This is the accessible text file for GAO report number GAO-06-1117 entitled 'Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity' which was released on September 28, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Joint Report by the United States Government Accountability Office and the Office of the Inspector General--Department of Homeland Security to Congressional Committees: September 2006: Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity: GAO-06-1117: GAO Highlights: Highlights of GAO-06-1117, a report to congressional committees Why GAO Did This Study: In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government’s response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations. Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS’s control environment and management of purchase card usage were effective; (2) DHS’s key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS. What GAO Found: A weak control environment and breakdowns in key controls exposed DHS to fraud and abuse in its use of the purchase card. While DHS’s draft Purchase Card Manual generally contained effective control procedures, it was not finalized due to a lack of leadership by the Chief Financial Officer in resolving disagreements over its implementation. This led to DHS cardholders following different procedures. Inadequate staffing, insufficient training, and ineffective monitoring, along with inconsistent purchase card policies contributed to a weak control environment and breakdowns in specific key controls. GAO and DHS OIG found a lack of documentation that key purchase card internal controls were performed. Based on a statistical sample, GAO and DHS OIG estimated that 45 percent of DHS’s purchase card transactions were not properly authorized, 63 percent did not have evidence that the goods or services were received, and 53 percent did not give priority to designated procurement sources. GAO and DHS OIG also found cardholders who failed to dispute improper charges, which resulted in losses to the federal government. Because of the urgent needs caused by the hurricanes, DHS made a number of noncompetitive purchase card acquisitions. GAO recognizes that DHS had the authority to make noncompetitive purchases; however, GAO found transactions where DHS cardholders could have exercised greater prudence without jeopardizing relief efforts. The weak control environment and ineffective internal control activities allowed potentially fraudulent, improper, and abusive or questionable transactions to occur. Although this work was not designed to identify, and we cannot determine the full extent of fraud, waste, and abuse, GAO and the DHS OIG identified numerous examples of potentially fraudulent, improper, and abusive or questionable transactions. The table below lists examples of potentially fraudulent activity related to items acquired with DHS purchase cards. In addition, poor control over accountable property acquired with purchase cards may have resulted in lost or misappropriated assets. Table: Examples of Potential Fraud: Item Purchased: Lap Tops (FEMA); Description: Over 100 missing and presumed stolen; Amount of transaction: $300,000. Item Purchased: Boast (FEMA); Description: Unauthorized use of card by a vendor; Amount of transaction: $208,000. Item Purchased: Printers (FEMA); Description: Over 20 missing and presumed stolen; Amount of Transaction: $84,000. Item purchased: Lap Tops (Coast Guard); Description: 3 missing and reported stolen; Amount of transaction: $8,000. Source: GAO and DHS OIG investigation. [End of Table] GAO and DHS OIG also found examples of improper use of the purchase card such as the use of convenience checks to pay $460,000 for pre- packaged meals. Other instances of abusive or questionable transactions included the purchase of a beer brewing kit, a 63-inch plasma television costing $8,000 which was found unused in its original box 6 months after being purchased, and tens of thousands of dollars for training at golf and tennis resorts. GAO referred cardholders responsible for many of these and other purchases to DHS management for administrative action. What GAO Recommends: To provide reasonable assurance that fraud, waste, and abuse related to the use of purchase cards is minimized, GAO recommends that DHS (1) make changes to the draft purchase card manual and issue a final, agencywide version (2) establish policies and procedures to ensure more effective oversight and enforcement of the purchase card program. DHS concurred with all of our recommendations. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-1117]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Greg Kutz at (202) 512- 7455 or kutzg@gao.gov or Matthew Jadacki at (202) 254-4100 or matt.jadacki@dhs.gov. [End of Section] Contents: Letter: Overview of Testimony: Conclusions: Recommendations for Executive Action: Agency Comments: Appendixes: Appendix I: Testimony GAO-06-957T: Appendix II: Comments from the Department of Homeland Security: Abbreviations: DHS: U.S. Department of Homeland Security: DHS OIG: U.S. Department of Homeland Security Office of Inspector General: FEMA: Federal Emergency Management Agency: GSA: General Services Agency: September 28, 2006: Congressional Committees: On July 19, 2006, GAO testified before the Committee on Homeland Security and Governmental Affairs on the results of our audit and investigation of purchase card transactions at the Department of Homeland Security (DHS) for the 5-month period beginning in June 2005.[Footnote 1] The General Service Administration's SmartPay® purchase card program has proven to be a valuable tool for the government by providing federal agencies and their employees a more flexible and efficient way to purchase commercial goods and services. However, to ensure the most effective use of the purchase card, federal agencies must foster a strong control environment and establish sound internal controls related to the use of the card. To this end, agencies must establish policies and procedures that ensure appropriate oversight of their purchase card programs. Our work focused on determining whether (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive or questionable purchase card activity existed at DHS. This report summarizes the GAO testimony, which is reprinted in appendix I, and makes specific recommendations for corrective actions. We hope that these recommendations; the criminal referrals we provided to the Katrina Fraud Task Force, the Coast Guard Investigative Service, and the Federal Bureau of Investigation; as well as the administrative referrals we provided to DHS serve to assist DHS in its ongoing effort to improve the purchase card program. We conducted our audit work from November 2005 through June 2006 in accordance with U.S. generally accepted government auditing standards. We performed our investigative work in accordance with standards prescribed by the President's Council on Integrity and Efficiency. Overview of Testimony: In our testimony, we stated that a weak control environment and breakdowns in key controls exposed DHS to fraud, waste, and abuse in its purchase card program. While DHS's draft Purchase Card Manual generally incorporated adequately designed controls, disagreements among DHS organizational elements concerning the implementation of the manual prevented a final copy from being issued. As a result of DHS not finalizing the Purchase Card Manual and not making it applicable to all organizational elements within DHS, a weak control environment resulted where cardholders adopted inconsistent and inadequate purchase card practices. For example, some cardholders at the U.S. Coast Guard believed that obtaining written authorization prior to purchase was required while others did not. The testimony described how inadequate staffing and ineffective monitoring contributed to a weak control environment, which, in addition to the prevalence of thousands of unused purchase cards, left DHS vulnerable to fraud, waste, and abuse. DHS had roughly 13,900 purchase cards but failed to assign sufficient resources to manage its purchase card program as evidenced by the fact that we found numerous instances where approving officials assumed oversight responsibilities for an excessive number of cardholders. We found, for example, three approving officials who were responsible for more than 30 cardholders each. In contrast, GAO has issued an audit guide[Footnote 2] prescribing that the ratio of cardholders to approving officials should not exceed seven to one. As an example of ineffective monitoring, we found that the U.S. Coast Guard has only one individual responsible for administering and overseeing its purchase card activity, which totaled over $227 million in goods and services with their purchase cards in fiscal year 2005. Further, our testimony showed that we were unable to obtain evidence to confirm that DHS is providing appropriate training to enable cardholders to be aware of and follow internal controls related to use of the purchase card. We found that for 60 of the 96 transactions in our statistical sample, the cardholder lacked documentation showing that they received either the required initial training or the refresher training. Without adequate training, DHS can not expect cardholders and approving officials to understand and comply with purchase card policies, thus elevating the risk associated with card usage. Our testimony also described DHS's failure to conduct timely and effective postpayment audits. The postpayment audit is conducted by DHS after cardholders have made purchases and requires that cardholders submit purchase-related documentation for transactions selected for audit. We also found that DHS failed to suspend cards and discipline cardholders who did not provide the required supporting documentation for audit. Without a strong postpayment audit process, DHS is not able to obtain reasonable assurance that purchases are valid and appropriate, which needlessly exposes DHS to additional risk of fraud, waste, and abuse. GAO and DHS's Office of Inspector General (DHS OIG) performed statistical testing on purchase card transactions and identified weak implementation of several key internal controls. On the basis of a statistical sample of DHS's purchase card transactions for a 5-month period beginning in June 2005, we estimated that 45 percent lacked prior written authorization, 8 percent failed to provide required sales documentation, 63 percent lacked documentation evidencing proper receipt and acceptance, and 53 percent did not give priority to designated sources. Our work also identified specific incidents of (1) potentially fraudulent, (2) improper, and (3) abusive or questionable purchases made by DHS cardholders. A U.S. Coast Guard employee potentially committed fraud by misappropriating laptops and then falsifying records to hide the fraud. As an example of an improper purchase, we identified an instance where a DHS cardholder failed to dispute an improper transaction in a timely manner, resulting in losses to the federal government of $153,000. Also, a U.S. Coast Guard cardholder used his purchase card to acquire a beer brewing kit--a questionable use of taxpayer money. Further, we found purchases where DHS cardholders failed to adopt prudent pricing practices, resulting in waste of government funds. Although DHS had the authority to make noncompetitive purchases in response to the hurricanes in the Gulf Region, GAO identified instances where DHS cardholders could have saved the government money by purchasing items from GSA vendors, or by using the government's substantial purchasing power to negotiate better pricing and or delivery terms. In one case, a Federal Emergency Management Agency (FEMA) cardholder used his purchase card to acquire flat-bottom boats at double the retail price. We also found unnecessary purchases due to procurement problems. For example, a FEMA cardholder unnecessarily purchased items totaling $68,000 that was inadvertently included on a provision list. Although these procurement problems are not isolated to purchase card acquisitions, they do represent examples in which DHS cardholders used the government purchase card and wasted tax dollars. Finally, our testing found many instances where assets acquired using the purchase card were not promptly or accurately entered into a property tracking system. The way DHS used purchase cards to acquire accountable property allowed for such assets to be susceptible to the risk of not being properly tracked in the property system. As a result, we found a significant number of assets that DHS could not locate. By not following procedures to appropriately track assets in a property system, DHS is subject to greater risk of misappropriation of its assets. Of the 433 assets we attempted to locate and which were obtained with DHS purchase cards, 154 could not be located by GAO or DHS (e.g., boats, laptops, and printers). Conclusions: The purchase card has proven to be a valuable tool for the government to purchase commercial goods and services. However, empowering approximately 14,000 DHS cardholders with purchasing authority, while not implementing effective controls and performing adequate management oversight, allowed potentially fraudulent, improper, and abusive or questionable usage of purchase cards to go undetected. Many of the transactions we highlighted as examples of misuse of the purchase card in our testimony were related to hurricane response efforts in the Gulf Region, demonstrating that the government is particularly vulnerable when purchase cards are used during times of disaster and even more so if an effective internal control structure is not in place and faithfully implemented. Taking immediate actions to improve its purchase card program will help DHS maximize the value and benefit of the purchase card program and provide reasonable assurance that fraud, waste, and abuse are minimized. Recommendations for Executive Action: To provide reasonable assurance that fraud, waste, and abuse related to DHS's purchase card program are minimized and that government assets acquired with purchase cards are controlled, we are making six recommendations. Specifically, we recommend that the Secretary of DHS take the following actions: * Implement changes to DHS's draft Purchase Card Manual to include policies and procedures addressing the four areas detailed below. After implementing the changes, the Purchase Card Manual should be finalized agencywide. - Training: Establish policies and procedures that document that all cardholders have completed the appropriate training. The documentation should include the date of the training, a description of the training, and the name of the recipient of the training. - Independent Receipt and Acceptance: Develop policies and procedures for the performance and documentation of independent receipt and acceptance attesting to the receipt of goods or the complete rendering of services. This documentation would be maintained along with other required documentation supporting each transaction. - Accountable Property: Develop policies and procedures to provide reasonable assurance that highly pilferable assets such as laptop computers, cell phones, personal digital assistants, memory storage devices, and other pilferable property acquired with a purchase card are entered into an accountable property system immediately after being received. Cardholders should be required to contact accountable property officers (or others acting in a similar capacity) before acquiring accountable property, or within a reasonable time thereafter, so that the property is properly bar coded and tracked in the property system. This should be completed prior to placement of the asset in service. The property system should include accurate information on the location of the asset, the individual responsible for the asset, the manufacturer's serial number, as well as the agency's unique identification code for the asset (e.g., a bar code). - Disciplinary or Administrative Actions: The agency should develop a range of potential disciplinary and administrative actions that may occur as a result of a cardholder or others failing to comply with the policies and procedures in the Purchase Card Manual. * Improve the existing electronic systems to allow those with oversight responsibilities the ability to determine if cardholders and approving officials performed their reconciliation and certifying duties in a meaningful way. * Conduct a review to determine if adequate resources are devoted to