No contract type requires more government oversight than cost reimbursement. Looking at just a small sample of invoices incurred by the National Security Agency, its inspector general found the NSA has some work to do. Inspector General Robert Storch had the details on the Federal Drive with Tom Temin.
Tom Temin: Mr. Storch, good to have you back.
Insight by Exterro: Capt. John Henry, operations officer of the USCG Cyber Command, discusses how the Command prepares for and responds to cyber incidents. Justin Tolman, forensic subject matter expert at Exterro, will provide an industry perspective.
Robert Storch: It’s a pleasure to be back Tom.
Tom Temin: Alright, so cost reimbursement contracts, are they a pretty substantial line item for the NSA to begin with?
Robert Storch: We looked in this audit at 151 cost reimbursement contracts in total for FY 2018. Now, it’s interesting, that represented only about 2% of the number of contracts for that year, but 36% of the total contract dollars awarded. So these are really large dollar contracts. As you may know, and your listeners may remember, we’ve looked at a number of different types of contracting vehicles at the NSA a couple of years ago, I was pleased to be on your program to talk about an audit we did on award fee contracts where we questioned the justification for both the use and the percentages and ended up questioning all 636 million I believe it was in award fees from 54 contracts that we examined. So this time, we were looking at cost reimbursement contracts. And as I say, numerically, not a huge number of contracts. But from a dollar point of view, it’s very significant.
Tom Temin: And it looks like the trends emerge very early, even if the sample was small. And you found that the agency’s review of actual costs for cost reimbursement contract expenses was insufficient. That kind of seems to be a deal breaker right there.
Robert Storch: Yeah, we found a number of issues basically divided into sort of process type issues, process tools, workload, things like that. And then the actual review that was done of the contracts, as well as the external oversight. If I can, I want to pick up, you made a really good point at the outset that I just want to elaborate a bit on in terms of the need for what we call report maximum surveillance on these contracts. So cost reimbursement contracts have a particularly high risk to the government because you’re reimbursing the contract as costs. There’s a potential there for cost escalation. And also, inherently the government is paying the cost of performance, regardless of whether the contract requirements are met. So we, as I say, looked at FY 2018. We went through, we did a sampling plan, sort of stratified, divided into different levels of low, medium and high clause contracts. Initially, we started with a universal 150 invoices from 53 contracts, then based on interviews and sort of commonalities in the way those were treated, we were able to develop a representative sample of 58 invoices from 18 of those contracts. And as you say, we found that there were significant insufficiencies in the review of actual clause, including that 70% of the invoices that we reviewed didn’t have the details that would be necessary to actually review the labor costs. And as a result of that, we ended up questioning all 146 million in the amount of those invoices for labor costs. And interestingly, we found that of those invoices, 62%, so almost two thirds of them, the contracting officers representative relied on the contractor prepared reports in order to approve the charges.
Tom Temin: So that ties in with another bullet point that you found, that the contracting officer representative, I guess they used to be called COTARs, now they’re called CORs, was ineffective and inefficient, because they use the vendors at a station, if you will, of labor costs, rather than some other means. How else could they have done it or should they have done it?
Robert Storch: So we actually went back through and reviewed procedures and policies in place for the CORs, as they’re called, and found a number of issues regarding their roles, responsibilities, and procedures. There actually are four different types of CORs that are employed, they’re what are called the primary cores, then there’s technical cores that support them with technical expertise, administrative cores, and then site cores for those at site. And we found that there was a lack of clarity on the roles and responsibilities for the different types of CORs, on the procedures they’re supposed to follow. And an overemphasis really are concerned about processing these invoices promptly under the Prompt Pay Act, which basically gives the agency seven days to reject them. And that actually ended up taking precedence over the actual review. We also found that in 10 of the 13 primary CORs that we examined would email their technical CORs with regard to the invoices, and they didn’t receive a response, they would assume that it was okay only to actually require a response. And so basically, they’re assuming a level of review by the technical CORs that we found wasn’t necessarily happening. So as a result of those and other issues, we recommended the agency put in place written procedures for the different types of CORs, a governance structure between the CORs and that communication processes to ensure that the CORs are communicating consistently.
Tom Temin: We’re speaking with Robert Storch, inspector general at the National Security Agency. So once the roles are clarified, then those that are responsible for cost reimbursement looksie then would be able to maybe have their mind focused on that task.
