NATIONAL SECURITY AGENCY
OFFICE OF THE INSPECTOR GENERAL
Audit of the Implementation of the
Coronavirus Aid, Relief, and Economic
Security (CARES) Act, Section 3610
AU-20-0008
26 May 2022
(Reissued with Administrative Revisions on 22 June 2022)
Audit of the Implementation of the CARES Act, Section 3610
Audit
of the Implementation of the CARES Act, Section 3610
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
ii
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .i
I. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
II. Results of the Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
FINDING 1: NSA had signicant issues implementing the CARES Act, including
insucient invoice reviews. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
III. Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
APPENDIX A: About the Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
APPENDIX B: Abbreviations and Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
APPENDIX C: CARES Act Sample Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
I. INTRODUCTION
On 27 March 2020, Congress enacted the Coronavirus Aid, Relief, and Economic Security (CARES)
Act in response to the Coronavirus Disease 2019 (COVID-19) national emergency. The CARES Act
contains a number of provisions aimed at stabilizing the economy and helping affected households and
businesses. Section 3610 of the CARES Act permits federal agencies, under certain circumstances, to
modify terms of existing contracts or agreements, and to reimburse federal contractors’ compensation
due to COVID-19-related issues. CARES Section 3610 provides federal agencies the discretion
to reimburse paid leave to federal contractors confronted with the inability of their employees or
subcontractors to perform work at a federal government-approved work site due to facility closures,
government-directed denied access, or other restrictions when their job duties could not be performed
remotely.
1
Reimbursement under CARES Act, Section 3610 has several limitations, as described below:
• A contractor may only receive reimbursement if its employees or subcontractor employees:
- Cannot perform work at a government-owned, government-leased, contractor-
owned, or contractor-leased facility or site approved by the Federal Government
for contract performance due to COVID-related closures or other restrictions,
and
- Are unable to telework because their job duties cannot be performed remotely
during the public health emergency that was declared on 31 January 2020.
• Reimbursement is authorized:
- Only at the minimum applicable contract billing rate, and
- Not to exceed an average of 40 hours per week per employee.
2
• The Government must reduce the maximum reimbursement authorized by the amount of
credit the contractor is allowed pursuant to Division G of the Families First Coronavirus
Response Act (FFCRA) and any applicable credits the contractor is allowed.
3
• Reimbursement is contingent upon the availability of funds.
1
Government-directed denied access refers to NSA’s denied-access protocol that prevents affiliates with an increased risk
of having COVID-19 or individuals who are medically recommended to quarantine due to possible exposure to COVID19
from entering NSA spaces during the public health emergency.
2
The CARES Act states “not to exceed an average of 40 hours per week.” On 3 April 2020, the Office of the Director of
National Intelligence (ODNI) issued IC [Intelligence Community] Guiding Principles for the IC Acquisition & Procurement Community
on Implementation of the CARES Act, which states “not to exceed an average of 40 hours per week per employee.” On 9 April
2020, NSA issued Invoicing Information for Contractors under CARES Act, which states that “hours billed in cumulative shall not
exceed an average of 40 hours per week per obligated FTE [full time equivalent]. In cases where the FTE support level is less
than 40 hours per week, the hours billed shall not exceed the stated contractual hours per week.”
3
The FFCRA requires certain employers to provide employees with paid sick leave or expanded family and medical
leave for specific reasons related to COVID-19. Division G of the FFCRA allows tax credits to employers for COVID-19
paid leave.
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
2
According to the Office of the Under Secretary of Defense, during the COVID-19 pandemic, many
Department of Defense (DoD) contractors were struggling to maintain a mission-ready workforce
due to work-site closures, personnel quarantines, and state and local restrictions on movement. The
Office of the Director of National Intelligence (ODNI) supported the immediate implementation of
Section 3610 of the CARES Act and encouraged Intelligence Community (IC) agencies to make full
use of the flexibility provided by the Act and other existing contracting tools to enable the maximum
number of contractor personnel to convert to staying home in a “ready state” during the national effort
to mitigate the spread of COVID-19.
4
As of 8 June 2021, NSA reported the amount of CARES invoices as totaling $917 million for a total
of 81,000 CARES hours.
B
See Appendix A, “About the Audit,” where the audit objective, scope, methodology, and criteria can
be found.
4
In the context of Section 3610 of the CARES Act, NSA defined “ready state” in communications to contractors as the
ability and willingness of a contractor employee to return to a place of performance that has been closed, or otherwise having
limited or reduced access due to conditions caused by the COVID-19 pandemic, within two hours after having been notified
by the Government through the contractor employee’s management.
B
Subsequent to issuance of this report, the Agency indicated to the OIG that the total number of 81,000 CARES hours
was incorrect. The Agency informed the OIG that the correct total for the time period was 6.4 million hours; however
the OIG has not independently verified the accuracy of this revised number. The hours were included in the report as
background information and are not a basis for or relevant to the audit’s findings or recommendations. Moreover, because
the invoiced amounts may include other indirect costs, it would not be possible to determine an hourly rate from these totals.
3
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
II. RESULTS OF THE AUDIT
The Agency did not perform sucient review of CARES invoices. This was due to
evolving guidelines, reduced contract oversight stang during the COVID-19 pandemic,
an overreliance on contractor-provided information, and the absence of clear and
comprehensive Contracting Ocer Representative (COR) oversight procedures for
CARES invoices. Insucient documentation and lack of COR oversight caused the OIG to
question more than $16.4 million, or 40 percent of the sampled CARES invoice charges.
