Purchase Cards
Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse Gao ID: GAO-02-506T March 13, 2002This testimony discusses GAO's follow-up on the audit of key internal controls over purchase card activity at two Navy units based in San Diego--the Space and Naval Warfare Systems Command (SPAWAR) Systems Center and the Navy Public Works Center (NPWC). A breakdown in internal controls over $68 million purchase card transactions in fiscal year 2000 left these two units vulnerable to fraudulent, improper, and abusive purchases and to theft and misuse of government property. Although both units improved the overall control environment, including reducing the number of cardholders, increasing the number of approving officials, and decreased purchase card usage, serious weaknesses persisted in three key control environment areas. First, SPAWAR Systems Center needs to ensure that all cardholders receive required training and that this training is documented. Second, SPAWAR Systems Center needs to more carefully implement internal review and oversight activities, which have been ineffective. Third, GAO identified a significant impairment of management "tone at the top" at SPAWAR Systems Center during the last quarter of fiscal year 2001. The two basic internal controls over the purchase card program that GAO tested remained ineffective during the last quarter of fiscal year 2001 at both units. These weaknesses contributed to additional fraudulent, improper, abusive, or otherwise questionable purchases. GAO also identified purchases by SPAWAR Systems Center cardholders that were either excessively expensive or for questionable government needs.
GAO-02-506T, Purchase Cards: Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse
This is the accessible text file for GAO report number GAO-02-506T
entitled 'Purchase Cards: Continued Control Weaknesses Leave Two Navy
Units Vulnerable to Fraud and Abuse' which was released on March 13,
2002.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the
printed version. The portable document format (PDF) file is an exact
electronic replica of the printed version. We welcome your feedback.
Please E-mail your comments regarding the contents or accessibility
features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States General Accounting Office:
GAO:
Testimony:
Before the Subcommittee on Government Efficiency, Financial Management
and Intergovernmental Relations, Committee on Government Reform, House
of Representatives:
For Release on Delivery:
Expected at 10 a.m.
Wednesday, March 13, 2002:
Purchase Cards:
Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud
and Abuse:
Statement of Gregory D. Kutz:
Director, Financial Management and Assurance:
Statement of John J. Ryan:
Assistant Director, Office of Special Investigations:
GAO-02-506T:
Mr. Chairman, Members of the Subcommittee, and Senator Grassley:
I appreciate the opportunity to present follow-up information on our
previous testimony[Footnote 1] on internal control weaknesses related
to use of the government purchase card at two Navy units. The Navy
reported that it used purchase cards”Citibank MasterCards issued to
civilian and military personnel”for more than 2.8 million transactions
valued at $1.8 billion in fiscal year 2001. As we previously reported,
the Department of Defense (DOD) has increased the use of purchase
cards with the intention of eliminating the bureaucracy and paperwork
long associated with making small purchases and intends to expand the
use of purchase cards over the next several years.
However, the benefits of the purchase card may be substantially
reduced if controls are not in place to ensure its proper use. As the
comptroller general testified[Footnote 2] on March 6, 2002, following
the events of September 11, reducing fraud, waste, and abuse is even
more imperative to ensure that DOD's resources are available to meet
national priorities such as homeland security and the war on
terrorism. We believe that DOD, with its longstanding problems in
financial management, must take steps to ensure the proper stewardship
of the increasing amounts of taxpayer dollars devoted to its vital
missions. Careful examination of the controls over the purchase card
program is one aspect of ensuring that DOD is getting the most from
every dollar.
At this subcommittee's July 30, 2001, hearing, we testified on the
results of our audit of key internal controls over purchase card
activity at two Navy units based in San Diego”the Space and Naval
Warfare Systems Command (SPAWAR) Systems Center and the Navy Public
Works Center (NPWC).[Footnote 3] Overall, we found a significant
breakdown in internal controls over $68 million[Footnote 4] in fiscal
year 2000 purchase card transactions, leaving these two units
vulnerable to fraudulent, improper, and abusive purchases and theft
and misuse of government property. We also reported that weak internal
controls contributed to five recent cases of alleged purchase card
fraud related to Navy purchase card programs in the San Diego area and
investigated by the Naval Criminal Investigative Service (NCIS) and
other cases that we referred to our own Office of Special
Investigations for further review.
Our July 2001 testimony was followed by a report[Footnote 5] in which
we summarized our findings and offered 29 recommendations for
improving Navy purchase card controls. We will report to you
separately on the status of these 29 recommendations as part of our
ongoing audit of the Navy's fiscal year 2001 purchase card activity.
The subcommittee and Senator Grassley asked us to perform a follow-up
audit at the two Navy units and discuss the status of corrective
actions. In addition, we were asked to follow up on the status of
fraud cases that we reported on in July 2001 and any other fraud cases
we identified as part of this follow-up audit. Today, I will discuss
the results of our follow-up work, including (1) the purchase card
control environment at the two Navy units' San Diego activities for
fiscal year 2001 including any implemented or planned improvements,
(2) the results of our test work on statistical samples of purchase
card transactions at the two Navy units for the fourth quarter of
fiscal year 2001, which identified continuing weaknesses in two
critical areas, and (3) potentially fraudulent, improper, and abusive
or questionable transactions made by the two Navy units during fiscal
year 2001. In this testimony, we also report on the status of two
cases investigated by our Office of Special Investigations as a result
of our audit of NPWC and SPAWAR Systems Center purchase card activity
for fiscal year 2000. Background information on the Navy purchase card
program is included in appendix I.
Summary:
For fiscal year 2001, internal controls at SPAWAR Systems Center and
NPWC continued to be ineffective, leaving both units vulnerable to
fraudulent, improper, and abusive purchases and to theft and misuse of
government property. Both units had made some improvements in the
overall control environment, primarily after the end of fiscal year
2001. Key improvements included reductions in the number of
cardholders, an increase in the number of approving officials, an
overall decrease in the aggregate monthly credit limits, and a
decrease in purchase card usage.
At the same time, serious weaknesses remained in three key control
environment areas, particularly at SPAWAR Systems Center. First, while
both SPAWAR Systems Center and NPWC have taken steps to implement our
recommendations regarding cardholder training and proper documentation
of training, SPAWAR Systems Center still needs to do more to make sure
all cardholders receive required training and to document the training
taken by cardholders. For example, as of January 21, 2002 there was no
documentation demonstrating that 146 cardholders had taken certain
required training. As of February 15, 2002, SPAWAR Systems Center had
suspended the accounts of only 5 of the cardholders who had not taken
the required training. In contrast, NPWC has taken steps to provide
cardholders and approving officials the necessary training and to
assure itself that untrained personnel do not remain purchase card
holders. On October 26, 2001, NPWC canceled the cards of its 15
employees who had not complied with training requirements.
Second, both SPAWAR Systems Center and NPWC have recently made some
efforts to implement new policies directed at improving internal
review and oversight activities, which, as we previously testified,
had been ineffective. Both units performed a Navy-mandated "stand-
down" review of purchase card transactions, but neither performed an
in-depth analysis of the selected transactions. We question SPAWAR
Systems Center's results in particular because it reported that it
reviewed about 16,000 transactions and ultimately identified only one
purchase that was not for a legitimate government purchase”a case in
which the cardholder accidentally used the purchase card instead of a
personal credit card. By comparison, our follow-up work identified
numerous examples of potentially fraudulent, improper and abusive or
questionable transactions that occurred in a similar time frame.
Third, we identified a significant impairment of management "tone at
the top" at SPAWAR Systems Center during the last quarter of fiscal
year 2001. The former commanding officer testified at the July 30,
2001, hearing before this subcommittee that the purchase card program
at SPAWAR Systems Center had effective management controls and
indicated that the trust SPAWAR Systems Center management had in its
staff was an acceptable substitute for a cost-effective system of
internal controls. Following the hearing, for the most part, the "tone
at the top" at SPAWAR Systems Center was "business as usual." In
contrast, the commanding officer at NPWC was proactive in addressing
the weaknesses we identified and took immediate action to address any
improper or prohibited uses of the purchase card. In December 2001,
the former SPAWAR Systems Center commanding officer was relieved of
duty for findings of dereliction of duty and conduct unbecoming an
officer in matters unrelated to the purchase card program.
We are encouraged by the commitment of the new commanding officer to
ensure that an effective, well-controlled purchase card program is
implemented at SPAWAR Systems Center. However, we remain concerned
that there will be significant cultural resistance to change in the
internal control environment. For example, up to the time we completed
our fieldwork in February 2002, some cardholders and managers
continued to rationalize the questionable purchases we brought to
their attention”including expensive laptop carrying cases, Lego robot
kits, clothing, food, and designer day planners”as discussed later in
this statement. Such an attitude perpetuates an overall environment
that tacitly condones possibly fraudulent, wasteful, abusive, or
otherwise questionable spending of government funds.
The two basic internal controls over the purchase card program that we
tested remained ineffective during the last quarter of fiscal year
2001 at the two units. Specifically, SPAWAR Systems Center did not
have independent, documented evidence that it received and accepted
items ordered and paid for with the purchase card for about 56 percent
of its fourth quarter fiscal year 2001 transactions. NPWC
significantly improved its adherence to this internal control,
although its 16 percent failure rate is still too high. The improved
results for NPWC are the result of management attention to this
important control and increased training for cardholders. We again
tested independent, documented certification of monthly purchase card
statements and found that for the fourth quarter of fiscal year 2001,
the two units continued to pay the monthly credit card bills without
any independent review prior to payment to ensure transactions
represented valid, necessary government purchases.
In addition, we attempted to test whether easily pilferable or
sensitive items were being recorded in the units' property records to
help prevent and detect theft, loss, and misuse of government assets.
Our previous work showed that this was a serious problem. However, we
were unable to perform those tests as part of our follow-up work
because SPAWAR Systems Center, in accordance with a Navy policy
change, recently revised its policy and no longer maintains
accountability over easily pilferable items such as personal digital
assistants and digital cameras. We disagree with the Navy and SPAWAR
Systems Center policy and believe that property that is pilferable and
easily converted to personal use should be accounted for. NPWC
generally does not use purchase cards to buy pilferable items, and our
statistical sample at NPWC did not identify any accountable property
items.
In our June 30, 2001, testimony, we identified a number of potential
fraud cases related to the two San Diego Navy units. We followed up on
two of those cases, which highlighted the major role that poor
internal control plays in fraud. In one case, we investigated about
$12,000 of potentially fraudulent fiscal year 2000 transactions
related to the purchase card of a former NPWC employee. The purchases”
made between December 20 and 26, 1999”included an Amana range, Compaq
computers, gift certificates, groceries, and clothing. The
cardholder's supervisor approved the purchase card statement that
included these charges without reviewing it. NPWC also did not
properly cancel this purchase card account after the cardholder had
moved on to another organization within the Navy, and the cardholder
subsequently used the purchase card for a personal car rental that was
approved for payment by NPWC. This individual now works at the
Pentagon.
We also followed up on the previously reported compromise in September
1999 of up to 2,600 purchase card accounts assigned to Navy activities
in the San Diego area. Immediate cancellation of these accounts was
imperative, especially since the weaknesses in controls over receipt
and acceptance and certification of monthly statements at SPAWAR
Systems Center and NPWC would severely hamper the detection of
fraudulent purchases associated with compromised accounts. We reported
that Navy investigators were only able to identify a partial list
consisting of 681 compromised accounts. In December 2001, Navy
notified us that all 681 compromised accounts identified in the July
testimony were canceled, including 22 active SPAWAR Systems Center
accounts. However, no other action was taken by the Navy to identify
or cancel the remaining over 1,900 compromised accounts. Our
investigators subsequently identified the source of the compromised
accounts as the database of a Navy vendor. In January 2002, the vendor
provided our investigators with the entire listing of the 2,595
compromised accounts. We provided this list to the Navy and
recommended that it immediately cancel the remaining 1,914 compromised
account numbers. Included on the list were 78 SPAWAR Systems Center
and 10 NPWC accounts that were active as of December 2001.
The specific internal control weaknesses at SPAWAR Systems Center and
NPWC contributed to additional purchases during fiscal year 2001 that
we believe are fraudulent, improper, abusive, or otherwise
questionable. Most of the problem transactions were at SPAWAR Systems
Center and had been approved and represented to us as being
appropriate, proper uses of the purchase card. The number and severity
of the problems we identified at NPWC were substantially less than at
SPAWAR Systems Center. In addition, rather than dispute our findings
on each transaction, NPWC showed a proactive response and not only
concurred with our findings but immediately took action to help
prevent future fraudulent, improper, or abusive transactions from
occurring. As discussed in appendix II, our work was not designed to
identify, and we cannot determine, the extent of fraudulent, improper,
abusive, or otherwise questionable transactions.
