Contract Oversight Management

Report Information

Publish Date
Report sub-type: Evaluation Report
Report Number: EVAL-20-001
Questioned Costs: $0
Funds for Better Use: $0

Unimplemented Recommendations

Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.

Text Alternative

This is the accessible text file for FDIC OIG report number Aud-20-001 entitled 'Contract Oversight Management'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

[FDIC OIG logo]

Contract Oversight Management

October 2019

EVAL-20-001

Evaluation Report

Program Audits and Evaluations

Executive Summary

Contract Oversight Management

The Federal Deposit Insurance Corporation (FDIC) relies heavily on contractors for support of its mission, especially for information technology (IT), receivership, and administrative support services. It procures goods and services to augment its internal resources and help the Agency achieve its mission of insuring deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex institutions resolvable, and managing receiverships. The FDIC relies upon the Division of Administration (DOA) to lead the procurement effort.

Over a 5-year period from 2013 to 2017, DOA awarded 5,144 contracts valued at $3.2 billion. The average annual awarded amount by the FDIC for contractor services over these 5 years was approximately $640 million.

As of fourth quarter 2017, DOA, the Division of Information Technology (DIT), and Division of Resolutions and Receiverships (DRR) accounted for approximately 95 percent of all contract awards through DOA’s Acquisition Services Branch (ASB). Our analysis indicates that while there was a 38-percent decrease in the total number of contracts from 2016 to 2017, there was a 65-percent increase in the average dollar amount per contract awarded by the FDIC over the same period of time. According to ASB, from January 1, 2016 to December 31, 2017, DRR and DIT oversaw 541 awarded contracts valued at $1 million or more each, and many of these contracts were for information technology-related and administrative services that range in value from $1 million to $66 million.

The ASB works with Oversight Managers (OM) from FDIC program Divisions and Offices to provide oversight of FDIC procurements, including for facility, security, technology, and resolution and receivership services.

Our evaluation objective was to assess the FDIC’s contract oversight management, including its oversight and monitoring of contracts using its contracting management information system, the capacity of OMs to oversee assigned contracts, OM training and certifications, and security risks posed by contractors and their personnel.

Results

The FDIC must strengthen its contract oversight management. For four sampled contracts, we found that the FDIC received goods and services as specified in the contracts and complied with its security requirements for contractors and their personnel. However, we found that the FDIC needs to improve its contracting management information system, contract documentation, workload capacity of OMs for one Division, and the training and certification of certain OMs. Specifically, we found that:

• The FDIC’s contracting management information system had limited data and reporting capabilities for agency-wide oversight of its contract portfolio;

• The FDIC’s contract files were missing certain required documentation;

• Personally Identifiable Information (PII) was improperly stored in the FDIC’s electronic contract file (CEFile);

• Some OMs within the DIT lacked the workload capacity to oversee contracts; and

• Certain OMs were not properly trained or certified.

We found that the FDIC was overseeing contracts on a contract-by-contract basis rather than on a portfolio basis and did not have an effective contracting management information system to readily gather, analyze, and report portfolio-wide contract information across the Agency. The FDIC’s contracting system did not maintain certain key data in a manner necessary to conduct historical trend analyses, plan for future acquisition decisions, and assess risk in the FDIC’s awarded contract portfolio.

We also found that OM contract files were often incomplete and OMs were unable to produce the missing contract documentation based on our sample results. This included critical documents such as inspection and acceptance documentation. Without this documentation, the FDIC could incur additional costs to recover or replace lost documentation and could have difficulty enforcing the contract in the event of contractor noncompliance with contract terms.

Further, we found that an OM had improperly uploaded contractor deliverable documentation containing PII to CEFile for one of our sampled contracts covering property management services for failed bank properties. FDIC instructions require the documentation of contract deliverables in CEFile, and these deliverables may contain PII. However, FDIC policy prohibits employees from uploading PII into CEFile. Therefore, there is a contradiction between the FDIC policy and its instructions to OMs. As a result, there is a risk that either: (1) the CEFile will be incomplete and lack key documentation that contains PII, or (2) the Agency will be unaware of key documentation that contains PII in CEFile and therefore unable to properly protect the PII.

In addition, given the volume of information in CEFile and the number of employees with access to CEFile, there is a risk that the PII in CEFile could be compromised. Because CEFile was not identified as a system to retain PII, the FDIC is not monitoring CEFile for PII. Therefore, there is a risk that the PII in CEFile could be improperly accessed, printed, and removed.

During the course of our evaluation, we found that the workload for OMs in DIT expanded significantly due to an increase in contracts and decrease in the OM workforce. DIT’s OM workload was 67-percent higher than another FDIC Division with a similar-sized contract portfolio. DIT acknowledged that its insufficient OM capacity put it at risk for not effectively overseeing contracts. Further, previous OIG work found:

• A DIT OM did not conduct proper oversight of a contractor, which resulted in unallowable charges; and

• A DIT OM resource shortage required some work to be tabled until more resources were on-boarded.

Finally, the FDIC did not have proper internal controls for verifying OM training and certification requirements. We found that 14 OMs did not have the necessary training or certification requirements prescribed by policy. OM training helps to ensure that OMs have the necessary knowledge and skills to successfully manage FDIC contracts.

Our report made 12 recommendations to the Deputy to the Chairman and Chief Operating Officer to improve the FDIC’s contract oversight management. Management concurred with 10 recommendations and planned to complete all corrective actions by March 31, 2021. Management partially concurred with two recommendations, and we will seek resolution during the evaluation follow-up process.

[End of Executive Summary]

[Contents]

BACKGROUND

EVALUATION RESULTS

The FDIC’s Contracting Management Information System Had Limited Data and Reporting Capabilities

The FDIC Did Not Gather and Analyze Certain Key Contract Data

The FDIC’s Contracting System Had Limited Reporting Capabilities

The FDIC’s Contract Files Were Missing Certain Required Documentation

Personally Identifiable Information Was Improperly Stored in CEFile

Some Oversight Managers in DIT Lacked the Workload Capacity to Oversee Contracts

Certain Oversight Managers Were Not Properly Trained or Certified

Sampled Contracts Complied with Security Requirements

The FDIC Received Goods and Services for Sampled Contracts

FDIC COMMENTS AND OIG EVALUATION

Appendices

1. Objective, Scope, and Methodology

2. Acronyms and Abbreviations

3. FDIC Comments

4. Summary of the FDIC’s Corrective Actions

Figures

1. FDIC Contract Awards and Amounts by Year (2013-2017)

2. Awarded Contract Dollars by Division During Calendar Year 2017

3. FDIC Contract Portfolio Pricing Arrangements

Tables

1. Missing Contract Documentation

2. OM Capacity Information for Highest Volume Divisions as of December 31, 2017

3. OIG Sampled Contracts

[End of Contents]

[FDIC OIG Letterhead, FDIC Logo, Federal Deposit Insurance Corporation, Office of Inspector General, Office of Program Audits and Evaluations]

October 28, 2019

Subject: Contract Oversight Management

The Federal Deposit Insurance Corporation (FDIC) relies heavily on contractors for support of its mission, especially for information technology (IT), receivership, and administrative support services. It procures goods and services to augment its internal resources and help the Agency achieve its mission of insuring deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex institutions resolvable, and managing receiverships.

Over a 5-year period from 2013 to 2017, the Division of Administration (DOA) awarded 5,144 contracts valued at $3.2 billion. The average annual awarded amount by the FDIC for contractor services over these 5 years was approximately $640 million.

Figure 1: FDIC Contract Awards and Amounts by Year (2013-2017)

(bar graph)

Bar 1; Year: 2013; Total Contracts Awarded: $572,800,000;

Bar 2; Year: 2014; Total Contracts Awarded: $686,800,000;

Bar 3; Year: 2015; Total Contracts Awarded: $858,400,000;

Bar 4; Year: 2016; Total Contracts Awarded: $508,800,000;

Bar 5; Year: 2017; Total Contracts Awarded: $523,700,000;

Source: FDIC Annual Reports 2013 – 2017 and information provided by ASB personnel.

[End of figure 1]

As of fourth quarter 2017, DOA, the Division of Information Technology (DIT), and the Division of Resolutions and Receiverships (DRR) accounted for approximately 95 percent of all contract awards through DOA’s Acquisition Services Branch (ASB). While the number of awarded contracts declined by 38 percent from 2016 to 2017, the average dollar amount per contract awarded by the FDIC from 2016 to 2017 increased by 65 percent. According to ASB, from January 1, 2016 to December 31, 2017, DRR and DIT oversaw 541 awarded contracts valued at $1 million or more each. Many of these contracts were for information technology-related and administrative services that range in value from $1 million to $66 million.

The FDIC relies upon the ASB, DOA, to lead the procurement effort. The ASB works with Oversight Managers (OM) from FDIC program Divisions and Offices to provide oversight of FDIC procurements for such areas as facility, security, technology, and resolution and receivership services. OMs are responsible for ensuring contractors deliver required goods or perform work according to the contracts and delivery schedules. OMs also monitor the expenditure of funds in relation to contract dollar ceilings and approve invoices. For complex contracts, the OM may nominate one or more Technical Monitors (TMs) to assist the OM in carrying out contract oversight responsibilities.

The FDIC assigned approximately 287 OMs to oversee the 5,144 awarded contracts from 2013 to 2017. On December 31, 2017, there were approximately 133 OMs overseeing the FDIC’s existing contracts. These OMs, on average, supervised approximately 12 contracts.

Our objective was to assess the FDIC’s contract oversight management, including its oversight and monitoring of contracts using its contracting management information system, the capacity of OMs to oversee assigned contracts, OM training and certifications, and security risks posed by contractors and their personnel.

To answer our objective, we reviewed the FDIC’s contract oversight policies and procedures, assessed the FDIC’s contract information management system using the Knowledge and Information Management cornerstone of the Government Accountability Office’s (GAO) Framework for Assessing the Acquisition Function at Federal Agencies (GAO Framework), interviewed FDIC officials and OMs in nine Divisions and Offices, and analyzed data from the FDIC’s contracting systems. We also tested four judgmentally selected FDIC contracts for the following contract oversight activities:

• Planning and communication;

• Contract monitoring, including enforcing the contract timeline and expenditure ceiling, inspection, acceptance, security risks, and performance; and

• OM workload, training, and certification.

We conducted this evaluation from November 2017 through December 2018 at the FDIC’s Virginia Square facilities, Arlington, VA, in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. Appendix 1 of this report contains our objective, scope, and methodology; Appendix 2 contains a list of acronyms and abbreviations; and Appendices 3 and 4 contain the FDIC’s comments and a summary of the FDIC’s corrective actions, respectively.

BACKGROUND

FDIC Contracting Authority

The Federal Deposit Insurance Act provides the FDIC with authority to enter into contracts with the private sector and to establish acquisition policies and procedures.1 The Deputy Director, ASB, within the FDIC’s DOA is responsible for carrying out acquisition activities on behalf of the FDIC.2

Footnote 1: 12 U.S.C. § 1819(a). [End of footnote]

Footnote 2: FDIC Circular 3700.16, FDIC Acquisition Policy Manual (APM), as amended (May 11, 2017) (APM Chapter 1.2 Authority; Section 1.206, "Contracting Authority"). [End of footnote]

FDIC Acquisition Process

The acquisition process is divided into three phases: (1) Contract Pre-award, (2) Contract Post-award (contract management and oversight), and (3) Contract Close-out. Our evaluation focused on the second phase—the FDIC’s Contract Post-award activities.

Contract Management and Oversight Roles and Responsibilities

The ASB is responsible for overseeing all aspects of the contract management and oversight process, including:

• Developing and implementing contract oversight management policies and procedures for use by all FDIC Divisions and Offices (including documentation requirements);

• Coordinating contracting activities with the Divisions and Offices;

• Assigning contracting officers (CO) to contracts and delegating OM appointments;

• Managing the contracting record retention requirements for the FDIC;

• Administering the OM training and certification requirements;

• Providing contract information to the Divisions and Offices to assist with monitoring contracting activities; and

• Reporting contract information to the FDIC’s Board of Directors.

Contract Oversight Management

To initiate a contract, an FDIC Division or Office submits a request to the ASB, and the ASB assigns the request to an ASB CO, who has contracting authority.3 The CO coordinates the contracting activities and appoints an OM who works within the Division or Office based on the Division’s nomination. The OM monitors the technical performance requirements of the contract and ensures the contractor delivers the required goods or performs the work according to the delivery schedule and the terms of the contract. OMs are also responsible for monitoring contract expenditures in relation to the work completed and the contract expenditure ceiling; communicating with the CO, Division or Office, and contractor; and obtaining and maintaining required OM training certifications.

Footnote 3: APM (Section 1.209, "Contracting Officer Authority"). Contracts may be entered into and signed on behalf of the FDIC only by duly appointed COs. COs operate under the authority of Certificates of Appointment issued by the ASB Deputy Director. The certificate establishes the scope and limits of the CO’s authority. [End of footnote]

For complex contracts, the OM may nominate one or more TMs to assist with contract oversight responsibilities, including the following:

• Providing technical guidance and monitoring of contractor activities as assigned by the OM;

• Conducting site visits and evaluating changes in technical performance affecting personnel, schedules, deliverables, and cost;

• Reviewing contractor deliverables and invoices; and

• Conducting other administrative needs, such as preparing communication documents, evaluating contractor status reports, and adhering to FDIC information technology requirements.