As a result, the Agency has an increased risk of being overcharged for CARES paid leave
and of potential fraud by contractors, both of which could reduce the funds available for
mission requirements.
NSA notified contractors on 30 March 2020 that it was developing implementation guidance for the
CARES Act. The guidance notice provided to contractors on 31 March 2020 stated that “subject to
the availability of appropriations, contractors who are working under reduced manning at Agency
sites may be reimbursed . . . .” In addition, on 3 April 2020, the Agency published guidance on the
Acquisition Resource Center (ARC) website that stated that Section 3610 only applied if a contractor
employee was unable, due to COVID-19, to perform work because they were restricted from access
to the site where they are contractually assigned, and that telework by contractor personnel at private
residences was not permitted for any work charged to an Agency contract.
For any invoice payment, DoD Financial Management Regulation (FMR) 7000.14R, Volume 10,
Chapter 8, Section 0803, issued March 2020, states, “[a]s part of entitling and certifying a payment,
DoD Components must ensure that appropriate payment documentation is established and retained
to support payment of invoices and interest penalties. This documentation normally includes the
contract/purchase order, receipt/acceptance report, and a proper invoice.”
In addition to these documents, NSA required contractors to follow additional guidance and
submit CARES documentation to support reimbursement for paid leave. NSA provided CARES
invoicing guidelines and instructions to contractors on 9 April 2020. The invoice guidelines required
contractors to separately track all paid leave for COVID-19, by labor category, from actual hours
worked for all Cost-Reimbursement, Time and Materials, Labor Hour, and Fixed Price Level of Effort
contracts.
5
Invoices submitted for CARES reimbursement were to include “CARES” in the invoice
number to allow the Agency to track all invoices under the CARES Act. Vendors were required to
5
The CARES Act only applies to labor costs.
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
4
submit separate invoices for hours worked and CARES paid leave. In addition to standard invoice
documentation, contractors were required to submit a completed and signed CARES Act Invoice
Contractor Certification Memo—which required the contractor to attest they were not receiving other
reimbursement for the same costs—and a completed CARES Hours Tracker Excel template.
6
The
CARES Hours Tracker is an Excel table that indicates both hours worked and CARES hours by
employee. The Hours Tracker also shows the work location, labor category, and hourly rate for each
employee. Templates for the additional documentation were provided via the ARC and Maryland
Procurement Office (MPO) websites. (See Appendix C for samples of the additional CARES invoice
documentation.)
Invoices for CARES Act reimbursement followed the same invoice process as all regular invoices, as
shown in Figure 1.
7
The OIG judgmentally sampled 25 CARES invoices with a period of service from 27 March through
31 August 2020 totaling $37.9 million.
8 9
Based on review of only the supporting documentation, the
OIG had questions or concerns with all but two invoices; these questions and concerns related to:
1. Questionable contractors billed: employees on invoices who were not listed on the
Electronic Contractor Position Roster Log (eCPRL) or who were listed as pending or
de-sponsored,
10 11
6
According to Business Management & Acquisition (BM&A), NSA participated in ODNI biweekly sessions with other
IC agencies to discuss the implementation of the CARES Act and share processes among participants. For example, the
group shared the process of having the vendor self-certify that they did not receive other COVID-19 relief.
7
The Electronic Commerce Interface (ECI) is used by contractors to submit electronic invoices to the Agency. Contract
Managers (CM) are responsible for contract monitoring, mission communication, and requisition tracking. Acceptance
Officer (AO) is an individual named by the Contracting Officer to verify receipt of supplies or simple services and approve
invoices for those actions.
8
The total number of CARES invoices submitted to the Agency from 27 March through 31 August 2020 was 2,145.
9
The OIG did not reach out to contractors to determine whether the questionable costs were true errors or complete
further review of invoices to determine the specific amount of error. If Agency personnel were unable to sufficiently justify
or explain the hours/rates on an invoice, we deemed the entire invoice questionable for purposes of this audit.
10
The eCPRL is an electronic contractor position log used to identify all cleared contractors associated with NSA
contracts.
11
“Pending” refers to individuals who require some type of Agency action to be in an active or approved status on the
eCPRL. “De-sponsored” refers to individuals who no longer require access to NSA.
5
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
2. Questionable differences: differences between e-invoices and CARES Hours Trackers,
3. Questionable billing rates: questionable hourly rates,
4. Questionable hours: hours in excess of 40 hours per week average, and
5. Questionable timeframe: hours billed outside CARES period.
Questionable contractors billed. The Agency’s Notice to Contractors Regarding COVID-19 Update,
issued 20 April 2020, stated that “only costs incurred on or after 27 March 2020 are reimbursable
under Section 3610 of the CARES Act.” In addition, Business Management & Acquisition’s (BM&A)
COVID-19 Invoicing Guidelines, issued 17 April 2020, stated that “the individual must be approved
to work on the contract by the COR or Contracting Officer (CO) prior to the contractor invoicing
for COVID-19 related expenses.”
12
We compared the individuals billed on CARES invoices to the
eCPRL for the contracts in our sample to determine whether the employee was active on the contract
prior to billing CARES leave and within the CARES period. We identified 10 invoices on which some
employees were either not listed on the eCPRL or were listed as pending, de-sponsored, or inactive
during the period of service on the invoice. For 2 of the 10 invoices, the CORs were unable to provide
additional documentation to support that the contractor was approved to work on the contract prior
to the invoice period:
• For one invoice, an individual billed on the CARES invoice was listed as pending on the
eCPRL as of July 2019. The COR stated that this individual was approved to work on the
contract as of July 2019 but could not provide documentation to support that statement and
could not explain why the eCPRL showed the individual as pending.
