This is the accessible text file for GAO report number GAO-08-716R 
entitled 'Financial Management: FBI Has Designed and Implemented 
Stronger Internal Controls over Sentinel Contractor Invoice Review and 
Equipment Purchases, but Additional Actions Are Needed' which was 
released on July 15, 2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-08-716R: 

July 15, 2008: 

The Honorable Arlen Specter:
Ranking Member:
Committee on the Judiciary:
United States Senate: 

Subject: Financial Management: FBI Has Designed and Implemented 
Stronger Internal Controls over Sentinel Contractor Invoice Review and 
Equipment Purchases, but Additional Actions Are Needed: 

Dear Senator Specter: 

In February 2006, we reported on significant internal control 
deficiencies related to contractor payments and property accountability 
associated with the development of the Federal Bureau of 
Investigation's (FBI) Trilogy information technology (IT) modernization 
project.[Footnote 1] In that audit, we found FBI's invoice review and 
approval process did not provide an adequate basis to verify that goods 
and services billed were actually received and that amounts billed were 
appropriate. We also found that FBI relied extensively on Trilogy 
contractors to purchase and account for Trilogy equipment without 
controls or data to verify the accuracy and completeness of the 
contractor records. Additionally, once FBI took possession of the 
Trilogy equipment, it did not have adequate controls to safeguard those 
assets. FBI is now acquiring and deploying a new automated case 
management system, known as Sentinel, to replace the case management 
system that was to be delivered as part of the Trilogy project. 
Sentinel is being developed in four phases at an estimated cost of $425 
million and is scheduled to be completed in May 2010. Phase 1 of the 
project was completed in June 2007. 

In light of the problems we found concerning the predecessor Trilogy 
project, you asked us to review the internal controls over expenditures 
related to the development and implementation of Sentinel. 
Specifically, you asked us to assess the design and implementation of 
FBI's internal controls over the Sentinel project for (1) preventing or 
detecting improper payments to project contractors and (2) maintaining 
proper accountability for equipment purchased for the project. Further, 
to the extent weaknesses were found, you asked us to determine whether 
those weaknesses resulted in improper payments or missing equipment. 

To assess the design and implementation of FBI's controls over Sentinel 
contractor invoice review and equipment purchases, we obtained and 
reviewed the Sentinel contracts, purchase orders, and statements of 
work; the internal control policies and procedures developed by the 
Sentinel Program Management Office (PMO); and the invoices and 
accompanying supporting documentation submitted by Lockheed Martin, the 
system development contractor, and the five companies assisting the PMO 
in managing the project. We analyzed labor, overhead, and general and 
administrative expense (G&A) rates billed by the contractors; and 
examined property management records including purchase orders, 
Lockheed Martin's database established to track equipment purchased for 
Sentinel, and FBI's official property management records. We also 
reviewed FBI's final reconciliation of all property acquired for Phase 
1 of the Sentinel project. We reviewed approved contractor invoices and 
equipment purchases for Phase 1 of the project, covering the period 
from May 2005--when contractors began billing for Sentinel activities -
-through November 2007, when Lockheed Martin submitted its final Phase 
1 invoice. We also discussed with FBI, PMO, and contractor officials 
the policies, procedures, and practices used to review contractor 
invoices and account for purchased equipment. Enclosure I provides 
additional details on our scope and methodology. 

We conducted this performance audit from August 2006 through May 2008 
in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform our audits to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Results in Brief: 

FBI has designed and implemented internal controls over the review and 
approval of Sentinel contractor invoices that have reduced the risk of 
improper contractor payments. FBI established the Sentinel PMO to 
provide day-to-day oversight over both the technical and financial 
aspects of the project. The PMO designed policies and procedures that 
assign invoice-review responsibilities and require Sentinel contractors 
to provide detailed support for all invoiced amounts and to obtain 
advance approval from the PMO for travel, overtime, and other direct 
costs. The PMO's policies also require contractors to provide monthly 
progress reports that link invoiced amounts to tasks completed and 
explain any anomalies with the invoice. The PMO Business Management 
Team (BTM) is also assigned the task of assessing each submitted 
contractor invoice to determine whether invoiced costs are 
mathematically accurate and adequately supported. Our testing of these 
controls determined that the PMO had effectively implemented them. We 
did not identify any questionable contractor payments. 

The Sentinel PMO has also taken steps to improve the design and 
implementation of internal controls over purchased Sentinel equipment. 
In April 2007, the PMO hired a full-time Sentinel property manager to 
oversee the property management process. The property manager is 
responsible for maintaining accountability (physical and financial) 
over equipment purchased for the Sentinel project. The PMO established 
policies and procedures to help ensure equipment purchases are properly 
authorized and that received property is timely inspected and entered 
into FBI's Property Management Application (PMA) to be tracked and 
inventoried. Overall, with additional enhancements to these controls to 
address the issues noted below, the PMO's established policies and 
procedures would help ensure accountability over Sentinel equipment. 
Specifically, our testing of the implementation of the PMO property 
controls found opportunities for the PMO to improve controls by: 

* establishing procedures to ensure the accuracy and completeness of 
the Lockheed Martin database used to establish the official FBI 
property record in PMA. Our initial testing of this contractor database 
found that it was corrupted and did not agree with either PMA or the 
supporting vendor invoices; 

* reconciling its asset records to the underlying source documents as 
part of the monthly invoice review and approval process. We found asset 
values had to be adjusted at the end of Phase 1 because assets were 
initially recorded in PMA using estimated costs rather than actual 
costs; 

* establishing policies and procedures to document the initial 
inspection of Sentinel assets and verification of the barcodes assigned 
to the property; and: 

* capturing the date property was received so that the PMO could 
monitor compliance with its policy to record all accountable property 
in PMA within 27 days of receipt. 

