Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity

DHS concurred with this recommendation and, in November 2006, finalized and published the DHS Purchase Card Manual containing policies and procedures that addressed, among other areas, training, independent receipt and acceptance, accountable property, and disciplinary or administrative actions. For example, in requirements for training, the manual established that employees nominated to be either approving officials (AOs) or cardholders (CHs) must complete approved purchase card training prior to issuance of the purchase card or designation as an AO. Such training includes the GSA on-line purchase card training program, supplemented by DHS-specific training, as well as annual refresher training. The manual also mandated targeted training to certain CHs and AOs needing purchase card authority above the micro-purchase threshold and/or using the purchase card as a payment mechanism against established contracts. Finally, the manual provided documentation requirements as a means to certify that individual CHs and AOs had completed their required training. The other three areas noted above were also adequately covered in the manual. Subsequent revisions of the manual were completed in 2008, and again in October 2009. Each revision reiterated and, in some areas, strengthened the policy and procedures established in November 2006.

DHS concurred with the recommendation to improve the existing electronic systems to allow better oversight of the reconciliation and certifying duties conducted by cardholders and approving officials. At the time, under SmartPay1, DHS worked with then-contractor U.S. Bank to improve the existing electronic system structure for reporting and oversight. Currently, under the SmartPay2 program, DHS's contractor, J.P. Morgan Chase, provides PaymentNet, an electronic bankcard transaction and management system that allows for oversight of the review and approval process. Of particular relevance, PaymentNet has a Certification Report, which identifies cardholders and approving officials that have not reviewed and approved transactions in the PaymentNet system. By enhancing the capabilities of their purchase card management system, DHS can now fully access and review the reconciliation and certification activities of cardholders and approving officials.

DHS concurred with this recommendation and indicated the Office of the Chief Financial Officer (CFO) would conduct reviews to determine if adequate resources are devoted to the purchase card program at both the agency and component level and develop oversight responsibilities for the program. In May 2007, the CFO conducted an organizational design and leading practice study of the Office of Financial Management. The study resulted in increasing staff resources to the Department's Charge Card Program. In addition, an Internal Control Division was established to dedicate staff towards improving Department-wide internal control, including controls over purchase cards. In FY 2008 and 2009, the Internal Control Division and Office of Financial Management executed internal control tools to assess purchase and other charge card programs to support the implementation and promotion of charge card policies. Development of an overall Charge Card Management Plan has included establishing a key internal control checklist for purchase cards, using the checklist to complete annual reviews and assessments of purchase card controls for each DHS component agency, statistical sampling of each component's card transactions, and post payment audit procedures to improve monitoring and oversight of transactions for fraud, waste, and abuse.

DHS concurred with the recommendation to adopt prudent purchasing practices through arrangements with dependable government sources and/or private-sector vendors. The agency began a re-tooling effort to establish contractual relationships for known emergency supplies and services prior to a disaster so there would be fewer unplanned transactions. It developed procedures to standardize the procurement process for emergency requirements using required sources of supply, instituted training programs consistent with the new procedures, and provided specific information to contracting personnel on contractual vehicles to be used for emergency contracting situations. For example, in FY 2008, DHS developed the FEMA Disaster Plan for Purchase Card Usage which sets out standard operating procedures for purchase card use during a presidential emergency or disaster declaration to ensure that policies and procedures are consistently applied and acquisitions are made in compliance with federal acquisition regulations. Also in 2008, DHS's Strategic Sourcing Office retracted its mandate for ordering certain supplies and services from one designated single source in order to allow DHS customers to use multiple ordering mediums for commonly purchased supplies/services, and emphasized the use of DHS blanket purchase agreements, wherever possible, to achieve more favorable prices.

The DHS Purchase Card Manual published in November 2006 included policies and procedures to limit approving officials' spans of control and to ensure approving officials have an appropriate number of transactions so that they can conduct a thorough and proper review of supporting documentation for each transaction. Specifically, language regarding span of control in the 2006 Purchase Card Manual stated that organizational program coordinators (OPCs) would determine the actual number of cardholders managed by each approving official (AO) and that each AO would provide approval, validation, oversight, and monitoring of purchase card activity over their designated cardholders. The manual stated that a single individual may not be an AO for more than 7 cardholders, or approve more than 300 transactions a month on a regular basis. Subsequent versions of the DHS Purchase Card Manual that were published in 2008 and most recently in October 2009 contain these same requirements.

DHS concurred with the recommendation concerning the monitoring and reviewing of open accounts and reported in December 2006 that it had closed out about 2,000 cards. Subsequently, DHS transitioned to the current purchase card reporting system, SmartPay2, and has continued to review all open accounts, closing those accounts that were no longer active or necessary. DHS currently uses several reports to continuously monitor and review all open accounts--an Account Activity Report that identifies accounts with no activity and an Account Renewal Report that identifies the "date last used" for each account. Both of these reports are generated in real time by the system and can be accessed at any time by the purchase card program coordinators for card reissuance and/or cancellation. These reports are accessed and reviewed at least monthly, but they can be reviewed more frequently to meet program needs.