We found a number of improper purchases at SPAWAR Systems Center and
NPWC that were not permitted by law, regulation, or DOD policy. For
example, we identified about $8,500 in food and refreshments that
should not have been purchased for SPAWAR Systems Center and NPWC
employees. Without statutory authority, appropriated funds may not be
used to furnish meals or refreshments to employees within their normal
duty stations.[Footnote 6] In most of these cases, it appears that the
cardholders were aware of the prohibition on food purchases but made
the purchases anyway. The monthly certification process failed to
detect the improper food purchases. Moreover, while NPWC officials
acknowledged the impropriety of the food purchases we identified,
SPAWAR Systems Center officials indicated that most of the food
purchases made by their cardholders were a legitimate government
expense, a conclusion with which we disagree.
Further, we identified abusive or questionable purchases by SPAWAR
Systems Center cardholders that were at an excessive cost, for a
questionable government need, or both. For example, we identified
purchases of day planners and calendars from commercial vendors,
including calendar refills and designer leather holders purchased from
Louis Vuitton and Franklin Covey. With the cost of a single Louis
Vuitton day planner cover at about $250, the issue of excessive cost
and abuse is clear. Further, by law, government agencies are directed
to purchase certain products, including day planners and calendars,
from certified nonprofit agencies that employ people who are blind or
severely disabled. The most expensive day planner available from these
agencies costs about $40. In addition, we identified about $33,000 of
abusive or questionable purchases from Franklin Covey of designer and
high-cost leather briefcases, totes (purses), portfolios, Palm Pilot
carrying cases, and wallets. Other examples include abusive and
wasteful usage of cell phones, a trip for about 30 staff for an
organizational meeting in Las Vegas, and clothing. We also identified
abusive and possibly fraudulent purchases of luggage, Lego robot kits,
and high-cost computer bags that were given away by SPAWAR Systems
Center employees. Only one of the cardholders referred to in this
testimony or our July 30, 2001, testimony had formal disciplinary
action”in the form of removal of the purchase card”taken against them.
Scope and Methodology:
We conducted our audit work from November 2001 through February 2002
in accordance with U.S. generally accepted government auditing
standards, and we performed our investigative work in accordance with
standards prescribed by the President's Council on Integrity and
Efficiency. We briefed officials from the Department of Defense
Purchase Card Program Management Office, Naval Supply Systems Command
(NAVSUP), assistant secretaries of Navy for financial management
(comptroller) and research development and acquisition, SPAWAR Systems
Center, and NPWC on the details of our audit, including our
objectives, scope, and methodology and our findings and conclusions.
We referred instances of potentially fraudulent transactions that we
identified during our work to our Office of Special Investigations for
further investigation. Our control tests were based on stratified
random probability samples of 50 SPAWAR Systems Center purchase card
transactions and 94 NPWC transactions. We also reviewed a
nonrepresentative selection of transactions using data mining intended
to identify potentially fraudulent, improper, abusive, or otherwise
questionable transactions. In total, we audited 161 SPAWAR Systems
Center and 145 NPWC fiscal year 2001 transactions. Our work was not
designed to identify, and therefore we did not determine, the extent
of fraudulent, improper, or abusive transactions and related
activities. Further details on our objectives, scope, and methodology
are included in appendix II.
Some Improvements to Purchase Card Control Environment but Weaknesses
Remain:
In our follow-up audit, we found that both units had made some
improvements in the overall control environment, primarily after the
end of fiscal year 2001. However, the control environment at SPAWAR
Systems Center continued to have significant weaknesses, while NPWC
had made major strides towards a positive control environment. GAO's
Standards for Internal Control in the Federal Government (GAO/AIMD-00-
21.3.1, November 1999) state that, "A positive control environment is
the foundation for all other standards. It provides discipline and
structure as well as the climate which influences the quality of
internal control." Our previous work found that a weak internal
control environment at SPAWAR Systems Center and NPWC contributed to
internal control weaknesses and fraudulent, improper, and abusive or
questionable activity. In July 2001, we testified that the specific
factors that contributed to the lack of a positive control environment
at these two units included a proliferation of cardholders,
ineffective training of cardholders and certifying officers, and a
lack of monitoring and oversight. The following sections provide an
update on the status of these conditions as well as information on
several additional factors that affected the overall control
environment at these Navy units.
Number of Cardholders Reduced but Significant Financial Exposure
Continued:
Although both units have reduced the number of cardholders, balancing
the business needs of the unit with the training, monitoring, and
oversight needed for a substantial number of cardholders remains a key
issue. In October 2001, NAVSUP issued an interim change to its
existing purchase card instructions to establish minimum criteria that
prospective purchase card holders must meet before a purchase card
account (including convenience check accounts[Footnote 7]) can be
established in the employee's name. The interim change issued by
NAVSUP also established a maximum "span of control" of 5 to 7
cardholders to each approving official[Footnote 8] and required that
Navy activities establish local policies and procedures for approving
and issuing purchase cards to activity personnel. The Navy's span of
control requirement reflects guidance issued by the Department of
Defense Purchase Card Program Management Office on July 5, 2001,
shortly before the Subcommittee hearing. The revised guidance stated
that, generally, an approving official's span of control”cardholders
per approving official”should not exceed a ratio of 7 to 1. Neither of
the two units increased the number of approving officials to meet the
suggested ratio until well after the start of fiscal year 2002. Table
1 summarizes the progress made by both units.
Table 1: Number of Cardholders and Approving Officials at SPAWAR
Systems Center and NPWC:
Number of cardholders:
SPAWAR: 9/21/00: 1,153;
SPAWAR: 9/21/01: 950;
SPAWAR: 1/21/02: 793;
NPWC: 9/21/00: 292;
NPWC: 9/21/01: 226;
NPWC: 1/21/02: 185.
Percent of employees who were cardholders:
SPAWAR: 9/21/00: 27%;
SPAWAR: 9/21/01: 22%;
SPAWAR: 1/21/02: 19%;
NPWC: 9/21/00: 17%;
NPWC: 9/21/01: 14%;
NPWC: 1/21/02: 12%.
Ratio of cardholders to approving officials:
SPAWAR: 9/21/00: 1,153:1;
SPAWAR: 9/21/01: 950:1;
SPAWAR: 1/21/02: 4:1;
NPWC: 9/21/00: 42:1;
NPWC: 9/21/01: 32:1;
NPWC: 1/21/02: 4:1.
Source: Citibank, SPAWAR Systems Center, and NPWC records.
[End of table]
The data in table 1 show that from September 21, 2000, to January 21,
2002, SPAWAR Systems Center had a net reduction in the number of
cardholders of 360 (31 percent) and NPWC, 107 (37 percent). In
addition, in fiscal year 2002, SPAWAR Systems Center increased the
number of approving officials to 203 and NPWC, to 43. As a result, the
approving official ratio for SPAWAR Systems Center and NPWC is now in
line with DOD's criterion of no more that 7 cardholders per official.
However, as of January 21, 2002, SPAWAR Systems Center still had 23
approving officials who were responsible for more than 7 cardholders
and therefore did not comply with the DOD and Navy span of control
requirements.
SPAWAR Systems Center records show that it significantly reduced the
number of cardholders, primarily through canceling cards of those that
did not need them and through employee attrition. According to SPAWAR
Systems Center officials, some SPAWAR Systems Center purchase cards
were canceled because of misuse; however, we were unable to determine
from SPAWAR Systems Center records how many of the cards were canceled
for this reason. We previously reported that SPAWAR Systems Center had
a significant span-of-control issue with one approving official
responsible for certifying monthly purchase card statements for all of
its cardholders. According to Citibank and SPAWAR Systems Center
records, effective for the billing period ending January 21, 2002,
SPAWAR Systems Center increased from 1 to 203 the number of approving
officials responsible for certifying monthly summary invoices. This
change reduced SPAWAR Systems Center's average span of control to 4
cardholders to each approving official, which is in line with DOD and
Navy guidelines. We did not perform any testing for fiscal year 2002
transactions to determine whether the approving officials were in
place and performing effective reviews. SPAWAR Systems Center
management told us that they are continuing to evaluate the number of
cardholders and the impact any further cuts would have on management's
ability to support operations and keep employees working efficiently.
NPWC reduced the number of its cardholders through employee attrition
and by canceling the cards of individuals who no longer needed them,
had not taken required training, or had misused the card.
Specifically, on July 6, 2001, the agency program coordinator (APC)
gave each business line manager an analysis of monthly purchase card
usage data for each of the cardholders under his or her supervision.
The business line managers were instructed to analyze cardholder
monthly transaction volume and reduce the number of cardholders by
eliminating those cardholders they believed no longer needed a
purchase card. NPWC also recently increased its number of approving
officials from 7 as of September 21, 2001, to 43 by January 21, 2002.
This significant increase brought the ratio of cardholders to
approving officials in line with DOD and Navy guidelines.
Another key factor in minimizing the government's financial exposure
is assessing the monthly credit limits available to cardholders. The
undersecretary of defense for acquisition and technology emphasized in
an August 2001 memorandum to the directors of all defense agencies,
among others, that not every cardholder needs to have the maximum
transaction or monthly limit and that supervisors should set
reasonable limits based on what each person needs to buy as part of
his or her job. We concur with the undersecretary's statements and
continue to recommend that cardholder spending authority be limited as
a way of minimizing the federal government's financial exposure.
As shown in table 2, total financial exposure, as evidenced by monthly
credit limits for SPAWAR Systems Center and NPWC cardholders, has
decreased substantially.
Table 2: SPAWAR Systems Center and NPWC Total Cardholder Credit Limits:
Date: September 21, 2000:
SPAWAR: $56.9 million;
NPWC: $13.5 million.
Date: September 21, 2001:
SPAWAR: 33.0 million;
NPWC: 12.9 million.
Date: January 21, 2002:
SPAWAR: 28.0 million;
NPWC: 12.1 million.
Total reduction:
SPAWAR: 50.8%;
NPWC: 10.4%.
Source: Citibank, SPAWAR Systems Center, and NPWC records.
[End of table]
SPAWAR Systems Center reduced the overall credit limits of it
cardholders by about $29 million primarily by (1) eliminating nearly
$10 million of credit assigned to each of two cardholders and (2)
reducing the net number of cardholders by 360. As we previously
reported, most SPAWAR Systems Center cardholders had a $25,000 credit
limit, and no cardholder had a credit limit of less than $25,000. We
continue to believe that a $25,000 minimum credit limit is more than
most SPAWAR Systems Center cardholders need to perform their mission.
This point is best demonstrated by the fact that even when we used
SPAWAR Systems Center's reduced number of cardholders, the average
monthly purchase card bill in fiscal year 2001 would have been less
than $5,000.
As shown in table 2, Citibank's records indicate that between
September 21, 2000, and January 21, 2002, NPWC reduced its cardholder
exposure from about $13.5 million to $12.1 million”a $1.4 million
reduction. NPWC achieved this reduction primarily by reducing by 107
the number of individuals who had purchase cards and by reevaluating
cardholders' monthly credit limits. We previously reported that most
NPWC cardholders were granted a monthly credit limit of $20,000.
Currently, about 20 NPWC cardholders have a credit limit of less than
$20,000, about 42 percent still have a $20,000 credit limit, and the
remaining cardholders have higher credit limits to meet job needs.
Further, the average monthly purchase card bill (using the reduced
number of cardholders) in fiscal year 2001 for NPWC cardholders would
have been about $11,500. On September 7, 2001, the NPWC agency program
coordinator distributed spreadsheet analyses of individual cardholder
actual monthly and average charges, along with suggested new monthly
cardholder limits, to the respective cardholder's business line
managers. The agency program coordinator required the business line
managers to respond to the agency program coordinator with new limits
for cardholders by the close of business on September 21, 2001. At the
exit meeting we held with NPWC officials, NPWC provided Citibank
records documenting that NPWC further reduced its cardholder credit
limits to $5.6 million in February 2002.
In addition to the reductions in the number of cardholders and
aggregate financial exposure, the dollar volume of transactions
decreased significantly in fiscal year 2001 when compared to fiscal
year 2000, as shown in table 3.
Table 3: SPAWAR Systems Center and NPWC Purchase Card Spending, Fiscal
Years 2000 and 2001:
SPAWAR:
FY 2000[A]: $45;
FY 2001[B]: $39;
Reduction: ($6);
Percent reduction: 13%.
NPWC
FY 2000[A]: $30;
FY 2001[B]: $25;
Reduction: ($5);
Percent reduction: 17%.
[A] SPAWAR Systems Center and NPWC used the purchase card in fiscal
year 2000 to make a total of about $75 million in acquisitions. About
$68 million of those acquisitions were made by cardholders located in
San Diego.
[B] SPAWAR Systems Center and NPWC used the purchase card in fiscal
year 2001 to make a total of about $64 million in acquisitions. About
$50 million of those acquisitions were made by cardholders located in
San Diego.
Source: Citibank, SPAWAR Systems Center, and NPWC records.
