
Audit Guide: Auditing and Investigating the Internal Control of Government Purchase Card Programs (Superseded by GAO-04-87G)

Published by the Government Accountability Office on 2003-05-01.


United States General Accounting Office

GAO Exposure Draft

May 2003

AUDIT GUIDE

Auditing and Investigating the Internal Control of Government Purchase Card Programs

GAO-03-678G

Preface




          The federal government of the United States—the largest and most complex
          organization in the world—expended approximately $15 billion through
          federal organizations’[1] purchase card programs[2] in fiscal year 2002. As the
          steward of taxpayer dollars, federal agencies are accountable for how
          purchase cards are used and how the funds are spent. To that end, federal
          agencies are responsible for establishing and maintaining internal control to
          provide reasonable assurance that (1) the goals and objectives of the
          purchase card program are met and (2) safeguards against fraudulent,
          improper, and abusive purchases are adequate.

          Recent congressional testimony and Inspector General and GAO reports
          show that some federal agencies do not have adequate internal control over
          their purchase card programs. Without effective internal control,
          management has little assurance that fraudulent, improper, and abusive
          purchases are being prevented or, if occurring, are being promptly detected
          with appropriate corrective actions taken. A key element of internal control
          is monitoring that assesses the quality of performance over time and ensures
          that the findings of audits and other reviews are promptly resolved.
          Monitoring provides for regular management and supervisory activities, as
          well as evaluations by inspectors general or external auditors.

          This guide focuses on audits of internal control activities—designed
          primarily to prevent or detect significant fraudulent, improper, and abusive
          purchases—in a government purchase card program. It is intended to
          provide practical guidance for consideration by internal and external
          auditors, investigators, and program management oversight personnel in
          assessing the adequacy and performance of those control activities, and
          identifying areas of internal control for potential improvement. This guide is
          based primarily on GAO’s experiences in auditing and investigating internal
          control over federal government purchase card programs at the
          Departments of Defense, Education, Housing and Urban Development, and
          other federal agencies.

          This guide was prepared at the request of former Chairman Stephen Horn,
          Subcommittee on Government Efficiency, Financial Management and
          Intergovernmental Relations, House Committee on Government Reform.
          This is one of a series of projects we have undertaken for the Subcommittee
          concerning weaknesses in internal control over government purchase and
          travel card programs.


          [1] The term “organization”, as used throughout this guide, refers to a government, its divisions,
          or subdivisions (e.g., department, agency, activity, unit).
          [2] The term “program”, as used throughout this guide, refers to a government purchase card
          program at the organization level.

          Page 1                        GAO-03-678G Purchase Card Audit Guide Exposure Draft
We invite you to review and comment on the audit approach and
methodologies contained in this guide. This draft document will be
available for comment for 60 days, until August 1, 2003. Please address any
questions or comments to me at (202) 512-2600, steinhoffj@gao.gov, or
Stephen W. Lipscomb at (303) 572-7328, lipscombs@gao.gov, or

         Stephen W. Lipscomb
         U.S. General Accounting Office
         1244 Speer Blvd. Suite 800
         Denver, CO 80204

This guide was prepared under the direction of Gregory Kutz, Director,
Financial Management and Assurance. Other GAO contacts and key
contributors are listed in appendix VII.




Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance




TABLE OF CONTENTS

Preface

Section 1: Introduction
  OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY
  GOVERNMENT PURCHASE CARD PROGRAMS
  GAO’S APPROACH TO AUDITING PURCHASE CARD PROGRAMS
  THE APPLICABILITY OF AUDITING STANDARDS

Section 2: Understanding the Purchase Card Program
  THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES
    Potentially Fraudulent, Improper or Abusive
    Indications and Categories of Fraud
  RELEVANT LAWS AND REGULATIONS
    Establishment and Operation of the Purchase Card Program
    Procurement Methods and Standards
    Purposes for which an Organization’s Appropriations May Be Used
  THE ORGANIZATION’S OPERATIONS AND PROGRAMS
    Understanding the Organization’s Operations
    Understanding the Organization’s Purchase Card Program
    Understanding the Bank Service Provider’s Program
  INTERNAL CONTROL AND THE CONTROL ENVIRONMENT
    The Standards of Internal Control
    Testing Key Elements of the Control Environment

Section 3: Making, Documenting, and Using the Preliminary Assessment
  ASSESSING THE ADEQUACY OF THE DESIGN OF CONTROL ACTIVITIES
  USING THE PRELIMINARY ASSESSMENT

Section 4: Testing the Effectiveness of Key Control Activities
  OBTAINING TRANSACTION DATA
    Coordinating with the Bank Service Provider
  SELECTING PURCHASE CARD TRANSACTIONS
    Considerations in Designing a Statistical Sample
    The Sampling Plan
    Extracting Selected Transaction Data Elements
    Reporting Sample Results
    Analysis of Results from Statistical Samples
  OBTAINING DOCUMENTATION EVIDENCING PERFORMANCE OF CONTROL ACTIVITIES
    Obtaining Documentation from the Organization
    Evidence of Performance
  TESTING CONTROL ACTIVITIES
    Transaction Control Activities

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases
  DATA MINING FOR DETECTION, ILLUSTRATION, AND DISCLOSURE
  FOLLOW-UP AND INVESTIGATION
    Follow-up
    Referral for Investigation

Appendixes
  APPENDIX I – SELECTED RELEVANT GAO REPORTS AND TESTIMONIES
  APPENDIX II – SELECTED RELEVANT LAWS AND REGULATIONS
  APPENDIX III – EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE (REQUEST THROUGH PAYMENT)
  APPENDIX IV – EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART
  APPENDIX V – EXAMPLE AUDIT PROGRAM
  APPENDIX VI – GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE CARD FRAUD
  APPENDIX VII – GAO CONTACT AND STAFF ACKNOWLEDGMENTS

Section 1: Introduction




               Federal government purchase card programs, which have been in existence
               governmentwide since 1989, were established to streamline federal agency
               acquisition processes by providing a low-cost, efficient vehicle for obtaining
               goods and services directly from vendors. As shown by the chart, purchase
               card programs have experienced dramatic growth and accounted for $15.2
               billion in government expenditures in fiscal year 2002.




               With the establishment in 1998 of the General Services Administration’s
               (GSA) SmartPay® program, federal agencies had a new way to pay for
               commercial goods and services. GSA negotiated charge card service
               provider contracts with five commercial banks: Citibank, First National
               Bank of Chicago, Mellon Bank, NationsBank, and U.S. Bank. Federal
               government departments and agencies were to choose the service provider
               with capabilities meeting agency requirements.

               Purchase card programs are widespread throughout the federal government
               and range in size from the Department of Defense (DOD) with 214,000
               cardholders and $6.8 billion of fiscal year 2002 purchases, to the U.S. Tax
               Court with 1 cardholder and $102,000 of fiscal year 2002 purchases.
               However, the design and implementation of internal control did not keep up
               with the growth in the programs audited by GAO (see app. I – Selected
               Relevant GAO Reports and Testimonies). With the increase in purchase
               card use came increases in risk, revelations of significant weaknesses in
               internal control, and resulting fraudulent, improper, and abusive or
               questionable purchases.


OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY

                          The primary objective of this guide is to provide practical guidance for
                          consideration in performance audits and investigations of government
                          purchase card programs. The guide provides auditors and fraud
                          investigators with a basis for understanding the operations, risks, and
                          internal control of a government purchase card program, which in turn
                          provides a basis for conducting investigations of fraud in a government
                          purchase card program. Although this guide is primarily an audit and
                          investigative guide, it can also be applied by program management oversight
                          personnel in assessing the adequacy of policies, procedures, and internal
                          controls, and conducting ongoing monitoring of adherence to internal
                          control activities. In that context, the use of the term “auditor” throughout
                          this guide is intended to include program management oversight personnel
                          as well as internal and external auditors. While this guide is based on
                          approaches and methodologies developed in audits of federal purchase card
                          programs, the basic concepts and criteria may also be applicable to state
                          and local government purchase card programs. This guide:

                          •     focuses on auditing the internal control policies, procedures, and
                                activities designed primarily to prevent or detect fraudulent, improper,
                                and abusive purchase card transactions in a government purchase card
                                program;
                          •     seeks to foster critical, creative thinking by auditors, investigators, and
                                management personnel responsible for identifying risks and
                                opportunities open to those who would misuse the purchase card;
                          •     provides practical guidance in identifying potentially fraudulent,
                                improper, and abusive purchase card transactions, and in conducting
                                the appropriate follow-up and investigation; and
                          •     illustrates the beneficial effect of involving fraud investigators in the
                                planning and execution of audit procedures.
                          The guide is intended to supplement existing guidance[3] for review and
                          oversight of federal government purchase card programs. Different parties
                          may accomplish audits of purchase card programs for different purposes.
                          Law, regulation, or third party request may direct external and internal
                          auditors to accomplish a performance or other audit in accordance with
                          generally accepted government auditing standards (GAGAS).[4]

                          The guide is not intended to and does not provide guidance sufficient to
                          address all potential purchase card program performance audit objectives
                          (e.g., economy and efficiency, compliance with legal or other requirements).
                          The guide is also not intended to comprehensively address all five of the
                          standards of internal control[5] (e.g., management’s risk assessment,
                          information and communication). In addition, the guide is not intended to
                          and does not provide guidance sufficient to develop investigative cases that
                          establish evidence to prove specific allegations of criminal wrongdoing.

                          [3] President’s Council on Integrity and Efficiency, A Practical Guide for Reviewing
                          Government Purchase Card Programs (Washington, D.C.: June 2002), and U.S. General
                          Services Administration, GSA Smart Pay®, Blueprint for Success: Purchase Card Oversight
                          (Arlington, Va.: April 2002).
                          [4] U.S. General Accounting Office, Government Auditing Standards – 2002 Revision –
                          Exposure Draft, GAO-02-340G (Washington, D.C.: January 2002).
                          [5] U.S. General Accounting Office, Standards for Internal Control in the Federal Government,
                          GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), p. 7.

GOVERNMENT PURCHASE CARD PROGRAMS

                           The operations and controls of government purchase card programs can
                           vary among organizations. However, the U.S. Department of the Treasury’s
                           Financial Manual[6] prescribes procedures (illustrated in fig. 1), including
                           program controls and invoice payment, that apply to all departments and
                           agencies that use the government purchase card. Additionally, the Federal
                           Acquisition Regulation (FAR), which prescribes governmentwide policies
                           and procedures for acquisition by all executive agencies, provides that
                           agencies are to establish procedures for use and control of the card that
                           comply with the Treasury Financial Manual.[7]




                           The manual further states that, with some exceptions, small purchases of up
                           to $25,000[8] should be made using the government purchase card, and
                           establishes key control activities, personnel, and their roles, including the
                           following.

                               •   A written delegation of authority is to be issued by responsible agency
                                   personnel that establishes authorized cardholder(s)[9] and specifies
                                   spending and usage limitations unique to that cardholder.

                               •   The cardholder is the government employee to whom a government
                                   purchase card, bearing the employee’s name, is issued. The card can
                                   be used only by that employee for official purchases, in adherence with
                                   agency regulations.

                               •   The cardholder statement listing all transactions during the billing
                                   period is sent to each cardholder.

                               •   The approving official (AO) reviews cardholder statement(s), is
                                   responsible for authorizing cardholder purchases (for official use only),
                                   and ensures that statement(s) are reconciled and submitted to the
                                   designated billing office in a timely manner.

                               •   A designated billing office receives the official invoice—a designated
                                   billing office report listing all cardholder charges for the area the office
                                   serves—and ensures its payment in accordance with Prompt Payment
                                   Act deadlines.

                           [6] Treasury Financial Manual, Volume 1 - Part 4 - Chapter 4500, GOVERNMENT PURCHASE
                           CARDS, http://www.fms.treas.gov/tfm/vol1/v1p4c450.txt.
                           [7] 48 C.F.R. § 13.301(b) (2002).
                           [8] See the Relevant Laws and Regulations section of this guide for further information on the
                           FAR provisions applicable to specific purchase amounts.
                           [9] The FAR allows personnel other than warranted contracting officers to use the purchase
                           card. 48 C.F.R. §§ 1.603-3(b) and 13.301(a) (2002).

The manual requires each agency to develop its own internal procedures for
using the purchase card, and establishes processing and internal controls
that must be in place prior to using the government purchase card, including
the following.

 •   Designate an office (usually the procurement office) to manage the
     program, and assure that (1) training required for all cardholders,
     approving officials, and other employees involved in the program is
     provided, (2) a current list of cardholders and approving officials is
     maintained, and (3) an annual oversight review of the program is
     conducted. (This position is generally referred to as the Agency
     Program Coordinator (APC) in DOD purchase card programs.)

 •   Establish procedures for (1) the timely submission of cardholder
     statements to the agency designated billing office, (2) maintaining
     security of the cards, (3) handling disputes and returned, refused,
     damaged, or unacceptable items and partial deliveries, and (4)
     purchase card renewal.

The manual also provides that invoices, payments, access and review of
account and master file data, and reports may be accomplished
electronically, and that electronic funds transfer (EFT) should be adopted as
the standard method of payment for all federal program payments originated
by agencies or their agents.




GAO’S APPROACH TO AUDITING PURCHASE CARD PROGRAMS

                             The approach presented in this guide is based on GAO’s experience in
                             auditing internal control over government purchase card programs at the
                             Departments of Defense, Education, Housing and Urban Development, and
                             other federal agencies (see app. I – Selected Relevant GAO Reports and
                             Testimonies). In general, GAO’s approach is to: (1) gain a thorough
                             understanding of the organization’s operations and purchase card program,
                             and relevant system of internal control, (2) based on that understanding, and
                             any needed additional review and analysis, make a preliminary assessment
                             of the adequacy of the design of the system of internal control, (3) test the
                             effectiveness of internal control using statistical sampling, and (4) use data
                             mining to detect instances of potentially fraudulent, improper, and abusive
                             transactions to illustrate the effects of breakdowns in internal control.

                             GAO’s approach includes involving fraud investigators throughout the audit.
                             An experienced fraud investigator will bring valuable perspectives and
                             insight to the process of identifying opportunities for fraud in the program’s
                             operations and in evaluating the effectiveness of control activities. They can
                             also bring new and creative thinking to identifying the opportunities for
                             circumvention of the existing controls. Fraud investigators should be
                             involved in the preliminary assessment process, designing tests of controls,
                             identifying criteria and relationships for data mining, and in follow-up of
                             potentially fraudulent transactions. Program policy and procedure
                             documents obtained and understandings gained of the purchase card
                             program and related internal controls should be made available to the fraud
                             investigator.




THE APPLICABILITY OF AUDITING STANDARDS

                       Auditors performing an audit in accordance with GAGAS standards for
                       performance audits are required to adhere to the general and fieldwork
                       standards. These standards can be found on GAO’s website.[10] The following
                       three general standards are key to providing assurance that integrity,
                       objectivity, and independence are adequate in planning, conducting, and
                       reporting results of audits.

                              Independence – Audit organizations and individual auditors, whether
                              government or public, are required to be free both in fact and
                              appearance from personal, external, and organizational impairments to
                              independence, in all matters relating to the audit work.

                              Professional judgment – Auditors complying with GAGAS are required
                              to use professional judgment in planning and performing audits and in
                              reporting the results.

                              Competence – Audit staff are required to collectively possess adequate
                              professional competence for the tasks required.

                       We encourage all users of this guide, including internal auditors and
                       program management oversight personnel, to (1) become familiar with these
                       standards and the basic concepts embodied in them, (2) consider their
                       relative applicability to the circumstances, and (3) apply them as
                       appropriate when using this guide.




                       [10] <http://www.gao.gov/govaud/ybk01.htm>.

       Section 2: Understanding the Purchase Card Program




                            Evaluating the adequacy of internal control designed to mitigate the risk of
                            fraudulent, improper, and abusive transactions requires the auditor to gain
                            an in-depth understanding of (1) the risk of fraud, (2) the relevant laws and
                            regulations, and (3) the specific organization’s mission activity operations,
                            and its purchase card program operations (from purchase request to
                            payment). This in-depth understanding is necessary so that an auditor can
                            make a preliminary judgment about the adequacy of design of an
                            organization’s control activities.

THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES

                            The potential for fraudulent, improper, and abusive purchases in a purchase
                            card program should be viewed by management as a risk of significant
                            financial loss, possibly resulting in operational inefficiency and impairment
                            of mission readiness. This is particularly true in the government
                            environment where taxpayer dollars are at risk. Fraudulent, improper, and
                            abusive purchases often result directly from a lack of adherence to policies,
                            procedures, and control activities. This lack of adherence can result in
                            misuse of the card. As program personnel predisposed to misuse the card
                            become aware of such weaknesses, the door opens wider for fraudulent,
                            improper, and abusive purchases.

                            Repeated nonadherence to established internal control policies and
                            procedures, such as inadequate documentation of purchase card
                            transactions or supervisory reviews, in and of itself may not constitute
                            a violation of law or regulation. However, if allowed to continue, it will
                            contribute to an erosion and weakening of the control system. Prompt
                            administrative and disciplinary actions (e.g., informal admonishment, formal
                            reprimand, additional required training, suspension of card privileges,
                            cancellation of the cardholder’s account, termination of employment) can be
                            effective in reducing persistent lack of adherence to policies and procedures
                            by cardholders and other program personnel. When administrative
                            corrective actions are taken and documented, program management,
                            oversight personnel, and auditors will be able to identify repeat offenders
                            and determine that appropriate steps are being taken to address potentially
                            significant problems before they escalate.

                            [Sidebar: One organization’s actions included recommending remedial
                            training and suspension of repeat offenders’ purchase card accounts for
                            lack of adherence to internal control policies and procedures.]




Potentially Fraudulent, Improper or Abusive

                                   Our audits of purchase card programs detected transactions which were not
                                   in accordance with laws and regulations, or were not an appropriate or
                                   legitimate use of government funds. We used four terms to characterize
                                   such purchases: potentially fraudulent, improper, abusive, and questionable
                                   purchases. The following are explanations of these terms as used in this
                                   guide.

                                      Fraudulent purchases – Use of the government purchase card to
                                      acquire goods or services that are unauthorized and intended for
                                      personal use or gain constitutes a fraud against the government. A
                                      cardholder’s unauthorized purchase of power tools for his home, a
                                      vendor’s intentional charges for services not provided, and the
                                      unauthorized use by a third party of a cardholder’s compromised or
                                      stolen account for personal gain are examples of fraudulent purchase
                                      card transactions. In GAO reports, these and similar purchase card
                                      transactions are generally referred to as “potentially fraudulent” unless
                                      there has already been a fraud conviction in a court of law.

                                      [Sidebar: A cardholder made 62 unauthorized transactions totaling
                                      $12,832 to pay for repairs to a car and buy groceries, clothing, and
                                      various other items for personal use.]




                                     Improper purchases – Government purchase card transactions that
                                     are intended for government use, but are not permitted by law,
                                     regulation, or organization policy generally are considered improper.
                                     Examples include certain types of purchases of meals or refreshments
                                     for government employees within their normal duty stations,[11] purchases
                                     split to circumvent micropurchase or other single purchase limits, and
                                     purchases from other than statutorily designated sources, such as the
                                     Javits-Wagner-O’Day program (JWOD).[12]

                                     [Sidebar: Day planners costing $3,100 were purchased from Franklin
                                     Covey. One item cost $199 and another $250. In contrast, cardholders
                                     could have purchased day planners from JWOD for about $40.]

                                     Abusive purchases – Purchases of authorized goods or services, at
                                     terms (e.g., price, quantity) that are excessive, or are for a questionable
                                     government need, or both, are considered abusive. Examples of such
                                     transactions include purchases of items such as $300 day planners, $350
                                     bedside radios, and allowable refreshments at excessive cost, purchases
                                     of designer leather goods, and year-end and other bulk purchases of
                                     computer and electronic equipment for a questionable government need.

                                     [Sidebar: A cardholder purchased Bose bedside clock radios costing
                                     $349 each, when other models costing about $15 were available.]

Indications and Categories of Fraud

                                Figure 2 shows key signs, signals, and patterns that are indicative of the
                                potential for fraud in a government purchase card program.

                                Figure 2: Signs, signals, and patterns indicative of the potential for
                                fraud
                                • Weak management
                                • Weak internal controls
                                • History of impropriety
                                • Failure to follow legal or technical advice
                                • Promise of gain with little likelihood of being caught
                                • Unexplained decisions and/or transactions
                                • Unethical leadership
                                • Missing or altered documents

                                Source: International Journal of Government Auditing.


                                GAO audits of government purchase card programs have reported
                                fraudulent and potentially fraudulent purchases by cardholders, vendors,
                                and third parties using compromised accounts falling into the following
                                broad categories of fraud.

                                     Theft involves property, facilities, and services. An authorized or
                                     unauthorized cardholder purchase of goods or services intended for
                                     personal use or gain is theft. Theft can also occur when an unauthorized
                                     user compromises a cardholder’s account by gaining knowledge of and
                                     using the purchase card account number.

An inmate at a local county jail made three purchase card transactions at local
florist shops on a government purchase card that had either been lost or stolen.

                                [11] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).
                                [12] JWOD establishes mandatory sources of supply for all federal entities, requiring federal
                                agencies to purchase supplies and services furnished by nonprofit agencies—such as the
                                National Industries for the Blind and the National Industries of the Severely Handicapped
                                (NIB/NISH).

                                 Fictitious transactions can involve a single party (e.g., a cardholder
                                 supports the acquisition of goods or services for personal use with false
                                 documentation, or a vendor bills the government for goods or services
                                 never delivered). In addition, fictitious transactions can include
                                 collusion (e.g., a cardholder knowingly approves documentation
                                 supporting a vendor’s invoice for goods or services never provided, and
                                 the two share in the amount paid by the government). Although
                                 collusion can circumvent what otherwise might be effective internal
                                 control activities, a robust system of guidance, internal control activities,
                                 and oversight can provide reasonable assurance of preventing or quickly
                                 detecting fraud.

A maintenance supervisor allegedly made $52,000 in fraudulent transactions to a
suspect contractor for work that was not performed.

                                 Kickbacks may be offered by a vendor or solicited by a contractor or
                                 government buyer. Kickbacks in a government purchase card program
                                 can include collusion between a cardholder and a vendor. The
                                 cardholder makes authorized purchases from the vendor, who charges
                                 the government an excessive price and “kicks back” a percentage of the
                                 amounts received to the cardholder.

Two purchase cardholders conspiring with at least seven vendors received kickbacks
on purchases with inflated prices and/or quantities. Criminal investigation resulted
in confinement or restriction, a bad conduct discharge, and a reduction in rank.

                                 Conflict of interest is present when a government official participates
                                 in approving or deciding a matter in which the official or a relative has a
                                 financial interest. The potential for a conflict of interest in a purchase
                                 card transaction exists whenever a cardholder or a relative has a
                                 significant financial interest in a vendor or contractor. Purchases of
                                 goods or services from that vendor or contractor would be suspect and,
                                 if not prohibited by the organization, should require special review and
                                 approval prior to and subsequent to the purchase.

A cardholder and his supervisor conspired to make nearly $400,000 in fraudulent
purchases from companies owned by the supervisor, his sister, friends, and
acquaintances.

                              The auditor should be aware of the potential for the previous categories of
                              fraud in the day-to-day operational risk of the organization. Fraudulent,
                              improper, and abusive purchases generally involve individual cardholders,
                              supervisors, approving officials, and vendors, and occasionally collusion
                              between them. Another source of fraudulent purchases of significant
                              concern occurs when an account is compromised (e.g., someone other than
                              authorized program personnel gains knowledge of account numbers). In
                              any event, a strong system of controls should guard against significant loss
                              to the government for all such potentially fraudulent, improper, and abusive
                              purchases. Any potentially fraudulent transaction detected should be
                              considered for follow-up, as discussed in the Follow-up and Investigation
                              section of this guide.

                              To better understand the risk of fraud within a specific organization’s
                              purchase card program, auditors and investigators should identify and study
                              known cases of such fraud. Summary memoranda prepared by fraud
                              investigators detailing the nature and extent of the suspected fraud, the
                              investigative process, the conclusions reached, and the actions taken can
                              provide valuable additional insight.




RELEVANT LAWS AND REGULATIONS

                                 A federal organization’s purchase card program must comply with the laws,
                                 regulations, contracts, and governmentwide and organization policies and
                                 procedures that (1) govern the establishment and operation of the purchase
                                 card program, (2) prescribe procurement methods and standards, and (3)
                                 pertain to the purposes for which an organization’s appropriations and other
                                 sources of funds may be used. When evaluating the merits of individual
                                 purchases, all three areas should be considered. (see app. II – Selected
                                 Relevant Laws and Regulations)

Establishment and Operation of the Purchase Card Program

                                 Federal organization purchase card programs operate under a
                                 governmentwide GSA contract, the GSA SmartPay® Master Contract.
                                 Organization purchase card programs must comply with the terms of the
                                 contract and the task order under which the organization placed its order
                                 for purchase card services. Organization purchase card programs must also
                                 comply with Department of the Treasury regulations found in the Treasury
                                 Financial Manual, Vol. I, Part 4-4500, “Government Purchase Cards.” The
                                 Federal Acquisition Regulation (FAR), 48 C.F.R. § 13.301(b) (2002), provides
                                 that agencies are to establish procedures for use and control of the card that
                                 comply with the Treasury Financial Manual and that are consistent with the
                                 terms and conditions of the current GSA credit card contract. Individual
                                 organizations may be subject to specific statutory criteria for the
                                 management of purchase cards (e.g., Title 10 U.S.C. 2784, directing the
                                 Secretary of Defense to prescribe regulations governing the use of purchase
                                 cards). As such, each organization should have guidance concerning the
                                 implementation, establishment, and operation of its purchase card program.

Procurement Methods and Standards

                                 Purchases made with the purchase card should be made in accordance with
                                 generally applicable procurement laws, regulations, and organization
                                 procurement policies and procedures. The FAR provides governmentwide
                                 policies and procedures for acquisition by all executive agencies. Agencies
                                 frequently issue supplemental acquisition regulations as well.

                                 Contracting activities carried out by the federal government generally must
                                 be conducted by warranted contracting officers; however, the purchase card
                                 may also be used by other government personnel for purchases at or below
                                 the micropurchase threshold. The FAR provides that such individuals must
                                 be delegated the authority to do so in writing in accordance with
                                 organization procedures. Regardless of the value of a purchase, the FAR
                                 prohibits cardholders from splitting organization needs into smaller
                                 purchases in order to circumvent applicable acquisition laws, regulations,
                                 and policies. Organization policies can also prohibit cardholders from
                                 splitting a purchase into smaller purchases in order to avoid individual
                                 cardholder purchase limits.

One cardholder split about $17,000 of purchases of boots on 1 day into 8
transactions. Another cardholder split over $30,000 of purchases from an electronic
supply store on 1 day into 14 transactions.

                                 Authorized personnel may use the purchase card for purchases at or below
                                 the micropurchase threshold (currently $2,500, except that the limit is $2,000
                                 for certain construction costs).[13] Micropurchases are subject to the
                                 requirements of FAR Subpart 8, which provides that certain products be
                                 acquired from designated sources, including statutorily preferred vendors.
                                 Micropurchases must also be made in accordance with various laws and
                                 regulations concerning environmentally preferable products and services.
                                 Cardholders may make micropurchases without soliciting competitive
                                 quotations from vendors if they consider the price to be reasonable.
                                 However, cardholders are required to distribute micropurchases equally
                                 among qualified suppliers to the extent practicable.

                                 [13] 48 C.F.R. §§ 2.101 and 13.201(g).

Despite representations that hotels were authorized to bill only for audiovisual
equipment and conference room rental, detailed bills acquired by GAO auditors showed
that about $7,000 was inappropriately expended for prohibited breakfasts, lunches,
and snacks.

                                 For purchases above the micropurchase threshold, warranted contracting
                                 officers may use the purchase card to place and/or pay for orders against
                                 already existing contracts. For these larger transactions, the card is
                                 frequently referred to as a “payment card” because it pays for acquisitions
                                 made under a legally executed contract.
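The split-purchase pattern this section prohibits (several transactions that each stay at or below the micropurchase threshold but together exceed it) can be screened for in transaction data. The following Python code is an added example, not part of the GAO guide: the record layout, the sample transactions, and the `window_days` option that extends the same-day test to adjacent days are assumptions, and a flagged cluster is a candidate for auditor follow-up rather than a finding.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Micropurchase threshold stated in the guide ($2,500; $2,000 for certain
# construction costs). Pass whichever limit applies to the cardholder.
MICROPURCHASE_LIMIT = Decimal("2500.00")

# Constructed sample data (not real transactions):
# (cardholder id, vendor, transaction date, amount)
SAMPLE_TRANSACTIONS = (
    # Eight same-day charges totaling $17,000, modelled on the guide's boots example.
    [("CH-001", "Boot Outfitters", date(2002, 3, 14), Decimal("2125.00"))] * 8
    + [
        # Two charges on consecutive days that together exceed the limit.
        ("CH-002", "Office Supply Co", date(2002, 4, 1), Decimal("2450.00")),
        ("CH-002", "Office Supply Co", date(2002, 4, 2), Decimal("2300.00")),
        # A single purchase and a credit: nothing to cluster.
        ("CH-003", "Hardware Store", date(2002, 4, 5), Decimal("1200.00")),
        ("CH-003", "Hardware Store", date(2002, 4, 5), Decimal("-50.00")),
        # Two same-day charges whose total stays under the limit.
        ("CH-004", "Print Shop", date(2002, 4, 9), Decimal("300.00")),
        ("CH-004", "Print Shop", date(2002, 4, 9), Decimal("450.00")),
    ]
)


def _cluster_finding(cardholder, vendor, cluster, limit):
    """Return a finding dict if the cluster looks like a split purchase, else None."""
    amounts = [amount for _, amount in cluster]
    total = sum(amounts, Decimal("0"))
    # A split needs 2+ charges, each within the limit, whose sum exceeds it.
    # A single charge over the limit is a different exception (limit override).
    if len(cluster) < 2 or total <= limit or any(a > limit for a in amounts):
        return None
    return {
        "cardholder": cardholder,
        "vendor": vendor,
        "first_date": cluster[0][0],
        "last_date": cluster[-1][0],
        "count": len(cluster),
        "total": total,
    }


def find_split_purchase_candidates(transactions, limit=MICROPURCHASE_LIMIT,
                                   window_days=0):
    """Group charges by cardholder and vendor, cluster them by date, and
    return clusters that match the split-purchase pattern, largest first.

    window_days=0 clusters same-day charges only; a larger value also joins
    charges made up to that many days after the first charge in a cluster.
    """
    by_pair = defaultdict(list)
    for cardholder, vendor, day, amount in transactions:
        if amount > 0:  # ignore credits and refunds
            by_pair[(cardholder, vendor)].append((day, amount))

    window = timedelta(days=window_days)
    findings = []
    for (cardholder, vendor), items in by_pair.items():
        items.sort()
        clusters, current = [], [items[0]]
        for item in items[1:]:
            if item[0] - current[0][0] <= window:
                current.append(item)
            else:
                clusters.append(current)
                current = [item]
        clusters.append(current)
        for cluster in clusters:
            finding = _cluster_finding(cardholder, vendor, cluster, limit)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for f in find_split_purchase_candidates(SAMPLE_TRANSACTIONS, window_days=1):
        print(f"{f['cardholder']} / {f['vendor']}: {f['count']} charges, "
              f"${f['total']} between {f['first_date']} and {f['last_date']}")
```

Each flagged cluster still needs the supporting documentation reviewed, since separate legitimate needs can fall on the same day with the same vendor.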

Purposes for which an Organization’s Appropriations May Be Used

                                Individual purchases must be for a purpose allowable under an
                                organization’s appropriations or other sources of funds (e.g.,
                                nonappropriated funds) and must not otherwise be prohibited by law.
                                Organizations may use appropriated funds only for legitimate or bona fide
                                needs that arise in or continue to exist in the fiscal year(s) for which those
                                funds are appropriated. Agencies are restricted to purchasing only those
                                items that will be used during such fiscal year(s) except when they qualify
                                under certain categories, such as to maintain inventories of necessary items
                                at reasonable levels. However, agencies generally may not purchase items
                                in excessive amounts at the end of a fiscal year in order to solely avoid the
                                expiration of funds.


THE ORGANIZATION’S OPERATIONS AND PROGRAMS

                                To appropriately plan an audit and investigation of the internal control over
                                an organization’s purchase card program requires a thorough understanding of:

                                •      the organization’s mission activities and operations,
                                •      its purchase card program operations and the end-to-end flow of
                                       transactions through it from request to payment,
                                •      the system of internal control over the purchase card program, and
                                •      the environment in which the control activities operate.

                                Understanding the organization’s operations and its specific purchase card
                                program is critical in developing audit objectives and the scope and
                                methodology for the work needed to achieve them. In addition, issues such
                                as program significance, visibility, age, sensitivity, and the potential use of
                                audit results should be considered in the audit planning process.[14] Gaining
                                and documenting an understanding of the operations of a government
                                purchase card program can be accomplished in several ways, all of which
                                will require access to the appropriate personnel and relevant documents.
                                The first step should be to establish contact and coordinate that effort with
                                both the organization and the bank service provider.

                                [14] GAO-02-340G, ¶ 7.8 - 7.10.

                               One manner of obtaining access to operations and program personnel is to
                               coordinate audit arrangements with the organization’s management. Access
                               to the appropriate personnel and to written policies and procedures is
                               essential to understanding the organization’s operations, the purchase card
                               program, and internal controls. In addition, documentation evidencing
                               adherence to internal control policies and procedures will be necessary
                               when testing for performance of control activities. Further, access to
                               program personnel will be necessary to clarify information received and/or
                               to follow up on potentially fraudulent, improper, and abusive purchases.

Understanding the Organization’s Operations

                               Understanding the organization’s mission and objectives, and how those
                               missions and objectives are accomplished provides the auditor with critical
                               insight used in (1) developing audit objectives, (2) identifying opportunities
                               for purchase card fraud, (3) making preliminary assessments of the
                               adequacy of program controls, (4) designing tests of internal control, and (5)
                               identifying criteria for data mining. Understanding gained of the
                               organization’s operation(s) might include:

                               •   the nature and size of overall operations;
                               •   what the individual activities involved in the purchase card program do,
                                   and how they do it;
                               •   the general job descriptions, level of education, and number of personnel
                                   in those activities; and
                               •   the volume and appropriate type(s) of purchase activity to expect.

                               An understanding of the organization’s operations and activities can be
                               gained by interviews with operations personnel, and by reviewing existing
                               documents such as program descriptions, policies and procedures, and
                               operations manuals.

Understanding the Organization’s Purchase Card Program

                               The initial understanding of the organizational level purchase card program
                               (from request to payment) and the internal control at work throughout that
                               process ideally would be obtained from existing documents such as
                               purchase card program descriptions, policies and procedures, operational
                               manuals, or instructions. Interviews with program personnel can
                               supplement existing documented evidence of program operations and
                               controls, or establish a starting point if such documentation is insufficient or
                               nonexistent. In either circumstance, correctly structured interviews can be
                               a valuable source of inquiry to understand and clarify (1) the extent to
                               which control activities are in place and operating, (2) the
                               environment in which those controls operate, (3) the overall managerial
                               organization and operations of the program, and (4) the flow of purchase
                               card transactions. A Practical Guide for Reviewing Government Purchase
                               Card Programs – June 2002, by the President’s Council on Integrity and
                               Efficiency contains interview guides, which will be helpful when conducting
                               interviews for this purpose. In addition, conducting walkthroughs of
                               selected purchase card transactions is a key process in (1) gaining a
                               thorough understanding of the program’s operations from purchase request
                               to payment of the bill, (2) identifying control points through that process,
                               and (3) observing the operation of control activities and transaction flows.

                               GAGAS requires auditors to prepare documentation supporting significant
                               judgments and conclusions. The auditor should obtain or prepare narratives
                               and/or flowcharts that summarize and document their understanding of the
                               organization’s purchase card program and the flow of typical purchase card
                                 transactions. Understanding gained of how the purchase card program
                                 operates, the flow of transactions from request to payment, and the key
                                 controls over the entire end-to-end process form the basis for making
                                 preliminary judgments about the adequacy of the design of control activities
                                 and for designing tests of those controls. Narrative and flowchart
                                 documentation also provides effective communication of the processes and
                                 control points to other interested parties (e.g., audit staff, program
                                 management, oversight personnel). Appendixes III and IV of this guide
                                 provide example flowcharts of an organizational level structure for a federal
                                 government purchase card program and the end-to-end flow, and related
                                 narrative, of typical purchase card transactions through it.




Understanding the Bank Service Provider’s Program

                                 Coordinating the audit effort with the bank service provider might provide
                                 the opportunity to gain an understanding of (1) the operation of the
                                 provider’s program, (2) the processes for purchase card authorization,
                                 issuance, and credit limits, (3) the transaction processing, review,
                                 authorization, and manual override (e.g., single transaction limits) system,
                                 (4) the merchant category code (MCC) blocking features and any manual
                                 override, and (5) the internal controls over these processes. Additionally, as
                                 shown in figure 3, the GSA SmartPay® master contract requires bank
                                 service providers to provide federal organizations with various ad hoc,
                                 standard commercial, and other reports specific to the purchase card
                                 program.




                                Figure 3: Agency/organization reports required by GSA’s SmartPay®
                                master contract to be provided by the bank service provider

                                General reporting requirements
                                   Ad-hoc report generation capability
                                   Standard commercial reports

                                Additional essential reports
                                   The Official Invoice
                                   Invoice Status Report
                                   Transaction Dispute Report
                                   Pre-Suspension/Pre-Cancellation Report
                                   Suspension/Cancellation Report
                                   Renewal Report
                                   Delinquency Report
                                   Detailed Electronic Transaction File

                                Reporting specific to the Purchase Card Program
                                   Account Activity Report
                                   Statistical Summary Report
                                   Summary Quarterly Purchase Report

                                Other agency reports
                                   Account Activity Report
                                   Master File Report
                                   Statistical Summary Report
                                   Account Change Report
                                   Exception Report
                                   Current Accounts Report
                                   1099 Report Information
                                   1057 Report
                                   Payment Performance and Refund Report
                                   Write-Off Report
                                   Summary Quarterly Merchant Report
                                   Summary Quarterly Vendor Analysis Report
                                   Summary Quarterly Vendor Ranking Report

                                Source: GSA’s SmartPay® Master Contract, Section C.38 – Agency Reporting Requirements,
                                and Section CC.12 – Agency Reporting Requirements For The Purchase Card Program.

                           Conducting interviews with bank service provider personnel may provide
                           the necessary understanding of the provider’s purchase card operations,
                           processes, and controls, as well as valuable insights and understanding in
                           using the various reports being produced.

INTERNAL CONTROL AND THE CONTROL ENVIRONMENT

                           Internal control is an integral component of an organization’s purchase card
                           program that provides reasonable assurance that the objectives of effective
                           and efficient operations and compliance with applicable laws and regulations
                           are being achieved. The minimum level of quality acceptable for internal
                           control in a government purchase card program is defined by the five standards
                           for internal control included in Standards for Internal Control in the Federal
                           Government.[15] Those standards, and elements of the control environment
                           standard which are significant in a government purchase card program, are
                           discussed in this section of the guide.

                           [15] GAO/AIMD-00-21.3.1.

The Standards of Internal Control

                              All of the following internal control standards are applicable to achieving
                              reasonable assurance that fraudulent, improper, and abusive purchases do
                              not have a significant adverse effect on the effectiveness or efficiency of a
                              government purchase card program.

                              •   The control environment – A positive control environment—the
                                  foundation for all other internal control standards—is established by
                                  management and employees creating and maintaining an environment
                                  throughout the organization that sets a positive and supportive attitude
                                  toward internal control and conscientious management. Specific key
                                  elements affecting the control environment of a purchase card program
                                  are discussed in more detail later in this section of the guide.

                              •   Management’s risk assessment – Internal control should provide for
                                  an assessment of the risks the organization faces from both external and
                                  internal sources, and identify and deal with any special risks prompted
                                  by changes in economic, industry, regulatory, and operating conditions.

                              •   Control activities – Control activities are the policies, procedures,
                                  techniques, and mechanisms that enforce management’s directives and
                                  help ensure that actions are taken to address risks. Control activities in
                                  a government purchase card program include a wide range of diverse
                                  activities such as approvals, authorizations, verifications,
                                  reconciliations, reviews, and the creation and maintenance of related
                                  records that provide evidence of execution of these activities. Specific
                                  transaction-level control activities significant to a purchase card
                                  program are discussed in more detail in the Transaction Control
                                  Activities section of this guide.

                              •   Information and communications – Information should be recorded
                                  and communicated to government purchase card program managers and
                                  others within the program who need it in a form and within a time frame
                                  that enables them to carry out their internal control and other
                                  responsibilities.

                              •   Monitoring – Ongoing monitoring—regular management and
                                  supervisory activities, comparisons, reconciliations, and other actions
                                  people take in performing their duties—should be performed continually
                                  and be ingrained in the course of normal operations of a government
                                  purchase card program (e.g., review and analysis of bank service
                                  provider reports, periodic reviews for adherence to program policies and
                                  procedures, review and follow-up of audit findings).


Testing Key Elements of the Control Environment

                              Recent GAO purchase card audit reports have identified the following six
                              elements as significantly affecting the control environment surrounding a
                              purchase card program.

                              •   Management’s philosophy (tone at the top),
                              •   Span of control,
                              •   Financial exposure,
                              •   Training,
                             •   Discipline, and
                             •   Purchasing and reviewing authorities.

                             This guide discusses each of these elements, the relevant documentation,
                             and tests which the auditor can perform. Testing of some of these elements
                             of the control environment can be accomplished either before the
                             preliminary assessment is completed, or later as part of testing the
                             effectiveness of control activities.

                             Testing of these elements of the control environment is accomplished
                             through analytical, sampling, and nonsampling methods as discussed in each
                             element. Analytical testing is accomplished by utilizing electronic reports,
                             data files, and other data obtained from the bank service provider and/or the
                             organization. The discussion of some of these elements identifies them as
                             lending themselves to efficient testing in conjunction with transaction-level
                             control activity tests, discussed in the Transaction Control Activities section
                             of this guide. Therefore, the data needed to conduct tests of these elements
                             should be obtained for each cardholder and approving official for purchase
                             card transactions selected for transaction-level control activity testing.

                             Management’s philosophy and operating style, sometimes referred to as tone
                             at the top, determines the degree of risk the organization is willing to
                             take in operations and programs. The attitude and philosophy of management
                             toward information systems, accounting, personnel functions, monitoring,
                             and audits and evaluations can have a profound effect on internal control.

                             Insights gained by the auditor through interviews conducted with program
                             personnel, and review of prior audit findings and management’s responses
                             will assist in assessing this element of internal control. Professional
                             judgment is necessary when attempting to assess the effect of tone at the
                             top, positive or negative, on internal control and on the design of control
                             activities. Tests of transaction-level control activities and follow-up of
                             potentially fraudulent, improper, and abusive purchases may provide the
                             auditor with additional insight into the tone at the top.

In a recent GAO audit, management’s proactive attitude in implementing change
was credited for establishing a positive control environment at one unit, in
contrast to another unit where management supported the status quo of weak
control, effectively diminishing the likelihood of substantive change.

                             Span of control, in a government purchase card program, refers to the
                             extent of review responsibilities placed on a single approving official for
                             the purchase card transactions of one or more cardholders.

                             In establishing the reasonableness of this responsibility, the auditor
                             should consider (1) the number of cardholders assigned, (2) the number and
                             complexity of purchase card transactions being reviewed each billing
                             period, and (3) perhaps the most potentially detrimental, demands of other
                             responsibilities assigned to the approving official. Additional insight
                             into the reasonableness of these relationships can be obtained during
                             interviews with cardholders and approving officials and during control
                             tests of selected transactions.

In response to a GAO report criticizing an unreasonable 1,153:1 ratio of
cardholders to approving official, the department issued guidance limiting this
span of control ratio to 7:1 for all its agencies.


                              The auditor should consider independently evaluating the reasonableness of
                              existing span of control relationships by obtaining bank service provider
                              reports containing the information necessary to determine the number of
                              cardholders assigned to individual approving officials.

                              The total number of authorized cardholders in the organization, their single
                              transaction and monthly credit limits, and the approving official credit
                              limits directly affect the financial responsibility of the individuals
                              involved and the extent of potential loss to the organization from
                              fraudulent, improper, and abusive purchases. Financial exposure in a
                              government purchase card program can become excessive when management does
                              not exercise judgment and restraint in issuing purchase cards and in
                              determining single purchase and monthly credit limits. We have found that by
                              limiting the number of purchase cards and related credit limits to the
                              levels necessary to meet operational requirements, an agency can better
                              manage and control its purchase card program.

Two related organizations provided purchase cards with credit limits of $20,000
or more to over 1,700 employees, resulting in an excessive monthly financial
exposure of over $34 million, while actual monthly purchases amounted to only
about $6 million.

                              Purchase cards should be issued in controlled limited quantities (e.g.,
                              special justification and authorization for more than one card per
                              cardholder), and only to government employees with a legitimate need to
                              have the card. Single purchase and monthly credit limits should be
                              established based on the expected monthly purchases of the cardholder.
                              Both of these determinations require an objective effort by operational
                              supervisors and management, with assistance from purchase card program
                              management, to evaluate the existing and continuing needs of operations
                              and cardholders.

                              The auditor should evaluate management’s process for establishing the
                              number of cardholders and their credit limits reasonably necessary to
                              operational requirements. Documentation of management’s decision-
                              making process should be obtained and reviewed for propriety. Examples
                              of management’s consideration of objective, analytical data include the
                              following.

                              •   Supervisory review of cardholder purchase history, both number of
                                  transactions and dollars purchased (very few purchase transactions in
                                  the previous year might indicate the lack of a need for the card, while
                                  lower than expected dollar volume of purchases might indicate a lower
                                  reasonable cardholder credit limit).

                              •   Annual positive assertions by supervisors and/or managers of continuing
                                  cardholder needs, both for the card and for the related credit limits.

                              The auditor should consider independently evaluating the reasonableness of
                              the organization’s existing financial exposure by obtaining bank service
                              provider reports—which provide information necessary to determine the
                              total cardholder monthly credit limits—and comparing that total to the
                              organization’s average monthly and highest monthly purchase card
                              expenditures.
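
The span-of-control count and the financial-exposure comparison described above can both be computed from bank service provider data. The Python below is an added example, not part of the GAO guide; the record layout, the sample rows, and the thresholds passed in by the caller (the 7:1 ratio from the sidebar and a 25 percent utilization floor) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data standing in for bank service provider reports.
# Account row: (account, cardholder, approving official, monthly credit limit)
ACCOUNTS = (
    [(f"A{i:02d}", f"CH-{i:02d}", "AO-1", 20_000) for i in range(1, 10)]
    + [("A10", "CH-10", "AO-2", 5_000),
       ("A11", "CH-11", "AO-2", 40_000),
       ("A12", "CH-11", "AO-2", 500_000)]  # second account, same cardholder
)
# Transaction row: (account, billing month, amount)
TRANSACTIONS = [
    ("A01", "2002-10", 1800.00), ("A01", "2002-11", 2200.00),
    ("A02", "2002-10", 900.00),
    ("A10", "2002-10", 4100.00), ("A10", "2002-11", 3900.00),
    ("A10", "2002-12", 4500.00),
    ("A11", "2002-11", 12000.00),
    ("A12", "2002-12", 95000.00),
]
# Billing months in the period under audit, so idle months count as zero.
MONTHS = ["2002-10", "2002-11", "2002-12"]


def span_of_control(accounts, max_ratio):
    """Count distinct cardholders per approving official and return the
    officials whose count exceeds max_ratio (a caller-supplied threshold)."""
    holders = defaultdict(set)
    for _account, cardholder, official, _limit in accounts:
        holders[official].add(cardholder)
    return {ao: len(chs) for ao, chs in holders.items() if len(chs) > max_ratio}


def financial_exposure(accounts, transactions, months):
    """Compare total monthly credit limits with the average and the highest
    monthly purchase card expenditures over the given months."""
    total_limit = sum(limit for *_rest, limit in accounts)
    totals = {m: 0.0 for m in months}
    for _account, month, amount in transactions:
        if month in totals:
            totals[month] += amount
    average = sum(totals.values()) / len(months)
    peak = max(totals.values())
    return {
        "total_monthly_limit": total_limit,
        "average_monthly_spend": round(average, 2),
        "highest_monthly_spend": peak,
        "limit_to_average": round(total_limit / average, 1) if average else None,
        "limit_to_highest": round(total_limit / peak, 1) if peak else None,
    }


def underused_accounts(accounts, transactions, months, min_utilization):
    """Flag accounts with no purchases in the period, or whose busiest month
    stayed below min_utilization (a fraction) of the monthly credit limit."""
    per_month = defaultdict(float)
    for account, month, amount in transactions:
        if month in months:
            per_month[(account, month)] += amount
    flagged = {}
    for account, _cardholder, _official, limit in accounts:
        peak = max((per_month.get((account, m), 0.0) for m in months), default=0.0)
        if peak == 0:
            flagged[account] = "no purchases in period"
        elif peak < min_utilization * limit:
            flagged[account] = (
                f"peak month {peak:.0f} is under {min_utilization:.0%} of limit {limit}"
            )
    return flagged


if __name__ == "__main__":
    print(span_of_control(ACCOUNTS, max_ratio=7))
    print(financial_exposure(ACCOUNTS, TRANSACTIONS, MONTHS))
    for account, reason in sorted(
        underused_accounts(ACCOUNTS, TRANSACTIONS, MONTHS, 0.25).items()
    ):
        print(account, reason)
```

Accounts flagged here are candidates for the supervisory review of need and credit limit described above, not conclusions in themselves.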



                            Management should identify the appropriate knowledge and skills needed in
                            the purchase card program, require the needed training, and maintain
                            documentation evidencing that required training is current for all program
                            personnel. The extent and type of training provided should vary in relation
                            to authority and responsibility in the program, and to the amount of
                            transaction authorization given to the cardholder. At a minimum, a
                            cardholder should receive the standard purchase cardholder training
                            provided by the organization and/or by GSA, before receiving a purchase
                            card, and periodic (biannual) refresher training thereafter.[16]

Of approximately $68 million in fiscal year 2000 purchase card transactions at
two related organizations, approximately $17.7 million (26 percent) were made by
cardholders for whom there was no documented evidence of required initial or
refresher purchase card training.

                            The auditor should obtain and evaluate documentation evidencing
                            adherence with this element of the control environment for the cardholders
                            and approving officials related to and in conjunction with transactions
                            selected for tests of transaction-level control activities. Both the
                            appropriateness of training received as well as the attributes discussed
                            below can be reviewed, when evaluating this element of the control
                            environment. Training documentation and relevant attributes to consider
                            include the following.

                            •    Certificates/record of training, for both initial and refresher courses,
                                 should clearly show: (1) the type of training received (e.g., instructor led,
                                 computer based, internet based), (2) that the training was relevant to the
                                 purchase card program, (3) that the training was appropriate to the level
                                 of authorized spending and program authority of the individual, (4) the
                                 signature of the cardholder and the instructor (if applicable), (5) that the
                                 date of initial training is prior to purchase card account activation,
                                 and/or (6) that the date of refresher training is within the required
                                 period.

                            •    Centralized training records, or a database of cardholder, approving
                                 official, and APC training should: (1) provide detailed information similar
                                 to that contemplated above for certificates of training, and (2) be
                                 available to the appropriate levels of program management to facilitate
                                 monitoring of adherence to program training requirements. The auditor
                                 should consider assessing the adequacy of centralized training records
                                 by tracing cardholders and approving officials associated with the
                                 purchase card transactions selected for control tests to such records.
                                 Testing in association with transaction control tests is desirable because
                                 selecting and testing a representative sample from the centralized
                                 records would not identify cardholders and others who have not
                                 received training and are therefore not in the centralized records.
                                 Inquiries and other corroborating evidence could provide confirmation
                                 that centralized training records or databases are maintained current,
                                 and are being used to monitor adherence with training requirements.
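
The reason for tracing from selected transactions to the training records, rather than sampling the records themselves, shows up clearly when the trace is written out. The Python below is an added example, not part of the GAO guide; the record layouts, the sample rows, and the 730-day refresher period passed in by the caller are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed centralized training records (hypothetical layout):
# cardholder -> (initial training date, latest refresher date or None)
TRAINING = {
    "CH-01": (date(2000, 3, 1), date(2002, 2, 15)),
    "CH-02": (date(2001, 9, 10), None),
    "CH-03": (date(1999, 5, 5), None),
}
# Constructed account activation dates, as a bank report might list them.
ACTIVATED = {
    "CH-01": date(2000, 4, 1), "CH-02": date(2001, 8, 1),
    "CH-03": date(1999, 6, 1), "CH-04": date(2001, 1, 10),
}
# Constructed transactions already selected for control tests:
# (cardholder, transaction date, amount)
SELECTED = [
    ("CH-01", date(2002, 6, 10), 1000.00),
    ("CH-02", date(2002, 6, 12), 500.00),
    ("CH-03", date(2002, 6, 15), 300.00),
    ("CH-04", date(2002, 6, 18), 200.00),  # absent from TRAINING entirely
]


def training_exceptions(cardholder, txn_date, refresher_days,
                        training=TRAINING, activated=ACTIVATED):
    """Return the training exceptions for one cardholder on one date."""
    record = training.get(cardholder)
    if record is None:
        # A sample drawn from the training records could never surface this.
        return ["no record in centralized training records"]
    initial, refresher = record
    found = []
    activation = activated.get(cardholder)
    if activation is not None and initial >= activation:
        found.append("initial training not prior to account activation")
    latest = refresher or initial
    if txn_date - latest > timedelta(days=refresher_days):
        found.append("training not current on transaction date")
    return found


def trace_selected(selected, refresher_days):
    """Trace each selected transaction to the training records. Returns
    (exceptions by cardholder, dollars with exceptions, share of dollars)."""
    exceptions, flagged_dollars, total = {}, 0.0, 0.0
    for cardholder, txn_date, amount in selected:
        total += amount
        found = training_exceptions(cardholder, txn_date, refresher_days)
        if found:
            exceptions.setdefault(cardholder, found)
            flagged_dollars += amount
    share = flagged_dollars / total if total else 0.0
    return exceptions, flagged_dollars, share


if __name__ == "__main__":
    by_cardholder, dollars, share = trace_selected(SELECTED, refresher_days=730)
    for cardholder, found in by_cardholder.items():
        print(cardholder, "; ".join(found))
    print(f"{dollars:.2f} of selected dollars ({share:.0%}) lack training evidence")
```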



                            [16] The GSA website
                            (http://www.fss.gsa.gov/webtraining/trainingdocs/smartpaytraining/index.cfm) provides
                            access to relevant purchase card training materials.

                            Candid and constructive counseling, performance appraisals, and discipline
                            can provide reinforcement of the system of internal control. Internal
                            control policies and procedures should identify the specific actions or
                            lack of adherence to internal control within the purchase card program that
                            warrant counseling and/or discipline.

                            The auditor should obtain and evaluate documentation evidencing this
                            element of the control environment for the cardholders and approving
                            officials related to and in conjunction with transactions selected for tests of
                            transaction-level control activities. The documentation and relevant
                            attributes of discipline to consider evaluating fall into two general
                            categories:

                            •   Constructive counseling might be provided to cardholders and approving
                                officials in response to isolated instances of lack of adherence to
                                internal control policies, procedures, and activities. The auditor should
                                obtain and review for propriety documentation of counseling provided
                                for isolated instances of lack of adherence to controls detected in the
                                transactions selected for control testing.

                            •   Disciplinary actions to be taken in response to recurring and/or
                                persistent lack of adherence to internal controls, and specific
                                consequences for improper and abusive purchases should be adopted by
                                the organization as part of the system of internal control. Such
                                consequences can vary with the severity and persistence of the policy
                                violation, and might include formal and informal reprimands, suspension
                                or cancellation of the purchase card account, termination of
                                employment, and referral to investigative authorities in cases of
                                suspected fraud. Instances warranting discipline should be documented
                                and included in personnel files and, if applicable, performance
                                appraisals. The auditor should obtain and review documentation of
                                disciplinary actions taken for the instances of significant lack of
                                adherence to controls, and for improper and abusive purchases detected
                                during the control activities testing. Documentation should also be
                                obtained of all cases of detected potential fraud occurring during the
                                period under audit and included in considerations for follow-up, as
                                discussed in the Follow-up and Investigation section of this guide.
                                Disciplinary actions alone may be an insufficient response to detected
                                fraud. For that reason, instances of fraud that are declined for
                                prosecution and referred to management for disciplinary action should
                                be followed up to ensure that, in the professional judgment of the
                                auditor, appropriate actions were taken by organization management.

Despite operating instructions providing for restitution and revocation of card
privileges, repeat violators of regulations and internal controls did not lose
their purchase cards and did not repay the government for unauthorized
purchases.

In a government purchase card program, purchasing authority establishes a
cardholder’s authority to possess and use a government purchase card. It also
establishes the cardholder’s single-transaction and credit limits. Some
organizations will assign different spending limit authorities to the same
cardholder, which apply to different uses of the card. For example, a cardholder
who is a warranted contracting officer is assigned two purchasing authorities:
(1) a $2,500 single-transaction limit with a $40,000 monthly purchase limit for
purchases of goods or services, and (2) a $100,000 single-transaction limit
with a $500,000 credit limit for use of the purchase card as a method of
payment on a preexisting contract. Authority is also established for
approving officials to review and authorize payment of cardholder accounts.
Approving official authority should also identify the specific cardholder(s)
for which review and certification responsibilities have been assigned, and
the approving official’s credit limits should relate to the total cumulative
monthly purchasing limits of the cardholders assigned to them.

The auditor should obtain and evaluate documentation evidencing this
element of the control environment for the cardholders and approving
officials related to and in conjunction with transactions selected for tests of
transaction-level control activities. For evaluation and testing purposes,
each level of purchasing authority given to a cardholder (e.g., $2,500 single-
transaction limit for local vendor purchases, $100,000 limit for purchases on
an existing contract) should be deemed a separate cardholder.
Documentation evidencing purchasing authority for cardholders, and review
and certification authority for approving officials, should be obtained and
evaluated for instances of significant lack of adherence to controls
including: (1) documentation of the cardholder’s purchasing authorization
(e.g., organizational standard form) dated prior to the transaction date and
(2) documentation of the approving official’s authorization (e.g.,
organizational standard form) dated prior to the transaction date. Attributes
which the auditor should consider reviewing when evaluating the
effectiveness of this control include the following: (1) the date of the
purchase transaction, compared to the date of the cardholder’s purchasing
authority, compared to the date of the approving official’s authorization, (2)
the amount of the transaction, compared to the amount of the cardholder’s
single transaction authority, (3) the total amount of the cardholder’s billing
statement, compared to the cardholder’s and approving official’s authorized
credit limits, (4) the cardholder account single-transaction and credit limit
carried in the bank’s system, compared to that authorized in the
cardholder’s purchasing authority, and (5) that the approving official’s
assignment of responsibility includes the specific cardholder account.
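
The five attributes listed above can be applied to each sampled transaction as a repeatable check. The Python below is an added example, not part of the GAO guide; the record layouts, account names, dates, and amounts are constructed for illustration, with the limits borrowed from the contracting officer example in the text.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authority:
    """Documented purchasing authority for one account. Following the guide,
    each authority level held by a person is treated as a separate cardholder."""
    dated: date
    single_limit: float
    credit_limit: float


@dataclass(frozen=True)
class Official:
    """Documented approving official authorization."""
    dated: date
    credit_limit: float
    accounts: frozenset  # cardholder accounts assigned for review


@dataclass(frozen=True)
class Transaction:
    account: str
    when: date
    amount: float
    statement_total: float  # total of the billing statement it appears on


def authority_exceptions(txn, authorities, bank_limits, official):
    """Return sorted (attribute number, finding) pairs for one transaction."""
    found = []
    auth = authorities.get(txn.account)
    if auth is None:
        found.append((1, "no cardholder purchasing authority on file"))
    else:
        if auth.dated >= txn.when:  # authority must be dated prior to the purchase
            found.append((1, "cardholder authority not dated prior to transaction"))
        if txn.amount > auth.single_limit:
            found.append((2, "amount exceeds single-transaction authority"))
        if txn.statement_total > auth.credit_limit:
            found.append((3, "statement total exceeds cardholder credit limit"))
        if bank_limits.get(txn.account) != (auth.single_limit, auth.credit_limit):
            found.append((4, "bank system limits differ from authorized limits"))
    if official is None:
        found.append((1, "no approving official authorization on file"))
    else:
        if official.dated >= txn.when:
            found.append((1, "approving official authorization not dated prior to transaction"))
        if txn.statement_total > official.credit_limit:
            found.append((3, "statement total exceeds approving official credit limit"))
        if txn.account not in official.accounts:
            found.append((5, "account not in approving official's assignment"))
    return sorted(found)


# Constructed sample records (hypothetical accounts, dates and amounts).
AUTHORITIES = {
    "GOODS-01": Authority(date(2002, 1, 15), 2_500, 40_000),
    "CONTRACT-01": Authority(date(2002, 1, 15), 100_000, 500_000),
    "GOODS-02": Authority(date(2002, 7, 1), 2_500, 10_000),
}
BANK_LIMITS = {  # (single-transaction limit, credit limit) in the bank's system
    "GOODS-01": (2_500, 40_000),
    "CONTRACT-01": (100_000, 500_000),
    "GOODS-02": (5_000, 10_000),
}
OFFICIAL = Official(date(2002, 1, 20), 540_000,
                    frozenset({"GOODS-01", "CONTRACT-01"}))
SAMPLE = [
    Transaction("GOODS-01", date(2002, 6, 10), 1_900, 12_000),
    Transaction("CONTRACT-01", date(2002, 6, 11), 60_000, 140_000),
    Transaction("GOODS-02", date(2002, 6, 20), 3_200, 11_500),
    Transaction("GOODS-03", date(2002, 6, 21), 450, 450),
]


def review(sample=SAMPLE):
    """Map each sampled account to the attribute numbers that failed."""
    return {
        t.account: [n for n, _ in
                    authority_exceptions(t, AUTHORITIES, BANK_LIMITS, OFFICIAL)]
        for t in sample
    }


if __name__ == "__main__":
    for t in SAMPLE:
        for number, finding in authority_exceptions(t, AUTHORITIES, BANK_LIMITS, OFFICIAL):
            print(f"{t.account} {t.when} attribute {number}: {finding}")
```

The $60,000 payment on CONTRACT-01 passes only because that authority level is evaluated on its own; measured against the same person's $2,500 goods-and-services limit it would be reported as an exception.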




       Section 3: Making, Documenting, and Using the
       Preliminary Assessment




                            The preliminary assessment is a critical analysis of whether, in the
                            professional judgment of the auditor, the existing internal control policies,
                            procedures, and activities as designed, if in place and operating, will provide
                            management with reasonable assurance that significant fraudulent,
                            improper, and abusive purchases will be prevented or promptly detected. A
                            preliminary assessment of the organization’s plan of internal control will
                            assist the auditor in (1) identifying significant weaknesses in designed
                            control activities, (2) planning and designing control tests, and (3)
                            identifying data-mining criteria.

                            The auditor, considering the overall control environment, should make a
                            critical comparison of the risk/opportunities for fraudulent, improper, and
                            abusive purchases and the internal control policies, procedures, and
                            activities designed to guard against them. The knowledge gained in the
                            Understanding Operations and Programs section of this guide will provide
                            information useful to the preliminary assessment of internal control. In
                            some circumstances, this information may need to be supplemented with
                            additional inquiries, observations, and/or nonsampling tests of controls.
                            When reaching conclusions in the preliminary assessment, the auditor
                            should also consider the bank service provider’s systems and controls, the
                            audit objectives, prior audit findings and recommendations, and
                            management's responses and corrective actions taken.


ASSESSING THE ADEQUACY OF THE DESIGN OF CONTROL ACTIVITIES

                            Our audits of purchase card programs have identified (1) the determination
                            of a legitimate government need, (2) screening for required sources of
                            supply, (3) independent receipt and acceptance, (4) establishing
                            accountability over certain property, (5) cardholder reconciliation, and
                            (6) approving official review as key transaction-level control activities in
                            mitigating the risk of fraudulent, improper, and abusive purchases. These
                            key control activities should be included in the auditor’s preliminary
                            assessment of the adequacy of the design of control activities. It will also be
                            helpful to the auditor’s critical comparison process to prepare a list of the
                            identified risk/opportunities for potentially fraudulent, improper, and
                            abusive purchases to occur, and a list of the existing relevant control
                            activities. An individual control activity will probably address multiple risks
                            of potentially fraudulent, improper, and abusive purchases, and an
                            individual risk may be addressed by more than one control activity.
                            Therefore, a simple one-to-one comparison will probably not be effective.

For example, the control activity of independent receipt and acceptance can
be instrumental in mitigating the risk of paying for services not performed,
as well as mitigating the risk of purchased accountable property not being
recorded in the organization’s property record system. One way to proceed
is to prepare a simple schedule, as illustrated in figure 3, which lists the
identified risk/opportunities for potentially fraudulent, improper, and
abusive purchases down the left hand side, and provides space for
identifying (1) the related control activities, (2) the auditor’s preliminary
assessment conclusions, (3) the effects on the design of audit control tests,
and (4) potential criteria for audit data mining.

Figure 4: Illustration of the process of assessing and concluding on the
adequacy of designed control activities

Identified                 Control activities   Auditor’s            Effect on design     Identified
risk/opportunity for       (in order of         conclusion on        of audit control     potential
potentially fraudulent,    significance to      adequacy of design   tests                criteria for
improper, and abusive      risk)                of control                                data mining
purchase                                        activities

Unintentional purchase     • Training           Adequate             Test for current     None
of goods or services       • Approving                               training & AO
prohibited by law or         official review                         review.
organizational policy.

Purchased service not      • Cardholder         Adequate             Test attributes of   None
received by the              reconciliation                          receipt control
government.                • Independent                             and AO review.
                             receipt and
                             acceptance
                           • Approving
                             official review

Purchased item of          • Independent        Inadequate – No      Consider             Include
accountable property         receipt and        designed control     stratifying sample   accountable
not in possession of the     acceptance         provides             to key on            property
government.                • Cardholder         reasonable           accountable          purchases in
                             reconciliation     assurance of         property, and test   potential
                           • Approving          recording in         all sample           criteria for
                             official review    accountable          transactions         data mining.
                                                property records.    acquiring
                                                However,             accountable
                                                interviews and       property to
                                                walkthroughs         determine the
                                                disclose that some   extent of physical
                                                units are making     control and
                                                efforts to control   accountability
                                                this risk.           being achieved.


The above (figure 4) is provided as an illustration only of the process of
making, documenting, and using the preliminary assessment of the design of
internal control activities. The illustrated risks, controls, conclusions,
effects, and identifications are highly dependent upon the facts and
circumstances of specific organization operations and purchase card
programs. Auditors will need to exercise professional judgment when
making these determinations.




USING THE PRELIMINARY   Auditors should find the observations and
ASSESSMENT              conclusions made in the preliminary
                        assessment useful in determining the nature
                        and extent of further audit work on an
                        organization’s purchase card program. These
                        observations and conclusions can be useful
                        in determining a strategy for internal control
                        testing, including designing sample
                        selections. For example, a preliminary
                        assessment conclusion might be that the design of an internal control policy
                        and one or more related control activities is strong and can provide
                        management with reasonable assurance of preventing or promptly detecting
                        fraudulent, improper, and abusive purchases. If the policy and control
                        activities are considered to be strong, tests designed to determine the extent
                        to which the control activities are being performed would likely be an
                        efficient and cost-effective audit procedure. However, if the auditor
                        considers the policy and/or the control activity to be ineffective or
                        nonexistent, tests for performance of control activities would generally not
                        be appropriate or cost effective. Whether to design and conduct tests of
                        performance for controls considered to be weak will require professional
                        judgment and consideration of the facts and circumstances of individual
                        cases.

                        The results of the preliminary assessment can also be useful to the auditor’s
                        consideration of other procedures (such as data mining discussed in a later
                        section of this report) designed to detect fraudulent, improper, and abusive
                        transactions resulting from identified weaknesses in the design of controls.
                        For example, if the preliminary assessment is that the design of internal
                        control does not provide reasonable assurance of compliance with
                        requirements to purchase from statutory sources of supply, then purchase
                        card transactions with other vendors who sell similar goods and services
                        may provide examples of the result of that control weakness.




Section 4: Testing the Effectiveness of Key Control
Activities




                A well designed system of internal control for a purchase card program is
                needed to provide reasonable assurance that the program is operating as
                intended and is not vulnerable to significant fraudulent, improper, and
                abusive purchases. However, a system of internal control, no matter how
                well designed, cannot be relied on if control activities are not in place and
                operating effectively on an ongoing basis. Control activities identified
                during the preliminary assessment process as likely to be effective at
                preventing or detecting fraudulent, improper, and abusive purchases should
                be tested to determine if they are being adequately adhered to. This section
                discusses (1) obtaining and verifying the completeness of the purchase card
                transactions database, (2) designing a statistical sample of purchase card
                transactions, (3) obtaining the documentary evidence of performance of
                control activities, and (4) the design and conduct of tests to determine if key
                control activities are in place and operating as intended.

                In our audits of purchase card programs, we used two basic types of control
                testing—statistical sampling [17] (selections representative of and projectable,
                with quantifiable accuracy, to a population) and nonrepresentative
                selections (selections not representative of or projectable to a
                population)—to evaluate the effectiveness of internal control activities.

                This guide considers controls designed to prevent or detect fraudulent,
                improper, and abusive transactions in a purchase card program to operate
                on two basic levels: (1) control activities that operate at the transaction level
                (e.g., independent receipt and acceptance, cardholder reconciliation), and
                (2) controls that operate at some other level (e.g., training, span of control).
                Elements of the control environment discussed in the Internal Control and
                the Control Environment section of this guide are not considered
                transaction-level control activities. However, testing and evaluating certain
                of these elements (i.e., training, discipline, and purchasing and reviewing
                authority) can be efficiently accomplished in conjunction with the testing of
                transaction-level control activities.




                [17] Sampling selections representative of a population can be either statistical or
                nonstatistical; in nonstatistical sampling, statistical concepts are considered, but not
                explicitly used to determine sample size, select sample items, or evaluate the results.
                However, projections of nonstatistical sample results are not quantifiably accurate, and
                GAO discourages their use in government audits.

OBTAINING TRANSACTION DATA   Tests of control activities which operate at
                             the transaction level are applied to selected
                             purchase card transactions, generally
                             contained in an electronic file database. The
                             auditor will need to identify and obtain the
                             appropriate database of purchase card
                             transactions, select the transactions to test,
                             and extract the appropriate transaction
                             information from the database. In order to
                             obtain the appropriate population of
                             purchase card transactions, the auditor will
                             need to establish and define the scope of the audit. The scope of the audit
                             can be defined in terms of control activities in place and operating for a time
                             period, a unit, or an activity, or a combination of those terms (e.g., all
                             purchase card transactions executed by the organization during the fiscal
                             year ended September 30, 2003). Also, if the data are stored in an electronic
                             database(s), the auditor will need to determine that the transaction data
                             elements necessary to achieve the audit objectives are included in the
                             database obtained.

                             The purchase card transactions selected for testing should be selected from
                             a population which includes all relevant transactions in the scope of the
                             audit. In order to assure the relevance and completeness of the population
                             transaction database, the auditor should obtain value and quantity control
                             totals from a source independent of the database provider, and agree them
                             to the data obtained. For example, a transaction database supplied by the
                             bank service provider could be agreed or reconciled to the organization’s
                             records of purchase card activities, or the bank service provider may supply
                             control totals to verify a transaction database provided directly by the
                             organization.

Coordinating with the Bank   Establishing a contact and coordinating the audit effort with the bank
Service Provider             service provider presents the auditor with an opportunity to gain a current
                             understanding of the bank’s program operations, processes, and controls, as
                             more fully discussed in the Understanding the Bank Service Provider’s
                             Program section of this guide. Coordination with the bank can also provide
                             the needed transaction databases and/or the ability to verify organization
                             transaction databases by comparison to independent control totals. Fraud
                             investigators involved in the purchase card audit may also be afforded an
                             opportunity to evaluate the bank’s fraud investigation and detection
                             methodologies, and benefit from other information provided by the bank’s
                             credit card fraud investigators.




SELECTING PURCHASE CARD   One of the first decisions the auditor will
TRANSACTIONS              need to make is whether to use statistical
                          sampling to select transactions for testing. In
                          most audit circumstances, statistical
                          sampling is the recommended approach for
                          making estimates about and drawing
                          conclusions from a population of
                          transactions, and for estimating the
                          percentage of transactions in the population
                          for which control activities were or were not
                          in place and operating as intended.
                          Statistical sampling is appropriate:

                          •   if there is a desire to estimate whether control activities for a population
                              of transactions are in place and operating as intended, and to quantify
                              the accuracy of this assessment based on statistical theory;

                          •   if there is a desire to estimate whether some control activities for a
                              population of transactions are operating as intended to a greater or
                              lesser degree than other activities, and to quantify the accuracy of this
                              assessment based on statistical theory; and

                          •   if it is desirable to estimate, and to quantify the accuracy of the
                              assessment based on statistical theory, the dollar value for a population
                              of purchase card transactions subject to detected control weaknesses
                              and/or failures.

                          In these cases, a statistical sample should be designed so that statistical
                          theory can be used to estimate failure rates and/or the dollar value of
                          transactions subject to ineffective controls in the population and to quantify
                          the accuracy of those estimates.

                          In other audits of purchase card programs, making statistical estimates of
                          the failure rate in the population of transactions may not be important. For
                          example, if there are no control activities, or if the design of controls is
                          clearly inadequate, there would be little point in testing control activities
                          and estimating the associated failure rates. As another example, certain
                          control activities may only apply to a very small portion of transactions. In
                          these cases, an assessment might be made of the effectiveness of control
                          activities through means such as observation, inquiry, and/or inspection of a
                          nonrepresentative selection of transactions. However, it should be
                          understood at the outset that when experience and understanding of the
                          subject matter are used to assess the effectiveness of control activities
                          based solely on observation, inquiry, and/or inspection of a
                          nonrepresentative selection of transactions, the results cannot be reliably or
                          statistically projected to all transactions of that type.




Considerations in Designing a   The auditor, in conjunction with a statistician, will need to consider a
Statistical Sample              number of issues in order to design statistical samples for government
                                purchase card programs. These issues include, but are not limited to, the
                                following.

                                •   The organization of the population of purchase card transactions -
                                    Typically, these records are organized in one or more electronic files. In
                                    this case, various sampling options are available. Two of these options
                                    are (1) simple random sampling of transactions, and (2) partitioning
                                    transactions into non-overlapping groups (strata), followed by selecting
                                    simple random samples of transactions in each stratum.

                                •   The organization of the documentation evidencing performance of
                                    control activities - These documents may be stored in one or more
                                    geographic locations, which may or may not limit or impair accessibility
                                    by the auditor. In either case, a sample design should account for the
                                    geographic dispersion. The following are examples of available options.

                                          Geographic strata – If personnel are available to collect data from
                                          each location, then a sample design might have locations as strata,
                                          with appropriate sampling methods within each stratum. A stratified
                                          design would protect against the possibility of an "unlucky" sample,
                                          i.e., having no or few transactions from one or more locations in a
                                          random sample selected from the population of all transactions. It
                                          may also provide more precise estimates than a random sample of
                                          the same size selected from the population of all transactions.

                                          Geographic location sample – If it is not possible to collect data
                                          from each geographic location, then a two stage statistical sample
                                          can be made of (stage one) geographic locations, with appropriate
                                          sampling methods used (stage two) within each selected location. If
                                          the geographic locations are chosen using statistical sampling, the
                                          auditor will be able to make estimates about all purchase card
                                          transactions in the population.

                                          Case study approach - The auditor may find, however, that the
                                          documents that will be examined to determine whether control
                                          activities are being performed are so geographically dispersed that it
                                          is not cost effective to collect data from statistically sampled
                                          locations. In this case, the auditor may wish to consider a case study
                                          approach. In a case study approach, locations are selected for
                                          specific reasons instead of being chosen using statistical sampling.
                                          Statistical samples of transactions are then selected for each of the
                                          selected locations. The auditor should note, however, that data
                                          collected from a case study approach can only be used to assess
                                          adherence to controls at the specified locations. Sample data from a
                                          case study approach cannot be used to make assessments about
                                          adherence to controls for the entire population of purchase card
                                          transactions.




                    •   Information about the approximate level of nonadherence to controls –
                        Such information may be obtainable from (1) similar studies performed
                        in the recent past, (2) estimates by subject matter experts, or (3)
                        information obtained by the auditor during the preliminary assessment
                        relating to nonadherence rates. These “guesstimates” are very useful to
                        the statistician in estimating what sample size might be needed to
                        achieve specified precision levels on estimated nonadherence rates.

                    •   The relationship between the approximate nonadherence rate, and the
                        acceptable nonadherence/adherence rates -- At what rate of failure
                        would the auditor consider a control to be ineffective? Effective? If the
                        expected level of nonadherence (or adherence) is close to the minimum
                        rate that is considered unacceptable (or acceptable), a larger sample
                        may be required to assert nonadherence (or adherence) to controls.

                    •   Inherent strengths/weaknesses - Certain types of transactions may be
                        expected to have different rates of nonadherence to controls than other
                        types (e.g., transactions for large dollar amounts processed at a higher
                        level by personnel who likely have taken contractor officer training). If
                        so, the population of transactions can be partitioned into strata so
                        the expected rate of nonadherence differs from one stratum to the next.
                        Separate samples of transactions can then be taken in each stratum. A
                        stratified design that takes advantage of expected differences in
                        nonadherence rates across strata can provide more precise estimates
                        than a random sample of the same size selected from the population of
                        all transactions.

                    •   Time and resources – The total amount of time available, the time it will
                        take to evaluate the effectiveness of controls for each purchase card
                        transaction, and the number of audit staff available are practical
                        considerations that will have a direct influence on the design and size of
                        a sample.

The Sampling Plan   The auditor and the statistician should develop a written sampling plan for
                    inclusion in the audit work papers. The sampling plan should include, but is
                    not limited to:

                    •   the reasons that a sample was developed,
                    •   the type of sample (e.g., statistical or nonstatistical) and sampling
                        method (e.g., random) being used,
                    •   a description of the population (e.g., nature, data elements, source,
                        control totals),
                    •   the sample design (e.g., confidence level, strata criteria, number of items
                        and/or dollars in population and strata, sample size by strata and
                        population) selected along with a discussion of the factors considered
                        and conclusion reached,
                    •   guidelines about the types of evidence and attributes the auditor(s) will
                        accept as clear evidence of performance of control activities,
                    •   information about the anticipated precision of the sample estimates,
                    •   a definition of what nonadherence to controls means,
                    •   expectations (if any) about the rate of nonadherence to controls, and
                    •   examples of the types of conclusions the auditor expects to be able to
                        make after the sample data are analyzed (and projected to the
                        population).
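
The completeness check described under Obtaining Transaction Data and the stratified selection described above can be scripted as follows. This is an added Python example, not part of the GAO guide; the field names, location labels, sample sizes and seed are assumptions, and the population is constructed.

```python
"""Added example: agree a transaction file to control totals, then sample by stratum."""
import random
from collections import defaultdict
from decimal import Decimal


def reconcile_control_totals(transactions, control_count, control_amount):
    """Agree quantity and value totals from an independent source to the file."""
    ids = [t["id"] for t in transactions]
    amount = sum((t["amount"] for t in transactions), Decimal("0"))
    result = {
        "count_difference": len(ids) - control_count,
        "amount_difference": amount - control_amount,
        "duplicate_ids": len(ids) - len(set(ids)),
    }
    # The file agrees only if every difference above is zero.
    result["agrees"] = not any(result.values())
    return result


def select_stratified_sample(transactions, stratum_key, sample_sizes, seed):
    """Draw a simple random sample without replacement inside each stratum."""
    strata = defaultdict(list)
    for t in transactions:
        strata[t[stratum_key]].append(t)
    missing = set(strata) - set(sample_sizes)
    if missing:
        raise ValueError(f"no sample size planned for strata: {sorted(missing)}")
    rng = random.Random(seed)  # record the seed in the written sampling plan
    selected = {}
    for name in sorted(strata):
        # Sort by id so the draw does not depend on the order of the file.
        members = sorted(strata[name], key=lambda t: t["id"])
        n = min(sample_sizes[name], len(members))  # small stratum: test every item
        selected[name] = rng.sample(members, n)
    population_counts = {name: len(members) for name, members in strata.items()}
    return selected, population_counts


def build_constructed_population():
    """Constructed data: 628 transactions across three hypothetical locations."""
    counts = {"LOCATION-A": 500, "LOCATION-B": 120, "LOCATION-C": 8}
    rows, next_id = [], 1
    for location, count in counts.items():
        for i in range(count):
            amount = Decimal(25 + (i * 37) % 900) + Decimal("0.50")
            rows.append({"id": next_id, "location": location, "amount": amount})
            next_id += 1
    return rows


if __name__ == "__main__":
    population = build_constructed_population()
    # Constructed stand-ins for totals supplied by a source independent of the file.
    control_count = len(population)
    control_amount = sum((t["amount"] for t in population), Decimal("0"))

    # A file missing its last three records fails the completeness check.
    print(reconcile_control_totals(population[:-3], control_count, control_amount))
    print(reconcile_control_totals(population, control_count, control_amount))

    sizes = {"LOCATION-A": 30, "LOCATION-B": 20, "LOCATION-C": 10}
    sample, counts = select_stratified_sample(population, "location", sizes, seed=20030930)
    for name, items in sample.items():
        print(name, "population", counts[name], "sampled", len(items))
```

The population counts returned for each stratum are the figures the statistician needs later to weight the sample results.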



Extracting Selected Transaction   Data elements of transactions selected for control activity testing (as well as
Data Elements                     those identified by data mining) will need to be extracted—identified,
                                  selected, copied, and accumulated in a separate electronic file for further
                                  auditor analysis—from the population transactions database. At a
                                  minimum, those data elements should include the identification and other
                                  data elements necessary to facilitate control activity testing. The following
                                  are examples of data elements which might be included in such extracts.
                                  Transaction     Cardholder          Vendor               Approving Official
                                  Amount          Name                Name                 Name
                                  Sale date       Account number      Merchant category    Work location
                                  Post date       Account address       code (MCC)         Work telephone
                                                  Work location       Address
                                                  Work telephone      Business telephone



Reporting Sample Results          The auditor should prepare a workpaper/file detailing the pass/fail results of
                                  tests of control activities (e.g., the number and dollar value of transactions
                                  failing a control activity) performed on each sample item, in accordance
                                  with the sample design (e.g., sampled strata). These results can then be
                                  provided to the statistician, who should project the sample results to the
                                  population, and provide the auditor with a report recapping the population,
                                  the sampling plan used, the control tests performed by the auditor, the
                                  statistical estimates (e.g., attribute failure rates, dollar values), and the
                                  associated confidence intervals. The auditor should then prepare a
                                  summary memo that incorporates the sample test results and the
                                  statistician’s report and recaps the rules used to assess the effectiveness of
                                  controls and the audit conclusions drawn from the projected sample results.

Analysis of Results from          The primary questions that can be answered from analyzing the results of a
Statistical Samples               statistical sample of attribute tests for control activity performance are:
                                  1. What is the estimated failure rate and the accuracy of that estimate?
                                  2. Does the failure rate of performance of the control activity result in
                                      assessing the control as effective, ineffective, or partially effective?

                                  To answer the first question, the failure rate from the statistical sample
                                  should be estimated taking the design of the sample into account. Since the
                                  statistical sample is only one of a large number of samples that could be
                                  drawn, a two-sided interval should be generated that will contain the actual
                                  (unknown) population failure rate for a specified percent of samples that
                                  could be drawn. This interval is called a “confidence interval,” and the
                                  specified percent is called the “confidence level.” [18]




                                  [18] For nonfinancial audits, GAO commonly uses a confidence level of 95 percent. “The 95
                                  percent confidence level appears to be used more frequently in practice than any other
                                  level…90 percent and 99 percent confidence levels seem to be next in popularity.” Hahn and
                                  Meeker, Statistical Intervals, A Guide For Practitioners, 1st Edition (New York, N.Y.: John
                                  Wiley and Sons, Inc., 1991), p. 38.

To answer the second question, the statistical sample results should be
compared to a pre-set standard (e.g., control activities with adherence
failure rates greater than 10 percent will be considered ineffective) and/or
professional judgment.




                               For each audit of a government purchase card program, the auditor should
                               choose the failure rates that classify (or make the professional judgments
                               that conclude) that the performance of control activities is effective,
                               ineffective, or partially effective. Partially effective controls are those for
                               which the evidence does not support a conclusion that the control is either
                               effective or ineffective.
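
A worked projection for the two questions above, added here as an example and not taken from the GAO guide: it estimates the failure rate from a stratified sample with a normal-approximation 95 percent confidence interval and compares that interval to the 10 percent standard mentioned in the text. The strata, the counts and the interval-based classification rule are assumptions; the statistician on an engagement chooses the actual estimator.

```python
"""Added example: project stratified attribute-test results to the population."""
import math
from dataclasses import dataclass

Z_95 = 1.959964  # standard normal quantile for a two-sided 95 percent interval


@dataclass(frozen=True)
class StratumResult:
    name: str
    population: int  # N_h: transactions in the stratum, from the sampling plan
    sampled: int     # n_h: transactions tested
    failures: int    # tested transactions that failed the control activity test


def project_failure_rate(strata, z=Z_95):
    """Return (estimate, lower, upper) for the population failure rate.

    Each stratum is weighted by its share of the population, and the variance
    carries a finite population correction. When no stratum (or every stratum)
    shows failures the normal approximation collapses to a zero-width interval;
    an exact method is the usual choice in that case.
    """
    total = sum(s.population for s in strata)
    estimate = 0.0
    variance = 0.0
    for s in strata:
        if not 2 <= s.sampled <= s.population:
            raise ValueError(f"{s.name}: need 2 <= sampled <= population")
        if not 0 <= s.failures <= s.sampled:
            raise ValueError(f"{s.name}: failures must be between 0 and sampled")
        weight = s.population / total
        p = s.failures / s.sampled
        fpc = 1 - s.sampled / s.population
        estimate += weight * p
        variance += weight ** 2 * fpc * p * (1 - p) / (s.sampled - 1)
    half_width = z * math.sqrt(variance)
    return estimate, max(0.0, estimate - half_width), min(1.0, estimate + half_width)


def classify_control(lower, upper, threshold=0.10):
    """Assumed rule: decide only when the whole interval is on one side."""
    if lower > threshold:
        return "ineffective"
    if upper <= threshold:
        return "effective"
    # The interval straddles the standard, so the evidence supports neither call.
    return "partially effective"


# Constructed pass/fail results for three hypothetical dollar-value strata.
CONSTRUCTED_RESULTS = [
    StratumResult("low dollar", population=8000, sampled=60, failures=9),
    StratumResult("mid dollar", population=1500, sampled=40, failures=4),
    StratumResult("high dollar", population=500, sampled=30, failures=1),
]

if __name__ == "__main__":
    est, lo, hi = project_failure_rate(CONSTRUCTED_RESULTS)
    print(f"estimated failure rate {est:.1%} (95% CI {lo:.1%} to {hi:.1%})")
    print("control assessed as:", classify_control(lo, hi))
```

With the constructed results the interval straddles 10 percent, which is the situation the text calls partially effective: a larger sample would be needed to conclude either way.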


OBTAINING DOCUMENTATION        Documentation provides the auditor an
EVIDENCING PERFORMANCE OF      opportunity to inspect evidence of ongoing
CONTROL ACTIVITIES             adherence to internal control policies and
                               performance of control activities. The data
                               evidencing performance of transaction-
                               related control activities will most likely, but
                               not necessarily, reside within the
                               organization. Examples of documentation
                               that might evidence performance of specific
                               control activities are included in the Testing
                               Control Activities section of this guide. The
                               lack of such documentation, although a strong indicator of a lack of
                               adherence and performance, does not necessarily preclude adherence or
                               performance. However, any lack of adequate documentation should initially
                               be considered as a failure of the relevant control activity test. Missing
                               documentation should elevate the level of the auditor’s professional
                               skepticism when conducting any additional audit procedures considered
                               appropriate (e.g., additional inquiry, consideration of other supporting
                               documentation, direct interviews with cardholders and/or approving
                               officials). Transactions and cardholders with significant or persistent lack
                               of documentation should be considered for follow-up in accordance with the
                               Follow-up and Investigation section of this guide.

                               Original documents should be reviewed whenever possible. The extent that
                               copies of original documents are retained for audit work papers will depend
                               on the circumstances and professional judgment. However, the work papers
                               should include copies of documents supporting findings of a significant lack
                               of adherence to policies, performance of control activities, and any
                               potentially fraudulent, improper, and abusive purchases. As discussed later
                               in the Follow-up and Investigation section of this guide, copies of documents
                               will also be necessary to the follow-up process.

Obtaining Documentation from   The auditor will need to provide the organization sufficient information to
the Organization               identify the specific transactions selected for testing (e.g., cardholder name
                               and number, transaction sale or post date, and amount). The auditor should,
                               in planning, allow sufficient time for this step since documentation may be
                               in geographically diverse locations and the organization may need to send
                               out requests for the needed information. The auditor should consider the
                               knowledge gained about the control environment and other factors, and
                               exercise professional judgment when making decisions about (1) supplying
                               selected transaction information to the organization, (2) when and how to
                               receive documentation, and (3) the amount of time to allow the organization
                               to produce documentation. The auditor and the organization should agree,
                               and/or the auditor should communicate the rules of the engagement, in
                               advance, establishing time limits for providing requested documentation,
                               after which audit conclusions will be based on the documentation provided.

Evidence of Performance          The auditor should design tests that clearly and specifically identify
                                 acceptable attributes that evidence actual performance of control activities.
                                 Guidelines should be developed about what constitutes “clear evidence of
                                 performance” before testing begins. Such evidence may include appropriate
                                 sequencing of dates, cardholder and/or approving official tick marks or
                                 other indications on individual transactions, corroborating representations
                                 of performance by management personnel, and so forth. Developing these
                                 guidelines in advance and including them in the sampling plan will enhance
                                 the ability of audit staff to make consistent assessments across sampled
                                 transactions. If there will be a cadre of audit staff assessing whether there is
                                 clear evidence of performance, they should be trained before data collection
                                 begins to enhance their collective ability to make consistent assessments.
                                 Also, appropriate supervisory review and validation of the assessments
                                 made by the audit staff will be needed. An independent supervisory
                                 assessment of selected sample items is one way to accomplish that review.


TESTING CONTROL ACTIVITIES       Tests for performance of control activities
                                 should be performed utilizing the data
                                 gathered. For purposes of this guide, many
                                 control activities are considered transaction
                                 specific (e.g., independent receipt and
                                 acceptance, approving official review) and
                                 the related tests should be accomplished at
                                 the transaction level. Also, as discussed in
                                 the Internal Control and the Control
                                 Environment section of this guide, some of
                                 the key elements of the control environment
                                 (e.g., training, discipline, purchasing and approving authority) lend
                                 themselves to efficient testing in conjunction with the testing of transaction-
                                 level control activities. The auditor should consider coordinating tests of
                                 those elements of the control environment with the tests of the following
                                 transaction control activities.

Transaction Control Activities   This guide discusses the following six control activities directly related to
                                 purchase card transactions and their supporting documentation and
                                 performance attributes for consideration by the auditor:

                                    determining a legitimate government need,
                                    screening for required vendors,
                                    independent receipt and acceptance,
                                    establishing accountability over property,
                                    cardholder reconciliation, and
                                    approving official review.

                                 The specific tests of control activities accomplished, the specific documents
                                 reviewed, and the attributes considered may vary as audit objectives vary.
                                 When conducting the transaction control tests discussed below, auditors
                                 should also evaluate purchases for compliance with relevant laws and
                                 regulations (e.g., exemption from sales tax). The auditor should consider
                                 consulting with legal counsel for assistance in evaluating questions of the
                                 existence of a legitimate government need. The auditor should also
                                 consider conducting follow-up, as discussed later in this guide, in instances
                              of a questionable legitimate government need, or prohibited or otherwise
                              inappropriate government purchases.

                                                                 Determination of a legitimate government
                                                                 need provides reasonable assurance to the
                                                                 organization that its resources are not
                                                                 being wasted. A legitimate need for the
                                                                 goods or service being acquired should be
                                                                 determined before a purchase is made. In
                                                                 a government purchase card program, the
                                                                 initial responsibility for making this
                              determination may be assigned by the organization’s policies and
                              procedures to the cardholder. Prepurchase requests or other authorization
Prepurchase approvals         prepared by a supervisor, or prepared by operations personnel and signed
were found in up to 98        by a supervisor, can provide the cardholder with documentation of a
percent of purchase card      legitimate government need. Organization policies may leave verification
transactions tested in a      and documentation that purchases are for a legitimate government need to
recent GAO audit.             the discretion of the cardholder—a practice usually considered a weakness
                              in the design of control. The organization’s policies and procedures may
                              identify specific items or types of purchases requiring special approval.
                              However, prepurchase authorizations are not required by all government
                              organizations, and some organizations may provide blanket authorization for
                              routine purchases. When there is no documentation of a legitimate
                              government need for other than routine items, the auditor should view
                              purchases with an elevated level of professional skepticism. Further, the
                              organization’s policies and procedures may restrict or prohibit the purchase
                              of certain items or types of goods and services. Auditors should be aware of
                              these requirements, restrictions, and prohibitions, and the requirement, or
                              lack thereof, for documentation establishing the government’s need.
                                  Documentation evidencing the determination of a legitimate government
                                  need should be obtained and reviewed. This could include (1) a
                                  prepurchase request or authorization, (2) written blanket authorization
Auditors questioned               for small routine purchases (e.g., office supplies), (3) written
whether a valid need had          justification by the cardholder or other program personnel of the
been identified, when “to         government need for the purchase, (4) other required documentation for
get enough goodies for            specifically controlled or restricted purchases (e.g., a purchase
everyone” 80 Palm Pilots          justification or business need analysis for computer equipment), and (5)
costing $30,000 were              the vendor invoice describing the goods or services purchased.
purchased and                     Attributes to consider evaluating include (1) the date of government
inventoried to be issued to       need determination, compared to date of the purchase, (2) whether the
personnel when                    purchased item is included on the organization’s prohibited or restricted
requested.                        list, and (3) the item purchased on the vendor invoice, compared to the
                                  item for which a need was determined. The auditor should consider the
                                  knowledge of the organization’s operations and the control environment
                                  gained in previous sections of the guide, and exercise professional
                                  judgment, with an appropriate level of professional skepticism, and
                                  evaluate the reasonableness of the legitimate government need
                                  determination.




                                                                 Screening for required vendors provides
                                                                 the organization with reasonable assurance
                                                                 of compliance with laws and regulations
                                                                 related to statutory sources of supply. One
                                                                 such regulation is the Federal Acquisition
                                                                 Regulation (FAR) Part 8, Required Sources
                                                                 of Supplies and Services. This regulation
                                                                 generally requires federal agencies to
                             purchase supplies, services, and printing, from designated sources (e.g.,
                             Federal Prison Industries, the National Institute for the Blind, the National
                             Institute for the Severely Handicapped, the Government Printing Office).
                             Auditors should be aware of these and other laws, regulations, contractual
                             agreements, and policies and procedures, which direct the organization to
                             acquire goods and services from sources such as GSA schedules and
Despite laws and             contracts, blanket purchase agreements, and single source suppliers.
regulations requiring        Auditors should also be aware of exceptions provided to these and other
priority be given to         requirements, generally having to do with practicality and availability.
certain required vendors,        Documentation evidencing screening for required vendors should be
a recent GAO audit found         obtained and reviewed including (1) a purchase log, required by policy
failure rates in this            by some organizations, (2) other documents evidencing appropriate
control ranging from 70          screening, and (3) a waiver or other documentation of the applicability
to 90 percent of                 of exceptions made to required sources of supply.
purchases tested.                Attributes to consider evaluating include (1) the date and cardholder
                                 signature or initial for screening, compared to the transaction date, and
                                 (2) the date and appropriate signature on waiver of purchase from
                                 required sources, compared to the transaction date. Professional
                                 skepticism should be exercised when evaluating the appropriateness of
                                 any exceptions to required sources of supply.

                                                                 Independent—someone other than the
                                                                 cardholder—receipt and acceptance of
                                                                 goods and services provides reasonable
                                                                 assurance that the organization actually
                                                                 received what it is paying for. The
                                                                 inclusion of independence in the receipt
                                                                 and acceptance activity significantly
                                                                 strengthens the control by adding
Two related                  segregation of duties to the activity. In purchase card programs, the
organizations could not      cardholder is usually responsible for verifying that independent receipt and
demonstrate independent      acceptance has occurred before completing the reconciliation activity
receipt and acceptance       discussed below.
for about $27.4 million in       Documentation evidencing independent receipt and acceptance (e.g., a
purchased goods and              signature or initial on the vendor invoice, receipt, or shipping document)
services.                        should be obtained and reviewed including (1) the vendor invoice, (2)
                                 the shipping, receiving, and/or warehouse receipt for goods or services
                                 provided, and (3) the relevant cardholder billing statement.
                                 Attributes to consider evaluating include (1) the date of signed receipt,
                                 compared to the purchase date and cardholder reconciliation date, (2)
                                 the signature or initial, evidencing receipt by someone other than the
                                 cardholder, (3) notations (e.g., tick marks) indicating verification of
                                 quantities for appropriate purchases, (4) the invoice amount, compared
                                 to cardholder billing statement amount, and (5) the invoice item
                                 description(s) and quantity, compared to receiving document
                                 description(s) and quantity.

                                                               Physical control and accountability over
                                                               pilferable and other vulnerable property
                                                               acquired by the purchase card, which is
                                                               initiated at the purchase card transaction
                                                               level, provides reasonable assurance to the
                                                               organization that pilferable property (i.e.,
                                                               an item that is portable and can be easily
                                                               converted to personal use) is appropriately
                            recorded and asset-safeguarding control is established at the time of
                            purchase and receipt. Organizational requirements for this activity may vary
                            with the volume, value, and sensitivity of pilferable property acquisitions.
Of 114 tested purchases     Control activities required of the cardholder should include initially
of accountable property     identifying the pilferable property requiring asset control, notifying
acquired with purchase      appropriate property management personnel within the organization of the
cards, 60 (53 percent)      acquisition, and supplying the information required to establish a record in
were not recorded in        the property control system. Audit procedures should include verification of
property records, and 35    the record in the property control system, and can be extended to physical
(31 percent) could not be   inspection and/or verification that the property is in the possession of the
located.                    government.
                                Documentation evidencing performance of this activity should be
                                obtained and reviewed, including (1) the vendor invoice, (2) evidence of
                                independent receipt and acceptance, discussed above, (3) the
                                cardholder’s billing statement, (4) the cardholder’s notification of
                                pilferable property, submitted to property control system personnel, (5)
                                the property control system record, and (6) item serial number(s),
                                obtained directly from the supplier or manufacturer if they are not
                                evident in the existing transaction document.
                                Attributes to consider evaluating include (1) the vendor invoice’s
                                quantity, description, and unique identifying number(s), such as a serial
                                number (considered a critical attribute for this control), compared to
                                those attributes in the property control system record, (2) the date of
                                purchase (sale date on the cardholder’s statement), compared to the
                                date of signed receipt, the date of cardholder notification to appropriate
                                property personnel, and the date of property record entry, and (3) the
                                property control system’s description, assigned property number (e.g.,
                                bar code number), property item unique identifying number (e.g., serial
                                number), and location, compared to those same attributes from a
                                physical inspection and/or independent verification that the accountable
                                property is in the possession of the government.

                                                               Cardholder reconciliation provides the
                                                               organization with reasonable assurance
                                                               that all transactions appearing on the
                                                               cardholder’s billing statement are
                                                               appropriate charges for goods and services
                                                               purchased for and received by the
                                                               organization. Much the same as
                                                               individuals reviewing their personal credit
                            card statements to assure themselves that the purchases and amounts
                            included were actually made by them, government purchase cardholders
                            should perform no less than that level of review. Cardholder reconciliation
                            is the process of the cardholder gathering, reviewing, and providing the
                            documentation to support that each purchase transaction appearing on the
                            cardholder’s billing statement is an appropriate, legitimate government

Tests of a statistical         purchase. The cardholder is responsible for identifying purchase card
sample of purchase card        transactions that are unauthorized or that otherwise should not be paid by
transactions at four           the government. The cardholder should promptly dispute unauthorized
related organizations          charges appearing in the cardholder’s billing statement with the bank
disclosed little evidence of   service provider. For those charges for which the cardholder is unable to verify
cardholder reconciliation      independent receipt and acceptance, the auditor should look for evidence of
of purchases back to           either a credit by the vendor or a formal dispute filed with the bank service
supporting                     provider.
documentation before
payment of the bill.
                               The cardholder reconciliation and/or the approving official review and
                               certification for payment may be accomplished either manually or
                               electronically. The electronic system may not require a signature or date,
                               and may leave little or no audit trail of the application of control activities to
                               billing statements and/or individual transactions. The auditor should obtain,
                               review, and use professional judgment and skepticism in considering the
                               value of electronic system-generated reports and/or screen prints as audit
                               evidence of actual performance, when evaluating adherence with control
                               activities. The attributes described in this section remain relevant to audit
                               considerations and evaluations regardless of whether the cardholder
                               reconciliation control activity is performed manually or electronically. If the
                               available documentation is insufficient to evidence the actual performance
                               of a control activity, the selected purchase card transaction should be
                               considered as failing that activity. In this circumstance, the auditor may
                               consider it necessary to extend audit procedures to the general and
                               application controls of the electronic data processing (EDP) system, which
                               is outside the scope of this guide.
                                    Documentation evidencing performance of cardholder reconciliation
                                    should be obtained and reviewed including: (1) the monthly purchase
                                    cardholder statement in a manual system, or other bank system-
                                    generated listing of billing-period transactions in an electronic system,
                                    (2) the vendor invoice, and (3) evidence of formal dispute (e.g.,
                                    organizational standard form) of unauthorized charges appearing on the
                                    cardholder’s billing statement.
                                    Attributes to consider evaluating include: (1) the cardholder’s
                                    reconciliation signature, (2) the date of reconciliation, compared to
                                    organizational requirements, the approving official review, and payment
                                    certification dates, (3) notations (e.g., tick marks, system notes)
                                    indicating that all transactions on the statement were individually
                                    reconciled, (4) the transaction date, amount, and vendor name on the
                                    vendor invoice, compared to those same attributes on the cardholder’s
                                    statement, and (5) the transaction date and amount, and vendor name on
                                    formal dispute documentation, compared to the same attributes on the
                                    cardholder’s statement. The auditor should consider following up on the
                                    appropriate resolution of disputed items.




                                                              Approving official review of the
                                                              cardholder’s reconciliation process
                                                              provides reasonable assurance to the
                                                              organization that the cardholder is timely
Tests of a statistical                                        and appropriately performing the
sample of purchase card                                       reconciliation and is complying with all
transactions at five                                          significant relevant controls to prevent or
related organizations                                         detect fraudulent, improper, and abusive
disclosed numerous         purchases. The review also provides a basis for the approving official to
instances of approving     accept responsibility that the purchases are appropriate, legitimate
officials certifying the   government purchases before the billing statement total is certified for
bill for payment without   payment. The approving official review, a critical control activity in a
review of cardholder       government purchase card program, should include a review of the
reconciliation or          cardholder reconciliation for timeliness and completeness and for the
supporting                 appropriateness of the supporting documentation for individual
documentation.             transactions. In evaluating the effectiveness of this control activity, the
                           auditor should consider (1) the extent of the approving official’s review of
                           the supporting documentation for a cardholder’s individual transactions, and
                           (2) the extent of documentation (e.g., tick marks, system notes) of that
                           review. To gain a better understanding of the extent of the approving
                           official’s review of cardholder reconciliations, the auditor may consider
                           interviewing the approving official, in addition to reviewing documentation
                           evidencing the review process.

                           As discussed in the section on cardholder reconciliation, the approving
                           official review and the certification for payment may be accomplished either
                           manually or electronically. The auditor should obtain, review, and use
                           professional judgment and skepticism in considering the value of electronic
                           system-generated reports and/or screen prints as audit evidence of actual
                           performance when evaluating adherence with control activities. The
                           attributes described in this section remain relevant to audit considerations
                           and evaluations regardless of whether the approving official review control
                           activity is performed manually or electronically. If the available
                           documentation is insufficient to evidence the actual performance of a
                           control activity, the selected purchase card transaction should be
                           considered as failing that activity. In this circumstance, the auditor may
                           consider it necessary to extend audit procedures to the general and
                           application controls of the EDP system, which is outside the scope of this
                           guide.
                               Documentation evidencing performance of this activity should be
                               obtained and reviewed including (1) the cardholder’s reconciliation
                               documentation as discussed above, (2) documentation of the approving
                               official’s review of the cardholder’s reconciliation, (3) the approving
                               official’s account billing statement, and (4) documentation of the
                               approving (or billing) official’s certification for payment of the balance
                               on his/her account billing statement.
                               Attributes to consider evaluating include (1) the approving official’s
                               review signature, (2) the date of the approving official’s review,
                               compared to organizational policy requirements, the date of the
                               cardholder’s reconciliation, and the date of the approving (or billing)
                               official’s certification for payment, and (3) notations (e.g., tick marks,
                               system notes) on cardholder’s individual purchase card transactions,
                               evidencing the approving official’s review and evaluation of the
                               appropriateness of the transactions and the documentation supporting
                               the cardholder’s performance of other control activities.
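
The date-sequencing, segregation-of-duties, and amount-matching attributes described for the transaction control activities above can be evaluated consistently across a sample once the documentation has been keyed in. The following Python is an added example, not part of the GAO guide; the field names, the constructed sample transactions, and the three-missing-documents follow-up threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class SampledTransaction:
    """One sampled purchase; field names are hypothetical, not the guide's."""
    txn_id: str
    cardholder: str
    purchase_date: date                         # sale date on the billing statement
    statement_cents: int                        # amount billed, in cents
    need_date: Optional[date] = None            # prepurchase request or authorization
    invoice_cents: Optional[int] = None         # vendor invoice amount
    receipt_signer: Optional[str] = None        # who signed for receipt and acceptance
    receipt_date: Optional[date] = None
    reconciliation_date: Optional[date] = None  # cardholder reconciliation
    ao_review_date: Optional[date] = None       # approving official review
    certification_date: Optional[date] = None   # certification for payment


DOC_FIELDS = ("need_date", "invoice_cents", "receipt_signer", "receipt_date",
              "reconciliation_date", "ao_review_date", "certification_date")


def in_order(*dates):
    """True only if every date is documented and the sequence never goes backwards."""
    if any(d is None for d in dates):
        return False  # missing documentation counts as a failed attribute
    return all(a <= b for a, b in zip(dates, dates[1:]))


def evaluate(t):
    """Return pass/fail per control activity for one sampled transaction."""
    amounts_match = t.invoice_cents is not None and t.invoice_cents == t.statement_cents
    receipt_ok = (
        t.receipt_signer is not None
        and t.receipt_signer != t.cardholder       # someone other than the cardholder
        and in_order(t.purchase_date, t.receipt_date)
        and (t.reconciliation_date is None or t.receipt_date <= t.reconciliation_date)
        and amounts_match
    )
    return {
        # need determined before the purchase is made
        "legitimate_need": in_order(t.need_date, t.purchase_date),
        "independent_receipt": receipt_ok,
        # invoice agrees with the statement and reconciliation precedes payment
        "cardholder_reconciliation": amounts_match and in_order(
            t.purchase_date, t.reconciliation_date, t.certification_date),
        # review follows reconciliation and precedes certification for payment
        "approving_official_review": in_order(
            t.reconciliation_date, t.ao_review_date, t.certification_date),
    }


def failure_counts(sample):
    """Number of sampled transactions failing each control activity."""
    counts = {}
    for t in sample:
        for control, passed in evaluate(t).items():
            counts[control] = counts.get(control, 0) + (0 if passed else 1)
    return counts


def missing_documents(t):
    return [f for f in DOC_FIELDS if getattr(t, f) is None]


def follow_up_candidates(sample, min_missing=3):
    """Transactions with a significant lack of documentation (threshold is an assumption)."""
    return [t.txn_id for t in sample if len(missing_documents(t)) >= min_missing]


# Constructed sample data, for illustration only.
SAMPLE = [
    SampledTransaction("T1", "A. Cardholder", date(2002, 3, 4), 12500,
                       need_date=date(2002, 3, 1), invoice_cents=12500,
                       receipt_signer="R. Receiver", receipt_date=date(2002, 3, 8),
                       reconciliation_date=date(2002, 3, 20),
                       ao_review_date=date(2002, 3, 22),
                       certification_date=date(2002, 3, 25)),
    # Need documented after purchase, cardholder signed own receipt,
    # bill certified before the approving official's review.
    SampledTransaction("T2", "B. Cardholder", date(2002, 3, 10), 30000,
                       need_date=date(2002, 3, 12), invoice_cents=30000,
                       receipt_signer="B. Cardholder", receipt_date=date(2002, 3, 15),
                       reconciliation_date=date(2002, 3, 28),
                       ao_review_date=date(2002, 4, 2),
                       certification_date=date(2002, 3, 30)),
    # No supporting documentation produced within the agreed time limit.
    SampledTransaction("T3", "C. Cardholder", date(2002, 3, 15), 4999),
]

if __name__ == "__main__":
    for txn in SAMPLE:
        print(txn.txn_id, evaluate(txn))
    print("failures per control:", failure_counts(SAMPLE))
    print("consider for follow-up:", follow_up_candidates(SAMPLE))
```
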

       Section 5: Pursuing Fraudulent, Improper, and Abusive
       Purchases




                               In addition to testing internal controls, GAO’s purchase card methodology
                               includes procedures designed specifically to identify potentially fraudulent,
                               improper, and abusive purchase card transactions. Designing and
                               conducting procedures specifically for the purpose of detecting such
                               transactions serves multiple purposes, including the potential discovery of a
                               previously unrecognized risk in the program. Additionally, top management
                               will likely be more receptive to recommendations for corrective actions
                               when a face is put on the consequences of weak control, and the effects are
                               illustrated by instances of fraudulent, improper, and abusive purchases.
                               GAO’s methodology described in this guide is a two-step process similar to
                               the process of selecting transactions and testing controls. It entails the
                               pursuit of fraudulent, improper, and abusive purchases by (1) making
                               nonrepresentative selections of transactions or patterns of activity in a
                               process referred to as data mining, and (2) conducting follow-up
                               procedures, rather than control tests, utilizing forensic auditing techniques
                               on selected transactions and on cases of potentially fraudulent purchases
                               detected during the audit process.

DATA MINING FOR DETECTION, ILLUSTRATION, AND DISCLOSURE

                               Data mining is the act of searching or ‘mining’ data to identify
                               transactions or patterns of activity exhibiting predetermined
                               characteristics, associations, or sequences, and anomalies between
                               different pieces of information. Data mining produces leads for
                               follow-up by auditors and investigators; consequently the concept of
                               data mining, as used in this guide, also includes performing
                               audit procedures and investigations as necessary to evaluate the leads. An
                               active continuous data-mining program by organization management can
                               also be used to identify and initiate investigations of instances of potentially
                               fraudulent, improper, and abusive purchases, and can serve as an effective
                               deterrent to such transactions. Data mining, when conducted in concert
                               with the tests of control activities, can provide additional evidence of
                               significant instances of noncompliance with laws and regulations, such as
                               those discussed in the Relevant Laws and Regulations section of this guide,
                               and lack of adherence to internal control policies and procedures. In
                               addition, it can identify previously unrecognized or under-appreciated risk in
                               the program. Revelations by data-mining results can often generate the
                               upper management motivation necessary to bring about meaningful change
                               in policies and procedures. The results of data mining should also be
                               considered when evaluating the overall effectiveness of systems of internal
                               control over government purchase card programs. However, since data
                               mining is nonrepresentative, its results cannot be projected, and conclusions
                               should not be reached on the population of purchase card transactions.

                            GAO’s approach to data mining is designed to support its overall evaluation
                            of the internal control of a government purchase card program and to
                            provide examples of the results of weakness in internal control. That
                            approach generally consists of:

                            •   identifying the population of transactions to data mine,
                            •   identifying criteria and designing search queries, and
                            •   extracting or summarizing transactions or patterns of activity from the
                                population for further analysis, selection, audit, and investigation.

                            The source of data for mining would generally be the same population as
                            the source used to select transactions for control tests. The same
                            population of transactions must be used if examples of
                            control failures detected by data mining are to be relevant to the population
                            of transactions and to the period covered by the control tests. This would
                            allow the results of data mining to be considered in the overall evaluation of
                            effectiveness of internal control.

                            An experienced credit card fraud investigator will bring valuable
                            perspective and insight, and should be involved in the process of
                            identifying criteria, associations, and characteristics for data mining for
                            fraudulent, improper, and abusive purchases. When identifying and
                            selecting data-mining criteria the auditor should also consider the risks of
                            potentially fraudulent, improper, and abusive purchases, data-mining criteria
                            identified by the auditor during the preliminary assessment, and the data-
                            mining criteria discussed in the following examples.

                            The following examples of data-mining queries, summaries and/or
                            extractions are appropriate to support an evaluation of the internal control
                            of a government purchase card program as contemplated in this guide, and
                            are intended to be used to identify and extract potentially fraudulent,
                            improper, and abusive purchases from a transaction database.

                            •    Questionable vendors are those vendors who sell goods or services
                                 that generally are not considered to meet a legitimate government
                                 need, or which are restricted or prohibited by law, regulation, or
                                 policy. Recent GAO audits of purchase card programs have identified
                                 potentially fraudulent, improper, and abusive purchases of goods and
                                 services from vendors such as restaurants, grocery stores, casinos,
                                 clothing or luggage stores, home furnishings, personal electronics,
                                 pornographic or sexually oriented goods or services (e.g., escort
                                 services), automobile dealers, and gasoline service stations. The
                                 understanding gained of the organization’s operations, in accordance
                                 with a previous section of this guide, should provide the insight
                                 necessary to make preliminary identification of vendors selling goods
                                 and services which likely do not meet a legitimate government need.
                                 The following are examples of ways to identify, extract, and select
                                 purchases from these vendors.

                                 -    By name: Identify questionable vendors, who can be expected
                                      to sell unneeded or prohibited goods or services, by name. This
                                      can be accomplished by manually reviewing a comprehensive list
                                      of vendor names extracted and sorted alphabetically from the
                                      population database. The selection process can be greatly
                                      enhanced by including selected summarized data by vendor
                                      name (e.g., number of transactions, dollars of purchases, number
                                      of cardholders making purchases). For example, because of the
                                      goods and services provided by vendors specializing in toys,
                                      stylish personal calendar/planners, and consumer electronics,
                                      purchases from them have a high likelihood of being potentially
                                      fraudulent, improper, or abusive.

                                 -    By merchant category code (MCC): Questionable vendors can
                                      be identified by using MCC codes—standard codes that the
                                      credit card industry maintains to categorize merchants—
                                      assigned to vendors that may sell personal or prohibited goods or
                                      services. Purchase card transactions carrying the identified
                                      codes can then be extracted from the population database.
                                      Sorting and/or summarizing the extracted transactions by vendor
                                      may further enhance the selection processes. Organizations have
                                      the ability to block purchases from vendors with selected MCC
                                      codes at the bank service provider. Ideally, any attempt to
                                      charge a purchase from a vendor with a blocked MCC code
                                      should be automatically rejected at the point of purchase.
                                      However, auditors should be aware that (1) vendors may
                                      circumvent this control by providing false or misleading
                                      information and obtaining an MCC code intended to disguise the
                                      types of goods or services provided by the vendor, and (2) bank
                                      service providers do not always reject purchase card
                                      transactions with blocked vendor MCC codes.

                                 All transactions associated with the identified vendor names and/or
                                 MCC codes should be considered potentially fraudulent, improper, and
                                 abusive and extracted into a questionable vendor transactions
                                 database(s) for further selection and follow-up.

                                 [Sidebar] Data mining of purchase card transactions at five related
                                 organizations disclosed numerous purchases of items for personal use
                                 including digital cameras, computers, clothing, and food.

                                 [Sidebar] A recent GAO audit disclosed a purchase card transaction
                                 with a prohibited escort service vendor. The bank service provider had
                                 accepted the transaction despite the blocked vendor MCC code.

                            •    Weekend and holiday purchases, in the operations of a normal
                                 governmental organization, could also offer a high probability of
                                 identifying potentially fraudulent, improper, and abusive transactions.
                                 However, using this approach to select transactions would not be
                                 effective if the organization’s operations routinely involve weekend
                                 and holiday purchasing activity. During the previously discussed
                                 process of gaining an understanding of the organization’s operations,
                                 the auditor should look for and be aware of this and similar exceptions
                                 to normal operations when designing data-mining criteria. Purchase
                                 card transactions on weekends and holidays within the audit period
                                 should be identified and extracted into a suspect date transactions
                                 database for further selection.

                                 [Sidebar] GAO testified that approximately $12,000 in potentially
                                 fraudulent cardholder purchases including an Amana range, Compaq
                                 computers, gift certificates, groceries, and clothes occurred primarily
                                 between December 20 and 26, 1999.

                             •    Split transactions are two or more transactions that would have
                                  normally been a single-purchase transaction, but were split to
                                  circumvent the micropurchase threshold (generally $2,500) or other
                                  legal or internal control single-purchase limit(s). For purposes of
                                  identifying sets of potential split transactions, all purchase card
                                  transactions in the audit period that meet the following criteria can be
                                  extracted into a potential split transactions database for further
                                  analysis:

                                  -    the transactions are with the same vendor, and
                                  -    the transaction dates are on the same day, and
                                  -    the transactions total in excess of $2,500, and
                                  -    the transactions are by the same cardholder, or the transactions
                                       are by the same activity/department. (Broadening the selection
                                       criteria to the same activity/department considers the potential
                                       for collusion among cardholders to circumvent single-purchase
                                       limits.)

                                  A nonrepresentative selection of transactions can then be made from
                                  the potential split transactions database and submitted to the
                                  follow-up procedures described in the Follow-up and Investigation
                                  section of this guide. For purposes of determining circumvention of
                                  single-purchase limits, all applicable limits should be considered (e.g.,
                                  micropurchase, cardholder organization authorized single-purchase
                                  limit, bank service provider system cardholder control single-purchase
                                  limit).

                                  [Sidebar] Data mining purchases at five related organizations disclosed
                                  numerous occurrences of purchases split to circumvent the $2,500
                                  micropurchase threshold, including $16,000 for furniture for an
                                  approving official’s office.

                             •    Transactions of unusual amounts or relationships may be
                                  fraudulent, improper, or abusive. The auditor should review the
                                  database for the existence of unusual purchase card transaction
                                  amounts, patterns, and relationships. Examples of such transactions
                                  include:

                                  -    frequent amounts with the same vendor just under the
                                       micropurchase threshold which, for example, may indicate that a
                                       vendor is exploiting weak controls and charging for goods or
                                       services that are not being provided or rendered; and

                                  -    multiple transactions for the same amount which, for example,
                                       may indicate intentional or unintentional duplicate billings for
                                       the same goods or service.

                                  Purchase card transactions in the audit period for unusual amounts or
                                  relationships should be extracted into an unusual-transactions database
                                  for further selection.

                                  [Sidebar] An organization approved and paid 75 purchase card
                                  transactions, all close to the micro purchase threshold, totaling
                                  $164,000, with a telecommunications contractor. The organization could
                                  not provide documentation of the nature or of receipt and acceptance of
                                  the services provided. After completing follow-up, GAO referred this
                                  case for criminal investigation.

                             •    Year-end spending may include purchases for which there is not a
                                  legitimate government need (e.g., bulk purchases of computer or
                                  electronic equipment). All purchase card transactions that exceed an
                                  established larger dollar value (e.g., $25,000) and occur in the last
                                  month of the fiscal year can be extracted into a year-end transactions
                                  database for further selection.

                                  [Sidebar] An organization used year-end funds to purchase computers
                                  and monitors costing $47,372. Nine months later over half of the
                                  computers remained in storage, raising questions of a legitimate need
                                  when purchased.

                             •    Purchase card transactions by vendor for the audit period can be
                                  summarized to provide statistical data such as:

                                  -    the number of cardholders making acquisitions with a vendor,
                                  -    the number of transactions with a vendor, and
                                  -    the dollar volume of transactions with a vendor.

                                   A critical analysis of the resulting vendor transaction summary totals,
                                   and their relationships, can identify opportunities for further data
                                   mining. Vendor summary totals at the extremes of activity, both high
                                   and low, warrant special attention. A vendor with only one or two
                                   cardholders making purchases, particularly if the dollar volume is high,
                                   may indicate a conflict of interest or fraudulent (e.g., kickbacks),
                                   improper, or abusive transactions. High dollar volumes of purchases
                                   may indicate a vendor with whom the government should have a
                                   discounted price agreement. A vendor with only one transaction might
                                   indicate a questionable legitimate government need. If these
                                   summaries are accomplished utilizing a software audit tool, the
                                   individual purchase card transaction detail underlying each vendor’s
                                   summary totals will usually be available, facilitating further review and
                                   selection.

                              •    Cardholders and/or their approving officials considered to
                                   have suspicious activities might be identified as the result of
                                   following up on previous data-mining transactions, a referral to an
                                   organizational fraud hotline, previous audit findings, or other means.
                                   Purchase card transactions for such cardholders and/or approving
                                   officials can be extracted into separate transactions databases for
                                   further analysis. Follow-up and investigation of these transactions can
                                   assist in developing cases for referral to criminal investigation and
                                   prosecutorial authorities.
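
The split-transaction, near-threshold and same-amount criteria from the list above, written as extraction queries over a small constructed transaction table. This is an added example, not part of the GAO guide; the row layout, the function names and the `band` and `min_count` tuning values are assumptions, and only the $2,500 limit comes from the text.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

MICROPURCHASE_LIMIT = Decimal("2500")  # single-purchase threshold cited in the guide

# Constructed sample rows: (txn_id, cardholder, department, vendor, txn_date, amount)
TXNS = [
    ("T01", "CH-A", "Dept-1", "Office Furnishings Co", date(2002, 3, 12), Decimal("2400.00")),
    ("T02", "CH-A", "Dept-1", "Office Furnishings Co", date(2002, 3, 12), Decimal("2350.00")),
    ("T03", "CH-B", "Dept-1", "Metro Computers", date(2002, 5, 6), Decimal("1500.00")),
    ("T04", "CH-C", "Dept-1", "Metro Computers", date(2002, 5, 6), Decimal("1400.00")),
    ("T05", "CH-D", "Dept-2", "Telecom Services LLC", date(2002, 1, 15), Decimal("2495.00")),
    ("T06", "CH-D", "Dept-2", "Telecom Services LLC", date(2002, 2, 15), Decimal("2490.00")),
    ("T07", "CH-D", "Dept-2", "Telecom Services LLC", date(2002, 3, 15), Decimal("2495.00")),
    ("T08", "CH-E", "Dept-3", "Paper Supply Inc", date(2002, 4, 2), Decimal("310.25")),
    ("T09", "CH-E", "Dept-3", "Paper Supply Inc", date(2002, 4, 9), Decimal("310.25")),
    ("T10", "CH-F", "Dept-3", "Paper Supply Inc", date(2002, 6, 3), Decimal("89.90")),
]


def split_candidates(txns, scope="cardholder", limit=MICROPURCHASE_LIMIT):
    """Sets of 2+ same-vendor, same-day purchases by one cardholder (or by one
    department, to surface possible collusion) that total more than the limit."""
    col = {"cardholder": 1, "department": 2}[scope]
    groups = defaultdict(list)
    for row in txns:
        groups[(row[col], row[3], row[4])].append(row)
    hits = []
    for (who, vendor, day), rows in sorted(groups.items()):
        total = sum(r[5] for r in rows)
        if len(rows) >= 2 and total > limit:
            hits.append((who, vendor, day, total, [r[0] for r in rows]))
    return hits


def near_limit_clusters(txns, limit=MICROPURCHASE_LIMIT,
                        band=Decimal("0.10"), min_count=3):
    """Vendors with at least min_count charges at or just under the limit.
    band and min_count are assumed tuning values, not figures from the guide."""
    floor = limit * (1 - band)
    by_vendor = defaultdict(list)
    for txn_id, _, _, vendor, _, amount in txns:
        if floor <= amount <= limit:
            by_vendor[vendor].append(txn_id)
    return {v: ids for v, ids in by_vendor.items() if len(ids) >= min_count}


def repeated_amounts(txns):
    """Same vendor charging the same amount more than once (possible duplicate billing)."""
    seen = defaultdict(list)
    for txn_id, _, _, vendor, _, amount in txns:
        seen[(vendor, amount)].append(txn_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for scope in ("cardholder", "department"):
        for hit in split_candidates(TXNS, scope):
            print("potential split:", scope, *hit)
    print("near limit:", near_limit_clusters(TXNS))
    print("repeated amounts:", repeated_amounts(TXNS))
```

In the sample, the two Metro Computers purchases surface only under the department scope, which is the collusion case the guide gives as the reason for broadening the criteria. Every hit is a lead for follow-up, not a finding.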

                              Since the data being mined are usually contained in a database of
                              individual purchase card transactions, a software audit tool that
                              facilitates summaries, comparisons, and extractions of
                              transactions and data elements selected for follow-up is recommended.
                              Several over the counter audit tools of this type are available. Using
                              professional judgment and considering the understandings gained and the
                              results of the preliminary assessment, the auditor should select transaction
                              leads provided by data mining and submit them to the procedures described
                              in the Follow-up and Investigation section of this guide. Unless adequate
                              follow-up procedures are accomplished, the auditor will not have sufficient
                              support to either report or refer the findings.
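
The kind of summaries and extractions such a tool produces for the questionable-vendor, weekend/holiday and vendor-summary criteria, sketched on constructed data. This is an added example, not GAO's or any audit product's code; the MCC watch list, the holiday list, the `HIGH_DOLLAR` cutoff, the row layout and the function names are all assumptions an auditor would replace with values chosen for the organization under audit.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Assumed auditor-built watch list of merchant category codes (not from the guide).
WATCH_MCC = {"5812": "restaurants", "5411": "grocery stores",
             "7995": "gambling", "7273": "dating and escort services"}
# Constructed partial holiday list for the audit period.
HOLIDAYS = {date(2001, 12, 25), date(2002, 1, 1), date(2002, 7, 4)}
HIGH_DOLLAR = Decimal("5000")  # assumed cutoff for a "high" vendor dollar volume

# Constructed sample rows: (txn_id, cardholder, vendor, mcc, txn_date, amount)
TXNS = [
    ("V01", "CH-A", "Lakeside Grill", "5812", date(2002, 3, 12), Decimal("86.40")),
    ("V02", "CH-A", "Riverboat Casino", "7995", date(2001, 12, 22), Decimal("500.00")),
    ("V03", "CH-B", "Apex Consulting", "7392", date(2002, 4, 1), Decimal("2450.00")),
    ("V04", "CH-B", "Apex Consulting", "7392", date(2002, 5, 1), Decimal("2450.00")),
    ("V05", "CH-B", "Apex Consulting", "7392", date(2002, 6, 3), Decimal("2450.00")),
    ("V06", "CH-C", "Capitol Office Supply", "5943", date(2002, 3, 12), Decimal("120.00")),
    ("V07", "CH-D", "Capitol Office Supply", "5943", date(2002, 7, 4), Decimal("75.50")),
    ("V08", "CH-E", "Capitol Office Supply", "5943", date(2002, 6, 2), Decimal("42.10")),
]


def questionable_vendor_txns(txns, watch=WATCH_MCC):
    """Transactions whose MCC is on the watch list: (txn_id, vendor, category)."""
    return [(t[0], t[2], watch[t[3]]) for t in txns if t[3] in watch]


def suspect_date_txns(txns, holidays=HOLIDAYS):
    """Transaction ids dated on a Saturday, a Sunday or a listed holiday."""
    return [t[0] for t in txns if t[4].weekday() >= 5 or t[4] in holidays]


def vendor_summary(txns):
    """Per vendor: (number of cardholders, number of transactions, dollar volume)."""
    holders, count, dollars = defaultdict(set), defaultdict(int), defaultdict(Decimal)
    for _, cardholder, vendor, _, _, amount in txns:
        holders[vendor].add(cardholder)
        count[vendor] += 1
        dollars[vendor] += amount
    return {v: (len(holders[v]), count[v], dollars[v]) for v in count}


def summary_leads(summary, high_dollar=HIGH_DOLLAR):
    """Vendors at the extremes of activity that the guide says warrant attention."""
    leads = {}
    for vendor, (n_holders, n_txns, total) in summary.items():
        reasons = []
        if n_holders <= 2 and total >= high_dollar:
            reasons.append("few cardholders, high dollar volume")
        if n_txns == 1:
            reasons.append("single transaction")
        if reasons:
            leads[vendor] = reasons
    return leads


if __name__ == "__main__":
    print("questionable vendors:", questionable_vendor_txns(TXNS))
    print("suspect dates:", suspect_date_txns(TXNS))
    summary = vendor_summary(TXNS)
    for vendor, stats in sorted(summary.items()):
        print(vendor, stats)
    print("leads:", summary_leads(summary))
```

An MCC match only reflects the code the merchant was assigned, so, as the guide cautions, a vendor with a misleading code will not appear in the first extraction and the by-name review is still needed.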

FOLLOW-UP AND INVESTIGATION

                              The concept of follow-up, as used in this guide, contemplates an
                              extension of audit procedures and documentation beyond those
                              generally necessary to test for adherence to internal control policies
                              or performance of control activities. GAO’s approach to the follow-up
                              process assesses purchase card transactions in three incremental
                              stages: (1) an initial evaluation of the cardholder documentation
                              supporting selected data-mined transactions for the purpose of
                              discerning potentially fraudulent, improper, and abusive transactions,
                              (2) the conduct of follow-up procedures discussed in this section on
                              those transactions, and (3) referral of any instance of detected likely
                              fraud to the appropriate criminal investigative personnel.

            Because of the characteristics of fraudulent, improper, and abusive
            purchases, the exercise of professional skepticism—an attitude that
            includes a questioning mind and a critical assessment of audit evidence—is
            especially important when following up on these purchase card
            transactions.

Follow-up

            The conduct of follow-up procedures utilizes forensic auditing techniques.
            In the context of this guide, forensic auditing (follow-up) contemplates
            increased scrutiny and documentation by the auditor of the facts and
            circumstances (including judgments made and actions taken by individuals
            party to the transaction) surrounding potentially fraudulent, improper, and
            abusive transactions. In the instance of fraudulent purchase card
            transactions, the follow-up process is designed to support a subsequent
            criminal investigation.

            The auditor should consider consulting with the appropriate fraud
            investigative staff when determining the appropriate follow-up procedures
            for potentially fraudulent transactions or cases detected through control
            tests or data mining. An experienced purchase card fraud investigator can
            bring valuable perspectives and insight to the follow-up process.
            Investigators may have procedures and protocols that establish boundaries
            designed to preserve a successful investigation and prosecution of a fraud
            within which the auditor’s follow-up and referral procedures should be
            constrained (e.g., cautions against contacting and inadvertently alerting the
            vendor suspected of fraud).

            To begin the follow-up process for transactions selected by data mining or
            other means, the auditor should obtain and review transaction
            documentation similar to that obtained and reviewed in the tests of
            transaction control activities (e.g., determination of legitimate government
            need, vendor invoice, independent receipt and acceptance, accountable
            property record, the cardholder billing statement). This documentation
            should be analyzed to determine whether it supports a preliminary
            conclusion of (1) an appropriate government transaction that meets a
            legitimate government need, or (2) a potentially fraudulent, improper, or
            abusive transaction.

            Detected or selected potentially fraudulent transactions should always be
            submitted to follow-up procedures. However, the auditor should use
            professional judgment and consider the results of cardholder documentation
            review, the overall objectives of pursuing fraudulent, improper, and abusive
            purchases, and the overall objectives of the audit, in making a decision to
            accomplish follow-up procedures for transactions detected during tests for
            performance of control activities, and the transactions selected in the data-
            mining process.

            Professional judgment, inputs from qualified fraud investigators, and an
            elevated level of professional skepticism should be exercised when
            conducting follow-up procedures and evaluating: (1) justifications offered
            for lack of adherence to policies and/or performance of control activities,
            (2) additional supporting documentation provided, and (3) unsupported
            representations made in interviews with program and organization
            personnel.

                            The following are intended as examples of follow-up procedures, and are
                            not a complete list of possible procedures.

                            • Request additional documentation to (1) support adherence to
                            internal control policies or performance of control activities (e.g., legitimate
                            government need, independent receipt and acceptance, exception to
                            prohibited item purchases), (2) provide missing relevant details of the
                            transactions, (3) support authorization for an otherwise improper purchase,
                            or (4) document other issues significant or useful to the process.

                            • Interview the cardholder for explanation, clarification, and other
                            additional information concerning the transaction, and corroboration of
                            verbal representations made by others.

                            • Interview the approving official for explanation, clarification, and
                            other additional information concerning the transaction, and corroboration
                            of verbal representations made by others.

                            • Interview other organization personnel who may have been
                            identified as parties with corroborating or clarifying knowledge of the facts
                            and circumstances of the transaction (e.g., supervisors and coworkers).

                            • Contact the vendor for clarification of the specifics of the transaction
                            (e.g., quantities, dates, time, description of goods or services provided).
                            Request copies of supporting documentation from the vendor, especially
                            when cardholder supporting documentation is missing.
                            • Fraud investigative staff assisting in the follow-up, or gathering
                            evidence to make and prove specific allegations of wrongdoing, may be able
                            to provide other items (e.g., credit reports, criminal records) that can
                            provide additional insight to the follow-up process.

                            [Sidebar] Fraud investigators provided relevant reports and information
                            to GAO auditors during follow-up on potentially fraudulent purchase
                            card transactions.

                            All interviews conducted as part of the follow-up process should be
                            documented in the audit work papers. At the conclusion of the follow-up
                            process, consider summarizing the facts, findings, and resolution or
                            disposition of the potentially fraudulent, improper, and abusive item in a
                            memorandum for inclusion in the work paper file. If at any time during the
                            follow-up process the auditor’s professional judgment is that a transaction is
                            likely fraudulent, referral of the transaction to the appropriate fraud
                            investigative staff (e.g., inspectors general, military service fraud
                            investigation offices) should be immediately considered.




Referral for Investigation

                             Referral of a likely fraudulent government purchase card transaction or case
                             should be made to the appropriate federal criminal investigative body. We
                             made such referrals to GAO’s Office of Special Investigations, whose
                             investigators have substantial experience in credit card fraud. The referral
                             should be accomplished in a written communication. That communication
                             would generally include, but not be limited to, the following information:

                             •   the date of the communication,
                             •   the name of the referring organization,
                             •   the name and telephone number of the referring contact,
                             •   the organization and program under audit,
                             •   a description of the potentially fraudulent transaction or case (e.g.,
                                 goods or services purchased, amounts paid, impropriety of the
                                 transaction),
                             •   the reason(s) for concluding the transaction to be potentially fraudulent,
                             •   the names and positions of the individuals involved (e.g., John Doe –
                                 cardholder, Jane Doe – vendor),
                             •   the date(s) of the purchase transaction,
                             •   a description of the indicators alerting the auditor to the potentially
                                 fraudulent transaction (e.g., altered supporting documentation,
                                 personnel interview, or record discrepancies), and
                             •   a statement as to whether the relevant documents (copies or originals)
                                 are attached or are available (e.g., cardholder billing statement, vendor
                                 invoice(s), follow-up interview(s)).




Appendixes




APPENDIX I – SELECTED RELEVANT GAO REPORTS AND TESTIMONIES

Department of Education
Department of Housing and Urban Development

Financial Management: Poor Internal Control Exposes Department of Education to Improper
Payments. GAO-01-997T. Washington, D.C.: July 24, 2001.

Education Financial Management: Weak Internal Controls Led to Instances of Fraud and
Other Improper Payments. GAO-02-406. Washington, D.C.: March 2002.

Financial Management: Strategies to Address Improper Payments at HUD, Education, and
Other Federal Agencies. GAO-03-167T. Washington, D.C.: October 3, 2002.

Department of Defense – Army

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste, and Abuse.
GAO-02-732. Washington, D.C.: June 2002.

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste, and Abuse.
GAO-02-844T. Washington, D.C.: July 17, 2002.

Department of Defense – Air Force

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to Fraud, Waste, and
Abuse. GAO-03-292. Washington, D.C.: December 2002.

Department of Defense - Navy

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse.
GAO-01-995T. Washington, D.C.: July 30, 2001.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse.
GAO-02-32. Washington, D.C.: November 2001.

Purchase Cards: Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud
and Abuse. GAO-02-506T. Washington, D.C.: March 13, 2002.

Purchase Cards: Navy Is Vulnerable to Fraud and Abuse but Is Taking Action to Resolve
Control Weaknesses. GAO-02-1041. Washington, D.C.: September 27, 2002.

Purchase Cards: Navy Vulnerable to Fraud and Abuse but Is Taking Action to Resolve Control
Weaknesses. GAO-03-154T. Washington, D.C.: October 8, 2002.




APPENDIX II – SELECTED RELEVANT LAWS AND REGULATIONS


This appendix contains some of the laws and regulations and other guidance that are applicable
governmentwide to the federal government purchase card program. Additional laws and
regulations and other agency- or organization-specific guidance may apply as well.

Establishment and operation of the purchase card program
   GSA SmartPay® Master Contract
   Treasury Financial Manual, Vol. I, Part 4-4500, “Government Purchase Cards”
   41 U.S.C. § 426 Use of electronic commerce in Federal procurement
   48 C.F.R. § 13.301(b) Governmentwide commercial purchase card
   31 U.S.C. §§ 3901 – 3907 Prompt Payment Act
   5 C.F.R. Part 1315 Prompt Payment

Procurement methods and standards
   41 U.S.C. § 253 Competition requirements
   41 U.S.C. § 403(11) Definitions
   41 U.S.C. § 427 Simplified acquisition procedures
   41 U.S.C. § 428 Procedures applicable to purchases below micropurchase threshold
   41 U.S.C. § 429 List of laws inapplicable to contracts not greater than the simplified
   acquisition threshold in Federal Acquisition Regulation
   48 C.F.R. § 1.603-3(b) Appointment
   48 C.F.R. Part 2.101 Definitions
   48 C.F.R. Part 8 Required Sources of Supplies and Services
   48 C.F.R. Part 13 Simplified Acquisition Procedures

Purposes for which an organization’s appropriations may be used
   31 U.S.C. § 1301(a) “Purpose Statute”
   Bona Fide Needs Rule, See, e.g. 68 Comp. Gen. 170, 171 (1989); 58 Comp. Gen. 471, 473
   (1979); 54 Comp. Gen. 962, 966 (1975)
   3 Comp. Gen. 433 (1924) Comptroller General McCarl to the Secretary of War
   B-288266 (Jan. 27, 2003) Use of Appropriated Funds to Purchase Light Refreshments at
   Conferences
   72 Comp. Gen. 178 (1993) Matter of: Corps of Engineers – Use of Appropriated Funds to Pay
   for Meals
   65 Comp. Gen. 738 (1986) Matter of: Refreshments at Awards Ceremony
   64 Comp. Gen. 406 (1985) Matter of: Randall R. Pope and James L. Ryan – Meals at
   Headquarters Incident to Meetings
   B-289683 (Oct. 7, 2002) Matter of: Purchase of Cold Weather Clothing, Rock Island District,
   U.S. Army Corps of Engineers
   63 Comp. Gen. 245 (1984) Matter of: Purchase of Down-Filled Parkas




APPENDIX III – EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE

(REQUEST THROUGH PAYMENT)


Figure: Navy Purchase Card Process (flow chart). Text of the flow chart boxes:

•   Purchase cardholder orders/charges goods and services (Vendor: items picked up; items shipped)
•   Independent documentation that items have been received and accepted
•   Pilferable items are recorded in accountable property records
•   Monthly purchase card statements are received from bank
•   Citibank reverses disputed charges and credits monthly statement
•   Cardholder reconciles underlying receipts/sales slips to monthly purchase card statements,
    identifies any invalid charges, and prepares dispute forms
•   Cardholder logs items not received and follows up to (1) confirm receipt or (2) dispute the charge
•   Cardholder or approving official logs disputed charges and sends forms to Citibank for credit
•   Approving official reviews cardholder support, and certifies monthly statements for payment
•   DFAS processes purchase card payments to Citibank

Source: GAO-02-1041




Approving Official
If operating effectively, the approving official is responsible for ensuring that all purchases made
by the cardholders within his or her cognizance are appropriate and that the charges are
accurate. The approving official is supposed to resolve all questionable purchases with the
cardholder before certifying the bill for payment. In the event an unauthorized purchase is
detected, the approving official is supposed to notify the agency program coordinator and other
appropriate personnel within the command in accordance with the command procedures. After
reviewing the monthly statement, the approving official is to certify the monthly invoice and send
it to the Defense Finance and Accounting Service (DFAS) for payment.

Cardholders
A purchase cardholder is a Navy employee who has been issued a purchase card. The purchase
card bears the cardholder’s name and the account number that has been assigned to the
individual. The cardholder is expected to safeguard the purchase card as if it were cash.

Designation of Cardholders
When a supervisor requests that a staff member receive a purchase card, the agency program
coordinator is to first provide training on purchase card policies and procedures and then
establish a credit limit and issue a purchase card to the staff member.

Ordering Goods and Services
Purchase cardholders are delegated limited contracting officer ordering responsibilities. As
limited contracting officers, purchase cardholders do not negotiate or manage contracts. Rather,
cardholders use purchase cards to order goods and services for their units and their customers
as well. Cardholders may pick up items ordered directly from the vendor or request that items
be shipped directly to an end user (requesters). Upon receipt of purchased items, the cardholder
is to record the transaction in his or her purchase log and obtain documented independent
confirmation from the end user, the supervisor, or another individual that the items have been
received and accepted by the government. The cardholder is also to notify the property book
officer of accountable items received so that these items can be recorded in the accountable
property records.

Payment Processing
The purchase card payment process begins with receipt of the monthly purchase card billing
statements. Section 2784 of title 10, United States Code, requires DOD to issue regulations that
ensure that purchase cardholders and each official with authority to authorize expenditures
charged to the purchase card reconcile charges with receipts and other supporting
documentation before paying the monthly purchase card statement. NAVSUP Instruction
4200.94 states that upon receipt of the individual cardholder statement, the cardholder has 5 days
to reconcile the transactions appearing on the statement by verifying their accuracy to
documentation supporting the transactions and to notify the approving official in writing of any
discrepancies in the statement.

In addition, under NAVSUP Instruction 4200.94, before the credit card bill is paid, the approving
official is responsible for (1) ensuring that all purchases made by the cardholders within his or
her cognizance are appropriate and that the charges are accurate and (2) the timely certification
of the monthly summary statement for payment by DFAS. The instruction further states that
within 5 days of receipt, the approving official must review and certify for payment the monthly
billing statement, which is a summary invoice of all transactions of the cardholders under the
approving official’s purview.

The approving official is instructed to presume that all transactions on the monthly statements
are proper unless notified in writing by the purchase cardholder to the contrary. However, the
presumption does not relieve the approving official from reviewing the statements for blatantly
improper purchase card transactions and taking the appropriate action before certifying the
invoice for payment. In addition, the approving official is responsible for forwarding disputed
charge forms for submission to Citibank for credit. Under the Navy’s task order, Citibank allows
the Navy up to 60 days after the statement date to dispute invalid transactions and request a
credit.

Upon receipt of the certified monthly purchase card summary statement, a DFAS vendor
payment clerk is to (1) review the statement and supporting documents to confirm that the
prompt-payment certification form has been properly completed and (2) subject it to automated
and manual validations. DFAS effectively serves as a payment processing service and relies on
the approving-official certification of the monthly bill as support to make the payment. The
DFAS vendor payment system then batches all of the certified purchase card payments for that
day and generates a tape for a single payment to Citibank by electronic funds transfer.




 APPENDIX IV – EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART


 Navy Purchase Card Program Management Structure, September 2001

 Department of Defense Purchase Card Program Management Office
    Department of Navy eBusiness Operations Office
    Navy Agency Program Coordinator
       Major commands (each with a Major Command Agency Program Coordinator):

 Major command                Area                  Agency Program Coordinators   Approving   Cardholders
                                                    at Subordinate Units          Officials
 Atlantic Fleet               Norfolk, VA Area       98                           286         769
 Pacific Fleet                San Diego, CA Area     66                           168         417
 Naval Sea Systems Command    Norfolk, VA Area       10                            78         235
 U.S. Marine Corps            Camp Lejeune, NC       15                           173         496

 Source: GAO analysis of Navy purchase card program organization.




     APPENDIX V – EXAMPLE AUDIT PROGRAM


Government Purchase Card Program
Example Internal Control Performance Audit Program

                                          Program Overview

This is an example audit program only and should be tailored to meet the requirements of the individual
organization’s purchase card program. The approaches, methodologies, and concepts applied in this
example, and the accompanying audit guide, are appropriate for use by management oversight personnel as
well as internal and external auditors.
To facilitate ongoing internal control monitoring efforts by management, sections C and D can be performed
independently of each other, and section D can be applied on a continuous basis.

A     Gain Necessary Understandings
A1    Understand the risk of fraudulent, improper, and abusive purchases
A2    Understand internal control
A3    Understand the relevant laws and regulations
A4    Understand the organization and purchase card program operations
A5    Understand and assess key elements of the control environment

B     Preliminarily Assess the Adequacy of Designed Control Activities
B1    Identify risks and control activities, and assess the adequacy of designed control activities
B2    Determine the effects of the assessment on the design of performance tests and the
      identification of potential data-mining criteria

C     Test Adherence to Policies and Performance of Control Activities
C1    Obtain transaction data for transaction-level testing
C2    Select purchase card transactions
C3    Obtain data evidencing performance of control activities
C4    Test key control activities

D     Pursue Fraudulent, Improper, and Abusive Purchases
D1 Data mine to identify potentially fraudulent, improper, and abusive purchase card transactions
D2 Follow up on selected purchase card transactions and refer likely fraud for investigation




Government Purchase Card Program
Example Internal Control Performance Audit Program                                                           Page           of

Sec | # | Audit Steps | Work Paper Reference | Initial / Date Completed

Organization Name    :
Audit Period/Scope   :
Auditor/Manager in Charge   :
Other   :
A – Gain Necessary Understandings
 A1         Understand the risk of fraudulent, improper and abusive purchases
             1.0 Obtain and review relevant reports on audits of internal control over
                    government purchase card programs. (See app. I of this guide for a
                    list of GAO reports.)
             2.0 Obtain and review recent reports on audits of internal control over the
                    organization’s purchase card program, and:
                         determine management’s response to findings and
                         recommendations, and
                         determine the status of corrective actions taken by management.
             3.0 Review the “Understanding the Purchase Card Program – The Risk of
                    Fraudulent, Improper, and Abusive Purchases” section of this guide,
                    and
             3.1 Obtain and review detail summaries prepared by the organization’s
                    fraud investigative personnel (e.g., inspector general) of all purchase
                    card fraud detected within the prior ___________ (e.g. 2 years).
 A2         Understand internal control
             1.0 Obtain and review:
                         GAO/AIMD-00-21.3.1 Standards for Internal Control in the Federal
                         Government (Green Book)
                         GAO-01-1008G Internal Control Management and Evaluation Tool,
                         and
                         GAO/AFMD-8.1.2 Guide for Evaluating and Testing Controls Over
                         Sensitive Payments.
             2.0 Review the “Understanding the Purchase Card Program – Internal
                    Control and the Control Environment” section of this guide.
 A3         Understand the relevant laws and regulations
             1.0 Obtain and review laws and regulations relevant to the government’s
                    purchase card program. (See app. II of this guide for a list of selected
                    relevant federal laws and regulations.)




       2.0 Review the “Understanding the Purchase Card Program – Relevant
             Laws and Regulations” section of this guide.
A4    Understand the organization and purchase card program operations
       1.0 To facilitate the following and subsequent audit procedures, the auditor
             and program oversight personnel should establish contact with
             management personnel at both:
               the organization’s purchase card program, and
               the bank purchase card service provider.
      The organization’s operations
       2.0 Obtain and review the organization’s written policies and procedures
             describing their operations and activities. Such documents might
             include:
               mission statement(s) and/or activity descriptions, and
               operational policies, procedures, or instructions.
             (The auditor should review these and other relevant documents,
             which when considered with subsequent personnel interviews serve
             to provide an understanding of the current mission-related
             operations and activities of the organization.)
       2.1     Identify and interview selected organization personnel for the
               purpose of supplementing and clarifying the auditor’s understanding
               of the organization’s mission and/or operating activities.
      The organization’s purchase card program
       3.0 Obtain and review the organization’s written policies and procedures
             describing and controlling their purchase card program. Such
             documents might include:
               purchase card program policies, procedures, or instructions, and
               contractual agreement with the bank service provider.
             (The auditor should review these and other relevant documents,
             which when considered with subsequent personnel interviews and
             walkthroughs should serve to provide and/or reinforce an
             understanding of the current operations of the purchase card
             program.)
       4.0 Identify and interview selected purchase card program personnel,
             including personnel from the following categories, for the purpose of
             supplementing and clarifying the auditor’s understanding gained from
             review of the organization’s written policies and procedures:
               purchase cardholders,
               approving officials, and
               program coordinator.
       5.0 Determine and document the organization’s policies and procedures
             (or control activities) related to the control environment, including
             the following key areas:
       5.1     Span of control, also:
                    determine the current total number of cardholders at the
                    organization, and
                    determine the current total number of approving officials at the
                    organization.
       5.2     Financial exposure, also:
                    determine whether and how the organization initially and
                    periodically verifies that purchase cards are issued to, and
                    continue to be held by, individuals who need one to perform
                    their assigned duties, and
                    determine whether and how the organization initially and
                    periodically determines that cardholder and approving official
                    credit limits are appropriate to their needs.
       5.3     Training, also:
                    determine how and when the organization provides and
                    documents initial and refresher training for cardholders,
                    approving officials, and agency/organization program
                    coordinators.
       5.4     Discipline, also:
                    determine the organization’s process for investigating
                    allegations of fraudulent purchase card activity, and
                    determine how the organization decides and documents
                    disciplinary actions taken for lack of adherence to internal
                    control policies and performance of control activities.
       5.5     Purchasing and reviewing authorities for cardholders and approving
               officials, also:
                    determine how the organization approves and documents
                    purchasing credit and single transaction limits for cardholders,
                    and
                    determine how the organization approves and documents
                    cardholder review responsibility and payment authorization
                    credit limits for approving officials.
       6.0 Determine and document the organization’s policies and procedures
             (or control activities) related to purchase card transactions,
             including the following key areas:
       6.1     determining a legitimate government need prior to making the
               purchase;
       6.2     requiring and documenting independent receipt and acceptance of
               goods and services;




       6.3      establishing physical control and accountability over pilferable and
                other vulnerable property;
       6.4      process and documentation requirements for cardholder
                reconciliation of monthly purchase card statements; and
       6.5      process and documentation requirements for approving official
                review and approval for payment of assigned cardholders’ monthly
                purchase card transactions.
       7.0 Determine and document the organization’s policies and procedures
             (or control activities) related to management’s risk assessment.
       8.0 Determine and document the organization’s policies and procedures
             (or control activities) related to information and communications.
       9.0 Determine and document the organization’s policies and procedures
             (or control activities) related to monitoring, including the following
             key areas.
       9.1      Agency/organization program coordinator’s routine audits of
                internal control over the organization’s purchase card program.
       9.2      Bank service provider management reports:
                    what reports are provided,
                    who gets the reports, and
                    what are they used for.
       9.3      Internal review (or similar function) evaluation of internal control
                and the effectiveness of the organization’s purchase card program.
      10.0 Identify the computer-based controls that the organization has
             established over the purchase card program, including those:
      10.1      over the payment of monthly purchase card bills,
      10.2      designed to prevent duplicate payments, and
      10.3      designed to prevent unauthorized access to purchase card
                transaction and master file information.
      11.0 Perform a walk-through of one or more selected purchase card
             transactions to confirm the understandings of:
                the flow of a typical purchase card transaction, and
                the system of internal control (including control activities).
      11.1 Obtain examples of documentation evidencing the performance of all
             key control activities.
      12.0 Using the knowledge gained from:
                reviews of written policies and procedures,
                interviews with program personnel, and
                walkthroughs of purchase card transactions:



             develop a flowchart and narrative which depict and explain the typical
             purchase card transaction process from request to payment. Include
             routine exceptions, such as disputed transactions and late receipts.
             Highlight and discuss all key controls in the process.
      12.1 Discuss the flowchart with appropriate purchase card program office
             personnel and obtain their concurrence with the process flow and key
             controls.
      The bank service provider
      13.0 Obtain and review documents describing the bank service provider’s
             policies and procedures controlling the operation and interface of the
             purchase card program with the organization. Such documents might
             include:
                operational policies, procedures, or instructions; and
                purchase card program training manuals or instructions.
      14.0 Identify and interview selected bank service provider personnel,
             including personnel from the following categories, for the purpose of
             supplementing and clarifying the auditor’s understanding gained from
             review of the operation and control documents:
                program operations,
                customer service representative, and
                fraud detection and investigation.
      15.0 Obtain a database of purchase card transactions for the period or scope
             of the audit. Obtain and agree control totals from an independent
             source to the purchase card transactions database (see step C1-1.0).
      16.0 Obtain a listing of program reports available from the bank provider
             and:
      16.1      gain an understanding of the information contained in the reports
                and their intended use,
      16.2      compare the list to the reports being obtained and used by the
                organization, and
      16.3      identify and request the available reports which facilitate the
                auditor’s determination of adherence to control environment
                policies (e.g., span of control, financial exposure).
A5    Understand and assess key elements of the control environment
       1.0 Based on the understandings gained through document reviews and
             personnel interviews, preliminarily assess management’s operating
             philosophy and attitude (i.e., tone at the top) as having a positive or
             negative effect on internal control across the organization.
       2.0 Obtain data (e.g., electronic reports and data files) from the bank
             service provider and/or the organization, necessary to perform tests of
             the following key elements of the control environment.



  Page 66                   GAO-03-678G Purchase Card Audit Guide Exposure Draft
Government Purchase Card Program
Example Internal Control Performance Audit Program                                         Page       of
                                                                                           Work       Initial /
Sec    #                                   Audit Steps                                     Paper       Date
                                                                                         Reference   Completed
       2.1 Test the following key elements of the control environment for
             adherence to internal control policies on an organization-wide (macro-
             level):
       2.2      span of control, and
       2.3      financial exposure.
       2.4 Document for inclusion in the workpapers the results of the evaluation
             process, and the preliminary conclusions of the effect of these
             elements of the control environment on the effectiveness of internal
             control.
       3.0 Obtain data from the organization necessary to perform tests of
             controls for the following key elements of the control environment (see
             step C3-1.4). Data should be obtained for each cardholder and
             approving official on transactions selected for control activity testing.
       3.1 Test the following key elements of the control environment in
             conjunction with tests of transaction-level control activities (see step
             C4-2.0):
                training,
                discipline, and
                purchasing and reviewing authorities.
       3.2 Document for inclusion in the workpapers the results of the evaluation
             process, and the preliminary conclusions of the effects of these
             elements of the control environment on internal control.
       4.0 Upon completion of testing of all the key elements of the control
             environment, prepare a summary memorandum for inclusion in the
             workpapers on the auditor’s conclusion of the overall effect of tone at
             the top, span of control, financial exposure, training, discipline, and
             purchasing and reviewing authorities on the control environment, and
             on the overall effectiveness of internal control.




B – Preliminarily Assess the Adequacy of Designed Control Activities
B1    Identify risks and related designed control activities, and assess the adequacy of those
      activities
       1.0 Identify and list the significant risk/opportunities of fraudulent,
            improper, or abusive and questionable transactions in the
            organization’s purchase card program.
                 Such risks can be control environment related (e.g., span of
                 control, training), purchase transaction related (e.g., no
                 legitimate government need, inadequate approving official
                 review), or related to other significant areas (e.g.,
                 monitoring).
       2.0 Identify the internal control policy and procedure (control activity)
            designed to prevent or promptly detect each above significant
            risk/opportunity.
       3.0 For each significant risk identified, preliminarily assess, as (1) strong,
            (2) weak, or (3) ineffective (including nonexistent), the likely
            effectiveness of the related designed control activities (if in place and
            operating) to provide management with reasonable assurance that
            significant fraudulent, improper, and abusive purchase card
            transactions will be prevented or promptly detected.
B2    Determine the effects of the assessment on the design of performance tests and the
      identification of potential data-mining criteria
       1.0 For each above risk/opportunity control activity relationship evaluated,
            determine its effect on the design of audit tests for adherence to
            policies and/or performance of control activity.
       2.0 For each above risk/opportunity control activity relationship evaluated,
            consider potential criteria for data mining identified, if any.
       3.0 Consider documenting for the audit work papers:
               the identification of each risk/opportunity,
               the related control activities,
               the preliminary assessment of effectiveness,
               the effects of the assessment on the design of tests for adherence to
               control policies and performance of control activities, and
               the identification of potential data-mining criteria.




C – Test Adherence to Policies and Performance of Control Activities
C1    Obtain transaction data
       1.0 Obtain a database (the population) of purchase card transactions for
            the audit scope or period, and
       1.1 verify its completeness by agreeing control totals to an independent
            source (e.g., bank service provider, organization records) (see step A4
            15).
C2    Select purchase card transactions
       1.0 Consider the:
               understandings gained of the operations of the organization and the
               purchase card program,
               the designed internal control policies and procedures, and
               the results of the preliminary assessment of the adequacy of internal
               control,
            and determine whether to use statistical (recommended) or
            nonstatistical sampling in selecting transactions. If a statistical sample
            selection is to be made, have a statistician design the sample.
       1.1 Document the significant considerations made and conclusions
            reached in a detailed sampling plan for inclusion in the work papers, to
            include the following:
               the reasons that a sample was developed,
               the type of sample (e.g., statistical or nonstatistical) and sampling
               method (e.g., random) being used,
               a description of the population (e.g., nature, data elements, source,
               control totals),
               the sample design (e.g., confidence level, strata criteria, number of
               items and/or dollars in population and strata, sample size by strata
               and population) selected along with a discussion of the factors
               considered and conclusion reached,
               guidelines about the types of evidence and attributes the auditor(s)
               will accept as clear evidence of performance of control activities,
               information about the anticipated precision of the sample estimates,
               a definition of what nonadherence to controls means,
               expectations (if any) about the rate of nonadherence to controls,
               and
               examples of the types of conclusions the auditor expects to be able
               to make after the sample data are analyzed (and projected to the
               population).
       2.0 Extract transactions, in accordance with the sampling plan, from the
            population to perform tests for performance of transaction-related
            control activities.
C3    Obtain data for testing performance of control activities



       1.0 Coordinate with the organization’s purchase card program
            management and obtain access to program personnel and original
            documentation evidencing performance of transaction-level and related
            control activities for each selected transaction. The following are
            examples of such personnel and documents.
       1.1 Personnel:
               cardholders for selected transactions,
               approving officials for selected transactions,
               agency/organization purchase card program coordinator, and
               operations supervisory personnel as needed.
       1.2 Documents directly related and relevant to selected individual
            purchase card transactions:
               cardholder monthly billing statement,
               approving official monthly billing statement,
               cardholder log (or equivalent) of purchases made,
               prepurchase request, approval, authorization, or other
               determination of a legitimate government need,
               evidence of screening for required/statutory vendors,
               waiver on required sources of supply, if applicable,
               evidence of bid solicitations and receipt, if applicable,
               vendor invoice or receipt for goods or services,
               packing slip,
               evidence of independent receipt and acceptance,
               bank dispute/affidavit forms, if transaction disputed,
               cardholder reconciliation and certification of bill, and
               approving official review, and certification for payment.
       1.3 Additional documents relevant to purchases of accountable property:
               cardholder notification to property book, and
               property book record.
       1.4 Control environment documents evidencing adherence and
            performance of key elements: (see step A5 3.0)
               cardholder purchase and credit limits authorization,
               approving official review responsibilities and authorized limits,
               cardholder training certificates/records,
               approving official training certificates/records,
               cardholder account closure/final bill, if account closed, and
               disciplinary actions taken on cardholder and/or approving official in
               the last _____________________________________.
C4    Test Key Control Activities



      Transaction control activity testing
       1.0 Using the relevant documentation obtained for the selected purchase
            card transactions, accomplish attribute testing designed to determine
            the performance of transaction control activities, including:
               determination of a legitimate government purchase,
               screening for required vendors,
               independent receipt and acceptance,
               physical control and accountability over pilferable and other
               vulnerable property,
               cardholder reconciliation, and
               approving official review.
       1.1 Document for inclusion in the workpapers pass/fail of attribute tests
            performed for each control activity in such a manner that facilitates
            summary of the number of transactions which fail by attribute and by
            control activity, and the dollar value of those transactions, for each
            stratum identified in the sampling plan.
      Testing key elements of the control environment
       2.0 Using the relevant documentation obtained for testing key elements of
            the control environment (see step A5 3.1) in conjunction with tests of
            selected purchase card transactions, accomplish attribute testing
            designed to determine adherence to policy for each selected
            transaction, including:
               training,
               discipline, and
               purchasing and reviewing authorities.
       2.1 Document for inclusion in the workpapers the pass/fail results of
            attribute tests performed for each control activity in such a manner
            that facilitates summary of the number of transactions which fail by
            attribute and by control activity, and the dollar value of those
            transactions, for each stratum identified in the sampling plan.
      Potentially fraudulent, improper, and abusive purchases
       3.0 Evaluate each selected transaction for criteria identifying a potential
            fraudulent, improper, and abusive purchase, including:
               questionable vendors,
               weekend and holiday purchases,
               split purchases,
               unusual amounts or relationships, and
               year end spending.
       3.1 Conduct follow-up of all transactions exhibiting such criteria, and refer
            any likely fraud for investigation.
       3.2 Document for inclusion in the work papers the results of follow-up and
            referrals in such a manner that facilitates summary of the number of



            transactions considered fraudulent, improper, abusive, or questionable,
            and the dollar value of those transactions, for each stratum identified in
            the sampling plan.
      Analyzing and documenting sample results
       4.0 Project the results of the sample transactions tests to the population in
            accordance with the sampling plan. If statistical sampling was used,
            provide the sample test results to the statistician for projection to the
            population/strata.
       4.1 Obtain a written memorandum from the statistician of the statistical
            results of the projection(s) in accordance with the sampling plan,
            recapping the population and the sampling plan used, the control tests
            performed by the auditor, the statistical estimates (e.g., attribute
            pass/fail, dollar values) for each stratum, and the associated confidence
            intervals.
       4.2 Prepare a summary memorandum, for inclusion in the work papers,
            that incorporates the sample test results and the statistician’s report,
            recaps the rules used to assess the effectiveness of controls, and
            documents the auditor’s conclusions about the effectiveness of
            individual control activities.
       4.3 Consider the results of transaction-level and other control tests, and
            the results of data mining and follow-up of potentially fraudulent,
            improper, and abusive transactions, and prepare a memorandum for
            inclusion in the work papers documenting the considerations made and
            conclusions reached by the auditor on the overall effectiveness of the
            design and performance of internal control designed to prevent and
            detect potentially fraudulent, improper, and abusive purchase card
            transactions.




D – Pursue Fraudulent, Improper, and Abusive Purchases
D1    Data mine to identify potentially fraudulent, improper, and abusive purchases
       1.0 Based on:
               understandings gained about the operations of the organization and
               its purchase card program,
               the results of the preliminary assessment of internal control,
               insights provided by involving credit card fraud investigators, and
               insights provided by conducting tests of performance of control
               activities,
            determine the criteria (e.g., characteristics, associations, or sequences
            and pattern clusters) which signify potentially fraudulent, improper,
            and abusive purchases.
       2.0 Obtain a database of purchase card transactions for the audit scope or
            period (usually the same “population” database obtained for selecting
            transactions for control activity testing).
       3.0 Perform analysis of the database to identify transactions exhibiting the
            characteristics of potentially fraudulent, improper, and abusive
            purchases. Such analysis should include the following approaches:
               questionable vendors,
               weekend and holiday purchases,
               split purchases,
               unusual amounts or relationships,
               year-end spending,
               transactions by vendor analysis, and
               suspicious cardholders and/or approving officials.
       4.0 Extract transactions identified above into discrete smaller databases
            for further analysis.
       5.0 Select nonrepresentative transactions from the above discrete extracts
            for follow-up, referral, and investigation.
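
One way to run four of the step 3.0 screens (questionable vendors, weekend and holiday purchases, split purchases, year-end spending) and produce the discrete extracts of step 4.0, as an added example that is not part of the GAO guide. The single-purchase limit, year-end window, holiday calendar, merchant category code watch list, and every transaction below are constructed assumptions; take the real values from the organization's policy and the bank service provider's data.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import NamedTuple

# Assumed screening parameters (not from the guide).
SINGLE_PURCHASE_LIMIT = Decimal("2500.00")        # assumed cardholder per-transaction limit
YEAR_END_DAYS = 15                                # assumed window: last 15 days before Sept 30
HOLIDAYS = {date(2002, 7, 4), date(2002, 9, 2)}   # constructed holiday calendar
QUESTIONABLE_MCC = {"5944", "7995"}               # assumed merchant category code watch list


class Txn(NamedTuple):
    txn_id: str
    cardholder: str
    vendor: str
    mcc: str
    when: date
    amount: Decimal


# Constructed sample population; cardholders and vendors are placeholders.
TRANSACTIONS = [
    Txn("T01", "CH-100", "Vendor A", "5943", date(2002, 6, 12), Decimal("1400.00")),
    Txn("T02", "CH-200", "Vendor B", "5045", date(2002, 5, 14), Decimal("2400.00")),
    Txn("T03", "CH-200", "Vendor B", "5045", date(2002, 5, 14), Decimal("2300.00")),
    Txn("T04", "CH-300", "Vendor C", "7995", date(2002, 8, 17), Decimal("310.00")),
    Txn("T05", "CH-100", "Vendor D", "5712", date(2002, 9, 27), Decimal("2499.00")),
    Txn("T06", "CH-400", "Vendor E", "5311", date(2002, 7, 4), Decimal("85.50")),
    Txn("T07", "CH-100", "Vendor A", "5943", date(2002, 3, 5), Decimal("120.00")),
    Txn("T08", "CH-100", "Vendor A", "5943", date(2002, 3, 5), Decimal("95.00")),
]


def is_weekend_or_holiday(day):
    # weekday() returns 5 for Saturday and 6 for Sunday.
    return day.weekday() >= 5 or day in HOLIDAYS


def is_year_end(day):
    # The federal fiscal year ends September 30; flag the days leading up to it.
    days_left = (date(day.year, 9, 30) - day).days
    return 0 <= days_left < YEAR_END_DAYS


def split_purchases(txns):
    """Same cardholder, vendor and day; each charge within the limit, total above it."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.cardholder, t.vendor, t.when)].append(t)
    hits = []
    for rows in groups.values():
        total = sum((t.amount for t in rows), Decimal("0"))
        within_limit = all(t.amount <= SINGLE_PURCHASE_LIMIT for t in rows)
        if len(rows) > 1 and within_limit and total > SINGLE_PURCHASE_LIMIT:
            hits.extend(rows)
    return hits


def data_mine(txns):
    """Return one discrete extract per screening approach (step 4.0)."""
    return {
        "questionable_vendors": [t for t in txns if t.mcc in QUESTIONABLE_MCC],
        "weekend_holiday": [t for t in txns if is_weekend_or_holiday(t.when)],
        "split_purchases": split_purchases(txns),
        "year_end_spending": [t for t in txns if is_year_end(t.when)],
    }


def summarize(extracts):
    """Count and dollar value per extract, for the work papers."""
    return {
        name: (len(rows), sum((t.amount for t in rows), Decimal("0")))
        for name, rows in extracts.items()
    }


if __name__ == "__main__":
    extracts = data_mine(TRANSACTIONS)
    for name, (count, dollars) in summarize(extracts).items():
        ids = ", ".join(t.txn_id for t in extracts[name])
        print(f"{name:22} {count:2d} txns  ${dollars:>9}  [{ids}]")
```

A hit is only a lead for the follow-up in D2: T07 and T08 share a cardholder, vendor, and day but total less than the limit, so the split-purchase screen leaves them out.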
D2    Follow-up and referral of selected purchase card transactions
       1.0 Obtain supporting cardholder purchase documentation for all
            potentially fraudulent, improper, and abusive purchase card
            transactions identified and selected in the above data-mining
            approaches.
                Such documentation would normally include the documents
                directly related and relevant to selected individual purchase
                card transactions listed in the Obtain Data for Testing
                Performance of Control Activities section of this example



                audit program. (see step C3 1.2)
       2.0 Review the initial supporting documentation for the selected
            transactions and make a preliminary determination of the
            appropriateness of the purchase.
       3.0 For those data-mined purchase card transactions which continue to be
            (and those control activity test transactions) considered potentially
            fraudulent, improper, and abusive or questionable, accomplish follow-
            up procedures as indicated by the circumstances, such as:
               request additional documentation,
               interview the cardholder,
               interview the approving official,
               interview operational supervisors and/or coworkers,
               contact the vendor directly, and
               request relevant items from fraud investigators.
       4.0 Document for the audit work papers each interview conducted during
            the follow-up process.
       5.0 Document for the audit work papers the results of each follow-up
            process in a summary memorandum, and attach all interviews and
            relevant supporting documentation.
       6.0 Refer all purchase card transactions, which after the completion of the
            follow-up process are considered to be likely fraudulent, to the
            appropriate fraud investigative body.
            The referral communication should be written and should include the
            following information:
               the date of the communication,
               the name of the referring organization,
               the name and telephone number of the referring contact,
               the organization and program under audit,
               a description of the potentially fraudulent transaction (e.g., goods or
               services purchased, amounts paid, impropriety of the transaction),
               the reason(s) for concluding the transaction to be potentially
               fraudulent,
               the names and positions of the individuals involved (e.g., John Buck
               – cardholder, Jane Doe – vendor),
               the date(s) of the purchase transaction,
               a description of the indicators alerting the auditor to the potentially
               fraudulent transaction (e.g., altered supporting documentation,
               personnel interview, or record discrepancies), and
               a statement as to whether the relevant documents (copies or
               originals) are attached or are available (e.g., cardholder billing


               statement, vendor invoice(s), follow-up interview(s)).
            Retain a copy of all referral communications and attachments for the
            audit work papers.
       6.1 Request memorandums of investigations at the end of the audit period
            detailing the conduct, progress, and status of all such referred purchase
            card transactions.




APPENDIX VI – GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE CARD FRAUD


For purchase card transactions that have been identified as potentially fraudulent, the
investigator should review information provided as part of the follow-up and referral process,
and to the extent necessary take the following actions:

•   Obtain from the organization, auditor, or manager the names of cardholder(s) for accounts
    involved with the transaction(s).

•   Obtain account histories from the bankcard service provider for specific accounts to identify
    any patterns of similar or other questionable transactions and the vendors involved with
    those transactions.

•   Identify the organization’s approval process and determine who:
       requested the goods or services purchased,
       approved the transactions, and
       signed off on the monthly statement indicating that they had reviewed the transactions.

•   Obtain from the organization, auditor, or manager documentation related to the
    transaction(s), such as invoices, shipping receipts, any contact telephone numbers, etc.

•   Determine the organization’s policies for accountability of pilferable and other property.

•   Interview the organization individual(s) involved with requesting the goods or services and
    the individual(s) that review the monthly bank statements to determine if they were aware of
    (1) the transaction(s), and (2) whether the cardholder(s) filed a dispute form concerning the
    transaction(s).

•   Interview the cardholder(s) to determine who made the purchases, the purpose of the
    purchases, and whether they disputed the transactions.

•   Interview the vendor(s) where questionable transactions were made and:
        obtain any documentation relating to the transactions including detailed description of
        items purchased, such as serial numbers, or specific services provided;
        determine where property was delivered or where the services were provided;
        determine whether the vendor records the telephone number from which the order for
        goods or services was made; and
        determine whether the vendor maintains a database of purchase card numbers and
        whether this database has been compromised.

•   Interview organization officials responsible for maintaining property inventory and
    determine:
        whether the items purchased were included in inventory, and
        how property delivered to the organization is accounted for.




APPENDIX VII – GAO CONTACT AND STAFF ACKNOWLEDGMENTS


GAO Contact

Stephen Wm. Lipscomb                (303) 572-7328

Staff Acknowledgments

In addition to the person named above, David Childress, Francine Delvecchio, Don Fulwider,
Charles R. Hodge, Jeffrey Jacobson, Jason Kelly, Julia Matta, John Ryan, and Sidney Schwartz
made important contributions to this report.



