oversight

HUD Did Not Evaluate and Report Potential Violations of Its Government Purchase Card Program

Published by the Department of Housing and Urban Development, Office of Inspector General on 2015-07-07.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

        U.S. Department of Housing and
              Urban Development,
               Washington, DC
             The Government Purchase Card Program




Office of Audit, Financial Audits Division   Audit Report Number: 2015-FO-0006
Headquarters                                                        July 7, 2015
To:            Keith W. Surber, Acting Chief Procurement Office, N
               Towanda Brooks, Acting Chief Human Capital Officer, A

                    //s//
From:          Thomas R. McEnanly, Director of the Financial Audits Division, GAF
Subject:       HUD Did Not Evaluate and Report Potential Violations of Its Government
               Purchase Card Program




Attached is the U.S. Department of Housing and Urban Development (HUD), Office of Inspector
General’s (OIG) final results of our review of HUD’s purchase card program.
HUD Handbook 2000.06, REV-4, sets specific timeframes for management decisions on
recommended corrective actions. For each recommendation without a management decision,
please respond and provide status reports in accordance with the HUD Handbook. Please furnish
us copies of any correspondence or directives issued because of the audit.
The Inspector General Act, Title 5 United States Code, section 8M, requires that OIG post its
publicly available reports on the OIG Web site. Accordingly, this report will be posted at
http://www.hudoig.gov.
If you have any questions or comments about this report, please do not hesitate to call me at
(202) 402-8216.
                        Audit Report Number: 2015-FO-0006
                        Date: July 7, 2015

                        HUD Did Not Evaluate and Report Potential Violations of Its Government
                        Purchase Card Program




Highlights

What We Audited and Why
We audited the U.S. Department of Housing and Urban Development’s (HUD) administration of
its purchase card program in accordance with the Charge Card Abuse Prevention Act of 2012.
Our 2013 risk assessment review identified HUD’s purchase card program at medium to high
risk for fraud or misuse,1 and our review of HUD’s Semiannual Purchase Card Violation Report
(audit memorandum number 2014-FO-0801) raised concerns regarding HUD’s internal controls
over the purchases made within this program. The objective of the audit was to determine
whether HUD evaluated and reported improper and potentially illegal uses of government
purchase cards.

What We Found
Purchase card transactions were generally supported. However, HUD did not evaluate a
potential violation to determine whether it constituted a significant weakness and could have
provided better transparency by reporting the potential purchase card violation in its reports to
the Office of Management and Budget. Specifically, HUD did not evaluate or report a violation
in which an employee made fraudulent purchases totaling $11,938 from August through October
2013.

What We Recommend
We recommend that HUD revise existing procedures to include the evaluation of the impact of
identified violations on HUD’s purchase card program controls and how violations will be
reported.




1
  The Office of Inspector General’s fiscal year 2013 risk assessment of HUD’s agencywide charge card program
identified potential split purchase transactions, questionable purchases made with third-party credit card processors,
and missing purchase card activity data.
Table of Contents
Background and Objective......................................................................................3
Results of Audit ........................................................................................................................ 4
          Finding: HUD Did Not Evaluate and Report a Potential Purchase Card Violation . 4

Scope and Methodology ...........................................................................................7

Internal Controls ......................................................................................................8

Appendix ...................................................................................................................9
          A. Auditee Comments and OIG’s Evaluation ............................................................... 9