Our testing did not identify any missing assets. However, we found 20 
property records for which there were valuation discrepancies between 
the contractor database, PMA, and the supporting vendor invoices. We 
referred these records to the PMO to investigate and resolve. 

We are making five recommendations to FBI to help strengthen the PMO's 
asset accountability polices and procedures. If properly implemented, 
these actions will help ensure that Sentinel property records are 
accurate, complete, and recorded timely in the PMA. 

We received written comments from FBI on a draft of this report. FBI 
concurred with our recommendations regarding strengthening 
accountability for Sentinel equipment. FBI's comment letter is 
reprinted in enclosure II. FBI also provided separate technical 
comments which we have considered and incorporated into this report as 
appropriate. 

Background: 

In May 2001, FBI initiated a major IT upgrade project known as Trilogy 
to modernize its IT infrastructure and systems and provide needed 
applications, including a modern investigative case management system, 
to help FBI agents, analysts, and others do their jobs. In March 2004, 
after scheduling delays, cost overruns, and a failure to deliver the 
envisioned case management system component which became known as the 
Virtual Case File (VCF), you asked us to audit the costs of the 
project, which then totaled approximately $537 million. Our audit of 
Trilogy costs identified significant internal control deficiencies over 
the processing, review, approval, and payment of invoices as well as 
the accountability and control over assets purchased under the Trilogy 
project.[Footnote 2] 

More specifically, with respect to invoice processing, we reported that 
FBI's review and approval process for Trilogy's contractor invoices did 
not provide an adequate basis for verifying that goods and services 
billed were actually received by FBI or that payments were for 
allowable costs. This occurred in part because responsibility for the 
review and approval of invoices was not clearly defined and because 
contractor invoices frequently lacked the detailed supporting 
documentation necessary to facilitate an adequate invoice review 
process. During our audit, we identified more than $10 million in 
questionable contractor costs paid by the FBI. With respect to 
property, we reported that FBI (1) did not adequately maintain 
accountability for computer equipment; (2) relied extensively on 
contractors to account for Trilogy assets while they were being 
purchased, warehoused, and installed; (3) did not establish controls to 
verify the accuracy and completeness of contractor records it was 
relying on; (4) did not ensure that only the items approved for 
purchase were acquired by the contractors, and that it received all 
those items; and (5) did not establish adequate physical control over 
the assets. As a result of these deficiencies, we identified more than 
1,200 pieces of missing equipment which we estimated to be worth more 
than $7.5 million. 

In March 2005, FBI discontinued the virtual case file component of its 
Trilogy project after VCF was determined to be infeasible and cost 
prohibitive to implement as originally envisioned. FBI's Sentinel 
project was approved in July 2005 to both succeed and expand the failed 
VCF component. The Sentinel project is intended to provide FBI with a 
modern, automated investigative case management system that will 
facilitate information sharing and help field agents and intelligence 
analysts perform their jobs more effectively and efficiently. The 
system is based on commercially available software and hardware 
components and is being acquired and implemented in four phases. The 
primary deliverables for each of the four phases include: 

Phase 1: A Web-based portal that will provide access to data in FBI's 
existing Automated Case Support system (ACS) and other legacy systems 
and which eventually, through incremental changes in subsequent phases, 
will support access to the newly created investigative case management 
system. 

Phase 2: Case document and records management capabilities, document 
repositories, improved information assurance, application workflow, and 
improved data labeling to enhance information sharing. 

Phase 3: Updated and enhanced system storage and search capabilities. 

Phase 4: Remaining case management system components, including 
reporting capabilities, and migration of closed case data from ACS to 
the new system and retirement of ACS. 

Lockheed Martin was awarded the Sentinel development contract in March 
2006 through a governmentwide acquisition contract. The contract is a 
cost-plus award fee contract under which task orders will be issued for 
each phase of the project to be completed. Under a cost-plus award fee 
contract, costs incurred by the contractor that are allowable, 
reasonable, and allocable to the contract are reimbursed and fees may 
be awarded to the contractor based on acceptable performance. Under 
this type of contract, the government assumes most of the cost risk. 
The Federal Acquisition Regulation (FAR) requires agencies to mitigate 
this risk through adequate government oversight during the performance 
of the contract. In addition, the contractor must have adequate 
accounting systems to record and bill costs. 

The Sentinel project and PMO are supported by five other contracted 
firms. These companies are providing administrative and engineering 
services to support the requirements definition, acquisition, and 
development support for the Sentinel system. Two of these firms are 
also under cost-plus award fee contracts while the other three are 
under time and material (T&M) contracts. Under a T&M contract, the 
government agrees to pay fixed per-hour labor rates and to reimburse 
other costs directly related to the contract, such as materials, 
equipment, or travel, based on cost. Again, the government assumes the 
cost risk because the requirement for the contractor is to make a good 
faith effort to meet the government's needs within a ceiling price. 
Accordingly, the government must monitor contractor performance to 
ensure efficient methods and effective cost controls are being used. 

According to FBI officials and documents related to Sentinel, Phase 1 
of the project was deployed in June 2007. Overall, FBI estimates that 
the Sentinel project will be completed in May 2010 and cost $425 
million, including $305 million for system acquisition and development 
costs and $120 million for contractor support and PMO costs. 

