
Audit Guide: Auditing and Investigating the Internal Control of Government Purchase Card Programs (Supersedes GAO-03-678G)

Published by the Government Accountability Office on 2003-11-01.


United States General Accounting Office
GAO Financial Management and Assurance

November 2003

AUDIT GUIDE
Auditing and Investigating the Internal Control of Government Purchase Card Programs

GAO-04-87G

This is a work of the U.S. government and is not subject to copyright protection in the
United States. It may be reproduced and distributed in its entirety without further
permission from GAO. However, because this work may contain copyrighted images or
other material, permission from the copyright holder may be necessary if you wish to
reproduce this material separately.
Preface




          The federal government of the United States—the largest and most complex
          organization in the world—expended approximately $15 billion through
          federal organizations’¹ purchase card programs² in fiscal year 2002. As the
          steward of taxpayer dollars, federal agencies are accountable for how
          purchase cards are used and how the funds are spent. To that end, federal
          agencies are responsible for establishing and maintaining internal control to
          provide reasonable assurance that (1) the goals and objectives of the
          purchase card program are met and (2) safeguards against fraudulent,
          improper, and abusive purchases are adequate.

          Recent congressional testimony and inspector general and GAO reports
          show that some federal agencies do not have adequate internal control over
          their purchase card programs. Without effective internal control,
          management has little assurance that fraudulent, improper, and abusive
          purchases are being prevented or, if occurring, are being promptly detected
          with appropriate corrective actions taken. A key element of internal control
          is monitoring that assesses the quality of performance over time and ensures
          that the findings of audits and other reviews are promptly resolved.
          Monitoring provides for regular management and supervisory activities as
          well as evaluations by inspectors general or external auditors.

          This guide focuses on audits of internal control activities—designed
          primarily to prevent or detect significant fraudulent, improper, and abusive
          purchases—in government purchase card programs. It is intended to
          provide practical guidance for consideration by internal and external
          auditors, investigators, and program management oversight personnel in
          assessing the adequacy and performance of those control activities and
          identifying areas of internal control for potential improvement. This guide is
          based primarily on GAO’s experiences in auditing and investigating internal
          control over federal government purchase card programs at the
          Departments of Defense, Education, and Housing and Urban Development
          and other federal agencies.

          This guide was prepared at the request of former Chairman Stephen Horn,
          Subcommittee on Government Efficiency, Financial Management and
          Intergovernmental Relations, House Committee on Government Reform.
          This is one in a series of projects we have undertaken for the Subcommittee
          concerning weaknesses in internal control over government purchase and
          travel card programs. This guide was prepared under the direction of
          Gregory Kutz, Director, Financial Management and Assurance. Other GAO
          contacts and key contributors are listed in appendix VII. Questions can be
          directed to Mr. Kutz at (202) 512-9505 or kutzg@gao.gov, or Stephen W.
          Lipscomb at (303) 572-7328, lipscombs@gao.gov, or

          Stephen W. Lipscomb
          U.S. General Accounting Office
          1244 Speer Blvd., Suite 800
          Denver, CO 80204

          Jeffrey C. Steinhoff
          Managing Director
          Financial Management and Assurance

          ¹ The term “organization,” as used throughout this guide, refers to a government, its divisions,
          or subdivisions (e.g., department, agency, activity, unit).
          ² The term “program,” as used throughout this guide, refers to a government purchase card
          program at the organization level.

TABLE OF CONTENTS

Preface

Section 1: Introduction
 OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY
 GOVERNMENT PURCHASE CARD PROGRAMS
 GAO’S APPROACH TO AUDITING PURCHASE CARD PROGRAMS
 THE APPLICABILITY OF AUDITING STANDARDS

Section 2: Understanding the Purchase Card Program
 THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES
   Potentially Fraudulent, Improper, or Abusive Purchases
   Indications and Categories of Fraud
 RELEVANT LAWS AND REGULATIONS
   Establishment and Operation of the Purchase Card Program
   Procurement Methods and Standards
   Purposes for which an Organization’s Appropriations May Be Used
 THE ORGANIZATION’S OPERATIONS AND PROGRAMS
   Understanding the Organization’s Operations
   Understanding the Organization’s Purchase Card Program
   Understanding the Bank Service Provider’s Program
 INTERNAL CONTROL AND THE CONTROL ENVIRONMENT
   The Standards of Internal Control
   Testing Key Elements of the Control Environment

Section 3: Making, Documenting, and Using the Preliminary Assessment
 ASSESSING THE ADEQUACY OF THE DESIGN OF CONTROL ACTIVITIES
 USING THE PRELIMINARY ASSESSMENT

Section 4: Testing the Effectiveness of Key Control Activities
 OBTAINING TRANSACTION DATA
   Coordinating with the Bank Service Provider
 SELECTING PURCHASE CARD TRANSACTIONS
   Considerations in Designing a Statistical Sample
   The Sampling Plan
   Extracting Selected Transaction Data Elements
   Reporting Sample Results
   Analysis of Results from Statistical Samples
 OBTAINING DOCUMENTATION EVIDENCING PERFORMANCE OF CONTROL ACTIVITIES
   Obtaining Documentation from the Organization
   Evidence of Performance
 TESTING CONTROL ACTIVITIES
   Transaction Control Activities

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases
 DATA MINING FOR DETECTION, ILLUSTRATION, AND DISCLOSURE
 FOLLOW-UP AND INVESTIGATION
   Follow-up
   Referral for Investigation

Appendixes
 APPENDIX I – SELECTED RELEVANT GAO REPORTS AND TESTIMONIES
 APPENDIX II – SELECTED RELEVANT LAWS AND REGULATIONS
 APPENDIX III – EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE (REQUEST THROUGH PAYMENT)
 APPENDIX IV – EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART
 APPENDIX V – EXAMPLE AUDIT PROGRAM
 APPENDIX VI – GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE CARD FRAUD
 APPENDIX VII – GAO CONTACT AND STAFF ACKNOWLEDGMENTS

Section 1: Introduction




                    Federal government purchase card programs, which have been in existence
                    governmentwide since 1989, were established to streamline federal agency
                    acquisition processes by providing a low-cost, efficient vehicle for obtaining
                    goods and services directly from vendors. As shown by the chart, purchase
                    card programs have experienced dramatic growth and accounted for $15.2
                    billion in government expenditures in fiscal year 2002.




                    With the establishment in 1998 of the General Services Administration’s
                    (GSA) SmartPay® program, federal agencies had a new way to pay for
                    commercial goods and services. GSA negotiated charge card service
                    provider contracts with five commercial banks: Citibank, First National
                    Bank of Chicago, Mellon Bank, NationsBank, and U.S. Bank. Federal
                    government departments and agencies were to choose the service provider
                    with capabilities meeting agency requirements.

                    Purchase card programs are widespread throughout the federal government
                    and range in size from the Department of Defense (DOD) with 214,000
                    cardholders and $6.8 billion of fiscal year 2002 purchases, to the U.S. Tax
                    Court with 1 cardholder and $102,000 of fiscal year 2002 purchases.
                    However, the design and implementation of internal control did not keep up
                    with the growth in the programs audited by GAO (see app. I – Selected
                    Relevant GAO Reports and Testimonies). With the increase in purchase
                    card use came increases in risk; revelations of significant weaknesses in
                    internal control; and resulting fraudulent, improper, and abusive purchases.



OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY

                          The primary objective of this guide is to provide practical guidance for
                          consideration in performance audits and investigations of government
                          purchase card programs. The guide provides auditors and fraud
                          investigators with a basis for understanding the operations, risks, and
                          internal control of a government purchase card program, which in turn
                          provides a basis for conducting investigations of fraud in a government
                          purchase card program. Although this guide is primarily an audit and
                          investigative guide, it can also be applied by program management oversight
                          personnel in assessing the adequacy of policies, procedures, and internal
                          controls and conducting ongoing monitoring of adherence to internal
                          control activities. In that context, the use of the term “auditor” throughout
                          this guide is intended to include program management oversight personnel
                          as well as internal and external auditors. While this guide is based on
                          approaches and methodologies developed in audits of federal purchase card
                          programs, the basic concepts and criteria may also be applicable to state
                          and local government purchase card programs. This guide

                          •     focuses on auditing the internal control policies, procedures, and
                                activities designed primarily to prevent or detect fraudulent, improper,
                                and abusive purchase card transactions in government purchase card
                                programs;
                          •     seeks to foster critical, creative thinking by auditors, investigators, and
                                management personnel responsible for identifying risks and
                                opportunities open to those who would misuse purchase cards;
                          •     provides practical guidance in identifying potentially fraudulent,
                                improper, and abusive purchase card transactions and in conducting
                                the appropriate follow-up and investigation; and
                          •     illustrates the benefits of involving fraud investigators in the planning
                                and execution of audit procedures.
                          The guide is intended to supplement existing guidance³ for review and
                          oversight of federal government purchase card programs. Different parties
                          may accomplish audits of purchase card programs for different purposes.
                          Law, regulation, or third party request may direct external and internal
                          auditors to accomplish a performance or other audit in accordance with
                          generally accepted government auditing standards (GAGAS).⁴

                          The guide is not intended to and does not provide guidance sufficient to
                          address all potential purchase card program performance audit objectives
                          (e.g., economy and efficiency, compliance with legal or other requirements).
                          The guide is also not intended to comprehensively address all five of the
                          standards of internal control⁵ (e.g., management’s risk assessment,
                          information and communication). In addition, the guide is not intended to
                          and does not provide guidance sufficient to develop investigative cases that
                          establish evidence to prove specific allegations of criminal wrongdoing.

                          ³ President’s Council on Integrity and Efficiency, A Practical Guide for Reviewing
                          Government Purchase Card Programs (Washington, D.C.: June 2002), and U.S. General
                          Services Administration, GSA SmartPay®, Blueprint for Success: Purchase Card Oversight
                          (Arlington, Va.: April 2002).
                          ⁴ U.S. General Accounting Office, Government Auditing Standards – 2003 Revision,
                          GAO-03-673G (Washington, D.C.: June 2003).
                          ⁵ U.S. General Accounting Office, Standards for Internal Control in the Federal Government,
                          GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), 7.

GOVERNMENT PURCHASE CARD PROGRAMS

                           The operations and controls of government purchase card programs can
                           vary among organizations. However, the Department of the Treasury’s
                           Financial Manual⁶ prescribes procedures (illustrated in fig. 1), including
                           program controls and invoice payment, that apply to all departments and
                           agencies that use government purchase cards. Additionally, the Federal
                           Acquisition Regulation (FAR), which prescribes acquisition policies and
                           procedures for all executive agencies, provides that agencies are to establish
                           procedures for use and control of the card that comply with the Treasury
                           Financial Manual.⁷




                           The manual further states that, with some exceptions, small purchases of up
                           to $25,000⁸ should be made using the government purchase card and
                           establishes key control activities, personnel, and their roles, including the
                           following.

                               •   A written delegation of authority is to be issued by responsible agency
                                   personnel that establishes authorized cardholder(s)⁹ and specifies
                                   spending and usage limitations unique to the cardholders.


                           ⁶ U.S. Department of Treasury, Treasury Financial Manual, Vol. 1 - Part 4 - Chapter 4500,
                           Government Purchase Cards (Washington, D.C.: May 2003),
                           http://www.fms.treas.gov/tfm/vol1/v1p4c450.txt (viewed May 2003).
                           ⁷ 48 C.F.R. § 13.301(b) (2002).
                           ⁸ See the Relevant Laws and Regulations section of this guide for further information on FAR
                           provisions applicable to specific purchase amounts.
                           ⁹ FAR allows personnel other than warranted contracting officers to use the purchase card.
                           48 C.F.R. §§ 1.603-3(b) and 13.301(a) (2002).

 •   The cardholder is the government employee to whom a government
     purchase card, bearing the employee's name, is issued. The card can
     be used only by that employee for official purchases, in adherence with
     agency regulations.

 •   The cardholder statement listing all transactions during the billing
     period is sent to each cardholder.

 •   The approving official (AO) reviews cardholder statements, is
     responsible for authorizing cardholder purchases (for official use only),
     and ensures that statements are reconciled and submitted to the
     designated billing office in a timely manner.

 •   A designated billing office receives the official invoice—a designated
     billing office report listing all cardholder charges for the area the office
     serves—and ensures its payment in accordance with Prompt Payment
     Act deadlines.

The manual requires each agency to develop its own internal procedures for
using the purchase card and establishes processing and internal controls
that must be in place prior to using the government purchase card, including
the following.

 •   Designate an office (usually the procurement office) to manage the
     program and ensure that (1) training required for all cardholders, AOs,
     and other employees involved in the program is provided, (2) a current
     list of cardholders and AOs is maintained, and (3) an annual oversight
     review of the program is conducted. (The position is generally referred
     to as the agency program coordinator (APC) in DOD purchase card
     programs.)

 •   Establish procedures for (1) the timely submission of cardholder
     statements to the agency designated billing office, (2) maintaining
     security of the cards, (3) handling disputes and returned, refused,
     damaged, or unacceptable items and partial deliveries, and (4)
     renewing purchase cards.

The manual also provides that invoices, payments, access and review of
account and master file data, and reports may be accomplished
electronically, and that electronic funds transfer should be adopted as the
standard method of payment for all federal program payments originated by
agencies or their agents.

The Treasury Financial Manual and FAR requirements would apply to all
purchase card transactions, including convenience check transactions—
courtesy checks provided by the purchase card-issuing bank—that are
charged to a related purchase card account.




GAO’S APPROACH TO AUDITING PURCHASE CARD PROGRAMS

                             The approach presented in this guide is based on GAO’s experience in
                             auditing internal control over government purchase card programs at the
                             Departments of Defense, Education, Housing and Urban Development, and
                             other federal agencies (see app. I – Selected Relevant GAO Reports and
                             Testimonies). In general, GAO’s approach is to (1) gain a thorough
                             understanding of the organization’s operations and purchase card program,
                             and relevant system of internal control, (2) based on that understanding,
                             and any needed additional review and analysis, make a preliminary
                             assessment of the adequacy of the design of the system of internal control,
                             (3) test the effectiveness of internal control using statistical sampling, and
                             (4) use data mining to detect instances of potentially fraudulent, improper,
                             and abusive transactions to illustrate the effects of breakdowns in internal
                             control.

                             GAO’s approach includes involving fraud investigators throughout the audit.
                             An experienced fraud investigator will bring valuable perspectives and
                             insight to the process of identifying opportunities for fraud in the program’s
                             operations and in evaluating the effectiveness of control activities. They can
                             also bring new and creative thinking to identifying the opportunities for
                             circumventing the existing controls. Fraud investigators should be involved
                             in the preliminary assessment process, designing tests of controls,
                             identifying criteria and relationships for data mining, and in follow-up of
                             potentially fraudulent transactions. Program policy and procedure
                             documents obtained and understandings gained of the purchase card
                             program and related internal controls should be made available to the fraud
                             investigator.




THE APPLICABILITY OF AUDITING STANDARDS

                       Auditors performing an audit in accordance with GAGAS for performance
                       audits are required to adhere to the general and fieldwork standards. These
                       standards can be found on GAO’s web site.¹⁰ The following three general
                       standards are key to providing assurance that integrity, objectivity, and
                       independence are adequate in planning, conducting, and reporting results of
                       audits.

                            Independence. Audit organizations and individual auditors, whether
                            government or public, are required to be free both in fact and
                            appearance from personal, external, and organizational impairments to
                            independence, in all matters relating to the audit work.

                            Professional judgment. Auditors complying with GAGAS are required
                            to use professional judgment in planning and performing audits and in
                            reporting the results.

                            Competence. Audit staff are required to collectively possess adequate
                            professional competence for the tasks required.

                       We encourage all users of this guide, including internal auditors and
                       program management oversight personnel, to (1) become familiar with these
                       standards and the basic concepts embodied in them, (2) consider their
                       relative applicability to the circumstances, and (3) apply them as
                       appropriate when using this guide.




                       ¹⁰ See <http://www.gao.gov/govaud/ybk01.htm>.

Section 2: Understanding the Purchase Card Program




                            Evaluating the adequacy of internal control designed to mitigate the risk of
                            fraudulent, improper, and abusive transactions requires the auditor to gain
                            an in-depth understanding of (1) the risk of fraud, (2) the relevant laws and
                            regulations, and (3) the specific organization’s mission activity operations
                            and its purchase card program operations (from purchase request to
                            payment). This in-depth understanding is necessary so that an auditor can
                            make a preliminary judgment about the adequacy of design of an
                            organization’s control activities.

THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES

                            The potential for fraudulent, improper, and abusive purchases in a purchase
                            card program should be viewed by management as a risk of significant
                            financial loss, possibly resulting in operational inefficiency and impairment
                            of mission readiness. This is particularly true in the government environment
                            where taxpayer dollars are at risk. Fraudulent, improper, and abusive
                            purchases often result directly from a lack of adherence to policies,
                            procedures, and control activities. This lack of adherence can
                            result in misuse of the card. As program personnel predisposed to misuse
                            the card become aware of such weaknesses, the door opens wider for
                            fraudulent, improper, and abusive purchases.

                            Repeated nonadherence to established internal control policies and
                            procedures, such as inadequate documentation of purchase card
                            transactions or supervisory reviews, may not constitute a violation of law or
                            regulation. However, if allowed to continue, they will contribute to an
                            erosion and weakening of the control system. Prompt administrative and
                            disciplinary actions (e.g., informal admonishment, formal reprimand,
                            additional required training, suspension of card privileges, cancellation of
                            the cardholder’s account, termination of employment) can be effective in
                            reducing persistent lack of adherence to policies and procedures by
                            cardholders and other program personnel. When administrative corrective
                            actions are taken and documented, program management, oversight
                            personnel, and auditors will be able to identify repeat offenders and
                            determine that appropriate steps are being taken to address potentially
                            significant problems before they escalate.

                            One organization’s actions included recommending remedial training and
                            suspension of repeat offenders’ purchase card accounts for lack of
                            adherence to internal control policies and procedures.

Potentially Fraudulent, Improper, or Abusive Purchases

                                 Our audits of purchase card programs detected transactions that were not in
                                 accordance with laws and regulations or were not appropriate or legitimate
                                 uses of government funds. The terms we used to characterize such
                                 purchases included potentially fraudulent, improper, and abusive purchases.
                                 The following are explanations of these terms as used in this guide.

                                    Fraudulent purchases. Use of the government purchase card to
                                    acquire goods or services that are unauthorized and intended for
                                    personal use or gain constitutes a fraud against the government. A
                                    cardholder’s unauthorized purchase of power tools for his home, a
                                    vendor’s intentional charges for services not provided, and the
                                    unauthorized use by a third party of a cardholder’s compromised or
                                    stolen account for personal gain are examples of fraudulent purchase
                                    card transactions. In GAO reports, these and similar purchase card
                                    transactions are generally referred to as “potentially fraudulent” unless
                                    there has already been a fraud conviction in a court of law.

                                    A cardholder made 62 unauthorized transactions totaling $12,832 to
                                    pay for repairs to a car and buy groceries, clothing, and various other
                                    items for personal use.

                                       Improper purchases. Government purchase card transactions that are
                                       intended for government use but are not permitted by law, regulation, or
                                       organization policy generally are considered improper. Examples
                                       include certain types of purchases of meals or refreshments for
                                       government employees within their normal duty stations,¹¹ purchases
                                       split to circumvent micropurchase or other single purchase limits, and
                                       purchases from other than statutorily designated sources, such as the
                                       Javits-Wagner-O’Day program (JWOD).¹²

                                       Day planners costing a total of $3,100 were purchased from Franklin
                                       Covey. One item cost $199 and another $250. In contrast, cardholders
                                       could have purchased day planners from JWOD for about $40.

                                       Abusive purchases. Purchases of authorized goods or services, at
                                       terms (e.g., price, quantity) that are excessive, are for a questionable
                                       government need, or both are considered abusive. Examples of such
                                       transactions include purchases of items such as $300 day planners, $350
                                       bedside radios, and allowable refreshments at excessive cost; purchases
                                       of designer leather goods; and year-end and other bulk purchases of
                                       computer and electronic equipment for a questionable government need.

                                       A cardholder purchased Bose bedside clock radios costing $349 each,
                                       when other models costing about $15 were available.

Indications and Categories of   Figure 2 shows key signs, signals, and patterns that indicate the potential for
Fraud                           fraud in a government purchase card program.

                                Figure 2: Signs, signals, and patterns indicating the potential for
                                fraud
                                • Weak management
                                • Weak internal controls
                                • History of impropriety
                                • Failure to follow legal or technical advice
                                • Promise of gain with little likelihood of being caught
                                • Unexplained decisions, transactions, or both
                                • Unethical leadership
                                • Missing or altered documents

                                Source: International Journal of Government Auditing.




                                GAO audits of government purchase card programs have reported
                                fraudulent and potentially fraudulent purchases by cardholders, vendors,
                                and third parties using compromised accounts falling into the following
                                broad categories of fraud.

                                       Theft involves property, facilities, and services. An authorized or
                                       unauthorized cardholder purchase of goods or services intended for
                                       personal use or gain is theft. Theft can also occur when an unauthorized
                                       user compromises a cardholder’s account by gaining knowledge of and
                                       using the purchase card account number.

                                       Sidebar: An inmate at a local county jail made three purchase card
                                       transactions at local florist shops on a government purchase card that
                                       had either been lost or stolen.




                                [11] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).
                                [12] JWOD establishes mandatory sources of supply for all federal entities. It requires federal
                                agencies to purchase supplies and services that are furnished by nonprofit agencies—such as
                                the National Industries for the Blind and NISH (serving people with a range of disabilities).

                                 Fictitious transactions can involve a single party (e.g., a cardholder
                                 supports the acquisition of goods or services for personal use with false
                                 documentation, or a vendor bills the government for goods or services
                                 never delivered). In addition, fictitious transactions can include
                                 collusion (e.g., a cardholder knowingly approves documentation
                                 supporting a vendor’s invoice for goods or services never provided, and
                                 the two share in the amount paid by the government). Although
                                 collusion can circumvent what otherwise might be effective internal
                                 control activities, a robust system of guidance, internal control activities,
                                 and oversight can provide reasonable assurance of preventing or quickly
                                 detecting fraud.

                                 Sidebar: A maintenance supervisor allegedly made $52,000 in fraudulent
                                 transactions to a suspect contractor for work that was not performed.

                                 Kickbacks may be offered by a vendor or solicited by a contractor or
                                 government buyer. Kickbacks in a government purchase card program
                                 can include collusion between a cardholder and a vendor. The
                                 cardholder makes authorized purchases from the vendor, who charges
                                 the government an excessive price and “kicks back” a percentage of the
                                 amounts received to the cardholder.

                                 Sidebar: Two purchase cardholders conspiring with at least seven
                                 vendors received kickbacks on purchases with inflated prices,
                                 quantities, or both. Criminal investigation resulted in confinement
                                 or restriction, a bad conduct discharge, and a reduction in rank.

                                 Conflict of interest is present when a government official participates
                                 in approving or deciding a matter in which the official or a relative has a
                                 financial interest. The potential for a conflict of interest in a purchase
                                 card transaction exists whenever a cardholder or a relative has a
                                 significant financial interest in a vendor or contractor. Purchases of
                                 goods or services from that vendor or contractor would be suspect and,
                                 if not prohibited by the organization, should require special review and
                                 approval prior to and subsequent to the purchase.

                                 Sidebar: A cardholder and his supervisor conspired to make nearly
                                 $400,000 in fraudulent purchases from companies owned by the
                                 supervisor, his sister, friends, and acquaintances.

                              The auditor should be aware of the potential for the previous categories of
                              fraud in the day-to-day operational risk of the organization. Fraudulent,
                              improper, and abusive purchases generally involve individual cardholders,
                              supervisors, approving officials, and vendors, and occasionally collusion
                              between them. Another source of fraudulent purchases of significant
                              concern occurs when an account is compromised (e.g., someone other than
                              authorized program personnel gains knowledge of account numbers). In
                              any event, a strong system of controls should guard against significant loss
                              to the government for all such potentially fraudulent, improper, and abusive
                              purchases. Any potentially fraudulent transaction detected should be
                              considered for follow-up, as discussed in the Follow-up and Investigation
                              section of this guide.

                              To better understand the risk of fraud within a specific organization’s
                              purchase card program, auditors and investigators should identify and study
                              known cases of such fraud. Summary memorandums prepared by fraud
                              investigators detailing the nature and extent of the suspected fraud, the
                              investigative process, the conclusions reached, and the actions taken can
                              provide valuable additional insight.




RELEVANT LAWS AND                A federal organization’s purchase card
REGULATIONS                      program must comply with the laws,
                                 regulations, contracts, and governmentwide
                                 and organizational policies and procedures
                                 that (1) govern the establishment and
                                 operation of the purchase card program, (2)
                                 prescribe procurement methods and
                                 standards, and (3) pertain to the purposes for
                                 which an organization’s appropriations and
                                 other sources of funds may be used. When
                                 evaluating the merits of individual purchases, all three areas should be
                                 considered. (See app. II – Selected Relevant Laws and Regulations.)

Establishment and Operation of   Federal organization purchase card programs operate under a
the Purchase Card Program        governmentwide GSA contract, the GSA SmartPay® Master Contract.
                                 Organization purchase card programs must comply with the terms of the
                                 contract and the task order under which the organization placed its order
                                 for purchase card services. Organization purchase card programs must also
                                 comply with Department of the Treasury regulations found in the Treasury
                                 Financial Manual, Volume I, Part 4-4500, “Government Purchase Cards.”
                                 FAR, 48 C.F.R. § 13.301(b) (2002), provides that agencies are to establish
                                 procedures for use and control of the card that comply with the Treasury
                                 Financial Manual and that are consistent with the terms and conditions of
                                 the current GSA credit card contract. Individual organizations may be
                                 subject to specific statutory criteria for the management of purchase cards
                                 (e.g., 10 U.S.C. § 2784, directing the Secretary of Defense to prescribe
                                 regulations governing the use of purchase cards). As such, each
                                 organization should have guidance concerning the implementation,
                                 establishment, and operation of its purchase card program.

Procurement Methods and          Purchases made with the purchase card should be made in accordance with
Standards                        generally applicable procurement laws, regulations, and organization
                                 procurement policies and procedures. FAR provides governmentwide
                                 policies and procedures for acquisition by all executive agencies. Agencies
                                 frequently issue supplemental acquisition regulations as well.

                                 Contracting activities carried out by the federal government generally must
                                 be conducted by warranted contracting officers; however, the purchase card
                                 may also be used by other government personnel for purchases at or below
                                 the micropurchase threshold. FAR provides that such individuals must be
                                 delegated the authority to do so in writing in accordance with organization
                                 procedures. Regardless of the value of a purchase, FAR prohibits
                                 cardholders from splitting organization needs into smaller purchases in
                                 order to circumvent applicable acquisition laws, regulations, and policies.
                                 Organization policies can also prohibit cardholders from splitting purchases
                                 into smaller purchases in order to avoid individual cardholder purchase
                                 limits.

                                 Sidebar: One cardholder split about $17,000 of purchases of boots on 1
                                 day into 8 transactions. Another cardholder split over $30,000 of
                                 purchases from an electronic supply store on 1 day into 14 transactions.
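
The split-purchase pattern described above can be tested for in transaction data. The following Python sketch is an added example, not part of the GAO guide: it groups charges by cardholder, vendor, and date and flags groups whose charges each fit under the single purchase limit but together exceed it. The record layout, function names, vendor names, and sample transactions are assumptions constructed for illustration; the $2,500 default is the micropurchase threshold the guide cites.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Micropurchase threshold cited in the guide ($2,500).
MICROPURCHASE_LIMIT = Decimal("2500")


@dataclass(frozen=True)
class Transaction:
    # Assumed record layout; a bank's electronic transaction file will differ.
    txn_id: str
    cardholder: str
    vendor: str
    txn_date: date
    amount: Decimal  # negative amounts are credits/refunds


@dataclass(frozen=True)
class SplitCandidate:
    cardholder: str
    vendor: str
    txn_date: date
    txn_ids: tuple
    total: Decimal
    limit: Decimal


def find_split_candidates(transactions, cardholder_limits=None,
                          default_limit=MICROPURCHASE_LIMIT):
    """Flag same-day, same-vendor purchases by one cardholder that each fit
    under the single purchase limit but together exceed it."""
    cardholder_limits = cardholder_limits or {}
    groups = defaultdict(list)
    for txn in transactions:
        groups[(txn.cardholder, txn.vendor, txn.txn_date)].append(txn)

    candidates = []
    for (cardholder, vendor, txn_date), group in groups.items():
        limit = cardholder_limits.get(cardholder, default_limit)
        # Credits and over-limit charges are left to other tests; they are not splits.
        under = [t for t in group if Decimal("0") < t.amount <= limit]
        total = sum((t.amount for t in under), Decimal("0"))
        if len(under) >= 2 and total > limit:
            candidates.append(SplitCandidate(
                cardholder, vendor, txn_date,
                tuple(sorted(t.txn_id for t in under)), total, limit))
    # Largest totals first so reviewers see the biggest exposure at the top.
    return sorted(candidates, key=lambda c: c.total, reverse=True)


def _txn(txn_id, cardholder, vendor, day, amount):
    return Transaction(txn_id, cardholder, vendor, date(2002, 9, day), Decimal(amount))


# Constructed sample data (not taken from the guide's audits).
SAMPLE_TRANSACTIONS = (
    # Eight same-day charges of $2,125 each: $17,000 in total.
    [_txn(f"T{n:03d}", "CH-001", "BOOT SUPPLY CO", 12, "2125.00") for n in range(1, 9)]
    + [
        _txn("T020", "CH-002", "OFFICE SUPPLY INC", 12, "310.40"),  # two small buys,
        _txn("T021", "CH-002", "OFFICE SUPPLY INC", 12, "88.15"),   # total under limit
        _txn("T030", "CH-003", "ELECTRO SUPPLY", 12, "2400.00"),    # same vendor but
        _txn("T031", "CH-003", "ELECTRO SUPPLY", 19, "2400.00"),    # a week apart
        _txn("T040", "CH-004", "HARDWARE MART", 12, "400.00"),
        _txn("T041", "CH-004", "HARDWARE MART", 12, "400.00"),
        _txn("T042", "CH-004", "HARDWARE MART", 12, "-400.00"),     # refund, not counted
    ]
)

if __name__ == "__main__":
    # CH-004 is assumed to have a $500 single purchase limit set by the organization.
    for c in find_split_candidates(SAMPLE_TRANSACTIONS, {"CH-004": Decimal("500")}):
        print(f"{c.cardholder} {c.vendor} {c.txn_date}: {len(c.txn_ids)} "
              f"transactions totaling ${c.total} against a ${c.limit} limit")
```

Flagged groups are candidates for follow-up against supporting documentation, not findings in themselves.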

                                 Authorized personnel may use the purchase card for purchases at or below
                                 the micropurchase threshold (currently $2,500, except that the limit is $2,000
                                 for certain construction costs).[13] Micropurchases are subject to the
                                 requirements of FAR Subpart 8, which provides that certain products be
                                 acquired from designated sources, including statutorily preferred vendors.
                                 Micropurchases must also be made in accordance with various laws and
                                 regulations concerning environmentally preferable products and services.
                                 Cardholders may make micropurchases without soliciting competitive
                                 quotations from vendors if they consider the price to be reasonable.
                                 However, cardholders are required to distribute micropurchases equally
                                 among qualified suppliers to the extent practicable.

                                 Sidebar: Despite representations that hotels were authorized to bill only
                                 for audiovisual equipment and conference room rental, detailed bills
                                 acquired by GAO auditors showed that about $7,000 was inappropriately
                                 expended for prohibited breakfasts, lunches, and snacks.

                                 For purchases above the micropurchase threshold, warranted contracting
                                 officers may use the purchase card to place and pay for orders against
                                 already existing contracts. For these larger transactions, the card is
                                 frequently referred to as a “payment card” because it pays for acquisitions
                                 made under a legally executed contract.

                                 [13] 48 C.F.R. §§ 2.101 and 13.201(g).

Purposes for which an           Individual purchases must be for a purpose allowable under an
Organization’s Appropriations   organization’s appropriations or other sources of funds (e.g.,
May Be Used                     nonappropriated funds) and must not otherwise be prohibited by law.
                                Organizations may use appropriated funds only for legitimate or bona fide
                                needs that arise in or continue to exist in the fiscal year(s) for which those
                                funds are appropriated. Agencies are restricted to purchasing only those
                                items that will be used during such fiscal year(s) except when they qualify
                                under certain categories, such as to maintain inventories of necessary items
                                at reasonable levels. However, agencies generally may not purchase items
                                in excessive amounts at the end of a fiscal year solely to avoid the
                                expiration of funds.

THE ORGANIZATION’S              Appropriately planning an audit and
OPERATIONS AND PROGRAMS         investigation of the internal control over an
                                organization’s purchase card program
                                requires a thorough understanding of

                                •      the organization’s mission activities and
                                       operations,
                                •      its purchase card program operations and
                                       the end-to-end flow of transactions
                                       through it from request to payment,
                                •      the system of internal control over the purchase card program, and
                                •      the environment in which the control activities operate.

                                Understanding the organization’s operations and its specific purchase card
                                program is critical in developing audit objectives and the scope and
                                methodology for the work needed to achieve them. In addition, issues such
                                as program significance, visibility, age, sensitivity, and the potential use of
                                audit results should be considered in the audit planning process.[14] Gaining
                                and documenting an understanding of the operations of a government
                                purchase card program can be accomplished in several ways, all of which
                                will require access to the appropriate personnel and relevant documents.
                                The first step should be to establish contact and coordinate that effort with
                                both the organization and the bank service provider.




                                14
                                     GAO-03-673G, ¶7.8 - 7.10.

                               One manner of obtaining access to operations and program personnel is to
                               coordinate audit arrangements with the organization’s management. Access
                               to the appropriate personnel and to written policies and procedures is
                               essential to understanding the organization’s operations, the purchase card
                               program, and internal controls. In addition, documentation evidencing
                               adherence to internal control policies and procedures will be necessary
                               when testing for performance of control activities. Further, access to
                               program personnel will be necessary to clarify information received and to
                               follow up on potentially fraudulent, improper, and abusive purchases.

Understanding the              Understanding the organization’s mission and objectives, and how those
Organization’s Operations      missions and objectives are accomplished, provides the auditor with critical
                               insight used in (1) developing audit objectives, (2) identifying opportunities
                               for purchase card fraud, (3) making preliminary assessments of the
                               adequacy of program controls, (4) designing tests of internal control, and (5)
                               identifying criteria for data mining. The understanding gained of the
                               organization’s operations might include

                               •   the nature and size of overall operations;
                               •   what the individual activities involved in the purchase card program do,
                                   and how they do it;
                               •   the general job descriptions, level of education, and number of personnel
                                   in those activities; and
                               •   the volume and appropriate type(s) of purchase activity to expect.

                               An understanding of the organization’s operations and activities can be
                               gained by interviews with operations personnel and by reviewing existing
                               documents such as program descriptions, policies and procedures, and
                               operations manuals.

Understanding the              The initial understanding of the organizational level purchase card program
Organization’s Purchase Card   (from request to payment) and the internal control at work throughout that
Program                        process ideally would be obtained from existing documents such as
                               purchase card program descriptions, policies and procedures, operational
                               manuals, or instructions. Interviews with program personnel can
                               supplement existing documented evidence of program operations and
                               controls, or establish a starting point if such documentation is insufficient or
                               nonexistent. In either circumstance, correctly structured interviews can be
                               a valuable source of inquiry to understand and clarify (1) the extent to
                               which control activities are in place and operating, (2) the environment in
                               which those controls operate, (3) the overall managerial organization and
                               operations of the program, and (4) the flow of purchase card transactions. A
                               Practical Guide for Reviewing Government Purchase Card Programs –
                               June 2002, by the President’s Council on Integrity and Efficiency, contains
                               interview guides, which will be helpful when conducting interviews for this
                               purpose. In addition, conducting walk-throughs of selected purchase card
                               transactions is a key process in (1) gaining a thorough understanding of the
                               program’s operations from purchase request to payment of the bill, (2)
                               identifying control points through that process, and (3) observing the
                               operation of control activities and transaction flows.

                               GAGAS require auditors to prepare documentation supporting significant
                               judgments and conclusions. Auditors should obtain or prepare narratives,
                               flowcharts, or both that summarize and document their understanding of the
                               organization’s purchase card program and the flow of typical purchase card
                                 transactions. Understanding how the purchase card program operates, the
                                 flow of transactions from request to payment, and the key controls over the
                                 entire end-to-end process form the basis for making preliminary judgments
                                 about the adequacy of the design of control activities and for designing tests
                                 of those controls. Narrative and flowchart documentation also provides
                                 effective communication of the processes and control points to other
                                 interested parties (e.g., audit staff, program management, oversight
                                 personnel). Appendixes III and IV of this guide provide example flowcharts
                                 of an organizational level structure for a federal government purchase card
                                 program and the end-to-end flow, and related narrative, of typical purchase
                                 card transactions through it.




Understanding the Bank Service   Coordinating the audit effort with the bank service provider might provide
Provider’s Program               the opportunity to gain an understanding of (1) the operation of the
                                 provider’s program, (2) the processes for purchase card authorization,
                                 issuance, and credit limits, (3) the transaction processing, review,
                                 authorization, and manual override (e.g., single transaction limits) system,
                                 (4) the merchant category code (MCC) blocking features and any manual
                                 override, and (5) the internal controls over these processes. Additionally, as
                                 shown in figure 3, the GSA SmartPay® master contract requires bank
                                 service providers to provide federal organizations with various ad hoc,
                                 standard commercial, and other reports specific to the purchase card
                                 program.




                                Figure 3: Agency/organization reports required by GSA’s
                                SmartPay® master contract to be provided by the bank service
                                provider

                                General reporting requirements
                                   Ad-hoc report generation capability
                                   Standard commercial reports

                                Additional essential reports
                                   The official invoice
                                   Invoice status report
                                   Transaction dispute report
                                   Pre-suspension/pre-cancellation report
                                   Suspension/cancellation report
                                   Renewal report
                                   Delinquency report
                                   Detailed electronic transaction file

                                Reporting specific to the Purchase Card Program
                                   Account activity report
                                   Statistical summary report
                                   Summary quarterly purchase report

                                Other agency reports
                                   Account activity report
                                   Master file report
                                   Statistical summary report
                                   Account change report
                                   Exception report
                                   Current accounts report
                                   1099 report information
                                   1057 report
                                   Payment performance and refund report
                                   Write-off report
                                   Summary quarterly merchant report
                                   Summary quarterly vendor analysis report
                                   Summary quarterly vendor ranking report

                                Source: GSA’s SmartPay® Master Contract, Section C.38 – Agency Reporting Requirements, and Section CC.12 – Agency Reporting
                                Requirements for the Purchase Card Program.



                           Conducting interviews with bank service provider personnel may provide
                           the necessary understanding of the provider’s purchase card operations,
                           processes, and controls, as well as valuable insights and understanding in
                           using the various reports being produced.

INTERNAL CONTROL AND THE   Internal control is an integral component of
CONTROL ENVIRONMENT        an organization’s purchase card program that
                           provides reasonable assurance that the
                           objectives of effective and efficient
                           operations and compliance with applicable
                           laws and regulations are being achieved. The
                           minimum level of quality acceptable for
                           internal control in a government purchase
                           card program is defined by the five standards
                           for internal control included in Standards for
                           Internal Control in the Federal Government.[15] Those standards, and
                           elements of the control environment standard that are significant in a
                           government purchase card program, are discussed in this section of the
                           guide.




                           15
                                GAO/AIMD-00-21.3.1.

The Standards of Internal     All of the following internal control standards are applicable to achieving
Control                       reasonable assurance that fraudulent, improper, and abusive purchases do
                              not have a significant adverse effect on the effectiveness or efficiency of a
                              government purchase card program.

                              •   The control environment. A positive control environment—the
                                  foundation for all other internal control standards—is established by
                                  management and employees creating and maintaining an environment
                                  throughout the organization that sets a positive and supportive attitude
                                  toward internal control and conscientious management. Specific key
                                  elements affecting the control environment of a purchase card program
                                  are discussed in more detail later in this section.

                              •   Management’s risk assessment. Internal control should provide for
                                  an assessment of the risks the organization faces, from both external and
                                  internal sources, and identify and deal with any special risks prompted
                                  by changes in economic, industry, regulatory, and operating conditions.

                              •   Control activities. Control activities are the policies, procedures,
                                  techniques, and mechanisms that enforce management’s directives and
                                  help ensure that actions are taken to address risks. Control activities in
                                  a government purchase card program include a wide range of diverse
                                  activities, such as approvals, authorizations, verifications,
                                  reconciliations, reviews, and creation and maintenance of related
                                  records that provide evidence of execution of these activities. Specific
                                  transaction-level control activities significant to a purchase card
                                  program are discussed in more detail in the Transaction Control
                                  Activities section of this guide.

                              •   Information and communications. Information should be recorded
                                  and communicated to government purchase card program managers and
                                  others within the program who need it in a form and within a time frame
                                  that enables them to carry out their internal control and other
                                  responsibilities.

                              •   Monitoring. Ongoing monitoring—regular management and
                                  supervisory activities, comparisons, reconciliations, and other actions
                                  people take in performing their duties—should be performed continually
                                  and be ingrained in the normal operations of a government purchase
                                  card program (e.g., review and analysis of bank service provider reports,
                                  periodic reviews for adherence to program policies and procedures,
                                  review and follow-up of audit findings).


Testing Key Elements of the   Recent GAO purchase card audit reports have identified the following six
Control Environment           elements as significantly affecting the control environment surrounding a
                              purchase card program:

                              •   management’s philosophy (tone at the top),
                              •   span of control,
                              •   financial exposure,
                              •   training,
                             •   discipline, and
                             •   purchasing and reviewing authorities.

                             This guide discusses each of these elements, the relevant documentation,
                             and tests that the auditor can perform. Testing of some of these elements of
                             the control environment can be accomplished either before the preliminary
                             assessment is completed or later as part of testing the effectiveness of
                             control activities.

                             Testing of these elements of the control environment is accomplished
                             through analytical, sampling, and nonsampling methods as discussed in each
                             element. Analytical testing is accomplished by utilizing electronic reports,
                             data files, and other data obtained from the bank service provider and the
                             organization. The discussion of some of these elements identifies them as
                             lending themselves to efficient testing in conjunction with transaction-level
                             control activity tests, discussed in the Transaction Control Activities section
                             of this guide. Therefore, the data needed to conduct tests of these elements
                             should be obtained for each cardholder and approving official for purchase
                             card transactions selected for transaction-level control activity testing.

                             Management’s philosophy and operating style, sometimes referred to as tone at
                             the top, determines the degree of risk the organization is willing to take in
                             operations and programs. The attitude and philosophy of management toward
                             information systems, accounting, personnel functions, monitoring, and audits
                             and evaluations can have a profound effect on internal control.

                             In a recent GAO audit, management’s proactive attitude in implementing change
                             was credited for establishing a positive control environment at one unit, in
                             contrast to another unit where management supported the status quo of weak
                             control, effectively diminishing the likelihood of substantive change.

                             Insights gained by the auditor through interviews conducted with program
                             personnel and review of prior audit findings and management’s responses
                             will assist in assessing this element of internal control. Professional
                             judgment is necessary when attempting to assess the effect of tone at the
                             top, positive or negative, on internal control and on the design of control
                             activities. Tests of transaction-level control activities and follow-up of
                             potentially fraudulent, improper, and abusive purchases may provide the
                             auditor with additional insight into the tone at the top.

                             Span of control, in a government purchase card program, refers to the extent
                             of review responsibilities placed on a single AO for the purchase card
                             transactions of one or more cardholders.

                             In response to a GAO report criticizing an unreasonable 1,153:1 ratio of
                             cardholders to approving official, the department issued guidance limiting
                             this span of control ratio to 7:1 for all its agencies.

                             In establishing the reasonableness of this responsibility, the auditor should
                             consider (1) the number of cardholders assigned, (2) the number and
                             complexity of purchase card transactions being reviewed each billing period,
                             and (3) perhaps the most potentially detrimental, demands of other
                             responsibilities assigned to the approving official. Additional insight into
                             the reasonableness of these relationships can be obtained during interviews
                             with cardholders and AOs and during control tests of selected transactions.



                              The auditor should consider independently evaluating the reasonableness of
                              existing span of control relationships by obtaining bank service provider
                              reports containing the information necessary to determine the number of
                              cardholders assigned to individual AOs.

                              The total number of authorized cardholders in the organization, their single
                              transaction and monthly credit limits, and the AO credit limits directly
                              affect the financial responsibility of the individuals involved and the
                              extent of potential loss to the organization from fraudulent, improper, and
                              abusive purchases. Financial exposure in a government purchase card program
                              can become excessive when management does not exercise judgment and
                              restraint in issuing purchase cards and in determining single purchase and
                              monthly credit limits. We have found that by limiting the number of purchase
                              cards and related credit limits to the levels necessary to meet operational
                              requirements, an agency can better manage and control its purchase card
                              program.

                              Two related organizations provided purchase cards with credit limits of
                              $20,000 or more to over 1,700 employees, resulting in an excessive monthly
                              financial exposure of over $34 million, while actual monthly purchases
                              amounted to only about $6 million.

                              Purchase cards should be issued in controlled, limited quantities (e.g.,
                              special justification and authorization for more than one card per
                              cardholder) and only to government employees with legitimate needs to
                              have the cards. Single purchase and monthly credit limits should be
                              established based on the expected monthly purchases of the cardholder.
                              Both of these determinations require an objective effort by operational
                              supervisors and management, with assistance from purchase card program
                              management, to evaluate the existing and continuing needs of operations
                              and cardholders.

                              The auditor should evaluate management’s process for establishing the
                              number of cardholders and their credit limits reasonably necessary to
                              operational requirements. Documentation of management’s decision-
                              making process should be obtained and reviewed for propriety. Examples
                              of management’s consideration of objective, analytical data include the
                              following.

                              •   Supervisory review of cardholder purchase history, both number of
                                  transactions and dollars purchased (very few purchase transactions in
                                  the previous year might indicate the lack of a need for the card, while
                                  lower than expected dollar volume of purchases might indicate a lower
                                  reasonable cardholder credit limit).

                              •   Annual positive assertions by supervisors, managers, or both of
                                  continuing cardholder needs, both for the card and for the related credit
                                  limits.

                              The auditor should consider independently evaluating the reasonableness of
                              the organization’s existing financial exposure by obtaining bank service
                              provider reports—which provide information necessary to determine the
                              total cardholder monthly credit limits—and comparing that total to the
                              organization’s average monthly and highest monthly purchase card
                              expenditures.
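
The independent evaluations described above (cardholders per AO, cardholder purchase history against limits, and total monthly credit limits against average and highest monthly expenditures) can be run directly on a bank service provider extract. The following is an added illustration, not part of the GAO guide; the column names, sample rows, and the thresholds passed to each function are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed extract standing in for a bank service provider account report.
# Column names are hypothetical; real report layouts vary by provider.
ACCOUNT_REPORT = """\
account,cardholder,approving_official,monthly_limit,txns_12mo,peak_month_spend
4001,CH-01,AO-A,20000,96,9500
4002,CH-02,AO-A,20000,2,400
4003,CH-03,AO-A,5000,40,4100
4004,CH-04,AO-A,5000,0,0
4005,CH-05,AO-B,10000,55,6000
4006,CH-06,AO-B,2500,30,2400
4007,CH-01,AO-B,40000,12,3000
"""

# Constructed organization-wide purchase card expenditures by month (dollars).
MONTHLY_SPEND = {"2002-10": 9000, "2002-11": 14000, "2002-12": 22000, "2003-01": 11000}


def load_accounts(text):
    """Parse the report and convert the numeric columns to integers."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("monthly_limit", "txns_12mo", "peak_month_spend"):
            row[field] = int(row[field])
        accounts.append(row)
    return accounts


def span_of_control(accounts, max_cardholders):
    """Count distinct cardholders per AO and list AOs above the threshold."""
    by_ao = defaultdict(set)
    for r in accounts:
        by_ao[r["approving_official"]].add(r["cardholder"])
    counts = {ao: len(holders) for ao, holders in by_ao.items()}
    over = sorted(ao for ao, n in counts.items() if n > max_cardholders)
    return counts, over


def financial_exposure(accounts, monthly_spend):
    """Compare total monthly credit limits with average and highest spending."""
    total = sum(r["monthly_limit"] for r in accounts)
    average = mean(monthly_spend.values())
    highest = max(monthly_spend.values())
    return {
        "total_limits": total,
        "average_spend": average,
        "highest_spend": highest,
        "limit_to_average": total / average,
        "limit_to_highest": total / highest,
    }


def review_candidates(accounts, min_txns, min_utilization):
    """Flag accounts whose purchase history does not support the card or limit.

    Few transactions may indicate no need for the card; a peak month far
    below the limit may indicate a lower reasonable credit limit.
    """
    flagged = {}
    for r in accounts:
        if r["txns_12mo"] < min_txns:
            flagged[r["account"]] = "few transactions"
        elif r["peak_month_spend"] < min_utilization * r["monthly_limit"]:
            flagged[r["account"]] = "limit exceeds use"
    return flagged


ACCOUNTS = load_accounts(ACCOUNT_REPORT)

if __name__ == "__main__":
    counts, over = span_of_control(ACCOUNTS, max_cardholders=3)
    print("cardholders per AO:", counts, "over threshold:", over)
    print("exposure:", financial_exposure(ACCOUNTS, MONTHLY_SPEND))
    print("review:", review_candidates(ACCOUNTS, min_txns=4, min_utilization=0.25))
```

The counts are of distinct cardholders; where one person holds accounts with different purchasing authorities, counting accounts instead gives the AO's review workload.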


                            Management should identify the appropriate knowledge and skills needed in
                            the purchase card program, require the needed training, and maintain
                            documentation evidencing that required training is current for all program
                            personnel. The extent and type of training provided should vary in relation to
                            authority and responsibility in the program and to the amount of transaction
                            authorization given to the cardholder. At a minimum, a cardholder should
                            receive the standard purchase cardholder training provided by the
                            organization or GSA before receiving a purchase card. [16] Periodic (biannual)
                            refresher training provided to cardholders can be beneficial in maintaining
                            their knowledge and awareness of control activities.

                            Of approximately $68 million in fiscal year 2000 purchase card transactions
                            at two related organizations, approximately $17.7 million (26 percent) were
                            made by cardholders for whom there was no documented evidence of required
                            initial or refresher purchase card training.

                            The auditor should obtain and evaluate documentation evidencing
                            adherence with this element of the control environment for the cardholders
                            and AOs related to and in conjunction with transactions selected for tests of
                            transaction-level control activities. Both the appropriateness of training
                            received as well as the attributes discussed below can be reviewed when
                            evaluating this element of the control environment. Training documentation
                            and relevant attributes to consider include the following.

                            •    Certificates/record of training, for both initial and refresher courses,
                                 should clearly show (1) the type of training received (e.g., instructor led,
                                 computer based, internet based), (2) that the training was relevant to the
                                 purchase card program, (3) that the training was appropriate to the level
                                 of authorized spending and program authority of the individual, (4) the
                                 signature of the cardholder and the instructor (if applicable), (5) that the
                                 date of initial training is prior to purchase card account activation, and
                                 (6) that the date of refresher training is within the required period.

                            •    Centralized training records, or a database of cardholder, AO, and APC
                                 training should (1) provide detailed information similar to that
                                 contemplated above for certificates of training and (2) be available to
                                 the appropriate levels of program management to facilitate monitoring
                                 of adherence to program training requirements. The auditor should
                                 consider assessing the adequacy of centralized training records by
                                 tracing cardholders and AOs associated with the purchase card
                                 transactions selected for control tests to such records. Testing in
                                 association with transaction control tests is desirable because selecting
                                 and testing a representative sample from the centralized records would
                                 not identify cardholders and others who have not received training and
                                 are therefore not in the centralized records. Inquiries and other
                                 corroborating evidence could provide confirmation that centralized
                                 training records or databases are current, and are being used to monitor
                                 adherence to training requirements.
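
Tracing from the selected transactions to the training records, as recommended above, surfaces people who are absent from the records entirely, which a sample drawn from the records cannot do. This added illustration is not part of the GAO guide; the record layout, sample data, and the 730-day refresher period are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Constructed centralized training records: (person, course kind, completion date).
TRAINING = [
    ("CH-01", "initial", date(2001, 3, 1)),
    ("CH-01", "refresher", date(2002, 9, 15)),
    ("CH-02", "initial", date(2002, 6, 20)),
    ("AO-A", "initial", date(1999, 1, 10)),
]

# Constructed purchase card account activation dates per cardholder.
ACTIVATION = {
    "CH-01": date(2001, 3, 15),
    "CH-02": date(2002, 6, 1),
    "CH-03": date(2002, 1, 5),
}

# Constructed transactions already selected for transaction-level control tests.
SELECTED_TXNS = [
    {"id": "T1", "cardholder": "CH-01", "ao": "AO-A", "date": date(2003, 2, 3)},
    {"id": "T2", "cardholder": "CH-02", "ao": "AO-A", "date": date(2003, 2, 10)},
    {"id": "T3", "cardholder": "CH-03", "ao": "AO-B", "date": date(2003, 3, 1)},
]

NO_RECORD = "no training record"
LATE_INITIAL = "initial training not before activation"
NOT_CURRENT = "training not current at transaction date"


def training_exceptions(txns, training, activation, refresher_days):
    """Trace each selected transaction's cardholder and AO to the records."""
    by_person = {}
    for person, kind, when in training:
        by_person.setdefault(person, []).append((kind, when))

    findings = []
    for t in txns:
        for role, person in (("cardholder", t["cardholder"]), ("ao", t["ao"])):
            records = by_person.get(person, [])
            if not records:
                findings.append((t["id"], person, NO_RECORD))
                continue
            if role == "cardholder":
                # Attribute (5): initial training dated prior to activation.
                initial = [d for k, d in records if k == "initial"]
                activated = activation.get(person)
                if not initial or activated is None or min(initial) >= activated:
                    findings.append((t["id"], person, LATE_INITIAL))
            # Attribute (6): most recent training within the required period.
            taken = [d for _, d in records if d <= t["date"]]
            if not taken or t["date"] - max(taken) > timedelta(days=refresher_days):
                findings.append((t["id"], person, NOT_CURRENT))
    return findings


def missed_by_record_sampling(txns, training):
    """People on selected transactions who never appear in the records."""
    on_transactions = {t["cardholder"] for t in txns} | {t["ao"] for t in txns}
    in_records = {person for person, _, _ in training}
    return sorted(on_transactions - in_records)


if __name__ == "__main__":
    for finding in training_exceptions(SELECTED_TXNS, TRAINING, ACTIVATION, 730):
        print(finding)
    print("absent from records:", missed_by_record_sampling(SELECTED_TXNS, TRAINING))
```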




                            [16] The GSA web site
                            (http://www.fss.gsa.gov/webtraining/trainingdocs/smartpaytraining/index.cfm) provides
                            access to relevant purchase card training materials.

                            Candid and constructive counseling, performance appraisals, and discipline
                            can provide reinforcement of the system of internal control. Internal control
                            policies and procedures should identify the specific actions or lack of
                            adherence to internal control within the purchase card program that warrants
                            counseling, discipline, or both.

                            The auditor should obtain and evaluate documentation evidencing this
                            element of the control environment for the cardholders and AOs related to
                            and in conjunction with transactions selected for tests of transaction-level
                            control activities. The documentation and relevant attributes of discipline to
                            consider evaluating fall into two general categories:

                            •   Constructive counseling might be provided to cardholders and AOs in
                                response to isolated instances of lack of adherence to internal control
                                policies, procedures, and activities. The auditor should obtain and
                                review for propriety documentation of counseling provided for isolated
                                instances of lack of adherence to controls detected in the transactions
                                selected for control testing.

                            •   Disciplinary actions to be taken in response to recurring or persistent
                                lack of adherence to internal controls and specific consequences for
                                improper and abusive purchases should be adopted by the organization
                                as part of the system of internal control. Such consequences can vary
                                with the severity and persistence of the policy violation, and might
                                include formal and informal reprimands, suspension or cancellation of
                                the purchase card account, termination of employment, and referral to
                                investigative authorities in cases of suspected fraud. Instances
                                warranting discipline should be documented and included in personnel
                                files and, if applicable, performance appraisals. The auditor should
                                obtain and review documentation of disciplinary actions taken for
                                instances of significant lack of adherence to controls and for improper
                                and abusive purchases detected during the control activities testing.
                                Documentation should also be obtained of all cases of detected potential
                                fraud occurring during the period under audit and included in
                                considerations for follow-up, as discussed in the Follow-up and
                                Investigation section of this guide. Disciplinary actions alone may be an
                                insufficient response to detected fraud. For that reason, instances of
                                fraud that are declined for prosecution and referred to management for
                                disciplinary action should be followed up to ensure that, in the
                                professional judgment of the auditor, appropriate actions were taken by
                                organization management.

                            A GAO audit found that despite agency operating instructions providing for
                            restitution and revocation of card privileges, repeat violators of regulations
                            and internal controls did not lose their purchase cards and did not repay
                            the government for unauthorized purchases.

                                                             In a government purchase card program,
                                                             purchasing authority establishes a
                                                             cardholder’s authority to possess and use a
                                                             government purchase card. It also
                                                             establishes the cardholder’s single-
                                                             transaction and credit limits. Some
                                                             organizations will assign different spending
                                                             limit authorities to the same cardholder,
which apply to different uses of the card. For example, a cardholder who is
a warranted contracting officer is assigned two purchasing authorities, on
either a single or on two different purchase card accounts: (1) a $2,500
single-transaction limit with a $40,000 monthly purchase limit for purchases
of goods or services and (2) a $100,000 single-transaction limit with a
$500,000 credit limit for use of the purchase card as a method of payment on
a preexisting contract. Authority is also established for AOs to review and
authorize payment of cardholder accounts. AO authority should also
identify the specific cardholder(s) for which review and certification
responsibilities have been assigned. GAO has suggested that AO’s credit
limits relate to the total cumulative monthly purchasing limits of the
cardholders assigned to them.

The auditor should obtain and evaluate documentation evidencing this
element of the control environment for the cardholders and AOs related to
and in conjunction with transactions selected for tests of transaction-level
control activities. For evaluation and testing purposes, each level of
purchasing authority given to a cardholder (e.g., $2,500 single-transaction
limit for local vendor purchases, $100,000 limit for purchases on an existing
contract) should be deemed a separate cardholder.

Documentation evidencing purchasing authority for cardholders, and review
and certification authority for AOs, should be obtained and evaluated for
instances of significant lack of adherence to controls, including (1)
documentation of the cardholder’s purchasing authorization (e.g.,
organizational standard form) dated prior to the transaction date and (2)
documentation of the AO’s authorization (e.g., organizational standard form)
dated prior to the transaction date. Attributes that the auditor should
consider reviewing when evaluating the effectiveness of this control include
the following: (1) the date of the purchase transaction, compared to the date
of the cardholder’s purchasing authority, compared to the date of the AO’s
authorization, (2) the amount of the transaction, compared to the amount of
the cardholder’s single transaction authority, (3) the total amount of the
cardholder’s billing statement, compared to the cardholder’s and AO’s
authorized credit limits, (4) the cardholder account single-transaction and
credit limit carried in the bank’s system, compared to those authorized in
the cardholder’s purchasing authority, and (5) that the AO’s assignment of
responsibility includes the specific cardholder’s account.




Section 3: Making, Documenting, and Using the Preliminary
Assessment




                            The preliminary assessment is a critical analysis of whether, in the
                            professional judgment of the auditor, the existing internal control policies,
                            procedures, and activities as designed, if in place and operating, will provide
                            management with reasonable assurance that significant fraudulent,
                            improper, and abusive purchases will be prevented or promptly detected. A
                            preliminary assessment of the organization’s plan of internal control will
                            assist the auditor in (1) identifying significant weaknesses in designed
                            control activities, (2) planning and designing control tests, and (3)
                            identifying data-mining criteria.

                            The auditor, considering the overall control environment, should make a
                            critical comparison of the risk/opportunities for fraudulent, improper, and
                            abusive purchases and the internal control policies, procedures, and
                            activities designed to guard against them. The knowledge gained in the
                            Understanding Operations and Programs section of this guide will provide
                            information useful in the preliminary assessment of internal control. In
                            some circumstances, this information may need to be supplemented with
                            additional inquiries, observations, and nonsampling tests of controls. When
                            reaching conclusions in the preliminary assessment, the auditor should also
                            consider the bank service provider’s systems and controls, the audit
                            objectives, prior audit findings and recommendations, and management's
                            responses and corrective actions taken.

ASSESSING THE ADEQUACY OF   Our audits of purchase card programs have
THE DESIGN OF CONTROL       identified (1) the determination of a
ACTIVITIES                  legitimate government need, (2) screening
                            for required sources of supply, (3)
                            independent receipt and acceptance, (4)
                            establishing accountability over certain
                            property, (5) cardholder reconciliation, and
                            (6) AO review as key transaction-level
                            control activities in mitigating the risk of
                            fraudulent, improper, and abusive purchases. These key control activities
                            should be included in the auditor’s preliminary assessment of the adequacy
                            of the design of control activities. It will also be helpful to the auditor’s
                            critical comparison process to prepare a list of the identified
                            risk/opportunities for potentially fraudulent, improper, and abusive
                            purchases to occur and a list of the existing relevant control activities. An
                            individual control activity will probably address multiple risks of potentially
                            fraudulent, improper, and abusive purchases, and an individual risk may be
                            addressed by more than one control activity. Therefore, a simple one-to-one
                            comparison will probably not be effective. For example, the control activity
                            of independent receipt and acceptance can be instrumental in mitigating the
risk of paying for services not performed, as well as mitigating the risk of
purchased accountable property not being recorded in the organization’s
property record system.

One way to proceed is to prepare a simple schedule, as illustrated in figure
4, which lists the identified risk/opportunities for potentially fraudulent,
improper, and abusive purchases and provides space for identifying (1) the
related control activities, (2) the auditor’s preliminary assessment
conclusions, (3) the effects on the design of audit control tests, and (4)
potential criteria for audit data mining.

Figure 4: Illustration of the process of assessing and concluding on the
adequacy of designed control activities
------------------------------------------------------------------------------------------------------------
Identified                 Control activities    Auditor’s conclusion    Effect on design of    Identified
risk/opportunity for       (in order of          on adequacy of design   audit control tests    potential
potentially fraudulent,    significance to       of control activities                          criteria for
improper, and abusive      risk)                                                                data mining
purchase
------------------------------------------------------------------------------------------------------------
Unintentional purchase     • Training            Adequate                Test for current       None
of goods or services       • AO review                                   training and AO
prohibited by law or                                                     review
organizational policy
------------------------------------------------------------------------------------------------------------
Purchased service not      • Cardholder          Adequate                Test attributes of     None
received by the              reconciliation                              receipt control and
government                 • Independent                                 AO review
                             receipt and
                             acceptance
                           • AO review
------------------------------------------------------------------------------------------------------------
Purchased item of          • Independent         Inadequate – No         Consider stratifying   Include
accountable property         receipt and         designed control        sample to key on       accountable
not in possession of the     acceptance          provides reasonable     accountable property,  property
government                 • Cardholder          assurance of recording  and test all sample    purchases in
                             reconciliation      in accountable          transactions           potential
                           • AO review           property records;       acquiring accountable  criteria for
                                                 however, interviews     property to determine  data mining
                                                 and walk-throughs       the extent of
                                                 disclose that some      physical control and
                                                 units are making        accountability being
                                                 efforts to control      achieved
                                                 this risk
------------------------------------------------------------------------------------------------------------

GAO process illustration



The above (figure 4) is provided as an illustration only of the process of
making, documenting, and using the preliminary assessment of the design of
internal control activities. The illustrated risks, controls, conclusions,
effects, and identifications are highly dependent on the facts and
circumstances of specific organization operations and purchase card
programs. Auditors will need to exercise professional judgment when
making these determinations.




USING THE PRELIMINARY ASSESSMENT

                        Auditors should find the observations and
                        conclusions made in the preliminary
                        assessment useful in determining the nature
                        and extent of further audit work on an
                        organization’s purchase card program. These
                        observations and conclusions can be useful
                        in determining a strategy for internal control
                        testing, including designing sample
                        selections. For example, a preliminary
                        assessment conclusion might be that the design of an internal control policy
                        and one or more related control activities is strong and can provide
                        management with reasonable assurance of preventing or promptly detecting
                        fraudulent, improper, and abusive purchases. If the policy and control
                        activities are considered to be strong, tests designed to determine the extent
                        to which the control activities are being performed would likely be an
                        efficient and cost-effective audit procedure. However, if the auditor
                        considers the policy or the control activity to be ineffective or nonexistent,
                        tests for performance of control activities would generally not be
                        appropriate or cost effective. Whether to design and conduct tests of
                        performance for controls considered to be weak will require professional
                        judgment and consideration of the facts and circumstances of individual
                        cases.

                        The results of the preliminary assessment can also be useful to the auditor’s
                        consideration of other procedures (such as data mining, which is discussed
                        later in this guide) designed to detect fraudulent, improper, and abusive
                        transactions resulting from identified weaknesses in the design of controls.
                        For example, if the preliminary assessment is that the design of internal
                        control does not provide reasonable assurance of compliance with
                        requirements to purchase from statutory sources of supply, then purchase
                        card transactions with other vendors who sell similar goods and services
                        may provide examples of the result of that control weakness.




Section 4: Testing the Effectiveness of Key Control Activities




                     A well-designed system of internal control for a purchase card program is
                     needed to provide reasonable assurance that the program is operating as
                     intended and is not vulnerable to significant fraudulent, improper, and
                     abusive purchases. However, a system of internal control, no matter how
                     well designed, cannot be relied on if control activities are not in place and
                     operating effectively on an ongoing basis. Control activities, identified
                     during the preliminary assessment process as likely to be effective at
                     preventing or detecting fraudulent, improper, and abusive purchases, should
                     be tested to determine if they are being adequately adhered to. This section
                     discusses (1) obtaining and verifying the completeness of the purchase card
                     transactions database, (2) designing a statistical sample of purchase card
                     transactions, (3) obtaining the documentary evidence of performance of
                     control activities, and (4) designing and conducting tests to determine if key
                     control activities are in place and operating as intended.

                     In our audits of purchase card programs, we used two basic types of control
                     testing to evaluate the effectiveness of internal control activities:

                     •    statistical sampling[17] (selections that are expected to be representative
                          of a population and are projectable, with quantifiable accuracy, to that
                          population), which is discussed in this section of the guide, and

                     •    nonrepresentative selections (selections not expected to be
                          representative of or projectable to a population), such as data mining,
                          which is discussed in section 5 of the guide.

                     This guide considers control activities designed to prevent or detect
                     fraudulent, improper, and abusive transactions in a purchase card program
                     to operate on two basic levels: (1) control activities that operate at the
                     transaction level (e.g., independent receipt and acceptance, cardholder
                     reconciliation) and (2) controls that operate at some other level (e.g.,
                     training, span of control). Elements of the control environment discussed in
                     the Internal Control and the Control Environment section of this guide are
                     not considered transaction-level control activities. However, testing and
                     evaluating certain of these elements (i.e., training, discipline, and purchasing
                     and reviewing authority) can be efficiently accomplished in conjunction
                     with the testing of transaction-level control activities.



                     [17] Sampling selections expected to be representative of a population can be either
                     statistical or nonstatistical. In nonstatistical sampling, statistical concepts are
                     considered but not explicitly used to determine sample size, select sample items, or
                     evaluate the results. However, projections of nonstatistical sample results are not
                     quantifiably accurate, and GAO discourages their use in government audits.

OBTAINING TRANSACTION DATA

                             Tests of control activities that operate at the
                             transaction level are applied to selected
                             purchase card transactions, generally
                             contained in an electronic file database. The
                             auditor will need to identify and obtain the
                             appropriate database of purchase card
                             transactions, select the transactions to test,
                             and extract the appropriate transaction
                             information from the database. In order to
                             obtain the appropriate population of
                             purchase card transactions, the auditor will
                             need to establish and define the scope of the audit. The scope of the audit
                             can be defined in terms of control activities in place and operating for a
                             period, a unit, or an activity, or a combination of those terms (e.g., all
                             purchase card transactions executed by the organization during the fiscal
                             year ended September 30, 2003). Also, if the data are stored in an electronic
                             database, the auditor will need to determine that the transaction data
                             elements necessary to achieve the audit objectives are included in the
                             database obtained.

                             The purchase card transactions selected for testing should be selected from
                             a population that includes all relevant transactions, including convenience
                             checks, in the scope of the audit. In order to ensure the relevance and
                             completeness of the population transaction database, the auditor should
                             obtain value and quantity-control totals from a source independent of the
                             database provider and agree them to the data obtained. For example, a
                             transaction database supplied by the bank service provider could be agreed
                             or reconciled to the organization’s records of purchase card activities, or the
                             bank service provider may supply control totals to verify a transaction
                             database provided directly by the organization.

Coordinating with the Bank Service Provider

                             Establishing a contact and coordinating the audit effort with the bank
                             service provider presents the auditor with an opportunity to gain a current
                             understanding of the bank’s program operations, processes, and controls, as
                             more fully discussed in the Understanding the Bank Service Provider’s
                             Program section of this guide. Coordination with the bank can also provide
                             the needed transaction databases or the ability to verify organization
                             transaction databases by comparison to independent control totals. Fraud
                             investigators involved in the purchase card audit may also be afforded an
                             opportunity to evaluate the bank’s fraud investigation and detection
                             methodologies and benefit from other information provided by the bank’s
                             credit card fraud investigators.




SELECTING PURCHASE CARD TRANSACTIONS

                          One of the first decisions the auditor will
                          need to make is whether to use statistical
                          sampling to select transactions for testing. In
                          most audit circumstances, statistical
                          sampling is the recommended approach for
                          making estimates about and drawing
                          conclusions from a population of
                          transactions and for estimating the
                          percentage of transactions in the population
                          for which control activities were or were not
                          in place and operating as intended.
                          Statistical sampling is appropriate

                          •   if there is a desire to estimate whether control activities for a population
                              of transactions are in place and operating as intended, and to quantify
                              the accuracy of this assessment based on statistical theory;

                          •   if there is a desire to estimate whether some control activities for a
                              population of transactions are operating as intended to a greater or
                              lesser degree than other activities, and to quantify the accuracy of this
                              assessment based on statistical theory; and

                          •   if it is desirable to estimate the dollar value for a population of purchase
                              card transactions subject to detected control weaknesses or failures, and
                              to quantify the accuracy of the assessment based on statistical theory.

                          In these cases, a statistical sample should be designed so that statistical
                          theory can be used to estimate failure rates and the dollar value of
                          transactions subject to ineffective controls in the population and to quantify
                          the accuracy of those estimates.

                          In other audits of purchase card programs, making statistical estimates of
                          the failure rate in the population of transactions may not be important. For
                          example, if there are no control activities, or if the design of controls is
                          clearly inadequate, there would be little point in testing control activities
                          and estimating the associated failure rates. As another example, certain
                          control activities may only apply to a very small portion of transactions. In
                          these cases, an assessment might be made of the effectiveness of control
                          activities through means such as observation, inquiry, and inspection of a
                          nonrepresentative selection of transactions. However, it should be
                          understood at the outset that when experience and understanding of the
                          subject matter are used to assess the effectiveness of control activities
                          based solely on observation, inquiry, or inspection of a nonrepresentative
                          selection of transactions, the results cannot be reliably or statistically
                          projected to all transactions of that type.




Considerations in Designing a Statistical Sample

                                The auditor, in conjunction with a statistician, will need to consider a
                                number of issues in order to design statistical samples for government
                                purchase card programs. These issues include, but are not limited to, the
                                following.

                                •   The organization of the population of purchase card transactions.
                                    Typically, these records are organized in one or more electronic files. In
                                    this case, various sampling options are available. Two of these options
                                    are (1) simple random sampling of transactions and (2) partitioning
                                    transactions into non-overlapping groups (strata), followed by selecting
                                    simple random samples of transactions in each stratum.

                                •   The organization of the documentation evidencing performance of
                                    control activities. These documents may be stored in one or more
                                    geographic locations, which may or may not limit or impair accessibility
                                    by the auditor. In either case, a sample design should account for the
                                    geographic dispersion. The following are examples of available options.

                                          Geographic strata. If personnel are available to collect data from
                                          each location, then a sample design might have locations as strata,
                                          with appropriate sampling methods within each stratum. A stratified
                                          design would protect against the possibility of an "unlucky" sample,
                                          that is, one having no or few transactions from one or more locations
                                          in a random sample selected from the population of all transactions.
                                          It may also provide more precise estimates than a random sample of
                                          the same size selected from the population of all transactions.

                                          Geographic location sample. If it is not possible to collect data from
                                          each geographic location, then a two-stage statistical sample can be
                                          made of (stage one) geographic locations, with appropriate sampling
                                          methods used (stage two) within each selected location. If the
                                          geographic locations are chosen using statistical sampling, the
                                          auditor will be able to make estimates about all purchase card
                                          transactions in the population.

                                          Case study approach. The auditor may find, however, that the
                                          documents that will be examined to determine whether control
                                          activities are being performed are so geographically dispersed that it
                                          is not cost effective to collect data from statistically sampled
                                          locations. In this case, the auditor may wish to consider a case study
                                          approach. In a case study approach, locations are selected for
                                          specific reasons instead of being chosen using statistical sampling.
                                          Statistical samples of transactions are then selected for each of the
                                          selected locations. The auditor should note, however, that data
                                          collected from a case study approach can only be used to assess
                                          adherence to controls at the specified locations. Sample data from a
                                          case study approach cannot be used to make assessments about
                                          adherence to controls for the entire population of purchase card
                                          transactions.




                    •   Information about the approximate level of nonadherence to controls.
                        Such information may be obtained from (1) similar studies performed in
                        the recent past, (2) estimates by subject matter experts, or (3)
                        information obtained by the auditor during the preliminary assessment
                        relating to nonadherence rates. These “guesstimates” are very useful to
                        the statistician in estimating what sample size might be needed to
                        achieve specified precision levels on estimated nonadherence rates.

                    •   The relationship between the approximate nonadherence rate and the
                        acceptable nonadherence/adherence rates. At what rate of failure would
                        the auditor consider a control to be ineffective? Effective? If the
                        expected level of nonadherence (or adherence) is close to the minimum
                        rate that is considered unacceptable (or acceptable), a larger sample
                        may be required to assert nonadherence (or adherence) to controls.

                    •   Inherent strengths/weaknesses. Certain types of transactions may be
                        expected to have different rates of nonadherence to controls than other
                        types (e.g., transactions for large dollar amounts processed at a higher
                        level by personnel who likely have taken contracting officer training). If
                        so, the population of transactions can be partitioned into strata so the
                        expected rate of nonadherence differs from one stratum to the next.
                        Separate samples of transactions can then be taken in each stratum. A
                        stratified design that takes advantage of expected differences in
                        nonadherence rates across strata can provide more precise estimates
                        than a random sample of the same size selected from the population of
                        all transactions.

                    •   Time and resources. The total amount of time available, the time it will
                        take to evaluate the effectiveness of controls for each purchase card
                        transaction, and the number of audit staff available are practical
                        considerations that will directly influence the design and size of a
                        sample.
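
Added example, not part of the GAO guide: the sketch below agrees a transaction file to independently supplied control totals (as described under Obtaining Transaction Data) and then draws simple random samples within location strata. The field names, the three site names, the sample sizes and the transaction values are constructed assumptions.

```python
import random
from collections import defaultdict
from decimal import Decimal


def reconcile(transactions, control_count, control_amount):
    """Agree the file to control totals obtained from an independent source."""
    count = len(transactions)
    amount = sum((t["amount"] for t in transactions), Decimal("0"))
    return {
        "count_diff": count - control_count,
        "amount_diff": amount - control_amount,
        "agrees": count == control_count and amount == control_amount,
    }


def stratified_sample(transactions, sizes, seed, key="location"):
    """Draw a simple random sample without replacement inside each stratum.

    sizes maps stratum name -> planned sample size. A stratum holding no more
    transactions than its planned size is tested in full. Every stratum found
    in the file must have a planned size, so none is silently left out.
    """
    strata = defaultdict(list)
    for t in transactions:
        strata[t[key]].append(t)
    missing = set(strata) - set(sizes)
    if missing:
        raise ValueError(f"no sample size planned for strata: {sorted(missing)}")
    rng = random.Random(seed)  # record the seed in the sampling plan
    plan = {}
    for name in sorted(strata):  # fixed order keeps the draw reproducible
        items = sorted(strata[name], key=lambda t: t["id"])
        n = min(sizes[name], len(items))
        plan[name] = {"population": len(items), "sample": rng.sample(items, n)}
    return plan


def build_constructed_file():
    """Constructed transactions for three hypothetical locations."""
    rows, next_id = [], 1
    for location, count in (("Site A", 400), ("Site B", 150), ("Site C", 8)):
        for i in range(count):
            # Convenience checks belong in the population alongside card buys.
            kind = "convenience check" if i % 25 == 0 else "card"
            rows.append({"id": next_id, "location": location, "type": kind,
                         "amount": Decimal("19.95") + Decimal(i)})
            next_id += 1
    return rows


# Constructed control totals, standing in for figures from the other party.
CONTROL_COUNT = 558
CONTROL_AMOUNT = Decimal("102135.10")
PLANNED_SIZES = {"Site A": 60, "Site B": 30, "Site C": 20}

if __name__ == "__main__":
    population = build_constructed_file()
    check = reconcile(population, CONTROL_COUNT, CONTROL_AMOUNT)
    print("control totals agree:", check["agrees"])
    if check["agrees"]:  # sample only from a population shown to be complete
        plan = stratified_sample(population, PLANNED_SIZES, seed=20031101)
        for name, part in plan.items():
            print(name, part["population"], len(part["sample"]))
```

The population and sample counts per stratum returned here are the inputs the statistician needs to project results.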

The Sampling Plan

                    The auditor and the statistician should develop a written sampling plan for
                    inclusion in the audit work papers. The sampling plan should include, but is
                    not limited to,

                    •   the reasons that a sample was developed,
                    •   the type of sample (e.g., statistical or nonstatistical) and sampling
                        method (e.g., random) being used,
                    •   a description of the population (e.g., nature, data elements, source,
                        control totals),
                    •   the sample design (e.g., confidence level, stratum criteria, number of
                        items and dollars in population and stratum, sample size by stratum and
                        population) selected along with a discussion of the factors considered
                        and conclusion reached,
                    •   guidelines about the types of evidence and attributes the auditor will
                        accept as clear evidence of performance of control activities,
                    •   information about the anticipated precision of the sample estimates,
                    •   a definition of nonadherence to controls,
                    •   expectations (if any) about the rate of nonadherence to controls, and
                    •   examples of the types of conclusions the auditor expects to be able to
                        make after the sample data are analyzed (and projected to the
                        population).




Extracting Selected Transaction Data Elements

                                  Data elements of transactions selected for control activity testing (as well as
                                  those identified by data mining) will need to be extracted—identified,
                                  selected, copied, and accumulated in a separate electronic file for further
                                  auditor analysis—from the population transactions database. At a
                                  minimum, those data elements should include the identification and other
                                  data elements necessary to facilitate control activity testing. The following
                                  are examples of data elements that might be included in such extracts.


                                  Transaction      Cardholder           Vendor                AO
                                  Amount           Name                 Name                  Name
                                  Sale date        Account number       MCC                   Work location
                                  Post date        Account address      Address               Work telephone
                                                   Work location        Business telephone
                                                   Work telephone



Reporting Sample Results

                                  The auditor should prepare a workpaper/file detailing the pass/fail results of
                                  tests of control activities (e.g., the number and dollar value of transactions
                                  failing a control activity) performed on each sample item, in accordance
                                  with the sample design (e.g., sampled strata). These results can then be
                                  provided to the statistician, who should project the sample results to the
                                  population and provide the auditor with a report recapping the population,
                                  the sampling plan used, the control tests performed by the auditor, the
                                  statistical estimates (e.g., attribute failure rates, dollar values), and the
                                  associated confidence intervals. The auditor should then prepare a
                                  summary memorandum that incorporates the sample test results and the
                                  statistician’s report and recaps the rules used to assess the effectiveness of
                                  controls and the audit conclusions drawn from the projected sample results.

Analysis of Results from Statistical Samples

                                  The primary questions that can be answered from analyzing the result of a
                                  statistical sample of attribute tests for control activity performance are as
                                  follows:
                                  1. What is the estimated failure rate and how accurate is that estimate?
                                  2. Does the failure rate of performance of the control activity result in
                                      assessing the control as effective or ineffective?
                                  To answer the first question, the failure rate from the statistical sample
                                  should be estimated taking the design of the sample into account. Since the
                                  statistical sample is only one of a large number of samples that could be
                                  drawn, a two-sided interval should be generated that will contain the actual
                                  (unknown) population failure rate for a specified percentage of samples that
                                  could be drawn. This interval is called a “confidence interval,” and the
                                  specified percentage is called the “confidence level.”[18]




                                  [18] For nonfinancial audits, GAO commonly uses a confidence level of 95 percent. “The 95
                                  percent confidence level appears to be used more frequently in practice than any other
                                  level…90 percent and 99 percent confidence levels seem to be next in popularity.” Hahn and
                                  Meeker, Statistical Intervals, A Guide For Practitioners, 1st ed. (New York: John Wiley and
                                  Sons, Inc., 1991), 38.

                               To answer the second question, the statistical sample results should be
                               compared to a preset standard (e.g., control activities with adherence failure
                               rates greater than 5 percent will be considered ineffective) and professional
                               judgment.

                               For each audit of a government purchase card program, the auditor should
                               choose the failure rate that classifies the performance of control activities as
                               effective or ineffective. If the calculated results of the statistical sample are
                               considered inconclusive (e.g., the predetermined effective/ineffective rate of
                               adherence falls within the confidence interval of the estimated failure rate of
                               a control activity), the auditor should use professional judgment in reaching
                               the appropriate conclusion(s).
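
Added example, not part of the GAO guide: the sketch below estimates a control failure rate from a stratified sample, builds a two-sided 95 percent confidence interval, and applies the 5 percent example standard, returning "inconclusive" when that standard falls inside the interval. The normal approximation with a finite population correction, the function names and the stratum figures are assumptions; the statistician may prefer a different interval method.

```python
import math
from dataclasses import dataclass

Z_95 = 1.959964  # two-sided 95 percent quantile of the standard normal


@dataclass
class StratumResult:
    name: str
    population: int  # N_h: transactions in the stratum
    sampled: int     # n_h: sample items tested
    failed: int      # sample items failing the control activity test


def stratified_failure_rate(strata, z=Z_95):
    """Return (estimate, lower, upper) for the population failure rate.

    Each stratum's sample rate is weighted by its share of the population,
    so the estimate reflects the sample design rather than a pooled ratio.
    Caveat: a stratum with zero failures adds no variance under this
    approximation, so the interval is then narrower than an exact one.
    """
    total = sum(s.population for s in strata)
    estimate = 0.0
    variance = 0.0
    for s in strata:
        if not 2 <= s.sampled <= s.population:
            raise ValueError(f"{s.name}: sample size must be 2..population")
        if not 0 <= s.failed <= s.sampled:
            raise ValueError(f"{s.name}: failures must be 0..sample size")
        weight = s.population / total
        rate = s.failed / s.sampled
        fpc = 1 - s.sampled / s.population  # finite population correction
        estimate += weight * rate
        variance += weight ** 2 * fpc * rate * (1 - rate) / (s.sampled - 1)
    margin = z * math.sqrt(variance)
    return estimate, max(0.0, estimate - margin), min(1.0, estimate + margin)


def assess_control(lower, upper, threshold=0.05):
    """Compare the interval with the preset standard for an effective control."""
    if lower > threshold:
        return "ineffective"    # whole interval lies above the standard
    if upper <= threshold:
        return "effective"      # whole interval lies at or below the standard
    return "inconclusive"       # standard falls inside: professional judgment


# Constructed pass/fail tallies for two hypothetical dollar-amount strata.
CONSTRUCTED_RESULTS = [
    StratumResult("smaller purchases", population=9000, sampled=100, failed=12),
    StratumResult("larger purchases", population=1000, sampled=50, failed=1),
]

if __name__ == "__main__":
    est, low, high = stratified_failure_rate(CONSTRUCTED_RESULTS)
    print(f"failure rate {est:.1%}, 95% CI {low:.1%} to {high:.1%}")
    print("assessment:", assess_control(low, high))
```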

OBTAINING DOCUMENTATION EVIDENCING PERFORMANCE OF CONTROL ACTIVITIES

                               Documentation provides the auditor an
                               opportunity to inspect evidence of ongoing
                               adherence to internal control policies and
                               performance of control activities. The data
                               evidencing performance of transaction-
                               related control activities will most likely, but
                               not necessarily, reside within the
                               organization. Examples of documentation
                               that might evidence performance of specific
                               control activities are included in the Testing
                               Control Activities section of this guide. The
                               lack of such documentation, although a strong indicator of a lack of
                               adherence and performance, does not necessarily preclude adherence or
                               performance. However, all lack of adequate documentation should initially
                               be considered as a failure of the relevant control activity test. Missing
                               documentation should elevate the level of the auditor’s professional
                               skepticism when conducting any additional audit procedures considered
                               appropriate (e.g., additional inquiry, consideration of other supporting
                               documentation, direct interviews with cardholders and AOs). Transactions
                               and cardholders with significant or persistent lack of documentation should
                               be considered for follow-up in accordance with the Follow-up and
                               Investigation section of this guide.

                               Original documents should be reviewed whenever possible. The extent that
                               copies of original documents are retained for audit work papers will depend
                               on the circumstances and professional judgment. However, the work papers
                               should include copies of documents supporting findings of a significant lack
                               of adherence to policies; performance of control activities; and any
                               potentially fraudulent, improper, and abusive purchases. As discussed later
                               in the Follow-up and Investigation section of this guide, copies of
                               documents will also be necessary to the follow-up process.

Obtaining Documentation from the Organization

                               The auditor will need to provide the organization sufficient information to
                               identify the specific transactions selected for testing (e.g., cardholder name
                               and number, transaction sale or post date, and amount). The auditor should,
                               during planning, allow sufficient time for this step since documentation may
                               be in geographically diverse locations, and the organization may need to
                               send out requests for the needed information. The auditor should consider
                               the knowledge gained about the control environment and other factors and
                               exercise professional judgment when making decisions about (1) supplying
                               selected transaction information to the organization, (2) when and how to
                               receive documentation, and (3) the amount of time to allow the organization
                               to produce documentation. The auditor and the organization should agree
                               to (and the auditor should communicate in writing) the rules of the
                               engagement, in advance, establishing time limits for providing requested
                               documentation, after which audit conclusions will be based on the
                               documentation provided.
Evidence of Performance          The auditor should design tests that clearly and specifically identify
                                 acceptable attributes that evidence actual performance of control activities.
                                 Guidelines should be developed about what constitutes “clear evidence of
                                 performance” before testing begins. Such evidence may include appropriate
                                 sequencing of dates, cardholder and AO tick marks or other indications on
                                 individual transactions, and corroborating representations of performance
                                 by management personnel. Developing these guidelines in advance and
                                 including them in the sampling plan will enhance the ability of audit staff to
                                 make consistent assessments across sampled transactions. If there will be a
                                 cadre of audit staff assessing whether there is clear evidence of
                                 performance, they should be trained before data collection begins to
                                 enhance their collective ability to make consistent assessments. Also,
                                 appropriate supervisory review and validation of the assessments made by
                                 the audit staff will be needed. An independent supervisory assessment of
                                 selected sample items is one way to accomplish that review.

TESTING CONTROL ACTIVITIES       Tests for performance of control activities
                                 should be performed using the data gathered.
                                 For purposes of this guide, many control
                                 activities are considered transaction specific
                                 (e.g., independent receipt and acceptance,
                                 AO review), and the related tests should be
                                 accomplished at the transaction level. Also,
                                 as discussed in the Internal Control and the
                                 Control Environment section of this guide,
                                 some of the key elements of the control
                                 environment (e.g., training, discipline,
                                 purchasing and approving authority) lend themselves to efficient testing in
                                 conjunction with the testing of transaction-level control activities. The
                                 auditor should consider coordinating tests of those elements of the control
                                 environment with the tests of the following transaction control activities.

Transaction Control Activities   This guide discusses the following six control activities directly related to
                                 purchase card transactions and their supporting documentation and
                                 performance attributes for consideration by the auditor:

                                    determining a legitimate government need,
                                    screening for required vendors,
                                    independent receipt and acceptance,
                                    establishing accountability over property,
                                    cardholder reconciliation, and
                                    AO review.

                                 The specific tests of control activities accomplished, the specific documents
                                 reviewed, and the attributes considered may vary as audit objectives vary.
                                 When conducting the transaction control test discussed below, auditors
                                 should also evaluate purchases for compliance with relevant laws and
                                 regulations (e.g., exemption from sales tax). The auditor should consider
                                 consulting with legal counsel for assistance in evaluating questions of the
                                 existence of a legitimate government need. The auditor should also
                                 consider conducting follow-up, as discussed later in this guide, in instances
                                 of a questionable legitimate government need or prohibited or otherwise
                                 inappropriate government purchases.

                              Determining a legitimate government need provides reasonable assurance to the
                              organization that its resources are not being wasted. A legitimate need for the
                              goods or services being acquired should be determined before a purchase is made.
                              In a government purchase card program, the initial responsibility for making this
                              determination may be assigned to the cardholder through the organization’s
                              policies and procedures. Prepurchase requests or other authorization
                              prepared by a supervisor, or prepared by operations personnel and signed
                              by a supervisor, can provide the cardholder with documentation of a
                              legitimate government need. Organization policies may leave verification
                              and documentation that purchases are for a legitimate government need to
                              the discretion of the cardholder—a practice usually considered a weakness
                              in the design of control. The organization’s policies and procedures may
                              identify specific items or types of purchases requiring special approval.
                              However, prepurchase authorizations are not required by all government
                              organizations, and some organizations may provide blanket authorization for
                              routine purchases. When there is no documentation of a legitimate
                              government need for other than routine items, the auditor should view such
                              purchases with an elevated level of professional skepticism. Further, the
                              organization’s policies and procedures may restrict or prohibit the purchase
                              of certain items or types of goods and services. Auditors should be aware of
                              these requirements, restrictions, and prohibitions and the requirement, or
                              lack thereof, for documentation establishing the government’s need.

Prepurchase approvals were found in up to 98 percent of purchase card
transactions tested in a recent GAO audit.

                                  Documentation evidencing the determination of a legitimate government
                                  need should be obtained and reviewed. This could include (1) a
                                  prepurchase request or authorization, (2) written blanket authorization
                                  for small routine purchases (e.g., office supplies), (3) written
                                  justification by the cardholder or other program personnel of the
                                  government need for the purchase, (4) other required documentation for
                                  specifically controlled or restricted purchases (e.g., a purchase
                                  justification or business need analysis for computer equipment), and (5)
                                  the vendor invoice describing the goods or services purchased.
                                  Attributes to consider evaluating include (1) the date of government
                                  need determination, compared to date of the purchase, (2) whether the
                                  purchased item is included on the organization’s prohibited or restricted
                                  list, and (3) the item purchased on the vendor invoice, compared to the
                                  item for which a need was determined. The auditor should consider the
                                  knowledge gained in previous sections of the guide of the organization’s
                                  operations and the control environment, and, with an appropriate level
                                  of professional skepticism, exercise professional judgment and evaluate
                                  the reasonableness of the legitimate government need determination.

Auditors questioned whether a valid need had been identified, when “to get
enough goodies for everyone” 80 Palm Pilots costing $30,000 were purchased and
inventoried to be issued to personnel when requested.




                             Screening for required vendors provides the organization with reasonable
                             assurance of compliance with laws and regulations related to statutory sources
                             of supply. One such regulation is FAR Subpart 8, Required Sources of Supplies
                             and Services. This regulation generally requires federal agencies to purchase
                             supplies, services, and printing from designated sources, such as the Federal
                             Prison Industries, the National Industries for the Blind, NISH (serving people
                             with a range of disabilities), and the Government Printing Office. Auditors
                             should be aware of these and other laws, regulations, contractual agreements,
                             and policies and procedures, which direct the organization to acquire goods and
                             services from sources such as GSA schedules and contracts, blanket purchase
                             agreements, and single source suppliers. Auditors should also be aware of
                             exceptions provided to these and other requirements, generally having to do
                             with practicality and availability.

Despite laws and regulations requiring priority be given to certain required
vendors, a recent GAO audit found failure rates in this control ranging from 70
to 90 percent of purchases tested.

                                 Documentation evidencing screening for required vendors should be
                                 obtained and reviewed, including (1) a purchase log, required by policy
                                 at some organizations, (2) other documents evidencing appropriate
                                 screening, and (3) a waiver or other documentation of the applicability
                                 of exceptions made to required sources of supply.
                                 Attributes to consider evaluating include (1) the date and cardholder
                                 signature or initial for screening, compared to the transaction date, and
                                 (2) the date and appropriate signature on waiver of purchase from
                                 required sources, compared to the transaction’s date. Professional
                                 skepticism should be exercised when evaluating the appropriateness of
                                 any exceptions to required sources of supply.

                             Independent—someone other than the cardholder—receipt and acceptance of
                             goods and services provides reasonable assurance that the organization actually
                             received what it is paying for. The inclusion of independence in the receipt
                             and acceptance activity significantly strengthens the control by adding
                             segregation of duties to the activity. In purchase card programs, the
                             cardholder is usually responsible for verifying that independent receipt and
                             acceptance has occurred before completing reconciliation.

Two related organizations could not demonstrate independent receipt and
acceptance for about $27.4 million in purchased goods and services.

                                Documentation evidencing independent receipt and acceptance (e.g., a
                                signature or initial on the vendor invoice, receipt, or shipping document)
                                should be obtained and reviewed, including (1) the vendor invoice, (2)
                                the shipping, receiving, or warehouse receipt for goods or services
                                provided, and (3) the relevant cardholder billing statement.
                                Attributes to consider evaluating include (1) the date of signed receipt,
                                compared to the purchase date and cardholder reconciliation date, (2)
                                the signature or initial, evidencing receipt by someone other than the
                                cardholder, (3) notations (e.g., tick marks) indicating verification of
                                quantities for appropriate purchases, (4) the invoice amount, compared
                                to the cardholder billing statement amount, and (5) the invoice item
                                description(s) and quantity, compared to receiving document
                                description(s) and quantity.


                               Physical control and accountability over pilferable and other vulnerable
                               property acquired by the purchase card, which is initiated at the purchase
                               card transaction level, provides reasonable assurance to the organization
                               that pilferable property (i.e., items that are portable and can be easily
                               converted to personal use) is appropriately
                               recorded and asset-safeguarding control is established at the time of
                               purchase and receipt. Organizational requirements for this activity may vary
                               with the volume, value, and sensitivity of pilferable property acquisitions.
                               Control activities required of the cardholder should include initially
                               identifying the pilferable property requiring asset control, notifying
                               appropriate property management personnel within the organization of the
                               acquisition, and supplying the information required to establish a record in
                               the property control system. Audit procedures should include verification of
                               the record in the property control system, and can be extended to physical
                               inspection and verification that the property is in the possession of the
                               government.

Of 114 tested purchases of accountable property acquired with purchase cards,
60 (53 percent) were not recorded in property records, and 35 (31 percent)
could not be located.

                                   Documentation evidencing performance of this activity should be
                                   obtained and reviewed, including (1) the vendor invoice, (2) evidence of
                                   independent receipt and acceptance, (3) the cardholder’s billing
                                   statement, (4) the cardholder’s notification of pilferable property
                                   submitted to property control system personnel, (5) the property control
                                   system record, and (6) if applicable, item serial numbers, which, if not
                                   evident in the existing transaction documentation, should be obtained by
                                   the auditor directly from the supplier or manufacturer.
                                   Attributes to consider evaluating include (1) the vendor invoice’s
                                   quantity, description, and unique identifying numbers, such as serial
                                   numbers (considered a critical attribute for this control), compared to
                                   those attributes in the property control system record, (2) the date of
                                   purchase (sale date on the cardholder’s statement), compared to the
                                   date of signed receipt, the date of cardholder notification to appropriate
                                   property personnel, and the date of property record entry, and (3) the
                                   property control system’s description, assigned property number (e.g.,
                                   bar code number), property item unique identifying number (e.g., serial
                                   number), and location, compared to those same attributes from a
                                   physical inspection or independent verification that the accountable
                                   property is in the possession of the government.

                          Cardholder reconciliation provides the organization with reasonable assurance
                          that all transactions appearing on the cardholder’s billing statement are
                          appropriate charges for goods and services purchased for and received by the
                          organization. Private individuals generally review their personal credit card
                          statements to ensure that the purchases and amounts included are
                          appropriate and correct. Government purchase cardholders should perform
                          a substantially greater level of review. Cardholder reconciliation is the
                          process of the cardholder gathering, reviewing, and providing the
                          documentation to support that each purchase transaction appearing on the
                          cardholder’s billing statement is an appropriate, legitimate government
                          purchase. The cardholder is responsible for identifying purchase card
                          transactions that are unauthorized or that otherwise should not be paid by
                          the government. The cardholder should promptly dispute unauthorized
                          charges appearing on the billing statement with the bank service provider.
                          For those charges for which the cardholder is unable to verify independent
                          receipt and acceptance, the auditor should look for evidence of either a
                          credit by the vendor or a formal dispute filed with the bank service provider.

Tests of a statistical sample of purchase card transactions at four related
organizations disclosed little evidence of cardholder reconciliation of
purchases back to supporting documentation before payment of the bill.

                          The cardholder reconciliation and the AO review and certification for
                          payment may be accomplished either manually or electronically. The
                          electronic system may not require a signature or date and may leave little or
                          no audit trail of the application of control activities to billing statements and
                          individual transactions. The auditor should obtain, review, and use
                          professional judgment and skepticism in considering the value of
                          system-generated reports and screen prints as evidence of actual performance,
                          when evaluating adherence to control activities. The attributes described in
                          this section remain relevant to audit considerations and evaluations
                          regardless of whether cardholder reconciliation is performed manually or
                          electronically. If the available documentation is insufficient to evidence the
                          actual performance of a control activity, the selected purchase card
                          transaction should be considered as failing that activity. In this
                          circumstance, the auditor may consider it necessary to extend audit
                          procedures to the general and application controls of the electronic data
                          processing (EDP) system, which is outside the scope of this guide.
                              Documentation evidencing performance of cardholder reconciliation
                              should be obtained and reviewed, including (1) the monthly purchase
                              cardholder statement in a manual system, or other bank
                              system-generated list of billing-period transactions in an electronic
                              system, (2) the vendor invoice or sales receipt, and (3) evidence of
                              formal dispute (e.g., organizational standard form) of unauthorized
                              charges appearing on the cardholder’s billing statement.
                              Attributes to consider evaluating include (1) the cardholder’s
                              reconciliation signature, (2) the date of reconciliation, compared to
                              organizational requirements, the AO review, and payment certification
                              dates, (3) notations (e.g., tick marks, system notes) indicating that all
                              transactions on the statement were individually reconciled, (4) the
                              transaction date, amount, and vendor name on the vendor invoice,
                              compared to those same attributes on the cardholder’s statement, and
                              (5) the transaction date, amount, and vendor name on formal dispute
                              documentation, compared to those same attributes on the cardholder’s
                              statement. The auditor should consider following up on the appropriate
                              resolution of disputed items.

                          AO review of the cardholder’s reconciliation process provides reasonable
                          assurance to the organization that the cardholder is timely and appropriately
                          performing the reconciliation and is complying with all significant relevant
                          controls to prevent or detect fraudulent, improper, and abusive purchases. The
                          review also provides a basis for the AO to accept responsibility that the
                          purchases are appropriate, legitimate government purchases before the
                          billing statement total is certified for payment. The AO review, a critical
                          control activity in a government purchase card program, should include a
                          review of the cardholder reconciliation for timeliness and completeness and
                          for the appropriateness of the supporting documentation for individual
                          transactions. In evaluating the effectiveness of this control activity, the
                          auditor should consider (1) the extent of the AO’s review of the supporting
                          documentation for a cardholder’s individual transactions and (2) the extent
                          of documentation (e.g., tick marks, system notes) of that review. To gain a
                          better understanding of the extent of the AO’s review of cardholder
                          reconciliations, the auditor may consider interviewing the AO, in addition to
                          reviewing documentation evidencing the review process.

Tests of a statistical sample of purchase card transactions at five related
organizations disclosed numerous instances of AOs certifying bills for payment
without reviewing cardholder reconciliations or supporting documentation.

                          As discussed in the section on cardholder reconciliation, the AO review and
                          certification for payment may be accomplished either manually or
                          electronically. The auditor should obtain, review, and use professional
                          judgment and skepticism in considering the value of system-generated
                          reports and screen prints as evidence of actual performance when
                          evaluating adherence to control activities. The attributes described in this
                          section remain relevant to audit considerations and evaluations regardless
                          of whether the AO review is performed manually or electronically. If the
                          available documentation is insufficient to evidence the actual performance
                          of a control activity, the selected purchase card transaction should be
                          considered as failing that activity. In this circumstance, the auditor may
                          consider it necessary to extend audit procedures to the general and
                          application controls of the EDP system, which is outside the scope of this
                          guide.
                              Documentation evidencing performance of this activity should be
                              obtained and reviewed, including (1) the cardholder’s reconciliation
                              documentation, as discussed above, (2) documentation of the AO’s
                              review of the cardholder’s reconciliation, (3) the AO’s account billing
                              statement, and (4) documentation of the AO’s (or billing official’s)
                              certification for payment of the balance on his or her account billing
                              statement.
                              Attributes to consider evaluating include (1) the AO’s review signature,
                              (2) the date of the AO’s review compared to organizational policy
                              requirements, the date of the cardholder’s reconciliation, and the date of
                              the AO’s (or billing official’s) certification for payment, and (3) notations
                              (e.g., tick marks, system notes) on cardholder’s individual purchase card
                              transactions, evidencing the AO’s review and evaluation of the
                              appropriateness of the transactions and the documentation supporting
                              the cardholder’s performance of other control activities.
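
The date-sequencing, independence, and amount-matching attributes described in this section can be applied uniformly once each sampled transaction's supporting documents have been abstracted into a record. The Python below is an added example, not part of the GAO guide; it covers four of the six control activities, and the field names, the constructed sample records, and the follow-up threshold of two missing items are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

MISSING = "missing documentation"  # insufficient evidence is scored as a failure
Result = Tuple[bool, str]          # (passed, reason)

@dataclass
class SampledTransaction:
    """Attributes abstracted from one transaction's support.
    Field names are assumptions for this example; None means not provided."""
    txn_id: str
    cardholder: str
    purchase_date: date                  # sale date on the cardholder statement
    statement_cents: int                 # amount billed on the statement
    need_date: Optional[date] = None     # prepurchase request or authorization
    invoice_cents: Optional[int] = None  # vendor invoice amount
    received_by: Optional[str] = None    # signer of the receiving document
    receipt_date: Optional[date] = None
    reconciled: Optional[date] = None    # cardholder reconciliation date
    ao_reviewed: Optional[date] = None   # AO review date
    certified: Optional[date] = None     # certification for payment date

def check_need(t: SampledTransaction) -> Result:
    # Need should be determined before the purchase (same day accepted here).
    if t.need_date is None:
        return False, MISSING
    if t.need_date > t.purchase_date:
        return False, "need determined after purchase"
    return True, "ok"

def check_receipt(t: SampledTransaction) -> Result:
    if t.received_by is None or t.receipt_date is None or t.invoice_cents is None:
        return False, MISSING
    if t.received_by.strip().lower() == t.cardholder.strip().lower():
        return False, "received by the cardholder (not independent)"
    if t.receipt_date < t.purchase_date:
        return False, "receipt dated before purchase"
    if t.reconciled is not None and t.receipt_date > t.reconciled:
        return False, "receipt signed after reconciliation"
    if t.invoice_cents != t.statement_cents:
        return False, "invoice amount differs from statement"
    return True, "ok"

def check_reconciliation(t: SampledTransaction) -> Result:
    if t.reconciled is None or t.invoice_cents is None:
        return False, MISSING
    if t.invoice_cents != t.statement_cents:
        return False, "invoice amount differs from statement"
    if t.certified is not None and t.reconciled > t.certified:
        return False, "reconciled after certification for payment"
    return True, "ok"

def check_ao_review(t: SampledTransaction) -> Result:
    if t.reconciled is None or t.ao_reviewed is None or t.certified is None:
        return False, MISSING
    if not (t.reconciled <= t.ao_reviewed <= t.certified):
        return False, "reconciliation, review and certification out of sequence"
    return True, "ok"

CHECKS = {
    "legitimate_need": check_need,
    "independent_receipt": check_receipt,
    "cardholder_reconciliation": check_reconciliation,
    "ao_review": check_ao_review,
}

def evaluate(sample: List[SampledTransaction]) -> Dict[str, Dict[str, Result]]:
    """Score every sampled transaction against every control activity test."""
    return {t.txn_id: {name: fn(t) for name, fn in CHECKS.items()} for t in sample}

def failure_counts(results: Dict[str, Dict[str, Result]]) -> Dict[str, int]:
    """Number of sampled transactions failing each control activity."""
    counts = {name: 0 for name in CHECKS}
    for per_txn in results.values():
        for name, (ok, _) in per_txn.items():
            counts[name] += 0 if ok else 1
    return counts

def follow_up_cardholders(sample, results, min_missing: int = 2) -> List[str]:
    """Cardholders whose sampled items lack documentation at least min_missing
    times; the threshold is an assumption, not a value from the guide."""
    missing = Counter()
    for t in sample:
        missing[t.cardholder] += sum(
            1 for _, why in results[t.txn_id].values() if why == MISSING)
    return sorted(c for c, n in missing.items() if n >= min_missing)

# Constructed sample records (not real audit data).
SAMPLE = [
    SampledTransaction("T1", "A. Rivera", date(2003, 3, 3), 12500, date(2003, 2, 27),
                       12500, "J. Okafor", date(2003, 3, 5), date(2003, 4, 2),
                       date(2003, 4, 4), date(2003, 4, 7)),
    SampledTransaction("T2", "B. Chen", date(2003, 3, 10), 48000, date(2003, 3, 12),
                       48000, "b. chen ", date(2003, 3, 11), date(2003, 4, 2),
                       date(2003, 4, 4), date(2003, 4, 7)),
    SampledTransaction("T3", "A. Rivera", date(2003, 3, 15), 9900, date(2003, 3, 14),
                       9900, "J. Okafor", date(2003, 3, 18), date(2003, 4, 9),
                       None, date(2003, 4, 7)),
    SampledTransaction("T4", "C. Diaz", date(2003, 3, 20), 30000),
]

if __name__ == "__main__":
    res = evaluate(SAMPLE)
    for txn, per_txn in res.items():
        print(txn, {k: v[1] for k, v in per_txn.items()})
    print(failure_counts(res), follow_up_cardholders(SAMPLE, res))
```

Because the sample records here are constructed and the checks are nonstatistical, the failure counts illustrate the scoring only; projecting a failure rate requires the sampling plan the guide describes.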




Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases




                               In addition to testing internal controls, GAO’s purchase card methodology
                               includes procedures designed specifically to identify potentially fraudulent,
                               improper, and abusive purchase card transactions. Designing and
                               conducting procedures specifically for the purpose of detecting such
                               transactions serves multiple purposes, including the potential discovery of a
                               previously unrecognized risk in the program. Additionally, top management
                               will likely be more receptive to recommendations for corrective actions
                               when a face is put on the consequences of weak control, and the effects are
                               illustrated by instances of fraudulent, improper, and abusive purchases.
                               GAO’s methodology described in this guide is a two-step process similar to
                               the process of selecting transactions and testing controls. It entails the
                               pursuit of fraudulent, improper, and abusive purchases by (1) making
                               nonrepresentative selections of transactions or patterns of activity in a
                               process referred to as data mining and (2) conducting follow-up procedures,
                               rather than control tests, using forensic auditing techniques on selected
                               transactions and on cases of potentially fraudulent purchases detected
                               during the audit process.

DATA MINING FOR DETECTION,     Data mining is the act of searching or
ILLUSTRATION, AND DISCLOSURE   “mining” data to identify transactions or
                               patterns of activity exhibiting predetermined
                               characteristics, associations, or sequences
                               and anomalies between different pieces of
                               information. Data mining produces leads for
                               follow-up by auditors and investigators;
                               consequently, the concept of data mining, as
                               used in this guide, also includes performing
                               audit procedures and investigations as necessary to evaluate the leads.
                               Active continual data mining by organization management can also be used
                               to identify and initiate investigations of instances of potentially fraudulent,
                               improper, and abusive purchases, which can serve as an effective deterrent
                               to such transactions in the future. Data mining, when conducted in concert
                               with the tests of control activities, can provide additional evidence of
                               significant instances of noncompliance with laws and regulations, such as
                               those discussed in the Relevant Laws and Regulations section of this guide,
                               and lack of adherence to internal control policies and procedures. In
                               addition, it can identify previously unrecognized or underappreciated risks
                               in the program. Revelations from data-mining results can often generate the
                               upper management motivation necessary to bring about meaningful change
                               in policies and procedures. The results of data mining should also be
                               considered when evaluating the overall effectiveness of systems of internal
                               control over government purchase card programs. However, since data
                               mining is nonrepresentative, its results cannot be projected, and conclusions
                               should not be reached on the population of purchase card transactions.

                            GAO’s approach to data mining is designed to support its overall evaluation
                            of the effectiveness of internal control of a government purchase card
                            program and to provide examples of the results of weakness in internal
                            control. That approach generally consists of

                            •    identifying the population of transactions to data mine,
                            •    identifying criteria and designing search queries, and
                            •    extracting or summarizing transactions or patterns of activity from the
                                 population for further analysis, selection, audit, and investigation.

                            The source of data for mining would generally be the same population as the
                            source used to select transactions for control tests. The same population of
                            transactions must be used if examples of control failures detected by data
                            mining are to be relevant to the population of transactions and to the period
                            covered by the control tests. This would allow the results of data mining to
                            be considered in the overall evaluation of the effectiveness of internal control.

                            An experienced credit card fraud investigator will bring valuable perspective
                            and insight and should be involved in the process of identifying criteria,
                            associations, and characteristics for data mining for fraudulent, improper, and
                            abusive purchases. When identifying and selecting data-mining criteria, the
                            auditor should also consider the risks of potentially fraudulent, improper, and
                            abusive purchases; data-mining criteria identified by the auditor during the
                            preliminary assessment; and the data-mining criteria discussed in the following
                            examples.

                            The following examples of data-mining queries, summaries, and extractions
                            are appropriate to support an evaluation of the internal control of a
                            government purchase card program as contemplated in this guide, and are
                            intended to be used to identify and extract potentially fraudulent, improper,
                            and abusive purchases from a transaction database.

Data mining of purchase card transactions at five related organizations disclosed
numerous purchases of items for personal use, including digital cameras, computers,
clothing, and food.

                            •    Questionable vendors are those vendors that sell goods or services
                                 that generally do not meet legitimate government needs, or are
                                 restricted or prohibited by law, regulation, or policy. Recent GAO
                                 audits of purchase card programs have identified potentially
                                 fraudulent, improper, and abusive purchases of goods and services
                                 from vendors such as restaurants, grocery stores, casinos, clothing or
                                 luggage stores, home furnishing stores, personal electronic stores,
                                 businesses providing pornographic or sexually oriented goods or
                                 services (e.g., escort services), automobile dealers, and gasoline
                                 service stations. The understanding gained of the organization’s
                                 mission and operations, in accordance with a previous section of this
                                 guide, should provide the auditor with the insight necessary to make
                                 preliminary identification of vendors selling goods and services that
                                 likely do not meet legitimate government needs. The following are
                                 examples of ways to identify, extract, and select purchases from these
                                 vendors.

                                      By name: Questionable vendors, which can be expected to sell
                                      unneeded or prohibited goods or services, can be identified by
                                      name. This can be accomplished by manually reviewing a
                                      comprehensive list of vendor names extracted and sorted
                                      alphabetically from the population database. The selection
                                      process can be greatly enhanced by including selected
                                      summarized data by vendor name (e.g., number of transactions,
                                      dollars of purchases, number of cardholders making purchases).
                                      For example, because of the goods and services provided by
                                      vendors specializing in toys, stylish personal calendar/planners,
                                      and consumer electronics, purchases from them generally have a
                                      high likelihood of being potentially fraudulent, improper, or
                                      abusive.

                                      By MCC: Questionable vendors can be identified by using
                                      MCCs—standard codes that the credit card industry maintains to
                                      categorize merchants—assigned to vendors that may sell
                                      personal or prohibited goods or services. Purchase card
                                      transactions carrying the identified codes can then be extracted
                                      from the population database. Sorting and summarizing the
                                      extracted transactions by vendor may further enhance the
                                      selection processes. Organizations have the ability to block
                                      purchases from vendors with selected MCCs at the bank service
                                      provider. Ideally, any attempt to charge a purchase from a
                                      vendor with a blocked MCC should be automatically rejected at
                                      the point of purchase. However, auditors should be aware that
                                      (1) vendors may circumvent this control by providing false or
                                      misleading information and obtaining MCCs intended to disguise
                                      the types of goods or services they provide, and (2) bank service
                                      providers do not always reject purchase card transactions with
                                      blocked vendor MCCs.

A recent GAO audit disclosed a purchase card transaction with a prohibited escort
service vendor. The bank service provider had accepted the transaction despite the
blocked vendor MCC.

                                 All transactions associated with the identified vendor names and MCCs
                                 should initially be considered potentially fraudulent, improper, and
                                 abusive and extracted into a questionable vendor transactions
                                 database for further selection and follow-up.

                            •    Weekend and holiday purchases, in the operations of a normal
                                 governmental organization, could also offer a high probability of
                                 identifying potentially fraudulent, improper, and abusive transactions.
                                 However, using this approach to select transactions would not be
                                 effective if the organization’s operations routinely involve weekend
                                 and holiday purchases. During the previously discussed process of
                                 gaining an understanding of the organization’s operations, the auditor
                                 should look for and be aware of this and similar exceptions to normal
                                 operations when designing data-mining criteria. Purchase card
                                 transactions on weekends and holidays within the audit period should
                                 be identified and extracted into a suspect date transactions database
                                 for further selection.

GAO testified that approximately $12,000 in potentially fraudulent cardholder
purchases, including an Amana range, Compaq computers, gift certificates, groceries,
and clothes, occurred primarily from December 20 through December 26, 1999.




                              •    Split transactions are two or more transactions that would have
                                   normally been a single-purchase transaction, but were split to
                                   circumvent the micropurchase threshold (generally $2,500) or other
                                   legal or internal control single-purchase limits. For purposes of
                                   identifying sets of potential split transactions, all purchase card
                                   transactions in the audit period that meet the following criteria can be
                                   extracted into a potential split transactions database for further
                                   analysis:

                                         the transactions are with the same vendor, and
                                         the transaction dates are on the same day, and
                                         the transactions total in excess of $2,500, and
                                         the transactions are by the same cardholder, or the transactions
                                         are by the same activity/department. (Broadening the selection
                                         criteria to the same activity/department considers the potential
                                         for collusion among cardholders to circumvent single-purchase
                                         limits.)

                                   A nonrepresentative selection of transactions can then be made from
                                   the potential split transactions database and submitted to the
                                   follow-up procedures described in the Follow-up and Investigation
                                   section of this guide. For purposes of determining circumvention of
                                   single-purchase limits, all applicable limits should be considered
                                   (e.g., micropurchase limit, cardholder organization authorized
                                   single-purchase limit, the bank service provider’s system cardholder
                                   single-purchase limit).

Data mining purchases at five related organizations disclosed numerous occurrences of
purchases split to circumvent the $2,500 micropurchase threshold, including $16,000 for
furniture for an approving official’s office.

                              •    Transactions of unusual amounts or relationships may be
                                   fraudulent, improper, or abusive. The auditor should review the
                                   database for the existence of unusual purchase card transaction
                                   amounts, patterns, and relationships. Examples of such transactions
                                   include

                                         frequent amounts with the same vendor just under the
                                         micropurchase threshold, which, for example, may indicate that
                                         a vendor is exploiting weak controls and charging for goods or
                                         services that are not being provided or rendered, and

                                         multiple transactions for the same amount, which, for example,
                                         may indicate intentional or unintentional duplicate billings for
                                         the same goods or services.

                                   Purchase card transactions in the audit period for unusual amounts or
                                   relationships should be extracted into an unusual transactions database
                                   for further selection.

An organization approved and paid 75 purchase card transactions, all close to the
micropurchase threshold, totaling $164,000, with a telecommunications contractor. The
organization could not provide documentation of the nature of or receipt and acceptance
of the services provided. After completing follow-up, GAO referred this case for
criminal investigation.

                              •    Year-end spending may include purchases for which there are not
                                   legitimate government needs (e.g., bulk purchases of computer or
                                   electronic equipment). All purchase card transactions that exceed an
                                   established larger dollar value (e.g., $25,000) and occur in the last
                                   month of the fiscal year can be extracted into a year-end transactions
                                   database for further selection.

An organization used year-end funds to purchase computers and monitors costing $47,372.
Nine months later, over half of the computers remained in storage, raising questions of
whether a legitimate need existed when purchased.




                              •    Purchase card transactions by vendor for the audit period can be
                                   summarized to provide statistical data such as

                                         the number of cardholders making acquisitions with a vendor,
                                         the number of transactions with a vendor, and
                                         the dollar volume of transactions with a vendor.

                                   A critical analysis of the resulting vendor transaction summary totals,
                                   and their relationships, can identify opportunities for further data
                                   mining. Vendor summary totals at the extremes of activity, both high
                                   and low, warrant special attention. For example, a summary that
                                   shows that only one or two cardholders made purchases from a
                                   vendor, particularly if the dollar volume is high, may indicate a conflict
                                   of interest or fraudulent (e.g., kickbacks), improper, or abusive
                                   transactions. High dollar volumes of purchases may indicate a vendor
                                   with which the government should have a discounted price agreement.
                                   A vendor having only one transaction might indicate a questionable
                                   legitimate government need. If these summaries are accomplished
                                   using a software audit tool, the individual purchase card transaction
                                   detail underlying each vendor’s summary totals will usually be
                                   available, facilitating further review and selection.

                              •    Cardholders and AOs considered to have suspicious activities
                                   might be identified as the result of following up on previous data-
                                   mining transactions, a referral to an organizational fraud hotline,
                                   previous audit findings, or other means. Purchase card transactions
                                   for such cardholders and AOs can be extracted into separate
                                   transaction databases for further analysis. Follow-up and investigation
                                   of these transactions can assist in developing cases for referral to
                                   criminal investigative and prosecutorial authorities.

                              Since the data being mined are usually contained in a database of individual
                              purchase card transactions, a software audit tool that facilitates summaries,
                              comparisons, and extractions of transactions and data elements selected for
                              follow-up is recommended.
                              Several over-the-counter audit tools of this type are available. Using
                              professional judgment and considering the understandings gained and the
                              results of the preliminary assessment, the auditor should select transaction
                              leads provided by data mining and submit them to the procedures described
                              in the Follow-up and Investigation section of this guide. Unless adequate
                              follow-up procedures are accomplished, the auditor will not have sufficient
                              support to either report or refer the findings.
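
The data-mining criteria listed above, written out as queries in Python. This is an added example, not part of the GAO guide or of any GAO tool. The record layout, the watched MCC and vendor-name lists, the holiday set, the September fiscal year end, and the 10 percent band and three-charge minimum used for "just under the threshold" are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

MICROPURCHASE_LIMIT = 2500.00    # "generally $2,500" in the guide
YEAR_END_MINIMUM = 25000.00      # the guide's example of a larger dollar value
FISCAL_YEAR_END_MONTH = 9        # assumption: fiscal year ends September 30
WATCHED_MCCS = {"5812", "7995"}  # assumption: codes this audit chose to watch
NAME_TERMS = ("CASINO", "TOY")   # assumption: vendor-name terms to watch
HOLIDAYS = {date(2002, 7, 4)}    # assumption: holidays in the audit period

@dataclass(frozen=True)
class Txn:
    txn_id: int
    cardholder: str
    department: str
    vendor: str
    mcc: str
    when: date
    amount: float

# Constructed sample population; every name, code and amount is made up.
TXNS = [
    Txn(1, "CH-01", "FAC", "OFFICE FURNITURE CO", "5712", date(2002, 6, 12), 2400.00),
    Txn(2, "CH-01", "FAC", "OFFICE FURNITURE CO", "5712", date(2002, 6, 12), 2200.00),
    Txn(3, "CH-02", "FAC", "OFFICE FURNITURE CO", "5712", date(2002, 6, 12), 2450.00),
    Txn(4, "CH-03", "IT", "TELECOM SVCS", "4814", date(2002, 8, 5), 2480.00),
    Txn(5, "CH-03", "IT", "TELECOM SVCS", "4814", date(2002, 8, 19), 2480.00),
    Txn(6, "CH-03", "IT", "TELECOM SVCS", "4814", date(2002, 9, 3), 2495.00),
    Txn(7, "CH-04", "ADM", "LUCKY CASINO GIFT SHOP", "5947", date(2002, 6, 15), 180.00),
    Txn(8, "CH-05", "IT", "COMPUTER WAREHOUSE", "5045", date(2002, 9, 27), 31000.00),
    Txn(9, "CH-02", "FAC", "DOWNTOWN GRILL", "5812", date(2002, 7, 4), 96.50),
]

def ids(txns):
    return [t.txn_id for t in txns]

def questionable_vendors(txns, mccs=WATCHED_MCCS, terms=NAME_TERMS):
    """By MCC or by name. The name check catches vendors whose MCC misleads."""
    return [t for t in txns
            if t.mcc in mccs or any(term in t.vendor.upper() for term in terms)]

def weekend_or_holiday(txns, holidays=HOLIDAYS):
    """Saturday or Sunday (weekday() >= 5), or a listed holiday."""
    return [t for t in txns if t.when.weekday() >= 5 or t.when in holidays]

def potential_splits(txns, limit=MICROPURCHASE_LIMIT):
    """Same vendor and day, total over the limit, same cardholder or department."""
    leads, seen = [], set()
    for basis in ("cardholder", "department"):
        groups = defaultdict(list)
        for t in txns:
            groups[(t.vendor, t.when, getattr(t, basis))].append(t)
        for key in sorted(groups):
            members = tuple(sorted(t.txn_id for t in groups[key]))
            total = round(sum(t.amount for t in groups[key]), 2)
            # A department group identical to a cardholder group is not repeated.
            if len(members) >= 2 and total > limit and members not in seen:
                seen.add(members)
                leads.append((basis, key[2], key[0], key[1], total, members))
    return leads

def near_limit_repeats(txns, limit=MICROPURCHASE_LIMIT, band=0.10, min_count=3):
    """Vendors with min_count or more charges within `band` below the limit."""
    hits = defaultdict(list)
    for t in txns:
        if limit * (1 - band) <= t.amount <= limit:
            hits[t.vendor].append(t.txn_id)
    return {v: found for v, found in hits.items() if len(found) >= min_count}

def repeated_amounts(txns):
    """Same vendor, identical amount, more than once (possible duplicate billing)."""
    seen = defaultdict(list)
    for t in txns:
        seen[(t.vendor, t.amount)].append(t.txn_id)
    return {k: found for k, found in seen.items() if len(found) > 1}

def year_end(txns, minimum=YEAR_END_MINIMUM, month=FISCAL_YEAR_END_MONTH):
    """Large purchases in the last month of the fiscal year."""
    return [t for t in txns if t.when.month == month and t.amount > minimum]

def vendor_summary(txns):
    """Per vendor: (number of cardholders, number of transactions, dollar volume)."""
    holders, dollars = defaultdict(set), defaultdict(float)
    count = defaultdict(int)
    for t in txns:
        holders[t.vendor].add(t.cardholder)
        count[t.vendor] += 1
        dollars[t.vendor] += t.amount
    return {v: (len(holders[v]), count[v], round(dollars[v], 2)) for v in count}

if __name__ == "__main__":
    print("questionable vendors:", ids(questionable_vendors(TXNS)))
    print("weekend/holiday:     ", ids(weekend_or_holiday(TXNS)))
    print("potential splits:    ", potential_splits(TXNS))
    print("near-limit repeats:  ", near_limit_repeats(TXNS))
    print("repeated amounts:    ", repeated_amounts(TXNS))
    print("year-end:            ", ids(year_end(TXNS)))
    print("vendor summary:      ", vendor_summary(TXNS))
```

Each function returns leads only; as the guide states, the results are nonrepresentative and every lead still goes through the follow-up procedures before it is reported or referred.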

FOLLOW-UP AND INVESTIGATION

            The concept of follow-up, as used in this guide, contemplates an extension of
            audit procedures and documentation beyond those generally necessary to test for
            adherence to internal control policies or performance of control activities.
            GAO’s approach to the follow-up process assesses purchase card transactions in
            three incremental stages: (1) an initial evaluation of the cardholder
            documentation supporting selected data-mined transactions for the purpose
            of discerning potentially fraudulent, improper, and abusive transactions, (2)
            conduct of follow-up procedures discussed in this section on those
            transactions, and (3) referral of any instance of likely fraud to the
            appropriate criminal investigative personnel.

            Because of the characteristics of fraudulent, improper, and abusive
            purchases, professional skepticism—an attitude that includes a questioning
            mind and a critical assessment of audit evidence—is especially important
            when following up on these purchase card transactions.

Follow-up

            The conduct of follow-up procedures utilizes forensic auditing techniques.
            In the context of this guide, forensic auditing (follow-up) contemplates
            increased scrutiny and documentation by the auditor of the facts and
            circumstances (including judgments made and actions taken by individuals
            party to the transaction) surrounding potentially fraudulent, improper, and
            abusive transactions. In the instance of fraudulent purchase card
            transactions, the follow-up process is designed to support a subsequent
            criminal investigation.

            The auditor should consider consulting with the appropriate fraud
            investigative staff when determining the appropriate follow-up procedures
            for potentially fraudulent transactions or cases detected through control
            tests or data mining. An experienced purchase card fraud investigator can
            bring valuable perspectives and insight to the follow-up process.
            Investigators may have procedures and protocols that establish boundaries
            designed to preserve a successful investigation and prosecution of fraud,
            within which the auditor’s follow-up and referral procedures should be
            constrained (e.g., cautions against contacting and inadvertently alerting the
            vendor suspected of fraud).

            To begin the follow-up process for transactions selected by data mining or
            other means, the auditor should obtain and review transaction
            documentation similar to that obtained and reviewed in the tests of
            transaction control activities (e.g., determination of legitimate government
            need, vendor invoice, independent receipt and acceptance, accountable
            property record, the cardholder billing statement). This documentation
            should be analyzed to determine whether it supports a preliminary
            conclusion of (1) an appropriate government transaction that meets a
            legitimate government need or (2) a potentially fraudulent, improper, or
            abusive transaction.

            Detected or selected potentially fraudulent transactions should always be
            submitted to follow-up procedures. However, the auditor should use
            professional judgment and consider the results of cardholder documentation
            review; the overall objectives of pursuing fraudulent, improper, and abusive
            purchases; and the overall objectives of the audit in making a decision to
            perform follow-up procedures for transactions detected during tests for
            performance of control activities and for the transactions selected in the
            data-mining process.

            Professional judgment, input from qualified fraud investigators, and an
            elevated level of professional skepticism should be exercised when
            conducting follow-up procedures and evaluating (1) justifications offered for
            lack of adherence to policies and performance of control activities, (2)
            additional supporting documentation provided, and (3) unsupported
            representations made in interviews with program and organization
            personnel.

                            The following are examples of follow-up procedures and are not a complete
                            list of possible procedures.

                            • Request additional documentation to (1) support adherence to
                            internal control policies or performance of control activities (e.g., legitimate
                            government need, independent receipt and acceptance, exception to
                            prohibited item purchases), (2) provide missing relevant details of the
                            transactions, (3) support authorization for an otherwise improper purchase,
                            or (4) document other issues significant or useful to the process.

                            • Interview the cardholder for explanation, clarification, and other
                            additional information concerning the transaction and corroboration of
                            verbal representations made by others.

                            • Interview the AO for explanation, clarification, and other additional
                            information concerning the transaction and corroboration of verbal
                            representations made by others.

                            • Interview other organization personnel who may have been
                            identified as parties with corroborating or clarifying knowledge of the facts
                            and circumstances of the transaction (e.g., supervisors and coworkers).

                            • Contact the vendor for clarification of the specifics of the transaction
                            (e.g., quantities, dates, time, description of goods or services provided).
                            Request copies of supporting documentation from the vendor, especially
                            when the cardholder’s supporting documentation is missing.

                            • Fraud investigative staff assisting in the follow-up, or gathering
                            evidence to make and prove specific allegations of wrongdoing, may be able
                            to provide other items (e.g., credit reports, criminal records) that can
                            provide additional insight to the follow-up process.

Fraud investigators provided relevant reports and information to GAO auditors during
follow-up on potentially fraudulent purchase card transactions.

                            All interviews conducted as part of the follow-up process should be
                            documented in the audit work papers. At the conclusion of the follow-up
                            process, the auditor should summarize the facts, findings, and resolution or
                            disposition of the potentially fraudulent, improper, and abusive item in a
                            memorandum for inclusion in the work paper file. If at any time during the
                            follow-up process the auditor’s professional judgment is that a transaction is
                            likely fraudulent, referral of the transaction to the appropriate fraud
                            investigative staff (e.g., inspectors general, military service fraud
                            investigation offices) should be immediately considered.




Referral for Investigation

                             Referral of a likely fraudulent government purchase card transaction or case
                             should be made to the appropriate federal criminal investigative body. We
                             made such referrals to GAO’s Office of Special Investigations, whose
                             investigators have substantial experience in credit card fraud. The referral
                             should be accomplished in a written communication. That communication
                             would generally include, but not be limited to, the following information:

                             •   the date of the communication,
                             •   the name of the referring organization,
                             •   the name and telephone number of the referring contact,
                             •   the organization and program under audit,
                             •   a description of the potentially fraudulent transaction or case (e.g.,
                                 goods or services purchased, amounts paid, impropriety of the
                                 transaction),
                             •   the reason(s) for concluding the transaction to be potentially fraudulent,
                             •   the names and positions of the individuals involved (e.g., John Doe –
                                 cardholder, Jane Doe – vendor),
                             •   the date(s) of the purchase transaction,
                             •   a description of the indicators alerting the auditor to the potentially
                                 fraudulent transaction (e.g., altered supporting documentation,
                                 personnel interview, or record discrepancies), and
                             •   a statement as to whether the relevant documents (copies or originals)
                                 are attached or are available (e.g., cardholder billing statement, vendor
                                 invoice(s), follow-up interview(s)).




Appendixes




APPENDIX I – SELECTED RELEVANT GAO REPORTS AND TESTIMONIES

Department of Education and Department of Housing and Urban Development

Financial Management: Strategies to Address Improper Payments at HUD, Education, and
Other Federal Agencies. GAO-03-167T. Washington, D.C.: October 3, 2002.

Education Financial Management: Weak Internal Controls Led to Instances of Fraud and
Other Improper Payments. GAO-02-406. Washington, D.C.: March 2002.

Financial Management: Poor Internal Control Exposes Department of Education to Improper
Payments. GAO-01-997T. Washington, D.C.: July 24, 2001.

Department of Defense – Army

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste, and Abuse.
GAO-02-844T. Washington, D.C.: July 17, 2002.

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste, and Abuse.
GAO-02-732. Washington, D.C.: June 2002.

Department of Defense – Air Force

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to Fraud, Waste, and
Abuse. GAO-03-292. Washington, D.C.: December 2002.

Department of Defense – Navy

Purchase Cards: Navy Vulnerable to Fraud and Abuse but Is Taking Action to Resolve Control
Weaknesses. GAO-03-154T. Washington, D.C.: October 8, 2002.

Purchase Cards: Navy Is Vulnerable to Fraud and Abuse but Is Taking Action to Resolve
Control Weaknesses. GAO-02-1041. Washington, D.C.: September 27, 2002.

Purchase Cards: Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud
and Abuse. GAO-02-506T. Washington, D.C.: March 13, 2002.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse.
GAO-02-32. Washington, D.C.: November 2001.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse.
GAO-01-995T. Washington, D.C.: July 30, 2001.




APPENDIX II – SELECTED RELEVANT LAWS AND REGULATIONS


This appendix contains some of the laws and regulations and guidance that are applicable
governmentwide to the federal government purchase card program. Additional laws and
regulations and other agency- or organization-specific guidance may apply as well.

Establishment and Operation of the Purchase Card Program
   GSA SmartPay® Master Contract
   Treasury Financial Manual, vol. I, part 4-4500, “Government Purchase Cards”
   41 U.S.C. § 426 Use of Electronic Commerce in Federal Procurement
   48 C.F.R. § 13.301(b) Governmentwide Commercial Purchase Card
   31 U.S.C. §§ 3901–3907 Prompt Payment Act
   5 C.F.R. part 1315, Prompt Payment

Procurement Methods and Standards
   41 U.S.C. § 253 Competition Requirements
   41 U.S.C. § 403(11) Definitions
   41 U.S.C. § 427 Simplified Acquisition Procedures
   41 U.S.C. § 428 Procedures Applicable to Purchases Below Micropurchase Threshold
   41 U.S.C. § 429 List of Laws Inapplicable to Contracts Not Greater Than the Simplified
   Acquisition Threshold in Federal Acquisition Regulation
   48 C.F.R. § 1.603-3(b) Appointment
   48 C.F.R. part 2.101, Definitions
   48 C.F.R. part 8, Required Sources of Supplies and Services
   48 C.F.R. part 13, Simplified Acquisition Procedures

Purposes for Which an Organization’s Appropriations May Be Used
   31 U.S.C. § 1301(a) “Purpose Statute”
   U.S. General Accounting Office, Principles of Federal Appropriations Law, vol. I, c. 4 (2d
   ed. 1991)
   Bona Fide Needs Rule, See, e.g., 68 Comp. Gen. 170, 171 (1989); 58 Comp. Gen. 471, 473
   (1979); 54 Comp. Gen. 962, 966 (1975)
   3 Comp. Gen. 433 (1924) Comptroller General McCarl to the Secretary of War
   B-288266 (Jan. 27, 2003) Use of Appropriated Funds to Purchase Light Refreshments at
   Conferences
   72 Comp. Gen. 178 (1993) Matter of: Corps of Engineers – Use of Appropriated Funds to Pay
   for Meals
   65 Comp. Gen. 738 (1986) Matter of: Refreshments at Awards Ceremony
   64 Comp. Gen. 406 (1985) Matter of: Randall R. Pope and James L. Ryan – Meals at
   Headquarters Incident to Meetings
   B-289683 (Oct. 7, 2002) Matter of: Purchase of Cold Weather Clothing, Rock Island District,
   U.S. Army Corps of Engineers
   63 Comp. Gen. 245 (1984) Matter of: Purchase of Down-Filled Parkas




APPENDIX III – EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE

(REQUEST THROUGH PAYMENT)


  Navy Purchase Card Process, September 2001



  [Flow chart. Text of the boxes, in reading order:]

     Purchase cardholder orders/charges goods and services
     Vendor (arrow labels: items picked up; items shipped)
     Independent documentation that items have been received and accepted
     Pilferable items are recorded in accountable property records
     Monthly purchase card statements are received from bank
     Citibank reverses disputed charges and credits monthly statement
     Cardholder reconciles underlying receipts/sales slips to monthly purchase card
        statements, identifies any invalid charges, and prepares dispute forms
     Cardholder logs items not received and follows up to (1) confirm receipt or
        (2) dispute the charge
     Cardholder or approving official logs disputed charges and sends forms to
        Citibank for credit
     Approving official reviews cardholder support, and certifies monthly statements
        for payment
     DFAS processes purchase card payments to Citibank




Source: GAO-02-1041




Approving Official
If internal controls are operating effectively, the approving official is responsible for ensuring
that all purchases made by the cardholders within his or her cognizance are appropriate and that
the charges are accurate. The approving official is supposed to resolve all questionable
purchases with the cardholder before certifying the bill for payment. In the event an
unauthorized purchase is detected, the approving official is to notify the agency program
coordinator and other appropriate personnel within the command in accordance with the
command procedures. After reviewing the monthly statement, the approving official is to certify
the monthly invoice and send it to the Defense Finance and Accounting Service (DFAS) for
payment.

Cardholders
A purchase cardholder is a Navy employee who has been issued a purchase card. The purchase
card bears the cardholder’s name and the account number that has been assigned to the
individual. The cardholder is expected to safeguard the purchase card as if it were cash.

Designation of Cardholders
When a supervisor requests that a staff member receive a purchase card, the agency program
coordinator is to first provide training on purchase card policies and procedures and then
establish a credit limit and issue a purchase card to the staff member.

Ordering Goods and Services
Purchase cardholders are delegated limited contracting officer ordering responsibilities. As
limited contracting officers, purchase cardholders do not negotiate or manage contracts. Rather,
cardholders use purchase cards to order goods and services for their units and their customers.
Cardholders may pick up items ordered directly from the vendor or request that items be shipped
directly to an end user (requesters). Upon receipt of purchased items, the cardholder is to
record the transaction in his or her purchase log and obtain documented independent
confirmation from the end user, the supervisor, or another individual that the items have been
received and accepted by the government. The cardholder is also to notify the property book
officer of accountable items received so that these items can be recorded in the accountable
property records.

Payment Processing
The purchase card payment process begins with receipt of the monthly purchase card billing
statements. The Department of Defense is required by 10 U.S.C. § 2784 to issue regulations that
ensure that purchase cardholders and each official with authority to authorize expenditures
charged to purchase cards reconcile charges with receipts and other supporting documentation
before paying the monthly purchase card statement. Naval Supply Systems Command
Instruction 4200.94 states that upon receipt of the individual cardholder statement, the
cardholder has 5 days to reconcile the transactions appearing on the statement by verifying their
accuracy to documentation supporting the transactions and to notify the approving official in
writing of any discrepancies in the statement.

In addition, under NAVSUP Instruction 4200.94, before the credit card bill is paid, the approving
official is responsible for (1) ensuring that all purchases made by the cardholders within his or
her cognizance are appropriate and that the charges are accurate and (2) timely certifying the
monthly summary statement for payment by DFAS. The instruction further states that within 5
days of receipt, the approving official must review and certify for payment the monthly billing
statement, which is a summary invoice of all transactions of cardholders under the approving
official’s purview.

The approving official is instructed to presume that all transactions on the monthly statements
are proper unless notified in writing by the cardholder to the contrary. However, the
presumption does not relieve the approving official from reviewing the statements for blatantly
improper purchase card transactions and taking the appropriate action before certifying the
invoice for payment. In addition, the approving official is responsible for forwarding disputed
charge forms for submission to Citibank for credit. Under the Navy’s task order, Citibank allows
the Navy up to 60 days after the statement date to dispute invalid transactions and request a
credit.

Upon receipt of the certified monthly purchase card summary statement, a DFAS vendor
payment clerk is to (1) review the statement and supporting documents to confirm that the
prompt-payment certification form has been properly completed and (2) subject it to automated
and manual validations. DFAS effectively serves as a payment processing service and relies on
the approving-official certification of the monthly bill as support to make the payment. The
DFAS vendor payment system then batches all of the certified purchase card payments for that
day and generates a tape for a single payment to Citibank by electronic funds transfer.
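
The time limits and ordering in the narrative above (5 days for cardholder reconciliation, 5 days for approving official certification, 60 days after the statement date for disputes, certification before payment) can be tested over statement records. The following is an added example, not part of the GAO guide; the record layout, field names, and sample data are constructed, and counting the limits in calendar days is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Limits quoted in the narrative. Calendar-day counting is an assumption of
# this example; the text says only "days".
CARDHOLDER_RECONCILE_DAYS = 5   # cardholder reconciles within 5 days of receipt
AO_CERTIFY_DAYS = 5             # approving official certifies within 5 days of receipt
DISPUTE_WINDOW_DAYS = 60        # disputes accepted up to 60 days after statement date


@dataclass
class Statement:
    """One cardholder's monthly statement (hypothetical record layout)."""
    cardholder: str
    statement_date: date
    cardholder_received: date
    cardholder_reconciled: Optional[date]   # None = no reconciliation on file
    ao_received: date
    ao_certified: Optional[date]            # None = no certification on file
    paid: Optional[date]                    # None = not yet paid
    dispute_dates: List[date] = field(default_factory=list)


def exceptions(s: Statement) -> List[str]:
    """Return the control exceptions found for one statement."""
    found = []
    if s.cardholder_reconciled is None:
        found.append("no cardholder reconciliation")
    elif (s.cardholder_reconciled - s.cardholder_received).days > CARDHOLDER_RECONCILE_DAYS:
        found.append("late cardholder reconciliation")

    if s.ao_certified is None:
        found.append("no approving official certification")
    else:
        if (s.ao_certified - s.ao_received).days > AO_CERTIFY_DAYS:
            found.append("late certification")
        # The flow chart places cardholder reconciliation ahead of the
        # approving official's review of cardholder support.
        if s.cardholder_reconciled is not None and s.ao_certified < s.cardholder_reconciled:
            found.append("certified before cardholder reconciliation")

    # DFAS relies on the certification as support for the payment.
    if s.paid is not None and (s.ao_certified is None or s.paid < s.ao_certified):
        found.append("paid without prior certification")

    for d in s.dispute_dates:
        if (d - s.statement_date).days > DISPUTE_WINDOW_DAYS:
            found.append("dispute filed after 60-day window")
    return found


def review(statements: List[Statement]) -> Dict[str, List[str]]:
    """Map each cardholder with at least one exception to its exceptions."""
    return {s.cardholder: e for s in statements if (e := exceptions(s))}


# Constructed sample data (not taken from any audit).
SAMPLE = [
    Statement("CH-001", date(2001, 9, 21), date(2001, 9, 24), date(2001, 9, 27),
              date(2001, 9, 28), date(2001, 10, 1), date(2001, 10, 5),
              [date(2001, 10, 10)]),
    Statement("CH-002", date(2001, 9, 21), date(2001, 9, 24), date(2001, 10, 2),
              date(2001, 9, 28), date(2001, 10, 1), date(2001, 10, 5),
              [date(2001, 11, 30)]),
    Statement("CH-003", date(2001, 9, 21), date(2001, 9, 24), None,
              date(2001, 9, 28), None, date(2001, 10, 5)),
]

if __name__ == "__main__":
    for holder, found in review(SAMPLE).items():
        print(holder, "->", "; ".join(found))
```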




 APPENDIX IV – EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART


 Navy Purchase Card Program Management Structure, September 2001


 [Organization chart, top to bottom:]

    Department of Defense Purchase Card Program Management Office
       Department of Navy eBusiness Operations Office
       Navy Agency Program Coordinator
          Major Command Agency Program Coordinators (one per major command below)

 Major command               Area                 Agency program       Approving   Cardholders
                                                  coordinators at      officials
                                                  subordinate units
 Atlantic Fleet              Norfolk, VA area            98               286          769
 Pacific Fleet               San Diego, CA area          66               168          417
 Naval Sea Systems Command   Norfolk, VA area            10                78          235
 U.S. Marine Corps           Camp Lejeune, NC            15               173          496




 Source: GAO analysis of Navy purchase card program organization.




     APPENDIX V – EXAMPLE AUDIT PROGRAM


Government Purchase Card Program
Example Internal Control Performance Audit Program

                                          Program Overview

This is an example audit program only and should be tailored to meet the requirements of the individual
organization’s purchase card program. The approaches, methodologies, and concepts applied in this
example, and the accompanying audit guide, are appropriate for use by management oversight personnel as
well as internal and external auditors.
To facilitate ongoing internal control monitoring efforts by management, sections C and D can be performed
independently of each other, and section D can be applied on a continuous basis.

A     Gain Necessary Understandings
A1    Understand the risk of fraudulent, improper, and abusive purchases
A2    Understand internal control
A3    Understand the relevant laws and regulations
A4    Understand the organization and purchase card program operations
A5    Understand and assess key elements of the control environment

B     Preliminarily Assess the Adequacy of Designed Control Activities
B1    Identify risks and control activities, and assess the adequacy of designed control activities
B2    Determine the effects of the assessment on the design of performance tests and the
      identification of potential data-mining criteria

C     Test Adherence to Policies and Performance of Control Activities
C1    Obtain transaction data for transaction-level testing
C2    Select purchase card transactions
C3    Obtain data evidencing performance of control activities
C4    Test key control activities

D     Pursue Fraudulent, Improper, and Abusive Purchases
D1 Data mine to identify potentially fraudulent, improper, and abusive purchase card transactions
D2 Follow up on selected purchase card transactions and refer likely fraud for investigation




Government Purchase Card Program
Example Internal Control Performance Audit Program                                    Page ___ of ___
Sec    #    Audit Steps    Work Paper Reference    Initial/Date Completed
This is an example audit program only and should be tailored to meet the requirements of the individual organization’s purchase card
program. The approaches, methodologies, and concepts applied in this example, and the accompanying audit guide, are appropriate for
use by management oversight personnel as well as internal and external auditors.

Organization Name:

Audit Period/Scope:

Auditor/Manager-in-Charge:

Other:

A – Gain Necessary Understandings
 A1      Understand the risk of fraudulent, improper, and abusive purchases
           1.0 Obtain and review relevant reports on audits of internal control over
                  government purchase card programs. (See app. I of this guide for a
                  list of GAO reports.)
           2.0 Obtain and review recent reports on audits and reviews of internal
                  control over the organization’s purchase card program, and
                      determine management’s response to findings and
                      recommendations and
                      determine the status of corrective actions taken by management.
           3.0 Review the “Understanding the Purchase Card Program – The Risk of
                  Fraudulent, Improper, and Abusive Purchases” section of this guide.
           3.1 Obtain and review detailed summaries prepared by the organization’s
                  fraud investigative personnel (e.g., inspector general) of all purchase
                  card fraud detected within the prior ___________ (e.g., 2 years).
 A2      Understand internal control
           1.0 Obtain and review
                      GAO/AIMD-00-21.3.1, Standards for Internal Control in the Federal
                      Government (Green Book),
                      GAO-01-1008G, Internal Control Management and Evaluation Tool,
                      and
                      GAO/AFMD-8.1.2, Guide for Evaluating and Testing Controls Over
                      Sensitive Payments.
           2.0 Review the “Understanding the Purchase Card Program – Internal
                  Control and the Control Environment” section of this guide.
 A3      Understand the relevant laws and regulations
           1.0 Obtain and review laws and regulations relevant to the government’s
                  purchase card program. (See app. II of this guide for a list of selected
                  relevant federal laws and regulations.)
           2.0 Review the “Understanding the Purchase Card Program – Relevant
                  Laws and Regulations” section of this guide.
A4    Understand the organization and purchase card program operations
       1.0 To facilitate the following and subsequent audit procedures, the auditor
            and program oversight personnel should establish contact with
            management personnel at both
               the organization’s purchase card program and
               the bank purchase card service provider.
      The organization’s operations
       2.0 Obtain and review the organization’s written policies and procedures
            describing its operations and activities. Such documents might include
               mission statement(s), activity descriptions, or both, and
               operational policies, procedures, or instructions.
            (The auditor should review these and other relevant documents,
            which, when considered with subsequent personnel interviews, serve
            to provide an understanding of the current mission-related
            operations and activities of the organization.)
       2.1 Identify and interview selected organization personnel to supplement
            and clarify the auditor’s understanding of the organization’s mission
            and operating activities.
      The organization’s purchase card program
       3.0 Obtain and review the organization’s written policies and procedures
            describing and controlling their purchase card program. Such
            documents might include
               purchase card program policies, procedures, or instructions and
               contractual agreements with the bank service provider.
            (The auditor should review these and other relevant documents,
            which, when considered with subsequent personnel interviews and
            walk-throughs, should serve to provide or reinforce an understanding
            of the current operations of the purchase card program.)
       4.0 Identify and interview selected purchase card program personnel,
            including personnel from the following categories, for the purpose of
            supplementing and clarifying the auditor’s understanding gained from
            review of the organization’s written policies and procedures:
               purchase cardholders,
               approving officials, and
               program coordinator.
       5.0 Determine and document the organization’s policies and procedures
            (or control activities) related to the control environment, including
            the following key areas:




       5.1     Span of control:
                    Also, determine the current total number of cardholders at the
                    organization and
                    determine the current total number of approving officials at the
                    organization.
       5.2     Financial exposure:
                    Also, determine whether and how the organization initially and
                    periodically verifies that purchase cards are issued to, and
                    continue to be held by, individuals who need them to perform
                    their assigned duties and
                    determine whether and how the organization initially and
                    periodically determines that cardholder and approving official
                    credit limits are appropriate to their needs.
       5.3     Training:
                    Also, determine how and when the organization provides and
                    documents initial and refresher training for cardholders,
                    approving officials, and agency/organization program
                    coordinators.
       5.4     Discipline:
                    Also, determine the organization’s process for investigating
                    allegations of fraudulent purchase card activity and
                    determine how the organization decides and documents
                    disciplinary actions taken for lack of adherence to internal
                    control policies and performance of control activities.
       5.5     Purchasing and reviewing authorities for cardholders and approving
               officials:
                    Also, determine how the organization approves and documents
                    purchasing credit and single-transaction limits for cardholders
                    and
                    determine how the organization approves and documents
                    cardholder review responsibility and payment authorization
                    credit limits for approving officials.
       6.0 Determine and document the organization’s policies and procedures
             (or control activities) related to purchase card transactions,
             including the following key areas.
       6.1     The determination of a legitimate government need prior to making
               the purchase.
       6.2     The requirement for and documentation of independent receipt and
               acceptance of goods and services.
       6.3     The establishment of physical control and accountability over
               pilferable and other vulnerable property.




       6.4      The process and documentation requirements for cardholder
                reconciliation of monthly purchase card statements.
       6.5      The process and documentation requirements for approving official
                review and approval for payment of assigned cardholders’ monthly
                purchase card transactions.
       7.0 Determine and document the organization’s policies and procedures
             (or control activities) related to management’s risk assessment.
       8.0 Determine and document the organization’s policies and procedures
             (or control activities) related to information and communications.
       9.0 Determine and document the organization’s policies and procedures
             (or control activities) related to monitoring, including the following
             key areas.
       9.1      Agency/organization program coordinator’s routine audits of
                internal control over the organization’s purchase card program.
       9.2      Bank service provider management reports:
                    What reports are provided and to whom?
                    How often is participant information updated?
                    How does management use them?
       9.3      Internal review (or similar function) evaluation of internal control
                and the effectiveness of the organization’s purchase card program.
      10.0 Identify the computer-based controls that the organization has
             established over the purchase card program, including those
      10.1      over the payment of monthly purchase card bills,
      10.2      designed to prevent duplicate payments, and
      10.3      designed to prevent unauthorized access to purchase card
                transaction and master file information.
      11.0 Perform a walk-through of one or more selected purchase card
             transactions to confirm the understandings of
                the flow of a typical purchase card transaction and
                the system of internal control (including control activities).
      11.1 Obtain examples of documentation evidencing the performance of all
             key control activities.
      12.0 Using the knowledge gained from
                reviews of written policies and procedures,
                interviews with program personnel, and
                walk-throughs of purchase card transactions,
             develop a flowchart and narrative that depict and explain the typical
             purchase card transaction process from request to payment. Include
             routine exceptions, such as disputed transactions and late receipts.
             Highlight and discuss all key controls in the process.
      12.1 Discuss the flowchart with appropriate purchase card program office
             personnel and obtain their concurrence with the process flow and key
             controls.
      The bank service provider
      13.0 Obtain and review documents describing the bank service provider’s
             policies and procedures controlling the operation and interface of the
             purchase card program with the organization. Such documents might
             include
                operational policies, procedures, or instructions and
                purchase card program training manuals or instructions.
      14.0 Identify and interview selected bank service provider personnel,
             including personnel from the following categories, for the purpose of
             supplementing and clarifying the auditor’s understanding gained from
             review of the operation and control documents:
                program operations,
                customer service, and
                fraud detection and investigation.
      15.0 Obtain a database of purchase card transactions for the period or scope
             of the audit. Obtain and agree control totals from an independent
             source to the purchase card transactions database (see step C1-1.0).
      16.0 Obtain a list of program reports available from the bank provider and
      16.1      gain an understanding of the information contained in the reports
                and their intended use,
      16.2      compare the list to the reports being obtained and used by the
                organization, and
      16.3      identify and request the available reports that facilitate the auditor’s
                determination of adherence to control environment policies (e.g.,
                span of control, financial exposure).
A5    Understand and assess key elements of the control environment
       1.0 Based on the understandings gained through document reviews and
             personnel interviews, preliminarily assess management’s operating
             philosophy and attitude (i.e., tone at the top) as having a positive or
             negative effect on internal control across the organization.
       2.0 Obtain data (e.g., electronic reports and data files) from the bank
             service provider and the organization necessary to perform the
             following.
       2.1 Test the following key elements of the control environment for
             adherence to internal control policies on an organization-wide (macro)
             level:
       2.2      span of control and
       2.3      financial exposure.
       2.4 Document for inclusion in the work papers the results of the evaluation
             process and the preliminary conclusions of the effect of these elements
             of the control environment on the effectiveness of internal control.
       3.0 Obtain data from the organization necessary to perform tests of
             controls for the following key elements of the control environment (see
             step C3-1.4). Data should be obtained for each cardholder and
             approving official on transactions selected for control activity testing.
       3.1 Test the following key elements of the control environment in
             conjunction with tests of transaction-level control activities (see step
             C4-2.0):
                • training,
                • discipline, and
                • purchasing and reviewing authorities.
       3.2 Document for inclusion in the work papers the results of the evaluation
             process and the preliminary conclusions of the effects of these
             elements of the control environment on internal control.
       4.0 Upon completion of testing of all the key elements of the control
             environment, prepare a summary memorandum for inclusion in the
             work papers on the auditor’s conclusion of the overall effect of tone at
             the top, span of control, financial exposure, training, discipline, and
             purchasing and reviewing authorities on the control environment, and
             on the overall effectiveness of internal control.
B – Preliminarily Assess the Adequacy of Designed Control Activities
B1    Identify risks and related designed control activities, and assess the adequacy of those
      activities
       1.0 Identify and list the significant risks/opportunities for fraudulent,
            improper, and abusive transactions in the organization’s purchase card
            program.
                 Such risks can be control environment related (e.g., span of
                 control, training), purchase transaction related (e.g., no
                 legitimate government need, inadequate approving official
                 review), or related to other significant areas (e.g.,
                 monitoring).
       2.0 Identify the internal control policies and procedures (control activities)
            designed to prevent or promptly detect each above significant
            risk/opportunity.
       3.0 For each significant risk/opportunity identified, preliminarily assess, as
            strong, weak, or ineffective (including nonexistent), the likely
            effectiveness of the related designed control activities (if in place and
            operating) to provide management with reasonable assurance that
            significant fraudulent, improper, and abusive purchase card
            transactions will be prevented or promptly detected.
B2    Determine the effects of the assessment on the design of performance tests and the
      identification of potential data-mining criteria
       1.0 For each above risk/opportunity control activity relationship evaluated,
            determine its effect on the design of audit tests for adherence to
            policies and performance of control activity.
       2.0 For each above risk/opportunity control activity relationship evaluated,
            consider potential criteria for data mining identified, if any.
       3.0 Consider documenting for the audit work papers
               • the identification of each risk/opportunity,
               • the related control activities,
               • the preliminary assessment of effectiveness,
               • the effects of the assessment on the design of tests for adherence to
                 control policies and performance of control activities, and
               • the identification of potential data-mining criteria.
C – Test Adherence to Policies and Performance of Control Activities
C1    Obtain transaction data
       1.0 Obtain a database (the population) of purchase card transactions for
            the audit scope or period, and
       1.1 verify its completeness by agreeing control totals to an independent
            source (e.g., bank service provider, organization records) (see step A4
            15).
C2    Select purchase card transactions
       1.0 Consider
               • the understandings gained of the operations of the organization and the
                 purchase card program,
               • the designed internal control policies and procedures, and
               • the results of the preliminary assessment of the adequacy of internal
                 control
            and determine whether to use statistical (recommended) or
            nonstatistical sampling in selecting transactions. If a statistical sample
            selection is to be made, have a statistician design the sample.
       1.1 Document the significant considerations made and conclusions
            reached in a detailed sampling plan for inclusion in the work papers, to
            include the following:
               • the reasons that a sample was developed,
               • the type of sample (e.g., statistical or nonstatistical) and sampling
                 method (e.g., random) being used,
               • a description of the population (e.g., nature, data elements, source,
                 control totals),
               • the sample design (e.g., desired precision, stratum criteria, number
                 of items and dollars in the population and stratum, sample size by
                 strata and population) selected along with a discussion of the
                 factors considered and conclusion reached,
               • guidelines about the types of evidence and attributes the auditor will
                 accept as clear evidence of performance of control activities,
               • information about the anticipated precision of the sample estimates,
               • a definition of nonadherence to controls,
               • expectations (if any) about the rate of nonadherence to controls,
                 and
               • examples of the types of conclusions the auditor expects to be able
                 to make after the sample data are analyzed (and projected to the
                 population).
       2.0 Extract transactions, in accordance with the sampling plan, from the
            population to perform tests for performance of transaction-related
            control activities.
C3    Obtain data for testing performance of control activities
       1.0 Coordinate with the organization’s purchase card program
            management and obtain access to program personnel and original
            documentation evidencing performance of transaction-level and related
            control activities for each selected transaction. The following are
            examples of such personnel and documents.
       1.1 Personnel include:
               • cardholders for selected transactions,
               • approving officials for selected transactions,
               • agency/organization purchase card program coordinator, and
               • operations supervisory personnel as needed.
       1.2 Documents directly related and relevant to selected individual
            purchase card transactions include:
               • cardholder monthly billing statement;
               • approving official monthly billing statement;
               • cardholder log (or equivalent) of purchases made;
               • prepurchase request, approval, authorization, or other
                 determination of a legitimate government need;
               • evidence of screening for required/statutory vendors;
               • waiver on required sources of supply, if applicable;
               • evidence of bid solicitations and receipt, if applicable;
               • vendor invoice or receipt for goods or services;
               • packing slip;
               • evidence of independent receipt and acceptance;
               • bank dispute/affidavit forms, if transaction disputed;
               • cardholder reconciliation and certification of bill; and
               • approving official review and certification for payment.
       1.3 Additional documents relevant to purchases of accountable property
            include:
               • cardholder notification to property book, and
               • property book record.
       1.4 Control environment documents evidencing adherence and
            performance of key elements include (see step A5 3.0):
               • cardholder purchase and credit limits authorization,
               • approving official review responsibilities and authorized limits,
               • cardholder training certificates/records,
               • approving official training certificates/records,
               • cardholder account closure/final bill, if account is closed, and
               • disciplinary actions taken against cardholder or approving official in
                 the last _____________________________________.
C4    Test Key Control Activities
      Transaction control activity testing
       1.0 Using relevant documentation obtained for the selected purchase card
            transactions, accomplish attribute testing designed to determine the
            performance of transaction control activities, including
               • determination of a legitimate government purchase,
               • screening for required vendors,
               • independent receipt and acceptance,
               • physical control and accountability over pilferable and other
                 vulnerable property,
               • cardholder reconciliation, and
               • approving official review.
       1.1 Document for inclusion in the work papers the pass/fail results of attribute
            tests performed for each control activity to facilitate summary of the
            number of transactions that fail by attribute and by control activity, and
            the dollar value of those transactions consistent with the design of the
            sampling plan (e.g., by each stratum).
      Testing key elements of the control environment
       2.0 Using the relevant documentation obtained for testing key elements of
            the control environment (see step A5 3.1) in conjunction with tests of
            selected purchase card transactions, accomplish attribute testing
            designed to determine adherence to policy for each selected
            transaction, including
               • training,
               • discipline, and
               • purchasing and reviewing authorities.
       2.1 Document for inclusion in the work papers the pass/fail results of
            attribute tests performed for each control activity to facilitate summary
            of the number of transactions that fail by attribute and by control
            activity, and the dollar value of those transactions consistent with the
            design of the sampling plan (e.g., by each stratum).
      Potentially fraudulent, improper, and abusive purchases
       3.0 Evaluate each selected transaction for criteria identifying a potential
            fraudulent, improper, or abusive purchase, including
               • questionable vendors,
               • weekend and holiday purchases,
               • split purchases,
               • unusual amounts or relationships, and
               • year-end spending.
       3.1 Conduct follow-up of all transactions exhibiting such criteria, and refer
            any likely fraud for investigation.
       3.2 Document for inclusion in the work papers the results of follow-up and
            referrals to facilitate summary of the number of transactions
            considered fraudulent, improper, or abusive, and the dollar value of
            those transactions consistent with the design of the sampling plan (e.g.,
            by each stratum).
      Analyzing and documenting sample results
       4.0 Project the results of the sample transactions tests to the population in
            accordance with the sampling plan. If statistical sampling was used,
            provide the sample test results to the statistician for projection to the
            population, and stratum if appropriate.
       4.1 Obtain a written memorandum from the statistician of the statistical
            results of the projection(s) in accordance with the sampling plan,
            recapping the population and the sampling plan used, the control tests
            performed by the auditor, the statistical estimates (e.g., attribute
            pass/fail, dollar values) by stratum if appropriate, and the associated
            confidence intervals.
       4.2 Prepare a summary memorandum, for inclusion in the work papers,
            that incorporates the sample test results and the statistician’s report,
            recaps the rules used to assess the effectiveness of controls, and
            documents the auditor’s conclusions about the effectiveness of
            individual control activities.
       4.3 Consider the results of transaction-level and other control tests, and
            the results of data mining and follow-up of potentially fraudulent,
            improper, and abusive transactions, and prepare a memorandum for
            inclusion in the work papers documenting the considerations made and
            conclusions reached by the auditor on the overall effectiveness of the
            design and performance of internal control designed to prevent and
            detect potentially fraudulent, improper, and abusive purchase card
            transactions.
D – Pursue Fraudulent, Improper, and Abusive Purchases
D1    Data mine to identify potentially fraudulent, improper, and abusive purchases
       1.0 Based on
               • understandings gained about the operations of the organization and
                 its purchase card program,
               • the results of the preliminary assessment of internal control,
               • insights provided by involving credit card fraud investigators, and
               • insights provided by conducting tests of performance of control
                 activities,
            determine the criteria (e.g., characteristics, associations, or sequences
            and pattern clusters) that indicate potentially fraudulent, improper, and
            abusive purchases.
       2.0 Obtain a database of purchase card transactions for the audit scope or
            period (usually the same “population” database obtained for selecting
            transactions for control activity testing).
       3.0 Perform analysis of the database to identify transactions exhibiting the
            characteristics of potentially fraudulent, improper, and abusive
            purchases. Include analyses that key on the following:
               • questionable vendors,
               • weekend and holiday purchases,
               • split purchases,
               • unusual amounts or relationships,
               • year-end spending,
               • transactions by vendor analysis, and
               • suspicious cardholders and approving officials.
       4.0 Extract transactions identified above into discrete smaller databases
            for further analysis.
       5.0 Select nonrepresentative transactions from the above discrete extracts
            for follow-up, referral, and investigation.
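
Added example (not part of the GAO guide): a minimal sketch of the completeness check in step C1 1.1 and three of the data-mining criteria in step D1 3.0, run over a constructed transaction population and extracted into one list per criterion as in step D1 4.0. The field names, the $2,500 single-purchase limit, the two-day split window, the seven-day year-end window, and the use of criteria counts to prioritize follow-up are assumptions, not values from the guide.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal
from typing import NamedTuple

class Txn(NamedTuple):
    txn_id: str
    cardholder: str
    vendor: str
    when: date
    amount: Decimal

# Assumed parameters (not values from the guide); set them from the
# organization's own policy and the audit period.
SINGLE_PURCHASE_LIMIT = Decimal("2500.00")       # assumed cardholder limit
SPLIT_WINDOW_DAYS = 2                            # assumed window for related buys
HOLIDAYS = {date(2002, 7, 4), date(2002, 9, 2)}  # holidays in the sample period
FISCAL_YEAR_END = date(2002, 9, 30)
YEAR_END_WINDOW_DAYS = 7                         # assumed "year-end" window

# Constructed sample population; IDs, names and amounts are illustrative.
POPULATION = [
    Txn("T01", "CH-100", "VENDOR-A", date(2002, 6, 12), Decimal("412.10")),
    Txn("T02", "CH-200", "VENDOR-B", date(2002, 6, 18), Decimal("1800.00")),
    Txn("T03", "CH-200", "VENDOR-B", date(2002, 6, 18), Decimal("1500.00")),
    Txn("T04", "CH-200", "VENDOR-B", date(2002, 7, 16), Decimal("600.00")),
    Txn("T05", "CH-300", "VENDOR-C", date(2002, 7, 6), Decimal("250.00")),
    Txn("T06", "CH-300", "VENDOR-D", date(2002, 7, 4), Decimal("75.00")),
    Txn("T07", "CH-400", "VENDOR-E", date(2002, 9, 27), Decimal("2450.00")),
    Txn("T08", "CH-400", "VENDOR-E", date(2002, 9, 28), Decimal("2400.00")),
]

def control_totals_agree(txns, expected_count, expected_total):
    """Agree record count and dollar total to an independent source."""
    return (len(txns) == expected_count
            and sum(t.amount for t in txns) == expected_total)

def weekend_or_holiday(txns):
    return sorted(t.txn_id for t in txns
                  if t.when.weekday() >= 5 or t.when in HOLIDAYS)

def year_end_spending(txns):
    start = FISCAL_YEAR_END - timedelta(days=YEAR_END_WINDOW_DAYS)
    return sorted(t.txn_id for t in txns if start <= t.when <= FISCAL_YEAR_END)

def split_purchases(txns):
    """Same cardholder and vendor, close in time, each purchase within the
    limit but the combined total above it."""
    by_pair = defaultdict(list)
    for t in txns:
        by_pair[(t.cardholder, t.vendor)].append(t)
    flagged = set()
    for group in by_pair.values():
        group.sort(key=lambda t: t.when)
        for i, first in enumerate(group):
            window = [t for t in group[i:]
                      if (t.when - first.when).days <= SPLIT_WINDOW_DAYS]
            total = sum(t.amount for t in window)
            if (len(window) > 1 and total > SINGLE_PURCHASE_LIMIT
                    and all(t.amount <= SINGLE_PURCHASE_LIMIT for t in window)):
                flagged.update(t.txn_id for t in window)
    return sorted(flagged)

def data_mine(txns):
    """Build one discrete extract (list of transaction IDs) per criterion."""
    return {
        "weekend_or_holiday": weekend_or_holiday(txns),
        "split_purchase": split_purchases(txns),
        "year_end_spending": year_end_spending(txns),
    }

def criteria_by_transaction(extracts):
    """Invert the extracts so follow-up can start with multi-criteria hits."""
    hits = defaultdict(list)
    for criterion, ids in extracts.items():
        for txn_id in ids:
            hits[txn_id].append(criterion)
    return dict(hits)

if __name__ == "__main__":
    for txn_id, criteria in criteria_by_transaction(data_mine(POPULATION)).items():
        print(txn_id, criteria)
```

A flagged transaction is only a candidate for follow-up under section D2; the supporting documentation determines whether the purchase was appropriate.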
D2    Follow-up and referral of selected purchase card transactions
       1.0 Obtain supporting cardholder purchase documentation for all
            potentially fraudulent, improper, and abusive purchase card
            transactions identified and selected in the above data-mining
            approaches.
                Such documentation would normally include the documents
                directly related and relevant to selected individual purchase
                card transactions listed in the Obtain Data for Testing
                Performance of Control Activities section of this example
                audit program (see step C3 1.2).
       2.0 Review the initial supporting documentation for the selected
            transactions and make a preliminary determination of the
            appropriateness of the purchase.
       3.0 For those data-mined purchase card transactions (and those control
            activity test transactions) that continue to be considered potentially
            fraudulent, improper, or abusive, accomplish follow-up procedures as
            indicated by the circumstances, such as
               • request additional documentation,
               • interview the cardholder,
               • interview the approving official,
               • interview operational supervisors and coworkers,
               • contact the vendor directly, and
               • request relevant items from fraud investigators.
       4.0 Document for the audit work papers each interview conducted during
            the follow-up process.
       5.0 Document for the audit work papers the results of each follow-up
            process in a summary memorandum, and attach all interviews and
            relevant supporting documentation.
       6.0 Refer all purchase card transactions that, after completion of the
            follow-up process, are considered likely fraudulent to the
            appropriate fraud investigative body.
            The referral communication should be written and should include the
            following information:
               • the date of the communication,
               • the name of the referring organization,
               • the name and telephone number of the referring contact,
               • the organization and program under audit,
               • a description of the potentially fraudulent transaction (e.g., goods or
                 services purchased, amounts paid, impropriety of the transaction),
               • the reason(s) for concluding that the transaction is potentially
                 fraudulent,
               • the names and positions of the individuals involved (e.g., John Buck
                 – cardholder, Jane Doe – vendor),
               • the date(s) of the purchase transaction(s),
               • a description of the indicators alerting the auditor to the potentially
                 fraudulent transaction (e.g., altered supporting documentation,
                 personnel interview, or record discrepancies), and
               • a statement as to whether the relevant documents (copies or
                 originals) are attached or are available (e.g., cardholder billing
                 statement, vendor invoice(s), follow-up interview(s)).
            Retain a copy of all referral communications and attachments for the
            audit work papers.
       6.1 Request memorandums of investigations at the end of the audit period
            detailing the conduct, progress, and status of all such referred purchase
            card transactions.

APPENDIX VI – GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE CARD FRAUD


For purchase card transactions that have been identified as potentially fraudulent, the
investigator should review information provided as part of the follow-up and referral process
and, to the extent necessary, take the following actions:

•   Obtain from the organization, auditor, or manager the names of cardholder(s) for accounts
    involved with the transaction(s).

•   Obtain account histories from the bankcard service provider for specific accounts to identify
    any patterns of similar or other questionable transactions and the vendors involved with
    those transactions.

•   Identify the organization’s approval process and determine who
       • requested the goods or services purchased,
       • approved the transactions, and
       • signed off on the monthly statement indicating that he or she had reviewed the
         transactions.

•   Obtain from the organization, auditor, or manager documentation related to the
    transaction(s), such as invoices, shipping receipts, and any contact telephone numbers.

•   Determine the organization’s policies for accountability for pilferable and other property.

•   Interview the individuals involved with requesting the goods or services and the individuals
    who reviewed the monthly bank statements to determine whether each was aware of (1) the
    transaction(s) and (2) whether the cardholder filed a dispute form concerning the
    transactions.

•   Interview the cardholder to determine who made the purchases, the purpose of the
    purchases, and whether he or she disputed the transactions.

•   Interview the vendor(s) from which questionable transactions were made and
        • obtain any documentation relating to the transactions, including detailed descriptions of
          items purchased, serial numbers, or specific services provided;
        • determine where property was delivered or where the services were provided;
        • determine whether the vendor records the telephone number from which the order for
          goods or services was made; and
        • determine whether the vendor maintains a database of purchase card numbers and
          whether this database has been compromised.

•   Interview organization officials responsible for maintaining property inventory and determine
        • whether the items purchased were included in inventory and
        • how property delivered to the organization is accounted for.

APPENDIX VII – GAO CONTACT AND STAFF ACKNOWLEDGMENTS


GAO Contact

Stephen Wm. Lipscomb, (303) 572-7328

Staff Acknowledgments

In addition to the person named above, David Childress, Francine DelVecchio, Don Fulwider,
Charles R. Hodge, Jeffrey Jacobson, Jason Kelly, Julia Matta, John Ryan, and Sidney Schwartz
made important contributions to this guide.