An Independent Risk Assessment of Facility Physical Security Was Not Performed in Compliance With Contract Requirements
July 25, 2012
Reference Number: 2012-10-075
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.tigta.gov
HIGHLIGHTS
AN INDEPENDENT RISK ASSESSMENT OF FACILITY PHYSICAL SECURITY WAS NOT PERFORMED IN COMPLIANCE WITH CONTRACT REQUIREMENTS
Highlights
Final Report issued on July 25, 2012
Highlights of Reference Number: 2012-10-075 to the Internal Revenue Service Deputy Commissioner for Operations Support.
IMPACT ON TAXPAYERS
The IRS has an obligation to protect the Federal Government’s tax administration system, which includes its 100,000 employees stationed at more than 700 facilities, taxpayer information, and the taxpayers who visit the IRS throughout the United States. Our review identified significant deficiencies in the administration of an IRS physical security risk assessment contract. As a result, the contractor was unable to conduct an in-depth, independent assessment regarding the security posture of IRS facilities, as required by the contract. When contracts are not properly administered, the IRS may not receive the desired contract outcomes and the best return on the taxpayers' dollar.
WHY TIGTA DID THE AUDIT
This audit was initiated because effective risk assessments are the primary method used to identify security weaknesses and allow steps to be taken to improve overall security at IRS facilities. The objective of this review was to determine whether the IRS administered the Physical Security Risk Assessment contract in compliance with acquisition regulations and guidance to ensure the IRS received the contract deliverables in accordance with the terms and conditions of the contract.
WHAT TIGTA FOUND
TIGTA determined that the IRS did not receive an in-depth, independent assessment regarding the security posture of its facilities as required by the contract. In addition, the IRS did not administer the Physical Security Risk Assessment contract in compliance with relevant acquisition regulations and guidance. IRS management and Physical Security and Emergency Preparedness program office employees, without the knowledge of the contracting officer, instructed the contractor to perform services that were lesser in scope than required by the original contract. In addition, the contractor indicated that the Physical Security and Emergency Preparedness program office did not provide the contractor access to all of the information necessary to complete a report outlining the IRS’s overall security posture. As a result of these actions, an independent risk assessment of facility physical security was not performed in compliance with contract requirements. In fact, the contractor declined to provide a validation of the acceptability of the IRS’s security posture.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Deputy Commissioner for Operations Support 1) reemphasize to IRS management officials, program office employees, and contracting officer’s technical representatives that contracting officers must be promptly notified of any changes to contract requirements, and 2) ensure contracting officer’s technical representatives perform their specific responsibilities including: advising the contracting officer when changes in the work occur, reviewing contractor vouchers and invoices to ensure they are accurate, determining whether services are delivered in conformance with the requirements of the contract, and following the contract’s quality assurance plan.
In their response, IRS management agreed with our recommendations and plans to issue a memorandum reemphasizing that contracting officers must be promptly notified of any changes to contract requirements so required modifications can be timely executed. Also, the IRS plans to issue a memorandum to contracting officer’s technical representatives outlining their roles and responsibilities.
July 25, 2012
MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT
FROM: Michael E. McKenney /s/ Michael E. McKenney
Acting Deputy Inspector General for Audit
SUBJECT: Final Audit Report – An Independent Risk Assessment of Facility Physical Security Was Not Performed in Compliance With Contract Requirements (Audit # 201110025)
This report presents the results of our review on the Independent Risk Assessment of Facility Physical Security. The overall objective of this review was to determine whether the Internal Revenue Service (IRS) administered the Physical Security Risk Assessment contract[1] in compliance with applicable Federal, Department of the Treasury, and IRS acquisition regulations and guidance to ensure the IRS received the contract deliverables in accordance with the terms and conditions of the contract. This review is included in our Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Fraudulent Claims and Improper Payments.
Management’s complete response to the draft report is included as Appendix V.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Russell P. Martin, Acting Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix V – Management’s Response to the Draft Report
Abbreviations
|
COTR |
Contracting Officer’s Technical Representative |
|
FAR |
Federal Acquisition Regulation |
|
IRS |
Internal Revenue Service |
|
PSEP |
Physical Security and Emergency Preparedness |
The Internal Revenue Service (IRS) has an obligation to protect the Federal Government’s tax administration system, which includes its 100,000 employees stationed at more than 700 facilities, taxpayer information, and the taxpayers who visit the IRS throughout the United States. In 1995, the President issued Executive Order 12977, Interagency Security Committee,[2] which mandated that Federal agencies assess the vulnerability of Federal facilities. In compliance with Executive Order 12977, the Department of the Treasury requires that risk assessments be conducted at IRS facilities in order to assess security risks from internal or external threats, and to identify the need for security counter measures.[3] Within the IRS, these facility risk assessments are the responsibility of the Office of Physical Security and Emergency Preparedness (PSEP), in the Agency-Wide Shared Services.