FBI Designed and Implemented Stronger Internal Controls over the Review 
of Sentinel Contractor Invoices: 

We found FBI has taken a number of actions to strengthen the design and 
implementation of internal controls over the review and approval of 
Sentinel contractor invoices, including the establishment of the 
Sentinel PMO to oversee on a daily basis all technical and financial 
aspects of the Sentinel project and the development of Sentinel- 
specific invoice processing policies and procedures. We determined that 
these policies and procedures, if properly implemented, should reduce 
the risk of improper payments to Sentinel contractors. In testing the 
implementation of these controls, we found the PMO had effectively 
implemented its invoice-processing controls. We did not identify any 
questionable contractor payments. 

Policies and Procedures Issued for Sentinel Invoice Processing: 

Standards for internal control in the federal government state that 
management is responsible for developing internal control activities to 
help ensure that management's directives are achieved.[Footnote 3] 
Control activities are the policies, procedures, and mechanisms that 
enforce management's directives. Control activities include a wide 
range of diverse activities such as approvals, authorizations, 
verification, reconciliations, and the creation and maintenance of 
related records that provide evidence that these activities have been 
executed and documented. 

Based on our review of Sentinel invoice processing policy and 
procedures, examples of underlying documentation, and interviews with 
PMO staff, we found the PMO has established requirements for the 
Sentinel project that meet internal control standards for invoice 
review and approval. These requirements are responsive to the 
recommendations for correcting the invoice-processing deficiencies we 
identified in our prior Trilogy work and, if implemented properly, will 
help to ensure accurate and proper payments for goods and services 
purchased for the project. 

For example, the PMO's Sentinel invoice-processing policy specifies the 
roles and responsibilities for the parties involved in the review and 
approval of Sentinel invoices. Specifically, the Contracting Officer's 
Technical Representative (COTR) and the PMO Business Management Team 
(BMT) have responsibility for reviewing the invoices to ensure that 
billed work has been performed and is within the scope of the contract; 
that sufficient funds are available to pay the amounts billed; and that 
the work has not been previously invoiced. The Sentinel Unit Chiefs 
(UC) are responsible for validating invoice charges to ensure that 
labor hours billed, travel expenses, and other direct charges (ODCs) 
are appropriate, reasonable, and have been delivered in accordance with 
the contract statement of work. The BMT records and tracks invoice 
charges and vendor payments against purchase orders and compares actual 
expenditures against planned expenditures. The Sentinel Program Manager 
or Deputy Program Manager is responsible for final approval of invoices 
for payment after verification of invoice charges by the UCs and 
invoice certification by the COTR. The Contracting Officer processes 
and forwards approved invoices to the FBI's Commercial Payments Unit. 
In addition, the Sentinel PMO has a staff auditor to perform detailed 
analyses of all contractor invoices. 

Further, the Sentinel invoice-processing policy requires verification 
that contractor invoices provide detailed supporting information, 
including documentation for invoiced labor, travel, subcontractor 
services, equipment, and other charges. The internal staff auditor 
makes an assessment of this documentation and when necessary, 
recommends that the COTR obtain additional supporting documentation or 
withhold payment for unsupported costs. The policy also requires 
advanced approval for overtime, travel, and other direct costs. 

Also, the Sentinel policy establishes monthly reporting requirements 
for the contractors. The policy also requires contractors to provide a 
detailed analysis of any labor rate variances, verification of receipt 
for any equipment or software, and a report describing any unusual 
invoiced amounts such as previously suppressed charges that are now 
being billed. The monthly reporting requirements help to establish a 
link between amounts invoiced and the contractor's performance. 
Finally, the PMO has established an invoice-review checklist to help 
ensure that all key invoice-review requirements have been met. 

Implementation of Sentinel Invoice Processing Controls: 

We obtained and reviewed each of the 15 Lockheed Martin and all of the 
142 PMO support contractors' monthly invoices submitted for Phase 1 of 
Sentinel. These invoices totaled approximately $83 million and included 
Lockheed Martin's $60.3 million for system development and 
implementation costs and $22.9 million in costs for the five PMO 
support contractors. Based on our review of these 157 invoices and the 
supporting documentation, we found that the PMO has effectively 
implemented the invoice-review procedures established for Sentinel. 

Specifically, except for a few instances, the contractor invoices had 
the required PMO officials' approval and the supporting documentation 
included the required monthly status reports. We found that the PMO BMT 
staff is, as specified in the Sentinel invoice-processing policy and 
procedures, routinely performing mathematical checks of accuracy and 
tracing invoiced direct costs back to detailed support in the invoice 
package, such as vendor invoices for equipment, labor detail reports, 
or travel detail reports or vouchers. Additionally, according to PMO 
management, the BMT is periodically, as required, selecting contractor 
employees, obtaining time sheets from the contractor, and comparing 
time sheet data to the hours charged to Sentinel to verify that the 
charges are reasonable and supported by the relevant time sheet data. 
For the invoices containing equipment purchases, we saw that all 
equipment purchased and invoiced had been traced back (mapped) to the 
Bill of Material (BOM) to verify the purchase had been authorized. 

