FDIC Procurement Credit Card
Program
January 31, 2003 Audit Report No.
03-013
Federal Deposit Insurance
Corporation Office of Audits Office of Inspector
General Washington, D.C. 20434
DATE: January 31, 2003
TO: Arleas Upton Kea, Director, Division of Administration;
and Fred S. Selby, Director, Division of Finance
FROM: Russell A. Rau [Electronically produced version;
original signed by Sharon M. Smith], Assistant Inspector General for
Audits
SUBJECT: FDIC Procurement Credit Card Program (Audit
Report No. 03-013)
The Federal Deposit Insurance Corporation (FDIC) Office of
Inspector General (OIG) has completed an audit of the FDIC’s
procurement credit card program. In May 2000, we issued another
audit report regarding the FDIC’s procurement credit card program.
(Note: FDIC OIG Audit Report No. 00-015, Audit of the
Corporation’s Procurement and Travel Card Programs, dated May
24, 2000.) Our May 2000 report focused on an
evaluation of established policies and procedures and administrative
compliance reviews performed by the FDIC’s Division of
Administration (DOA). DOA performed the reviews of procurement
credit card transactions to ensure compliance with the policies and
procedures. The audit showed that the FDIC adequately implemented
those control activities, and employees properly utilized the cards.
In September 2001, we received a request from Senator Charles E.
Grassley, Ranking Minority Member, U.S. Senate Committee on Finance,
regarding the FDIC’s use of government charge cards. We undertook
two additional audits in response, one related to the FDIC’s travel
card program and the subject review related to the Corporation’s
procurement credit card program. (Note: FDIC OIG Audit Report No.
02-030, FDIC Travel Card Program, dated August 30, 2002.) The
objective of our current audit was to determine whether the FDIC had
implemented effective internal control over its procurement credit
card program to reduce the risk of improper procurement credit card
usage. (Note: The five standards for internal control in the federal
government as prescribed by the U.S. General Accounting Office (GAO)
in Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1, November 1999) are: (1) the control
environment, (2) risk assessment, (3) control activities, (4)
information and communications, and (5) monitoring. These standards
provide a general framework. In implementing these standards,
management is responsible for developing the detailed policies,
procedures, and practices to fit their agency’s operations and to
ensure that they are built into and an integral part of operations.)
Appendix I provides details of our scope and methodology.
BACKGROUND
In an effort to streamline the procurement process for low dollar
goods and services, the General Services Administration (GSA)
initiated the Government-Wide Credit Card Program. The
Government-Wide Credit Card Program allows appropriately authorized
federal employees to make official government purchases using a
procurement credit card. The program was designed to reduce the
administrative timeframes and costs generally associated with low
dollar value procurements.
The GSA awarded contracts to various banks to provide the
procurement credit card services for federal agencies. Each
participating agency was permitted to select a bank to provide its
credit card services. The FDIC elected to participate in the credit
card program and selected the Bank of America. Each month the Bank
of America provides the FDIC with a billing statement reflecting all
procurement credit card purchases.
In order to provide guidelines for conducting its credit card
program, the FDIC developed the FDIC Acquisition Policy Manual
(APM), Section 9.E., entitled FDIC Procurement Credit Card
Program. The policy describes control activities, the roles and
responsibilities of individuals and the FDIC offices that conduct
the program, guidelines for credit card usage, purchase limits, and
administrative procedures such as how to request a card. Key roles
within the FDIC’s procurement credit card program include the Agency
Program Coordinator (APC) within DOA, Approving Officials (AO),
Cardholders, and Accounting Contacts. The APC serves as the liaison
to the Bank of America, and GSA and is responsible for oversight and
administration of the FDIC program nationwide. Also, the APC
develops program policies, provides clarification and guidance to
program participants, and is responsible for reporting program
activities to FDIC executive management.
AOs are representatives of an FDIC division or office who are
responsible for reviewing and approving all charges incurred by
cardholders. According to the APM, AOs are responsible for
periodically reviewing purchase receipts in conjunction with the
approval of the monthly statements; verifying proper documentation;
assisting with the resolution of disputed items, when necessary; and
ensuring compliance with the FDIC billing office’s requirements for
statement verification and approval and cardholders exceeding
established monthly procurement limits. The APM requires AOs to
ensure that the cardholder maintains complete records of all credit
card charges, including the original monthly billing statement,
charge slips, and original receipts. In addition, the APM requires
AOs to review purchase receipts to ensure that cardholders do not
split purchases to circumvent their single purchase limit and the
combined charges of cardholders do not exceed established monthly
procurement limits.
The APM also provides guidelines for cardholders. AOs designate
cardholders and the APC approves the designation. Cardholders make
purchases for their respective FDIC office or division and are
responsible for:
- maintaining physical security of their card and safeguarding
the credit card account number;
- ensuring that the card is used solely for official FDIC
business, in accordance with FDIC policy;
- obtaining fair and reasonable prices for all purchases and
ensuring that the prices do not include sales taxes;
- maintaining sufficient documentation and descriptions to
justify card charges; and
- verifying the accuracy of the charges reflected on their
monthly billing statements from the Bank of America.
Another function involved in the FDIC’s procurement credit card
program is the Accounting Contact. AOs designate an Accounting
Contact for their FDIC division or office. The Accounting Contact
assists with the payment process by reconciling the cardholder’s
record of purchases to the monthly cardholder statement of credit
card charges from the Bank of America and preparing an Excel
spreadsheet. The spreadsheet contains all the purchasing information
during the billing cycle, and the Accounting Contact provides this
information to the FDIC Division of Administration’s Acquisition and
Corporate Services Branch, Acquisition Section. The Acquisition
Section prepares a Purchase Authorization Voucher and forwards this
voucher to the Division of Finance for final payment to the Bank of
America for items or services procured.
The FDIC’s APM also establishes procurement thresholds. The
maximum single purchase limit for any cardholder is $5,000 unless
approved by the APC. In addition, according to the APM, the monthly
procurement limit for a cardholder is $50,000 unless a higher amount
is approved by the APC. However, in practice, many cardholders have
thresholds of $2,500 for a single purchase and $25,000 monthly. As
the procurement credit card program has evolved, the APC has
approved higher thresholds for certain cardholders. These thresholds
range from $25,000 for single and $150,000 for monthly purchases to
$250,000 for single and $1,000,000 for monthly purchases. (Note:
Only one FDIC employee, the Chief, Administration Contracting Group,
has a threshold of $250,000 for single and $1,000,000 for monthly
purchases.)
In addition to the above guidelines, the APM describes the types
of purchases that are acceptable and those that are prohibited. Some
examples of acceptable purchases include: building repairs,
equipment purchases, external training courses, membership fees and
association dues, advertising, carpet repair, and non-monetary
awards. Some examples of prohibited purchases include official
travel expenses, rental or lease of buildings, telecommunications
services, artwork, and computer software/hardware warranties.
Additionally, only cardholders in the FDIC Division of Information
Resources Management (DIRM) are authorized to procure information
resources management goods and services.