On February 18, 2010, a single-engine airplane was intentionally flown into an IRS building in Austin, Texas, killing the pilot and an IRS employee, and injuring 13 others (hereafter referred to as the Austin incident). In response to the Austin incident, the IRS contracted with a consulting firm to conduct a limited study of the IRS’s security posture and to identify gaps in IRS security policy, program administration, management, or practices. The consulting firm’s April 2010 report included a number of areas for improvements. These areas included:
On May 20, 2010, IRS management issued an announcement to update IRS employees on safety and security initiatives underway as a result of the Austin incident. IRS management advised that they were launching an in-depth security review of IRS facilities across the country to determine how the agency might improve its current security posture. The announcement indicated that the IRS would be looking at a host of issues to see what appropriate steps could be taken to improve overall security.
In support of its goal of improving facility security, the IRS initiated the Commissioner’s Security Readiness Project in March 2010. To obtain an independent perspective on IRS security issues, the IRS appointed an executive from the Office of Procurement to lead this effort. This project team developed an action plan to identify steps that could be taken to improve overall security following the Austin incident. An important part of the action plan included conducting in-depth security reviews (risk assessments) of all IRS facilities by December 31, 2010. The IRS concluded that it did not have the in-house capacity to perform the in-depth risk assessments within the six-month time period and obtained the services of a contractor on June 15, 2010.
The contract[5] required the contractor to:
A contract modification was executed on December 30, 2010, revising key provisions in the original contract to include that the contractor develop a report that summarizes recurring findings and systemic failures and make recommendations for corrective actions. The contractor was also asked to evaluate the overall PSEP risk assessment process and provide an opinion on the IRS’s overall compliance with Federal facility security standards based on the contractor’s personal observations.
IRS contract administration roles and responsibilities
When the IRS awards a contract, the acquisition team is responsible for the various aspects of the contract administration. This team consists of program managers, contracting officers, and contracting officer’s technical representatives (COTR). The responsibilities of the acquisition team are as follows:
This review was performed at the Agency-Wide Shared Services National Headquarters in Washington, D.C.; the Office of Procurement in Oxon Hill, Maryland; the Agency-Wide Shared Services PSEP offices in Memphis, Tennessee, and Ogden, Utah; and the Department of Homeland Security, Office of Procurement, in Washington, D.C., during the period September 2011 through March 2012. We also visited the contractor’s office in Fayetteville, Georgia. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Independent, in-depth security reviews were not performed at all IRS facilities in compliance with the requirements of the Physical Security Emergency Preparedness Risk Assessment contract.
Our review determined that the contractor did not perform an in-depth, independent assessment regarding the security posture of the IRS’s 669 facilities as required by the contract. In addition, the IRS did not administer the Physical Security Risk Assessment contract in compliance with acquisition regulations and guidance. IRS management and PSEP program office employees directed the contractor to perform services that were lesser in scope than required by the original contract. This direction included that the contractor: assist PSEP employees with conducting the risk assessments rather than lead the risk assessments, provide observations to PSEP personnel who prepared the facility risk assessment reports, and attend only those facility site visits where PSEP personnel requested support. In addition, the contractor indicated that the PSEP program office did not provide the contractor access to all of the information necessary to complete the report outlining the overall IRS security posture.
As a result of the IRS’s actions, the IRS did not receive contract deliverables in accordance with the contract’s requirements, and the contractor declined to provide a validation of the acceptability of the IRS’s security posture. The noncompliance of contract deliverables could potentially impact the IRS’s ability to make informed decisions regarding its physical security and the need for additional security enhancements. When contracts are not properly administered, the IRS may not receive the desired contract outcomes and the best return on the taxpayers’ dollar.
An Independent Assessment of the Adequacy of Facility Security Was Not Performed in Compliance With the Contract
Our review determined that the contractor did not conduct independent facility risk assessments in compliance with contract requirements. Instead, the contractor indicated that PSEP employees conducted the risk assessments and were often the same PSEP employees assigned the primary security duties for the facility under review. Analysis of contractor invoices and IRS documentation found that the contractor was not involved in the performance of a risk assessment at 327 (52 percent) of 631 facilities.[7] Even at the IRS sites where the contractor was asked to participate, the amount of assistance provided by the contractor varied at each location based on what the local PSEP representative requested.
In addition, the contractor indicated that the IRS did not provide access to the official risk assessment reports for the locations where the contractor’s support was provided. Therefore, the contractor did not have assurance that all significant observations were included in the risk assessment reports for the facilities at which the contractor provided support. Figure 1 provides a summary of the key contract requirements and modifications and whether or not they were met.
