This is the accessible text file for GAO report number GAO-03-678G 
entitled 'Audit Guide: Auditing and Investigating the Internal Control 
of Government Purchase Card Programs' which was released on May 01, 
2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

GAO-03-678G:

United States General Accounting Office:

Washington, D.C. 20548:

Audit Guide: Auditing and Investigating the Internal Control of 
Government Purchase Card Programs:

November 1, 2002:

Preface.

The federal government of the United States--the largest and most 
complex organization in the world--expended approximately $15 billion 
through federal organizations'[Footnote 1] purchase card 
programs[Footnote 2] in fiscal year 2002. As stewards of taxpayer 
dollars, federal agencies are accountable for how purchase cards are 
used and how the funds are spent. To that end, federal agencies are 
responsible for establishing and maintaining internal control to 
provide reasonable assurance that (1) the goals and objectives of the 
purchase card program are met and (2) safeguards against fraudulent, 
improper, and abusive purchases are adequate.

Recent congressional testimony and Inspector General and GAO reports 
show that some federal agencies do not have adequate internal control 
over their purchase card programs. Without effective internal control, 
management has little assurance that fraudulent, improper, and abusive 
purchases are being prevented or, if occurring, are being promptly 
detected with appropriate corrective actions taken. A key element of 
internal control is monitoring that assesses the quality of performance 
over time and ensures that the findings of audits and other reviews are 
promptly resolved. Monitoring provides for regular management and 
supervisory activities, as well as evaluations by inspectors general or 
external auditors.

This guide focuses on audits of internal control activities--designed 
primarily to prevent or detect significant fraudulent, improper, and 
abusive purchases--in a government purchase card program. It is 
intended to provide practical guidance for consideration by internal 
and external auditors, investigators, and program management oversight 
personnel in assessing the adequacy and performance of those control 
activities, and identifying areas of internal control for potential 
improvement. This guide is based primarily on GAO's experiences in 
auditing and investigating internal control over federal government 
purchase card programs at the Departments of Defense, Education, 
Housing and Urban Development, and other federal agencies.

This guide was prepared at the request of former Chairman Stephen Horn, 
Subcommittee on Government Efficiency, Financial Management and 
Intergovernmental Relations, House Committee on Government Reform. This 
is one of a series of projects we have undertaken for the Subcommittee 
concerning weaknesses in internal control over government purchase and 
travel card programs.

We invite you to review and comment on the audit approach and 
methodologies contained in this guide. This draft document will be 
available for comment for 60 days, until August 1, 2003. Please address 
any questions or comments to me at (202) 512-2600, steinhoffj@gao.gov, 
or Stephen W. Lipscomb at (303) 572-7328, lipscombs@gao.gov, or:

Stephen W. Lipscomb:

U.S. General Accounting Office:

1244 Speer Blvd. Suite 800:

Denver, CO 80204:

This guide was prepared under the direction of Gregory Kutz, Director, 
Financial Management and Assurance. Other GAO contacts and key 
contributors are listed in appendix VII.

Jeffrey C. Steinhoff:

Managing Director:

Financial Management and Assurance:

Signed by Jeffrey C. Steinhoff:

Table of Contents:

Preface:

Section 1: Introduction:

Objective of the Guide, Scope and Methodology:

Government Purchase Card Programs:

GAO's Approach to Auditing Purchase Card Programs:

The Applicability of Auditing Standards:

Section 2: Understanding the Purchase Card Program:

The Risk of Fraudulent, Improper, and Abusive Purchases:

Potentially Fraudulent, Improper or Abusive:

Indications and Categories of Fraud:

Relevant Laws and Regulations:

Establishment and Operation of the Purchase Card Program:

Procurement Methods and Standards:

Purposes for which an Organization's Appropriations May Be Used:

The Organization's Operations and Programs:

Understanding the Organization's Operations:

Understanding the Organization's Purchase Card Program:

Understanding the Bank Service Provider's Program:

Internal Control and the Control Environment:

The Standards of Internal Control:

Testing Key Elements of the Control Environment:

Section 3: Making, Documenting, and Using the Preliminary Assessment:

Assessing the Adequacy of the Design of Control Activities:

Using the Preliminary Assessment:

Section 4: Testing the Effectiveness of Key Control Activities:

Obtaining Transaction Data:

Coordinating with the Bank Service Provider:

Selecting Purchase Card Transactions:

Considerations in Designing a Statistical Sample:

The Sampling Plan:

Extracting Selected Transaction Data Elements:

Reporting Sample Results:

Analysis of Results from Statistical Samples:

Obtaining Documentation Evidencing Performance of Control Activities:

Obtaining Documentation from the Organization:

Evidence of Performance:

Testing Control Activities:

Transaction Control Activities:

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases:

Data Mining for Detection, Illustration, and Disclosure:

Follow-up and Investigation:

Follow-up:

Referral for Investigation:

Appendixes:

Appendix I - Selected Relevant GAO Reports and Testimonies:

Appendix II - Selected Relevant Laws and Regulations:

Appendix III - Example Purchase Transaction Flow Chart and Narrative 
(Request Through Payment):

Appendix IV - Example Purchase Card Program Organization Chart:

Appendix V - Example Audit Program:

Appendix VI - Guidelines for Initiating an Investigation of Purchase 
Card Fraud:

Appendix VII - GAO Contact and Staff Acknowledgments:


Section 1: Introduction.

Federal government purchase card programs, which have been in existence 
governmentwide since 1989, were established to streamline federal 
agency acquisition processes by providing a low-cost, efficient vehicle 
for obtaining goods and services directly from vendors. As shown by the 
chart, purchase card programs have experienced dramatic growth and 
accounted for $15.2 billion in government expenditures in fiscal year 
2002.

Growth of federal government purchase card programs:

[See PDF for image]

[End of figure]

With the establishment in 1998 of the General Services Administration's 
(GSA) SmartPay® program, federal agencies had a new way to pay for 
commercial goods and services. GSA negotiated charge card service 
provider contracts with five commercial banks: Citibank, First National 
Bank of Chicago, Mellon Bank, NationsBank, and U.S. Bank. Federal 
government departments and agencies were to choose the service provider 
with capabilities meeting agency requirements.

Purchase card programs are widespread throughout the federal government 
and range in size from the Department of Defense (DOD) with 214,000 
cardholders and $6.8 billion of fiscal year 2002 purchases, to the U.S. 
Tax Court with 1 cardholder and $102,000 of fiscal year 2002 purchases. 
However, the design and implementation of internal control did not keep 
up with the growth in the programs audited by GAO (see app. I - 
Selected Relevant GAO Reports and Testimonies). With the increase in 
purchase card use came increases in risk, revelations of significant 
weaknesses in internal control, and resulting fraudulent, improper, and 
abusive or questionable purchases.

Objective of the Guide, Scope and Methodology:

The primary objective of this guide is to provide practical guidance 
for consideration in performance audits and investigations of 
government purchase card programs. The guide provides auditors and 
fraud investigators with a basis for understanding the operations, 
risks, and internal control of a government purchase card program, 
which in turn provides a basis for conducting investigations of fraud 
in a government purchase card program. Although this guide is primarily 
an audit and investigative guide, it can also be applied by program 
management oversight personnel in assessing the adequacy of policies, 
procedures, and internal controls, and conducting ongoing monitoring of 
adherence to internal control activities. In that context, the use of 
the term "auditor" throughout this guide is intended to include program 
management oversight personnel as well as internal and external 
auditors. While this guide is based on approaches and methodologies 
developed in audits of federal purchase card programs, the basic 
concepts and criteria may also be applicable to state and local 
government purchase card programs.

This guide:

focuses on auditing the internal control policies, procedures, and 
activities designed primarily to prevent or detect fraudulent, 
improper, and abusive purchase card transactions in a government 
purchase card program;

seeks to foster critical, creative thinking by auditors, investigators, 
and management personnel responsible for identifying risks and 
opportunities open to those who would misuse the purchase card;

provides practical guidance in identifying potentially fraudulent, 
improper, and abusive purchase card transactions, and in conducting the 
appropriate follow-up and investigation; and

illustrates the beneficial effect of involving fraud investigators in 
the planning and execution of audit procedures.

The guide is intended to supplement existing guidance[Footnote 3] for 
review and oversight of federal government purchase card programs. 
Different parties may accomplish audits of purchase card programs for 
different purposes. Law, regulation, or third party request may direct 
external and internal auditors to accomplish a performance or other 
audit in accordance with generally accepted government auditing 
standards (GAGAS)[Footnote 4].

The guide is not intended to and does not provide guidance sufficient 
to address all potential purchase card program performance audit 
objectives (e.g., economy and efficiency, compliance with legal or 
other requirements). The guide is also not intended to comprehensively 
address all five of the standards of internal control[Footnote 5] 
(e.g., management's risk assessment, information and communication). In 
addition, the guide is not intended to and does not provide guidance 
sufficient to develop investigative cases that establish evidence to 
prove specific allegations of criminal wrongdoing.


Government Purchase Card Programs:

The operations and controls of government purchase card programs can 
vary among organizations. However, the U.S. Department of the 
Treasury's Financial Manual[Footnote 6] prescribes procedures 
(illustrated in fig. 1), including program controls and invoice 
payment, that apply to all departments and agencies that use the 
government purchase card. Additionally, the Federal Acquisition 
Regulation (FAR), which prescribes governmentwide policies and 
procedures for acquisition by all executive agencies, provides that 
agencies are to establish procedures for use and control of the card 
that comply with the Treasury Financial Manual.[Footnote 7]

[See PDF for image]

[End of figure]

The manual further states that, with some exceptions, small purchases 
of up to $25,000[Footnote 8] should be made using the government 
purchase card, and establishes key control activities, personnel, and 
their roles, including the following.

A written delegation of authority is to be issued by responsible agency 
personnel that establishes authorized cardholder(s)[Footnote 9] and 
specifies spending and usage limitations unique to that cardholder.

The cardholder is the government employee to whom a government purchase 
card, bearing the employee's name, is issued. The card can be used only 
by that employee for official purchases, in adherence with agency 
regulations.

The cardholder statement listing all transactions during the billing 
period is sent to each cardholder.

The approving official (AO) reviews cardholder statement(s), is 
responsible for authorizing cardholder purchases (for official use 
only), and ensures that statement(s) are reconciled and submitted to 
the designated billing office in a timely manner.

A designated billing office receives the official invoice--a designated 
billing office report listing all cardholder charges for the area the 
office serves--and ensures its payment in accordance with Prompt 
Payment Act deadlines.

The manual requires each agency to develop its own internal procedures 
for using the purchase card, and establishes processing and internal 
controls that must be in place prior to using the government purchase 
card, including the following.

Designate an office (usually the procurement office) to manage the 
program, and assure that (1) training required for all cardholders, 
approving officials, and other employees involved in the program is 
provided, (2) a current list of cardholders and approving officials is 
maintained, and (3) an annual oversight review of the program is 
conducted. (This position is generally referred to as the Agency 
Program Coordinator (APC) in DOD purchase card programs.)

Establish procedures for (1) the timely submission of cardholder 
statements to the agency designated billing office, (2) maintaining 
security of the cards, (3) handling disputes and returned, refused, 
damaged, or unacceptable items and partial deliveries, and (4) purchase 
card renewal.

The manual also provides that invoices, payments, access and review of 
account and master file data, and reports may be accomplished 
electronically, and that electronic funds transfer (EFT) should be 
adopted as the standard method of payment for all federal program 
payments originated by agencies or their agents.

GAO's Approach to Auditing Purchase Card Programs:

The approach presented in this guide is based on GAO's experience in 
auditing internal control over government purchase card programs at the 
Departments of Defense, Education, Housing and Urban Development, and 
other federal agencies (see app. I - Selected Relevant GAO Reports and 
Testimonies). In general, GAO's approach is to: (1) gain a thorough 
understanding of the organization's operations and purchase card 
program, and relevant system of internal control, (2) based on that 
understanding, and any needed additional review and analysis, make a 
preliminary assessment of the adequacy of the design of the system of 
internal control, (3) test the effectiveness of internal control using 
statistical sampling, and (4) use data mining to detect instances of 
potentially fraudulent, improper, and abusive transactions to 
illustrate the effects of breakdowns in internal control.

[See PDF for image]

[End of figure]

GAO's approach includes involving fraud investigators throughout the 
audit. An experienced fraud investigator will bring valuable 
perspectives and insight to the process of identifying opportunities 
for fraud in the program's operations and in evaluating the 
effectiveness of control activities. They can also bring new and 
creative thinking to identifying the opportunities for circumvention of 
the existing controls. Fraud investigators should be involved in the 
preliminary assessment process, designing tests of controls, 
identifying criteria and relationships for data mining, and in 
follow-up of potentially fraudulent transactions. Program policy and procedure 
documents obtained and understandings gained of the purchase card 
program and related internal controls should be made available to the 
fraud investigator.

The Applicability of Auditing Standards:

Auditors performing an audit in accordance with GAGAS standards for 
performance audits are required to adhere to the general and fieldwork 
standards. These standards can be found on GAO's website[Footnote 10]. 
The following three general standards are key to providing assurance 
that integrity, objectivity, and independence are adequate in planning, 
conducting, and reporting results of audits.

Independence - Audit organizations and individual auditors, whether 
government or public, are required to be free both in fact and 
appearance from personal, external, and organizational impairments to 
independence, in all matters relating to the audit work.

Professional judgment - Auditors complying with GAGAS are required to 
use professional judgment in planning and performing audits and in 
reporting the results.

Competence - Audit staff are required to collectively possess adequate 
professional competence for the tasks required.

We encourage all users of this guide, including internal auditors and 
program management oversight personnel, to (1) become familiar with 
these standards and the basic concepts embodied in them, (2) consider 
their relative applicability to the circumstances, and (3) apply them 
as appropriate when using this guide.

Section 2: Understanding the Purchase Card Program.

Evaluating the adequacy of internal control designed to mitigate the 
risk of fraudulent, improper, and abusive transactions requires the 
auditor to gain an in-depth understanding of (1) the risk of fraud, (2) 
the relevant laws and regulations, and (3) the specific organization's 
mission activity operations, and its purchase card program operations 
(from purchase request to payment). This in-depth understanding is 
necessary so that an auditor can make a preliminary judgment about the 
adequacy of design of an organization's control activities.

The Risk of Fraudulent, Improper, and Abusive Purchases:

The potential for fraudulent, improper, and abusive purchases in a 
purchase card program should be viewed by management as a risk of 
significant financial loss, possibly resulting in operational 
inefficiency and impairment of mission readiness. This is particularly 
true in the government environment where taxpayer dollars are at risk. 
Fraudulent, improper, and abusive purchases often result directly from 
a lack of adherence to policies, procedures, and control activities. 
This lack of adherence can result in misuse of the card. As program 
personnel predisposed to misuse the card become aware of such 
weaknesses, the door opens wider for fraudulent, improper, and abusive 
purchases.

[See PDF for image]

[End of figure]

One organization's actions included recommending remedial training and 
suspension of repeat offenders' purchase card accounts for lack of 
adherence to internal control policies and procedures.

Repeated nonadherence to established internal control policies and 
procedures, such as inadequate documentation of purchase card 
transactions or supervisory reviews, may not in and of itself 
constitute a violation of law or regulation. However, if allowed to 
continue, it will contribute to an erosion and weakening of the 
control system. Prompt administrative and disciplinary actions (e.g., 
informal admonishment, formal reprimand, additional required training, 
suspension of card privileges, cancellation of the cardholder's 
account, termination of employment) can be effective in reducing 
persistent lack of adherence to policies and procedures by cardholders 
and other program personnel. When administrative corrective actions are 
taken and documented, program management, oversight personnel, and 
auditors will be able to identify repeat offenders and determine that 
appropriate steps are being taken to address potentially significant 
problems before they escalate.

[See PDF for image]

[End of figure]

Potentially Fraudulent, Improper or Abusive:

Our audits of purchase card programs detected transactions which were 
not in accordance with laws and regulations, or were not an appropriate 
or legitimate use of government funds. We used four terms to 
characterize such purchases: potentially fraudulent, improper, 
abusive, and questionable purchases. The following are explanations of 
these terms as used in this guide.

A cardholder made 62 unauthorized transactions totaling $12,832 to pay 
for repairs to a car and buy groceries, clothing, and various other 
items for personal use.

Fraudulent purchases - Use of the government purchase card to acquire 
goods or services that are unauthorized and intended for personal use 
or gain constitute a fraud against the government. A cardholder's 
unauthorized purchase of power tools for his home, a vendor's 
intentional charges for services not provided, and the unauthorized use 
by a third party of a cardholder's compromised or stolen account for 
personal gain are examples of fraudulent purchase card transactions. In 
GAO reports, these and similar purchase card transactions are generally 
referred to as "potentially fraudulent" unless there has already been a 
fraud conviction in a court of law.

Day planners costing $3,100 were purchased from Franklin Covey. One 
item cost $199 and another $250. In contrast, cardholders could have 
purchased day planners from JWOD for about $40.

Improper purchases - Government purchase card transactions that are 
intended for government use, but are not permitted by law, regulation, 
or organization policy generally are considered improper. Examples 
include certain types of purchases of meals or refreshments for 
government employees within their normal duty stations,[Footnote 11] 
purchases split to circumvent micropurchase or other single purchase 
limits, and purchases from other than statutorily designated sources, 
such as the Javits-Wagner-O'Day program (JWOD).[Footnote 12]

A cardholder purchased Bose bedside clock radios costing $349 each, 
when other models costing about $15 were available.

Abusive purchases - Purchases of authorized goods or services, at terms 
(e.g., price, quantity) that are excessive, or are for a questionable 
government need, or both, are considered abusive. Examples of such 
transactions include purchases of items such as $300 day planners, $350 
bedside radios, and allowable refreshments at excessive cost, purchases 
of designer leather goods, and year-end and other bulk purchases of 
computer and electronic equipment for a questionable government need.

Indications and Categories of Fraud:

Figure 2 shows key signs, signals, and patterns that are indicative of 
the potential for fraud in a government purchase card program.

Figure 2: Signs, signals, and patterns indicative of the potential for 
fraud.

[See PDF for image]

Signs, signals, and patterns indicative of the potential for fraud:

Weak management;

Weak internal controls;

History of impropriety;

Failure to follow legal or technical advice;

Promise of gain with little likelihood of being caught;

Unexplained decisions and/or transactions;

Unethical leadership;

Missing or altered documents.

Source: International Journal of Government Auditing.

[End of figure]

An inmate at a local county jail made three purchase card transactions 
at local florist shops on a government purchase card that had either 
been lost or stolen.

GAO audits of government purchase card programs have reported 
fraudulent and potentially fraudulent purchases by cardholders, 
vendors, and third parties using compromised accounts falling into the 
following broad categories of fraud.

Theft involves property, facilities, and services. An authorized or 
unauthorized cardholder purchase of goods or services intended for 
personal use or gain is theft. Theft can also occur when an 
unauthorized user compromises a cardholder's account by gaining 
knowledge of and using the purchase card account number.

A maintenance supervisor allegedly made $52,000 in fraudulent 
transactions to a suspect contractor for work that was not performed.

Two purchase cardholders conspiring with at least seven vendors 
received kickbacks on purchases with inflated prices and/or quantities. 
Criminal investigation resulted in confinement or restriction, a bad 
conduct discharge, and a reduction in rank.

Fictitious transactions can involve a single party (e.g., a cardholder 
supports the acquisition of goods or services for personal use with 
false documentation, or a vendor bills the government for goods or 
services never delivered). In addition, fictitious transactions can 
include collusion (e.g., a cardholder knowingly approves documentation 
supporting a vendor's invoice for goods or services never provided, and 
the two share in the amount paid by the government). Although collusion 
can circumvent what otherwise might be effective internal control 
activities, a robust system of guidance, internal control activities, 
and oversight can provide reasonable assurance of preventing or quickly 
detecting fraud.

Kickbacks may be offered by a vendor or solicited by a contractor or 
government buyer. Kickbacks in a government purchase card program can 
include collusion between a cardholder and a vendor. The cardholder 
makes authorized purchases from the vendor, who charges the government 
an excessive price and "kicks back" a percentage of the amounts 
received to the cardholder.

A cardholder and his supervisor conspired to make nearly $400,000 in 
fraudulent purchases from companies owned by the supervisor, his 
sister, friends, and acquaintances.

Conflict of interest is present when a government official participates 
in approving or deciding a matter in which the official or a relative 
has a financial interest. The potential for a conflict of interest in a 
purchase card transaction exists whenever a cardholder or a relative 
has a significant financial interest in a vendor or contractor. 
Purchases of goods or services from that vendor or contractor would be 
suspect and, if not prohibited by the organization, should require 
special review and approval prior to and subsequent to the purchase.

The auditor should be aware of the potential for the previous 
categories of fraud in the day-to-day operational risk of the 
organization. Fraudulent, improper, and abusive purchases generally 
involve individual cardholders, supervisors, approving officials, and 
vendors, and occasionally collusion between them. Another source of 
fraudulent purchases of significant concern occurs when an account is 
compromised (e.g., someone other than authorized program personnel 
gains knowledge of account numbers). In any event, a strong system of 
controls should guard against significant loss to the government for 
all such potentially fraudulent, improper, and abusive purchases. Any 
potentially fraudulent transaction detected should be considered for 
follow-up, as discussed in the Follow-up and Investigation section of 
this guide.

To better understand the risk of fraud within a specific organization's 
purchase card program, auditors and investigators should identify and 
study known cases of such fraud. Summary memoranda prepared by fraud 
investigators detailing the nature and extent of the suspected fraud, 
the investigative process, the conclusions reached, and the actions 
taken can provide valuable additional insight.

Relevant Laws and Regulations:

A federal organization's purchase card program must comply with the 
laws, regulations, contracts, and governmentwide and organization 
policies and procedures that (1) govern the establishment and operation 
of the purchase card program, (2) prescribe procurement methods and 
standards, and (3) pertain to the purposes for which an organization's 
appropriations and other sources of funds may be used. When evaluating 
the merits of individual purchases, all three areas should be 
considered (see app. II - Selected Relevant Laws and Regulations).

Establishment and Operation of the Purchase Card Program:

Federal organization purchase card programs operate under a 
governmentwide GSA contract, the GSA SmartPay® Master Contract. 
Organization purchase card programs must comply with the terms of the 
contract and the task order under which the organization placed its 
order for purchase card services. Organization purchase card programs 
must also comply with Department of the Treasury regulations found in 
the Treasury Financial Manual, Vol. I, Part 4-4500, "Government 
Purchase Cards." The Federal Acquisition Regulation (FAR), 48 C.F.R. § 
13.301(b) (2002), provides that agencies are to establish procedures 
for use and control of the card that comply with the Treasury Financial 
Manual and that are consistent with the terms and conditions of the 
current GSA credit card contract. Individual organizations may be 
subject to specific statutory criteria for the management of purchase 
cards (e.g., Title 10 U.S.C. 2784, directing the Secretary of Defense 
to prescribe regulations governing the use of purchase cards). As such, 
each organization should have guidance concerning the implementation, 
establishment, and operation of its purchase card program.

Procurement Methods and Standards:

Purchases made with the purchase card should be made in accordance with 
generally applicable procurement laws, regulations, and organization 
procurement policies and procedures. The FAR provides governmentwide 
policies and procedures for acquisition by all executive agencies. 
Agencies frequently issue supplemental acquisition regulations as well.

One cardholder split about $17,000 of purchases of boots on 1 day into 
8 transactions. Another cardholder split over $30,000 of purchases from 
an electronic supply store on 1 day into 14 transactions.

Contracting activities carried out by the federal government generally 
must be conducted by warranted contracting officers; however, the 
purchase card may also be used by other government personnel for 
purchases at or below the micropurchase threshold. The FAR provides 
that such individuals must be delegated the authority to do so in 
writing in accordance with organization procedures. Regardless of the 
value of a purchase, the FAR prohibits cardholders from splitting 
organization needs into smaller purchases in order to circumvent 
applicable acquisition laws, regulations, and policies. Organization 
policies can also prohibit cardholders from splitting a purchase into 
smaller purchases in order to avoid individual cardholder purchase 
limits.
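The split-purchase pattern described above can be screened for in a transaction file. The following Python sketch is an added example, not part of the GAO guide: the record layout, sample transactions, and the optional multi-day window (a generalization beyond the same-day cases cited) are assumptions; the $2,500 figure is the micropurchase threshold stated in this guide.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

MICROPURCHASE_THRESHOLD = Decimal("2500")  # threshold stated in this guide

# Constructed sample transactions: (cardholder, vendor, date, amount).
SAMPLE = [
    ("CH-A", "BOOT SUPPLY", date(2002, 3, 4), Decimal("2100.00")),
    ("CH-A", "BOOT SUPPLY", date(2002, 3, 4), Decimal("2200.00")),
    ("CH-A", "BOOT SUPPLY", date(2002, 3, 4), Decimal("2400.00")),
    ("CH-A", "BOOT SUPPLY", date(2002, 3, 4), Decimal("2300.00")),
    ("CH-A", "Boot Supply ", date(2002, 3, 4), Decimal("1900.00")),  # name variant
    ("CH-B", "OFFICE MART", date(2002, 3, 5), Decimal("400.00")),
    ("CH-B", "OFFICE MART", date(2002, 3, 5), Decimal("350.00")),
    ("CH-C", "ELECTRO PARTS", date(2002, 3, 6), Decimal("2450.00")),
    ("CH-C", "ELECTRO PARTS", date(2002, 3, 7), Decimal("2450.00")),
    ("CH-D", "ELECTRO PARTS", date(2002, 3, 6), Decimal("2600.00")),   # over limit
    ("CH-D", "ELECTRO PARTS", date(2002, 3, 6), Decimal("-2600.00")),  # credit
]


def find_possible_splits(transactions, limit=MICROPURCHASE_THRESHOLD, window_days=0):
    """Return clusters of purchases by one cardholder from one vendor that are
    each at or below `limit` but together exceed it.

    window_days=0 clusters same-day purchases only; a larger value also
    clusters purchases made within that many days of the first one.
    A flagged cluster is a lead for follow-up, not a conclusion.
    """
    groups = defaultdict(list)
    for holder, vendor, when, amount in transactions:
        # Credits and single purchases already over the limit belong to other
        # tests; including them here would distort the cluster totals.
        if Decimal("0") < amount <= limit:
            groups[(holder, vendor.strip().upper())].append((when, amount))

    findings = []
    for (holder, vendor), items in sorted(groups.items()):
        items.sort()
        cluster = []
        # The (None, None) sentinel forces the final cluster to be evaluated.
        for when, amount in items + [(None, None)]:
            if cluster and (when is None
                            or (when - cluster[0][0]).days > window_days):
                total = sum(a for _, a in cluster)
                if len(cluster) >= 2 and total > limit:
                    findings.append({
                        "cardholder": holder,
                        "vendor": vendor,
                        "first": cluster[0][0],
                        "last": cluster[-1][0],
                        "count": len(cluster),
                        "total": total,
                    })
                cluster = []
            if when is not None:
                cluster.append((when, amount))
    return findings


if __name__ == "__main__":
    for f in find_possible_splits(SAMPLE, window_days=1):
        print(f["cardholder"], f["vendor"], f["first"], f["last"],
              f["count"], f["total"])
```
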

Despite representations that hotels were authorized to bill only for 
audiovisual equipment and conference room rental, detailed bills 
acquired by GAO auditors showed that about $7,000 was inappropriately 
expended for prohibited breakfasts, lunches, and snacks.

Authorized personnel may use the purchase card for purchases at or 
below the micropurchase threshold (currently $2,500, except that the 
limit is $2,000 for certain construction costs).[Footnote 13] 
Micropurchases are subject to the
requirements of FAR Subpart 8, which provides that certain products be 
acquired from designated sources, including statutorily preferred 
vendors. Micropurchases must also be made in accordance with various 
laws and regulations concerning environmentally preferable products and 
services. Cardholders may make micropurchases without soliciting 
competitive quotations from vendors if they consider the price to be 
reasonable. However, cardholders are required to distribute 
micropurchases equally among qualified suppliers to the extent 
practicable.

For purchases above the micropurchase threshold, warranted contracting 
officers may use the purchase card to place and/or pay for orders 
against already existing contracts. For these larger transactions, the 
card is frequently referred to as a "payment card" because it pays for 
acquisitions made under a legally executed contract.

Purposes for which an Organization's Appropriations May Be Used; 

Individual purchases must be for a purpose allowable under an 
organization's appropriations or other sources of funds (e.g., 
nonappropriated funds) and must not otherwise be prohibited by law. 
Organizations may use appropriated funds only for legitimate or bona 
fide needs that arise in or continue to exist in the fiscal year(s) for 
which those funds are appropriated. Agencies are restricted to 
purchasing only those items that will be used during such fiscal 
year(s) except when they qualify under certain categories, such as to 
maintain inventories of necessary items at reasonable levels. However, 
agencies generally may not purchase items in excessive amounts at the 
end of a fiscal year in order to solely avoid the expiration of funds.

The Organization's Operations and Programs; 



To appropriately plan an audit and investigation of the internal 
control over an organization's purchase card program requires a 
thorough understanding of:

the organization's mission activities and operations,

its purchase card program operations and the end-to-end flow of 
transactions through it from request to payment,

the system of internal control over the purchase card program, and

the environment in which the control activities operate.

Understanding the organization's operations and its specific purchase 
card program is critical in developing audit objectives and the scope 
and methodology for the work needed to achieve them. In addition, 
issues such as program significance, visibility, age, sensitivity, and 
the potential use of
audit results should be considered in the audit planning 
process.[Footnote 14] Gaining and documenting an understanding of the 
operations of a government purchase card program can be accomplished in 
several ways, all of which will require access to the appropriate 
personnel and relevant documents. The first step should be to establish 
contact and coordinate that effort with both the organization and the 
bank service provider.

One manner of obtaining access to operations and program personnel is 
to coordinate audit arrangements with the organization's management. 
Access to the appropriate personnel and to written policies and 
procedures is essential to understanding the organization's operations, 
the purchase card program, and internal controls. In addition, 
documentation evidencing adherence to internal control policies and 
procedures will be necessary when testing for performance of control 
activities. Further, access to program personnel will be necessary to 
clarify information received and/or to follow up on potentially 
fraudulent, improper, and abusive purchases.

Understanding the Organization's Operations; 

Understanding the organization's mission and objectives, and how those 
missions and objectives are accomplished, provides the auditor with 
critical insight used in (1) developing audit objectives, (2) 
identifying opportunities for purchase card fraud, (3) making 
preliminary assessments of the adequacy of program controls, (4) 
designing tests of internal control, and (5) identifying criteria for 
data mining. Understanding gained of the organization's operation(s) 
might include:

the nature and size of overall operations;

what the individual activities involved in the purchase card program 
do, and how they do it;

the general job descriptions, level of education, and number of 
personnel in those activities; and

the volume and appropriate type(s) of purchase activity to expect.

An understanding of the organization's operations and activities can be 
gained by interviews with operations personnel, and by reviewing 
existing documents such as program descriptions, policies and 
procedures, and operations manuals.

Understanding the Organization's Purchase Card Program; 

The initial understanding of the organizational level purchase card 
program (from request to payment), and of the internal control at work 
throughout that process, ideally would be obtained from existing 
documents such as purchase card program descriptions, policies and 
procedures, operational manuals, or instructions. Interviews with 
program personnel can supplement existing documented evidence of 
program operations and controls, or establish a starting point if such 
documentation is insufficient or nonexistent. In either circumstance, 
correctly structured interviews can be a valuable source of inquiry to 
understand and clarify (1) the extent to which control 
activities are in place and operating, (2) the environment in which 
those controls operate, (3) the overall managerial organization and 
operations of the program, and (4) the flow of purchase card 
transactions. A Practical Guide for Reviewing Government Purchase Card 
Programs - June 2002, by the President's Council on Integrity and 
Efficiency contains interview guides, which will be helpful when 
conducting interviews for this purpose. In addition, conducting 
walkthroughs of selected purchase card transactions is a key process in 
(1) gaining a thorough understanding of the program's operations from 
purchase request to payment of the bill, (2) identifying control points 
through that process, and (3) observing the operation of control 
activities and transaction flows.

GAGAS requires auditors to prepare documentation supporting significant 
judgments and conclusions. The auditor should obtain or prepare 
narratives and/or flowcharts that summarize and document their 
understanding of the organization's purchase card program and the flow 
of typical purchase card transactions. Understanding gained of how the 
purchase card program operates, the flow of transactions from request 
to payment, and the key controls over the entire end-to-end process 
form the basis for making preliminary judgments about the adequacy of 
the design of control activities and for designing tests of those 
controls. Narrative and flowchart documentation also provides effective 
communication of the processes and control points to other interested 
parties (e.g., audit staff, program management, oversight personnel). 
Appendixes III and IV of this guide provide example flowcharts of an 
organizational level structure for a federal government purchase card 
program and the end-to-end flow, and related narrative, of typical 
purchase card transactions through it.

Understanding the Bank Service Provider's Program; 

Coordinating the audit effort with the bank service provider might 
provide the opportunity to gain an understanding of (1) the operation 
of the provider's program, (2) the processes for purchase card 
authorization, issuance, and credit limits, (3) the transaction 
processing, review, authorization, and manual override (e.g., single 
transactions limits) system, (4) the merchant category code (MCC) 
blocking features and any manual override, and (5) the internal 
controls over these processes. Additionally, as shown in figure 3, the 
GSA SmartPay® master contract requires bank service providers to 
provide federal organizations with various ad hoc, standard commercial, 
and other reports specific to the purchase card program.

Figure 3: Agency/organization reports required by GSA's SmartPay® 
master contract to be provided by the bank service provider.

General reporting requirements; Ad-hoc report generation capability; 
Standard commercial reports; Additional essential reports; The Official 
Invoice; Invoice Status Report; Transaction Dispute Report; 
Pre-Suspension/Pre-Cancellation Report; Suspension/Cancellation Report; 
Renewal Report; Delinquency Report; Detailed Electronic Transaction 
File; Reporting specific to the Purchase Card Program; Account Activity 
Report; Statistical Summary Report; Summary Quarterly Purchase Report; 
Other agency reports; Account Activity Report; Master File Report; 
Statistical Summary Report; Account Change Report; Exception Report; 
Current Accounts Report; 1099 Report Information; 1057 Report; Payment 
Performance and Refund Report; Write-Off Report; Summary Quarterly 
Merchant Report; Summary Quarterly Vendor Analysis Report; Summary 
Quarterly Vendor Ranking Report.

Source: GSA's SmartPay® Master Contract, Section C.38 - Agency 
Reporting Requirements, and Section CC.12 - Agency Reporting 
Requirements For The Purchase Card Program.

[End of figure]

Conducting interviews with bank service provider personnel may provide 
the necessary understanding of the provider's purchase card operations, 
processes, and controls, as well as valuable insights and understanding 
in using the various reports being produced.

Internal Control and the Control Environment; 

Internal control is an integral component of an organization's purchase 
card program that provides reasonable assurance that the objectives of 
effective and efficient operations and compliance with applicable laws 
and regulations are being achieved. The minimum level of quality 
acceptable for internal control in a government purchase card program 
is defined by the five standards for internal control included in 
Standards for Internal Control in the Federal Government[Footnote 15]. 
Those standards, and elements of the control environment standard which 
are significant in a government purchase card program, are discussed in 
this section of the guide.

The Standards of Internal Control; 

All of the following internal control standards are applicable to 
achieving reasonable assurance that fraudulent, improper, and abusive 
purchases do not have a significant adverse effect on the effectiveness 
or efficiency of a government purchase card program.

The control environment - A positive control environment--the 
foundation for all other internal control standards--is established by 
management and employees creating and maintaining an environment 
throughout the organization that sets a positive and supportive 
attitude toward internal control and conscientious management. Specific 
key elements affecting the control environment of a purchase card 
program are discussed in more detail later in this section of the 
guide.

Management's risk assessment - Internal control should provide for an 
assessment of the risks the organization faces from both external and 
internal sources, and identify and deal with any special risks prompted 
by changes in economic, industry, regulatory, and operating conditions.

Control activities - Control activities are the policies, procedures, 
techniques, and mechanisms that enforce management's directives and 
help ensure that actions are taken to address risks. Control activities 
in a government purchase card program include a wide range of diverse 
activities such as approvals, authorizations, verifications, 
reconciliations, reviews, and the creation and maintenance of related 
records that provide evidence of execution of these activities. 
Specific transaction-level control activities significant to a purchase 
card program are discussed in more detail in the Transaction Control 
Activities section of this guide.

Information and communications - Information should be recorded and 
communicated to government purchase card program managers and others 
within the program who need it in a form and within a time frame that 
enables them to carry out their internal control and other 
responsibilities.

Monitoring - Ongoing monitoring--regular management and supervisory 
activities, comparisons, reconciliations, and other actions people take 
in performing their duties--should be performed continually and be 
ingrained in the course of normal operations of a government purchase 
card program (e.g., review and analysis of bank service provider 
reports, periodic reviews for adherence to program policies and 
procedures, review and follow-up of audit findings).

Testing Key Elements of the Control Environment; 

Recent GAO purchase card audit reports have identified the following 
six elements as significantly affecting the control environment 
surrounding a purchase card program.

Management's philosophy (tone at the top),

Span of control,

Financial exposure,

Training,

Discipline, and

Purchasing and reviewing authorities.

This guide discusses each of these elements, the relevant 
documentation, and tests which the auditor can perform. Testing of some 
of these elements of the control environment can be accomplished either 
before the preliminary assessment is completed, or later as part of 
testing the effectiveness of control activities.

Testing of these elements of the control environment is accomplished 
through analytical, sampling, and nonsampling methods as discussed in 
each element. Analytical testing is accomplished by utilizing 
electronic reports, data files, and other data obtained from the bank 
service provider and/or the organization. The discussion of some of 
these elements identifies them as lending themselves to efficient 
testing in conjunction with transaction-level control activity tests, 
discussed in the Transaction Control Activities section of this guide. 
Therefore, the data needed to conduct tests of these elements should be 
obtained for each cardholder and approving official for purchase card 
transactions selected for transaction-level control activity testing.

In a recent GAO audit, management's proactive attitude in implementing 
change was credited for establishing a positive control environment at 
one unit, in contrast to another unit where management supported the 
status quo of weak control, effectively diminishing the likelihood of 
substantive change.

Management's philosophy and operating style, sometimes referred to as 
tone at the top, determines the degree of risk the organization is 
willing to take in operations and programs. The
attitude and philosophy of management toward information systems, 
accounting, personnel functions, monitoring, and audits and evaluations 
can have a profound effect on internal control.

Insights gained by the auditor through interviews conducted with 
program personnel, and review of prior audit findings and management's 
responses, will assist in assessing this element of internal control. 
Professional judgment is necessary when attempting to assess the effect 
of tone at the top, positive or negative, on internal control and on 
the design of control activities. Tests of transaction-level control 
activities and follow-up of potentially fraudulent, improper, and 
abusive purchases may provide the auditor with additional insight into 
the tone at the top.

In response to a GAO report criticizing an unreasonable 1,153:1 ratio 
of cardholders to approving official, the department issued guidance 
limiting this span of control ratio to 7:1 for all its agencies.

Span of control, in a government purchase card program, refers to the 
extent of review responsibilities placed on a single approving official 
for the purchase card transactions of one or more cardholders.

In establishing the reasonableness of this responsibility, the auditor 
should consider (1) the number of cardholders assigned, (2) the number 
and complexity of purchase card transactions being reviewed each 
billing period, and (3) perhaps most potentially detrimental, the 
demands of other responsibilities assigned to the approving official. 
Additional insight into the reasonableness of these relationships can 
be obtained during interviews with cardholders and approving officials 
and during control tests of selected transactions.

The auditor should consider independently evaluating the reasonableness 
of existing span of control relationships by obtaining bank service 
provider reports containing the information necessary to determine the 
number of cardholders assigned to individual approving officials.

Two related organizations provided purchase cards with credit limits of 
$20,000 or more to over 1,700 employees, resulting in an excessive 
monthly financial exposure of over $34 million, while actual monthly 
purchases amounted to only about $6 million.

The total number of authorized cardholders in the organization, their 
single transaction and monthly credit limits, and the approving 
official credit limits directly affect the financial responsibility of 
the individuals involved and the extent of potential loss to the 
organization from fraudulent, improper, and abusive purchases. 
Financial exposure in a government purchase card program can become 
excessive when management does not exercise judgment and restraint in 
issuing purchase cards and in determining single purchase and monthly 
credit limits. We have found that by limiting the number of purchase 
cards and related credit limits to the levels necessary to meet 
operational requirements, an agency can better manage and control its 
purchase card program.

Purchase cards should be issued in controlled limited quantities (e.g., 
special justification and authorization for more than one card per 
cardholder), and only to government employees with a legitimate need to 
have the card. Single purchase and monthly credit limits should be 
established based on the expected monthly purchases of the cardholder. 
Both of these determinations require an objective effort by operational 
supervisors and management, with assistance from purchase card program 
management, to evaluate the existing and continuing needs of operations 
and cardholders.

The auditor should evaluate management's process for establishing the 
number of cardholders and their credit limits reasonably necessary to 
operational requirements. Documentation of management's decision-
making process should be obtained and reviewed for propriety. Examples 
of management's consideration of objective, analytical data include the 
following.

Supervisory review of cardholder purchase history, both number of 
transactions and dollars purchased (very few purchase transactions in 
the previous year might indicate the lack of a need for the card, while 
lower than expected dollar volume of purchases might indicate a lower 
reasonable cardholder credit limit).

Annual positive assertions by supervisors and/or managers of continuing 
cardholder needs, both for the card and for the related credit limits.

The auditor should consider independently evaluating the reasonableness 
of the organization's existing financial exposure by obtaining bank 
service provider reports--which provide information necessary to 
determine the total cardholder monthly credit limits--and comparing 
that total to the organization's average monthly and highest monthly 
purchase card expenditures.
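The independent span of control and financial exposure evaluations described above, together with the supervisory review of purchase history, can be run from account and transaction data. The following Python sketch is an added example, not part of the GAO guide: the column names, sample data, and the threshold parameters (`max_ratio`, `min_txns`, `limit_factor`) are assumptions to be set by the auditor's judgment, not values or report layouts taken from any bank service provider.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; column names are assumptions for this example.
ACCOUNTS = """cardholder,approving_official,monthly_limit
CH01,AO1,20000
CH02,AO1,20000
CH03,AO1,25000
CH04,AO2,5000
CH05,AO2,10000
"""
TRANSACTIONS = """cardholder,month,amount
CH01,2002-01,1200.00
CH01,2002-02,2400.00
CH02,2002-01,300.00
CH03,2002-02,2500.00
CH03,2002-02,1900.00
CH04,2002-01,800.00
CH04,2002-02,1500.00
CH04,2002-03,2100.00
"""


def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def span_of_control(accounts, max_ratio):
    """Count distinct cardholders per approving official and list the
    officials whose count exceeds max_ratio."""
    assigned = defaultdict(set)
    for row in accounts:
        assigned[row["approving_official"]].add(row["cardholder"])
    counts = {ao: len(holders) for ao, holders in assigned.items()}
    over = sorted(ao for ao, n in counts.items() if n > max_ratio)
    return counts, over


def financial_exposure(accounts, transactions):
    """Compare total cardholder monthly credit limits with the average and
    highest monthly purchase card expenditures."""
    months = defaultdict(Decimal)
    for row in transactions:
        months[row["month"]] += Decimal(row["amount"])
    if not months:
        raise ValueError("no transactions to compare against")
    total_limit = sum(Decimal(r["monthly_limit"]) for r in accounts)
    highest = max(months.values())
    return {
        "total_monthly_limits": total_limit,
        "average_monthly_spend": sum(months.values()) / len(months),
        "highest_monthly_spend": highest,
        "limits_to_highest_ratio": total_limit / highest,
    }


def cardholder_review(accounts, transactions, min_txns, limit_factor):
    """Per cardholder: note little or no card use, and a monthly limit that
    is more than limit_factor times the cardholder's busiest month."""
    count = defaultdict(int)
    by_month = defaultdict(Decimal)
    for row in transactions:
        count[row["cardholder"]] += 1
        by_month[(row["cardholder"], row["month"])] += Decimal(row["amount"])
    findings = {}
    for row in accounts:
        holder = row["cardholder"]
        limit = Decimal(row["monthly_limit"])
        peak = max((v for (c, _), v in by_month.items() if c == holder),
                   default=Decimal(0))
        notes = []
        if count[holder] == 0:
            notes.append("no transactions in period")
        else:
            if count[holder] < min_txns:
                notes.append("few transactions")
            if limit > limit_factor * peak:
                notes.append("limit high relative to peak month")
        findings[holder] = notes
    return findings


if __name__ == "__main__":
    accounts, txns = read_rows(ACCOUNTS), read_rows(TRANSACTIONS)
    print(span_of_control(accounts, max_ratio=2))
    print(financial_exposure(accounts, txns))
    print(cardholder_review(accounts, txns, min_txns=2, limit_factor=4))
```
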

Management should identify the appropriate knowledge and skills needed 
in the purchase card program, require the needed training, and maintain 
documentation evidencing that required training is current for all 
program personnel. The extent and type of training provided should vary 
in relation to authority and responsibility in the program, and to the 
amount of transaction authorization given to the cardholder. At a 
minimum, a cardholder should receive the standard purchase cardholder 
training provided by the organization and/or by GSA, before receiving a 
purchase card, and periodic (biannual) refresher training 
thereafter.[Footnote 16]

Of approximately $68 million in fiscal year 2000 purchase card 
transactions at two related organizations, approximately $17.7 million 
(26 percent) were made by cardholders for whom there was no documented 
evidence of required initial or refresher purchase card training.

The auditor should obtain and evaluate documentation evidencing 
adherence with this element of the control environment for the 
cardholders and approving officials related to and in conjunction with 
transactions selected for tests of transaction-level control 
activities. Both the appropriateness of training received and the 
attributes discussed below can be reviewed when evaluating this 
element of the control environment. Training documentation and relevant 
attributes to consider include the following.

Certificates/record of training, for both initial and refresher 
courses, should clearly show: (1) the type of training received (e.g., 
instructor led, computer based, internet based), (2) that the training 
was relevant to the purchase card program, (3) that the training was 
appropriate to the level of authorized spending and program authority 
of the individual, (4) the signature of the cardholder and the 
instructor (if applicable), (5) that the date of initial training is 
prior to purchase card account activation, and/or (6) that the date of 
refresher training is within the required period.

Centralized training records, or a database of cardholder, approving 
official, and APC training should: (1) provide detailed information 
similar to that contemplated above for certificates of training, and 
(2) be available to the appropriate levels of program management to 
facilitate monitoring of adherence to program training requirements. 
The auditor should consider assessing the adequacy of centralized 
training records by tracing cardholders and approving officials 
associated with the purchase card transactions selected for control 
tests to such records. Testing in association with transaction control 
tests is desirable because selecting and testing a representative 
sample from the centralized records would not identify cardholders and 
others who have not received training and are therefore not in the 
centralized records. Inquiries and other corroborating evidence could 
provide confirmation that centralized training records or databases are 
maintained current, and are being used to monitor adherence with 
training requirements.

Candid and constructive counseling, performance appraisals, and 
discipline can provide reinforcement of the system of internal control. 
Internal control policies and procedures should identify the specific 
actions or lack of adherence to internal control within the purchase 
card program that warrant counseling and/or discipline.

The auditor should obtain and evaluate documentation evidencing this 
element of the control environment for the cardholders and approving 
officials related to and in conjunction with transactions selected for 
tests of transaction-level control activities. The documentation and 
relevant attributes of discipline to consider evaluating fall into two 
general categories:

Constructive counseling might be provided to cardholders and approving 
officials in response to isolated instances of lack of adherence to 
internal control policies, procedures, and activities. The auditor 
should obtain and review for propriety documentation of counseling 
provided for isolated instances of lack of adherence to controls 
detected in the transactions selected for control testing.

Disciplinary actions to be taken in response to recurring and/or 
persistent lack of adherence to internal controls, and specific 
consequences for improper and abusive purchases should be adopted by 
the organization as part of the system of internal control. Such 
consequences can vary with the severity and persistence of the policy 
violation, and might include formal and informal reprimands, suspension 
or cancellation of the purchase card account, termination of 
employment, and referral to investigative authorities in cases of 
suspected fraud. Instances warranting discipline should be documented 
and included in personnel files and, if applicable, performance 
appraisals. The auditor should obtain and review documentation of 
disciplinary actions taken for the instances of significant lack of 
adherence to controls, and for improper and abusive purchases detected 
during the control activities testing. Documentation should also be 
obtained of all cases of detected potential fraud occurring during the 
period under audit and included in considerations for follow-up, as 
discussed in the Follow-up and Investigation section of this guide. 
Disciplinary actions alone may be an insufficient response to detected 
fraud. For that reason, instances of fraud that are declined for 
prosecution and referred to management for disciplinary action should 
be followed up to ensure that, in the professional judgment of the 
auditor, appropriate actions were taken by organization management.

Despite operating instructions providing for restitution and revocation 
of card privileges, repeat violators of regulations and internal 
controls did not lose their purchase cards and did not repay the 
government for unauthorized purchases.

In a government purchase card program, purchasing authority establishes 
a cardholder's authority to possess and use a government purchase card. 
It also establishes the cardholder's single-transaction and credit 
limits. Some organizations will assign different spending limit 
authorities to the same cardholder, which apply to different uses of 
the card. For example, a cardholder who is a warranted contracting 
officer is assigned two purchasing authorities: (1) a $2,500 single-
transaction limit with a $40,000 monthly purchase limit for purchases 
of goods or services, and (2) a $100,000 single-transaction limit with 
a $500,000 credit limit for use of the purchase card as a method of 
payment on a preexisting contract. Authority is also established for 
approving officials to review and authorize payment of cardholder 
accounts. Approving official authority should also identify the 
specific cardholder(s) for which review and certification 
responsibilities have been assigned, and the approving official's 
credit limits should relate to the total cumulative monthly purchasing 
limits of the cardholders assigned to them.

The auditor should obtain and evaluate documentation evidencing this 
element of the control environment for the cardholders and approving 
officials related to and in conjunction with transactions selected for 
tests of transaction-level control activities. For evaluation and 
testing purposes, each level of purchasing authority given to a 
cardholder (e.g., $2,500 single-transaction limit for local vendor 
purchases, $100,000 limit for purchases on an existing contract) should 
be deemed a separate cardholder. Documentation evidencing purchasing 
authority for cardholders, and review and certification authority for 
approving officials, should be obtained and evaluated for instances of 
significant lack of adherence to controls including: (1) documentation 
of the cardholder's purchasing authorization (e.g., organizational 
standard form) dated prior to the transaction date and (2) 
documentation of the approving official's authorization (e.g., 
organizational standard form) dated prior to the transaction date. 
Attributes which the auditor should consider reviewing when evaluating 
the effectiveness of this control include the following: (1) the date 
of the purchase transaction, compared to the date of the cardholder's 
purchasing authority, compared to the date of the approving official's 
authorization, (2) the amount of the transaction, compared to the 
amount of the cardholder's single transaction authority, (3) the total 
amount of the cardholder's billing statement, compared to the 
cardholder's and approving official's authorized credit limits, (4) the 
cardholder account single-transaction and credit limit carried in the 
bank's system, compared to that authorized in the cardholder's 
purchasing authority, and (5) that the approving official's assignment 
of responsibility includes the specific cardholder account.

Section 3: Making, Documenting, and Using the Preliminary Assessment.


The preliminary assessment is a critical analysis of whether, in the 
professional judgment of the auditor, the existing internal control 
policies, procedures, and activities as designed, if in place and 
operating, will provide management with reasonable assurance that 
significant fraudulent, improper, and abusive purchases will be 
prevented or promptly detected. A preliminary assessment of the 
organization's plan of internal control will assist the auditor in (1) 
identifying significant weaknesses in designed control activities, (2) 
planning and designing control tests, and (3) identifying data-mining 
criteria.

The auditor, considering the overall control environment, should make a 
critical comparison of the risk/opportunities for fraudulent, improper, 
and abusive purchases and the internal control policies, procedures, 
and activities designed to guard against them. The knowledge gained in 
the Understanding Operations and Programs section of this guide will 
provide information useful to the preliminary assessment of internal 
control. In some circumstances, this information may need to be 
supplemented with additional inquiries, observations, and/or 
nonsampling tests of controls. When reaching conclusions in the 
preliminary assessment, the auditor should also consider the bank 
service provider's systems and controls, the audit objectives, prior 
audit findings and recommendations, and management's responses and 
corrective actions taken.

Assessing the Adequacy of the Design of Control Activities; 

Our audits of purchase card programs have identified (1) the 
determination of a legitimate government need, (2) screening for 
required sources of supply, (3) independent receipt and acceptance, (4) 
establishing accountability over certain property, (5) cardholder 
reconciliation, and (6) approving official review as key transaction-
level control activities in mitigating the risk of fraudulent, 
improper, and abusive purchases. These key control activities should be 
included in the auditor's preliminary assessment of the adequacy of the 
design of control activities. It will also be helpful to the auditor's 
critical comparison process to prepare a list of the identified risk/
opportunities for potentially fraudulent, improper, and abusive 
purchases to occur, and a list of the existing relevant control 
activities. An individual control activity will probably address 
multiple risks of potentially fraudulent, improper, and abusive 
purchases, and an individual risk may be addressed by more than one 
control activity. Therefore, a simple one-to-one comparison will 
probably not be effective. For example, the control activity of 
independent receipt and acceptance can be instrumental in mitigating 
the risk of paying for services not performed, as well as mitigating 
the risk of purchased accountable property not being recorded in the 
organization's property record system. One way to proceed is to prepare 
a simple schedule, as illustrated in figure 3, which lists the 
identified risk/opportunities for potentially fraudulent, improper, 
and abusive purchases down the left-hand side, and provides space for 
identifying (1) the related control activities, (2) the auditor's 
preliminary assessment conclusions, (3) the effects on the design of 
audit control tests, and (4) potential criteria for audit data mining.

Figure 4: Illustration of the process of assessing and concluding on 
the adequacy of designed control activities.

[See PDF for image]

[End of figure]


The above (figure 4) is provided as an illustration only of the process 
of making, documenting, and using the preliminary assessment of the 
design of internal control activities. The illustrated risks, controls, 
conclusions, effects, and identifications are highly dependent upon the 
facts and circumstances of specific organization operations and 
purchase card programs. Auditors will need to exercise professional 
judgment when making these determinations.

Using the Preliminary Assessment; 



Auditors should find the observations and conclusions made in the 
preliminary assessment useful in determining the nature and extent of 
further audit work on an organization's purchase card program. These 
observations and conclusions can be useful in determining a strategy 
for internal control testing, including designing sample selections. 
For example, a preliminary assessment conclusion might be that the 
design of an internal control policy and one or more related control 
activities is strong and can provide management with reasonable 
assurance of preventing or promptly detecting fraudulent, improper, and 
abusive purchases. If the policy and control activities are considered 
to be strong, tests designed to determine the extent to which the 
control activities are being performed would likely be an efficient and 
cost-effective audit procedure. However, if the auditor considers the 
policy and/or the control activity to be ineffective or nonexistent, 
tests for performance of control activities would generally not be 
appropriate or cost effective. Whether to design and conduct tests of 
performance for controls considered to be weak will require 
professional judgment and consideration of the facts and circumstances 
of individual cases.

The results of the preliminary assessment can also be useful to the 
auditor's consideration of other procedures (such as data mining 
discussed in a later section of this report) designed to detect 
fraudulent, improper, and abusive transactions resulting from 
identified weaknesses in the design of controls. For example, if the 
preliminary assessment is that the design of internal control does not 
provide reasonable assurance of compliance with requirements to 
purchase from statutory sources of supply, then purchase card 
transactions with other vendors who sell similar goods and services may 
provide examples of the result of that control weakness.

Section 4: Testing the Effectiveness of Key Control Activities.



A well-designed system of internal control for a purchase card program 
is needed to provide reasonable assurance that the program is operating 
as intended and is not vulnerable to significant fraudulent, improper, 
and abusive purchases. However, a system of internal control, no matter 
how well designed, cannot be relied on if control activities are not in 
place and operating effectively on an ongoing basis. Control activities 
identified during the preliminary assessment process as likely to be 
effective at preventing or detecting fraudulent, improper, and abusive 
purchases should be tested to determine if they are being adequately 
adhered to. This section discusses (1) obtaining and verifying the 
completeness of the purchase card transactions database, (2) designing 
a statistical sample of purchase card transactions, (3) obtaining the 
documentary evidence of performance of control activities, and (4) the 
design and conduct of tests to determine if key control activities are 
in place and operating as intended.

In our audits of purchase card programs, we used two basic types of 
control testing--statistical sampling[Footnote 17] (selections 
representative of and projectable, with quantifiable accuracy, to a 
population) and nonrepresentative selections (selections not 
representative of or projectable to a population)--to evaluate the 
effectiveness of internal control activities.

This guide considers controls designed to prevent or detect fraudulent, 
improper, and abusive transactions in a purchase card program to 
operate at two basic levels: (1) control activities that operate at the 
transaction level (e.g., independent receipt and acceptance, cardholder 
reconciliation), and (2) controls that operate at some other level 
(e.g., training, span of control). Elements of the control environment 
discussed in the Internal Control and the Control Environment section 
of this guide are not considered transaction-level control activities. 
However, testing and evaluating certain of these elements (i.e., 
training, discipline, and purchasing and reviewing authority) can be 
efficiently accomplished in conjunction with the testing of 
transaction-level control activities.

Obtaining Transaction Data; 

Tests of control activities which operate at the transaction level are 
applied to selected purchase card transactions, generally contained in 
an electronic file database. The auditor will need to identify and 
obtain the appropriate database of purchase card transactions, select 
the transactions to test, and extract the appropriate transaction 
information from the database. In order to obtain the appropriate 
population of purchase card transactions, the auditor will need to 
establish and define the scope of the audit. The scope of the audit can 
be defined in terms of control activities in place and operating for a 
time period, a unit, or an activity, or a combination of those terms 
(e.g., all purchase card transactions executed by the organization 
during the fiscal year ended September 30, 2003). Also, if the data are 
stored in an electronic database(s), the auditor will need to determine 
that the transaction data elements necessary to achieve the audit 
objectives are included in the database obtained.

The purchase card transactions selected for testing should be selected 
from a population which includes all relevant transactions in the scope 
of the audit. In order to assure the relevance and completeness of the 
population transaction database, the auditor should obtain value and 
quantity control totals from a source independent of the database 
provider, and agree them to the data obtained. For example, a 
transaction database supplied by the bank service provider could be 
agreed or reconciled to the organization's records of purchase card 
activities, or the bank service provider may supply control totals to 
verify a transaction database provided directly by the organization.
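
The following Python sketch illustrates the agreement of control totals described above. It is an added example, not part of the GAO guide: the extract rows, the organization's monthly control totals, and the function name `reconcile` are all constructed for illustration, and the scope dates follow the guide's example of the fiscal year ended September 30, 2003.

```python
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Audit scope from the guide's example: fiscal year ended September 30, 2003.
SCOPE_START, SCOPE_END = date(2002, 10, 1), date(2003, 9, 30)

# Constructed sample extract, as if supplied by the bank service provider:
# (transaction id, post date, amount as a decimal string).
BANK_EXTRACT = [
    ("T001", date(2002, 10, 15), "125.40"),
    ("T002", date(2002, 10, 28), "2499.99"),
    ("T003", date(2002, 11, 3), "48.10"),
    ("T003", date(2002, 11, 3), "48.10"),   # same row supplied twice
    ("T004", date(2002, 11, 19), "310.00"),
    ("T005", date(2003, 9, 30), "75.25"),
    ("T006", date(2003, 10, 2), "19.99"),   # posted after the audit period
]

# Constructed control totals from the independent source (here, the
# organization's own records), by posting month: (count, dollar value).
ORG_CONTROL_TOTALS = {
    "2002-10": (2, Decimal("2625.39")),
    "2002-11": (2, Decimal("358.10")),
    "2003-09": (2, Decimal("975.25")),
}


def reconcile(extract, control_totals, start, end):
    """Agree quantity and value totals of an extract to independent totals.

    Totals are computed on the extract exactly as supplied, so a duplicated
    or missing row shows up as a difference instead of being silently fixed.
    """
    in_scope = [row for row in extract if start <= row[1] <= end]
    out_of_scope = [row[0] for row in extract if not start <= row[1] <= end]

    # Repeated transaction ids usually explain a positive count difference.
    id_counts = Counter(row[0] for row in in_scope)
    duplicate_ids = sorted(i for i, n in id_counts.items() if n > 1)

    # Decimal avoids the rounding drift that float sums of dollars produce.
    totals = defaultdict(lambda: [0, Decimal("0")])
    for _txn_id, post_date, amount in in_scope:
        period = post_date.strftime("%Y-%m")
        totals[period][0] += 1
        totals[period][1] += Decimal(amount)

    # Compare every period present on either side; report extract minus control.
    differences = {}
    for period in sorted(set(totals) | set(control_totals)):
        got_count, got_value = totals.get(period, (0, Decimal("0")))
        want_count, want_value = control_totals.get(period, (0, Decimal("0")))
        if (got_count, got_value) != (want_count, want_value):
            differences[period] = (got_count - want_count, got_value - want_value)

    return {
        "out_of_scope": out_of_scope,
        "duplicate_ids": duplicate_ids,
        "differences": differences,
        "agrees": not differences and not duplicate_ids,
    }


if __name__ == "__main__":
    result = reconcile(BANK_EXTRACT, ORG_CONTROL_TOTALS, SCOPE_START, SCOPE_END)
    for key, value in result.items():
        print(key, value)
```

Breaking the totals out by period localizes a disagreement to a month that can then be traced row by row, which a single grand total would not allow.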

Coordinating with the Bank Service Provider; 

Establishing a contact and coordinating the audit effort with the bank 
service provider presents the auditor with an opportunity to gain a 
current understanding of the bank's program operations, processes, and 
controls, as more fully discussed in the Understanding the Bank Service 
Provider's Program section of this guide. Coordination with the bank 
can also provide the needed transaction databases and/or the ability to 
verify organization transaction databases by comparison to independent 
control totals. Fraud investigators involved in the purchase card audit 
may also be afforded an opportunity to evaluate the bank's fraud 
investigation and detection methodologies, and benefit from other 
information provided by the bank's credit card fraud investigators.

Selecting Purchase Card Transactions; 

One of the first decisions the auditor will need to make is whether to 
use statistical sampling to select transactions for testing. In most 
audit circumstances, statistical sampling is the recommended approach 
for making estimates about and drawing conclusions from a population of 
transactions, and for estimating the percentage of transactions in the 
population for which control activities were or were not in place and 
operating as intended. Statistical sampling is appropriate:

if there is a desire to estimate whether control activities for a 
population of transactions are in place and operating as intended, and 
to quantify the accuracy of this assessment based on statistical 
theory;

if there is a desire to estimate whether some control activities for a 
population of transactions are operating as intended to a greater or 
lesser degree than other activities, and to quantify the accuracy of 
this assessment based on statistical theory; and

if it is desirable to estimate, and to quantify the accuracy of the 
assessment based on statistical theory, the dollar value for a 
population of purchase card transactions subject to detected control 
weaknesses and/or failures.

In these cases, a statistical sample should be designed so that 
statistical theory can be used to estimate failure rates and/or the 
dollar value of transactions subject to ineffective controls in the 
population and to quantify the accuracy of those estimates.

In other audits of purchase card programs, making statistical estimates 
of the failure rate in the population of transactions may not be 
important. For example, if there are no control activities, or if the 
design of controls is clearly inadequate, there would be little point 
in testing control activities and estimating the associated failure 
rates. As another example, certain control activities may only apply to 
a very small portion of transactions. In these cases, an assessment 
might be made of the effectiveness of control activities through means 
such as observation, inquiry, and/or inspection of a nonrepresentative 
selection of transactions. However, it should be understood at the 
outset, that when experience and understanding of the subject matter 
are used to assess the effectiveness of control activities based solely 
on observation, inquiry, and/or inspection of a nonrepresentative 
selection of transactions, the results cannot be reliably or 
statistically projected to all transactions of that type.

Considerations in Designing a Statistical Sample; 

The auditor, in conjunction with a statistician, will need to consider 
a number of issues in order to design statistical samples for 
government purchase card programs. These issues include, but are not 
limited to, the following.

The organization of the population of purchase card transactions - 
Typically, these records are organized in one or more electronic files. 
In this case, various sampling options are available. Two of these 
options are (1) simple random sampling of transactions, and (2) 
partitioning transactions into non-overlapping groups (strata), 
followed by selecting simple random samples of transactions in each 
stratum.

The organization of the documentation evidencing performance of control 
activities - These documents may be stored in one or more geographic 
locations, which may or may not limit or impair accessibility by the 
auditor. In either case, a sample design should account for the 
geographic dispersion. The following are examples of available options.

Geographic strata - If personnel are available to collect data from 
each location, then a sample design might have locations as strata, 
with appropriate sampling methods within each stratum. A stratified 
design would protect against the possibility of an "unlucky" sample, 
i.e., having no or few transactions from one or more locations in a 
random sample selected from the population of all transactions. It may 
also provide more precise estimates than a random sample of the same 
size selected from the population of all transactions.

Geographic location sample - If it is not possible to collect data from 
each geographic location, then a two stage statistical sample can be 
made of (stage one) geographic locations, with appropriate sampling 
methods used (stage two) within each selected location. If the 
geographic locations are chosen using statistical sampling, the auditor 
will be able to make estimates about all purchase card transactions in 
the population.

Case study approach - The auditor may find, however, that the documents 
that will be examined to determine whether control activities are being 
performed are so geographically dispersed that it is not cost effective 
to collect data from statistically sampled locations. In this case, the 
auditor may wish to consider a case study approach. In a case study 
approach, locations are selected for specific reasons instead of being 
chosen using statistical sampling. Statistical samples of transactions 
are then selected for each of the selected locations. The auditor 
should note, however, that data collected from a case study approach 
can only be used to assess adherence to controls at the specified 
locations. Sample data from a case study approach cannot be used to 
make assessments about adherence to controls for the entire population 
of purchase card transactions.

Information about the approximate level of nonadherence to controls - 
Such information may be obtainable from (1) similar studies performed 
in the recent past, (2) estimates by subject matter experts, or (3) 
information obtained by the auditor during the preliminary assessment 
relating to nonadherence rates. These "guesstimates" are very useful to 
the statistician in estimating what sample size might be needed to 
achieve specified precision levels on estimated nonadherence rates.

The relationship between the approximate nonadherence rate, and the 
acceptable nonadherence/adherence rates - At what rate of failure 
would the auditor consider a control to be ineffective? Effective? If 
the expected level of nonadherence (or adherence) is close to the 
minimum rate that is considered unacceptable (or acceptable), a larger 
sample may be required to assert nonadherence (or adherence) to 
controls.

Inherent strengths/weaknesses - Certain types of transactions may be 
expected to have different rates of nonadherence to controls than other 
types (e.g., transactions for large dollar amounts processed at a 
higher level by personnel who likely have taken contracting officer 
training). If so, the population of transactions can be 
partitioned into strata so the expected rate of nonadherence differs 
from one stratum to the next. Separate samples of transactions can then 
be taken in each stratum. A stratified design that takes advantage of 
expected differences in nonadherence rates across strata can provide 
more precise estimates than a random sample of the same size selected 
from the population of all transactions.

Time and resources - The total amount of time available, the time it 
will take to evaluate the effectiveness of controls for each purchase 
card transaction, and the number of audit staff available are practical 
considerations that will have a direct influence on the design and size 
of a sample.

The Sampling Plan; 

The auditor and the statistician should develop a written sampling plan 
for inclusion in the audit work papers. The sampling plan should 
include, but is not limited to:

the reasons that a sample was developed,

the type of sample (e.g., statistical or nonstatistical) and sampling 
method (e.g., random) being used,

a description of the population (e.g., nature, data elements, source, 
control totals),

the sample design (e.g., confidence level, strata criteria, number of 
items and/or dollars in population and strata, sample size by strata 
and population) selected along with a discussion of the factors 
considered and conclusion reached,

guidelines about the types of evidence and attributes the auditor(s) 
will accept as clear evidence of performance of control activities,

information about the anticipated precision of the sample estimates,

a definition of what nonadherence to controls means,

expectations (if any) about the rate of nonadherence to controls, and

examples of the types of conclusions the auditor expects to be able to 
make after the sample data are analyzed (and projected to the 
population).

Extracting Selected Transaction Data Elements; 



Data elements of transactions selected for control activity testing (as 
well as those identified by data mining) will need to be extracted--
identified, selected, copied, and accumulated in a separate electronic 
file for further auditor analysis--from the population transactions 
database. At a minimum, those data elements should include the 
identification and other data elements necessary to facilitate control 
activity testing. The following are examples of data elements which 
might be included in such extracts.

[See PDF for image]

[End of figure]


The auditor should prepare a workpaper/file detailing the pass/fail 
results of tests of control activities (e.g., the number and dollar 
value of transactions failing a control activity) performed on each 
sample item, in accordance with the sample design (e.g., sampled 
strata). These results can then be provided to the statistician, who 
should project the sample results to the population, and provide the 
auditor with a report recapping the population, the sampling plan used, 
the control tests performed by the auditor, the statistical estimates 
(e.g., attribute failure rates, dollar values), and the associated 
confidence intervals. The auditor should then prepare a summary memo 
that incorporates the sample test results and the statistician's 
report and recaps the rules used to assess the effectiveness of 
controls and the audit conclusions drawn from the projected sample 
results.

Analysis of Results from Statistical Samples; 

The primary questions that can be answered from analyzing the results of 
a statistical sample of attribute tests for control activity 
performance are:

What is the estimated failure rate and the accuracy of that estimate?

Does the failure rate of performance of the control activity result in 
assessing the control as effective, ineffective, or partially 
effective?

To answer the first question, the failure rate from the statistical 
sample should be estimated taking the design of the sample into 
account. Since the statistical sample is only one of a large number of 
samples that could be drawn, a two-sided interval should be generated 
that will contain the actual (unknown) population failure rate for a 
specified percent of samples that could be drawn. This interval is 
called a "confidence interval," and the specified percent is called the 
"confidence level".[Footnote 18]


To answer the second question, the statistical sample results should be 
compared to a pre-set standard (e.g., control activities with adherence 
failure rates greater than 10 percent will be considered ineffective) 
and/or professional judgment.

For each audit of a government purchase card program, the auditor 
should choose the failure rates that classify (or make the professional 
judgments that conclude) that the performance of control activities is 
effective, ineffective, or partially effective. Partially effective 
controls are those for which the evidence does not support a conclusion 
that the control is either effective or ineffective.
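
The two questions above can be worked through in a short Python sketch, added here as an illustration and not taken from the GAO guide. The strata, counts, and function names are constructed; the interval uses a normal approximation with a finite population correction, and the three-way rule (the whole interval above or below the guide's example 10 percent standard, otherwise partially effective) is an assumption, since the audit's statistician and the auditor's pre-set standard determine the actual method.

```python
from math import sqrt
from statistics import NormalDist

# Constructed sample results for one control activity, stratified by dollar
# amount: stratum -> (population size N, sample size n, failures in sample).
SAMPLE_RESULTS = {
    "under_2500": (9000, 100, 8),
    "2500_and_over": (1000, 50, 20),
}


def stratified_failure_rate(strata, confidence=0.95):
    """Estimate the population failure rate from a stratified random sample.

    Returns (estimate, lower bound, upper bound). Each stratum's sample rate
    is weighted by its share of the population, so a heavily sampled small
    stratum does not dominate the estimate.
    """
    total = sum(pop for pop, _, _ in strata.values())
    rate = 0.0
    variance = 0.0
    for name, (pop, n, failures) in strata.items():
        if not 2 <= n <= pop or not 0 <= failures <= n:
            raise ValueError(f"inconsistent counts in stratum {name!r}")
        weight = pop / total          # stratum share of the population
        p = failures / n              # sample failure rate in the stratum
        fpc = 1 - n / pop             # finite population correction
        rate += weight * p
        variance += weight ** 2 * fpc * p * (1 - p) / (n - 1)

    # Two-sided normal-approximation interval. It is weak when a stratum has
    # very few failures (or very few passes); an exact method fits better there.
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    margin = z * sqrt(variance)
    return rate, max(0.0, rate - margin), min(1.0, rate + margin)


def assess_control(low, high, threshold=0.10):
    """Compare the confidence interval to a pre-set failure-rate standard.

    Assumed rule: the control is ineffective only if the whole interval is
    above the standard, effective only if the whole interval is at or below
    it, and partially effective when the evidence supports neither.
    """
    if low > threshold:
        return "ineffective"
    if high <= threshold:
        return "effective"
    return "partially effective"


if __name__ == "__main__":
    estimate, low, high = stratified_failure_rate(SAMPLE_RESULTS)
    print(f"estimated failure rate {estimate:.1%} "
          f"(95% confidence interval {low:.1%} to {high:.1%})")
    print("assessment:", assess_control(low, high))
```

With the constructed counts, the point estimate is above 10 percent but the interval straddles it, so the sample does not support either conclusion on its own.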

Obtaining Documentation Evidencing Performance of Control Activities; 

Documentation provides the auditor an opportunity to inspect evidence 
of ongoing adherence to internal control policies and performance of 
control activities. The data evidencing performance of transaction-
related control activities will most likely, but not necessarily, 
reside within the organization. Examples of documentation that might 
evidence performance of specific control activities are included in the 
Testing Control Activities section of this guide. The lack of such 
documentation, although a strong indicator of a lack of adherence and 
performance, does not necessarily preclude adherence or performance. 
However, any lack of adequate documentation should initially be 
considered a failure of the relevant control activity test. Missing 
documentation should elevate the level of the auditor's professional 
skepticism when conducting any additional audit procedures considered 
appropriate (e.g., additional inquiry, consideration of other 
supporting documentation, direct interviews with cardholders and/or 
approving officials). Transactions and cardholders with significant or 
persistent lack of documentation should be considered for follow-up in 
accordance with the Follow-up and Investigation section of this guide.

Original documents should be reviewed whenever possible. The extent 
that copies of original documents are retained for audit work papers 
will depend on the circumstances and professional judgment. However, 
the work papers should include copies of documents supporting findings 
of a significant lack of adherence to policies, performance of control 
activities, and any potentially fraudulent, improper, and abusive 
purchases. As discussed later in the Follow-up and Investigation 
section of this guide, copies of documents will also be necessary to 
the follow-up process.

Obtaining Documentation from the Organization; 

The auditor will need to provide the organization sufficient 
information to identify the specific transactions selected for testing 
(e.g., cardholder name and number, transaction sale or post date, and 
amount). In planning, the auditor should allow sufficient time for 
this step since documentation may be in geographically diverse 
locations and the organization may need to send out requests for the 
needed information. The auditor should consider the knowledge gained 
about the control environment and other factors, and exercise 
professional judgment when making decisions about (1) supplying 
selected transaction information to the organization, (2) when and how 
to receive documentation, and (3) the amount of time to allow the 
organization to produce documentation. The auditor and the organization 
should agree, and/or the auditor should communicate the rules of the 
engagement, in advance, establishing time limits for providing 
requested documentation, after which audit conclusions will be based on 
the documentation provided.

Evidence of Performance; 

The auditor should design tests that clearly and specifically identify 
acceptable attributes that evidence actual performance of control 
activities. Guidelines should be developed about what constitutes 
"clear evidence of performance" before testing begins. Such evidence 
may include appropriate sequencing of dates, cardholder and/or 
approving official tick marks or other indications on individual 
transactions, corroborating representations of performance by 
management personnel, and so forth. Developing these guidelines in 
advance and including them in the sampling plan will enhance the 
ability of audit staff to make consistent assessments across sampled 
transactions. If there will be a cadre of audit staff assessing whether 
there is clear evidence of performance, they should be trained before 
data collection begins to enhance their collective ability to make 
consistent assessments. Also, appropriate supervisory review and 
validation of the assessments made by the audit staff will be needed. 
An independent supervisory assessment of selected sample items is one 
way to accomplish that review.

Testing Control Activities; 



Tests for performance of control activities should be performed 
utilizing the data gathered. For purposes of this guide, many control 
activities are considered transaction specific (e.g., independent 
receipt and acceptance, approving official review) and the related 
tests should be accomplished at the transaction level. Also, as 
discussed in the Internal Control and the Control Environment section 
of this guide, some of the key elements of the control environment 
(e.g., training, discipline, purchasing and approving authority) lend 
themselves to efficient testing in conjunction with the testing of 
transaction-level control activities. The auditor should consider 
coordinating tests of those elements of the control environment with 
the tests of the following transaction control activities.

Transaction Control Activities; 

This guide discusses the following six control activities directly 
related to purchase card transactions and their supporting 
documentation and performance attributes for consideration by the 
auditor:

determining a legitimate government need,

screening for required vendors,

independent receipt and acceptance,

establishing accountability over property,

cardholder reconciliation, and

approving official review.

The specific tests of control activities accomplished, the specific 
documents reviewed, and the attributes considered may vary as audit 
objectives vary. When conducting the transaction control tests discussed 
below, auditors should also evaluate purchases for compliance with 
relevant laws and regulations (e.g., exemption from sales tax). The 
auditor should consider consulting with legal counsel for assistance in 
evaluating questions of the existence of a legitimate government need. 
The auditor should also consider conducting follow-up, as discussed 
later in this guide, in instances of a questionable legitimate 
government need, or prohibited or otherwise inappropriate government 
purchases.

Prepurchase approvals were found in up to 98 percent of purchase card 
transactions tested in a recent GAO audit.

Determination of a legitimate government need provides reasonable 
assurance to the organization that its resources are not being wasted. 
A legitimate need for the goods or service being acquired should be 
determined before a purchase is made. In a government purchase card 
program, the initial responsibility for making this determination may 
be assigned by the organization's policies and procedures to the 
cardholder. Prepurchase requests or other authorization prepared by a 
supervisor, or prepared by operations personnel and signed by a 
supervisor, can provide the cardholder with documentation of a 
legitimate government need. Organization policies may leave 
verification and documentation that purchases are for a legitimate 
government need to the discretion of the cardholder--a practice usually 
considered a weakness in the design of control. The organization's 
policies and procedures may identify specific items or types of 
purchases requiring special approval. However, prepurchase 
authorizations are not required by all government organizations, and 
some organizations may provide blanket authorization for routine 
purchases. When there is no documentation of a legitimate government 
need for other than routine items, the auditor should view purchases 
with an elevated level of professional skepticism. Further, the 
organization's policies and procedures may restrict or prohibit the 
purchase of certain items or types of goods and services. Auditors 
should be aware of these requirements, restrictions, and prohibitions, 
and the requirement, or lack thereof, for documentation establishing 
the government's need.

Auditors questioned whether a valid need had been identified when, "to 
get enough goodies for everyone," 80 Palm Pilots costing $30,000 were 
purchased and inventoried to be issued to personnel when requested.

Documentation evidencing the determination of a legitimate government 
need should be obtained and reviewed. This could include (1) a 
prepurchase request or authorization, (2) written blanket authorization 
for small routine purchases (e.g., office supplies), (3) written 
justification by the cardholder or other program personnel of the 
government need for the purchase, (4) other required documentation for 
specifically controlled or restricted purchases (e.g., a purchase 
justification or business need analysis for computer equipment), and 
(5) the vendor invoice describing the goods or services purchased.

Attributes to consider evaluating include (1) the date of government 
need determination, compared to date of the purchase, (2) whether the 
purchased item is included on the organization's prohibited or 
restricted list, and (3) the item purchased on the vendor invoice, 
compared to the item for which a need was determined. The auditor 
should consider the knowledge of the organization's operations and the 
control environment gained in previous sections of the guide, and 
exercise professional judgment, with an appropriate level of 
professional skepticism, in evaluating the reasonableness of the 
legitimate government need determination.

Screening for required vendors provides the organization with 
reasonable assurance of compliance with laws and regulations related to 
statutory sources of supply. One such regulation is the Federal 
Acquisition Regulation (FAR) Part 8, Required Sources of Supplies and 
Services. This regulation generally requires federal agencies to 
purchase supplies, services, and printing, from designated sources 
(e.g., Federal Prison Industries, the National Institute for the Blind, 
the National Institute for the Severely Handicapped, the Government 
Printing Office). Auditors should be aware of these and other laws, 
regulations, contractual agreements, and policies and procedures, which 
direct the organization to acquire goods and services from sources such 
as GSA schedules and contracts, blanket purchase agreements, and single 
source suppliers. Auditors should also be aware of exceptions provided 
to these and other requirements, generally having to do with 
practicality and availability.

Despite laws and regulations requiring priority be given to certain 
required vendors, a recent GAO audit found failure rates in this 
control ranging from 70 to 90 percent of purchases tested.

Documentation evidencing screening for required vendors should be 
obtained and reviewed including (1) a purchase log, required by policy 
by some organizations, (2) other documents evidencing appropriate 
screening, and (3) a waiver or other documentation of the applicability 
of exceptions made to required sources of supply.

Attributes to consider evaluating include (1) the date and cardholder 
signature or initial for screening, compared to the transaction date, 
and (2) the date and appropriate signature on waiver of purchase from 
required sources, compared to the transaction date. Professional 
skepticism should be exercised when evaluating the appropriateness of 
any exceptions to required sources of supply.

Two related organizations could not demonstrate independent receipt and 
acceptance for about $27.4 million in purchased goods and services.

Independent--someone other than the cardholder--receipt and acceptance 
of goods and services provides reasonable assurance that the 
organization actually received what it is paying for. The inclusion of 
independence in the receipt and acceptance activity significantly 
strengthens the control by adding segregation of duties to the 
activity. In purchase card programs, the cardholder is usually 
responsible for verifying that independent receipt and acceptance has 
occurred before completing the reconciliation activity discussed below.

Documentation evidencing independent receipt and acceptance (e.g., a 
signature or initial on the vendor invoice, receipt, or shipping 
document) should be obtained and reviewed including (1) the vendor 
invoice, (2) the shipping, receiving, and/or warehouse receipt for 
goods or services provided, and (3) the relevant cardholder billing 
statement.

Attributes to consider evaluating include (1) the date of signed 
receipt, compared to the purchase date and cardholder reconciliation 
date, (2) the signature or initial, evidencing receipt by someone other 
than the cardholder, (3) notations (e.g., tick marks) indicating 
verification of quantities for appropriate purchases, (4) the invoice 
amount, compared to cardholder billing statement amount, and (5) the 
invoice item description(s) and quantity, compared to receiving 
document description(s) and quantity.

Physical control and accountability over pilferable and other 
vulnerable property acquired by the purchase card, which is initiated 
at the purchase card transaction level, provides reasonable assurance 
to the organization that pilferable property (i.e., an item that is 
portable and can be easily converted to personal use) is appropriately 
recorded and asset-safeguarding control is established at the time of 
purchase and receipt. Organizational requirements for this activity may 
vary with the volume, value, and sensitivity of pilferable property 
acquisitions. Control activities required of the cardholder should 
include initially identifying the pilferable property requiring asset 
control, notifying appropriate property management personnel within the 
organization of the acquisition, and supplying the information required 
to establish a record in the property control system. Audit procedures 
should include verification of the record in the property control 
system, and can be extended to physical inspection and/or verification 
that the property is in the possession of the government.

Of 114 tested purchases of accountable property acquired with purchase 
cards, 60 (53 percent) were not recorded in property records, and 35 
(31 percent) could not be located.

Documentation evidencing performance of this activity should be 
obtained and reviewed, including (1) the vendor invoice, (2) evidence 
of independent receipt and acceptance, discussed above, (3) the 
cardholder's billing statement, (4) the cardholder's notification of 
pilferable property, submitted to property control system personnel, 
(5) the property control system record, and (6) if they are not evident 
in the existing transaction document, the auditor should obtain item 
serial number(s) directly from the supplier or manufacturer.

Attributes to consider evaluating include (1) the vendor invoice's 
quantity, description, and unique identifying number(s), such as a 
serial number (considered a critical attribute for this control), 
compared to those attributes in the property control system record, (2) 
the date of purchase (sale date on the cardholder's statement), 
compared to the date of signed receipt, the date of cardholder 
notification to appropriate property personnel, and the date of 
property record entry, and (3) the property control system's 
description, assigned property number (e.g., bar code number), property 
item unique identifying number (e.g., serial number), and location, 
compared to those same attributes from a physical inspection and/or 
independent verification that the accountable property is in the 
possession of the government.

Cardholder reconciliation provides the organization with reasonable 
assurance that all transactions appearing on the cardholder's billing 
statement are appropriate charges for goods and services purchased for 
and received by the organization. Much the same as individuals 
reviewing their personal credit card statements to assure themselves 
that the purchases and amounts included were actually made by them, 
government purchase cardholders should perform no less than that level 
of review. Cardholder reconciliation is the process of the cardholder 
gathering, reviewing, and providing the documentation to support that 
each purchase transaction appearing on the cardholder's billing 
statement is an appropriate, legitimate government purchase. The 
cardholder is responsible for identifying purchase card transactions 
that are unauthorized or that otherwise should not be paid by the 
government. The cardholder should promptly dispute unauthorized charges 
appearing in the cardholder's billing statement with the bank service 
provider. For those charges for which the cardholder is unable to verify 
independent receipt and acceptance, the auditor should look for 
evidence of either a credit by the vendor or a formal dispute filed 
with the bank service provider.

Tests of a statistical sample of purchase card transactions at four 
related organizations disclosed little evidence of cardholder 
reconciliation of purchases back to supporting documentation before 
payment of the bill.

The cardholder reconciliation and/or the approving official review and 
certification for payment may be accomplished either manually or 
electronically. The electronic system may not require a signature or 
date, and may leave little or no audit trail of the application of 
control activities to billing statements and/or individual 
transactions. The auditor should obtain, review, and use professional 
judgment and skepticism in considering the value of electronic 
system-generated reports and/or screen prints as audit evidence of actual 
performance, when evaluating adherence with control activities. The 
attributes described in this section remain relevant to audit 
considerations and evaluations regardless of whether the cardholder 
reconciliation control activity is performed manually or 
electronically. If the available documentation is insufficient to 
evidence the actual performance of a control activity, the selected 
purchase card transaction should be considered as failing that 
activity. In this circumstance, the auditor may consider it necessary 
to extend audit procedures to the general and application controls of 
the electronic data processing (EDP) system, which is outside the scope 
of this guide.

Documentation evidencing performance of cardholder reconciliation 
should be obtained and reviewed including: (1) the monthly purchase 
cardholder statement in a manual system, or other bank system-generated 
listing of billing-period transactions in an electronic system, (2) the 
vendor invoice, and (3) evidence of formal dispute (e.g., 
organizational standard form) of unauthorized charges appearing on the 
cardholder's billing statement.

Attributes to consider evaluating include: (1) the cardholder's 
reconciliation signature, (2) the date of reconciliation, compared to 
organizational requirements, the approving official review, and payment 
certification dates, (3) notations (e.g., tick marks, system notes) 
indicating that all transactions on the statement were individually 
reconciled, (4) the transaction date, amount, and vendor name on the 
vendor invoice, compared to those same attributes on the cardholder's 
statement, and (5) the transaction date and amount, and vendor name on 
formal dispute documentation, compared to the same attributes on the 
cardholder's statement. The auditor should consider following up on the 
appropriate resolution of disputed items.

Tests of a statistical sample of purchase card transactions at five 
related organizations disclosed numerous instances of approving 
officials certifying the bill for payment without review of cardholder 
reconciliation or supporting documentation.

Approving official review of the cardholder's reconciliation process 
provides reasonable assurance to the organization that the cardholder 
is timely and appropriately performing the reconciliation and is 
complying with all significant relevant controls to prevent or detect 
fraudulent, improper, and abusive purchases. The review also provides a 
basis for the approving official to accept responsibility that the 
purchases are appropriate, legitimate government purchases before the 
billing statement total is certified for payment. The approving 
official review, a critical control activity in a government purchase 
card program, should include a review of the cardholder reconciliation 
for timeliness and completeness and for the appropriateness of the 
supporting documentation for individual transactions. In evaluating the 
effectiveness of this control activity, the auditor should consider (1) 
the extent of the approving official's review of the supporting 
documentation for a cardholder's individual transactions, and (2) the 
extent of documentation (e.g., tick marks, system notes) of that 
review. To gain a better understanding of the extent of the approving 
official's review of cardholder reconciliations, the auditor may 
consider interviewing the approving official, in addition to reviewing 
documentation evidencing the review process.

As discussed in the section on cardholder reconciliation, the approving 
official review and the certification for payment may be accomplished 
either manually or electronically. The auditor should obtain, review, 
and use professional judgment and skepticism in considering the value 
of electronic system-generated reports and/or screen prints as audit 
evidence of actual performance when evaluating adherence with control 
activities. The attributes described in this section remain relevant to 
audit considerations and evaluations regardless of whether the 
approving official review control activity is performed manually or 
electronically. If the available documentation is insufficient to 
evidence the actual performance of a control activity, the selected 
purchase card transaction should be considered as failing that 
activity. In this circumstance, the auditor may consider it necessary 
to extend audit procedures to the general and application controls of 
the EDP system, which is outside the scope of this guide.

Documentation evidencing performance of this activity should be 
obtained and reviewed including (1) the cardholder's reconciliation 
documentation as discussed above, (2) documentation of the approving 
official's review of the cardholder's reconciliation, (3) the approving 
official's account billing statement, and (4) documentation of the 
approving (or billing) official's certification for payment of the 
balance on his/her account billing statement.

Attributes to consider evaluating include (1) the approving official's 
review signature, (2) the date of the approving official's review, 
compared to organizational policy requirements, the date of the 
cardholder's reconciliation, and the date of the approving (or billing) 
official's certification for payment, and (3) notations (e.g., tick 
marks, system notes) on cardholder's individual purchase card 
transactions, evidencing the approving official's review and evaluation 
of the appropriateness of the transactions and the documentation 
supporting the cardholder's performance of other control activities.

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases.

In addition to testing internal controls, GAO's purchase card 
methodology includes procedures designed specifically to identify 
potentially fraudulent, improper, and abusive purchase card 
transactions. Designing and conducting procedures specifically for the 
purpose of detecting such transactions serves multiple purposes, 
including the potential discovery of a previously unrecognized risk in 
the program. Additionally, top management will likely be more receptive 
to recommendations for corrective actions when a face is put on the 
consequences of weak control, and the effects are illustrated by 
instances of fraudulent, improper, and abusive purchases. GAO's 
methodology described in this guide is a two-step process similar to 
the process of selecting transactions and testing controls. It entails 
the pursuit of fraudulent, improper, and abusive purchases by (1) 
making nonrepresentative selections of transactions or patterns of 
activity in a process referred to as data mining, and (2) conducting 
follow-up procedures, rather than control tests, utilizing forensic 
auditing techniques on selected transactions and on cases of 
potentially fraudulent purchases detected during the audit process.

Data Mining for Detection, Illustration, and Disclosure; 

Data mining is the act of searching or 'mining' data to identify 
transactions or patterns of activity exhibiting predetermined 
characteristics, associations, or sequences, and anomalies between 
different pieces of information. Data mining produces leads for 
follow-up by auditors and investigators; consequently the concept of data 
mining, as used in this guide, also includes performing audit 
procedures and investigations as necessary to evaluate the leads. An 
active continuous data-mining program by organization management can 
also be used to identify and initiate investigations of instances of 
potentially fraudulent, improper, and abusive purchases, and can serve 
as an effective deterrent to such transactions. Data mining, when 
conducted in concert with the tests of control activities, can provide 
additional evidence of significant instances of noncompliance with laws 
and regulations, such as those discussed in the Relevant Laws and 
Regulations section of this guide, and lack of adherence to internal 
control policies and procedures. In addition, it can identify previously 
unrecognized or under-appreciated risk in the program. Revelations by 
data-mining results can often generate the upper management motivation 
necessary to bring about meaningful change in policies and procedures. 
The results of data mining should also be considered when evaluating 
the overall effectiveness of systems of internal control over 
government purchase card programs. However, since data mining is 
nonrepresentative, its results cannot be projected, and conclusions 
should not be reached on the population of purchase card transactions.

GAO's approach to data mining is designed to support its overall 
evaluation of the internal control of a government purchase card 
program and to provide examples of the results of weakness in internal 
control. That approach generally consists of:

* identifying the population of transactions to data mine,

* identifying criteria and designing search queries, and

* extracting or summarizing transactions or patterns of activity from the 
population for further analysis, selection, audit, and investigation.

The source of data for mining would generally be the same population as 
the source used to select transactions for control tests. The same 
population of transactions must be used if examples of control failures 
detected by data mining are to be relevant to the population of 
transactions and to the period covered by the control tests. This would 
allow the results of data mining to be considered in the overall 
evaluation of effectiveness of internal control.

An experienced credit card fraud investigator will bring valuable 
perspective and insight, and should be involved in the process of 
identifying criteria, associations, and characteristics for data mining 
for fraudulent, improper, and abusive purchases. When identifying and 
selecting data-mining criteria the auditor should also consider the 
risks of potentially fraudulent, improper, and abusive purchases, 
data-mining criteria identified by the auditor during the preliminary 
assessment, and the data-mining criteria discussed in the following 
examples.

The following examples of data-mining queries, summaries and/or 
extractions are appropriate to support an evaluation of the internal 
control of a government purchase card program as contemplated in this 
guide, and are intended to be used to identify and extract potentially 
fraudulent, improper, and abusive purchases from a transaction 
database.

Data mining of purchase card transactions at five related organizations 
disclosed numerous purchases of items for personal use including 
digital cameras, computers, clothing, and food.

Questionable vendors are those vendors who sell goods or services that 
generally are not considered to meet a legitimate government need, or 
which are restricted or prohibited by law, regulation, or policy. 
Recent GAO audits of purchase card programs have identified potentially 
fraudulent, improper, and abusive purchases of goods and services from 
vendors such as restaurants, grocery stores, casinos, clothing or 
luggage stores, home furnishings, personal electronics, pornographic or 
sexually oriented goods or services (e.g., escort services), automobile 
dealers, and gasoline service stations. The understanding gained of the 
organization's operations, in accordance with a previous section of 
this guide, should provide the insight necessary to make preliminary 
identification of vendors selling goods and services which likely do 
not meet a legitimate government need. The following are examples of 
ways to identify, extract, and select purchases from these vendors.

By name: Questionable vendors, who can be expected to sell unneeded or 
prohibited goods or services, can be identified by name. This can be 
accomplished by 
manually reviewing a comprehensive list of vendor names extracted and 
sorted alphabetically from the population database. The selection 
process can be greatly enhanced by including selected summarized data 
by vendor name (e.g., number of transactions, dollars of purchases, 
number of cardholders making purchases). For example, because of the 
goods and services provided by vendors specializing in toys, stylish 
personal calendar/planners, and consumer electronics, purchases from 
them have a high likelihood of being potentially fraudulent, improper, 
or abusive.

By merchant category code (MCC): Questionable vendors can be identified 
by using MCC codes--standard codes that the credit card industry 
maintains to categorize merchants--assigned to vendors that may sell 
personal or prohibited goods or services. Purchase card transactions 
carrying the identified codes can then be extracted from the population 
database. Sorting and/or summarizing the extracted transactions by 
vendor may further enhance the selection processes. Organizations have 
the ability to block purchases from vendors with selected MCC codes at 
the bank service provider. Ideally, any attempt to charge a purchase 
from a vendor with a blocked MCC code should be automatically rejected 
at the point of purchase. However, auditors should be aware that (1) 
vendors may circumvent this control by providing false or misleading 
information and obtaining an MCC code intended to disguise the types of 
goods or services provided by the vendor, and (2) bank service 
providers do not always reject purchase card transactions with blocked 
vendor MCC codes.

A recent GAO audit disclosed a purchase card transaction with a 
prohibited escort service vendor. The bank service provider had 
accepted the transaction despite the blocked vendor MCC code.

All transactions associated with the identified vendor names and/or MCC 
codes should be considered potentially fraudulent, improper, and 
abusive and extracted into a questionable vendor transactions 
database(s) for further selection and follow-up.

GAO testified that approximately $12,000 in potentially fraudulent 
cardholder purchases including an Amana range, Compaq computers, gift 
certificates, groceries, and clothes occurred primarily between 
December 20 and 26, 1999.

Weekend and holiday purchases, in the operations of a normal 
governmental organization, could also offer a high probability of 
identifying potentially fraudulent, improper, and abusive 
transactions. However, using this approach to select transactions would 
not be effective if the organization's operations routinely involve 
weekend and holiday purchasing activity. During the previously 
discussed process of gaining an understanding of the organization's 
operations, the auditor should look for and be aware of this and 
similar exceptions to normal operations when designing data-mining 
criteria. Purchase card transactions on weekends and holidays within 
the audit period should be identified and extracted into a suspect date 
transactions database for further selection.
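
The following Python sketch is an added example, not part of the original guide. It expresses the merchant category code and weekend/holiday extractions described above as queries over a transaction list. The record layout, the sample transactions, the block list, and the holiday list are constructed assumptions.

```python
from datetime import date
from typing import NamedTuple


class Txn(NamedTuple):
    txn_id: str
    cardholder: str
    department: str
    vendor: str
    mcc: str
    txn_date: date
    amount: float


# Example block list (assumption): the auditor would load the codes the
# organization actually asked the bank service provider to block.
BLOCKED_MCC = {
    "5411",  # grocery stores
    "5812",  # restaurants
    "7273",  # dating and escort services
    "7995",  # gambling
}

# Holidays inside the sample period (auditor-supplied list, constructed here).
HOLIDAYS = {date(2002, 7, 4)}

# Constructed sample transactions; vendor names and MCC values are illustrative.
SAMPLE_TXNS = [
    Txn("T01", "CH-A", "Supply", "OFFICE SUPPLY CO", "5943", date(2002, 7, 9), 412.10),
    Txn("T02", "CH-B", "Supply", "CITY GRILL", "5812", date(2002, 7, 8), 86.40),
    Txn("T03", "CH-B", "Supply", "HOME ELECTRONICS", "5732", date(2002, 7, 6), 1299.00),
    Txn("T04", "CH-C", "Security", "HARDWARE STORE", "5251", date(2002, 7, 7), 230.00),
    Txn("T05", "CH-A", "Supply", "GROCERY MART", "5411", date(2002, 7, 4), 154.25),
]


def blocked_mcc_hits(txns, blocked=BLOCKED_MCC):
    """Posted transactions carrying a blocked MCC, i.e. charges the bank
    service provider accepted even though the code was blocked."""
    return [t for t in txns if t.mcc in blocked]


def suspect_date_hits(txns, holidays=HOLIDAYS, routine_departments=()):
    """Weekend and holiday purchases, skipping departments whose normal
    operations include weekend and holiday purchasing."""
    hits = []
    for t in txns:
        if t.department in routine_departments:
            continue
        if t.txn_date in holidays:
            hits.append((t.txn_id, "holiday"))
        elif t.txn_date.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            hits.append((t.txn_id, "weekend"))
    return hits


def screen(txns, blocked=BLOCKED_MCC, holidays=HOLIDAYS, routine_departments=()):
    """Merge both criteria per transaction so that transactions meeting
    more than one criterion sort to the top of the selection list."""
    reasons = {}
    for t in blocked_mcc_hits(txns, blocked):
        reasons.setdefault(t.txn_id, []).append("blocked MCC")
    for txn_id, why in suspect_date_hits(txns, holidays, routine_departments):
        reasons.setdefault(txn_id, []).append(why)
    return sorted(reasons.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for txn_id, why in screen(SAMPLE_TXNS, routine_departments={"Security"}):
        print(txn_id, ", ".join(why))
```

The routine_departments argument is where the auditor records exceptions identified while gaining an understanding of the organization's operations.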

Data mining purchases at five related organizations disclosed numerous 
occurrences of purchases split to circumvent the $2,500 micropurchase 
threshold, including $16,000 for furniture for an approving official's 
office.

Split transactions are two or more transactions that would have 
normally been a single-purchase transaction, but were split to 
circumvent the micropurchase threshold (generally $2,500) or other 
legal or internal control single-purchase limit(s). For purposes of 
identifying sets of potential split transactions, all purchase card 
transactions in the audit period that meet the following criteria can 
be extracted into a potential split transactions database for further 
analysis:

* the transactions are with the same vendor, and

* the transaction dates are on the same day, and

* the transactions total in excess of $2,500, and

* the transactions are by the same cardholder, or the transactions are by 
the same activity/department. (Broadening the selection criteria to the 
same activity/department considers the potential for collusion among 
cardholders to circumvent single-purchase limits.)

An organization approved and paid 75 purchase card transactions, all 
close to the micropurchase threshold, totaling $164,000, with a 
telecommunications contractor. The organization could not provide 
documentation of the nature or of receipt and acceptance of the 
services provided. After completing follow-up, GAO referred this case 
for criminal investigation.

A nonrepresentative selection of transactions can then be made from the 
potential split transactions database and submitted to the follow-up 
procedures described in the Follow-up and Investigation section of this 
guide. For purposes of determining circumvention of single-purchase 
limits, all applicable limits should be considered (e.g., 
micropurchase, cardholder organization authorized single-purchase 
limit, bank service provider system cardholder control single-purchase 
limit).
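
The following Python sketch is an added example, not part of the original guide. It applies the split-transaction criteria listed above at both the cardholder and the activity/department level. The record layout, the sample transactions, and the per-cardholder single-purchase limits are constructed assumptions, as is the choice to use the lowest limit applicable to the cardholders in a group.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import NamedTuple


class Txn(NamedTuple):
    txn_id: str
    cardholder: str
    department: str
    vendor: str
    txn_date: date
    amount: Decimal


class SplitLead(NamedTuple):
    scope: str          # "cardholder" or "department"
    party: str
    vendor: str
    txn_date: date
    total: Decimal
    limit: Decimal
    txn_ids: tuple
    cardholders: tuple


D = Decimal
DAY = date(2002, 3, 12)
# Constructed sample transactions.
SAMPLE_TXNS = [
    Txn("S1", "CH-A", "Facilities", "OFFICE FURNITURE CO", DAY, D("2400.00")),
    Txn("S2", "CH-A", "Facilities", "OFFICE FURNITURE CO", DAY, D("2450.00")),
    Txn("S3", "CH-B", "Facilities", "Office  Furniture Co", DAY, D("2300.00")),
    Txn("S4", "CH-C", "Supply", "PAPER WAREHOUSE", DAY, D("900.00")),
    Txn("S5", "CH-C", "Supply", "PAPER WAREHOUSE", DAY, D("800.00")),
    Txn("S6", "CH-D", "Supply", "PAPER WAREHOUSE", date(2002, 3, 13), D("2600.00")),
]


def norm_vendor(name):
    """Collapse case and spacing so the same vendor groups together."""
    return " ".join(name.upper().split())


def find_splits(txns, limits=None, micropurchase=Decimal("2500")):
    """Return sets of two or more same-vendor, same-day transactions whose
    total exceeds the lowest applicable single-purchase limit.

    limits maps a cardholder to an authorized single-purchase limit
    (assumption: supplied by the auditor from program records)."""
    limits = limits or {}
    leads = []
    scopes = (("cardholder", lambda t: t.cardholder),
              ("department", lambda t: t.department))
    for scope, party_of in scopes:
        groups = defaultdict(list)
        for t in txns:
            groups[(party_of(t), norm_vendor(t.vendor), t.txn_date)].append(t)
        for (party, vendor, day), rows in groups.items():
            holders = tuple(sorted({t.cardholder for t in rows}))
            if len(rows) < 2:
                continue  # a single purchase is not a split
            if scope == "department" and len(holders) < 2:
                continue  # already reported at cardholder scope
            limit = min([micropurchase] + [limits[h] for h in holders if h in limits])
            total = sum((t.amount for t in rows), Decimal("0"))
            if total > limit:
                leads.append(SplitLead(scope, party, vendor, day, total, limit,
                                       tuple(t.txn_id for t in rows), holders))
    return sorted(leads, key=lambda lead: lead.total, reverse=True)


if __name__ == "__main__":
    for lead in find_splits(SAMPLE_TXNS, limits={"CH-C": Decimal("1500")}):
        print(lead.scope, lead.party, lead.vendor, lead.total, lead.txn_ids)
```

The department-level lead that spans two cardholders is the collusion case the criteria are broadened to catch; it would not appear in a cardholder-only extraction.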

Transactions of unusual amounts or relationships may be fraudulent, 
improper, or abusive. The auditor should review the database for the 
existence of unusual purchase card transaction amounts, patterns, and 
relationships. Examples of such transactions include:

* frequent amounts with the same vendor just under the micropurchase 
threshold which, for example, may indicate that a vendor is exploiting 
weak controls and charging for goods or services that are not being 
provided or rendered; and

* multiple transactions for the same amount which, for example, may 
indicate intentional or unintentional duplicate billings for the same 
goods or service.

An organization used year-end funds to purchase computers and monitors 
costing $47,372. Nine months later over half of the computers remained 
in storage, raising questions of a legitimate need when purchased.

Purchase card transactions in the audit period for unusual amounts or 
relationships should be extracted into an unusual-transactions database 
for further selection.

Year-end spending may include purchases for which there is not a 
legitimate government need (e.g., bulk purchases of computer or 
electronic equipment). All purchase card transactions that exceed an 
established larger dollar value (e.g., $25,000) and occur in the last 
month of the fiscal year can be extracted into a year-end transactions 
database for further selection.

Purchase card transactions by vendor for the audit period can be 
summarized to provide statistical data such as:

* the number of cardholders making acquisitions with a vendor,

* the number of transactions with a vendor, and

* the dollar volume of transactions with a vendor.

A critical analysis of the resulting vendor transaction summary totals, 
and their relationships, can identify opportunities for further data 
mining. Vendor summary totals at the extremes of activity, both high 
and low, warrant special attention. A vendor with only one or two 
cardholders making purchases, particularly if the dollar volume is 
high, may indicate a conflict of interest or fraudulent (e.g., 
kickbacks), improper, or abusive transactions. High dollar volumes of 
purchases may indicate a vendor with whom the government should have a 
discounted price agreement. A vendor with only one transaction might 
indicate a questionable legitimate government need. If these summaries 
are accomplished utilizing a software audit tool, the individual 
purchase card transaction detail underlying each vendor's summary 
totals will usually be available, facilitating further review and 
selection.
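
The following Python sketch is an added example, not part of the original guide. It builds the vendor summary described above and adds two columns for the unusual-amount patterns discussed earlier (amounts just under the threshold and repeated identical amounts). The sample rows, the 10 percent band under the threshold, and the cutoffs for "high" dollar volume and "frequent" are constructed assumptions the auditor would set.

```python
from collections import Counter, defaultdict
from decimal import Decimal
from typing import NamedTuple


class VendorStats(NamedTuple):
    cardholders: int          # distinct cardholders buying from the vendor
    txn_count: int
    dollars: Decimal
    near_threshold: int       # amounts in the band just under the limit
    repeated_amounts: tuple   # amounts that occur more than once


# Constructed sample rows: (vendor, cardholder, amount)
SAMPLE_ROWS = [
    ("TELECOM SERVICES INC", "CH-A", "2450.00"),
    ("TELECOM SERVICES INC", "CH-A", "2475.00"),
    ("TELECOM SERVICES INC", "CH-A", "2490.00"),
    ("TELECOM SERVICES INC", "CH-A", "2450.00"),
    ("OFFICE SUPPLY CO", "CH-A", "1200.00"),
    ("OFFICE SUPPLY CO", "CH-B", "1800.00"),
    ("OFFICE SUPPLY CO", "CH-C", "2100.00"),
    ("OFFICE SUPPLY CO", "CH-D", "950.00"),
    ("OFFICE SUPPLY CO", "CH-B", "1500.00"),
    ("TOY EMPORIUM", "CH-B", "89.99"),
]


def vendor_summary(rows, threshold=Decimal("2500"), band=Decimal("0.10")):
    """Summarize transactions by vendor for the audit period."""
    floor = threshold * (1 - band)
    by_vendor = defaultdict(list)
    for vendor, cardholder, amount in rows:
        by_vendor[vendor].append((cardholder, Decimal(amount)))
    summary = {}
    for vendor, items in by_vendor.items():
        amounts = [a for _, a in items]
        counts = Counter(amounts)
        summary[vendor] = VendorStats(
            cardholders=len({c for c, _ in items}),
            txn_count=len(items),
            dollars=sum(amounts, Decimal("0")),
            near_threshold=sum(1 for a in amounts if floor <= a <= threshold),
            repeated_amounts=tuple(sorted(a for a, n in counts.items() if n > 1)),
        )
    return summary


def vendor_leads(summary, high_dollars=Decimal("5000"), near_min=3):
    """Flag vendors at the extremes of activity for further data mining."""
    leads = []
    for vendor in sorted(summary):
        s = summary[vendor]
        if s.cardholders <= 2 and s.dollars >= high_dollars:
            leads.append((vendor, "few cardholders, high dollar volume"))
        if s.cardholders > 2 and s.dollars >= high_dollars:
            leads.append((vendor, "high volume: check for price agreement"))
        if s.txn_count == 1:
            leads.append((vendor, "single transaction"))
        if s.near_threshold >= near_min:
            leads.append((vendor, "frequent amounts just under threshold"))
        if s.repeated_amounts:
            leads.append((vendor, "repeated identical amounts"))
    return leads


if __name__ == "__main__":
    for vendor, reason in vendor_leads(vendor_summary(SAMPLE_ROWS)):
        print(vendor, "-", reason)
```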

Cardholders and/or their approving officials considered to have 
suspicious activities might be identified as the result of following up 
on previous data-mining transactions, a referral to an organizational 
fraud hotline, previous audit findings, or other means. Purchase card 
transactions for such cardholders and/or approving officials can be 
extracted into separate transactions databases for further analysis. 
Follow-up and investigation of these transactions can assist in 
developing cases for referral to criminal investigation and 
prosecutorial authorities.

Since the data being mined are usually contained in a database of 
individual purchase card transactions, a software audit tool that 
facilitates summaries, comparisons, and extractions of transactions and 
data elements selected for follow-up is recommended. Several 
over-the-counter audit tools of this type are available. Using professional 
judgment and considering the understandings gained and the results of 
the preliminary assessment, the auditor should select transaction leads 
provided by data mining and submit them to the procedures described in 
the Follow-up and Investigation section of this guide. Unless adequate 
follow-up procedures are accomplished, the auditor will not have 
sufficient support to either report or refer the findings.

Follow-up and Investigation; 

The concept of follow-up, as used in this guide, contemplates an 
extension of audit procedures and documentation beyond those generally 
necessary to test for adherence to internal control policies or 
performance of control activities. GAO's approach to the follow-up 
process assesses purchase card transactions in three incremental 
stages: (1) an initial evaluation of the cardholder documentation 
supporting selected data-mined transactions for the purpose of 
discerning potentially fraudulent, improper, and abusive transactions, 
(2) the conduct of follow-up procedures discussed in this section on 
those transactions, and (3) referral of any instance of detected likely 
fraud to the appropriate criminal investigative personnel.

Because of the characteristics of fraudulent, improper, and abusive 
purchases, the exercise of professional skepticism--an attitude that 
includes a questioning mind and a critical assessment of audit 
evidence--is especially important when following up on these purchase 
card transactions.

Follow-up; 

The conduct of follow-up procedures utilizes forensic auditing 
techniques. In the context of this guide, forensic auditing (follow-up) 
contemplates increased scrutiny and documentation by the auditor of the 
facts and circumstances (including judgments made and actions taken by 
individuals party to the transaction) surrounding potentially 
fraudulent, improper, and abusive transactions. In the instance of 
fraudulent purchase card transactions, the follow-up process is 
designed to support a subsequent criminal investigation.

The auditor should consider consulting with the appropriate fraud 
investigative staff when determining the appropriate follow-up 
procedures for potentially fraudulent transactions or cases detected 
through control tests or data mining. An experienced purchase card 
fraud investigator can bring valuable perspectives and insight to the 
follow-up process. Investigators may have procedures and protocols that 
establish boundaries designed to preserve a successful investigation 
and prosecution of a fraud within which the auditor's follow-up and 
referral procedures should be constrained (e.g., cautions against 
contacting and inadvertently alerting the vendor suspected of fraud).

To begin the follow-up process for transactions selected by data mining 
or other means, the auditor should obtain and review transaction 
documentation similar to that obtained and reviewed in the tests of 
transaction control activities (e.g., determination of legitimate 
government need, vendor invoice, independent receipt and acceptance, 
accountable property record, the cardholder billing statement). This 
documentation should be analyzed to determine whether it supports a 
preliminary conclusion of (1) an appropriate government transaction 
that meets a legitimate government need, or (2) a potentially 
fraudulent, improper, or abusive transaction.

Detected or selected potentially fraudulent transactions should always 
be submitted to follow-up procedures. However, the auditor should use 
professional judgment and consider the results of cardholder 
documentation review, the overall objectives of pursuing fraudulent, 
improper, and abusive purchases, and the overall objectives of the 
audit, in making a decision to accomplish follow-up procedures for 
transactions detected during tests for performance of control 
activities, and the transactions selected in the data-mining process.

Professional judgment, inputs from qualified fraud investigators, and 
an elevated level of professional skepticism should be exercised when 
conducting follow-up procedures and evaluating: (1) justifications 
offered for lack of adherence to policies and/or performance of control 
activities, (2) additional supporting documentation provided, and (3) 
unsupported representations made in interviews with program and 
organization personnel.

The following are intended as examples of follow-up procedures, and are 
not a complete list of possible procedures.

* Request additional documentation to (1) support adherence to internal 
control policies or performance of control activities (e.g., legitimate 
government need, independent receipt and acceptance, exception to 
prohibited item purchases), (2) provide missing relevant details of the 
transactions, (3) support authorization for an otherwise improper 
purchase, or (4) document other issues significant or useful to the 
process.

* Interview the cardholder for explanation, clarification, and other 
additional information concerning the transaction, and corroboration of 
verbal representations made by others.

* Interview the approving official for explanation, clarification, and 
other additional information concerning the transaction, and 
corroboration of verbal representations made by others.

* Interview other organization personnel who may have been identified as 
parties with corroborating or clarifying knowledge of the facts and 
circumstances of the transaction (e.g., supervisors and coworkers).

* Contact the vendor for clarification of the specifics of the 
transaction (e.g., quantities, dates, time, description of goods or 
services provided). Request copies of supporting documentation from the 
vendor, especially when cardholder supporting documentation is missing.

Fraud investigators provided relevant reports and information to GAO 
auditors during follow-up on potentially fraudulent purchase card 
transactions.

Fraud investigative staff assisting in the follow-up, or gathering 
evidence to make and prove specific allegations of wrongdoing, may be 
able to provide other items (e.g., credit reports, criminal records) 
that can provide additional insight to the follow-up process.

All interviews conducted as part of the follow-up process should be 
documented in the audit work papers. At the conclusion of the follow-up 
process, consider summarizing the facts, findings, and resolution or 
disposition of the potentially fraudulent, improper, and abusive item 
in a memorandum for inclusion in the work paper file. If at any time 
during the follow-up process the auditor's professional judgment is 
that a transaction is likely fraudulent, referral of the transaction to 
the appropriate fraud investigative staff (e.g., inspectors general, 
military service fraud investigation offices) should be immediately 
considered.


Referral for Investigation:

Referral of a likely fraudulent government purchase card transaction or 
case should be made to the appropriate federal criminal investigative 
body. We made such referrals to GAO's Office of Special Investigations, 
whose investigators have substantial experience in credit card fraud. 
The referral should be accomplished in a written communication. That 
communication would generally include, but not be limited to, the 
following information:

* the date of the communication,

* the name of the referring organization,

* the name and telephone number of the referring contact,

* the organization and program under audit,

* a description of the potentially fraudulent transaction or case 
(e.g., goods or services purchased, amounts paid, impropriety of the 
transaction),

* the reason(s) for concluding the transaction to be potentially 
fraudulent,

* the names and positions of the individuals involved (e.g., John Doe - 
cardholder, Jane Doe - vendor),

* the date(s) of the purchase transaction,

* a description of the indicators alerting the auditor to the 
potentially fraudulent transaction (e.g., altered supporting 
documentation, personnel interview, or record discrepancies), and

* a statement as to whether the relevant documents (copies or 
originals) are attached or are available (e.g., cardholder billing 
statement, vendor invoice(s), follow-up interview(s)).

Appendixes:

Appendix I: Selected Relevant GAO Reports and Testimonies:

Department of Education:

Department of Housing and Urban Development:

Financial Management: Poor Internal Control Exposes Department of 
Education to Improper Payments. GAO-01-997T. Washington, D.C.: July 24, 
2001.

Education Financial Management: Weak Internal Controls Led to Instances 
of Fraud and Other Improper Payments. GAO-02-406. Washington, D.C.: 
March 2002.

Financial Management: Strategies to Address Improper Payments at HUD, 
Education, and Other Federal Agencies. GAO-03-167T. Washington, D.C.: 
October 3, 2002.

Department of Defense - Army:

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, 
Waste, and Abuse. GAO-02-732. Washington, D.C.: June 2002.

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, 
Waste, and Abuse. GAO-02-844T. Washington, D.C.: July 17, 2002.

Department of Defense - Air Force:

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to 
Fraud, Waste, and Abuse. GAO-03-292. Washington, D.C.: December 2002.

Department of Defense - Navy:

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to 
Fraud and Abuse. GAO-01-995T. Washington, D.C.: July 30, 2001.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to 
Fraud and Abuse. GAO-02-32. Washington, D.C.: November 2001.

Purchase Cards: Continued Control Weaknesses Leave Two Navy Units 
Vulnerable to Fraud and Abuse. GAO-02-506T. Washington, D.C.: March 13, 
2002.

Purchase Cards: Navy Is Vulnerable to Fraud and Abuse but Is Taking 
Action to Resolve Control Weaknesses. GAO-02-1041. Washington, D.C.: 
September 27, 2002.

Purchase Cards: Navy Vulnerable to Fraud and Abuse but Is Taking Action 
to Resolve Control Weaknesses. GAO-03-154T. Washington, D.C.: October 
8, 2002.

Appendix II: Selected Relevant Laws and Regulations:

This appendix contains some of the laws and regulations and other 
guidance that are applicable governmentwide to the federal government 
purchase card program. Additional laws and regulations and other 
agency- or organization-specific guidance may apply as well.

Establishment and operation of the purchase card program:

GSA SmartPay® Master Contract:

Treasury Financial Manual, Vol. I, Part 4-4500, "Government Purchase 
Cards":

41 U.S.C. § 426 Use of electronic commerce in Federal procurement:

48 C.F.R. § 13.301(b) Governmentwide commercial purchase card:

31 U.S.C. §§ 3901 - 3907 Prompt Payment Act:

5 C.F.R. Part 1315 Prompt Payment:

Procurement methods and standards:

41 U.S.C. § 253 Competition requirements:

41 U.S.C. § 403(11) Definitions:

41 U.S.C. § 427 Simplified acquisition procedures:

41 U.S.C. § 428 Procedures applicable to purchases below micropurchase 
threshold:

41 U.S.C. § 429 List of laws inapplicable to contracts not greater than 
the simplified acquisition threshold in Federal Acquisition Regulation:

48 C.F.R. § 1.603-3(b) Appointment:

48 C.F.R. Part 2.101 Definitions:

48 C.F.R. Part 8 Required Sources of Supplies and Services:

48 C.F.R. Part 13 Simplified Acquisition Procedures:

Purposes for which an organization's appropriations may be used:

31 U.S.C. § 1301(a) "Purpose Statute":

Bona Fide Needs Rule, See, e.g. 68 Comp. Gen. 170, 171 (1989); 58 Comp. 
Gen. 471, 473 (1979); 54 Comp. Gen. 962, 966 (1975):

3 Comp. Gen. 433 (1924) Comptroller General McCarl to the Secretary of 
War:

B-288266 (Jan. 27, 2003) Use of Appropriated Funds to Purchase Light 
Refreshments at Conferences:

72 Comp. Gen. 178 (1993) Matter of: Corps of Engineers - Use of 
Appropriated Funds to Pay for Meals:

65 Comp. Gen. 738 (1986) Matter of: Refreshments at Awards Ceremony:

64 Comp. Gen. 406 (1985) Matter of: Randall R. Pope and James L. Ryan - 
Meals at Headquarters Incident to Meetings:

B-289683 (Oct. 7, 2002) Matter of: Purchase of Cold Weather Clothing, 
Rock Island District, U.S. Army Corps of Engineers:

63 Comp. Gen. 245 (1984) Matter of: Purchase of Down-Filled Parkas:

Appendix III: Example Purchase Transaction Flow Chart and Narrative 
(Request Through Payment):

[See PDF for image]

Source: GAO-02-1041.

[End of figure]

Approving Official:

If operating effectively, the approving official is responsible for 
ensuring that all purchases made by the cardholders within his or her 
cognizance are appropriate and that the charges are accurate. The 
approving official is supposed to resolve all questionable purchases 
with the cardholder before certifying the bill for payment. In the 
event an unauthorized purchase is detected, the approving official is 
supposed to notify the agency program coordinator and other appropriate 
personnel within the command in accordance with the command procedures. 
After reviewing the monthly statement, the approving official is to 
certify the monthly invoice and send it to the Defense Finance and 
Accounting Service (DFAS) for payment.

Cardholders:

A purchase cardholder is a Navy employee who has been issued a purchase 
card. The purchase card bears the cardholder's name and the account 
number that has been assigned to the individual. The cardholder is 
expected to safeguard the purchase card as if it were cash.

Designation of Cardholders:

When a supervisor requests that a staff member receive a purchase card, 
the agency program coordinator is to first provide training on purchase 
card policies and procedures and then establish a credit limit and 
issue a purchase card to the staff member.

Ordering Goods and Services:

Purchase cardholders are delegated limited contracting officer ordering 
responsibilities. As limited contracting officers, purchase 
cardholders do not negotiate or manage contracts. Rather, cardholders 
use purchase cards to order goods and services for their units and 
their customers as well. Cardholders may pick up items ordered directly 
from the vendor or request that items be shipped directly to an end 
user (requesters). Upon receipt of purchased items, the cardholder is 
to record the transaction in his or her purchase log and obtain 
documented independent confirmation from the end user, the supervisor, 
or another individual that the items have been received and accepted by 
the government. The cardholder is also to notify the property book 
officer of accountable items received so that these items can be 
recorded in the accountable property records.

Payment Processing:

The purchase card payment process begins with receipt of the monthly 
purchase card billing statements. Section 2784 of title 10, United 
States Code, requires DOD to issue regulations that ensure that 
purchase cardholders and each official with authority to authorize 
expenditures charged to the purchase card reconcile charges with 
receipts and other supporting documentation before paying the monthly 
purchase card statement. NAVSUP Instruction 4200.94 states that upon 
receipt of the individual cardholder statement, the cardholder has 5 
days to reconcile the transactions appearing on the statement by 
verifying their accuracy to documentation supporting the transactions 
and to notify the approving official in writing of any discrepancies in 
the statement.

In addition, under NAVSUP Instruction 4200.94, before the credit card 
bill is paid, the approving official is responsible for (1) ensuring 
that all purchases made by the cardholders within his or her cognizance 
are appropriate and that the charges are accurate and (2) the timely 
certification of the monthly summary statement for payment by DFAS. The 
instruction further states that within 5 days of receipt, the approving 
official must review and certify for payment the monthly billing 
statement, which is a summary invoice of all transactions of the 
cardholders under the approving official's purview.

The approving official is instructed to presume that all transactions 
on the monthly statements are proper unless notified in writing by the 
purchase cardholder to the contrary. However, the presumption does not 
relieve the approving official from reviewing the statements for 
blatantly improper purchase card transactions and taking the 
appropriate action before certifying the invoice for payment. In 
addition, the approving official is responsible for forwarding disputed 
charge forms for submission to Citibank for credit. Under the Navy's 
task order, Citibank allows the Navy up to 60 days after the statement 
date to dispute invalid transactions and request a credit.

Upon receipt of the certified monthly purchase card summary statement, 
a DFAS vendor payment clerk is to (1) review the statement and 
supporting documents to confirm that the prompt-payment certification 
form has been properly completed and (2) subject it to automated and 
manual validations. DFAS effectively serves as a payment processing 
service and relies on the approving-official certification of the 
monthly bill as support to make the payment. The DFAS vendor payment 
system then batches all of the certified purchase card payments for 
that day and generates a tape for a single payment to Citibank by 
electronic funds transfer.

Appendix IV: Example Purchase Card Program Organization Chart:

Navy Purchase Card Program Management Structure, September 2001:

Department of Defense Purchase Card Program Management Office:

Department of Navy eBusiness Operations Office:

Navy Agency Program Coordinator:

U.S. Marine Corps: Major Command Agency Program Coordinator:

Atlantic Fleet: Major Command Agency Program Coordinator:

Naval Sea Systems Command: Major Command Agency Program Coordinator:

Pacific Fleet: Major Command Agency Program Coordinator:

Camp Lejeune, NC:

Agency Program Coordinators at Subordinate Units: 15:

Approving Officials: 173:

Cardholders: 496:

Norfolk, VA Area:

Agency Program Coordinators at Subordinate Units: 98:

Approving Officials: 286:

Cardholders: 769:

San Diego, CA Area:

Agency Program Coordinators at Subordinate Units: 66:

Approving Officials: 168:

Cardholders: 417:

Norfolk, VA Area:

Agency Program Coordinators at Subordinate Units: 10:

Approving Officials: 78:

Cardholders: 235:

Source: GAO analysis of Navy purchase card program organization.

[End of figure]

Appendix V: Example Audit Program:

Government Purchase Card Program: Example Internal Control Performance 
Audit Program:

Program Overview:

This audit program is an example only and should be tailored to meet 
the requirements of the individual organization's purchase card 
program. The approaches, methodologies, and concepts applied in this 
example, and the accompanying audit guide, are appropriate for use by 
management oversight personnel as well as internal and external 
auditors. To facilitate ongoing internal control monitoring efforts by 
management, sections C and D can be performed independently of each 
other, and section D can be applied on a continuous basis.

[See PDF for image]

[End of figure]

[End of section]

Appendix VI: Guidelines for Initiating an Investigation of Purchase 
Card Fraud:

For purchase card transactions that have been identified as potentially 
fraudulent, the investigator should review information provided as part 
of the follow-up and referral process and, to the extent necessary, take 
the following actions:

Obtain from the organization, auditor, or manager the names of 
cardholder(s) for accounts involved with the transaction(s).

Obtain account histories from the bankcard service provider for 
specific accounts to identify any patterns of similar or other 
questionable transactions and the vendors involved with those 
transactions.

Identify the organization's approval process and determine who:

* requested the goods or services purchased,

* approved the transactions, and

* signed off on the monthly statement indicating that they had reviewed 
the transactions.

Obtain from the organization, auditor, or manager documentation related 
to the transaction(s), such as invoices, shipping receipts, any contact 
telephone numbers, etc.

Determine the organization's policies for accountability of pilferable 
and other property.

Interview the organization individual(s) involved with requesting the 
goods or services and the individual(s) who review the monthly bank 
statements to determine (1) whether they were aware of the 
transaction(s) and (2) whether the cardholder(s) filed a dispute form 
concerning the transaction(s).

Interview the cardholder(s) to determine who made the purchases, the 
purpose of the purchases, and whether they disputed the transactions.

Interview the vendor(s) where questionable transactions were made and:

* obtain any documentation relating to the transactions, including a 
detailed description of items purchased, such as serial numbers, or 
specific services provided;

* determine where property was delivered or where the services were 
provided;

* determine whether the vendor records the telephone number from which 
the order for goods or services was made; and

* determine whether the vendor maintains a database of purchase card 
numbers and whether this database has been compromised.

Interview organization officials responsible for maintaining property 
inventory and determine:

* whether the items purchased were included in inventory, and

* how property delivered to the organization is accounted for.

Appendix VII: GAO Contact and Staff Acknowledgments:

GAO Contact:

Stephen Wm. Lipscomb, (303) 572-7328:

Staff Acknowledgments:

In addition to the person named above, David Childress, Francine 
Delvecchio, Don Fulwider, Charles R. Hodge, Jeffrey Jacobson, Jason 
Kelly, Julia Matta, John Ryan, and Sidney Schwartz made important 
contributions to this report.

FOOTNOTES

[1] The term "organization", as used throughout this guide, refers to a 
government, its divisions, or subdivisions (e.g., department, agency, 
activity, unit). 

[2] The term "program", as used throughout this guide, refers to a 
government purchase card program at the organization level.

[3] President's Council on Integrity and Efficiency, A Practical Guide 
for Reviewing Government Purchase Card Programs (Washington, D.C.: June 
2002), and U.S. General Services Administration, GSA SmartPay®, 
Blueprint for Success: Purchase Card Oversight (Arlington, Va.: April 
2002).

[4] U.S. General Accounting Office, Government Auditing Standards - 
2002 Revision - Exposure Draft, GAO-02-340G (Washington, D.C.: January 
2002).

[5] U.S. General Accounting Office, Standards for Internal Control in 
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 
1999), p. 7.

[6] Treasury Financial Manual, Volume 1 - Part 4 - Chapter 4500, 
GOVERNMENT PURCHASE CARDS, 
http://www.fms.treas.gov/tfm/vol1/v1p4c450.txt.

[7] 48 C.F.R. § 13.301(b) (2002).

[8] See the Relevant Laws and Regulations section of this guide for 
further information on the FAR provisions applicable to specific 
purchase amounts.

[9] The FAR allows personnel other than warranted contracting officers 
to use the purchase card. 48 C.F.R. §§ 1.603-3(b) and 13.301(a) (2002).

[10] .

[11] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).

[12] JWOD establishes mandatory sources of supply for all federal 
entities, requiring federal agencies to purchase supplies and services 
furnished by nonprofit agencies--such as the National Industries for 
the Blind and the National Industries of the Severely Handicapped 
(NIB/NISH).

[13] 48 C.F.R. §§ 2.101 and 13.201(g).

[14] GAO-02-340G, ¶ 7.8 - 7.10.

[15] GAO/AIMD-00-21.3.1.

[16] The GSA website 
(http://www.fss.gsa.gov/webtraining/trainingdocs/smartpaytraining/index.cfm) 
provides access to relevant purchase card training materials.

[17] Sampling selections representative of a population can be either 
statistical or nonstatistical--statistical concepts are considered, but 
not explicitly used to determine sample size, select sample items, or 
evaluate the results. However, projections of nonstatistical sample 
results are not quantifiably accurate, and GAO discourages their use in 
government audits.

[18] For nonfinancial audits, GAO commonly uses a confidence level of 
95 percent. "The 95 percent confidence level appears to be used more 
frequently in practice than any other level...90 percent and 99 percent 
confidence levels seem to be next in popularity." Hahn and Meeker, 
Statistical Intervals, A Guide For Practitioners, 1st Edition (New 
York, N.Y.: John Wiley and Sons, Inc., 1991), p. 38.
