencies that
lacked their own procurement support (such as US-VISIT), did not yet have
sufficient staff and relied heavily on interagency contracting. Further,
the office had not implemented management controls to oversee procurement
activity, including ensuring that proper contractor management and
oversight had been performed. We concluded that unless these challenges
were addressed, the department was at risk of continuing with a fragmented
acquisition organization that provided only stop-gap, ad hoc solutions.
Importance of Contractor Management Controls
Organizational policies and procedures are important management controls
to help program and financial managers achieve results and safeguard the
integrity of their programs. Agency management is responsible for
establishing and implementing financial and nonfinancial controls, which
serve as the first line of defense in ensuring contractor performance,
safeguarding assets, and preventing and detecting errors and fraud.
Pursuant to 31 U.S.C. S: 3512 (c),(d), the Comptroller General has
promulgated standards that provide an overall framework for establishing
and maintaining internal controls in the federal government.19 Policy and
guidance on internal control in executive branch agencies are provided by
the Office of Management and Budget (OMB) in Circular A-123,20 which
defines management's fundamental responsibility to develop and maintain
effective internal controls. Specifically, management is responsible for
implementing appropriate internal controls; assessing the adequacy of
internal controls, including those over financial reporting; identifying
needed improvements and taking corrective action; and reporting annually
on internal controls.
18GAO, Homeland Security: Successes and Challenges in DHS's Efforts to
Create an Effective Acquisition Organization, GAO-05-179 (Washington,
D.C.: Mar. 29, 2005).
19GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21 .3.1 (Washington, D.C.: November 1999).
20OMB Circular A-123, Management's Responsibility for Internal Control
(effective beginning with fiscal year 2006) (revised Dec. 21, 2004).
The five general standards in our framework for internal control are
summarized below.
o Control environment. Management and employees should establish
and maintain an environment throughout the organization that sets
a positive and supportive attitude toward internal control and
conscientious management. A key factor relevant to contractor
management is having clearly defined areas of authority and
responsibility and appropriate lines of reporting.
o Risk assessment. Internal control should provide for an
assessment of the risks the agency faces from both external and
internal sources.
o Control activities. Internal control activities help ensure
that management's directives are carried out. The control
activities should be effective and efficient in accomplishing the
agency's control objectives. Key control activities associated
with contract management include
o appropriate documentation of transactions,
o accurate and timely recording of transactions and
events,
o controls over information processing,
o reviews by appropriate management in the
organization, and
o segregation of duties.
o Information and communications. Information should be recorded
and communicated to management (and others who need it) in a form,
and within a time frame, that enables them to carry out their
internal control and other responsibilities. Key contract
management activities include
o identifying, capturing, and distributing
information in a form and time frame that allows
people to perform their duties efficiently; and
o ensuring that information flows throughout the
organization and to external users as needed.
o Monitoring. Internal control monitoring should assess the
quality of performance over time and ensure that the findings of
audits and other reviews are promptly resolved.
To complement the standards, we developed a tool to help managers
and evaluators determine how well an agency's internal controls
are designed and functioning and what, where, and how improvements
may be implemented.21 This tool is intended to be used
concurrently with the standards described above and with OMB
Circular A-123. The tool associates each standard with a list of
major factors to be considered when users review the controls for
that standard, as well as points to be considered that may
indicate the degree to which the controls are functioning.
Relevant acquisition regulations and IT acquisition management
guidance also provide criteria for effectively managing contractor
activities. The Federal Acquisition Regulation (FAR)22 requires
that government agencies ensure that the contractor performs the
requirements of the contract, and the government receives the
service intended. However, the FAR does not prescribe specific
methods for doing so.
Other such methods or practices can be found in other acquisition
management guidance. In particular, the Capability Maturity Model
Integration model,23 developed by the Software Engineering
Institute (SEI) of Carnegie Mellon University, explicitly defines
process management controls that are recognized hallmarks for
successful organizations and that, if implemented effectively, can
greatly increase the chances of successfully acquiring software
and systems. These controls define a number of practices and
subpractices relevant to managing and overseeing contracts. These
practices are summarized below.
o Establish written policies and procedures for performing
contractor management. Polices establish the organization's
expectations for performing contractor management activities.
Procedures provide the "how to" or method to be followed in
implementing the policies.
o Establish and maintain a plan for performing the contract
oversight process. The plan should include, among other things, a
contractor management and oversight process description,
requirements for work products, an assignment of responsibility
for performing the process, and the evaluations and reviews to be
conducted with the contractor.
o Assign responsibility and authority for performing the specific
contractor management activities. Responsibility should be
assigned for performing the specific tasks of the contractor
management process.
o Train the people performing or supporting the contractor
management process. Personnel participating in the contract
oversight process should be adequately trained and certified, as
appropriate, to fulfill their assigned roles.
o Document the contract. This documentation should include, among
other things, a list of agreed-upon deliverables, a schedule and
budget, deliverable acceptance criteria, and types of reviews that
will be conducted with the contractor.
o Verify and accept the deliverables. Procedures for accepting
deliverables should be defined; those accepting the deliverables
should verify that they meet requirements; the results of
acceptance reviews or tests should be documented; action plans
should be developed for any products that do not pass their review
or test; and action items should be identified, documented, and
tracked to closure.
o Monitor risks involving the contractor and take corrective
actions as necessary. Risks should be identified and categorized
(e.g., risk likelihood or risk consequence) and then analyzed
according to these assigned categories.
o Conduct technical reviews with the contractor. Reviews should
ensure that technical commitments are being met in a timely manner
and should verify that the contractor's interpretation and
implementation of the requirements are consistent with the
project's interpretation.
o Conduct management reviews. Reviews should address critical
dependencies, project risks involving the contractor, and the
contract schedule and budget.
Given the US-VISIT program's dependence on contracting, it is
extremely important for the program office to effectively manage
and oversee its contracts via the establishment and implementation
of key contractor management and oversight controls. To its
credit, the program office established and implemented most of the
key practices associated with effectively managing nonfinancial
contractor activities for those contracts that it directly
manages. In particular, it established policies and procedures for
implementing all but one of the key practices that we reviewed,
and it implemented many of these practices-including assigning
responsibilities and training key personnel involved in contractor
management activities, verifying that contractor deliverables
satisfied established requirements, and monitoring the
contractor's cost and schedule performance for the task orders
that we reviewed. In doing so, the program has increased the
chances that program deliverables and associated mission results
will be produced on time and within budget.
However, the program office did not effectively oversee
US-VISIT-related contract work performed on its behalf by other
DHS and non-DHS agencies, and these agencies did not always
establish and implement the full range of controls associated with
effective management of their respective contractor activities.
Without effective oversight, the program office cannot adequately
ensure that program deliverables and associated mission results
will be produced on time and within budget.
Further, the program office and other agencies did not implement
effective financial controls. The program office and other
agencies managing US-VISIT-related work were unable to reliably
report the scope of contracting expenditures. In addition, some
agencies improperly paid and accounted for related invoices,
including making a duplicate payment and making payments for
non-US-VISIT services from funds designated for US-VISIT. Without
effective financial controls, DHS cannot reasonably ensure that
payments made for work performed by contractors are a proper and
efficient use of resources.
According to the US-VISIT program official responsible for
contract matters, the program office has initially focused on
contracts that it manages directly. For US-VISIT contracts managed
by other agencies, the program office has decided to rely on those
agencies to manage the contracts and associated financial matters.
In addition, it has decided to rely on another agency for
financial management support of the program office.
The US-VISIT program office is responsible and accountable for
meeting program goals and ensuring that taxpayer dollars are
expended effectively, efficiently, and properly. Within the
program office, APMO is responsible for establishing and
maintaining disciplined acquisition and program management
processes to ensure the efficient support, oversight, and control
of US-VISIT program activities. Accordingly, it is important that
APMO establish and implement effective contractor management
controls.
As mentioned previously, federal regulations and acquisition
management guidance24 identify effective contractor management as
a key activity and describe a number of practices associated with
this activity, including (among other things) establishing
policies and procedures for contractor management, defining
responsibilities and authorities, providing training, verifying
and accepting deliverables, and monitoring contractor performance.
These general practices often consist of more detailed
subpractices. Appendix III lists the practices and associated
subpractices, as well as the extent to which they were performed
on each of the contract actions that we reviewed.
For contracts that it directly managed, APMO established policies
and procedures for all but one of the key nonfinancial practices
associated with effective contractor management. For example, it
established policies and procedures for performing almost all
contractor management activities (practices) through its Contract
Administration and Management Plan. This programwide plan, in
conjunction with its Acquisition Procedures Guide Deskbook,
defines the methodology and approach for performing contractor
management for all contracts and task orders managed by APMO.
However, it neither established polices and procedures for having
a plan for overseeing individual contract actions, nor actually
developed such a plan. Instead, APMO relied on its programwide
polices and procedures for performing contract management
activities and to define what and how it actually implemented
them. However, without a plan for specific contracting actions,
the program office cannot be assured that contract management
activities will be implemented for each contracting action.
Table 2 shows the extent to which APMO, in its documented policies
and procedures, requires that the critical contractor management
practices be performed; this is shown under the heading "practice
established?" Under "practice implemented?" the table also shows
the extent to which APMO had actually implemented such practices
for those contracting actions that we reviewed, regardless of any
documented requirement.
Table 2: APMO's Establishment and Implementation of Key Contractor
Management Practices
Legend:
0M = Established/implemented
0m = Not established/implemented
Sources: SEI, GAO analysis of agency data.
Note: We determined whether the requirement for a practice was
established or not established on the basis of documented policies
and procedures addressing the practice and, where applicable, all,
some, or none of the subpractices. We determined whether a
practice was implemented or not implemented on the basis of
documentation demonstrating that all, some, or none of the
subpractices, where applicable, had been implemented for the task
orders that we reviewed.