Robert Storch: Yeah, absolutely. Although there were other hurdles as well that we identified. One related to the tools that are being used. So basically, we found that the agency uses what are called technical task orders, or TTOs, to track the funds, but that in fact, they weren’t tracked in the agency financial management systems. But instead, that was basically done manually, both with regard to the TTOs and the funding for them. And one of the systems that we described in the report actually does have a field that could be used to track these TTOs, but we found that it wasn’t used. So we recommended that the agency develop a system to track and store the TTOs in one place, and then also to evaluate the use of that field to see if that would work, and if so to develop procedures. Additionally, we found and this wasn’t directly related to the examination of the contracts themselves and the invoices, but that there was a lack of controls in the COR tool, which is what’s used to track the COR appointments. So basically, they were using email distributions on these, and those weren’t always updated. So you didn’t necessarily have all the right CORs getting the right information. So we recommended work on that. And then finally, another impediment is that it was reported to us that the CORs were overloaded, the primary CORs have lots of different duties. The technical CORs work on a number of different contracts. There were some checklists that were utilized, but no procedures really to verify that they were used. And perhaps relatedly, it was reported to us that there was a high rate of attrition among these acquisition professionals. And obviously, it does require a certain level of expertise to be able to meaningfully review these invoices. And so we recommended that the agency look at the workload, do an evaluation of that and develop a plan to ensure that has appropriate resources. So there really were issues sort of on process, on tools and mechanics, and on workload that need to be evaluated here. And I should also mention, Tom, I mentioned the 70% of the invoices that didn’t have the required details. Additionally, there’s something called an approval of staffing clause. And I don’t wanna get too far into the weeds here. But basically, when you’re talking about level of effort contracts, it requires that you get a waiver if you’re going to go more than 20% above the contract labor weight. And we found in looking at the invoices, that only 9% of the invoices had the invoices necessary to check to see whether that staffing clause was complied with. And that resulted in questioning another 80 million. In addition, it was overlapping with the other 146. So in total, we end up questioning 227 million in labor charges from the sample, and the sample was about 304 million. So that actually represents questioning 75% of the total costs for those invoices. In addition to the labor that we also found, it’s not as much money, but it was very high level of concern that 96% of the invoices that had travel clause didn’t have sufficient documentation to enable the agency to determine if those costs were appropriate. The agency basically told us or people we talked with told us that the travel had been approved, but obviously that isn’t the same thing as ensuring that the clause are proper. And so we questioned all 226,000 of that as well. But overall, you’re looking at 227 million in question clause in this audit from a sample of 304 million.
Tom Temin: And on the labor costs themselves, is the original contract the kind of reference point for what is allowable in terms of labor rates?
Robert Storch: Sure, and as I say, the contracts where you’re talking about level of effort contracts have this provision for approval of staffing. So there can be some room there to get a waiver to go above certain rates, but there has to be sufficient documentation to justify that. And we found that in the significant majority of the cases that wasn’t there.
Tom Temin: Got it. And did the agency generally agree with your findings and your recommendations to fix those holes?
Robert Storch: They did, Tom. We made 22 recommendations in the report. And the agency did agree with all of them and said they’re going to take action that if taken would be sufficient to meet the intent of the recommendations.
Tom Temin: I would say this report probably has universal readability across the federal government because whether it’s classified or not, a cost reimbursement contract is a cost reimbursement contract.
Robert Storch: Sure, absolutely. We look at these contracting vehicles, and obviously as we’ve discussed in other interviews, there are details that obviously we can’t make public that are classified or otherwise. But from a general point of view, as we’ve discussed, these are contracts that carry a high level of risk, that require a high level of surveillance to make sure that the government’s money is being spent properly. In fact, I just note that in three public reports, unclassified reports that we’ve released over the last couple of years, the award fee, the report we talked about earlier this year on the installation and logistics contract, and on this cost reimbursement contract, we’ve here at NSA OIG questioned almost just short of $1.3 billion. So it’s a significant amount of taxpayer dollars, obviously. And as you say, the issues that we find may have relevance across the government.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Tom Temin: And did the CORs ever look at the history of a particular contractor? I mentioned, some tried to get away with murder on labor costs and some are squeaky clean.
Robert Storch: Now that’s a great question, Tom. In fact, we found that there were not any procedures in place to ensure that the CORs were aware where there were contractors that had history of labor mischarging, or any procedures for additional monitoring in those situations, and we made recommendations to address those as well. Additionally, we found that there was limited external oversight, DCAA serves as the DoD Cognizant contract auditor. But we found that because of security concerns between NSA and DCAA and otherwise, that there was really over reliance by management on that DCAA coverage. And we made a number of recommendations to help address that. I should say that the agency set up a process working group in April of 2019 to look into those issues, but that we found that there still were not policies and procedures in place to address them.
Tom Temin: Robert Storch is inspector general at the National Security Agency. As always, thanks so much.
Robert Storch: Thank you for interest in our work, Tom. Always a pleasure to be with you.