May 2000

Streamlining the Payment Process While Maintaining Effective Internal Control

GAO/AIMD-21.3.2

Contents
Preface
Introduction
Related GAO Products
Figure 1: Agency Systems Architecture
Abbreviations

Preface

In recent years, agencies have taken advantage of advancing technology to streamline operations and reduce costs in financial management systems. Specifically, in the payment processing area, agencies have redesigned or improved existing systems and have formally requested GAO's views on the quality of internal control designed into the new or modified systems. As part of GAO's responsibility to issue internal control standards and our commitment to improve financial management in government, we have worked with agencies to assist them in saving millions of dollars while ensuring that effective control was also included in the systems designs and modifications. Many of the agencies' designs and systems modifications have been creative and innovative in streamlining payment systems and reducing costs.

In each case, after working with the agencies, we summarized their designs and our positions with regard to the internal control in their designs. We have aggregated the views in our individual letters into this booklet as a guide to agencies which are reengineering their payment systems. Our intentions are to (1) assist agencies in maintaining sound internal control and (2) help them focus requests for our assistance on the effectiveness of planned internal control for revised payment systems.

This guide is divided into four major sections. The first section covers background information about traditional payment systems and the changes occurring in them. The second section focuses on advancing technology and its impact on payment systems.
The third section deals with streamlining efforts in the payment systems involving the purchase of goods and services while the last section deals with streamlining efforts in the employee travel payment systems.

Additional copies of this guide can be obtained from the U.S. General Accounting Office, 700 4th Street NW, Room 1100, Washington, D.C. 20548, or by calling (202) 512-6000 or TDD (202) 512-2537. It is also available on the internet on GAO's Home Page (www.gao.gov) under "Other Publications."

Jeffrey C. Steinhoff
Assistant Comptroller General
Accounting and Information Management Division

Introduction

This document contains four sections. The first section provides an overview of the traditional payment systems to vendors for the acquisition of goods and services and to employees as a result of government travel. It describes the major processing components of the payment system and focuses on the basic internal control that should have existed within these traditional systems to emphasize that these same control objectives should always be satisfied as payment systems change and evolve.

The second section discusses the role of advancing technology and its effect on major changes that have and continue to occur in payment systems. The basic internal control discussed in traditional payment systems is emphasized as the key ingredient in maintaining effective payment systems regardless of the changes occurring. Also discussed are advances in technology, which have in recent years begun to be used by agencies, but for which widespread application will likely occur in the foreseeable future.

The third and fourth sections cover details of the numerous requests we have received, including a description of agencies' systems designs and modifications and our views on the effectiveness of the designed internal control in the proposed changes.
The third section covers payments to vendors for the acquisition of goods and services and the fourth section covers payments to employees for government travel. The requests and our responses focus mostly on internal control regarding the automation of payment systems or the conversion from manual to automated systems.

The first appendix covers relevant issues addressed in GAO's reports (responses to agency requests). The second appendix provides a brief discussion about relevant systems standards issued by the Joint Financial Management Improvement Program (JFMIP). The last page lists the products that form the basis for this document.

In carrying out our responsibilities to work with agencies, we have published and periodically updated GAO's Policy and Procedures Manual for Guidance of Federal Agencies. This manual is divided into eight major parts called titles. Title 7, "Fiscal Guidance," provides guidance in several areas including areas covering our responsibility to settle accounts of accountable officers, issue internal control standards, and respond to agencies that inquire about these matters. Title 7 contains extensive coverage on the payment process, which is the subject of this document, and provides the basic concepts and criteria we rely on in assisting agencies and responding to their requests.

Background

This section discusses the traditional payment process, modifications to the traditional payment process, and the importance of internal control in effectively administering the payment process. It also provides the basic concepts and criteria contained in Title 7, "Fiscal Guidance," of GAO's Policy and Procedures Manual for Guidance of Federal Agencies. Title 7 provisions form the basis for our positions developed in response to agencies' requests for our views on proposed new payment systems or modifications to streamline the operations of existing systems.
Traditional Payment Process

Title 7 identifies the following steps of the acquisition and payment process involving general purchases: (1) purchase authorization (the ordering function), (2) receipt and acceptance of the items ordered, (3) receipt of the invoice, (4) payment approval and authorization, and (5) actual payment (disbursement of funds). None of the requests we received for assistance involved the actual payment part of the process, and therefore we are not covering that aspect in this document.

The purchase authorization portion of the process is the formal approval of the purchase by responsible designated officials within the agency and usually results in the obligation of budget authority. The receipt and acceptance portion generally involves a government employee taking possession of the items purchased and verifying quantity and quality of the items received. Receipt of the invoice or bill from the supplier or vendor represents a claim against the government for the items sent or delivered per the government's purchase order.

The payment approval and authorization portions of the process can involve a multistep process with administrative approvals being first followed by payment authorization.[1] An administrative approval is generally performed by a responsible official in the unit that ordered or received the items purchased. The administrative approval normally is based on verification that the items ordered were actually received and met the government's specifications, and thus validates a vendor's request (invoice) for payment.

Payment authorization is generally restricted to designated persons in the agency. These individuals can be held personally liable, under certain circumstances, for authorizations made by them. These individuals are responsible for ensuring the legality, propriety, validity, and accuracy of all payments they authorize.
Specifically, they must determine whether:

• the payment is permitted by law;
• the appropriation amounts are available at the time and are being used for the intended purpose;
• the goods and services have been received and conform to the requirements of the order or agreement;
• the required administrative approvals have been obtained; and
• the quantities, prices, and calculations are accurate.

As used in this document, administrative approvals are differentiated from payment authorization. Payment authorization (also called payment certification) refers to the act of approving payment and authorizing Treasury to disburse funds. Agency officials designated to be certifying officers (who certify payment) must have certain documents on file with Treasury, must follow Treasury regulations, and can be held legally liable for payments they authorize.

Administrative approvals, on the other hand, refer to the approval function of various aspects of a transaction except for payment authorization. Administrative approvals include, but are not limited to, obligation of funds (for example, authorizing the purchase of goods, approving employee travel, approving contracts on behalf of the agency); accepting goods and services delivered to an agency per order or contract; and approving travel vouchers for payment scheduling. Agency officials authorized to perform administrative approvals are generally required to follow agency policies and procedures as opposed to statutory requirements and Treasury regulations followed by certifying officers.

Because certifying officers' responsibilities cover the payment they authorized, their responsibilities can extend to most aspects of a transaction. Officials performing administrative approvals usually are responsible for fewer aspects of a transaction.
For example, the administrative approval of an employee's travel voucher (usually performed by the employee's supervisor) generally confirms the reasonableness of the claim and that the travel actually took place. The certifying officer, however, not only verifies that the voucher contains an administrative approval ensuring that the travel took place, but also performs numerous examination procedures to ensure all claims are within regulations and limitations.

Traditionally, certifying or disbursing officers' [2] responsibilities extended throughout the payment process. They had staff assisting them in reviewing each invoice prior to payment authorization. This review is referred to as the "prepayment examination." The examination consisted of several steps, primarily focusing on comparing information on three critical documents: the obligation or ordering document, the receiving and inspection document (normally called a receiving report), and the invoice. The information on the three documents had to be of sufficient detail to allow an effective comparison to occur. The information had to include specific identification of the good or service (e.g., stock numbers, detailed descriptions, grades or quality, and types or models); quantities ordered, received, and billed; the quality (type, grade, or condition) of the items received; and prices per unit. If necessary, the invoice was adjusted to reflect the items actually received and accepted.

While examining the documents, the staff also was required to verify that the documentation had the necessary administrative approvals. For example, such approvals could be evidenced by purchase orders signed by an authorized official or travel orders and vouchers signed by supervisors. Once the staff was satisfied that the invoice reflected a legal, proper, valid, and accurate amount, the invoice was deemed ready for payment.
The invoice amount, or an adjusted or modified amount, was prepared for payment on a specific form. In the civil agencies, payment information (payee and amount) traditionally was entered on Treasury Form 1166, Voucher and Schedule of Payments. The specific form was forwarded along with the related supporting documents to the agency certifying or disbursing officer for review and approval. Once approved, by signature, the form without the supporting documents was forwarded to Treasury (for civil agencies) or another unit under the disbursing officer (for DOD) for actual payment.

Lastly, the hard copy documents (i.e., obligation document, receiving report, and the invoice) supporting a disbursement were normally filed centrally at the certifying or disbursing officer's location for easy access in the event of a management review or outside audit of the payment process. The documents had to be retained for specified periods and be stored under certain procedures in accordance with Title 8, "Records Management," of GAO's Policy and Procedures Manual.

[2] Pursuant to Public Law 104-106, National Defense Authorization Act for Fiscal Year 1996, DOD was given the authority to have certifying officers. Prior to that, disbursing officers usually approved vouchers for payment.

Modifications to the Traditional Payment Process

The traditional payment approval process has been modified over the years primarily through the application of statistical sampling and "fast pay" procedures, and the widespread use of computer technology. (Computer technology is discussed in the next section.)

Statistical sampling was initially implemented in the 1960s to reduce the cost of the payment process while still affording confidence that payments were processed accurately.
Statistical sampling procedures implemented involved a random selection of invoices from a known universe of invoices below a certain dollar amount (currently set at $2,500 [3]) to be examined in lieu of examining all invoices as would be done under a 100-percent examination. Fast pay was implemented in the government, in certain circumstances, on a larger scale during the 1980s to assist agencies in meeting the payment timing requirements of the Prompt Payment Act. It involved the examination of invoices after payment in lieu of prepayment examination.[4]

It should be noted that statistical sampling and fast pay procedures neither reduce the need for effective internal control nor relieve the certifying/disbursing officer of his or her responsibility. They merely provide a mechanism to reduce clerical costs and expedite processing while continuing to meet prompt payment requirements and maintain effective internal control.

Statistical sampling allows conclusions to be made about (1) the universe of invoices from which the sample was selected and (2) the procedures in effect used to process all invoices in the universe. Examination of the sample and evaluation of the results permits correction of errors and other deficiencies found in the items sampled and the procedures and controls directly related to the items. It also permits projections as to the quality of all invoices in the universe.

Prior to implementing sampling procedures, a sampling plan should be developed. The plan should include (1) a definition of the universe of invoices to be examined, (2) the size and selection method of the sample based on the risks of the invoice processing system, (3) procedures to analyze the results of the sample, and (4) methods to document the plan and the analysis.

[3] Title 7 of GAO's Policy and Procedures Manual, section 7.4.E.
[4] OMB Circular A-125 (revised 12/12/89) Prompt Payment, which provided guidance on the Prompt Payment Act, permits, under certain conditions, the use of fast pay procedures to pay vendor invoices without evidence of receipt and acceptance at the time of certification and payment. (See footnote 5.)

Compared to the prepayment examination of all invoices, implementing sampling procedures increases the risks of overpayments occurring and going undetected. This risk can be acceptably mitigated if the plan calls for invoice examination to be commensurate with the risk to the government. The plan should convincingly demonstrate that statistical sampling procedures would produce administrative savings while adequately protecting the interests of the government. Savings would be achieved if the combined costs of (1) examining the sample and (2) projected losses due to undetected errors on invoices not examined are less than the administrative cost of examining all invoices.

Effective control over disbursements ordinarily requires examination of invoices before they are approved for payment. However, fast pay procedures typically entail payment authorization without evidence of receipt and acceptance, provided that subsequent to payment authorization, receipt and acceptance is verified. Under fast pay, examination of the invoice subsequent to payment authorization is sometimes referred to as "post payment examination." OMB Circular A-125 Prompt Payment,[5] the Prompt Payment Act, and the Federal Acquisition Regulation (FAR), part 13 provide guidance on implementing fast pay.
Based on that guidance, fast pay is currently subject to a limitation of $25,000 per invoice and the following conditions: (1) geographical separation and lack of communication facilities make it impractical to make timely payments based on evidence of acceptance, (2) suppliers who will be paid under the procedure have agreed to repair, correct, or replace goods or services not conforming to requirements, and (3) it is limited to suppliers who have had and continue to have a good ongoing business relationship with the agency. Normally, under fast pay procedures, all invoices are examined subsequent to payment authorization. However, combining statistical sampling with fast pay procedures is permitted under appropriate circumstances. Although such a combination increases the risks of overpayments occurring, the risks can be effectively mitigated if the sampling plan developed ensures that projected savings exceed estimated costs.

[5] OMB revised the circular effective October 29, 1999. The requirements and the guidance in the circular were then placed in the Code of Federal Regulations (5 C.F.R. part 1315, "Prompt Payment") and the circular was rescinded.

Importance of Effective Internal Control and Financial Management Systems

Each agency's internal control over the payment process should be based on the operating needs of the agency. In particular, the units that process payments under the direction of the certifying and disbursing officers should have in place effective internal control activities [6] to ensure payments are legal, proper, valid, and accurate and that duplicate payments are avoided.

Under traditional payment processes, certifying officers reviewed all invoices they authorized for payment.
Although the certifying officers are primarily responsible for payments authorized, the volume of transactions, the geographic dispersion of activities, and the emphasis on prompt payment make it virtually impossible for these individuals to review all invoices before authorizing payment. Consequently, in fulfilling their responsibilities, these officers must rely on the systems, internal controls, and personnel that process the transactions. As a result, payment process oversight has generally shifted from individual transaction reviews to reviews of internal control over systems that process the transactions.

This shift in emphasis from approval of individual transactions to evaluations of the adequacy of systems and the internal control environment has been reflected in law and in policy for numerous years. The Federal Managers' Financial Integrity Act of 1982 requires agency management to annually assess and report on the adequacy of internal control. The guidance needed to comply with this act is contained in GAO's Standards for Internal Control in the Federal Government [7] and OMB Circular A-123 (revised June 21, 1995), Management and Accountability Control.

The Federal Financial Management Improvement Act of 1996 requires, among other things, that agencies implement and maintain financial management systems that substantially comply with federal financial management systems requirements. These system requirements are detailed in the Financial Management Systems Requirements series issued by the Joint Financial Management Improvement Program (JFMIP) and OMB Circular A-127 (revised June 10, 1999), Financial Management Systems. JFMIP requirements documents include (1) a framework for financial management systems, (2) core financial management systems requirements, and (3) requirements for 16 other systems that support agency operations. (See appendix II for a further description of the JFMIP systems requirements series.)

[6] Examples of internal control include separation of duties, limited access to assets and information, clear documentation of all transactions and events, and the timely recording of transactions and events.

[7] Standards for Internal Control in the Federal Government (GAO/AIMD99.21.3.1) was revised in November 1999, and is available on the Internet, GAO home page (www.gao.gov) under "Other Publications." It is also available in hard copy by calling (202) 512-6000 or at Room 1100, 700 4th Street NW (corner of 4th and G Sts. NW), Washington, DC.

While new technologies and reengineering of business processes may change how certifying and disbursing officers operate, their basic responsibilities and accountabilities remain unaltered. Consequently, these officers must have valid and documented assurances that the systems and key controls on which they rely for authorizing payments are working as intended and remain intact and effective over time. This confidence in the systems and control should be based on several factors; among the most significant are the following:

• A well-defined organizational structure and flow of work, appropriate separation of responsibilities, and clearly written policies and procedures governing purchase authorization, receipt of goods and services, and examination and approval of invoices for payment.
• Effective application of available technology for efficient and effective acquisition of goods and services and processing of payment authorization.
• Review of the invoice examination process in sufficient scope, depth, and frequency to provide reasonable assurance that systems and controls are working as intended and are reliable.

Advancing Technology

The repetitive nature of processing most transactions and the uniform examination procedures applied to invoice processing usually permit extensive automation of these processes.
In lieu of the traditional practice of performing a 100-percent manual prepayment examination of invoices, agencies today process large volumes of transactions in highly automated systems with automated controls, electronic data interchange, and computer assisted examination techniques. Data entry edits to ensure accurate and reliable data processing are relatively simple to develop and use. Edits are programmed to perform various comparisons, verifications, and calculations to produce outputs that effectively replace many of the manual invoice processing and examination procedures. As the sophistication and the number of edits continue to evolve and become more widely applied throughout the government, agencies have been revising their automated payment processes to reflect these improvements while at the same time making their systems more efficient.

Hard copy documentation that is necessary to support invoice examination and payment authorizations is giving way to electronic forms which reduce retention and storage costs while concurrently enhancing access capabilities. Today's proper application of available technology makes it possible to perform the required prepayment examination without assembling hard copy records from diverse locations as in the past. With today's technology, personnel can extract data from hard copy source records, input the information into the automated system through computer terminals, and forward the data through communications networks to a centralized location for further online processing, examination, and payment authorization. However, implementation of available technologies does not change the requirement that audit trails of transactions and authorizations be maintained or the rigors of examination of invoices not be compromised.

Although automation of payment processes helps streamline operations, the basic responsibilities of the certifying and disbursing officers remain the same.
These officers must have sufficient knowledge of the automated systems in order to carry out their responsibilities effectively. They are still responsible for making sure that they can rely on the quality of the automated systems to ensure that invoices authorized for payment are legal, proper, valid, and correct.

The quality of the automated systems is to a large extent based on the effectiveness of internal control. Internal control over automated systems can be grouped into general control and application control. General control applies to all information systems: mainframe, minicomputer, network, and end-user environment. Application control is designed to cover the processing of data within application software.[8] To ensure the quality of the automated systems, management must provide the environment for effective implementation of general and application controls.

Electronic Signatures

Automated environments naturally require various levels of access in order to permit data entry, appropriate data manipulation (i.e., calculations, summarization, and reporting), program modifications, and data review and approval. Generally, access, authorization, and approvals are permitted through various controls and electronic symbols or programmed data elements. The degree of control over access to automated systems for data entry, examinations, reviews, and approvals will vary. User identification codes and passwords provide less control over data than do electronic signatures. An electronic signature is a method of signing an electronic message that (1) identifies and authenticates a particular person as the source of the electronic message and (2) indicates such person's approval of the information contained in the electronic message.[9] An electronic signature is a data authentication process, which when effectively implemented, provides assurance that data associated with the signature has not been altered or changed.
Traditional user identification codes and passwords, while permitted under certain circumstances, do not.

To be effective, GAO recommends that electronic signatures be (1) unique to the signer, (2) under the signer's sole control, and (3) capable of verification. In addition, the signature should be linked to the data in such a manner that if the data are changed, the signature is invalidated. The National Institute of Standards and Technology (NIST) [10] has established procedures for the evaluation and approval of certain automated signature techniques [11] to ensure data integrity and consistency with previously mentioned criteria.

[8] General and application control is discussed further in the Standards for Internal Control in the Federal Government, November 1999 (GAO/AIMD-00-21.3.1), pp. 16-18.

[9] The Government Paperwork Elimination Act, section 1710(1).

[10] Under the requirements of the Computer Security Act, NIST is responsible for establishing standards for federal computer systems that process sensitive but unclassified information.

[11] These procedures are contained in the Federal Information Processing Standards (FIPS PUB 186).

Enhancing Internal Control and Data Integrity

In developing electronic data authentication systems, Title 7 recommends that agencies follow NIST guidance for payment approval (payment certification). Automated approvals, when the risks associated with automated records and approvals warrant it, might necessitate electronic signatures that follow NIST guidance.

The Government Paperwork Elimination Act requires OMB to issue guidance to agencies regarding automated systems that maintain electronic information as a substitute for paper and use electronic signatures. OMB's published guidance [12] states that an agency should perform an assessment to evaluate the suitability of electronic signature alternatives for a particular application.
Among other things, the assessment should develop strategies to mitigate risks and maximize benefits in the context of available technologies, and the relative total costs and effects of implementing those technologies.

In its Framework for Federal Financial Management Systems, JFMIP envisioned automated systems with standardized information and electronic data exchange to eliminate manual processes, reduce the risks of data loss or errors, and eliminate manual reentry and interpretation. Title 7 states that agencies should endeavor to establish automated techniques, including data interchange, and control whenever feasible so long as the interests of the government are protected. Although many current payment systems are highly automated, the technological changes envisioned by JFMIP have not yet been fully realized.

There are several major areas in the payment process where technological advances have had and will continue to have a substantial impact. Three of these areas include: (1) the automation of receipt and acceptance, (2) electronic signatures, and (3) statistical sampling regarding examination of claims in the payment process.

Although some agencies have automated part of the receipt and acceptance function, widespread application has not yet occurred. As the application of advancing technology continues, systems will be able to directly transmit receipt and acceptance data from points of purchase to central locations for invoice examination and payment authorization. Transmissions of receipt and acceptance data will come from multiple locations and possibly from vendor locations where, for example, a government employee transmits data electronically from a fueling dock and from agencies' remote locations, including field offices and sea vessels.
Electronically submitted data will alleviate many of the current problems agencies face in locating hard copy receiving reports and manually reconciling receipt data to invoice amounts. Once the electronic data are received centrally, the examination process could be more automated. Receipt and acceptance data could be compared electronically to the ordering and the invoice information to help ensure that payment authorization is valid and at the same time reduce the risk of errors in the process. Also, the cost of the examination process would be reduced due to the elimination of manual reconciliation procedures. The time and effort needed to locate receiving reports would also not exist, and prompt payment requirements (taking advantage of discounts and avoiding late payment fees) could more easily be met.

[12] See OMB's Implementation of the Government Paperwork Elimination Act, May 2, 2000, at its internet address http://www.whitehouse.gov/OMB/, under "Information and Regulatory Policy."

The OMB guidance states that automated techniques should depend upon risks, benefits, and cost effectiveness associated with the automated applications. Agencies should determine whether any electronic signature alternative, in conjunction with appropriate process controls, represents a practicable tradeoff between benefits on the one hand and cost and risk on the other. Electronic signatures meeting the aforementioned criteria, however, can provide the necessary data integrity for highly automated systems because the signature "seals" the data once it is applied. Any subsequent alterations to the data can be readily detected. Because of the nature of electronic data, it is sometimes difficult to ascertain whether the data have been altered or manipulated unless the signature is linked to the data in such a way that the signature verification process can detect data changes. Passwords and identification codes generally do not provide this detection capability.
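
The difference between a signature that seals the data and a recorded user ID can be shown directly. The following Python example is added here and is not part of the GAO guide or any agency system; it assumes the third-party `cryptography` package and ECDSA over P-256 (an algorithm from later revisions of the FIPS 186 standard the guide cites, chosen here as an assumption), and the payment record, field names and officer keys are constructed for illustration.

```python
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed sample payment record; the field names are assumptions.
SCHEDULE = {
    "schedule_no": "SAMPLE-0001",
    "payee": "Example Supply Co.",
    "amount": "1840.00",
    "invoice_no": "INV-1001",
    "approved_by": "officer_a",  # user-ID style approval flag
}


def canonical(record):
    """Serialize deterministically so signer and verifier hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def new_signing_key():
    """Create a private key that is unique to, and held only by, one signer."""
    return ec.generate_private_key(ec.SECP256R1())


def certify(record, private_key):
    """Sign the whole record so the signature is linked to every field."""
    return private_key.sign(canonical(record), ec.ECDSA(hashes.SHA256()))


def seal_intact(record, signature, public_key):
    """Verify the signature against the record as it reads now."""
    try:
        public_key.verify(signature, canonical(record), ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def user_id_approval_present(record):
    """Password-style control: only checks that an approver ID was recorded."""
    return bool(record.get("approved_by"))


def demo():
    officer_a = new_signing_key()
    officer_b = new_signing_key()
    signature = certify(SCHEDULE, officer_a)

    # The amount is changed after certification; the approval flag is untouched.
    altered = dict(SCHEDULE, amount="18400.00")

    return {
        "original_verifies": seal_intact(SCHEDULE, signature, officer_a.public_key()),
        "altered_verifies": seal_intact(altered, signature, officer_a.public_key()),
        "altered_still_shows_user_id": user_id_approval_present(altered),
        "other_officer_key_verifies": seal_intact(SCHEDULE, signature, officer_b.public_key()),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The altered record fails signature verification while its user-ID approval flag still looks valid, which is the detection gap the guide attributes to passwords and identification codes.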
Although implementation of electronic signatures meeting the NIST criteria may not currently be cost-effective in all cases, or may not be needed because the electronic data application is low risk, technological advances will continue to occur, making the signatures more affordable and widespread in the future.

Combining the automation of the receipt and acceptance process with the widespread use of electronic signatures could be a major move towards full automation. With full automation, statistical sampling of invoices prior to payment to make inferences about the universe would no longer be necessary since the system would perform a 100-percent verification of receipt and acceptance. Statistical sampling would only be needed for monitoring the system operations through periodic testing. Aspects of the system that could be tested through sampling might include verifying that the electronic recording of receipt and acceptance was supported by other sources.

Also, under full automation, fast pay could be eliminated in most situations. Since the system would automatically verify all receipts and acceptances prior to invoice payment authorization, there would be no need to authorize payment prior to verification of receipt. Moreover, systems could be designed and operated to contain specific control mechanisms to prevent payment authorization either manually or in an automated environment prior to confirmation of receipt and acceptance.

Streamlining the Payment Process - Acquisition of Goods and Services

In an effort to streamline operations and reduce costs while taking advantage of currently available technology, many agencies have redesigned or modified their payment systems. Several agencies have requested opinions from us on whether proposed new payment system designs or proposed system modifications conform to the requirements of Title 7 internal controls. Agencies' specific questions regarding their payment systems for the acquisition of goods, along with our responses, are organized into the following six sections. Since we did not test the proposed changes, our responses only addressed agencies' proposals conceptually.

Verification of Receipt and Acceptance After Payment Authorization (Fast Pay)

Several agencies asked whether certain changes to their existing payment process complied with the internal control requirements of Title 7. At the time of the request, their procedures required the verification of receipt and acceptance prior to authorization of payment. The proposed changes would allow payment on invoices under $25,000 prior to verification of receipt and acceptance of the items purchased.

GAO Response

Payment authorization prior to verifying receipt and acceptance is a common process referred to as "fast pay." Since specific authority to implement a fast pay process for the acquisition of goods and services at agencies exists as set forth in OMB Circular A-125 [13] and FAR, our permission is not necessary. However, we responded to agency requests for assistance in designing and implementing effective internal controls.

In responding to these agencies' requests, we verified that their designs met the fast pay requirements previously discussed (limitation of $25,000, geographical separation, ongoing relationship with suppliers, and methods to identify suppliers abusing fast pay). If the designed procedures met the requirements, we did not object to the implementation of fast pay.

In keeping with the fast pay requirements, we also suggested that the system designs include procedures to identify first time vendors and vendors with a history of abusing fast pay. These vendors would not be eligible to participate in fast pay until the agency had satisfied itself that those vendors were worthy businesses that could be paid under fast pay.
In each case, we further suggested that, as part of its required FMFIA review of its internal controls, special emphasis be given to testing controls of the new processes to help ensure effective implementation.

¹³ See footnote 4.

Combining Statistical Sampling With Fast Pay

The agencies requesting guidance on internal controls when implementing fast pay have also designed procedures to verify receipt and acceptance of goods ordered on an after-the-fact sampling basis rather than on the basis of a 100-percent postpayment verification as is traditionally done. We reviewed the proposals involving the statistical sampling verification procedures.

GAO Response

Title 7 limits statistical sampling to invoices under $2,500. Combining statistical sampling with fast pay procedures increases the risks that overpayments would occur and go undetected compared to a 100-percent verification of receipt and acceptance. These risks would be acceptably mitigated if the statistical sampling plan provided for (1) the scope or extent of invoice examination to be commensurate with the risk to the government,¹⁴ (2) sampling from the universe of all invoices under $2,500 not subject to complete examination, (3) effective monitoring to ensure that the plan is effectively implemented and the risks to the government remain within tolerable limits, and (4) a continuing relationship with the vendor so that the risk of loss is minimized. We did not object to implementing sampling so long as the plan included these four items.

In a variation of the preceding, one agency proposed to implement a statistical sampling process where the sample limitation was increased from $2,500 to $25,000, the same limitation for fast pay. The agency would require the purchasing office to notify the central office (where payment certification took place) within 20 days of the receipt of the invoice only in instances where the actual receipt of goods differed from the order, thus affecting payment.
The agency would limit the use of this process to vendors with whom it had an ongoing satisfactory relationship. To ensure that the purchasing offices compared invoices to receiving reports subsequent to payment authorization, the agency would regularly examine statistical samples of paid invoices, provide adequate training for personnel, and regularly review implementation of controls.

Our response was that if the agency followed through with its proposed controls and that the benefits derived exceeded the cost, the modifications would be in accordance with Title 7. As with other requests, we recommended that the agency's subsequent FMFIA reviews specifically emphasize testing the effectiveness of the controls over its fast pay procedures and related statistical sampling.

¹⁴ In developing a sample plan, agencies should make sure that their proposed procedures would produce savings while adequately protecting the government's interest. Savings, as defined by Title 7, would be achieved when the combined cost of (1) examining the sample and (2) projected losses due to undetected errors on invoices not examined are less than the cost of examining all vouchers. Through analysis, the plan must develop and identify a tolerable error rate (the point at which, or below which, savings should occur), the number of vouchers to select for examination, and the selection method.

Fast Pay Combined With Statistical Sampling When Weak Internal Controls Exist

In the previous discussions, agencies requesting our assistance had designed but not yet implemented fast pay. However, one agency, where fast pay procedures had been implemented for the acquisition of certain goods, was moving toward verifying receipt and acceptance of invoices on a sampling basis. The agency's Office of Inspector General (OIG) had asked us whether the agency's fast pay procedures combined with statistical sampling was permissible.
The OIG reported that, over a 5-month period, 10 percent of the invoices paid under the fast pay process had incorrect or missing support. That review and process uncovered missing or inaccurate data on order forms and receiving reports. The errors occurred because poor controls existed in the review and processing of invoices for payment. Also, during our discussions with agency officials, we were told that many invoices processed for payment were likely to exceed the $25,000 limitation of fast pay.

GAO Response

We responded to the request by stating that although fast pay is permitted under certain criteria, the purchases under the process inquired about would not meet the criteria (1) where the purchase exceeds $25,000 or (2) if the 10-percent error rate is considered by management and the IG office to be above the tolerable acceptable error rate.

Regarding sampling of invoices after payment authorization to verify receipt and acceptance, we pointed out that Title 7 limits sampling to invoices under $2,500. Without a specific request to raise the limitation,¹⁵ we stated that verification of receipt and acceptance would be required for all invoices equal to or greater than $2,500. In addition, we stated that sampling should not be implemented if the 10-percent error rate is considered above the acceptable error rate.

¹⁵ In the preceding section on the discussion of combining statistical sampling with fast pay, one agency had proposed a design under which sampling would be done for all invoices $25,000 or less. GAO responded to that agency's proposal as to whether it could raise the $2,500 limitation to $25,000. However, in this request, we were not provided a design nor asked if the limitation could be raised.
Processing Payment Without an Invoice

One federal entity asked GAO whether it would be permissible to make purchase order or contract payments (without a vendor's invoice) solely on the basis of a receiving report or other documentary evidence showing receipt and acceptance. This entity had designed a payment system whereby the acquisition of certain goods and services made under maintenance contracts and purchase orders would not require an invoice to generate a payment.

GAO Response

We reviewed the proposed payment processes and responded by stating that Title 7 identifies three typical steps to ensure proper payment is authorized: (1) the acquisition of goods and services was properly authorized as evidenced by an approved purchase order or contract, (2) the goods and services ordered have been delivered and accepted, evidenced by a receiving and inspection report, and (3) a claim has been made against the government as evidenced by receipt of an invoice or bill. Vendor's billing and government payment systems have been traditionally designed and operated with the invoice being the primary document initiating the payment process. Title 7, however, does not preclude payment from being authorized without an invoice if adequate internal controls exist to protect the government's interest.
Three specific areas where internal control should be given special attention when authorizing payments without invoices are: (1) payment is initiated only after receipt and acceptance of ordered goods and services and is authorized only after matching the types and quantities received with those on the purchase order or contract,¹⁶ (2) controls exist to insure against duplicate payment should a vendor mistakenly seek payment for goods or services for which payment has already been made, and (3) payments are made to coincide with the due dates to take advantage of discount terms or avoid late payment penalties.¹⁷ The proposed design contained sufficient control in these three areas to protect the government's interest. We did not object to the system design so long as steps were taken to ensure effective implementation.

¹⁶ A purchase order or contract should contain details of the type or quality of goods or services (e.g., model, stock number, quantity, per item price, discount, and payment due date).

¹⁷ The annual blanket contracts should stipulate discount terms and late payment dates.

Record Retention at Field Offices or Sites

Two of the agencies requesting our assistance on designing and implementing fast pay also asked if the key documents (i.e., purchase order, receiving report, and invoice) could be retained in the field offices or sites where the purchase was initiated. Instead of sending supporting documentation to the finance center for payment certification, a purchase log or other summary information would be maintained and all pertinent data would be entered into it, signed by the purchaser and approving official, and sent to the finance center for payment authorization. Periodically, samples of all paid invoices would be selected and the supporting documentation reviewed to verify the validity of the payment. Field offices and sites would then be required to forward the related documentation for all the transactions selected in the sample.

GAO Response

We stated that, although supporting documents are traditionally maintained at the certifying/disbursing officer's location, Title 7 did not preclude the documents being retained at the field offices or sites. However, we emphasized that employees responsible for maintaining the documents must be familiar with the retention and storage requirements set forth in Title 8, "Records Management," of the GAO Policy and Procedures Manual and that they might be requested to forward the documents for review by the certifying officer or auditors.

We suggested that agencies inform the field office staff that random samples of all payment transactions would be selected for the purpose of verifying the validity of the payments and that they would be required to forward all documents related to the selected transactions to the certifying officer's location for review. We also suggested that the agencies provide the field office staff with training to familiarize them with the retention and storage requirements. We did not object to retaining documents at field or site locations provided the suggestions we made were implemented.

Electronic Imaging

One agency asked us if electronic images (i.e., an electronic copy or image of a paper document) constituted an acceptable record. This agency's plan was to convert financial paper records (such as payment vouchers and related supporting documents) into electronic records. After the conversion, the paper documents would be destroyed and the electronic records would become the official records of the agency.

GAO Response

GAO has long recognized that agency records need not be maintained in their original paper-based form. For example, we have found that microfilm and similar technologies are acceptable methods for storing data originally on paper.
Electronic technology that allows data to be examined in human readable form, as on a monitor, stored in electronic media, recalled from storage, and reviewed in human readable form can provide data integrity that is equal to that of a paper document. Any system, regardless of the technology used, must incorporate adequate controls to ensure the integrity of the data.

Internal control must ensure that (1) the digital images accurately represent the corresponding paper document, (2) any changes to the original digital image can be detected, (3) access to the images is limited to authorized personnel for authorized purposes, and (4) the digital images are not destroyed, but remain accessible until the applicable retention period expires. Although authorized changes to an image may need to be made, the unaltered copy of the original image should be maintained to facilitate adequate audit trails.

We did not object to the agency's electronic imaging plan so long as internal control was implemented to ensure that the criteria in the preceding paragraph were met.

Streamlining the Payment Process - Employee Travel Claims

In an effort to streamline operations and reduce costs while taking advantage of currently available technology, many agencies have redesigned or modified their employee travel claim payment systems. Several agencies have requested our opinion on whether newly designed systems or modified ones conform to the requirements of Title 7 regarding internal control. Agencies' specific questions regarding these systems along with our responses are organized into the following seven sections.

While the General Services Administration (GSA) is responsible for issuing federal travel regulations, which are published in the Code of Federal Regulations (41 C.F.R. 301), we have provided our views on the internal control considerations in agencies' system designs pursuant to our authority to issue internal control standards. Since we did not test agencies' proposals, our responses only address agencies' proposals conceptually.

Electronic Vouchers, Electronic Edits, and Authorizing Payment Based on Electronic Validation

In streamlining their employee travel systems, several agencies designed automated systems containing electronic travel vouchers and requested our assistance in interpreting Title 7 requirements and assessing their designed internal controls. While each of the designs had minor differences, they generally called for a commercial software package modified to fit specific agency needs. The software contained a travel voucher form in two parts, a summary of the claims, and related detail supporting amounts. After completing the travel, the traveler completed the forms and signed the voucher electronically. The electronic forms contained the same information as the standard government hard copy travel voucher.

After the voucher was completed, the traveler's supervisor reviewed it. During the review of the voucher, the supervisor could ask for supporting hard copy documents (e.g., hotel receipts) if additional detail was needed to verify any of the claims on the voucher. The supervisor would then approve the voucher electronically. The approval signified reasonable assurance that the travel actually took place and that the claimed amounts were reasonable.

The supervisory approved voucher would then be forwarded electronically to the certifying or payment officer for approval of payment. Numerous electronic edits would be applied to the voucher at the certifying or payment officer's location prior to payment authorization. The edits could, for example, verify that the travel has been authorized and compare information on the voucher to information on master files to test the validity of the claims (i.e., that the claims were proper, legal, and accurate).
Information to be compared could include, for example, data on the traveler (e.g., name, employee or social security number, etc.) and limitations such as per diem amounts allowed in the city where the traveler stayed. If the edits did not uncover any discrepancies, the voucher would be approved for payment.

Subsequent to payment, the designs called for a review of the supporting documentation related to the travel vouchers. Those vouchers which would be reviewed included (1) all vouchers exceeding $2,500 and (2) a random sample selected from all vouchers for $2,500 or less. The supporting documents would be examined to help verify the validity of the claims and the effectiveness of the system.

GAO Response

Title 7 does not require payment approval of travel vouchers to be based solely on the traditional review of supporting documentation if adequate controls compensate for not reviewing such documentation. In addition to the traditional supervisors' review and approval of the voucher, the primary compensating controls designed were the automated edits and computations to ensure that the travel claims complied with all requirements. Although automated edits assist in determining the validity of a claim, they cannot determine whether the claim was properly documented nor can they fully replace the role of a human reviewer.

The plan to test vouchers on a sample basis after payment authorization for vouchers $2,500 or less should give further assurances that the claims are valid. The sample should follow a plan that provides for voucher examination against hardcopy documents to be commensurate with the risk to the government and a sample from the universe of all vouchers not subject to complete examination.

We did not object to the implementation of the automated travel systems, but suggested that, to help ensure effective implementation, each agency emphasize testing controls in its new designs during its annual review of internal control as required by the FMFIA.
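The edit-then-sample flow described in this section, as an added example rather than any agency's actual system: the edits run before payment authorization, and the postpayment review takes every voucher over $2,500 plus a random sample of the rest. The field names, master-file layouts, per diem figures, and 50 percent sample rate are constructed for illustration.

```python
import math
import random
from dataclasses import dataclass
from decimal import Decimal as D

FULL_REVIEW_ABOVE = D("2500")  # threshold stated in the guide


@dataclass(frozen=True)
class Voucher:
    voucher_id: str
    employee_id: str
    traveler_name: str
    travel_order: str
    city: str
    nights: int
    days: int
    lodging: D
    meals: D
    other: D
    traveler_signed: bool
    supervisor_approved: bool

    @property
    def total(self) -> D:
        return self.lodging + self.meals + self.other


def run_edits(v, employees, travel_orders, per_diem) -> list:
    """Return the discrepancies found; an empty list means approve for payment."""
    problems = []
    if not (v.traveler_signed and v.supervisor_approved):
        problems.append("missing traveler signature or supervisor approval")
    if employees.get(v.employee_id) != v.traveler_name:
        problems.append("traveler not found in employee master file")
    order = travel_orders.get(v.travel_order)
    if order is None or order["employee_id"] != v.employee_id:
        problems.append("no travel authorization for this traveler")
    rates = per_diem.get(v.city)
    if rates is None:
        problems.append("no per diem rate on file for city")
    else:
        # Simplified limits: nightly and daily rates times the stay length.
        if v.lodging > rates["lodging"] * v.nights:
            problems.append("lodging exceeds per diem limit")
        if v.meals > rates["meals"] * v.days:
            problems.append("meals exceed per diem limit")
    # Added sanity edit, not listed in the guide.
    if min(v.lodging, v.meals, v.other) < 0 or v.nights < 0 or v.days < 1:
        problems.append("negative or impossible amounts")
    return problems


def select_for_review(paid, sample_rate, rng):
    """All vouchers over $2,500, plus a random sample of those at or below it."""
    full = [v for v in paid if v.total > FULL_REVIEW_ABOVE]
    pool = [v for v in paid if v.total <= FULL_REVIEW_ABOVE]
    k = min(len(pool), math.ceil(len(pool) * sample_rate))
    return full, rng.sample(pool, k)


def demo(sample_rate=0.5, rng=None) -> dict:
    # Seeded for a repeatable demo; random.SystemRandom() keeps a live
    # selection unpredictable to the people whose vouchers are sampled.
    rng = rng or random.Random(2000)
    # Constructed master files and vouchers (the rates are not GSA's).
    employees = {"E100": "A. Rivera", "E200": "B. Chen"}
    travel_orders = {"TO-1": {"employee_id": "E100"},
                     "TO-2": {"employee_id": "E200"},
                     "TO-3": {"employee_id": "E100"}}
    per_diem = {"Denver": {"lodging": D("120"), "meals": D("46")}}
    vouchers = [
        Voucher("V1", "E100", "A. Rivera", "TO-1", "Denver", 3, 4, D("330"), D("184"), D("60"), True, True),
        Voucher("V2", "E200", "B. Chen", "TO-2", "Denver", 2, 3, D("300"), D("138"), D("0"), True, True),
        Voucher("V3", "E100", "A. Rivera", "TO-9", "Denver", 1, 2, D("100"), D("80"), D("0"), True, True),
        Voucher("V4", "E100", "A. Rivera", "TO-3", "Denver", 20, 21, D("2400"), D("966"), D("150"), True, True),
        Voucher("V5", "E200", "B. Chen", "TO-2", "Denver", 1, 2, D("110"), D("92"), D("15"), True, False),
        Voucher("V6", "E200", "B. Chen", "TO-2", "Denver", 2, 3, D("240"), D("120"), D("20"), True, True),
        Voucher("V7", "E100", "A. Rivera", "TO-1", "Denver", 1, 2, D("115"), D("90"), D("0"), True, True),
    ]
    rejected, paid = {}, []
    for v in vouchers:
        problems = run_edits(v, employees, travel_orders, per_diem)
        if problems:
            rejected[v.voucher_id] = problems
        else:
            paid.append(v)
    full, sampled = select_for_review(paid, sample_rate, rng)
    return {"rejected": rejected,
            "paid": [v.voucher_id for v in paid],
            "full_review": [v.voucher_id for v in full],
            "sampled": [v.voucher_id for v in sampled]}


if __name__ == "__main__":
    print(demo())
```

A voucher such as V1 can pass every edit and still be unsupported by receipts, which is why the sampled vouchers go to a reviewer with the hardcopy documents.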
Travelers Retaining Supporting Documentation

Each agency designing automated employee travel voucher systems discussed in the previous section also asked us if the traveler could retain the supporting hardcopy documentation. These agencies stated that part of the streamlining effort would include reducing the time, effort, and cost of moving paper documents through a manual system, reviewing and approving the documents, and filing the documents at the certifying or payment officer's location. Reducing the paper flow would also result in faster payments since the system would not be relying solely on hard copy documents. Regarding employees that either retire or leave the agency prior to the expiration of the retention period, the designs called for an employee checkout procedure whereby clearance from their travel unit (as well as other units within the agency) is required prior to receiving their last salary payment.

GAO Response

Traditionally, hardcopy documents have been retained at the certifying or payment officer's location for ease in accessibility. However, Title 7 does not preclude the documents from being maintained at the traveler's location. Nevertheless, we emphasized that the travelers must retain the documents in accordance with the requirements of Title 8, "Records Management," of the GAO Policy and Procedures Manual.

We suggested that agencies inform all travelers that random samples of payment transactions would be selected for the purpose of further verifying the validity of the payments and, for those selected transactions, travelers would be required to forward all related documents to the certifying or payment officer's location for review. We also suggested that the agencies provide travelers with training to familiarize them with the retention and storage requirements. We did not object to travelers retaining supporting hardcopy documents so long as the suggestions we made were effectively implemented.

Electronic Signatures

Several of the agencies designing automated employee travel voucher systems discussed in the previous sections did not indicate how the data would be secured from unauthorized access and manipulation. Two agencies requested our views on whether the electronic signatures proposed in their designs provided sufficient control to ensure the integrity of the data on the vouchers after being completed by the traveler and approved by the supervisor.

GAO Response

Regarding those agencies that did not disclose the type of signature in their proposals, we pointed out that the degree to which data on electronic vouchers are secured depends upon the type of automated signature used. Electronic signatures meeting the criteria previously discussed may be used to secure data on the voucher when the traveler and the supervisor electronically sign the voucher.

After our responses, the Government Paperwork Elimination Act (GPEA) became effective, requiring OMB to issue guidance to agencies for using and accepting electronic documents and signatures. OMB's guidance states that an agency should determine whether an electronic signature alternative, in conjunction with appropriate process controls, represents a practicable tradeoff between benefits, costs, and risks; and if so, determine and document which signature alternative is the best one to use for a particular application.

Regarding the two agencies requesting our views on the signatures proposed in their designs, we stated that their signatures must meet the aforementioned criteria. These agencies were working with their contractors (who provided the electronic applications for the automated employees travel system) in moving towards meeting the criteria. We did not object to their system being pilot tested at limited locations so long as they continued to move toward meeting the criteria.
The agencies agreed to follow up by requesting our views on full implementation when the signatures at the pilot locations were implemented.

Flat-Rate Lodging Reimbursement

One of the agencies planning the implementation of an electronic travel claim system asked us if travelers could be reimbursed on a flat-rate basis for lodging (the maximum allowed at the city where the travel took place), under the same concept of the per diem rate allowed for meals and related incidental amounts. The agency believed that a flat rate would reduce the administrative effort needed to separately record all actual lodging costs incurred, retain and submit the receipts when requested, and examine the lodging costs on the voucher.

GAO Response

The GAO Policy and Procedures Manual does not address lodging reimbursement on a flat-rate basis. GSA is responsible for setting the maximum allowable amount for a particular locality. However, we provided the requester our views on internal control when considering the implementation of flat-rate lodging policy.

Going to a flat-rate lodging basis poses a risk that the government would incur more cost than it would otherwise. Travelers who incur minimal lodging costs by staying at a government facility/military base or low cost lodging would, in many instances, receive excessive travel stipends under the proposal, especially if they stay at a location for an extended period.

We believe the agency should analyze the costs and benefits of going to a flat-rate basis for lodging before a decision is made to implement it. The analysis should include consideration of the costs to process travel vouchers as well as a review of past travel authorizations and claims by employees compared to the maximum amounts allowed. If the difference were minimal, justification would exist for going to such a rate, providing GSA approved. If the difference is material, the agency should reconsider going to such a rate or establish procedures to ensure travelers incur at least a significant portion of the flat-rate amount or, if not, are reimbursed at the actual costs incurred.

Validating Travel Claims After Payment Authorization

Another one of the agencies planning the implementation of an electronic travel claim system believed that about 10 percent of the travel claims would continue to come from small, isolated offices (where personnel spend most of the time out of the office) where obtaining and operating computer facilities are not cost-effective. Travel vouchers for staff at those locations were to continue to be completed and processed in hardcopy paper documents under a manual system.

To reduce the cost of processing such hardcopy documents, the agency designed procedures whereby travel vouchers would be certified for payment prior to the review of supporting documentation. After completing and signing the voucher, it would be approved by the supervisor, then forwarded to the certifying officer's location, certified for payment, and payment made to the traveler. After payment, a test of the validity of the payment would be made on a sample basis by obtaining the supporting documentation from the traveler (where it would be retained) and reviewing information in the documents to ensure the validity of the claim. The sampling methodology would follow the sampling requirements contained in Title 7.

The agency believed that the risks to the government from implementing such a design were minimal based on an analysis it had performed under its current system. The analysis revealed that very low error rates were found during its prepayment testing of vouchers and that collecting overpayments from employees, by virtue of their relationship with the agency, would be easily done.
Nevertheless, to ensure that overpayments were collected, the agency would take the most expedient of the three following options to recover funds: (1) obtain reimbursement from the traveler, (2) make deductions from other travel payments due the traveler, or (3) initiate action for payroll deductions from the traveler's salary.¹⁸ The agency's goal was to recover overpayments, using one of the three collection options, within 60 days of discovering the overpayment.

¹⁸ The agency's attorneys had provided clearance to the financial office regarding authority to make payroll deductions from employees for overpayment of travel claims.

GAO Response

The type of postpayment validation procedures the agency proposed to implement is analogous to the form of payment known as "fast pay," available for the purchase of goods and services. In assessing the agency's design, we applied the fast pay criteria. Fast pay is permitted primarily where there is a continuing relationship with reliable vendors and a geographical separation exists between the payment authorization office and the location where goods and services are received.

We believed the two criteria were met; however, we offered four suggestions to the agency. First, the sampling plan should be designed to ensure that the risks of overpayments are within tolerable thresholds. Second, the agency should formally communicate to its employees who prepare these vouchers the process for recovering overpayments. Third, the agency should establish a mechanism to identify employees who make repeated errors, so their vouchers could receive prepayment validation until such time as the errors are eliminated or reduced to an acceptable level. Finally, during the initial period of implementation, the agency should emphasize its review of the new process during the agency's annual internal control review under FMFIA.
We did not object to this portion of the agency's new employee travel system, provided our suggestions were effectively implemented.

Omitting Supervisory Approval of Travel Claims

Two agencies planning the implementation of an electronic travel claim system designed systems in which the supervisor's approval of travel vouchers would not be needed. The agency would rely on the supervisor's approval of the travel order (i.e., the obligating document authorizing travel to be taken), the electronic edits, and the review of supporting documents after payment certification. The review of supporting documents to fully validate the automated edits would be done on a statistically generated sample from the universe of all vouchers.

GAO Response

The primary purpose of the supervisor's approval of staff's travel vouchers is to help the certifying officer ensure that all claims are valid when certified. Generally, the supervisor's approval serves two main purposes for the certifying officer: (1) to indicate the claims on the voucher are reasonable and (2) to verify that the travel actually took place. While the first purpose would be achieved through the electronic edits proposed in the design, we were concerned that payment would be authorized before verifying that the travel actually took place.

We believe there are several alternative procedures available to verify that travel actually took place without requiring the supervisor's approval. For example, employees could be required to use the agency-designated charge card for hotel and certain other costs. When the travel voucher is being processed, the automated system could compare the information on the actual charges processed by the charge card company with those claimed on the voucher. When a "match" occurs for hotel and certain other charges, a verification of the actual trip would be made.
Where no match is found, the travel office (or certifying officer) could request the hotel receipts to verify out-of-town lodging costs. Properly implemented, this approach provides reasonable assurance that a trip occurred.

We did not object to the implementation of the agency's proposal so long as procedures were implemented to verify that authorized trips were actually taken by employees prior to payment authorization and that for the first year the system was operational, assessment of internal control in the system was emphasized during the annual FMFIA review.

Summarizing Expenses of $75 or Less

One agency intended to implement an employee travel claim procedure allowing travelers, with certain exceptions, to merely list an aggregate amount of all expenses that individually cost $75 or less.¹⁹ At the time of the request, GSA required all travel expenses to be listed on the voucher; however, it granted the requester a waiver of the requirement to itemize expenses costing $75 or less as long as we concurred.

¹⁹ At the time of our response to this agency, GSA required the traveler to obtain receipts for all expenses individually costing $75 or more.

GAO Response

Since Title 7 requires the validity of travel claims to be established prior to certification for payment, we believe that listing all expenses individually on the travel voucher helps satisfy this requirement. Such a list provides the official administratively approving the voucher (usually the traveler's supervisor) and the certifying officer additional evidence for determining the reasonableness of the claims. It also reduces the risks of errors or fraud occurring and going undetected.

Our response contained a simple example of an error occurring that would not be detected if all expenses $75 or less were merely listed in the aggregate on the voucher. If the traveler inadvertently summarized taxi
fares costing $17.99 as $71.99 on the voucher by transposing the seven and the one, the approving official and the certifying officer, who might generally expect much lower taxi fares, would have no basis to assess the reasonableness of the claim. Both officials would lose the capability to determine whether claims under $75 were reasonable under the circumstances. We suggested that the agency modify its proposal to require travelers to list each expense individually on the travel voucher.

Relevant Issues Addressed in GAO Reports

Financial Management System Standards Issued by JFMIP

The Joint Financial Management Improvement Program (JFMIP) is a joint cooperative undertaking of the Office of Management and Budget, the General Accounting Office, the Department of Treasury, and the Office of Personnel Management, working in cooperation with each other and with operating agencies to improve financial management practices throughout the government. The program was initiated in 1948 by the Secretary of the Treasury, the Director of the Bureau of the Budget (now OMB), and the Comptroller General and was given statutory authorization in the Budget and Accounting Procedures Act of 1950. The Civil Service Commission, now the Office of Personnel Management (OPM), joined JFMIP in 1966.

The Federal Financial Management Improvement Act (FFMIA) of 1996 requires, among other things, that agencies implement and maintain financial management systems that substantially comply with federal financial management systems requirements. These system requirements are detailed in the Financial Management Systems Requirements series issued by JFMIP and Office of Management and Budget (OMB) Circular A-127, Financial Management Systems. JFMIP requirements documents identify (1) a framework for financial management systems, (2) core financial systems requirements, and (3) 16 other financial and mixed systems supporting agency operations, not all of which are applicable to all agencies.
Figure 1 is the JFMIP model that illustrates how these systems interrelate in an agency's overall systems architecture. Systems standards are important for agencies streamlining operations by redesigning or modifying systems to take advantage of technological advances. The standards provide the criteria to help ensure that the systems include effective internal control and meet the requirements imposed for central reporting and complying with laws and regulations.

Figure 1: Agency Systems Architecture
Source: JFMIP Core Financial System Requirements document.

To date, JFMIP has issued (1) the Framework for Federal Financial Management Systems (not shown in Figure 1) and (2) systems requirements for the core financial system and 7 of the 16 other systems identified in the architecture. (See figure 1.)20 In early 1998, JFMIP decided to initiate projects to update system requirements documents that were not current with regulations and legislation. JFMIP also planned to initiate projects to complete the remaining systems requirements where none currently exist.

20 Thus far, the series includes the (1) Framework for Federal Financial Management Systems, (2) Core Financial System Requirements, (3) Inventory System Requirements, (4) Seized/Forfeited Asset System Requirements, (5) Direct Loan System Requirements, (6) Guaranteed Loan System Requirements, (7) Travel System Requirements, (8) Human Resources & Payroll Systems Requirements, and (9) System Requirements for Managerial Cost Accounting.

Related GAO Products

(922280)