administering, maintaining, and enforcing the purchase card program at both the agency level and the organizational element level. DHS should further develop specific oversight responsibilities that need to be carried out at both the agency level and at the organizational element level. * Adopt prudent purchasing practices by entering into arrangements with dependable sources in the government or vendors who can provide reasonable pricing for specific goods and services with a foreseeable demand in the event of an emergency. In anticipation of future emergencies, DHS should take the following actions: - Identify specific sources in the federal government or vendors in the private sector that can reliably supply the necessary goods and services for DHS to accomplish its mission in emergency situations. - In the case of vendors in the private sector, negotiate pricing and delivery terms with these sources using the federal government's substantial purchasing power so that in a time of crisis DHS will be able to efficiently obtain the necessary goods and services. * Develop policies and procedures to limit approving officials' span of control. The number of cardholders and card accounts that any one approving official is responsible for should be reasonable and should be established in consideration of the approving official's other responsibilities. In addition, approving officials should have an appropriate number of transactions so that they may conduct a thorough and proper review of supporting documentation for each transaction. * Continuously monitor and review open accounts to provide reasonable assurance that only cardholders who have a documented need to acquire items for the government are issued a purchase card. Instances where cards have not been used for over a year should be analyzed to determine if a valid need for the card exists. If a valid need can not be established, the purchase card should be suspended or the account closed. Agency Comments: In written comments dated September 15, 2006, on a draft of this report, DHS concurred with all of our recommendations. In the comments, which are reprinted in appendix II, DHS stated that it has incorporated the relevant changes into its Purchase Card Manual and offered additional details on the actions it has taken or which it plans to take in the near future. Specifically, DHS offered the language it had added to the draft Purchase Card Manual relating to: training; independent receipt and acceptance; tracking of accountable property; disciplinary and administrative actions; and approving official span-of-control. Furthermore, and importantly, DHS issued the finalized DHS Purchase Card Manual on September 15, 2006, after incorporating the recommended changes. For other recommendations, DHS stated that it is working to develop policies and procedures to enhance its purchase card control environment. For example, DHS said it is working with its purchase card vendor to incorporate specific control activities into the automated system which will address the validity of cardholder reconciliations and approving official certifications. As agreed with your offices, we will send copies to interested congressional committees and the Office of the Chief Financial Officer at DHS. We will make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. Please contact Gregory Kutz at (202) 512-7455 or kutzg@gao.gov, or Matt Jadacki at (202) 254-4100 or matt.jadacki@dhs.gov if you or your staffs have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Signed by: Gregory D. Kutz: Managing Director: Forensic Audits and Special Investigations: Signed by: Matthew Jadacki: Special Inspector General: Department of Homeland Security: List of Committees: The Honorable Susan M. Collins: Chairman: The Honorable Joseph I. Lieberman: Ranking Minority Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Charles E. Grassley: Chairman: The Honorable Max Baucus: Ranking Minority Member: Committee on Finance: United States Senate: The Honorable Tom Davis: Chairman: The Honorable Henry A. Waxman: Ranking Minority Member: Committee on Government Reform: House of Representatives: The Honorable Harold Rogers: Chairman: The Honorable Martin Olav Sabo: Ranking Minority Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: The Honorable Michael McCaul: Chairman: The Honorable Bob Etheridge: Ranking Minority Member: Subcommittee on Investigations: Committee on Homeland Security: House of Representatives: The Honorable Anthony Weiner: House of Representatives: [End of section] Appendix I: Testimony GAO-06-957T: This is the accessible text file for GAO report number GAO-06-957T entitled 'Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity' which was released on July 19, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Senate Homeland Security and Governmental Affairs Committee: For release on Delivery Expected: 10:00 a.m. EST: Wednesday, July 19, 2006: Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity: Statement of Gregory D. Kutz, Managing Director: Forensic Audits and Special Investigations: John J. Ryan, Assistant Director: Forensic Audits and Special Investigations: GAO-06-957T: GAO Highlights: Highlights of GAO-06-957T, a testimony before the Committee on Homeland Security and Governmental Affairs, U.S. Senate, Why GAO Did This Study: In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government’s response to those events. Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane rescue and relief operations. GAO, working with DHS OIG, interviewed DHS personnel and reviewed purchase card policies and procedures to assess the control environment. GAO and DHS OIG conducted statistical tests from a random sample of transactions and performed data mining on all DHS purchase card transactions for a 5-month period beginning in June 2005. GAO and DHS OIG looked at all transactions in this period because the database did not distinguish hurricane related from routine purchases. GAO and DHS OIG used the testing results to determine the extent of control weaknesses and identify instances of fraud, waste, and abuse. This testimony addresses whether (1) DHS’s control environment and management of purchase card usage were effective; (2) DHS’s key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) indications existed of potentially fraudulent, improper, and abusive or questionable purchase card activity at DHS. What GAO Found: A weak control environment and breakdowns in key controls exposed DHS to fraud and abuse in its use of the purchase card. While DHS’s draft Purchase Card Manual generally contained effective control procedures, it was not finalized due to a lack of leadership by the CFO in resolving disagreements over its implementation. This led to DHS cardholders not following the same procedures. Inadequate staffing, insufficient training, and ineffective monitoring also contributed to the weak control environment. The weak control environment and inconsistent purchase card policies contributed to breakdowns in specific key controls. GAO and DHS OIG found a lack of documentation that key purchase card internal controls were performed. Based on a statistical sample, GAO and DHS OIG estimated that 45 percent of DHS’s purchase card transactions were not properly authorized, 63 percent did not have evidence that the goods or services were received, and 53 percent did not give priority to designated sources. GAO and DHS OIG also found cardholders who failed to dispute improper transactions, which resulted in losses to the federal government. Because of the urgent needs caused by the hurricanes, DHS made a number of noncompetitive purchase card acquisitions. GAO recognizes that DHS had the authority to make noncompetitive purchases; however, GAO found transactions where DHS cardholders could have exercised greater prudence without jeopardizing relief efforts. The weak control environment and ineffective internal control activities allowed potentially fraudulent, improper, and abusive or questionable transactions to occur. Although this work was not designed to identify, and we cannot determine, the full extent of fraud, waste, and abuse, GAO and DHS OIG identified numerous examples of potentially fraudulent, improper, and abusive or questionable transactions. The table below lists the potentially fraudulent activity related to items acquired with DHS purchase cards. In addition, poor control over accountable property acquired with purchase cards may have resulted in lost or misappropriated assets. Table: Examples of Potential Fraud: Item Purchased: Lap Tops (FEMA); Description: Over 100 missing and presumed stolen; Amount of transaction: $300,000. Item Purchased: Boast (FEMA); Description: Unauthorized use of card by a vendor; Amount of transaction: $208,000. Item Purchased: Printers (FEMA); Description: Over 20 missing and presumed stolen; Amount of Transaction: $84,000. Item purchased: Lap Tops (Coast Guard); Description: 3 missing and reported stolen; Amount of transaction: $8,000. Source: GAO and DHS OIG investigation. [End of Table] GAO and DHS OIG also found examples of improper use of the purchase card such as the use of convenience checks to pay $460,000 for pre- packaged meals. Further, they found instances of abusive or questionable transactions that included the purchase of a beer brewing kit, a 63” plasma television costing $8,000 which was found unused in its original box 6 months after being purchased, and tens of thousands of dollars for training at golf and tennis resorts. GAO intends to refer the cardholders responsible for many of these and other purchases to DHS management for administrative action. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-957T]. To view the full product, click on the link above. For more information, contact Gregory D. Kutz at (202) 512-7455 or kutz@gao.gov and Matthew A. Jadacki at (202) 254-5477 or matt.jadacki@dhs.gov. [End of Section] Madam Chairman and Members of the Committee: Thank you for the opportunity to discuss the results of the forensic audit and investigation of the Department of Homeland Security's (DHS) purchase card program, a joint audit by GAO and DHS's Office of Inspector General (DHS OIG). This joint audit is one among a number of audits and investigations that GAO and DHS OIG initiated in the wake of Hurricanes Katrina and Rita to review the effectiveness of the federal government's disaster response. A crucial tool DHS used to expedite the government's response to the two disasters was the SmartPay® purchase card program, a program implemented to provide federal agencies and their employees a more flexible and efficient way to purchase commercial goods and services. GAO and DHS OIG support the use of a well-controlled purchase card program, which our experience shows reduces transaction processing costs and provides agencies with flexibility to achieve their mission objectives. This testimony builds on GAO's substantial experience in identifying fraud, waste, and abuse in government purchase card programs (see app. I for previous audit reports) and DHS OIG's significant experience auditing one of our nation's largest federal agencies. With the creation of DHS in 2002,[Footnote 1] the management of thousands of purchase cardholders from 22 separate federal agencies was combined under one umbrella program, the DHS Purchase Card Program. The legacy agencies such as the Federal Emergency Management Agency (FEMA), the U.S. Coast Guard (Coast Guard), and the U.S. Customs and Border Protection (CBP) are now referred to as DHS organizational elements. During fiscal year 2005, these organizational elements accumulated more than $420 million in charges, ranking DHS among the top purchase card users in the federal government. In response to Hurricanes Katrina and Rita, DHS made thousands of purchase card transactions to buy goods and services for hurricane rescue and relief operations. For Katrina- related procurements, Congress authorized an increase to the micropurchase threshold from $2,500 to $250,000.[Footnote 2] When making micropurchases, authorized cardholders are not required to solicit competitive bids if they consider the price to be reasonable. For further details on the DHS purchase card program, see appendix II. Our testimony today addresses whether (1) DHS's control environment and management of the purchase card program were effective; (2) DHS's key control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) indications existed of potentially fraudulent, improper, and abusive or questionable activity related to items acquired with DHS purchase cards.[Footnote 3] Following this testimony, we plan to issue a joint report with recommendations to DHS for improving internal controls over its purchase card activities. The scope of our joint audit covered all DHS purchase card transactions from June 13, 2005, through November 12, 2005. We selected all transactions during this period because we could not distinguish between routine and hurricane-related purchases in the database provided by U.S. Bank (DHS's purchase card contractor). To assess the design and implementation of controls over purchase card transactions, we conducted interviews of purchase card administrators and compared DHS's purchase card policies and procedures to the Office of Management and Budget's (OMB) Circular No. A-123, GAO's Standards for Internal Controls in the Federal Government (Standards for Internal Controls) and to the best practices for purchase card programs outlined in GAO's Audit Guide: Auditing and Investigating the Internal Control of Government Purchase Card Programs (GAO's Audit Guide). Using purchase card data provided by U.S. Bank, we conducted statistical tests from a random sample of transactions and performed other audit work to evaluate the design and implementation of key internal control activities. We also performed data mining on the transactions to determine whether there were potentially fraudulent, improper, abusive, or questionable activities related to the purchase card program. Our data mining efforts included reviewing and analyzing transactions to determine whether split payments occurred,[Footnote 4] whether DHS maintained appropriate controls over property accountability, and whether DHS was able to leverage the hundreds of millions of dollars it spends with a purchase card to obtain favorable pricing from frequently used vendors, among others. We used forensic audit and investigative techniques to determine if the purchase card was used in a potentially fraudulent manner. Although we did identify some potentially fraudulent, improper, and abusive or questionable transactions, our work was not designed to identify, and we cannot determine, the extent of fraudulent, improper, and abusive or questionable transactions. See appendix III for further details on our scope and methodology. We conducted our audit work from November 2005 through June 2006 in accordance with U.S. generally accepted government auditing standards. We performed our investigative work in accordance with standards prescribed by the President's Council on Integrity and Efficiency. We briefed DHS on the details of our work, including our scope, and methodology and our findings. Summary: A weak control environment and breakdowns in key internal controls exposed DHS to fraud, waste, and abuse in its purchase card program. Our review of DHS's draft Purchase Card Manual (draft manual) found that the draft manual generally incorporated well-designed internal controls for an agencywide purchase card program that were consistent with OMB's Circular No. A-123, GAO's Standards for Internal Controls, and the best practices for purchase card programs outlined in GAO's Audit Guide.