Financial Management:

Improvements Needed in Air Force Vendor Payment Systems and Controls

AIMD-98-274: Published: Sep 28, 1998. Publicly Released: Sep 28, 1998.

Additional Materials:

Contact:

Gregory D. Kutz
(202) 512-9505
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed two specific cases of fraud involving Air Force vendor payments, focusing on: (1) internal control weaknesses that contributed to the two fraud cases; (2) observations on whether the same or similar internal control weaknesses continue to leave the Air Force vulnerable to fraud or improper payments; and (3) reconstructing the history of the two contracts associated with the Bolling Air Force Base (AFB) fraud to determine whether the government received the goods and services paid for under the contracts.

GAO noted that: (1) the two cases of fraud resulted from a weak internal control environment; (2) the lack of segregation of duties and other control weaknesses created an environment where employees were given broad authority and the capability, without compensating controls, to perform functions that should have been performed by separate individuals under proper supervision; (3) similar internal control weaknesses continue to leave Air Force funds vulnerable to fraudulent or improper vendor payments; (4) for example, as of mid-June 1998, over 1,800 Defense Finance and Accounting Service (DFAS) and Air Force employees had a level of access to the vendor payment system that allowed them to enter contract information, including the contract number, delivery orders, modifications, and obligations, as well as invoice and receiving report information and remittance addresses; (5) no one individual should control all key aspects of a transaction or event without appropriate compensating controls; (6) this level of access allows these employees to submit all the information necessary to create fraudulent and improper payments; (7) in addition, the automated vendor payment system is vulnerable to penetration by unauthorized users due to weaknesses in computer security, including inadequate password controls; (8) further, DFAS lacked procedures to ensure that the date that invoices were received for payment and the date that goods and services were received were properly documented; (9) these are critical dates for ensuring proper vendor payments and compliance with the Prompt Payment Act, which requires that payments made after the due date include interest; (10) missing records, another indicator of a weak internal control environment, prevented GAO from reconstructing the complete history of the two Air Force contracts associated with the Bolling AFB fraud; and (11) GAO was also unable to determine whether the Air Force received the goods and services paid for under these contracts because, in addition to missing records, a number of improper procedures were followed for receipt and control of equipment and services paid for under the contracts.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In September 1998, GAO reported that control weaknesses in the vendor payment processes and system have contributed to unauthorized vendor payment system access and the ability to circumvent interest payments to vendors, as required by the Prompt Payment Act (PPA). For example, according to DFAS internal review and Air Force investigative reports, during 1996, DFAS Dayton used faxed invoices to alter invoice reciept dates to avoid late payment interest required by the PPA. As a result, GAO recommended that the DFAS Director should ensure that:(1) the date that invoices are received and the date that goods and services are received are properly documented, and (2) invoices are tracked from reciept through disbursement of funds. In response to GAO's recommendation, the DFAS Denver Center developed a new management control structure at the vendor payment offices that segregated vendor payment duties and provided for reliable documentation of invoice and goods or services receipt dates across DFAS operating locations. The new structure improved mailroom operations, established a document control section, and divided payment teams into task-related branches responsible for entering specific data or processing specific functions in the vendor payment system. The DFAS Denver Center flowcharted the vendor payment process to identify key internal controls and developed extensive procedures to track invoices from receipt through the disbursement of funds. Further, DFAS Denver Center managers directed monthly voucher reviews and implemented a management tool for detecting potential duplicate payments to better oversee the vendor payment process.

    Recommendation: To help ensure that vendor payments are proper and that they comply with Prompt Payment Act timeframes, the Director, DFAS, should ensure that: (1) the date that invoices are received and the date that goods and services are received are properly documented; and (2) invoices are tracked from receipt through disbursement of funds.

    Agency Affected: Department of Defense: Defense Finance and Accounting Service

  2. Status: Closed - Implemented

    Comments: DFAS concurred with the recommendation and revised the operation review program to provide for continuous assessment of internal controls within the evolving electronic processing environment. In August 1999, GAO reviewed DFAS' revised internal review program and a draft report of a completed operation review of the San Antonio operation location. The operation review included a more comprehensive assessment of the internal controls over the vendor payment processes.

    Recommendation: To ensure that internal controls are properly designed and operating as intended, the Director, DFAS, should revise the operational review program to include assessments of the internal controls over the vendor payment process.

    Agency Affected: Department of Defense: Defense Finance and Accounting Service

  3. Status: Closed - Implemented

    Comments: According to the Under Secretary of Defense (Comptroller), an action plan was developed to ensure that necessary corrective actions are completed. For example, in response to the DISA Security Readiness Review of the Defense Megacenter at the DFAS-San Antonio Operating Location, the Megacenter developed a resolution plan with milestones to address each vulnerability. In addition, due to the severity of the findings regarding unsecured password files, DISA took immediate action to secure password files. DFAS worked with DISA to evaluate, document, and correct other system control weaknesses identified during GAO's field work.