APMO also implemented the aforementioned policies and procedures
that it established for each of the contracting actions that we
reviewed. For example, APMO implemented all of the key
subpractices associated with verifying and accepting contract
deliverables. Specifically, APMO defined acceptance procedures,
verified that deliverables satisfied their requirements,
documented the results of the review, developed a plan for
addressing deliverable deficiencies, and tracked those issues to
closure. With respect to one program support task order, for
example, a designated US-VISIT team reviewed a project plan
delivered by the contractor and returned it with a "conditionally
acceptable" letter; this letter stated that the comments included
were to be incorporated into the plan and assigned a date that the
revised plan was due back. The contractor resubmitted the plan by
the assigned date, and the contracting officer's technical
representative (COTR) accepted it. Throughout the process, APMO
tracked the status of this deliverable by means of a database
designed to track and update the status of deliverables owed to
US-VISIT by its contractors. The database included such
information as current document status and when the revised
document was due back to the program office.
APMO also implemented all critical subpractices associated with
contractor technical and management review activities. For
example, APMO required that the prime contactor provide monthly
cost performance reports that compared actual with budgeted cost
and addressed critical dependencies. For example, one report noted
that schedule and costs were impacted by a change in resources. In
the report, the contractor proposed a corrective action and
resolution date. APMO staff analyzed these reports and, according
to APMO officials, distributed the analysis results to program
office management for informational purposes (the results focused
on the causes of and planned corrective actions for the most
noteworthy cost and schedule variances). The information contained
in the monthly reports was also discussed at quarterly programwide
management reviews, which included contractor personnel. In
addition to management issues, these reviews addressed technical
issues such as deliverable status and requirements.
The quarterly reviews were also used to evaluate the contractor's
overall performance, as well as the contractor's performance on
each task order active during that reporting period. The task
orders that we examined were among those reviewed in this way. For
each task order, the quarterly reviews included an assessment of
schedule, cost and funding, technical performance, staffing, and
risks. For example, the information presented on one task order
that we reviewed reported that all of these categories were on
track and were forecast to remain on track.25 During these
reviews, technical requirements for each of the task orders were
discussed among stakeholders, contractor personnel, and management
to ensure a common understanding of those requirements and the
status of their implementation. The results of these reviews were
documented, and key discussion topics and a list and status of
action items were identified. The action items were assigned due
dates and were assigned to US-VISIT, the contractor, or specific
individuals. In some cases, an action item identified a specific
task order, such as a request to restructure a staffing report on
a program management task order (in order to more accurately
portray the level of contractor staffing). In the case of the
staffing report, it was assigned to a contractor for action.
Updated status of open items was also provided.
According to APMO's acquisition policy, the office established and
implemented these contractor management practices to establish a
standard approach for conducting contract activities and to ensure
that US-VISIT contracts continue to be managed in accordance with
relevant laws, regulations, policies, and acquisition
requirements. In doing so, the program has increased the chances
that program deliverables and associated mission results will be
produced on time and within budget.
The US-VISIT program office's APMO is responsible for the
program's contract-related matters. That means that APMO should,
among other things, effectively oversee contracts being managed by
others on the program's behalf. However, the program office did
not establish and implement effective controls for overseeing
US-VISIT-related contracts being managed by others. Specifically,
the program office did not know the full range of US-VISIT-related
contract actions that had been completed and were under way, and
it had not performed key practices associated with gaining
visibility into and understanding of contractor performance in
meeting the terms of these contracts. This oversight gap is
exacerbated by the fact that the other agencies did not always
establish and implement the full range of controls associated with
effective management of their contractor activities. For example,
these agencies did not always implement effective controls for
ensuring that contractor deliverables satisfy established
requirements. Without effective oversight of all US-VISIT-related
contracts, the program office is increasing the risk that program
goals and outcomes will not be accomplished on time and within
budget.
To effectively oversee program-related contracts being managed by
others, it is important for a program office to, at a minimum,
depending on the nature of the contract, (1) define the roles and
responsibilities for both itself and the entities it relies on to
manage the contracts, (2) know the full range of such contract
work that has been completed and is under way, and (3) define and
implement the steps it will take to obtain visibility into the
degree to which contract deliverables meet program needs and
requirements, which underpin the program goals and outcomes.
However, the US-VISIT program office did not effectively perform
the following oversight activities for contracts that are being
managed by other agencies:
Defining roles and responsibilities. The program office did not
define and document program office roles and responsibilities for
overseeing the contractor work managed by other agencies and did
not define the roles and responsibilities of the agencies managing
US-VISIT-related contracts. According to the APMO Director, the
roles and responsibilities were defined in IAAs between these
agencies and the program office. However, the IAAs generally did
not define roles and responsibilities. For example, US-VISIT
provided us with 12 agreements for the agencies that we
reviewed,26 and only one of them described roles and
responsibilities for either APMO or the agency managing the
contract work. Although responsibilities were identified, they
were at a high level and the same for both the program office and
the agency managing the contractor. Specifically, the IAA states
that the US-VISIT COTR or point of contact and the servicing
agency program office are responsible for technical oversight of
the specified product or service identified in the statement of
work. However, the IAA does not identify any specific contract
oversight practices to be performed. According to the APMO
Director, the program office did not define roles and
responsibilities because the office is relatively new, and most
efforts have been focused on developing policies and procedures
for managing contracts that it directly controls.
As noted earlier, we have previously reported that the use of IAAs
is a high-risk approach to contracting.27 Although these contract
vehicles can offer benefits of improved efficiency and timeliness,
effective management of IAAs is challenging. Accordingly, we
concluded that the use of IAAs requires, among other things, that
the issuing agency clearly define roles and responsibilities for
conducting contractor management and oversight.
Knowing the full range of contract work. The program office was
not able to provide us with a complete list of US-VISIT-related
contract actions. Instead, US-VISIT told us that we needed to
obtain a list of actions from each of the DHS and non-DHS agencies
that managed the contract work. Once we compiled the list of
contracting actions provided to us by the other agencies, the
Director told us that no one in the program office could verify
that the list was complete and correct. The Director further
stated that APMO is not responsible for overseeing contracts
managed outside the program office.
Defining and implementing the steps to verify that deliverables
meet requirements. According to DHS's directive on IAAs,28 the
issuing agency (US-VISIT, in this case) is to, among other things,
monitor the performance of the servicing agency and/or contractor;
the directive also assigns responsibility for monitoring
performance to the program office (or program point of contact)
and the contracting officer. The contracting officer responsible
for US-VISIT's IAAs told us that he relied on the program office's
designated points of contact to conduct oversight of those IAAs.
However, the program office did not define any specific
performance monitoring activities. As a result, oversight
activities performed have been informal and inconsistent. For
example, on the AERC contracts, the Facilities and Engineering
Budget Officer held weekly teleconferences with AERC to discuss
project progress and contract issues, and concerns on an exception
basis. However, these meetings were not documented; in other
words, any follow-up on open issues and tracking to closure was
handled informally. On the CBP contract actions, the US-VISIT
Deputy Chief Information Officer (or one of his representatives)
attended most, but not all, of the system development-milestone
progress reviews related to US-VISIT work, and held ad hoc
discussions with a CBP program manager to discuss funding and work
status. On air/sea exit,29 the US-VISIT Director of Implementation
relied on weekly meetings with TSA and the contractor to keep
apprised of project status. However, he relied on a representative
from US-VISIT Mission Operations to certify that testing on
air/sea exit was completed in a satisfactory manner, and neither
he nor a member of his team reviewed the results themselves.
According to the Director of APMO, specific activities to monitor
contracts managed by other agencies have not been established
because the program office's efforts to date have focused on
developing policies and procedures for contracts that the program
office manages directly.
Without clearly defined roles and responsibilities, as well as
defined oversight activities for ensuring successful completion of
the work across all US-VISIT-related contract activities, the
program office cannot be adequately assured that required tasks
are being satisfactorily completed.
As mentioned previously, acquisition management guidance30
identifies effective contractor management as a key activity and
describes a number of practices associated with this activity,
including (among other things) establishing policies and
procedures for contractor management, defining responsibilities
and authorities, providing training, verifying and accepting
deliverables, and monitoring contractor performance. As mentioned
earlier, these practices often consist of more detailed
subpractices; appendix III provides further details on the
practices, subpractices, and agency performance of these on each
of the contract actions we reviewed.
Table 3 shows the extent to which agencies, in their documented
policies or procedures, require that the critical contractor
management practices be performed (see columns under "practice
established?"); it also shows (under "practice implemented?") the
extent to which agencies had actually implemented such practices
for the contracting actions that we reviewed, regardless of any
documented requirement.
21GAO, Internal Control Management and Evaluation Tool, GAO-01-1008G
(Washington, D.C.: August 2001).
22The FAR system establishes the uniform set of policies and procedures
for acquisition by all executive branch agencies. This system consists of
the FAR, which is the primary document, and agency acquisition regulations
that implement or supplement the FAR.
23Carnegie Mellon University Software Engineering Institute, Capability
Maturity Model Integration, Systems Engineering Integrated Product and
Process Development, Continuous Representation, version 1.1 (March 2002).
US-VISIT Established and Implemented Key Controls for Contracts That It Managed
Directly, but It Did Not Have Controls for Overseeing Contracts Managed by
Others or for Effective Financial Management
Program Office Established and Implemented Key Contractor Management Practices
24Capability Maturity Model Integration, Systems Engineering Integrated
Product and Process Development, Continuous Representation, version 1.1.
The Program Office Did Not Effectively Oversee US-VISIT-Related Contracts
Managed by Other Agencies
25An apparent exception was the schedule, which was reported as having a
potential problem: deliverables were identified in the integrated master
schedule as not being complete. However, US-VISIT reported that the
deliverables were delivered on time.
US-VISIT's Oversight of Other Agencies' Contracting Activities Has Been
Informal and Inconsistent
26DHS IAAs were previously referred to as "reimbursable agreements." Five
of the agreements were actually reimbursable work authorizations for which
there was no IAA.
27 GAO-05-207 .
28DHS, Reimbursable Agreements, Management Directive System, MD 0710.1.
Agencies Managing US-VISIT-Related Contractors Did Not Establish and Implement
Key Contractor Management Practices
29Air/sea exit, which was developed by TSA, collects biometric exit data
for select foreign nationals; it is currently deployed to 14 airports and
seaports.
