A Performance Audit
An Audit Report on Selected Contracts at the Commission on State Emergency Communications
July 2017
Summary Analysis
The Commission on State Emergency Communications (Commission) should strengthen certain contract oversight and planning processes, but it procured and formed the two contracts audited in accordance with most applicable requirements. The Commission should also improve its monitoring of data security.
The contracts audited were:
• A contract for upgrades to and maintenance of the Texas Poison Control Network (Poison Control Network contract).
• A contract for planning and managing testing in support of efforts to upgrade the state’s 9-1-1 systems (9-1-1 Test Lab Services contract).
The Commission had documented processes for monitoring deliverables for both contracts audited. However, it did not always follow those processes. Specifically:
• The Commission did not consistently document its required review and approval of expectations documentation.
• For the 9-1-1 Test Lab Services contract, the Commission did not consistently follow its process for authorizing the contractor to begin work on a deliverable.
• For the Poison Control Network contract, the Commission did not always ensure that deliverables were complete before accepting them. For the 9-1-1 Test Lab Services contract, the Commission’s project manager and a director verified that the deliverables met the acceptance criteria and approved all 21 deliverables tested. However, for the Poison Control Network contract, the Commission accepted incomplete deliverables for 2 (50 percent) of 4 deliverables tested.
In addition, the Commission did not monitor or maintain documentation related to the timeliness of any of the 21 deliverables tested for the 9-1-1 Test Lab Services contract. For the Poison Control Network contract, the Commission accepted all four deliverables by the contractually agreed-upon due dates.
The Commission established processes for monitoring ongoing services for both contracts audited, and its monitoring of ongoing services on the 9-1-1 Test Lab Services contract was adequate. However, auditors identified weaknesses in the Commission’s monitoring of the Poison Control Network contract. For example, the Commission did not establish a performance standard to ensure network optimization improvements were met; it also did not adequately monitor the contractor’s compliance with the performance standard for Poison Control Network application availability.
The Commission had an adequate payment review process for both contracts audited. All 34 payments tested on the 9-1-1 Test Lab Services contract and all 10 payments tested on the Poison Control Network contract were based on an approved invoice, priced the same as in the contract, and allowable per the terms of the contract.
In planning both contracts audited, the Commission prepared solicitation documents that included detailed specifications for quantity and quality of the products to be procured, as required by the State of Texas Contract Management Guide.
However, the Commission did not retain documentation showing that it performed an adequate risk assessment for either contract as required by the State of Texas Contract Management Guide. The Commission also did not have supporting documentation showing that it performed an adequate needs assessment or cost estimate for the 9-1-1 Test Lab Services contract as required by the State of Texas Contract Management Guide.
Additionally, the Commission did not include evaluation criteria or best value considerations in the solicitation documents for the 9-1-1 Test Lab Services contract as required by the State of Texas Contract Management Guide.
The Commission complied with most applicable statutes and the State of Texas Contract Management Guide when it procured and formed the 9-1-1 Test Lab Services and Poison Control Network contracts.
• The Commission had proper justification for selecting the contractors and ensured that purchasing staff had the required certifications and completed conflict of interest forms.
• The Commission generally formed both contracts audited in accordance with applicable statutes and rules.
Auditors identified weaknesses in the Commission’s monitoring of data security. Specifically, the Commission did not ensure that user access levels in the Uniform Statewide Accounting System (USAS) enforced appropriate segregation of duties. Additionally, the Commission did not have a process to monitor contractor compliance with contractual data security requirements and did not always follow its policies related to user access to the Poison Control Network.