Figure 1: Contractor Compliance With Contract Requirements
|
Contractor Requirements |
Requirement Met |
|
Conduct risk assessments at 669 IRS facilities nationwide and analyze existing security measures and practices in each facility by December 31, 2010. |
No – PSEP staff conducted the risk assessments themselves and requested the contractor to provide assistance at only 304 sites. |
|
Modification: Provide a minimum of one qualified contract security specialist when requested to assist in the completion of site risk assessments at up to 669 IRS facilities by December 31, 2010. |
Yes |
|
Provide risk assessment reports which include findings and recommendations on any deficiencies noted during the risk assessments. |
No – PSEP staff prepared the risk assessment reports themselves, with the contractor providing observations only when requested. |
|
Modification: Provide individual findings and recommendations, verbal or written, relating to the individual risk assessments for each facility where assistance was provided as requested. |
Yes |
|
Prepare a report outlining the overall IRS security posture. |
No – The contractor did not provide support at 327 (52 percent) of the 631 sites where risk assessments were completed. For the sites where only PSEP personnel conducted the risk assessment, the IRS provided copies of risk assessment reports for the contractor’s review. Since the contractor was not physically present for these risk assessments and had concerns about the adequacy of the IRS risk assessment process, the contractor elected not to place reliance on the results. Consequently, the contractor did not provide validation of the acceptability of the IRS’s overall security posture. |
|
Contractor Requirements |
Requirement Met |
|
Modification: Provide an executive summary describing the IRS’s overall compliance with Federal facility security standards based on sites visited by the contractor. |
No – The contractor indicated that the IRS did not provide the contractor access to the official risk assessment reports for the locations where the contractor’s support was provided. Therefore, the contractor did not have assurance that all significant observations were included in the official risk assessment reports. |
|
In addition to those requirements previously listed, the following reporting requirements were added during the modification of the contract’s requirements: |
|
|
Provide an evaluation of the PSEP overall risk assessment process and recommendations for process improvements based on actual sites visited. |
Yes |
|
Provide a report that summarizes recurring findings, identifies systematic failures, and makes recommended corrective actions. |
No – The contractor did not provide support for all |
|
Provide recommendations on the future use of contractor support for the risk assessment process to include lessons learned during the contract’s performance period. |
Yes |
|
Provide draft report to the COTR.[8] |
Yes |
|
Provide final report to the COTR. |
Yes |
Source: The Treasury Inspector General for Tax Administration’s review of the contract Performance Work Statement issued June 15, 2010, and modified December 30, 2010.
Beginning as early as June 18, 2010, IRS management and PSEP program office employees instructed the contractor to perform services that were lesser in scope than stated in the original contract. The contractor is responsible for notifying the contracting officer of any changes in work scope. We identified no written notifications to the contracting officer prior to the contractor providing the reduced services. However, the contractor did provide IRS management and an Office of Procurement official with both written and verbal notifications of a significant change in work scope. For example, in a written notification, dated July 12, 2010, the contractor stated:
In light of the meeting today and the significant change in the scope of work, I think we should meet tomorrow to go over all of the changes to ensure we are all clear on the work to be performed and the expected results/deliverables.
The contractor advised us that IRS management provided verbal assurances that a contract modification would be put in place. However, this modification was not executed until December 30, 2010, after the completion of the facility risk assessments. Additionally, our review of the contract file identified a December 17, 2010, memorandum written by the contracting officer indicating that the change in the contractor’s role and work scope had been informally put into effect at the request of the PSEP program office. The memorandum further states that the basis for the change in the contractor’s role and work scope was that the IRS did not want the contractor to have knowledge of any security flaws that might potentially exist at IRS facilities. The memorandum also notes that the PSEP program office had not made the contracting officer aware of the change it had directed the contractor to make. In fact, based on the memorandum, the matter did not come to the contracting officer’s attention until she learned of it during an interview with Treasury Inspector General for Tax Administration auditors in November 2010. Below are excerpts from the December 17, 2010, memorandum:
It should be noted that the contracting officer and the COTR believed the contractor to be performing in accordance with the requirements in the contract. When it was brought to our attention that this might not necessarily be the case (that, in fact, the contractor was performing some risk assessments reviews behind the PSEP program office personnel, and not independently conducting the security assessments themselves), this was discussed with the IRS program manager(s). However, inasmuch as this ‘technical direction’ was done without the knowledge or concurrence of either the COTR or the contracting officer, the contracting officer has since attempted to ensure that: (1) the contract now reflects the work actually performed, and (2) the contractor is paid only for work performed.
The contracting officer and the COTR have been in communication with each other and have realized that changes to the contract requirements were made by individuals in positions well above themselves without including the contracting officer and COTR in these decisions. The contracting officer questioned how this could have happened and was told by the COTR that the PSEP Office didn’t want an individual or contractor to be privy to all of the possible flaws within the various IRS locations.
The Federal Acquisition Regulation (FAR)[9] requires, when possible, that a contract modification be executed before the work scope changes are implemented. This protects the Government’s interest relating to the overall cost of the contract and allows the contracting officer to direct the performance of the contract work.
IRS management informed us that numerous discussions were held after the physical security risk assessment contract was awarded regarding a change in the contractor’s role and a reduction in work scope. However, the IRS advised us that the content of the discussions and key decisions made at these meetings were not documented. Our discussions with IRS management found that the IRS did not consider taking any alternative actions to protect the Government’s interests, such as terminating the contract once they decided not to have the contractor independently conduct the facility risk assessments. The IRS indicated that while the PSEP security specialists were capable of conducting the risk assessments without contractor support, the IRS wanted the contractor’s involvement to add additional perspective and credibility to its assessments. This explanation contradicted the justification in the contract acquisition plan which indicated that the IRS did not have the in-house capacity to perform the risk assessments within the six-month time period required for completion.