[End of table]
The NPWC agency program coordinator attributed a portion of this
decrease to increased controls over the use of purchase cards,
resulting in a reduction in unnecessary and improper card usage. Other
reasons were a reduction in the number of projects worked on during
fiscal year 2001 and the use of more contracts for goods and services,
which are paid by means other than the purchase card. The SPAWAR
Systems Center senior military contracting official told us that
SPAWAR Systems Center's reduction in purchase card use is a result of
a decrease in workload and an increase in concern over purchase card
controls brought on as a result of our audit and the congressional
hearing.
Training of Cardholders:
While both SPAWAR Systems Center and NPWC have taken steps to
implement our recommendations regarding cardholder training and proper
documentation of training, SPAWAR Systems Center still needs to do
more to make sure all cardholders receive required training and to
document the training taken by cardholders. We previously reported
that the lack of documented evidence of purchase card training
contributed to a weak internal control environment at these two units.
GAO's internal control standards emphasize that effective management
of an organization's workforce”its human capital”is essential to
achieving results and is an important part of internal control.
Training is key to ensuring that the workforce has the skills
necessary to achieve organizational goals. In accordance with NAVSUP
Instruction 4200.94, all cardholders and approving officials must
receive purchase card training. Specifically, NAVSUP 4200.94 requires
that prior to the issuance of a purchase card, all prospective
cardholders and approving officials must receive training regarding
both Navy policies and procedures as well as local internal operating
procedures. Once initial training is received, the Instruction
requires all cardholders to receive refresher training every 2 years.
Further, in response to our previous audit and the July 30, 2001,
hearing, NAVSUP sent a message in August 2001 to all Navy units
directing them to train all of their cardholders concerning the proper
use of the purchase cards on or about September 12, 2001.
SPAWAR Systems Center training records indicated that as of January
21, 2002, 146 cardholders either had not completed the NAVSUP-mandated
training or had not produced a certificate evidencing completion of
the training. In addition, 13 active cardholders had not satisfied the
requirement to take refresher training every 2 years. SPAWAR Systems
Center officials told us that they intended to suspend the accounts of
cardholders who had not taken the required training; however, as of
February 15, 2002, the accounts of only 5 cardholders had been
suspended.
NPWC has taken well-documented steps to provide cardholders and
approving officials the necessary training and to assure itself that
untrained personnel do not remain purchase card holders. As a result
of our previous audit findings in this area, NPWC held mandatory
cardholder training sessions in June 2001 and July 2001, which all
cardholders and their supervisors attended. In addition, NPWC
presented NAVSUP-prepared training for all cardholders and approving
officials in September 2001. The mandatory NAVSUP training addressed
the issues of receipt and acceptance, spending limits, accounting,
unauthorized or personal use of the card, policies and procedures,
improper transactions, NPWC internal procedures, other required
training, the NAVSUP and Citibank Web sites, and our findings from the
previous purchase card testimony and related report. All but 15 of
NPWC's cardholders and approving officials attended the mandatory
NAVSUP training, and on October 26, 2001, NPWC canceled the 15
remaining cardholder accounts for noncompliance with the training
requirements.
Monitoring and Oversight:
Both SPAWAR Systems Center and NPWC have recently made some efforts to
implement new policies directed at improving internal review and
oversight activities, which, as we previously testified, were
ineffective. We also testified that the Navy's purchase card policies
and procedures did not require that the results of internal reviews be
documented or that corrective actions be monitored to help ensure that
they are effectively implemented. While still relatively ineffective,
this area has great potential to strengthen the control environment at
these two Navy units.
We also previously testified that, although the SPAWAR Headquarters
Command inspector general (IG) reviewed purchase card transactions
generated by Headquarter cardholders during fiscal year 2000 and
prepared a draft report summarizing the results of this review, the
final report had not been issued at the conclusion of our fieldwork
for the July 30, 2001, testimony. The final report[Footnote 9] of this
review was issued on July 19, 2001, and identified many of the
internal control findings discussed in our prior review; however, the
IG's report did not identify the kind of abusive transactions we
identified. Also, on August 13, 2001, the Command IG began a limited
review of the 2 most recent months of purchase card activity for
Headquarters cardholders. The summary findings, which were released in
a report dated October 16, 2001, have many of the internal control
findings discussed later in this statement and similarly point to the
need for clear, comprehensive policies, procedures, and training to
resolve many of the control weaknesses and instances of questionable
transactions. The IG also reported that it found some "transactions
that appeared to be either 'excessive' or may have been of
questionable good judgment," but did not provide examples of these
potentially abusive transactions. The IG also reported that several
cardholders had stated that they felt uncomfortable making purchases,
but did not want to tell their supervisor "no" and suffer potentially
adverse career consequences.
At the July 30, 2001, hearing we reported that the Naval Audit Service
had conducted an audit of the NPWC purchase card program for which a
report had not been issued. The Naval Audit Service completed its
audit in December 2000 and reviewed transactions primarily occurring
from March 1999 through August 2000. The Naval Audit Service issued
its report[Footnote 10] over 1 year later, on January 10, 2002. Some
of the Naval Audit Service findings are of the same nature and
significance as the findings reported in our previous testimony,
although the Naval Audit Service report did not identify the improper
or abusive transactions we discussed. The Naval Audit Service
concluded that management of the purchase card program at NPWC was not
sufficient to ensure the integrity of the command's purchase card
program and that NPWC's internal operating procedures did not clearly
define duties and responsibilities or adequately control the various
processes involved in purchase card transactions. Further, the Naval
Audit Service reported that maintenance and repair services were
obtained on a "piece-meal" basis instead of being aggregated and
performed as entire projects, which resulted in NPWC not taking
advantage of its buying power to obtain discounts on its recurring
purchases.
Further, in August 2001, following the July 30, 2001, purchase card
congressional hearing, NAVSUP directed all Navy units to review 12
months of purchase card transactions. In response to this requirement,
both SPAWAR Systems Center and NPWC reviewed samples of transactions,
although neither performed an in-depth analysis of the selected
transactions. For example, SPAWAR Systems Center told us that it
reviewed 16,393 of the 45,318 transactions for the 9-month period
ended July 2001. According to SPAWAR Systems Center, its stand-down
review identified 187 split purchases and 9 transactions that
initially appeared questionable or suspicious. After completing their
review, SPAWAR Systems Center officials concluded that only one of
these nine transactions was not for a legitimate government purpose,
because the cardholder in question accidentally used the purchase card
instead of a personal credit card. However, we question whether the
stand-down review was designed and performed to be a thorough and
critical analysis of the nature and magnitude of the control
weaknesses and the extent to which fraudulent, improper, or abusive
transactions were occurring during the 9-month period reviewed. Our
own statistical sample of 50 transactions from just the last 3 billing
cycles of fiscal year 2001 found one potentially fraudulent and
subsequently disputed purchase and a total of 11 abusive or improper
transactions on the monthly statements for 9 cardholders. Furthermore,
as detailed later, we found numerous examples of abusive and improper
transactions occurring in the first nine billing cycles of fiscal year
2001.
NPWC's stand-down review subjected 9,099 transactions out of 50,850
for the 12-month period ended August 31, 2001, to a documentation
review. The review identified several cases of potential improper use
and 320 cases of potential split purchases. However, the primary
finding related to the use of the card for prohibited acquisitions of
"noncommonly used" hazardous materials. NPWC estimated that
approximately 600 of the transactions reviewed violated the Navy's
prohibition against using the purchase card to acquire noncommonly
used hazardous materials. Specifically, Navy purchase card policies
and procedures require that prior to acquiring potentially hazardous
materials, cardholders must first determine that a requested purchase
meets the definition of a commonly used hazardous material and that
the materials are carried on the unit's Authorized Use List. If the
requested purchase does not meet the "commonly used" definition, the
hazardous materials are to be procured by other means that bring the
hazardous material under the control of a Hazardous Substance
Management System (HSMS). Compliance with these requirements would
then help ensure the safe storage, use, and disposal of the hazardous
materials.
NPWC found that cardholders were using the purchase card to acquire
noncommonly used hazardous materials such as bacterial control agents
and toxic, corrosive solvents used to descale and deodorize sewage
systems. Such hazardous material purchases were not being subjected to
the required controls and, consequently, NPWC had no assurance that
the approximately 600 reported purchases were stored, used, and
disposed of in a safe and environmentally acceptable manner. To
alleviate this problem, NPWC is working with the Fleet Industrial
Supply Service to coordinate the maintenance and control of Navy
hazardous materials. NPWC's identification and proactive attitude
towards resolving this matter again demonstrate a positive control
environment.
Management "Tone at the Top" Was Significantly Impaired at SPAWAR
Systems Center:
GAO's internal control standards[Footnote 11] state that management
plays a key role in demonstrating and maintaining an organization's
integrity and ethical values, "especially in setting and maintaining
the organization's ethical tone, providing guidance for proper
behavior, removing temptations for unethical behavior, and providing
discipline when appropriate." At the time we began our follow-up
review, the SPAWAR Systems Center commanding officer not only did not
demonstrate a commitment to improving management controls but openly
supported the status quo. Consequently, the lack of a positive control
environment continued. In contrast, the commanding officer at NPWC
continued to support a proactive attitude in addressing the weaknesses
we identified and took immediate action to address any improper or
prohibited uses of the purchase card. It is not surprising that, given
these differences in the management tone at the two units, we
continued to find numerous examples of potentially improper, abusive,
and otherwise questionable use of the purchase card at SPAWAR Systems
Center, while we found few such cases at NPWC.
The former SPAWAR Systems Center commanding officer testified on July
30, 2001, that the purchase card program at SPAWAR Systems Center had
effective management controls and an honest and trustworthy workforce.
The commanding officer went on to incorrectly characterize our audit
approach and findings by stating that there was not a pervasive
and serious abuse and fraud problem at SPAWAR Systems Center and that
over 99.98 percent of purchases made by cardholders were for
legitimate government purposes. The commanding officer did not
acknowledge that the serious weaknesses in SPAWAR Systems Center's
system of internal controls over the purchase card program left SPAWAR
Systems Center vulnerable to the types of abusive and improper
transactions that we found and that such abuses could occur without
being detected.
Upon his return to San Diego following the hearing, the commanding
officer held an "all-hands" meeting at a SPAWAR Systems Center
auditorium that cardholders, approving officials, and managers were
particularly encouraged to attend "...to clarify the substantial
differences between the perception of problems reported in the press
and the reality of the situation." At the meeting, the commanding
officer showed a videotape of the entire congressional hearing. By
denying that these weaknesses resulted in undetected misuse of
purchase cards, the commanding officer effectively diminished the
likelihood that substantive changes would be implemented or, if
implemented, taken seriously. The underlying message of his testimony,
his subsequent "all hands" meeting, and his meetings with us, was that
the trust SPAWAR Systems Center management had in its staff was an
acceptable substitute for a cost-effective system of internal controls.
The commanding officer was relieved of duty in December 2001 for
matters unrelated to the purchase card program. The admiral in charge
of SPAWAR held a nonjudicial punishment hearing on December 8, 2001,
and found that the commanding officer had violated two articles of the
Uniform Code of Military Justice, including dereliction of duty and
conduct unbecoming an officer. The admiral issued the commanding
officer a Punitive Letter of Reprimand, relieved him of his command at
SPAWAR Systems Center, and endorsed his request for retirement from
the Navy.
The new commanding officer at SPAWAR Systems Center now has an
opportunity to set a "tone at the top" that reflects a true commitment
to establishing a positive control environment. Based on our
discussions with the commanding officer and some of the actions we
have observed, we are encouraged by her commitment to ensure that an
effective, well-controlled purchase card program is implemented at
SPAWAR Systems Center. At the same time, we remain concerned that
there will be significant cultural resistance to change in the
internal control environment. For example, up to the time we completed
our fieldwork in February 2002, some cardholders and managers
continued to rationalize the questionable purchases we brought to
their attention”including expensive laptop carrying cases, Lego robot
kits, clothing, food, and designer day planners”as discussed later in
this statement. Such an attitude perpetuates an overall environment
that tacitly condones possibly fraudulent wasteful, abusive, or
otherwise questionable spending of government funds.
Critical Internal Controls Remained Ineffective:
Basic internal controls over the purchase card program remained
ineffective during the last quarter of fiscal year 2001 at the two
units we reviewed. Based on our tests of statistical samples of
purchase card transactions, we determined that the two key transaction-
level controls that we tested were ineffective, rendering SPAWAR
Systems Center and NPWC purchase card transactions vulnerable to
fraudulent and abusive purchases and theft and misuse of government
property. As shown in table 4, the specific controls that we tested
were (1) independent, documented receipt and acceptance of goods and
services and (2) independent, documented review and certification of
monthly purchase card statements.