• The other invoice had an individual listed on the eCPRL as de-sponsored as of
27 March 2020 (the beginning of the CARES period) but billed 16.5 CARES leave hours
for a total of $2,355. As a result of our interview, the COR requested an explanation from
the contractor, who, upon review, admitted that the hours were billed in error and should
be credited to NSA on a future invoice.
Questionable differences. In addition to standard invoice documentation, the Agency required
contractors to submit a completed CARES Hours Tracker, as described above. We identified 13 of
the 25 invoices in which the e-invoice did not agree with the CARES Hours Tracker. As illustrated in
Figure 2, for 7 of the 13, or 54 percent of the invoices, the CORs were able to provide explanations of
the differences that the OIG determined were sufficient. For example, one COR stated the difference
was due to the contractor failing to update the hourly rates on the Hours Tracker. The contract
transitioned from one option year to the next and the labor rates changed; however, the e-invoice and
the Hours Tracker were using different rates. After further review of the contract and invoice, the OIG
determined that the documentation supported the COR’s explanation. For 6 of the 13 invoices, the
CORs were unable to sufficiently explain to the OIG the differences between the e-invoices and the
CARES Hours Trackers. For example, one COR stated that they relied on the vendor for the hours
and did not note the difference in the documentation.
12
The BM&A COVID-19 Guidelines were updated multiple times as the Agency received additional guidance. We are
including the date of issuance throughout the report for reference.
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
6
Questionable billing rates. The CARES Act allowed agencies to “reimburse at the minimum
applicable contract billing rates.” According to BM&A’s COVID-19 Invoicing Guidelines, issued
17 April 2020, “the rate charged must be the minimum applicable contract billing rate for the location
where the work would have been performed (excluding profit/fee).”
13
We compared the hourly rates
per the contracts to the hourly rates billed on CARES invoices by labor category to determine whether
the rates charged were in accordance with the CARES Act, Section 3610. We identified 3 of the 25, or
12 percent of the invoices where the hourly rates billed on the CARES invoices exceeded the contract
rate. However, the CORs were able to justify the hourly rates billed on these invoices. These three
invoices were from cost contracts in which the rates varied from the stated contract rates. The CORs
were knowledgeable about the rate differences and noted that the CARES rates were lower than the
non-CARES rates, and the fee, if applicable, was separate, demonstrating that they had performed a
review of the rates. However, we also identified another three, or 12 percent of the invoices in which
we were unable to verify the hourly rates based on the documentation. The CORs were unable to
provide explanations to justify the hourly rates billed on these invoices. Two of the three invoices were
Firm-Fixed Price Level of Effort contracts. The labor rates billed agreed with the labor rates on the
contracts; however, the CORs stated that they were unsure if profit/fee was included in these rates.
For example, one contract manager stated that they thought some profit was built into the contract rate
but was not sure of the exact percentage or amount. The results of our analysis of the 25 invoices is
depicted in Figure 3 as follows:
13
In April 2020, a decision was made and communicated that profit/fee could not be reimbursed. See further discussion
in footnote 17.
7
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
As a result of our audit inquiry, the COR for one invoice reviewed the CARES billing to date for the
contractor and determined that there were fees included in the billing rates. In December 2021, the
Agency recovered $43,000 related to these mischarges.
In December 2021, the Agency recovered $43,000 related to [CARES
invoice] mischarges.
Questionable hours. The CARES Act, as implemented through ODNI guidance, states that
reimbursement is authorized not to exceed an average of 40 hours per week per employee. BM&A’s
COVID-19 Invoicing Guidelines, issued 17 April 2020, states that “hours billed in cumulative shall not
exceed an average of 40 hours per week per obligated FTE [full time equivalent] including sick leave
or other leave.” We reviewed invoice documentation to determine whether the hours billed exceeded
an average of 40 hours per week in accordance with the CARES Act and Agency guidance.
We identified two invoices in which the hours exceeded an average of 40 hours per week.
14
One invoice
had a period of service (POS) from 27 March through 7 June 2020. We determined there were 50
work days in that POS (excluding the government holiday) for an estimated total of 400 hours. There
were two individuals whose total hours per the CARES Hours Tracker were 472 hours and 432 hours
during this period, respectively. The COR was unable to provide an explanation for the hours. In
addition, the vendor provided an additional spreadsheet that broke out the CARES hours by month.
However, the CARES hours by month exceeded the possible work hours in the month for 12 out of 29
employees. The COR was unable to explain the CARES hours and admitted that this issue was not
noted or discussed with the COR-Technical (COR-T). The COR for another invoice stated that their
14
Since the CARES invoices did not provide details showing hours per week, we used the assumption that a 40-hour
work week equates to 8 hours per day. Eight hours was multiplied by the number of work days in the period of service (POS)
to get an estimate of the number of hours that would be reasonable for that POS.
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
8
review included ensuring that individuals were not charging more than 180 hours total as that was the
typical hours for this vendor’s invoices. However, the OIG determined that for the sampled invoice,
the COR did not question why 73 of 444 (16 percent) employees billed more than 200 total hours and
2 of those billed more than 200 CARES hours.