The contractor’s final report raises concerns regarding PSEP personnel’s performance of risk assessments
The contractor’s final report deliverable was comprised of lessons learned from the current PSEP risk assessment process, and a number of issues were identified for IRS consideration. One concern the contractor noted involved the independence of PSEP employees leading the risk assessments. Often the PSEP employees conducting the risk assessments were the same employees assigned the primary security duties for the facility under review. The contractor suggested that the IRS select risk assessment team personnel from a different geographical area if using IRS personnel to conduct future risk assessments. The use of personnel from another Federal agency or a private contractor was also recommended as another alternative to the current practice.
Other significant concerns the contractor raised in the report included:
It should be noted that the contractor raised additional issues of concerns in its draft version of the report. However, the contractor was directed to remove those statements because the IRS did not want these issues presented in the final report. The IRS also requested specific examples from the contractor in order to respond to the concerns raised, including the concern that not all identified deficiencies were documented by PSEP personnel in the resulting reports, either out of political expediency or due to concerns that the findings would lead to additional workload for security personnel.
The IRS’s rebuttal to the concerns raised in the final report indicated that it would consider the suggestion to select risk assessment team personnel from a different geographical area in future assessments. However, the IRS indicated that physical security specialists are required to attend training. The IRS also indicated that it believed the software was up-to-date with new Federal facility security standards, and the cost estimator in the software uses an industry-accepted standard.
Based on the concerns raised during this review relating to potential physical security deficiencies that the IRS identified, but that may not have documented in the risk assessments, we are initiating a separate review to assess the adequacy of the physical security assessments conducted at IRS facilities.[10]
Significant Deficiencies Were Identified in the Administration of the Physical Security Risk Assessment Contract
Our review determined that the IRS did not administer the Physical Security Risk Assessment contract in accordance with relevant FAR provisions, Department of the Treasury regulations, and IRS policies and procedures. Figure 2 provides a summary of our evaluation of the key contract administration requirements relevant to the contract and whether the requirement was met.
Figure 2: Key IRS
Contract Administration Responsibilities
Relevant to the Contract
|
Contract Administration Requirements |
Responsibility Met |
|
Appoint a COTR by issuing a signed Letter of Appointment[11] tailored to meet the needs of each contract. |
Yes |
|
Ensure that all security requirements of the contractor are met, including obtaining security background investigations for all required contractor personnel. |
Yes |
|
Monitor the contractor’s performance to assure that the contractor has delivered supplies and services that conform to contract requirements. |
No |
|
Review contractor invoices and supporting documentation to ensure labor rates are consistent with the terms and conditions of the contract, and whether billed travel costs are supported by appropriate documentation. |
No |
|
Contract Administration Requirements |
Responsibility Met |
|
Review hours worked by contractor employees and verify contractor qualifications and experience levels for individual contractor employees. |
No |
|
Ensure that employees (other than the contracting officer) are prohibited from providing technical direction to the contractor that may change the terms and conditions of the contract. |
No |
|
Ensure that changes in the delivery of goods or services and the resulting effects on the delivery schedule are formally made by written modification issued by the contracting officer before the contractor proceeds with the change. |
No |
Source: The Treasury Inspector General for Tax
Administration’s review of FAR provisions, Department
of the Treasury regulations, IRS Acquisition guidance, and the COTR Letter of
Appointment.
In addition, we found that PSEP program office employees acted beyond their authority when directing the contractor to perform a variety of tasks at the 304 facilities the contractor visited. These tasks were in direct contradiction to the terms and conditions of the contract. For example:
The FAR states that in the event the contractor makes any changes at the direction of any person other than the contracting officer, the change will be considered to have been made without authority. Our review identified that the role and scope of work performed by the contractor was reduced based on the verbal direction of IRS management. This change was not at the direction of the contracting officer, as required.
The contract was not timely modified
Although IRS management changed the role and responsibilities of the contractor by directing a reduction in services shortly after the contract was awarded, the contract was not modified until six months after the contractor began. Specifically, the contract modification was not executed until after all of the risk assessments of IRS facilities were performed.
A contracting officer relies upon the COTR and the contractor to advise him or her of any change in the contract requirements (scope of work). One of the duties included in the COTR Letter of Appointment is to assure that changes in work or services are included in the contract through a written modification issued by the contracting officer. This modification should be prepared before the contractor implements the changes. Figure 3 shows a timeline of significant events based on our review of the contract file, e-mails, and discussions with the IRS and the contractor. The timeline provides examples of the numerous opportunities PSEP personnel had to inform the contracting officer, as required, of the changes that had been informally implemented.