30Capability Maturity Model Integration, Systems Engineering Integrated
Product and Process Development, Continuous Representation, version 1.1.
Table 3: Status of Critical Contractor Management Practices at US-VISIT
Contract Management Agencies
Legend:
0M = Established/implemented
0L = Partially established/implemented
0m = Not established/implemented
Sources: SEI, GAO analysis of agency data.
aWe determined whether the requirement for a practice was established,
partially established, or not established on the basis of documented
policies and procedures addressing the practice and, where applicable,
all, some, or none of the subpractices. We determined whether a practice
was implemented, partially implemented, or not implemented on the basis of
documentation demonstrating that all, some, or none of the subpractices,
where applicable, had been implemented for the task orders that we
reviewed.
bNo results are provided for ICE regarding implementation of best
practices because we were unable to obtain contract documentation in time
for analysis.
As table 3 shows, agencies' establishment and implementation of the key
contractor management practices for US-VISIT-related contracts have been
uneven.
o All of the agencies had established policies or procedures for
performing some of the key contractor management practices. Only
CBP, however, had established policies and procedures for some
aspect of all the key practices, while GSA and AERC had
established procedures for about half of the key practices.
o Nevertheless, most of the agencies at least partially
implemented most of the practices, even though they did not
establish written procedures for doing so. For example, although
three of the agencies31 did not establish documented policies or
procedures for conducting technical and management reviews with
the contractor, two of them implemented some aspects of the
practice.
All Agencies Established Some Policies and Procedures for Contractor
Management Activities
Contractor management policies and procedures define the
organization's expectations and practices for managing contractor
activities. All of the agencies (DHS and non-DHS) had established
polices or procedures for governing some key contractor management
practices. For example, CBP's Systems Development Life Cycle,
augmented by its Office of Information Technology Project
Manager's Guidebook, defines policies and procedures for assigning
responsibilities and authorities for key contracting personnel and
training those people responsible for implementing contractor
management activities. Among other things, these documents provide
descriptions of the duties of the contracting officer, the project
manager, and COTR.32 The documents also require all affected
agencies to train the members of their groups in the objectives,
procedures, and methods for performing contractor management
activities. CBP guidance also addresses contractor management
procedures, including verifying and accepting deliverables,
monitoring contract risk and taking corrective action, and
conducting various reviews with the contractor.
Other agencies, such as GSA and AERC, have established fewer
procedures for contractor management. For example, GSA had not
established procedures for three practices: (1) establishing and
maintaining a plan for performing contractor oversight, (2)
conducting technical reviews with the contractor, and (3)
conducting management reviews with the contractor. According to
GSA officials, they have not documented their oversight process in
order to allow for as much flexibility as possible in performing
the process. Further, they said they relied on the professional
expertise of the contracting officer's representative (COR) and/or
COTR to ensure the technical accuracy of work produced by a
contractor.
Without established policies and procedures for contractor
management, the organizations responsible for managing
US-VISIT-related contracts cannot adequately ensure that these
vital contractor management activities are performed.
Agencies' Implementation of Key Practices Was Uneven
Implementation of key practices in the contracting actions that we
reviewed was uneven. As table 3 shows, one practice-assigning
responsibilities and authorities-was implemented by all agencies.
Other key practices were only partially implemented or not
implemented by all agencies. The following discussion provides
selected examples.
Most agencies implemented training of contractor management
personnel. Training the personnel performing or supporting
contractor management activities helps to ensure that these
individuals have the necessary skills and expertise to adequately
perform their responsibilities.
Most of the agencies had trained some of the key contracting
officials responsible for the contracting actions that we reviewed
and were able to produce documentation of that training.33 For
example, CBP relied on a DHS-mandated training program to train
its key contract personnel. However, that program was not
established until March 2004 for contracting officers and December
2004 for COTRs, and so it did not apply to all the contracting
actions that we reviewed. Before these programs were established,
CBP relied on the previously existing qualifications of its
contracting personnel. However, it provided training documentation
for only some of the key contracting personnel for the contracting
actions that we reviewed.
With respect to non-DHS agencies, AERC and GSA records showed that
contracting personnel had completed contracting-related training
for the contracting actions that we reviewed.
Most agencies did not implement all key practices for verifying
and accepting contract deliverables. Verifying that contract
deliverables satisfy specified requirements provides an objective
basis to support a decision to accept the product. Verification
depends on the nature of the deliverable and can occur through
various means, such as reviewing a document or testing software.
Effectively verifying and accepting contract deliverables
includes, among other things, (1) defining procedures for
accepting deliverables; (2) conducting deliverable reviews or
tests in order to ensure that the acquired product satisfies
requirements; (3) documenting the results of the acceptance review
or test; (4) establishing an action plan for any deliverables that
do not pass the acceptance review or test; and (5) identifying,
documenting, and tracking action items to closure.
All agencies implemented some (but not all) of the key practices
associated with verifying and accepting contract deliverables. The
following two examples from CBP and TSA illustrate this.
o CBP implemented most of the subpractices associated with this
practice. For one contracting action reviewed (software
development for Increment 2B functionality), CBP defined
acceptance (testing) procedures, conducted the tests to verify
that the deliverables satisfied the requirements, and documented
the results. However, it did not develop an action plan to
identify, document, and track unresolved action items to closure.
Further, CBP accepted the deliverable before verifying that it had
satisfied the requirements. Specifically, test results were
presented at a production readiness review (one of the progress
reviews called for in CBP's system development life cycle) on
November 4, 2004. The review meeting included a US-VISIT
stakeholder representative who signed off on the test results,
indicating that US-VISIT accepted the deliverable and concurred
that it was ready to operate in a production environment. However,
the test analysis report highlighted several issues that called
this conclusion into question. For example, the report stated that
testing continued after the review (through November 8, 2004), and
the report identified 67 issues at severity level 2, which CBP
defines as a function that does not work and whose failure
severely impacts or degrades the system. The report further stated
that some test cases were delayed and subject to further testing.
CBP could not provide any documentation that these open issues
were resolved or that the test cases were executed. Further, the
COTR told us that CBP did not define specific acceptance
standards, such as the number and severity of defects permissible
for acceptance. Instead, acceptance of the deliverable was
subjectively based on the COTR's assessment of whether the
software could provide critical functionality.
For another contract action (Increment 1 hardware and software
installation at ports of entry), CBP did not verify that the
equipment was installed according to contract requirements. We
were told by both the CBP Director of Passenger Systems (who was
involved with much of the US-VISIT work) and the contract task
monitor that the formal process for verifying and accepting
contract deliverables consisted of a site-specific deployment
checklist that recorded acceptance of deployment at each port.
Acceptance required a signature from a government employee, a
date, and an indication of deployment status (the two options for
this status were (1) that the equipment was installed and
operational or (2) that it was not installed, along with a
description of reasons why it was not). However, as shown in table
4, not all checklists that we reviewed were signed or indicated
that the equipment was installed and operational, and CBP could
not provide documentation on how the identified issues were
resolved. Further, although the deliverable was deployed to 119
sites, CBP provided checklists for 102 sites and was unable to
provide them for the other 17 sites.
Table 4: Acceptance Reports for One Contract Deliverable
Legend:
X = Checklist elements completed
- = Checklist elements not completed
Source: GAO analysis of CBP documentation.
o TSA implemented three of the practices associated with
verifying and accepting deliverables-defining acceptance
procedures, verifying that deliverables satisfy requirements, and
documenting the results of the tests. Specifically, TSA tested the
air/sea exit software and hardware, and developed a test plan that
included test procedures and a traceability matrix. It also
documented the test results in a test analysis report that noted
that the software was ready for deployment because of the low
severity of identified deficiencies. The report included, among
other things, a list of system deficiencies identified during
testing.34 The report also included copies of documents provided
to a US-VISIT technical representative: a test problem report, a
summary of testing defects, and a document indicating that the
contractor had approved the test analysis.
However, TSA did not provide evidence that the deficiencies were
managed and tracked to closure. TSA officials told us that open
issues were tracked informally via twice-weekly meetings with a
US-VISIT representative, TSA personnel, and contactor staff.
Although these meetings were documented, the minutes did not
provide any evidence of testing issues being discussed. According
to program officials, this was due to the short development time
frame (about 4 months) and the need to bypass traditional TSA
milestone reviews in order to ensure that the product was
delivered on time.
Without adequately verifying that contract deliverables satisfy
requirements before acceptance, an organization cannot adequately
know whether the contractor satisfied the obligations of the
contract and whether the organization is getting what it has paid
for.
Most agencies performed contractor technical and management
reviews. Monitoring contractor performance is essential for
understanding the contractor's progress and taking appropriate
corrective actions when the contractor's performance deviates from
plans. Such monitoring allows the acquiring organization to ensure
that the contractor is meeting schedule, effort, cost, and
technical performance requirements. Effective monitoring
activities include conducting reviews in which budget, schedule,
and critical dependencies are assessed and documented, and the
contractor's implementation and interpretation of technical
requirements are discussed and confirmed.
Three of the four agencies implemented some contractor review
activities, including, among other things, addressing technical
requirements progress against schedule and costs through regular
meetings with the contractor. For example, TSA conducted weekly
reviews with the contractor to discuss the status of contract
performance; material prepared for some of these weekly meetings
indicated that topics discussed were "actual dollars expended"
versus "budget at project completion," projected and actual
schedule versus baseline, anticipated product delivery dates
against planned due dates, and issues and risks. As another
example, CBP held weekly documented meetings with its contractor
to discuss open issues, the status of the project, and the current
stage of the systems development life cycle. Additionally, CBP
milestone reviews addressed project schedule, budget, and risk,
some of which could be traced to specific contracts.
In contrast, AERC did not document the monitoring of contractor
performance during the performance period of the contract.
Instead, to document contractor performance, it relied solely on
end-of-contract evaluations required by the FAR.
