Publicly Released: May 9, 2023
The objective of this audit was to determine whether DoD Components performed oversight of task orders issued under the Defense Information Systems Agency’s (DISA) ENCORE III information technology service contract in accordance with Federal and DoD guidance. We reviewed a sample of five task orders awarded by DISA, U.S. Transportation Command (USTRANSCOM), and Washington Headquarters Services (WHS) contracting officers.
DoD Component contracting officer’s representatives (COR) did not oversee contractor performance in accordance with Federal and DoD guidance for the ENCORE III task orders we reviewed. Specifically, the CORs did not consistently maintain documentation of inspections of contractor performance, submit timely surveillance reports to contracting officers, or review contractor interim vouchers to prevent improper payments.
This occurred because contracting officers were not required to review COR files to determine whether the CORs were performing their duties as required until the CORs had been in place for 1 year. Our results indicate that waiting a year to review COR files is insufficient to detect and correct COR performance problems in a timely manner. In addition, COR training did not include instruction on how to review interim vouchers to prevent improper payments.
Furthermore, six of the eight CORs for the ENCORE III task orders did not meet technical experience requirements to oversee the contractor cybersecurity services required by the task orders. This occurred because three of the five requiring activities did not nominate qualified officials to be CORs, and the contracting officers did not verify that the COR nominees possessed the technical experience needed to oversee cybersecurity services before designating them as CORs. As a result, the CORs relied on other officials to inspect contractor performance, which violated DoD guidance and increased the risk of the DoD paying for services not received.
The lack of COR oversight for the ENCORE III task orders resulted in the DoD officials paying $24.2 million without reasonable assurance that contractor information technology services met task order requirements.
Among other recommendations, we recommend that the Principal Director of Defense Pricing and Contracting (DPC) revise DoD guidance to require contracting officers to conduct initial reviews of COR files within a set timeframe from designating CORs. We also recommend that the Principal Director develop and implement plans to ensure contracting officers are aware of the technical experience requirements for CORs who monitor cybersecurity services. We recommend that the Defense Acquisition University (DAU) President revise the DoD COR training to include detailed instructions for CORs to review interim vouchers to prevent improper payments.
Management Comments and Our Response
The Principal Director of DPC, the DAU Chief of Staff, and other management officials generally agreed with 14 of our 19 recommendations; however, 5 recommendations remain unresolved. We request additional comments on the unresolved recommendations within 30 days.
This report is a result of Project No. D2020-D000CT-0120.000.
As required by law, attached to this report are responses received from one or more non-governmental organizations or business entities that are specifically identified in the report.