Figure 3: Timeline of Events During Contract Performance
|
Date |
Event |
|
June 15, 2010 |
Contract awarded. |
|
June 18, 2010 |
The Commissioner’s Security Readiness Project leadership advised the PSEP Risk Assessment Project Manager of a change in the role of the contractor. The COTR advised the PSEP Risk Assessment Project Manager of delays in the contractor security clearance process. |
|
June 22, 2010 |
Due to the delays in completing the contractor background investigations, the PSEP Risk Assessment Project Manager advised PSEP management that PSEP staff would begin to conduct the planned risk assessments and indicated that contractor employees would take over performance of the risk assessments once they received their security clearance. |
|
June 25, 2010 |
The COTR was included in distribution of an e-mail that discussed the contractor work scope change. The contracting officer indicated that the changes to the scope of work were not communicated at this time. |
|
July 1, 2010 |
The first two contractor employees received their security clearance. |
|
July 7-9, 2010 |
The contractor attempts to conduct the first three risk assessments as scheduled. However, IRS employees advised the contractor that they would not be given access to the facilities without IRS escorts. In one instance, the PSEP program employee advised the contractor that the IRS had already completed the risk assessment. |
|
July 12, 2010 |
During another risk assessment, the contractor indicated that a PSEP program employee advised the contractor that the IRS had already completed the risk assessment. The contractor notifies IRS management of the direction he received on the change in work scope, including an executive from the Office of Procurement. The contracting officer indicated that the changes to the scope of work were not communicated to her at this time. |
|
July 14, 2010 |
Commissioner’s Security Readiness Project personnel advised the contractor that PSEP program employees would be leading the risk assessments and that the contractor would be providing assistance as needed. |
|
August 4, 2010 |
The contract specialist (assists the contracting officer) contacted the IRS Project Manager for a status update on the contract performance. The PSEP Risk Assessment Project Manager’s e-mail did not advise the contract specialist of the changes to the scope of work. |
|
September 8-16, 2010 |
The COTR advised the contract specialist that the funds needed for the contract had been reduced based on the progress of risk assessments completed. The contracting officer signed contract modification number one to remove approximately $800,000 for labor hours no longer needed over the term of the contract.[12] The contracting officer indicated that the changes to the scope of work were not communicated at this time. |
|
November 1, 2010 |
The contracting officer was advised of the risk assessment contract’s change in contractor role and work scope during an interview with the Treasury Inspector General for Tax Administration. |
|
November 5, 2010 |
Contract modification number two was issued to change the responsible contracting officer. The contract specialist was assigned as the responsible contracting officer. The contracting officer indicated that the contract specialist had received the contracting officer’s warrant[13] and could now be assigned to serve as the responsible contracting officer. |
|
December 15, 2010 |
The contractor returns IRS-issued laptops, ending the contractor’s participation and assistance in the risk assessments. |
|
December 30, 2010 |
The contracting officer signed contract modification number three changing the requirements of the contract to mirror the reduced scope of work. |
|
February 28, 2011 |
Final contractor report deliverable provided to the IRS. |
|
June 28, 2011 |
Over the life of the contract, the contractor received approximately $1.2 million, with the remaining $1.3 million in contract funds deobligated. |
Source: The Treasury Inspector General for Tax Administration’s review of the contract file, various e-mails from the IRS and the contractor, and discussions with the IRS and the contractor.
In our interviews with the IRS, we inquired as to why PSEP personnel did not timely contact the contracting officer to execute a contract modification. Individuals we interviewed were in positions in which they had a responsibility to inform the contracting officer that significant deviations were being made in the scope of the work being performed by the contractor. For example:
The absence of a timely executed modification left the COTR and the contractor without guidance on how to properly direct the performance of this contract. We believe that the IRS inefficiently spent approximately $1.2 million as a result of IRS management’s actions. The contractor was unable to provide key aspects of the contract’s requirements, including assurance that all significant observations were identified and reported in the subject risk assessments and a validation of the acceptability of the IRS’s security posture.
The COTR did not ensure invoice documentation was obtained in support of payments made to the contractor
Our review of all eight invoices totaling approximately $1.2 million submitted for payment under the contract identified that the COTR did not obtain and/or maintain sufficient documentation to support more than $1 million of the total amount approved for payment. Figure 4 summarizes our review of the supporting invoice documentation maintained by the IRS.
Figure 4: IRS Contractor Invoice Review
|
Invoice item |
Amount Claimed |
Amount Supported |
Amount Not Supported |
Percentage Not Supported |
|
Labor |
$935,463 |
$0 |
$935,463 |
100% |
|
Travel Expenses |
$301,175 |
$190,380 |
$110,795 |
37% |
|
Total |
$1,236,638 |
$190,380 |
$1,046,258 |
85% |
Source: The Treasury Inspector General for Tax Administration’s review of IRS supporting documentation maintained for eight invoices submitted for payment under the contract.
The COTR duties include reviewing contractor vouchers and invoices to ensure they accurately reflect the services delivered in conformance with the requirements of the contract. However, our review found that the COTR relied on program office employees to determine whether the contractor’s billed labor hours for each of the 304 site visits were reasonable based on the requirements of the contract and did not obtain any supporting documentation from the contractor, e.g., approved timesheets, to ensure the accuracy of the labor hours claimed.