We also traced invoiced costs (i.e., labor, material and travel costs) 
back to the supporting documentation accompanying the invoice and found 
the support to be adequate to validate the charges. (The lack of 
adequate supporting documentation was a significant deficiency 
identified during our prior work on Trilogy.) In a few cases, we found 
that the PMO denied payment of certain charges that it determined were 
either not adequately supported, had been previously billed, had not 
been pre-approved, or represented over billings. We also compared the 
direct labor rates and other indirect cost rates charged on the 
invoices (i.e., overhead, general and administrative, cost of money, 
and fees) back to the contracts and other supporting documentation 
provided to us and found that the contractors had charged the 
appropriate rates. We also found that the PMO kept a log to track the 
invoice deficiencies it identified and their resolution. This can offer 
valuable insights into recurring issues and thus a basis for assessing 
the need for enhancements to invoice-processing policies and 
procedures. We did not identify any questionable contractor payments in 
our review of the invoices. 

FBI Has Designed and Implemented Policies to Strengthen Accountability 
Over Sentinel Equipment but Opportunities to Further Strengthen 
Controls Remain: 

We found the Sentinel PMO has taken steps to design and implement 
effective internal control policies and procedures over purchased 
Sentinel equipment. These steps include hiring a Sentinel property 
manager in April 2007 and issuing Sentinel-specific policies and 
procedures on how to account for Sentinel equipment. These policies and 
procedures should help ensure that equipment purchases are properly 
authorized and that received property is timely inspected and entered 
into PMA to be tracked and inventoried. However, we did identify some 
opportunities to further enhance both the design and implementation of 
controls in this area including: 

* controls to ensure the asset tracking database is accurate and 
complete and that records in it and PMA are reconciled and adjusted as 
necessary, 

* controls to document that property shipments have been promptly 
inspected and accepted, and: 

* controls to ensure that property is recorded in PMA in a timely 
manner. 

In addition, while we did not identify any missing assets as part of 
our testing of the PMO's property controls, we referred records for 20 
assets with valuation concerns to the PMO to research and resolve. 

Policies and Procedures Issued for Accountability over Sentinel 
Equipment: 

Standards for internal control in the federal government require that 
internal controls be designed to provide reasonable assurance regarding 
prevention of or prompt detection of unauthorized acquisition, use, or 
disposition of an agency's assets.[Footnote 4] Further, an agency must 
establish physical control to secure and safeguard vulnerable assets 
(such as computers or sensitive equipment). Such assets should be 
periodically counted and compared to control records, with adjustments 
made as necessary. 

For the Sentinel project, FBI established the Sentinel PMO to manage 
all aspects of the project, including maintaining accountability for 
purchased equipment. In turn, the PMO established specific internal 
control policies and procedures to account for purchased equipment, 
including accountable property items. According to FBI policy, 
accountable property (i.e., assets valued at $2,500 or more, as well as 
certain sensitive items) must be accounted for in PMA, an automated 
management system that allows FBI to track the cost, location, and 
history of its accountable assets. The specific policies for the 
Sentinel project require the PMO to: 

* establish its own database for tracking equipment purchases under the 
Sentinel project; 

* verify that all invoiced equipment was authorized under the BOM; 

* compare received property with the packing lists or invoice; 

* affix all accountable property with a bar code for tracking; 

* enter accountable property in PMA within 27 days of receipt, and; 

* conduct an annual inventory of all accountable Sentinel equipment. 

The PMO hired a full-time Sentinel property manager in April 2007 to 
provide additional oversight for Sentinel assets and to ensure that the 
PMO's asset management policies and procedures are effectively 
implemented. Until the property manager was hired, the Business 
Management Unit Chief and a temporarily detailed FBI Asset Management 
Unit employee tracked and managed purchased Sentinel assets. The 
Property Manager has now assumed these responsibilities. The PMO has 
issued updated Sentinel asset policies and procedures which include 
additional controls. In addition, a new BOM Deviation policy has been 
established in response to a prior finding by the Department of Justice 
Office of Inspector General (DOJ IG). 

Implementation of Sentinel Asset Accountability Controls: 

For Phase 1 of Sentinel, more than 750 pieces of accountable property 
were purchased by Lockheed Martin or directly by FBI. Total property 
purchased for Phase 1 of Sentinel was valued at $26.3 million. Lockheed 
Martin procured more than 490 of these assets valued at $24.1 million. 
We performed detailed tests on assets comprising about 85 percent of 
equipment costs invoiced by Lockheed Martin and additional detailed 
tests on the property acquired directly by FBI. As discussed in the 
following sections, our testing identified opportunities for further 
enhancement of property controls. 

Asset-Tracking Database: 

The PMO did not establish its own asset-tracking database, as required 
by its policies and procedures, to track Sentinel equipment purchased 
by Lockheed Martin. Instead, the PMO decided to utilize, with some 
modification, the asset-tracking database developed and administered by 
Lockheed Martin. Using a contractor to create and maintain the asset- 
tracking database can be an effective control mechanism provided that 
appropriate managerial and oversight measures are taken to 
independently verify that all equipment has been accurately recorded in 
the database. The PMO uses this contractor database to create FBI's 
official property record in PMA. 

To test the accuracy and completeness of this database, we attempted to 
match the records in it with FBI's official PMA records and vendor 
invoices. At the time of our test, most of the records we reviewed from 
the database contained discrepancies. The bar codes, serial numbers, 
cost, and other key information for the accountable property items 
recorded in the database did not agree to PMA records and vendor 
invoices. Furthermore, these discrepancies had not been detected by the 
PMO, indicating that it did not have adequate procedures for 
independently monitoring the accuracy and completeness of the 
contractor records upon which it was relying to create FBI's official 
property record. 

