Report Number I-2000-011
March 31, 2000
March 31, 2000
|MEMORANDUM FOR||STEPHEN R. COLGATE
ASSISTANT ATTORNEY GENERAL
MARY H. MURGUIA
|FROM:||ROBERT L. ASHBAUGH
ACTING INSPECTOR GENERAL
|SUBJECT:||Internal Controls Over Procurement Credit Cards,
Report Number I-2000-011
In mid-February, the Office of the Inspector General (OIG) interviewed a Department of Justice employee whose job responsibilities included the use of a credit card to make "micropurchases" on behalf of her component field office (a United States Attorney's Office [USAO]). (Sentence deleted pursuant to the Privacy Act.) Further investigation of many, many transactions charged to her card and to other cards that came under her control tend to establish that she was able to purchase items and services for personal use that are very likely to exceed a quarter of a million dollars in total amount. Moreover, many of the charges, extending over a year's time, involved purchases at department stores, for cruise ship excursions, and for foreign travel that presumptively signal possible card misuse for personal purposes.
The details of this employee's activities are the subject of a continuing criminal investigation. For that reason, this report is issued as "Limited Official Use" (LOU) and will not describe the transactions or circumstances that occasioned this very serious crime. 1 Nonetheless, the discovery called for inquiry as to whether the Department had in operation mechanisms to monitor credit card usage that should have detected such patently personal transactions. Accordingly, the OIG initiated a limited review, conducted by its Inspections Division, to determine whether existing oversight safeguards should have caught this defalcation.
During the course of that review, we interviewed officials from the Justice Management Division's (JMD) Procurement Services Staff (PSS), which administers the procurement credit card program for the Department's Offices, Boards, and Divisions (OBDs); the Executive Office for United States Attorneys (EOUSA), including individuals from the Evaluation and Review Staff (EARS); and Bank One, which is the current contractor for the procurement credit card for the Department. While we did not visit any USAOs during the course of our review, we did review documents (i.e., JMD's guidance, EARS reports from 1996 and 1999) and other information that allowed us to render some conclusions about internal controls at USAOs.
The Importance of Internal Controls
Effective internal controls work to prevent, detect, or correct errors, irregularities, fraud, waste, and abuse. A good internal control system relies on a network of checks and balances (control techniques) placed at key levels of program responsibility to ensure it operates, as intended. The Department has established standards for internal control that apply to procurement credit cards usage at the component or field office level, which we will discuss later. But, based on our review, we found virtually no oversight of procurement credit card usage at the departmental level. In consequence, the Department is unlikely to detect credit card fraud or misuse by a cardholder. The Department is also unlikely to detect if a component field office, such as a USAO, has failed to establish the requisite internal controls or has allowed those that once were established to atrophy.
We also conclude that if controls at USAOs are implemented and adhered to as designed, those controls should provide reasonable protection from fraud and the misuse of the procurement credit card. However, we found that, if certain controls at USAOs do not exist, are not working properly, or are circumvented, the remaining controls do not adequately protect the USAO and the Department from financial risk.
Limited Oversight at the Department Level
Within JMD, the PSS administers the procurement credit card program. It is responsible for thousands of cards that are regularly used by the OBDs. PSS receives monthly transaction records from Bank One and told the OIG that it randomly reviews an estimated one percent of the approximate 6,500 monthly transactions. 2 This limited review reduces PSS's chances of identifying patterns of fraud or misuse. This is the only oversight or review mechanism established at the departmental level.
PSS cannot report on the status of internal controls at USAOs. JMD has provided written guidance to USAOs detailing specific controls and the appropriate roles and responsibilities of cardholders, approving officials, and other officials at USAOs. However, PSS has not conducted reviews, onsite or otherwise, to determine whether USAOs have properly implemented and are adhering to controls. We suspect, but have not verified, that the other OBDs for which PSS provides this card service are similarly situated, i.e., are not being reviewed in these particulars either.
EOUSA does not have a delegated oversight role in the procurement credit card program. EOUSA only acts as a liaison between USAOs and PSS, and helps schedule training for cardholders and approving officials. EOUSA informed us, and PSS confirmed, that EOUSA does not receive and therefore has not had the opportunity to review records of procurement credit card transactions; the records are sent by Bank One directly to the individual USAO cardholders and approving officials.
The periodic reviews conducted by the EOUSA's EARS are not designed to identify procurement credit card fraud or misuse. These reviews are designed to provide an independent opinion from EOUSA to the United States Attorney on the operations (e.g., administrative, management) at a particular USAO. 3 If, for example, EARS identifies internal control problems related to the procurement credit card, EARS will recommend changes to address those problems. However, EARS does not audit the transactions to ascertain whether the internal control problems have permitted a fraud or misuse of the procurement credit card.
In the present case, we examined the last two EARS reports relative to the USAO that was victimized by this employee's fraud. We found that the most recent EARS report, issued in late-fall 1999, uncovered significant internal control deficiencies relative to the USAO's usage of its procurement credit cards. The EARS review did not include any audit of individual transactions -- had it done so, such a review almost surely would have led to the discovery of the abuses and fraud present in that office.
Thus, under current practices, EOUSA does not surveil card usage. EOUSA's principal opportunity to ensure correct usage of such credit cards would lie in the conduct of EARS reviews. But, because EARS reviews evaluate USAO compliance with regulations and the verification that internal control measures seem to be in place, and do not involve transactional testing, EOUSA does not have a practical means of verifying the integrity of card usage practices in the USAOs.
Bank One Oversight Mechanisms
At the time of our review, PSS was in the process of converting over to a pilot software program, which Bank One supplied in late 1998. This software program might allow PSS to search for questionable transactions (e.g., charges at up-scale department stores, purchases split into multiple transactions to circumvent single-purchase limits) more effectively and efficiently. Although PSS started testing the software program in February 1999, "bugs" in the program have delayed full implementation until the end of calendar year 2000 at the earliest. Consequently, it remains unclear whether or not this program will improve PSS's ability to oversee card transactions. 4
Bank One's procedures for addressing questionable transactions may allow the cardholder to provide false or misleading information to Bank One, and may deprive the approving official or the JMD program coordinator of information about possible questionable activity. Bank One reviews transactions searching for questionable purchases made on procurement credit cards. If it identifies questionable activity, Bank One's policy is to contact the cardholder directly; no further contacts occur if Bank One receives what it believes is a satisfactory response from the cardholder. Only if Bank One does not receive a satisfactory response or if questionable transactions continue will Bank One call the approving official or the JMD program coordinator.
Other Controls on Cards May Not Adequately Protect the Department
Various controls exist to limit how much a cardholder can spend on any given transaction or during any given 30-day cycle. These controls, set by the individual USAOs, are supposed to be established based on the office's resources and business needs. If the control parameters are overly broad, they do not protect USAOs from excessive financial risk. To evaluate this concern, we reviewed PSS records for the 611 USAO procurement credit card accounts in use throughout the country. We found the following:
We also found that procurement credit cards issued by Bank One do not have merchant-code controls automatically established. If used, these controls prevent purchases at specific types of vendors, such as sporting goods stores or grocery stores, where it is unlikely an individual would make a legitimate business purchase for the USAO. Although similar controls were implemented on a department-wide basis under the previous credit card contract, use of these controls under the Bank One contract is left to the discretion of each USAO. According to PSS, few USAOs have established these limits -- and, indeed, many may be unaware that they have the option to do so.
Procurement credit cards do provide a more convenient way for government offices to make purchases. 6 Overly restrictive limits could make using the card inconvenient, resulting in offices using more costly and less efficient purchase orders. Nonetheless, we believe some USAOs should reassess existing controls to ensure that the office and the Department are not exposed to excessive financial risk.
A Separation of Duties Can Also Reduce Risks to the Department
JMD's guidance allows a single cardholder to obligate funds, make purchases, and repost transactions in the Financial Management Information System. If internal controls are not working properly or are circumvented, this lack of separation of duties places the USAO at extreme financial risk.
Supplemental Internal Controls at the Local Level
We examined the guidance that JMD provides the USAOs on procurement credit card usage. In this particular case, the USAO developed supplemental procedures that set forth detailed operating procedures. These procedures describe cardholder and approving official responsibilities, the approval process, procurement credit card limits, supporting documentation requirements, and procurement credit card statement reconciliation steps and time frames. If followed, these procedures provide a reasonable assurance that card transactions will be for legitimate purchases.
The Inspections Division was assigned to conduct an accelerated review without intruding upon the parallel investigation that the OIG was conducting into the criminal conduct of the Department employee suspected of the card abuses. Because of the limitations on our review, we do not make formal recommendations, but do offer observations and suggestions for management in JMD and EOUSA to consider.
In the end, we conclude that the responsibility for oversight of procurement credit card transactions is most efficiently vested in the immediate component where direct supervision over the cardholder and direct knowledge of the circumstances behind the purchases exist. No other allocation of this primary oversight responsibility makes sense. However, as this case proved, the department is vulnerable when a field office or unit neglects to fulfill its oversight and review responsibilities or allows internal controls to become lax. Consequently, there should be some fallback protection against the possibility that local controls might fail. In particular, we believe that the EARS review should be expanded to include some transactional reviews of credit cards and other office expenditures or disbursements to ensure that they conform to legal and Department standards.
In addition, PSS should take the necessary steps to accelerate the implementation of the current Bank One software in order to have a greater capacity to conduct at least limited testing to identify anomalies in card usage. If the current software proves incapable of performing this function, then PSS should negotiate with Bank One to design additional transaction reports for the benefit of the Department. Furthermore, it is not satisfactory to have the sole response by Bank One to questionable transactions consist of a telephone call to the cardholder. PSS should insist upon a better procedure. Finally, we believe that it is feasible and desirable for JMD or EOUSA to set some universal parameters regarding purchase limits, cycle limits, and acceptable vendor codes that are realistically tailored to office business purposes and historical use. Of course, exceptions should be readily available when justified.
Because we are not making formal recommendations and because we wish to deliver the results of our work as soon as possible, we are issuing this report in final. We would appreciate any comments you might wish to offer regarding the subjects discussed here. We specifically ask that you provide us with your views concerning the suggestions we provided for management's consideration and whether you will implement them or other corrective actions that you may deem appropriate.
|cc:||Vickie L. Sloan
Departmental Audit Liaison Office
|Return to the USDOJ/OIG Home Page|