U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report LIMITED SCOPE AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S PURCHASE CARD TRANSACTIONS Report Number 4A-OO-00-17-046 November 27, 2017 --CAUTION-- EXECUTIVE SUMMARY Limited Scope Audit of the U.S. Office of Personnel Management’s Purchase Card Transactions Report No. 4A-OO-00-17-046 November 27, 2017 Why Did We Conduct the Audit? What Did We Find? The objective of our limited scope audit We selected a random statistical sample of 46 purchase card was to determine whether the U.S. Office transactions, totaling $24,187, from October 1, 2016, through of Personnel Management (OPM) made March 31, 2017. We found that 23 purchase card transactions, purchase card transactions that were totaling $12,956, had one or more of the following exceptions: potentially illegal, improper, or erroneous. Number of Exception Occurrences What Did We Audit? Lacks Approving Official Review 7 The Office of the Inspector General completed a performance audit on Missing All Documentation 2 OPM’s purchase card transactions. Our audit fieldwork was conducted from Lacks Purchase Receipt - Missing Documentation 1 March 6 through August 30, 2017, at OPM headquarters, located in Washington D.C. Lacks Requisition Request - Missing 5 Documentation Receipt of Goods and Services - Missing 7 Documentation Lacks Written Justification for Any Exception to 13 Policies Questionable Government Need 0 Error Amount Charged and Invoice Disagrees 1 _______________________ Michael R. Esser Assistant Inspector General for Audits i ABBREVIATIONS AO Approving Official APC Agency Program Coordinator CIGIE Council of the Inspectors General on Integrity and Efficiency FY Fiscal Year IT Information Technology MCC Merchant Category Code OIG Office of the Inspector General OPM U.S. Office of Personnel Management ii TABLE OF CONTENTS Page EXECUTIVE SUMMARY ......................................................................................... i ABBREVIATIONS…………………………….. ....................................................... ii I. BACKGROUND ..........................................................................................................1 II. OBJECTIVE, SCOPE, AND METHODOLOGY ....................................................4 III. AUDIT RESULTS .......................................................................................................7 APPENDIX Exceptions and Causes Tables, as defined by the Council of the Inspectors General on Integrity and Efficiency’s Information Technology Committee REPORT FRAUD, WASTE, AND MISMANAGEMENT I. BACKGROUND This final audit report details the results from our limited scope performance audit of the U.S. Office of Personnel Management’s (OPM) purchase card transactions. The audit was performed by OPM’s Office of the Inspector General (OIG), as authorized by the Inspector General Act of 1978, as amended. In October 2016, the Council of the Inspectors General on Integrity and Efficiency’s (CIGIE) Information Technology (IT) Committee initiated a Government-wide project, led by the U.S. Department of Agriculture, to analyze and review government purchase card data to determine risks associated with purchase card transactions. The CIGIE IT community created a set of algorithms1 to assist participating Inspectors General in performing data-analysis and identifying high-risk transactions. Additionally, the CIGIE IT community provided data-analytical and statistical tools, such as excel spreadsheets and random numbers, to support the reviews and provide uniformity for processing and reporting the results across the CIGIE community. The set of algorithms provided by the CIGIE IT is listed in Table 1. A report with the aggregated information for all participating Inspectors General will be published by CIGIE, and will discuss the risks associated with purchase card transactions and the number of purchase card transactions failing the algorithms. 1 Procedures to be performed during our audit. 1 Report No. 4A-OO-00-17-046 Table 1 Algorithm Purchase Card Algorithms Numbers 1 Closed Account Activities - transactions where the transaction date is after the account closed date. 2 Prohibited Merchant Category Code (MCC)2 - transactions that were processed using a prohibited MCC. 3 Questionable MCC3 - transactions that were processed using a questionable MCC. 4 Billing Amount is Greater than Cardholder’s Single Purchase Limit - transactions where billing amounts are greater than the single purchase limit. 5 Sales Taxes - transactions with sales tax. 6 PayPal and Amazon Transactions - transactions processed by PayPal or Amazon. 7 Weekend Transactions - transactions processed over a weekend. 8 Holiday Transaction - transactions processed on a holiday. 9 Potentially Split Transactions - potential purchase splits within one day. PREVIOUS OFFICE OF THE INSPECTOR GENERAL REPORTS In fiscal year (FY) 2016, the OIG conducted an audit of OPM’s purchase card program. 4 The final report was issued on July 7, 2017. Our audit found that OPM needed to strengthen controls over its purchase card operations processes in the following five areas: 1. Of the 164 active purchase cards in OPM at the time of our audit, we found that 23, which had been issued to a former agency program coordinator, were not immediately canceled when the employee separated from OPM. Five of the cards were used for purchases, totaling $54,212, by unauthorized users. 2 Merchant category codes are established by the card issuing bank and are assigned to vendors as a means to identify the merchant type. Each cardholder account is set up with default merchant category codes that will allow the processing of transactions that fall under the specified merchant category code. If a cardholder attempts to submit a purchase through a vendor with a blocked (prohibited) merchant category code, the transaction will be denied at the point of attempted purchase. 3 Merchant category codes identified by OPM as questionable. 4 OPM-Office of the Inspector General Audit Report Number 4A-OO-00-16-046. 2 Report No. 4A-OO-00-17-046 2. For Agency Reporting, we found that OPM could not provide documentation to support the $238,400 outstanding balance reported in Table 19 of OPM’s FY 2015 Agency Financial Report. In addition, OPM’s FY 2016, third quarter (April 1 through June 30, 2016) statistical report was incomplete. 3. OPM had not blocked, in JPMorgan Chase’s PaymentNet, seven merchant category codes for items that were restricted or prohibited from being purchased with a Government purchase card. None of the restricted and prohibited codes were used during the scope of the audit. 4. Training records for purchase card program participants were either outdated or incomplete. 5. We found no evidence that cardholders were using their Government purchase card to purchase items that did not represent a legitimate business need; however, OPM’s internal controls need improvement in the areas of: transaction documentation retention; payment of sales taxes; and reallocating and approving transactions in OPM’s financial system. All recommendations are currently open. 3 Report No. 4A-OO-00-17-046 II. OBJECTIVE, SCOPE, AND METHODOLOGY OBJECTIVE The objective of our audit was to determine whether OPM made purchase card transactions that were potentially illegal, improper, or erroneous. SCOPE AND METHODOLOGY We conducted this performance audit in accordance with generally accepted government auditing standards as established by the Comptroller General of the United States. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. The scope of our audit covered purchase card transactions, including convenience checks, from October 1, 2016, through March 31, 2017, and the policies and procedures pertaining to these transactions. OPM processed 8,777 transactions, totaling $4,914,457, from October 1, 2016, through March 31, 2017. We performed our audit from March 6 through August 30, 2017, at OPM’s headquarters, located in Washington, D.C. To accomplish our audit objective noted above, we used IDEA5 to run CIGIE’s data analytic tool, which analyzed transactions and identified the universe of high-risk transactions based on the algorithms listed in Table 1. There were 1,910 high-risk transactions, totaling $1,223,347, for the scope of the audit. Specifically: x 1,095 transactions, totaling $643,579, were identified as high-risk transactions for fiscal year 2017, Quarter 1 (October 1 through December 31, 2016); and x 815 transactions, totaling $579,768, were identified as high-risk transactions for fiscal year 2017, Quarter 2 (January 1 through March 31, 2017). We used CIGIE’s Sample Selection Instructions and Random Numbers Microsoft Excel spreadsheet to randomly select a statistical sample of 46 high-risk transactions, totaling $24,187. The number of samples selected for each algorithm, in each quarter, is outlined in Table 2. 5 CaseWare Analytics’ data analysis software. 4 Report No. 4A-OO-00-17-046 Table 2: Number of Samples Selected For Each Algorithm Quarter 1 Quarter 2 (October 1 through (January 1 through March December 31, 2016) 31, 2017) Algorithm Sample Size Dollar Sample Size Dollar Value Value Closed Accounts 3 $8,114 0 $0 Prohibited MCC 0 $0 0 $0 Questionable MCC 0 $0 0 $0 Billing Amount > 0 $0 0 $0 Cardholder’s Single Purchase Limit Sales Taxes 3 $527 46 $755 PayPal/Amazon 2 $117 1 $7 Weekend/Holiday 7 $1,018 14 $7,044 Potentially Split 8 $3,192 4 $3,412 TOTAL 23 $12,968 23 $11,218 In planning our work and gaining an understanding of the internal controls over OPM’s purchase card transactions, we considered, but did not rely on, OPM’s internal control structure to the extent necessary to perform our audit procedures. These procedures were substantive in nature. We gained an understanding of management procedures and controls to the extent necessary to achieve our audit objective. The purpose of our audit was not to provide an opinion on internal controls but merely to evaluate controls over OPM’s purchase card transactions. 6 One sample selected in quarter two hit both the sales taxes and the weekend and holiday algorithms. We counted the sample within the sales taxes sample size. 5 Report No. 4A-OO-00-17-046 Our audit included such tests and analysis of OPM’s records, documented policies and procedures, transactional data, and other applicable information as we considered necessary under the circumstances. The results of our tests were provided to USDA on September 25, 2017. In conducting our audit, we relied to varying degrees on computer-generated data. To assess the reliability of computer-processed data obtained from PaymentNet7, we looked for obvious errors in accuracy and completeness. We determined that the data was sufficiently reliable for the purpose of achieving our audit objective. We did not evaluate the effectiveness of the general application controls over computer-processed performance data. The results from the statistical sample will be projected by the U.S. Department of Agriculture, and reported in a consolidated Government-wide report. 7 JPMorgan Chase’s purchase card account management system used by OPM to order new cards, assign merchant category codes, cancel cards, modify spending limits, review transactions, and generate management reports. 6 Report No. 4A-OO-00-17-046 III. AUDIT RESULTS We found that 23 purchase card transactions, totaling $12,956, out of our sample of 46 transactions, had one or more exceptions, as outlined in Table 3. Table 3: Results Number of Exceptions8 Causes Occurrences9 Lacks Approving 7 Transactions not reviewed/monitored by Official Review Agency Program Coordinator. Missing All 2 x Agency lacks procedures to identify error Documentation and x Cardholder or Approving Official no longer employed by the agency. Lacks Purchase 1 Receipt - Missing Documentation Lacks Requisition 5 Request - Missing Documentation Receipt of Goods and 7 Agency lacks procedures to identify error. Services - Missing Documentation Lacks Written 13 Justification for Any Exception to Policies Error Amount 1 Charged and Invoice Disagrees No exceptions were identified for the “Questionable Government Need” exception category. 8 The exceptions and causes, as defined by CIGIE’s IT committee, are in the Appendix. 9 The results in the table for each condition are independent of each other. 7 Report No. 4A-OO-00-17-046 APPENDIX Exception Definition No Exceptions Transaction is valid and has all necessary documentation. Lacks Approving Official The Approving Official (AO) is the individual (typically a supervisor) Review that ensures that the purchase card is used properly. The AO also authorizes cardholder purchases (for official use only), ensures that the statements are reconciled, and submitted to the designated billing office in a timely manner. This feature is normally automated with the AO having an "approval queue" of cardholder transactions. After review, the AO signs the account statement and maintains the documentation in accordance with agency procedures. Missing All There is no documentation to support the transaction. Documentation Lacks Purchase Receipt - Purchase receipt describing the merchant and items purchased has not Missing Documentation been maintained. Lacks Requisition The request for purchase can be documented by either email, letter, or Request - Missing requisition form that describes the item needed and quantities. Documentation Receipt of Goods and Documentation from either the requestor or other authorized recipient that Services - Missing the item has actually been received. Documentation Lacks Written If policy has been waived, there is written documentation for the Justification for Any exception such as purchasing from prohibited MCC, exceeding purchase Exception to Policies limit, split purchase, etc. Questionable Government Items purchased which have no official agency use. Need Error Amount Charged The amount billed on the credit card and the purchase receipt amount are and Invoice Disagrees not the same. Cause or Definition Control Failure No Exceptions Transaction is valid and has all necessary documentation. Transactions not Charge Card Managers are those managers responsible for ensuring Cardholders reviewed/monitored and the AOs are following agency policy and they may suspend accounts. These by Charge Card managers should have tools and reports to show if cardholders and AO are Managers routinely reconciling and approving purchases. This may be the responsibility in some agencies of the Agency Program Coordinator (APC) or the local APC. Cardholder same as Cardholders and the AOs should not be the same. Approving Official/No Separation of Duties Requestor and Those requiring the purchase should not be the same as the cardholder. Cardholder same/No Separation of Duties Lack of The agency has the exception due to a lack of policy. Documented Policy Lack of Proper Training has not covered the exception to policy or refresher training has not Training occurred in the last three years (U.S. Office of Management and Budget A-123 Appendix B, 3.4). Agency Lacks Policy may exist but there is a lack of procedures to ensure compliance. Procedures to Identify Error Cardholder or Cardholders and Approving Officials have not certified because they are no Approving Official longer employed by the agency. No Longer Employed Report Fraud, Waste, and Mismanagement Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways: By Internet: http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste- or-abuse By Phone: Toll Free Number: (877) 499-7295 Washington Metro Area: (202) 606-2423 By Mail: Office of the Inspector General U.S. Office of Personnel Management 1900 E Street, NW Room 6400 Washington, DC 20415-1100
Limited Scope Audit Of The U.S. Office Of Personnel Management's Purchase Card Transactions
Published by the Office of Personnel Management, Office of Inspector General on 2017-11-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)