Internal Audit Report. Contract Administration TxDOT Office of Internal Audit

Transcription

1 Internal Audit Report Contract Administration TxDOT Office of Internal Audit

2 Objective Determine whether contract management and governance at TxDOT is designed and operating effectively in regards to: vendor selection, proper approval, and oversight/monitoring of vendor performance or deliverables. Opinion Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to impacting reporting reliability, operational execution, and compliance. The organization's system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Significant improvements are required to correct control gaps and mitigate residual risk that may result in potentially significant negative impacts to the organization including the achievement of the organization's business/control objectives. Overall Engagement Assessment Needs Improvement Findings Title Control Design Operating Effectiveness Rating Finding 1 Control Environment and Contract Governance x x Needs Improvement Management concurs with the above finding and prepared management action plans to address deficiencies. Control Environment TxDOT s contracting infrastructure includes agency-wide activities among multiple districts, divisions, and offices (DDOs) with varying processes and roles and responsibilities. Contracts for this audit were observed from four primary systems used for contract management: Financial Information Management System (FIMS, now PeopleSoft as of October 2014), Electronic Data Management System (EDMS), Professional Services Contract Administration and Management System (PSCAMS), and SiteManager*. TxDOT has no single office of primary responsibility presiding over the oversight and monitoring for contract governance. Contracting activities and processes vary by DDO. Knowledge of roles and responsibilities required of each DDO are not well understood and communicated within the agency, particularly, when the contract manager changes or the contract responsibility passes from one DDO to another. In testing information/data/records from all the contract management systems noted as of March 2015, records were not always current, some data could not be easily retrieved, or the office with primary responsibility could not be accurately identified. In testing the control design of the contracting process, we noted the processes included adequate segregation of duties in contract formation. *SiteManager is a registered trademark of the American Association of State Highway Transportation Officials (AASHTO) December

3 TxDOT utilizes multiple guides, standard operating procedures, and policy and procedure manuals to provide guidance to employees on contract management and administration processes. At times during our audit work, guides and manuals covering the contracting process were noted to be outdated, contradictory, or were uncirculated or not published on the TxDOT intranet site for use and understanding by all those responsible for carrying out contracting duties. Summary Results Finding Scope Area Evidence The department had four primary contract management databases which did not ensure accuracy and completeness of contract data or information/records. 1 Vendor Selection and Contract Management Contract Administration 23 of 36 (64%) contracts tested, had one or more of the following structural, reporting, and monitoring issues noted: Contract documents were missing required provisions and miscellaneous information as follows: Provisions: o Conflict of Interest o Right to Audit o Buy Texas o Requirement for Performance and/or Payment Bonds o Dispute Resolution Miscellaneous information: o payment schedules, execution and performance dates, contract numbers, and reference to statutory authority to perform duties within the contract o request for proposal, signed contract extension, and cost benefit analysis, as needed Contracts which were required to be reported to Legislative Budget Board (LBB) were not included in the repository and/or were reported incorrectly In examining contract administration procedures: o Payments were made on contracts without ensuring vendor compliance with contract terms such as insurance monitoring, bond requirements, and billing 4 of 14 (29%) Purchase Order (PO) files tested did not have evidence of vendor debarment review prior to procurement. One of the four POs utilized a federally debarred vendor. Audit Scope The audit was performed by Albert Bourque, Jessica Esqueda, Milan Hawkins, Bill Urbina, Eva Vargas, and Karen Henry (Engagement Lead). The audit was conducted during the period from March 9, 2015 to August 20, December