    Recommendation: To strengthen computer security for the vendor payment system, the Director, Defense Information Systems Agency, should: (1) correct the system security control weaknesses in the operating system (mainframe) on which DFAS Denver's vendor payment system application runs; and (2) assess the costs and benefits of implementing technological and/or administrative controls over user IDs and passwords.

    Agency Affected: Department of Defense: Defense Information Systems Agency

  4. Status: Closed - Implemented

    Comments: In response to the recommendation, DFAS required that access to all DOD vendor payment systems be reduced to the minimum levels needed to successfully conduct business. Initially, DFAS indicated that the number of personnel with access to systems within the DFAS-Denver Center network for vendor pay was reduced by 1,109, or 48 percent. DFAS continued to review systems access to ensure that access is limited to only those functions necessary for the applicable employee to perform his or her duties without compromising the desired level of duty separation. As of July 23, 1999, DFAS had further reduced the number of individuals with access to the vendor payment system by 1,448, or 78 percent.

    Recommendation: To address the continuing vulnerabilities in the vendor payment process, the Director, DFAS, should reduce the number of employees with vendor payment system access by: (1) identifying the minimum number of employees needing on-line access to specific functions; (2) determining whether the access levels given to each user are appropriate for the user's assigned duties; and (3) removing access from employees who are no longer assigned to these functions.

    Agency Affected: Department of Defense: Defense Finance and Accounting Service

  5. Status: Closed - Implemented

    Comments: In response to GAO's recommendation, DFAS required that access to all DOD vendor payment systems be reduced to the minimum levels needed to successfully conduct business. In addition, in August 1999, DFAS added additional vendor payment system access levels to correspond to the segregation of organizational responsibilities. However, in June 2000, the DOD Inspector General (IG) reported that additional improvements were needed. Specifically, the IG found that DFAS and the Air Force did not always assign access levels consistent with the new standard internal control structure, access to the vendor payment system outside the DFAS Denver Center network was not significantly reduced, and the Air National Guard employees retained the same level of unrestricted access to the vendor payment system that they had before the system changes were made. The DOD IG made a number of recommendations to further strengthen controls over the vendor payment process. DFAS and the Air Force concurred with DOD's key recommendations and implemented additional controls to monitor individuals with access to the vendor payment system, and they developed compensating controls to ensure proper segregation of duties for Air National Guard.

    Recommendation: To address the continuing vulnerabilities in the vendor payment process, the Director, DFAS, should revise vendor payment system access levels to correspond with the segregation of organizational responsibility delineated above.

    Agency Affected: Department of Defense: Defense Finance and Accounting Service

  6. Status: Closed - Implemented

    Comments: In August 1998, DFAS initiated a comprehensive review of the organization's internal controls. The findings from that review were used to determine where separation of duties was inadequate, and to develop and implement an action plan to improve separation of duties. GAO reviewed DOD documentation showing that DFAS has now taken action necessary to separate organization responsibility for vendor payment functions.

    Recommendation: To address the continuing vulnerabilities in the vendor payment process, the Director, DFAS, should strengthen payment processing controls by establishing separate organizational responsibility for entering: (1) obligations and contract information; (2) invoice and receiving report information; and (3) changes in remittance addresses.

    Agency Affected: Department of Defense: Defense Finance and Accounting Service

  7. Status: Closed - Implemented

    Comments: DFAS issued an Internal Control Management Alert stating that the alteration or creation of an invoice on behalf of a contractor is unacceptable. If a contractor claims not to have invoicing capability, the contractor is required to submit a billing letter. GAO provided copies of the falsified invoices that it identified to the Air Force Audit Agency (AFAA) and asked AFAA to verify that these procedures had been implemented. As part of its review of the fiscal year 1998 Air Force Statement of Budgetary Resources, AFAA tested a random sample of over 350 Air Force vendor payment transactions and did not identify any DFAS altered or created invoices. GAO's review of AFAA's workpapers confirmed the results of its test work.

    Recommendation: The Director, DFAS, should no longer permit the creation of contractor invoices by DFAS employees and require those contractors that lack invoicing capability to submit billing letters.

    Agency Affected: Department of Defense: Defense Finance and Accounting Service

 

Explore the full database of GAO's Open Recommendations »

Sep 20, 2016

Sep 6, 2016

Aug 19, 2016

Aug 12, 2016

Jul 29, 2016

Jul 28, 2016

Jul 13, 2016

Jul 11, 2016

Jun 13, 2016

Looking for more? Browse all our products here