In addition, we identified additional deficiencies relating to the administration of this contract, including:
The COTR indicated that it was difficult to monitor the contractor’s performance because the contractor employees could not be observed as they were in a different geographic location, and because the PSEP Physical Security Specialist assigned to each facility decided how much and the kind of assistance they needed at each site. Although the COTR stated that all travel expenses were reviewed prior to recommending payment approval for the invoiced expenses, none of the invoices contained evidence of review, such as the date of the review or the COTR’s signature or initials. Our review found that this occurred because the responsible COTR failed to complete specific responsibilities as detailed in the COTR Letter of Appointment.
Recommendations
The Deputy Commissioner for Operations Support should:
Recommendation 1: Reemphasize to IRS management officials, program office employees, and the COTRs that contracting officers must be promptly notified of any changes to contract requirements so required modifications can be timely executed.
Management’s Response: IRS management agreed with our recommendation and will issue a memorandum to IRS management officials and the COTRs reemphasizing that contracting officers must be promptly notified of any changes to contract requirements so required modifications can be timely executed.
Recommendation 2: Ensure that the COTRs are administering contracts in accordance with relevant FAR provisions, Department of the Treasury regulations, and IRS policies and procedures, and perform their specific responsibilities as detailed in the COTR Letter of Appointment. This includes ensuring that the COTRs advise contracting officers when changes in the work or services occur, review contractor vouchers and invoices to ensure they are accurate, determine whether services are delivered in conformance with the requirements of the contract, and follow the contract’s quality assurance plan.
Management’s Response: IRS management agreed with our recommendation and will issue a memorandum to PSEP COTRs outlining their roles and responsibilities. In addition, this memorandum will contain specific guidance on advising the contracting officer when changes in the work occur, reviewing contractor vouchers and invoices to ensure they are accurate and supported with appropriate documentation, determining whether services are delivered in conformance with the requirements of the contract, and following the contract’s quality assurance plan.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS administered the Physical Security Risk Assessment contract[15] in compliance with applicable Federal, Department of the Treasury, and IRS acquisition regulations and guidance to ensure the IRS received the contract deliverables in accordance with the terms and conditions of the contract. To accomplish our objective, we:
I. Reviewed the FAR[16] provisions, Department of the Treasury regulations, and IRS acquisition guidance to identify contract administration requirements.
A. Reviewed the guidance to identify all requirements, including roles and responsibilities of procurement and program office staff related to the administration of contracts.
B. Interviewed key IRS personnel, including the contracting officer, contract specialist, the COTR, and PSEP program manager, and reviewed the PSEP Risk Assessment contract file to determine the technical requirements and contract administrative duties performed during the administration of the contract.
II. Determined whether key IRS personnel, including the contracting officer, contract specialist, the COTR, and PSEP program manager performed their contract administration duties in accordance with regulations and guidance. This included:
A. Whether contract modifications were properly and timely issued by the contracting officer.
B. Whether the COTR was formally delegated authority and trained before performing COTR responsibilities.
C. Whether the COTR performed the specific duties related to the contract that were outlined and agreed to in the COTR’s Letter of Appointment.
D. Whether the IRS obtained security clearances for the contractor’s employees within required time periods.
E. Obtained and reviewed supporting documents related to the first contract modification to evaluate how the IRS calculated the $800,000 reduction in contract value from $3.3 million to $2.5 million.
III. Determined whether the IRS received the deliverables in accordance with the terms and conditions of the contract.
A. Reviewed the Performance Work Statement from both the original contract and the modification issued on December 30, 2010, to obtain an understanding of the technical requirements of the contract.
B. Interviewed key IRS officials to determine whether the contractor performed any duties different than those outlined in the Performance Work Statement from both the original contract and the modification issued on December 30, 2010.
C. Interviewed key contractor personnel to determine whether the contractor was provided direction to deviate from the performance requirements detailed in the Performance Work Statements from both the original contract and the modification issued on December 30, 2010, and obtained supporting records and documentation to substantiate the information provided during the interviews, when available.
D. Determined whether IRS program office personnel acted within the scope of their authority when providing direction to the contractor by determining whether program office personnel were aware that their actions were not in accordance with their authority and what actions, if any, were taken to address the unauthorized direction to the contractor.
E. Obtained and reviewed all deliverables provided by the contractor to the IRS to determine whether they complied with the contract’s technical requirements as outlined in the Performance Work Statement in both the original contract and the contract modification issued on December 30, 2010.
F. Determined whether the IRS considered any alternative actions to protect the Government’s interests (resources), such as requesting the contractor to complete or re-perform tasks at no additional cost, decreasing task values and related contract costs, withholding payment, or terminating the contract.
G. Determined whether the IRS performed quality assurance[17] to ensure that deliverables and services provided by the contractor conformed to contract requirements.
1. Reviewed the contract’s quality assurance plan, the COTR Letter of Appointment, and IRS acquisition regulations and guidance to identify all requirements, including the roles and responsibilities of the contracting officer and the COTR, related to performing quality assurance per invoices and deliverables.