Financial management weaknesses at both the program office and the
other agencies impaired their ability to adequately manage and
oversee US-VISIT-related contracting activities. Specifically,
well-documented, severe financial management problems at DHS (and
at ICE in particular) affected the reliability and effectiveness
of accounting for the US-VISIT program. Accordingly, the program
office and the other DHS agencies were unable to provide accurate,
reliable, and timely accounts for billings and expenditures made
for contracts related to US-VISIT. In addition, a number of
invoice payments were improperly paid and accounted for.
DHS's financial management problems are well-documented. When the
department began operations in 2003, one of the challenges we
reported35 was integrating a myriad of redundant financial
management systems and addressing the existing financial
management weaknesses inherited by the department. Since that
time, DHS has undergone three financial statement audits and has
been unable to produce fully auditable financial statements for
any of the audits.36 In its most recent audit report, auditors
reported37 10 material weaknesses and 2 reportable conditions.38
Among the factors contributing to DHS's inability to obtain clean
audit opinions were serious financial management challenges at
ICE, which provides accounting services for several other DHS
agencies, including the US-VISIT program. For fiscal years 2004
and 2005, auditors reported that financial management and
oversight at ICE was a material weakness, principally because its
financial systems, processes, and control activities were
inadequate to provide accounting services for itself and other DHS
agencies.39 According to the auditors, ICE did not adequately
maintain its own accounting records or the accounting records of
other DHS agencies, including US-VISIT. The records that were not
maintained included intradepartmental agreements and transactions,
costs, and budgetary transactions. These and other accounts
required extensive reconciliation and adjustment at year-end,
which ICE was unable to complete. In addition, in fiscal year
2005, ICE was unable to establish adequate internal controls that
reasonably ensured the integrity of financial data and that
adhered to our Standards for Internal Control in the Federal
Government;40 the Chief Financial Officer of ICE also issued a
statement of "no assurance" on internal control over financial
reporting.
These systemic financial challenges impaired the US-VISIT
program's contract management and oversight. As the accounting
service provider for the US-VISIT program, ICE is responsible for
processing and recording invoice payments both for contractors
working directly for the program and for the work ICE procures on
the program's behalf. However, because of its financial problems,
the reliability of the financial information processed by ICE as
the accounting-services provider for the program office was
limited. Further, ICE was unable to produce detailed, reliable
financial information regarding the contracts it managed on behalf
of US-VISIT.
Of the DHS agencies we reviewed, the program office and two others
managing US-VISIT-related contracts on the program's behalf did
not track contract billings and expenditures in a way that was
accurate, reliable, and useful for contract oversight and decision
making. Specifically, the amounts reportedly billed were not
always reliable, and expenditures for US-VISIT were not always
separately tracked.
Our Standards for Internal Control in the Federal Government
identifies accurate recording of transactions and events as an
important control activity. In addition, the standards state that
pertinent financial information should be identified, captured,
and distributed in a form that permits people to perform their
duties effectively. In order for people to perform their duties
effectively, they need access to information that is accurate,
complete, reliable, and useful for oversight and decision making.
In the case of US-VISIT, expenditures and billings made for
US-VISIT-related contracts should be tracked by the program office
and the agencies managing the contracts on the program office's
behalf, and controls should be in place to ensure that the
information is reliable, complete, and accurate. Furthermore, in
order for the information to be useful for oversight and decision
making, billings and expenditures made for US-VISIT work should be
separately tracked and readily identifiable from other billings
and expenditures. Separately accounting for program funds is an
important budgeting and management tool, especially when those
funds are reimbursed by another agency for a program-specific
purpose, as was the case for US-VISIT. Finally, according to our
internal control standards and more specifically, our Internal
Control Management and Evaluation Tool,41 information should be
available on a timely basis for effective monitoring of events,
activities, and transactions.
The Amounts Reportedly Billed on US-VISIT-Related Contracts Are Nor Reliable
Because effective internal controls were not in place, the
reliability of US-VISIT-related billings by DHS agencies was
questionable. First, the program office could not verify the scope
of completed and ongoing contracting actions. Second, for the
contracting actions that were reported, not all agencies provided
billing information that was reliable.
The program office did not track all contracting activity and thus
could not provide a complete list of contracting actions. In the
absence of a comprehensive list, we assembled a list of
contracting actions from the program office and from each of the
five agencies responsible for contracting for US-VISIT work.
However, the APMO Director did not know whether the list of
contracting actions was valid.
In addition, to varying degrees, other DHS agencies could not
reliably report to us what had been invoiced on the
US-VISIT-related contracts they managed. In particular, ICE's
substantial financial management challenges precluded it from
providing reliable information on amounts invoiced against its
contracts. Its inability to provide us with key financial
documents for US-VISIT-related contracts illustrated its
challenges. Over a period of 9 months, we repeatedly requested
that ICE provide various financial documents, including
expenditure listings, invoice documentation, and a list of all
contracting actions managed on behalf of US-VISIT. However, it did
not provide complete documentation in time to be included in this
report. In particular, ICE was not able to provide complete and
reliable expenditures to date. It did provide a list of
US-VISIT-related contracting actions, but it did not include the
amounts invoiced on those contracting actions, and program office
staff noted several problems with ICE's list, including several
contracts that were likely omitted. A comparable list provided by
the DHS Office of the Chief Procurement Officer showed ICE's
invoiced amounts, but the contracting actions on this list
differed from those provided by ICE. Without accurate tracking of
financial information related to US-VISIT contracts, the full
scope of contracting and spending on the program cannot be known
with reasonable certainty. This limitation introduces the
increased possibility of inefficiencies in spending, improper
payments, and poor management of limited financial resources.
For CBP, a list of contacting actions provided by program
officials included discrepancies that raised questions about the
accuracy both of the list and of the invoiced amounts. First, the
task order number of a 2002 contracting action changed during our
period of review, and CBP initially reported the task order as two
different contracting actions-one issued in 2002 and another
issued in 2004. Second, the task order was for services performed
bureauwide, not just for US-VISIT, and from the contract
documentation it was not discernable which work was specific to
US-VISIT. Such discrepancies suggest that the amount invoiced
specifically to US-VISIT was not accurate. Finally, our summation
of all the invoices, through March 31, 2005, on this contracting
action totaled about $8.8 million, which was about $1.3 million
more than the total invoiced amount that CBP had reported.42 This
discrepancy indicated that CBP was not adequately tracking funds
spent for US-VISIT on this contracting action, which increased the
risk that the program was improperly reimbursing CBP on this
contract. No such discrepancy existed between reported and actual
invoiced amounts on the 2003 and 2004 CBP contracting actions we
reviewed.
TSA was able to provide accurate billing information on the one
US-VISIT-related contracting action that it managed, but delays in
invoicing on this contracting action increase the risk of future
problems. As of February 2005, development on the TSA contract
action was finished, and the contract had expired. However, from
April 2005 through February 2006 (the latest date available), TSA
reported that it continued to receive and process about $5 million
in invoices, and that the contractor can still bill TSA for prior
work performed for up to 5 years after expiration of the contract.
According to TSA, the contractor estimated (as of February 2006)
that it would be sending TSA an additional $2 million in invoices
to pay for work already completed. TSA officials could not explain
this delay in invoicing. Such a significant lag between the time
in which work is completed and when it is billed can present a
challenge to the proper review of invoices.
DHS Agencies Did Not Always Separately Track Expenditures Made to
Contractors for US-VISIT Work
ICE did not track expenditures made to contractors for US-VISIT
work separately from other expenditures, and CBP experienced
challenges in its efforts to do so. Reliable, separate tracking of
such expenditures is an important internal control for ensuring
that funds are being properly budgeted and that the program office
is reimbursing agencies only for work performed in support of the
program.
In the case of ICE, its financial management system did not
include unique codes or any other means to reliably track
expenditures made for US-VISIT-related contracts separately from
non-US-VISIT expenditures. As a result, ICE did not have reliable
information on what it spent for the program, which means that it
could have requested improper reimbursements from the program
office. More specifically, the most detailed list ICE could
provide of its US-VISIT-related payments was by querying its
financial management system by contract number, which provided all
payments under the contract number. However, each contract's scope
of work is generally broad and includes work throughout ICE, not
just for US-VISIT. Thus, this method would not give an accurate
picture of what expenditures ICE had made for US-VISIT-related
work.
In the case of CBP, it began using coding in its financial
management system to separately track US-VISIT obligations and
expenditures beginning in fiscal year 2003, when CBP first
received funding for US-VISIT. At that time, CBP tracked all
US-VISIT expenditures under a single project code. However,
between fiscal years 2003 and 2004, CBP underwent a system
conversion that interrupted its tracking of US-VISIT-related
funds, which made it challenging to separately report
US-VISIT-related expenditures. During this time, several changes
were made to the codes used to track US-VISIT information. When we
requested a listing of the US-VISIT-related expenditures by CBP,
it took several weeks for CBP finance center staff to document the
financial management system coding changes and produce a
reasonably complete listing of the US-VISIT-related expenditures
that CBP made during the system conversion. In fiscal years 2004
and 2005, CBP again began tracking all US-VISIT-related
expenditures separately under a single budget code. Thus, in the
future, the tracking and reporting of US-VISIT expenditures by CBP
should be more timely and reliable.
Although the program office and the agencies-both DHS and
others-doing work on its behalf usually documented approval of
contractor invoices before payment, a number of invoices were
improperly paid and accounted for, resulting in a potential loss
of funds control and, in one case, a duplicate payment on an
invoice of over $3 million. Our Internal Control Management and
Evaluation Tool states that transactions and events need to be
appropriately classified and that pertinent information is to be
identified and captured in the right form.43
Overpayments occurred as a result of two kinds of errors: on one
occasion a duplicate payment was made, and on several other
occasions incorrect balances were paid.
o A duplicate payment was made on an invoice for over $3 million.