We identified two causes for the discrepancies: (1) the Lockheed Martin 
database (an Excel spreadsheet) had become corrupted, most likely as a 
result of an unintended sorting error, resulting in misaligned data 
fields that could not be matched to the vendor invoices or PMA and (2) 
many asset costs had been initially entered into PMA at estimated 
values based on the BOM or using other methods of estimating the cost. 
PMA requires a cost amount to be entered to create a property record in 
the system. PMO officials told us that they used estimates so that they 
could more timely establish a record of the property for tracking 
purposes. Actual costs - obtained from the Lockheed Martin monthly 
invoices and accompanying supporting documentation - may not have been 
available until a month or more after property was received. Actual 
costs were accumulated in a work-in-progress account to be assigned 
later. 

Once the final Lockheed Martin invoice for Phase 1 was received in 
December 2007, FBI attempted to reconcile all sources of data to ensure 
an accurate final costing of materials, and performed a comprehensive 
review of the BOM, the Lockheed Martin invoices, the asset database, 
and FBI data contained in PMA to produce an accurate asset database 
that supported FBI's property records. This effort was completed at the 
end of March 2008. As part of this process, asset values were adjusted 
to reflect actual invoiced costs. We analyzed the reconciled property 
records and found them to generally be in agreement, although we found 
20 property records for which there were valuation discrepancies 
between the revised database, PMA, and the vendor invoices. We referred 
these records to the PMO for investigation. 

Authorization and Receipt of Sentinel Equipment: 

To determine whether each purchase has been authorized, the PMO's 
invoice review procedures include a requirement that the COTR and the 
BMU support staff, including the staff auditor, "map" or trace all 
equipment that Lockheed Martin had invoiced FBI for back to the BOM. 
The BOM, which was part of Lockheed Martin's accepted proposal, 
detailed the equipment that would need to be purchased to build and 
implement the Sentinel system. We reviewed the PMO staff auditor's 
documentation of this procedure and found sufficient evidence to 
indicate this control had been effectively implemented. Related to this 
control, the DOJ IG, as part of its oversight of the Sentinel project, 
reported in August 2007 that there was a significant flaw in the PMO's 
policy with regard to obtaining required approvals for changes to the 
original BOM.[Footnote 5] They reported that although the BOM Deviation 
Policy stated that a deviation is any addition or deletion to the BOM, 
the policy did not require FBI approval for these additions or 
deletions. At the time of our review, the PMO was revising its BOM 
deviation policies to address the IG's finding. The revised BOM 
Deviation policy was issued in January 2008. 

To verify the property shipped to Lockheed Martin was received and 
properly bar coded, PMO and Lockheed Martin officials told us that for 
every property shipment, a PMO official visits Lockheed Martin's 
facilities to physically inspect the equipment and verify it has been 
properly bar coded. We accompanied the PMO Sentinel property manager on 
one visit and saw these procedures performed. We also saw where the PMO 
staff auditor (who performed this step prior to the Sentinel property 
manager's coming on board) had written down the bar codes assigned to 
many of the property items during his visits to inspect the property 
and kept this in his working copy of the Lockheed Martin invoices, 
which we reviewed. However, we observed that there is no consistent 
means of documenting that this control procedure had been performed and 
when it was performed. The PMO's policies and procedures do not specify 
how the performance of this control activity should be documented. 

Timely Entry and Accurate Recording of Sentinel Assets into PMA: 

During our audit of the Trilogy project, we found that accountable 
assets were not entered into PMA in a timely manner. Because PMA is 
used to track the location of FBI's accountable property, delay in 
entering a property record exposes the assets to a greater risk of loss 
or theft. In response to this finding, the Sentinel PMO established a 
policy of entering accountable property into PMA within 27 days of 
receipt. We attempted to test the implementation of this policy for all 
accountable Sentinel property. However, because neither PMA nor the 
Lockheed Martin database date-of-receipt field captured the actual 
receipt date of the property by Lockheed Martin we could not determine 
the extent to which the PMO complied with its 27-day requirement for 
recording assets in PMA. Instead, by applying alternative procedures, 
we looked at records for 198 pieces of equipment for which we could 
approximate the receipt date (based on supplier invoices that listed 
asset serial numbers) and compared these estimated receipt dates to the 
dates captured in PMA when the asset records were created. We found 
that about two-thirds of the 198 assets had been recorded within or 
very near the 27-day target. The remaining one-third did not meet the 
target. Using this procedure, we found examples of accountable Sentinel 
assets that had not been recorded in PMA for up to 150 days. 

Timeliness is one key element of recording accountable property. The 
data must also be recorded accurately. As discussed above our analysis 
of PMA records, the Lockheed Martin database, and vendor invoices 
identified many discrepancies that called into question the accuracy of 
the data entered into PMA. The PMO's reconciliation of the Phase 1 
purchases, discussed above, was an important step in correcting the 
deficiencies we identified. However, without additional steps going 
forward to help ensure that the Lockheed Martin database --the source 
document for entries into PMA --is accurate and complete at the time 
the PMA entry is made, there is an increased risk that Sentinel 
property will not be properly recorded. Further, internal control 
objectives for asset control anticipate that property will be recorded 
in a timely manner to afford visibility over the assets and minimize 
the risk of their loss or unauthorized use. 