Table 4: Estimate of Fiscal Year 2001 Transactions That Failed Control
Tests[A]:
Breakdowns in key purchase card controls[A]:
Navy units in San Diego: SPAWAR Systems Center;
Independent, documented receipt of items purchased, Percent failure:
56%
Proper certification of purchase card statements for payment, Percent
failure: 100%[B];
Navy units in San Diego: NPWC;
Independent, documented receipt of items purchased, Percent failure:
16%
Proper certification of purchase card statements for payment, Percent
failure: 100%[C].
[A] The numbers represent point estimates for the population based on
our sampling tests. The confidence intervals for our sampling
estimates are presented in appendix II of this testimony.
[B] For the last quarter of fiscal year 2001, SPAWAR Systems Center
continued to have only one certifying officer for almost 1,000
cardholders. This unacceptable span of control led us to conclude that
all transactions selected as part of our statistical sample were not
properly reviewed and approved by a certifying officer.
[C] Our statistical testing identified one transaction that was
reconciled by the cardholder and approving official prior to payment.
The projected error rate was 99.9 percent, which we rounded to 100
percent.
[End of table]
In addition, we attempted to test whether the accountable items”easily
pilferable or sensitive items”included in some of the transactions in
our samples were recorded in the units' property records to help
prevent theft, loss, and misuse of government assets. However, we were
unable to perform those tests because SPAWAR Systems Center had
recently changed its policy and no longer maintains accountability
over easily pilferable items such as personal digital assistants and
digital cameras. Further, our statistical sample at NPWC did not
identify any accountable property items.
NPWC Made Significant Improvements in Independent Receipt and
Acceptance, While SPAWAR Systems Center Results Were Unchanged:
SPAWAR Systems Center did not have independent, documented evidence
that they received and accepted items ordered and paid for with the
purchase card, which is required by Navy policy. That is, they
generally did not have a receipt for the acquired goods and services
that was signed and dated by someone other than the cardholder. As a
result, there is no documented evidence that the government received
the items purchased or that those items were not lost, stolen, or
misused. Based on our testing, we estimate that SPAWAR Systems Center
did not have independent, documented evidence to confirm the receipt
and acceptance of goods and services acquired with the purchase card
for about 56 percent of its fourth quarter fiscal year 2001
transactions. We previously reported a 65 percent control failure rate
for fiscal year 2000.
NPWC improved its adherence to the internal control of documenting
independent receipt and acceptance of items acquired with a purchase
card, although its 16 percent failure rate in this control technique
remained unacceptable. We previously testified that NPWC generally did
not have documented independent receipt and acceptance for goods and
services and reported a 47 percent control failure rate for fiscal
year 2000. The improved results for NPWC are the result of management
attention to this important control and increased training for
cardholders.
Review and Certification of Monthly Purchase Card Statements Remained
a Significant Weakness at Both Units:
Throughout fiscal year 2001, SPAWAR Systems Center and NPWC still did
not properly review and certify the monthly purchase card statements
for payment. We previously reported that SPAWAR Systems Center and
NPWC approving officials who certify the monthly purchase card
statements for payment generally rely upon the silence of a cardholder
to assume that all purchase card transactions listed on the monthly
statements are valid government purchases. However, this process does
not compensate for the fact that a cardholder might have failed to
forward corrections or exceptions to the account statement in a timely
manner or, even worse, may not have reviewed the statement. As a
result of the breakdown of this control, for the fourth quarter of
fiscal year 2001, SPAWAR Systems Center and NPWC were paying the
monthly credit card bills without any independent review of the
monthly cardholder statements prior to payment to verify that the
purchases were for a valid, necessary government need.
Under 31 U.S.C. 3325 and DOD's Financial Management Regulation,
[Footnote 12] disbursements are required to be made on the basis of a
voucher certified by an authorized agency official. The certifying
official is responsible for ensuring (1) the adequacy of supporting
documentation, (2) the accuracy of payment calculations, and (3) the
legality of the proposed payment under the appropriation or fund
charged. The certification function is a preventive control that
requires and provides the incentive for certifying officers to
maintain proper controls over public funds. It also helps detect
fraudulent and improper payments, including unsupported or prohibited
transactions, split purchases, and duplicate payments. Further,
section 933 of the National Defense Authorization Act for Fiscal Year
2000 requires the Secretary of Defense to prescribe regulations that
ensure, among other things, that each purchase card holder and
approving official is responsible for reconciling charges on a billing
statement with receipts and other supporting documentation before
certification of the monthly bill.
We previously reported that NAVSUP policy is inconsistent with the
purpose of certifying vouchers prior to payment and made
recommendations to revise the policy appropriately. Navy agreed with
our recommendations concerning the need to change this portion of the
purchase card instruction.
For the last quarter of fiscal year 2001, SPAWAR Systems Center
continued to have only one approving official to certify for payment
the monthly purchase card statements of almost 1,000 cardholders. This
unacceptable span of control led us to conclude that all transactions
selected as part of our statistical sample were not properly reviewed
and approved by a certifying officer. NPWC also continued to
inappropriately certify purchase card statements for payment before
receiving cardholder assurance that the purchases were proper. Our
review of purchase card transactions disclosed that no significant
change in this process had taken place during the fourth quarter of
fiscal year 2001, and we therefore identified a 100 percent failure
rate for this control at SPAWAR Systems Center and NPWC.
However, in keeping with its proactive attitude, instead of waiting
for NAVSUP to issue its new purchase card payment certification
procedures, the NPWC agency program coordinator issued local guidance
in December 2001 that requires approving officials, prior to
certifying their summary invoice for payment, to obtain notifications
from cardholders that their statements do not include disputed items.
The guidance also indicates that approving officials and cardholders
should conduct ongoing reviews during the month of the transactions in
their purchase card accounts using Citidirect online services. While
this does not fully implement the recommendation that we made in our
November 30, 2001 report,[Footnote 13] this is a positive interim
step. Given the significant reduction in individual approving
officials' span of control this measure provides NPWC an opportunity
to strengthen this control.
Citing Policy Change, SPAWAR Systems Center Failed to Maintain
Accountability for Pilferable Items:
We disagree with a change in SPAWAR Systems Center policy that
eliminated the accountability of certain property items considered to
be pilferable. Recording items in the property records that are easily
converted to personal use and maintaining serial number and bar code
control is an important step in ensuring accountability and financial
control over such assets and, along with periodic inventory, in
preventing theft or improper use of government property. We previously
testified that most of the accountable items”easily pilferable or
sensitive items”in our samples for fiscal year 2000 were not recorded
in property records.
On August 1, 2001, the Department of the Navy changed its definition
for what constitutes pilferable property. Unlike the previous policy,
which was prescriptive in identifying what was pilferable, the new
policy provides commanding officers with latitude in determining what
is and what is not pilferable. Specifically, the new policy defines
pilferable to be an item”regardless of cost”that is portable, can be
easily converted to personal use, is critical to the activity's
business/mission, and is hard to repair or replace. Citing the "hard
to repair or replace" criteria in the new policy, on November 1, 2001,
SPAWAR Systems Center determined that only computer systems and
notebook/laptop computers would be considered pilferable items. Thus,
based on our fiscal year 2000 and 2001 audit work, SPAWAR Systems
Center did not maintain accountability over numerous sensitive and
pilferable items, such as digital cameras and personal digital
assistants (PDA), leaving them subject to possible theft, misuse, or
transfer to personal use.
SPAWAR Systems Center's new commanding officer and executive director
told us that they do not believe that it is cost beneficial to account
for and track these assets, but instead rely on supervisory oversight
and personal employee trust to provide the necessary accountability of
these assets. The commanding officer and the executive director stated
that SPAWAR Systems Center is a diversified organization in which its
scientists and engineers are working on as many as 1,000 different
projects at any one time, which would make it difficult to keep track
of these lower cost items. We acknowledge the important mission that
SPAWAR Systems Center serves, but we also believe that the diverse
nature of its operations is one of the key reasons why SPAWAR Systems
Center needs to maintain accountability of its pilferable items. As
discussed later in this testimony, we believe that SPAWAR Systems
Center's lack of accountability over items that are pilferable
contributed to several abusive and questionable purchases.
Although NPWC also had the opportunity to redefine what constitutes
pilferable property, NPWC did not institute a similar policy change.
Unlike SPAWAR Systems Center, NPWC generally does not use the purchase
card to buy property items that are pilferable or easily converted to
personal use. As a result, our sample of fourth quarter fiscal year
2001 NPWC transactions did not include any accountable items.
Status of ERP Implementation at SPAWAR Systems Center:
SPAWAR Systems Center officials stated that they have implemented a
new Enterprise Resource Planning (ERP) system that is designed to
address most of the weaknesses that we identified in our July 2001
testimony. Once effectively implemented, the ERP system would
facilitate on-line review, reconciliation, and monitoring of credit
card activity. The system would also result in reduced storage needs
because ERP requires receipt and acceptance documentation to be
scanned into a database storage container. However, our limited
assessment of the control environment identified several weaknesses.
Although the new system has the stated capability to address the
weaknesses we identified in the purchase card program, until it is
effectively implemented and individuals comply with purchase card
policies and procedures, SPAWAR Systems Center has little assurance
that the weaknesses we previously identified will be corrected or
mitigated.
For example, the implementation of the ERP system at the time of our
review did not provide for an adequate separation of duties or proper
certification of purchase card transactions for payment. Specifically,
a systems administrator with high-level administrative access
privileges on the system performed both cardholder and approving
official duties. In addition, the administrator pushed transactions
through the system as an approving official without the required
cardholder reconciliation or any knowledge of the transactions.
Further, the administrator, who performed approving official duties,
did not review the transactions to determine if they complied with
Navy policies and procedures. That responsibility remained with the
existing approving official; however, as we previously testified about
the manual process, we found no evidence that the approving official
verified compliance. SPAWAR Systems Center officials stated that by
the end of February 2002, the administrator should no longer have
these duties because all of the newly designated approving officials
will have completed the required ERP training. We have not verified
this corrective action or whether the approving officials are properly
performing their duties.
In assessing the control environment, we attempted, but were unable,
to obtain documentation such as (1) the DOD Information Technology
Security Certification and Accreditation Process (DITSCAP)[Footnote
14] for the system and (2) formal procedures on granting and removing
access to the ERR First, SPAWAR Systems Center officials stated that
the certification and accreditation for the ERP system was not
complete and that it was currently operating under interim authority.
The DITSCAP would give an indication as to whether SPAWAR Systems
Center had established its information security requirements and
whether the system implementation meets the established security
requirements. Second, although SPAWAR Systems Center had an informal
process for granting and removing system access, these procedures had
not yet been formally documented. Establishing such formal control
procedures helps ensure that authorized users have the appropriate
access to perform their job duties.
Potentially Fraudulent, Improper, Abusive, and Questionable
Transactions:
We identified numerous examples of improper, abusive, or questionable
transactions at SPAWAR Systems Center during fiscal year 2001. Given
the weaknesses in the overall internal control environment and
ineffective specific internal controls, it is not surprising that
SPAWAR Systems Center did not detect or prevent these types of
transactions. In fact, most of the transactions that we identified as
improper, abusive, or questionable at SPAWAR Systems Center were
approved and represented to us as being an appropriate, proper use of
the purchase card. In contrast, using the same data mining techniques
at NPWC, the number and severity of the problems we identified were
substantially less than at SPAWAR Systems Center. In addition, rather
than dispute our findings on each transaction, NPWC showed a proactive
response and not only concurred with our findings but immediately took
action to prevent future improper or abusive transactions from
occurring. As discussed in appendix II, our work was not designed to
identify, and we cannot determine, the extent of fraudulent, improper,
and abusive or otherwise questionable transactions.
Further, our review of SPAWAR Systems Center and NPWC transactions for
potentially fraudulent, improper, and abusive or otherwise
questionable purchases was limited and not intended to represent the
population of SPAWAR Systems Center and NPWC transactions.
Specifically, we reviewed a total of 161 SPAWAR Systems Center and 145
NPWC fiscal year 2001 transactions and performed additional analysis
of related activity at three specific vendors as discussed in appendix
II. To test those transactions and related activity, we examined all
available documentation supporting the transactions, and when
necessary we interviewed NPWC and SPAWAR Systems Center staff. To put
the number of transactions that we reviewed into perspective, during
fiscal year 2001 SPAWAR Systems Center and NPWC processed a total of
about 83,000 transactions. Thus, the potentially fraudulent, improper,
and abusive or questionable transactions we identified relate to the
306 transactions and associated activity we reviewed. We cannot
project the extent of potentially fraudulent, improper, or abusive
transactions for SPAWAR Systems Center or NPWC to the entire
population of fiscal year 2001 transactions. See appendix II for a
more detailed discussion of our objectives, scope, and methodology.
Potentially Fraudulent Transactions:
We considered potentially fraudulent purchases to include those made
by cardholders that were unauthorized and intended for personal use.