APMO had sent an authorization for payment in full on the invoice
to its finance center. Then, 1 month later, APMO sent another
authorization for payment in full on the same invoice. The second
payment was later noticed, and the contractor refunded the
amount.44
o The other set of overpayments, although small in dollar value,
exemplify a significant breakdown in internal control. Invoices
billed to AERC on a fiscal year 2005 contract listed the current
amount billed on the invoice, as well as a cumulative balance; the
cumulative balance included invoice payments that AERC had already
made, but that had not been recorded by the contractor when the
next invoice was generated. On several of the invoices, AERC
mistakenly paid the higher cumulative balance when the current
amount should have been paid. As a result, AERC overpaid the
vendor by about $26,600. Moreover, it was the contractor that
first reported this overpayment in September 2005 and refunded the
overpayment amount to AERC. According to DHS officials, the
US-VISIT program office had independently identified the
overpayment in November 2005 and requested clarification from AERC
the following day.
Also at APMO, two questionable payments were made that arose from
the overriding of controls created for the prime US-VISIT
contract. The prime contract has been implemented through 12 task
orders with multiple modifications that either increased funding
or made other changes to the contract terms. To account for the
obligations made on each task order, the program's Office of
Budget and Finance created separate tracking codes in the
financial system for each task order and sometimes for each
modification of a task order. The separate tracking of each
obligation is a good control for tracking and controlling spending
against task order funds. However, APMO overrode this control when
it instructed the finance center to pay two invoices-one for about
$742,000 and one for about $101,000-out of the wrong account: that
is, with funds for task orders other than those for which the
invoices were billed. APMO did not provide any justification for
payment with funds from the improper account. Our Internal Control
Management and Evaluation Tool states that any intervention or
overriding of internal controls should be fully documented as to
the reasons and specific actions taken.45
CBP also inappropriately paid for work unrelated to US-VISIT out
of funds designated for US-VISIT. For a 2003 contracting action
that we reviewed, invoices included a significant amount in travel
billings. However, several travel vouchers that accompanied these
invoices were for work unrelated to US-VISIT. For example, terms
like "Legacy ag/legacy Customs unification," "Agriculture Notes
Installation," and "Agriculture AQI" were indicated on the
vouchers. CBP confirmed that these vouchers were billed to
US-VISIT in error. Additionally, other vouchers included
descriptions that were vague and not clearly related to any
specific program (e.g., emergency hardware replacement), and thus
it was not clear that the work being billed was related to the
program. Along with the travel expenses, the labor hours
associated with the above vouchers were also being billed to the
program. This circumstance calls into question not only whether or
not the travel charges were inappropriately classified as US-VISIT
work, but also whether the time that these employees were charging
was inappropriately classified, and thus improperly paid.
On one CBP contracting action, some charges that were not related
to US-VISIT may have been reimbursed by the program office. The
contracting action in question was a 2002 action for CBP-wide
disaster recovery services, and thus not all charges were directly
related to the US-VISIT program. On this task order, CBP expended
about $1.28 million from program-designated funds on items that
were not clearly specified as US-VISIT work on the invoices. Of
that amount, about $43,000 could be attributed to a contract
modification specific to the program. However, CBP stated that one
invoice for about $490,000 included in this $1.28 million was paid
from the program's funds to correct two payments for earlier
US-VISIT invoices that were erroneously made from nonprogram
funds. We also found about $771,000 of invoice dollars that were
specified as US-VISIT work, but that were not on the CBP-provided
expenditure reports for program funds.
As a result of these various discrepancies, the US-VISIT program
may have reimbursed CBP for work that was not done on its behalf.
Also, the program official responsible, under DHS policy,46 for
monitoring the CBP contracts related to US-VISIT told us that he
had not been reviewing invoices on IPAC reimbursement requests
from CBP, even though such reviews are required by DHS policy.
In addition, on the 2003 CBP contracting action that we reviewed,
many of the travel vouchers included first-class flights taken by
contract personnel, although (with few exceptions) purchase of
first-class travel is not allowed for travel on cost-reimbursable
type contracts. However, travel documentation indicated
first-class travel on numerous instances with no explanation or
justification of the first-class travel or documentation to
indicate that CBP had requested any explanation. CBP officials
noted that some frequent fliers are automatically upgraded when
purchasing a full-fare flight. Although this is a reasonable
explanation, CBP provided no documentation showing that it
completed any inquiry or research at the time it was invoiced to
determine if first-class travel was being purchased or if upgrades
were being given, and invoice documentation did not clarify this.
Further, in several instances, complete documentation was not
provided for the costs of all airline travel expenses.
A final concern regarding payments to contractors is raised by the
fact that several of the agencies made late payments on invoices.
Under the Prompt Payment Act,47 the government must pay interest
on invoices it takes over 30 days to pay. Not only do these
interest payments deplete funds available for US-VISIT, but
excessive late invoice payments are also a signal that the
contract payment oversight process is not being effectively
managed. CBP and TSA experienced agencywide increases in contract
prompt-payment interest. CBP reported that in fiscal year 2004,
the year that it converted to a new accounting system, prompt pay
interest accounted for 7.66 percent of all payments, a sharp
increase from the prior year's frequency rate of 1.74 percent. In
fiscal year 2005, the rate of interest payments at CBP receded to
1.80 percent of total payments.
APMO also paid substantial amounts in prompt payment interest.
According to DHS's auditors, ICE, which provides US-VISIT payment
services, had not established internal controls to ensure that
invoices were paid in a timely manner.48 For the invoices that we
reviewed, prompt-payment interest was paid on approximately 26
percent of the prime contract invoices that we reviewed,
representing over $27,000 in payments. In addition, we could not
verify that the proper amount of interest was paid because
information in the ICE financial management system was incorrect.
For example, in many instances, important dates used for
determining prompt-pay interest were entered incorrectly, or the
dates in the system could not be validated based on invoice
documentation provided. A program official told us that certain
program staff have recently been granted read-only access to ICE's
financial management system to monitor invoice payments. If the
program office effectively uses this increased oversight ability,
it could reduce the number of prompt-payment violations as well as
reduce other improper contract payments made by the program
office.
Contractors have played, and will continue to play, a major role
in delivering US-VISIT capabilities, including technology,
facilities, and people. Therefore, the success of the program
depends largely on how well DHS manages and oversees its
US-VISIT-related contracts. Establishing and implementing
effective contractor management and oversight controls, including
financial management controls, can greatly increase the
department's ability to manage and oversee US-VISIT-related
contracts. However, the department's management and oversight of
US-VISIT-related contracts are not yet at the level that they need
to be to adequately ensure, for example, that contract
deliverables satisfy program requirements, that cost and schedule
commitments are met, that program outcomes are achieved, that
funds are not overspent and improperly reimbursed, and that
payments are made in a proper and timely manner.
Although the program office has generally established and
implemented key contractor management controls on those contracts
that it manages directly, it has not adequately overseen
US-VISIT-related contracts that were managed by other DHS and
non-DHS agencies. According to program office officials, this is
because they have initially focused on those contracts that they
manage directly. However, this narrow focus raises concerns
because the agencies managing contracts on the program office's
behalf have not implemented the full range of management controls
needed to have a full, accurate, reliable, and useful
understanding of the scope of contract activities and performance.
Moreover, none of the US-VISIT contracts that we reviewed have
been subject to important financial management controls. As
previous audits have shown, DHS suffers from numerous material
weaknesses in financial management, some of which are directly
related to ICE (the DHS component that provides financial
management services to the program office). These weaknesses have
contributed to the program's inability to know the full scope of
contract activities and fully account for expenditures, among
other things. By impairing the reliability and effectiveness of
accounting for US-VISIT contracts, these weaknesses have
diminished the program's ability to effectively manage and oversee
work performed by contractors-work that is essential for the
program to achieve its goals.
Until DHS addresses these contract management and oversight
weaknesses, the US-VISIT program will remain at risk of not
delivering required capabilities and promised benefits on time and
within budget, and it will be vulnerable to financial
mismanagement.
Given the US-VISIT program's mission importance, size, and heavy
reliance on contractor assistance, we recommend that the Secretary
of Homeland Security direct the US-VISIT Program Director to take
the following five actions to strengthen contract management and
oversight, including financial management:
o For each US-VISIT contract action that the program manages
directly, establish and maintain a plan for performing the
contractor oversight process, as appropriate.
o Develop and implement practices for overseeing contractor work
managed by other agencies on the program office's behalf,
including (1) clearly defining roles and responsibilities for both
the program office and all agencies managing US-VISIT-related
contracts; (2) having current, reliable, and timely information on
the full scope of contract actions and activities; and (3)
defining and implementing steps to verify that deliverables meet
requirements.
o Require, through agreements, that agencies managing contract
actions on the program office's behalf implement effective
contract management practices consistent with acquisition guidance
for all US-VISIT contract actions, including, at a minimum, (1)
establishing and maintaining a plan for performing contract
management activities; (2) assigning responsibility and authority
for performing contract oversight; (3) training the people
performing contract oversight; (4) documenting the contract; (5)
verifying that deliverables satisfy requirements; (6) monitoring
contractor-related risk; and (7) monitoring contractor performance
to ensure that the contractor is meeting schedule, effort, cost,
and technical performance requirements.
o Require DHS and non-DHS agencies that manage contracts on
behalf of the program to (1) clearly define and delineate US-VISIT
work from non-US-VISIT work as performed by contractors; (2)
record, at the contract level, amounts being billed and expended
on US-VISIT-related work so that these can be tracked and reported
separately from amounts not for US-VISIT purposes; and (3)
determine if they have received reimbursement from the program for
payments not related to US-VISIT work by contractors, and if so,
refund to the program any amount received in error.
o Ensure that payments to contractors are timely and in
accordance with the Prompt Payment Act.
We received written comments on a draft of this report from DHS,
which were signed by the Director, Departmental GAO/IG Liaison
Office, and are reprinted in appendix II. We also received
comments from the Director of AERC and the Assistant Commissioner
for Organizational Resources, Public Buildings Service, GSA. Both
the Department of Defense audit liaison and the GSA audit liaison
requested that we characterize these as oral comments.