                                                                    2
Background and Objective
The General Services Administration (GSA) administers the Government Charge Card program,
also known as the GSA SmartPay program. This program provides purchase charge cards to
agencies or departments throughout the U.S. Government to streamline small purchases, facilitate
payment processes, minimize paperwork, and simplify the administrative effort associated with
procuring goods and services. GSA negotiates master contracts with national banks, such as
Citibank, JP Morgan Chase, and U.S. Bank, to provide charge cards to Federal employees. The
U.S. Department of Housing and Urban Development (HUD) uses Citibank as its purchase card
provider.
On October 5, 2012, President Obama signed the Charge Card Abuse Prevention Act of 2012,
Public Law 112-194. This law requires all executive branch agencies to establish and maintain
safeguards and internal controls for their use of purchase cards, travel cards, integrated cards, and
centrally billed accounts. On September 6, 2013, the Office of Management and Budget (OMB)
issued Memorandum M-13-21, which provides guidance on the implementation of the Charge Card
Act.
The Charge Card Act was designed to prevent recurring fraud, waste, and abuse in governmentwide
charge programs. It requires offices of inspector general (OIG) to (1) conduct periodic assessments
of the agency charge card programs; (2) identify and analyze the risk of illegal, improper, or
erroneous purchases and payments; (3) perform analyses or audits as necessary; (4) report to the
head of the executive agency concerns regarding the results of such analyses or audits; and (5)
report to OMB on the implementation of recommendations made to the head of the executive
agency. In addition, the Charge Card Act requires the OIGs of each executive agency to submit
semiannual joint purchase and integrated card violation reports2 to the Director of OMB that at a
minimum, provide summary descriptions of confirmed violations involving the misuse of charge
cards and disciplinary actions taken. The Charge Card Act requires agencies to submit a
semiannual report summarizing descriptions of (a) confirmed violations involving misuse of a
purchase card, and (b) all adverse personnel actions, punishments, or other actions taken in
response to each reportable violation involving misuse of a purchase card to OMB.
Our audit objective was to determine whether HUD evaluated and reported improper and
potentially illegal uses of government purchase cards.




2
  According to the Charge Card Act and OMB guidance, a semiannual joint purchase and integrated card violation
report is to be prepared by the agency head and inspector general for submission to OMB 120 days after the end of
the semiannual reporting periods (that is, April 1 to September 30 and October 1 to March 30). The violation report
should be incorporated into the existing charge card management plans, which are due to OMB on January 31and
July 31 of each year.



                                                         3
Results of Audit
Finding: HUD Did Not Evaluate and Report a Potential Purchase
Card Violation
Purchase card transactions were supported. However, HUD did not evaluate a potential violation
to determine whether it constituted a significant weakness and could have provided better
transparency by reporting the potential purchase card violation in its reports to OMB.
Specifically, HUD did not evaluate or report a violation in which an employee made fraudulent
purchases totaling $11,938 from August 2013 through October 2013. This occurred because
HUD’s existing purchase card policies did not include specific procedures to evaluate violations
for purchase card program weaknesses and criteria to report violations to OMB. As a result,
HUD did not determine whether its program was at risk for future abuses, and its report may not
have been transparent or include all required disclosures. OMB uses the report to ensure that
misuse is addressed and resolved.
Purchase Card Transactions Were Generally Supported
During fiscal year 2014, HUD significantly reduced the number of unblocked merchant category
codes to reduce the risk of improper transactions. HUD also implemented a standardized process
to review transactions monthly and a requirement that purchase cardholders make purchases
through the GSA Advantage system. This requirement ensures that HUD gets GSA-negotiated
prices from GSA-approved vendors. We reviewed a sample of purchase card transactions and
found that HUD complied with its purchase card policies and the Federal Strategic Sourcing
Initiative. For questionable purchases, we determined that purchase cardholders provided
documentation to support the use and purpose of the purchases and the purchases were properly
approved by the user’s immediate supervisor. We also found no significant incident involving
split purchase transactions.
Purchase Card Violations Were Not Evaluated or Reported
HUD did not evaluate or report a purchase card violation by a HUD employee who made
$11,938 in fraudulent purchases from August through October 2013. The HUD employee
charged the amounts below for personal use using the employee’s government purchase card.
The employee was placed on administrative leave, and the violation was referred to OIG. OIG
obtained an indictment against the employee in January 2014.




                                               4
         Merchant category         Merchant category description         Amount
               code
         5411                   Grocery stores and supermarkets           $7,357
         5331                   Variety stores                              $2
         7011                   Lodging (hotels, motels, and resorts)     $2,039
         4814                   Call through use of magnetic stripe,       $203
                                reading telephones, or
                                telecommunication services
         5912                   Drug stores and pharmacies                $1,280
         4812                   Telecommunications equipment,              $176
                                including telephone sales
         4899                   Cable, satellite, and other pay            $488
                                television and radio services
         7399                   Business services not elsewhere             $30
                                classified
         7299                   Other services not elsewhere                $21
                                classified
         4111                   Transportation – suburban and local        $190
                                commuter passenger, including
                                ferries
         5812                   Eating places, restaurants                 $152
         Total amount                                                     $11,938

The Charge Card Act requires that confirmed violations be reported in the semiannual joint
purchase and integrated card violation reports to OMB. OMB defines a confirmed violation as a
deficiency that, according to management’s judgment, should be communicated to OMB because
it represents significant weaknesses in the design or operation of the charge card program.
Further, a confirmed violation is one that adversely affects the organization’s ability to meet its
internal control objectives, as envisioned by the Charge Card Act, to prevent fraud or abuse of
government charge cards.

HUD did not report the violation because it believed it should not do so until OIG confirmed that
the transactions violated Federal regulations. Typically, these investigations, if accepted by OIG,
may take months or years to complete. According to the Charge Card Act, HUD is responsible
for determining whether a violation represented a significant weakness in its controls. Therefore,
HUD has the authority and responsibility to independently determine whether a reportable
violation occurred. HUD stated that it evaluated the matter immediately after discovery and took
several actions to strengthen the controls over the program, however evidence of these actions
was not provided and accordingly were not part of our audit.




                                                 5
HUD should not have waited for the results of the OIG investigation to determine whether the
purchase card misuse constituted a significant weakness and whether or not to report the
violation. HUD’s existing policies did not include procedures and criteria to (a) complete an
evaluation of a violation to determine if it is indicative of a significant weakness in controls and
(b) determine what constitutes a violation that is reportable in the semiannual joint purchase and
integrated card violation report to OMB. Reporting violations as soon as HUD completes its
evaluation would provide better transparency to OMB regarding weaknesses in HUD’s purchase
card program.

Accordingly, the semiannual joint purchase and integrated card violation reports submitted to
OMB on January 31 and July 31, 2014, did not include this violation and may not have included
any other violations that occurred during the reporting period because some violations might
have been under OIG review at the time. However, an OIG investigation should not prevent
HUD from determining whether weaknesses in the design or operation of its purchase card
program caused the violation and reporting such instances in the semiannual joint purchase and
integrated card violation report.

Conclusion
HUD did not report the violation because its existing policies did not include procedures to
complete an evaluation of violation to determine whether weaknesses in HUD’s purchase card
program existed. Additionally, HUD’s existing policy did not include criteria and procedures to
report violations in the semiannual joint purchase and integrated card violation report to OMB.
As a result, HUD did not determine whether its program was at risk for future abuses and its
report may not have been transparent or include all required disclosures.
Recommendations
We recommend that Office of the Chief Procurement Officer

       1A.     Improve existing policies to include (a) robust procedures to evaluate violations to
               determine whether they constitute a significant weakness in the design or
               operation of the purchase card program and (b) specific criteria to determine
               which violations will be reported.




                                                  6
Scope and Methodology
We performed our review from May 2014 through January 2015 at HUD headquarters in
Washington, DC. Our review covered the period April 1, 2013, through March 31, 2014.
To accomplish our objective, we
       Reviewed applicable laws and regulations,
       Reviewed HUD’s Government Purchase Card Program Policy Guide,
       Reviewed prior OIG reports,
       Interviewed HUD staff,
       Randomly selected and tested individual purchase card transactions, and
       Reviewed monthly purchase card transaction reports.
The universe of the credit card transactions covered the period April 1, 2013, to March 31, 2014,
and consisted of 10,182 transactions totaling more than $3.3 million. This review did not include
travel card transactions.3
Our review of HUD’s purchase card transactions included tests for

       Blocked and overridden merchant category codes,
       Compliance with GSA’s Federal Strategic Sourcing Initiative,
       Split purchases, and
       Unusual restaurant merchant category code transactions

To achieve our audit objective, we relied on HUD’s computer-processed data. We used the data
to select a sample of disbursements to review. Although we did not perform a detailed
assessment of the reliability of the data, we performed a minimal level of testing and found the
data to be adequate for our purposes.

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective(s). We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.




3
 This universe excludes separately monitored purchase card transactions made within the Real Estate Assessment
Center’s Reverse Auction mortgage and Federal Housing Administration programs.




                                                        7
Internal Controls
Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

   Effectiveness and efficiency of operations,
   Reliability of financial reporting, and
   Compliance with applicable laws and regulations.
Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.
Relevant Internal Controls
We determined that the following internal controls were relevant to our audit objective:

   HUD’s controls for reporting to OMB.
We assessed the relevant controls identified above.
A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, the
reasonable opportunity to prevent, identify, or correct (1) impairments to effectiveness or
efficiency of operations, (2) misstatements in financial or performance information, or (3)
violations of laws and regulations on a timely basis.
Significant Deficiencies
Based on our review, we believe that the following is a significant deficiency:

   HUD did not develop procedures for evaluating purchase card violations to determine
    whether internal control weaknesses are required to be reported to OMB (finding).




                                                  8
Appendix

Appendix A
             Auditee Comments and OIG’s Evaluation



Ref to OIG    Auditee Comments
Evaluation




Comment 1




                               9
Ref to OIG   Auditee Comments
Evaluation




Comment 2




Comment 3


Comment 4




Comment 5




                            10
Ref to OIG   Auditee Comments
Evaluation


Comment 5
(cont)




                            11
                         OIG Evaluation of Auditee Comments


Comment 1   We disagree with HUD’s response. Although HUD stated that it reported the
            misuse of the purchase card in its quarterly report to OMB dated January 31,
            2014, HUD did not report the violation in its semiannual joint purchase and
            integrated card violation reports submitted to OMB on January 31 and July 31,
            2014 as is required by the Charge Card Act. The semiannual report is different in
            that it requires agencies to report summary descriptions of (a) confirmed
            violations involving misuse of a purchase card, and (b) all adverse personnel
            actions, punishments, or other actions taken in response to each reportable
            violation involving misuse of a purchase card; details which were not included in
            the quarterly report to OMB. Further, the current HUD’s Government Purchase
            Card Program Policy Guide does not state that OIG has to confirm the purchase
            card violations before reporting it to OMB.

            In addition, HUD did not provide the documentation to support that it evaluated
            the matter immediately after discovery of the incident and took the actions listed
            in their formal comments in order to strengthen its controls and accordingly, they
            were not reviewed as part of this audit.

Comment 2   We disagree with HUD’s response. As stated in comment 1 above, HUD states
            that they evaluated the violation as required, however documentation to support
            the evaluation was not provided for our review. Further, HUD did not report the
            violation in its semiannual joint purchase and integrated card violation reports to
            OMB.

            HUD needs to include in its policy criteria to determine which identified
            violations constitute significant weaknesses to the purchase card program and
            which violations will be reported to OMB.

Comment 3   OMB memo M-13-21 requires that the agency or OIG confirm the identified
            violations; therefore, the agency can make the determination without OIG’s
            confirmation. In addition, HUD’s current Government Purchase Card Program
            Policy Guide does not state that OIG has to confirm the purchase card violations
            before reporting it in the semiannual joint purchase and integrated card violation
            report to OMB. HUD has the authority and responsibility to independently
            determine whether a reportable violation occurred. It should work with OIG in
            cases that are referred and accepted to ensure that reporting will not interfere in an
            investigation.

Comment 4    As mentioned in comment 1 above, HUD did not provide the documentation to
            support that it determined if the violation found in our review constituted a
            significant weakness for the purchase card program; therefore we do not have
            evidence that its evaluation was conducted. In addition, HUD did not report the



                                               12
              violation in its semiannual joint purchase and integrated card violation reports
              submitted to OMB on January 31 and July 31, 2014. Existing policies do not
              include HUD’s procedures to conduct an evaluation and criteria to follow when
              determining if a violation has occurred that warrants reporting. Language clarify
              that HUD’s existing policies did not include these procedures have been added to
              the final report.

Comments 5 The procedures outlined serve as a starting point and should be expanded upon
           and incorporated into formal policy to be followed by responsible HUD
           personnel. The completion of such actions will be evaluated during the audit
           resolution process. The recommendation will remain open until sufficient
           evidence is provided to satisfactorily close out the recommendation.




                                               13