Some of these instances involved the use of compromised accounts, in
which an actual Navy purchase card or an active account number was
stolen and used to make a fraudulent purchase. Other cases involved
vendors charging Navy purchase cards for unauthorized transactions.
Both SPAWAR Systems Center and NPWC had policies and procedures that
were designed to prevent the payment of fraudulent purchases; however,
our tests showed that although both units made some improvements,
particularly NPWC, they did not implement the controls as intended.
For example, as discussed previously, controls were ineffective for
independent verification of receipt and acceptance and proper review
and certification of monthly statements prior to payment. Fraudulent
activities must therefore be detected after the fact, during
supervisor or internal reviews, and disputed charge procedures must be
initiated to obtain a credit from Citibank. Table 5 shows examples of
potentially fraudulent transactions that we identified at SPAWAR
Systems Center. Using the same audit techniques, we did not find
documented evidence of potentially fraudulent NPWC transactions for
fiscal year 2001. However, as noted previously, our tests were not
designed to identify all fraudulent transactions, and considering the
control weaknesses identified at SPAWAR Systems Center and NPWC, and
the substantial number of compromised accounts discussed later,
fraudulent transactions may have occurred during fiscal year 2001 and
not have been detected.
Table 5: Examples of Potentially Fraudulent Purchase Card Transactions
at SPAWAR Systems Center:
Type of items purchased: Car rentals;
Vendor: Dollar Rent a Car;
Total amount: $338;
Source: Cardholder.
Type of items purchased: Unknown;
Vendor: Kids R Us;
Total amount: $826;
Source: Compromised account.
Type of items purchased: Phone calls;
Vendor: 800-Collect;
Total amount: $516;
Source: Compromised account.
Type of items purchased: Unknown;
Vendor: Car Club;
Total amount: $9,486;
Source: Compromised account.
Type of items purchased: Adult entertainment, other Internet purchases;
Vendor: Paycom.net, Ibillcs.com;
Total amount: $285;
Source: Unknown.
Type of items purchased: Unknown;
Vendor: Safety product vendor;
Total amount: $10,600;
Source: Vendor.
[End of table]
The fact that all of the unauthorized transactions in table 5 were
authorized for payment by SPAWAR Systems Center clearly demonstrates
the lack of an effective review and monthly certification process.
SPAWAR Systems Center officials told us that they were aware of all of
these potentially fraudulent transactions and eventually received a
credit from either the vendor or Citibank or reimbursement from the
cardholder, but in some cases after many months. For example, the car
rental transaction related to a SPAWAR Systems Center employee who
stated that she had inadvertently used the purchase card rather than a
personal credit card. However, it took the employee 5 months to
reimburse the government for this personal and unauthorized charge.
Three of the examples in table 5 relate to the 2,595 Navy purchase
card compromised accounts discussed below. The card numbers used to
make the internet purchases were not on the list of compromised
accounts. These cardholders reported to Citibank that the transactions
were unauthorized, and Citibank provided credits to their accounts for
disputed amounts up to three months after SPAWAR Systems Center paid
the bill. The $10,600 of potentially fraudulent charges represent
numerous unauthorized charges, many of which were about $500 each,
during fiscal year 2001 by a safety product vendor that SPAWAR Systems
Center paid despite the fact that no goods were received. As of
January 21, 2002, SPAWAR Systems Center had not received a credit from
the bank or the vendor for about $3,100 of the unauthorized charges.
In our July 2001 testimony, we identified about $12,000 in potentially
fraudulent fiscal year 2000 transactions on the purchase card of a
former NPWC employee. NPWC Command Evaluation staff researched the
potentially fraudulent charges, and NPWC eventually disputed them and
recovered the full amount from the bank. Our Office of Special
Investigations conducted an investigation of the suspect employee to
determine if these transactions were indeed fraudulent. This
investigation identified the following.
* The purchases occurred primarily between December 20 and 26, 1999,
and included an Amana range, Compaq computers, gift certificates,
groceries, and clothes. Based on our research, most of the merchants
noted that these were not phone orders and someone presented the
purchase card in question to make the purchases.
* The cardholder brought the January 2000 credit card statement, with
the above charges on the bill, to her supervisor for his approval and
signature. According to the supervisor, the cardholder told him that
she needed the statement signed immediately because she was late in
processing it. The supervisor signed the credit card statement without
reviewing it.
* The cardholder claims to have disputed the charges on January 31,
2000. Citibank indicated that it did not receive the dispute
documentation until August 23, 2000, and the bank did not credit the
Navy for these charges until April 2001.
* Based on an examination of the handwriting specimens by the U.S.
Secret Service Forensic Services Division, the fraudulent purchase
receipts were probably signed by someone other than the cardholder and
all appear to have been signed by the same individual.
* The Amana range was bought with a gift card that was purchased in
the name of the cardholder's alleged ex-boyfriend's mother.
* The cardholder left NPWC to work for the U.S. Pacific Fleet from
June to November of 2000 and now works at the Pentagon. After leaving
work on her last day at NPWC, the cardholder improperly used the NPWC
purchase card”which should have been canceled”for a personal
automobile rental that was initially paid by NPWC and subsequently
reversed through a credit from Citibank. The cardholder was supposed
to, but has not yet, repaid Citibank the $358 owed.
* The cardholder also misused a government travel card by purchasing
three airline tickets for personal use. The cardholder partially repaid
the cost of the tickets but had a remaining balance of $379. The Bank
of America has written off the balance of the cardholder's account.
The facts of this case demonstrate a complete breakdown in internal
controls, particularly in the area of proper review and certification
of monthly statements. The individual who approved the payment to
Citibank for these fraudulent charges told us that he signed off on
the January 2000 statement without reviewing it to determine if the
transactions were valid. It is unclear whether the credit NPWC
ultimately received was the result of the Citibank investigation of
the case or NPWC's determining some time after payment of the bill
that the charges were fraudulent. NPWC also did not properly cancel
the purchase card account of this cardholder after the cardholder had
moved on to another organization within the Navy. Further, NPWC paid
the purchase card bill that included this cardholder's personal
automobile rental, a clear indication that the monthly review and
certification of bills was not being done. Finally, as of February 6,
2002, no disciplinary actions had been taken against this cardholder.
Our Office of Special Investigations referred this case back to the
Naval Criminal Investigative Service for further investigation and, if
warranted, prosecution.
We also followed up on the previously reported September 1999
compromise of up to 2,600 purchase card accounts assigned to Navy
activities in the San Diego area. We reported that Navy investigators
were able to identify only a partial list consisting of 681
compromised accounts. We recommended that the Navy act immediately to
cancel all known active compromised accounts. In December 2001, Navy
notified us that all 681 compromised accounts we identified in the
July testimony were canceled, including 22 active SPAWAR Systems
Center accounts. However, no other action was taken by the Navy to
identify or cancel the remaining nearly 2,000 accounts that were
compromised in September 1999. Our investigators subsequently
identified the source of the compromised accounts as the database of a
Navy vendor, which provided NCIS with the names of its former
employees who were possible suspects in the theft of data. In January
2002, the vendor provided our investigators with the entire list of
the 2,595 compromised accounts. We provided this list to the Navy and
recommended that it immediately cancel the remaining 1,914 compromised
account numbers. We found that 78 SPAWAR Systems Center and 10 NPWC
compromised accounts were active as of December 2001. As noted
previously, 3 of the examples of potentially fraudulent SPAWAR Systems
Center activity reported in table 5 involved these compromised
accounts.
As we reported in our previous testimony, as of January 2001, at least
30 of the nearly 2,600 compromised account numbers were used by 27
alleged suspects to make more than $27,000 in fraudulent transactions
for pizza, jewelry, phone calls, tires, and flowers. However, with the
lack of effective controls over independent receipt for goods and
services and proper review and certification of purchase card
statements for payment that we identified at the two units, it will be
difficult, if not impossible, for the Navy”including SPAWAR Systems
Center and NPWC”to identify fraudulent purchases as they occur, or to
determine the extent of the fraudulent use of compromised accounts. On
December 11, 2001, the NCIS case on the compromised Navy purchase card
numbers was presented to the U.S. Attorney's Office, Southern District
of California, San Diego, for prosecution. The U.S. Attorney's Office
declined prosecution of the case due to the low known dollar loss of
$28,734. The NCIS case was closed on December 20, 2001.
The following are other cases of potential fraudulent activity.
* A fraud hotline call alerted NPWC to a case involving two NPWC
employees, an air conditioning equipment mechanic”who was a purchase
card holder”and his supervisor. The alleged fraud includes the element
of collusion, which internal controls generally are not designed to
prevent. However, adequate monitoring of purchase card transactions,
along with the enforcement of controls”such as documentation of
independent confirmation of receipt and acceptance and recording of
accountable items in property records”will make detection easier. In
this case, the cardholder allegedly made fraudulent purchase card
acquisitions during the period of April 1999 through December 1999 to
obtain electronic planners, leather organizers, a digital camera, a
scanner/printer, and various cellular telephone accessories for
himself and his supervisor. These items totaled more than $2,500. NPWC
initiated administrative action and gave a notice of proposed removal
to the cardholder on August 15, 2000, and to the supervisor on August
1, 2000. Both employees resigned after they had repaid the Navy nearly
$6,000 but before formal removal. Criminal actions were not taken
against the individuals.
* SPAWAR Systems Center's Command Evaluation is currently
investigating purchases made by cardholders in one of SPAWAR Systems
Center's divisions. This is an ongoing investigation focused on
transactions made during the period August 2000 through April 2001.
Preliminary findings resulted in a request from Command Evaluation to
the SPAWAR Systems Center agency program coordinator to suspend
purchase card authority for all cardholders and approving officials in
the affected division until the investigation is completed.
* Our Office of Special Investigations is conducting a further
investigation of about $164,000 in transactions during fiscal year
2001 between SPAWAR Systems Center and one of its contractors for
potentially fraudulent activity. The SPAWAR Systems Center division
responsible for these purchase card transactions is the same
department that SPAWAR Systems Center's Command Evaluation is
currently reviewing, as discussed in the previous bullet. This case is
discussed in more detail in the following section on improper
purchases.
Improper Transactions:
Transactions Not Permitted by Law, Regulation, or DOD Policy
We identified transactions for SPAWAR Systems Center and NPWC that
were improper, including some that involved the improper use of
federal funds. The transactions we determined to be improper are those
purchases intended for government use, but are not for a purpose that
is permitted by law, regulation, or DOD policy. We also identified as
improper numerous purchases made on the same day from the same vendor
that appeared to circumvent cardholder single transaction limits.
Federal Acquisition Regulation and NAVSUP Instruction 4200.94
guidelines prohibit splitting purchase requirements into more than one
transaction to avoid the need to obtain competitive bids on purchases
over the $2,500 micropurchase threshold or to circumvent higher single
transaction limits for payments on deliverables under requirements
contracts. We identified these improper transactions as part of our
review of about 161 SPAWAR Systems Center and 145 NPWC fiscal year
2001 transactions and related activity. We identified most of these
transactions as part of our data mining of transactions with
questionable vendors, although several were identified as part of our
statistical sample.
Transactions Not Permitted by Law, Regulation, or DOD Policy:
The Federal Acquisition Regulation, 48 C.F.R. 13.301(a), provides that
the governmentwide commercial purchase card "may be used only for
purchases that are otherwise authorized by law or regulations."
Therefore, a procurement using the purchase card is lawful only if it
would be lawful using conventional procurement methods. Under 31
U.S.C. 1301(a), "appropriations shall only be applied to the objects
for which the appropriations were made..." In the absence of specific
statutory authority, appropriated funds may only be used to purchase
items for official purposes, and may not be used to acquire items for
the personal benefit of a government employee. As previously discussed
NPWC identified approximately 600 transactions that violated the
Navy's prohibition against using the purchase card to acquire
noncommonly used hazardous materials. As shown in table 6, we found
examples of purchases that were not authorized by law, regulation, or
policy.
Table 6: Transactions Not Permitted by Law, Regulation, or Policy:
Type of items purchased: Food and refreshments;
Unit: Both;
Example vendors: Admiral Kidd Catering, Omni Hotel, Expressly Gourmet,
Dave's Snack Bar, Embassy Suites;
Nature of improper transaction: Not authorized by law;
Total transaction amounts: $8,500.
Type of items purchased: Clothing;
Unit: SPAWAR;
Example vendors: Sport Chalet, Twig's Alaskan Gifts;
Nature of improper transaction: Not authorized by law; see additional
clothing in table 8;
Total transaction amounts: $282.
Type of items purchased: Luxury rental cars (e.g., Lincoln Town Car);
Unit: NPWC;
Example vendors: Enterprise, Courtesy, Fuller;
Nature of improper transaction: Not in accordance with DOD policy;
abusive;
Total transaction amounts: $7,028.