[Footnote 5] However, according to representatives from the Office of the Chief Financial Officer, the draft manual was not issued in its final format due to ongoing disagreements with DHS organizational elements over its implementation. Without a final policy, DHS organizational elements adopted inconsistent purchase card practices. Some organizational elements followed purchase card policies from their legacy agencies, others observed requirements from the draft DHS policy, and yet others relied on a combination. Overall, we found that a lack of leadership in finalizing the draft manual, inadequate resources devoted to the purchase card program, insufficient training, and ineffective monitoring and oversight each contributed to a weak control environment. We also found weaknesses in specific key control activities over purchase card transactions. Specifically, we found a lack of documentation that required internal controls over purchase card transactions were performed. Based on our sample of DHS purchase card transactions, we estimated that 45 percent did not have prior written authorization, 8 percent did not provide required sales documentation, 63 percent did not have evidence that the goods or services were actually received, and 53 percent did not give priority to required or preferred vendors (designated sources). We also found instances where DHS cardholders failed to dispute improper transactions, resulting in losses to the federal government from improper and potentially fraudulent purchases. Further, DHS did not invoke the special authority provided to increase the threshold for micropurchases from $2,500 to $250,000. Instead, DHS invoked other clauses in the Federal Acquisition Regulations (FAR) to make noncompetitive purchases under existing procurement authority. While we recognize that DHS has authority to make such noncompetitive purchases under the FAR, we identified transactions where DHS cardholders could have obtained better pricing without jeopardizing relief efforts or where the purchase was unnecessary. Later in our testimony, we identify examples of poor pricing and unnecessary purchases, but also highlight instances where the cardholder acted prudently to obtain the best pricing. The weak control environment and weak implementation of specific internal control activities allowed potentially fraudulent, improper, abusive, or questionable transactions to go undetected. In one potential fraud case, ineffective procurement practices resulted in DHS paying double the retail price for 20 flat-bottom boats. The vendor in this case improperly used the DHS purchase card number to purchase boats from retailers before reselling them to DHS. In another potentially fraudulent case, breakdowns in property accountability controls allowed a DHS employee to submit falsified records related to three stolen laptops. As an example of improper use of a purchase card, we identified a cardholder who used convenience checks to pay a vendor who normally accepted credit cards but who did not want to pay credit card transaction fees for a large purchase--in which case the cardholder violated DHS policy. As a result of this policy violation, the DHS incurred $8,000 in unnecessary processing fees related to the use of convenience checks. Other cardholders abused their purchase card privileges or made questionable purchases. For example, one cardholder purchased a beer brewing kit and ingredients to brew beer for official parties. Another cardholder, based on questionable need, purchased a Samsung 63-inch plasma screen television for about $8,000 at the end of the fiscal year. We observed this large-screen television unused and in its original packaging 6 months after it was purchased. In cases where appropriate, we plan to refer cardholders responsible for these and other purchases to DHS management for possible administrative action. We also found instances where items acquired with a DHS purchase card highlight weaknesses in DHS's inventory control and procurement practices that led to potentially fraudulent and abusive or questionable activity. For example, over 100 laptops were lost or misappropriated when shipped to New Orleans as part of the relief efforts. The above examples of potential fraud, improper use of the purchase card, and abusive or questionable activity relating to items acquired with DHS purchases cards are further detailed below. Weaknesses in DHS's Overall Control Environment Contributed to Ineffective Purchase Card Program Controls: DHS has not established an effective internal control environment to manage its government purchase card program. Specifically, for the last two years, DHS did not finalize its departmentwide purchase card policy that detailed the internal control policies and procedures that organizational elements must follow. As a result, cardholders did not consistently apply basic control procedures, which were necessary to provide reasonable assurance that acquisitions made with purchase cards adhered to governmentwide requirements. Inadequate staffing and training, and a weak postpayment audit function further contributed to a weak overall internal control environment and left DHS vulnerable to fraud, waste, and abuse. Unimplemented Agencywide Manual Contributes to Inconsistency and Confusion: DHS's Chief Financial Officer (CFO) distributed the agency's most recent draft of the departmentwide purchase card policies and procedures in March 2004. Since then the draft manual has been out for agencywide comment twice. The internal control procedures described in that draft document were largely consistent with OMB Circular No. A- 123, GAO's Standards for Internal Controls, and GAO's Audit Guide. According to the Office of the Chief Financial Officer, the draft policies were not accepted and implemented across DHS due to disputes with organizational elements over implementation of the draft manual. Further, officials within the Office of the Chief Financial Officer do not have a plan or timeline for resolving these disputes in order to finalize DHS's draft manual. Consequently, some organizational elements are following internal control policies that existed in their legacy environments prior to their absorption into DHS, while others adopted DHS's draft policies. Others are adhering to elements from both. We found that although some internal control policies from legacy agencies were consistent with GAO's Standards for Internal Controls and GAO's Audit Guide, others were not. For example, the Organizational Program Coordinator (OPC) for the Purchase Card Program at the Coast Guard stated that written authorization prior to purchase is generally required. In contrast, CBP indicated that written authorization is not required prior to use by a CBP cardholder. As a result of the unimplemented DHS draft manual, organizational elements were confused about and did not consistently apply purchase card policies and procedures, which negatively affected the control environment. As an example, the OPC at the Coast Guard, in charge of the largest purchase card program within DHS, informed us that some cardholders within Coast Guard followed the draft DHS manual, while others did not consider the manual applicable. Insufficient Resources Committed to Purchase Card Program: DHS failed to assign sufficient resources to manage its purchase card program. As a result, we found many instances where approving officials had oversight responsibilities for an excessive number of cardholders. Additionally, we found that DHS lacked sufficient staffing to effectively manage and oversee the purchase card program. GAO's Audit Guide and OMB Circular No. A-123 emphasize the importance of establishing reasonable levels of responsibility for approving officials who are responsible for reviewing and certifying purchase card transactions. Assigning approving officials more cardholders than they can effectively supervise is a symptom of a weak control environment, as it is unreasonable to expect approving officials who have too many transactions to conduct a thorough and proper review of supporting documentation for each transaction. Basic fraud prevention concepts and our previous audits of purchase card programs have shown that opportunities for fraud and abuse arise if cardholders know that their purchases are not being properly reviewed. We found that DHS's draft manual contained requirements for approving officials that are consistent with OMB Circular A-123 and GAO's Audit Guide. Specifically, the proposed DHS policy stipulates that a single approving official may not oversee more than 7 cardholders. However, our work showed that DHS organizational elements did not adhere to this guidance. As shown in table 1, as of the end of fiscal year 2005, we found that 176 DHS approving officials, out of approximately 3,300 approving officials departmentwide, had oversight responsibilities for more than 7 cardholders.[Footnote 6] At the Coast Guard alone, 147 approving officials supervised more than 7 cardholders, with 3 individuals managing more than 30 cardholders. According to the OPC at the Coast Guard, insufficient staff to monitor and oversee the purchase card program is a primary cause for the large number of approving officials with excessive span of control. Having approving officials responsible for more than 7 cardholders is inconsistent with the DHS draft manual and is contrary to GAO's best practices guidance. Table 1: Number of Approving Officials at DHS Organizational Elements with Excessive Span of Control: Organizational element: U.S. Coast Guard; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 84; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 53; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 7; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 3; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 147. Organizational element: U.S. Customs and Border Protection; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 7; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 3; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 10. Organizational element: Federal Emergency Management Agency; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 5; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 3; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 8. Organizational element: U.S. Secret Service; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 3; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 2; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 2; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 7. Organizational element: DHS Science and Technology; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 1; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 1. Organizational element: Transportation Security Administration; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 1; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 1. Organizational element: U.S. Citizenship and Immigration Services; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 1; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 1. Organizational element: Federal Air Marshal Service; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 1; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 0; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 1. Organizational element: Total; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 8-10: 102; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 11-20: 62; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: 21-30: 7; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: >30: 5; Number of Approving officials with excessive span of control, stratified by number of cardholders managed: Total: 176. Source: GAO analysis of U.S. Bank data. [End of table] Our analysis of purchase card data uncovered other fundamental breakdowns in controls. For example, we identified 6 cardholder accounts where the approving official and the cardholder were the same individual--a major conflict of interest. We also identified 2,468 open accounts--19 percent of DHS's purchase cards--that as of December 13, 2005, had not been used since before January 2005. According to OMB and the U.S. General Services Administration (GSA),[Footnote 7] purchase cards should only be issued to individuals who have a documented need to acquire items for the government with the purchase card. It is difficult to argue that the 2,468 individuals who have not made a single purchase in an entire year have such a need. Consequently, those accounts should have been closed to minimize the risk of fraud, waste, and abuse. Furthermore, we found that at both the DHS level and organizational element level, there were inadequate resources to effectively manage the program. As stated in GAO's Audit Guide, it is vital for purchase card programs to be sufficiently staffed to manage the program. At the DHS agencywide level, the DHS Agency Program Coordinator (APC) is the sole person responsible for overseeing not only DHS's Purchase Card Program, one of the government's largest purchase card programs, but also DHS's Travel Charge Card Program and Fleet Charge Card Program.[Footnote 8] In total, DHS spent nearly $1 billion on these three charge card programs during fiscal year 2005. Based on our assessment of the control environment and discussions with the APC, a lack of adequate resources caused insufficient management and oversight of the purchase card program at the DHS agencywide level. At the organizational element level, we found a similar lack of staffing resources devoted to the management of the purchase card program. For example, as shown in table 2, the number of personnel assisting the OPC at the organizational element level is not consistent with the risk of exposure, as measured by expenditures. In fact, the largest organizational element, the Coast Guard, provides no additional staff to the OPC to assist in managing and overseeing the purchase card program. Based on our assessment of the control environment and discussions with the OPC at the Coast Guard, the Coast Guard did not have adequate resources to both administer the purchase card program and provide adequate compliance control. Table 2: Employees Responsible for Management of the Purchase Card Program at Four of the Largest Organizational Elements within DHS: Organizational element: U.S. Coast Guard; Staff devoted to purchase card: 1 (OPC); Fiscal year 2005 total purchase card dollars (millions): $ 227. Organizational element: Federal Emergency Management Agency; Staff devoted to purchase card: 2 (1 OPC and 1 additional staff); Fiscal year 2005 total purchase card dollars (millions): 32. Organizational element: U.S. Immigration and Customs Enforcement; Staff devoted to purchase card: 4 (1 OPC and 3 additional staff); Fiscal year 2005 total purchase card dollars (millions): 21. Organizational element: U.S. Customs and Border Protection; Staff devoted to purchase card: 6 (1 OPC and 5 additional staff); Fiscal year 2005 total purchase card dollars (millions): 66. Source: DHS data. [End of table] Evidence Lacking that Most Cardholders Received Required Training: Evidence was not provided to show that DHS is providing the training necessary to obtain reasonable assurance that its cardholders understand the purchase card program's key controls. Adequate training is essential to ensuring that the cardholders and approving officials have the skills necessary to achieve organizational goals in an effective and efficient manner. OMB Circular A-123 and DHS's draft manual require that all cardholders be trained prior to receiving a purchase card and receive annual refresher training. We found that for 60 of the 96 transactions in our statistical sample, the cardholder lacked documentation showing that they received either the required initial training or the refresher training. Monitoring and Oversight Needs Improvement: Our review of the DHS purchase card program found that DHS had ineffective procedures to monitor and oversee cardholder's compliance with agencywide and governmentwide purchase card policies through postpayment audits. The purpose of the postpayment audit is to provide reasonable assurance that the purchases made by cardholders, and payments made to the bank, were valid and appropriate. However, our audit found that DHS did not conduct postpayment audits effectively. Specifically, we found that the organizational elements did not follow up with cardholders who failed to provide the required supporting documentation. We identified 10,339 transactions between December 2003 and February 2006 that were selected for audit, but which were not audited because cardholders did not submit the required supporting documentation. Many of the cardholders who failed to submit the required supporting documentation were nevertheless allowed to continue using their purchase cards. Failure to suspend those cards and discipline users exposed DHS to fraud, waste, and abuse in its purchase card program. Inconsistently Implemented Control Activities Leave DHS Vulnerable to Fraud, Waste, and Abuse: The results of our testing of key controls at DHS revealed significant failure rates that bring into question the efficacy of DHS's implementation of internal controls. Internal control activities associated with purchase card transactions occur at various levels within an agency. Activities include a wide range of diverse actions such as