2. Reviewed all invoices and deliverables related to the contract and verified whether items include evidence of IRS inspection, such as inspection dates, a description of the services rendered for inspection, the outcome of the inspection, and signature of the COTR.
3. Reviewed all invoices and contract files and determined whether the IRS performed a labor-hour check, which is evidenced through documentation such as the date and time the check was performed, the name of the employee, the employee’s labor category, a description of the work being performed, and the employee’s qualifications.
4. Reviewed all invoices and supporting documentation and determined whether labor rates and categories were consistent with the terms and conditions of the contract and whether travel costs billed were supported by documentation consistent with the General Services Administration rates and related to the performance of the contract.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: FAR provisions, Department of the Treasury regulations, and IRS policies and procedures. We evaluated these controls by interviewing IRS management and program office personnel, contracting officers, the COTR, and contractor personnel, and reviewing applicable documentation.
Appendix II
Major Contributors to This Report
Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations)
Russell P. Martin, Acting Assistant Inspector General for Audit (Management Services and Exempt Organizations)
Alicia Mrozowski, Director
Darryl Roth, Audit Manager
Michele Strong, Lead Auditor
Yasmin Ryan, Senior Auditor
Heather Hill, Senior Evaluator
Lauren Bourg, Auditor
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Chief, Agency-Wide Shared Services OS:A
Director, Physical Security and Emergency Preparedness OS:A:PSEP
Director, Procurement OS:A:P
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief, Agency-Wide Shared Services OS:A
Director, Physical Security and Emergency Preparedness OS:A:PSEP
Director, Procurement OS:A:P
Appendix IV
This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.
Type and Value of Outcome Measure:
· Inefficient Use of Resources – Potential; $1,236,638 (see page 9).
Methodology Used to Measure the Reported Benefit:
In June 2010, the IRS awarded a contract to conduct risk assessments at all 669 IRS facilities[18] nationwide. The contract required the contractor to analyze existing security measures and practices in each facility; provide findings and recommendations on any deficiencies noted, including cost estimates for corrective actions; and prepare a report outlining the overall IRS security posture. IRS management and PSEP program office employees directed the contractor to perform services that were lesser in scope than required by the original contract. This direction included that the contractor assist PSEP employees with conducting the risk assessments rather than lead the risk assessments, provide observations to PSEP personnel who prepared the final risk assessment reports, and attend only those facility site visits where PSEP personnel requested support. In addition, the contractor indicated that the PSEP program office did not provide the contractor access to all of the information necessary to complete the report outlining the overall IRS security posture. As a result of its actions, the IRS did not receive contract deliverables in accordance with the contract’s requirements.
IRS management informed us that numerous discussions were held after the contract was awarded regarding a change in the contractor’s role and a reduction in work scope. In addition, the IRS indicated that, while the PSEP security specialists were capable of conducting the risk assessments without contractor support, the IRS wanted the contractor’s involvement to add additional perspective and credibility to its risk assessments. This explanation was in complete contrast to the justification in the contract acquisition plan that indicated the IRS did not have the in-house capacity to perform the risk assessments within the six-month period required for their completion. The absence of a timely executed modification left the COTR and the contractor without guidance on how to properly direct the performance of this contract. We believe that the IRS inefficiently spent $1,236,638 because the contractor was unable to provide key aspects of the contract’s deliverables, including assurance that all significant observations were identified and reported in the subject risk assessment reports, and validation of the acceptability of the IRS’s security posture. We used the total amount spent on this contract, $1,236,638, as the measure of the inefficient use of resources.
Appendix V
Management’s Response to the Draft Report
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
WASHINGTON, D.C. 20224
CHIEF
AGENCY-WIDE
SHARED SERVICES
July 9, 2012
MEMORANDUM FOR MICHAEL E. MCKENNEY
ACTING DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM: David A. Grant /s/ David A. Grant
Chief, Agency-Wide Shared Services
SUBJECT: Draft Audit Report - An Independent Risk Assessment of Facility Physical Security Was Not Performed in Compliance With Contract Requirements (Audit #201110025)
Thank you for giving us the opportunity to respond to the draft report. The audit was conducted to determine whether the Internal Revenue Service (IRS) administered the Physical Security Risk Assessment contract in compliance with applicable Federal, Department of the Treasury, and IRS acquisition regulations and guidance to ensure the IRS received the contract deliverables in accordance with the terms and conditions of the contract.
After reviewing the draft report, we concur with the recommendations and will develop corrective actions as listed. Please see our response to the two recommendations attached.
We appreciate the continued support and assistance provided by your office. If you have any questions, please contact me at (202) 622-7500. If there are any technical questions, a member of your staff may contact Norris Walker, Director, Physical Security and Emergency Preparedness, at (202) 622-0831. For matters concerning audit procedural follow-up, please contact Larry Pugh, Office of Strategy and Finance, Agency-Wide Shared Services, at (202) 622-4541.