In its written comments, DHS stated that although it disagreed
with some of our assessment, it agreed with many areas of the
report and concurred with our recommendations and the need for
improvements in US-VISIT contract management and oversight. The
department disagreed with certain statements and provided
additional information about three examples of financial
management weaknesses in the report. Summaries of DHS's comments
and our response to each are provided below.
o The department characterized as misleading our statements that
US-VISIT (1) depended on other agencies to manage financial
matters for their respective contracts and (2) relied on another
agency for US-VISIT's own financial management support. With
respect to the former, DHS noted that the decision to use other
agencies was based on the nature of the services that were
required, which it said were outside the scope of the program
office's areas of expertise. We understand the rationale for the
decision to use other agencies, and the statement in question was
not intended to suggest anything more than that such a decision
was made. We have slightly modified the wording to avoid any
misunderstanding.
With respect to its own financial management, DHS said that for us
to declare that US-VISIT depended on another agency for financial
management support without identifying the agency and the system,
in combination with our acknowledging that we did not examine the
effectiveness of this unidentified system, implies that our
report's scope is broader than what our congressional clients
asked us to review. We do not agree. First, our report does
identify ICE as the agency that the program office relies on for
financial management support. Second, although we did not identify
by name the ICE financial management system, we did describe in
detail the serious financial management challenges at ICE, which
have been reported repeatedly by the department's financial
statement auditors and which have contributed to the department's
inability to obtain a clean audit opinion. Moreover, we fully
attributed these statements about these serious challenges to the
auditors.
o The department said that our statement regarding the purpose of
the contracts managed by AERC needed to be clarified, stating that
our report reflects the scope of the two contract actions reviewed
and not the broader scope of services under the interagency
agreement. We agree that the description of AERC services in our
report is confined to the scope of the two contract actions that
we reviewed. This is intentional on our part since the scope of
our review did not extend to the other services. We have modified
the report to clarify this.
o The department provided additional information about three
examples of invoice discrepancies and improper payments cited in
the report, including reasons why they occurred. Specifically, the
department said that the reason that CBP reported a 2002
contracting action as also a 2004 contracting action was because
of the concurrent merger of CBP within DHS and the implementation
of CBP's new financial system. It further stated that the reason
that US-VISIT made a duplicate payment to the prime contractor
was, at least partially, due to poor communication between
US-VISIT and its finance center. Regarding two other duplicate
payments, DHS stated that while the cause of the duplicate
payments is not completely clear from the available evidence, both
are almost certainly errors resulting from processes with
significant manual components, as opposed to deliberate control
overrides, since adequate funds were available in the correct
accounts for each case. The department also noted that
communications may have also contributed to one of these two
duplicate payments. We do not question the department's reasons or
the additional information provided for the other payments, but
neither changes our findings about the invoice discrepancies and
improper payments.
o The department stated that although the contractor initially
identified the AERC overpayment on September 13, 2005, the
US-VISIT program office independently identified the billing
discrepancy on November 1, 2005, and requested clarification from
AERC the following day. The department further stated that because
we describe the overpayment example in the report as being a small
dollar value, we should have performed a materiality test in
accordance with accounting principles in deciding whether the
overpayment should be disclosed in a public report.
We do not dispute whether the US-VISIT program independently
identified the overpayment in question. Our point is that an
invoice overpayment occurred because adequate controls were not in
place. In addition, while we agree that materiality is relevant to
determining whether to cite an example of an improper payment,
another relevant consideration to significance is the frequency of
the error. Our decision to disclose this particular overpayment
was based on our judgment regarding the significance of the error
as defined in generally accepted government auditing standards. It
is our professional judgment that this overpayment is significant
because of the frequency with which it occurred. Specifically, of
the eight invoices that we reviewed, four were improperly paid.
In oral comments, the Director of AERC questioned the
applicability of the criteria we used to evaluate AERC contract
management practices and our assessment of its process for
verifying and accepting deliverables. Despite these disagreements,
he described planned corrective actions to respond to our
findings.
o The Director stated in general that the Capability Maturity
Model Integration (CMMI)(R) model was not applicable to the
contracts issued by the Corps of Engineers, and in particular that
a contract oversight plan was not applicable to the two contract
actions that we reviewed. In addition, the Director commented that
AERC's practices were adequate to deal appropriately with
contractor performance issues had these been raised. Nonetheless,
to address this issue, the Director stated that AERC would require
the US-VISIT program office to submit an oversight plan describing
the project's complexity, milestones, risks, and other relevant
information, and it would appoint qualified CORs or COTRs to
implement the plans and monitor contractor performance.
We disagree with AERC's comments on the applicability of our
criteria. Although the CMMI model was established to manage IT
software and systems, the model's practices are generic and
therefore applicable to the acquisition of any good or service.
Specifically, the contractor management oversight practices
discussed in this report are intended to ensure that the
contractor performs the requirements of the contract, and the
government receives the services and/or products intended within
cost and schedule. We also do not agree that the contract actions
in question did not warrant oversight plans. Although the content
of oversight plans may vary (depending on the type, complexity,
and risk of the acquisition), each acquisition should have a plan
that, at a minimum, describes the oversight process, defines
responsibilities, and identifies the contractor evaluations and
reviews to be conducted. Since the chances of effective oversight
occurring are diminished without documented plans, we support the
program manager's commitment to require these plans in the future.
o Regarding an overpayment discussed in our report, the Director
indicated that this problem was resolved as described in DHS's
comments, and that in addition, AERC has procedures and controls
to prevent the government from paying funds in excess on a
firm-fixed price contract such as the one in question.
Nonetheless, the Director described plans for strengthening
controls over contract progress payments and invoices, including
having trained analysts review all invoices and ensuring that a
program/project manager has reviewed the invoices and submitted
written authorization to pay them. The Director also stated that
AERC has an established process for controlling and paying
invoices, which provides for verifying and accepting deliverables.
We do not consider that the AERC process was established because
although AERC officials described it to us, it was neither
documented nor consistently followed. For example, one contracting
action that we reviewed had three invoices that did not have a
signature or other documentation of approval, even though such
approval, according to AERC, is a required part of the process.
In oral comments, the GSA Assistant Commissioner disagreed with
the applicability of certain of the criteria that we used in our
assessment, as well as with our assessment that these and other
criteria had not been met. For example, the Assistant Commissioner
stated that regulations or policies do not require GSA to
establish and maintain a plan for performing the contract
oversight process, that its current practices and documents (such
as the contract statement of work and COR/COTR delegation letters)
in effect establish and maintain such a plan, that GSA documented
the oversight process and results to the extent necessary to
ensure contractor performance, and that GSA had established a
requirement to conduct contractor reviews. Although, as we state
in our report, GSA policies do not include a requirement for an
oversight plan, we still believe that it is appropriate to
evaluate GSA against this practice (which is consistent with sound
business practices and applies to any acquisition), and that GSA's
processes and activities did not meet the criteria for this
practice and ensure effective oversight of the contracts. We did
not find that the delegation letters and contract statements of
work were sufficient substitutes for such plans, because, for
example, they do not consistently describe the contractor
oversight process or contractor reviews. Further, the inclusion of
a requirement for contractor reviews in some contracts/statements
of work does not constitute agencywide policies and procedures for
performing reviews on all contracts.
GSA also provided further descriptions of its financial management
controls and oversight processes and activities, but these
descriptions did not change our assessment of GSA's financial
management controls or the extent to which the oversight processes
and activities satisfy the practices that we said were not
established49 or not consistently implemented. Among these
descriptions was information on an automated tool that GSA
provided its contracting officers; however, this tool was not used
during the period under review. GSA also provided certain
technical comments, which we have incorporated in our report, as
appropriate.
As agreed with your offices, unless you publicly announce the
contents of this report earlier, we plan no further distribution
until 30 days from the report date. At that time, we will send
copies of this report to the Chairmen and Ranking Minority Members
of the Senate and House Appropriations Committees, as well as to
the Chairs and Ranking Minority Members of other Senate and House
committees that have authorization and oversight responsibility
for homeland security. We will also send copies to the Secretary
of Homeland Security, the Secretary of Defense, the Administrator
of GSA, and the Director of OMB. Copies of this report will also
be available at no charge on our Web site at http:// www.gao.gov .
Should your offices have any questions on matters discussed in
this report, please contact Randolph C. Hite at (202) 512-3439 or
at [email protected] , or McCoy Williams at (202) 512-9095 or at
[email protected] . Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the
last page of this report. Key contributors to this report are
listed in appendix IV.
Randolph C. Hite Director, Information Technology Architecture and
Systems Issues
McCoy Williams Director, Financial Management and Assurance
List of Requesters
The Honorable Peter T. King Chairman The Honorable Bennie G.
Thompson Ranking Minority Member Committee on Homeland Security
House of Representatives
The Honorable Bob Filner House of Representatives
The Honorable Raul Grijalva House of Representatives
The Honorable Ruben Hinojosa House of Representatives
The Honorable Solomon Ortiz House of Representatives
The Honorable Silvestre Reyes House of Representatives
Our objective was to determine whether the Department of Homeland
Security (DHS) has established and implemented effective controls
for managing and overseeing contracts related to the U.S. Visitor
and Immigrant Status Indicator Technology (US-VISIT) program. To
address our objective, we assessed the implementation of key
contractor management controls at the program office and at other
DHS and non-DHS agencies responsible for managing US-VISIT-related
contracts. We also evaluated the program office's oversight of
US-VISIT-related contracts managed by these other organizations.
Finally, we reviewed internal control processes and procedures in
place over contract financial management.
Besides the US-VISIT program office, the organizations within DHS
that we identified as having responsibility for managing
US-VISIT-related contracts were
o Customs and Border Protection (CBP),
o the Transportation Security Agency (TSA), and
o Immigration and Customs Enforcement (ICE).
The non-DHS agencies performing work in support of US-VISIT were
o the General Services Administration (GSA) and
o the Army Corps of Engineers Architect-Engineer Resource Center
(AERC).
