National Science Foundation • Office of Inspector General 4201 Wilson Boulevard, Suite I-1135, Arlington, Virginia 22230 MEMORANDUM DATE: January 27, 2014 TO: Dr. Cora B. Marrett Deputy Director National Science Foundation FROM: Dr. Brett M. Baker Assistant Inspector General for Audit SUBJECT: Audit of NSF’s Purchase Card Program, Report No. 14-2-006 Attached is the final report on the subject audit. The report contains one finding on the need to strengthen NSF’s oversight of the purchase card program with three recommendations. In accordance with Office of Management and Budget Circular A-50, Audit Followup, please provide a written corrective action plan within 60 days to address the report recommendations. This corrective action plan should detail specific actions and milestone dates. We appreciate the courtesies and assistance provided by so many NSF staff during the review. If you have any questions, please contact Marie Maguire, Director of Performance Audits, at (703) 292-5009. Attachment cc: Allison Lerner Steven Strength G. P. Peterson Susan Carnohan Michael Van Woert Marie Maguire Cliff Gabriel Wendell Reid Martha Rubenstein Emily Franko Jeffrey Lupis Karen Scott Greg Steigerwald Audit of the National Science Foundation’s Purchase Card Program National Science Foundation Office of Inspector General January 27, 2014 OIG 14-2-006 TM#13-P-1-002 Introduction The National Science Foundation (NSF) participates in the General Services Administration’s (GSA) government-wide purchase card program, SmartPay. The purchase card program provides Federal agencies with a flexible and efficient means to quickly make authorized low dollar value and high volume purchases of general supplies or services. JPMorgan Chase bank (JPMorgan Chase) provides the credit cards and banking services to NSF under GSA’s SmartPay program. The Government Charge Card Abuse Prevention Act of 2012 (the Charge Card Act), Public Law 112-194, enacted in October 2012, requires all executive branch agencies to establish and maintain specific safeguards and internal controls for the management of purchase cards. In addition, the Charge Card Act also establishes additional reporting and audit requirements relating to the agency purchase cards. On September 6, 2013, the Office of Management and Budget (OMB) issued Memorandum M-13-21, which provided further guidance to implement the Charge Card Act. The Division of Acquisition and Cooperative Support (DACS) within NSF’s Office of Budget, Finance & Award Management is primarily responsible for administering the purchase card program. At NSF, the primary participants in the program are the: (1) Agency Program Coordinator (APC) in DACS who has responsibility for both overall administrative functions relating to the program and general oversight of all purchase cardholders; (2) purchase cardholders appointed to use the purchase card within their NSF organizational unit; and (3) approving officials who pre-approve the purchase card use of their assigned cardholder(s), monitor account activity, and review cardholders’ monthly account statement. From April 1, 2010 through March 31, 2013, 233 NSF employees used purchase cards to make approximately 34,300 transactions totaling almost $17 million. DACS reported that as of February 1, 2013, 272 purchase cards were assigned to 186 employees and there were 96 approving officials. The last OIG audit of NSF’s purchase card program, performed in 2002 1, found irregular transactions, including potential split purchases, payment of sales taxes, and the purchase of prohibited items such as travel. 1 Purchase Card Program Controls Need Strengthening, Audit Report No. 02-2-014, issued September 30, 2002. 1 Results of Audit NSF’s controls to prevent and detect unauthorized purchases and its oversight of the purchase card program need strengthening. The control to cancel accounts when cardholders leave NSF was generally working. However, controls over preapprovals of transactions and reviews of purchase card statements were not always followed. Also, agency-wide monitoring of the program and reviews of JPMorgan Chase reports showing agency activity were not often performed. As a result, there was a risk that inappropriate or fraudulent transactions could occur and not be detected. We did identify some inappropriate purchases and referred three cardholders’ activity to our Office of Investigations (OI) for investigation of possible fraud. As a result of one of these investigations, a cardholder pleaded guilty in December 2013 to stealing more than $94,000 by using his purchase card to buy electronics, music, and movies for himself and his family. NSF recently made improvements in its oversight of the purchase card program, including updated guidance for the purchase card program in July 2013 and a new online training course in August 2013. During fiscal year 2013, NSF management committed more resources to assist the APC to perform targeted reviews of purchase card activity. DACS began using a contractor to test a sample of transactions. As most of these improvements occurred after our period under audit, we did not evaluate their effectiveness. However, a sustained commitment by management to strong oversight is needed to ensure purchase card holders comply with Federal regulations and agency policies, and to prevent and detect misuse of the purchase cards. Oversight of NSF’s Purchase Card Program Needs Strengthening NSF’s internal controls to ensure that cardholders properly use purchase cards and comply with Federal regulations as well as NSF policies and procedures need to be strengthened and enforced. From our targeted, risk-based sample 2 of 508 transactions, totaling $314,443 3 for 43 cardholders 4, we found the following control weaknesses. Some purchases were not pre-approved. There was no evidence of preapproval for 151 transactions totaling $76,877. These unapproved purchases were made by 30 of the 43 cardholders tested. These 30 cardholders had between 1 and 21 unapproved transactions. Per both of NSF’s 2 See Appendix B: Objectives, Scope and Methodology for details on how we selected which transactions to test. Because we targeted our testing to the riskiest transactions, the sample is not representative of the approximately 34,300 transactions in our population and the results should not be projected to the universe. 