Type of items purchased: Contracted services;
Unit: SPAWAR;
Example vendors: Telecommunications contractor;
Nature of improper transaction: Not in accordance with Navy policy;
potentially fraudulent;
Total transaction amounts: $164,143.
Type of items purchased: Convenience check;
Unit: SPAWAR;
Example vendors: U.S. Postal Service;
Nature of improper transaction: Not in accordance with DOD policy;
abusive;
Total transaction amounts: $347,120.
Type of items purchased: Printing services;
Unit: SPAWAR;
Example vendors: Kinko's;
Nature of improper transaction: Not in accordance with policy to use
the Defense Automated Printing Service;
Total transaction amounts: $3,763.
Type of items purchased: Sales tax;
Unit: SPAWAR;
Example vendors: Numerous;
Not authorized by law;
Total transaction amounts: $283.
[End of table]
Food. We found a number of purchases of food at SPAWAR Headquarters,
SPAWAR Systems Center and NPWC that represent an improper use of
federal funds. Without statutory authority, appropriated funds may not
be used to furnish meals or refreshments to employees within their
normal duty stations.[Footnote 15] Free food and other refreshments
normally cannot be justified as a necessary expense of an agency's
appropriation because these items are considered personal expenses
that federal employees should pay for from their own salaries.
[Footnote 16] In January 2000, the General Services Administration
(GSA) amended the government travel regulations to permit agencies to
provide light refreshments to employees attending conferences
involving travel. In response to GSA's action, DOD amended the Joint
Travel Regulation (JTR) and Joint Federal Travel Regulation (JFTR) to
permit similar light refreshments for DOD civilian employees and
military members. In April 2001, DOD clarified the JTR/JFTR rule to
permit light refreshments only when a majority of the attendees (51
percent or more) are in travel status.[Footnote 17] The following food
purchases should not have been paid for with appropriated funds.
* Three instances in which NPWC purchased primarily meals and light
refreshments for employee-related activities, including team meetings,
at a cost of about $4,100. The supporting documentation we were
provided initially by NPWC showed these purchases to be the rental of
rooms for meetings. However, after our further inquiry of the Admiral
Kidd Catering Center we found that a large portion of the purchases
were related to food and refreshments including luncheon buffets.
Officials from the Admiral Kidd Catering Center indicated that the
invoices for these events do not show the food purchases because they
knew that the Navy is not allowed to pay for food at these conferences.
* Five instances in which SPAWAR Headquarters or Systems Center
cardholders purchased primarily light refreshments for employee team
meetings or training sessions when less than a majority of the
attendees were on travel, at a total cost of about $1,000.
* One transaction in which a SPAWAR Headquarters program management
office had a 2-day off-site meeting at a San Diego hotel for about 20
staff, and SPAWAR Headquarters provided all participants with lunch
and refreshments. The cardholder provided us with documentation
indicating that SPAWAR Headquarters spent $2,400 to rent a room at the
hotel where the meeting was held. The assistant program manager told
us that the $2,400 charge was just for the meeting room rental.
However, we obtained documents directly from the hotel, which were
signed by the assistant program manager, that prove that SPAWAR
Headquarters paid about $1,400 for lunch and refreshments for both
days. Furthermore, by comparing the hotel's copy of the event
confirmation form with the copy of the same form provided by SPAWAR
Headquarters, it appeared that the form had been altered to indicate
that the $2,400 was only for rent. After briefing SPAWAR Headquarters
and System Center management of our findings, the SPAWAR Headquarters
inspector general opened an investigation of this matter that is still
ongoing.
Clothing. We identified several purchases of clothing by SPAWAR
Systems Center employees that should not have been purchased with
appropriated funds. According to 5 U.S.C. 7903, agencies are
authorized to purchase protective clothing for employee use if the
agency can show that (1) the item is special and not part of the
ordinary furnishings that an employee is expected to supply, (2) the
item is essential for the safe and successful accomplishment of the
agency's mission, not solely for the employee's protection, and (3)
the employee is engaged in hazardous duty. Further, according to a
comptroller general decision dated March 6, 1984,[Footnote 18]
clothing purchased pursuant to this statute is property of the U.S.
government and must only be used for official government business.
Thus, except for rare circumstances in which a clothing purchase meets
stringent requirements, it is usually considered a personal item that
should be purchased by the individual.
For the transactions that we tested, we found that several SPAWAR
Systems Center employees had purchased clothing, such as a lightweight
hooded jacket, long pants, and a shirt that should have been purchased
by the employees with their own money. One of the cardholders told us
that he believed his purchases of clothing were appropriate because
other SPAWAR Systems Center employees were also purchasing clothing.
As a result of this statement, we expanded our analysis and found that
during fiscal year 2001 SPAWAR Systems Center cardholders purchased
about $4,400 worth of socks, gloves, parkas, jackets, hats, shirts,
and sweatpants from REI and Cabela's that appear to also be improper.
Because we did not test each of these transactions to determine if
they were adequately justified, we included the $4,400 as questionable
clothing purchases in table 8.
Luxury car rentals. We identified 34 fiscal year 2001 purchases
totaling $7,028 in which NPWC could not support the representation
that rentals of Lincoln Town Cars or similar luxury cars were for
individuals authorized to obtain a luxury car. DOD policy provides
that only four-star admirals and above (or equivalent) qualify to rent
such luxury vehicles. Our analysis of NPWC's fiscal year 2001 purchase
card transactions for rentals of commercial vehicles disclosed 42
instances of rentals of luxury vehicles (e.g., Lincoln Town Cars and
Cadillac DeVilles). NPWC cardholder documentation showed that only 8
of the 42 rentals were for four-star admirals. In the other 34
instances, cardholder documentation either disclosed that a rental of
a Lincoln Town Car or similar vehicle was for a Navy captain or lower-
ranking admiral, or the documentation was insufficient to determine
who rented the automobile. As a result of its inappropriately renting
the Lincolns and other luxury cars, we estimated that NPWC spent about
$2,000 more than it would have if NPWC had rented an automobile that
was consistent with DOD policy. Consistent with NPWC's proactive
approach, the day after we brought this issue to management's
attention, controls and procedures were put in place to resolve this
issue. Because these purchases were at an excessive cost, they also
fall under the definition of abusive transactions.
Prepayment of goods and services. We also identified 75 SPAWAR Systems
Center purchase card transactions, for about $164,000 with a
telecommunications contractor, that appear to be advance payments for
electrical engineering services. Section 3324 of title 31, United
States Code, prohibits an agency from paying for goods or services
before the government has received them (with limited exceptions).
Further, Navy purchase card procedures prohibit advance payment for
goods and services, except in cases such as subscriptions and post
office box rentals. SPAWAR Systems Center project managers gave us
with several conflicting explanations of the nature of the arrangement
with the contractor, first indicating that the charges were for time
and materials and later stating that each purchase was a fixed-fee
agreement. No documentation was provided to support either
explanation. We were also told by SPAWAR Systems Center employees that
the purchase card was used to expedite the procurement of goods and
services from the contractor because the preparation, approval, and
issuance of a delivery order was too time-consuming in certain
circumstances.
For all 75 transactions, we found that the contractor's estimated
costs were almost always equal or close to the $2,500 micropurchase
threshold. Because we found no documentation of independent receipt
and acceptance of the services provided or any documentation that the
work for these charges was performed, these charges are also
potentially fraudulent. We therefore referred the SPAWAR Systems
Center purchase card activity with this contractor to our Office of
Special Investigations for further investigation.
Convenience checks. We found that SPAWAR Systems Center improperly
used convenience checks in fiscal year 2001, which ultimately resulted
in NAVSUP canceling the use of these checks at SPAWAR Systems Center
in November 2001, after we made inquires concerning the number of
SPAWAR Systems Center convenience checks issued that exceeded the
$2,500-per-check limit. Convenience checks are charged directly to the
government purchase card account and are used to pay vendors and other
government agencies that do not accept the purchase card. According to
the SPAWAR Systems Center agency program coordinator, two Citibank
convenience check accounts were established in December 1998,
presumably before NAVSUP changed its policy allowing only one account
per unit. The SPAWAR Systems Center head of supply and contracts
canceled one of these accounts on November 15, 2001, after we made
inquires concerning SPAWAR Systems Center's convenience check usage.
We found that the two employees responsible for these two accounts had
issued 187 checks during fiscal year 2001, 30 of which were in excess
of the $2,500 limit for individual checks, for a total of over
$347,000. The checks that exceeded the $2,500 limit were issued to pay
for postage meter charges, various services to vendors who were sole
source providers, and training. After we made inquires to the DOD
Purchase Card Program Office regarding the propriety of SPAWAR Systems
Center's writing convenience checks in excess of $2,500, NAVSUP
canceled SPAWAR Systems Center's convenience check privileges on
November 20, 2001. We also believe the use of convenience checks for
over $2,500 purchases is not economical because of the 1.25 percent
fee charged per transaction. For example, SPAWAR Systems Center used
convenience checks to make one purchase of $10,000 for postage, which
resulted in a fee of $125.
Printing. In addition, we identified several instances in which SPAWAR
Systems Center did not adhere to DOD's policy to use the Defense
Automated Printing Service (DAPS) to perform all printing jobs.
Further, the Navy's purchase card list of prohibited or special-
approval items states that cardholders are prohibited from buying
printing or duplication services from entities other than DAPS. In two
of the transactions that we audited, SPAWAR Systems Center paid about
$3,800 to Kinko's for printing manuals.
Sales tax. We identified eight instances of sales taxes paid on SPAWAR
Systems Center purchases. Payment of sales tax for the purchase of
goods and services for the government is not authorized by law.
According to SPAWAR Systems Center employees, these sales tax payments
generally occurred when the vendors did not know how to process a
nontaxable transaction.
Split Purchases:
Our analysis of the population of fiscal year 2001 transactions made
by one or more cardholders on the same day from the same vendor, which
appeared to circumvent cardholder single transaction limits,
identified about $7.5 million in SPAWAR Systems Center potential split
purchases and nearly $3 million in NPWC potential split purchases. The
Federal Acquisition Regulation and Navy purchase card policies and
procedures prohibit splitting a purchase into more than one
transaction to avoid the requirement to obtain competitive bids for
purchases over the $2,500 micropurchase threshold or to avoid other
established credit limits. Once items exceed the $2,500 micropurchase
threshold, they are to be purchased in accordance with simplified
acquisition procedures, which are more stringent than those for
micropurchases.
Our analysis of the population of fiscal year 2001 SPAWAR Systems
Center and NPWC transactions identified a substantial number of
potential split purchases. To determine whether these were, in fact,
split purchases, we obtained and analyzed the supporting documentation
for 30 potential split purchases at SPAWAR Systems Center and 20
potential split purchases at NPWC. We found that in many instances,
cardholders made multiple purchases from the same vendor within a few
minutes or a few hours for items such as computers, computer-related
equipment, cell phone services, and small contracts that involved the
same, sequential, or nearly sequential purchase order and vendor
invoice numbers. Based on our analyses, we concluded that 13 of the 30
SPAWAR Systems Center and 10 of the 20 NPWC purchases that we examined
were split into two or more transactions to avoid micropurchase
thresholds. Table 7 provides several examples of cardholder purchases
that we believe represent split purchases intended to circumvent the
$2,500 micropurchase limit or other cardholder single transaction
limit.
Table 7: Examples of Potential SPAWAR Systems Center and Navy Public
Works Center San Diego Split Purchases:
Navy unit: SPAWAR;
Vendor: Nextel Wireless;
Date: 7/17/2001;
Charge: 10 charges;
Items purchased: Cell phone service;
Cost of items: $24,482;
Indicator of split purchase: 10 separate charges of about $2,500 each
to pay July monthly bill.
Navy unit: SPAWAR;
Vendor: World Wide Technology;
Date: 9/05/2001;
Charge: 1;
Items purchased: Computer equipment;
Cost of items: $1,938;
Indicator of split purchase: Computer equipment resides within the
cabinet;
Charge: 2
Items purchased: Cabinet;
Cost of items: $2,214;
Indicator of split purchase: [Empty].
Navy unit: SPAWAR;
Vendor: CompUSA;
Date: 9/11/2001;
Charge: 1;
Items purchased: Software;
Cost of items: $2,240;
Indicator of split purchase: Orders placed only minutes apart for
similar products;
Charge: 2;
Items purchased: Software;
Cost of items: $1,160;
Indicator of split purchase: [Empty].
Navy unit: NPWC;
Vendor: Construction Fence Rental;
Date: 7/12/01;
Charge: 1;
Items purchased: Security fence;
Cost of items: $2,442;
Indicator of split purchase: Rental of security fence on the same day
for the same construction project;
Charge: 2;
Items purchased: Security fence;
Cost of items: $2,310;
Indicator of split purchase: [Empty];
Charge: 3;
Items purchased: Security fence;
Cost of items: $75;
Indicator of split purchase: [Empty].