authorizations, verifications, reconciliations, certifications, and the production of records and documentation. However, our statistical tests of DHS purchase card transactions from June 13, 2005, through November 12, 2005, found that several key transaction-level controls were ineffective, with failure rates ranging from 8 percent to 63 percent. In addition, the high rates of failure associated with authorization and independent receipt and acceptance also led us to question the effectiveness of the DHS reconciliation and certification process. Specifically, DHS's automated systems and practices associated with reconciling and certifying purchase card transactions for payment were not effective to provide reasonable assurance that charges appearing on the cardholder's bank statements were valid. We also found instances where DHS lacked effective controls to ensure proper follow- through of disputed transactions, leaving DHS at an increased risk of fraud, waste, and abuse associated with the payment of purchase card transactions. Finally, while DHS did not rely on its increased micropurchase threshold authority, DHS did activate certain FAR provisions to streamline the acquisition process for transactions made in response to the hurricane disaster in the Gulf Region. We are not questioning the authority on which DHS relied. However, we have identified examples where DHS did not exercise prudent pricing practices. Statistical Tests Indicated Weak Internal Controls: Control activities we tested included whether (1) cardholders obtained written authorization prior to purchases, (2) invoices supporting the transactions existed, (3) independent receipt and acceptance of goods and services occurred, and (4) cardholders screened for required or preferred vendors (designated sources). As shown in table 3, the failure rates for the four attributes that we tested ranged from 8 percent to 63 percent. We looked for documented evidence that these control activities were followed; therefore, these rates may be higher than actual failures rates if control activities were followed but not documented. Table 3: Results of Statistical Testing for Four Key Internal Controls (percent): Internal control: Authorization; Point estimate[A]: 45; 95-percent confidence interval[B]: 35-55. Internal control: Sales documentation; Point estimate[A]: 8; 95-percent confidence interval[B]: 4 - 16. Internal control: Independent receipt and acceptance; Point estimate[A]: 63; 95-percent confidence interval[B]: 53 - 73. Internal control: Priority for designated sources; Point estimate[A]: 53; 95-percent confidence interval[B]: 43-63. Source: GAO and DHS OIG testing and statistical analysis of DHS purchase card transactions provided by U.S. Bank. [A] The numbers represent point estimates for the population based on our random sample rounded to the nearest percentage point. [B] The numbers represent a 2-sided confidence interval assuming a 95 percent confidence level. [End of table] Lack of Written Authorization--In 45 percent of the sample transactions, the cardholders did not obtain written authorization prior to obtaining the items in question. Requiring the cardholder to obtain written authorization prior to using the purchase card is key to providing reasonable assurance that the purchase represents a legitimate government need. The draft manual addresses this fundamental internal control element by proposing to require written authorization prior to purchases. However, as indicated by the high rate of failure, cardholders did not consistently adhere to this internal control standard, thereby exposing DHS to misuse of the purchase card. For example, a cardholder from CBP acquired nearly $2,500 in rain jackets without written preauthorization. Had the cardholder been subject to DHS's requirement for written authorization prior to purchase, as outlined in the draft manual, this improper purchase may have been prevented. Lack of Sales Documentation Supporting Purchases--We estimate that 8 percent of DHS cardholders failed to provide sales documentation, such as a receipt, for the items obtained with a purchase card. This is inconsistent with the draft manual, which would require cardholders to obtain and retain all sales documentation relevant to their transaction. Requiring cardholders to obtain and retain sales related documentation from the vendor is a basic internal control to reduce the risk of fraud, waste, and abuse. Without sales documentation, an approving official has no means of reasonably determining whether the item purchased represents a legitimate government need or is fraudulent, improper, or abusive. Lack of Independent Receipt and Acceptance--We estimate that 63 percent of DHS transactions did not have independent receipt and acceptance. Receipt and acceptance of goods and services by someone other than the cardholder provides reasonable assurance that the organization actually received what it purchased. This internal control procedure segregates the duties involved in the acquisition of goods and services and thereby reduces the risk of fraud, waste, and abuse. According to GAO's Audit Guide, a properly documented independent receipt and acceptance must contain the signature of the independent individual, who should also document the date of receipt. Failure to adhere to proper receipt and acceptance procedures exposes agencies to increased risk of fraud, waste, and abuse. For example, a transaction we sampled involved the purchase of three laptop computers by a Coast Guard cardholder. However, independent receipt and acceptance was not performed, and the laptops were not recorded in the property records. Subsequently, the laptops could not be located and were later reported as stolen. If proper receipt and acceptance had been performed, theft of the laptops may have been prevented. Failure to Give Priority to Designated Sources--We estimate that in 53 percent of the sampled transactions, the cardholder failed to document whether they gave priority to designated sources. In one example, a cardholder purchased 25 portable global positioning system (GPS) units at full retail price from Best Buy when the same units could have been obtained through a GSA Advantage[Footnote 9] vendor for 15 percent less. The DHS draft manual would require that cardholders use designated sources if the source is capable of providing the goods or services as needed. GSA Advantage is identified as a designated source in the draft manual. Generally, the goods and services provided by designated sources will be offered at reasonable prices.[Footnote 10] In this case, the failure to consider designated source resulted in the cardholder paying Best Buy about $2,700 more than if the units were acquired through GSA Advantage. Although the cardholder was acquiring the GPS units for an emergency situation, we found that GSA Advantage can often deliver goods on an expedited basis. Alternatively, the cardholder could have obtained a special discount from Best Buy if he had opened a government account. Online Reconciliation and Certification Processes Not Fully Effective: Effective reconciliation and certification are crucial in helping to provide reasonable assurance that all charges appearing on the cardholder's bank statement are valid. However, our review of the DHS purchase card systems found that the practices used by the Coast Guard, FEMA, CBP, and U.S. Immigration and Customs Enforcement (ICE) were not fully effective. Each of these organizational elements primarily relied upon online reconciliation and certification capabilities inherent in their respective purchase card systems, but none of these systems provided sufficient evidence to determine if a comprehensive reconciliation and certification was actually performed. While online processes can provide an efficient and effective means for accomplishing such tasks without the burden of a paper-laden environment, reliance upon online processes requires effective internal controls (e.g., sufficient audit trails, implementation of sound business practices) to gain reasonable assurance that the processes were properly performed. However, none of these DHS components had fully effective systems or practices to provide reasonable assurance that cardholders exercised due diligence in reconciling their statements. One attribute lacking was notations, such as the ability to enter check marks indicating that transactions on the cardholder's monthly statements were individually reviewed and reconciled. In addition, these components did not demonstrate that they had fully effective systems or practices that would allow them to track the length of time a cardholder spent performing their reconciliation and an approving official spent certifying statements to rule out the possibility of merely "rubber stamping" monthly statements. Further, we found many instances where approving officials did not certify their respective cardholders' statements. DHS's draft manual requires approving officials to certify a cardholder's bill within 14 days of the close of billing cycle. Based on the results of our analysis, we identified 8,630 uncertified statements that were pending approving official certification as of February 12, 2006. As previously discussed, given the insufficient resources committed to the purchase card program and the high rates of failure associated with the authorization and independent receipt and acceptance, comprehensive reconciliations and certifications are crucial in helping to provide reasonable assurance that all charges are valid. As a result of these internal control weaknesses, DHS's compliance with controls to prevent or detect fraudulent, improper, or abusive purchases is in question. Pay and Confirm Environment Increased Risk of Fraud, Waste, and Abuse: We found instances where DHS cardholders failed to dispute unauthorized transactions. The dispute process is especially critical in DHS's pay and confirm environment, called SmartPay®. One feature of GSA's SmartPay® program is that, unlike a normal credit card monthly billing process, the agency pays charges daily. By agreeing to pay first and confirm later, agencies can reduce costs since the bank provides rebates[Footnote 11] based on how quickly the charges are paid. However, the pay and confirm environment requires diligence on the part of cardholders to perform thorough and comprehensive reconciliations of their charges and to submit timely disputes of improper charges to the bank for credit. Because agencies have already paid the bank for the potential unauthorized charges prior to receiving the monthly billing statement, the payment will not be reversed unless a dispute is submitted. Because of weaknesses in the implementation of the dispute process in some instances, DHS did not identify and obtain credits for unauthorized transactions. In one instance, a cardholder appropriately initiated the dispute process when a vendor improperly charged the government $153,000 prior to completion of contracted services. However, the cardholder failed to perform appropriate follow-through and submit the required dispute documentation. Consequently, DHS made a second payment to the vendor when services were complete, resulting in a double payment of $153,000. FEMA was unaware of the double payment until we questioned the payments in May 2006. At that time, FEMA contacted the vendor and recovered the overpayment. In another example, discussed later in this testimony, a cardholder's failure to dispute $30,000 in unauthorized charges resulted in FEMA making payments for potentially fraudulent and improper charges for flat-bottom boats. In this case, the cardholder and the approving official failed to dispute the unauthorized charges. Although the pay and confirm environment can bring economic benefits (i.e., rebates) to federal agencies, it requires the implementation of effective controls to detect and correct charges that should be disputed and reversed. The high rates of failure in our tests of key internal controls and the examples highlighted above bring into question whether DHS's pay and confirm process exposes DHS to unacceptable levels of risk for fraud, waste, and abuse. DHS Used a Provision of the Federal Acquisitions Regulations to Avoid Obtaining Competitive Bids: To facilitate the government's response to hurricanes Katrina and Rita, Congress authorized an increase to the micropurchase threshold from $2,500 to $250,000. When making micropurchases, authorized cardholders need not solicit for competitive bids if they consider the price reasonable. Executive agencies such as DHS could have extended this authority to certain cardholders directly supporting hurricane-related rescue and relief operations. However DHS told us that they did not implement the increased threshold because they had the flexibility they needed to make noncompetitive purchases under existing procurement authority. DHS cited their justification for other than full and open competition under the Unusual and Compelling Urgency provisions of the Federal Acquisition Regulations.[Footnote 12] Under these provisions, cardholders had discretion to select contractors noncompetitively as long as the purchase was directly related to Hurricane Katrina response efforts. Although DHS has authority to make purchases without competition, we highlight transactions where DHS cardholders failed to adopt prudent pricing practices and subsequently wasted government funds. Part of DHS's mission is to respond to emergency situations like Katrina and Rita and a reasonable person would expect DHS to be more prepared for relief and rescue operations than other agencies with routine functions. In this light, we question the propriety of several of the noncompetitive transactions that we investigated for potential fraud. In the next section we identify many examples of potential fraud, improper purchases, and abusive or questionable transactions. Some of the examples are multifaceted and touch on several issues including the pricing and requirements management issues discussed previously. Potentially Fraudulent, Improper, Abusive, or Questionable Transactions: Our forensic audit and investigative work identified numerous transactions where DHS failed to prevent or detect potential fraudulent, improper, abusive, or questionable purchases. Many of these examples also show that the government could have obtained better pricing. However, our work was not designed to identify all instances of, or estimate the full extent of fraud, waste, and abuse. Therefore we did not determine, and make no representations regarding, the overall extent of fraudulent, improper, and abusive or questionable transactions. Potentially Fraudulent and Improper Activity Related to Purchase Card Acquisitions: Our data mining work identified many instances of both potentially fraudulent and improper use of the purchase cards, and potentially fraudulent and improper activity related to items acquired with the purchase card. We considered potentially fraudulent purchases to be those which were unauthorized and intended for personal use. The transactions we determined to be improper are those intended for government use, but which are not for a purpose that is permitted by law, regulation, or policy. Potentially Fraudulent Activity--Table 4 shows five cases of potential fraud involving both use of a DHS purchase card and weaknesses with DHS's accountable property[Footnote 13] controls that led to potentially fraudulent misappropriation of government assets. Property that is unaccounted for may simply be misplaced; or it may be that the assets were misappropriated for a use other than that of the government. The misappropriation of government assets (theft) represents fraudulent activity. These five potentially fraudulent cases involve 154 missing items out of the 433 accountable property items that we tested. Because only a limited number of transactions in our statistical sample contained accountable or pilferable property, we did not attempt to estimate the extent to which DHS could not account for pilferable property. Table 4: Potentially Fraudulent Activity: Case: 1; Items purchased: Laptop computers; Organizational element: FEMA; Vendor: CDW; Additional facts: 107 of 200 not located; Amount of transaction: $300,000. Case: 2; Items purchased: Flat-bottom boats; Organizational element: FEMA; Vendor: Banita Creek Hall; Additional facts: Unauthorized use of purchase card by a vendor, 12 of 20 boats not in property system; Amount of transaction: 177,000. Case: 3; Items purchased: Printers; Organizational element: FEMA; Vendor: CDW; Additional facts: 22 of 100 not located; Amount of transaction: 84,000. Case: 4; Items purchased: GPS units; Organizational element: FEMA; Vendor: Best Buy; Additional facts: 2 of 25 not located; Amount of transaction: 18,000. Case: 5; Items purchased: Laptop computers; Organizational element: Coast Guard; Vendor: Best Buy; Additional facts: 3 of 3 reported as stolen; Amount of transaction: 13,000. Source: GAO and DHS OIG investigation. [End of table] Our testing work for the above transactions included traveling to the location of the accountable property to observe the item and determine if the asset existed or was in possession of the government. More detailed information is as follows: * In cases 1, 3, and 4, FEMA purchased 200 laptops, 100 printers, and 25 GPS units in five separate transactions totaling about $400,000. While FEMA documented independent receipt and acceptance for the laptops and the GPS units, it did not do so for the printers. Further, FEMA did not properly record and track some of the assets in its property records. As a result, FEMA could not locate the accountable property items when asked, and consequently was not able to account for 107 laptops, 22 printers, and 2 GPS units that cost about $170,000. Based on the information FEMA provided for the location of the assets in question, in March 2006 we traveled to the FEMA field offices in New Orleans and Baton Rouge to observe assets acquired using a purchase card. After arriving at these locations, however, FEMA gave us different location information. We were instead informed that the laptops were shipped directly to and currently located in a conference room at the Royal Sonesta Hotel in the French Quarter, which was serving as the Joint Command Post for the various federal, state, and local authorities. We were told that many of the laptops and printers were being used by the New Orleans Police Department (NOPD) at the Joint Command Post. However, as shown in figure 1, when FEMA's accountable property officer took us to the conference room, it was vacant and the laptops and printers were missing. Figure 1. Hotel Conference Room Where FEMA Laptops and Printers Were Supposed to Be: [See PDF for Image] Source: GAO. [End of Figure] We questioned NOPD to find the location of the laptops and printers and we were able to account for 28 laptops and 16 printers in the possession of NOPD personnel and 4 laptops in possession of the Louisiana District Attorneys Office (LADA). These assets were on loan to NOPD and LADA to assist them in their hurricane response efforts. We subsequently accounted for 61 laptops, 72 printers, and 23 GPS units at FEMA field offices in Baton Rouge and New Orleans. Despite substantial efforts to locate the property, neither FEMA, GAO, or DHS OIG was able to find all the accountable property at the time of our field testing. Ultimately, FEMA could not account for 107 laptops, 22 printers, and 2 GPS units with a total value of about $170,000. Significantly, we found that FEMA failed to enter the laptops into their accountable property system until two months after delivery. In addition, when FEMA did add the laptops to the property system, they failed to accurately record who was in possession of the laptops. In February 2006, after we made inquiries regarding the laptops, FEMA made an effort to track down the laptops and properly record who was in possession of and accountable for the laptops. However, they were unable to do so for most of the laptops. The process for using a purchase card to obtain highly pilferable and expensive equipment such as laptops should include controls that ensure such property is accurately recorded and tracked in a property system. In this case, the absence of effective controls led to potential fraud and a substantial cost to the taxpayer. * For case 2, FEMA paid a vendor $208,000, or twice the retail price, to deliver 20 flat-bottom boats (with motors and trailers) needed for relief operations in New Orleans. This vendor, a broker who did not possess any boats himself, used the FEMA purchase card account number to pay for the boats prior to delivery to FEMA. He also used the card number to make two unauthorized payments for 6 of the 20 boats totaling about $30,000. Although the vendor billed FEMA for all 20 of the boats, the vendor failed to pay one retailer who provided 11 of the 20 boats. This retailer provided the boats to the broker believing he was dealing with a FEMA representative, and therefore the retailer did not require payment up-front. The retailer has since reported the 11 boats as stolen and not provided title to the vendor. Further, FEMA only has 8 of the 20 boats in its property records and could not provide the location for the other 12 boats. Many issues surround the purchase of the 20 boats, but the most significant involve the vendor. We estimate that the vendor walked away with over $150,000, including the profit he made on the 11 boats that the vendor obtained without payment. We are coordinating our investigation with both local law enforcement and the Federal Bureau of Investigation. Key control breakdowns relating to this transaction include the cardholder not obtaining adequate receipt and acceptance as evidenced by the fact that FEMA did not receive title to at least 11 boats, and the fact that neither the cardholder or the approving official flagged two unauthorized charges on the monthly purchase card statement. * Case 3 involved one or more Coast Guard employees who submitted falsified records and provided false information pertaining to the theft of three laptop computers. Our investigative work found that a Coast Guard cardholder, accompanied by an Information Technology (IT) specialist, purchased 13 laptops from Best Buy using his government purchase card. The cardholder placed the laptops in an unsecured trailer, but did not immediately record the serial numbers so they could be entered into an accountable property system. According to the cardholder, 3 laptops went missing the next day. In an interview with our investigator and the Coast Guard Investigative Service, the cardholder admitted that he did not record the serial numbers immediately as instructed by his superior, and the property log was subsequently falsified to include fictitious serial numbers for the missing laptops. During separate interviews with the cardholder and the IT specialist, we noted inconsistencies in their explanations. We attempted to conduct a follow-up interview with the IT specialist, but after being notified to report for the scheduled interview, the IT specialist took actions that made himself unavailable. The Coast Guard Investigative Service is continuing to investigate the stolen laptops. Improper Transactions--We identified numerous instances where cardholders used their purchase cards to make improper purchases. According to the FAR, purchase cards may be used only for purchases that are otherwise authorized by law, regulation, or organizational policy. Table 5 contains some examples of improper transactions. Table 5. Examples of Improper Purchase Card Transactions: Case: 1; Items purchased: Meals ready to eat (MRE's); Organizational element: CBP; Vendor: MRE Foods.com; Amount of transaction: $465,000. Case: 2; Items purchased: Waste removal; Organizational element: FEMA; Vendor: EMO Energy Solutions; Amount of transaction: 153,000. Case: 3; Items purchased: Rain jackets; Organizational element: CBP; Vendor: Helly Hansen; Amount of transaction: 2,500. Case: 4; Items purchased: Men's clothing; Organizational element: ICE; Vendor: Hecht's; Amount of transaction: 430. Source: DHS data. [End of table] The following contains detailed information on some improper transactions shown in table 5: * Case 1 related to the improper use of convenience checks, where a CBP cardholder improperly issued five convenience checks totaling about $465,000 to prepay for a 2 months' supply of meals-ready-to-eat (MRE), about $30,000 of which was for shipping. The MREs were sent to the Gulf Region for consumption by CBP employees who were deployed to assist in the response to the hurricanes. In general, DHS policies consider the use of convenience checks a tool of last resort, that is, to be used only after "maximum efforts" have been made to find alternate vendors who accept the government purchase card. However, we found that the CBP cardholder violated DHS policies related to use of convenience checks. In addition, the CBP employees who were sent to the Gulf Region were pulled out earlier than anticipated and almost half of the MREs purchased were delivered to a CBP training facility in El Paso, Texas. Because the cardholder prepaid for the MREs, the cardholder precluded the option of buying in increments as the fluid circumstances might have dictated. Because the demand did not materialize, thousands of MREs are sitting in a warehouse in El Paso, Texas. The cardholder in this instance relied on the Unusual and Compelling Urgency provisions of the Federal Acquisition Regulations to expedite the purchase and meet an apparent need. While we are not questioning the cardholder's reliance on these provisions, we identified actions taken by the cardholder that unnecessarily increased the cost to the taxpayer: * Instead of contracting with the Defense Logistics Agency[Footnote 14] (DLA) to deliver MREs on an as-needed basis, the cardholder acquired about 62,000 MREs from a vendor on the internet. However, DLA informed us that it had a large supply of MREs when Hurricane Katrina hit the Gulf Region and would have been able to meet CBP's demand for MREs and provide free shipping. Further, we found that a GSA Advantage vendor was selling similar MRE's at a substantially lower price than what the cardholder paid. The vendor selected by the cardholder was not a GSA Advantage vendor and the cardholder acknowledged that she did not contact this GSA Advantage vendor. Had the cardholder contacted the GSA Advantage vendor, she may have saved taxpayers over $100,000. * The website of the vendor selected by the cardholder clearly shows that it accepts credit cards. However, according to the cardholder, the vendor did not want to incur a credit card processing fee on the large order. The cardholder therefore paid the vendor using convenience checks, which cost the government a 1.75 percent processing fee. Therefore, due to the cardholder's improper use of convenience checks, DHS paid $8,000 in processing fees unnecessarily. * In case 3, a CBP cardholder improperly used his purchase card to acquire 37 black rain jackets from Helly Hansen for nearly $2,500 and obtained a government discount to the personal benefit of CBP employees. The purchase violated CBP's policy against using a purchase card to acquire clothing. The cardholder claimed the rain jackets were personal protective equipment (PPE) for which there is an exception. The cardholder explained that the black rain jackets are given to safety officials on the firing range and allow these officials to be readily identified. However, these officials are issued red shirts for safety and identification purposes and when it rains, the red shirts are covered by the rain jackets. Other individuals who are not safety officials also wear black rain jackets, making these other individuals indistinguishable from safety officials. Therefore, the rain jackets do not serve a safety purpose and are not PPE. The cardholder also admitted that when the rain is heavy, the firing range is normally shut down. Furthermore, the rain jackets were not kept on the firing range but were given to range officials to keep, without any record of who was receiving the rain jackets. While safety of CBP employees should be a primary concern, the facts in this case indicate that cardholder obtained a government discount from the vendor to provide personal clothing to CBP employees and for which no safety related purpose was served. Abusive and Questionable Transactions: We identified numerous examples of abusive and questionable items acquired with DHS purchase cards during our testing. We defined abusive transactions as those that were authorized, but the items purchased were at an excessive cost (unreasonable pricing) or were not needed by the government, or both. As an organization whose mandate is to deal with security and emergency needs, DHS and its employees should adopt prudent purchasing practices by implementing existing agreements with vendors to allow favorable pricing even in times of disaster. Questionable transactions are defined as transactions that appear to be improper or abusive but for which there is insufficient documentation on which to conclude.[Footnote 15] Obtaining reasonable pricing for goods or services includes not only avoiding excessive pricing, but also includes taking reasonable steps to obtain appropriate discounts. However, vendors often will not provide discounts unless the government cardholder asks if a discount is available. We found instances where it was likely a vendor discount could have been obtained but was not. However, we noted several occasions where cardholders obtained a point-of-sale discount. For example, an ICE cardholder obtained 60 sleeping bags and cots from Cabela's. The sleeping bags and cots were acquired to meet the needs of those affected by the hurricanes. The cardholder was able to obtain a 10 percent point-of-sale discount from the manager. By asking for the discount, the cardholder was able to save the taxpayer over $750. In another example, FEMA purchased over $600,000 in medical equipment and supplies from Medtronic Physio-Control in three separate transactions in order to supply special medical response teams after the hurricanes. FEMA obtained almost $18,000 in point-of-sale discounts from this vendor. In order to obtain the best pricing, it is often beneficial to make arrangements with vendors in advance of potential spikes in demand for goods or services. We noted numerous instances where we believe better pricing could have been obtained had various DHS organizational elements made arrangements with vendors in advance of the devastating hurricanes along the Gulf Region. If DHS does not anticipate its needs and get prearranged pricing from quality vendors, then it must often scramble to acquire the necessary goods and services during a crisis. Frequently, the emphasis shifts from efficiency to expediency when acquiring goods and services during a crisis, resulting in additional and unnecessary costs to the government. Table 6 lists some examples of abusive and questionable purchases that we identified at DHS. Table 6: Abusive and Questionable Transactions: Transaction: 1; Item purchased: Shower units; Organizational element: CBP; Vendor: MD Descant; Nature of transaction: Abusive; Amount: $71,000. Transaction: 2; Item purchased: Dog booties; Organizational element: FEMA; Vendor: Backcountry Gear Limited; Nature of transaction: Abusive; Amount: $68,000. Transaction: 3; Item purchased: GPS units; Organizational element: FEMA; Vendor: Best Buy; Nature of transaction: Abusive; Amount: $18,000. Transaction: 4; Item purchased: 63" Plasma screen television; Organizational element: FEMA; Vendor: Jan-Tronics; Nature of transaction: Abusive; Amount: $8,000. Transaction: 5; Item purchased: iPod Nanos and Shuffles; Organizational element: USSS; Vendor: Apple; Nature of transaction: Questionable; Amount: $7,000. Transaction: 6; Item purchased: Training seminar; Organizational element: CBP; Vendor: Sea Palms Golf and Tennis Resort; Nature of transaction: Abusive; Amount: $2,000. Transaction: 7; Item purchased: Leadership conference; Organizational element: CIS; Vendor: Hyatt Golf Resort, Spa & Marina; Nature of transaction: Abusive; Amount: $2,000. Transaction: 8; Item purchased: Beer brewing kit; Organizational element: Coast Guard; Vendor: Beer and Wine Hobby; Nature of transaction: Abusive; Amount: $230. Source: GAO and DHS OIG investigations of DHS data. [End of table] The following provides further details on a number of transactions listed above: * The first case involved a CBP cardholder who paid for three 6-person portable shower units when less expensive units could have been rented. In this instance, CBP represented to us that they did not have time to obtain competing bids because of the need to prepare immediate shower units for CBP personnel in the Gulf Region responding to hurricanes. However, because CBP did not specify the need for hot water and sinks, the portable shower units did not come with this capability. In contrast, a vendor in GSA Advantage could have