For the Food and Drug Administration, as for so many agencies, information technology is a big-ticket expenditure. The Health and Human Services inspector general examined FDA contracting officers dealing with one large deal, and found a few things to tighten up. The Federal Drive with Tom Temin got more from the IG’s director of cybersecurity and IT audits, Jarvis Rodgers.
Interview transcript:
Tom Temin
The methodology of the study was kind of interesting. You looked at a task order type of contract, a single contract with a single contractor that the FDA used across different components over a period of years. Just tell us about the methodology here first.
Jarvis Rodgers
Well, here at the [Office of Inspector General], we firmly believe that what gets checked gets done. So in this case, the total of the contract that we looked at was a little over $26 million. Over around that same period, FDA had spent about $2 billion. But in this case, we were able to find some issues, find some deficiencies that we’ll talk about here, I’m sure soon. And ultimately resulted in some really impactful change across the enterprise. So FDA actually did implement some new regulations, some new procedures, where they’re going to be now looking at some of the issues that we identified across the entire enterprise. So even from looking at just one contractor in this case, we were still able to have a wide impact.
Tom Temin
Well, what did you find?
Jarvis Rodgers
Well, we found that in some instances, the contracting officer did not appoint a COR. And a COR is actually a very important role, because they administered a day to day management of the contract.
Tom Temin
COR stands for Contracting Officer’s Representative.
Jarvis Rodgers
You got it. So in this case, a COR was not officially appointed. And that could actually present some issues for the government in the future. Should it be a challenge, if the COR were to ask your contractor to perform a certain duty, and they were not adequately authorized under [Federal Acquisition Regulations], to ask the contractor to perform those duties. If there happen to be a protest in the future, there would be a number of steps before would actually get there. But if it got to a legal issue, the government could kind of be in a pickle if there was a situation and a COR was not authorized to tell the contractor to perform certain duties.
Tom Temin
So the contracting officer then does what in a given action? And what does the COR do? Maybe it would be helpful to understand the differentiation of labor there.
Jarvis Rodgers
Well, the contracting officer under the FAR is sort of the go to person and then they delegate their duties to the COR. So when we talk about the COR, the COR is actually acting on behalf of the contracting officer. So the contracting officer, I would say, is a level up, and then the COR would sort of be one level down beneath that, but they can perform a lot of the same duties that the contracting officer would perform. And in some instances, the contracting officer may not appoint a COR and may just do some of these duties on their own.
Tom Temin
But you found in some cases, there was no contracting officer’s representative. But neither did the job get done that either the CO or the COR would have done.
Jarvis Rodgers
Well, we found that there was a COR, but they were not officially appointed. So in a lot of instances, the COR was in place, but again, was not officially in place. And we found in some other instances, where there was not a COR appointed, but then a contracting officer sort of missed a couple of things where they didn’t complete a price evaluation and a preaward review. And there was some signatures that were missing on some other documents.
Tom Temin
Yeah, so the sound like administrivia, but actually, they’re pretty much regulations enshrined in the FAR sounds like.
Jarvis Rodgers
Some of them. Yes. And some of them were [Department of Health and Human Services] requirements. The funding determination document was an HHS requirement. And the recommendation for award document was also falls under the HHS requirements.
Tom Temin
We are speaking with Jarvis Rodgers. He is the inspector general’s director of Cybersecurity and IT Audits at Health and Human Services. And if you look at all of these discrepancies or procedures that weren’t quite followed, is there any evidence that the wrong things were delivered or that FDA did not get what it should have contracted for? What was the net effect of what you found, in terms of the procedural discrepancies?
Jarvis Rodgers
Well, sometimes we find some good things. So I do want to take a second to kind of talk about those. I mean, FDA did have policies and procedures in place to make sure all the I’s were dotted and T’s were crossed. We didn’t find any instances where FDA did not get services that it paid for, anything like that. We just found, again, as we just talked about instances where a COR was not appropriately appointed, and these things, should a number of other actions occur, could snowball and result in some problems for FDA. But overall, FDA did have the foundation in place. And when we do an audit, we kind of look at the whole internal control structure. We referenced, not to get too wonky here, but we referenced the Government Accountability Office GreenBook, which has five phases in it. One of the last phases in there was monitoring. So where the organization would have controls in place to monitor to see if the internal controls that it has implemented — in this case, the policies and procedures — are actually effectively working. So what we saw here is that FDA could have improved some of its monitoring and we were pleased with the response that FDA provided to one of our recommendations, where it said that it would increase its monitoring controls as a result of this audit.
Tom Temin
All right, let’s get back a step here to the major recommendations. What generally were they?
Jarvis Rodgers
So the major recommendation I would say is the one that I just addressed. Where we had one recommendation for FDA to evaluate internal procedures and documents for key contracting decisions, and activities to verify that all supporting contract documents are based on current HHS and FDA policies and procedures. So with that, as I just mentioned, FDA instituted a new program where it’s going to conduct additional audits and reviews going forward. We hope that this should result in long lasting cultural change. Some of these changes will help ensure that oversights that we identified during this audit do not occur again in the future. And ultimately, what this will do is it’ll protect the interests of the American people and protect the tax dollars of all of us. And I know we’re very familiar with that as well, either paying out taxes or about to pay out taxes very soon.
Tom Temin
And just one detail I wanted to follow up on too, in your recommendations, was contractor performance and collecting that information. Because we discuss some of the front end activities of having the COR and the contracting documents all signed and sealed correctly. But then after the fact there is contractor performance monitoring. It seems like that was an important part of your report, is to make sure that they followed up, after the contract award to make sure that the contractors did what they were supposed to?
Jarvis Rodgers
Yes. What the government likes to see is after a contractor performs for the government, that they’re sort of graded. And FDA in some cases was not timely putting in the HHS system its evaluation of the contractor performance. As a result of this audit, what FDA said and their response to the report, is that they’re going to work more closely with HHS to ensure that the contractor performance is done timely going forward.
Tom Temin
And the other thing I think is key here, you note that FDA noted that there was a lot of staff turnover in those three years that you studied. Which kind of mitigates toward, hey, if you bring new people in to do contracting, you better watch them and watch the watchers to make sure everything gets done right.
Jarvis Rodgers
Well, and that’s why, as you’ve heard me kind of talk about quite a bit, is the importance of that audit and that follow up and that monitoring. I can’t overemphasize the importance of that. It’s not just putting the policies and procedures in place, because again, you could have new people come on board, you can introduce them to the policies and procedures. But then you have to have that kind of check and balance in place to make sure that they’re actually meeting the requirements of the policies and procedures. And again, the big thing for us is, when that checks and balance is in place, it creates a culture, it creates a different type of environment. People talk, there’s water cooler talk where he says, hey, Sam, we do periodic checks to make sure that the performance evaluations are done timely, we do periodic checks to make sure that all the appropriate sign offs are done. When that culture and those conversations occur, at least from my experience in the OIG community for more than 20 years, it starts to permeate throughout the organization, and you’re able to see the change that you’re really aiming for. So we were pleased with the actions that FDA has taken. We hope that as a result of this audit, and the additional controls that they’re going to put in place from a monitoring standpoint, we won’t see these things happen again.
Tom Temin
Sounds like that old Alec Baldwin movie, coffee is for people that dot their I’s cross their T’s and follow up after the award.
Jarvis Rodgers
That’s absolutely right.