Financial Management: Improvements Needed in Air Force Vendor Payment Systems and Controls

In August 1998, DFAS initiated a comprehensive review of the organization's internal controls. The findings from that review were used to determine where separation of duties was inadequate, and to develop and implement an action plan to improve separation of duties. GAO reviewed DOD documentation showing that DFAS has now taken action necessary to separate organization responsibility for vendor payment functions.

In response to GAO's recommendation, DFAS required that access to all DOD vendor payment systems be reduced to the minimum levels needed to successfully conduct business. In addition, in August 1999, DFAS added additional vendor payment system access levels to correspond to the segregation of organizational responsibilities. However, in June 2000, the DOD Inspector General (IG) reported that additional improvements were needed. Specifically, the IG found that DFAS and the Air Force did not always assign access levels consistent with the new standard internal control structure, access to the vendor payment system outside the DFAS Denver Center network was not significantly reduced, and the Air National Guard employees retained the same level of unrestricted access to the vendor payment system that they had before the system changes were made. The DOD IG made a number of recommendations to further strengthen controls over the vendor payment process. DFAS and the Air Force concurred with DOD's key recommendations and implemented additional controls to monitor individuals with access to the vendor payment system, and they developed compensating controls to ensure proper segregation of duties for Air National Guard.

In response to the recommendation, DFAS required that access to all DOD vendor payment systems be reduced to the minimum levels needed to successfully conduct business. Initially, DFAS indicated that the number of personnel with access to systems within the DFAS-Denver Center network for vendor pay was reduced by 1,109, or 48 percent. DFAS continued to review systems access to ensure that access is limited to only those functions necessary for the applicable employee to perform his or her duties without compromising the desired level of duty separation. As of July 23, 1999, DFAS had further reduced the number of individuals with access to the vendor payment system by 1,448, or 78 percent.

According to the Under Secretary of Defense (Comptroller), an action plan was developed to ensure that necessary corrective actions are completed. For example, in response to the DISA Security Readiness Review of the Defense Megacenter at the DFAS-San Antonio Operating Location, the Megacenter developed a resolution plan with milestones to address each vulnerability. In addition, due to the severity of the findings regarding unsecured password files, DISA took immediate action to secure password files. DFAS worked with DISA to evaluate, document, and correct other system control weaknesses identified during GAO's field work.

DFAS concurred with the recommendation and revised the operation review program to provide for continuous assessment of internal controls within the evolving electronic processing environment. In August 1999, GAO reviewed DFAS' revised internal review program and a draft report of a completed operation review of the San Antonio operation location. The operation review included a more comprehensive assessment of the internal controls over the vendor payment processes.

In September 1998, GAO reported that control weaknesses in the vendor payment processes and system have contributed to unauthorized vendor payment system access and the ability to circumvent interest payments to vendors, as required by the Prompt Payment Act (PPA). For example, according to DFAS internal review and Air Force investigative reports, during 1996, DFAS Dayton used faxed invoices to alter invoice reciept dates to avoid late payment interest required by the PPA. As a result, GAO recommended that the DFAS Director should ensure that:(1) the date that invoices are received and the date that goods and services are received are properly documented, and (2) invoices are tracked from reciept through disbursement of funds. In response to GAO's recommendation, the DFAS Denver Center developed a new management control structure at the vendor payment offices that segregated vendor payment duties and provided for reliable documentation of invoice and goods or services receipt dates across DFAS operating locations. The new structure improved mailroom operations, established a document control section, and divided payment teams into task-related branches responsible for entering specific data or processing specific functions in the vendor payment system. The DFAS Denver Center flowcharted the vendor payment process to identify key internal controls and developed extensive procedures to track invoices from receipt through the disbursement of funds. Further, DFAS Denver Center managers directed monthly voucher reviews and implemented a management tool for detecting potential duplicate payments to better oversee the vendor payment process.

DFAS issued an Internal Control Management Alert stating that the alteration or creation of an invoice on behalf of a contractor is unacceptable. If a contractor claims not to have invoicing capability, the contractor is required to submit a billing letter. GAO provided copies of the falsified invoices that it identified to the Air Force Audit Agency (AFAA) and asked AFAA to verify that these procedures had been implemented. As part of its review of the fiscal year 1998 Air Force Statement of Budgetary Resources, AFAA tested a random sample of over 350 Air Force vendor payment transactions and did not identify any DFAS altered or created invoices. GAO's review of AFAA's workpapers confirmed the results of its test work.