rented two prefabricated 16-person mobile shower units with hot water capabilities and had them delivered in less time than it took the original vendor to deliver. The cost from the GSA Advantage vendor would have been approximately $45,000, or 36 percent less than the nearly $71,000 CBP paid. * In case 2, a FEMA cardholder unnecessarily purchased over 2,000 sets of canine booties at a cost exceeding $68,000. Canine booties are used to protect the dog's paws in a debris laden environment. According to FEMA, after the terrorist attacks of 9-11 many donated dog booties were placed in storage facilities and were mistakenly placed on emergency provisioning lists. When the hurricanes struck the Gulf Region, FEMA acquired items on the provisioning lists including thousands of additional dog booties unnecessarily. However, we were informed by FEMA that since most of the search and rescue dogs in the Gulf Region were not accustomed to wearing booties, the canine booties continue to sit unused in FEMA storage facilities. The error of placing the booties on the emergency provisioning list resulted in a $68,000 unnecessary expenditure. * In case 4, a FEMA cardholder abused a purchase card to acquire a Samsung 63 inch plasma screen television on September 16, 2005 for almost $8,000, lacking a government need. The plasma screen, which was not timely recorded in an accountable property system, was still unused and in its original box six months after its purchase. The fact that it was unused after such an extended period of time casts significant doubt as to whether there was a legitimate government need for acquiring the 63 inch plasma screen in the first place. In addition, as the cost of high-end electronic equipment can fall dramatically in a short period of time, we found that the same 63 inch plasma screen television could have been obtained for $1,200 less at the time we observed it in the box at FEMA. Considering the plasma screen was bought at the end of the fiscal year and that it was unused 6 months after the purchase, a concern arises regarding whether the purchase was made to use up remaining funds at the end of the fiscal year. * In case 5, the U.S. Secret Service (USSS) spent over $7,000 to acquire 12 Apple iPod Nanos and 42 iPod Shuffles. This purchase is questionable because iPods are generally used to store and play music-- not a legitimate government need. In addition the USSS did not enter the iPod shuffles into its accountable property system. After we questioned the validity of the purchase, USSS provided a memorandum justifying the purchase on the basis that the iPods were used for training and data storage. However, we found that other memory devices existed that were not primarily designed to play music but would have satisfied the need for data storage. USSS did not provide evidence to support its claim that the iPods were used in training. Further, USSS represented to us that they did not track the iPod shuffles because the iPods cost less than the $300 threshold required for accountable property. This is inconsistent with established DHS policy that requires all memory devices be tracked in a property system. Without appropriate substantiation, we could not obtain assurance that the iPods were used for legitimate government needs. * Case 6 involved the abusive use of government funds to hold a CBP training seminar at the Sea Palms Resort at Saint Simons Island in Georgia. We identified a purchase card transaction related to this event for about $2,000 and performed additional audit work to determine the basis for selecting the resort. We found that the golf and tennis resort was used to train 32 newly hired attorneys when the nearby Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia, could have been used with a savings of approximately $10,000. According to the CBP officials we interviewed, CBP had determined that the FLETC facility could not accommodate their training. However, CBP could not produce any documentation such as a request form indicating that CBP had contacted FLETC for determining availability. Further, a FLETC official in charge of scheduling informed us that FLETC did not receive a request from CBP and that had CBP given FLETC sufficient notice, it was more than likely that FLETC would have been able to accommodate CBP. While training is a necessary investment in human capital, cardholders and government officials need to be careful stewards of taxpayer's funds. By not contacting FLETC and instead using the resort for training, CBP failed to act prudently with taxpayer dollars. * In case 7, the U.S. Citizenship and Immigration Services (CIS) held its annual leadership conference at the Hyatt Regency Chesapeake Bay Golf Resort, Spa and Marina in Cambridge, MD, which cost the government about $40,000 in additional travel expenses. We initially selected this transaction because a CIS cardholder had paid the resort about $2,300 for materials used in a team building exercise. Irrespective of the merits of the team building exercise expenses, holding the annual leadership conference about 90 miles outside Washington, D.C. resulted in roughly 50 Washington, D.C. based staff incurring travel expenses for lodging, meals, and other expenses. About 110 CIS employees attended the July 2005 conference. According to a March 25, 2005, CIS memorandum documenting the CIS conference planning efforts, CIS officials only contacted resorts outside the Washington, D.C. normal commuting area. If CIS had held the annual conference within the Washington, D.C. commuting area, the 50 of the employees would not have incurred travel expenses and the savings to the government would have been about $40,000. * Case 8 involved a Coast Guard cardholder who abused his purchase card to obtain beer brewing equipment and ingredients, and wasted government resources by brewing alcohol while on duty. The cardholder, whose duties involved planning, procuring, and organizing social functions for the Coast Guard Academy, purchased a beer brewing kit for about $230 and additional ingredients. According to the Coast Guard, the beer kit provided the Academy with both a cost savings and a quality product for official parties attended by cadets, dignitaries, and other guests of the Superintendent. The Coast Guard also explained that the Coast Guard beer, with the custom Coast Guard themed labels, functioned as an "ice-breaker" for discussion at these official parties. Our subsequent work indicated that the Academy achieved no cost savings by brewing their own beer. From early August 2005 through March 2006, the Academy used an additional $800 on beer brewing ingredients[Footnote 16] to brew 532 bottles of beer, or 12 batches. The Coast Guard estimated that it took two hours to brew, bottle, and label each batch of Coast Guard beer. Given a conservative approximate hourly labor rate of $15, it would cost over $13 for a six-pack of Coast Guard beer--considering the variable costs alone (ingredients and labor). The Coast Guard provided GAO with a detailed 5-year analysis showing a cost savings but the analysis failed to account for any labor costs. Absent the purported cost savings and the dubious need for the government to brew its own alcohol, the purchase of the kit and the beer brewing activity itself fall short of prudent use of taxpayer dollars and therefore exemplify purchase card abuse. Concluding Observations: The purchase card has proven to be a valuable tool that provides the government flexibility in making purchases and saves money on transaction processing. However, putting purchasing decisions in the hands of about 9,000 DHS employees with ineffective management oversight and control has allowed potentially fraudulent, improper, and abusive or questionable usage of these purchase cards to go undetected. Some of the examples highlighted in this testimony related to Hurricanes Katrina and Rita show that the government is particularly vulnerable when purchase cards are used during times of disaster. Taking immediate action to improve the processes and internal controls over its purchase card program will help DHS maximize the value and benefit of the purchase card and provide reasonable assurance that fraud, waste, and abuse are minimized. Madam Chairman and Members of the Committee, this concludes our statement. We would be pleased to answer any questions that you or other members of the committee may have at this time. Contacts and Acknowledgments: For further information about this testimony, please contact Gregory D. Kutz at (202) 512-7455 or kutzg@gao.gov at GAO or Matt A. Jadacki at (202) 254-5477 or matt.jadacki@dhs.gov at DHS OIG. GAO individuals making key contributions to this testimony included James Ashley, Kord Basnight, James Berry, Beverly Burke, Jennifer Costello, Danielle Free, Christine Hodakievic, Ryan Holden, Aaron Holling, John Kelly, Tram Le, John Ledford, Barbara Lewis, Jenny Li, John Ryan, Robert Sharpe, Bethany Smith, Tuyet-Quan Thai, Patrick Tobo, and Michael Zola. DHS OIG individuals making key contributions to this testimony included Modupe Akinsika, Andre Marseille, and Frank Parrott. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this testimony. Appendix I: Prior GAO Purchase Card Audits: VHA Purchase Cards: Internal Controls Over the Purchase Card Program Need Improvement. GAO-04-737. Washington, D.C.: June 7, 2004. Purchase Cards: Increased Management Oversight and Control Could Save Hundreds of Millions of Dollars. GAO-04-717T. Washington, D.C.: April 28, 2004. Forest Service Purchase Cards: Internal Control Weaknesses Resulted in Instances of Improper, Wasteful, and Questionable Purchases. GAO-03- 786. Washington, D.C.: August 11, 2003. HUD Purchase Cards: Poor Internal Controls Resulted in Improper and Questionable Purchases. GAO-03-489. Washington, D.C.: April 11, 2003. Purchase Cards: Steps Taken to Improve DOD Program Management, but Actions Needed to Address Misuse. GAO-04-156. Washington, D.C.: December 2, 2003. FAA Purchase Cards: Weak Controls Resulted in Instances of Improper and Wasteful Purchases and Missing Assets. GAO-03-405. Washington, D.C.: March 21, 2003. Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to Fraud, Waste, and Abuse. GAO-03-292. Washington, D.C.: December 20, 2002. Purchase Cards: Navy is Vulnerable to Fraud and Abuse but Is Taking Action to Resolve Control Weaknesses. GAO-02-1041. Washington, D.C.: September 27, 2002. Government Purchase Cards: Control Weaknesses Expose Agencies to Fraud and Abuse. GAO-02-676T. Washington, D.C.: May 1, 2002. Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste, and Abuse. GAO-02-732. Washington, D.C.: June 27, 2002. Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse. GAO-02-32. Washington, D.C.: November 30, 2001. Appendix II: Background: The Department of Homeland Security's (DHS) purchase card program is part of the General Services Administration's (GSA) Smart Pay® program, which was established to streamline federal agency acquisition processes for eligible purchases by providing a low-cost, efficient vehicle for obtaining goods and services directly from vendors. Under the GSA blanket contract, DHS has contracted with U.S. Bank for its purchase card services. To assist DHS organizational elements in carrying out their various missions, such as that of the U.S. Coast Guard (Coast Guard),[Footnote 17] U.S. Customs and Border Protection (CBP),[Footnote 18] Transportation Security Administration (TSA),[Footnote 19] and the Federal Emergency Management Agency (FEMA),[Footnote 20] DHS reported that it used purchase cards for more than 1.1 million transactions valued at more than $420 million in fiscal year 2005. According to DHS data, the purchase card activity for the Coast Guard, CBP, TSA, and FEMA accounted for $364 million or about 86 percent of the more than $420 million in fiscal year 2005 DHS purchase card payments. Table 1 identifies the number and dollar amount of purchase card transactions during fiscal year 2005 for these and other DHS components. Table 7: Number and Amount of Fiscal Year 2005 Purchase Card Transactions: DHS Component: Coast Guard; Number of transactions (in thousands): 568; Amount of transactions (in millions): $227; Percentage of; DHS purchase card payments: 54%. DHS Component: CBP; Number of transactions (in thousands): 295; Amount of transactions (in millions): 66; Percentage of; DHS purchase card payments: 16. DHS Component: TSA; Number of transactions (in thousands): 74; Amount of transactions (in millions): 38; Percentage of; DHS purchase card payments: 9. DHS Component: FEMA; Number of transactions (in thousands): 31; Amount of transactions (in millions): 32; Percentage of; DHS purchase card payments: 8. DHS Component: Other DHS components; Number of transactions (in thousands): 178; Amount of transactions (in millions): 60; Percentage of; DHS purchase card payments: 13. Total; Number of transactions (in thousands): 1,146; Amount of transactions (in millions): $423; Percentage of; DHS purchase card payments: 100%. Source: GAO analysis of U.S. Coast Guard Finance Center's reports. [End of table] Management of the DHS Purchase Card Program: DHS's Purchase Card Program Management Office, which is within the office of the Under Secretary for Management--Chief Financial Officer (CFO), is responsible for the overall management of the DHS purchase card program. In carrying out its management responsibilities, the Purchase Card Program Management Office has a directive for use by all DHS components on the Government Purchase Card Program. In addition, the Office of the Chief Financial Officer developed a draft manual, which has been in draft since March 8, 2004. This draft manual describes the various roles and responsibilities of key program management functions and the overall business process for carrying out the purchase card program. Regarding key management functions, the Agency Program Coordinator has responsibility for managing the overall program and working through the CFO and Chief Procurement Officer on purchase card issues; developing, implementing, and updating the program policies, procedures, and guidelines; and ensuring the implementation of and compliance with adequate internal controls in the management of the program, as well as serve as the communication liaison between DHS and the U.S. Bank. Further, within each DHS component, an Organizational Program Coordinator(s) is designated to oversee the purchase card program within that component (e.g., Coast Guard). Their responsibilities include controlling issuance, revocation, and the closing of purchase cards; providing, monitoring, and maintaining training prior to issuance of the purchase card and annual refresher training for all cardholders and approving officials; and managing and conducting oversight of the program (includes span of control and ongoing and annual reviews to ensure compliance with the program requirements). Figure 3 illustrates DHS's business process for carrying out the purchase card program. Figure 2: DHS Purchase Card Program Flowchart: [See PDF for Image] Source: GAO analysis of the business process for the DHS Purchase Card Program. [End of Figure] Coast Guard Is a Steward for DHS's Purchase Card Program: Since February 2004, the U.S. Coast Guard Finance Center (Finance Center) has been operating under a Memorandum of Understanding with DHS to be the servicing agent providing centralized invoicing and payment of all DHS purchase card activity. The Finance Center has developed and implemented a system that supports the receipt of daily invoices from U.S. Bank for all DHS components, supports the payment of those invoices within one business day of receipt, and provides transmission of an electronic file containing transaction data to each component's accounting system. The intent of the daily payment is to maximize the performance rebates earned by the purchase card program. On a daily basis, U.S. Bank's Customer Automation and Reporting Environment generates an invoice file containing transaction level data for all DHS purchase card activity posted on the previous day and submits the file to the Finance Center, where the file is loaded into the Finance Center's Consolidated Billing System. Among other things, this system is used to process all purchase card transactions and provide data to participating DHS components. Cardholders are responsible for identifying any discrepancies on their billing statements and contacting the merchant to resolve any disputed transactions. If the cardholder is unable to resolve the dispute with the merchant, he or she has up to 60 days from the statement date to file a dispute form with U.S. Bank and request a credit. Approving officials are responsible for (1) receiving and reviewing their assigned cardholders' monthly statement to ensure all charges were allowable and conducted within acquisition guidelines, (2) determining that the goods or services were received, and documentation is complete, and (3) verifying that the cardholder follows through in resolving any disputed transactions with the merchant and U.S. Bank. An approving official's certification of the monthly billing statement cannot occur until the cardholder, or in some cases, the approving official, performs and completes a reconciliation of all charges on the statement. Appendix III: Scope and Methodology: To assess whether DHS's internal control policies and procedures are adequately designed to provide reasonable assurance that fraud, waste, and abuse are minimized and are operating effectively to prevent or detect potentially fraudulent, abusive, and improper purchase card use, we reviewed and tested key purchase card controls over purchase card use by DHS's major organizational elements.