Inventory of Sentinel Assets: 

In 2007, FBI conducted an agencywide "wall-to-wall" inventory of all 
accountable property, including sensitive property items (e.g., laptop 
computers and weapons which are susceptible to theft), recorded in PMA. 
Sentinel assets were included in this inventory. We obtained and 
reviewed reports from FBI's PMA that indicated that all accountable and 
sensitive Sentinel assets recorded in the system were successfully 
inventoried. To obtain assurance that the PMA records were complete, we 
matched the records in the corrected Lockheed Martin asset-tracking 
database to the records in PMA and found six accountable property items 
that were captured in the database but not recorded in PMA. When assets 
are not recorded in the property system, there is no record of their 
existence when physical inventories are performed. This limits the 
effectiveness of the physical inventory in detecting missing assets. We 
provided a list of these six assets to the PMO to research and resolve. 
PMO officials provided us an explanation for each of the six items on 
the list. One asset was improperly bar coded and one was not an 
accountable property item. The PMO was in the process of uploading the 
other four assets into PMA. These assets will be included in the 2008 
inventory of Sentinel equipment which began in early 2008. 

Conclusions: 

FBI has designed and implemented improved internal controls for the 
processing of Sentinel invoices and for maintaining accountability over 
Sentinel equipment. As a result, the risk of making improper payments 
to Sentinel contractors and the risk of misuse, loss, or theft of 
Sentinel equipment has been significantly reduced. However, additional 
procedures to strengthen accountability over Sentinel equipment are 
still needed in order to enhance FBI's ability to account for and 
control project assets. If effective corrective actions are taken and 
properly implemented for these remaining areas of risk, we believe that 
the design and implementation of internal controls for the Sentinel 
project could serve as a model for FBI's invoice and property control 
in other projects involving contractors. 

Recommendations for Executive Action: 

We recommend that the Director of the FBI direct the Sentinel Program 
Manager to modify existing Sentinel policies and procedures to: 

* require the Sentinel property manager to verify for every property 
shipment that data in the Lockheed Martin database are complete and 
accurate before using these data to create or update FBI's official 
property records in PMA; 

* require that the Sentinel property manager perform monthly 
reconciliations of the key property records (i.e., the BOM, the vendor 
invoices, the Lockheed Martin database, and PMA) throughout each 
subsequent phase of Sentinel rather than a single close-out 
reconciliation at the completion of a phase; 

* require the Sentinel property manager to document the initial 
inspection of property as it is received, including verification that 
the property was properly barcoded; 

* require the Sentinel property manager to record in the Lockheed 
Martin database the date Sentinel property is received to allow for 
assessments of whether Sentinel property was timely recorded into PMA; 
and: 

* require the Sentinel property manager to follow up on and document 
actions taken with respect to the 20 property records we identified as 
having valuation discrepancies, including any adjustments to the 
valuations in either FBI's or the contractor records. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, FBI's Executive 
Assistant Director/Chief Information Officer stated that FBI concurs 
with our recommendations regarding strengthening accountability for 
Sentinel equipment. In his comments, he stated that the PMO asset 
accountability policies and procedures have been adjusted based on 
lessons learned from Phase 1 and that steps are now being taken to 
ensure that the Lockheed Martin database is accurately populated before 
entering data into FBI's PMA. He also stated that the PMO has been 
working to resolve the asset valuation discrepancies that we 
identified. FBI's comment letter is reprinted in enclosure II. FBI also 
separately provided technical comments which we have considered and 
incorporated into the final report as appropriate. 

We are sending copies of this report to the Chairman of the Senate 
Judiciary Committee, the Attorney General, the Director of the Federal 
Bureau of Investigation, and other interested congressional committees. 
We will also provide copies to others on request. In addition, the 
report will be available at no charge on GAO's Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-9471 or by e-mail at franzelj@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made major 
contributions to this report are listed in Enclosure III. 

Sincerely yours, 

Jeanette M. Franzel:
Director, Financial Management and Assurance: 

[End of section] 

Enclosure I: Scope and Methodology: 

We assessed the design and implementation of the Federal Bureau of 
Investigation's (FBI) internal controls over the Sentinel system 
development and implementation effort to determine whether (1) these 
controls provided a reasonable level of assurance that improper 
payments to Sentinel contractors would be prevented or detected in the 
normal course of business and (2) FBI maintained adequate 
accountability over equipment purchased for the Sentinel system. In 
addition, we designed our work so that if we found current weaknesses 
in internal control, we would determine whether those weaknesses 
resulted in improper payments or missing equipment. Our work focused on 
the recently completed Phase 1 of the Sentinel project and included all 
157 contractor invoices submitted and equipment purchased for this 
phase of the project. The initial contractor invoices were for planning 
activities for Phase 1 that began in May 2005. The final invoice for 
this phase, dated November 30, 2007, was submitted and processed in 
December 2007. We reviewed the invoices submitted by Lockheed Martin, 
the Sentinel development contractor, which began work in March 2006, as 
well as the five firms assisting FBI's Sentinel PMO in its planning for 
and oversight of the project. 

We used our Standards for Internal Control in the Federal Government 
[Footnote 6] as overarching criteria and also considered specific 
policies and procedures developed by FBI's Sentinel PMO as discussed 
below. In performing our work, we also considered the weaknesses we had 
identified in our prior work on Trilogy and FBI's efforts to ensure 
similar weaknesses were not present in the Sentinel project. We did not 
make an assessment of invoice-processing controls or equipment 
accountability on an FBI-wide basis. Our assessment was for the 
Sentinel project only. 

