Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Remember the CARES Act, enacted at the height of the pandemic? Among other things, it let agencies reimburse contractors to pay employees unable to work at an approved federal site or to telework. At the National Security Agency, lack of controls led to millions of dollars in improper payments under the CARES Act. That’s according to an...
Remember the CARES Act, enacted at the height of the pandemic? Among other things, it let agencies reimburse contractors to pay employees unable to work at an approved federal site or to telework. At the National Security Agency, lack of controls led to millions of dollars in improper payments under the CARES Act. That’s according to an audit by the NSA’s Office of Inspector General. Joining the Federal Drive with Tom Temin with more, the assistant IG for audits, Jamal Hall.
Tom Temin: Mr. Hall, good to have you on.
Insight by HP: During this exclusive webinar, moderator Jason Miller and his guest, Todd Gustafson, president of HP Federal, LLC and the head of U.S. public sector at HP, Inc. will discuss how can agencies can take advantage of secure cloud capabilities and other technologies to drive better mission outcomes.
Jamal Hall: Thank you, Tom, good to be here.
Tom Temin: And what did you look at here? Basically, the entire program of payments to contractors that the NSA made under the CARES Act?
Jamal Hall: Yes. So we took a look at the entire payment program, we looked at the period from March to the end of August 2020. And we were really looking for, you know, variances between kind of what was provided for CARES reimbursement, versus kind of the data and evidence that we had available at the time. And what we did find was a lot of really good sort of questionable items to come out of it, and variances that cause additional questions in the future.
Tom Temin: All right, and your methodology was to take 25 sample invoices, or did you have a bigger base of information than that?
Jamal Hall: Oh, yes, we did take a sample of 25 invoices at the time, and we did it based almost on the sort of the category and it was out of like 2,145 invoices that we had available. So a lot of times from an audit and Yellowbook standpoint, what we do is we select the sample size based on the amount of testing that we do the extent of that testing, so it dictates the sample size. So in this case, we knew we couldn’t do you know 50%, because we were really going to get into the details here. So what we did was we took a look at the labor categories, the different contract categories for the contract. So we selected between time and materials cost for our fixed price. And we took sort of a weighted sample of those different contract types to kind of formulate a 25 sample invoices.
Tom Temin: But you do feel that the results are projectable across the entire 2,145 population of those invoices?
Jamal Hall: Only predictable from the process standpoint, I would say. So the processes were systemic. And that’s what we found. We wouldn’t necessarily project sort of the dollar figure the 16.4 question cost against the overall total number of invoices. So we are always a little, a little gun shy of doing that.
Tom Temin: And we should say, too, that the NSA did jump on this because by the 31st, I believe it is of March of that year, they had guidance out to contractors on how they should submit invoices under the CARES Act so that the agency was quick to get on board. Correct?
Jamal Hall: Correct. NSA was extremely aggressive and implementing this putting out guidance, saying on the 27th of March was the start of the period to make this happen. And of course, the director of National Intelligence was also extremely aggressive in ensuring that the intelligence community participate in this program for its flexibilities. But definitely NSA was extremely aggressive. And one of the things if I may kind of give the agency credit here was that they did set up guardrails immediately to try to make sure that they had control of this. They did things like make sure that the word CARES appeared in the invoice number or that the contractors had to submit, you know, when they submit a CARES invoice, they also have to submit a certification memorandum which basically said that they did not receive reimbursement from other coronavirus programs. And then they also had to submit an hours tracker, which basically, you know, it gets into details, but it’s basically a spreadsheet that lines up individuals with the hours worked and the CARES hours so they can better do tracing themselves. So they were aggressive about implementing this, but I have to give him credit, they did try to set up some guardrails to kind of get their hands around it.
Tom Temin: We are speaking with Jamal Hall, he is assistant inspector general for audits at the National Security Agency. But nevertheless, you found there were bills for employees that you couldn’t find on the base of employees for that contract, non-existent, possibly. You found discrepancies in hours and rates. So give us the top line of what you found that maybe didn’t go so well.
Jamal Hall: You know, we found issues where individuals were billed to the agency that were not necessarily associated with NSA contracts. And from that we found a few of those, we found instances where individuals exceeded the hours that they were supposed to work. So if you’re supposed to work a 40 hour average work week, which is understandable under a reimbursement program that we had folks that actually submitted a request for over those 40 hours. We also had where folks exceeded their labor rates. So labor rates are sort of established in the contract. But when the reimbursement requirements came back in you had these individuals that exceeded those labor rates. So a lot of varying sort of issues across the board that we found there.