3 This amount is the net of transactions tested, reflecting both charges and credits (refunds, adjustments, etc.). All totals discussed in this report reflect net amounts. 4 Includes 10 cardholders who no longer work for NSF. 2 policies in effect during our audit period - the VISA Purchase Card Program Handbook and Training Manual and the VISA U.S. Government Purchase Card Guidance for Approving Officials, dated February 2004 - the approving official is responsible for ensuring that transactions were authorized in advance of being made by the cardholder. Cardholders did not consistently maintain receipts or invoices for transactions, as required. Of the 43 cardholders tested, NSF could not provide support for 72 transactions totaling $46,206 for 21 cardholders. For two former employees, NSF could not locate documentation for any of their purchases. Both NSF policy and National Archives and Records Administration regulations require that cardholders retain records pertaining to purchase card transactions for 3 years after final payment to the vendor. There was no evidence of approving officials’ review of some purchase card bank statements. Of the 508 transactions we tested, there was no evidence that the approving official reviewed the bank statements for 191 transactions totaling $124,747. Furthermore, 32 transactions totaling $27,163 were not reviewed within 60 days of the billing date. These 223 transactions were made by 37 5 of the 43 cardholders tested. For one cardholder we tested, some bank statements were in unopened envelopes. Per NSF’s policies, the approving official should approve the cardholder’s monthly statement to ensure that the statement and supporting documentation are complete, accurate, and reflect only authorized purchases made in accordance with the Federal Acquisition Regulation. These policies also require approving officials to review monthly transactions for patterns that indicate purchases are being split to avoid the micro-purchase limit. The approving official’s review should also ensure that sales taxes are not paid in accordance with GSA regulations and NSF policy. The approving official is required to sign and date the cardholder’s monthly statement. However, NSF’s policies did not prescribe when these reviews must occur. Given that cardholders have 60 days to dispute transactions with JPMorgan Chase, it is reasonable for the approving officials’ review to take place within this time period. 5 Some of these 37 cardholders had both transactions with no approving official review of the related bank statement(s) and late approving official review. 3 Bank activity reports and Merchant Category Codes were not reviewed. JPMorgan Chase provides the APC various exception reports on purchase card activity, such as reports of lost or stolen cards, declined or blocked transactions, and reports containing detailed information on items purchased from certain vendors. NSF did not regularly obtain and review most of these reports. GSA SmartPay program recommends that the APC use bank electronic reports to monitor and track purchases to identify potential misuse and fraud. NSF’s 2004 policy states that reviews and assessments of monthly administrative reports on the program is an APC responsibility. Also, OMB Circular No. A-123, Appendix B Revised, dated January 15, 2009, requires card managers to review account activity reports to identify questionable or suspicious transactions. Merchant Category Codes (MCC) identify the vendor’s business category, such as computer software stores, telecommunications services, restaurants, book stores, etc. At the APC’s request, JPMorgan Chase can block transactions with merchants with specified MCC codes. Although MCC codes periodically change, before February 2013 NSF had not reviewed its allowable and blocked codes since 2008. We requested a list of blocked and allowable MCC codes and identified some codes; such as babysitting, massage parlors, dating and escort services, and veterinary services; that should have been blocked but were not. It is important to note that we did not identify any NSF purchases to any of these codes. The APC then reviewed the list provided to us and directed JPMorgan Chase to immediately block these and other questionable MCC codes. NSF can reduce its risk of improper purchases by periodically reviewing MCC codes and blocking purchases from vendors with codes that do not relate to NSF’s business needs. 4 Some electronic equipment purchased using the purchase card, such as iPads and cameras, did not have inventory barcodes to be included in NSF’s inventory system. NSF’s purchase card policy requires cardholders to report accountable property purchases to the Division of Administrative Services (DAS) to arrange for assignment of barcode stickers and to have the items logged into the NSF inventory system. NSF’s 2004 policy also requires the approving official to verify that the accountable property has been inventoried. Furthermore, NSF’s policy on property management for accountable property, issued by DAS, requires items with acquisition values under $2,500 considered to be sensitive or highly pilferable, such as desktops and laptops, to be inventoried. We identified four causes that allowed these internal control weaknesses to occur. First, NSF had not committed sufficient resources to monitor and oversee the purchase card program. The APC, who is responsible for overseeing NSF’s purchase card activity, also had other competing time-sensitive job responsibilities, such as serving as Contracting Officer for several contract awards. Second, in the majority of cases, cardholders and approving officials received informal training from the APC once, when they were initially assigned cardholder and approving official responsibilities. This training was not provided annually despite being required by NSF’s VISA Purchase Card Program Handbook and Training Manual. In August 2013, NSF developed new automated training for both cardholders and approving officials. NSF required that this new training be completed by December 2013. This change should improve cardholders’ and approving officials’ awareness of their responsibilities under the program. Third, some cardholders stated that they were not aware that sensitive or highly portable property, such as professional cameras and high-end audiovisual equipment, should be barcoded because NSF’s policy only required computers (laptops and desktops) and Personal Digital Assistants (PDAs), including Blackberry cell phones, to be barcoded. NSF’s prior purchase card policy does not require barcoding of other sensitive or pilferable property, such as cameras and high-end audiovisual items. NSF’s new 2013 Purchase Card Program Handbook and Policy Manual does state that the cardholder should inventory equipment with acquisition values under $2,500 considered to be sensitive or highly pilferable, and this Manual lists laptops, desktops, and PDA’s. The DAS policy, Procedures for Property Management for accountable property, only lists desktops and laptops as examples of accountable property with acquisition values under $2,500. However, another DAS guidance document, the Property Custodian Operational Handbook, which details property management roles and responsibilities, also includes iPads, iPhones, video cameras, and high-end audiovisual equipment on its list of sensitive and highly portable equipment to be barcoded. Finally, some approving officials did not always ensure that departing cardholders submitted their purchase card records before they left the agency despite the 3-year record retention policy. 5 As of result of the conditions we identified, there was a risk that inappropriate or fraudulent transactions could occur and not be detected. We identified the following inappropriate purchases: • 17 transactions totaling $32,503 made by 6 cardholders were split purchases. • 17 instances totaling $1,113 in which the purchase card was inappropriately used to pay for transportation to airports for two officials who were on temporary duty travel. SmartPay provides a separate travel card program to be used for travel and travel-related purchases. • 10 of the 43 cardholders tested paid $821 of sales taxes for 20 transactions tested. • Two instances in which cardholders did not fully resolve disputes of items that NSF did not purchase. In one case, the cardholder failed to fully resolve potential overcharges of $11,594 for computers that the cardholder did not purchase. • Some electronic items purchased, such as music players and speakers, appear to be of questionable business use or necessity. Furthermore, we referred purchase card transactions for three cardholders to OI for investigation of possible fraud. We did not test any transactions for two of these cardholders, so their transactions are not included in our results. As a result of one of these investigations, one cardholder, whose purchases are not included in our results, pleaded guilty on December 5, 2013 to fraudulently purchasing more than $94,000 of electronics, music, and movies for himself and his family. For another cardholder, OI determined that the purchase investigated was not inappropriate. The remaining investigation is ongoing. During our audit, NSF made improvements in its oversight of the purchase card program, including issuing updated guidance in July 2013 and requiring cardholders and approving officials to annually complete a new online training course. NSF management obtained a contractor to assist the APC to perform targeted reviews of purchase card activity. These improvements occurred after our period under audit and therefore, we did not evaluate their effectiveness. However, a sustained commitment by management to strong oversight is needed to ensure purchase cardholders comply with Federal regulations and agency policies, and to prevent and detect misuse of the purchase cards. Recommendations 1. The NSF Director should take appropriate actions to monitor and oversee the purchase card program. Such actions should include: • Continuous monitoring of purchase card transactions, using available JPMorgan Chase reports to identify transactions for additional review. 6 • Ensuring approving officials are reviewing cardholders’ transactions from preapproval to bank statement reconciliation. • Reviewing MCC codes on a periodic basis to determine if additional codes should be blocked. • Ensuring compliance with record retention policies for purchase card activity. • Ensuring accountable property, including sensitive and highly portable items, has been inventoried. 2. DACS should: • Coordinate with DAS to revise the NSF policy, Procedures for Property Management for accountable property to include additional examples of sensitive and highly portable items to be barcoded, and • Update the Purchase Card Program Handbook and Policy Manual and training materials to be consistent with the revisions to the DAS policy. 3. The APC should ensure that cardholders and approving officials meet the new annual training requirement. Summary of Agency Response and OIG Comments NSF concurs with the conclusions and recommendations. We have included NSF's response to this report in its entirety as Appendix A. OIG Contact and Staff Acknowledgements Marie Maguire – Director of Performance Audits (703) 292-5009 or firstname.lastname@example.org In addition to Ms. Maguire, Wendell Reid and Emily Franko made key contributions to this report. 7 Appendix A: Agency Response 8 9 Appendix B: Objective, Scope and Methodology The objectives of this performance audit were to determine the adequacy of NSF’s controls over purchase cards and to identify possible improper charges. Our scope was purchase card controls and activity from April 1, 2010 through March 31, 2013. To complete our objectives, we reviewed NSF and federal criteria to understand the rules governing the purchase card program; interviewed the APC, several cardholders, and several approving officials to gain an understanding of their procedures to oversee the program, and make and approve purchase card transactions; utilized data obtained from JPMorgan Chase; and tested a risk-based sample of purchase card transactions occurring during our scope period. To develop this risk-based sample, we developed 19 risk-based transaction tests at both the transaction level and cardholder level to identify anomalies in purchase card data that could indicate fraud or abuse. Examples of risk factors at the transaction level included: • purchases made on a weekend or holiday, • charges to merchant names or Merchant Category Codes that we suspected may not be business-related, • suspect charges identified from the JPMorgan Chase report containing detailed information on items purchased from certain vendors, • purchases in which only one NSF card holder did business with a particular merchant, • purchases made through third party payers (such as Paypal), and • possible split purchases (multiple purchases by a cardholder to the same vendor over a 2-3 day period that exceeded the $3,000 micro-purchase limit). Examples of risk factors at the cardholder level included: cardholders for whom the approving official’s span of control6 exceeded four purchase cards, and cardholders who had declined charges and/or lost/stolen card(s) during the audit scope period. We assigned risk scores for each of the 19 attributes tested and calculated the total risk score for all 34,300 purchase transactions made between April 1, 2010 and March 31, 2013. Based on our review of the risk scores and number of cardholders with high risk transactions, we tested 145 transactions with a total risk score above a certain level made by 26 cardholders. In addition to the highest risk transactions for these 26 cardholders, we manually reviewed and judgmentally selected 225 additional transactions that appeared unusual. Therefore, we tested a total of 370 transactions for these 26 cardholders. 6 The span of control is how many purchase card accounts an approving official is responsible for overseeing. Auditors considered purchase cardholders whose approving officials had a span of control exceeding four purchase card accounts as the riskiest. 10 We also manually reviewed and judgmentally selected 102 other transactions for 15 additional card holders whose transactions did not score the minimum total level but appeared to be unusual. For example, we decided to test a cardholder with several taxi purchases in the hundreds of dollars, and a cardholder who was the sole purchaser for a vendor with a specific merchant category. We also tested 36 of the transactions of two OIG cardholders, the results of which are included in this report. Therefore, we tested a cumulative total of 508 transactions, totaling $314,443, made by 43 cardholders. When testing transactions, we interviewed cardholders and some approving officials about the training received, physical security of purchase cards, and explanations for both declined transactions and lost or stolen cards. Additionally, we performed testing to determine if purchase cardholder accounts were canceled on a timely basis when cardholders left the agency. We met with OIG Office of Investigations (OI) throughout our audit to discuss our methodology and findings. Prior to testing transactions, we shared with OI the results of our risk factor scores. OI identified two cardholders to examine for possible fraudulent transactions. The purchases for these two cardholders are not included in our results. During our testing, we referred another cardholder to OI for possible investigation. During the course of this audit, we relied on information and data received from JPMorgan Chase in electronic format that had been entered into a computer system or that resulted from computer processing. We tested the reliability of JPMorgan Chase’s computer-processed data by matching transaction dates, transaction amounts, and vendor names against original source documents. We relied on NSF’s data to test a limited number of transactions for one cardholder. We performed limited testing of the reliability of this NSF data by corroborating some results with NSF officials independent of the computer system. Based on our assessment, we concluded the computer- processed data was sufficiently reliable to use in meeting the audit’s objectives. We reviewed NSF’s compliance with applicable provisions of pertinent laws and guidance, including the: • GSA’s SmartPay guidance, • Federal Acquisition Regulation, • Office of Management and Budget Circular No. A-123, Appendix B Revised, dated January 15, 2009, • National Archives and Records Administration’s record retention regulations, • Treasury Financial Manual, and • NSF’s VISA Purchase Card Program Handbook and Training Manual and the VISA U.S. Government Purchase Card Guidance for Approving Officials, dated February 2004. 11 We identified several instances of noncompliance with these laws and regulations, as discussed in our audit finding. Through interviewing NSF staff and reviewing documentation, we also obtained an understanding of the management controls over the purchase card program. We identified several internal control deficiencies which we discuss in our finding and potential instances of fraud, illegal acts, violations, or abuse, which we referred to our Office of Investigations. We conducted this performance audit between January 2013 and December 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our finding and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our finding and conclusions based on our audit objectives. We held an exit conference with NSF management on December 12, 2013. 12
Audit of NSF's Purchase Card Program
Published by the National Science Foundation, Office of Inspector General on 2014-01-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)