Audit of NSF's Purchase Card Program

Published by the National Science Foundation, Office of Inspector General on 2014-01-27.

                   National Science Foundation • Office of Inspector General
                   4201 Wilson Boulevard, Suite I-1135, Arlington, Virginia 22230


MEMORANDUM


DATE:                  January 27, 2014

TO:                    Dr. Cora B. Marrett
                       Deputy Director
                       National Science Foundation

FROM:                  Dr. Brett M. Baker
                       Assistant Inspector General for Audit

SUBJECT:               Audit of NSF’s Purchase Card Program, Report No. 14-2-006

Attached is the final report on the subject audit. The report contains one finding on the
need to strengthen NSF’s oversight of the purchase card program with three
recommendations.

In accordance with Office of Management and Budget Circular A-50, Audit Followup,
please provide a written corrective action plan within 60 days to address the report
recommendations. This corrective action plan should detail specific actions and milestone
dates.

We appreciate the courtesies and assistance provided by so many NSF staff during the
review. If you have any questions, please contact Marie Maguire, Director of
Performance Audits, at (703) 292-5009.

Attachment

cc:            Allison Lerner                   Steven Strength
               G. P. Peterson                   Susan Carnohan
               Michael Van Woert                Marie Maguire
               Cliff Gabriel                    Wendell Reid
               Martha Rubenstein                Emily Franko
               Jeffrey Lupis                    Karen Scott
               Greg Steigerwald

Audit of the National Science Foundation’s Purchase Card Program

National Science Foundation
Office of Inspector General

January 27, 2014
OIG 14-2-006

TM#13-P-1-002

Introduction

The National Science Foundation (NSF) participates in the General Services
Administration’s (GSA) government-wide purchase card program, SmartPay. The
purchase card program provides Federal agencies with a flexible and efficient means to
quickly make authorized low dollar value and high volume purchases of general
supplies or services. JPMorgan Chase bank (JPMorgan Chase) provides the credit
cards and banking services to NSF under GSA’s SmartPay program.

The Government Charge Card Abuse Prevention Act of 2012 (the Charge Card Act),
Public Law 112-194, enacted in October 2012, requires all executive branch agencies to
establish and maintain specific safeguards and internal controls for the management of
purchase cards. In addition, the Charge Card Act also establishes additional reporting
and audit requirements relating to the agency purchase cards. On September 6, 2013,
the Office of Management and Budget (OMB) issued Memorandum M-13-21, which
provided further guidance to implement the Charge Card Act.

The Division of Acquisition and Cooperative Support (DACS) within NSF’s Office of
Budget, Finance & Award Management is primarily responsible for administering the
purchase card program. At NSF, the primary participants in the program are the:

    (1) Agency Program Coordinator (APC) in DACS who has responsibility for both
        overall administrative functions relating to the program and general oversight of
        all purchase cardholders;
    (2) purchase cardholders appointed to use the purchase card within their NSF
        organizational unit; and
    (3) approving officials who pre-approve the purchase card use of their assigned
        cardholder(s), monitor account activity, and review cardholders’ monthly account
        statement.

From April 1, 2010 through March 31, 2013, 233 NSF employees used purchase cards
to make approximately 34,300 transactions totaling almost $17 million. DACS reported
that as of February 1, 2013, 272 purchase cards were assigned to 186 employees and
there were 96 approving officials.

The last OIG audit of NSF’s purchase card program, performed in 2002 [1], found irregular
transactions, including potential split purchases, payment of sales taxes, and the
purchase of prohibited items such as travel.

[1] Purchase Card Program Controls Need Strengthening, Audit Report No. 02-2-014, issued
September 30, 2002.

Results of Audit
NSF’s controls to prevent and detect unauthorized purchases and its oversight of the
purchase card program need strengthening. The control to cancel accounts when
cardholders leave NSF was generally working. However, controls over preapprovals of
transactions and reviews of purchase card statements were not always followed. Also,
agency-wide monitoring of the program and reviews of JPMorgan Chase reports
showing agency activity were not often performed. As a result, there was a risk that
inappropriate or fraudulent transactions could occur and not be detected. We did
identify some inappropriate purchases and referred three cardholders’ activity to our
Office of Investigations (OI) for investigation of possible fraud. As a result of one of
these investigations, a cardholder pleaded guilty in December 2013 to stealing more
than $94,000 by using his purchase card to buy electronics, music, and movies for
himself and his family.

NSF recently made improvements in its oversight of the purchase card program,
including updated guidance for the purchase card program in July 2013 and a new
online training course in August 2013. During fiscal year 2013, NSF management
committed more resources to assist the APC to perform targeted reviews of purchase
card activity. DACS began using a contractor to test a sample of transactions. As most
of these improvements occurred after our period under audit, we did not evaluate their
effectiveness. However, a sustained commitment by management to strong oversight is
needed to ensure purchase card holders comply with Federal regulations and agency
policies, and to prevent and detect misuse of the purchase cards.


Oversight of NSF’s Purchase Card Program Needs
Strengthening
NSF’s internal controls to ensure that cardholders properly use purchase cards and
comply with Federal regulations as well as NSF policies and procedures need to be
strengthened and enforced. From our targeted, risk-based sample [2] of 508 transactions,
totaling $314,443 [3] for 43 cardholders [4], we found the following control weaknesses.

[2] See Appendix B: Objectives, Scope and Methodology for details on how we selected which
transactions to test. Because we targeted our testing to the riskiest transactions, the sample
is not representative of the approximately 34,300 transactions in our population and the
results should not be projected to the universe.
[3] This amount is the net of transactions tested, reflecting both charges and credits (refunds,
adjustments, etc.). All totals discussed in this report reflect net amounts.
[4] Includes 10 cardholders who no longer work for NSF.

    Some purchases were not pre-approved.
    There was no evidence of preapproval for 151 transactions totaling $76,877. These
    unapproved purchases were made by 30 of the 43 cardholders tested. These 30
    cardholders had between 1 and 21 unapproved transactions. Per both of NSF’s
    policies in effect during our audit period - the VISA Purchase Card Program
    Handbook and Training Manual and the VISA U.S. Government Purchase Card
    Guidance for Approving Officials, dated February 2004 - the approving official is
    responsible for ensuring that transactions were authorized in advance of being made
    by the cardholder.

    Cardholders did not consistently maintain receipts or invoices for transactions, as
    required.
    Of the 43 cardholders tested, NSF could not provide support for 72 transactions
    totaling $46,206 for 21 cardholders. For two former employees, NSF could not
    locate documentation for any of their purchases. Both NSF policy and National
    Archives and Records Administration regulations require that cardholders retain
    records pertaining to purchase card transactions for 3 years after final payment to
    the vendor.

    There was no evidence of approving officials’ review of some purchase card bank
    statements.
    Of the 508 transactions we tested, there was no evidence that the approving official
    reviewed the bank statements for 191 transactions totaling $124,747. Furthermore,
    32 transactions totaling $27,163 were not reviewed within 60 days of the billing date.
    These 223 transactions were made by 37 [5] of the 43 cardholders tested. For one
    cardholder we tested, some bank statements were in unopened envelopes. Per
    NSF’s policies, the approving official should approve the cardholder’s monthly
    statement to ensure that the statement and supporting documentation are complete,
    accurate, and reflect only authorized purchases made in accordance with the
    Federal Acquisition Regulation. These policies also require approving officials to
    review monthly transactions for patterns that indicate purchases are being split to
    avoid the micro-purchase limit. The approving official’s review should also ensure,
    in accordance with GSA regulations and NSF policy, that sales taxes are not paid.
    The approving official is required to sign and date the cardholder’s monthly
    statement. However, NSF’s policies did not prescribe when these reviews must
    occur. Given that cardholders have 60 days to dispute transactions with JPMorgan
    Chase, it is reasonable for the approving officials’ review to take place within this
    time period.

[5] Some of these 37 cardholders had both transactions with no approving official review of the
related bank statement(s) and late approving official review.

    Bank activity reports and Merchant Category Codes were not reviewed.
    JPMorgan Chase provides the APC various exception reports on purchase card
    activity, such as reports of lost or stolen cards, declined or blocked transactions, and
    reports containing detailed information on items purchased from certain vendors.
    NSF did not regularly obtain and review most of these reports. The GSA SmartPay
    program recommends that the APC use bank electronic reports to monitor and track
    purchases to identify potential misuse and fraud. NSF’s 2004 policy states that
    review and assessment of monthly administrative reports on the program is an
    APC responsibility. Also, OMB Circular No. A-123, Appendix B Revised, dated
    January 15, 2009, requires card managers to review account activity reports to
    identify questionable or suspicious transactions.

    Merchant Category Codes (MCC) identify the vendor’s business category, such as
    computer software stores, telecommunications services, restaurants, book stores,
    etc. At the APC’s request, JPMorgan Chase can block transactions with merchants
    with specified MCC codes. Although MCC codes periodically change, before
    February 2013 NSF had not reviewed its allowable and blocked codes since 2008.

    We requested a list of blocked and allowable MCC codes and identified some codes,
    such as babysitting, massage parlors, dating and escort services, and veterinary
    services, that should have been blocked but were not. It is important to note that we
    did not identify any NSF purchases to any of these codes. The APC then reviewed
    the list provided to us and directed JPMorgan Chase to immediately block these and
    other questionable MCC codes. NSF can reduce its risk of improper purchases by
    periodically reviewing MCC codes and blocking purchases from vendors with codes
    that do not relate to NSF’s business needs.

    Some electronic equipment purchased using the purchase card, such as iPads and
    cameras, did not have inventory barcodes to be included in NSF’s inventory system.
    NSF’s purchase card policy requires cardholders to report accountable property
    purchases to the Division of Administrative Services (DAS) to arrange for
    assignment of barcode stickers and to have the items logged into the NSF inventory
    system. NSF’s 2004 policy also requires the approving official to verify that the
    accountable property has been inventoried. Furthermore, NSF’s policy on property
    management for accountable property, issued by DAS, requires items with
    acquisition values under $2,500 considered to be sensitive or highly pilferable, such
    as desktops and laptops, to be inventoried.

We identified four causes that allowed these internal control weaknesses to occur.
First, NSF had not committed sufficient resources to monitor and oversee the purchase
card program. The APC, who is responsible for overseeing NSF’s purchase card
activity, also had other competing time-sensitive job responsibilities, such as serving as
Contracting Officer for several contract awards. Second, in the majority of cases,
cardholders and approving officials received informal training from the APC once, when
they were initially assigned cardholder and approving official responsibilities. This
training was not provided annually despite being required by NSF’s VISA Purchase
Card Program Handbook and Training Manual. In August 2013, NSF developed new
automated training for both cardholders and approving officials. NSF required that this
new training be completed by December 2013. This change should improve
cardholders’ and approving officials’ awareness of their responsibilities under the
program.

Third, some cardholders stated that they were not aware that sensitive or highly
portable property, such as professional cameras and high-end audiovisual equipment,
should be barcoded because NSF’s policy only required computers (laptops and
desktops) and Personal Digital Assistants (PDAs), including Blackberry cell phones, to
be barcoded. NSF’s prior purchase card policy does not require barcoding of other
sensitive or pilferable property, such as cameras and high-end audiovisual items.
NSF’s new 2013 Purchase Card Program Handbook and Policy Manual does state that
the cardholder should inventory equipment with acquisition values under $2,500
considered to be sensitive or highly pilferable, and this Manual lists laptops, desktops,
and PDAs. The DAS policy, Procedures for Property Management for accountable
property, only lists desktops and laptops as examples of accountable property with
acquisition values under $2,500. However, another DAS guidance document, the
Property Custodian Operational Handbook, which details property management roles
and responsibilities, also includes iPads, iPhones, video cameras, and high-end
audiovisual equipment on its list of sensitive and highly portable equipment to be
barcoded.

Finally, some approving officials did not always ensure that departing cardholders
submitted their purchase card records before they left the agency despite the 3-year
record retention policy.



As a result of the conditions we identified, there was a risk that inappropriate or
fraudulent transactions could occur and not be detected. We identified the following
inappropriate purchases:

          •   17 transactions totaling $32,503 made by 6 cardholders were split
              purchases.
          •   17 instances totaling $1,113 in which the purchase card was
              inappropriately used to pay for transportation to airports for two officials
              who were on temporary duty travel. SmartPay provides a separate travel
              card program to be used for travel and travel-related purchases.
          •   10 of the 43 cardholders tested paid $821 of sales taxes for 20
              transactions tested.
          •   Two instances in which cardholders did not fully resolve disputes of items
              that NSF did not purchase. In one case, the cardholder failed to fully
              resolve potential overcharges of $11,594 for computers that the
              cardholder did not purchase.
          •   Some electronic items purchased, such as music players and speakers,
              appear to be of questionable business use or necessity.

Furthermore, we referred purchase card transactions for three cardholders to OI for
investigation of possible fraud. We did not test any transactions for two of these
cardholders, so their transactions are not included in our results. As a result of one of
these investigations, one cardholder, whose purchases are not included in our results,
pleaded guilty on December 5, 2013 to fraudulently purchasing more than $94,000 of
electronics, music, and movies for himself and his family. For another cardholder, OI
determined that the purchase investigated was not inappropriate. The remaining
investigation is ongoing.

During our audit, NSF made improvements in its oversight of the purchase card
program, including issuing updated guidance in July 2013 and requiring cardholders
and approving officials to annually complete a new online training course. NSF
management obtained a contractor to assist the APC to perform targeted reviews of
purchase card activity. These improvements occurred after our period under audit and
therefore, we did not evaluate their effectiveness. However, a sustained commitment
by management to strong oversight is needed to ensure purchase cardholders comply
with Federal regulations and agency policies, and to prevent and detect misuse of the
purchase cards.


Recommendations

   1. The NSF Director should take appropriate actions to monitor and oversee the
      purchase card program. Such actions should include:
         •   Continuous monitoring of purchase card transactions, using available
             JPMorgan Chase reports to identify transactions for additional review.
         •   Ensuring approving officials are reviewing cardholders’ transactions from
             preapproval to bank statement reconciliation.
         •   Reviewing MCC codes on a periodic basis to determine if additional codes
             should be blocked.
         •   Ensuring compliance with record retention policies for purchase card
             activity.
         •   Ensuring accountable property, including sensitive and highly portable
             items, has been inventoried.

   2. DACS should:
        • Coordinate with DAS to revise the NSF policy, Procedures for Property
           Management for accountable property to include additional examples of
           sensitive and highly portable items to be barcoded, and
        • Update the Purchase Card Program Handbook and Policy Manual and
           training materials to be consistent with the revisions to the DAS policy.

   3. The APC should ensure that cardholders and approving officials meet the new
      annual training requirement.


Summary of Agency Response and OIG Comments

NSF concurs with the conclusions and recommendations. We have included NSF's
response to this report in its entirety as Appendix A.



OIG Contact and Staff Acknowledgements
Marie Maguire – Director of Performance Audits
(703) 292-5009 or mmaguire@nsf.gov

In addition to Ms. Maguire, Wendell Reid and Emily Franko made key contributions to
this report.




Appendix A: Agency Response




Appendix B: Objective, Scope and Methodology
The objectives of this performance audit were to determine the adequacy of NSF’s
controls over purchase cards and to identify possible improper charges. Our scope was
purchase card controls and activity from April 1, 2010 through March 31, 2013.

To complete our objectives, we reviewed NSF and federal criteria to understand the
rules governing the purchase card program; interviewed the APC, several cardholders,
and several approving officials to gain an understanding of their procedures to oversee
the program, and make and approve purchase card transactions; utilized data obtained
from JPMorgan Chase; and tested a risk-based sample of purchase card transactions
occurring during our scope period.

To develop this risk-based sample, we developed 19 risk-based transaction tests at
both the transaction level and cardholder level to identify anomalies in purchase card
data that could indicate fraud or abuse. Examples of risk factors at the transaction level
included:

    •   purchases made on a weekend or holiday,
    •   charges to merchant names or Merchant Category Codes that we suspected
        may not be business-related,
    •   suspect charges identified from the JPMorgan Chase report containing detailed
        information on items purchased from certain vendors,
    •   purchases in which only one NSF cardholder did business with a particular
        merchant,
    •   purchases made through third party payers (such as PayPal), and
    •   possible split purchases (multiple purchases by a cardholder to the same vendor
        over a 2-3 day period that exceeded the $3,000 micro-purchase limit).

Examples of risk factors at the cardholder level included: cardholders for whom the
approving official’s span of control [6] exceeded four purchase cards, and cardholders who
had declined charges and/or lost/stolen card(s) during the audit scope period.

We assigned risk scores for each of the 19 attributes tested and calculated the total risk
score for all 34,300 purchase transactions made between April 1, 2010 and March 31,
2013. Based on our review of the risk scores and number of cardholders with high risk
transactions, we tested 145 transactions with a total risk score above a certain level
made by 26 cardholders. In addition to the highest risk transactions for these 26
cardholders, we manually reviewed and judgmentally selected 225 additional
transactions that appeared unusual. Therefore, we tested a total of 370 transactions for
these 26 cardholders.


[6] The span of control is how many purchase card accounts an approving official is responsible for
overseeing. Auditors considered purchase cardholders whose approving officials had a span of control
exceeding four purchase card accounts as the riskiest.

We also manually reviewed and judgmentally selected 102 other transactions for 15
additional cardholders whose transactions did not score the minimum total level but
appeared to be unusual. For example, we decided to test a cardholder with several taxi
purchases in the hundreds of dollars, and a cardholder who was the sole purchaser for
a vendor with a specific merchant category. We also tested 36 of the transactions of
two OIG cardholders, the results of which are included in this report. Therefore, we
tested a cumulative total of 508 transactions, totaling $314,443, made by 43
cardholders.
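
The transaction-level risk tests and additive risk score described in this appendix can be sketched as follows. This is an added example, not the auditors' code: the weights, the suspect MCC list, the selection threshold, the function names, and the sample transactions are constructed assumptions, because the report does not publish the scores behind its 19 tests.

```python
from collections import defaultdict
from datetime import date

MICRO_PURCHASE_LIMIT = 3000.00  # micro-purchase limit stated in the report
SPLIT_WINDOW_DAYS = 3           # the report's "2-3 day period"
# Assumed values: the report does not publish its weights or code lists.
WEIGHTS = {"weekend_or_holiday": 1, "suspect_mcc": 3, "sole_cardholder": 1,
           "third_party_payer": 2, "possible_split": 3}
SUSPECT_MCCS = {"7297", "7273"}  # illustrative; use the issuer's MCC table
THIRD_PARTY_PREFIXES = ("PAYPAL",)

def _txn(i, holder, merchant, mcc, day, amount):
    return {"id": i, "cardholder": holder, "merchant": merchant,
            "mcc": mcc, "date": day, "amount": amount}

# Constructed sample data, not taken from the audit.
SAMPLE = [
    _txn(1, "A", "OFFICE SUPPLY CO", "5943", date(2012, 3, 5), 1800.00),
    _txn(2, "A", "OFFICE SUPPLY CO", "5943", date(2012, 3, 6), 1700.00),
    _txn(3, "B", "OFFICE SUPPLY CO", "5943", date(2012, 3, 7), 250.00),
    _txn(4, "B", "PAYPAL *GADGETS", "5732", date(2012, 3, 10), 499.00),
    _txn(5, "A", "OFFICE SUPPLY CO", "5943", date(2012, 3, 20), 1600.00),
]

def split_purchase_ids(txns):
    """IDs of charges where one cardholder paid one vendor more than the
    limit through several purchases inside the sliding date window."""
    groups = defaultdict(list)
    for t in txns:
        if t["amount"] > 0:  # credits and refunds cannot be split purchases
            groups[(t["cardholder"], t["merchant"])].append(t)
    flagged = set()
    for group in groups.values():
        group.sort(key=lambda t: t["date"])
        start = 0
        for end in range(len(group)):
            # Shrink the window until it spans fewer than SPLIT_WINDOW_DAYS.
            while (group[end]["date"] - group[start]["date"]).days >= SPLIT_WINDOW_DAYS:
                start += 1
            window = group[start:end + 1]
            total = sum(t["amount"] for t in window)
            if len(window) > 1 and total > MICRO_PURCHASE_LIMIT:
                flagged.update(t["id"] for t in window)
    return flagged

def score_transactions(txns, holidays=frozenset()):
    """Return {transaction id: (total risk score, list of factors hit)}."""
    holders = defaultdict(set)
    for t in txns:
        holders[t["merchant"]].add(t["cardholder"])
    splits = split_purchase_ids(txns)
    results = {}
    for t in txns:
        hits = []
        if t["date"].weekday() >= 5 or t["date"] in holidays:
            hits.append("weekend_or_holiday")
        if t["mcc"] in SUSPECT_MCCS:
            hits.append("suspect_mcc")
        if len(holders[t["merchant"]]) == 1:
            hits.append("sole_cardholder")
        if t["merchant"].upper().startswith(THIRD_PARTY_PREFIXES):
            hits.append("third_party_payer")
        if t["id"] in splits:
            hits.append("possible_split")
        results[t["id"]] = (sum(WEIGHTS[h] for h in hits), hits)
    return results

def select_for_testing(results, threshold):
    """IDs whose total score meets the (assumed) review threshold."""
    return sorted(i for i, (score, _) in results.items() if score >= threshold)
```

A score only ranks transactions for manual review; as the appendix notes, the auditors also selected transactions judgmentally that did not reach the minimum score.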

When testing transactions, we interviewed cardholders and some approving officials
about the training received, physical security of purchase cards, and explanations for
both declined transactions and lost or stolen cards.

Additionally, we performed testing to determine if purchase cardholder accounts were
canceled on a timely basis when cardholders left the agency.

We met with OIG Office of Investigations (OI) throughout our audit to discuss our
methodology and findings. Prior to testing transactions, we shared with OI the results of
our risk factor scores. OI identified two cardholders to examine for possible fraudulent
transactions. The purchases for these two cardholders are not included in our results.
During our testing, we referred another cardholder to OI for possible investigation.

During the course of this audit, we relied on information and data received from
JPMorgan Chase in electronic format that had been entered into a computer system or
that resulted from computer processing. We tested the reliability of JPMorgan Chase’s
computer-processed data by matching transaction dates, transaction amounts, and
vendor names against original source documents. We relied on NSF’s data to test a
limited number of transactions for one cardholder. We performed limited testing of the
reliability of this NSF data by corroborating some results with NSF officials independent
of the computer system. Based on our assessment, we concluded the computer-
processed data was sufficiently reliable to use in meeting the audit’s objectives.

We reviewed NSF’s compliance with applicable provisions of pertinent laws and
guidance, including the:

   •      GSA’s SmartPay guidance,
   •      Federal Acquisition Regulation,
   •      Office of Management and Budget Circular No. A-123, Appendix B Revised,
          dated January 15, 2009,
   •      National Archives and Records Administration’s record retention regulations,
   •      Treasury Financial Manual, and
   •      NSF’s VISA Purchase Card Program Handbook and Training Manual and the
          VISA U.S. Government Purchase Card Guidance for Approving Officials,
          dated February 2004.




We identified several instances of noncompliance with these laws and regulations, as
discussed in our audit finding.

Through interviewing NSF staff and reviewing documentation, we also obtained an
understanding of the management controls over the purchase card program. We
identified several internal control deficiencies which we discuss in our finding and
potential instances of fraud, illegal acts, violations, or abuse, which we referred to our
Office of Investigations.

We conducted this performance audit between January 2013 and December 2013 in
accordance with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our finding and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our
finding and conclusions based on our audit objectives.

We held an exit conference with NSF management on December 12, 2013.