We did also, I mean, I talked about sample at 25. I gotta say we also did a sample of 20, because one things that we wanted to do was in we tried to be as thorough as we can with these projects, right? We took a look at you know, for invoices that were submitted for a period of service before and after the CARES period, which I think I mentioned started 27th of March, but also ended like Sept. 30. So we found one instance where there was an invoice submitted and then went to March 11, which is before the CARES period and tried to figure out what happened there. And when we asked agency contract offer representatives offered that, hey, this is, you know, partly due to the changing policies. We did another one where we found where, you know, a request was put in and the period was after. And what we had there was just honestly, just bad tracking, and that sort of understanding of the hours that are supposed to be recorded and against, you know, kind of verifying the number of hours that they were supposed to go over. So we found a lot of different issues across the board, which you kind of say was, you would expect an unprecedented sort of response that the agency took like this.
Tom Temin: Sure. And so was this basically, because of the speed and the amount of manual checking required? Or is there some sort of basic controls that should be in their system now that were not in place?
Jamal Hall: I must say that what you said was definitely dead on output. That is, number one, right? The fact that this is unprecedented, the fact that it was immediate, but it also kind of borne out some things as well. So first off, one of the things that happened was the guidance was constantly evolving. You had 10 memos come out during the period from DoD, director of National Intelligence and OMB (Office of Management and Budget). You had 25 guidance documents come from the agency, right, you had six different versions of the certification memo template, and four different versions of our tracker spreadsheet that I mentioned, right? I can imagine that’d be very difficult for a COR (contracting officer representative) who was processing and going through these invoices to make sure that we’re using the most up to date guidance. Another factor was immediacy, there was also reduced staffing, which is also a thing that affected a lot of federal agencies. And because of that reduced staffing, you had CORs that sometimes had to approve contracts that they weren’t as familiar with. And when we talked to some of these CORs, they felt uncomfortable applying cares requirements against those invoices. And this is something else that kind of came up. That borne out. You know, we did a report back here that released unclassified in 20 Oct. of last year, 2021. And what we found was that this generally just over reliance on contractor provided support, and this kind of borne out as well, this is what we saw in some of our results. For this audit, when we talked to 20 CORs, four of them kind of shared that they relied on the contractors’ word and provided a document to verify the accuracy of the invoices, which is not something that you would expect, you expect it to be some sort of independent verification, right. And then also, you know, previously, and this is kind of just the timing of this, from that prior audit that we’ve done of cost reimbursement contracts, we also found that the fact that COR oversight was not as mature as it should have been. So we found, you know, vague and effective CORroles, responsibilities and oversight procedures that the agency was still working on due to the audit. So a lot of those things kind of came up around the same time.
Tom Temin: Sometimes I think the contracting officer representative might be one of the toughest jobs in government. But is it possible, then, to know the total number of hours that were involved here that were paid improperly? Or the total dollars that went out that should not have? Are you able to sum that up?
Jamal Hall: So one of the things that we did not do and it wasn’t actually part of the scope, because we’re looking further at the the veracity invoices was go do and run background to look at how they calculated the total. Right? So from an IG standpoint, I can’t necessarily say verify, with assurance, the total number of hours is approximately $117 million, the number of hours the agency is working back, and they provided the number of hours but we did not verify that either. So that’s one of the things that we were gonna go back and you know, kind of just maybe take a look at in the future say, OK, well, you know, generally, how was this total number sort of calculated, but it wasn’t necessarily within the scope of the project.
Tom Temin: And this might also be out of the scope. But can the agency get that money back, either by just reimbursement checks from the contractors, or simply deducting it from future invoices if that’s even legal or possible under federal accounting?
Jamal Hall: That I do not know. And I shouldn’t say that during the interview, right? But one of the things I do know is that we are tracking how they recover it, because we do put out recommendations were specifically for the cost that we questioned the 16.4 million, we’re asking them to go back, go to the contract and make sure that they collect that additional evidence to ensure the accuracy of the hours, the rates and the contractor status. We’re also not just for the invoices that we questioned. But for the ones that we didn’t question the broader sense, we’re asking them to do a risk assessment, we’re recommending that they do a risk assessment for all the invoices and determine the level of testing that’s needed to identify where the unsupported payments are, where these problems are, and then of course, perform that testing and recover that cost. So through our follow up process, we are tracking to make sure that if something is deemed unsupportable, that they are unable to get the you know, the evidence to support those costs, that they actually recover.
Tom Temin: Sure, because it’s not as if they paid ransomware to some outfit in Romania. These are companies that are still dealing with and working with day by day.
Jamal Hall: Exactly. And these are relationships that I assume they want to maintain as well, right?
Tom Temin: And there is a billion dollars at stake almost and so, that’s not chump change even for the NSA.
Jamal Hall: Exactly.
Tom Temin: Jamal Hall is assistant inspector general for audits at the National Security Agency. Hey, thanks so much for joining me.
Jamal Hall: Thanks a lot, Tom. It’s been a pleasure.