Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC's Purchase Card Program

This is the accessible text file for FDIC OIG report number AUD-14-007 entitled 'The FDIC’s Purchase Card Program'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

Federal Deposit Insurance Corporation

Office of Inspector General

March 2014

Executive Summary

Why We Did The Audit

The Government Charge Card Abuse Prevention Act of 2012, while not applicable to the FDIC, requires executive agencies that issue and use purchase cards (P-Cards) and convenience checks to establish and maintain appropriate safeguards and internal controls over those forms of payment. The statute also requires Inspectors General covered by the Act to conduct periodic risk assessments and audits of agency P-Card and convenience check programs. Consistent with the spirit of the Act, we conducted an audit of the FDIC’s P-Card Program.

The objective of this performance audit was to determine the effectiveness of internal controls intended to minimize improper transactions executed under the P-Card Program. For purposes of the audit, we considered a transaction to be improper if it did not comply with FDIC policy, procedures, or guidelines. The FDIC Office of Inspector General engaged the independent firm of Reed & Associates, CPAs, Inc., to provide technical assistance during the audit.

Background

The FDIC participates in the government-wide charge card program known as the General Services Administration (GSA) SmartPay 2 Program. Under the program, GSA manages a set of master contracts with major U.S. financial institutions through which agencies and organizations may obtain charge card services to accomplish their mission. In 2008, the FDIC entered into a 10-year contract under the program with U.S. Bank National Association (U.S. Bank). The contract authorizes U.S. Bank to issue PCards to designated FDIC employees and to bill the FDIC for cardholder purchases. The contract also provides for the use of convenience checks in order to accommodate purchases from vendors who do not accept P-Cards.

Within the FDIC, the Division of Administration (DOA) has overall responsibility for administering the P-Card Program. Key roles in the program include an Agency Program Coordinator who is responsible for the day-to-day administrative oversight of the P-Card Program, Division/Office Coordinators who serve as liaisons with DOA and oversee their division’s or office’s compliance with the program, and Approving Officials who are responsible for monitoring cardholders, reviewing and approving purchases and charges, and ensuring that charges are adequately supported.

The Office of Management and Budget, the Government Accountability Office, GSA, and other federal agencies have published requirements and suggested best practices (referred to herein as recognized best practices) for government charge card programs. Although the FDIC is generally not subject to these recognized best practices, they do define prudent concepts and business practices that can reduce the risk of fraud, waste, and error in charge card programs.

Audit Results

The FDIC established a number of internal controls intended to minimize the risk of improper transactions under the P-Card Program that were generally consistent with recognized best practices. Such controls include written policies and procedures governing the use of P-Cards and convenience checks, mandatory training for cardholders and Approving Officials, and various risk management controls, such as periodic internal reviews and reconciliations of cardholder statements. Further, the FDIC’s card service provider—U.S. Bank—implemented certain controls to prevent and detect improper transactions. While these controls address many recognized best practices, we found that the FDIC could improve the effectiveness of its P-Card Program controls by:

- making greater use of transaction data to detect patterns, trends, and anomalies that may be indicative of potential fraud or misuse;

- performing periodic, program-level reviews of cardholder purchase limits to ensure they remain appropriate and monitoring convenience check transactions for compliance with established purchase limits;

- conducting periodic, program-level assessments of the reasonableness of the ratio of Approving Officials to cardholders and the volume of transactions that Approving officials are responsible for reviewing;

- ensuring that cardholder accounts are disabled in a timely manner when cardholders leave the FDIC;

- prohibiting cardholders from using the P-Card to purchase non-monetary awards on their own behalf; and

- reviewing and clarifying, as appropriate, the role and responsibilities of the Division/Office Coordinator.

We reviewed a non-statistical sample of 150 P-Card transactions processed between April 1, 2011, and December 31, 2012, to determine whether they complied with FDIC policies, procedures, and guidelines. Non-statistical samples are judgmental and cannot be projected to the population of transactions. We found that all of the transactions had been approved by an Approving Official. However, we did note some form of noncompliance for 26 of the transactions. Most instances of noncompliance involved cardholders not retaining receipts to support purchases. We referred these 26 transactions to appropriate FDIC management officials for follow-up action. Our review of P-Card transactions also identified a wide range of items that were purchased using the Internet as non-monetary awards for employees. Although such purchases are not prohibited by FDIC policy, using the P-Card to purchase non-monetary awards that are of a personal nature presents a reputational risk to the FDIC. The FDIC should consider this risk and clarify its P-Card and non-monetary awards policy, as appropriate.

Recommendations and Corporation Comments

Our report contains eight recommendations addressed to the Director, DOA, that are intended to strengthen internal controls related to the P-Card Program. The Director, DOA, provided a written response, dated March 26, 2014, to a draft of this report. In the response, the Director concurred with all eight of the report’s recommendations and described ongoing and planned actions that address the recommendations.

[End of section]

Contents

Background

Results of Audit

Alignment of P-Card Program Controls to Recognized Best Practices

Review of Selected P-Card Transactions

Corporation Comments and OIG Evaluation

Appendices

1. Objective, Scope, and Methodology
2. Glossary of Terms
3. Acronyms and Abbreviations
4. Corporation Comments
5. Summary of the Corporation’s Corrective Actions

Tables

1. Selected P-Card Program Statistics for the Years Ended 2008-2012
2. Assessment of P-Card Program Controls

[End of section]

[FDIC OIG letterhead]

FDIC Federal Deposit Insurance Corporation Office of Inspector General Office of Audits and Evaluations

3501 Fairfax Drive, Arlington, Virginia 22226

[End of letterhead]

DATE: March 31, 2014

MEMORANDUM TO: Arleas Upton Kea, Director, Division of Administration

FROM: Stephen M. Beard /Signed/ Deputy Inspector General for Audits and Evaluations

SUBJECT: The FDIC’s Purchase Card Program (Report No. AUD-14-007)

This report presents the results of our audit of the FDIC’s Purchase Card (P-Card) Program. The Government Charge Card Abuse Prevention Act of 2012, while not applicable to the FDIC, requires executive agencies that issue and use P-Cards and convenience checks to establish and maintain appropriate safeguards and internal controls over those forms of payment.1 The statute also requires Inspectors General covered by the Act to conduct periodic risk assessments and audits of agency P-Card and convenience check programs. Consistent with the spirit of the Act, we conducted an audit of the FDIC’s P-Card Program.2

Footnote 1: Terms that are underlined when first used in this report are defined in Appendix 2, Glossary of Terms.

Footnote 2: The FDIC’s P-Card Program includes both P-Cards and convenience checks.

The audit objective was to determine the effectiveness of internal controls intended to minimize improper transactions executed under the P-Card Program. For purposes of the audit, we considered a transaction to be improper if it did not comply with FDIC policy, procedures, or guidelines. To address our objective, we compared the FDIC’s P-Card Program controls to government-wide requirements and recognized best practices and reviewed a non-statistical sample of P-Card and convenience check transactions for compliance with the FDIC policies, procedures, and guidelines.3 We also spoke with officials in the Division of Administration (DOA) and other divisions and offices who had responsibility for administering and implementing the P-Card Program.

Footnote 3: A non-statistical sample is judgmental and cannot be projected to the population. See Appendix 1 for details regarding our sampling methodology.

We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report includes additional details about our objective, scope, and methodology; Appendix 2 contains a glossary of key terms; Appendix 3 contains a list of acronyms and abbreviations; Appendix 4 contains the Corporation’s comments on this report; and Appendix 5 contains a summary of the Corporation’s corrective actions.

Background

The FDIC participates in the government-wide charge card program known as the General Services Administration (GSA) SmartPay 2 Program. The program provides agencies and other organizations with a low-cost, efficient vehicle for obtaining goods and services directly from vendors. Under the SmartPay 2 Program, GSA manages a set of master contracts with major U.S. financial institutions through which agencies and organizations may obtain charge card services to accomplish their mission. In 2008, the FDIC entered into a 10-year contract under the program with U.S. Bank National Association (U.S. Bank). The contract authorizes U.S. Bank to issue P-Cards to designated FDIC employees and to bill the FDIC for cardholder purchases. The contract also provides for the use of convenience checks in order to accommodate purchases from vendors who do not accept P-Cards. However, the use of convenience checks is considered to be the least preferred means of paying for goods and services and should only be used when the P-Card is not accepted.

The FDIC Purchase Card Guide (P-Card Guide) defines the FDIC’s P-Card Program policies, procedures, processes, and guidelines, as well as the roles and responsibilities of key program participants.4 According to the P-Card Guide, DOA’s Acquisition Services Branch (ASB), Policy and Systems Section, has overall responsibility for administering the P-Card Program. Other key roles and responsibilities defined in the P-Card Guide, include, but are not limited to, the following:

Footnote 4: The P-Card Guide, dated August 2008, is an appendix to the Procedures, Guidance, and Information (PGI) document, which accompanies the FDIC Acquisition Policy Manual (APM). The APM establishes the FDIC’s policy for procuring goods and services from the private sector. The PGI document contains procedures for implementing the APM.

- Agency Program Coordinator (APC). An ASB official with day-to-day administrative responsibility for operating the P-Card Program, providing guidance to program participants, and serving as the FDIC’s primary liaison with U.S. Bank and GSA.

- Division/Office Coordinators (D/OC). Officials appointed by each participating division or office to serve as a liaison with ASB. Among other things, D/OCs are responsible for ensuring that ASB has a current list of cardholders and Approving Officials (AO) and that cardholders and AOs verify and approve transactions each month and receive appropriate training. D/OCs are also responsible for requesting the establishment and cancellation of cardholder accounts and requesting revised purchase limits, as appropriate.

- Approving Officials. Division or office officials responsible for monitoring cardholder compliance with regulations and procedures. Among other things, AOs are responsible for reviewing and approving purchases and charges and ensuring that charges are supported with vendor receipts or other evidence of the receipt of goods or services (collectively referred to herein as transaction documentation).

- Cardholders. FDIC employees designated by an AO or D/OC and appointed by the DOA Assistant Director, Policy and Systems Section, or the APC. Cardholders are responsible for using the P-Card (and convenience checks if they have been delegated authority to use that form of payment) to purchase goods and services for official use only and for complying with the P-Card Guide and any restrictions in their Cardholder Appointment Memorandum.

DOA’s homepage on the FDIC’s internal network also contains information about the P-Card Program, such as procedures for obtaining P-Card accounts, reconciling cardholder statements with the FDIC’s accounting system known as the New Financial Environment (NFE), approving cardholder purchases, and obtaining training.

P-Card Usage at the FDIC

P-Cards are the FDIC’s preferred method for purchasing and paying for goods and services valued at $5,000 or less. P-Cards may also be used to acquire commercially available goods and services valued above $5,000, provided that the cardholder complies with the P-Card Guide and appropriate sections of the APM and PGI document.5 In addition, P-Cards may be used for recurring purchases provided that the cumulative total of any recurring requirement does not exceed $100,000 in a 12-month period.

Footnote 5: The FDIC has independent procurement authority under the Federal Deposit Insurance Act and, therefore, is not required to follow the Federal Acquisition Regulation.

Table 1 contains selected statistics pertaining to the FDIC’s P-Card Program for the calendar years ended December 31, 2008 through 2012. As shown in the table, the number of cardholder accounts and P-Card transactions peaked in 2010 during the financial crisis and has declined gradually since that time.

Table 1: Selected P-Card Program Statistics for the Years Ended 2008-2012

Row 1 Program Statistic: Number of Cardholder Accounts 2012: 571 2011: 648 2010: 742 2009: 617 2008: 492

Row 2 Program Statistic: Number of P-Card Transactions 2012: 21,138 2011: 26,836 2010: 27,865 2009: 25,715 2008: 18,964

Row 3 Program Statistic: Number of Convenience Check Transactions 2012: 1,317 2011: 1,705 2010: 1,940 2009: 2,112 2008: 1,354

Row 4 Program Statistic: Total Purchase Amounts 2012: $23,332,018 2011: $30,226,751 2010: $33,303,154 2009: $30,097,438 2008: $21,775,183

Source: Office of Inspector General (OIG) analysis of data provided by DOA for 2008 and U.S. Bank for 2009-2012.

[End of table]

Government-wide Requirements and Best Practices

The Office of Management and Budget’s (OMB) Circular No. A-123, Management’s Responsibility for Internal Control, Appendix B Revised, Improving the Management of Government Charge Card Programs, (OMB A-123, Appendix B) dated January 15, 2009, defines minimum requirements and suggested best practices for government charge card programs. Although the FDIC is not subject to OMB A-123, Appendix B, it defines prudent concepts and business practices that can reduce the risk of fraud and misuse in charge card programs. Among other things, the appendix states that charge card programs should include:

- written policies and procedures for the appropriate use of charge cards;

- mandatory training for cardholders and other program participants;

- risk management controls, such as reviews of cardholder statements and transaction documentation, separation of duties for key functions, and reviews of available data (including the use of data mining, if available) to detect instances of fraud and misuse;

- periodic reviews of controls to evaluate their effectiveness; and

- controls to mitigate the use of convenience checks.

GSA, the Government Accountability Office (GAO), and other federal agencies have also published best practices related to government charge card programs. For purposes of this report, we refer to these best practices and OMB A-123, Appendix B, as recognized best practices.

[End of section]

Results of Audit

The FDIC established a number of internal controls intended to minimize the risk of improper transactions under the P-Card Program that were generally consistent with recognized best practices. Such controls include written policies and procedures governing the use of P-Cards and convenience checks, mandatory training for cardholders and AOs, and various risk management controls, such as periodic internal reviews and reconciliations of cardholder statements. Further, the FDIC’s card service provider—U.S. Bank—implemented certain controls to prevent and detect improper transactions. While these controls address many recognized best practices, we found that the FDIC could improve the effectiveness of its P-Card Program controls by:

- making greater use of transaction data to detect patterns, trends, and anomalies that may be indicative of potential fraud or misuse;

- performing periodic, program-level reviews of cardholder purchase limits to ensure they remain appropriate and monitoring convenience check transactions for compliance with established purchase limits;

- conducting periodic, program-level assessments of the reasonableness of the ratio of AOs to cardholders and the volume of transactions that AOs are responsible for reviewing;

- ensuring that cardholder accounts are disabled in a timely manner when cardholders leave the FDIC;

- prohibiting cardholders from using the P-Card to purchase non-monetary awards on their own behalf; and

- reviewing and clarifying, as appropriate, the role and responsibilities of the D/OC.

We reviewed a non-statistical sample of 150 P-Card transactions processed between April 1, 2011, and December 31, 2012, to determine whether they complied with FDIC policies, procedures, and guidelines. We found that all of the transactions had been approved by an AO. However, we did note some form of noncompliance for 26 of the transactions. Most instances of noncompliance involved cardholders not retaining receipts to support purchases. We referred these 26 transactions to appropriate FDIC management officials for follow-up action. Our review of P-Card transactions also identified a wide range of items that were purchased using the Internet as non-monetary awards for employees. Although such purchases are not prohibited by FDIC policy, using the P-Card to purchase non-monetary awards that are of a personal nature presents a reputational risk to the FDIC. The FDIC should consider this risk and clarify its P-Card and non-monetary awards policy, as appropriate.

[End of section]

Alignment of P-Card Program Controls to Recognized Best Practices

We reviewed the FDIC’s P-Card Program controls to assess the extent to which they aligned with 11 recognized best practices for mitigating the risk of fraud and misuse. We identified the 11 best practices based on our review of relevant P-Card-related statutes, policies, procedures, guidance, and reports.6 Overall, we determined that the establishment and implementation of the FDIC’s P-Card Program controls generally aligned with the best practices that we selected for review. However, we did note exceptions. Table 2 on the following page summarizes the results of our assessment. A detailed description of each exception that we noted follows the table.

Footnote 6: See Appendix 1 for the statutes, policies, procedures, guidance, and reports that we reviewed.

Table 2: Assessment of P-Card Program Controls

Legend for the two assessment columns: "Yes" means the control was addressed in policies, procedures, or guidelines (first column) or was implemented (second column); "Partially" means the control was partially addressed or partially implemented; "No" means the control was not addressed or was not implemented.

Row 1 Control Intended to Mitigate the Risk of Fraud and Misuse: Reviews available transaction data (using automated techniques, such as data mining) to detect fraud and misuse. Addressed in Policies, Procedures, or Guidelines?: No. Implemented?: Partially.

Row 2 Control Intended to Mitigate the Risk of Fraud and Misuse: Sets reasonable cardholder purchase limits. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Partially.

Row 3 Control Intended to Mitigate the Risk of Fraud and Misuse: Reviews cardholder purchases. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Yes.

Row 4 Control Intended to Mitigate the Risk of Fraud and Misuse: Blocks merchant category codes. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Yes.

Row 5 Control Intended to Mitigate the Risk of Fraud and Misuse: Conducts annual reviews of the number of AOs to cardholders, cardholder limits, and transactions. Addressed in Policies, Procedures, or Guidelines?: No. Implemented?: Partially.

Row 6 Control Intended to Mitigate the Risk of Fraud and Misuse: Reconciles accounts and certification of services. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Yes.

Row 7 Control Intended to Mitigate the Risk of Fraud and Misuse: Defines criteria for deactivating/cancelling cardholder accounts. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Partially.

Row 8 Control Intended to Mitigate the Risk of Fraud and Misuse: Takes disciplinary action against individuals who abuse their accounts or otherwise engage in potentially fraudulent activity. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Yes.

Row 9 Control Intended to Mitigate the Risk of Fraud and Misuse: Ensures appropriate separation of duties for key functions. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Partially.

Row 10 Control Intended to Mitigate the Risk of Fraud and Misuse: Identifies key program officials and their responsibilities. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Partially.

Row 11 Control Intended to Mitigate the Risk of Fraud and Misuse: Defines and requires training for program participants. Addressed in Policies, Procedures, or Guidelines?: Yes. Implemented?: Yes.

Source: OIG analysis of 11 recognized best practices, the FDIC’s P-Card Program policies, procedures, and guidelines, and the results of selected control assessments.

[End of table]

Review of Available Data to Detect Fraud and Misuse. Each month, U.S. Bank provides the FDIC with a file containing basic P-Card and convenience check transaction data, such as merchant names and locations, transaction amounts, and transaction dates. The file is uploaded to NFE, and cardholders and AOs log into NFE to review and approve their transactions. U.S. Bank also maintains, but does not routinely provide, more detailed data for some of the FDIC’s P-Card transactions. This more detailed data—commonly referred to as Level III line item detail—includes item descriptions and quantities. In addition, U.S. Bank offers its customers a payment analytics tool that can analyze transaction data and generate a wide variety of standard and custom reports. The tool uses defined parameters to flag suspicious transactions and violations and can correlate seemingly unrelated events that may represent a risk. The use of automated techniques, such as the payment analytics tool, to analyze detailed transaction data for patterns, trends, and anomalies that may be indicative of fraud or misuse is a recognized best practice.

We found that the APC and one other DOA employee reviewed 4 of 25 standard payment analytics reports offered by U.S. Bank.7 In addition, DOA and several other divisions have performed various internal reviews of their P-Card and convenience check usage in recent years and reported the results to their division’s management. However, the FDIC’s P-Card policies, procedures, and guidelines do not provide for an ongoing program-level review of detailed transaction data maintained by U.S. Bank for patterns, trends, or anomalies that may indicate potential fraud or misuse. Our review of U.S. Bank’s payment analytics tool and related reports found that they could be better leveraged by DOA in its efforts to identify potential fraud, misuse, or noncompliance with FDIC policies, procedures, or guidelines. Doing so would help mitigate risk in the P-Card Program.

Footnote 7: The four reports were Possible Split Purchases, Possible Split Transactions in a Single Day, Weekend or Holiday Transactions, and Monitor Possible Conference Transactions.

Cardholder Purchase Limits. GSA’s publication, entitled Managing GSA SmartPay Purchase Card Use, a Plan for Success, states that organizations should set realistic, but not excessive, purchase limits as a means of deterring cardholder misuse. In addition, GAO’s November 2003 audit guide, entitled Auditing and Investigating the Internal Control of Government Purchase Card Programs, states that purchase limits directly affect the extent of potential loss to an organization from fraudulent, improper, and abusive purchases. Further, periodic reviews of cardholder limits are an important control for ensuring that limits remain at appropriate levels to meet operational requirements and allow organizations to better manage and control their P-Card risks.

Cardholders in the P-Card Program receive a Cardholder Appointment Memorandum that, among other things, establishes the following three types of purchase limits:

- Single Purchase Limit. The maximum amount a cardholder may charge for any single purchase using the P-Card.

- Convenience Check Limit. The maximum amount a cardholder may pay when using a convenience check. A cardholder’s convenience check limit may be less than his or her single purchase limit. Convenience checks are issued to some, but not all, cardholders.

- Monthly Purchase Limit. The maximum cumulative amount a cardholder may charge during any monthly billing cycle. The monthly purchase limit includes purchases made with both the P-Card and convenience checks.

We compared 44,404 P-Card and convenience check transactions processed between April 1, 2011, and December 31, 2012, against established single and monthly purchase limits and found no exceptions. However, we did note that 234 of the 571 P-Card accounts (or 41 percent) that were active as of December 31, 2012, had single purchase limits that were more than 5 times the cardholders’ maximum transaction amount during the 21-month period that we reviewed. In addition, 491 of the 571 P-Card accounts (or 86 percent) had monthly purchase limits that were more than 5 times the cardholders’ maximum monthly purchase amount during the same period. This disparity can be attributed, in part, to elevated limits that were established during the recent financial crisis. Internal reviews of P-Card usage for selected FDIC divisions have also identified cardholder limits that needed to be reduced. Further, the APC has taken some steps to reduce cardholder limits. The results of our analysis indicate that further review and action to adjust cardholder purchase limits is warranted.

We also compared all 2,616 convenience check transactions processed during the time period referenced above against established convenience check limits and found that 32 (or about 1 percent) exceeded those limits. These 32 convenience checks were written by 15 of the 192 cardholders (or about 8 percent) who were authorized to write convenience checks during the same period. We spoke with 12 of the 15 cardholders regarding the exceptions we identified and determined that none were aware that they had exceeded their convenience check limit.8 Eight of the twelve cardholders mistakenly thought that their convenience check limit was the same as their single purchase limit for the P-Card. The remaining four cardholders appropriately requested that the APC increase their limits before they wrote the checks, but for various reasons, the increases were not processed by the APC. The APC was also unaware of the 32 limit exceptions that we identified because a mechanism to effectively monitor convenience checks for limit exceptions had not been established. Absent monitoring and appropriate follow-up action with cardholders to address exceptions, there is an increased risk of fraud, misuse, and noncompliance with FDIC policies, procedures, or guidelines.

Footnote 8: We were unable to speak with the remaining three cardholders because they were no longer employed by the FDIC.

Ratio of Approving Officials to Cardholders. The P-Card Guide states that AOs are responsible for assuring that all cardholder statement charges are supported by a vendor receipt or other evidence of FDIC receipt of goods or services and for verifying cardholder documentation to ensure purchases are justified. GSA’s Blueprint for Success: A Guide for Purchase Card Oversight, states that the number of cardholders and the volume of transactions for which an AO is responsible needs to be reasonable in order to allow AOs ample time to review transactions. Timely reviews of transactions are necessary to ensure the detection of card misuse and fraud. Although there is no definitive AO to cardholder ratio, the GSA guide states that the most common ratios range between 1:4 and 1:10.

We reviewed the span of control for 135 AOs and found that 13 (or 10 percent) had AO to cardholder ratios greater than 1:10. The ratios for these 13 officials ranged from 1:11 to 1:52. We also interviewed a non-statistical sample of 9 AOs who had responsibility for more than 10 cardholders and/or who had a high amount of transactions based on transaction dollars and volume. Six of the 9 AOs that we spoke with stated that they did not have time to look at the documentation underlying every transaction. In many cases, the AOs either spot checked transaction documentation or relied on other staff to review and verify the documentation.

AOs are responsible for ensuring that all purchases made by their cognizant cardholders are appropriate and that charges are accurate and supported. As such, AOs are the first line of defense against potential fraud and misuse and must have the requisite time to review transaction details to ensure that purchases comply with FDIC policies, procedures, and guidelines. The FDIC can achieve greater assurance that AOs have ample time to effectively review transactions by establishing a policy or procedure for conducting periodic, program-level reviews of the ratios of AOs to cardholders and the volume of transactions AOs are responsible for reviewing. The FDIC should also determine whether it is appropriate for AOs to delegate their responsibility to review and verify transaction documentation to other employees and/or to spot check documentation based on some form of risk analysis. To the extent that such practices are determined to be appropriate, the FDIC should clarify AO responsibilities and expectations.

Cancelling Cardholder Accounts for Separating Employees. The P-Card Guide states that cardholders must notify their AO if they plan to leave the FDIC and that the AO must in turn notify the APC in writing of the cardholder’s effective separation date prior to the departure. The APC must then cancel the cardholder’s account and submit a written confirmation of the cancellation to the AO.

We reviewed the accounts of all cardholders who separated from the FDIC between May 1, 2011, and December 31, 2012, to determine whether the accounts had been cancelled prior to the cardholder’s departure. Of the 98 accounts that we reviewed, 22 had not been cancelled prior to the cardholder’s separation from the FDIC. Thirteen of the 22 accounts were cancelled more than 7 days after the employee’s departure. In most instances, the accounts were not cancelled prior to the cardholders’ separation because the AOs did not provide timely notification of the separations to the APC.

Importantly, no new purchases were made under the 22 accounts following the cardholders’ separations. Nevertheless, untimely cancellation of cardholder accounts for separating employees presents an increased risk of unauthorized use of the accounts.

Separation of Duties. GSA’s Blueprint for Success: A Guide for Purchase Card Oversight states that agency P-Card policies should address separation of duties to minimize the risk of fraud and/or loss of property. In particular, the responsibilities of cardholders, AOs, and APCs should not overlap, to ensure that management controls are not circumvented. The P-Card Guide defines separation of duties for key program participants. Among other things, the guide states that AOs must not be subordinate to any cardholder within their approval hierarchy.

We reviewed a non-statistical sample of 150 of the 44,404 P-Card transactions that were processed between April 1, 2011, and December 31, 2012, and found that eight involved a cardholder purchasing a non-monetary award on their own behalf. In each instance, an AO approved the transaction. However, for 7 of the 8 transactions, the description of the transaction in NFE merely stated “non-monetary award” without any indication of who actually received the award. Such a practice presents a risk that a cardholder could deliberately enter generic non-monetary award descriptions in NFE for purchases they make on their own behalf. The risk is further elevated by the fact that some AOs do not have ample time to review underlying transaction documentation as described earlier.

We also found that one of the nine AOs that we interviewed was a subordinate to a cardholder. The P-Card Guide prohibits employees from serving as AOs when they are a subordinate to a cardholder. We notified DOA of this situation and corrective action was taken prior to the close of the audit.

Role of the Division/Office Coordinator. The P-Card Guide identifies the D/OC as one of four roles associated with the success of the P-Card Program. According to the guide, a D/OC must be appointed by each participating division or office to serve as a liaison with ASB and to function at an organizational level for purposes of coordinating APC requests to the division or office, and for internal control purposes. The responsibilities of D/OCs include:

- ensuring that ASB has a current list of cardholders and AOs and that the hierarchy structure of the program is correct (e.g., that cardholders are subject to approval by the correct AOs);

- acting as the primary point of contact with ASB for disseminating information about the program;

- ensuring cardholders and AOs have verified and approved all transactions on a monthly basis;

- ensuring that cardholders and AOs have received appropriate training;

- ensuring that all convenience check data is submitted monthly to the APC;

- requesting the establishment and cancellation of cardholder accounts and revised purchase limits, as appropriate; and

- reporting suspected P-Card misuse to the APC immediately upon becoming aware of possible misuse.

The APC informed us that, in practice, the involvement of the D/OCs in the P-Card Program is informal and that D/OCs are generally only consulted on an as needed basis when DOA requires their assistance. In addition, the APC was not maintaining a current listing of individuals serving as D/OCs and two offices—the Office of Minority and Women Inclusion and the Office of International Affairs—did not have a designated D/OC. DOA should review the role of the D/OC in the P-Card Program to determine whether it is functioning as intended and clarify the D/OC’s responsibilities, if warranted.

Recommendations

We recommend that the Director, DOA:

1. Make greater use of P-Card transaction data and reports to detect patterns, trends, and anomalies that may be indicative of potential fraud or misuse.

2. Strengthen oversight of purchase limits by (a) performing periodic, program-level reviews of cardholder purchase limits to ensure they remain appropriate, (b) establishing processes to monitor convenience checks for potential limit exceptions, and (c) reiterating to cardholders the difference between single purchase limits for P-Cards and convenience checks.

3. Establish a policy or procedure for conducting periodic, program-level reviews of the ratios of AOs to cardholders and the volume of transactions AOs are responsible for reviewing to ensure they remain appropriate.

4. Review and clarify, as appropriate, AO responsibilities and expectations for reviewing and verifying documentation supporting P-Card transactions.

5. Reinforce to cardholders and AOs their responsibility to provide timely notification to the APC of pending cardholder separations.

6. Update P-Card policies and procedures to prohibit cardholders from using the P-Card to purchase non-monetary awards on their own behalf.

7. Review and clarify, as appropriate, the role and responsibilities of the Division/Office Coordinator.

[End of section]

Review of Selected P-Card Transactions

We reviewed a non-statistical sample of 150 of the 44,404 P-Card transactions that were processed between April 1, 2011, and December 31, 2012, to determine whether they complied with FDIC policies, procedures, and guidelines. We found that all 150 of the transactions had been approved by an AO. However, we did note some form of noncompliance for 26 of the transactions. Most instances of noncompliance involved cardholders not retaining receipts to support purchases. The remaining instances involved the purchase of prohibited items, the payment of sales taxes, transaction splitting to circumvent a purchase limit, and not coordinating with another division or office before purchasing a good or service that required such coordination. These policy exceptions appear to have been caused by oversights or a lack of awareness of policy requirements on the part of cardholders. We referred all 26 instances of noncompliance to the DOA Assistant Director, Policy and Systems Section, for appropriate action.

Non-monetary Awards. Circular 2420.1, FDIC Rewards and Recognition Program, allows divisions and offices to use the P-Card to purchase non-monetary awards for employees. The circular states that the type of items that may be awarded is left to the discretion and creativity of the individual approving the award. Our review of the 150 P-Card transactions identified a wide range of items that were purchased as non-monetary awards using the Internet. These items were generally valued at $25 or less. Although the non-monetary award items that we reviewed were permissible under FDIC policy, using the P-Card to purchase awards that are of a personal nature presents a reputational risk to the FDIC. We spoke with DOA management officials about this risk and were informed that consideration is being given to modifying Circular 2420.1 to limit the types of items that would qualify as non-monetary awards. The FDIC should consider the risk associated with using the P-Card to purchase non-monetary awards and clarify the Corporation’s P-Card and non-monetary awards policies and guidance, as appropriate.

Recommendation

We recommend that the Director, DOA:

8. Review and clarify, as appropriate, corporate policy and guidance related to the types of items that may be purchased as non-monetary awards using the P-Card.

[End of section]

Corporation Comments and OIG Evaluation

The Director, DOA, provided a written response, dated March 26, 2014, to a draft of this report. The response is presented in its entirety in Appendix 4. In the response, the Director concurred with all eight of the report’s recommendations and described ongoing and planned corrective actions that address the recommendations. A summary of the Corporation’s corrective actions is presented in Appendix 5. The planned corrective actions are responsive to the recommendations and the recommendations are resolved.

[End of section]

Appendix 1

Objective, Scope, and Methodology

Objective

The audit objective was to determine the effectiveness of internal controls intended to minimize improper transactions executed under the P-Card program.

We conducted this performance audit from April 2013 through February 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. The conclusions and findings in this report are based on information provided by the FDIC and certain analyses that we performed through February 2014. We caution that projecting the results of our audit to future periods is subject to the risk that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

Scope and Methodology

To obtain a proper understanding of relevant government-wide requirements and best practices related to P-Card usage, we:

- Reviewed and analyzed government-wide statutes, policies, procedures, guidance, and reports including, but not limited to:

- The Government Charge Card Abuse Prevention Act of 2012

- OMB A-123, Appendix B

- The Council of the Inspectors General on Integrity and Efficiency’s Government Purchase Card Audit Framework, dated January 2012

- GAO’s audit guide, entitled Auditing and Investigating the Internal Control of Government Purchase Card Programs, dated November 2003

- GAO’s report, entitled Governmentwide Purchase Cards: Actions Needed to Strengthen Internal Controls to Reduce Fraudulent, Improper, and Abusive Purchases, dated March 2008

- GSA’s Blueprint for Success: A Guide for Purchase Card Oversight

- GSA’s Managing GSA SmartPay Purchase Card Use: A Plan for Success

- Contacted officials in GSA’s SmartPay Program to obtain their perspectives on P-Card program controls.

- Interviewed selected OIG officials at other federal agencies to discuss their approach for conducting P-Card audits.

To obtain an understanding of the FDIC’s internal controls intended to minimize improper P-Card transactions, we:

- Reviewed and analyzed P-Card Program policies, procedures, guidelines, and reports, including:

- The P-Card Guide

- Procedures and guidance on DOA’s internal Web site pertaining to such things as NFE reconciliations and approvals, training, communications on temporary limit increases and convenience check usage, and frequently asked questions

- DRR Circular 3700, FDIC Purchase Card Program, dated June 20, 2008

- DOA’s report, entitled Overview of the FDIC Purchase Card Program and Business Processes, dated February 2011

- Internal review reports issued by DOA and other divisions

- Interviewed officials in DOA, including the APC, and other divisions and offices, such as AOs and cardholders, who had responsibility for administering and implementing the P-Card Program.

- Interviewed the U.S. Bank representative to the FDIC to determine the types of internal controls that U.S. Bank employs.

To determine the effectiveness of internal controls intended to minimize improper transactions, we compared the FDIC’s P-Card Program controls to 11 recognized best practices that we determined to be key in mitigating the risk of fraud and misuse in government charge card programs. We also performed various analyses of program controls, such as computing the ratio of AOs to cardholders and the total transaction volume that AOs are responsible for and compared that information to best practices; comparing cardholder credit limits to cardholder transactions to determine cardholder utilization of available credit; comparing all convenience check transactions against cardholder convenience check limits for the population of transactions; and determining the timeliness of account cancellations for cardholders who separated from the FDIC from May 1, 2011, through December 31, 2012.

In addition to program controls, we reviewed a non-statistical sample of transactions for compliance with FDIC policies, procedures, and guidelines. Non-statistical samples are judgmental and cannot be projected to the population of transactions. A description of our sampling methodology follows.

We obtained a dataset of all P-Card and convenience check transactions from U.S. Bank for the period April 1, 2011, through December 31, 2012. The dataset contained a total of 44,404 transactions, consisting of 41,788 P-Card transactions totaling $40.7 million and 2,616 convenience check transactions totaling $5.2 million. We selected 150 transactions totaling $962,478 from the population by using 13 filters (or business rules) that we developed based on our review of government-wide requirements, best practices, and reports. These business rules were designed to identify “at risk” transactions that had an elevated potential for non-compliance with FDIC policies, procedures, or guidelines. We engaged the independent firm of Reed & Associates, CPAs, Inc., to assist us in developing automated queries to filter the dataset using the 13 business rules to develop our sample of 150 transactions. For each transaction that we selected, we performed the following steps:

- Requested that the cognizant cardholder provide us with documentation supporting the transaction and the rationale for procuring the goods or services.

- Verified whether each transaction had been approved by an AO in NFE.

- Determined whether the business reason provided for the transaction was consistent with information contained in NFE.
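The program-level analyses described in this report (comparing convenience checks against check limits, which differ from P-Card single purchase limits; flagging possible transaction splitting around a purchase limit; checking account cancellation timeliness against separation dates; and computing AO-to-cardholder ratios against the GSA-cited 1:10 upper range) can be expressed as automated business rules over the transaction dataset. The following Python is an added example written for this edition; it is not the OIG’s or Reed & Associates’ queries. The record layout, the limits, and the cardholder and transaction records are constructed assumptions, and the post-separation transaction it flags is hypothetical (the audit found none).

```python
"""Added example for this edition, not the OIG's or Reed & Associates' queries:
a small rules pass over constructed P-Card data implementing several of the
program-level checks the report describes. Field layout, limits and records
are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed cardholder master data (hypothetical names, limits and dates).
# check_limit is deliberately lower than single_limit for C1 to mirror the
# report's point that the two limits differ.
CARDHOLDERS = {
    "C1": {"ao": "AO1", "single_limit": 3000, "check_limit": 2500,
           "separated": None, "cancelled": None},
    "C2": {"ao": "AO1", "single_limit": 3000, "check_limit": 2500,
           "separated": date(2012, 6, 1), "cancelled": date(2012, 6, 15)},
    "C3": {"ao": "AO2", "single_limit": 5000, "check_limit": 5000,
           "separated": None, "cancelled": None},
}
# Eleven more constructed cardholders under one AO, to exercise the span-of-control rule.
for i in range(11):
    CARDHOLDERS[f"X{i}"] = {"ao": "AO3", "single_limit": 3000, "check_limit": 3000,
                            "separated": None, "cancelled": None}

# Constructed transactions: (id, cardholder, date, amount, merchant, kind).
TRANSACTIONS = [
    ("T1", "C1", date(2012, 3, 1), 2900.00, "Vendor A", "check"),  # over check limit, under P-Card limit
    ("T2", "C1", date(2012, 3, 2), 1800.00, "Vendor B", "card"),
    ("T3", "C1", date(2012, 3, 2), 1700.00, "Vendor B", "card"),   # T2 + T3 exceed C1's single limit
    ("T4", "C2", date(2012, 6, 10), 40.00, "Vendor C", "card"),    # hypothetical use after separation
    ("T5", "C3", date(2012, 7, 4), 4999.00, "Vendor D", "card"),
]


def check_limit_exceptions(txns, holders):
    """Convenience checks written above the cardholder's check limit."""
    return [t[0] for t in txns
            if t[5] == "check" and t[3] > holders[t[1]]["check_limit"]]


def possible_splits(txns, holders, window_days=1):
    """Same cardholder and merchant within the window, each transaction at or
    under the single purchase limit but the group above it."""
    groups = defaultdict(list)
    for t in txns:
        if t[5] == "card":
            groups[(t[1], t[4])].append(t)
    flagged = set()
    for (holder, _merchant), items in groups.items():
        items.sort(key=lambda t: t[2])
        limit = holders[holder]["single_limit"]
        for i, first in enumerate(items):
            cluster = [t for t in items[i:] if (t[2] - first[2]).days <= window_days]
            if (len(cluster) > 1 and all(t[3] <= limit for t in cluster)
                    and sum(t[3] for t in cluster) > limit):
                flagged.add(tuple(t[0] for t in cluster))
    return sorted(flagged)


def post_separation_activity(txns, holders):
    """Accounts not cancelled before separation (days late, or None if still
    open) and any transaction dated after the cardholder's separation."""
    late = {}
    for h, info in holders.items():
        sep, canc = info["separated"], info["cancelled"]
        if sep and (canc is None or canc > sep):
            late[h] = (canc - sep).days if canc else None
    used = [t[0] for t in txns
            if holders[t[1]]["separated"] and t[2] > holders[t[1]]["separated"]]
    return late, used


def ao_span_of_control(holders, max_ratio=10):
    """AOs responsible for more cardholders than the GSA-cited 1:10 upper range."""
    counts = defaultdict(int)
    for info in holders.values():
        counts[info["ao"]] += 1
    return {ao: n for ao, n in counts.items() if n > max_ratio}


def run_all(txns=TRANSACTIONS, holders=CARDHOLDERS):
    """Collect every exception so the APC has one worklist to follow up."""
    late, used = post_separation_activity(txns, holders)
    return {
        "check_limit_exceptions": check_limit_exceptions(txns, holders),
        "possible_splits": possible_splits(txns, holders),
        "late_cancellations": late,
        "post_separation_transactions": used,
        "ao_over_ratio": ao_span_of_control(holders),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Each rule is a separate function so it can be run monthly against a bank export, and the split rule deliberately flags only groups whose individual transactions are each within the limit, which is the pattern that a per-transaction limit check cannot see.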

We performed our work at the FDIC’s Virginia Square Offices in Arlington, Virginia.

Internal Control, Reliance on Computer-processed Information, Performance Measurement, and Compliance with Laws and Regulations

As described in the Scope and Methodology section of this Appendix, we performed audit procedures to identify and obtain an understanding of the FDIC’s internal controls for minimizing improper transactions executed under the P-Card program. We also compared the FDIC’s P-Card Program controls to recognized best practices and reviewed selected transactions for compliance with the FDIC’s P-Card policies, procedures, and guidelines. Consistent with our audit objective, we did not assess the adequacy of the FDIC’s overall internal control or management control environment. Our report identifies certain internal control weaknesses warranting management’s attention.

We relied on data provided by U.S. Bank to select a sample of transactions for detailed analysis. We determined that the data provided was sufficiently reliable for purposes of selecting a sample by performing various procedures, such as reconciling P-Card transaction data from U.S. Bank to NFE; discussing the data with a U.S. Bank representative and DOA officials; and comparing the data to figures in published reports, such as Annual Review Reports issued by U.S. Bank and an internal FDIC report on P-Cards, and information generated by NFE. We did not perform an assessment of data reliability controls in U.S. Bank’s systems or NFE. However, we did review the accuracy and completeness of selected data in U.S. Bank’s system and NFE for the 150 transactions we selected by comparing information in the systems to supporting documentation (when it was available).

The Government Performance and Results Act of 1993 (the Results Act), as amended, directs executive branch agencies to develop a customer-focused strategic plan, align agency programs and activities with concrete missions and goals, and prepare and report on annual performance plans. For this audit, we did not assess the strengths and weaknesses of FDIC’s annual performance plan in meeting the requirements of the Results Act because such an assessment was not part of the audit objective.

We did not perform tests of compliance with the Government Charge Card Abuse Prevention Act of 2012 because the FDIC is not subject to the statute. However, we did consider the provisions of the statute in selecting the 11 recognized best practices that were used as the principal criteria for our assessment of P-Card program controls. We assessed the risk of fraud and abuse related to our objective when selecting audit criteria, designing audit procedures, and evaluating audit evidence.

[End of section]

Appendix 2

Glossary of Terms

Term: Cardholder Appointment Memorandum Definition: A memorandum issued by the DOA Assistant Director, Policy and Systems Section, or the APC that delegates to the cardholder the authority to make authorized purchases for the FDIC using the P-Card (and in some cases, convenience checks). The memorandum specifies purchase limits and any restrictions on the use of the P-Card or convenience checks.

Term: Convenience Check Definition: A paper check associated with a cardholder account.

Term: Data Mining Definition: An automated process used to analyze data to detect patterns, trends, and/or anomalies for use in risk management and other areas of analysis.

Term: Fraud Definition: Any act of corruption or attempt to cheat the government or corrupt the government’s agents, including but not limited to, the use of government charge cards to transact business that is not sanctioned, not authorized, not in one’s official government capacity, not for the purpose for which the card was issued, or not as part of official government business.

Term: Merchant Category Code (MCC) Definition: A four-digit code used to identify the type of business a merchant conducts (e.g., gas stations, restaurants, airlines). Merchants select a code based on their primary business. Organizations may prohibit purchases from merchants with certain Merchant Category Codes as a means of reducing the risk of improper transactions.

Term: Misuse Definition: In the case of government P-Cards, intentional use of a P-Card for other than official government transactions. Depending on the circumstances, misuse may involve fraud.

Term: P-Card Definition: An account established by a commercial financial institution on behalf of agencies or individual agency employees to which the cost of purchasing goods and services may be charged.

Term: Purchase Limit Definition: The maximum amount that a cardholder may charge to a P-Card account in a single purchase (i.e., transaction) or in a single monthly billing cycle. The term also refers to the maximum amount a cardholder may pay when using a convenience check. The FDIC’s purchase limits are defined in Cardholder Appointment Memoranda.

Term: SmartPay 2 Definition: A government-wide purchase card program administered by GSA. Under the program, agencies and organizations issue task orders against master contracts that GSA has with Citibank, JPMorgan Chase, and U.S. Bank. These banks provide charge cards to the agency or organization employees to make purchases on behalf of the agency or organization. Agencies can obtain different types of charge card products and services under the SmartPay 2 Program, including purchase, travel, fleet, and integrated cards.

Term: Transaction Definition: The swipe of a credit card through a point of sale terminal, completion of an online transaction, or use of a convenience check. A transaction may involve the purchase of one or more items.

[End of section]

Appendix 3

Acronyms and Abbreviations

Acronym/Abbreviation Explanation

AO - Approving Official

APC - Agency Program Coordinator

APM - Acquisition Policy Manual

ASB - Acquisition Services Branch

DOA - Division of Administration

D/OC - Division/Office Coordinator

DRR - Division of Resolutions and Receiverships

FDIC - Federal Deposit Insurance Corporation

GAO - Government Accountability Office

GSA - General Services Administration

NFE - New Financial Environment

OIG - Office of Inspector General

OMB - Office of Management and Budget

PAB - Procurement Administrative Bulletin

P-Card - Purchase Card

PGI - Procedures, Guidance, and Information Document

U.S. Bank - U.S. Bank National Association

[End of section]

Appendix 4

Corporation Comments

[letterhead]

FDIC Federal Deposit Insurance Corporation 3501 Fairfax Drive, Arlington, VA 22226 Division of Administration

[End of letterhead]

DATE: March 26, 2014

MEMORANDUM TO: Stephen M. Beard, Deputy Inspector General for Audits and Evaluations

FROM: Arleas Upton Kea, Director, Division of Administration, /Signed/

SUBJECT: Management Response to the Office of the Inspector General Draft Audit Report Entitled, The FDIC’s Purchase Card Program (Assignment No. 2013-020)

The Division of Administration (DOA) has completed its review of the subject Office of Inspector General (OIG) Draft Audit Report dated February 26, 2014. We appreciate the review performed by the OIG and are pleased to see that the DOA has established a number of internal controls to minimize the risk of improper transactions and that these controls were generally consistent with recognized best practices.

Although the OIG found that the FDIC purchase card (P-Card) program was consistent with recognized best practices, the OIG did identify opportunities for FDIC to improve the P-Card program controls; and made eight recommendations to the DOA. We have reviewed each recommendation and have provided our management response along with the planned corrective actions that DOA will take for each recommendation.

MANAGEMENT DECISION

Recommendation 1: Make greater use of P-Card transaction data and reports to detect patterns, trends and anomalies that may be indicative of potential fraud or misuse.

DOA Management Response: DOA concurs with this recommendation.

In 2012, U.S. Bank created a “Payment Analytics” reporting tool that consisted of various types of payment alerts that could be made available to the FDIC in its management of the P-card program. The Agency Program Coordinator (APC), located in the DOA Acquisition Services Branch (ASB), who provides the day-to-day administrative oversight of the program, did evaluate the payment analytics reports offered by U.S. Bank. As a result, the APC selected four reports from the payment analytics tool that would be helpful in managing the P-Card program. The four reports include: Possible Split Purchase; Possible Split Transactions in a Single Day; Weekend or Holiday Transactions; and Possible Conferences Transactions. The APC believed the selection of the four payment analytics reports combined with the other U.S. Bank online reports - program management, financial management, supplier management and administration reports - provided the necessary control activities to administer the program effectively.

Given that DOA always looks for opportunities to improve the P-Card program, DOA's Acquisition Services Branch (ASB) will re-evaluate the available payment analytics reports offered by U.S. Bank to determine how DOA can leverage the information and other reporting alerts to enhance the overall management and oversight of the FDIC P-Card program. This would include the use of the payment analytics tool to identify any patterns, trends and anomalies that may be an indicator of potential fraud or misuse by P-Cardholders.

In addition, DOA's MSB Internal Review Section will also incorporate periodic program-level reviews that utilize "Level 3" transaction data into its testing of the P-Card program.

Corrective Action: DOA ASB will re-evaluate the U.S. Bank payment analytics reporting tool to determine whether there are other reporting alerts that could be incorporated into its administrative oversight of the P-Card program to assist in identifying suspicious transactions and purchase violations.

Completion date: DOA ASB will identify and implement additional payment analytic reporting alerts by May 31, 2014.

Recommendation 2: Strengthen oversight of purchase limits by (a) performing periodic, program-level reviews of cardholder purchase limits to ensure they remain appropriate; (b) establishing processes to monitor convenience checks for potential limit exceptions; and (c) reiterating to cardholders the difference between single purchase limits for P-Cards and convenience checks.

DOA Management Response: DOA concurs with this recommendation.

a) Performing Periodic Program-Level Reviews. As part of the DOA internal review program, the DOA Management Services Branch (MSB) has conducted a number of reviews of our P-Card program to include reviews of cardholder purchase limits as well as a comprehensive review of the program control environment. The MSB study found that the P-Card program has been designed to provide reasonable assurance that its operating objectives can be met as it pertains to:

- Effectiveness and efficiency of operations;

- Reliability of financial reporting;

- Compliance with applicable laws and regulations;

- Compliance with corporate directives, policies and procedures; and

- Safeguarding of assets.

In addition, the ASB has established a portfolio of internal controls over the P-Card program that are appropriate to safeguard resources and manage risks. Notwithstanding DOA's efforts to proactively oversee and manage the program, we recognize that there are always opportunities to improve the program. As such, DOA's MSB Internal Review Section will incorporate an annual review of all authorized P-Cardholders into its internal review plan. This annual review will focus on both the continued need for the P-Card by authorized users, as well as appropriate purchase limits, based on an analysis of usage patterns. The intention would be for annual adjustments to be made in both areas, based on the results of the review.

b) Monitoring Convenience Checks. Currently, the ASB P-Card program office monitors convenience check use through two processes: 1) U.S. Bank "Check Force Post" email notification; and 2) U.S. Bank Monthly Convenience Check Report.

1) U.S. Bank - Check Force Post: The "Check Force Post" email notification is a proactive monitoring process for those cardholders who have written convenience checks that exceed their authorized single purchase credit limit. Through this process, P-Card program staff receive immediate email notification from U.S. Bank. Upon receipt of the email, P-Card program staff follow up immediately with the cardholder to determine the reason and the action(s) to be taken.

2) U.S. Bank - Monthly Convenience Check Report: ASB P-Card program staff receive a monthly convenience check report approximately 10 days after each closing period from U.S. Bank. The report identifies convenience check transaction activity for all cardholders that have exceeded their check limit authorization. Although the program staff monitors this report monthly, DOA recognizes that improvements to the monitoring process could be enhanced. Looking prospectively, our P-Card program office will incorporate a monthly email notification process to those cardholders that have exceeded their authorized check limit without obtaining prior approval. The email notification will cite language from the FDIC Purchase Card Policy, Section 1.9 entitled "Misuse/Unauthorized Use - Consequences and Penalties" that outlines the corrective actions that FDIC may take for cardholder misuse of the P-Card. The email notification will also be sent to the cardholder's Approving Official (AO).

DOA also recognizes that not all of the monitoring processes in place are real-time. Our ASB P-Card program office will also work with U.S. Bank to determine whether the Payment Analytics tool could provide real-time alerts when a P-Cardholder exceeds their authorized check limit.

c) Single Purchase Limits for P-Cards and Convenience Checks. DOA is concerned that P-Cardholders were not aware of their authorized convenience check limit and proceeded to write convenience checks that exceeded their limit. We believe all P-Cardholders should have a clear understanding and can differentiate between the single purchase limits for convenience checks and P-Cards since corporate P-Cardholders are required to complete P-Card training prior to the issuance of their P-Card. In addition, each P-Cardholder is issued a "Cardholder Appointment Memorandum" that clearly states the maximum single convenience check limit for the cardholder. The FDIC Purchase Card Guide also provides policy guidance on convenience check limits to P-Cardholders. Additionally, the purchase limit authorization is printed on all newly issued convenience checks so cardholders are further reminded of their authorized limit. As a result of the OIG finding, DOA ASB will reiterate to all P-Cardholders the difference between single purchase limits for P-Cards and convenience checks.

Corrective Action:

a) DOA MSB will incorporate periodic reviews into its annual internal review plan that will evaluate purchase limits and recommend cancelation of unused cards.

b) DOA ASB will issue a monthly email alert to P-Cardholders that have written convenience checks that exceeded their authorized limit and to their AOs. ASB will also work with U.S. Bank to determine whether the payment analytics reporting tool can provide a more immediate notification when a convenience check exceeds the authorized check limit.

c) DOA ASB will issue a periodic email to all P-Cardholders that reiterates the difference between single purchase limits for P-Cards and convenience checks.

Completion Date:

a) First review will be completed by June 30, 2014; and thereafter, by June 30th of each year or more frequently as necessary.

b) Email notification to P-cardholders and AOs and additional payment analytics reporting alerts related to convenience checks will be identified and implemented by May 31, 2014.

c) DOA ASB will issue its first reminder email by April 30, 2014.

Recommendation 3: Establish a policy or procedure for conducting periodic, program-level reviews of the ratios of Approving Officials (AOs) to cardholders and the volume of transactions AOs are responsible for reviewing to ensure they remain appropriate.

DOA Management Response: DOA concurs with this recommendation.

DOA agrees that the ratio of AOs to P-Cardholders should be reasonable in order to allow ample time for an AO to properly review transactions. The AO is a critical control activity in the P-Card program for ensuring that purchases made under the program are appropriate, accurate and fully supported. DOA MSB will incorporate periodic ratio analysis of AO to cardholder into the DOA's annual internal review plan.

Corrective Action: DOA MSB will conduct periodic reviews of the ratio of AOs to P-Cardholders to ensure that FDIC is generally in line with GSA's "Blueprint for Success" suggested ratio of 1:10.

Completion Date: First review will be completed by September 30, 2014.

Recommendation 4: Review and clarify, as appropriate, AO responsibilities and expectations for reviewing and verifying documentation supporting P-Card transactions.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: DOA ASB will issue an email to all AOs that reiterates the responsibilities and expectations for reviewing and verifying documentation to support P-Card transactions.

Completion Date: DOA ASB will issue email by April 30, 2014.

Recommendation 5: Reinforce to cardholders and AOs their responsibility to provide timely notification to the ASB Agency Program Coordinator (APC) of pending cardholder separations.

DOA Management Response: DOA concurs with this recommendation.

Currently, there are three key control activities in place to notify the DOA ASB P-Card program office of an employee separation or other event that would result in the cancelation of a P-Card. First, the AO is required to notify the APC in writing of the cardholder's effective separation date prior to the departure. This is an important control process, since it alerts the APC to cancel the P-Card prior to the employee's separation. Second, the APC will learn of the employee separation through the FDIC pre-exit clearance process and will then take action to cancel the P-Card. Third, through the pre-exit clearance process, the P-Card program office receives a bi-weekly employee separation report that is used to initiate cancelation of the P-Card. The employee separation report serves as a detective control to ensure P-Cards have been canceled for separated employees.

DOA ASB will explore the option of entering a cancellation date into the U.S. Bank system once the P-Card program office receives notice of an employee's separation date. This process would automatically cancel the P-Card on the employee's effective separation date.

Corrective Action: DOA ASB will issue an email to all P-Cardholders and AOs that reiterates the importance of providing timely notification of a pending cardholder separation to the P-Card program office.

Completion Date: DOA ASB will issue email by April 30, 2014.

Recommendation 6: Update P-Card policies and procedures to prohibit cardholders from using the P-Cards to purchase non-monetary awards on their own behalf.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: DOA ASB will issue a Procurement Administrative Bulletin (PAB) that will update the FDIC Purchase Card Guidance, Section 3.102 entitled, "Prohibited Use", to include a statement that cardholders are prohibited from making a non-monetary award purchase on their own behalf.

Completion Date: DOA ASB will issue a PAB by May 30, 2014.

Recommendation 7: Review and clarify, as appropriate, the role and responsibilities of the Division/Office Coordinator.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: The DOA ASB will review the roles and responsibilities of the Division/Office Coordinator (D/OC) in the FDIC Purchase Card Guide for possible changes that can be made in order to provide further clarity on the D/OC's roles and responsibilities under the P-Card program. If changes are made to the D/OC roles and responsibilities, DOA ASB may need to coordinate with FDIC Corporate University to incorporate such changes into the P-Card Online Training Course.

Completion Date: DOA ASB will identify changes to D/OC roles and responsibilities by May 30, 2014. If such changes do not impact the guidance provided in the P-Card Online Training Course, a PAB will be issued by June 30, 2014, to incorporate updated D/OC roles and responsibilities. If, however, changes need to be made to the P-Card Online Training Course, DOA ASB will request FDIC CU to incorporate such changes into the online course, and a PAB will be issued when such changes can be made to the online course material. Anticipated completion would then be December 31, 2014.

Recommendation 8: Review and clarify, as appropriate, corporate policy and guidance related to the types of items that may be purchased as non-monetary awards using the P-Card.

DOA Management Response: DOA concurs with this recommendation.

Corrective Action: DOA HRB will modify the language in Circular 2420.1 entitled FDIC Rewards and Recognition Program to be more restrictive than what is currently stated. Specifically, DOA's update to Circular 2420.1 will limit non-monetary award purchases to those items in the FDIC Online Store. The Circular will also state that Purchase Cardholders are prohibited from purchasing non-monetary awards from the FDIC online store on their own behalf. The draft Circular language will be subject to review and negotiations with the National Treasury Employees Union (NTEU), and FDIC's Standard Directive review process. DOA's MSB Internal Review Section will periodically sample transactions involving non-monetary awards to assess compliance with policies and procedures and recommend corrective action when necessary.

Completion Date: DOA HR will draft changes to the language stated in Circular 2420.1 and submit them to NTEU for review by April 30, 2014. Once that process is completed, DOA plans to issue the revised change to Circular 2420.1 by December 31, 2014.

Any questions regarding this response should be directed to Andrew Nickle at (703) 562-2126.

cc: Steven O. App, Deputy to the Chairman and CFO
Elaine Stankiewicz, Senior Advisor, Deputy to the Chairman and CFO
Thomas D. Harris, Deputy Director, DOA, Acquisition Services Branch
Daniel H. Bendler, Assistant Director, DOA, Management Services Branch
Julie A. Rothermel, Assistant Director, DOA, ASB - Policy & Systems Section

[End of section]

Appendix 5

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Row 1 Rec. No.: 1 Corrective Action: Taken or Planned: DOA will re-evaluate payment analytics reports offered by U.S. Bank to determine how this information and other reporting alerts can be leveraged to enhance the overall management and oversight of the P-Card Program. As part of this effort, DOA will consider the use of payment analytics information in identifying patterns, trends, and anomalies that may be indicative of potential fraud or misuse.

In addition, DOA’s Internal Review Section will incorporate periodic program-level reviews that utilize Level III transaction data in P-Card Program testing.

Expected Completion Date: 5/31/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

Row 2 Rec. No.: 2 Corrective Action: Taken or Planned: With respect to cardholder purchase limits, DOA’s Internal Review Section will incorporate periodic reviews of all authorized P-Cardholders into its annual review plan. These reviews, the first of which will be completed by June 30, 2014, will evaluate cardholder purchase limits based on usage and recommend cancellation of unused P-Cards and limit adjustments, as appropriate.

With respect to the monitoring of convenience checks, DOA will develop a monthly email notification process to address cardholders (and their requisite AOs) who exceed their authorized check limits. In addition, DOA will work with U.S. Bank to determine whether a real-time means of flagging convenience check limit exceptions can be developed. Such efforts will be completed by May 31, 2014.

With respect to awareness of the difference between single purchase limits for P-Cards and convenience checks, DOA will issue periodic emails starting April 30, 2014, to all P-Cardholders that reiterate the difference between these types of limits.

Expected Completion Date: 6/30/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

Row 3 Rec. No.: 3 Corrective Action: Taken or Planned: DOA will conduct periodic reviews of the ratio of AOs to P-Cardholders to ensure the ratios are generally in line with recognized best practices.

Expected Completion Date: 9/30/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

Row 4 Rec. No.: 4 Corrective Action: Taken or Planned: DOA will issue an email to all AOs that reiterates the responsibilities and expectations for reviewing and verifying documentation supporting P-Card transactions.

Expected Completion Date: 4/30/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

Row 5 Rec. No.: 5 Corrective Action: Taken or Planned: DOA will issue an email to all P-Cardholders and AOs reiterating the importance of providing timely notification to the P-Card program office of pending cardholder separations. DOA will also explore the possibility of entering a cancellation date into U.S. Bank’s system once the P-Card program office is notified of a cardholder separation. Such a process could be used to automatically cancel the P-Card on the employee’s effective separation date.

Expected Completion Date: 4/30/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

Row 6 Rec. No.: 6 Corrective Action: Taken or Planned: DOA will issue a Procurement Administrative Bulletin (PAB) that updates the P-Card Guide to prohibit cardholders from purchasing non-monetary awards on their own behalf.

Expected Completion Date: 5/30/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

Row 7 Rec. No.: 7 Corrective Action: Taken or Planned: DOA will review the roles and responsibilities of the D/OC and determine whether changes to the P-Card Guide are needed by May 30, 2014. Such changes may require that DOA coordinate with the FDIC’s Corporate University to adjust the P-Card Online Training Course. If changes to the training course are required, DOA will issue a PAB describing the changes by December 31, 2014. If changes to the training course are not required, DOA will issue a PAB describing the changes by June 30, 2014.

Expected Completion Date: 12/31/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

Row 8 Rec. No.: 8 Corrective Action: Taken or Planned: DOA will modify Circular 2420.1, FDIC Rewards and Recognition Program, to limit non-monetary award purchases to those items in the FDIC Online Store. The Circular will also be clarified to prohibit cardholders from purchasing non-monetary awards from the FDIC online store on their own behalf. The draft circular will be subject to (a) review and negotiation with the National Treasury Employees Union and (b) the FDIC’s standard directive review process.

In addition, DOA’s Internal Review Section will periodically sample P-Card transactions involving non-monetary awards to assess compliance with policies and procedures and recommend corrective action when necessary.

Expected Completion Date: 12/31/14; Monetary Benefits: N/A; Resolved (a) Yes or No: Yes; Open or Closed (b): Open

(a) Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective actions are complete or (b) in the case of recommendations that the OIG determines to be particularly significant, when the OIG confirms that corrective actions have been completed and are responsive.

[End of table]

[End of section]

[End of report]