Assessment of the Design and Implementation of Internal Controls over 
Sentinel Invoice Processing: 

To understand and assess the design of internal controls over Sentinel 
invoice processing, we obtained and reviewed the relevant internal 
control policy and procedures that had been developed by the Sentinel 
PMO. This included the specific policy and procedures dealing with the 
PMO's invoice processing, contractor time card reviews, and the 
documentation requirements contractors were expected to follow when 
submitting their monthly invoices. We held discussions with PMO 
officials involved in the financial management aspects of Sentinel 
including the program manager, deputy program manager, contracting 
officer, contracting officer's technical representative, business 
management unit chief, and internal auditor to determine and understand 
their roles in the invoice-review process. We also obtained and 
reviewed the contracts, statements of work, purchase orders, and cost 
proposals for Lockheed Martin and the five PMO contractors as well as 
Phase 1 contractor invoices with accompanying supporting documentation. 

To evaluate the implementation of controls over Sentinel invoice review 
and approval, we performed tests and analysis of the five areas 
discussed in detail below. 

Invoice Approval and Adequacy of Supporting Documentation: 

We obtained and reviewed all 157 contractor invoices submitted during 
Phase 1 of the Sentinel project by Lockheed Martin and the five PMO 
contractors to determine whether there was evidence that the invoices 
had been reviewed and approved in accordance with the PMO invoice- 
processing policy. We also examined the accompanying supporting 
documentation submitted by the contractors to determine whether 
significant charges on the invoices were adequately supported and 
contractors had submitted the required monthly status reports that link 
invoiced costs to work activities during the invoice period. 

Invoiced Equipment and Software Costs: 

We reviewed the purchasing reports and supplier invoices that were 
included in the Lockheed Martin monthly invoice packages to determine 
whether the invoiced equipment costs were adequately supported. 
Lockheed Martin was the only contractor that purchased Sentinel 
equipment. We performed this procedure for every Lockheed Martin 
invoice that included equipment purchases. 

Review of PMO's Time Card Audits: 

PMO policies require contractor time card audits to help substantiate 
invoiced labor costs. PMO management told us they had conducted these 
audits, which compared contractor time cards to the labor detail 
reports included in the monthly invoice packages submitted by Lockheed 
Martin and the five PMO contractors. The PMO internal auditor showed us 
copies of several contractor employees time cards that he had obtained 
and explained the tick marks he placed on the invoices to denote the 
completion of these audits. 

Analysis of Labor Costs and Rates: 

To review labor charges included in each monthly invoice package 
submitted by Lockheed Martin and the PMO support contractors, we traced 
invoiced amounts back to the detailed supporting documentation included 
in the invoice packages that listed employees' labor category, hours 
worked, hourly rates, and total labor cost. We also analyzed the hours 
and rates billed by Lockheed Martin and the five PMO contractors. Based 
on this analysis, we selected a nonstatistical sample of 12 contractor 
and subcontractor employees whom we determined had either charged 
significant hours to the Sentinel project, had higher than average 
labor rates, or charged multiple labor categories. There was at least 1 
employee selected from each of the five PMO contractors and 6 employees 
selected from Lockheed Martin and its subcontractors. For the selected 
employees, we requested salary information, resumes, time and 
attendance records, and personnel actions. Using these data, we 
determined whether the employees' hourly rates were consistent with the 
rates billed to the Sentinel project and inline with the rates for 
individual labor categories specified in the contracts or cost 
proposals. We also compared data on the individuals' resumes to the 
skill and experience requirements specified in the contracts for the 
labor categories in which their time was reported. 

Analysis of Overhead, G&A, and Fees: 

Using the contractors' monthly invoices, we calculated the rates the 
contractors charged for overhead, general and administrative (G&A) 
expenses, and Cost of Money fees. We then compared the calculated rates 
to the rates specified in the contracts or approved by the Defense 
Contract Audit Agency for the applicable time periods. 

Assessment of the Design and Implementation of Internal Controls for 
Sentinel Equipment: 

We obtained and reviewed the Sentinel PMO's policies and procedures for 
authorizing the purchase of and accounting for Sentinel equipment and 
reviewed procedures carried out by the property manager to account for 
purchased equipment including the process used to bar code equipment 
and physically verify its receipt. We also met with FBI, PMO (including 
the Sentinel property manager), and Lockheed Martin officials with 
responsibility for asset accountability to better understand the 
policies and procedures and their implementation. We visited the 
Lockheed Martin facilities where property is received and stored and 
conducted a walk-through of the process Lockheed Martin has established 
to account for and safeguard Sentinel assets. 

In order to assess the accuracy and completeness of the Lockheed Martin 
database and to determine whether the PMO had created an appropriate 
corresponding record in PMA, FBI's official property management system, 
we performed the following: 

* obtained and analyzed the database to identify any irregularities 
such as duplicate bar codes or missing information; 

* compared the vendor invoice number and item description, cost, and 
serial number (taken from supporting documentation) to the Lockheed 
Martin database for six Lockheed Martin invoices that together 
represented billings for approximately 85 percent of the total material 
[Footnote 7] purchased and billed by Lockheed Martin; 

* compared the bar codes recorded on Lockheed Martin's database to PMA 
to identify any bar codes not recorded in PMA and investigated any 
discrepancies. 

* compared the data (e.g., serial number, asset description, and asset 
cost) for each bar coded property item in the Lockheed Martin database 
to the PMA record and followed up on any discrepancies; and: 

* obtained and reviewed FBI's reconciliation of all Sentinel assets 
purchased by Lockheed Martin and billed on their monthly invoices to 
the Sentinel Bill of Material (BOM) to determine whether the purchase 
was authorized. 