Navy unit: NPWC;
Vendor: Comlogic NCC Computers;
Date: 9/17/2001;
Charge: 1;
Items purchased: Computer;
Cost of items: $2,495;
Indicator of split purchase: Multiple charges on the same day for
items listed on the same authorization;
Charge: 2;
Items purchased: Computer parts;
Cost of items: $1,401;
Indicator of split purchase: [Empty];
Charge: 3;
Items purchased: Computer software;
Cost of items: $149;
Indicator of split purchase: [Empty].
Navy unit: NPWC;
Vendor: Union Electric Motors;
Date: 7/5/2001;
Charge: 1;
Items purchased: Custom control panel and components;
Cost of items: $2,485;
Indicator of split purchase: Purchases were on the same day and vendor
invoice was sequentially numbered; vendor said transactions were part
of single sale;
Charge: 2;
Additional component for control panel;
Cost of items: $885;
Indicator of split purchase: [Empty].
Note: All cardholders making these transactions had $2,500 single-
transaction limits.
[End of table]
By circumventing the competitive requirements of the simplified
acquisition procedures, we believe that in many instances SPAWAR
Systems Center and NPWC may not be getting the best prices possible
for the government. As a result, these split purchases are likely
increasing the cost of government procurements using the purchase card
and, thus, at least partially offsetting its benefits.
Abusive and Questionable Transactions:
We identified numerous examples of abusive and questionable
transactions at SPAWAR Systems Center during fiscal year 2001. Several
of the improper transactions for NPWC discussed previously are also
abusive or questionable; however, we found no other abusive items
related to NPWC in our statistical sample or data mining. We defined
abusive transactions as those that were authorized, but the items
purchased were at an excessive cost (e.g., "gold plated") or for a
questionable government need, or both. Questionable transactions are
those that appear to be improper or abusive but for which there is
insufficient documentation to conclude either. For all abusive or
questionable items, we concluded that cardholders purchased items for
which there was not a reasonable and/or documented justification.
Many of the purchases we found to be abusive or questionable fall into
categories described in GAO's Guide for Evaluating and Testing
Controls Over Sensitive Payments (GAO/AFMD-8.1.2, May 1993). The guide
states: "Abuse is distinct from illegal acts (noncompliance). When
abuse occurs, no law or regulation is violated. Rather, abuse occurs
when the conduct of a government organization, program, activity, or
function falls short of societal expectations of prudent behavior."
Table 8 shows the potentially abusive and questionable transactions we
identified at SPAWAR Systems Center for fiscal year 2001.
Further, several of these items fall into the category of pilferable
items, which, as discussed previously, SPAWAR Systems Center no longer
records in its property records and therefore does not maintain
accountability over them. For example, the cell phones and headset are
items that could easily be converted to personal use without detection
as they are not subject to bar coding and periodic inventory. In
addition, items that may have limited use on one project could be made
available for use on other projects, if their existence and location
were recorded in centralized property records. Such visibility could
serve to avoid duplicative purchases as well as provide the control
needed to help prevent misuse of government property.
Table 8: Abusive and Questionable Transactions at SPAWAR Systems
Center:
Type of items purchased: Room rental and refreshments;
Example vendors: Bally's in Las Vegas;
Nature of transaction: Organization meeting for about 30 staff members
in Las Vegas;
Abusive/questionable: Questionable;
Total amount: $2,308.
Type of items purchased: Cellular phones and services;
Example vendors: Nextel, SprintPCS, AT&T Wireless;
Nature of transaction: Abusive and uneconomical procurement, physical
control, and usage of services;
Abusive/questionable: Abusive and questionable;
Total amount: $74,936.
Type of items purchased: Clothing (see also table 6);
Example vendors: Cabela's, REI, Sport Chalet;
Nature of transaction: Purchase of personal items such as socks,
gloves, parkas, jackets, hats, shirts, and sweatpants;
Abusive/questionable: Questionable;
Total amount: $4,668.
Type of items purchased: Luggage;
Example vendors: The Luggage Center;
Nature of transaction: Numerous wallets, passport holders, backpacks,
neck pouches, and other items given away;
Abusive/questionable: Abusive;
Total amount: $775.
Type of items purchased: Designer leather goods;
Example vendors: Louis Vuitton, Franklin Covey;
Nature of transaction: Purchase of designer and high-cost leather
briefcases, portfolios, totes, day planners, palm pilot cases,
wallets, and purses;
Abusive/questionable: Abusive and questionable; improper for
nonmandatory source of supply;
Total amount: $33,054
Type of items purchased: Computer bags;
Example vendors: SkyMall;
Nature of transaction: Purchase of computer bags at an excessive
cost, two given away;
Abusive/questionable: Abusive;
Total amount: $731
Type of items purchased: Headset;
Example vendors: Bose;
Nature of transaction: High-cost headset purchased, questionable need;
Abusive/questionable: Abusive;
Total amount: $299.
Type of items purchased: Lego "Mindstorm" robots;
Example vendors: Toys R Us;
Nature of transaction: Four computer robot kits given away or at
employee's home;
Abusive/questionable: Abusive;
Total amount: $800.
[End of table]
Room rental and refreshments. We identified meeting room rental and
refreshments at Bally's, a hotel and casino in Las Vegas, which is a
questionable transaction. This charge was related to a trip for about
30 staff members from SPAWAR Headquarters. SPAWAR officials told us
that the trip was an organizational meeting to work out the details of
a planned merger of two program management working groups. According
to SPAWAR Headquarters officials, the staff members who attended the
organizational meeting spent the first morning of the 3-day trip at
Nellis Air Force Base discussing issues related to an ongoing project
involving a test and evaluation squadron. The cost of the transaction
we reviewed was about $2,300, and we estimate the total cost of the
trip was between $15,000 and $20,000. For the specific transaction we
reviewed, we found that the same control weaknesses we reported
earlier applied, including lack of independent receipt of goods and
proper certification of the monthly bill. There was no documentation
showing that this transaction had been authorized in advance or that
management had fully considered the cost of this trip and potentially
less costly alternatives.
GAO's Guide for Evaluating and Testing Controls Over Sensitive
Payments notes the importance of the control environment and the need
for effective controls related to sensitive payments. A trip for about
30 employees to a Las Vegas hotel and casino for 3 days at a
significant cost to the government is clearly sensitive and should be
subjected to a high level of scrutiny, with clear documentation and
approval in advance of the event. We would expect to see authorization
in advance of the procurement by someone at a higher level than the
most senior individual involved in the event”in this case, a captain.
We found no documented justification to indicate a valid need for this
3-day meeting to be held in Las Vegas nor did we find an evaluation of
the cost-benefit of having the meeting in Las Vegas versus alternative
sites. Thus, we question whether the entire cost of the trip was a
prudent expenditure of government funds. We did not review the travel
vouchers and related documentation for the other component costs of
the trip such as airfare, rental cars, or hotel bills; however, in
estimating the total cost of the trip, we reviewed available
documentation related to travel card usage from Bank of America.
Cell phone usage. We found significant breakdowns in controls at
SPAWAR Systems Center over the use of cell phones and related
services, resulting in abusive and wasteful expenditures of government
resources. In addition, we found a proliferation of cell phone
agreements, with the purchase card being used to purchase equipment
and services from more than 40 different cell phone companies at a
total cost of $341,000 for fiscal year 2001. According to SPAWAR
Systems Center management, they have a master cell phone contract with
AT&T Wireless. However, lack of management oversight and a large
number of available purchase cards has resulted in individuals with
purchase cards or their supervisors deciding who needs a cell phone,
which cell phone company to use, and what type of calling plan to
purchase. For all but one of the transactions that we audited, we did
not find any evidence that the monthly cell phone bills had been
independently reviewed to ensure the transactions were reasonable and
for valid government purposes.
In the large case we audited, we identified a $24,000 monthly bill for
about 200 Nextel cell phones and related services that were acquired
to provide a voice communication system for coordination and control
among various groups during a demonstration and test of a military
wide area relay network. The Nextel phones were selected for
evaluation as an alternative not for their standard cellular phone-to-
phone capability, but for their "group-talk" feature, which provides a
wireless "walkie-talkie" like capability for preprogrammed work
groups. One of the key control failures with this cell phone
procurement was related to SPAWAR Systems Center's handing out cell
phones to project team members and government contractors without
keeping an inventory of who had each cell phone. Contractors that used
these government cell phones told us that SPAWAR Systems Center
officials brought a box of 60 or 70 cell phones to a meeting and
handed them out to contractors that were part of the team. The
contractors told us that SPAWAR Systems Center provided them with no
instructions on proper use of the cell phone. The approximately 200
cell phones were not physically controlled and SPAWAR Systems Center
did not have a list of who had the cell phones. Based on further
investigation, we found that these contractors were using the cell
phones to call friends and family and to conduct other personal
business. Based on our review of the bills for this Nextel account”
which totaled about $74,000 during fiscal year 2001”we estimated that
about $9,200 was spent on long distance and other local telephone
calls, which was not the primary intended purpose of these cell phones.
In addition to the Nextel contract, we also identified cell phone
contracts with large monthly fees for phones that were either used
infrequently or not at all. For example, we audited one account with
five cell phones. The service for each phone included 500 minutes of
airtime, and the basic service cost of each cell phone was $50 a
month. For the 3 months of activity we audited, we found that three of
the five phones had either no voice activity or very little. For
example, one of these cell phones had only 2 minutes of calls during a
month that we audited. This is the equivalent of the government paying
$25 per minute for airtime.
We identified a number of other abusive and questionable charges
including the following.
* One cardholder purchased $775 of luggage including wallets, passport
holders, backpacks, neck pouches, and other items. The cardholder told
us that these items were used to carry or ship equipment to
universities for outreach activities. At the end of the events, the
individual told us that the items were given away. There is no
documentation available showing the authorization and need to purchase
this luggage for purposes of carrying or shipping equipment. This
purchase appears abusive because a valid government need is neither
apparent nor documented, particularly since the cardholder gave away
government property that could easily be converted to personal use.
* As part of our data mining, we identified purchases of day planners
from commercial vendors, including calendar refills along with
designer leather holders purchased from Louis Vuitton. By law,
government agencies are directed to purchase certain products,
including day planners and calendars, from certified nonprofit
agencies that employ people who are blind or severely disabled. This
program is referred to as the Javits-Wagner-O'Day (JWOD) program,
which is intended to provide employment opportunities for thousands of
people with disabilities to earn good wages and move toward greater
independence. In addition, DOD's policy requires the use of JWOD
sources, whether or not the procurement is made using a purchase card,
unless the central JWOD agency specifically authorizes an exception.
In this year's audit, we found that SPAWAR Systems Center employees
had purchased three Louis Vuitton calendar refills for $27 each, and
we identified three purchases of Louis Vuitton calendar holders at a
cost of $255 each in fiscal year 2000. The most expensive JWOD
calendar holders”specifically designed for DOD”cost about $40.
* In addition, we identified about $33,000 in purchases from Franklin
Covey of designer and high-cost leather briefcases, purses (totes),
portfolios, day planners and refills, palm pilot cases, and wallets.
For example, we found leather purses costing up to $195 each and
portfolios costing up to $135 each. Many of these purchases are of a
questionable government need and should be paid for by the individual.
To the extent the day planners and calendar refills were proper
government purchases, they were at an excessive cost and, as with the
Louis Vuitton day planners, should have been purchased from a JWOD
source at a substantially lower cost. Circumventing the JWOD
requirements and purchasing these items from commercial vendors is not
only an abuse and waste of taxpayer dollars, but shows particularly
poor judgment and serious internal control weaknesses.
* We identified the purchase of three computer bags from SkyMall at a
cost of $161 each, and another purchase of a computer bag at a store
in Italy for almost $250. All three computer bags were purchased by
employees who were traveling on SPAWAR Systems Center business. The
cost of these computer bag purchases is excessive compared to other
standard bags we found purchased for $25. In addition, the cardholder
who purchased the SkyMall bags told us that one of the two bags, along
with another bag purchased in a separate transaction, was given to non-
SPAWAR Systems Center government employees working on the project.
* We identified the purchase of a Bose headset at a cost of $299. The
cardholder told us that the headset was originally purchased for a
project but had never been used on the project. The cardholder stated
that he has used the headset to listen to music on official government
travel aboard airplanes.
* We identified four Lego "Mindstorm" computer robot kits that were
purchased at Toys R Us at a total cost of $800. The SPAWAR Systems
Center employee who requested that these robots be purchased initially
told us that they were purchased as a learning tool for new
professionals and junior engineers to learn cooperative behavior
between robots and to conduct robotic research. However, during our
interview, this SPAWAR Systems Center employee stated that at the time
of these purchases his division did not have any new professionals
scheduled to rotate through his assignment. Within 6 weeks of
purchasing the kits, the employee removed all four from SPAWAR Systems
Center, brought two of them to a local elementary school where he
mentors an after school science club, and brought two to his home. We
believe this purchase is abusive because there does not appear to be a
valid government need for the purchase, and because the cardholder
effectively gave away government property that could easily be
converted to personal use. As part of the NAVSUP mandated stand-down
transaction review, SPAWAR Systems Center also reviewed the
transactions for the Lego robot kits and initially questioned their
propriety. However, contrary to our conclusion that these purchases
were abusive, SPAWAR Systems Center ultimately considered the Lego
kits to be a valid government purchase.
