Auditor notes need to enforce multiple approvals of personnel moves.
Management lapses make the State Department vulnerable to employees potentially awarding themselves promotions, the inspector general warned on Tuesday.
Watchdog Steve Linick issued a “management letter” that reproduces a compendium of issues with the department’s financial and security procedures prepared on April 15 by Kearney & Co. in its audit of State’s fiscal 2018 financial statement.
Among the issues raised is the way that State’s human resources team executes hiring, transfers, promotions and demotions using the SF-52 (Request for Personnel Action) forms in its Global Employment Management System.
“Internal controls are important for personnel systems,” the Kearney auditors noted, because they “maintain a significant amount of personally identifiable information and are susceptible to fraud.”
Under the safeguard known as “segregation of duties,” changes in personnel status are supposed to loop in an array of individuals with different specialties, preventing actions that are approved by only one employee.
Kearney selected a random sample of 51 new hire Civil and Foreign Service employees as of March 31, 2018, and found that 43 (84 percent) of their personnel actions tested were executed entirely by the same person.
Although the department has a matrix to enforce separation of duties, Kearney found it lacking because it “did not identify three of the main user roles as conflicting, even though the roles had functions that should not be performed by the same person,” the letter said. Of the 737 users of the global employment system, 19 (3 percent) had been assigned two or more conflicting roles.
An even more significant issue, the consultant warned, is that employees assigned one of the user roles in the system “can perform the actions provided in all three main roles; that is, the role is not limited to one type of activity, as would be appropriate.” As of May 18, 2018, 252 (34 percent) of 737 system users were assigned such a flexible role.
Inadequate enforcement of the separation of duties, auditors concluded, “may lead to fraud or unauthorized transactions to financial and personnel records.” The lapse also increases the risk that “inappropriate personnel actions are approved without being identified. For example, employees with a certain GEMS user role could fully execute a personnel action for themselves, such as a promotion.”
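The checks the auditors describe can be expressed as a short script; this is an added example, not code from the audit letter, the article or the GEMS system. The role, function and user names are hypothetical, because the letter does not name the roles, and the conflicts are derived from what each role can do rather than from a hand-kept list of role pairs, so a single role that spans every function is caught as well.

```python
# Added example. Role, function and user names are hypothetical.
ROLE_FUNCTIONS = {
    "initiator": {"initiate"},
    "reviewer": {"review"},
    "approver": {"approve"},
    "processor_all": {"initiate", "review", "approve"},  # one role, every function
}
# Pairs of functions that one person must not hold together.
CONFLICTS = [{"initiate", "review"}, {"initiate", "approve"}, {"review", "approve"}]

def audit_assignments(user_roles):
    """Map each offending user to the reason their role set breaks separation of duties."""
    findings = {}
    for user, roles in user_roles.items():
        broad = sorted(r for r in roles
                       if any(pair <= ROLE_FUNCTIONS[r] for pair in CONFLICTS))
        held = set().union(*(ROLE_FUNCTIONS[r] for r in roles))
        if broad:
            findings[user] = "over-broad role: " + ", ".join(broad)
        elif any(pair <= held for pair in CONFLICTS):
            findings[user] = "conflicting roles: " + ", ".join(sorted(roles))
    return findings

def audit_actions(actions):
    """Flag actions processed by their own subject or end to end by one person."""
    findings = []
    for act in actions:
        actors = {act["initiated_by"], act["reviewed_by"], act["approved_by"]}
        if act["subject"] in actors:
            findings.append((act["id"], "self-processed"))
        elif len(actors) == 1:
            findings.append((act["id"], "single actor"))
    return findings

# Constructed sample data.
USER_ROLES = {
    "alice": {"initiator"},
    "bob": {"initiator", "approver"},
    "carol": {"processor_all"},
}
ACTIONS = [
    {"id": 1, "subject": "dave", "initiated_by": "alice", "reviewed_by": "erin", "approved_by": "frank"},
    {"id": 2, "subject": "dave", "initiated_by": "carol", "reviewed_by": "carol", "approved_by": "carol"},
    {"id": 3, "subject": "carol", "initiated_by": "carol", "reviewed_by": "erin", "approved_by": "frank"},
]

if __name__ == "__main__":
    print(audit_assignments(USER_ROLES))
    print(audit_actions(ACTIONS))
```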
Other “significant deficiencies” that the auditor deemed reportable included an insufficient fund balance in State’s reconciliation process with the Treasury Department, inaccurate supporting data for asbestos remediation in buildings, insufficient vendor invoice approvals, and inadequate accounting for real property transactions with the General Services Administration.
State was credited with resolving three past problematic items, leaving seven still to be addressed.
Following release of the management letter, a State Department official told Government Executive in an email that the “Global Employee Management System does not allow an employee or processor to process promotions or any personnel action for themselves. HR Specialists with the appropriate roles and authorities can initiate and process actions on others, but the system includes automated security measures that prevent them from processing actions for themselves.” Other issues with the system, he added, are being addressed.
This article has been updated with comment from the State Department.