FDIC Acquisition Policies

The Acquisition Policy Manual (APM) is the FDIC’s policy for acquisitions, contract management and oversight, contract file management, contract reporting, and contract modification. The Acquisition Procedures, Guidance and Information (PGI) supplements the APM and provides the specific procedures for implementation. In May 2017, the ASB updated the APM governing the FDIC acquisition process and in February 2019, the ASB updated its PGI implementing the APM.4

Footnote 4: APM (May 2017); PGI (February 2019). [End of footnote]

Framework for Assessing the Acquisition Function at Federal Agencies

In 2005, the GAO recognized that Federal agencies were spending billions of dollars on contractors but that systemic weaknesses in the acquisition internal control environment persisted. To help Federal agencies manage their acquisition process and avoid the unnecessary loss of time, money, and goods, the GAO issued the Framework for Assessing the Acquisition Function at Federal Agencies (GAO Framework).5 The GAO Framework consists of four cornerstones that are essential to an efficient, effective, and accountable acquisition process: Organizational Alignment and Leadership; Policies and Processes; Human Capital; and Knowledge and Information Management.

Footnote 5: GAO Report, Framework for Assessing the Acquisition Function at Federal Agencies (GAO-05-218G) (September 2005) (GAO Framework). [End of footnote]

Our evaluation focused on the Knowledge and Information Management cornerstone of the GAO Framework to assess the FDIC’s oversight and monitoring of contracts using its contracting information system. According to the GAO Framework, “knowledge and information management refers to a variety of technologies and tools that help managers and staff make well-informed acquisition decisions.” The goal is to ensure that credible, reliable, and timely data is provided to key decision-makers, so that executives can make informed acquisition decisions.

The GAO Framework states that:

Such decisions have a direct impact on many levels—program and acquisition personnel who decide which goods and services to buy; project managers who receive the goods and services from contractors; commodity managers who maintain supplier relationships; contract administrators who oversee compliance with the contracts; and the finance department, which pays for the goods and services. They all need meaningful data to perform their respective roles and responsibilities.

The GAO Framework is based on the Standards for Internal Control in the Federal Government, which states that Federal management officials are responsible for establishing and maintaining effective internal controls.6 These Standards for Internal Control are intended to be the “first line of defense” in safeguarding assets and preventing fraud, and they support the framework’s four interrelated cornerstones. The GAO identified five standards of internal control:

Footnote 6: GAO Standards for Internal Control in the Federal Government (Green Book) (GAO-14-704G) (September 10, 2014). [End of footnote]

(1) Control Environment—The oversight body7 and management establish and maintain an environment throughout the agency that sets a positive attitude toward internal control;

(2) Risk Assessment—Management assesses both internal and external challenges facing the agency as it seeks to achieve its objectives;

(3) Control Activities—Management establishes actions through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system;

Footnote 7: The Board of Directors serves as the oversight body of the FDIC. [End of footnote]

According to the GAO’s Information standard (#4 above), agency management should use quality information to achieve the entity’s objectives and should obtain relevant data from reliable sources. Agency management processes relevant data from reliable internal and external sources into quality information within the entity’s information system. Quality information is appropriate, current, complete, accurate, accessible, and provided on a timely basis. Management uses the quality information to make informed decisions and evaluate the entity’s performance in achieving key objectives and addressing risks.

Importance of Agency-wide Contract Oversight

The GAO Framework provides critical success factors, such as agency leaders who articulate an agency-wide vision for the acquisition of goods and services and mechanisms to anticipate, identify, and react to risks presented by changes in conditions that can affect agency-wide or acquisition-related goals. The GAO Framework also identifies indicators of practices and activities that hinder good acquisition outcomes that agencies should be cautious of, such as acquisition planning that is completed on a contract-by-contract basis rather than with consideration of agency-wide needs.

The FDIC uses several systems to oversee and support the acquisition process. These systems include the Automated Procurement System (APS);8 New Financial Environment (NFE);9 and Contract Electronic File (CEFile),10 part of the FDIC’s Consolidated Document Information System (CDIS). The APS is an integrated information management system that facilitates the creation of procurement-related documentation and provides the capability to monitor procurement activity through the acquisition phases of contract planning, solicitation, award, administration, and closeout. The APS is a repository of contracting data and contains a significant amount of contract data, including the contract number, vendor, the FDIC’s contracting personnel, Divisions/Offices, dates, and contract funding information among other data elements. NFE contains invoices and contract expenditure data. CEFile is the official contract file of record and contains pre-award, post-award, and OM contract file documentation. The ASB uses these systems to maintain and report contract information to the Divisions, Offices, and Board of Directors.

According to an Assistant Director, ASB, OMs can access NFE and use the system to produce a download of all contract information in NFE from the system’s inception to the date the download was generated. To assist with prior period analysis, the ASB creates the APS Award Summary and NFE Purchase Order Summary reports on a monthly basis11 and publishes them on the FDIC’s intranet for easy access. The Divisions and Offices use this information to manage their respective contracts.

Footnote 8: APM (APM Chapter 6.1 FDIC Automated Procurement System; 6.103 “FDIC Automated Procurement System Policy”). [End of footnote]

Footnote 9: APM (APM Chapter 5.13 Contract Payment; 5.1304 “Invoices”). [End of footnote]

Footnote 10: APM (APM Chapter 6.2 Contract File Management; Section 6.202, "Definitions"). [End of footnote]

Footnote 11: The APS Award Summary Report provides select contracting data from the APS. The NFE Purchase Order Summary Report provides financial contracting data from NFE. [End of footnote]

On a quarterly basis, the Deputy Director, ASB, provides a Quarterly Award Profile Report to the Board of Directors, which summarizes new awards and expenditures, award activity and divisional participation, minority and women-owned businesses (MWOB) statistics, procurement card data, pending procurement actions (estimated values of $5 million or more), basic ordering agreements (BOA),12 blanket purchase agreements (BPA),13 receivership basic ordering agreements (RBOA),14 Tasking Basic Ordering Agreements (TBOA),15 Interagency Agreements (IAA), detailed information for higher risk contracts over $5 million and all contracts over $20 million,16 and detailed profiles for certain contract awards.17

Footnote 12: BOAs are not contracts. They are written instruments of understanding negotiated between the FDIC and a contractor for future delivery of as yet unspecified quantities of goods or services. BOAs become a binding contract when a task order is issued. A task order is an instrument that turns a BOA into a binding contract after issuance. [End of footnote]

Footnote 13: BPAs are agreements establishing FDIC rights to place orders for specific goods or services. [End of footnote]

Footnote 14: RBOA are BOA awards specific to DRR financial institution resolution contracts. [End of footnote]

Footnote 15: TBOA are BOA awards specific to IT services. [End of footnote]

Footnote 16: The Quarterly Award Profile report lists awards with a value of $5 million to $20 million that require greater oversight, because they present financial, operational, or reputational risk to the FDIC, such as security support services, financial institution resolution planning, and information management system redesign. [End of footnote]

Footnote 17: These profiles include the awarded value, expiration date, expenditure amount to date, vendor profile, and additional comments about the contract. [End of footnote]

Three Divisions—DOA, DIT, and DRR—accounted for approximately 96 percent of all contracts awarded in both volume and dollars during our evaluation period. DOA contracts for security services, facilities, and records management. DIT contracts for technology services, such as the Help Desk, computer system design, and telecommunications. DRR is responsible for managing the resolution process, which involves a range of contracts to support the closing functions at failed financial institutions and the management and disposition of receivership assets. For example, DRR contracts include appraisal management services, commercial loan servicing, and data management. Figure 2 shows the dollar value of contract awards by Division for calendar year 2017.

Figure 2: Awarded Contract Dollars by Division During Calendar Year 2017

(pie graph, 5 slices)

Slice 1; Division: DRR; Awarded Contract Amount: $175,300,000;

Slice 2; Division: DIT; Awarded Contract Amount: $85,400,000;

Slice 3; Division: DOA; Awarded Contract Amount: $235,400,000;

Slice 4; Division: DOF; Awarded Contract Amount: $15,500,000;

Slice 5; Division: Other; Awarded Contract Amount: $12,100,000;

Source: OIG analysis of ASB Quarterly Award Profile Reports.

[End of figure]

EVALUATION RESULTS

Based on our review, we found that the FDIC must strengthen its contract oversight management. Specifically, we found that:

• The FDIC’s contracting management information system had limited data and reporting capabilities for agency-wide oversight of its contract portfolio;18

• The FDIC OM contract files were missing certain required documentation;

• Personally Identifiable Information (PII) was improperly stored in the FDIC’s electronic contract file (CEFile);

• Some OMs in the DIT lacked the workload capacity to oversee contracts; and

• Certain OMs were not properly trained or certified.

Footnote 18: The GAO Framework recommends that acquisition of goods and services be viewed from an agency-wide perspective. It further recommends that senior leadership should promote a strategic, integrated, and agency-wide approach to acquisition. The term “portfolio” in this report is used to describe GAO’s recommendation to consider acquisition services from an agency-wide perspective and not solely on a contract-by-contract basis. [End of footnote]

We reviewed four sampled contracts and found that the FDIC received goods and services as specified in the contracts and complied with its security requirements.

THE FDIC’S CONTRACTING MANAGEMENT INFORMATION SYSTEM HAD LIMITED DATA AND REPORTING CAPABILITIES

We found that the FDIC was overseeing contracts on a contract-by-contract basis rather than on a portfolio basis and did not have an effective contracting management information system to readily gather, analyze, and report portfolio-wide contract information across the Agency. The FDIC’s contracting system did not maintain certain key data in a manner necessary to conduct historical trend analyses, plan for future acquisition decisions, and assess risk in the FDIC’s awarded contract portfolio. Specifically, the system was not designed to track certain data related to important events in the life of a contract and the workload of OMs.

The GAO Framework states that the “Agency leadership enables an integrated and agency-wide approach to acquisition” and it should “have mechanisms to anticipate, identify, and react to risks presented by changes in condition that can affect agency-wide or acquisition-related goals.” The GAO Framework also identifies “indicators of practices and activities that hinder good acquisition outcomes” such as “acquisition planning [that] is completed on a contract-by-contract basis rather than with consideration of agency-wide needs.”

ASB creates the Quarterly Award Profile Report to provide Agency contracting information to the Board of Directors. It includes detailed information for higher risk contracts over $5 million19 and all contracts over $20 million. This detailed information includes the awarded value, expiration date, expenditure amount to date, vendor profile, and additional comments about each contract. In addition to sending this information to the Board of Directors, an ASB official stated that it uses these reports to analyze its contract portfolio.

Footnote 19: The Quarterly Award Profile report lists awards with a value of $5 million to $20 million that require greater oversight because they present financial, operational, or reputational risk to the FDIC, such as security support services, financial institution resolution planning, and information management system redesign. [End of footnote]

According to the Director of ASB, there is no set goal for the percentage of contracts covered by the Quarterly Award Profile Reports. During the scope of our evaluation from 2013 to 2017, we determined that 4 percent of the number of contracts were over $5 million; these contracts accounted for 57 percent of the value of FDIC contracts. As a result, the reports prepared for the Board of Directors from 2013 to 2017 did not include 96 percent of the FDIC’s contracts and 43 percent of the value.

While the information included in the Quarterly Award Profile Report is important for the Board of Directors to understand the status of higher risk FDIC acquisitions as of a specific point in time, it does not provide the Board or other senior management officials with a portfolio-wide view or the ability to analyze historical contracting trends across the portfolio, identify anomalies, and perform ad hoc analyses to identify risk or plan for future acquisitions.

An Assistant Director, ASB, stated that ASB has information related to cost and schedule changes that it can assemble on an agency-wide basis from previous Award Summary Reports. However, compiling this information manually from previous reports does not constitute an effective contracting management information system to readily gather, analyze, and report portfolio-wide contract information across the Agency. The FDIC would benefit from more comprehensive information on an overall agency-wide portfolio basis to readily provide management additional information to inform decision-making, measure performance, identify risks, and manage contract costs.

Ten years ago in 2009, the GAO identified deficiencies in the FDIC’s system of internal control as part of its financial statement audit.20 These deficiencies, although not material weaknesses or significant deficiencies, merited FDIC management’s attention and correction, and the GAO communicated them in a separate management letter.

Footnote 20: FDIC Report, 2009 Annual Report (June 2010). [End of footnote]

A memorandum to Division and Office Directors from the FDIC’s Office of Enterprise Risk Management, dated June 21, 2010, mentioned the GAO-identified internal control deficiencies, including the adequacy of controls associated with monitoring transaction activity throughout the FDIC.21 The memorandum further explained that the FDIC’s Program Management Organizations/Offices and the Boston Consulting Group identified related shortcomings, including a shortcoming on contract oversight management. The FDIC hired the Boston Consulting Group (BCG), which examined the FDIC’s agency-wide contracting system. BCG found that the FDIC’s contracting system was missing key data related to contract spending, contract performance, and oversight resources. BCG also found that the FDIC’s contracting system restricted reporting to FDIC management as it did not produce an executive dashboard with metrics to provide visibility into the FDIC’s contracting statistics. As explained in more detail below, we found similar issues in this evaluation.