The FDIC’s procurement credit card program has over 500
cardholders. For the 2-year period beginning January 1, 2000,
purchases made as part of the procurement card program totaled
approximately $15 million. Given this level of usage, the
Corporation uses internal control procedures to ensure proper
procurement credit card usage and assist in preventing and detecting
fraud, abuse, and errors. For example, it has established controls
for spending thresholds and responsibilities of all parties involved
in the program.
Toward the end of our audit fieldwork, the President’s Council on
Integrity and Efficiency, composed of presidentially appointed
Inspectors General (IG), and the Executive Council on Integrity and
Efficiency, mainly composed of the IGs who are appointed by agency
heads, issued A Practical Guide for Reviewing Government Purchase
Card Programs. This guide also incorporates the GAO Control
Standards, and we used it as a reference in conducting our review.
RESULTS OF AUDIT
Internal control over the Corporation’s procurement credit card
program was not fully effective. In line with the GAO’s standards
for internal control, the FDIC took action to foster an environment
for proper use of procurement cards by establishing and
communicating formal policies, procedures, and approval processes to
reduce the risk of improper use of the card. However, we determined
that FDIC employees were not always fully complying with established
policies, procedures, and control activities, and in some cases the
policies and procedures needed reinforcement, modification, or
clarification. It is important to note that individual deficiencies
were not material; however, collectively, they represent systemic
weaknesses that increase the risk of misuse. For example, in some
cases procurement credit cards and numbers were not properly
safeguarded, employees were able to circumvent purchase limits, some
purchases lacked supporting documentation, and employees at times
incurred sales taxes although the APM specifically prohibits paying
these charges. Also, in the absence of clear policies and
procedures, extravagant meals and alcoholic beverages were purchased
with procurement credit cards, as well as other purchases that may
not qualify as "official business." (Note: It should be noted that
no regulatory or contractual prohibitions are in effect for the FDIC
with respect to the purchase of alcoholic beverages.)
The FDIC could strengthen its procedures for monitoring and
overseeing the effectiveness of the procurement card program. The
FDIC does not have effective procedures for canceling the cards for
employees departing the FDIC, and in several cases, former employees
continued to have credit card privileges even after their departure
from the Corporation. In addition, the FDIC did not perform analyses
on a regular basis to determine whether cardholders are using the
procurement credit card and have a business need for the card. Some
employees in our sample were issued cards but rarely used them,
increasing the risk of misuse or undetected loss of the procurement
credit card. Finally, procurement cardholders had spending limits
that exceeded their normal purchase activity, and limits were not
reviewed to ensure they reflected the extent of spending that users
were likely to incur. As a result, the FDIC procurement credit card
program is more vulnerable to fraud and misuse.
The Corporation has not conducted a formal risk analysis to
identify specific types of vulnerabilities and steps to address
them, such as training, revisions to policy, and other means of
communicating information on the proper use of the card. The risk
analysis is another suggested component of GAO’s standards for
internal control.
COMPLIANCE WITH EXISTING FDIC POLICIES
FDIC employees responsible for conducting procurement credit card
functions did not consistently safeguard the cards or comply with
other existing FDIC policies and procedures. For example,
cardholders
- allowed other FDIC employees to use their card to purchase
goods and services for the Corporation,
- circumvented charge card limits by splitting purchases,
- did not retain required documentation,
- purchased items that should have only been purchased by
employees of authorized divisions, and
- paid sales taxes although prohibited.
The GAO’s Internal Control Management and Evaluation Tool
recommends control activities such as training to help employees
understand their roles and responsibilities. However, the FDIC had
not established an ongoing training program for employees involved
in the Corporation’s procurement credit card program. Non-compliance
can result in credit card abuses or losses to the FDIC.
Procurement Credit Cards Not Properly Safeguarded
Procurement cardholders allowed other employees who were not
authorized to purchase goods or services for the FDIC. FDIC APM
9.E.4.c (2) states that cardholders are designated by the AO and
approved by the APC to make purchases for their respective division
location accounts through the use of their procurement credit cards.
These cardholders are responsible for the physical security of their
card and for safeguarding the credit card account number. We
identified four cardholders working in DIRM who allowed other DIRM
employees to purchase goods and services for the FDIC using the
cardholder’s procurement credit card. One of the four DIRM employees
who had a procurement credit card issued to him, with thresholds of
$5,000 per transaction and $50,000 monthly, allowed several other
DIRM employees to charge goods and services on the card. The
procurement cardholder provided the credit card number to these
individuals to use in making purchases. When these individuals made
purchases, the transactions would be recorded on the monthly bill of
the cardholder. The cardholder would then request receipts from the
employees who were making the purchases. Once the cardholder
received the receipts, the cardholder would review the charges and
forward the bill and receipts to the approving official who later
approved all the charges.
The DIRM cardholders stated that it was a business decision to
limit the number of physical procurement credit cards issued in DIRM
so that only higher ranking employees received a card to purchase
goods or services. However, the cardholders provided subordinates
with the card number and permitted them to make purchases. It should
be noted that the DIRM employees making the purchases were doing so
as a standard part of their work requirements. However, by allowing
multiple employees to use the procurement card and exposing the
account number, the FDIC employees increased the risk of an
individual accessing the credit card privileges and improperly
purchasing items. The Agency Program Coordinator, Acquisition
Services Branch, DOA, needs to ensure that all procurement credit
card holders are aware of not allowing other FDIC employees to use
their procurement credit cards. In addition, cardholders need to be
aware of the importance of maintaining security of the credit card
itself and the credit card number.
During our audit, we notified DOA of this matter, and DOA
initiated three actions. First, DOA authorized additional
procurement credit cards for the DIRM employees who were responsible
for making purchases. This facilitated tracking and accounting for
the credit cards and card activity. Second, DOA issued a notice to
procurement credit card program participants, reinforcing the
Corporation’s policy on the authorized use of the procurement credit
card and reminding cardholders of the critical importance of
adhering to the policy. Third, DOA cancelled the credit card
privileges for the DIRM employee whose credit card number was widely
distributed to other employees.
Non-Compliance with FDIC Procurement Credit Card Policies
We noted multiple instances of non-compliance with procurement
credit card policies. The FDIC’s APM prohibits activities such as
splitting purchases to circumvent spending limits, requires rotating
sources to preclude repeated acquisitions from the same vendor, and
requires responsible employees to maintain documentation to support
their purchases. In addition, the policy restricts the purchase of
certain items such as books, office supplies, and information
resources management goods and services to only cardholders in
designated FDIC divisions and states that procurement credit card
charges are not subject to sales taxes.
Twenty-five of 30 cases (84 percent) in our audit sample involved
at least one instance where an employee did not comply with
established requirements. In 7 of the 30 cases, there were 3 or more
instances of non-compliance. Among these, there were instances of
splitting purchases that circumvented procurement credit card
spending limits. Split purchases can also limit competition for
procurements. Not adhering to the Corporation’s guidelines increases
the risk of improper procurement card usage, paying excessive
prices, erroneous payments, or fraudulent purchases.
Table 1 shows the types of non-compliance and the number of
cardholders for each type. (Note: Some cardholders had multiple
instances of non-compliance.
Table 1: Instances of Non-Compliance
Type of Non-Compliance |
Number of Cardholders |
Potential Risks |
No Supporting Receipts/ Charges Not
Properly Documented |
10 |
Unauthorized purchases |
Paid Sales Taxes |
10 |
Excessive costs |
Unresolved disputed amounts |
2 |
Excessive costs |
Use of Card or Card Number by
Employees Other Than Cardholder |
6 |
Unauthorized purchases |
Split Purchases/Multiple Purchases
from Same Vendor |
2 |
Excessive costs due to lack of
competition |
Inappropriately Purchased
Restricted Equipment |
1 |
Excessive costs/ Unauthorized
purchases |
Various Other Types of
Non-Compliance (example-exceeding non-monetary award
limits) |
8 |
Excessive costs/ Unauthorized
purchases |
Source: OIG analysis of cardholder records.
The Corporation does not have an ongoing training program for all
procurement cardholders, approving officials, and accounting
contacts. Rather, management stated that in the past, training has
been provided to cardholders on an inconsistent basis. Specifically,
in 1996 and 1997 mandatory briefings were held for program
participants. In addition, in 2001, briefings were held for
cardholders with increased thresholds. However, this training has
not been provided on a regular basis to all cardholders nor have the
policies been reiterated to cardholders periodically. Periodic
training is a control activity that provides a level of assurance
that employees understand their responsibilities, particularly those
regarding procurement card usage.
In order to ensure that agencies implement adequate systems of
internal control over their programs, the U.S. General Accounting
Office issued Standards for Internal Control in the Federal
Government (Control Standards). Those standards provide a
basic framework for agencies to assess the risks they face and to
determine internal control activities necessary to mitigate those
risks. Internal control activities may vary from agency to agency
depending upon such factors as risk. However, the GAO’s Internal
Control Management Evaluation Tool (GAO-01-1008G, August
2001), which is based on the Control Standards, recognizes
that the effective management of an organization’s workforce, its
human capital, is a common internal control activity. Specifically,
according to GAO, management should provide employees with the
necessary orientation and training to perform their duties and
responsibilities and meet the demands of changing organizational
needs. As noted in Table 1, the high incidence rate of
non-compliance with FDIC procurement credit card policies increases
significantly the risk to the Corporation of unauthorized purchases
and excessive costs, including those caused by a lack of price
competition.
Recommendation
We recommend that the Director, DOA:
- Provide periodic training to procurement cardholders and
approving officials in order to reiterate the policies and
procedures governing the procurement credit card program. The
policies over roles and responsibilities; security over the card;
procurement thresholds; permissible, prohibited, and restricted
use; supporting documentation requirements; repeated acquisitions
from the same vendor (split purchases); refreshment/meal
requirements; payment of sales taxes; and procedures for card
usage should be reinforced.
PROCUREMENT CREDIT CARD USED FOR "EXTRAVAGANT MEALS" AND
QUESTIONABLE BUSINESS PURPOSE
In a very limited number of cases, procurement credit cards were
used for meals and refreshments that could be considered
"extravagant" and where the business purpose was questionable based
on existing FDIC policy. Also, in one case the approving official
for a cardholder was a subordinate. While limited, each of these
instances evidences the lack of clear FDIC policy guidance on
aspects of the procurement credit card program that can result in
increased costs to the FDIC.
Although the FDIC’s APM prohibits purchases of extravagant meals,
it does not define the term "extravagant." For comparative purposes
to judge the extravagance, we used the FDIC’s policies for
reimbursing meals of employees while in a travel status. The FDIC
reimburses employees $22 per day for dinner and $11 per day for
lunch expenses for the geographic locations we reviewed. For
analytical purposes, we considered expenditures that were double the
travel reimbursement rates or greater to be extravagant, i.e., $44
or more for dinner and $22 or more for lunch. In instances noted,
the employees charged meals that exceeded our baseline by as much as
3 times that amount. These charges also included alcoholic
beverages, which is an expense that the FDIC does not reimburse
employees for under its general travel policies. (Note: FDIC’s
General Travel Regulations, Travel Regulations Overview,
Nonreimbursable Expenses.) Table 2 provides a comparison of the cost
of the meals versus our baseline amount for analytical
purposes.
Table 2: Analysis of Meal Costs
OCCASION |
TOTAL PRICE |
NUMBER OF EMPLOYEES |
PRICE PER PERSON |
OIG BASELINE (2 TIMES PER DIEM
RATE) |
1 – Conference Dinner |
$3,886 |
76 |
$51 |
$44 |
2 – Conference Dinner |
$2,238 |
17 |
$132 |
$44 |
3 – Lunch |
$119 |
3 |
$40 |
$22 |
Source: OIG analysis of cardholder records.
Example 1 reflects the cost of dinner and drinks, including
alcoholic beverages, for a meal associated with an FDIC conference.
In example 2, although drinks were included in the price, we were
unable to determine whether alcohol was purchased based on review of
the bill which did not further break down the charges. Example 3 in
the above table represents a purchase at a Washington, D.C.
restaurant where the cardholder used his procurement credit card to
buy lunches for a total of three FDIC employees. The cardholder
intended the purchase as an appreciation or farewell gesture for one
of the attendees. The bill included charges for alcoholic beverages.
In addition to the cost of the lunch being almost twice the
reimbursable lunch per diem rate for Washington, D.C. of only $22,
we question the business purpose of the lunch. Existing FDIC policy
is unclear on whether this is an official FDIC business expense.
Rather than the Corporation paying for meals of employees leaving
the FDIC, this type of more personal expense could be paid for by
the attendees of the farewell lunch.
The FDIC’s APM states that the procurement cards can be used for
refreshments and meals as long as the purchase is non-extravagant
and used during the ordinary course of official FDIC business
conferences, meetings, luncheons, dinners, or other functions.
However, the manual does not further define "official FDIC
business." The examples stated above appear to be extravagant in
nature when reviewing the cost per person and comparing the amount
to the reimbursable per diem rate for an employee on official
travel. In addition, the Corporation should only pay for charges
that are business-related and benefit the Corporation. For example,
credit card charges to celebrate birthdays, retirements, holidays or
other special personal celebrations should be prohibited.
Additionally, although the APM does not specifically prohibit the
purchase of alcoholic beverages using the procurement credit card,
the FDIC’s travel policies provide guidelines concerning
reimbursable employee expenses. Those guidelines prohibit the
reimbursement of employees for purchases of alcoholic beverages. In
addition, FDIC’s Circular 2500.3, FDIC-Sponsored Government Travel
Card Program, states that the travel card is to be used only for
official travel-related services. Because the purchase of alcohol is
not an allowable travel reimbursement, the travel card should not be
used for these types of purchases. Further, the FDIC’s travel card
has a block on purchases made at package stores for items including
beer, wine, and liquor. Therefore, in our opinion, permitting the
purchase of alcoholic beverages using the procurement card is
inconsistent with travel card policies, could adversely impact the
public’s perception of the Corporation and its employees, and could
pose related liability issues to the Corporation.
Finally, the approving official for the cardholder who purchased
the meals totaling $2,238 was the cardholder’s subordinate. It is
not a good business practice to have the approving official as a
subordinate to the cardholder because the cardholder can exercise
influence over the approving official. The current APM is silent on
this issue. Modifying the manual to preclude an approving official
being subordinate to the cardholder can help deter misuse of
procurement credit cards.
Recommendations
We recommend that the Director, DOA, use the FDIC’s Acquisition
Policy Manual, Chapter 9, to:
- Define extravagant meals and refreshments and what constitutes
an allowable and unallowable expense for meal purchases using the
procurement credit card.
- Prohibit the purchase of alcoholic beverages using the
procurement credit card.
- Require approving officials not be subordinates to the
cardholders for whom they approve purchases.
CANCELLATION OF PROCUREMENT CREDIT CARDS
The FDIC did not cancel procurement cards timely for employees
departing FDIC employment. Specifically, the procurement card was
not canceled timely for six of eight former employees in the sample
we reviewed. The FDIC canceled the cards from 3 to 104 days after
the employee was no longer employed by the Corporation. This
occurred because the FDIC did not follow the guidelines in its APM
and the FDIC lacked adequate pre-departure clearance procedures for
employees departing FDIC employment. Untimely cancellation increases
the risk that former employees or others who may have access to the
account number may make unauthorized purchases.
The APM Section 9.E.6.e, Procurement Credit Card Program
–Resignation or Reassignment of Cardholder or Approval
Official, requires that when a cardholder leaves the FDIC or
moves to another FDIC location, the APC, or his/her designee, must
be immediately notified. Before a cardholder’s departure from
his/her office, the AO must ensure that the credit card is retrieved
from the cardholder and destroyed. The APC, or his/her designee,
should notify the Bank of America, and the account will be closed.
Because the FDIC has reorganized and reduced staffing levels
corporate-wide, many individuals have left or will be leaving the
Corporation. Improvements are needed to cancel procurement credit
cards when individuals leave either permanently or to relocate. One
additional means of strengthening controls is to revise Circular
2150.1, Pre-Exit Clearance Procedures for FDIC Employees,
specifically the Pre-Exit Clearance Record for Employees. During the
period of our review, the circular did not incorporate the
requirement in APM 9.E.6.e regarding retrieval of the credit card
from relocating or departing employees. Subsequent to our review,
the FDIC revised the circular to include the procurement credit card
as an item for collection, and the circular now describes specific
actions that need to be taken for departing employees holding the
procurement credit cards. During the course of our review, we
discussed this matter with DOA and issued a memorandum to advise the
Director, DOA, of the weakness in the procurement credit card
cancellation process.
On July 3, 2002, DOA issued a notice to all credit card approving
officials and administrative officers to highlight the corporate
policies pertaining to exiting and relocating employees. The notice
also stated that due to the FDIC’s ongoing reorganization and number
of people leaving the Corporation under the buyout program,
approving officials were requested to provide a list of all
procurement cardholders currently under their authority. Further,
the notice communicated the new procedures contained in Circular
2150.1, Pre-Exit Clearance Procedures for FDIC Employees. DOA issued
the Circular in final on September 17, 2002. The revised circular
includes the following added control activities:
- The procurement credit card and corresponding convenience
checks are listed on the Pre-Exit Clearance Record for Employees
form as items that need to be returned to the FDIC.
- Administrative officers are required to obtain the employee’s
FDIC procurement credit card; any remaining convenience checks;
and cardholder file, including receipts for outstanding charges,
before the last day of official duty. The administrative officer
must also notify the APC of the cardholder’s effective date of
departure, destroy and dispose of the cardholder’s procurement
card and convenience checks upon receipt of cancellation
information from the APC, and return the cardholder file to the
APC with any outstanding receipts.
Implementation of the control activities mentioned above will
reduce the risk of improper procurement credit card usage by former
employees. However, canceling a cardholder’s card and convenience
checks in a more timely manner, specifically, as soon as employees
provide notice that they will leave FDIC employment or in cases
where they relocate and will no longer be in positions requiring use
of the card, will further strengthen internal control. This measure
should help reduce the risk of any unauthorized purchases by the
cardholder between the time that notice is provided to the FDIC and
the actual departure or transfer date and ensure that the
procurement credit card is canceled prior to the employee’s actual
departure or transfer.
Recommendation
We recommend that the Director, DOA:
- Enforce APM Section 9.E.6.e by reminding cardholders/approving
officials of the requirement to immediately notify the APC, or
his/her designee when the cardholder/approving official either
leaves the FDIC or moves to another FDIC position so that the APC
can notify the Bank of America to cancel the card.
ISSUING PROCUREMENT CARDS AND REDUCING PROCUREMENT
THRESHOLDS
Many FDIC procurement cardholders were only using the card for a
limited amount of activity. In addition, procurement cardholders had
spending limits that exceeded their normal purchase activity. For
instance, 79 cardholders used the card five times or fewer during a
2-year period. One of those cardholders had a single purchase limit
of $250,000 and another had a limit of $100,000. The highest dollar
amount that these individuals spent during a 2-year period was
$98,490 and $1,833, respectively. The FDIC had not reviewed
cardholder purchase records to assess cardholder inactivity and
excessive spending limits. The GAO’s Internal Control Management
and Evaluation Tool suggests that the risk of unauthorized use
be controlled by restricting access. Excessive access to procurement
credit card privileges increases the risk of unauthorized usage.
Limiting access to credit card privileges is an essential internal
control activity.
The Director of the Office of Management and Budget (OMB)
recognized the importance of internal control in the federal
government’s credit card program and issued OMB Memorandum M-02-05,
dated April 18, 2002, suggesting that agencies prepare remedial
action plans for their programs. Specifically the memorandum states
"Your plans should also include an examination of the number of
cards issued at your agency. One step that may prove useful would be
to deactivate all current cards and reactivate them selectively for
a smaller number of cardholders, based on demonstrated necessity."
By examining the number of cards issued and the related thresholds,
the FDIC may be able to preclude unnecessary access to credit card
privileges and reduce the risk of unauthorized card usage.
Recommendations
We recommend that the Director, DOA:
- Perform an analysis on a regular basis to determine whether
cardholders are using the card. If a cardholder is not using the
card on a fairly regular basis, consider canceling the card
privileges.
- Review the spending limits for all cardholders and ensure that
the limits reflect the extent of spending that they are likely to
incur.
MANAGEMENT ASSESSMENT OF PROGRAM RISK
Management can enhance its assessment of procurement card program
risk by conducting a risk assessment. Notwithstanding establishment
of an overall control environment, including policies and procedures
to address the risk of improper use of the card, the Corporation has
not conducted a formal risk analysis that may have identified
specific types of vulnerabilities and steps to address them. DOA
does engage in periodic Administrative Compliance Reviews (ACR) of
procurement credit card use. These reviews examine the
appropriateness of procurement credit card use and support for
purchases made after the fact. However, without first devising a
thorough plan for risk management over the entire procurement card
program, these reviews may be a less effective control than they
could be. For example, a risk assessment could identify
vulnerabilities that are not presently tested using the ACRs.
Additionally, lack of an overall risk assessment may have limited
DOA from establishing all other necessary control activities. This
absence of risk identification may make the Corporation’s
procurement credit card program vulnerable to increased misuse.
According to GAO’s Standards for Internal Control, a risk
assessment is an integral component of the entity’s internal control
system. GAO states that management has to formulate an approach for
risk management and decide upon the internal control activities
required to mitigate those risks and achieve the internal control
objectives of efficient and effective operations. Review of both
internal and external risks involved in a program facilitates the
design of effective internal control activities.
Such an assessment of the FDIC procurement credit card program
could have helped identify a need for increased emphasis on
compliance and training, better clarity of policies, appropriateness
of purchase thresholds, more timely cancellation of cards, and other
means of communicating information on the proper use of the card.
Absent full awareness of the risks, management controls were not as
effective as they could have been and the program as a whole was
more vulnerable.
Recommendation
We recommend that the Director, DOA:
- Conduct a risk assessment of the procurement card program and
establish the necessary control activities to mitigate the risks
identified.
CORPORATION COMMENTS AND OIG EVALUATION
On January 24, 2003, the DOA Director provided a written response
to the draft report. The response is presented in Appendix II to
this report. In its written response, DOA management concurred with
recommendations 1, 4, 5, 6, 7, and 8. These recommendations are
considered resolved but will remain undispositioned and open until
we have determined that agreed-to corrective actions have been
completed and are effective. DOA management did not concur with
recommendations 2 and 3, suggest acceptable alternative actions, or
provide information that would convince us to revise either of the
two recommendations. Because these two recommendations remain
unresolved, undispositioned, and open, we are requesting DOA to
reconsider its response to our report and provide us additional
comments. DOA’s responses to the recommendations are summarized
below along with our evaluation of the responses.
Recommendation 1: Provide periodic training to procurement
cardholders and approving officials in order to reiterate the
policies and procedures governing the procurement credit card
program. The policies over roles and responsibilities; security over
the card; procurement thresholds; permissible, prohibited, and
restricted use; supporting documentation requirements; repeated
acquisitions from the same vendor (split purchases);
refreshment/meal requirements; payment of sales taxes; and
procedures for card usage should be reinforced.
DOA concurs with this recommendation. Subsequent to the end of
our fieldwork in September 2002, DOA completed an online procurement
credit card training module in December 2002 which will be available
to program participants by the end of January 2003. The program’s
training policy is also being revised and will require all new
cardholder applicants to take the course and receive a passing score
prior to receiving the procurement credit card. Completion of the
training module will be recorded in the FDIC training server, and
the APC will have access to the training server to monitor
cardholders’ completion of the required training module. Existing
cardholders will also be required to take periodic training to
refresh cardholders on their roles and responsibilities under the
program.
In our view, the efforts made to date by DOA to have an online
training program available to all procurement cardholders will
improve the overall effectiveness of the program. Tracking the
completion of the training for cardholders by the APC will also
improve controls. In addition, to clarify a statement made in DOA’s
response, the OIG reviewed 30 cardholders from a population of 132
cardholders who engaged in at least $1,000 of purchases during the
last quarter of 2001. In total, there were 780 credit card
transactions for the 30 cardholders for this period. DOA stated in
its response that there were 6,188 credit card transactions;
however, this total reflects transactions during calendar years 2000
and 2001. The difference in the number of transactions used by DOA,
6,188 versus 780 in the OIG sample, increases the error rate from 1
percent as computed by DOA to approximately 9 percent.
This recommendation is resolved but will remain undispositioned
and open until we have determined that agreed-to corrective action
has been completed and is effective.
Recommendation 2: Define extravagant meals and refreshments and
what constitutes an allowable and unallowable expense for meal
purchases using the procurement credit card.
DOA does not concur with this recommendation. DOA stated that the
focus should not be on creating a definition for extravagant, but
should instead be directed on the adequacy of the internal controls
that govern approval. DOA does not consider that the examples cited
by the OIG meet the intent of the definition of extravagant. DOA
believes that the APM sufficiently addresses the purchase of meals
and refreshments in a manner that minimizes potential risks to the
Corporation. Specifically, the purchase of all refreshments and
meals must be approved in advance and in writing at the Assistant
Director-level or above in headquarters or the Regional
Director/Regional Manager in the field. The current practice
elevates the approval process to an executive level manager who has
the ability to use discretion as circumstances warrant. DOA believes
this high level of advanced written approval serves as an adequate
internal control as it pertains to the use of the procurement card
for refreshments. Further, DOA stated that for each of the
exceptions noted in the OIG report, proper approval was obtained.
The pre-approval process alone will not result in consistent
application of approved expenses throughout the Corporation if the
Corporation does not further define in the APM extravagant meals and
refreshments and what constitutes an allowable and unallowable
expense for meal purchases. As cited in our examples, and from DOA’s
response, individuals have different definitions of extravagance and
different opinions on the allowability of meal purchases. For
example, the OIG considers that spending $132 per person for a meal
and drinks is extravagant. Also, the Corporation should not be
paying for the going away lunch for employees leaving the FDIC. This
type of expense should be paid by the attendees of the farewell
lunch. By defining both extravagant and what constitutes an
allowable and unallowable expense for meal purchases, the FDIC can
better control costs charged to procurement cards. Further, the OIG
did not see evidence that prior written approval was obtained for
the three exceptions noted in the report.
Because this recommendation is unresolved, undispositioned, and
open, we have requested DOA to reconsider its response to our report
and provide us additional comments.
Recommendation 3: Prohibit the purchase of alcoholic beverages
using the procurement credit card.
DOA does not concur with this recommendation. DOA stated as with
recommendation 2, above, that appropriate controls are in place and
alcohol may only be purchased using the procurement credit card
under these circumstances and controls. The current practice
elevates the approval process to an executive level manager who has
the ability to use discretion as circumstances warrant. Other than
this approval process, alcohol may not be purchased using the
procurement credit card.
The OIG’s position is that the APM, Chapter 9, should prohibit
the purchase of alcoholic beverages using the procurement credit
card. Permitting the purchase of alcoholic beverages is inconsistent
with travel card policies, could adversely impact the public’s
perception of the Corporation and its employees, and could pose
related liability issues to the Corporation. Also, because
individuals have different viewpoints on the use of alcohol, policy
prohibiting the purchase of alcohol using the procurement credit
card would provide consistency throughout the Corporation.
Because this recommendation is unresolved, undispositioned, and
open, we have requested DOA to reconsider its response to our report
and provide us additional comments.
Recommendation 4: Require approving officials not be subordinates
to the cardholders for whom they approve purchases.
DOA concurs with this recommendation. DOA agrees that an
approving official should not be a subordinate to a cardholder for
whom they approve purchases. To address this issue, by the first
quarter of 2003, DOA will incorporate language into procurement
credit card policy that clearly articulates the requirements of the
approving official/cardholder relationship before issuance of a
procurement credit card.
This recommendation is resolved but will remain undispositioned
and open until we have determined that agreed-to corrective action
has been completed and is effective.
Recommendation 5: Enforce APM Section 9.E.6.e by reminding
cardholders/approving officials of the requirement to immediately
notify the APC, or his/her designee when the cardholder/approving
official either leaves the FDIC or moves to another FDIC position so
that the APC can notify the Bank of America to cancel the
card.
DOA concurs with this recommendation. DOA recently issued interim
guidance to the Corporation that addressed cancellation of the
procurement credit card during the pre-exit clearance process. In
addition, subsequent to issuing this interim guidance, the Pre-Exit
Clearance Circular was updated with the revised requirements. This
also included updating the Pre-Exit Clearance Form to require the
administrative officer to collect the credit card and sign the form
to acknowledge that the action was completed. DOA also stated that
it will issue periodic reminders to the cardholders, approving
officials, and administrative officers of the requirement to
immediately notify the APC, or his/her designee when the
cardholder/approving official either leaves the FDIC or moves to
another FDIC position so that the APC can notify the contractor to
cancel the account. The actions taken by DOA and future reminders to
appropriate staff will improve the internal controls over the
cancellation of procurement credit cards.
This recommendation is resolved but will remain undispositioned
and open until we have determined that agreed-to corrective action
has been completed and is effective.
Recommendation 6: Perform an analysis on a regular basis to
determine whether cardholders are using the card. If a cardholder is
not using the card on a fairly regular basis, consider canceling the
card privileges.
DOA concurs with this recommendation. DOA stated that usage
reports for both the credit cards and convenience checks are
obtained from the contractor on a quarterly basis. Analysis of
cardholder usage was conducted, and the results were shared with the
approving officials to determine whether credit cards should be
cancelled for certain cardholders. The APC analyzed the responses
and decided to expand the survey period to obtain a broader
perspective on cardholder usage. DOA is in the process of analyzing
the procurement credit card usage for 2002.
This recommendation is resolved but will remain undispositioned
and open until we have determined that agreed-to corrective action
has been completed and is effective.
Recommendation 7: Review the spending limits for all cardholders
and ensure that the limits reflect the extent of spending that they
are likely to incur.
DOA concurs with this recommendation. DOA stated that the APC has
incorporated a process to analyze the spending limits for
cardholders on a quarterly basis to determine whether the spending
thresholds or limits are appropriate. This evaluation is conducted
in conjunction with the APC’s analysis of cardholder usage. DOA is
analyzing the spending limits for all cardholders for 2002 and
expects to complete its analysis by March 31, 2003.
This recommendation is resolved but will remain undispositioned
and open until we have determined that agreed-to corrective action
has been completed and is effective.
Recommendation 8: Conduct a risk assessment of the procurement
card program and establish the necessary control activities to
mitigate the risks identified.
DOA concurs with this recommendation. DOA stated that it will
establish the procurement card program as an accountability unit and
test the controls for those identified risks under the Chief
Financial Officers Act. It will establish the accountability unit by
March 31, 2003 and testing will take place as dictated in the
Corporation’s annual Management Control Plan.
The recommendation is resolved but will remain undispositioned
and open until we have determined that agreed-to corrective action
has been completed and is effective.
A summary chart showing management’s responses to
all recommendations is presented in Appendix III.
APPENDIX I
SCOPE AND METHODOLOGY
To accomplish our objective, we:
- Interviewed DOA personnel responsible for monitoring the
FDIC’s procurement credit card program and personnel from various
FDIC divisions and offices responsible for making and approving
credit card purchases.
- Reviewed policies and procedures, including the FDIC
Acquisition Policy Manual, Section 9.E., entitled FDIC
Procurement Credit Card Program.
- Reviewed the President’s Council on Integrity and Efficiency
(PCIE) and Executive Council on Integrity and Efficiency (ECIE)
guide to conducting a review of an agency’s government purchase
card program.
- Reviewed the U.S. General Accounting Office’s (GAO)
Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1, issued November 1999) and GAO’s Internal
Control Management and Evaluation Tool (GAO-01-1008G, issued
August 2001).
- Obtained and relied upon data from the Bank of America that
contained all purchases made by FDIC cardholders for the period of
review, and conducted random attribute testing and data mining. We
examined all cardholder activity during the 2-year period ending
December 31, 2001 to identify trends and indicators of improper
purchases, such as purchases from establishments that sell
alcoholic beverages. From the unusual purchases identified, we
reviewed 32 in detail. In addition, we used data mining to
identify any outstanding procurement credit cards issued to former
employees as of December 15, 2001.
For our random attribute sample, we selected 30 cardholders from
a population of 132 cardholders who had engaged in at least $1,000
of purchases during the last quarter of 2001. This approach enabled
us to select cardholders who had actually used the procurement
credit card. In addition, in order to facilitate testing the
adequacy of control activities nation-wide, the cardholders were
selected from the FDIC’s Washington, Atlanta, Dallas, and Chicago
regional offices.
We conducted the audit from February 2002 through September 2002
in accordance with generally accepted government auditing standards.
APPENDIX II
CORPORATION COMMENTS
Federal Deposit Insurance
Corporation 550 17th
Sreet, NW, Washington, DC 20429 Division of Administration
January 24, 2003
MEMORANDUM TO: Sharon M. Smith, Deputy Assistant Inspector
General for Audits
FROM: Arleas Upton Kea [Electronically produced version;
original signed by Arleas Upton Kea], Director, Division of
Administration
SUBJECT: Management Response to the OIG Report: FDIC
Procurement Credit Card Program
The Division of Administration (DOA) has completed its review of
the subject Office of Inspector General (OIG) report. We appreciate
the review performed by the OIG and its recommendations to enhance
and improve the overall Procurement Credit Card Program. In the OIG
report there are eight recommendations addressed to the FDIC’s
Division of Administration (DOA). We have evaluated each
recommendation, and have provided a detailed response to include
planned corrective actions and expected completion dates as
appropriate.
Management Decision:
Recommendation 1: We recommend that the Director, DOA,
provide periodic training to procurement cardholders and approving
officials in order to reiterate the policies and procedures
governing the procurement credit card program. The policies over
roles and responsibilities; security over the card; procurement
thresholds; permissible, prohibited, and restricted use; supporting
documentation requirements; repeated acquisitions from the same
vendor (split purchases); refreshment/meal requirements; payment of
sales taxes; and procedures for card usage should be reinforced.
Management Response 1: DOA appreciates the recommendation
made by the OIG, and fully agrees that periodic training is
important. As communicated to the OIG auditors during the review,
the DOA Acquisition Services Branch (ASB), as the Agency Program
Coordinator (APC) for the Procurement Credit Card Program, has made
training an integral component of the program in order to fully
educate the universe of corporate users. In the initial training
efforts to roll-out the Procurement Card Program, DOA developed
presentation materials and conducted periodic briefings to the
corporate participants within the various FDIC divisions and offices
to indoctrinate them to the requirements and guidelines that
encompass the program. Attendance to these briefings was mandatory
to all procurement card holders and approving officials.
Moreover, further confirmation of our commitment to ensure
corporate awareness of the program was our development effort of the
online Procurement Credit Card training module that we initiated and
set in motion prior to the commencement of the OIG audit. The
training module was completed in December 2002 and will be rolled
out to program participants by the end of January 2003. The
Program’s training policy is also being revised and will require all
new cardholder applicants to take the course and receive a passing
score prior to receiving the procurement credit card. Completion of
the training module will be recorded in the FDIC Training Server,
and the APC will have access to the training server to monitor
cardholder’s completion of the required training module. Existing
cardholders will also be required to take periodic training to
refresh cardholders of their roles and responsibilities under the
program.
Given the efforts made to date by the DOA APC, we believe
management of the overall program has been effective. In addition to
training that we have provided to existing cardholders, DOA has
established a website dedicated to the program that readily provides
all pertinent information on the program, to include policies and
procedures. Additionally comprehensive oversight of the program is
built into a three tiered approach to mitigate program risks. These
include credit card transaction approval by the Approving Official,
proactive oversight by the APC, and a comprehensive internal review
program that continually evaluates and monitors the overall
corporate-wide program. As an issue is identified, APC takes
immediate action to address the cause for the given condition.
Actions may include working with the Approving Official to address
non-compliance issues, global email reminders, and/or program policy
changes.
As shown in the OIG report, the number of non-compliance
exceptions found (73) represent approximately one percent of the
total credit card transactions (6,188) reviewed by the OIG during
its audit. (Note: Information obtained from the OIG working papers.
Total Credit Card Transactions of 6,188 was compiled by the APC from
the information obtained from the Bank of America for purchases made
during the calendar years 2000 and 2001. The scope was based on the
narrative contained in the Scope and Methodology section of the OIG
draft report.) We believe that the low number of non-compliance
instances cited by the OIG is a direct result of the proactive
oversight and previous training that DOA provided. DOA believes that
an error rate of one percent is evident that the risks associated
with the program are being mitigated by the existing internal
controls that the APC has established and implemented in managing
the program.
Recommendation 2: We recommend that the Director, DOA, use
the FDIC’s Acquisition Policy Manual, Chapter 9, to define
extravagant meals and refreshments and what constitutes an allowable
and unallowable expense for meal purchases using the procurement
credit card.
Management Response 2: DOA does not agree with the
recommendation that "Extravagant Meal and Refreshments" be defined
in the FDIC’s Acquisition Policy Manual. The focus should not be on
creating a definition for "extravagant," but should instead
be directed on the adequacy of the internal controls that govern its
approval. Extravagant, as defined, means "given to imprudent or
lavish spending or exceeding reasonable limits," DOA does not
believe that the examples cited by the OIG meet the intent of the
definition, which we believe is self-explanatory. For each of the
exceptions noted in the OIG report, proper approval was obtained.
We believe that the APM sufficiently addresses the purchase of
meals and refreshments in a manner that minimizes potential risks to
the Corporation. Specifically, the purchase of all refreshments and
meals must be approved in advance and in writing at the Assistant
Director-level or above in Headquarters or the Regional
Director/Regional Manager in the Field. The current practice
elevates the approval process to an executive level manager who has
the ability to use their discretion as circumstances warrant. We
believe this high-level of advanced written approval serves as an
adequate internal control as it pertains to the use of the
procurement card for refreshments and meals.
Recommendation 3: We recommend that the Director, DOA, use
the FDIC’s Acquisition Policy Manual, Chapter 9, to prohibit the
purchase of alcoholic beverages using the procurement credit card.
Management Response 3: DOA does not agree with the
recommendation to prohibit the purchase of alcoholic beverages using
the procurement credit card. As with Response 2, above, appropriate
controls are in place and alcohol may only be purchased using the
procurement credit card under these circumstances and controls. The
current practice elevates the approval process to an executive level
manager who has the ability to use their discretion as
circumstances warrant. Other than this approval
process, alcohol may not be purchased using the procurement credit
card.
Recommendation 4: We recommend that the Director, DOA, use
the FDIC’s Acquisition Policy Manual, Chapter 9, to require
approving officials not be subordinates to the cardholders for whom
they approve purchases.
Management Response 4: DOA fully agrees with the
recommendation that approving officials should not be a subordinate
to a cardholder for whom they approve purchases. Although not
specifically stated in the APM, this practice has always been in
place and enforced by the Agency Program Coordinator (APC). As
discussed with the OIG audit team, the APC was fully aware of the
occurrence noted in the report where a subordinate employee served
as the approving official to senior level employees who were
cardholders. This cardholder/approving official relationship was
established by a Regional Director. When the APC recognized the
atypical arrangement, the APC notified the appropriate parties
within the Division. It was determined that no specific action was
to be taken until completion of the division-wide reorganization.
After the reorganization, APC took appropriate action.
To address this program issue globally, DOA will incorporate
language into procurement credit card policy that clearly
articulates the requirements of the approving official / cardholder
relationship before issuance of a procurement credit card.
Specifically, the APM will prohibit subordinate employees from being
an approving official to a supervisor. DOA will incorporate the
requirement into policy by the end of the first quarter 2003.
Additionally, DOA is in the process of establishing a Letter of
Appointment that will be issued to all Approving Officials detailing
their specific roles and responsibilities. This is in addition to
the Delegation Memos that are currently issued to all procurement
credit card holders.
Recommendation 5: We recommend that the Director, DOA,
enforce APM Section 9.E.6.e by reminding cardholders/approving
officials of the requirement to immediately notify the APC, or
his/her designee when the cardholder/approving official either
leaves the FDIC or moves to another FDIC position so that the APC
can notify the Bank of America to cancel the card.
Management Response 5: DOA appreciates the recommendation
made by the OIG, and agrees that immediate cancellation of the
procurement credit card should be made as cardholders separate from
the Corporation or are reassigned within the FDIC. This practice has
always been an important component of the procurement card program,
and we believe the requirement is clearly communicated in Chapter 9
of the APM. In addition, the APC has directed communiqué to
administrative officers that emphasize the importance that timely
notification is made to the APC in order to cancel the procurement
card immediately. To enforce and effectively monitor this area, the
APC incorporated a process in 2000 to obtain, on a routine basis,
employee separation and reassignment information from the DOA
Personnel Services Branch. The APC staffs review the information to
determine if any of the employees listed are cardholders and
determine whether their procurement card was cancelled
appropriately.
Further efforts by the APC to deal with timely cancellation of
credit cards was made in August 2002 whereby the APC issued interim
guidance to the Corporation that addressed cancellation of the
procurement credit card during the pre-exit clearance process.
Subsequent to this interim guidance, the Pre-Exit Clearance Circular
was updated with the revised requirements. This also included
updating the Pre-Exit Clearance Form to require the Administrative
Officer to collect the credit card and sign the form to acknowledge
that the action was completed.
The internal controls that we have established over the program
are effective; however, as with all important aspects of the
program, we will issue periodic reminders to the cardholders,
approving officials, and administrative officers of the requirement
to immediately notify the APC, or his/her designee when the
cardholder/approving official either leaves the FDIC or moves to
another FDIC position so that the APC can notify the contractor to
cancel the account. DOA expects to issue its first reminder for the
New Year by January 31, 2003.
Recommendation 6: We recommend that the Director, DOA,
perform an analysis on a regular basis to determine whether
cardholders are using the card. If a cardholder is not using a card
on a fairly regular basis, consider canceling the card
privileges.
Management Response 6: DOA concurs with the recommendation.
The APC has incorporated cardholder usage analysis as the program
has evolved and grown over the last six years. The analysis was part
of the evaluative process as major program changes and enhancements
were made. In 2000, APC expanded its oversight program and began
routine analysis of cardholder usage. Usage reports for both the
credit cards and convenience checks are obtained from the contractor
on a quarterly basis. Analysis of the cardholder usage was
conducted, and the results were shared with the Approving Officials
to determine whether credit cards should be cancelled for certain
card holders. The APC analyzed the responses and determined to
expand the survey period to obtain a broader perspective on
cardholder usage. DOA is in the process of analyzing the procurement
credit card usage for 2002. Expected completion will be March 31,
2003.
Recommendation 7: We recommend that the Director, DOA, review
the spending limits for all cardholders and ensure that the limits
reflect the extent of spending that they are likely to see.
Management Response 7: DOA concurs with the recommendation.
The APC has incorporated a process to analyze the spending limits
for cardholders on a quarterly basis to determine whether the
spending thresholds or limits are appropriate. This evaluation is
conducted in conjunction with APC’s analysis of cardholder usage, as
discussed in Management Response 6. DOA is in the process of
analyzing the spending limits for all cardholders for 2002. Expected
completion for this initial analysis will be March 31, 2003.
Recommendation 8: We recommend that the Director, DOA,
conduct a risk assessment of the procurement card program and
establish the necessary control activities to mitigate the risks
identified.
Management Response 8: DOA concurs with this recommendation.
It is important to note that extensive internal controls have been
incorporated into the procurement card program and that oversight of
the program includes routine risk assessment. However, due to the
high-level of attention and interest given to the credit card
programs throughout the federal government, DOA will establish its
program as an Accountability Unit and test the controls for those
identified risks under the Chief Financial Officers Act (CFOA). The
Accountability Unit will be established by March 31, 2003, and
testing will take place as dictated in the annual Management Control
Plan submitted to the Office of Internal Control Management.
If you have any questions regarding the response, our point of
contact for this matter is Andrew Nickle, Audit Liaison for the
Division of Administration. Mr. Nickle can be reached at (202)
942-3190.
cc: Dave McDermott Vijay Deshpande
APPENDIX III
MANAGEMENT RESPONSES TO RECOMMENDATIONS
This presents the management responses that have been made on
recommendations in our report and the status of recommendations as
of the date of report issuance. The information in this table is
based on management’s written response to our report.
Note: The following information applies to the Management
Responses to Recommendations below.
Resolved: (1) Management concurs with the recommendation and
the planned corrective action is consistent with the
recommendation. (2) Management does not concur with the
recommendation but planned alternative action is acceptable
to the OIG. (3) Management agrees to the OIG monetary benefits or a
different amount, or no ($0) amount. Monetary benefits are
considered resolved as long as management provides an amount.
Dispositioned: The agreed-upon corrective action must be
implemented, determined to be effective, and the actual amounts of
monetary benefits achieved through implementation identified. The
OIG is responsible for determining whether the documentation
provided by management is adequate to disposition the
recommendation. Once the OIG dispositions the recommendation, it can
then be closed.
Recommendation Number 1
Corrective Action: Taken or Planned/Status: DOA concurs
with the recommendation and completed an online procurement credit
card training module in December 2002 which will be available to
program participants by the end of January 2003. In addition,
existing cardholders will also be required to take periodic
training to refresh cardholders on their roles and
responsibilities under the program.
Expected Completion Date: January 31, 2003
Monetary Benefits: N/A
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation Number 2
Corrective Action: Taken or Planned/Status: DOA does not
agree with this recommendation and stated that the focus should
not be on creating a definition for extravagant, but should
instead be directed on the adequacy of the internal controls that
govern approval. OIG requests that DOA reconsider its response to
our report and provide us additional comments.
Expected Completion Date: (There is no date provided in the
report.)
Monetary Benefits: N/A
Resolved -- Yes or No: No
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation Number 3
Corrective Action: Taken or Planned/Status: DOA does not
agree with this recommendation and stated as with recommendation
2, above, that appropriate controls are in place and alcohol may
only be purchased using the procurement credit card under these
circumstances and controls. OIG requests that DOA reconsider its
response to our report and provide us additional comments.
Expected Completion Date: (There is no date provided in the
report.)
Monetary Benefits: N/A
Resolved -- Yes or No: No
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation Number 4
Corrective Action: Taken or Planned/Status: DOA concurs
with the recommendation and will incorporate language into
procurement credit card policy that clearly articulates the
requirements of the approving official/cardholder relationship
before issuance of a procurement credit card.
Expected Completion Date: March 31, 2003
Monetary Benefits: N/A
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation Number 5
Corrective Action: Taken or Planned/Status: DOA concurs
with the recommendation and has revised the Pre-Exit Clearance
Circular. In addition, DOA will issue periodic reminders to the
cardholders, approving officials, and administrative officers of
the requirement to immediately notify the APC, or his/her designee
when the cardholder/approving official either leaves the FDIC or
moves to another FDIC position so that the APC can notify the
contractor to cancel the account.
Expected Completion Date: January 31, 2003
Monetary Benefits: N/A
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation Number 6
Corrective Action: Taken or Planned/Status: DOA concurs
with the recommendation and is in the process of analyzing the
procurement credit card usage for 2002.
Expected Completion Date: March 31, 2003
Monetary Benefits: N/A
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation Number 7
Corrective Action: Taken or Planned/Status: DOA concurs
with the recommendation and has incorporated a process to analyze
the spending limits for cardholders on a quarterly basis to
determine whether the spending thresholds or limits are
appropriate.
Expected Completion Date: March 31, 2003
Monetary Benefits: N/A
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation Number 8
Corrective Action: Taken or Planned/Status: DOA concurred
with the recommendation and will establish its program as an
Accountability Unit and test controls for those identified risks
under the Chief Financial Officers Act.
Expected Completion Date: March 31, 2003
Monetary Benefits: N/A
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed:
Open |