OIG report highlights shortcomings in FDA’s IT acquisition procedures

Regulatory News | 18 January 2023

The High-performance Integrated Virtual Environment (HIVE) IT system is used by the FDA for genetic research. (Source: FDA)

Editor's note: This article has been updated with additional comments from the FDA.

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) is calling on the Food and Drug Administration (FDA) to improve its processes for buying information technology (IT). Overall, the oversight agency determined that FDA followed federal regulations, but there were several areas where it failed to assign responsibilities and keep records properly.
The OIG published a report summarizing its findings of a sample of five FDA IT system purchases totaling almost $24 million between 2018 and 2020. It notes that the regulatory agency spent more than $2.3 billion on IT products and services during that time, and in 2020 alone it spent almost $683 million.
The OIG said it conducted the audit of FDA’s IT purchases as part of a broader effort to understand the financial integrity of HHS programs.
“This audit is part of a broad portfolio of HHS OIG audits examining various aspects of HHS contracting operations, including payment accuracy, eligibility verification, management and administration, and data security,” the OIG said. “Our objective was to determine whether FDA administered contracts for the acquisition of IT in accordance with applicable Federal acquisition regulations and HHS acquisition regulations and policies.”
The OIG pointed out in its report that executive branch agencies are required to follow the Federal Acquisition Regulation (FAR). FDA must also abide by the HHS Acquisition Regulation (HHSAR), as well as directives in FDA Staff Manual Guides that provide details on administrative and program policies, responsibilities and procedures, including those that govern procurement.
The report said that, for the most part, FDA contracting officers reviewed in the audit followed federal policies and regulations, but they did fall short in some areas. For instance, they often failed to properly designate a contracting officer's representative (COR) to help monitor and administer the contract. A COR is someone with the technical knowledge to properly oversee contract work, direct technical aspects of the work, and ultimately notify the contracting officer if there are any deviations from the planned performance.
Of the five purchases reviewed, the OIG said that FDA failed to properly designate a COR or retain and complete COR duties in three of the orders. For two of those contracts, the OIG said that a COR was not designated using a COR memo, even though FDA designated CORs in their contract files. In the third order, the FDA contracting officer’s signature was missing from the COR memo.
“Although the individuals performed COR duties such as invoice and solicitation document reviews and completed a COR Certification and Completion Statement, the designation of the COR was not compliant with the FAR and with FDA’s Acquisition Policy and Oversight Branch requirements,” the report states. “Further, the FDA centers and offices failed to complete contract file checklists, which are intended to ensure that contract administration requirements, such as the completion of a COR memo, have been accomplished.”
“An individual serving as a contract’s COR without a signed COR Memo that establishes duties to perform and the actions not authorized to perform could impact the effectiveness of FDA’s oversight of the technical and programmatic aspects of the contract and the reliability and timely completion of contractor performance assessments and could result in the Federal Government incurring additional contract costs,” the report added.
The OIG also said that FDA failed to complete required contractor performance evaluations, properly document all key contracting decisions or activities, and include the required acquisition strategy statement in the orders’ acquisition plans. The agency noted that FDA responded to its report and concurred with the findings and recommendations.
“FDA stated that it has increased its reviews and audits of the acquisition files to ensure that all applicable contract documentation is properly prepared and uploaded into the [Purchase Request Information System (PRISM)],” said the OIG. “FDA stated that it has updated its policies and procedures to ensure that all contracting decisions made by the contracting officer will be documented and that the documentation will include the rationale for any business judgments.”
The oversight body said that FDA plans to assess the acquisition lifecycle process to ensure that all acquisition activities align with current policies and procedures and established best practices.
On 20 December 2022, Lisa Rovin, FDA’s director for public health strategy and analysis, responded to the OIG’s draft report and said that the agency does not think a contracting officer representative needs to be assigned in every purchase order and that it has discretion under the FAR over when a COR needs to be added.
“To increase visibility when a COR is appointed, FDA now tracks COR Appointments through a dedicated data field in PRISM,” FDA said. “Also, [FDA’s Office of Acquisitions and Grants Services (OAGS)] has increased its reviews of Acquisition Files, including COR Appointment documentation, within operational supervisory chains of command, as well as greater Acquisition File audits and other reviews by the Acquisition Policy and Oversight Branch.”
The agency went on to state that, for the other issues raised by the OIG, it has updated its procedures and will remind contracting officers of their responsibilities to ensure they comply with federal regulations.

"There is no single reason for some of the findings identified within the report," Audra Harrison, an FDA spokesperson, told Focus. "In some cases, it was an oversight of the contract official to upload the required supporting documentation which is being addressed through the reissuing of the [standard operating procedures] and continuous monitoring of contract files by their leadership. In other cases, it will be ensuring that members of the acquisition team collaborate to ensure that the appropriate actions are either followed and are documented."

Harrison added that OAGS will take the necessary steps to ensure future compliance, which includes training or re-training, reviewing guidance to ensure that it is updated or reflects best practices, and additional reviews and/or audits as deemed necessary.


© 2023 Regulatory Affairs Professionals Society.