4 Testing included analysis of contract data from the various contract management systems (excluding PeopleSoft) for active contracts as of March 2015 and purchase orders (PO) issued in Fiscal Years Based on results of analysis, 36 contracts and 20 purchase orders covering 11 districts and 15 divisions and offices were selected for further testing. Audit test work did not include the review of grants or any changes because of Senate Bill (SB) 20, passed in the 84th Texas Legislature, due to the audit start date. Contract management is defined as the four core processes of planning, procurement, contract formation (e.g. procurement process, type, contract language, and provisions), and contract administration. Contract administration further adds monitoring performance and payment approval. Contracting processes tested included vendor selection, contract formation, vendor performance monitoring, and payment approval. PO procurement processes tested included vendor selection and contract formation. Table 1: The contracts selected for testing were as follows: Contract Type DDO Owner(s) Number Tested Contract Amount Aviation (AVN) AVN Division 4 $ 16,556,108 Bridge (BRG) BRG Division 2 9,500,000 Construction Engineering and Inspection (CEI) Waco District (1) Dallas District (1) 2 22,818,153 Construction (CST) CST Division** 2 67,797,725 Houston District (1) Pharr District (1) Donation Agreements Atlanta District (1) 4 16,849,000 Corpus Christi District (1) San Antonio District (1) Tyler District (1) Highway Improvement El Paso District 1 3,000,000 Interagency Travel Division (1) Research and Technology Implementation Office (1) Dallas District (1) Waco District (1) Interlocal Dallas District (1) Fort Worth District (1) Houston District (1) Maintenance (MNT) MNT Division** Bryan District (1) Houston District (2) Waco District (1) 4 40,998, ,388, ,814,840 December

5 Private Consulting Administration (1) 2 5,547,183 Innovative Financing/Debt Management Office (1) Professional Services Finance Division (3) 5 38,726,593 Office of General Counsel (2) Right of Way (ROW) ROW Division 2 1,402,450 Appraisal Traffic (TRF) Engineering TRF Division 1 3,050,000 Total 36 $ 485,449,515 **contract administration process ownership resides with the respective districts indicated In addition, 20 POs totaling $55,139,641 were selected for testing. Three of the above contracts were referred to the Office of Compliance for further evaluation related to statutory authority reference and to assess compliance. Methodology The methodology used to complete the objectives of this audit included judgmentally selecting a sample of contracts and purchase orders by type and dollar amount to test key processes like vendor selection, contract formation, vendor management, and contract oversight. The judgmental sample of 36 contracts and 20 purchase orders was selected to provide a broad perspective of contracting processes across the many types of contracting activities in the agency. The engagement work included: Reviewed TxDOT internal documents, including policy and procedure manuals, executive memorandums, organization charts, process maps, and management reports Reviewed state codes and manuals, including State of Texas Procurement manual, Texas Government Code, and Texas Administrative Code sections for purchase and contract rules Reviewed various State and Federal Statutes and Guides, TxDOT Policies and Procedures Manuals, Standard Operating Procedures, and checklists and templates utilized in the performance of various contracting processes Reviewed prior audit reports from TxDOT s Office of Internal Audit and Texas State Auditor s Office Viewed State and Federal websites to identify vendor debarment or violation information as reported by the Texas Comptroller of Public Accounts, Texas Secretary of State, U.S. Government System for Award Management, and Occupational Safety and Health Administration Interviewed personnel in multiple DDOs, including but not limited to, Construction Division, Maintenance Division, Finance Division, Right of Way Division, Procurement Division, and Contract Services Office management and staff. Management/staff December

6 were also interviewed from each of the respective DDOs mentioned in Table 1. Personnel from the Legislative Budget Board were also interviewed. Reviewed TxDOT Commission Minute Orders related to approval of contracts and purchase orders meeting certain criteria in order to verify commission approval Identified various contracting process control design and operating effectiveness through a Responsibility Assignment Matrix (RACI Model) evaluation Tested and analyzed contract data from the four contract management and purchase order database repositories as noted in the Control Environment section Reviewed contract provisions within the sampled contracts to determine compliance with laws and completeness of the contracts Reviewed contract related documentation, procedures, and processes among various stages of the agency s contract landscape and lifecycle Reviewed files and other supporting documents for evidence of vendor performance management and oversight, and invoice and payment approval Reviewed project planning documents, solicitation, bidding, and procurement processes Reviewed internal communication and management s overall organizational tone related to policies, procedures, and directives for contracting functions for agency staff and among DDOs These procedures were applied as necessary to perform the audit fieldwork. Background This report is prepared for the Texas Transportation Commission and for the Administration and Management of TxDOT. The report presents the results of the Contract Administration audit which was conducted as part of the Fiscal Year 2015 Audit Plan. TxDOT is required to procure and manage contracts in accordance with various federal and state laws and regulations. State law requires contracting activities to be tied to a specific statute that authorizes its procurement and establishes the process of provider selection. Under the delegation of authority granted by the State of Texas, TxDOT designated the Contract Services Office (CSO) to set the contracting policy for the agency and the Procurement Division (PRO) to oversee purchase order procurement activities. The Professional Engineering and Procurement Services (PEPS) Division oversees professional engineering service procurements. Districts, divisions, and offices (DDO) are generally responsible for contract administration, vendor oversight/monitoring, and project closeout activities. The contracting life cycle involves various processes and coordinated efforts among DDOs. The agency enters into many types of contracts and agreements. Approximately 16,500 active contracts, totaling approximately $56 Billion have been identified as of March The annual volume for purchasing in Fiscal Year 2014 included over 43,000 purchase orders totaling over $689 Million. Construction and Maintenance makes up the majority with approximately 64 percent ($36 Billion of $56 Billion) of active contracts as of March Vendor selection for contract procurement is based on four contract classifications: competitive bid, qualifications, best value, and non-discretionary, depending on the type of contract to be procured. December