Attachment
RECOMMENDATION #1: Reemphasize to IRS management officials, program office employees, and COTRs that contracting officers must be promptly notified of any changes to contract requirements so required modification can be timely executed.
CORRECTIVE ACTION: We agree with this recommendation. Physical Security and Emergency Preparedness (PSEP) will engage with Procurement for the development and issuance of a memorandum to IRS management officials and contracting officer representatives (CORs) reemphasizing that contracting officers must be promptly notified of any changes to contract requirements so required modifications can be timely executed.
IMPLEMENTATION DATE: August 1, 2012
RESPONSIBLE OFFICIAL: Director, Physical Security and Emergency Preparedness, Agency-Wide Shared Services
CORRECTIVE ACTION MONITORING PLAN: PSEP will enter the corrective action in the Joint Audit Management Enterprise System (JAMES). The corrective action will be monitored on a monthly basis until completion.
RECOMMENDATION #2: Ensure that COTRs are administering contracts in accordance with relevant FAR provisions, Department of the Treasury regulations, and IRS policies and procedures, and perform their specific responsibilities as detailed in the COTR Letter of Appointment. This includes ensuring that the COTRs advise contracting officers when changes in the work or services occur, review contractor vouchers and invoices to ensure they are accurate, determine whether services are delivered in conformance with the requirements of the contract, and follow the contract's quality assurance plan.
CORRECTIVE ACTION: We agree with this recommendation. PSEP will engage with Procurement and issue a memorandum to PSEP CORs, outlining their roles and responsibilities. In addition, this memorandum will contain specific guidance on advising the contracting officer when changes in the work occur, reviewing contractor vouchers and invoices to ensure they are accurate and supported with appropriate documentation, determining whether services are delivered in conformance with the requirements of the contract, and following the contract's quality assurance plan.
IMPLEMENTATION DATE: November 30, 2012
RESPONSIBLE OFFICIAL: Director, Physical Security and Emergency Preparedness, Agency-Wide Shared Services
CORRECTIVE ACTION MONITORING PLAN: PSEP will enter the corrective action in the Joint Audit Management Enterprise System (JAMES). The corrective action will be monitored on a monthly basis until completion.
[1] TIRNO-10-C-00041.
[2] 60 C.F.R. 54411 (1995).
[3] Counter measures include, but are not limited to, security guards, surveillance cameras, and locked entryways.
[4] The Interagency Security Committee established policies for security in and protection of Federal facilities. The Interagency Security Committee issued interim standards, Physical Security Criteria for Federal Facilities - An Interagency Security Committee Standard, dated April 12, 2010, that established a baseline set of physical security measures to be applied to all Federal facilities based on their designated facility security level.
[5] Physical Security Emergency Preparedness Risk Assessment contract (TIRNO-10-C-00041).
[6] While the IRS has more than 700 facilities, the IRS indicated that facilities were excluded from the risk assessment review based on whether the facility was under realignment or underwent major changes before March 11, 2010. The contract further noted that the total number and actual site locations were subject to change due to planned closures and new facility openings. Of the 669 sites initially identified in the contract, the IRS indicated that 631 risk assessments were performed.
[7] Of the 669 sites initially identified in the contract, the IRS indicated that 631 risk assessments were performed.
[8] The Performance Work Statement modified on December 30, 2010, stated that the contractor was to submit a draft and final report; however, the original contract Performance Work Statement did not indicate the specific information to be included in these reports. The contractor’s draft and final reports included: an evaluation of the PSEP overall risk assessment process and recommendations for process improvements, recommendations on future use of contractor support for the risk assessment process, and lessons learned during the contract’s performance period.
[9] 48 C.F.R. ch. 1 (2009).
[10] Physical Security and Emergency Preparedness Risk Assessment Process (Audit # 201210007).
[11] A Letter of Appointment is issued by the contracting officer detailing the roles and responsibilities of the COTR in regard to the contract.
[12] The amount of the original contract was $3.3 million.
[13] Under FAR provisions, contracting officers must be appointed in writing on Standard Form 1402, Certificate of Appointment. This Certificate of Appointment is commonly referred to as a “warrant.”
[14] Quality assurance is the action taken by the Government to assure that the contractor has delivered supplies or rendered services that conform to contract requirements. Quality assurance is conducted after supplies are received or services rendered and before acceptance is certified in the IRS’s Web Requisition Tracking System.
[15] TIRNO-10-C-00041.
[16] 48 C.F.R., Ch. 1, (2009).
[17] Quality assurance is the action taken by the Government to assure that the contractor has delivered supplies or rendered services that conform to contract requirements. Quality assurance is conducted after supplies are received or services rendered and before acceptance is certified in the IRS’s Web Requisition Tracking System.
[18] While the IRS has more than 700 facilities, the IRS indicated that facilities were excluded from the review based on whether the facility was under realignment or underwent major changes before March 11, 2010. The contract further noted that the total number and actual site locations were subject to change due to planned closures and new facility openings. Of the 669 sites initially identified in the contract, the IRS indicated that 631 risk assessments were ultimately performed.