Contract management controls: To assess key contract management
controls and implementation of those controls at US-VISIT and
other agencies responsible for managing US-VISIT-related
contracts, we identified leading public and private sector
practices on contract management, such as those prescribed by the
Federal Acquisition Regulation (FAR)1 and Carnegie Mellon
University's Software Engineering Institute, which publishes the
Capability Maturity Model Integration.2 US-VISIT officials
identified the contracts being managed by the program, all within
the Acquisition Program Management Office (APMO). To evaluate the
management of the program's contracts, we assessed APMO's and
other agencies' documented policies against the leading practices
that we identified. We also determined the extent to which those
policies were applied to specific contracting actions and
determined the extent to which, if any, other formal or otherwise
established practices were used to manage or oversee the specific
contract actions. We also discussed any variances with agency
officials to determine the reasons why those variances existed.
In determining the extent to which practices/subpractices were
judged to be established/implemented, we categorized them into one
of the following:
o established/implemented,
o partially established/implemented, or
o not established/implemented.
We judged whether the practice was established, partially
established, or not established depending on whether the agency
had documented policies and procedures addressing the practice and
all, some, or none of the subpractices (where applicable). We
judged whether a practice was implemented, partially implemented,
or not implemented on the basis of documentation demonstrating
that the practice and all, some, or none of the subpractices
(where applicable) had been implemented for the contracting
actions that we reviewed.
We judged that an agency had "partially established" the
requirement for a practice or subpractice if the agency relied
only on the FAR requirement to perform this activity, but did not
establish a process (i.e., documented procedures) for how the FAR
requirement was to be met.
We judged that an agency had "partially implemented" a practice or
subpractice if it had implemented some, but not all, facets of the
practice (including its own related requirements for that
practice).
To select specific contracting actions for review, we analyzed
documentation provided by the program and by the DHS and non-DHS
agencies responsible for managing US-VISIT-related contracts, to
identify all contracting work performed in support of the program.
Program officials were unable to validate the accuracy,
reliability, and completeness of the list of contracting actions.
Therefore, we did not perform a statistical sampling of the
identified contracting actions. Rather, we judgmentally selected
from each agency one contracting action for US-VISIT-related work
awarded in each fiscal year from March 1, 2002, through March 31,
2005, focusing on service-based contracts. Thus, fiscal years 2002
through 2005 were each reviewed to some extent. Not all
organizations awarded contracting actions in every fiscal year
covered under our review, in which case an action was not selected
for that fiscal year for that organization. The contracting
actions selected from ICE were excluded in our analysis of the
implementation of management and financial controls because of
delays in receiving contract-specific documentation. One program
management contract that was reported to us by US-VISIT was
transferred to the program from ICE shortly before the end of our
review period, and so we were unable to determine, because of the
issues with ICE identified above, what management activities were
performed on the contract.
For each selected contracting action, we reviewed contract
documentation, including statements of work, project plans,
deliverable reviews, and other contract artifacts, such as
contractor performance evaluations. We then compared documentary
evidence of contract management activity to leading practices and
documented policies, plans, and practices. Finally, we determined
what, if any, formal or established oversight practices were in
existence at the contract level.
Table 5 shows the judgmental selection of contract actions that
were reviewed for each agency, including APMO.
31No results are provided for ICE regarding implementation of these
practices because we were unable to obtain contract documentation in time
for our analysis.
32The contracting officer is the person with authority to procure, enter
into, administer, and terminate contracts and make related determinations
and findings. The project manager is responsible for planning, directing,
controlling, structuring, and motivating the project. The COTR reviews
contractor performance regularly, ensures that contractual milestones are
met and standards are being maintained, conducts regular inspections of
contractor deliverables throughout the contract period, and ensures that
all contract conditions and clauses are acted upon.
33No results are provided for ICE regarding implementation of these
practices because we were unable to obtain contract documentation in time
for our analysis.
34All of the deficiencies were level 3, which TSA defines as a defect that
negatively impacts the environment and/or the application but that can be
overcome by a manual workaround, by additional training, or by addressing
the fix as part of a subsequent enhancement.
Program Office and Other Agencies' Contract Management Was Impaired by Financial
Management Weaknesses
Serious DHS Financial Management Problems Affected the Quality of Financial
Data for US-VISIT Contracts
35GAO, Financial Management: Department of Homeland Security Faces
Significant Financial Management Challenges, GAO-04-774 (Washington, D.C.:
July 19, 2004).
36For the 7-month period from March 1, 2003, to September 30, 2003, DHS
received a qualified opinion from its independent auditors on its
consolidated balance sheet as of September 30, 2003, and the related
statement of custodial activity for the 7 months ending September 30,
2003. Auditors were unable to opine on the consolidated statements of net
costs and changes in net position, combined statement of budgetary
resources, and consolidated statement of financing. For fiscal years 2004
and 2005, DHS's independent auditors were unable to opine on any of its
financial statements.
37DHS, Performance and Accountability Report: Fiscal Year 2005 (Nov. 15,
2005).
38Under standards issued by the American Institute of Certified Public
Accountants, "reportable conditions" are matters coming to the auditors'
attention relating to significant deficiencies in the design or operation
of internal controls that, in the auditors' judgment, could adversely
affect the department's ability to record, process, summarize, and report
financial data consistent with the assertions of management in the
financial statements. Material weaknesses are reportable conditions in
which the design or operation of one or more of the internal control
components does not reduce (to a relatively low level) the risk that
misstatements, in amounts that would be material in relation to the
financial statements being audited, may occur and not be detected in a
timely period by employees in the normal course of performing their
assigned functions.
39DHS, Performance and Accountability Report: Fiscal Year 2004 (Nov. 18,
2004), and Performance and Accountability Report: Fiscal Year 2005 (Nov.
15, 2005).
Program Office and Other DHS Agencies Did Not Adequately Track Billings and
Expenditures
40 GAO/AIMD-00-21 .3.1.
41 GAO-01-1008G .
42The $7.5 million reported as the invoiced amount is the addition of the
invoiced amounts reported separately for the 2002 and 2004 task order
numbers.
Several Payments to Contractors for US-VISIT Work Were Improperly Paid and
Accounted for
43 GAO-01-1008G .
44Refund documentation did not provide evidence showing whether DHS
officials or contractor staff noticed the overpayment.
45 GAO-01-1008G .
46DHS, Reimbursable Agreements, Management Directive System, MD 0710.1.
47Codified at 31 U.S.C. S:S: 3901-3904 and implemented at 5 C.F.R. pt
1315.
Conclusions
48DHS, Performance and Accountability Report: Fiscal Year 2005 (Nov. 15,
2005).
Recommendations for Executive Action
Agency Comments and Our Evaluation
49That is, the agency had not documented these processes and activities
and established their performance, as would be consistent with the best
practice.
Appendix I: Objective, Scope, and Methodology Appendix I: Objective,
Scope, and Methodology
1The FAR system establishes the uniform set of policies and procedures for
acquisition by all executive branch agencies. This system consists of the
primary FAR document and agency acquisition regulations that implement or
supplement the FAR.
2Capability Maturity Model Integration, Systems Engineering Integrated
Product and Process Development, Continuous Representation, version 1.1.
Table 5: Contract Actions Related to US-VISIT That Were Examined in This
Review
Source: GAO analysis of agency data.
aUS-VISIT did not manage any contracts before fiscal year 2004.
bIn fiscal years 2004 and 2005, GSA issued two task orders under the same
contract for similar types of work. Both of these task orders were
selected for our review.
cAERC did not issue new US-VISIT-related work in fiscal year 2004.
Contract oversight controls: To assess the program's oversight of
program-related contracts, we used DHS guidance pertaining to intra- and
intergovernmental contracting relationships,3 as well as practices for
oversight developed by us. We met with program office officials to
determine the extent to which the program office oversaw the performance
of US-VISIT-related contracts and identified the organizations performing
work in support of the program (as listed earlier). We met with these
organizations to determine the extent to which the program office
interacted with them in an oversight capacity.
Financial management controls: To assess internal control processes and
procedures in place over contract financial management, we reviewed
authoritative guidance on contract management found in the following:
o the FAR;
o our Policy and Procedures Manual for Guidance of Federal
Agencies, Title 7-Fiscal Guidance;
o Office of Management and Budget (OMB) Revised Circular A-123,
Management's Responsibility for Internal Control; and
o OMB Revised Circular A-76, Performance of Commercial
Activities.
We also reviewed DHS's performance and accountability reports for
fiscal years 2003, 2004, and 2005, including the financial
statements and the accompanying independent auditor's reports, and
we reviewed other relevant audit reports issued by us and
Inspectors General. We interviewed staff of the independent public
accounting firm responsible for auditing ICE and the DHS bureaus
for which ICE provides accounting services (including US-VISIT).
We obtained the congressionally approved budgets for US-VISIT work
and other relevant financial information. For each of the
contracting actions selected for review, listed above, at
US-VISIT, AERC, GSA, CBP, and TSA, we obtained copies of available
invoices and related review and approval documentation. We
reviewed the invoice documentation for evidence of compliance with
our Standards for Internal Control in the Federal Government and
Internal Control Management and Evaluation Tool.4 Specifically, we
reviewed the invoices for evidence of the performance of certain
control activities, including the following: review and approval
before payment by a contracting officer, contracting officer's
technical representative, and other cognizant officials;
reasonableness of expenses billed (including travel) and their
propriety in relation to US-VISIT; payment of the invoice in the
proper amount and to the correct vendor; payment of the invoice
from a proper funding source; and payment of the invoice within 30
days as specified by the Prompt Payment Act. We also reviewed the
invoices for compliance with requirements of the specific contract
provisions for which they were billed. We did not review invoice
documentation for the selected contracting actions managed by ICE,
because ICE did not provide us with invoice documentation for all
requested contracts in time to meet fieldwork deadlines.
We also obtained copies of invoices paid through July 2005 and
available payment review and approval documentation on the prime
contract from the ICE finance center. We reviewed this
documentation for evidence of execution of internal controls over
payment approval and processing. In addition, we performed data
mining procedures on the list of payments from APMO for unusual or
unexpected transactions. Based on this analysis, we chose a
judgemental selection of payments and reviewed their related
invoice and payment approval documentation.