[Footnote 21] Our review of purchase card controls covered: * DHS's and its organizational elements' overall management control environment, including (1) management's role in establishing needed controls, (2) the numbers of cardholders, cardholder accounts, approving/billing officials, and program coordinators, (3) training provided for cardholders, (4) monitoring and audit of purchase card activity, and (5) effectiveness of purchase card infrastructure; * attribute tests on a statistical sample of key controls over purchase card transactions made during the period from June 13, 2005 through November 12, 2005, including (1) proper written preauthorization of purchases, (2) maintenance of sales documentation, (3) documented performance of independent confirmation that items or services paid for with the purchase card were received, and (4) documentation that cardholders gave priority to designated sources; and: * data mining of the population of transactions made during the above mentioned test period to identify potentially fraudulent, improper, and abusive or questionable purchase card transactions. Departmental and Organizational Element Control Environment: To assess the overall management control environment for DHS's purchase card program, we obtained an understanding of the processes utilized by DHS and its major organizational elements by interviewing officials involved in overseeing and managing the various purchase card activities, analyzing each entity's control procedures and processes, and performing walk-throughs of the detailed processes utilized at the major organizational elements to request, approve/authorize, make, document, and verify/certify transactions using purchase cards. We also analyzed the database of active cardholders to assess the ratios of approving/billing officials to assigned cardholders and cardholder accounts and assessed cardholder training. For these tests, we utilized the active member cardholder database provided by U.S. Bank covering the period from June 2005 through December 2005. We also visited and interviewed officials of the Coast Guard's Finance Center, Chesapeake, Virginia, DHS's purchase card paying agent, to discuss the payment and management oversight processes utilized to ensure the timely processing of payments and the reasonableness and appropriateness of transactions. Statistical Sample of Internal Control Procedures: We obtained and reviewed the U.S. Bank-provided database of purchase card transactions covering the period from June 13, 2005, through November 12, 2005, and analyzed a random probability sample of these transactions to assess compliance with key internal controls. The sample design was a simple random probability sample of 96 transactions. The sample size was calculated to achieve a precision of any estimated internal control error rate for the category (except accountable property) to be +/-10 percentage points or less. With this probability sample, each transaction in the population had a known, nonzero probability of being selected. Each selected transaction was subsequently weighted in the analysis to account statistically for all the transactions in the population, including those not selected. Because we selected a sample of transactions, our results are estimates of a population of transactions and thus are subject to sample errors that are associated with samples of this size and type. Our confidence in the precision of the results from this sample is expressed in 95- percent confidence intervals. The 95-percent confidence intervals are expected to include the actual results in 95 percent of the samples of this type. We calculated confidence intervals for this sample based on methods that are appropriate for a simple random probability sample. To test compliance with internal controls, we applied procedures in GAO's Audit Guide: Auditing and Investigating the Internal Control of Government Purchase Card Programs (GAO-04-87G, Washington, D.C.: November 2003) and internal control standards included in the draft manual dated March 8, 2004. We utilized DHS's draft manual because we found that DHS had not issued an official standardized set of purchase card policies and procedures since the department was established by the Homeland Security Act in November 2002. Further, our review of the draft procedures showed that the procedures contained a reasonable set of standards that were generally consistent with good purchase card operating policies and procedures utilized by other governmental entities we had audited and covered in GAO's Audit Guide. We also reviewed (1) OMB Circular No. A-123, (2) Treasury Financial Manual Vol. 1 Part 4-4500 "Government Purchase Cards," (3) FAR, (4) organizational policies, including draft organizational policies, and (5) GAO's Standards for Internal Controls. Data Mining: In addition to selecting statistically projectable samples of transactions to test specific internal controls, we also made nonrepresentative selections of transactions from these entities. We conducted separate analysis of transactions that appeared on the surface to be potentially fraudulent, improper, and abusive or questionable. Our data mining for transactions was limited in scope. For this review, we scanned the population of transactions for vendor names and merchant codes that are likely to sell goods or services that are personal in nature, listed on DHS's restricted/prohibited lists, or are otherwise questionable. Our expectation was that transactions with certain vendors had a more likely chance of being fraudulent, improper, and abusive or questionable. We reviewed and made inquiries about 200 transactions with vendors that sold such items as sporting goods, sporting event tickets, groceries, clothing, jewelry, alcohol, entertainment, or were third-party payers, such as PayPal. Our inquiries also identified some purchases that turned out to be legitimate in terms of need but could have been obtained from vendors at significant price savings. We found other purchases were made during conditions of exigency that under normal operating conditions would not or should not have been made. While we identified, and performed limited inquiries about, some potentially fraudulent, improper, and abusive or questionable transactions, our work was not designed to identify, and we cannot determine, the extent of fraudulent, improper, and abusive or questionable transactions. We briefed DHS on the details of our work, including our scope, and methodology and our findings. We conducted our audit work from October 2005 through June 2006 in accordance with U.S. generally accepted government auditing standards, and we performed our investigative work in accordance with standards prescribed by the President's Council on Integrity and Efficiency. (192211): FOOTNOTES [1] The Homeland Security Act of 2002, Pub. L. No. 107-296, led to the creation in January 2003 of DHS--the most substantial reorganization of the federal government since the 1940s. The creation of DHS, which began operations in March 2003, represents the fusion of 22 federal agencies to coordinate and centralize the leadership of many homeland security activities under a single department. [2] Second Emergency Supplemental Appropriations Act to Meet Immediate Needs Arising from the Consequences of Hurricane Katrina, 2005, Pub. L. No. 109-62, Sec. 101 (Sept. 8, 2005). [3] We considered potentially fraudulent purchases to be those which were unauthorized and intended for personal use. The transactions we determined to be improper are those purchases intended for government use, but are not for a purpose that is permitted by law, regulation, or policy. We also identified as improper a number of purchases made on the same day from the same vendor, and which appeared to circumvent cardholder single transaction limits or bidding requirements. We defined abusive transactions as those that may be authorized, but the items purchased were at an excessive cost or were not needed by the government, or both. Questionable transactions could be improper or abusive but for which there is insufficient documentation to conclude either. [4] A split payment occurs when a cardholder splits a transaction into more than one segment to circumvent the requirement to obtain competitive prices for purchases over the $2,500 micropurchase threshold (in the case of Hurricanes Katrina and Rita, a micropurchase threshold of up to $250,000) or to avoid other established credit limits. [5] Because we believe DHS's draft manual, Department of Homeland Security Purchase Card Manual (Washington, D.C.: Mar. 8, 2004) is largely consistent with GAO's Audit Guide: Auditing and Investigating the Internal Control of Government Purchase Card Programs, GAO-04-87G (Washington, D.C.: Nov. 1, 2003) and Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C. Nov. 1999), we generally used the draft manual as the criteria against which we tested internal controls. [6] On an agencywide basis, 2,150 cardholders, or over 20 percent of DHS's over 9,000 cardholders, were managed by approving officials whose span of control exceeded the 7:1 cardholder to approving official internal control as contained in the DHS draft manual. [7] Federal agency purchase card programs operate under a government wide GSA SmartPay® master contract. Agency purchase card programs must comply with the terms of the contract and task orders under which the agency placed its order for purchase card services. [8] The GSA offers SmartPay®, a federal government charge card program that improves travel, purchase, and fleet payment services for federal employees by simplifying payments and cutting administrative costs. [9] GSA Advantage, a program offered by the GSA, is a convenient one- stop shopping source to meet federal agencies' procurement needs by selecting and listing vendors who may offer the best value. [10] Using designated sources results in the agency obtaining reasonable prices or purchasing goods and services that meet other policy objectives, such as creating jobs and training opportunities for people who are blind or have other severe disabilities. [11] As part of GSA's SmartPay® program, contracting banks provide rebates (refunds) to agencies based on sales volume (payments) and payment timeliness. [12] 6.302-2 and 41 U.S.C. § 253(c)(2), state that "[a]n executive agency may use procedures other than competitive procedures only when . . . the executive agency's need for the property or services is of such an unusual and compelling urgency that the Government would be seriously injured unless the executive agency is permitted to limit the number of sources from which it solicits bids or proposals." See also 48 C.F.R. § 6.302-2, Unusual and compelling urgency. [13] DHS's Personal Property Management Directive 565 defines accountable property as personal property with an initial acquisition cost at or above a specific threshold, and items designated as sensitive. These items are to be recorded in the organization's automated control system. DHS's Capitalization and Inventory of Personal Property Management Directive 1120 establishes differing thresholds for tracking accountable property. Generally, DHS requires its organizational elements to track electronic communications equipment with a cost greater than or equal to $1,000, information technology equipment with memory at any cost, and other personal property with a cost greater than or equal to $5,000. [14] DLA provides worldwide logistics support for the missions of the military departments and the Unified Combatant Commands under conditions of peace and war. It also provides logistics support to other DOD components and certain federal agencies such as DHS. [15] GAO's Guide for Evaluating and Testing Controls Over Sensitive Payments (GAO/AFMD-8.1.2, May 1993) states: "Abuse is distinct from illegal acts (non-compliance). When abuse occurs, no law or regulation is violated. Rather, abuse occurs when the conduct of a government organization, program, activity, or function falls short of societal expectations of prudent behavior." [16] According to Coast Guard finance personnel, funds from the Coast Guard Foundation, Inc. were used to purchase the beer brewing ingredients. The Foundation is a public nonprofit organization that provides annual funding to support the men and women of the U.S. Coast Guard and Coast Guard Academy. The Foundation's fundraising efforts address needs not met through traditional governmental and military funding sources. The Foundation supports such activities as a holiday calling-card program, capital improvements, and education grants. Although the ingredients were not purchased with appropriated funds, the resources provided by the Foundation could have been spent for other purposes, for example educational grants, had they not been used to brew beer. [17] The Coast Guard's mission is to protect the public, the environment, and U.S. economic interest in the nation's ports and waterways, along the coast, on international waters, or in any maritime region as required to support national security. [18] CBP is responsible for protecting U.S. borders in order to prevent terrorists and terrorists' weapons from entering the U.S. while facilitating the flow of legitimate trade and travel. [19] TSA's mission is to protect the nation's transportation systems to ensure freedom of movement for people and commerce. [20] FEMA is responsible for preparing the nation for hazards, managing federal responses and recovery efforts following any national incidents or disasters, and administering the National Flood Insurance Program. [21] Major organizational elements include the U.S. Secret Service, U.S. Coast Guard, Transportation Security Administration, U.S. Customs and Border Protection, U.S. Citizenship and Immigration Services, U.S. Immigration and Customs Enforcement, Federal Emergency Management Agency, Federal Law Enforcement Training Center, and other headquarters- level entities. [End of section] Appendix II: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: Homeland Security: September 15, 2006: Mr. Gregory Kutz: Managing Director: Forensic Audits and Special Investigations: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Kutz: Thank you for the opportunity to review and comment on the Government Accountability Office's (GAO's) draft report entitled, Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper and Abusive Activity (GAO-06-743). The Department of Homeland Security (DHS) appreciates the effort you undertook to review our purchase card program. We concur with your recommendations and have incorporated the relevant changes into our Purchase Card Manual. Below, in more detail, is a summary of your recommendations and the actions that we have already taken or plan to take in the near future. Recommendation 1: Implement changes to DHS's draft Purchase Card Manual to include policies and procedures addressing the four areas detailed below. After implementing the changes, the Purchase Card Manual should be finalized agencywide. * Training: Establish policies and procedures that document that all cardholders have completed the appropriate training. The documentation should include the date of the training, a description of the training, and the name of the recipient of the training. * Independent Receipt and Acceptance: Develop policies and procedures for the performance and documentation of