7 TxDOT uses four primary contract repository systems for contract management. In addition, purchase orders to procure goods and services prior to October 2014 (PeopleSoft transition date) were generated through the Automated Purchasing System (APS). We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. The Office of Internal Audit uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version A defined set of control objectives was utilized to focus on reporting, operating, and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance, particularly in areas not included in the scope of this audit. December

8 Detailed Findings and Management Action Plans (MAP) Finding No. 1: Control Environment and Contract Governance Condition The control environment and contract governance supporting agency contracts did not ensure the reporting and operational effectiveness of the contracting process. Effect/Potential Impact Insufficient oversight in management of contracts could result in inadequate information being used for decision-making. The utilization of multiple systems for contract management can also lead to conflicting information on contracts resulting in misreporting and contract mismanagement. Additional impacts of the failure to track and provide proper contract governance include noncompliance with provisions as outlined below, overspending and mismanagement on contracts, and the potential for fraud. Criteria The following criteria address specific contract administration, management, and oversight activities that are to be followed for TxDOT contracting and purchase orders: Texas Government Code, which governs non-highway contracting and purchases of service Texas Transportation Code which governs award and management of highway contracts 43 Texas Administrative Code, , describes required conduct, including conflict of interest, by entities doing business with TxDOT Texas Government Code, , requires each state agency to provide major contract information to the Legislative Budget Board for purposes of information disclosure State of Texas Contract Management Guide and Record Retention Schedule TxDOT Contract Management Manual TxDOT Division Policy Manuals for o Purchasing o Procurement o Negotiated Contracts Cause Disparity of contract types used within District/Division/Office (DDO) has led to complexity in the contracting landscape and contract governance structure. TxDOT has not assigned full responsibility for contract inventory management to any one DDO. Contract inventory management has been delegated to the owners of the four primary management systems that are used across the agency. TxDOT has multiple guides, standard operating procedures, and policy and procedure manuals for generalized expectations. However, many of these guides and manuals did not define roles and responsibilities of each DDO and were outdated, uncirculated, or not published on the TxDOT intranet for reference purposes. December

9 Evidence In reviewing 36 contracts and 20 purchase orders for effective/efficient design and operating effectiveness for structural, reporting, and monitoring activities, the following were noted: Contract Management/Governance: TxDOT had four primary contract management systems: Financial Information Management System (FIMS, now PeopleSoft), Electronic Data Management System (EDMS), Professional Services Contract Administration Management System (PSCAMS), and SiteManager Data in the contract management systems noted above did not always agree to the actual contract documents (e.g. dates, contract amounts, etc.) being retained Contract documents were noted to be missing required provisions and miscellaneous information as follows: Provisions: o Conflict of Interest o Right to Audit o Buy Texas o Requirement for Performance and/or Payment Bonds o Dispute Resolution Miscellaneous information o payment schedules, execution and completion dates, contract numbers, statutory authority reference o Contract documentation, such as request for proposal, signed contract extension, cost benefit analysis, etc., were not always available for review Contracts required to be reported to Legislative Budget Board (LBB) were not included in the repository or were reported incorrectly Contract Administration: o Payments were made to vendors without ensuring vendor compliance with contract terms such as insurance monitoring, bond requirements, and billing Purchase Order (PO) Management: 4 of 14 (29%) Purchase Order (PO) files tested did not have evidence of vendor debarment review prior to procurement. One of the four POs utilized a federally debarred vendor. Management Action Plan (MAP): MAP Owners: Kenneth Stewart, Director, Contract Services Office Maureen Wakeland, Director, Enterprise Systems Office Janice Mullinex, Chief of Strategic Implementation MAP 1.1: The department is implementing the Enterprise Information Management Project, an agency-wide effort to examine how agency information is used and stored in order to improve the accuracy and efficiency of the department s contracting and other functions. An integral part of this effort is creating a Data Lake, an agency wide data warehouse that will December

10 allow the department to operate more efficiently by centralizing data in a single location, from which various applications will draw data. Completion Date: August 15, 2017 MAP Owners: Kenneth Stewart, Director, Contract Services Office Maureen Wakeland, Director, Enterprise Systems Office Janice Mullinex, Chief of Strategic Implementation MAP 1.2: The Modernize Portfolio Project Management project (MPPM) includes project management and contract management components. These systems will add agency wide capabilities and will replace the FILENET based PSCAMS system. In addition, the department is expanding the use of E-GRANTS, a grant management program currently used by Traffic Safety, and it will be rolled out for use by Aviation and Public Transportation. In response to legislation passed in 2015, the department is also creating an online library of agency contracts. As required by SB 20, all agency contracts will be posted on the internet. The department has chosen to exceed the minimum requirements of the law and is posting its agreements in a searchable format, by contract type, execution date, operating division and counter party. Currently, contracts are being added manually, but an IT developed solution will be rolled out to add these agreements automatically. Completion Date: August 15, 2017 MAP Owner: Kenneth Stewart, Director, Contract Services Office MAP 1.3: Concerning specific recommendations addressed to Contract Services, the office is in the process of revising and publishing its Policy and Procedures Manuals to comply with recent legislative changes. Specifically, CSO is publishing revised versions of its Policy Manual and Procedures Manual within 45 days. The revised Policy Manual will specifically address: the Selection File, File of Record, Documentation File, and Record Retention and Open Records Requests obligations applicability of the Texas Comptroller s Contract Management Guide Additionally, CSO will review each of the contract types addressed by the audit to confirm that the identified provisions are required and are not covered by an exemption, and that the relevant templates are updated. Completion Date: March 15, 2016 December

11 MAP Owner: Glenn Hagler, Statewide Procurement Director MAP 1.4: The Procurement Division (PRO) will provide ongoing training for PRO purchasers to reinforce the requirement for completing vendor background checks prior to award of each procurement, and include training on retaining the appropriate documentation in the purchase order file. The training will be included as a recurring presentation in the professional development training calendar. The purchase order file assembly checklist will also be updated to include the requirement. PRO will provide ongoing training for PRO purchasers to reinforce the requirement for completing federal debarred vendor checks prior to award of each procurement, and include training on retaining the appropriate documentation in the purchase order file. The training will be included as a recurring presentation in the professional development training calendar. The purchase order file assembly checklist will also be updated to include the requirement. PRO will perform periodic quality control reviews based on a statistical sampling of department purchase orders at least quarterly to ensure all required documents, including vendor background checks, are retained in the purchase order file by adding this responsibility to the purchasing lead s duties. A recap of the findings will be posted on the PRO SharePoint site. Completion Date: March 15, 2016 December

12 Summary Results Based on Enterprise Risk Management Framework ERM Component Organizational Tone Planning Forecasting Goal-Setting Cost-Benefit Analysis Business Continuity Risk Assessment Evaluations/Analysis Management Action Plans Control Activities Policies/Procedure Development & Maintenance Approvals/Authorizations Control Activities Supporting Evidence/Records Availability Segregation of Duties Safeguarding Assets Information Classification Information Input Information Processing Output/Reporting and Messaging Exception Reporting Review Reconciliations/Root-Cause Analysis Peer Reviews Management Representations Scope Area Assessment Audit Results Dashboard Contract Administration Scope Areas Evaluated Business Objectives (Reporting, Operational, Compliance) R, O, C R, O, C Control Environment Information & Communication Monitoring Vendor Selection and Contract Management Contract Administration Rating Assessment Grid Exemplary Satisfactory Needs Improvement Unsatisfactory Closing Comments The results of this audit were discussed with Contract Services Office and Procurement Division on December 9, We appreciate the assistance and cooperation received from all the Districts, Divisions and Offices contacted during this audit. December