Questionable timeframe. The CARES Act states that a contractor may receive reimbursement if its
employees or subcontractor employees cannot perform work due to COVID-related closures or other
restrictions, as laid out in the introduction of this report. Although the CARES Act was extended
past 30 September 2020, CARES invoices should have been minimal after that point. We identified
28 invoices with a POS outside the CARES period or with no POS. We judgmentally selected 20 of
these invoices and identified 2 with questionable costs for a total of $738,000:
• One invoice for $11,000 had a POS beginning 16 March 2020, and the number of hours
billed was excessive for the CARES period, which should have started 27 March. The COR
stated that there were multiple changes to the guidelines going on at the time of this invoice
and that this was an oversight.
• Another invoice for $727,000 had a POS from 15 August through 25 September 2020. Given
the contractor’s work schedule during that timeframe, the OIG would expect that there were
approximately 14 work days in the POS for this invoice, which equates to approximately
112 hours per individual contractor. Twenty individuals billed CARES hours in excess of
112 hours, including two individuals with CARES hours in excess of 440 hours (see Figure
4 below). In addition, no (non-CARES) hours worked were reported. The COR did not
explain how they determined the accuracy of the CARES hours. The COR stated that they
were not familiar with this contract, but they had been reviewing invoices for someone who
was on extended COVID leave. The COR believed the excess hours were due to back hours
from subcontractors that bill later than the original invoice. Even though the invoice POS
was August through September, the invoice backup documentation provided by the COR
showed hours from March through September as all CARES hours. Since the invoice POS
included a period in which the contractor employees should have been working alternate
weeks, yet the invoice documentation showed no hours worked, it is unclear how the COR
monitored which employees were entitled to CARES leave and which were required to
report to work in order to ensure the accuracy of the invoice.
9
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
For the 25 invoices with concerns in our sample, the OIG interviewed the 22 CORs who approved the
CARES invoices, and based on our review of the available documentation and those interviews, we
questioned a total of $16,442,669, representing approximately 40 percent of the sample reviewed.
15
After discussions with CORs, the OIG identified the following problems with the process that may
have led to the more than $16 million in questionable costs related to the CARES invoices.
Guidance Constantly Evolving. The dynamic and prolonged nature of COVID-19 caused Section
3610 guidance to be continuously updated. From the time the CARES Act was passed on 27 March
2020, the implementation guidance was being updated and clarified through as late as December
2020. There were at least 10 memoranda issued by the Office of the Secretary of Defense, ODNI,
and the Office of Management and Budget (OMB) and over 25 ARC guidance documents, with each
providing additional clarification for agencies to implement the CARES Act. NSA management
tracked the changing guidelines and issued announcements to contractors and contracting personnel
through the ARC and internal NSA websites. Although 80 percent of the CORs interviewed stated that
the guidance they received from management regarding CARES invoices was helpful, the changing
guidance increased the risk for invoicing errors.
In addition, the required CARES invoice documentation was updated to reflect changes in guidance
that resulted in at least six versions of the Certification Memo and four versions of the CARES Hours
Tracker spreadsheet. Invoices were being submitted at the same time guidance was changing, making
15
Twenty-five questionable invoices are the result of 23 invoices from the original sample of CARES invoices from 27
March through 31 August 2020 and 2 questionable invoices from the sample of CARES invoices outside the CARES period.
(See Appendix A for more information on the two samples.)
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
10
it difficult for CORs and contractors to ensure they were using the most up-to-date guidance and
documentation. For example, due to unspecific initial guidance from OMB and DoD, the start date
for occurrence of labor costs reimbursable under Section 3610 was initially declared in a 9 April 2020
ARC announcement as 31 January 2020; however, due to evolving OMB guidance, the start date was
changed to 27 March 2020 just one week later.
16
Additionally, there was initial confusion regarding
whether fee/profit could be included in a Section 3610 reimbursement request.
17
Reduced Staffing to Review Increased Number of Invoices During COVID-19 Pandemic. During
the COVID-19 pandemic, the Agency developed procedures where other CORs would review invoices
in the event the primary/assigned COR was not available to review invoices. In addition to reduced
staffing of Agency personnel, there was also an increase in the number of invoices submitted because
contractors were required to submit separate invoices for CARES leave hours and actual work
performed in order to properly track CARES spending.
BM&A’s COVID-19 Invoicing Guidelines, issued 29 April 2020, stated that “designated BCMO [Business
and Contract Management Office] POCs [points of contact] will research invoices to determine if the
primary or alternate COR is [available]. For invoices without a present COR, the BCMO POCs shall
obtain reasonable knowledge and reasonable verification of all invoices.” The guidelines also stated
that “individuals approving invoices, other than regularly assigned CORs/AOs [Acceptance Officers],
will document the steps taken to gain reasonable verification in a Word document and attach to the
invoice in FACTS along with any supporting documentation utilized.”
18
Our sample did not contain
any invoices that were approved by someone other than an assigned COR. Fourteen of the 25 were
not approved by the primary COR but did have an assigned COR approval. Therefore, none of the
sample invoices had any additional documentation to support the verification of the sampled invoices.
During our interviews, one COR-T stated that they approved most of the non-CARES invoices for the
contract but felt that they were in a position to do that since they understand the nature of the work.
However, the COR-T stated they were unsure of the requirements for approving the CARES invoices
and would rather have not approved those invoices. They were asked to approve the CARES invoices
because they were working at the time the invoice needed approval. Another COR stated that there
was a two-to-three week delay between Accounts Payable receiving an invoice and sending the invoice
to the COR for review, so they felt their primary responsibility was ensuring the invoice was approved
or rejected as soon as it hit their queue.
19
Adequate review of CARES invoices requires knowledge of
16
See NSA CARES Act FAQs [Frequently Asked Questions], Revised, issued 14 April 2020; OMB M-20-22, Preserving the
Resilience of the Federal Contracting Base in the Fight Against the Coronavirus Disease 2019, issued 17 April 2020; the ARC COVID-
19 Invoice Guidelines, issued 17 April 2020; and ARC-Revised CARES Act Implementation Guidance, issued 20 April 2020.
17
An ARC announcement dated 9 April 2020 stated that “the minimum applicable billing rate may be fully loaded, and
inclusive of fee. Award fees will be calculated according to the applicable award fee plan.” However, on that same day, 9
April 2020, a Secretary of Defense memorandum stated that no contractor profit or fee is to be reimbursed. On 14 April
2020, an NSA CARES FAQs document announced the following revision: “In accordance with DPC [Defense Pricing and
Contracting] guidelines, profit/fee cannot be included.” On 22 April 2020, an ARC NSA CARES FAQs document noted
questions from contractors regarding fee/profit and requested assistance in removal of fee/profit from invoices, indicating
there was still confusion regarding fee/profit.
18
FACTS is the fully integrated financial management system that provides support to a variety of financial and business
functions.
19
According to Accounts Payable, the maximum number of days for receiving and sending an invoice to the COR for
review was 14 calendar days.
11
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
the contract, invoice details, and CARES requirements; therefore, reduced staffing increased the risk
that an error or mischarge on the invoice would not be caught.
Overreliance on Contractor-Provided Support. The OIG Audit of Cost-Reimbursement Contracts
(AU19-0010), issued 1 July 2021 (unclassified version released 20 October 2021), found that there was
an overreliance on contractor-provided reports. CORs were relying on contractor-provided monthly
reports to perform a cost review of invoices; however, in instances where the monthly reports did not
reconcile to the invoice amount, the CORs did not take steps to validate the difference. The OIG
found similar overreliance related to CARES supporting documentation.
Four of 20 (20 percent) of the CORs we interviewed stated that they relied on either the contractor’s
word or contractor-provided documents to verify the accuracy of the CARES invoices. In addition, two
CORs stated that they received no information from Occupational Health, Environmental and Safety
Services (OHESS) regarding those contractors who were on denied access due to testing COVID-
19 positive or being a close contact. Therefore, they were not able to verify that those individuals
were on denied access and relied on representations from the contractor. The CORs were under
the impression that information should have come from OHESS. However, according to BM&A
leadership interviewed by the OIG, they, along with the Office of the General Counsel, decided the
contractor Certification Memo was sufficient given the limitations on support the Agency could
request due to concerns about the dissemination of personally identifiable information and personal
medical information.
In addition, the Agency relied on self-certification by the contractor (discussed in the “Potential Fraud”
section of this report) that no other COVID-19 relief was received. Without an independent review or
determination as to the accuracy of contractor-provided documentation, there is an increased risk the
Agency was overcharged for CARES paid leave.
Absence of Clear and Comprehensive COR Oversight Procedures. Throughout April 2020, BM&A’s
evolving guidelines included the invoice verification process for government personnel. While the
guidance stated what costs are allowable under CARES and that no invoice will be paid if the COR
cannot obtain reasonable verification that the goods or services were received, the verification steps do
not include the COR determination that the CARES invoice amount was accurate. The verification
steps for reviewing invoices submitted under CARES ultimately included:
• Reviewing dates of the paid leave charges (27 March 2020 or later),
• Confirming the Excel document and certification statement were submitted as required,
and
• Ensuring that profit/fee is not included in charges.
These steps do not include instructions on how to verify the accuracy of the CARES hours or total
claim amounts submitted. In addition, the CARES Hours Tracker included the hourly rate per
individual and the number of hours but did not calculate total dollars. Based on our interviews with
CORs, they claim this made it difficult to compare the Hours Tracker to the e-invoice, and many CORs
did not notice there was a difference in amounts between the e-invoice and the Hours Tracker (see the
“Questionable Differences” section of this report for more detail). We asked the Contracting office
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
12
what type of review the COR was expected to perform to determine whether the hours and amount of
the invoice were accurate. They stated that the CORs are expected to perform a comparative analysis
to validate the number of hours from previous periods as well as the projection for the subject invoice
period. However, this type of analysis was not included in any invoice guidelines provided to the
CORs.
Previously Identified Inadequate COR Oversight. The Audit of Cost-Reimbursement Contracts
(AU19-0010) demonstrated that the Agency had inadequate oversight of the actual costs of cost-
reimbursement contracts due to vague and ineffective COR roles, responsibilities, and oversight
procedures. As a result, the OIG recommended that the Agency develop written procedures
documenting the COR process, including a standard governance structure and standard communication
processes among CORs to support the primary COR function. The OIG also recommended that
the Agency include invoice review responsibilities for all types of CORs and expressly address how
invoices are reviewed for accuracy and completeness (including rates and factors that comprise costs).
This recommendation, when implemented, should address the CARES invoice review deficiencies
identified by the OIG in this audit; therefore, we will not be making a separate recommendation in this
report. The recommendation is repeated below:
RECOMMENDATION AU-19-0010-1 [from the Audit of Cost-Reimbursement
Contracts (AU-19-0010)]
There were more than 2,000 CARES invoices rejected by NSA through October 2020. Accounts
Payable rejected the majority of the invoices due to incomplete or inaccurate supporting documentation;
however, we identified six invoices that were rejected by CORs:
• Four contractor employees charged CARES leave but the respective CORs determined that
the contractors were not in a “ready state.” Some examples under this category included
one contractor who had not yet been issued a badge and, therefore, could not access the
work site, and one contractor who had a health condition that qualified them as high risk
under COVID19.
• One COR stated that they rejected the invoice because the contractor billed for CARES
leave when the contractor was not scheduled to work.
• Another COR stated that the contractor billed hours past 26 September 2020 with no valid
reason for denied access.
13
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
In addition, CORs rejected another 86 invoices because the invoice period was outside of the CARES
time period, and 157 invoices were rejected because of either inaccurate or disputed billing or hours.
The majority, 75 percent, of COR rejections appeared to occur in June 2020 or later, which may
indicate that the reviews were improving as the guidance became clearer and/or more invoices were
reviewed. However, since the COR process is manual and not comprehensive or standardized, not
all CORs perform the same level of detailed review and there are not standards in place to ensure the
continuity of any improvement in this area.
OMB Memorandum 20-22 states:
The federal government’s aggressive response to COVID-19 included an unprecedented
economic relief package, including multiple mechanisms to support federal contractors and
their employees. To ensure relief achieves its desired impact and federal funds are not being
used to make multiple payments for the same purpose, agencies should take the following steps:
a) maintain mission focus and evaluate use of Section 3610 in the broader context of all
strategies to promote contractor resiliency;
b) follow restrictions in Section 3610;
c) work with the contractor to secure necessary documentation to support reimbursement
and prevent duplication of payment; and
d) track use of Section 3610.
The CARES Act requires the amount of reimbursement for paid leave to be reduced by the amount
of credit a contractor has received from other COVID-19 relief programs, such as the Family First
Coronavirus Relief Act (FFCRA) and the Paycheck Protection Program (PPP). However, the CARES
Act does not specify how agencies should vet whether a contractor received other COVID19 relief.
NSA created the Certification Memo for vendors to attest that they have not received and will not
receive credit for the hours for which they are requesting reimbursement. The memo requires vendors
to notify NSA if they do get credit after the fact to ensure the Government is able to recover improper
payments.
The PPP, managed by the Small Business Administration (SBA), provides loans to small businesses as
an incentive to keep their workers on payroll. If businesses meet certain requirements, they are eligible
for PPP loan forgiveness through the SBA. The OIG obtained the SBA PPP loan data for the period
of April through August 2020. We matched the vendors on the PPP loan data to the entire population
of Agency CARES invoices. We identified a number of vendors whose name and address matched
exactly in both data sets.
The SBA also provided other COVID-19 relief in the form of Economic Injury Disaster Recovery Loans
(EIDLs) and EIDL Advances. EIDLs provided relief for small businesses who were experiencing a
temporary loss of revenue in terms of a fixed interest rate loan with a 30-year term and 1-year deferred
payments. EIDL Advances were provided to businesses that were in low-income communities and
had a 30-percent reduction in revenue over an eight-week period up to a maximum of $15,000 and did
not have to be repaid. We matched the vendors on the EIDL data (both advances and loans) to the
entire population of Agency CARES invoices. We identified a number of matches on the business
name for the EIDL Advance data. While it is possible that the vendors used the PPP loans and EIDLs
and EIDL Advances for non-NSA employees, it does raise concerns about the contractor potentially
double dipping. This information was provided to the OIG Office of Investigations for further review.
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
14
In addition, contractors were eligible for COVID-19 relief through the FFCRA, Division G, which
provided tax credits to employers for paid sick and paid family and medical leave related to COVID19.
Division G allowed employers a credit against the Social Security Tax imposed (both employer and
employee portions) for each calendar quarter in an amount equal to 100 percent of the qualified sick
leave wages paid by the employer, subject to limitations. Without extensive interagency coordination,
the Agency and the OIG cannot conduct an analysis of tax credits to verify whether any NSA
contractors took advantage of these credits or potentially received duplicative payments as a result.
Because the Agency did not receive separate CARES funding to reimburse contractors for paid leave
and, therefore, had to use current contract funding to pay approximately $900 million in CARES
invoices, the OIG inquired as to how the Agency tracked CARES spending and assessed impacts on
mission and contract completion. We found the following:
Tracking CARES Spending. ODNI requested each agency to aggregate their total expenses incurred
attributed to the CARES Act. Resource Data Analytics was responsible for tracking CARES spending
for the Agency. Resource Data Analytics aggregated the CARES invoices by manually pulling each
CARES Hours Tracker spreadsheet to compile hours, and dollar amounts were pulled from FACTS.
Resource Data Analytics maintained a report of the CARES invoice data from March 2020. As of
8 June 2021, BM&A leadership reported to ODNI, and others, that the amount of CARES invoices
totaled $917 million for 81,000 CARES hours.
C
According to BM&A leadership, NSA has a higher
CARES cost than other IC agencies given that the nature of the work does not allow for many telework
opportunities. NSA reconstituted earlier than some other IC agencies, which, according to BM&A,
helped mitigate CARES Act costs.
Assessing Mission Impact. BM&A leadership stated that the NSA Director and Deputy Director
were aware of the potential for mission impacts due to the implementation of the CARES Act, but
made the decision that health and safety and maintaining a cleared contract workforce was worth
the risk. According to BM&A, the Agency was tracking and reporting CARES Act spending as well
as COVID-19 mission impacts. BM&A told the OIG that program managers worked to minimize
program impacts through requirement trade-offs, schedule delays, implementation of unclassified
telework, exhaustion of contract reserve funding, or recalling certain contractors early. BM&A
leadership stated that the greater mission impacts were due to other COVID-19 restrictions, such as
travel restrictions and deployment delays, rather than Section 3610 paid leave.
Additionally, NSA provided regular COVID-19 impacts to the Under Secretary of Defense as input
into their Defense Intelligence Enterprise COVID-19 Mission Impacts and reported the total monthly CARES
Act expenses to the IC Chief Financial Officer beginning in June 2020.
C
Subsequent to issuance of this report, the Agency indicated to the OIG that the total number of 81,000 CARES hours
was incorrect. The Agency informed the OIG that the correct total for the time period was 6.4 million hours; however
the OIG has not independently verified the accuracy of this revised number. The hours were included in the report as
background information and are not a basis for or relevant to the audit’s findings or recommendations. Moreover, because
the invoiced amounts may include other indirect costs, it would not be possible to determine an hourly rate from these totals.
15
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
Because of insufficient review of CARES Act invoices, the Agency may have incorrectly reimbursed
contractors for paid leave. Insufficient documentation and lack of COR oversight led the OIG to
question approximately 40 percent of the CARES invoices that we reviewed. Moreover, because the
Agency did not receive separate CARES funding, it used current contract funding, which, extrapolated
to the full amount of CARES invoices, could impact current and future contract work and mission
requirements.
RECOMMENDATION AU-20-0008-1
RECOMMENDATION AU-20-0008-2
RECOMMENDATION AU-20-0008-3
RECOMMENDATION AU-20-0008-4
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
16
III. RECOMMENDATIONS
RECOMMENDATION AU-20-0008-1
Perform a thorough review of OIG-sampled CARES invoices with questionable costs, and request
additional contractor documentation necessary to determine accuracy of CARES hours, rates, and
contractor status. If any charges are not allowed, recover as appropriate.
Page: 15
AGREE. The Primary CORs will perform a review of the OIG-sampled CARES invoices to determine
accuracy of CARES hours, rates, and contractor status. If any charges are not allowed, recover as
appropriate.
Implementing Organization: Business Contract Management Groups
OIG Analysis: The action planned meets the intent of the recommendation.
RECOMMENDATION AU-20-0008-2
For invoice 146201-CARES (contact 19-C-0057), ensure credit was received for the hours that the
contractor admitted to billing in error.
Page: 15
AGREE. A credit, in the amount of $2,355.92, was received on 7 February 2022 and approved on
1 March 2022.
Implementing Organization: Cybersecurity & Enterprise Discovery and Information and Intelligence
Analysis Contract Management.
OIG Analysis: CLOSED. Corrective action was taken before report publication and has been verified
by the OIG as sufficient to meet the intent of the recommendation.
RECOMMENDATION AU-20-0008-3
Perform a risk assessment of all CARES invoices and processes to determine, at a minimum, the
nature and extent of testing required to sufficiently identify unsupported payments.
Page: 15
17
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
AGREE. A risk assessment of all CARES invoices and processes to determine the extent of testing
required to identify unsupported payments will be conducted.
Implementing Organization: Business Contract Management Groups
OIG Analysis: The action planned meets the intent of the recommendation.
RECOMMENDATION AU-20-0008-4
Based on the results of Recommendation AU-20-0008-3, perform a review of CARES invoices to
ensure accuracy of CARES hours, billing rates, and contractor COVID-19 status, and, if necessary,
recover costs from inaccurate billing.
Page: 15
AGREE. Based on the results of recommendation AU-20-0008-3, the Primary CORs will review the
CARES invoices to ensure the accuracy of CARES hours, billing rates, and contractor COVID-19
status and, if necessary, recover costs from inaccurate billing.
Implementing Organization: Business Contract Management Groups and Office of Contracting
OIG Analysis: The action planned meets the intent of the recommendation.
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
18
APPENDICES
The objective of this audit was to determine whether NSA economically, effectively, and efficiently
implemented Section 3610 of the CARES Act.
Fieldwork for this audit was conducted from July 2020 through July 2021. The scope of the audit was
CARES Act requests for reimbursement and payments.
We reviewed written processes, procedures, and other documentation for adequate controls. We
conducted interviews of personnel in Accounts Payable, Contracting, BM&A leadership, and CORs
across multiple directorates who are responsible for or have specified roles in CARES Act, Section 3610
reimbursement.
We performed data analytics of the CARES invoices to include:
• A review of vendors submitting both CARES and non-CARES invoices for the same time
period,
• A comparison of historical vendor payments to CARES invoices, and
• A search for CARES invoices for goods-only contracts.
We conducted this performance audit in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
We received a population of CARES Act reimbursement payments from 27 March 2020 through
31 August 2020 from the Contracting office.
20
We selected a random sample of contracts from each of
the six contract types (i.e., Time & Materials, Cost Plus Fixed Fee, Cost, Cost Plus Award Fee, Labor
Hour, Firm-fixed Price). The number of contracts we randomly selected from each contract type was
judgmental based on the number of invoices for a total of 25 sampled invoices totaling approximately
20
There were a total of 2,145 CARES invoices submitted to the Agency from 27 March 2020 through 31 August 2020.
19
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
$37.9 million. We also judgmentally selected an additional 20 invoices, totaling $3.23 million, from
a population of CARES invoices with a POS prior to 31 March 2020 or after 30 September 2020
(the initial CARES period). For each invoice, we reviewed supporting documentation, including the
CARES Act invoice and backup documentation, signed Certification Memo, CARES Hours Tracker
spreadsheet, and COR approvals. We also met with CORs responsible for reviewing and approving
CARES invoices.
We used computer-processed data from FACTS to select a population of CARES invoices. We used
data from the eCPRL tool and COR tool to assist our review of the invoices. We did not attempt to
assess the completeness of FACTS, the eCPRL tool, or the COR tool because it was not relevant to
the context of our audit. Our testwork involved tracing invoices from the FACTS population to source
documents. In addition, any inconsistencies or issues noted with the eCPRL or COR tools were
followed up by interviews with CORs.
There was no previous OIG coverage of this topic.
Public Law 116-136, Coronavirus Aid, Relief, and Economic Security Act, Section 3610, issued
27 March 2020, permits federal agencies, under certain circumstances, to modify terms of existing
contracts or agreements and to reimburse federal contractors’ compensation due to COVID-19 related
issues.
Defense Federal Acquisition Regulation Supplement 231.205-79(a)(1)(i), CARES Act Section
3610 Implementation, issued 8 April 2020, provides a framework for CARES Act, Section 3610
implementation.
Office of Management and Budget Memo M-20-18, Managing Federal Contract Performance Issues
Associated with the Novel Coronavirus, issued 20 March 2020, identifies steps to help ensure the safety of
federal contractors while maintaining continued contract performance in support of agency missions,
wherever possible.
Office of Management and Budget Memo M-20-22, Preserving the Resilience of the Federal Contracting
Base in the Fight Against the Coronavirus Disease 2019, issued 17 April 2020, provides supplemental
guidance for the implementation of CARES Act, Section 3610.
Office of Management and Budget Memo M-20-27, Additional Guidance on Federal Contracting
Resiliency in the Fight Against the Coronavirus Disease, issued 14 July 2020, provides additional guidance
that further addresses the resiliency of the federal acquisition workforce and federal contractors who
support agency missions.
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
20
Office of the Under Secretary of Defense Memo 2020-00013, Class Deviation – CARES Act Section
3610 Implementation, issued 8 April 2020, provides a framework for CARES Act, Section 3610
implementation.
Office of the Under Secretary of Defense Memo, Implementation Guidance for Section 3610 of the CARES
Act, issued 9 April 2020, provides supplemental guidance for the implementation of the CARES Act,
Section 3610.
Office of the Under Secretary of Defense Memo, Assessment of Other COVID-19 Related Impacts and
Costs, issued 2 July 2020, provides guidance on the assessment of costs and delays due to COVID-19.
Office of the Director of National Intelligence for Enterprise Capacity, IC Guiding Principles for
the IC Acquisition & Procurement Community on Implementation of the CARES Act, issued 3 April 2020,
provides the IC community with guiding principles to address procurement issues during pandemic
mitigation.
NSA/CSS Policy Manual 4-19, Health and Safety of the Workforce, issued 30 October 2020, establishes
standards and procedures to ensure the health and safety of NSA/CSS affiliates and contractors who
have been exposed to or are in danger of being exposed to a communicable disease in the event of a
declared public health emergency.
NSA/CSS COVID-19 webpage provides continuously updated guidance for NSA contractors.
As part of the audit, we assessed the internal control environment as outlined in NSA/CSS
Policy 73, Managers’ Internal Control Program, issued 17 October 2016. We focused on internal controls
when assessing processes and procedures for the implementation of CARES Act, Section 3610. We
reviewed the vulnerability and process assessment for Accounts Payable. We did not identify any
significant control deficiencies pertaining to this audit. Through interviews, reviews of procedures,
and testing, we assessed the control environment, risk assessment, control activities, information and
communication, and monitoring, and found there is a lack of controls to ensure the accuracy of
CARES reimbursement payments.
21
AU-20-0008
Audit of the Implementation of the CARES Act, Section 3610
IC
AO Acceptance Officer
ARC Acquisition Resource Center
BCMO Business and Contract Management Office
BM&A Business Management & Acquisition
CARES Coronavirus Aid, Relief, and Economic Security
CO Contracting Officer
COR Contracting Officer Representative
COR-T Contracting Officer Representative - Technical
COVID-19 Coronavirus Disease 2019
CSS Central Security Service
DoD Department of Defense
ECI Electronic Commerce Interface
eCPRL Electronic Contractor Position Roster Log
EIDL Economic Injury Disaster Recovery Loan
FFCRA Family First Coronavirus Relief Act
FMR Financial Management Regulation
FTE Full time equivalent
Intelligence Community
MPO Maryland Procurement Office
NSA National Security Agency
ODNI Office of the Director of National Intelligence
OHESS Occupational Health, Environmental and Safety Services
OIG Office of the Inspector General
OMB Office of Management and Budget
POC Point of contact
POS Period of service
PPP Paycheck Protection Program
SBA Small Business Administration
Audit of the Implementation of the CARES Act, Section 3610
AU-20-0008
22
OFFICE OF THE INSPECTOR GENERAL
How to Reach Us
HOTLINE