independent receipt and acceptance attesting to the receipt of goods or the complete rendering of services. This documentation would be maintained along with other required documentation supporting each transaction. * Accountable Property: Develop policies and procedures to provide reasonable assurance that highly pilferable assets such as laptop computers, cell phones, personal digital assistants, memory storage devices, and other pilferable property acquired with a purchase card are entered into an accountable property system immediately after being received. Cardholders should be required to contact accountable property officers (or others acting in a similar capacity) before acquiring accountable property, or within a reasonable time thereafter, so that the property is properly bar coded and tracked in the property system. This should be completed prior to placement of the asset in service. The property system should include accurate information on the location of the asset, the individual responsible for the asset, the manufacturer's serial number, as well as the agency's unique identification code for the asset (e.g. a bar code). * Disciplinary or Administrative Actions: The agency should develop a range of potential disciplinary and administrative actions that may occur as a result of a cardholder or others failing to comply with the policies and procedures in the Purchase Card Manual. Response: With respect to training, the following language appears in the Department's Purchase Card Manual that was issued 9/15/06: Section 2.1.A.2 "All DHS CHs and all AOs shall successfully complete the GSA on-line purchase card training program to be supplemented by DHS-specific training before being issued a purchase card. All CHs and AOs shall also complete annual refresher training in order to continue to use purchase cards assigned." Section 2.1.A.3 "In addition to training requirements above, additional training is required before CHs and AOs may receive purchase card authority above the micro-purchase threshold. This training will include directions for CHs with delegated authority to use the purchase card as a payment mechanism against established contracts." Section 3.6.B. "Single purchase limits may not be permanently increased to exceed $2,500 unless the CH and his/her AO have completed the DHS simplified acquisition training requirement as stipulated in DHS Management Directive 0740.2 and specialized authority has been given by the Chief Procurement Officer or subordinate procurement authority." Further language was added to Section 2.1.A.4 that: "Certificates of training will be retained by the OPC for 6 years, 3 months in accordance with the National Archives and Records Administration records retention requirements. The certificates will include the name of the recipient, the date(s) of training and a description (title) of the training." With respect to independent receipt and acceptance: Section 3.8.C.1. has been added to detail requirements for purchase card receipt and acceptance: "Receipt occurs when goods that have been ordered are delivered. Receipt is evidenced by an independent third party (neither the cardholder, nor the authorizing official) signing or initialing a receiving report form, commercial shipping document, or packing list to indicate that the items listed (and only those listed) are present in the delivery. A copy of the receipt document is maintained for use in the acceptance process. Acceptance is an official acknowledgment by an identifiable individual that supplies delivered or services performed conform to what was ordered or contracted for. Acceptance may be performed at time of delivery or performance or within five business days of receipt. The organization(s) responsible for ordering the goods and services should be the party(s) responsible for accepting them. Acceptance reports shall be forwarded to the ordering cardholder's office by the fifth working day after acceptance and should be retained as documentation based on records retention criteria. The following information is required on or with a receiving report or delivery ticket: Vendor name: Contract number or other delivery authorization: Item description, unit of measure, and quantity received Dates of receipt and acceptance: Printed name, title, telephone number, mailing address, and signature (or electronic alternative) of the accepting or approving official. Cardholders will not certify transactions on their monthly statement unless they have an email or written acknowledgment of receipt and acceptance. OPCs may grant waivers in circumstances that do not allow for segregation of duties. However, but there must be adequate compensating controls, such as periodic third party reviews of waived transactions to provide adequate assurance that there is no fraud, waste or abuse. Waivers and compensating controls must be thoroughly documented and retained for potential future audits." With respect to accountable property: Section 1.1.I.10. Cardholders shall: "Notify a local property officer before or within a reasonable time after acquiring accountable, sensitive and/or hazardous personal property so that the property may be recorded in the proper system of record. This must be completed prior to placing the asset in service." Section 3.8.C.2: "The cardholder must seek out a procurement official to provide input, guidance, and direction to support purchase card and contract actions for personal and accountable property, as required in accordance with the Federal Acquisition Regulation and internal DHS asset management and inventory standards. See MD 0565, Personal Property Management for explanation of categories of personal property; to include accountable, sensitive and hazardous personal property. (Note: certain property that can easily be stolen or "pilfered" is addressed in MD 0565.) The cardholder should consult this procurement official about the propriety of any acquisition about which they are in doubt. The procurement official should counsel the cardholder on the use of any required sources or existing contracts that must be used for their purchases. The cardholder must notify a local property officer (LPO) before or within a reasonable time after acquiring accountable, sensitive and/or hazardous personal property so that the property may be recorded in the proper system of record. This must be completed prior to placing the property item in service. Cardholders are required to report all costs of the property to the LPO. This means any cost associated with the acquisition of the item including, but not limited to, payments to vendors for freight, handling, storage, design, construction, and installation. (See Federal Accounting Standards Advisory Board Number 6 for detailed information on acquisition cost.) The cardholder will provide the LPO with copies of written receipts and invoices (email copies are acceptable) to document each property transaction. The cardholder is also responsible for providing documentation of all costs as referenced above in order for the LPO to record these items correctly." With respect to disciplinary or administrative actions: Section 2.6 "The following discussion pertains to the Department's civilian employees. Members of the military service, employed by the United States Coast Guard, are subject to the Uniform Code of Military Justice and/or other appropriate administrative policies, rules, regulations or policies which are tailored and applicable to military personnel. Supervisors are responsible, and will be held accountable, for failing to monitor purchase card usage consistent with applicable law, rules, and procedures. Additionally, the DHS Office of the Chief Financial Officer and the DHS Office of the Inspector General (OIG) have and will exercise the right to monitor purchase card transactions on a constant basis. The OIG retains all audit and investigation authorities. The OIG and the CFO have access to an electronic system to monitor program operations and transactions on an ongoing basis. When using the purchase card, a CH must comply with all applicable statutory and regulatory provisions and federal and DHS prohibitions, controls, limitations, and approval requirements, with special attention to section 3.4 of this issuance (which contains examples of appropriate purchases) and section 3.8 (which covers use). Examples of unauthorized use or misuse include, but are not limited to, the following: 1. Using or authorizing the use of the purchase card, for other than official government business; 2. Violating purchase card policies; 3. Making purchases that do not meet the needs of the Government; 4. Making false statements, submitting altered or false documents, or knowingly permitting such behavior in relation to the use of a Government purchase card; or, 5. Negligence in performing official duties related to the use or approval of Government purchase cards. Each of these actions may be considered acts of abuse and attempts to commit fraud against the government, or other types of unacceptable conduct, or misconduct. Abuse and/or fraud will result in immediate cancellation of the employee's purchase card. In addition, the CH may be subject to disciplinary action up to and including termination of employment. An employee also may be personally liable to the Government for the amount of any unauthorized transaction and may be subject to criminal prosecution. NOTE: In all situations where disciplinary action may be warranted, before any action is imposed, the servicing Employee Relations office must be consulted, along with the appropriate legal counsel's office, and, in some cases, the Office of the Inspector General (OIG) to ensure consistency and fairness, that facts have been established, and that employees are given proper due process. " Recommendation 2: Improve the existing electronic systems to allow those with oversight responsibilities the ability to determine if cardholders and approving officials performed their reconciliation and certifying duties in a meaningful way. Response: DHS concurs with this recommendation but must point out that under the GSA SmartPay contract all electronic systems are provided by the contracting Bank. Changes in capabilities must be agreed to be implemented by the Bank based on the contract requirements and are therefore not necessarily going to be guided by agency requests. The costs associated with these systems changes sometimes outweigh the perceived benefit to the Bank of offering additional services. This may be something that can be negotiated with SmartPay2 scheduled to be bid in 2008. Our contractor U.S. Bank intends to augment its current reporting system by replacing the Customer Automation and Reporting Environment (C.A.R.E.) system with Access On-line sometime in the next fiscal year. It is not clear what additional capabilities will be included in this system but we are negotiating with them to add these capabilities. The current C.A.R.E. system does allow for daily reconciliations and history reports can be run ad hoc to record activity, but this requires manipulation of data files and report creation by OPCs that may be outside their current capabilities. Part of our retraining effort will also include C.A.R.E. and Access On-line system training for all card program participants. Recommendation 3: Conduct a review to determine if adequate resources are devoted to administering, maintaining, and enforcing the purchase card program at both the agency level and the organizational element level. DHS should further develop specific oversight responsibilities that need to be carried out at both the agency level and at the organizational element level. Response: The Office of the Chief Financial Officer plans to conduct reviews to determine if adequate resources are devoted to the purchase card program at both the agency and component level and develop oversight responsibilities for the program. This will be accomplished by the establishment of a Management Assurance Team that will conduct regular reviews of key programs, including the purchase card program. Recommendation 4: Adopt prudent purchasing practices by entering into arrangements with dependable sources in the government or vendors who can provide reasonable pricing for specific goods and services with a foreseeable demand in the event of an emergency. In anticipation of future emergencies, DHS should take the following actions: * Identify specific sources in the federal government or vendors in the private sector that can reliably supply the necessary goods and services for DHS to accomplish its mission in emergency situations. * In the case of vendors in the private sector, negotiate pricing and delivery terms with these sources using the federal government's substantial purchasing power so that in a time of crisis DHS will be able to efficiently obtain the necessary goods and services. Response: DHS concurs with the GAO recommendation to procure emergency supplies and services efficiently from qualified vendors at the best possible prices. DHS is implementing this recommendation as part of the FEMA Re- tooling effort by establishing contractual relationships for known emergency supplies and services prior to a disaster so there should be fewer unplanned transactions. DHS is participating in the government wide forum to create standard procedures for emergency contracting and instituting training consistent with the new procedures, including training on the use of the Government Purchase Card during emergencies. These procedures standardize the process for required sources of supply and provide specific information on contractual vehicles that can be used to satisfy the emergency requirements. FEMA specifically has issued a field guide that also includes the required priority for sources of supply with the necessary information to order against pre existing contracts where appropriate. DHS Strategic Sourcing establishes DHS-wide contracting vehicles for commonly purchased supplies and services. For items such as office supplies, Strategic Sourcing has created DHS Wall that has demonstrated pricing savings and prompt delivery terms for standard government supplies. Similar contract vehicles may be established for emergency items where appropriate. Recommendation S: Develop policies and procedures to limit approving officials' span of control. The number of cardholders and card accounts that any one approving official is responsible for should be reasonable and should be established in consideration of the approving official's other responsibilities. In addition, approving officials should have an appropriate number of transactions so that they may conduct a thorough and proper review of supporting documentation for each transaction. Response: The following language regarding span of control can be found in the recently issued Purchase Card Manual: Section 1.5.G.3. The Organizational Program Coordinator (OPC) shall: "Determine the number of cardholders managed by each AO (A single individual may not be an AO for more than 7 CHs, or approve more than 300 transactions a month on a regular basis.)"; Section1.5.H.1 The Approving Official shall: "Provide approval, validation, oversight, and monitoring of purchase card activity over their designated cardholders. (A single individual may not be an AO for more than 7 CHs, or approve more than 300 transactions a month on a regular basis.)" Recommendation 6: Continuously monitor and review open accounts to provide reasonable assurance that only cardholders who have a documented need to acquire items for the government are issued a purchase card. Instances where cards have not been used for over a year should be analyzed to determine if a valid need for the card exists. If a valid need can not be established, the purchase card should be suspended or the account closed. Response: DHS has contacted U.S. Bank to create a custom monthly report to capture this information and require monthly review by OPCs. Thank you again for the opportunity to comment on this draft report and we look forward to working with you on future homeland security issues. Sincerely, Signed by: Steven J. Pecinovsky: Director: Departmental GAO/OIG Liaison Office: [End of Section] (192192): FOOTNOTES [1] GAO, Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity, GAO-06-957T (Washington, D.C.: July 19, 2006). [2] GAO, Audit Guide: Auditing and Investigating the Internal Control of Government Purchase Card Programs, GAO-04-87G (Washington, D.C.: Nov. 1, 2003). GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: