This is the accessible text file for GAO report number GAO-04-87G 
entitled 'Audit Guide: Auditing and Investigating the Internal Control 
of Government Purchase Card Programs' which was released on November 
01, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Preface: 

The federal government of the United States--the largest and most 
complex organization in the world--expended approximately $15 billion 
through federal organizations'[Footnote 1] purchase card 
programs[Footnote 2] in fiscal year 2002. As the steward of taxpayer 
dollars, federal agencies are accountable for how purchase cards are 
used and how the funds are spent. To that end, federal agencies are 
responsible for establishing and maintaining internal control to 
provide reasonable assurance that (1) the goals and objectives of the 
purchase card program are met and (2) safeguards against fraudulent, 
improper, and abusive purchases are adequate.

Recent congressional testimony and inspector general and GAO reports 
show that some federal agencies do not have adequate internal control 
over their purchase card programs. Without effective internal control, 
management has little assurance that fraudulent, improper, and abusive 
purchases are being prevented or, if occurring, are being promptly 
detected with appropriate corrective actions taken. A key element of 
internal control is monitoring that assesses the quality of performance 
over time and ensures that the findings of audits and other reviews are 
promptly resolved. Monitoring provides for regular management and 
supervisory activities as well as evaluations by inspectors general or 
external auditors.

This guide focuses on audits of internal control activities--designed 
primarily to prevent or detect significant fraudulent, improper, and 
abusive purchases--in government purchase card programs. It is intended 
to provide practical guidance for consideration by internal and 
external auditors, investigators, and program management oversight 
personnel in assessing the adequacy and performance of those control 
activities and identifying areas of internal control for potential 
improvement. This guide is based primarily on GAO's experiences in 
auditing and investigating internal control over federal government 
purchase card programs at the Departments of Defense, Education, and 
Housing and Urban Development and other federal agencies.

This guide was prepared at the request of former Chairman Stephen Horn, 
Subcommittee on Government Efficiency, Financial Management and 
Intergovernmental Relations, House Committee on Government Reform. This 
is one in a series of projects we have undertaken for the Subcommittee 
concerning weaknesses in internal control over government purchase and 
travel card programs. This guide was prepared under the direction of 
Gregory Kutz, Director, Financial Management and Assurance. Other GAO 
contacts and key contributors are listed in appendix VII. Questions can 
be directed to Mr. Kutz at (202) 512-9505 or kutzg@gao.gov, or Stephen 
W. Lipscomb at (303) 572-7328, lipscombs@gao.gov, or: 

Stephen W. Lipscomb: 
U.S. General Accounting Office: 
1244 Speer Blvd., Suite 800: 
Denver, CO 80204: 

Signed by: 

Jeffrey C. Steinhoff: 
Managing Director: 
Financial Management and Assurance: 

Table of Contents: 

Preface: 

Section 1: Introduction: 

Objective of the Guide, Scope and Methodology: 

Government Purchase Card Programs: 

GAO's Approach to Auditing Purchase Card Programs: 

The Applicability of Auditing Standards: 

Section 2: Understanding the Purchase Card Program: 

The Risk of Fraudulent, Improper, and Abusive Purchases: 

The Risk of Fraudulent, Improper, and Abusive Purchases: Potentially 
Fraudulent, Improper, or Abusive Purchases: 

The Risk of Fraudulent, Improper, and Abusive Purchases: Indications 
and Categories of Fraud: 

Relevant Laws and Regulations: 

Relevant Laws and Regulations: Establishment and Operation of the 
Purchase Card Program: 

Relevant Laws and Regulations: Procurement Methods and Standards: 

Relevant Laws and Regulations: Purposes for which an Organization's 
Appropriations May Be Used: 

The Organization's Operations and Programs: 

The Organization's Operations and Programs: Understanding the 
Organization's Operations: 

The Organization's Operations and Programs: Understanding the 
Organization's Purchase Card Program: 

The Organization's Operations and Programs: Understanding the Bank 
Service Provider's Program: 

Internal Control and the Control Environment: 

Internal Control and the Control Environment: The Standards of Internal 
Control: 

Internal Control and the Control Environment: Testing Key Elements of 
the Control Environment: 

Section 3: Making, Documenting, and Using the Preliminary Assessment: 

Assessing the Adequacy of the Design of Control Activities: 

Using the Preliminary Assessment: 

Section 4: Testing the Effectiveness of Key Control Activities: 

Obtaining Transaction Data: 

Obtaining Transaction Data: Coordinating with the Bank Service 
Provider: 

Selecting Purchase Card Transactions: 

Selecting Purchase Card Transactions: Considerations in Designing a 
Statistical Sample: 

Selecting Purchase Card Transactions: The Sampling Plan: 

Selecting Purchase Card Transactions: Extracting Selected Transaction 
Data Elements: 

Selecting Purchase Card Transactions: Reporting Sample Results: 

Selecting Purchase Card Transactions: Analysis of Results from 
Statistical Samples: 

Obtaining Documentation Evidencing Performance of Control Activities: 

Obtaining Documentation Evidencing Performance of Control Activities:
Obtaining Documentation from the Organization: 

Obtaining Documentation Evidencing Performance of Control Activities: 
Evidence of Performance: 

Testing Control Activities: 

Testing Control Activities: Transaction Control Activities: 

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases: 

Data Mining for Detection, Illustration, and Disclosure: Follow-up and 
Investigation: 

Data Mining for Detection, Illustration, and Disclosure: Follow-up: 

Data Mining for Detection, Illustration, and Disclosure: Referral for 
Investigation: 

Appendixes: 

Appendix I - Selected Relevant GAO Reports and Testimonies: 

Appendix II - Selected Relevant Laws and Regulations: 

Appendix III - Example Purchase Transaction Flow Chart and Narrative 
(Request Through Payment): 

Appendix IV - Example Purchase Card Program Organization Chart: 

Appendix V - Example Audit Program: 

Appendix VI - Guidelines for Initiating an Investigation of Purchase 
Card Fraud: 

Appendix VII - GAO Contact and Staff Acknowledgments: 

Section 1: Introduction.

Federal government purchase card programs, which have been in existence 
governmentwide since 1989, were established to streamline federal 
agency acquisition processes by providing a low-cost, efficient vehicle 
for obtaining goods and services directly from vendors. As shown by the 
chart, purchase card programs have experienced dramatic growth and 
accounted for $15.2 billion in government expenditures in fiscal year 
2002.

Growth in federal government purchase card programs: 

[See PDF for image] 

[End of figure] 

With the establishment in 1998 of the General Services Administration's 
(GSA) SmartPay® program, federal agencies had a new way to pay for 
commercial goods and services. GSA negotiated charge card service 
provider contracts with five commercial banks: Citibank, First National 
Bank of Chicago, Mellon Bank, NationsBank, and U.S. Bank. Federal 
government departments and agencies were to choose the service provider 
with capabilities meeting agency requirements.

Purchase card programs are widespread throughout the federal government 
and range in size from the Department of Defense (DOD) with 214,000 
cardholders and $6.8 billion of fiscal year 2002 purchases, to the U.S. 
Tax Court with 1 cardholder and $102,000 of fiscal year 2002 purchases. 
However, the design and implementation of internal control did not keep 
up with the growth in the programs audited by GAO (see app. I - 
Selected Relevant GAO Reports and Testimonies). With the increase in 
purchase card use came increases in risk; revelations of significant 
weaknesses in internal control; and resulting fraudulent, improper, and 
abusive purchases.

Objective of the Guide, Scope and Methodology: 

The primary objective of this guide is to provide practical guidance 
for consideration in performance audits and investigations of 
government purchase card programs. The guide provides auditors and 
fraud investigators with a basis for understanding the operations, 
risks, and internal control of a government purchase card program, 
which in turn provides a basis for conducting investigations of fraud 
in a government purchase card program. Although this guide is primarily 
an audit and investigative guide, it can also be applied by program 
management oversight personnel in assessing the adequacy of policies, 
procedures, and internal controls and conducting ongoing monitoring of 
adherence to internal control activities. In that context, the use of 
the term "auditor" throughout this guide is intended to include program 
management oversight personnel as well as internal and external 
auditors. While this guide is based on approaches and methodologies 
developed in audits of federal purchase card programs, the basic 
concepts and criteria may also be applicable to state and local 
government purchase card programs. This guide: 

* focuses on auditing the internal control policies, procedures, and 
activities designed primarily to prevent or detect fraudulent, 
improper, and abusive purchase card transactions in government purchase 
card programs;

* seeks to foster critical, creative thinking by auditors, 
investigators, and management personnel responsible for identifying 
risks and opportunities open to those who would misuse purchase cards;

* provides practical guidance in identifying potentially fraudulent, 
improper, and abusive purchase card transactions and in conducting the 
appropriate follow-up and investigation; and

* illustrates the benefits of involving fraud investigators in the 
planning and execution of audit procedures.

The guide is intended to supplement existing guidance[Footnote 3] for 
review and oversight of federal government purchase card programs. 
Different parties may accomplish audits of purchase card programs for 
different purposes. Law, regulation, or third party request may direct 
external and internal auditors to accomplish a performance or other 
audit in accordance with generally accepted government auditing 
standards (GAGAS).[Footnote 4]

The guide is not intended to and does not provide guidance sufficient 
to address all potential purchase card program performance audit 
objectives (e.g., economy and efficiency, compliance with legal or 
other requirements). The guide is also not intended to comprehensively 
address all five of the standards of internal control[Footnote 5] 
(e.g., management's risk assessment, information and communication). In 
addition, the guide is not intended to and does not provide guidance 
sufficient to develop investigative cases that establish evidence to 
prove specific allegations of criminal wrongdoing.

Government Purchase Card Programs: 

The operations and controls of government purchase card programs can 
vary among organizations. However, the Department of the Treasury's 
Financial Manual[Footnote 6] prescribes procedures (illustrated in fig. 
1), including program controls and invoice payment, that apply to all 
departments and agencies that use government purchase cards. 
Additionally, the Federal Acquisition Regulation (FAR), which 
prescribes acquisition policies and procedures for all executive 
agencies, provides that agencies are to establish procedures for use 
and control of the card that comply with the Treasury Financial 
Manual.[Footnote 7]

Figure 1: Basic procedures of a government purchase card program: 

[See PDF for image] 

[End of figure]

The manual further states that, with some exceptions, small purchases 
of up to $25,000[Footnote 8] should be made using the government 
purchase card and establishes key control activities, personnel, and 
their roles, including the following.

* A written delegation of authority is to be issued by responsible 
agency personnel that establishes authorized cardholder(s)[Footnote 9] 
and specifies spending and usage limitations unique to the cardholders.

* The cardholder is the government employee to whom a government purchase 
card, bearing the employee's name, is issued. The card can be used only 
by that employee for official purchases, in adherence with agency 
regulations.

* The cardholder statement listing all transactions during the billing 
period is sent to each cardholder.

* The approving official (AO) reviews cardholder statements, is 
responsible for authorizing cardholder purchases (for official use 
only), and ensures that statements are reconciled and submitted to the 
designated billing office in a timely manner.

* A designated billing office receives the official invoice--a designated 
billing office report listing all cardholder charges for the area the 
office serves--and ensures its payment in accordance with Prompt 
Payment Act deadlines.

The manual requires each agency to develop its own internal procedures 
for using the purchase card and establishes processing and internal 
controls that must be in place prior to using the government purchase 
card, including the following.

* Designate an office (usually the procurement office) to manage the 
program and ensure that (1) training required for all cardholders, AOs, 
and other employees involved in the program is provided, (2) a current 
list of cardholders and AOs is maintained, and (3) an annual oversight 
review of the program is conducted. (The position is generally referred 
to as the agency program coordinator (APC) in DOD purchase card 
programs.)

* Establish procedures for (1) the timely submission of cardholder 
statements to the agency designated billing office, (2) maintaining 
security of the cards, (3) handling disputes and returned, refused, 
damaged, or unacceptable items and partial deliveries, and (4) renewing 
purchase cards.

The manual also provides that invoices, payments, access and review of 
account and master file data, and reports may be accomplished 
electronically, and that electronic funds transfer should be adopted as 
the standard method of payment for all federal program payments 
originated by agencies or their agents.

The Treasury Financial Manual and FAR requirements would apply to all 
purchase card transactions, including convenience check transactions--
courtesy checks provided by the purchase card-issuing bank--that are 
charged to a related purchase card account.

GAO's Approach to Auditing Purchase Card Programs: 

GAO's Audit Approach: 

[See PDF for image] – graphic text: 

Gain understandings: 
Risk of fraud: 
Laws and regulations: 
Operations and programs: 
Internal control/environment: 

Preliminary assessment: 
Control activities: 
Use the assessment: 

Test control activities: 
Obtain transaction data: 
Selecting transactions: 
Obtain performance evidence: 
Test control activities: 

Pursue fraud and abuse: 
Data mine: 
Follow-up/investigate: 

[End of figure]

The approach presented in this guide is based on GAO's experience in 
auditing internal control over government purchase card programs at the 
Departments of Defense, Education, Housing and Urban Development, and 
other federal agencies (see app. I - Selected Relevant GAO Reports and 
Testimonies). In general, GAO's approach is to (1) gain a thorough 
understanding of the organization's operations and purchase card 
program, and relevant system of internal control, (2) based on that 
understanding, and any needed additional review and analysis, make a 
preliminary assessment of the adequacy of the design of the system of 
internal control, (3) test the effectiveness of internal control using 
statistical sampling, and (4) use data mining to detect instances of 
potentially fraudulent, improper, and abusive transactions to 
illustrate the effects of breakdowns in internal control.

GAO's approach includes involving fraud investigators throughout the 
audit. An experienced fraud investigator will bring valuable 
perspectives and insight to the process of identifying opportunities 
for fraud in the program's operations and in evaluating the 
effectiveness of control activities. They can also bring new and 
creative thinking to identifying the opportunities for circumventing 
the existing controls. Fraud investigators should be involved in the 
preliminary assessment process, designing tests of controls, 
identifying criteria and relationships for data mining, and in follow-
up of potentially fraudulent transactions. Program policy and procedure 
documents obtained and understandings gained of the purchase card 
program and related internal controls should be made available to the 
fraud investigator.

The Applicability of Auditing Standards: 

Auditors performing an audit in accordance with GAGAS for performance 
audits are required to adhere to the general and fieldwork standards. 
These standards can be found on GAO's web site[Footnote 10]. The 
following three general standards are key to providing assurance that 
integrity, objectivity, and independence are adequate in planning, 
conducting, and reporting results of audits.

* Independence. Audit organizations and individual auditors, whether 
government or public, are required to be free both in fact and 
appearance from personal, external, and organizational impairments to 
independence, in all matters relating to the audit work.

* Professional judgment. Auditors complying with GAGAS are required to 
use professional judgment in planning and performing audits and in 
reporting the results.

* Competence. Audit staff are required to collectively possess adequate 
professional competence for the tasks required.

We encourage all users of this guide, including internal auditors and 
program management oversight personnel, to (1) become familiar with 
these standards and the basic concepts embodied in them, (2) consider 
their relative applicability to the circumstances, and (3) apply them 
as appropriate when using this guide.

Section 2: Understanding the Purchase Card Program.

Evaluating the adequacy of internal control designed to mitigate the 
risk of fraudulent, improper, and abusive transactions requires the 
auditor to gain an in-depth understanding of (1) the risk of fraud, (2) 
the relevant laws and regulations, and (3) the specific organization's 
mission activity operations and its purchase card program operations 
(from purchase request to payment). This in-depth understanding is 
necessary so that an auditor can make a preliminary judgment about the 
adequacy of design of an organization's control activities.

The Risk of Fraudulent, Improper, and Abusive Purchases: 

The potential for fraudulent, improper, and abusive purchases in a 
purchase card program should be viewed by management as a risk of 
significant financial loss, possibly resulting in operational 
inefficiency and impairment of mission readiness. This is particularly 
true in the government environment where taxpayer dollars are at risk. 
Fraudulent, improper, and abusive purchases often result directly from 
a lack of adherence to policies, procedures, and control activities. 
This lack of adherence can result in misuse of the card. As program 
personnel predisposed to misuse the card become aware of such 
weaknesses, the door opens wider for fraudulent, improper, and abusive 
purchases.

SIDEBAR: 

One organization's actions included recommending remedial training and 
suspension of repeat offenders' purchase card accounts for lack of 
adherence to internal control policies and procedures.

[End of sidebar]

Repeated nonadherence to established internal control policies and 
procedures, such as inadequate documentation of purchase card 
transactions or supervisory reviews, may not constitute a violation of 
law or regulation. However, if allowed to continue, it will 
contribute to an erosion and weakening of the control system. Prompt 
administrative and disciplinary actions (e.g., informal admonishment, 
formal reprimand, additional required training, suspension of card 
privileges, cancellation of the cardholder's account, termination of 
employment) can be effective in reducing persistent lack of adherence 
to policies and procedures by cardholders and other program personnel. 
When administrative corrective actions are taken and documented, 
program management, oversight personnel, and auditors will be able to 
identify repeat offenders and determine that appropriate steps are 
being taken to address potentially significant problems before they 
escalate.

Case Illustration: 

Exploitation of known weakness in internal control: 

In a recent audit of the internal control over a purchase card program,
GAO reported that a cardholder defrauded the government of $30,000 
from April 25 to June 20, 2001. The cardholder took advantage of a 
situation in which the cardholder's approving official was on 
temporary duty for several months. The cardholder believed that the 
alternate approving official would certify the statement for payment 
without reviewing the transactions or their documentation. With this 
belief, the cardholder purchased items for personal gain, including a 
computer, purses, rings, and clothing. These fraudulent transactions 
were not discovered until the resource manager who monitored the 
unit's budget noticed a large increase in spending by the cardholder. 
The cardholder had destroyed all documentation for the 3-month 
period during which these transactions took place. However, 
investigators found merchandise and invoices that showed that the 
cardholder had fraudulently used the government credit card. The 
cardholder was court-martialed in April 2002 and sentenced to 18 
months incarceration. These fraudulent transactions might not have 
occurred if the cardholder had known that the approving official 
would review the transactions. At a minimum, prompt approving 
official review would have detected the fraudulent transactions.

Potentially Fraudulent, Improper, or Abusive Purchases: 

Our audits of purchase card programs detected transactions that were 
not in accordance with laws and regulations or were not appropriate or 
legitimate uses of government funds. The terms we used to characterize 
such purchases included potentially fraudulent, improper, and abusive 
purchases. The following are explanations of these terms as used in 
this guide.

SIDEBAR: 

A cardholder made 62 unauthorized transactions totaling $12,832 to pay 
for repairs to a car and buy groceries, clothing, and various other 
items for personal use.

[End of sidebar]

* Fraudulent purchases. Use of the government purchase card to acquire 
goods or services that are unauthorized and intended for personal use 
or gain constitutes a fraud against the government. A cardholder's 
unauthorized purchase of power tools for his home, a vendor's 
intentional charges for services not provided, and the unauthorized use 
by a third party of a cardholder's compromised or stolen account for 
personal gain are examples of fraudulent purchase card transactions. In 
GAO reports, these and similar purchase card transactions are generally 
referred to as "potentially fraudulent" unless there has already been a 
fraud conviction in a court of law.

SIDEBAR: 

Day planners costing a total of $3,100 were purchased from Franklin 
Covey. One item cost $199 and another $250. In contrast, cardholders 
could have purchased day planners from JWOD for about $40.

[End of sidebar]

* Improper purchases. Government purchase card transactions that are 
intended for government use but are not permitted by law, regulation, 
or organization policy generally are considered improper. Examples 
include certain types of purchases of meals or refreshments for 
government employees within their normal duty stations,[Footnote 11] 
purchases split to circumvent micropurchase or other single purchase 
limits, and purchases from other than statutorily designated sources, 
such as the Javits-Wagner-O'Day program (JWOD).[Footnote 12] 

SIDEBAR: 

A cardholder purchased Bose bedside clock radios costing $349 each, 
when other models costing about $15 were available.

[End of sidebar]

* Abusive purchases. Purchases of authorized goods or services, at 
terms (e.g., price, quantity) that are excessive, are for a 
questionable government need, or both are considered abusive. Examples 
of such transactions include purchases of items such as $300 day 
planners, $350 bedside radios, and allowable refreshments at excessive 
cost; purchases of designer leather goods; and year-end and other bulk 
purchases of computer and electronic equipment for a questionable 
government need.

Indications and Categories of Fraud: 

Figure 2 shows key signs, signals, and patterns that indicate the 
potential for fraud in a government purchase card program.

Figure 2: Signs, signals, and patterns indicating the potential for 
fraud.

* Weak management; 
* Weak internal controls; 
* History of impropriety; 
* Failure to follow legal or technical advice; 
* Promise of gain with little likelihood of being caught; 
* Unexplained decisions, transactions, or both; 
* Unethical leadership; 
* Missing or altered documents. 

Source: International Journal of Government Auditing.

[End of figure]

SIDEBAR: 

An inmate at a local county jail made three purchase card transactions 
at local florist shops on a government purchase card that had either 
been lost or stolen.

[End of sidebar] 

GAO audits of government purchase card programs have reported 
fraudulent and potentially fraudulent purchases by cardholders, 
vendors, and third parties using compromised accounts falling into the 
following broad categories of fraud.

* Theft involves property, facilities, and services. An authorized or 
unauthorized cardholder purchase of goods or services intended for 
personal use or gain is theft. Theft can also occur when an 
unauthorized user compromises a cardholder's account by gaining 
knowledge of and using the purchase card account number.

SIDEBAR: 

A maintenance supervisor allegedly made $52,000 in fraudulent 
transactions to a suspect contractor for work that was not performed. 

Two purchase cardholders conspiring with at least seven vendors 
received kickbacks on purchases with inflated prices, quantities, or 
both. Criminal investigation resulted in confinement or restriction, a 
bad conduct discharge, and a reduction in rank.

[End of sidebar]

* Fictitious transactions can involve a single party (e.g., a 
cardholder supports the acquisition of goods or services for personal 
use with false documentation, or a vendor bills the government for 
goods or services never delivered). In addition, fictitious 
transactions can include collusion (e.g., a cardholder knowingly 
approves documentation supporting a vendor's invoice for goods or 
services never provided, and the two share in the amount paid by the 
government). Although collusion can circumvent what otherwise might be 
effective internal control activities, a robust system of guidance, 
internal control activities, and oversight can provide reasonable 
assurance of preventing or quickly detecting fraud.

* Kickbacks may be offered by a vendor or solicited by a contractor or 
government buyer. Kickbacks in a government purchase card program can 
include collusion between a cardholder and a vendor. The cardholder 
makes authorized purchases from the vendor, who charges the government 
an excessive price and "kicks back" a percentage of the amounts 
received to the cardholder.

SIDEBAR: 

A cardholder and his supervisor conspired to make nearly $400,000 in 
fraudulent purchases from companies owned by the supervisor, his 
sister, friends, and acquaintances.

[End of sidebar] 

* Conflict of interest is present when a government official 
participates in approving or deciding a matter in which the official 
or a relative has a financial interest. The potential for a conflict 
of interest in a purchase card transaction exists whenever a cardholder 
or a relative has a significant financial interest in a vendor or 
contractor. Purchases of goods or services from that vendor or 
contractor would be suspect and, if not prohibited by the organization, 
should require special review and approval prior to and subsequent to 
the purchase.

The auditor should be aware of the potential for the previous 
categories of fraud in the day-to-day operational risk of the 
organization. Fraudulent, improper, and abusive purchases generally 
involve individual cardholders, supervisors, approving officials, and 
vendors, and occasionally collusion between them. Another source of 
fraudulent purchases of significant concern occurs when an account is 
compromised (e.g., someone other than authorized program personnel 
gains knowledge of account numbers). In any event, a strong system of 
controls should guard against significant loss to the government for 
all such potentially fraudulent, improper, and abusive purchases. Any 
potentially fraudulent transaction detected should be considered for 
follow-up, as discussed in the Follow-up and Investigation section of 
this guide.

To better understand the risk of fraud within a specific organization's 
purchase card program, auditors and investigators should identify and 
study known cases of such fraud. Summary memorandums prepared by fraud 
investigators detailing the nature and extent of the suspected fraud, 
the investigative process, the conclusions reached, and the actions 
taken can provide valuable additional insight.

Relevant Laws and Regulations: 

A federal organization's purchase card program must comply with the 
laws, regulations, contracts, and governmentwide and organizational 
policies and procedures that (1) govern the establishment and operation 
of the purchase card program, (2) prescribe procurement methods and 
standards, and (3) pertain to the purposes for which an organization's 
appropriations and other sources of funds may be used. When evaluating 
the merits of individual purchases, all three areas should be 
considered. (See app. II - Selected Relevant Laws and Regulations.) 

Establishment and Operation of the Purchase Card Program: 

Federal organization purchase card programs operate under a 
governmentwide GSA contract, the GSA SmartPay® Master Contract. 
Organization purchase card programs must comply with the terms of the 
contract and the task order under which the organization placed its 
order for purchase card services. Organization purchase card programs 
must also comply with Department of the Treasury regulations found in 
the Treasury Financial Manual, Volume I, Part 4-4500, "Government 
Purchase Cards." FAR, 48 C.F.R. § 13.301(b) (2002), provides that 
agencies are to establish procedures for use and control of the card 
that comply with the Treasury Financial Manual and that are consistent 
with the terms and conditions of the current GSA credit card contract. 
Individual organizations may be subject to specific statutory criteria 
for the management of purchase cards (e.g., 10 U.S.C. § 2784, directing 
the Secretary of Defense to prescribe regulations governing the use of 
purchase cards). As such, each organization should have guidance 
concerning the implementation, establishment, and operation of its 
purchase card program.

Procurement Methods and Standards: 

Purchases made with the purchase card should be made in accordance with 
generally applicable procurement laws, regulations, and organization 
procurement policies and procedures. FAR provides governmentwide 
policies and procedures for acquisition by all executive agencies. 
Agencies frequently issue supplemental acquisition regulations as well.

SIDEBAR: 

One cardholder split about $17,000 of purchases of boots on 1 day into 
8 transactions. Another cardholder split over $30,000 of purchases from 
an electronic supply store on 1 day into 14 transactions.

[End of sidebar] 

Contracting activities carried out by the federal government generally 
must be conducted by warranted contracting officers; however, the 
purchase card may also be used by other government personnel for 
purchases at or below the micropurchase threshold. FAR provides that 
such individuals must be delegated the authority to do so in writing in 
accordance with organization procedures. Regardless of the value of a 
purchase, FAR prohibits cardholders from splitting organization needs 
into smaller purchases in order to circumvent applicable acquisition 
laws, regulations, and policies. Organization policies can also 
prohibit cardholders from splitting purchases into smaller purchases in 
order to avoid individual cardholder purchase limits.

Authorized personnel may use the purchase card for purchases at or 
below the micropurchase threshold (currently $2,500, except that the 
limit is $2,000 for certain construction costs).[Footnote 13] 
Micropurchases are subject to the requirements of FAR Subpart 8, which 
provides that certain products be acquired from designated sources, 
including statutorily preferred vendors. Micropurchases must also be 
made in accordance with various laws and regulations concerning 
environmentally preferable products and services. Cardholders may make 
micropurchases without soliciting competitive quotations from vendors 
if they consider the price to be reasonable. However, cardholders are 
required to distribute micropurchases equally among qualified suppliers 
to the extent practicable.

SIDEBAR: 

Despite representations that hotels were authorized to bill only for 
audiovisual equipment and conference room rental, detailed bills 
acquired by GAO auditors showed that about $7,000 was inappropriately 
expended for prohibited breakfasts, lunches, and snacks.

[End of sidebar]

For purchases above the micropurchase threshold, warranted contracting 
officers may use the purchase card to place and pay for orders against 
already existing contracts. For these larger transactions, the card is 
frequently referred to as a "payment card" because it pays for 
acquisitions made under a legally executed contract.

Purposes for which an Organization's Appropriations May Be Used: 

Individual purchases must be for a purpose allowable under an 
organization's appropriations or other sources of funds (e.g., 
nonappropriated funds) and must not otherwise be prohibited by law. 
Organizations may use appropriated funds only for legitimate or bona 
fide needs that arise in or continue to exist in the fiscal year(s) for 
which those funds are appropriated. Agencies are restricted to 
purchasing only those items that will be used during such fiscal 
year(s) except when they qualify under certain categories, such as to 
maintain inventories of necessary items at reasonable levels. However, 
agencies generally may not purchase items in excessive amounts at the 
end of a fiscal year solely to avoid the expiration of funds.

The Organization's Operations and Programs: 

Appropriately planning an audit and investigation of the internal 
control over an organization's purchase card program requires a 
thorough understanding of: 

* the organization's mission activities and operations,

* its purchase card program operations and the end-to-end flow of 
transactions through it from request to payment,

* the system of internal control over the purchase card program, and 

* the environment in which the control activities operate.

Understanding the organization's operations and its specific purchase 
card program is critical in developing audit objectives and the scope 
and methodology for the work needed to achieve them. In addition, 
issues such as program significance, visibility, age, sensitivity, and 
the potential use of audit results should be considered in the audit 
planning process.[Footnote 14] Gaining and documenting an understanding 
of the operations of a government purchase card program can be 
accomplished in several ways, all of which will require access to the 
appropriate personnel and relevant documents. The first step should be 
to establish contact and coordinate that effort with both the 
organization and the bank service provider.

One manner of obtaining access to operations and program personnel is 
to coordinate audit arrangements with the organization's management. 
Access to the appropriate personnel and to written policies and 
procedures is essential to understanding the organization's operations, 
the purchase card program, and internal controls. In addition, 
documentation evidencing adherence to internal control policies and 
procedures will be necessary when testing for performance of control 
activities. Further, access to program personnel will be necessary to 
clarify information received and to follow up on potentially 
fraudulent, improper, and abusive purchases.

Understanding the Organization's Operations: 

Understanding the organization's mission and objectives, and how those 
missions and objectives are accomplished, provides the auditor with 
critical insight used in (1) developing audit objectives, (2) 
identifying opportunities for purchase card fraud, (3) making 
preliminary assessments of the adequacy of program controls, (4) 
designing tests of internal control, and (5) identifying criteria for 
data mining. Understanding gained of the organization's operation(s) 
might include: 

* the nature and size of overall operations;

* what the individual activities involved in the purchase card program 
do, and how they do it;

* the general job descriptions, level of education, and number of 
personnel in those activities; and 

* the volume and appropriate type(s) of purchase activity to expect.

An understanding of the organization's operations and activities can be 
gained by interviews with operations personnel and by reviewing 
existing documents such as program descriptions, policies and 
procedures, and operations manuals.

Understanding the Organization's Purchase Card Program: 

The initial understanding of the organizational level purchase card 
program (from request to payment), and of the internal control at work 
throughout that process, ideally would be obtained from existing 
documents such as purchase card program descriptions, policies and 
procedures, operational manuals, or instructions. Interviews with 
program personnel can supplement existing documented evidence of 
program operations and controls, or establish a starting point if such 
documentation is insufficient or nonexistent. In either circumstance, 
correctly structured interviews can be a valuable source of inquiry to 
understand and clarify (1) the extent to which control activities are 
in place and operating, (2) the environment in which those controls 
operate, (3) the overall managerial organization and operations of the 
program, and (4) the flow of purchase card transactions. A Practical 
Guide for Reviewing Government Purchase Card Programs - June 2002, by 
the President's Council on Integrity and Efficiency, contains interview 
guides, which will be helpful when conducting interviews for this 
purpose. In addition, conducting walk-throughs of selected purchase 
card transactions is a key process in (1) gaining a thorough 
understanding of the program's operations from purchase request to 
payment of the bill, (2) identifying control points through that 
process, and (3) observing the operation of control activities and 
transaction flows.

GAGAS require auditors to prepare documentation supporting significant 
judgments and conclusions. Auditors should obtain or prepare 
narratives, flowcharts, or both that summarize and document their 
understanding of the organization's purchase card program and the flow 
of typical purchase card transactions. Understanding how the purchase 
card program operates, the flow of transactions from request to 
payment, and the key controls over the entire end-to-end process form 
the basis for making preliminary judgments about the adequacy of the 
design of control activities and for designing tests of those controls. 
Narrative and flowchart documentation also provides effective 
communication of the processes and control points to other interested 
parties (e.g., audit staff, program management, oversight personnel). 
Appendixes III and IV of this guide provide example flowcharts of an 
organizational level structure for a federal government purchase card 
program and the end-to-end flow, and related narrative, of typical 
purchase card transactions through it.

Case Illustration: Understanding the organization's program and related 
controls: 

[See PDF for image]

[End of figure]

Understanding the Bank Service Provider's Program: 

Coordinating the audit effort with the bank service provider might 
provide the opportunity to gain an understanding of (1) the operation 
of the provider's program, (2) the processes for purchase card 
authorization, issuance, and credit limits, (3) the transaction 
processing, review, authorization, and manual override (e.g., 
single-transaction limits) system, (4) the merchant category code (MCC) 
blocking features and any manual override, and (5) the internal 
controls over these processes. Additionally, as shown in figure 3, the 
GSA SmartPay® master contract requires bank service providers to 
provide federal organizations with various ad hoc, standard commercial, 
and other reports specific to the purchase card program.

Figure 3: Agency/organization reports required by GSA's SmartPay® 
master contract to be provided by the bank service provider.

General reporting requirements: 

* Ad-hoc report generation capability
* Standard commercial reports

Additional essential reports: 

* The official invoice
* Invoice status report
* Transaction dispute report
* Pre-suspension/pre-cancellation report
* Suspension/cancellation report
* Renewal report
* Delinquency report
* Detailed electronic transaction file

Reporting specific to the Purchase Card Program: 

* Account activity report
* Statistical summary report
* Summary quarterly purchase report

Other agency reports: 

* Account activity report
* Master file report
* Statistical summary report
* Account change report
* Exception report
* Current accounts report
* 1099 report information
* 1057 report
* Payment performance and refund report
* Write-off report
* Summary quarterly merchant report
* Summary quarterly vendor analysis report
* Summary quarterly vendor ranking report

Source: GSA's SmartPay® Master Contract, Section C.38 - Agency 
Reporting Requirements, and Section CC.12 - Agency Reporting 
Requirements for the Purchase Card Program.

[End of figure]

Conducting interviews with bank service provider personnel may provide 
the necessary understanding of the provider's purchase card operations, 
processes, and controls, as well as valuable insights and understanding 
in using the various reports being produced.

Internal Control and the Control Environment: 

Internal control is an integral component of an organization's purchase 
card program that provides reasonable assurance that the objectives of 
effective and efficient operations and compliance with applicable laws 
and regulations are being achieved. The minimum level of quality 
acceptable for internal control in a government purchase card program 
is defined by the five standards for internal control included in 
Standards for Internal Control in the Federal Government[Footnote 15]. 
Those standards, and elements of the control environment standard that 
are significant in a government purchase card program, are discussed in 
this section of the guide.

The Standards of Internal Control: 

All of the following internal control standards are applicable to 
achieving reasonable assurance that fraudulent, improper, and abusive 
purchases do not have a significant adverse effect on the effectiveness 
or efficiency of a government purchase card program.

* The control environment. A positive control environment--the 
foundation for all other internal control standards--is established by 
management and employees creating and maintaining an environment 
throughout the organization that sets a positive and supportive 
attitude toward internal control and conscientious management. 
Specific key elements affecting the control environment of a purchase 
card program are discussed in more detail later in this section.

* Management's risk assessment. Internal control should provide for an 
assessment of the risks the organization faces, from both external and 
internal sources, and identify and deal with any special risks prompted 
by changes in economic, industry, regulatory, and operating conditions.

* Control activities. Control activities are the policies, procedures, 
techniques, and mechanisms that enforce management's directives and 
help ensure that actions are taken to address risks. Control activities 
in a government purchase card program include a wide range of diverse 
activities, such as approvals, authorizations, verifications, 
reconciliations, reviews, and creation and maintenance of related 
records that provide evidence of execution of these activities. 
Specific transaction-level control activities significant to a purchase 
card program are discussed in more detail in the Transaction Control 
Activities section of this guide.

* Information and communications. Information should be recorded and 
communicated to government purchase card program managers and others 
within the program who need it in a form and within a time frame that 
enables them to carry out their internal control and other 
responsibilities.

* Monitoring. Ongoing monitoring--regular management and supervisory 
activities, comparisons, reconciliations, and other actions people take 
in performing their duties--should be performed continually and be 
ingrained in the normal operations of a government purchase card 
program (e.g., review and analysis of bank service provider reports, 
periodic reviews for adherence to program policies and procedures, 
review and follow-up of audit findings).

Testing Key Elements of the Control Environment: 

Recent GAO purchase card audit reports have identified the following 
six elements as significantly affecting the control environment 
surrounding a purchase card program: 

* management's philosophy (tone at the top),

* span of control,

* financial exposure,

* training,

* discipline, and 

* purchasing and reviewing authorities.

This guide discusses each of these elements, the relevant 
documentation, and tests that the auditor can perform. Testing of some 
of these elements of the control environment can be accomplished either 
before the preliminary assessment is completed or later as part of 
testing the effectiveness of control activities.

Testing of these elements of the control environment is accomplished 
through analytical, sampling, and nonsampling methods as discussed in 
each element. Analytical testing is accomplished by utilizing 
electronic reports, data files, and other data obtained from the bank 
service provider and the organization. The discussion of some of these 
elements identifies them as lending themselves to efficient testing in 
conjunction with transaction-level control activity tests, discussed in 
the Transaction Control Activities section of this guide. Therefore, 
the data needed to conduct tests of these elements should be obtained 
for each cardholder and approving official for purchase card 
transactions selected for transaction-level control activity testing.

SIDEBAR: 

In a recent GAO audit, management's proactive attitude in implementing 
change was credited for establishing a positive control environment at 
one unit, in contrast to another unit where management supported the 
status quo of weak control, effectively diminishing the likelihood of 
substantive change.

[End of sidebar]

Management's philosophy and operating style, sometimes referred to as 
tone at the top, determines the degree of risk the organization is 
willing to take in operations and programs. The attitude and philosophy 
of management toward information systems, accounting, personnel 
functions, monitoring, and audits and evaluations can have a profound 
effect on internal control.

Insights gained by the auditor through interviews conducted with 
program personnel and review of prior audit findings and management's 
responses will assist in assessing this element of internal control. 
Professional judgment is necessary when attempting to assess the effect 
of tone at the top, positive or negative, on internal control and on 
the design of control activities. Tests of transaction-level control 
activities and follow-up of potentially fraudulent, improper, and 
abusive purchases may provide the auditor with additional insight into 
the tone at the top.

SIDEBAR: 

In response to a GAO report criticizing an unreasonable 1,153:1 ratio 
of cardholders to approving official, the department issued guidance 
limiting this span of control ratio to 7:1 for all its agencies.

[End of sidebar]

Span of control, in a government purchase card program, refers to the 
extent of review responsibilities placed on a single AO for the 
purchase card transactions of one or more cardholders.

In establishing the reasonableness of this responsibility, the auditor 
should consider (1) the number of cardholders assigned, (2) the number 
and complexity of purchase card transactions being reviewed each 
billing period, and (3) perhaps the most potentially detrimental, the 
demands of other responsibilities assigned to the approving official. 
Additional insight into the reasonableness of these relationships can 
be obtained during interviews with cardholders and AOs and during 
control tests of selected transactions.

The auditor should consider independently evaluating the reasonableness 
of existing span of control relationships by obtaining bank service 
provider reports containing the information necessary to determine the 
number of cardholders assigned to individual AOs.

SIDEBAR: 

Two related organizations provided purchase cards with credit limits of 
$20,000 or more to over 1,700 employees, resulting in an excessive 
monthly financial exposure of over $34 million, while actual monthly 
purchases amounted to only about $6 million.

[End of sidebar]

The total number of authorized cardholders in the organization, their 
single transaction and monthly credit limits, and the AO credit limits 
directly affect the financial responsibility of the individuals 
involved and the extent of potential loss to the organization from 
fraudulent, improper, and abusive purchases. Financial exposure in a 
government purchase card program can become excessive when management 
does not exercise judgment and restraint in issuing purchase cards and 
in determining single purchase and monthly credit limits. We have found 
that by limiting the number of purchase cards and related credit limits 
to the levels necessary to meet operational requirements, an agency can 
better manage and control its purchase card program.

Purchase cards should be issued in controlled, limited quantities 
(e.g., special justification and authorization for more than one card 
per cardholder) and only to government employees with legitimate needs 
to have the cards. Single purchase and monthly credit limits should be 
established based on the expected monthly purchases of the cardholder. 
Both of these determinations require an objective effort by operational 
supervisors and management, with assistance from purchase card program 
management, to evaluate the existing and continuing needs of operations 
and cardholders.

The auditor should evaluate management's process for establishing the 
number of cardholders and their credit limits reasonably necessary to 
operational requirements. Documentation of management's 
decision-making process should be obtained and reviewed for propriety. 
Examples of management's consideration of objective, analytical data 
include the following.

* Supervisory review of cardholder purchase history, both number of 
transactions and dollars purchased (very few purchase transactions in 
the previous year might indicate the lack of a need for the card, while 
lower than expected dollar volume of purchases might indicate a lower 
reasonable cardholder credit limit).

* Annual positive assertions by supervisors, managers, or both of 
continuing cardholder needs, both for the card and for the related 
credit limits.

The auditor should consider independently evaluating the reasonableness 
of the organization's existing financial exposure by obtaining bank 
service provider reports--which provide information necessary to 
determine the total cardholder monthly credit limits--and comparing 
that total to the organization's average monthly and highest monthly 
purchase card expenditures.
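
The two independent evaluations described above (cardholders per AO, 
and total credit limits against actual spending) can be run directly on 
bank service provider report data. The Python below is an added 
example, not part of the GAO guide; the field names, the sample rows, 
and the max_ratio and headroom parameters are assumptions to be 
replaced with the organization's report layout and policy values.

```python
from collections import defaultdict

# Constructed sample data. Field names are hypothetical stand-ins for the
# columns of a bank service provider account/master file report.
ACCOUNTS = [
    {"cardholder": "CH-001", "ao": "AO-A", "monthly_limit": 20000},
    {"cardholder": "CH-002", "ao": "AO-A", "monthly_limit": 20000},
    {"cardholder": "CH-003", "ao": "AO-A", "monthly_limit": 10000},
    {"cardholder": "CH-004", "ao": "AO-B", "monthly_limit": 25000},
]

# Constructed purchase totals per cardholder for three billing periods.
SPEND = {
    "CH-001": [1200, 800, 1000],
    "CH-002": [0, 0, 0],
    "CH-003": [6000, 9000, 7500],
    "CH-004": [2000, 3000, 1000],
}


def span_of_control(accounts, max_ratio):
    """Count distinct cardholders per AO and flag AOs above max_ratio.

    max_ratio is the organization's policy ceiling (an input, not a
    value fixed by this example).
    """
    assigned = defaultdict(set)
    for row in accounts:
        assigned[row["ao"]].add(row["cardholder"])
    return {
        ao: {"cardholders": len(chs), "exceeds_policy": len(chs) > max_ratio}
        for ao, chs in sorted(assigned.items())
    }


def financial_exposure(accounts, spend):
    """Compare total monthly credit limits to average and highest spend."""
    periods = max((len(v) for v in spend.values()), default=0)
    if periods == 0:
        raise ValueError("no purchase history supplied")
    monthly = [0] * periods
    for totals in spend.values():
        for i, amount in enumerate(totals):
            monthly[i] += amount
    total_limit = sum(row["monthly_limit"] for row in accounts)
    average = sum(monthly) / periods
    peak = max(monthly)
    return {
        "total_monthly_limit": total_limit,
        "average_monthly_spend": average,
        "highest_monthly_spend": peak,
        "limit_to_average": round(total_limit / average, 2) if average else None,
        "limit_to_highest": round(total_limit / peak, 2) if peak else None,
    }


def limit_review_candidates(accounts, spend, headroom):
    """List cardholders whose limit looks larger than their usage supports.

    headroom is an auditor-chosen multiple (an assumption of this example):
    a limit above headroom x the cardholder's own highest period is listed,
    as is any card with no purchases in the periods supplied.
    """
    findings = []
    for row in accounts:
        history = spend.get(row["cardholder"], [])
        peak = max(history, default=0)
        if peak == 0:
            findings.append((row["cardholder"], "no_activity"))
        elif row["monthly_limit"] > headroom * peak:
            findings.append((row["cardholder"], "limit_exceeds_usage"))
    return findings


if __name__ == "__main__":
    print(span_of_control(ACCOUNTS, max_ratio=2))
    print(financial_exposure(ACCOUNTS, SPEND))
    print(limit_review_candidates(ACCOUNTS, SPEND, headroom=4))
```

Cards listed by limit_review_candidates are candidates for the 
supervisory review of purchase history described above, not findings in 
themselves.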

Case Illustration: Review and adjustment of span of control and 
financial exposure: 

[See PDF for image]

[End of figure]

Management should identify the appropriate knowledge and skills needed 
in the purchase card program, require the needed training, and maintain 
documentation evidencing that required training is current for all 
program personnel. The extent and type of training provided should vary 
in relation to authority and responsibility in the program and to the 
amount of transaction authorization given to the cardholder. At a 
minimum, a cardholder should receive the standard purchase cardholder 
training provided by the organization or GSA before receiving a 
purchase card.[Footnote 16] Periodic (biannual) refresher training 
provided to cardholders can be beneficial in maintaining their 
knowledge and awareness of control activities.

SIDEBAR: 

Of approximately $68 million in fiscal year 2000 purchase card 
transactions at two related organizations, approximately $17.7 million 
(26 percent) were made by cardholders for whom there was no documented 
evidence of required initial or refresher purchase card training.

[End of sidebar]

The auditor should obtain and evaluate documentation evidencing 
adherence to this element of the control environment for the 
cardholders and AOs related to and in conjunction with transactions 
selected for tests of transaction-level control activities. Both the 
appropriateness of training received as well as the attributes 
discussed below can be reviewed when evaluating this element of the 
control environment. Training documentation and relevant attributes to 
consider include the following.

* Certificates/record of training, for both initial and refresher 
courses, should clearly show (1) the type of training received (e.g., 
instructor led, computer based, internet based), (2) that the training 
was relevant to the purchase card program, (3) that the training was 
appropriate to the level of authorized spending and program authority 
of the individual, (4) the signature of the cardholder and the 
instructor (if applicable), (5) that the date of initial training is 
prior to purchase card account activation, and (6) that the date of 
refresher training is within the required period.

* Centralized training records, or a database of cardholder, AO, and 
APC training should (1) provide detailed information similar to that 
contemplated above for certificates of training and (2) be available to 
the appropriate levels of program management to facilitate monitoring 
of adherence to program training requirements. The auditor should 
consider assessing the adequacy of centralized training records by 
tracing cardholders and AOs associated with the purchase card 
transactions selected for control tests to such records. Testing in 
association with transaction control tests is desirable because 
selecting and testing a representative sample from the centralized 
records would not identify cardholders and others who have not received 
training and are therefore not in the centralized records. Inquiries 
and other corroborating evidence could provide confirmation that 
centralized training records or databases are current, and are being 
used to monitor adherence to training requirements.

Candid and constructive counseling, performance appraisals, and 
discipline can provide reinforcement of the system of internal control. 
Internal control policies and procedures should identify the specific 
actions or lack of adherence to internal control within the purchase 
card program that warrants counseling, discipline, or both.

The auditor should obtain and evaluate documentation evidencing this 
element of the control environment for the cardholders and AOs related 
to and in conjunction with transactions selected for tests of 
transaction-level control activities. The documentation and relevant 
attributes of discipline to consider evaluating fall into two general 
categories: 

* Constructive counseling might be provided to cardholders and AOs in 
response to isolated instances of lack of adherence to internal control 
policies, procedures, and activities. The auditor should obtain and 
review for propriety documentation of counseling provided for isolated 
instances of lack of adherence to controls detected in the transactions 
selected for control testing.

SIDEBAR: 

A GAO audit found that despite agency operating instructions providing 
for restitution and revocation of card privileges, repeat violators of 
regulations and internal controls did not lose their purchase cards and 
did not repay the government for unauthorized purchases.

[End of sidebar]

* Disciplinary actions to be taken in response to recurring or 
persistent lack of adherence to internal controls and specific 
consequences for improper and abusive purchases should be adopted by 
the organization as part of the system of internal control. Such 
consequences can vary with the severity and persistence of the policy 
violation, and might include formal and informal reprimands, suspension 
or cancellation of the purchase card account, termination of 
employment, and referral to investigative authorities in cases of 
suspected fraud. Instances warranting discipline should be documented 
and included in personnel files and, if applicable, performance 
appraisals. The auditor should obtain and review documentation of 
disciplinary actions taken for instances of significant lack of 
adherence to controls and for improper and abusive purchases detected 
during the control activities testing. Documentation should also be 
obtained of all cases of detected potential fraud occurring during the 
period under audit and included in considerations for follow-up, as 
discussed in the Follow-up and Investigation section of this guide. 
Disciplinary actions alone may be an insufficient response to detected 
fraud. For that reason, instances of fraud that are declined for 
prosecution and referred to management for disciplinary action should 
be followed up to ensure that, in the professional judgment of the 
auditor, appropriate actions were taken by organization management.

In a government purchase card program, purchasing authority establishes 
a cardholder's authority to possess and use a government purchase card. 
It also establishes the cardholder's single-transaction and credit 
limits. Some organizations will assign different spending limit 
authorities to the same cardholder, which apply to different uses of 
the card. For example, a cardholder who is a warranted contracting 
officer is assigned two purchasing authorities, on either a single or 
on two different purchase card accounts: (1) a $2,500 
single-transaction limit with a $40,000 monthly purchase limit for 
purchases of goods or services and (2) a $100,000 single-transaction 
limit with a $500,000 credit limit for use of the purchase card as a 
method of payment on a preexisting contract. Authority is also 
established for AOs to review and authorize payment of cardholder 
accounts. AO authority should also identify the specific cardholder(s) 
for which review and certification responsibilities have been assigned. 
GAO has suggested that AOs' credit limits relate to the total 
cumulative monthly purchasing limits of the cardholders assigned to 
them.

The auditor should obtain and evaluate documentation evidencing this 
element of the control environment for the cardholders and AOs related 
to and in conjunction with transactions selected for tests of 
transaction-level control activities. For evaluation and testing 
purposes, each level of purchasing authority given to a cardholder 
(e.g., $2,500 single-transaction limit for local vendor purchases, 
$100,000 limit for purchases on an existing contract) should be deemed 
a separate cardholder.

Documentation evidencing purchasing authority for cardholders, and 
review and certification authority for AOs, should be obtained and 
evaluated for instances of significant lack of adherence to controls, 
including (1) documentation of the cardholder's purchasing 
authorization (e.g., organizational standard form) dated prior to the 
transaction date and (2) documentation of the AO's authorization (e.g., 
organizational standard form) dated prior to the transaction date. 
Attributes that the auditor should consider reviewing when evaluating 
the effectiveness of this control include the following: (1) the date 
of the purchase transaction, compared to the date of the cardholder's 
purchasing authority, compared to the date of the AO's authorization, 
(2) the amount of the transaction, compared to the amount of the 
cardholder's single transaction authority, (3) the total amount of the 
cardholder's billing statement, compared to the cardholder's and AO's 
authorized credit limits, (4) the cardholder account single-transaction 
and credit limit carried in the bank's system, compared to those 
authorized in the cardholder's purchasing authority, and (5) that the 
AO's assignment of responsibility includes the specific cardholder's 
account.
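The five attribute comparisons listed above can be applied mechanically to each sampled transaction once the authorization documents have been keyed in. The following Python sketch is an added example, not part of the GAO guide; the record layouts, field names, failure codes, and sample data are assumptions constructed for illustration. Missing documents are scored as failures, and each level of purchasing authority is looked up as a separate cardholder.

```python
from dataclasses import dataclass
from datetime import date

# Record layouts, field names and failure codes are assumptions of this example.

@dataclass(frozen=True)
class Authority:
    signed: date            # date on the cardholder's authorization form
    single_limit: float
    credit_limit: float

@dataclass(frozen=True)
class AOAuthority:
    signed: date            # date on the AO's authorization form
    credit_limit: float
    accounts: frozenset     # cardholder accounts assigned to this AO

@dataclass(frozen=True)
class Txn:
    account: str
    level: str              # authority level used; each level is its own "cardholder"
    ao: str                 # AO who certified the statement
    sale_date: date
    amount: float
    statement_total: float  # total of the billing statement holding this transaction


def check_authority(txn, auth, ao, bank):
    """Return the failed attributes for one sampled transaction.

    auth, ao and bank are the documents obtained for the transaction; None
    means the document was not produced, which is scored as a failure.
    bank is the (single-transaction limit, credit limit) pair in the bank's system.
    """
    failures = []
    if auth is None:
        failures.append("NO_CARDHOLDER_AUTHORITY")
    else:
        # "Dated prior to" is read strictly: a same-day form fails (a judgment call).
        if auth.signed >= txn.sale_date:
            failures.append("CARDHOLDER_AUTHORITY_NOT_PRIOR")
        if txn.amount > auth.single_limit:
            failures.append("OVER_SINGLE_TRANSACTION_LIMIT")
        if txn.statement_total > auth.credit_limit:
            failures.append("STATEMENT_OVER_CARDHOLDER_CREDIT_LIMIT")
        if bank is None:
            failures.append("NO_BANK_LIMITS")
        elif bank != (auth.single_limit, auth.credit_limit):
            failures.append("BANK_LIMITS_DIFFER_FROM_AUTHORITY")
    if ao is None:
        failures.append("NO_AO_AUTHORITY")
    else:
        if ao.signed >= txn.sale_date:
            failures.append("AO_AUTHORITY_NOT_PRIOR")
        if txn.statement_total > ao.credit_limit:
            failures.append("STATEMENT_OVER_AO_CREDIT_LIMIT")
        if txn.account not in ao.accounts:
            failures.append("ACCOUNT_NOT_ASSIGNED_TO_AO")
    return failures


# Constructed sample data (not from the guide).
AUTHORITIES = {
    ("CH-0001", "micro"): Authority(date(2003, 1, 15), 2500.0, 10000.0),
    ("CH-0002", "micro"): Authority(date(2003, 6, 2), 2500.0, 10000.0),
}
BANK_LIMITS = {
    ("CH-0001", "micro"): (2500.0, 10000.0),
    ("CH-0002", "micro"): (5000.0, 10000.0),
}
AOS = {"AO-17": AOAuthority(date(2003, 1, 10), 25000.0, frozenset({"CH-0001"}))}
SAMPLE = [
    Txn("CH-0001", "micro", "AO-17", date(2003, 2, 3), 1800.0, 6200.0),
    Txn("CH-0001", "micro", "AO-17", date(2003, 4, 9), 2950.0, 11400.0),
    Txn("CH-0002", "micro", "AO-17", date(2003, 5, 20), 400.0, 900.0),
    Txn("CH-0003", "micro", "AO-22", date(2003, 5, 1), 100.0, 100.0),
]


def run_tests(sample=SAMPLE):
    """Return one list of failed attributes per sampled transaction, in order."""
    return [
        check_authority(
            t,
            AUTHORITIES.get((t.account, t.level)),
            AOS.get(t.ao),
            BANK_LIMITS.get((t.account, t.level)),
        )
        for t in sample
    ]


if __name__ == "__main__":
    for txn, failures in zip(SAMPLE, run_tests()):
        print(txn.account, txn.sale_date, failures or "pass")
```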

Section 3: Making, Documenting, and Using the Preliminary Assessment: 

The preliminary assessment is a critical analysis of whether, in the 
professional judgment of the auditor, the existing internal control 
policies, procedures, and activities as designed, if in place and 
operating, will provide management with reasonable assurance that 
significant fraudulent, improper, and abusive purchases will be 
prevented or promptly detected. A preliminary assessment of the 
organization's plan of internal control will assist the auditor in (1) 
identifying significant weaknesses in designed control activities, (2) 
planning and designing control tests, and (3) identifying data-mining 
criteria.

The auditor, considering the overall control environment, should make a 
critical comparison of the risk/opportunities for fraudulent, improper, 
and abusive purchases and the internal control policies, procedures, 
and activities designed to guard against them. The knowledge gained in 
the Understanding Operations and Programs section of this guide will 
provide information useful in the preliminary assessment of internal 
control. In some circumstances, this information may need to be 
supplemented with additional inquiries, observations, and nonsampling 
tests of controls. When reaching conclusions in the preliminary 
assessment, the auditor should also consider the bank service 
provider's systems and controls, the audit objectives, prior audit 
findings and recommendations, and management's responses and corrective 
actions taken.

Assessing the Adequacy of the Design of Control Activities: 

Our audits of purchase card programs have identified (1) the 
determination of a legitimate government need, (2) screening for 
required sources of supply, (3) independent receipt and acceptance, (4) 
establishing accountability over certain property, (5) cardholder 
reconciliation, and (6) AO review as key transaction-level control 
activities in mitigating the risk of fraudulent, improper, and abusive 
purchases. These key control activities should be included in the 
auditor's preliminary assessment of the adequacy of the design of 
control activities. It will also be helpful to the auditor's critical 
comparison process to prepare a list of the identified 
risk/opportunities for potentially fraudulent, improper, and abusive 
purchases to occur and a list of the existing relevant control 
activities. An individual control activity will probably address 
multiple risks of potentially fraudulent, improper, and abusive 
purchases, and an individual risk may be addressed by more than one 
control activity. Therefore, a simple one-to-one comparison will 
probably not be effective. For example, the control activity of 
independent receipt and acceptance can be instrumental in mitigating 
the risk of paying for services not performed, as well as mitigating 
the risk of purchased accountable property not being recorded in the 
organization's property record system.

One way to proceed is to prepare a simple schedule, as illustrated in 
figure 4, which lists the identified risk/opportunities for potentially 
fraudulent, improper, and abusive purchases and provides space for 
identifying (1) the related control activities, (2) the auditor's 
preliminary assessment conclusions, (3) the effects on the design of 
audit control tests, and (4) potential criteria for audit data mining.

Figure 4: Illustration of the process of assessing and concluding on 
the adequacy of designed control activities.

[See PDF for image]

[End of figure]

The above (figure 4) is provided as an illustration only of the process 
of making, documenting, and using the preliminary assessment of the 
design of internal control activities. The illustrated risks, controls, 
conclusions, effects, and identifications are highly dependent on the 
facts and circumstances of specific organization operations and 
purchase card programs. Auditors will need to exercise professional 
judgment when making these determinations.

Using the Preliminary Assessment: 

Auditors should find the observations and conclusions made in the 
preliminary assessment useful in determining the nature and extent of 
further audit work on an organization's purchase card program. These 
observations and conclusions can be useful in determining a strategy 
for internal control testing, including designing sample selections. 
For example, a preliminary assessment conclusion might be that the 
design of an internal control policy and one or more related control 
activities is strong and can provide management with reasonable 
assurance of preventing or promptly detecting fraudulent, improper, and 
abusive purchases. If the policy and control activities are considered 
to be strong, tests designed to determine the extent to which the 
control activities are being performed would likely be an efficient and 
cost-effective audit procedure. However, if the auditor considers the 
policy or the control activity to be ineffective or nonexistent, tests 
for performance of control activities would generally not be 
appropriate or cost effective. Whether to design and conduct tests of 
performance for controls considered to be weak will require 
professional judgment and consideration of the facts and circumstances 
of individual cases.

The results of the preliminary assessment can also be useful to the 
auditor's consideration of other procedures (such as data mining, which 
is discussed later in this guide) designed to detect fraudulent, 
improper, and abusive transactions resulting from identified weaknesses 
in the design of controls. For example, if the preliminary assessment 
is that the design of internal control does not provide reasonable 
assurance of compliance with requirements to purchase from statutory 
sources of supply, then purchase card transactions with other vendors 
who sell similar goods and services may provide examples of the result 
of that control weakness.

Section 4: Testing the Effectiveness of Key Control Activities: 

A well-designed system of internal control for a purchase card program 
is needed to provide reasonable assurance that the program is operating 
as intended and is not vulnerable to significant fraudulent, improper, 
and abusive purchases. However, a system of internal control, no matter 
how well designed, cannot be relied on if control activities are not in 
place and operating effectively on an ongoing basis. Control 
activities, identified during the preliminary assessment process as 
likely to be effective at preventing or detecting fraudulent, improper, 
and abusive purchases, should be tested to determine if they are being 
adequately adhered to. This section discusses (1) obtaining and 
verifying the completeness of the purchase card transactions database, 
(2) designing a statistical sample of purchase card transactions, (3) 
obtaining the documentary evidence of performance of control 
activities, and (4) designing and conducting tests to determine if key 
control activities are in place and operating as intended.

In our audits of purchase card programs, we used two basic types of 
control testing to evaluate the effectiveness of internal control 
activities: 

* statistical sampling[Footnote 17] (selections expected to be 
representative of, and projectable with quantifiable accuracy to, a 
population), which is discussed in this section of the guide, and 

* nonrepresentative selections (selections not expected to be 
representative of or projectable to a population), such as data mining, 
which is discussed in section 5 of the guide.

This guide considers control activities designed to prevent or detect 
fraudulent, improper, and abusive transactions in a purchase card 
program to operate on two basic levels: (1) control activities that 
operate at the transaction level (e.g., independent receipt and 
acceptance, cardholder reconciliation) and (2) controls that operate at 
some other level (e.g., training, span of control). Elements of the 
control environment discussed in the Internal Control and the Control 
Environment section of this guide are not considered transaction-level 
control activities. However, testing and evaluating certain of these 
elements (i.e., training, discipline, and purchasing and reviewing 
authority) can be efficiently accomplished in conjunction with the 
testing of transaction-level control activities.

Obtaining Transaction Data: 

Tests of control activities that operate at the transaction level are 
applied to selected purchase card transactions, generally contained in 
an electronic file database. The auditor will need to identify and 
obtain the appropriate database of purchase card transactions, select 
the transactions to test, and extract the appropriate transaction 
information from the database. In order to obtain the appropriate 
population of purchase card transactions, the auditor will need to 
establish and define the scope of the audit. The scope of the audit can 
be defined in terms of control activities in place and operating for a 
period, a unit, or an activity, or a combination of those terms (e.g., 
all purchase card transactions executed by the organization during the 
fiscal year ended September 30, 2003). Also, if the data are stored in 
an electronic database, the auditor will need to determine that the 
transaction data elements necessary to achieve the audit objectives are 
included in the database obtained.

The purchase card transactions selected for testing should be selected 
from a population that includes all relevant transactions, including 
convenience checks, in the scope of the audit. In order to ensure the 
relevance and completeness of the population transaction database, the 
auditor should obtain value and quantity-control totals from a source 
independent of the database provider and agree them to the data 
obtained. For example, a transaction database supplied by the bank 
service provider could be agreed or reconciled to the organization's 
records of purchase card activities, or the bank service provider may 
supply control totals to verify a transaction database provided 
directly by the organization.

Coordinating with the Bank Service Provider: 

Establishing a contact and coordinating the audit effort with the bank 
service provider presents the auditor with an opportunity to gain a 
current understanding of the bank's program operations, processes, and 
controls, as more fully discussed in the Understanding the Bank Service 
Provider's Program section of this guide. Coordination with the bank 
can also provide the needed transaction databases or the ability to 
verify organization transaction databases by comparison to independent 
control totals. Fraud investigators involved in the purchase card audit 
may also be afforded an opportunity to evaluate the bank's fraud 
investigation and detection methodologies and benefit from other 
information provided by the bank's credit card fraud investigators.

Selecting Purchase Card Transactions: 

One of the first decisions the auditor will need to make is whether to 
use statistical sampling to select transactions for testing. In most 
audit circumstances, statistical sampling is the recommended approach 
for making estimates about and drawing conclusions from a population of 
transactions and for estimating the percentage of transactions in the 
population for which control activities were or were not in place and 
operating as intended. Statistical sampling is appropriate: 

* if there is a desire to estimate whether control activities for a 
population of transactions are in place and operating as intended, and 
to quantify the accuracy of this assessment based on statistical 
theory;

* if there is a desire to estimate whether some control activities for 
a population of transactions are operating as intended to a greater or 
lesser degree than other activities, and to quantify the accuracy of 
this assessment based on statistical theory; and 

* if it is desirable to estimate the dollar value for a population of 
purchase card transactions subject to detected control weaknesses or 
failures, and to quantify the accuracy of the assessment based on 
statistical theory.

In these cases, a statistical sample should be designed so that 
statistical theory can be used to estimate failure rates and the dollar 
value of transactions subject to ineffective controls in the population 
and to quantify the accuracy of those estimates.

In other audits of purchase card programs, making statistical estimates 
of the failure rate in the population of transactions may not be 
important. For example, if there are no control activities, or if the 
design of controls is clearly inadequate, there would be little point 
in testing control activities and estimating the associated failure 
rates. As another example, certain control activities may only apply to 
a very small portion of transactions. In these cases, an assessment 
might be made of the effectiveness of control activities through means 
such as observation, inquiry, and inspection of a nonrepresentative 
selection of transactions. However, it should be understood at the 
outset that when experience and understanding of the subject matter are 
used to assess the effectiveness of control activities based solely on 
observation, inquiry, or inspection of a nonrepresentative selection of 
transactions, the results cannot be reliably or statistically projected 
to all transactions of that type.

Considerations in Designing a Statistical Sample: 

The auditor, in conjunction with a statistician, will need to consider 
a number of issues in order to design statistical samples for 
government purchase card programs. These issues include, but are not 
limited to, the following.

* The organization of the population of purchase card transactions. 
Typically, these records are organized in one or more electronic files. 
In this case, various sampling options are available. Two of these 
options are (1) simple random sampling of transactions and (2) 
partitioning transactions into non-overlapping groups (strata), 
followed by selecting simple random samples of transactions in each 
stratum.

* The organization of the documentation evidencing performance of 
control activities. These documents may be stored in one or more 
geographic locations, which may or may not limit or impair 
accessibility by the auditor. In either case, a sample design should 
account for the geographic dispersion. The following are examples of 
available options.

* Geographic strata. If personnel are available to collect data from 
each location, then a sample design might have locations as strata, 
with appropriate sampling methods within each stratum. A stratified 
design would protect against the possibility of an "unlucky" sample, 
that is one having no or few transactions from one or more locations in 
a random sample selected from the population of all transactions. It 
may also provide more precise estimates than a random sample of the 
same size selected from the population of all transactions.

* Geographic location sample. If it is not possible to collect data 
from each geographic location, then a two-stage statistical sample can 
be made of (stage one) geographic locations, with appropriate sampling 
methods used (stage two) within each selected location. If the 
geographic locations are chosen using statistical sampling, the auditor 
will be able to make estimates about all purchase card transactions in 
the population.

* Case study approach. The auditor may find, however, that the 
documents that will be examined to determine whether control activities 
are being performed are so geographically dispersed that it is not cost 
effective to collect data from statistically sampled locations. In this 
case, the auditor may wish to consider a case study approach. In a case 
study approach, locations are selected for specific reasons instead of 
being chosen using statistical sampling. Statistical samples of 
transactions are then selected for each of the selected locations. The 
auditor should note, however, that data collected from a case study 
approach can only be used to assess adherence to controls at the 
specified locations. Sample data from a case study approach cannot be 
used to make assessments about adherence to controls for the entire 
population of purchase card transactions.

Case Illustration: Statistical sample design: 

[See PDF for image]

[End of figure]

* Information about the approximate level of nonadherence to controls. 
Such information may be obtained from (1) similar studies performed in 
the recent past, (2) estimates by subject matter experts, or (3) 
information obtained by the auditor during the preliminary assessment 
relating to nonadherence rates. These "guesstimates" are very useful to 
the statistician in estimating what sample size might be needed to 
achieve specified precision levels on estimated nonadherence rates.

* The relationship between the approximate nonadherence rate and the 
acceptable nonadherence/adherence rates. At what rate of failure would 
the auditor consider a control to be ineffective? Effective? If the 
expected level of nonadherence (or adherence) is close to the minimum 
rate that is considered unacceptable (or acceptable), a larger sample 
may be required to assert nonadherence (or adherence) to controls.

* Inherent strengths/weakness. Certain types of transactions may be 
expected to have different rates of nonadherence to controls than other 
types (e.g., transactions for large dollar amounts processed at a 
higher level by personnel who likely have taken contractor officer 
training). If so, the population of transactions can be partitioned 
into strata so the expected rate of nonadherence differs from one 
stratum to the next. Separate samples of transactions can then be taken 
in each stratum. A stratified design that takes advantage of expected 
differences in nonadherence rates across strata can provide more 
precise estimates than a random sample of the same size selected from 
the population of all transactions.

* Time and resources. The total amount of time available, the time it 
will take to evaluate the effectiveness of controls for each purchase 
card transaction, and the number of audit staff available are practical 
considerations that will directly influence the design and size of a 
sample.
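The following Python sketch is an added example, not part of the GAO guide. It shows two steps described above: agreeing the transaction extract to independent control totals before any selection is made, then drawing a repeatable simple random sample within each stratum. The record layout, the stratum boundaries, the sample sizes, and the seed are assumptions, and the population is constructed.

```python
import random
from collections import defaultdict

MICRO_LIMIT_CENTS = 250_000  # assumed stratum boundary ($2,500), not prescribed by the guide


def build_population(seed, size=1000):
    """Constructed stand-in for the bank's transaction file (amounts in cents)."""
    rng = random.Random(seed)
    population = []
    for i in range(size):
        if i % 20 == 0:    # convenience checks belong in the population too
            kind, cents = "check", rng.randint(500, 250_000)
        elif i % 10 == 3:  # large purchases, e.g. payments on existing contracts
            kind, cents = "card", rng.randint(250_001, 10_000_000)
        else:
            kind, cents = "card", rng.randint(500, 250_000)
        population.append({"id": f"T{i:05d}", "kind": kind, "cents": cents})
    return population


def reconcile(transactions, control_count, control_cents):
    """Return (count difference, cents difference) against independent control totals.

    Both differences must be zero before a sample is drawn. Duplicate ids are
    rejected because they would inflate the population being sampled.
    """
    ids = [t["id"] for t in transactions]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate transaction ids in extract")
    return (len(transactions) - control_count,
            sum(t["cents"] for t in transactions) - control_cents)


def stratum_of(txn):
    """Assign a transaction to exactly one non-overlapping stratum."""
    if txn["kind"] == "check":
        return "check"
    return "large" if txn["cents"] > MICRO_LIMIT_CENTS else "micro"


def stratified_sample(transactions, sizes, seed):
    """Simple random sample without replacement inside each stratum.

    Returns {stratum: (population size N_h, sampled transactions)}; N_h is
    kept because it is needed to project sample results to the population.
    """
    strata = defaultdict(list)
    for txn in sorted(transactions, key=lambda t: t["id"]):  # order-independent input
        strata[stratum_of(txn)].append(txn)
    rng = random.Random(seed)  # recording the seed makes the selection repeatable
    result = {}
    for name in sorted(strata):
        members = strata[name]
        n = min(sizes.get(name, 0), len(members))
        result[name] = (len(members), rng.sample(members, n))
    return result


if __name__ == "__main__":
    population = build_population(seed=7)
    # Control totals would come from a source independent of the database provider.
    control_count = len(population)
    control_cents = sum(t["cents"] for t in population)
    print("full extract:", reconcile(population, control_count, control_cents))
    print("short extract:", reconcile(population[:-3], control_count, control_cents))
    plan = {"check": 10, "large": 20, "micro": 40}
    for name, (n_pop, items) in stratified_sample(population, plan, seed=2003).items():
        print(name, "N =", n_pop, "n =", len(items))
```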

The Sampling Plan: 

The auditor and the statistician should develop a written sampling plan 
for inclusion in the audit work papers. The sampling plan should 
include, but is not limited to,

* the reasons that a sample was developed,

* the type of sample (e.g., statistical or nonstatistical) and sampling 
method (e.g., random) being used,

* a description of the population (e.g., nature, data elements, source, 
control totals),

* the sample design (e.g., confidence level, stratum criteria, number 
of items and dollars in population and stratum, sample size by stratum 
and population) selected along with a discussion of the factors 
considered and conclusion reached,

* guidelines about the types of evidence and attributes the auditor 
will accept as clear evidence of performance of control activities,

* information about the anticipated precision of the sample estimates,

* a definition of nonadherence to controls,

* expectations (if any) about the rate of nonadherence to controls, 
and 

* examples of the types of conclusions the auditor expects to be able 
to make after the sample data are analyzed (and projected to the 
population).

Extracting Selected Transaction Data Elements: 

Data elements of transactions selected for control activity testing (as 
well as those identified by data mining) will need to be extracted--
identified, selected, copied, and accumulated in a separate electronic 
file for further auditor analysis--from the population transactions 
database. At a minimum, those data elements should include the 
identification and other data elements necessary to facilitate control 
activity testing. The following are examples of data elements that 
might be included in such extracts.

* Transaction: amount, sale date, post date.

* Cardholder: name, account number, account address, work location, 
work telephone.

* Vendor: name, MCC, address, business telephone.

* AO: name, work location, work telephone.

Reporting Sample Results: 

The auditor should prepare a workpaper/file detailing the pass/fail 
results of tests of control activities (e.g., the number and dollar 
value of transactions failing a control activity) performed on each 
sample item, in accordance with the sample design (e.g., sampled 
strata). These results can then be provided to the statistician, who 
should project the sample results to the population and provide the 
auditor with a report recapping the population, the sampling plan used, 
the control tests performed by the auditor, the statistical estimates 
(e.g., attribute failure rates, dollar values), and the associated 
confidence intervals. The auditor should then prepare a summary 
memorandum that incorporates the sample test results and the 
statistician's report and recaps the rules used to assess the 
effectiveness of controls and the audit conclusions drawn from the 
projected sample results.

Analysis of Results from Statistical Samples: 

The primary questions that can be answered from analyzing the result of 
a statistical sample of attribute tests for control activity 
performance are as follows: 

1. What is the estimated failure rate and how accurate is that 
estimate?

2. Does the failure rate of performance of the control activity result 
in assessing the control as effective or ineffective?

To answer the first question, the failure rate from the statistical 
sample should be estimated taking the design of the sample into 
account. Since the statistical sample is only one of a large number of 
samples that could be drawn, a two-sided interval should be generated 
that will contain the actual (unknown) population failure rate for a 
specified percentage of samples that could be drawn. This interval is 
called a "confidence interval," and the specified percentage is called 
the "confidence level."[Footnote 18]

Case Illustration: Estimating the failure rate and the accuracy of the 
estimate: 

[See PDF for image]

[End of figure]

To answer the second question, the statistical sample results should be 
compared to a preset standard (e.g., control activities with adherence 
failure rates greater than 5 percent will be considered ineffective) 
and professional judgment.

Case Illustration: Assessing the control as effective or ineffective: 

[See PDF for image]

[End of figure]

For each audit of a government purchase card program, the auditor 
should choose the failure rate that classifies the performance of 
control activities as effective or ineffective. If the calculated 
results of the statistical sample are considered inconclusive (e.g., 
the predetermined effective/ineffective rate of adherence falls within 
the confidence interval of the estimated failure rate of a control 
activity), the auditor should use professional judgment in reaching the 
appropriate conclusion(s).
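The following Python sketch is an added example, not part of the GAO guide. It carries both questions through for a stratified sample: it estimates the failure rate with a two-sided confidence interval that takes the sample design into account, then compares the interval to a preset standard. The normal-approximation interval with a finite population correction is an assumed method (the guide does not prescribe one), and the stratum counts are constructed.

```python
import math
from statistics import NormalDist


def stratified_failure_rate(strata, confidence=0.95):
    """Estimate the population failure rate from a stratified random sample.

    strata: iterable of (N_h, n_h, failed_h): stratum population size, sample
    size, and number of sampled transactions that failed the control test.
    Returns (estimate, lower, upper) for a two-sided confidence interval.
    """
    strata = list(strata)
    total = sum(N_h for N_h, _, _ in strata)
    estimate = variance = 0.0
    for N_h, n_h, failed in strata:
        if not (2 <= n_h <= N_h and 0 <= failed <= n_h):
            raise ValueError(f"inconsistent stratum: {(N_h, n_h, failed)}")
        p_h = failed / n_h
        weight = N_h / total      # stratum share of the population
        fpc = 1 - n_h / N_h       # finite population correction
        estimate += weight * p_h
        variance += weight ** 2 * fpc * p_h * (1 - p_h) / (n_h - 1)
    if variance == 0.0:
        # Every stratum had 0% or 100% failures: the normal approximation
        # would give a zero-width interval, so an exact method is needed.
        raise ValueError("no variation in sample; use an exact interval")
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    half_width = z * math.sqrt(variance)
    return estimate, max(0.0, estimate - half_width), min(1.0, estimate + half_width)


def assess_control(strata, threshold=0.05, confidence=0.95):
    """Classify a control against a preset failure-rate standard.

    The result is inconclusive when the threshold falls inside the interval;
    that case is left to the auditor's professional judgment.
    """
    estimate, lower, upper = stratified_failure_rate(strata, confidence)
    if lower > threshold:
        verdict = "ineffective"
    elif upper < threshold:
        verdict = "effective"
    else:
        verdict = "inconclusive"
    return verdict, estimate, lower, upper


# Constructed results: (N_h, n_h, failed_h) for a "micro" and a "large" stratum.
RESULTS = {
    "independent receipt and acceptance": [(9000, 150, 12), (1000, 50, 1)],
    "AO review": [(9000, 150, 30), (1000, 50, 5)],
    "cardholder reconciliation": [(9000, 150, 1), (1000, 50, 0)],
}

if __name__ == "__main__":
    for control, strata in RESULTS.items():
        verdict, est, lo, hi = assess_control(strata)
        print(f"{control}: {est:.1%} ({lo:.1%} to {hi:.1%}) -> {verdict}")
```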

Obtaining Documentation Evidencing Performance of Control Activities: 

Documentation provides the auditor an opportunity to inspect evidence 
of ongoing adherence to internal control policies and performance of 
control activities. The data evidencing performance of transaction-
related control activities will most likely, but not necessarily, 
reside within the organization. Examples of documentation that might 
evidence performance of specific control activities are included in the 
Testing Control Activities section of this guide. The lack of such 
documentation, although a strong indicator of a lack of adherence and 
performance, does not necessarily preclude adherence or performance. 
However, all lack of adequate documentation should initially be 
considered as a failure of the relevant control activity test. Missing 
documentation should elevate the level of the auditor's professional 
skepticism when conducting any additional audit procedures considered 
appropriate (e.g., additional inquiry, consideration of other 
supporting documentation, direct interviews with cardholders and AOs). 
Transactions and cardholders with significant or persistent lack of 
documentation should be considered for follow-up in accordance with the 
Follow-up and Investigation section of this guide.

Original documents should be reviewed whenever possible. The extent 
that copies of original documents are retained for audit work papers 
will depend on the circumstances and professional judgment. However, 
the work papers should include copies of documents supporting findings 
of a significant lack of adherence to policies; performance of control 
activities; and any potentially fraudulent, improper, and abusive 
purchases. As discussed later in the Follow-up and Investigation 
section of this guide, copies of documents will also be necessary to 
the follow-up process.

Obtaining Documentation from the Organization: 

The auditor will need to provide the organization sufficient 
information to identify the specific transactions selected for testing 
(e.g., cardholder name and number, transaction sale or post date, and 
amount). The auditor should, during planning, allow sufficient time for 
this step since documentation may be in geographically diverse 
locations, and the organization may need to send out requests for the 
needed information. The auditor should consider the knowledge gained 
about the control environment and other factors and exercise 
professional judgment when making decisions about (1) supplying 
selected transaction information to the organization, (2) when and how 
to receive documentation, and (3) the amount of time to allow the 
organization to produce documentation. The auditor and the organization 
should agree to (and the auditor should communicate in writing) the 
rules of the engagement, in advance, establishing time limits for 
providing requested documentation, after which audit conclusions will 
be based on the documentation provided.

Evidence of Performance: 

The auditor should design tests that clearly and specifically identify 
acceptable attributes that evidence actual performance of control 
activities. Guidelines should be developed about what constitutes 
"clear evidence of performance" before testing begins. Such evidence 
may include appropriate sequencing of dates, cardholder and AO tick 
marks or other indications on individual transactions, and 
corroborating representations of performance by management personnel. 
Developing these guidelines in advance and including them in the 
sampling plan will enhance the ability of audit staff to make 
consistent assessments across sampled transactions. If there will be a 
cadre of audit staff assessing whether there is clear evidence of 
performance, they should be trained before data collection begins to 
enhance their collective ability to make consistent assessments. Also, 
appropriate supervisory review and validation of the assessments made 
by the audit staff will be needed. An independent supervisory 
assessment of selected sample items is one way to accomplish that 
review.

Testing Control Activities: 

Tests for performance of control activities should be performed using 
the data gathered. For purposes of this guide, many control activities 
are considered transaction specific (e.g., independent receipt and 
acceptance, AO review), and the related tests should be accomplished at 
the transaction level. Also, as discussed in the Internal Control and 
the Control Environment section of this guide, some of the key elements 
of the control environment (e.g., training, discipline, purchasing and 
approving authority) lend themselves to efficient testing in 
conjunction with the testing of transaction-level control activities. 
The auditor should consider coordinating tests of those elements of the 
control environment with the tests of the following transaction control 
activities.

Transaction Control Activities: 

This guide discusses the following six control activities directly 
related to purchase card transactions and their supporting 
documentation and performance attributes for consideration by the 
auditor: 

* determining a legitimate government need,

* screening for required vendors,

* independent receipt and acceptance,

* establishing accountability over property,

* cardholder reconciliation, and 

* AO review.

The specific tests of control activities accomplished, the specific 
documents reviewed, and the attributes considered may vary as audit 
objectives vary. When conducting the transaction control tests discussed 
below, auditors should also evaluate purchases for compliance with 
relevant laws and regulations (e.g., exemption from sales tax). The 
auditor should consider consulting with legal counsel for assistance in 
evaluating questions of the existence of a legitimate government need. 
The auditor should also consider conducting follow-up, as discussed 
later in this guide, in instances of a questionable legitimate 
government need or prohibited or otherwise inappropriate government 
purchases.

SIDEBAR: 

Prepurchase approvals were found in up to 98 percent of purchase card 
transactions tested in a recent GAO audit.

[End of sidebar] 

Determining a legitimate government need provides reasonable assurance 
to the organization that its resources are not being wasted. A 
legitimate need for the goods or services being acquired should be 
determined before a purchase is made. In a government purchase card 
program, the initial responsibility for making this determination may 
be assigned to the cardholder through the organization's policies and 
procedures. Prepurchase requests or other authorization prepared by a 
supervisor, or prepared by operations personnel and signed by a 
supervisor, can provide the cardholder with documentation of a 
legitimate government need. Organization policies may leave 
verification and documentation that purchases are for a legitimate 
government need to the discretion of the cardholder--a practice usually 
considered a weakness in the design of control. The organization's 
policies and procedures may identify specific items or types of 
purchases requiring special approval. However, prepurchase 
authorizations are not required by all government organizations, and 
some organizations may provide blanket authorization for routine 
purchases. When there is no documentation of a legitimate government 
need for other than routine items, the auditor should view such 
purchases with an elevated level of professional skepticism. Further, 
the organization's policies and procedures may restrict or prohibit the 
purchase of certain items or types of goods and services. Auditors 
should be aware of these requirements, restrictions, and prohibitions 
and the requirement, or lack thereof, for documentation establishing 
the government's need.

SIDEBAR: 

Auditors questioned whether a valid need had been identified, when "to 
get enough goodies for everyone" 80 Palm Pilots costing $30,000 were 
purchased and inventoried to be issued to personnel when requested.

[End of sidebar] 

Documentation evidencing the determination of a legitimate government 
need should be obtained and reviewed. This could include (1) a 
prepurchase request or authorization, (2) written blanket authorization 
for small routine purchases (e.g., office supplies), (3) written 
justification by the cardholder or other program personnel of the 
government need for the purchase, (4) other required documentation for 
specifically controlled or restricted purchases (e.g., a purchase 
justification or business need analysis for computer equipment), and 
(5) the vendor invoice describing the goods or services purchased.

Attributes to consider evaluating include (1) the date of government 
need determination, compared to date of the purchase, (2) whether the 
purchased item is included on the organization's prohibited or 
restricted list, and (3) the item purchased on the vendor invoice, 
compared to the item for which a need was determined. The auditor 
should consider the knowledge gained in previous sections of the guide 
of the organization's operations and the control environment, and, with 
an appropriate level of professional skepticism, exercise professional 
judgment and evaluate the reasonableness of the legitimate government 
need determination.

Screening for required vendors provides the organization with 
reasonable assurance of compliance with laws and regulations related to 
statutory sources of supply. One such regulation is FAR Subpart 8, 
Required Sources of Supplies and Services. This regulation generally 
requires federal agencies to purchase supplies, services, and printing 
from designated sources, such as the Federal Prison Industries, the 
National Industries for the Blind, NISH (serving people with a range of 
disabilities), and the Government Printing Office. Auditors should be 
aware of these and other laws, regulations, contractual agreements, and 
policies and procedures, which direct the organization to acquire goods 
and services from sources such as GSA schedules and contracts, blanket 
purchase agreements, and single source suppliers. Auditors should also 
be aware of exceptions provided to these and other requirements, 
generally having to do with practicality and availability.

SIDEBAR: 

Despite laws and regulations requiring priority be given to certain 
required vendors, a recent GAO audit found failure rates in this 
control ranging from 70 to 90 percent of purchases tested.

[End of sidebar] 

* Documentation evidencing screening for required vendors should be 
obtained and reviewed, including (1) a purchase log, required by policy 
at some organizations, (2) other documents evidencing appropriate 
screening, and (3) a waiver or other documentation of the applicability 
of exceptions made to required sources of supply.

* Attributes to consider evaluating include (1) the date and cardholder 
signature or initial for screening, compared to the transaction date, 
and (2) the date and appropriate signature on waiver of purchase from 
required sources, compared to the transaction's date. Professional 
skepticism should be exercised when evaluating the appropriateness of 
any exceptions to required sources of supply.

SIDEBAR: 

Two related organizations could not demonstrate independent receipt and 
acceptance for about $27.4 million in purchased goods and services.

[End of sidebar] 

Independent receipt and acceptance of goods and services--that is, 
receipt and acceptance by someone other than the cardholder--provides 
reasonable assurance that the organization actually received what it is 
paying for. The inclusion of 
independence in the receipt and acceptance activity significantly 
strengthens the control by adding segregation of duties to the 
activity. In purchase card programs, the cardholder is usually 
responsible for verifying that independent receipt and acceptance has 
occurred before completing reconciliation.

* Documentation evidencing independent receipt and acceptance (e.g., a 
signature or initial on the vendor invoice, receipt, or shipping 
document) should be obtained and reviewed, including (1) the vendor 
invoice, (2) the shipping, receiving, or warehouse receipt for goods or 
services provided, and (3) the relevant cardholder billing statement.

* Attributes to consider evaluating include (1) the date of signed 
receipt, compared to the purchase date and cardholder reconciliation 
date, (2) the signature or initial, evidencing receipt by someone other 
than the cardholder, (3) notations (e.g., tick marks) indicating 
verification of quantities for appropriate purchases, (4) the invoice 
amount, compared to the cardholder billing statement amount, and (5) 
the invoice item description(s) and quantity, compared to receiving 
document description(s) and quantity.

SIDEBAR: 

Of 114 tested purchases of accountable property acquired with purchase 
cards, 60 (53 percent) were not recorded in property records, and 35 
(31 percent) could not be located.

[End of sidebar] 

Physical control and accountability over pilferable and other 
vulnerable property acquired by the purchase card, which is initiated 
at the purchase card transaction level, provides reasonable assurance 
to the organization that pilferable property (i.e., items that are 
portable and can be easily converted to personal use) is appropriately 
recorded and asset-safeguarding control is established at the time of 
purchase and receipt. Organizational requirements for this activity may 
vary with the volume, value, and sensitivity of pilferable property 
acquisitions. Control activities required of the cardholder should 
include initially identifying the pilferable property requiring asset 
control, notifying appropriate property management personnel within the 
organization of the acquisition, and supplying the information required 
to establish a record in the property control system. Audit procedures 
should include verification of the record in the property control 
system, and can be extended to physical inspection and verification 
that the property is in the possession of the government.

* Documentation evidencing performance of this activity should be 
obtained and reviewed, including (1) the vendor invoice, (2) evidence 
of independent receipt and acceptance, (3) the cardholder's billing 
statement, (4) the cardholder's notification of pilferable property 
submitted to property control system personnel, (5) the property 
control system record, and (6) if applicable, item serial numbers, 
which, if not evident in the existing transaction documentation, should 
be obtained by the auditor directly from the supplier or manufacturer.

* Attributes to consider evaluating include (1) the vendor invoice's 
quantity, description, and unique identifying numbers, such as serial 
numbers (considered a critical attribute for this control), compared to 
those attributes in the property control system record, (2) the date of 
purchase (sale date on the cardholder's statement), compared to the 
date of signed receipt, the date of cardholder notification to 
appropriate property personnel, and the date of property record entry, 
and (3) the property control system's description, assigned property 
number (e.g., bar code number), property item unique identifying number 
(e.g., serial number), and location, compared to those same attributes 
from a physical inspection or independent verification that the 
accountable property is in the possession of the government.

SIDEBAR: 

Tests of a statistical sample of purchase card transactions at four 
related organizations disclosed little evidence of cardholder 
reconciliation of purchases back to supporting documentation before 
payment of the bill.

[End of sidebar]

Cardholder reconciliation provides the organization with reasonable 
assurance that all transactions appearing on the cardholder's billing 
statement are appropriate charges for goods and services purchased for 
and received by the organization. Private individuals generally review 
their personal credit card statements to ensure that the purchases and 
amounts included are appropriate and correct. Government purchase 
cardholders should perform a substantially greater level of review. 
Cardholder reconciliation is the process of the cardholder gathering, 
reviewing, and providing the documentation to support that each 
purchase transaction appearing on the cardholder's billing statement is 
an appropriate, legitimate government purchase. The cardholder is 
responsible for identifying purchase card transactions that are 
unauthorized or that otherwise should not be paid by the government. 
The cardholder should promptly dispute unauthorized charges appearing 
on the billing statement with the bank service provider. For those 
charges for which the cardholder is unable to verify independent 
receipt and acceptance, the auditor should look for evidence of either 
a credit by the vendor or a formal dispute filed with the bank service 
provider.

The cardholder reconciliation and the AO review and certification for 
payment may be accomplished either manually or electronically. The 
electronic system may not require a signature or date and may leave 
little or no audit trail of the application of control activities to 
billing statements and individual transactions. The auditor should 
obtain, review, and use professional judgment and skepticism in 
considering the value of system-generated reports and screen prints as 
evidence of actual performance, when evaluating adherence to control 
activities. The attributes described in this section remain relevant to 
audit considerations and evaluations regardless of whether cardholder 
reconciliation is performed manually or electronically. If the 
available documentation is insufficient to evidence the actual 
performance of a control activity, the selected purchase card 
transaction should be considered as failing that activity. In this 
circumstance, the auditor may consider it necessary to extend audit 
procedures to the general and application controls of the electronic 
data processing (EDP) system, which is outside the scope of this guide.

* Documentation evidencing performance of cardholder reconciliation 
should be obtained and reviewed, including (1) the monthly purchase 
cardholder statement in a manual system, or other bank system-generated 
list of billing-period transactions in an electronic system, (2) the 
vendor invoice or sales receipt, and (3) evidence of formal dispute 
(e.g., organizational standard form) of unauthorized charges appearing 
on the cardholder's billing statement.

* Attributes to consider evaluating include (1) the cardholder's 
reconciliation signature, (2) the date of reconciliation, compared to 
organizational requirements, the AO review, and payment certification 
dates, (3) notations (e.g., tick marks, system notes) indicating that 
all transactions on the statement were individually reconciled, (4) the 
transaction date, amount, and vendor name on the vendor invoice, 
compared to those same attributes on the cardholder's statement, and 
(5) the transaction date, amount, and vendor name on formal dispute 
documentation, compared to those same attributes on the cardholder's 
statement. The auditor should consider following up on the appropriate 
resolution of disputed items.

SIDEBAR: 

Tests of a statistical sample of purchase card transactions at five 
related organizations disclosed numerous instances of AOs certifying 
bills for payment without reviewing cardholder reconciliations or 
supporting documentation.

[End of sidebar] 

AO review of the cardholder's reconciliation process provides 
reasonable assurance to the organization that the cardholder is timely 
and appropriately performing the reconciliation and is complying with 
all significant relevant controls to prevent or detect fraudulent, 
improper, and abusive purchases. The review also provides a basis for 
the AO to accept responsibility that the purchases are appropriate, 
legitimate government purchases before the billing statement total is 
certified for payment. The AO review, a critical control activity in a 
government purchase card program, should include a review of the 
cardholder reconciliation for timeliness and completeness and for the 
appropriateness of the supporting documentation for individual 
transactions. In evaluating the effectiveness of this control activity, 
the auditor should consider (1) the extent of the AO's review of the 
supporting documentation for a cardholder's individual transactions and 
(2) the extent of documentation (e.g., tick marks, system notes) of 
that review. To gain a better understanding of the extent of the AO's 
review of cardholder reconciliations, the auditor may consider 
interviewing the AO, in addition to reviewing documentation evidencing 
the review process.

As discussed in the section on cardholder reconciliation, the AO review 
and certification for payment may be accomplished either manually or 
electronically. The auditor should obtain, review, and use professional 
judgment and skepticism in considering the value of system-generated 
reports and screen prints as evidence of actual performance when 
evaluating adherence to control activities. The attributes described in 
this section remain relevant to audit considerations and evaluations 
regardless of whether the AO review is performed manually or 
electronically. If the available documentation is insufficient to 
evidence the actual performance of a control activity, the selected 
purchase card transaction should be considered as failing that 
activity. In this circumstance, the auditor may consider it necessary 
to extend audit procedures to the general and application controls of 
the EDP system, which is outside the scope of this guide.

* Documentation evidencing performance of this activity should be 
obtained and reviewed, including (1) the cardholder's reconciliation 
documentation, as discussed above, (2) documentation of the AO's review 
of the cardholder's reconciliation, (3) the AO's account billing 
statement, and (4) documentation of the AO's (or billing official's) 
certification for payment of the balance on his or her account billing 
statement.

* Attributes to consider evaluating include (1) the AO's review 
signature, (2) the date of the AO's review compared to organizational 
policy requirements, the date of the cardholder's reconciliation, and 
the date of the AO's (or billing official's) certification for payment, 
and (3) notations (e.g., tick marks, system notes) on cardholder's 
individual purchase card transactions, evidencing the AO's review and 
evaluation of the appropriateness of the transactions and the 
documentation supporting the cardholder's performance of other control 
activities.

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases: 

In addition to testing internal controls, GAO's purchase card 
methodology includes procedures designed specifically to identify 
potentially fraudulent, improper, and abusive purchase card 
transactions. Designing and conducting procedures specifically for the 
purpose of detecting such transactions serves multiple purposes, 
including the potential discovery of a previously unrecognized risk in 
the program. Additionally, top management will likely be more receptive 
to recommendations for corrective actions when a face is put on the 
consequences of weak control, and the effects are illustrated by 
instances of fraudulent, improper, and abusive purchases. GAO's 
methodology described in this guide is a two-step process similar to 
the process of selecting transactions and testing controls. It entails 
the pursuit of fraudulent, improper, and abusive purchases by (1) 
making nonrepresentative selections of transactions or patterns of 
activity in a process referred to as data mining and (2) conducting 
follow-up procedures, rather than control tests, using forensic 
auditing techniques on selected transactions and on cases of 
potentially fraudulent purchases detected during the audit process.

Data Mining for Detection, Illustration, and Disclosure: 

Data mining is the act of searching or "mining" data to identify 
transactions or patterns of activity exhibiting predetermined 
characteristics, associations, or sequences and anomalies between 
different pieces of information. Data mining produces leads for 
follow-up by auditors and investigators; consequently, the concept of data 
mining, as used in this guide, also includes performing audit 
procedures and investigations as necessary to evaluate the leads. 
Active continual data mining by organization management can also be 
used to identify and initiate investigations of instances of 
potentially fraudulent, improper, and abusive purchases, which can 
serve as an effective deterrent to such transactions in the future. 
Data mining, when conducted in concert with the tests of control 
activities, can provide additional evidence of significant instances of 
noncompliance with laws and regulations, such as those discussed in the 
Relevant Laws and Regulations section of this guide, and lack of 
adherence to internal control policies and procedures. In addition, it 
can identify previously unrecognized or underappreciated risks in the 
program. Revelations from data-mining results can often generate the 
upper management motivation necessary to bring about meaningful change 
in policies and procedures. The results of data mining should also be 
considered when evaluating the overall effectiveness of systems of 
internal control over government purchase card programs. However, since 
data mining is nonrepresentative, its results cannot be projected, and 
conclusions should not be reached on the population of purchase card 
transactions.

GAO's approach to data mining is designed to support its overall 
evaluation of the effectiveness of internal control of a government 
purchase card program and to provide examples of the results of 
weakness in internal control. That approach generally consists of: 

* identifying the population of transactions to data mine,

* identifying criteria and designing search queries, and 

* extracting or summarizing transactions or patterns of activity from 
the population for further analysis, selection, audit, and 
investigation.

The source of data for mining would generally be the same population as 
the source used to select transactions for control tests. The same 
population of transactions must be used if examples of control failures 
detected by data mining are to be relevant to the population of 
transactions and to the period covered by the control tests. This would 
allow the results of data mining to be considered in the overall 
evaluation of the effectiveness of internal control.

An experienced credit card fraud investigator will bring valuable 
perspective and insight and should be involved in the process of 
identifying criteria, associations, and characteristics for data mining 
for fraudulent, improper, and abusive purchases. When identifying and 
selecting data-mining criteria, the auditor should also consider the 
risks of potentially fraudulent, improper, and abusive purchases; 
data-mining criteria identified by the auditor during the preliminary 
assessment; and the data-mining criteria discussed in the following 
examples.

The following examples of data-mining queries, summaries, and 
extractions are appropriate to support an evaluation of the internal 
control of a government purchase card program as contemplated in this 
guide, and are intended to be used to identify and extract potentially 
fraudulent, improper, and abusive purchases from a transaction 
database.

SIDEBAR: 

Data mining of purchase card transactions at five related organizations 
disclosed numerous purchases of items for personal use, including 
digital cameras, computers, clothing, and food.

[End of sidebar]

* Questionable vendors are those vendors that sell goods or services 
that generally do not meet legitimate government needs, or are 
restricted or prohibited by law, regulation, or policy. Recent GAO 
audits of purchase card programs have identified potentially 
fraudulent, improper, and abusive purchases of goods and services from 
vendors such as restaurants, grocery stores, casinos, clothing or 
luggage stores, home furnishing stores, personal electronic stores, 
businesses providing pornographic or sexually oriented goods or 
services (e.g., escort services), automobile dealers, and gasoline 
service stations. The understanding gained of the organization's 
mission and operations, in accordance with a previous section of this 
guide, should provide the auditor with the insight necessary to make 
preliminary identification of vendors selling goods and services that 
likely do not meet legitimate government needs. The following are 
examples of ways to identify, extract, and select purchases from these 
vendors.

By name: Questionable vendors, which can be expected to sell unneeded 
or prohibited goods or services, can be identified by name. This can be 
accomplished by manually reviewing a comprehensive list of vendor names 
extracted and sorted alphabetically from the population database. The 
selection process can be greatly enhanced by including selected 
summarized data by vendor name (e.g., number of transactions, dollars 
of purchases, number of cardholders making purchases). For example, 
because of the goods and services provided by vendors specializing in 
toys, stylish personal calendar/planners, and consumer electronics, 
purchases from them generally have a high likelihood of being 
potentially fraudulent, improper, or abusive.

SIDEBAR: 

A recent GAO audit disclosed a purchase card transaction with a 
prohibited escort service vendor. The bank service provider had 
accepted the transaction despite the blocked vendor MCC.

[End of sidebar] 

By MCC: Questionable vendors can be identified by using MCCs--standard 
codes that the credit card industry maintains to categorize 
merchants--assigned to vendors that may sell personal or prohibited goods or 
services. Purchase card transactions carrying the identified codes can 
then be extracted from the population database. Sorting and summarizing 
the extracted transactions by vendor may further enhance the selection 
processes. Organizations have the ability to block purchases from 
vendors with selected MCCs at the bank service provider. Ideally, any 
attempt to charge a purchase from a vendor with a blocked MCC should be 
automatically rejected at the point of purchase. However, auditors 
should be aware that (1) vendors may circumvent this control by 
providing false or misleading information and obtaining MCCs intended 
to disguise the types of goods or services they provide, and (2) bank 
service providers do not always reject purchase card transactions with 
blocked vendor MCCs.

All transactions associated with the identified vendor names and MCCs 
should initially be considered potentially fraudulent, improper, and 
abusive and extracted into a questionable vendor transactions database 
for further selection and follow-up.
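
The by-name and by-MCC extractions described above, as an added Python example that is not part of the GAO guide. The transactions, name keywords, and the questionable and blocked MCC lists are constructed for illustration; an audit would take them from the organization's policy and its bank service provider.

```python
# Added example: extract questionable-vendor transactions by name and by MCC.
# Every record and criterion below is constructed sample data.

TRANSACTIONS = [
    {"id": 1, "cardholder": "CH-01", "vendor": "OFFICE SUPPLY DEPOT",
     "mcc": "5943", "amount": 182.40},
    {"id": 2, "cardholder": "CH-02", "vendor": "RIVERSIDE GRILL",
     "mcc": "5812", "amount": 64.10},
    # Vendor name suggests a casino, but the MCC is a gift-shop code.
    {"id": 3, "cardholder": "CH-03", "vendor": "LUCKY STAR CASINO GIFT SHOP",
     "mcc": "5947", "amount": 310.00},
    # MCC is on the blocked list, yet the transaction posted.
    {"id": 4, "cardholder": "CH-02", "vendor": "COMPANION SERVICES LLC",
     "mcc": "7273", "amount": 450.00},
    {"id": 5, "cardholder": "CH-02", "vendor": "RIVERSIDE GRILL",
     "mcc": "5812", "amount": 71.25},
    {"id": 6, "cardholder": "CH-04", "vendor": "FRESHWAY MARKET",
     "mcc": "5411", "amount": 38.90},
]

# Assumed criteria: whole words to look for in vendor names, MCCs the
# auditor treats as questionable, and MCCs the organization has blocked.
NAME_KEYWORDS = ("CASINO", "TOYS", "LUGGAGE", "ESCORT")
QUESTIONABLE_MCCS = {"5812", "5411", "7995", "7273"}
BLOCKED_MCCS = {"7995", "7273"}


def extract_questionable(transactions, keywords, questionable_mccs, blocked_mccs):
    """Return transactions that match any criterion, each with its reasons.

    Name and MCC are tested independently because a vendor can carry an
    MCC that disguises what it sells; a name match alone is still a lead.
    """
    hits = []
    for t in transactions:
        reasons = []
        words = set(t["vendor"].upper().split())
        for k in keywords:
            if k in words:                      # whole-word match only
                reasons.append("name:" + k)
        if t["mcc"] in questionable_mccs:
            reasons.append("mcc:" + t["mcc"])
        if t["mcc"] in blocked_mccs:
            # The bank service provider accepted a charge it should have
            # rejected at the point of purchase.
            reasons.append("blocked-mcc-accepted")
        if reasons:
            hits.append({**t, "reasons": reasons})
    # Sort by vendor so related transactions sit together for review.
    return sorted(hits, key=lambda h: (h["vendor"], h["id"]))


def blocked_but_accepted(hits):
    """IDs of posted transactions whose vendor MCC was on the blocked list."""
    return [h["id"] for h in hits if "blocked-mcc-accepted" in h["reasons"]]


if __name__ == "__main__":
    found = extract_questionable(TRANSACTIONS, NAME_KEYWORDS,
                                 QUESTIONABLE_MCCS, BLOCKED_MCCS)
    for h in found:
        print(h["id"], h["vendor"], h["mcc"], h["amount"], h["reasons"])
    print("blocked MCC but accepted:", blocked_but_accepted(found))
```
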

SIDEBAR: 

GAO testified that approximately $12,000 in potentially fraudulent 
cardholder purchases, including an Amana range, Compaq computers, gift 
certificates, groceries, and clothes, occurred primarily from December 
20 through December 26, 1999.

[End of sidebar] 

* Weekend and holiday purchases, in the operations of a normal 
governmental organization, could also offer a high probability of 
identifying potentially fraudulent, improper, and abusive 
transactions. However, using this approach to select transactions would 
not be effective if the organization's operations routinely involve 
weekend and holiday purchases. During the previously discussed process 
of gaining an understanding of the organization's operations, the 
auditor should look for and be aware of this and similar exceptions to 
normal operations when designing data-mining criteria. Purchase card 
transactions on weekends and holidays within the audit period should be 
identified and extracted into a suspect date transactions database for 
further selection.

SIDEBAR: 

Data mining purchases at five related organizations disclosed numerous 
occurrences of purchases split to circumvent the $2,500 micropurchase 
threshold, including $16,000 for furniture for an approving official's 
office.

[End of sidebar] 

* Split transactions are two or more transactions that would have 
normally been a single-purchase transaction, but were split to 
circumvent the micropurchase threshold (generally $2,500) or other 
legal or internal control single-purchase limits. For purposes of 
identifying sets of potential split transactions, all purchase card 
transactions in the audit period that meet the following criteria can 
be extracted into a potential split transactions database for further 
analysis: 

* the transactions are with the same vendor, and 

* the transaction dates are on the same day, and 

* the transactions total in excess of $2,500, and 

* the transactions are by the same cardholder, or the transactions are 
by the same activity/department. (Broadening the selection criteria to 
the same activity/department considers the potential for collusion 
among cardholders to circumvent single-purchase limits.) 

SIDEBAR: 

An organization approved and paid 75 purchase card transactions, all 
close to the micropurchase threshold, totaling $164,000, with a 
telecommunications contractor. The organization could not provide 
documentation of the nature of or receipt and acceptance of the 
services provided. After completing follow-up, GAO referred this case 
for criminal investigation.

[End of sidebar] 
 
A nonrepresentative selection of transactions can then be made from the 
potential split transactions database and submitted to the follow-up 
procedures described in the Follow-up and Investigation section of this 
guide. For purposes of determining circumvention of single-purchase 
limits, all applicable limits should be considered (e.g., micropurchase 
limit, cardholder organization authorized single-purchase limit, the 
bank service provider's system cardholder single-purchase limit).
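
The split-transaction criteria above, as an added Python example that is not part of the GAO guide. It groups by vendor and day for either the same cardholder or the same activity/department, and compares each group's total with the lowest applicable limit. The transactions, field names, and per-cardholder limits are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

MICROPURCHASE_THRESHOLD = 2500.00  # "generally $2,500" in the guide

# Constructed single-purchase limits per cardholder (assumption).
CARDHOLDER_LIMITS = {"CH-01": 2500.00, "CH-02": 2500.00,
                     "CH-03": 2500.00, "CH-04": 500.00}

# Constructed sample transactions.
TRANSACTIONS = [
    {"id": 1, "cardholder": "CH-01", "department": "FAC",
     "vendor": "ACME FURNITURE", "date": date(2003, 3, 10), "amount": 2400.00},
    {"id": 2, "cardholder": "CH-01", "department": "FAC",
     "vendor": "ACME FURNITURE", "date": date(2003, 3, 10), "amount": 2350.00},
    {"id": 3, "cardholder": "CH-02", "department": "FAC",
     "vendor": "NORTHSIDE ELECTRIC", "date": date(2003, 3, 12), "amount": 1800.00},
    {"id": 4, "cardholder": "CH-03", "department": "FAC",
     "vendor": "NORTHSIDE ELECTRIC", "date": date(2003, 3, 12), "amount": 1500.00},
    {"id": 5, "cardholder": "CH-04", "department": "ADM",
     "vendor": "PAPER PLUS", "date": date(2003, 3, 12), "amount": 300.00},
    {"id": 6, "cardholder": "CH-04", "department": "ADM",
     "vendor": "PAPER PLUS", "date": date(2003, 3, 12), "amount": 450.00},
    {"id": 7, "cardholder": "CH-01", "department": "FAC",
     "vendor": "ACME FURNITURE", "date": date(2003, 3, 11), "amount": 900.00},
]


def applicable_limit(cardholders, limits, threshold=MICROPURCHASE_THRESHOLD):
    """Lowest single-purchase limit that applies to anyone in the group."""
    return min([threshold] + [limits.get(c, threshold) for c in cardholders])


def find_potential_splits(transactions, scope, limits=CARDHOLDER_LIMITS):
    """Return groups of 2+ same-vendor, same-day transactions whose total
    exceeds the applicable limit.

    scope is "cardholder" or "department"; the department scope also
    surfaces purchases spread across several cardholders.
    """
    if scope not in ("cardholder", "department"):
        raise ValueError("scope must be 'cardholder' or 'department'")
    groups = defaultdict(list)
    for t in transactions:
        groups[(t["date"], t["vendor"], t[scope])].append(t)

    leads = []
    for (day, vendor, owner), txns in groups.items():
        if len(txns) < 2:
            continue  # a single transaction cannot be a split
        cardholders = sorted({t["cardholder"] for t in txns})
        limit = applicable_limit(cardholders, limits)
        total = round(sum(t["amount"] for t in txns), 2)
        if total > limit:
            leads.append({"date": day, "vendor": vendor, "scope": owner,
                          "cardholders": cardholders, "limit": limit,
                          "total": total,
                          "ids": sorted(t["id"] for t in txns)})
    return sorted(leads, key=lambda l: (l["date"], l["vendor"], l["scope"]))


if __name__ == "__main__":
    for scope in ("cardholder", "department"):
        print("scope:", scope)
        for lead in find_potential_splits(TRANSACTIONS, scope):
            print("  ", lead)
```

Groups returned under the department scope with more than one cardholder are the ones the cardholder scope cannot see. Every group is a lead for the follow-up procedures, not a finding.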

* Transactions of unusual amounts or relationships may be fraudulent, 
improper, or abusive. The auditor should review the database for the 
existence of unusual purchase card transaction amounts, patterns, and 
relationships. Examples of such transactions include: 

* frequent amounts with the same vendor just under the micropurchase 
threshold, which, for example, may indicate that a vendor is exploiting 
weak controls and charging for goods or services that are not being 
provided or rendered, and 

* multiple transactions for the same amount, which, for example, may 
indicate intentional or unintentional duplicate billings for the same 
goods or services.

SIDEBAR: 

An organization used year-end funds to purchase computers and monitors 
costing $47,372. Nine months later, over half of the computers remained 
in storage, raising questions of whether a legitimate need existed when 
purchased.

[End of sidebar] 

Purchase card transactions in the audit period for unusual amounts or 
relationships should be extracted into an unusual transactions database 
for further selection.

* Year-end spending may include purchases for which there are not 
legitimate government needs (e.g., bulk purchases of computer or 
electronic equipment). All purchase card transactions that exceed an 
established larger dollar value (e.g., $25,000) and occur in the last 
month of the fiscal year can be extracted into a year-end transactions 
database for further selection.

* Purchase card transactions by vendor for the audit period can be 
summarized to provide statistical data such as: 

* the number of cardholders making acquisitions with a vendor,

* the number of transactions with a vendor, and 

* the dollar volume of transactions with a vendor.

A critical analysis of the resulting vendor transaction summary totals, 
and their relationships, can identify opportunities for further data 
mining. Vendor summary totals at the extremes of activity, both high 
and low, warrant special attention. For example, a summary that shows 
that only one or two cardholders made purchases from a vendor, 
particularly if the dollar volume is high, may indicate a conflict of 
interest or fraudulent (e.g., kickbacks), improper, or abusive 
transactions. High dollar volumes of purchases may indicate a vendor 
with which the government should have a discounted price agreement. A 
vendor having only one transaction might indicate a questionable 
legitimate government need. If these summaries are accomplished using a 
software audit tool, the individual purchase card transaction detail 
underlying each vendor's summary totals will usually be available, 
facilitating further review and selection.
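
The vendor summary above, combined with the unusual-amount checks described earlier (frequent amounts just under the micropurchase threshold, repeated identical amounts), as an added Python example that is not part of the GAO guide. The transactions are constructed, and the 5 percent "just under" band, the $5,000 high-volume cutoff, and the count of three near-threshold charges are assumptions an auditor would set by judgment.

```python
from collections import Counter, defaultdict

MICROPURCHASE_THRESHOLD = 2500.00  # "generally $2,500" in the guide
NEAR_BAND = 0.05                   # assumption: within 5% below the threshold

# Constructed sample transactions: (cardholder, vendor, amount).
TRANSACTIONS = [
    ("CH-07", "TELECOM SERVICES CO", 2450.00),
    ("CH-07", "TELECOM SERVICES CO", 2475.00),
    ("CH-07", "TELECOM SERVICES CO", 2490.00),
    ("CH-07", "TELECOM SERVICES CO", 2450.00),
    ("CH-01", "OFFICE SUPPLY DEPOT", 120.00),
    ("CH-02", "OFFICE SUPPLY DEPOT", 85.50),
    ("CH-03", "OFFICE SUPPLY DEPOT", 240.00),
    ("CH-04", "OFFICE SUPPLY DEPOT", 60.00),
    ("CH-01", "OFFICE SUPPLY DEPOT", 310.00),
    ("CH-05", "BAYVIEW TOYS", 199.99),
    ("CH-01", "NATIONAL COMPUTER SUPPLY", 1900.00),
    ("CH-02", "NATIONAL COMPUTER SUPPLY", 2100.00),
    ("CH-03", "NATIONAL COMPUTER SUPPLY", 1750.00),
]


def summarize_vendors(transactions, threshold=MICROPURCHASE_THRESHOLD,
                      band=NEAR_BAND):
    """Per-vendor counts of cardholders and transactions, dollar volume,
    charges at or just under the threshold, and amounts billed more than once."""
    floor = threshold * (1 - band)
    by_vendor = defaultdict(list)
    for cardholder, vendor, amount in transactions:
        by_vendor[vendor].append((cardholder, amount))

    summary = {}
    for vendor, rows in by_vendor.items():
        amounts = [a for _, a in rows]
        repeats = Counter(amounts)
        summary[vendor] = {
            "cardholders": len({c for c, _ in rows}),
            "transactions": len(rows),
            "dollars": round(sum(amounts), 2),
            "near_threshold": sum(1 for a in amounts if floor <= a <= threshold),
            "repeated_amounts": sorted(a for a, n in repeats.items() if n > 1),
        }
    return summary


def flag_vendors(summary, high_dollars=5000.00, min_near=3):
    """Map each vendor at an extreme of activity to the reasons it stands out."""
    leads = {}
    for vendor, s in summary.items():
        flags = []
        if s["dollars"] >= high_dollars:
            if s["cardholders"] <= 2:
                flags.append("few-cardholders-high-volume")
            flags.append("high-volume")          # possible price agreement
        if s["transactions"] == 1:
            flags.append("single-transaction")   # question the need
        if s["near_threshold"] >= min_near:
            flags.append("frequent-near-threshold")
        if s["repeated_amounts"]:
            flags.append("repeated-amount")      # possible duplicate billing
        if flags:
            leads[vendor] = flags
    return leads


if __name__ == "__main__":
    totals = summarize_vendors(TRANSACTIONS)
    for vendor in sorted(totals):
        print(vendor, totals[vendor])
    print(flag_vendors(totals))
```
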

Cardholders and AOs considered to have suspicious activities might be 
identified as the result of following up on previous data-mining 
transactions, a referral to an organizational fraud hotline, previous 
audit findings, or other means. Purchase card transactions for such 
cardholders and AOs can be extracted into separate transaction 
databases for further analysis. Follow-up and investigation of these 
transactions can assist in developing cases for referral to criminal 
investigative and prosecutorial authorities.

Since the data being mined are usually contained in a database of 
individual purchase card transactions, a software audit tool that 
facilitates summaries, comparisons, and extractions of transactions and 
data elements selected for follow-up is recommended. Several 
over-the-counter audit tools of this type are available. Using professional 
judgment and considering the understandings gained and the results of 
the preliminary assessment, the auditor should select transaction leads 
provided by data mining and submit them to the procedures described in 
the Follow-up and Investigation section of this guide. Unless adequate 
follow-up procedures are accomplished, the auditor will not have 
sufficient support to either report or refer the findings.

Follow-up and Investigation: 

The concept of follow-up, as used in this guide, contemplates an 
extension of audit procedures and documentation beyond those generally 
necessary to test for adherence to internal control policies or 
performance of control activities. GAO's approach to the follow-up 
process assesses purchase card transactions in three incremental stages: 
(1) an initial evaluation of the cardholder documentation supporting 
selected data-mined transactions for the purpose of discerning 
potentially fraudulent, improper, and abusive transactions, (2) conduct 
of follow-up procedures discussed in this section on those 
transactions, and (3) referral of any instance of likely fraud to the 
appropriate criminal investigative personnel.

Because of the characteristics of fraudulent, improper, and abusive 
purchases, professional skepticism--an attitude that includes a 
questioning mind and a critical assessment of audit evidence--is 
especially important when following up on these purchase card 
transactions.

Follow-up: 

The conduct of follow-up procedures utilizes forensic auditing 
techniques. In the context of this guide, forensic auditing (follow-up) 
contemplates increased scrutiny and documentation by the auditor of the 
facts and circumstances (including judgments made and actions taken by 
individuals party to the transaction) surrounding potentially 
fraudulent, improper, and abusive transactions. In the instance of 
fraudulent purchase card transactions, the follow-up process is 
designed to support a subsequent criminal investigation.

The auditor should consider consulting with the appropriate fraud 
investigative staff when determining the appropriate follow-up 
procedures for potentially fraudulent transactions or cases detected 
through control tests or data mining. An experienced purchase card 
fraud investigator can bring valuable perspectives and insight to the 
follow-up process. Investigators may have procedures and protocols that 
establish boundaries designed to preserve a successful investigation 
and prosecution of fraud, within which the auditor's follow-up and 
referral procedures should be constrained (e.g., cautions against 
contacting and inadvertently alerting the vendor suspected of fraud).

To begin the follow-up process for transactions selected by data mining 
or other means, the auditor should obtain and review transaction 
documentation similar to that obtained and reviewed in the tests of 
transaction control activities (e.g., determination of legitimate 
government need, vendor invoice, independent receipt and acceptance, 
accountable property record, the cardholder billing statement). This 
documentation should be analyzed to determine whether it supports a 
preliminary conclusion of (1) an appropriate government transaction 
that meets a legitimate government need or (2) a potentially 
fraudulent, improper, or abusive transaction.

Detected or selected potentially fraudulent transactions should always 
be submitted to follow-up procedures. However, the auditor should use 
professional judgment and consider the results of cardholder 
documentation review; the overall objectives of pursuing fraudulent, 
improper, and abusive purchases; and the overall objectives of the 
audit in making a decision to perform follow-up procedures for 
transactions detected during tests for performance of control 
activities and for the transactions selected in the data-mining 
process.

Professional judgment, input from qualified fraud investigators, and an 
elevated level of professional skepticism should be exercised when 
conducting follow-up procedures and evaluating (1) justifications 
offered for lack of adherence to policies and performance of control 
activities, (2) additional supporting documentation provided, and (3) 
unsupported representations made in interviews with program and 
organization personnel.

The following are examples of follow-up procedures and are not a 
complete list of possible procedures.

* Request additional documentation to (1) support adherence to internal 
control policies or performance of control activities (e.g., legitimate 
government need, independent receipt and acceptance, exception to 
prohibited item purchases), (2) provide missing relevant details of the 
transactions, (3) support authorization for an otherwise improper 
purchase, or (4) document other issues significant or useful to the 
process.

* Interview the cardholder for explanation, clarification, and other 
additional information concerning the transaction and corroboration of 
verbal representations made by others.

* Interview the AO for explanation, clarification, and other additional 
information concerning the transaction and corroboration of verbal 
representations made by others.

* Interview other organization personnel who may have been identified 
as parties with corroborating or clarifying knowledge of the facts and 
circumstances of the transaction (e.g., supervisors and coworkers).

* Contact the vendor for clarification of the specifics of the 
transaction (e.g., quantities, dates, time, description of goods or 
services provided). Request copies of supporting documentation from the 
vendor, especially when the cardholder's supporting documentation is 
missing.

* Fraud investigators provided relevant reports and information to GAO 
auditors during follow-up on potentially fraudulent purchase card 
transactions.

* Fraud investigative staff assisting in the follow-up, or gathering 
evidence to make and prove specific allegations of wrongdoing, may be 
able to provide other items (e.g., credit reports, criminal records) 
that can provide additional insight to the follow-up process.

All interviews conducted as part of the follow-up process should be 
documented in the audit work papers. At the conclusion of the follow-up 
process, the auditor should summarize the facts, findings, and 
resolution or disposition of the potentially fraudulent, improper, and 
abusive item in a memorandum for inclusion in the work paper file. If 
at any time during the follow-up process the auditor's professional 
judgment is that a transaction is likely fraudulent, referral of the 
transaction to the appropriate fraud investigative staff (e.g., 
inspectors general, military service fraud investigation offices) 
should be immediately considered.

Case Illustration: Follow-up of a potentially fraudulent, improper, and 
abusive purchase card transaction: 

[See PDF for image]

[End of figure]

Referral for Investigation: 

Referral of a likely fraudulent government purchase card transaction or 
case should be made to the appropriate federal criminal investigative 
body. We made such referrals to GAO's Office of Special Investigations, 
whose investigators have substantial experience in credit card fraud. 
The referral should be accomplished in a written communication. That 
communication would generally include, but not be limited to, the 
following information: 

* the date of the communication,

* the name of the referring organization,

* the name and telephone number of the referring contact,

* the organization and program under audit,

* a description of the potentially fraudulent transaction or case 
(e.g., goods or services purchased, amounts paid, impropriety of the 
transaction),

* the reason(s) for concluding the transaction to be potentially 
fraudulent,

* the names and positions of the individuals involved (e.g., John Doe - 
cardholder, Jane Doe - vendor),

* the date(s) of the purchase transaction,

* a description of the indicators alerting the auditor to the 
potentially fraudulent transaction (e.g., altered supporting 
documentation, personnel interview, or record discrepancies), and 

* a statement as to whether the relevant documents (copies or 
originals) are attached or are available (e.g., cardholder billing 
statement, vendor invoice(s), follow-up interview(s)).

[End of section]

Appendixes: 

Appendix I - Selected Relevant GAO Reports and Testimonies: 

Department of Education and Department of Housing and Urban 
Development: 

Financial Management: Strategies to Address Improper Payments at HUD, 
Education, and Other Federal Agencies. GAO-03-167T. Washington, D.C.: 
October 3, 2002.

Education Financial Management: Weak Internal Controls Led to Instances 
of Fraud and Other Improper Payments. GAO-02-406. Washington, D.C.: 
March 2002.

Financial Management: Poor Internal Control Exposes Department of 
Education to Improper Payments. GAO-01-997T. Washington, D.C.: July 24, 
2001.

Department of Defense - Army: 

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, 
Waste, and Abuse. GAO-02-844T. Washington, D.C.: July 17, 2002.

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, 
Waste, and Abuse. GAO-02-732. Washington, D.C.: June 2002.

Department of Defense - Air Force: 

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to 
Fraud, Waste, and Abuse. GAO-03-292. Washington, D.C.: December 2002.

Department of Defense - Navy: 

Purchase Cards: Navy Vulnerable to Fraud and Abuse but Is Taking Action 
to Resolve Control Weaknesses. GAO-03-154T. Washington, D.C.: October 
8, 2002.

Purchase Cards: Navy Is Vulnerable to Fraud and Abuse but Is Taking 
Action to Resolve Control Weaknesses. GAO-02-1041. Washington, D.C.: 
September 27, 2002.

Purchase Cards: Continued Control Weaknesses Leave Two Navy Units 
Vulnerable to Fraud and Abuse. GAO-02-506T. Washington, D.C.: March 13, 
2002.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to 
Fraud and Abuse. GAO-02-32. Washington, D.C.: November 2001.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to 
Fraud and Abuse. GAO-01-995T. Washington, D.C.: July 30, 2001.

[End of section]

Appendix II - Selected Relevant Laws and Regulations: 

This appendix contains some of the laws and regulations and guidance 
that are applicable governmentwide to the federal government purchase 
card program. Additional laws and regulations and other agency- or 
organization-specific guidance may apply as well.

Establishment and Operation of the Purchase Card Program: 

GSA SmartPay® Master Contract: 

Treasury Financial Manual, vol. I, part 4-4500, "Government Purchase 
Cards": 

41 U.S.C. § 426 Use of Electronic Commerce in Federal Procurement: 

48 C.F.R. § 13.301(b) Governmentwide Commercial Purchase Card: 

31 U.S.C. §§ 3901-3907 Prompt Payment Act: 

5 C.F.R. part 1315, Prompt Payment: 

Procurement Methods and Standards: 

41 U.S.C. § 253 Competition Requirements: 

41 U.S.C. § 403(11) Definitions: 

41 U.S.C. § 427 Simplified Acquisition Procedures: 

41 U.S.C. § 428 Procedures Applicable to Purchases Below Micropurchase 
Threshold: 

41 U.S.C. § 429 List of Laws Inapplicable to Contracts Not Greater Than 
the Simplified Acquisition Threshold in Federal Acquisition Regulation: 

48 C.F.R. § 1.603-3(b) Appointment: 

48 C.F.R. part 2.101, Definitions: 

48 C.F.R. part 8, Required Sources of Supplies and Services: 

48 C.F.R. part 13, Simplified Acquisition Procedures: 

Purposes for Which an Organization's Appropriations May Be Used: 

31 U.S.C. § 1301(a) "Purpose Statute": 

U.S. General Accounting Office, Principles of Federal Appropriations 
Law, vol. I, c. 4 (2d ed. 1991): 

Bona Fide Needs Rule, See, e.g., 68 Comp. Gen. 170, 171 (1989); 58 
Comp. Gen. 471, 473 (1979); 54 Comp. Gen. 962, 966 (1975): 

3 Comp. Gen. 433 (1924) Comptroller General McCarl to the Secretary of 
War: 

B-288266 (Jan. 27, 2003) Use of Appropriated Funds to Purchase Light 
Refreshments at Conferences: 

72 Comp. Gen. 178 (1993) Matter of: Corps of Engineers - Use of 
Appropriated Funds to Pay for Meals: 

65 Comp. Gen. 738 (1986) Matter of: Refreshments at Awards Ceremony: 

64 Comp. Gen. 406 (1985) Matter of: Randall R. Pope and James L. Ryan - 
Meals at Headquarters Incident to Meetings: 

B-289683 (Oct. 7, 2002) Matter of: Purchase of Cold Weather Clothing, 
Rock Island District, U.S. Army Corps of Engineers: 

63 Comp. Gen. 245 (1984) Matter of: Purchase of Down-Filled Parkas: 

[End of section]

Appendix III - Example Purchase Transaction Flow Chart and Narrative 
(Request Through Payment): 

[See PDF for image]

Source: GAO-02-1041.

[End of figure] 

Approving Official: 

If internal controls are operating effectively, the approving official 
is responsible for ensuring that all purchases made by the cardholders 
within his or her cognizance are appropriate and that the charges are 
accurate. The approving official is supposed to resolve all 
questionable purchases with the cardholder before certifying the bill 
for payment. In the event an unauthorized purchase is detected, the 
approving official is to notify the agency program coordinator and 
other appropriate personnel within the command in accordance with the 
command procedures. After reviewing the monthly statement, the 
approving official is to certify the monthly invoice and send it to the 
Defense Finance and Accounting Service (DFAS) for payment.

Cardholders: 

A purchase cardholder is a Navy employee who has been issued a purchase 
card. The purchase card bears the cardholder's name and the account 
number that has been assigned to the individual. The cardholder is 
expected to safeguard the purchase card as if it were cash.

Designation of Cardholders: 

When a supervisor requests that a staff member receive a purchase card, 
the agency program coordinator is to first provide training on purchase 
card policies and procedures and then establish a credit limit and 
issue a purchase card to the staff member.

Ordering Goods and Services: 

Purchase cardholders are delegated limited contracting officer ordering 
responsibilities. As limited contracting officers, purchase 
cardholders do not negotiate or manage contracts. Rather, cardholders 
use purchase cards to order goods and services for their units and 
their customers. Cardholders may pick up items ordered directly from 
the vendor or request that items be shipped directly to an end user 
(requesters). Upon receipt of purchased items, the cardholder is to 
record the transaction in his or her purchase log and obtain documented 
independent confirmation from the end user, the supervisor, or another 
individual that the items have been received and accepted by the 
government. The cardholder is also to notify the property book officer 
of accountable items received so that these items can be recorded in 
the accountable property records.

Payment Processing: 

The purchase card payment process begins with receipt of the monthly 
purchase card billing statements. The Department of Defense is required 
by 10 U.S.C. § 2784 to issue regulations that ensure that purchase 
cardholders and each official with authority to authorize expenditures 
charged to purchase cards reconcile charges with receipts and other 
supporting documentation before paying the monthly purchase card 
statement. Naval Supply Systems Command Instruction 4200.94 states that 
upon receipt of the individual cardholder statement, the cardholder has 
5 days to reconcile the transactions appearing on the statement by 
verifying their accuracy to documentation supporting the transactions 
and to notify the approving official in writing of any discrepancies in 
the statement.

In addition, under NAVSUP Instruction 4200.94, before the credit card 
bill is paid, the approving official is responsible for (1) ensuring 
that all purchases made by the cardholders within his or her cognizance 
are appropriate and that the charges are accurate and (2) timely 
certifying the monthly summary statement for payment by DFAS. The 
instruction further states that within 5 days of receipt, the approving 
official must review and certify for payment the monthly billing 
statement, which is a summary invoice of all transactions of 
cardholders under the approving official's purview.

The approving official is instructed to presume that all transactions 
on the monthly statements are proper unless notified in writing by the 
cardholder to the contrary. However, the presumption does not relieve 
the approving official from reviewing the statements for blatantly 
improper purchase card transactions and taking the appropriate action 
before certifying the invoice for payment. In addition, the approving 
official is responsible for forwarding disputed charge forms for 
submission to Citibank for credit. Under the Navy's task order, 
Citibank allows the Navy up to 60 days after the statement date to 
dispute invalid transactions and request a credit.

Upon receipt of the certified monthly purchase card summary statement, 
a DFAS vendor payment clerk is to (1) review the statement and 
supporting documents to confirm that the prompt-payment certification 
form has been properly completed and (2) subject it to automated and 
manual validations. DFAS effectively serves as a payment processing 
service and relies on the approving-official certification of the 
monthly bill as support to make the payment. The DFAS vendor payment 
system then batches all of the certified purchase card payments for 
that day and generates a tape for a single payment to Citibank by 
electronic funds transfer.

[End of section]

Appendix IV - Example Purchase Card Program Organization Chart: 

Navy Purchase Card Program Management Structure, September 2001: 

[See PDF for image]

Source: GAO analysis of Navy purchase card program organization.

[End of figure] 

[End of section]

Appendix V - Example Audit Program: 

Government Purchase Card Program: 

Example Internal Control Performance Audit Program: 

Program Overview: 

This is an example audit program only and should be tailored to meet 
the requirements of the individual organization’s purchase card 
program. The approaches, methodologies, and concepts applied in this 
example, and the accompanying audit guide, are appropriate for use by 
management oversight personnel as well as internal and external 
auditors. To facilitate ongoing internal control monitoring efforts by 
management, sections C and D can be performed independently of each 
other, and section D can be applied on a continuous basis. 

A: Gain Necessary Understandings: 

A1: Understand the risk of fraudulent, improper, and abusive purchases; 

A2: Understand internal control; 

A3: Understand the relevant laws and regulations; 

A4: Understand the organization and purchase card program operations; 

A5: Understand and assess key elements of the control environment; 

B: Preliminarily Assess the Adequacy of Designed Control Activities: 

B1: Identify risks and control activities, and assess the adequacy of 
designed control activities; 

B2: Determine the effects of the assessment on the design of 
performance tests and the identification of potential data-mining 
criteria; 

C: Test Adherence to Policies and Performance of Control Activities: 

C1: Obtain transaction data for transaction-level testing; 

C2: Select purchase card transactions; 

C3: Obtain data evidencing performance of control activities; 

C4: Test key control activities; 

D: Pursue Fraudulent, Improper, and Abusive Purchases: 

D1: Data mine to identify potentially fraudulent, improper, and abusive 
purchase card transactions; 

D2: Follow up on selected purchase card transactions and refer likely 
fraud for investigation; 

Organization Name: 

Audit Period/Scope: 

Auditor/Manager-in-Charge: 
Other: 

A – Gain Necessary Understandings: 

A1: Understand the risk of fraudulent, improper, and abusive purchases: 

1.0: Obtain and review relevant reports on audits of internal control 
over government purchase card programs. (See app. I of this guide for 
a list of GAO reports.); 

2.0: Obtain and review recent reports on audits and reviews of 
internal control over the organization’s purchase card program, and 
* determine management’s response to findings and recommendations and 
* determine the status of corrective actions taken by management; 

3.0: Review the “Understanding the Purchase Card Program – The Risk of 
Fraudulent, Improper, and Abusive Purchases” section of this guide; 

3.1: Obtain and review detailed summaries prepared by the 
organization’s fraud investigative personnel (e.g., inspector general) 
of all purchase card fraud detected within the prior ___________ (e.g., 
2 years); 

A2: Understand internal control: 

1.0: Obtain and review: 
* GAO/AIMD-00-21.3.1, Standards for Internal Control in the Federal 
Government (Green Book), 
* GAO-01-1008G, Internal Control Management and Evaluation Tool, and 
* GAO/AFMD-8.1.2, Guide for Evaluating and Testing Controls Over 
Sensitive Payments. 

2.0: Review the “Understanding the Purchase Card Program – Internal 
Control and the Control Environment” section of this guide; 

A3: Understand the relevant laws and regulations: 

1.0: Obtain and review laws and regulations relevant to the 
government’s purchase card program. (See app. II of this guide for a 
list of selected relevant federal laws and regulations.); 

2.0: Review the “Understanding the Purchase Card Program – Relevant 
Laws and Regulations” section of this guide; 

A4: Understand the organization and purchase card program operations: 

1.0: To facilitate the following and subsequent audit procedures, the 
auditor and program oversight personnel should establish contact with 
management personnel at both: 
* the organization’s purchase card program and 
* the bank purchase card service provider; 

The organization’s operations: 

2.0: Obtain and review the organization’s written policies and 
procedures describing its operations and activities. Such documents 
might include: 
* mission statement(s), activity descriptions, or both, and 
* operational policies, procedures, or instructions. (The auditor 
should review these and other relevant documents, which, when 
considered with subsequent personnel interviews, serve to provide an 
understanding of the current mission-related operations and activities 
of the organization.); 

2.1: Identify and interview selected organization personnel to 
supplement and clarify the auditor’s understanding of the 
organization’s mission and operating activities;  

The organization’s purchase card program: 

3.0: Obtain and review the organization’s written policies and 
procedures describing and controlling their purchase card program. 
Such documents might include: 
* purchase card program policies, procedures, or instructions and 
* contractual agreements with the bank service provider. (The auditor 
should review these and other relevant documents, which, when 
considered with subsequent personnel interviews and walk-throughs, 
should serve to provide or reinforce an understanding of the current 
operations of the purchase card program.); 

4.0: Identify and interview selected purchase card program personnel, 
including personnel from the following categories, for the purpose of 
supplementing and clarifying the auditor’s understanding gained from 
review of the organization’s written policies and procedures: 
* purchase cardholders, 
* approving officials, and 
* program coordinator; 

5.0: Determine and document the organization’s policies and procedures 
(or control activities) related to the control environment, including 
the following key areas: 

5.1 * Span of control: 
> Also, determine the current total number of cardholders at the 
organization and
> determine the current total number of approving officials at the 
organization; 

5.2 * Financial exposure: 
> Also, determine whether and how the organization initially and 
periodically verifies that purchase cards are issued to, and continue 
to be held by, individuals who need them to perform their assigned 
duties and 
> determine whether and how the organization initially and 
periodically determines that cardholder and approving official credit 
limits are appropriate to their needs;  

5.3 * Training: 
> Also, determine how and when the organization provides and documents 
initial and refresher training for cardholders, approving officials, 
and agency/organization program coordinators;  

5.4 * Discipline: 
> Also, determine the organization’s process for investigating 
allegations of fraudulent purchase card activity and 
> determine how the organization decides and documents disciplinary 
actions taken for lack of adherence to internal control policies and 
performance of control activities;  

5.5 * Purchasing and reviewing authorities for cardholders and 
approving officials: 
> Also, determine how the organization approves and documents 
purchasing credit and single-transaction limits for cardholders and 
> determine how the organization approves and documents cardholder 
review responsibility and payment authorization credit limits for 
approving officials;  

6.0: Determine and document the organization’s policies and procedures 
(or control activities) related to purchase card transactions, 
including the following key areas: 

6.1 * The determination of a legitimate government need prior to making 
the purchase; 

6.2 * The requirement for and documentation of independent receipt and 
acceptance of goods and services; 

6.3 * The establishment of physical control and accountability over 
pilferable and other vulnerable property; 

6.4 * The process and documentation requirements for cardholder 
reconciliation of monthly purchase card statements; 

6.5 * The process and documentation requirements for approving official
review and approval for payment of assigned cardholders’ monthly 
purchase card transactions; 

7.0: Determine and document the organization’s policies and procedures 
(or control activities) related to management’s risk assessment;  

8.0: Determine and document the organization’s policies and procedures 
(or control activities) related to information and communications;  

9.0: Determine and document the organization’s policies and procedures 
(or control activities) related to monitoring, including the following 
key areas: 

9.1 * Agency/organization program coordinator’s routine audits of 
internal control over the organization’s purchase card program; 

9.2 * Bank service provider management reports:
> What reports are provided and to whom?
> How often is participant information updated?
> How does management use them? 

9.3 * Internal review (or similar function) evaluation of internal 
control and the effectiveness of the organization’s purchase card 
program; 

10.0: Identify the computer-based controls that the organization has 
established over the purchase card program, including those: 

10.1 * over the payment of monthly purchase card bills, 

10.2 * designed to prevent duplicate payments, and 

10.3 * designed to prevent unauthorized access to purchase card 
transaction and master file information; 

11.0: Perform a walk-through of one or more selected purchase card 
transactions to confirm the understandings of: 
* the flow of a typical purchase card transaction and 
* the system of internal control (including control activities); 

11.1: Obtain examples of documentation evidencing the performance of 
all key control activities; 

12.0: Using the knowledge gained from: 
* reviews of written policies and procedures, 
* interviews with program personnel, and 
* walk-throughs of purchase card transactions, 
develop a flowchart and narrative that depict and explain the typical 
purchase card transaction process from request to payment. Include 
routine exceptions, such as disputed transactions and late receipts. 
Highlight and discuss all key controls in the process; 

12.1: Discuss the flowchart with appropriate purchase card program 
office personnel and obtain their concurrence with the process flow and 
key controls; 

The bank service provider:  

13.0: Obtain and review documents describing the bank service 
provider’s policies and procedures controlling the operation and 
interface of the purchase card program with the organization. Such 
documents might include: 
* operational policies, procedures, or instructions and 
* purchase card program training manuals or instructions;  

14.0: Identify and interview selected bank service provider personnel, 
including personnel from the following categories, for the purpose of 
supplementing and clarifying the auditor’s understanding gained from 
review of the operation and control documents: 
* program operations, 
* customer service, and 
* fraud detection and investigation; 

15.0: Obtain a database of purchase card transactions for the period or 
scope of the audit. Obtain and agree control totals from an independent 
source to the purchase card transactions database (see step C1-1.0); 

16.0: Obtain a list of program reports available from the bank provider 
and: 

16.1 * gain an understanding of the information contained in the 
reports and their intended use, 

16.2 * compare the list to the reports being obtained and used by the 
organization, and 

16.3 * identify and request the available reports that facilitate the 
auditor’s determination of adherence to control environment policies 
(e.g., span of control, financial exposure); 

A5: Understand and assess key elements of the control environment: 

1.0: Based on the understandings gained through document reviews and 
personnel interviews, preliminarily assess management’s operating 
philosophy and attitude (i.e., tone at the top) as having a positive 
or negative effect on internal control across the organization; 

2.0: Obtain data (e.g., electronic reports and data files) from the 
bank service provider and the organization necessary to perform the 
following; 

2.1: Test the following key elements of the control environment for 
adherence to internal control policies on an organizationwide (macro) 
level: 

2.2 * span of control and 

2.3 * financial exposure; 

2.4: Document for inclusion in the work papers the results of the 
evaluation process and the preliminary conclusions of the effect of 
these elements of the control environment on the effectiveness of 
internal control;  

3.0: Obtain data from the organization necessary to perform tests of 
controls for the following key elements of the control environment 
(see step C3-1.4). Data should be obtained for each cardholder and 
approving official on transactions selected for control activity 
testing; 

3.1: Test the following key elements of the control environment in 
conjunction with tests of transaction-level control activities (see 
step C4-2.0): 
* training, 
* discipline, and 
* purchasing and reviewing authorities; 

3.2: Document for inclusion in the work papers the results of the 
evaluation process and the preliminary conclusions of the effects of 
these elements of the control environment on internal control; 

4.0: Upon completion of testing of all the key elements of the control
environment, prepare a summary memorandum for inclusion in the work 
papers on the auditor’s conclusion of the overall effect of tone at the 
top, span of control, financial exposure, training, discipline, and 
purchasing and reviewing authorities on the control environment, and on 
the overall effectiveness of internal control;  

B – Preliminarily Assess the Adequacy of Designed Control Activities: 

B1: Identify risks and related designed control activities, and assess 
the adequacy of those activities: 

1.0: Identify and list the significant risk/opportunities of 
fraudulent, improper, and abusive transactions in the organization’s 
purchase card program. Such risks can be control environment related 
(e.g., span of control, training), purchase transaction related (e.g., 
no legitimate government need, inadequate approving official review), 
or related to other significant areas (e.g., monitoring); 

2.0: Identify the internal control policies and procedures (control 
activities) designed to prevent or promptly detect each above 
significant risk/opportunity; 

3.0: For each significant risk/opportunity identified, preliminarily 
assess, as strong, weak, or ineffective (including nonexistent), the 
likely effectiveness of the related designed control activities (if in 
place and operating) to provide management with reasonable assurance 
that significant fraudulent, improper, and abusive purchase card 
transactions will be prevented or promptly detected; 

B2: Determine the effects of the assessment on the design of 
performance tests and the identification of potential data-mining 
criteria: 

1.0: For each above risk/opportunity control activity relationship 
evaluated, determine its effect on the design of audit tests for 
adherence to policies and performance of control activity;  

2.0: For each above risk/opportunity control activity relationship 
evaluated, consider potential criteria for data mining identified, if 
any;  

3.0: Consider documenting for the audit work papers: 
* the identification of each risk/opportunity, 
* the related control activities, 
* the preliminary assessment of effectiveness, 
* the effects of the assessment on the design of tests for adherence 
to control policies and performance of control activities, and 
* the identification of potential data-mining criteria;  


C – Test Adherence to Policies and Performance of Control Activities: 

C1: Obtain transaction data: 

1.0: Obtain a database (the population) of purchase card transactions 
for the audit scope or period, and: 

1.1: verify its completeness by agreeing control totals to an 
independent source (e.g., bank service provider, organization records) 
(see step A4 15); 

C2: Select purchase card transactions: 

1.0: Consider: 
* the understandings gained of the operations of the organization and 
the purchase card program, 
* the designed internal control policies and procedures, and 
* the results of the preliminary assessment of the adequacy of internal 
control, 

and determine whether to use statistical (recommended) or 
nonstatistical sampling in selecting transactions. If a statistical 
sample selection is to be made, have a statistician design the sample;  

1.1: Document the significant considerations made and conclusions 
reached in a detailed sampling plan for inclusion in the work papers, 
to include the following: 
* the reasons that a sample was developed, 
* the type of sample (e.g., statistical or nonstatistical) and sampling 
method (e.g., random) being used, 
* a description of the population (e.g., nature, data elements, source, control totals), 
* the sample design (e.g., desired precision, stratum criteria, number 
of items and dollars in the population and stratum, sample size by 
strata and population) selected along with a discussion of the factors 
considered and conclusion reached, 
* guidelines about the types of evidence and attributes the auditor 
will accept as clear evidence of performance of control activities, 
* information about the anticipated precision of the sample estimates, 
* a definition of nonadherence to controls, 
* expectations (if any) about the rate of nonadherence to controls, and 
* examples of the types of conclusions the auditor expects to be able 
to make after the sample data are analyzed (and projected to the 
population); 

2.0: Extract transactions, in accordance with the sampling plan, from 
the population to perform tests for performance of transaction-related 
control activities; 

C3: Obtain data for testing performance of control activities: 

1.0: Coordinate with the organization’s purchase card program 
management and obtain access to program personnel and original 
documentation evidencing performance of transaction-level and related 
control activities for each selected transaction. The following are 
examples of such personnel and documents; 

1.1: Personnel include: 
* cardholders for selected transactions, 
* approving officials for selected transactions, 
* agency/organization purchase card program coordinator, and 
* operations supervisory personnel as needed; 

1.2: Documents directly related and relevant to selected individual 
purchase card transactions include: 
* cardholder monthly billing statement; 
* approving official monthly billing statement; 
* cardholder log (or equivalent) of purchases made; 
* prepurchase request, approval, authorization, or other determination 
of a legitimate government need; 
* evidence of screening for required/statutory vendors; 
* waiver on required sources of supply, if applicable; 
* evidence of bid solicitations and receipt, if applicable; 
* vendor invoice or receipt for goods or services; 
* packing slip;  
* evidence of independent receipt and acceptance; 
* bank dispute/affidavit forms, if transaction disputed; 
* cardholder reconciliation and certification of bill; and 
* approving official review and certification for payment;  

1.3: Additional documents relevant to purchases of accountable property 
include: 
* cardholder notification to property book, and 
* property book record;  

1.4: Control environment documents evidencing adherence and performance 
of key elements include (see step A5 3.0): 
* cardholder purchase and credit limits authorization, 
* approving official review responsibilities and authorized limits, 
* cardholder training certificates/records, 
* approving official training certificates/records, 
* cardholder account closure/final bill, if account is closed, and 
* disciplinary actions taken against cardholder or approving official 
in the last_____________________________;  

C4: Test Key Control Activities: 

Transaction control activity testing: 

1.0: Using relevant documentation obtained for the selected purchase 
card transactions, accomplish attribute testing designed to determine 
the performance of transaction control activities, including: 
* determination of a legitimate government purchase, 
* screening for required vendors, 
* independent receipt and acceptance, 
* physical control and accountability over pilferable and other 
vulnerable property, 
* cardholder reconciliation, and 
* approving official review;  

1.1: Document for inclusion in the work papers the pass/fail results 
of attribute tests performed for each control activity to facilitate 
summary of 
the number of transactions that fail by attribute and by control 
activity, and the dollar value of those transactions consistent with 
the design of the sampling plan (e.g., by each stratum); 

Testing key elements of the control environment: 

2.0: Using the relevant documentation obtained for testing key elements 
of the control environment (see step A5 3.1) in conjunction with tests 
of selected purchase card transactions, accomplish attribute testing 
designed to determine adherence to policy for each selected 
transaction, including: 
* training, 
* discipline, and 
* purchasing and reviewing authorities;  

2.1: Document for inclusion in the work papers the pass/fail results 
of attribute tests performed for each control activity to facilitate 
summary of the number of transactions that fail by attribute and by 
control activity, and the dollar value of those transactions consistent 
with the design of the sampling plan (e.g., by each stratum);  

Potentially fraudulent, improper, and abusive purchases: 

3.0: Evaluate each selected transaction for criteria identifying a 
potential fraudulent, improper, or abusive purchase, including: 
* questionable vendors, 
* weekend and holiday purchases, 
* split purchases, 
* unusual amounts or relationships, and 
* year-end spending; 

3.1: Conduct follow-up of all transactions exhibiting such criteria, 
and refer any likely fraud for investigation;  

3.2: Document for inclusion in the work papers the results of follow-up 
and referrals to facilitate summary of the number of transactions 
considered fraudulent, improper, or abusive, and the dollar value of 
those transactions consistent with the design of the sampling plan 
(e.g., by each stratum);  

Analyzing and documenting sample results: 

4.0: Project the results of the sample transactions tests to the 
population in accordance with the sampling plan. If statistical 
sampling was used, provide the sample test results to the statistician 
for projection to the population, and stratum if appropriate;  

4.1: Obtain a written memorandum from the statistician of the 
statistical results of the projection(s) in accordance with the 
sampling plan, recapping the population and the sampling plan used, 
the control tests performed by the auditor, the statistical estimates 
(e.g., attribute pass/fail, dollar values) by stratum if appropriate, 
and the associated confidence intervals;  

4.2: Prepare a summary memorandum, for inclusion in the work papers, 
that incorporates the sample test results and the statistician’s 
report, recaps the rules used to assess the effectiveness of controls, 
and documents the auditor’s conclusions about the effectiveness of 
individual control activities;  

4.3: Consider the results of transaction-level and other control tests, 
and the results of data mining and follow-up of potentially fraudulent, 
improper, and abusive transactions, and prepare a memorandum for 
inclusion in the work papers documenting the considerations made and 
conclusions reached by the auditor on the overall effectiveness of the 
design and performance of internal control designed to prevent and 
detect potentially fraudulent, improper, and abusive purchase card 
transactions;  

D – Pursue Fraudulent, Improper, and Abusive Purchases: 

D1: Data mine to identify potentially fraudulent, improper, and abusive 
purchases: 

1.0: Based on: 
* understandings gained about the operations of the organization and 
its purchase card program, 
* the results of the preliminary assessment of internal control, 
* insights provided by involving credit card fraud investigators, and 
* insights provided by conducting tests of performance of control 
activities, 

determine the criteria (e.g., characteristics, associations, or 
sequences and pattern clusters) that indicate potentially fraudulent, 
improper, and abusive purchases;  

2.0: Obtain a database of purchase card transactions for the audit 
scope or period (usually the same “population” database obtained for 
selecting transactions for control activity testing); 

3.0: Perform analysis of the database to identify transactions 
exhibiting the characteristics of potentially fraudulent, improper, 
and abusive purchases. Include analyses that key on the following: 
* questionable vendors, 
* weekend and holiday purchases, 
* split purchases, 
* unusual amounts or relationships, 
* year-end spending, 
* transactions by vendor analysis, and 
* suspicious cardholders and approving officials;  

4.0: Extract transactions identified above into discrete smaller 
databases for further analysis; 

5.0: Select nonrepresentative transactions from the above discrete 
extracts for follow-up, referral, and investigation; 
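
The analysis in steps 3.0 and 4.0 above, preceded by the control-total check from step C1 1.1, as an added example that is not part of the GAO guide. The record layout, single-purchase limit, holiday list, and year-end window are assumptions, and the transactions are constructed.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple

# Assumed parameters (not from the guide): take the real values from the
# organization's own purchase card policy and calendar.
SINGLE_PURCHASE_LIMIT_CENTS = 250_000           # hypothetical cardholder limit
HOLIDAYS = {date(2002, 7, 4), date(2002, 9, 2)}  # assumed holiday list
FISCAL_YEAR_END = date(2002, 9, 30)              # federal fiscal year 2002
YEAR_END_WINDOW_DAYS = 7                         # hypothetical window

class Txn(NamedTuple):
    txn_id: str
    cardholder: str
    vendor: str
    when: date
    cents: int  # amounts kept in integer cents so totals compare exactly

# Constructed population for illustration only.
POPULATION = [
    Txn("T001", "CH-01", "Vendor A", date(2002, 6, 11), 41_250),
    Txn("T002", "CH-02", "Vendor B", date(2002, 6, 15), 8_999),    # Saturday
    Txn("T003", "CH-03", "Vendor C", date(2002, 8, 20), 240_000),  # split pair
    Txn("T004", "CH-03", "Vendor C", date(2002, 8, 20), 230_000),  # split pair
    Txn("T005", "CH-04", "Vendor D", date(2002, 7, 4), 15_000),    # holiday
    Txn("T006", "CH-01", "Vendor E", date(2002, 9, 27), 245_000),  # year-end
    Txn("T007", "CH-02", "Vendor A", date(2002, 9, 10), 10_000),
    Txn("T008", "CH-02", "Vendor A", date(2002, 9, 10), 20_000),
]

def agrees_with_control_totals(txns, count, total_cents):
    """Completeness: count and dollar total match an independent source."""
    return len(txns) == count and sum(t.cents for t in txns) == total_cents

def weekend_or_holiday(txns):
    """Purchases dated on a Saturday, Sunday, or listed holiday."""
    return sorted(t.txn_id for t in txns
                  if t.when.weekday() >= 5 or t.when in HOLIDAYS)

def split_purchases(txns):
    """Same cardholder, vendor, and day: each charge is within the limit,
    but together they exceed it."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.cardholder, t.vendor, t.when)].append(t)
    flagged = []
    for group in groups.values():
        within = all(t.cents <= SINGLE_PURCHASE_LIMIT_CENTS for t in group)
        total = sum(t.cents for t in group)
        if len(group) > 1 and within and total > SINGLE_PURCHASE_LIMIT_CENTS:
            flagged.extend(t.txn_id for t in group)
    return sorted(flagged)

def year_end_spending(txns):
    """Purchases in the last days of the fiscal year."""
    return sorted(t.txn_id for t in txns
                  if 0 <= (FISCAL_YEAR_END - t.when).days < YEAR_END_WINDOW_DAYS)

def data_mine(txns):
    """One discrete extract per criterion, ready for follow-up selection."""
    return {
        "weekend_holiday": weekend_or_holiday(txns),
        "split_purchases": split_purchases(txns),
        "year_end": year_end_spending(txns),
    }

if __name__ == "__main__":
    # Control totals here stand in for figures from the bank service provider.
    if not agrees_with_control_totals(POPULATION, 8, 810_249):
        raise SystemExit("population does not agree with control totals")
    for criterion, ids in data_mine(POPULATION).items():
        print(criterion, ids)
```

A flag from any of these extracts is only a lead for the follow-up in D2; a weekend purchase or a same-day pair can have a legitimate explanation.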

D2: Follow-up and referral of selected purchase card transactions: 

1.0: Obtain supporting cardholder purchase documentation for all 
potentially fraudulent, improper, and abusive purchase card 
transactions identified and selected in the above data-mining 
approaches. Such documentation would normally include the documents 
directly related and relevant to selected individual purchase card 
transactions listed in the Obtain Data for Testing Performance of 
Control Activities section of this example audit program (see step C3 
1.2); 

2.0: Review the initial supporting documentation for the selected 
transactions and make a preliminary determination of the 
appropriateness of the purchase;  

3.0: For those data-mined purchase card transactions (and those 
control activity test transactions) that continue to be considered 
potentially fraudulent, improper, or abusive, accomplish follow-up 
procedures as indicated by the circumstances, such as: 
* request additional documentation, 
* interview the cardholder, 
* interview the approving official, 
* interview operational supervisors and coworkers, 
* contact the vendor directly, and 
* request relevant items from fraud investigators; 

4.0: Document for the audit work papers each interview conducted during 
the follow-up process;  

5.0: Document for the audit work papers the results of each follow-up 
process in a summary memorandum, and attach all interviews and relevant 
supporting documentation;  

6.0: Refer all purchase card transactions, which after the completion 
of the follow-up process are considered to be likely fraudulent, to 
the appropriate fraud investigative body. The referral communication 
should be written and should include the following information: 
* the date of the communication, 
* the name of the referring organization, 
* the name and telephone number of the referring contact, 
* the organization and program under audit, 
* a description of the potentially fraudulent transaction (e.g., goods 
or services purchased, amounts paid, impropriety of the transaction), 
* the reason(s) for concluding that the transaction is potentially 
fraudulent, 
* the names and positions of the individuals involved (e.g., John Buck 
– cardholder, Jane Doe – vendor), 
* the date(s) of the purchase transaction(s), 
* a description of the indicators alerting the auditor to the 
potentially fraudulent transaction (e.g., altered supporting 
documentation, personnel interview, or record discrepancies), and 
* a statement as to whether the relevant documents (copies or 
originals) are attached or are available (e.g., cardholder billing 
statement, vendor invoice(s), follow-up interview(s)). 

Retain a copy of all referral communications and attachments for the 
audit work papers;  

6.1: Request memorandums of investigations at the end of the audit 
period detailing the conduct, progress, and status of all such 
referred purchase card transactions; 

[End of section]

Appendix VI – Guidelines for Initiating an Investigation of Purchase 
Card Fraud: 

For purchase card transactions that have been identified as potentially 
fraudulent, the investigator should review information provided as part 
of the follow-up and referral process and, to the extent necessary, 
take the following actions:

* Obtain from the organization, auditor, or manager the names of 
cardholder(s) for accounts involved with the transaction(s).  

* Obtain account histories from the bankcard service provider for 
specific accounts to identify any patterns of similar or other 
questionable transactions and the vendors involved with those 
transactions.  

* Identify the organization’s approval process and determine who: 
> requested the goods or services purchased,
> approved the transactions, and 
> signed off on the monthly statement indicating that he or she had 
reviewed the transactions.  

* Obtain from the organization, auditor, or manager documentation 
related to the transaction(s), such as invoices, shipping receipts, 
and any contact telephone numbers.  

* Determine the organization’s policies for accountability for 
pilferable and other property.  

* Interview the individuals involved with requesting the goods or 
services and the individuals who reviewed the monthly bank statements 
to determine (1) whether he or she was aware of the transaction(s) and 
(2) whether the cardholder filed a dispute form concerning the 
transactions.

* Interview the cardholder to determine who made the purchases, the 
purpose of the purchases, and whether he or she disputed the 
transactions.  

* Interview the vendor(s) from which questionable transactions were 
made and: 
> obtain any documentation relating to the transactions, including 
detailed descriptions of items purchased, serial numbers, or specific 
services provided; 
> determine where property was delivered or where the services were 
provided;
> determine whether the vendor records the telephone number from which 
the order for goods or services was made; and
> determine whether the vendor maintains a database of purchase card 
numbers and whether this database has been compromised.  

* Interview organization officials responsible for maintaining property 
inventory and determine: 
> whether the items purchased were included in inventory and 
> how property delivered to the organization is accounted for.  

[End of section]

Appendix VII - GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Stephen Wm. Lipscomb, (303) 572-7328 

Staff Acknowledgments: 

In addition to the person named above, David Childress, Francine 
DelVecchio, Don Fulwider, Charles R. Hodge, Jeffrey Jacobson, Jason 
Kelly, Julia Matta, John Ryan, and Sidney Schwartz made important 
contributions to this guide.

[End of section]

FOOTNOTES

[1] The term "organization," as used throughout this guide, refers to a 
government, its divisions, or subdivisions (e.g., department, agency, 
activity, unit). 

[2] The term "program," as used throughout this guide, refers to a 
government purchase card program at the organization level.

[3] President's Council on Integrity and Efficiency, A Practical Guide 
for Reviewing Government Purchase Card Programs (Washington, D.C.: June 
2002), and U.S. General Services Administration, GSA Smart Pay®, 
Blueprint for Success: Purchase Card Oversight (Arlington, Va.: April 
2002).

[4] U.S. General Accounting Office, Government Auditing Standards - 
2003 Revision, GAO-03-673G (Washington, D.C.: June 2003).

[5] U.S. General Accounting Office, Standards for Internal Control in 
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 
1999), 7.

[6] U.S. Department of Treasury, Treasury Financial Manual, Vol. 1 - 
Part 4 - Chapter 4500, Government Purchase Cards, (Washington D.C.: May 
2003) http://www.fms.treas.gov/tfm/vol1/v1p4c450.txt (viewed May 
2003).

[7] 48 C.F.R. § 13.301(b) (2002).

[8] See the Relevant Laws and Regulations section of this guide for 
further information on FAR provisions applicable to specific purchase 
amounts.

[9] FAR allows personnel other than warranted contracting officers to 
use the purchase card. 48 C.F.R. §§ 1.603-3(b) and 13.301(a) (2002).

[10] see .

[11] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).

[12] JWOD establishes mandatory sources of supply for all federal 
entities. It requires federal agencies to purchase supplies and 
services that are furnished by nonprofit agencies--such as the National 
Industries for the Blind and NISH (serving people with a range of 
disabilities).

[13] 48 C.F.R. §§ 2.101 and 13.201(g).

[14] GAO-03-673G, 7.8 - 7.10.

[15] GAO/AIMD-00-21.3.1.

[16] The GSA web site (http://www.fss.gsa.gov/webtraining/
trainingdocs/smartpaytraining/index.cfm) provides access to relevant 
purchase card training materials.

[17] Sampling selections expected to be representative of a population 
can be either statistical or nonstatistical--statistical concepts are 
considered but not explicitly used to determine sample size, select 
sample items, or evaluate the results. However, projections of 
nonstatistical sample results are not quantifiably accurate, and GAO 
discourages their use in government audits. 

[18] For nonfinancial audits, GAO commonly uses a confidence level of 
95 percent. "The 95 percent confidence level appears to be used more 
frequently in practice than any other level…90 percent and 99 percent 
confidence levels seem to be next in popularity." Hahn and Meeker, 
Statistical Intervals, A Guide For Practitioners, 1st ed. (New York: 
John Wiley and Sons, Inc., 1991), 38.