Footnote 21: FDIC Memorandum from the Office of Enterprise Risk Management, Guidance for 2010 Assurance Statements (June 21, 2010). [End of footnote]

The FDIC Did Not Gather and Analyze Certain Key Contract Data

According to the GAO Framework, “data collected in support of meaningful metrics can assist agencies [in tracking] achievements in comparison with plans, goals and objectives.” The GAO further states that two interrelated processes are critical to the success of such data systems: (1) tracking acquisition data and (2) translating the data into a meaningful format. The FDIC must improve both of these areas.

According to the GAO Framework, “an effective agency-wide system integrates financial, acquisition, operating, and management information and allows decision makers to access relevant information easily and perform ad-hoc data analysis.” Both the GAO Framework and the FDIC’s PGI identified key data elements that should be tracked in the FDIC’s contracting system.

The FDIC’s APS included a significant amount of contract data, including the contract number, vendor, assigned contracting personnel, requesting Divisions, pertinent dates, and contract funding information, among other data elements, and NFE contained invoices and contract expenditure data. While the FDIC’s electronic contract files contained information about each individual FDIC contract,22 these files are the equivalent of hard copy paper files in which pertinent data is not easily searched, retrieved, or analyzed. Further, the FDIC’s contracting information management system did not track the following key data elements recommended by the GAO Framework and/or the FDIC PGI:

Footnote 22: These files are maintained in CEFile. [End of footnote]

• Original contract award amount for modified contracts;23

• Original period of performance for modified contracts;

• Clear and properly recorded contract modifications;

• OM workload; and

• Contract cost structures.

Footnote 23: While the contract award amount and period of performance are recorded in APS for each awarded contract, if a contract is modified, the original award amount and original period of performance are overwritten and therefore, no longer available in APS. [End of footnote]

During our evaluation, we identified best practices for implementing an effective contracting management information system to readily gather, analyze, and report portfolio-wide contract information across the Agency. Specifically, we found that the General Services Administration24 and a regulatory agency have contracting management information systems that maintain procurement data, including the data elements listed above, which are readily available for analysis on a portfolio-wide basis across their respective agencies.25 In addition, the GSA maintains an agency-wide acquisition executive dashboard that is used to assess the strengths and weaknesses of its internal control program for acquisition, as well as perform workforce planning analysis.

Footnote 24: The General Services Administration (GSA) provides centralized procurement for the federal government. [End of footnote]

Footnote 25: Federal agencies are responsible for collecting and reporting data to the GSA Federal Procurement Data System (FPDS) as required by the Federal Acquisition Regulation (FAR). The FPDS is the authoritative source of contract information and contains data that is used for policy and trend analysis. [End of footnote]

The FDIC’s APS Did Not Track Certain Important Events in the Life of a Contract

Original Contract Award Amount. While the original contract award amount is initially captured in the APS, if a contract is modified, the original contract award amount is overwritten by the modified contract amount and, as a result, the original contract award amount is no longer maintained in the APS.26 For example, one of the four contracts we reviewed was increased from $991,960 to $1,193,960 (approximately a 20-percent increase), and the original contract price was not apparent by reviewing the data in the APS. In order to identify the original contract price and assess the increases in contract award amounts, the FDIC must go through a manual process to review the contract documents in CEFile.

Footnote 26: Per discussions with ASB, the original contract award amount exists in both APS and NFE; however, if a contract is modified, the original contract information is overwritten in APS. [End of footnote]

Without tracking the original contract award amount in the APS, it would be difficult for the FDIC to perform portfolio-wide analyses to compare original contract award amounts to actual contract cost amounts. Using the documentation in CEFile for this purpose would not be feasible, as it would require a review of the contract documents in CEFile (assuming the documents were in the file) followed by the manual entry of the needed fields into a spreadsheet for thousands of contracts before the portfolio analyses could be performed. Manual entry is inefficient and error-prone.

The FDIC monitors its contracts on a contract-by-contract basis and is therefore aware of increased costs occurring on ongoing individual contracts. However, without analyzing original contract award information and actual contract cost information across the portfolio and on a historical basis (trend analyses), FDIC management is unable to determine the frequency of increased costs within the awarded contract portfolio, assess cost effectiveness, and identify any related process weaknesses within its operations.

Original Period of Performance. Similar to the original contract award amount, original periods of performance are not maintained in the APS after a contract is modified. In one of the four contracts we reviewed, the ASB modified the period of performance twice, extending the contract a total of 1½ years. In this instance, the original period of performance was not apparent by reviewing the data in the APS.

According to an Assistant Director, ASB, the original period of performance for each contract is maintained in a document in CEFile. As mentioned earlier, using CEFile is not feasible for analyses of the FDIC’s contract portfolio data.

Because the FDIC monitors its contracts on a contract-by-contract basis, it is aware of changes to the periods of performance for ongoing contracts. However, without analyzing original periods of performance information and actual period of performance across the portfolio and on a historical basis (trend analyses), FDIC management is unable to determine the frequency of contract delays within the awarded contract portfolio. Such delays could also be indicators of contractor performance issues. ASB management agreed that tracking this information in the FDIC’s contracting information management system would be beneficial to the FDIC.

Contract Modifications. Contract modifications provide information on changes to the contract, such as changes to dollar ceiling adjustments and the period of performance. According to an Assistant Director, ASB, the APS has a modification report; however, we found that due to incomplete information, the FDIC cannot conduct portfolio-wide analysis.

Specifically, the APS lacks standardized modification descriptions for COs to select. As a result, COs are entering insufficient detail into the system for the FDIC to analyze modifications. For example, the FDIC is unable to identify all modifications relating to the period of performance or dollar ceiling increases. This issue is compounded by the fact that there are numerous modifications for many contracts. For example, our four sampled contracts had 5 to 11 modifications each.

Without analyzing contract award, period of performance, and contract modification data on a portfolio-wide and historical basis, the FDIC cannot readily perform trend analyses across the FDIC contract portfolio to:

• Determine the reasons for cost overruns and missed contract deadlines;

• Understand why its contract estimates and milestone dates were inaccurate;

• Assess what factors led to increased costs or missed milestones; and

• Identify indicators of poor contractor performance.

The FDIC Did Not Track Oversight Manager Workload

The FDIC should track information about the workload of OMs, as it can provide useful insight into the ability of an OM to handle the requirements outlined in the OM’s appointment letter. The APS does not provide the ratio of contracts to OMs. This ratio would be helpful to Divisions and Offices in conducting workforce planning.

For example, if an OM has a substantial number of contracts at a given time, depending on the contract’s complexity and the OM’s experience, the OM may not be able to fulfill the appointment letter requirements. Cost overruns and missed deadlines can occur if OMs are unable to handle their responsibilities. In addition, contractors may not be held to the terms of their contracts due to inadequate oversight, which could result in improper payments or security risks. We identified workload concerns of OMs, as discussed below in our finding on DIT Oversight Managers Lacked the Workload Capacity to Oversee Contracts. The FDIC should compile the ratios of contracts to OMs so that ASB can analyze and assess workloads across the contract portfolio and coordinate with Divisions and Offices to ensure resources are assigned appropriately.

The FDIC Did Not Analyze and Consistently Track Data Related to Contract Cost Structures

Contract Pricing Arrangement is the contract cost structure for paying the contractor for services. For example, as shown in Figure 3 below, firm-fixed price or fixed-unit pricing places the cost risk on the contractor while time and materials or labor hours contracts place the cost risk on the FDIC. A hybrid contract pricing arrangement is a combination of pricing arrangements in one contract and results in a shared risk between the FDIC and the contractor.27 In a firm-fixed-price structure, the contractor is responsible for completing the scope of work for a set price and, therefore, will be required to absorb any additional costs related to cost overruns or missed deadlines in completing the scope of work.

Footnote 27: PGI (Section 3.217(d)) “Pricing Arrangements” explaining that Firm-Fixed-Price (FFP) contracts represent “the least risk for FDIC in that the contract has a predetermined total price at the time of contract award and is not subject to adjustment during contract performance. Accordingly, a FFP arrangement places the maximum risk upon the contractor to manage costs and resulting profit or loss. It provides maximum incentive for the contractor to control costs and perform effectively and imposes a minimum administrative burden upon the contracting parties.” [End of footnote]

Under a time and materials or labor hours contract, the Agency pays the contractor for the number of hours its staff works to complete the scope of the contract. The Agency establishes a contract ceiling and must closely monitor the contract to ensure the contractor is using hours at an appropriate burn rate (amount expended on the contract over time) to complete the required tasks. Otherwise, the contractor could expend the total number of hours, yet only complete a portion of the contract requirements. This contract type requires a higher level of monitoring and scrutiny than a firm-fixed-price contract and is at increased risk for cost overruns and missed deadlines for the Agency.

Figure 3: FDIC Contract Portfolio Pricing Arrangements

Contracting Price Arrangement

Source: FDIC portfolio pricing arrangements over a 5-year period (2013-2017) and associated risks, OM Training Level II materials, and OIG analysis of ASB Contract Clause Reports, which include contract information.

[End of figure]

At our request, ASB queried the APS and provided the contract pricing arrangements for 7,786 ongoing contracts between 2013 and 2017. Based on our analysis, we found that nearly 20 percent, or 1,518 of 7,786, of the contracts’ pricing arrangements were not recorded in APS. Per ASB, these pricing arrangements were not entered because COs had discretion in deciding whether to enter the pricing arrangements in APS. Without complete data, the FDIC cannot readily analyze the contract pricing arrangements across the FDIC’s contract portfolio. In addition, the FDIC cannot assess historical contract pricing arrangement trends across the portfolio, identify anomalies and risk, or incorporate this information when planning for future acquisitions. The GAO Framework cites lack of data on the types of contracts used on procurement actions as an indicator of “practices and activities that hinder good acquisition outcomes.”

In a GAO report,28 the GAO identified overall trends in defense and civilian agencies’ contract obligations from fiscal years 2011 through 2015. The GAO found that nearly two-thirds of government contract obligations (63 percent) had a fixed-price cost structure. The GAO report stated that the Office of Management and Budget considers non-fixed-price contracts high risk because they do not directly incentivize contractors to control costs and thus carry significant potential risk of overspending. The report stated that agencies should periodically conduct analysis to determine if a contract could transition to a less risky pricing arrangement in order to achieve acquisition savings.

Footnote 28: GAO Report, Contracting Data Analysis Assessment of Government-wide Trends (GAO-17-244SP) (March 2017). [End of footnote]

Due to the incomplete pricing arrangement data, ASB was unable to determine the percentage of the FDIC’s acquisition portfolio with a fixed-price cost structure or any other pricing cost structure to benchmark against other federal agencies. If ASB and the Divisions periodically analyzed and consistently tracked the contract pricing arrangement type in the APS, ASB and the Divisions would be more aware of the level of portfolio pricing risk that the FDIC is assuming. In addition, ASB could work with Divisions and Offices to analyze the amount of pricing risk in order to potentially achieve acquisition savings.

The FDIC’s Contracting System Had Limited Reporting Capabilities

According to the GAO Framework, data are meaningless unless the data can be translated into relevant, understandable formats for officials involved in the acquisition process.29 Comprehensive portfolio-wide reporting, for instance, on cost and period of performance changes, would provide agency management information to help inform acquisition decision-making, measure performance, identify risks and manage contract costs.

Footnote 29: GAO Framework, Critical Success Factor, Translating Financial Data into Meaningful Formats. [End of footnote]

The ASB exports data from the APS and NFE and prepares monthly summary reports on DOA’s intranet site for use by Divisions and Offices in managing their contracts. However, in addition to not tracking the key information discussed above, we found that the Award Summary Report included a large amount of contract data that required subject-matter expertise and manual data manipulation to extract meaningful information. For example, the simple task of determining the total number of contracts for a particular Division would require the Division to manually remove BOA, RBOA, and TBOA non-contract information, all of which is not apparent. An Assistant Director, ASB, described filters that could be used to identify letters in contract numbers which represent BOAs, and from there, those particular line items would simply be deleted. While individuals who work with the data on a regular basis may perform these steps quickly, it is a form of manual manipulation that is prone to error and it is not intuitive for other users.30 The system does not meet the GAO standard of being accessible to key users and stakeholders if only expert users of the data and system are able to perform desired analyses.

Footnote 30: The GAO Report, The Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014) (Green Book) defines control activities. It states control activities can be implemented in either an automated or a manual manner. Automated control activities are either wholly or partially automated through the entity’s information technology. Manual control activities are performed by individuals with minor use of the entity’s information technology. Automated control activities tend to be more reliable because they are less susceptible to human error and are typically more efficient. If the entity relies on information technology in its operations, management designs control activities so that the information technology continues to operate properly. [End of footnote]

A memorandum to Division and Office Directors from the FDIC’s Office of Enterprise Risk Management, dated June 21, 2010, mentioned the GAO-identified internal control deficiencies, including the adequacy of controls associated with monitoring transaction activity throughout the FDIC. The memorandum further explained that the FDIC’s Program Management Organizations/Offices and the Boston Consulting Group identified related shortcomings, including a shortcoming on contract oversight management.31 Based upon the concerns raised by the GAO, the FDIC hired the Boston Consulting Group (BCG) to conduct a study of the contract oversight management issues.

Footnote 31: FDIC Memorandum from the Office of Enterprise Risk Management, Guidance for 2010 Assurance Statements (June 21, 2010). [End of footnote]

Given the volume of DRR contracts during the financial crisis of 2008-2011, the then-FDIC Chairman chose to focus on DRR. BCG examined the FDIC’s agency-wide contracting system, as DRR did not have a separate contracting system, and identified poor management visibility into the contracting process. Specifically, BCG found that the FDIC’s contracting system was missing key data related to contract spending, contract performance, and oversight resources. BCG also found that the FDIC’s contracting system restricted reporting to FDIC management, as it did not produce an executive dashboard with metrics to provide visibility into the FDIC’s contracting statistics. As a result, BCG found that DRR was unable to accurately project its spending on contracts and only measured contract performance using award ceilings that appeared high. BCG’s report resulted in six recommendations, which the FDIC implemented.32

Footnote 32: BCG recommended that the FDIC group oversight resources by contract type, level of contract complexity, and required skill sets; standardize the contract oversight process and develop metrics to measure contractor performance; develop an executive dashboard with metrics for key risks; capture pricing opportunities: rotational award model and volume discounts; align contracting responsibilities and enhance cross divisional collaboration; and implement a series of tactical initiatives to improve effectiveness, including capturing reporting of Minority and Women Owned Business (MWOB) subcontractors. [End of footnote]

DRR subsequently created and implemented a reporting system that provides DRR management with reporting and graphs that capture contract award (volume and dollars), expiration date, and burn rate. However, DRR’s reporting system has limitations; for example, it does not report on key milestones, contract modifications, adjustments in contract dollar ceiling, period of performance, and contract closeout. DRR management could identify opportunities to reduce or control costs, meet contract target dates, and assess contractor performance, if this additional information was contained in its dashboard for monitoring key contract metrics.

Nevertheless, many issues identified by BCG are the same types of concerns that we identified during this evaluation for the entire FDIC contract portfolio. These concerns include:

• Missing data;

• Ineffective reporting; and

• Lack of executive-level visibility.

DRR management stated that it shared its reporting system with the ASB to recommend implementation across the FDIC. The ASB, however, chose not to pursue this system, nor did it substantially upgrade the existing system to incorporate facets of the DRR system. ASB officials stated that the organization believed that their reporting process met the FDIC’s business needs. However, at the time the ASB officials made this statement, they were not aware of the GAO Framework.

Based on the results of our OIG evaluation, we do not agree that the ASB’s reporting system meets the needs of the FDIC in gathering, analyzing, and reporting on contract data.

Recommendations

We recommend that the Deputy to the Chairman and Chief Operating Officer:

(1) Collect key acquisition data, including original contract award amount for modified contracts, original period of performance for modified contracts, clear and properly recorded contract modifications, and oversight manager workload, which will enhance automated portfolio-wide analyses and reporting to support informed decision-making.

(2) Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.

THE FDIC’S CONTRACT FILES WERE MISSING CERTAIN REQUIRED DOCUMENTATION

We found that although the FDIC has requirements for maintaining key documents, contract files were often not complete based on our sample. Three of the four contract files we reviewed did not contain one or more of the following documents: (1) a Contract Management Plan; (2) Post-award Conference Documentation; and/or (3) Deliverable, Inspection, and Acceptance Documentation. In addition, FDIC OMs were unable to produce the documents more than 6 months after our request for the missing information. The Table below describes the information that was missing from CEFile and not provided during our evaluation.

Table 1: Missing Contract Documentation

Row 1; Required Documentation: Contract Management Plan; Sample (division - DRR) 1: Documents found in CEFile.; Sample (division - DRR) 2: Missing documents.; Sample (division - DIT) 3: Missing documents.; Sample (division - RMS) 4: Documents found in CEFile.;

Row 2; Required Documentation: Post-award Conference Documentation; Sample (division - DRR) 1: Missing documents.; Sample (division - DRR) 2: Documents found in CEFile.; Sample (division - DIT) 3: Documents found in CEFile.; Sample (division - RMS) 4: Documents found in CEFile.;

Row 3; Required Documentation: Deliverable Inspection and Acceptance Documentation; Sample (division - DRR) 1: Documents found in CEFile.; Sample (division - DRR) 2: Missing documents.; Sample (division - DIT) 3: Documents found in CEFile.; Sample (division - RMS) 4: Documents found in CEFile.;

Source: OIG analysis of contract documents in CEFile.

[End of table]

A Contract Management Plan outlines the level of oversight needed to ensure completion of the contract. The Contract Management Plan is intended to ensure that the COs and OMs have a common understanding of both contractor and FDIC obligations under the terms of the contract. In both instances where the Contract Management Plan was missing (Samples 2 and 3 above in Table 1), DRR and DIT OMs asserted that their level of experience negated the need for this document.

We do not agree with this assertion. Contract Management Plans are critical in the event of a dispute or disagreement during the course of a contract. According to the PGI, OMs are not authorized to forego the preparation of a Contract Management Plan and should not make such a decision without the approval of the CO. Such approvals were not obtained in these cases.

The Post-award Conference Documentation covers areas such as the roles of the FDIC and contractor personnel, scope of contract, rights and obligations, and other contract details. Inspection and acceptance documentation is important because it provides evidence that the contractor’s work was in compliance with contract requirements, and the acceptance documentation supports the payment or rejection of invoices. Missing contract documentation could pose a significant risk to the FDIC, if there were contractor performance issues or legal issues such as contract disputes on these contracts. In addition, if OMs provide the proper documentation in CEFile, the FDIC will have greater assurance that OMs are fulfilling their contract oversight responsibilities.

[Text box]

The FDIC OIG’s audit report on Payments to Pragmatics, Inc.33 provides an example of the issues that can occur when contract documentation is not properly maintained. We found the FDIC did not maintain required documentation regarding an OM site visit. As a result, there was no documentation of whether or not the contractor could perform work in alternative locations. The report stated:

“The FDIC conducted a site visit for one of Pragmatics’ off-site locations in July 2013. However, FDIC contracting and program office personnel did not retain documentation regarding the outcome of the visit, including whether the FDIC had approved Pragmatics personnel to work at the off-site location. The ambiguity regarding the place of performance caused confusion and uncertainty among FDIC and Pragmatics personnel.”

“The OIG determined that $39,979 was unallowable because the work was performed off site and recommended the FDIC identify the portion of the $39,979 that should be disallowed and recovered. The OIG also recommended that the FDIC document the results of the site visit and remind contracting personnel of the requirement to document site visits.” As of July 2019, the FDIC had resolved the recommendation regarding documenting the results of the site visit; however, the recommendation regarding unallowable charges was still open.

[End of text box]

Footnote 33: OIG Report, Payments to Pragmatics, Inc. (AUD-19-003) (December 2018). [End of footnote]

The ASB requires OMs to maintain all pertinent contract documents in CEFile, a module of the FDIC’s CDIS.34 Within CEFile, OMs must use the OM File for items such as contract deliverables, invoice-related documents, performance documentation, and for tracking contractor personnel and FDIC-furnished property. Once a contract is closed out, the CO permanently removes these files from CEFile and archives them in Digital Library—also a module of CDIS.

Footnote 34: The FDIC Acquisition Policy Manual (APM), and FDIC policy (Procedures, Guidance and Information (PGI), Job Aid No. 5 documentation checklist) require contracting officers and OMs to use CEFile, part of CDIS, to organize and file contract documents. [End of footnote]

OMs expressed frustration and described challenges associated with system faults in uploading documents into CEFile and the amount of time required to do so. OMs stated that the document upload time deterred them from complying with documentation requirements. Seventy-eight percent (7 of 9) of the contracting personnel in the nine FDIC Divisions and Offices we interviewed stated that CEFile was “not user-friendly.” These individuals expressed that using CEFile was time-consuming and burdensome. Similarly, each of the OMs overseeing our four sampled contracts stated the same.

A DIT OM provided a collaborative OM response stating that “CEFile is too slow and cumbersome to navigate. As such, OMs will maintain official contract files outside of CEFile.”

DOF OMs stated that, “[i]f we had more contracts, CEFile performance would be a concern.” During the financial crisis of 2008-2011, the FDIC also faced challenges dealing with the increased volume of contracts needed. The FDIC awarded over 6,000 contracts totaling nearly $7.5 billion. The size of its acquisition staff was initially insufficient, which resulted in delays to modify existing contracts and issue new contracts. The FDIC needed to rapidly hire and train personnel to oversee the contracts. If DOF’s contracting needs increased as they did during the previous financial crisis, uploading information into CEFile would be challenging.35

Footnote 35: Effectively Managing Acquisition Services Branch Procurement Policies and Resources – Meeting the Challenges of the Financial Crisis 2008-2011; Flexibility in Staffing and Realignment of ASB: Flexibility in staffing and staff realignment was necessary to meet the significantly increased demand for goods and services during the crisis. [End of footnote]

Uploading completed contract documents into CEFile in a timely manner is particularly important to ensure a smooth transition of contract oversight when the FDIC experiences employee turnover. DRR officials stated that in turning over a contract to a new OM, the former OM meets with the new OM to familiarize the new OM with the contract. Further, they stated that if the former OM is not available, the new OM relies upon the documents in CEFile. The FDIC cannot implement this process if the OM leaves the FDIC prior to uploading these documents.

[Text box]

Difficulty in transitioning a contract to a new OM is exemplified by a sampled contract where the OM died and had not placed documentation in CEFile. In this instance, the Division was unable to recover the documents from the deceased OM’s computer, even after sending it to DIT in an effort to extract the information. As a result, during our evaluation, the newly assigned OM was unable to answer simple questions about the contract, such as whether the contract had a contract management plan or a post-award conference had been held.

[End of text box]

This concern is compounded by the fact that as of July 31, 2018, approximately 63 percent of employees within DRR are eligible to retire within 5 years. It is imperative that the FDIC ensure that documentation is accessible and well organized to facilitate the transfer of knowledge as more and more employees retire.

As a result of the delayed upload of documents into the CEFile, OMs stated that they stored documents on SharePoint sites, work station hard drives, and even maintained physical copies. When the OIG requested documents missing from CEFile, OMs had to search for the documentation and, in some cases, were unable to locate the missing documentation. This manual search process is an inefficient use of time and puts the Agency at risk of losing contract documentation and violating the Agency’s record retention requirements. Furthermore, for critical documents such as inspection and acceptance documentation or payment information, the FDIC could incur additional costs to recover or replace lost documentation. This could also lead to difficulty in enforcing the contract in the event of contractor noncompliance.

Without a process to oversee OM compliance in uploading complete contract documentation to CEFile in a timely manner, OMs admitted that they have delayed or avoided uploading documentation as required by the PGI. Despite this deficiency, the FDIC received goods and services as specified in the contract for the four contracts we sampled. While we did not identify instances where OMs were unable to fulfill their oversight responsibilities for the four contracts we reviewed, the FDIC needs better assurance that OMs have the necessary tools and systems available to upload materials, are fulfilling their responsibilities, and meeting documentation requirements for all FDIC contracts.

Recommendations

We recommend that the Deputy to the Chairman and Chief Operating Officer:

(3) Remind Oversight Managers of CEFile documentation requirements established by the Acquisition Policy Manual.

(4) Evaluate CEFile/CDIS performance to assess Oversight Managers’ concerns regarding extensive document upload time, and, if substantiated, implement a solution.

(5) Require Divisions/Offices to implement a routine process to verify that Oversight Managers are uploading documents in CEFile in a timely manner and are maintaining complete files.

PERSONALLY IDENTIFIABLE INFORMATION WAS IMPROPERLY STORED IN CEFILE

The Federal Government has enacted laws governing the protection of PII.[36] The E-Government Act of 2002[37] requires Government agencies to safeguard the personal information of members of the public. The Privacy Act of 1974 established a Code of Fair Information Practices that regulates the collection, maintenance, use, and dissemination of PII about individuals that is maintained in systems of record by Federal agencies. To comply with the Federal requirements, the FDIC has implemented a process to safeguard PII using a Privacy Threshold Analysis (PTA)[38] and a Privacy Impact Assessment (PIA).[39]

Footnote 36: OIG Report, The FDIC’s Processes for Responding to Breaches of Personally Identifiable Information (AUD-17-006) (September 2017). PII is defined as information that can be used to distinguish or trace an individual’s identity, including an individual’s name, Social Security Number, or biometric records, alone, or when combined with other PII which is linked or linkable to the individual, such as date and place of birth, mother’s maiden name, etc. Office of Management and Budget (OMB) Memorandum No. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007). A revised OMB Memorandum No. M-17-12 was issued on January 3, 2017. See, also, FDIC Circular 1360.9, Protecting Sensitive Information (April 30, 2007) for a comprehensive definition. [End of footnote]

Footnote 37: The E-Government Act of 2002, Public L. 107-347 (Section 208) requires the FDIC to conduct Privacy Impact Assessments (PIA) for information technology systems and electronic collections affecting 10 or more members of the public. [End of footnote]

Footnote 38: A PTA is used to determine whether a Privacy Impact Assessment (PIA) is required for: (1) a new information technology (IT) system developed or procured by the FDIC that collects or processes personally identifiable information; (2) a substantially changed or modified system that may create a new privacy risk; (3) a new or updated rulemaking that may affect the privacy of PII in some manner; or (4) any other internal or external electronic collection activity or process that involves PII. [End of footnote]

Footnote 39: A PIA is a documented analysis of: (1) how personally identifiable information is collected, stored, protected, shared and managed; (2) the deliberate incorporation of privacy protections by system owners and developers throughout the entire life cycle of an IT system or application; and (3) privacy protections built into a system/application from its inception - rather than later in the system life cycle when cost and project viability may be adversely affected. [End of footnote]

One of our sampled contracts was awarded to procure property management services for failed bank properties. For this contract, we found that a DRR OM improperly uploaded contractor deliverable documentation containing PII to CEFile. Specifically, the OM uploaded PII contained in leasing agreements for failed bank properties. CEFile Job Aid Number 5 required that these leasing agreements be documented in CEFile, because they were deliverables of the contract and were reviewed as part of the OM’s inspection and acceptance process. However, the PGI prohibited their inclusion in CEFile, because they contained PII such as names, addresses, phone numbers, and Social Security Numbers.

[Text box]

In September 2017, the OIG issued The FDIC’s Processes for Responding to Breaches of Personally Identifiable Information regarding a series of data breaches reported by the FDIC in late 2015 and early 2016. The OIG audit found that many of the data breaches involved PII, and reported:

“The FDIC established formal processes for evaluating the risk of harm to individuals potentially affected by a breach involving PII and providing notification and services to those individuals, when appropriate. However, the implementation of these processes was not adequate. The OIG made seven recommendations to promote more timely breach response activities and strengthen controls for evaluating the risk of harm to individuals potentially affected by a breach and notifying and providing services to those individuals, when appropriate.”

The Agency implemented corrective actions to address all seven recommendations made in this audit report.

[End of text box]

The FDIC’s PGI specifically states, “documents containing PII must not be uploaded into CEFile.”40 However, CEFile Job Aid Number 5 requires OMs to file and upload contract deliverable, inspection, and acceptance documentation into CEFile. The Job Aid Number 5 for CEFile contradicts the PGI when contracting documentation contains PII, and, therefore, according to one OM, “it then causes confusion when deliverable documentation contains PII.” As a result of the contradictory guidance, there is a risk that either the CEFile will be incomplete because the document will not be uploaded, or the file will be complete but will contain PII unbeknownst to the FDIC.

Footnote 40: Per DIT, contracting documents are uploaded into Documentum through the CDIS application. Documentum is a unified Content Management System that provides tools for working with many types of content (documents, drawings, scanned images, and hard copies) in a single repository that can span multiple departments and functional areas within an organization. [End of footnote]

On October 7, 2010, DOA completed a PTA of CEFile. The PTA concluded that the FDIC would not store PII in CEFile. Based upon the results of the PTA, DOA was not required to complete a PIA to document how PII is collected, stored, protected, shared, and managed. Instead, as a result of the PTA, DOA prohibited the storage of PII in CEFile and incorporated relevant guidance in the PGI.

Given the fact that the FDIC is responsible for managing and resolving failed bank properties, it is likely the FDIC has entered into other contracts for managing failed bank properties with deliverables that contain PII. Further, given the contradictory instructions provided by the PGI and the CEFile Job Aid, there is a risk that other types of contract deliverables containing PII have been uploaded into CEFile. Finally, given the volume of information in CEFile and number of employees with access to CEFile, there is a risk that the PII in CEFile could be improperly accessed, printed, and removed.

As of December 31, 2018, CEFile contained acquisition and contract management documentation for 6,816 contracts, and approximately 30 FDIC COs have access to all contract files. Access to CEFile is designed so that COs have the capability to view and edit information within the entire system. OMs have limited access to edit the OM section and view all other files for their assigned contracts.

According to the National Institute of Standards and Technology (NIST), an organization cannot properly protect PII it does not know about.41 Should a breach of the system occur, the FDIC risks unauthorized access or improper release of PII, such as names, addresses, phone numbers, and Social Security Numbers. In addition, the FDIC could be unaware of the types of documents containing PII that were breached. As a result, the FDIC may not follow proper breach response procedures, such as identifying and notifying affected individuals; ensuring proper reporting requirements both internally and externally; and assessing and mitigating the risk of harm to affected individuals.42 If the FDIC does not adequately protect PII, as well as report a breach in a timely manner, it could cause harm to individuals or other affected stakeholders.

Footnote 41: NIST Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (April 2010). [End of footnote]

Footnote 42: FDIC Report, Breach Response Plan (BRP) (December 7, 2018). [End of footnote]

Recommendations

We recommend that the Deputy to the Chairman and Chief Operating Officer:

(6) Issue updated guidance for Oversight Managers handling documents that contain Personally Identifiable Information.

(7) Complete an updated Privacy Threshold Analysis of CEFile as well as an updated Privacy Threshold Analysis of CDIS, in conjunction with the Division of Information Technology.

(8) In conjunction with the Division of Information Technology, develop controls around access to information contained within CEFile to ensure that Personally Identifiable Information is appropriately protected, or identify an alternative to CEFile that can serve as a secure repository for all contract documents.

SOME OVERSIGHT MANAGERS IN DIT LACKED THE WORKLOAD CAPACITY TO OVERSEE CONTRACTS

As discussed earlier, we found that the FDIC did not consistently track or analyze OM workloads. We found that, in particular, DIT OMs did not have sufficient workload capacity to oversee assigned contracts because (i) the average number of contracts per OM in DIT was significantly higher than in other FDIC Divisions (particularly with respect to the size and award amounts of the DIT contracts); (ii) DIT officials stated that the Division lacked sufficient capacity for the number and size of its contractual needs; and (iii) OMs were not able to provide sufficient oversight over some DIT contracts, leading to delays and unallowable labor charges on those contracts.

According to DIT, as of December 31, 2017, DIT had approximately 740 ongoing contracts totaling approximately $1 billion. These contracts were overseen by 16 OMs, 8 of whom were performing their OM responsibilities as a collateral duty.43 Therefore, each OM in DIT handled, on average, about 62 contracts. In contrast, DRR had 847 contracts totaling nearly $1 billion with 23 full-time OMs or about 37 contracts on average per full-time OM.44

Footnote 43: A collateral duty is an assignment that is not a part of the employee’s primary job duties. [End of footnote]

Footnote 44: We compared the OM workload capacity of DIT to DRR because both Divisions are the largest users of contracting services at the FDIC, had similar sized portfolios, and both have complex contract needs. DOA and RMS had substantially fewer contracts and contract portfolios with lower dollar amounts. [End of footnote]

Our analysis also showed that four DIT OMs handled more than 100 contracts,45 with one responsible for 177 contracts totaling $53 million. The majority of these contracts were goods-oriented and therefore not as complex as other DIT service-related contracts, which, according to a DIT Supervisory Financial Management Analyst, allowed for a higher contract-to-OM ratio. However, DIT stated that it has service-related contracts that are challenging to oversee given the complex nature of IT projects. Table 2 shows contract information and the number of OMs, provided by the Divisions with the highest contract volume as of December 31, 2017.

Footnote 45: The OMs responsible for more than 100 contracts were responsible for the following types of contracts: hardware, licenses and subscription services, leases, telecommunications, professional services, asset management, and software. [End of footnote]

Table 2: OM Capacity Information for Highest Volume Divisions as of December 31, 2017

Row 1; Ongoing Contracts; DIT: 740; DRR: 847; DOA: 125;

Row 2; Awarded Amount; DIT: $1 Billion; DRR: $1 Billion; DOA: $652 Million;

Row 3; Number of Full-Time OMs*; DIT: 12; DRR: 23; DOA: 26;

Row 4; Average Contracts Per OM; DIT: 62; DRR: 37; DOA: 5;

Row 5; Average Amount Per OM; DIT: $83 Million; DRR: $43 Million; DOA: $25 Million;

Sources: Divisions of Information Technology, Resolutions and Receiverships, and Administration, and OIG analysis of the Award Summary Report.

*Average number of OMs adjusted for OMs with collateral duties. [End of table]

According to a DIT Supervisory Financial Management Analyst, DIT had previously identified that insufficient OM capacity put it at risk for not effectively overseeing contracts and requested additional financial resources from the Division of Finance to hire more staff. DIT OMs and their supervisors explained that the number of ongoing contracts more than doubled from 314 to 740 from 2013 to 2017, but the FDIC did not hire additional OMs or staff to accommodate this increase in workload.

For contracts with complex areas of performance, OMs obtain assistance from Technical Monitors (TM). Notwithstanding DIT’s ability to use TMs to assist with complex contracts, there is still a workload capacity issue for DIT’s oversight of contracts. Also, per the PGI, the duties of the Technical Monitor are a subset of the duties of the OM, and the responsibility for oversight management remains with the OM.

The FDIC OIG audit entitled Payments to Pragmatics, Inc.46 also highlighted the type of issues that can arise when OMs do not have the workload capacity to properly oversee their contracts. As noted earlier, the OIG identified nearly $40,000 of unallowable labor charges due to a contractor performing FDIC work at an unauthorized offsite location. According to the OM, because of workload constraints, the OM did not have the capacity to follow up and ensure the contractor performed the work in the proper approved location.

Footnote 46: OIG Report, Payments to Pragmatics, Inc. (AUD-19-003) (December 2018). [End of footnote]

Similarly, in response to a complaint received by the OIG, an OM in DIT stated that an OM resource shortage impacted progress on ongoing contracts until more resources could be on-boarded. Further, previous OIG reports and the GAO Framework also state that insufficient capacity can lead to cost overruns, missed deadlines, security risks, improper payments, poor quality deliverables, or delivery failure.

The GAO Framework states that acquisition workforce data should be used for planning and decision-making, and an agency should implement workforce planning to ensure that individuals who manage and monitor contracts have an appropriate workload to perform their jobs effectively.47

Footnote 47: GAO Framework, Critical Success Factor, Monitoring and Providing Oversight to Achieve Desired Outcomes. [End of footnote]

Recommendations

We recommend that the Deputy to the Chairman and Chief Operating Officer:

(9) Provide Oversight Manager workload ratio information to Division and Office management to assist in making informed workforce planning decisions.

(10) Determine the appropriate number of oversight managers needed to manage the Division of Information Technology’s (DIT) contract workload in conjunction with DIT, and ensure the Oversight Manager workforce is appropriately staffed.

CERTAIN OVERSIGHT MANAGERS WERE NOT PROPERLY TRAINED OR CERTIFIED

In the post-financial crisis lessons learned document entitled Effectively Managing Acquisition Services Branch Procurement Policies and Resources – Meeting the Challenges of the Financial Crisis 2008-2011, FDIC management stated that:

[i]t is important that Oversight Managers are trained properly in order to make sure contractors are performing in accordance with the contract, to include among other responsibilities monitoring deliverables, and contractor invoices and burn rates.

PGI Section 6.405(d), Training Requirements for Oversight Managers and Technical Monitors, requires OMs to have a specified level of training based on the dollar value of contracts they will oversee. They are also required to take a refresher course every 3 years. Specifically, PGI 6.405(d) states OMs must complete the FDIC Contract Oversight Management Certification Training Program up to the level corresponding to the total value of the contract prior to assignment as follows:

• Level I Certification - up to $100,000;

• Level II Certification - ≥ $100,000 and < $1 Million; and

• Level III Certification - ≥ $1 Million and all RBOAs.

PGI Section 6.405(b), Appointment of Oversight Manager, requires COs to verify OM Training and Certification by using the Oversight Management Training Log. An ASB employee manually maintains the Oversight Management Training Log. This individual extracts data from Corporate University’s (CU) Learning Management System (LMS) training logs and then uploads the Oversight Management Training Log into the Oversight Management Component (OMC) within the APS.

We found that 14 OMs did not have the necessary training or certification requirements prescribed by the PGI.

• Two of the 83 OMs (2.4 percent) assigned to contracts over $1 million did not complete the FDIC’s OM Refresher Training class and were responsible for 36 DIT contracts totaling nearly $630 million.

• Twelve of the 150 OMs (8 percent) assigned to active contracts during our evaluation period did not have the required certification level for 20 contracts totaling more than $47 million.

The PGI instructed COs to use an Oversight Management Training Log list posted in the APS to verify that a potential OM had successfully completed the required level of training. However, the OIG identified 12 instances where COs had not verified that the OMs had met necessary training requirements for the assigned contracts.

FDIC officials stated that heavy workload contributed to OMs’ inability to obtain the proper level of training for their assigned contracts. ASB management advised that as of December 31, 2019, CU will be providing all OM certification training online, so that OMs can take the training on their own schedule and ASB can monitor OMs’ training through CU certifications. Completing required OM training will help to ensure that OMs have the necessary knowledge and skills to successfully manage FDIC contracts.

[Text box]

A DOA Management Services Branch (MSB) report, Review of FDIC Oversight Management Training, dated June 1, 2018, found that:

“. . . training information discrepancies . . . exist between the APS OMC [Oversight Management Component] and FDICLearn. Specifically, we found 52 individuals who had OM training information recorded in FDICLearn, but were not captured in the APS OMC. We believe the cause for the discrepancies may be attributed to the current processes for updating OM training records in the two systems. Currently, when an FDIC employee completes a web-based OM training course, the employee's training record is automatically updated in FDICLearn. We found that there is no automated update to the APS OMC system when an employee completes an OM training course. The process to update APS OMC is a manual update processed by ASB. Additionally, given the discrepancies identified, it would appear that periodic reconciliations are not being made by ASB to ensure that the two systems reconcile.” The MSB recommended that the ASB improve its training oversight for OM training.

[End of text box]

Recommendations

We recommend that the Deputy to the Chairman and Chief Operating Officer:

(11) Revise the Acquisition Services Branch’s Oversight Manager training and certification verification process to require the use of Corporate University’s Learning Management System.

(12) Verify Oversight Manager certifications as required by Acquisition Procedures, Guidance, and Information requirements.

SAMPLED CONTRACTS COMPLIED WITH SECURITY REQUIREMENTS

In an FDIC OIG evaluation, Controls over Separating Personnel’s Access to Sensitive Information,48 the OIG identified concerns with the pre-exit clearance process for contractors. At the time of our evaluation, the OIG had closed the recommendation related to this finding. Furthermore, our review of the four sampled contracts did not identify similar issues with the pre-exit clearance process. In addition, as part of our review of the four sampled contracts, we noted that the FDIC had established policies and procedures to oversee security risks posed by contractors, including background checks, IT security training requirements, and security over contract deliverables. The CO and the OM have a continuing duty over the life of the contract to update security information as changes in contractor personnel occur, including their access to FDIC facilities and network systems.

Footnote 48: OIG Report, Controls over Separating Personnel’s Access to Sensitive Information (EVAL-17-007) (September 2017). [End of footnote]

We reviewed the FDIC’s security policies and procedures and, for our sampled contracts, observed how OMs performed their responsibilities. We did not identify security issues related to FDIC contractors or their deliverables for the four contracts we reviewed.

THE FDIC RECEIVED GOODS AND SERVICES FOR SAMPLED CONTRACTS

According to the PGI, the OM is responsible for inspecting the contractor’s work to ensure that it is in compliance with contract requirements. Once the OM completes an inspection and finds the contractor’s work satisfactory, the OM accepts the goods or services for the FDIC. If the contractor’s work is not satisfactory, the OM rejects the goods or services. The OM must document acceptance in CEFile. This documentation is important because it provides evidence of contractor performance.

We found that the FDIC received the goods and services as specified in the contracts for our four sampled contracts. As discussed previously in our finding above, The FDIC’s Contract Files Were Missing Certain Required Documentation, CEFile did not contain inspection and acceptance documentation for one sampled contract. However, the OIG ascertained that the OM had inspected and accepted the goods and services and there were no issues with the contractor’s deliverables.

FDIC COMMENTS AND OIG EVALUATION

On October 7, 2019, the FDIC’s Deputy to the Chairman and Chief Operating Officer, on behalf of the Agency, provided a written response to a draft of this report (FDIC Response), which is presented in its entirety in Appendix 3. We carefully considered the comments in the FDIC Response.

The FDIC concurred with 10 recommendations and partially concurred with 2 recommendations made in this report and stated that management was committed to continuous improvement with regard to contract oversight management. The FDIC Response acknowledged “the importance of having a contract oversight program that embodies the GAO Framework [Framework for Assessing the Acquisition Function at Federal Agencies] cited by the OIG as well as having controls, processes, and meaningful data that allow for proactive monitoring and mitigation of risks.” The FDIC Response further stated that “we [the FDIC] recognize and embrace opportunities to improve our programs and processes where it is cost-effective to do so.” The FDIC Response stated that “[t]he OIG correctly noted that the FDIC cannot easily, and without manual data manipulation, conduct comprehensive portfolio-wide analyses and reporting.” In that regard, the FDIC is working to “replace APS with a new end-to-end procurement system.” The FDIC has “set forth expectations that the new system should provide dashboards, enhanced reporting, improved document upload functionality, and management and oversight of contracts on a portfolio-wide basis. These improved capabilities are consistent with the OIG’s findings and recommendations.”

The FDIC Response described actions and processes that were implemented or in progress to oversee contracted goods and services. We did not validate the FDIC’s implementation of these efforts.

The FDIC agreed to undertake the following actions to address 10 of the OIG’s recommendations:

• Develop reports to identify and capture key contract information and issue guidance to Contracting Officers to improve the consistency, reliability, and usefulness of contract data;

• Issue a reminder to Oversight Managers on contract documentation requirements;

• Conduct performance testing on the contract document system upload times, and if proven slow, consider the feasibility and cost of solutions to improve performance;

• Establish a routine process and perform an internal review to verify that Oversight Managers upload documents into the contract document system in a timely manner and maintain complete files;

• Issue updated guidance to Oversight Managers on handling documents containing Personally Identifiable Information;

• Complete an updated Privacy Threshold Analysis on the contract document system;

• Determine whether controls need to be established or alternative solutions are needed to ensure that Personally Identifiable Information is protected in the contract document system;

• Provide Oversight Manager workload ratio information to Divisions and Offices;

• Include guidance as part of the FDIC’s annual budget and planning process instructing Divisions and Offices to consider contract oversight workload in proposing their budgets and staffing and work with Divisions and Offices to ensure they consider an employee’s existing workload when designating the employee as an Oversight Manager on a contract; and

• Remind Contracting Officers to verify Oversight Manager certifications.

These planned actions are responsive to Recommendations 1, 3, 4, 5, 6, 7, 8, 9, 10, and 12; therefore, we consider these recommendations to be resolved.

For the remaining two recommendations (Recommendations 2 and 11) with partial concurrence, the FDIC agreed to undertake the following actions:

• Consult with stakeholders to evaluate the usefulness of newly captured acquisition data and consider any possible reporting enhancements; and

• Continue to check the Contract Management Certification Log before appointing an Oversight Manager to provide reasonable assurance that Oversight Managers have taken proper training.

These actions did not fully address Recommendations 2 and 11 and, therefore, we do not consider them to be resolved. With regard to Recommendation 2, our report and the FDIC Response supported that enhanced contract portfolio reports should be provided to FDIC executives, senior management and the Board of Directors. Our evaluation found that the FDIC’s reports do not provide the Board or other senior management officials with a portfolio-wide view of the FDIC’s contracts. We also noted that enhanced reporting will increase transparency in regard to contract costs, periods of performance, modifications, and OM workload. As discussed above, the FDIC Response stated it has set forth expectations that the new system should provide dashboards and enhanced reporting. Therefore, “consulting” with stakeholders and “considering” possible reporting enhancements is not sufficient.

With regard to Recommendation 11, the FDIC stated that its process for verifying OM training certifications provides reasonable assurance that OMs have taken proper training. The FDIC cited that 94 to 98 percent of OMs met training requirements and those that did not created minimal risk. In one case, the FDIC stated that it “granted an allowable exception” for one employee described as a “subject matter expert.” Nevertheless, during our evaluation, the FDIC did not provide evidence that such exceptions were allowable. Further, as discussed in the report, FDIC officials noted that there were other OMs who did not obtain the proper level of training due to a heavy workload. We maintain that the training was required per the FDIC’s acquisition procedures, and proper internal controls are necessary to ensure OMs meet training and certification requirements.

To that end, during our evaluation, the FDIC informed us that as of December 31, 2019, it would monitor OM training and certifications directly through CU’s Learning Management System. This appeared to be a more viable solution than the process being used by the ASB to manually extract data from CU’s system and upload it into the Oversight Management Training Log—a process that is prone to discrepancies.49 As such, we made a recommendation to require the use of CU’s Learning Management System. If the FDIC is no longer pursuing this approach, it should implement another automated process that will not rely on the manual input of data. We will seek resolution of Recommendations 2 and 11 during the evaluation follow-up process.

Footnote 49: DOA’s Management Services Branch identified these discrepancies during an internal review in June 2018. We have included this information in the final report to further support the recommended process change. [End of footnote]

Although the FDIC acknowledged the most significant conclusions of our report—the need for a contract oversight program that embodies the GAO Framework and allows the FDIC to easily, and without manual data manipulation, conduct comprehensive portfolio-wide analyses and reporting—the FDIC also criticized our evaluation methodology and some of our conclusions. We take strong exception to this criticism, and it is at odds with the FDIC’s overall concurrence and agreement with our findings and recommendations.

For example, the FDIC criticized our contract sample size stating that “[a] more comprehensive sample would have provided better evidence for reaching conclusions on the effectiveness of contract oversight, and moreover, any actual risks or negative effects resulting from findings.” To that end, the FDIC stated that our conclusion that “the FDIC must strengthen its contract oversight [management]” conveyed a “sense of unmitigated risk and immediacy that is not supported by the scope and results of the OIG’s review.”

These comments demonstrate a misunderstanding of our evaluation methodology and the evidence supporting our findings and conclusions. Given the large size of the FDIC’s contract portfolio and associated contract management systems and activities, the OIG pursued a multi-pronged approach to evaluate the FDIC’s contract oversight, including:

• An assessment of the FDIC’s contracting management information system in relation to the standards established by the GAO Framework;

• An assessment of OM workload capacity, training, and certification using ASB and CU reports;

• An in-depth review of a limited number of sampled contracts to assess compliance with the FDIC’s policies and procedures and best practices;50 and

• Numerous interviews with contract personnel, nine FDIC Divisions and Offices, and several Federal Agencies.

Footnote 50 This is a common methodology used throughout the OIG community and supported by Government Accountability Office guidance. For example, GAO Report, Program Evaluation and Methodology Division -- Case Study Evaluations (November 1990). [End of footnote]

In performing these evaluation procedures, we obtained sufficient, competent and relevant evidence to support our findings and conclusions in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. These standards do not require us to identify actual negative effects to support our conclusions. Rather, the Quality Standards for Inspection and Evaluation state “a finding or set of findings is complete to the extent that the [evaluation] objectives are satisfied and the report clearly relates those objectives to the applicable elements of a finding.” Additionally, according to Government Auditing Standards,51 “effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks.”52 Our report identified numerous effects and potential effects. For example, our report noted:

Footnote 51: Neither the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation nor the Government Auditing Standards require that the auditor identify actual negative effects to support the conclusions. [End of footnote]

Footnote 52: GAO Report, Government Auditing Standards 2018 Revision (GAO-18-568G) (July 2018) (Yellow Book). [End of footnote]

• The FDIC could not use its contracting management information system to conduct historical trend analyses, plan for future acquisition decisions, and assess risk in the FDIC’s contract portfolio;

• The FDIC could incur additional costs to recover or replace lost documentation and could have difficulty enforcing a contract in the event of contractor noncompliance;

• PII could be compromised because the FDIC is not monitoring the electronic contract files for PII; and

• Insufficient OM capacity in one FDIC Division put it at risk for not effectively overseeing contracts.

These effects and potential effects clearly demonstrate that the FDIC must strengthen its contract oversight management and, therefore, we continue to support the conclusions in our report. We have added details to the Objective, Scope, and Methodology included in Appendix 1 to explain more fully the OIG’s methodology related to our assessment of the FDIC’s contracting management information system against the GAO Framework.

The FDIC Response stated that there is value to overseeing contracts on both a contract-by-contract basis and a portfolio basis. We agree and support the FDIC’s use of both approaches. However, we disagree that the FDIC was using both approaches during the period of our evaluation. The FDIC stated that “ASB, in collaboration with FDIC Divisions and Offices, including the Legal Division, are using both means to ensure contractor performance and costs are effectively managed” [emphasis added] and that the report provided to the Board of Directors “actually covers the entire portfolio in some form.” The facts and evidence obtained during our evaluation do not support these statements. We found that the FDIC’s agency-wide contracting system did not maintain certain key data in a manner necessary to conduct portfolio-wide analyses. Additionally, contract monitoring in silos from Division to Division does not constitute portfolio-wide contract oversight management as described in the GAO Framework and explained throughout our report. Further, while the ASB report presented to the Board may describe trends in new awards and expenditures, as noted in our evaluation report, it only includes detailed information for higher risk contracts over $5 million and all contracts over $20 million. These contracts comprised only a small percentage of the overall portfolio of the FDIC’s contracts. As a result, we continue to support our position that the ASB report does not provide a portfolio-wide view or the ability to analyze historical contracting trends across the portfolio, identify anomalies, and perform ad hoc analyses.

Finally, the FDIC stated that it enhanced the procurement system and reporting in 2011 and 2012; however, ASB was unable to provide documentation or support for agency-wide system enhancements related to missing data, ineffective reporting, and an executive dashboard. Therefore, the enhancements cited in the FDIC Response are unrelated to the issues presented in our evaluation report.

We acknowledge the efforts of the FDIC to oversee its contracts, and we appreciate the information provided for this report. We look forward to the FDIC’s implementation of our recommendations to improve its contract oversight management.

Appendix 1

Objectives, Scope, and Methodology

Our evaluation objective was to assess the FDIC’s contract oversight management, including its oversight and monitoring of contracts using its contracting management information system, the capacity of OMs to oversee assigned contracts, OM training and certification, and security risks posed by contractors and their personnel. We conducted this evaluation from November 2017 to December 2018 in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. The scope of this evaluation included judgmentally selecting three FDIC contracts from the Divisions with the highest volume of contracts in the Agency and one FDIC contract from a Division with a lower volume of contracts. We included the lower contract volume Division in order to ensure coverage of low volume Divisions and to compare procurement activities. These contracts were awarded between 2013 and 2017 with one or more of the following characteristics: contracts equal to or greater than $1 million, OMs with 10 or more contracts, significant number of modifications, contract complexity, or cyber supply chain risk.53

Footnote 53: Cyber supply chain risk management is the process of mitigating the risk that foreign entities or other malicious actors may be able to do harm because of the agency’s reliance on contractors and vendors to provide computer hardware, software, or other technological services. [End of footnote]

Table 3: OIG Sampled Contracts

Row: 1; Sample Items: Sample 1; Divisions: DRR; Awarded Amount: $6,765,600; Concurrent Contracts*: 7; Modifications: 8; Pricing Arrangement: Hybrid**; Supply Chain Risk: No;

Row: 2; Sample Items: Sample 2; Divisions: DRR; Awarded Amount: $10,000,000; Concurrent Contracts*: 20; Modifications: 0; Pricing Arrangement: Fixed-Price Award; Supply Chain Risk: No;

Row: 3; Sample Items: Sample 3; Divisions: DIT; Awarded Amount: $869,132; Concurrent Contracts*: 11; Modifications: 1; Pricing Arrangement: Time and Materials; Supply Chain Risk: Yes;

Row: 4; Sample Items: Sample 4; Divisions: RMS; Awarded Amount: $1,193,960; Concurrent Contracts*: 1; Modifications: 12; Pricing Arrangement: Hybrid**; Supply Chain Risk: No;

[End of table]

Source: OIG analysis of contract documents in CEFile.

*Number of contracts overseen by the OM simultaneously. **Hybrid is a combination of firm-fixed price and labor hours, time and materials, or pass-through cost.

To assess oversight and monitoring of contracts, we reviewed relevant FDIC policies and procedures. We also reviewed contracting files and interviewed assigned OMs to evaluate the OMs’ contract oversight plans and communication strategies; contract monitoring activities, including enforcing the contract timeline and expenditure ceiling; inspection and acceptance of deliverables; oversight of contractor security risks (protection of Personally Identifiable Information, onboarding/exiting contractor staff, and cyber supply chain risk management); and monitoring of contractor performance.

To assess the capacity of OMs to oversee assigned contracts and OM training and certification, we interviewed FDIC officials, including OMs, and analyzed FDIC reports from the ASB and the FDIC’s CU.

We reviewed relevant Federal acquisition guidance, in particular the GAO Framework for Assessing the Acquisition Function at Federal Agencies. Our review of the GAO Framework focused on the Knowledge and Information Management cornerstone to assess the FDIC’s oversight and monitoring of contracts using its contracting information system at the contract portfolio level. We also reviewed the Standards for Internal Control in the Federal Government (Green Book). We conducted interviews with the Deputy Director of the ASB and other contract personnel in order to understand their roles and responsibilities in Agency-wide contract oversight, and identify concerns. We also conducted interviews with officials in nine FDIC Divisions and Offices to develop insight into their roles and responsibilities regarding contract oversight management. Finally, we interviewed General Services Administration and select Federal Financial Institution Examination Council Agency officials to understand their contract oversight management policies and procedures to identify best practices.

Appendix 2

Acronyms and Abbreviations

APM Acquisition Policy Manual

APS Automated Procurement System

ASB Acquisition Services Branch

BCG The Boston Consulting Group

BOA Basic Ordering Agreement

BPA Blanket Purchase Agreement

CDIS Consolidated Document Information System

CEFile Contract Electronic File

CMP Contract Management Plan

CO Contracting Officer

DIT Division of Information Technology

DOA Division of Administration

DRR Division of Resolutions and Receiverships

FDI Act Federal Deposit Insurance Act

FDIC Federal Deposit Insurance Corporation

GAO Government Accountability Office

IAA Interagency Agreement

IT Information Technology

LMS Learning Management System

MWOB Minority and Women-owned Business

NFE New Financial Environment

NIST National Institute of Standards and Technology

OIG Office of Inspector General

OM Oversight Manager

PGI Procedures, Guidance, and Information

PII Personally Identifiable Information

PTA Privacy Threshold Analysis

RBOA Receivership Basic Ordering Agreement

RMS Division of Risk Management Supervision

TBOA Tasking Basic Ordering Agreement

TM Technical Monitor

Appendix 3

FDIC Comments

[FDIC Letterhead, Division of Administration]

DATE: October 7, 2019

MEMORANDUM TO: Terry L. Gibson, Assistant Inspector General for Program Audits and Evaluations, Office of Inspector General

FROM: Arleas Upton Kea, Deputy to the Chairman and Chief Operating Officer

SUBJECT: Management Response to the OIG Draft Report, Contract Oversight Management (Assignment No. 2018-008)

The FDIC has completed its review of the Office of Inspector General’s (OIG) draft evaluation report titled Contract Oversight Management, issued on August 30, 2019. We appreciate the opportunity to comment on the report’s findings and recommendations.

Introduction

As outlined in the Acquisition Policy Manual, our contracting program strives to meet the following key attributes:

• Effectiveness: The timely and cost-effective procurement of goods and services that work well for the customer.

• Flexibility: The ability to make good decisions based on best practices for particular circumstances, rather than rigid adherence to standard procedures.

• Efficiency: Simple processes that achieve good results without undue oversight or waste of resources.

• Responsibility: The role of each member of the FDIC Acquisition Team is to exercise personal initiative and sound business judgment.

• Public Trust: Achieved through fairness and open and honest communications with contractors and the public.

We have designed policies, procedures, and practices consistent with those attributes and, with respect to contract oversight, believe they reasonably ensure that contractors deliver required goods or perform work according to delivery schedules and within contract ceilings. These controls are accompanied by a multi-level training program for Oversight Managers (OM) assigned responsibility for overseeing work performed by contractors. Furthermore, as described in the OIG report, we also maintain and rely on information systems and provide reports to management and the FDIC Board of Directors to track key contract-related data and identify and mitigate risk.

The following section describes actions and processes in addition to those included in the OIG’s report that the FDIC has successfully implemented or has in progress to oversee contracted goods and services.

Actions and Processes that Add Transparency and Governance to Contractor-Provided Goods and Services

• The FDIC’s procurement-related delegations of authority require Board approval for all contract actions with a total value of $20 million or greater. This approval is obtained through submission of a case addressed to the Board of Directors, prepared jointly by the Division of Administration, Acquisition Services Branch and the program office. The Board case includes key information regarding the proposed contract such as background and description of the requirement, information regarding the acquisition strategy, sources being solicited, proposed cost of the procurement, and the timeline of the procurement action. This approval process resulted in the Board being provided in-depth visibility into 14 contracts and Basic Ordering Agreements (BOA) valued at approximately $1.9 billion and 8 task orders issued under several of the BOAs referenced above valued at approximately $268 million from 2013 through 2017, the period covered by the OIG’s evaluation.

• The FDIC also has a Capital Investment Review Committee (CIRC), made up of senior management officials across the Corporation, to implement a systematic management review process that supports budgeting for the FDIC’s capital investments and ensures regular monitoring and proper management once funded. The CIRC is dedicated to reviewing and overseeing all major IT (Information Technology) and non-IT capital investments. The Committee determines whether a proposed investment is appropriate for the FDIC Board's consideration, oversees approved investments throughout their life cycle, and provides quarterly reports to the Board of Directors. Contractors are frequently involved in these projects, and, as a result, the CIRC provides another avenue for senior management and the Board to be aware of risks associated with ongoing contracts.

• As part of the annual budget and planning process, divisions and offices provide detailed information supporting requested funding for contractor-provided services. The requests are evaluated against the Corporation’s performance goals and prioritized accordingly. In its memorandum to the Board of Directors requesting approval of the Operating Budget, the FDIC specifically addresses the extent to which funding is required for contracts and discusses key corporate initiatives involving contracted services. Any variances in this budget category are flagged as part of quarterly performance reviews and included in Chief Financial Officer reports provided to the Board.

Footnote 1: Additionally, a request to the Board is required after contract award when subsequent modifications to the contract increase the total contract value to 115% (cumulative) or more of the Board-approved original award amount, or increase the proposed project schedule or period of performance by more than 15% (cumulative). [End of footnote]

Footnote 2: The CIRC is responsible for approving and overseeing all investments with either a proposed investment cost of at least $9 million, or the investment is deemed to have a “significant corporate impact”. [End of footnote]

• ASB has made significant improvements to its Automated Procurement System (APS) to enhance the FDIC’s Contract Oversight Management Program. These enhancements include developing three components in 2011 and 2012 to facilitate contract oversight (i.e., the Contractor Performance Component, the Milestone Schedule Component, and the Oversight Management Component). ASB also developed new reports, including the Procurement Action Lead Time report, the Clause/Provision report and the Contract Category report, which are used by Contracting Officers and Program Offices in managing awards. ASB also enhanced various reports to provide more detailed status of the contract portfolio, including additional oversight/risk categories, OM/Technical Monitor (TM) certification levels, contractor performance, and award close-out dates.

• The Division of Information Technology (DIT) and Division of Resolutions and Receiverships (DRR) use dashboards to provide key insights on procurement actions, OM workloads, summary reports with links to detailed data including budgeted to actual expenses, demographic data, and data on all active awards.

• DRR regularly holds contract forums with various stakeholders of DRR’s contracting program and topics include industry best practices, security issues, and innovative contracting techniques.

• DIT and ASB have recurring meetings among various stakeholders on active contracts to discuss status and any risks or issues that require mitigation.

• ASB has continually refined its Oversight Manager Training Program. Over time, ASB has strengthened the program from 3 days of basic training to a multi-tiered approach that is commensurate with the complexity of the assigned contract. The curriculum covers all aspects of oversight management and refresher training. These program improvements have resulted in greater efficiency, flexibility in delivery, measurable training progress, and “just in time” learning.

• The OIG correctly noted that the FDIC cannot easily, and without manual data manipulation, conduct comprehensive portfolio-wide analyses and reporting. In that regard, ASB is collaborating with DIT to replace APS with a new end-to-end procurement system that will facilitate pre-award planning, contract writing, and post award contract administration. We have set forth expectations that the new system should provide dashboards, enhanced reporting, improved document upload functionality, and management and oversight of contracts on a portfolio-wide basis. These improved capabilities are consistent with the OIG’s findings and recommendations.

Observations Regarding the OIG’s Findings and Conclusions

We acknowledge the importance of having a contract oversight program that embodies the GAO Framework cited by the OIG as well as having controls, processes, and meaningful data that allow for proactive monitoring and mitigation of risks. Accordingly, we take the results of the OIG’s evaluation seriously and our overall concurrence with the individual recommendations reflects our commitment to continuous improvement with regard to contract oversight management. However, we have several observations regarding the OIG’s presentation of findings and conclusions that bring needed clarity to the report and a more fair and objective portrayal of the program.

The OIG states in its report that “the FDIC must strengthen its contract oversight”. The tone of that conclusion conveys a sense of unmitigated risk and immediacy that is not supported by the scope and results of the OIG’s review. While the OIG performed various procedures to evaluate program-level aspects of the FDIC’s contract oversight, it only included four contracts in its sample, noting they were awarded between 2013 and 2017, based on several criteria associated with elevated contract risk. The aggregate value of these four contracts totaled approximately $18.9 million. During that timeframe, the FDIC awarded over 5,000 contracts valued at $3.2 billion. The divisions responsible for two of the four contracts oversee hundreds of contracts on a continuing basis. A more comprehensive sample would have provided better evidence for reaching conclusions on the effectiveness of contract oversight, and moreover, any actual risks or negative effects resulting from findings. Notably, for the contracts that the OIG did review, it found that the FDIC received goods and services consistent with contract provisions.

The OIG reported that “the FDIC was overseeing contracts on a contract-by-contract basis rather than on a portfolio basis.” We believe there is value to both approaches. The portfolio-wide analysis is useful for identifying trends, planning acquisitions, determining lessons learned, and targeting risk, and we acknowledge that we can improve our system and reporting capabilities in that regard. However, such analysis must be accompanied by fundamental contract oversight on individual contracts. As described above, ASB, in collaboration with FDIC divisions and offices, including the Legal Division, are using both means to ensure contractor performance and costs are effectively managed. Collectively, the existing practices and planned system and reporting capabilities described earlier will provide a risk-based oversight approach that covers a substantial portion of the dollar value of FDIC contracts outstanding.

On pages 16 through 18 of the draft report, the OIG discusses activities surrounding Government Accountability Office-identified internal control deficiencies, including one involving contract oversight—in 2010. In that section of the report, the OIG suggests that DOA did not take full advantage of an opportunity to leverage a DRR contract reporting system to improve corporate-wide contract reporting. While that may have been the case for a variety of business reasons, the report does not mention that ASB worked to mitigate the internal control deficiencies through enhancements to the procurement system and reporting, as described earlier in our response.

In discussing its review of OM training, the OIG reported that some OMs did not have the necessary training or certification requirements prescribed by the PGI. Notably, the OIG highlighted two OMs who did not complete FDIC’s OM Refresher Training class and another twelve OMs who did not have the required certification level for contracts to which they were assigned. While we agree that compliance with these training requirements is important and did not occur in these instances, the report lacks facts and context that would enable the reader of the report to more fully understand the actual versus potential effect of the finding.

As it relates to the two OMs who did not complete refresher training, both individuals had completed all advanced oversight management training requirements. With respect to those who did not have the required certification level, several are considered to be subject matter experts in the area of contract oversight management and are widely regarded as authoritative resources in this area. One such OM is the Program Manager for the OM training program who developed the OM curriculum and frequently delivers OM training on behalf of the Agency. As a result of the OM’s expertise, ASB’s Deputy Director granted an allowable exception to the requirement that she attend training that she developed and frequently delivers. The OIG did not mention this relevant point in its report. Another OM is a seasoned Contracting Officer with an unlimited contracting warrant who maintains 80 hours of continuous learning every two years. This individual is also considered to be a subject matter expert in the area of contract oversight.

Lastly, the Executive Summary does not, in some instances, accurately reflect the detailed findings in the body of the report or provide appropriate balance and context. For example:

• The OIG did not reference various contracting system functionalities that exist for divisions and offices to manage their respective contracts or a quarterly report provided to the Board of Directors that provides key data on contracts deemed to require greater oversight.

• In discussing the workload for OMs, the OIG fails to acknowledge that TMs assist in monitoring contracts involving complex work.

• The OIG states that “14 OMs did not have the necessary training or certification requirements prescribed by policy”. As described later in the report, this number reflects just 2 percent of OMs needing a refresher course and 8 percent not having the required certification level.

Further, within the body of the report, the OIG quotes an FDIC management review of the financial crisis which states “it is important that Oversight Managers are trained properly in order to make sure contractors are performing in accordance with the contract, to include among other responsibilities, monitoring deliverables, and contractor invoices and burn rates.” The report fails to note that FDIC significantly improved the OM training program after the financial crisis by implementing a multi-course and more in-depth training program described earlier in our response.

Despite these concerns, we recognize and embrace opportunities to improve our programs and processes where it is cost-effective to do so. Our responses to the OIG’s recommendations follow with that in mind.

Recommendation 1: Collect key acquisition data, including original contract award amount for modified contracts, original period of performance for modified contracts, clear and properly recorded contract modifications, and Oversight Manager workload, which will enhance automated portfolio-wide analyses and reporting to support informed decision-making.

Management Decision: Concur. ASB notes that Contracting Officers, in consultation with the Legal Division and program offices, provide heightened scrutiny to contract modifications that involve increasing contract value, extending periods of performance, or modifying the scope of work as part of routine business operations. This provides the FDIC with greater assurance that modifications are appropriate and for good business reasons, and provides ongoing insight into the reasons modifications are necessary.

Corrective Actions: ASB will take the following corrective actions:

(a) ASB will coordinate with DIT’s Business Intelligence Service Center (BISC) to develop reports that identify the original contract award amount and original period of performance and changes to these key data fields that occur over the life of the award; capture APS data associated with modified contracts, including the original contract award amount and original period of performance; and, in coordination with BISC, develop reports that identify contract ceiling and period of performance changes.

(b) ASB will issue guidance to Contracting Officers requiring they use pre-selected, universal descriptions of contract modifications in the ‘Modification Title’ data field within APS (e.g., change Oversight Manager, increase award value, extend period of performance, etc.) to describe the purpose of the modification. This guidance will be issued to improve the consistency of input and in turn the reliability and usefulness of data that is produced on APS reports.

(c) ASB will work with BISC to capture APS data on OMs assigned to active contracts for purposes of determining OM workload.

Estimated Completion Dates:

(a) June 30, 2020.

(b) December 31, 2019.

(c) April 30, 2020.

Recommendation 2: Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.

Management Decision: Partially Concur.

Corrective Actions: ASB notes that in describing the Award Profile Report, the OIG states that the reports prepared for the Board did not include 96 percent of the FDIC’s contracts and 43 percent of the value. The report actually covers the entire portfolio in some form, to include trends in new awards and expenditures, division-level award activity, pending awards, and purchase card transactions. There is also an appendix which includes all awards $5 million or greater, providing the total value and total paid for each one. Nevertheless, ASB will consult stakeholders, evaluate the usefulness of the newly captured acquisition data resulting from actions taken to address Recommendation 1, and consider any possible reporting enhancements resulting from the acquisition systems and business process modernization effort and make a recommendation to the Deputy to the Chairman and Chief Operating Officer for revised portfolio-level reporting. In the interim, ASB will continue to provide the Award Profile Report to FDIC executives, senior management, and the Board of Directors.

Estimated Completion Date: December 31, 2020.

Recommendation 3: Remind Oversight Managers of CEFile documentation requirements established by the Acquisition Policy Manual.

Management Decision: Concur.

Corrective Actions: ASB will issue a reminder notification of CEFile documentation requirements to OMs.

Estimated Completion Date: December 31, 2019.

Recommendation 4: Evaluate CEFile/CDIS performance to assess Oversight Managers’ concerns regarding extensive document upload time, and, if substantiated, implement a solution.

Management Decision: Concur.

Corrective Actions: ASB will request that DIT conduct performance testing on CDIS-CEFile to determine upload time. If performance testing shows there is consistent systemic slowness when a user clicks on a document to upload, ASB will request that DIT consider the feasibility and cost of solutions to improve performance and provide recommendations.

Estimated Completion Date: September 30, 2020.

Recommendation 5: Require Divisions/Offices to implement a routine process to verify that Oversight Managers are uploading documents in CEFile in a timely manner and are maintaining complete files.

Management Decision: Concur.

Corrective Actions: ASB will work with Divisions/Offices to (1) establish a routine process to verify that OMs are uploading documents in CEFile in a timely manner and maintaining complete files and (2) perform an internal review of a sample of contract files—allowing time for the process to be implemented and have an impact—to determine whether CEFile documentation has improved and is reasonably adequate.

Estimated Completion Date: By December 31, 2019, ASB will issue guidance that implements the verification process agreed upon with Divisions/Offices and provide a report to the Deputy to the Chairman and Chief Operating Officer on the adequacy of CEFile documentation by December 31, 2020.

Recommendation 6: Issue updated guidance for Oversight Managers handling documents that contain Personally Identifiable Information [PII].

Management Decision: Concur.

Corrective Actions: ASB notes that the manner in which OMs handle documents containing PII will ultimately be determined by the Privacy Threshold Analyses addressed in Recommendation 7 and controls established as a result of Recommendation 8. In the interim, ASB will update its CEFile Job Aid No. 5 (“CEFile Contract File Maintenance Responsibilities: CEFile Documentation Checklist/Guidance for Contract Specialists and Oversight Managers”) to instruct OMs to not file documents containing PII in CDIS-CEFile. ASB’s guidance will require that OMs file a memorandum in the contract file that describes the document (deliverable) that contains PII and to specify where the document is filed. The guidance will also remind OMs that the location of where the document is filed must be secure.

Estimated Completion Date: December 31, 2019.

Recommendation 7: Complete an updated Privacy Threshold Analysis of CEFile as well as an updated Privacy Threshold Analysis of CDIS, in conjunction with the Division of Information Technology.

Management Decision: Concur.

Corrective Actions: The CIOO’s Privacy Section will coordinate with ASB to complete an updated Privacy Threshold Analysis of CDIS-CEFile.

Estimated Completion Date: December 31, 2020.

Recommendation 8: In conjunction with DIT, develop controls around access to information contained within CEFile to ensure that PII is appropriately protected, or identify an alternative to CEFile that can serve as a secure repository for all contract documents.

Management Decision: Concur.

Corrective Actions: After the Privacy Threshold Analysis is completed, ASB will review the results and work with DIT and the CIOO’s Privacy Section to determine whether any controls need to be established, or alternative solutions are needed, to ensure that PII is appropriately protected in CDIS-CEFile.

Estimated Completion Date: March 31, 2021.

Recommendation 9: Provide Oversight Manager workload ratio information to Division and Office management to assist in making informed workforce planning decisions.

Management Decision: Concur.

Corrective Actions: ASB will evaluate the most cost-effective frequency and means of providing OM workload ratio information (i.e., the number of OMs assigned to active awards) to Divisions/Offices, make a recommendation to the Deputy to the Chairman and Chief Operating Officer, and then implement the solution.

Estimated Completion Date: ASB will begin providing the OM information based upon the agreed-upon approach by June 30, 2020.

Recommendation 10: Determine the appropriate number of Oversight Managers needed to manage DIT’s contract workload in conjunction with DIT, and ensure the OM workforce is appropriately staffed.

Management Decision: Concur.

Corrective Actions: The OM workload information to be provided (i.e., number of OMs assigned to active awards) to Divisions/Offices will enable them to make more informed workforce planning decisions, including resources needed to oversee contracts. In addition, the Deputy to the Chairman and Chief Operating Officer will coordinate with the Deputy to the Chairman and Chief Financial Officer to ensure that guidance issued as part of the FDIC’s annual budget and planning process instructs Divisions/Offices to consider contract oversight workload in proposing budget and staffing levels. In the interim, Contracting Officers will continue to work with Divisions/Offices to ensure that they consider an employee’s existing workload when designating them as an OM on a contract.

Estimated Completion Date: The guidance issued to Divisions/Offices for the 2021 budget year will include contract oversight as a workload driver. We expect the guidance to be issued by August 30, 2020.

Recommendation 11: Revise the Acquisition Services Branch’s Oversight Manager training and certification verification process to require the use of Corporate University’s Learning Management System.

Management Decision: Partially concur.

Corrective Actions: ASB is confident that the certification process currently in use to verify OM training certifications provides reasonable assurance that OMs have taken proper training. As indicated in the report, 94 percent to 98 percent of OMs met training requirements at the time of the OIG’s review. In addition, as described above, those that had not met the requirements created minimum risk to effective oversight because they had extensive training and subject matter expertise in the area. ASB will continue to check the Contract Management Certification Training Log, which is stored in the APS Oversight Management Component for easy access by Contracting Officers, before appointing an OM or Technical Monitor. ASB will also be reminding Contracting Officers of their responsibility to verify OMs have current training and certifications commensurate with the dollar value of contracts as described in our response to Recommendation 12 that follows.

Estimated Completion Date: December 31, 2019.

Recommendation 12: Verify Oversight Manager certifications as required by Acquisition Procedures, Guidance, and Information requirements.

Management Decision: Concur.

Corrective Actions: ASB will remind Contracting Officers to follow the guidance stated in the PGI to verify OM certifications.

Estimated Completion Date: December 31, 2019.

Appendix 4

Summary of the FDIC’s Corrective Actions

Row 1: ; Rec. No.: 1; Corrective Action Taken or Planned: - The FDIC will develop reports to identify and capture key contract information and issue guidance to Contracting Officers to improve the consistency, reliability, and usefulness of contract data.; Expected Completion Date: June 30, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 2: ; Rec. No.: 2; Corrective Action Taken or Planned: - The FDIC will consult with stakeholders to evaluate the usefulness of newly captured acquisition data and consider any possible reporting enhancements.; Expected Completion Date: December 31, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 3: ; Rec. No.: 3; Corrective Action Taken or Planned: - The FDIC will issue a reminder to Oversight Managers on contract documentation requirements.; Expected Completion Date: December 31, 2019; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 4: ; Rec. No.: 4; Corrective Action Taken or Planned: - The FDIC will conduct performance testing on the contract document system upload times, and if proven slow, consider the feasibility and cost of solutions to improve performance.; Expected Completion Date: September 30, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 5: ; Rec. No.: 5; Corrective Action Taken or Planned: - The FDIC will establish a routine process and perform an internal review to verify that Oversight Managers upload documents into the contract document system in a timely manner and maintain complete files.; Expected Completion Date: December 31, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 6: ; Rec. No.: 6; Corrective Action Taken or Planned: - The FDIC will issue updated guidance to Oversight Managers on handling documents containing Personally Identifiable Information.; Expected Completion Date: December 31, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 7: ; Rec. No.: 7; Corrective Action Taken or Planned: - The FDIC will complete an updated Privacy Threshold Analysis on the contract document system.; Expected Completion Date: December 31, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 8: ; Rec. No.: 8; Corrective Action Taken or Planned: - The FDIC will determine whether controls need to be established or alternative solutions are needed to ensure that Personally Identifiable Information is protected in the contract document system.; Expected Completion Date: March 31, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 9: ; Rec. No.: 9; Corrective Action Taken or Planned: - The FDIC will provide Oversight Manager workload ratio information to Divisions and Offices.; Expected Completion Date: June 30, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 10: ; Rec. No.: 10; Corrective Action Taken or Planned: - The FDIC will include guidance as part of the FDIC’s annual budget and planning process instructing Divisions and Offices to consider contract oversight workload in proposing their budgets and staffing and work with Divisions and Offices to ensure they consider an employee’s existing workload when designating them as an Oversight Manager on a contract.; Expected Completion Date: August 30, 2020; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 11: ; Rec. No.: 11; Corrective Action Taken or Planned: - The FDIC will continue to check the Contract Management Certification Log before appointing an Oversight Manager to provide reasonable assurance that Oversight Managers have taken proper training.; Expected Completion Date: December 31, 2019; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 12: ; Rec. No.: 12; Corrective Action Taken or Planned: - The FDIC will remind Contracting Officers to verify Oversight Manager certifications.; Expected Completion Date: December 31, 2019; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

[End of table]

a Recommendations are resolved when —

1. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation.

2. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation.

3. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Recommendations will be closed when the OIG confirms that corrective actions have been completed and are responsive.

[End of report]

Federal Deposit Insurance Corporation

Office of Inspector General

3501 Fairfax Drive, Room VS-E-9068, Arlington, VA 22226

(703) 562-2035

The OIG’s mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency. To report allegations of waste, fraud, abuse, or misconduct regarding FDIC programs, employees, contractors, or contracts, please contact us via our Hotline or call 1-800-964-FDIC.

FDIC OIG website, www.fdicoig.gov

Twitter, @FDIC_OIG

Oversight.gov - www.oversight.gov/