We interviewed agency officials involved with budgeting, financial
management, contract oversight, and program management at the
program office, ICE, CBP, TSA, AERC, and GSA. We obtained and
reviewed DHS and US-VISIT policies, including
o the DHS Acquisition Manual;
o US-VISIT Contract Management and Administration Plan;
o US-VISIT Acquisition Procedures Guide (APG-14)-Procedures for
Invoice Review and Approval;
o DHS Management Directive 0710.1 (Reimbursable Agreements); and
o CBP and ICE's standard operating procedures regarding financial
activities.
We also interviewed representatives from the prime contractor to
determine how they track certain cost information and invoice the
program. In addition, we observed how requisitions and obligations
are set up in the financial management system used by the program.
We observed invoice processing and payment procedures at the CBP
and ICE finance centers, the two major finance centers responsible
for processing payments for program-related work. From the CBP
finance center, we obtained data on expenditures for
US-VISIT-related work made by CBP from fiscal year 2003 through
fiscal year 2005. From the ICE finance center, which processes
payments for the program office, we obtained a list of payments
made by US-VISIT from August 2004 through July 2005. We did not
obtain this level of detail for expenditures at AERC and GSA
because these agencies are external to DHS; therefore we do not
report on the reliability of expenditure reporting by either
agency.
From ICE's finance center, we also obtained and reviewed a list of
Intra-governmental Payment and Collection system transactions paid
by the US-VISIT program office to its federal trading partners
through September 30, 2005. We requested a list of expenditures on
program-related contracts managed by ICE; however, ICE was unable
to provide a complete, reliable list. Officials at ICE's Debt
Management Center, however, did provide a list of ICE's
interagency agreements related to US-VISIT.
In assessing data reliability, we determined that the available
data for this engagement were not sufficiently reliable for us to
conduct statistical sampling or to base our conclusions solely on
the data systems used by the program and other agencies managing
US-VISIT-related contracts. Specifically, the contracting actions
managed by the program office and these agencies were
self-reported and could not be independently validated. Further,
recent audit reports found that the financial system used by the
program office and ICE was unreliable, and because of the system,
among other reasons, the auditors could not issue an opinion on
DHS's fiscal year 2004 and 2005 financial statements. Our
conclusions, therefore, are based primarily on documentary reviews
of individual contracting actions and events, and our findings
cannot be projected in dollar terms to the whole program.
We conducted our work at
o DHS finance centers in Dallas, Texas and Indianapolis, Indiana;
o CBP facilities in Washington, D.C., and Newington, Virginia;
o ICE facilities in Washington, D.C.;
o TSA facilities in Arlington, Virginia;
o the US-VISIT program offices in Rosslyn, Virginia; and
o GSA and AERC facilities in Ft. Worth, Texas.
Our work was conducted from March 2005 through April 2006, in
accordance with generally accepted government auditing standards.
We evaluated the extent to which the agencies covered by our
review (US-VISIT APMO, GSA, AERC, CBP, TSA, and ICE1) had
established and implemented effective contract management and
oversight practices for the contracting actions that we reviewed.
Details are presented, by agency, in this appendix. Some practices
are further divided into subpractices. The extent to which
practices/subpractices were judged to be established/implemented
was categorized as one of the following:
0M = established/implemented
0L = partially established/implemented
0m = not established/implemented
We judged whether the practice was established, partially
established, or not established depending on whether the agency
had documented policies and procedures addressing the practice and
all, some, or none of the subpractices (where applicable). We
judged whether a practice was implemented, partially implemented,
or not implemented on the basis of documentation demonstrating
that the practice and all, some, or none of the subpractices
(where applicable) had been implemented for the contracting
actions that we reviewed.
We judged that an agency had "partially established" the
requirement for a practice or subpractice if the agency relied
only on the FAR requirement to perform this activity, but did not
establish a process (i.e., documented procedures) for how the FAR
requirement was to be met.
We judged that an agency had "partially implemented" a practice or
subpractice if it had implemented some, but not all, facets of the
practice (including its own related requirements for that
practice).
3DHS, Reimbursable Agreements, Management Directive System, MD 0710.1.
4 GAO/AIMD-00-21 .3.1; GAO-01-1008G .
Appendix II: Comments from the Department of Homeland Security Appendix
II: Comments from the Department of Homeland Security
Appendix III: Detailed Agency Evaluations Appendix III: Detailed Agency
Evaluations
1No results are provided for ICE regarding implementation of best
practices, because we were unable to obtain contract documentation in time
for analysis.
Table 6: Evaluation of US-VISIT Acquisition and Program Management Office
Legend:
0M = Established/implemented
0L = Partially established/implemented
0m = Not established/implemented
Sources: Software Engineering Institute (SEI), GAO analysis of agency
data.
Note: The following are the services provided in the contracts described,
by fiscal year.
FY 2004: Program-level management
FY 2005: US-VISIT strategic plan development
Table 7: Evaluation of General Services Administration
Legend:
0M = Established/implemented
0L = Partially established/implemented
0m = Not established/implemented
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contracts described,
by fiscal year.
FY 2002: Pre-award and post-award acquisition services
FY 2003: Planning and mobilization for feasibility studies
FY 2004: Program management of US-VISIT at ports of entry
FY 2005: Program management of US-VISIT at ports of entry
Table 8: Evaluation of Army Corps of Engineers Architect-Engineer Resource
Center
Legend:
0M = Established/implemented
0L = Partially established/implemented
0m = Not established/implemented
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contracts described,
by fiscal year.
FY 2003: On-site program management at ports of entry
FY 2005: Economic impact assessment of US-VISIT along northern and
southern borders
Table 9: Evaluation of Customs and Border Protection
Legend:
0M = Established/implemented
0L = Partially established/implemented
0m = Not established/implemented
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contracts described,
by fiscal year.
FY 2002: Commercial recovery services
FY 2003: Infrastructure upgrades at ports of entry
FY 2004: Software maintenance and development for Increment 2B
Table 10: Evaluation of Transportation Security Administration
Legend:
0M = Established/implemented
0L = Partially established/implemented
0m = Not established/implemented
Sources: SEI, GAO analysis of agency data.
Note: The following are the services provided in the contract described:
FY 2003: Air/sea exit
Table 11: Evaluation of Immigration and Customs Enforcement
Legend:
0M = Established
0L = Partially established
0m = Not established
Sources: SEI, GAO analysis of agency data.
Appendix IV: GAO Contacts and Staff Acknowledgments
GAO Contacts
Randolph C. Hite, (202) 512-3439 or [email protected]
McCoy Williams, (202) 512-9095 or [email protected]
Staff Acknowledgments
In addition to the contacts named above, the following people made key
contributions to this report: Deborah Davis, Assistant Director; Casey
Keplinger, Assistant Director; Sharon Byrd; Shaun Byrnes; Barbara Collier;
Marisol Cruz; Francine Delvecchio; Neil Doherty; Heather Dunahoo; Dave
Hinchman; James Houtz; Stephanie Lee; David Noone; Lori Ryza; Zakia
Simpson; and Charles Youman.
(310600)
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548
www.gao.gov/cgi-bin/getrpt? GAO-06-404 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Randolph C. Hite at (202) 512-3439 or McCoy
Williams at (202) 512-9095.
Highlights of GAO-06-404 , a report to congressional requesters
June 2006
HOMELAND SECURITY
Contract Management and Oversight for Visitor and Immigrant Status Program
Need to Be Strengthened
The Department of Homeland Security (DHS) has established a
multibillion-dollar program-U.S. Visitor and Immigrant Status Indicator
Technology (US-VISIT)-to control and monitor the pre-entry, entry, visa
status, and exit of foreign visitors. To deliver system and other program
capabilities, the program relies extensively on contractors, some of whom
are managed directly by US-VISIT and some by other agencies (including
both DHS agencies, such as Customs and Border Protection, and non-DHS
agencies, such as the General Services Administration). Because of
US-VISIT's heavy reliance on contractors to deliver program capabilities,
GAO was asked to determine whether DHS has established and implemented
effective controls for managing and overseeing US-VISIT-related contracts.
What GAO Recommends
GAO is making recommendations to the Secretary of Homeland Security to
ensure that effective contract management and financial controls are
established and implemented both for contracts managed by the US-VISIT
program office and for those managed by other agencies. In written
comments on a draft of this report, DHS concurred with the
recommendations. In oral comments, officials from other agencies provided
comments aimed at clarifying selected GAO statements.
US-VISIT-related contracts have not been effectively managed and overseen.
The US-VISIT program office established and implemented certain
nonfinancial controls for those contracts that it managed directly, such
as verifying that contractor deliverables satisfied established
requirements. However, it did not implement effective controls for
overseeing its contracts managed by other DHS agencies and by non-DHS
agencies. Moreover, effective financial controls were not in place on any
contracts that GAO reviewed (see table for agencies managing these
contracts).
o The program office did not know the full extent of
US-VISIT-related contract actions, and it had not performed key
nonfinancial practices associated with understanding contractor
performance in meeting the terms of these contracts. This
oversight gap was exacerbated by the fact that the other agencies
had not always established and implemented effective controls for
managing their respective contracts. These other agencies directly
managed more than half (56 percent) of the total US-VISIT-related
contract obligations reported to GAO.
o The program office and other agencies did not implement
effective financial controls. Without these controls, some
agencies were unable to reliably report US-VISIT contracting
expenditures. Further, the program office and these other agencies
improperly paid and accounted for related invoices, including
making duplicate payments and payments for non-US-VISIT services
with funds designated for US-VISIT.
According to the US-VISIT program official responsible for contract
matters, the program office has focused on contracts that it manages
directly and decided to rely on the responsible agencies to manage the
other contracts. Further, it has decided to use other agencies to properly
manage financial matters for their respective contracts, and it also
decided to rely on another agency for its own financial management
services. Without effective contract management and oversight controls,
the program office does not know that required program deliverables and
mission results will be produced on time and within budget, and that
proper payments are made.
Agencies Managing US-VISIT-Related Contracts
Source: GAO analysis.
*** End of document. ***