FBI also purchased several Sentinel assets directly.[Footnote 8] We 
performed the following procedures to help ensure that these assets 
were properly accounted for: 

* obtained and reviewed a listing of all purchase orders issued by FBI 
for the Sentinel project along with copies of the vendor invoices 
related to those purchase orders that included the purchased Sentinel 
equipment; and: 

* compared the data, such as quantity, serial number, asset 
description, and asset cost for the items on the vendor invoices to the 
PMA listing of accountable property for the purchase orders identified 
and followed up on any discrepancies. 

Finally, we reviewed the documentation provided to us by the Sentinel 
PMO following the completion of the overall asset reconciliation 
performed at the end of Phase 1. As part of this effort, PMO officials 
stated that they would reconcile the BOM, vendor invoices, the Lockheed 
Martin database, and PMA and make the necessary adjustments to ensure 
that the recorded costs of Sentinel equipment agrees with actual vendor 
invoice amounts. 

We conducted this performance audit from August 2006 through May 2008 
in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform our audits to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

[End of section] 

Enclosure II: Comments From the Federal Bureau of Investigation: 

U.S. Department of Justice: 
Federal Bureau of Investigation: 
Washington, D. C. 20535-0001: 

June 23, 2008: 

Ms. Jeanette M. Franzel: 
Director, Financial Management and Assurance: 
Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Ms. Franzel: 

Re: FBI Response To GAO'S Draft Report, "Financial Management: FBI Has 
Designed And Implemented Stronger Internal Controls Over Sentinel 
Contractor Payments And Equipment Purchase, But Additional Actions Are 
Needed," GAO-08-716R. 

Thank you for the opportunity to review and comment on the Government 
Accountability Office (GAO) draft report entitled "Financial 
Management: FBI Has Designed and Implemented Stronger Internal Controls 
over SENTINEL Contractor Payments and Equipment Purchase, but 
Additional Actions Are Needed" (hereafter referred to as "the Report"). 
The FBI appreciates the positive tone and recognition for its efforts 
to maintain stronger internal controls in the SENTINEL Program's 
financial management activities. The Report has been reviewed by the 
Federal Bureau of Investigation (FBI), Information and Technology 
Branch, and coordinated with the Finance Division (FD). This letter 
constitutes the formal FBI response. 

Based on our review of the Report, the FBI concurs with The GAO's 
recommendation regarding strengthening accountability for SENTINEL 
equipment. The assignment of an FBI employee as the SENTINEL property 
manager was designed to provide the leadership and expertise necessary 
to maintain appropriate control over government assets. Additionally, 
the SENTINEL Program Management Office (PMO) has required Lockheed 
Martin (LM) to mirror the SENTINEL property manager position. 

Many of the SENTINEL PMO's policies and procedures were implemented as 
a result of the SENTINEL property manager's assignment and were 
adjusted based on lessons learned from Phase 1. For example, the GAO 
recommends (Recommendation #1) that the SENTINEL PMO verify that data 
in the LM Database is complete and accurate before using the data to 
create or update the FBI's official property record. 

The SENTINEL property manager verifies the data, maps it to the Bill of 
Materials, and ensures the LM Database is accurately populated before 
entering data into the FBI's Property Management Application. The 
SENTINEL PMO also requires LM to provide a copy of the mapping of the 
property to the LM Database and the invoice. 

With regard to the fifth recommendation concerning the 20 assets with 
valuation discrepancies: the SENTINEL property manager, business 
management employee, and FD's financial analyst have been working 
closely with the GAO auditor to resolve all discrepancies and satisfy 
concerns described in this recommendation. Although the valuation 
discrepancies reported pertained to 20 items out of an estimated 1,200 
items reviewed, the SENTINEL PMO is striving to be error free. The 
SENTINEL PMO and LM have a clear agreement on proper reporting and 
accountability procedures. 

Again, thank you for the opportunity to respond to the Report. Should 
you or your staff have questions regarding our response, please contact 
me or one of my executives listed below: 

Mr. Dean E. Hall: 
Deputy Chief Information Officer: 
Information and Technology Branch: 
202-324-2307: 

Mr. John M. Hope: 
Program Management Executive: 
Office of IT Program Management: 
202-324-9798: 

Sincerely yours, 

Signed by: 

Zalmar Amzi: 
Executive Assistant Director and Chief Information Officer: 

[End of section] 

Enclosure III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Jeanette M. Franzel (202) 512-9471 or franzelj@gao.gov: 

Acknowledgments: 

In addition to the contact named above, Phillip W. McIntyre, Assistant 
Director; Ed Brown; Fred Evans; and Edward Tanaka made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] GAO, Federal Bureau of Investigation: Weak Controls over Trilogy 
Project Led to Payment of Questionable Contractor Costs and Missing 
Assets, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-306] 
(Washington, D.C.: February 2006). 

[2] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-306]. 

[3] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[4] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1]. 

[5] U.S. Department of Justice, Office of the Inspector General, 
Sentinel Audit III: Status of the Federal Bureau of Investigation's 
Case Management System, Audit Report 07-40 (August 2007). 

[6] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1]. 

[7] Material charges include all software and hardware purchased by 
Lockheed Martin. 

[8] The FBI issued purchase orders directly to vendors to purchase 
equipment, software, and other services related to the Sentinel project 
in addition to the goods and services purchased by Lockheed Martin. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: