Limited Scope Audit Of The U.S. Office Of Personnel Management's Purchase Card Transactions

Published by the Office of Personnel Management, Office of Inspector General on 2017-11-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

            OFFICE OF AUDITS

  Final Audit Report

             Report Number 4A-OO-00-17-046
                    November 27, 2017


       Limited Scope Audit of the U.S. Office of Personnel Management’s Purchase Card Transactions

 Report No. 4A-OO-00-17-046                                                                    November 27, 2017

Why Did We Conduct the Audit?              What Did We Find?

The objective of our limited scope audit   We selected a random statistical sample of 46 purchase card
was to determine whether the U.S. Office   transactions, totaling $24,187, from October 1, 2016, through
of Personnel Management (OPM) made         March 31, 2017. We found that 23 purchase card transactions,
purchase card transactions that were       totaling $12,956, had one or more of the following exceptions:
potentially illegal, improper, or
erroneous.                                                                                      Number of
What Did We Audit?
                                            Lacks Approving Official Review                         7
The Office of the Inspector General
completed a performance audit on            Missing All Documentation                                  2
OPM’s purchase card transactions. Our
audit fieldwork was conducted from          Lacks Purchase Receipt - Missing Documentation             1
March 6 through August 30, 2017,
at OPM headquarters, located in
Washington D.C.                             Lacks Requisition Request - Missing                        5

                                            Receipt of Goods and Services - Missing                    7

                                            Lacks Written Justification for Any Exception to          13

                                            Questionable Government Need                               0

                                            Error Amount Charged and Invoice Disagrees                 1

Michael R. Esser
Assistant Inspector General for Audits


AO       Approving Official
APC      Agency Program Coordinator
CIGIE    Council of the Inspectors General on Integrity and Efficiency
FY       Fiscal Year
IT       Information Technology
MCC      Merchant Category Code
OIG      Office of the Inspector General
OPM      U.S. Office of Personnel Management

                         TABLE OF CONTENTS


       EXECUTIVE SUMMARY ......................................................................................... i 

       ABBREVIATIONS…………………………….. ....................................................... ii 

I.     BACKGROUND ..........................................................................................................1 

II.    OBJECTIVE, SCOPE, AND METHODOLOGY ....................................................4 

III.   AUDIT RESULTS .......................................................................................................7 

       APPENDIX Exceptions and Causes Tables, as defined by the Council of the
       Inspectors General on Integrity and Efficiency’s Information Technology Committee

                                    I. BACKGROUND

This final audit report details the results from our limited scope performance audit of the U.S.
Office of Personnel Management’s (OPM) purchase card transactions. The audit was performed
by OPM’s Office of the Inspector General (OIG), as authorized by the Inspector General Act of
1978, as amended.

In October 2016, the Council of the Inspectors General on Integrity and Efficiency’s (CIGIE)
Information Technology (IT) Committee initiated a Government-wide project, led by the U.S.
Department of Agriculture, to analyze and review government purchase card data to determine
risks associated with purchase card transactions. The CIGIE IT community created a set of
algorithms1 to assist participating Inspectors General in performing data-analysis and identifying
high-risk transactions. Additionally, the CIGIE IT community provided data-analytical and
statistical tools, such as excel spreadsheets and random numbers, to support the reviews and
provide uniformity for processing and reporting the results across the CIGIE community. The
set of algorithms provided by the CIGIE IT is listed in Table 1.

A report with the aggregated information for all participating Inspectors General will be
published by CIGIE, and will discuss the risks associated with purchase card transactions and the
number of purchase card transactions failing the algorithms.

    Procedures to be performed during our audit.

                                                   1               Report No. 4A-OO-00-17-046
                                                     Table 1
                                     Purchase Card Algorithms
        1           Closed Account Activities - transactions where the transaction date is after the
                    account closed date.

         2          Prohibited Merchant Category Code (MCC)2 - transactions that were processed using
                    a prohibited MCC.

         3          Questionable MCC3 - transactions that were processed using a questionable MCC.

         4          Billing Amount is Greater than Cardholder’s Single Purchase Limit - transactions
                    where billing amounts are greater than the single purchase limit.

         5          Sales Taxes - transactions with sales tax.
         6          PayPal and Amazon Transactions - transactions processed by PayPal or Amazon.

         7          Weekend Transactions - transactions processed over a weekend.
         8          Holiday Transaction - transactions processed on a holiday.
         9          Potentially Split Transactions - potential purchase splits within one day.


In fiscal year (FY) 2016, the OIG conducted an audit of OPM’s purchase card program. 4 The
final report was issued on July 7, 2017. Our audit found that OPM needed to strengthen controls
over its purchase card operations processes in the following five areas:

    1.	 Of the 164 active purchase cards in OPM at the time of our audit, we found that 23,
        which had been issued to a former agency program coordinator, were not immediately
        canceled when the employee separated from OPM. Five of the cards were used for
        purchases, totaling $54,212, by unauthorized users.

  Merchant category codes are established by the card issuing bank and are assigned to vendors as a means to

identify the merchant type. Each cardholder account is set up with default merchant category codes that will allow 

the processing of transactions that fall under the specified merchant category code. If a cardholder attempts to 

submit a purchase through a vendor with a blocked (prohibited) merchant category code, the transaction will be 

denied at the point of attempted purchase.

  Merchant category codes identified by OPM as questionable. 

  OPM-Office of the Inspector General Audit Report Number 4A-OO-00-16-046.

                                                     2	                         Report No. 4A-OO-00-17-046
   2.	 For Agency Reporting, we found that OPM could not provide documentation to support
       the $238,400 outstanding balance reported in Table 19 of OPM’s FY 2015 Agency
       Financial Report. In addition, OPM’s FY 2016, third quarter (April 1 through June 30,
       2016) statistical report was incomplete.

   3.	 OPM had not blocked, in JPMorgan Chase’s PaymentNet, seven merchant category
       codes for items that were restricted or prohibited from being purchased with a
       Government purchase card. None of the restricted and prohibited codes were used during
       the scope of the audit.

   4.	 Training records for purchase card program participants were either outdated or 


   5.	 We found no evidence that cardholders were using their Government purchase card to
       purchase items that did not represent a legitimate business need; however, OPM’s
       internal controls need improvement in the areas of: transaction documentation retention;
       payment of sales taxes; and reallocating and approving transactions in OPM’s financial

All recommendations are currently open.

                                            3	                    Report No. 4A-OO-00-17-046


The objective of our audit was to determine whether OPM made purchase card transactions that
were potentially illegal, improper, or erroneous.


We conducted this performance audit in accordance with generally accepted government
auditing standards as established by the Comptroller General of the United States. These
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objective.

The scope of our audit covered purchase card transactions, including convenience checks, from
October 1, 2016, through March 31, 2017, and the policies and procedures pertaining to these
transactions. OPM processed 8,777 transactions, totaling $4,914,457, from October 1, 2016,
through March 31, 2017. We performed our audit from March 6 through August 30, 2017, at
OPM’s headquarters, located in Washington, D.C.

To accomplish our audit objective noted above, we used IDEA5 to run CIGIE’s data analytic
tool, which analyzed transactions and identified the universe of high-risk transactions based on
the algorithms listed in Table 1.

There were 1,910 high-risk transactions, totaling $1,223,347, for the scope of the audit.

      x	 1,095 transactions, totaling $643,579, were identified as high-risk transactions for fiscal
         year 2017, Quarter 1 (October 1 through December 31, 2016); and

      x	 815 transactions, totaling $579,768, were identified as high-risk transactions for fiscal
         year 2017, Quarter 2 (January 1 through March 31, 2017).

We used CIGIE’s Sample Selection Instructions and Random Numbers Microsoft Excel
spreadsheet to randomly select a statistical sample of 46 high-risk transactions, totaling $24,187.
The number of samples selected for each algorithm, in each quarter, is outlined in Table 2.

    CaseWare Analytics’ data analysis software.

                                                  4	                  Report No. 4A-OO-00-17-046
              Table 2: Number of Samples Selected For Each Algorithm

                                           Quarter 1                                  Quarter 2
                                   (October 1 through                   (January 1 through March
                                   December 31, 2016)                           31, 2017)

      Algorithm                Sample Size              Dollar            Sample Size              Dollar
                                                        Value                                      Value
    Closed Accounts                    3                $8,114                    0                    $0

    Prohibited MCC                     0                   $0                     0                    $0

  Questionable MCC                     0                   $0                     0                    $0

   Billing Amount >                    0                   $0                     0                    $0
  Cardholder’s Single
    Purchase Limit

       Sales Taxes                     3                  $527                   46                  $755

    PayPal/Amazon                      2                  $117                    1                    $7

   Weekend/Holiday                     7                $1,018                   14                 $7,044

    Potentially Split                  8                $3,192                    4                 $3,412

                 TOTAL                23                $12,968                  23                $11,218

In planning our work and gaining an understanding of the internal controls over OPM’s purchase
card transactions, we considered, but did not rely on, OPM’s internal control structure to the
extent necessary to perform our audit procedures. These procedures were substantive in nature.
We gained an understanding of management procedures and controls to the extent necessary to
achieve our audit objective. The purpose of our audit was not to provide an opinion on internal
controls but merely to evaluate controls over OPM’s purchase card transactions.

  One sample selected in quarter two hit both the sales taxes and the weekend and holiday algorithms. We counted
the sample within the sales taxes sample size.

                                                    5                         Report No. 4A-OO-00-17-046
Our audit included such tests and analysis of OPM’s records, documented policies and
procedures, transactional data, and other applicable information as we considered necessary
under the circumstances. The results of our tests were provided to USDA on September 25,

In conducting our audit, we relied to varying degrees on computer-generated data. To assess the
reliability of computer-processed data obtained from PaymentNet7, we looked for obvious errors
in accuracy and completeness. We determined that the data was sufficiently reliable for the
purpose of achieving our audit objective. We did not evaluate the effectiveness of the general
application controls over computer-processed performance data.

The results from the statistical sample will be projected by the U.S. Department of Agriculture,
and reported in a consolidated Government-wide report.

 JPMorgan Chase’s purchase card account management system used by OPM to order new cards, assign merchant
category codes, cancel cards, modify spending limits, review transactions, and generate management reports.

                                                  6                       Report No. 4A-OO-00-17-046
                                III. AUDIT RESULTS

We found that 23 purchase card transactions, totaling $12,956, out of our sample of 46
transactions, had one or more exceptions, as outlined in Table 3.

                                                Table 3: Results

                                    Number of
        Exceptions8                                                               Causes
    Lacks Approving                         7               Transactions not reviewed/monitored by
    Official Review                                         Agency Program Coordinator.
    Missing All                             2               x Agency lacks procedures to identify error
    Documentation                                              and
                                                            x Cardholder or Approving Official no
                                                               longer employed by the agency.
    Lacks Purchase                          1
    Receipt - Missing
    Lacks Requisition                       5
    Request - Missing
    Receipt of Goods and                    7
                                                              Agency lacks procedures to identify error.
    Services - Missing
    Lacks Written                          13
    Justification for Any
    Exception to Policies
    Error Amount                            1
    Charged and Invoice

No exceptions were identified for the “Questionable Government Need” exception category.

    The exceptions and causes, as defined by CIGIE’s IT committee, are in the Appendix.
    The results in the table for each condition are independent of each other.

                                                      7                         Report No. 4A-OO-00-17-046

       Exception                                  Definition

No Exceptions              Transaction is valid and has all necessary documentation.

Lacks Approving Official   The Approving Official (AO) is the individual (typically a supervisor)
Review                     that ensures that the purchase card is used properly. The AO also
                           authorizes cardholder purchases (for official use only), ensures that the
                           statements are reconciled, and submitted to the designated billing office in
                           a timely manner. This feature is normally automated with the AO having
                           an "approval queue" of cardholder transactions. After review, the AO
                           signs the account statement and maintains the documentation in
                           accordance with agency procedures.

Missing All                There is no documentation to support the transaction.

Lacks Purchase Receipt -   Purchase receipt describing the merchant and items purchased has not
Missing Documentation      been maintained.

Lacks Requisition          The request for purchase can be documented by either email, letter, or
Request - Missing          requisition form that describes the item needed and quantities.

Receipt of Goods and       Documentation from either the requestor or other authorized recipient that
Services - Missing         the item has actually been received.

Lacks Written              If policy has been waived, there is written documentation for the
Justification for Any      exception such as purchasing from prohibited MCC, exceeding purchase
Exception to Policies      limit, split purchase, etc.

Questionable Government    Items purchased which have no official agency use.

Error Amount Charged       The amount billed on the credit card and the purchase receipt amount are
and Invoice Disagrees      not the same.
  Cause or                                  Definition
Control Failure
No Exceptions        Transaction is valid and has all necessary documentation.

Transactions not     Charge Card Managers are those managers responsible for ensuring Cardholders
reviewed/monitored   and the AOs are following agency policy and they may suspend accounts. These
by Charge Card       managers should have tools and reports to show if cardholders and AO are
Managers             routinely reconciling and approving purchases. This may be the responsibility in
                     some agencies of the Agency Program Coordinator (APC) or the local APC.

Cardholder same as   Cardholders and the AOs should not be the same.
Separation of
Requestor and        Those requiring the purchase should not be the same as the cardholder.
Separation of
Lack of              The agency has the exception due to a lack of policy.
Documented Policy

Lack of Proper       Training has not covered the exception to policy or refresher training has not
Training             occurred in the last three years (U.S. Office of Management and Budget A-123
                     Appendix B, 3.4).

Agency Lacks         Policy may exist but there is a lack of procedures to ensure compliance.
Procedures to
Identify Error
Cardholder or        Cardholders and Approving Officials have not certified because they are no
Approving Official   longer employed by the agency.
No Longer
                        Report Fraud, Waste, and

                     Fraud, waste, and mismanagement in Government
                    concerns everyone: Office of the Inspector General
                   staff, agency employees, and the general public. We
                      actively solicit allegations of any inefficient and
                   wasteful practices, fraud, and mismanagement related
                     to OPM programs and operations. You can report
                              allegations to us in several ways:

    By Internet:        http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-

     By Phone:          Toll Free Number:                (877) 499-7295
                        Washington Metro Area:           (202) 606-2423

       By Mail:         Office of the Inspector General
                        U.S. Office of Personnel Management
                        1900 E Street, NW
                        Room 6400
                        Washington, DC 20415-1100