Disciplinary Action Seldom Taken Against Cardholders Who Made
Abusive Purchases:
In our November 30, 2001, report[Footnote 19] on the purchase card
controls at SPAWAR Systems Center and NPWC, we recommended that action
be taken to help ensure that cardholders adhere to applicable purchase
card laws, regulations, internal control and accounting standards, and
policies and procedures. Specifically, we recommended that the
commander, Naval Supply Systems Command, revise NAVSUP Instruction
4200.94 to include specific consequences for noncompliance with
purchase card policies and procedures. DOD did not concur with that
recommendation and stated that existing Navy policy clearly identifies
consequences for fraud, abuse, and misuse. We continue to believe that
Navy needs to establish specific consequences for these purchase card
problems because the Navy policy does not identify any specific
consequences for failure to follow control requirements. Enforcement
of the consequences is also critical. For example, only one of the
cardholders referred to in this testimony or our July 30, 2001,
testimony had formal disciplinary or administrative action”in the form
of removal of the purchase card”taken against them.
Thus, we reiterate our previous recommendation that the Navy enforce
purchase card controls by establishing specific formal disciplinary
and/or administrative consequences”such as withdrawal of cardholder
status, reprimand, suspension from employment for several days, and,
if necessary, firing. Unless cardholders and approving officials are
held accountable for following key internals controls, the Navy is
likely to continue to experience the types of fraudulent, improper,
and abusive and questionable transactions identified in our work.
Conclusions:
The weaknesses identified in the purchase card program at these two
Navy units are emblematic of broader financial management and business
process reform issues across DOD. The comptroller general testified on
March 6, 2002, before the Subcommittee on Readiness and Management
Support, Senate Committee on Armed Services, on the major challenges
facing the department in its business process transformation efforts.
[Footnote 20] In light of the events of September 11, and the federal
government's short- and long-term budget challenges, it is more
important than ever that DOD get the most from every dollar spent. As
Secretary Rumsfeld has noted, billions of dollars of resources could
be freed up for national defense priorities by eliminating waste and
inefficiencies in existing DOD business processes. The cultural issues
we identified at SPAWAR Systems Center”such as the failure to
acknowledge significant control weaknesses in the purchase card
program, the parochial approach to program management without regard
to broader Navy and DOD initiatives, and the lack of consequences on a
personal or organizational level for failure to adhere to controls”are
a major impediment to the improvements that are needed to stop
wasteful and abusive purchases and ensure that taxpayer dollars are
spent where national priorities dictate. In response to requests from
this Subcommittee and Senator Grassley, we have ongoing audits related
to the purchase and travel card programs at the Army, Navy, and Air
Force and plan to offer additional recommendations to strengthen the
controls over these programs.
Contacts and Acknowledgments:
For future contacts regarding this testimony, please contact Gregory
D. Kutz at (202) 512-9095 or kutzg@gao.gov or John J. Ryan at (202)
512-9587 or ryanj@gao.gov. Individuals who made key contributions to
this testimony include Beatrice Alff, Cindy Brown-Barnes, Bertram
Berlin, Sharon Byrd, Lee Carroll, Douglas Delacruz, Francine
DelVecchio, Stephen Donahue, Douglas Ferry, Kenneth Hill, Jeffrey
Jacobson, Kristi Karls, John Kelly, Yola Lewis, Stephen Lipscomb,
Scott McNulty, Sidney Schwartz, and Jennifer Wilson.
[End of section]
Appendix I: Background:
The Navy's purchase card program is part of the Governmentwide
Commercial Purchase Card Program, which was established to streamline
federal agency acquisition processes by providing a low-cost,
efficient vehicle for obtaining goods and services directly from
vendors. According to GSA, DOD reported that it used purchase cards
for more than 10.7 million transactions, valued at $6.1 billion,
during fiscal year 2001. The Navy's reported purchase card activity”
MasterCards issued to civilian and military personnel”totaled about
2.8 million transactions, valued at $1.8 billion, during fiscal year
2001. This represented nearly 30 percent of DOD's activity for fiscal
year 2001. According to unaudited DOD data, SPAWAR Systems Center and
NPWC made about $64 million in purchase card acquisitions during
fiscal year 2001. Because these two units have cardholders located
outside the San Diego area, we limited our testing to only those
SPAWAR Systems Center and NPWC cardholders who are located in San
Diego, California. Those cardholders accounted for about $50 million
of SPAWAR Systems Center and NPWC's $64 million in purchase card
transactions.
SPAWAR Systems Center and NPWC are both working capital fund
activities. SPAWAR Systems Center performs research, engineering, and
technical support, and NPWC provides maintenance, construction, and
operations support to Navy programs. Both of these Navy programs have
locations throughout the United States. Our review focused on the
purchase card program at the San Diego units only. For SPAWAR Systems
Center, this included SPAWAR Headquarters, which is located in San
Diego, and SPAWAR Systems Center San Diego.
Governmentwide Purchase Card Program Guidelines:
Under the Federal Acquisition Streamlining Act of 1994, the Defense
Federal Acquisition Regulation Supplement guidelines, eligible
purchases include (1) micropurchases (transactions up to $2,500, for
which competitive bids are not needed); (2) purchases for training
services up to $25,000; and (3) payment for items costing over $2,500
that are on the General Services Administration's (GSA) preapproved
schedule, including items on requirements contracts. The streamlined
acquisition threshold for such contract payments is $100,000 per
transaction. Accordingly, cardholders may have single-transaction
purchase limits of $2,500 or $25,000, and a few cardholders may have
transaction limits of up to $100,000 or more. Under the GSA blanket
contract, the Navy has contracted with Citibank for its purchase card
services, while the Army and the Air Force have contracted with U.S.
Bank.
The Federal Acquisition Regulation, Part 13, "Simplified Acquisition
Procedures," establishes criteria for using purchase cards to place
orders and make payments. U.S. Treasury regulations issued pursuant to
provisions of law in 31 U.S.C. 3321, 3322, 3325, 3327, and 3335,
govern purchase card payment certification, processing, and
disbursement. DOD's Purchase Card Joint Program Management Office,
which is in the office of the assistant secretary of the army for
acquisition, logistics, and technology, has established departmentwide
policies and procedures governing the use of purchase cards.
Navy Purchase Card Acquisition and Payment Processes:
The NAVSUP is responsible for the overall management of the Navy's
purchase card program, and has published the NAVSUP Instruction
4200.94, Department of the Navy Policies and Procedures for
Implementing the Governmentwide Purchase Card Program. Under the
NAVSUP Instruction, each Navy Command's head contracting officer
authorizes purchase card program coordinators in local Navy units to
obtain purchase cards and establish credit limits. The program
coordinators are responsible for administering the purchase card
program within their designated span of control and serve as the
communication link between Navy units and the purchase card issuing
bank. The other key personnel in the purchase card program are the
approving officials and the cardholders.
Approving Officials:
If operating effectively, the approving official is responsible for
ensuring that all purchases made by the cardholders within his or her
cognizance were appropriate and that the charges are accurate. The
approving official is supposed to resolve all questionable purchases
with the cardholder before certifying the bill for payment. In the
event an unauthorized purchase is detected, the approving official is
supposed to notify the agency program coordinator and other
appropriate personnel within the command in accordance with the
command procedures. After reviewing the monthly statement, the
approving official is to certify the monthly invoice and send it to
the Defense Finance and Accounting Service for payment.
Cardholders:
A purchase card holder is a Navy employee who has been issued a
purchase card. The purchase card bears the cardholder's name and the
account number that has been assigned to the individual. The
cardholder is expected to safeguard the purchase card as if it were
cash.
Designation of Cardholders:
When a supervisor requests that a staff member receive a purchase
card, the agency program coordinator is to first provide training on
purchase card policies and procedures and then establish a credit
limit and issue a purchase card to the staff member.
Ordering Goods and Services:
Purchase card holders are delegated limited contracting officer
ordering responsibilities, but they do not negotiate or manage
contracts. SPAWAR Systems Center and NPWC cardholders use purchase
cards to order goods and services for their units as well as their
customers. Cardholders may pick up items ordered directly from the
vendor or request that items be shipped directly to end users
(requesters). Upon receipt of items acquired by purchase cards,
cardholders are to record the transaction in their purchase log and
obtain documented independent confirmation from the end user, their
supervisor, or another individual that the items have been received
and accepted by the government. They are also to notify the property
book officer of accountable items received so that these items can be
recorded in the accountable property records.
Payment Processing:
The purchase card payment process begins with receipt of the monthly
purchase card billing statements. Section 933 of the National Defense
Authorization Act for Fiscal Year 2000, Public Law 106-65, requires
DOD to issue regulations that ensure that purchase card holders and
each official with authority to authorize expenditures charged to the
purchase card reconcile charges with receipts and other supporting
documentation before paying the monthly purchase card statement.
NAVSUP Instruction 4200.94 states that upon receipt of the individual
cardholder statement, the cardholder has 5 days to reconcile the
transactions appearing on the statement by verifying their accuracy to
the transactions appearing on the statement and notify the approving
official in writing of any discrepancies in the statement.
In addition, under the NAVSUP Instruction, before the credit card bill
is paid the approving official is responsible for (1) ensuring that
all purchases made by the cardholders within his or her cognizance are
appropriate and that the charges are accurate and (2) the timely
certification of the monthly summary statement for payment by the
Defense Finance and Accounting Service (DFAS). The Instruction further
states that within 5 days of receipt, the approving official must
review and certify for payment the monthly billing statement, which is
a summary invoice of all transactions of the cardholders under the
approving official's purview. The approving official is to presume
that all transactions on the monthly statements are proper unless
notified in writing by the purchase card holder. However, the
presumption does not relieve the approving official from reviewing for
blatantly improper purchase card transactions and taking the
appropriate action prior to certifying the invoice for payment. In
addition, the approving official is to forward disputed charge forms
to the unit's comptroller's office for submission to Citibank for
credit. Under the Navy's contract, Citibank allows the Navy up to 60
days after the statement date to dispute invalid transactions and
request a credit.
In our November 30, 2001, report[Footnote 21] we recommended that the
Navy modify its payment certification policy to require (1)
cardholders to notify approving officials prior to payment that
purchase card statements have been reconciled to supporting
documentation, (2) approving officials to certify monthly statements
only after reviewing them for potentially fraudulent improper and
abusive transactions, and (3) approving officials to verify, on a
sample basis, supporting documentation for various cardholder
transactions prior to certifying monthly statements for payment. DOD
concurred with this recommendation and stated the Navy would modify
its payment certification procedures; however, as of February 26,
2002, Navy had not yet issued those changes to its procedures.
Upon receipt of the certified monthly purchase card summary statement,
a DFAS vendor payment clerk is to (1) review the statement and
supporting documents to confirm that the prompt-payment certification
form has been properly completed and (2) subject it to automated and
manual validations. DFAS effectively serves as a payment processing
service and relies on the approving-official certification of the
monthly payment as support to make the payment. The DFAS vendor
payment system then batches all of the certified purchase card
payments for that day and generates a tape for a single payment to
Citibank by electronic funds transfer. Figure 1 illustrates the
current design of the purchase card payment process for SPAWAR Systems
Center and NPWC.
Figure 1: SPAWAR and Navy Public Works Center Purchase Card Process:
[Refer to PDF for image: illustration]
1) Vendor:
Items picked up:
2) Purchase cardholder orders/charges goods and services:
Items shipped:
3) Independent documentation that items have been received and
accepted:
4) Pilferable items are recorded in accountable property records:
5) Monthly purchase card statements are received from bank:
6) Cardholder reconciles underlying receipts/sales slips to monthly
purchase card statements, identifies any invalid charges, and prepares
dispute forms:
7) Cardholder logs items not received and follows up to (1) confirm
receipt or (2) dispute the charge:
8) Approving official reviews cardholder support, establishes
obligation, and certifies monthly statements for payment:
9) DFAS processes purchase card payments to Citibank;
10) Cardholder or approving official logs disputed charges and sends
forms to Citibank for credit:
11) Citibank reverses disputed charges and credits monthly statement:
cycle repeats starting at step 5.
[End of figure]
[End of appendix]
Appendix II: Scope and Methodology:
We reviewed purchase card controls for two Navy units based in San
Diego, SPAWAR Systems Center and NPWC, and assessed changes that these
two units made to their control environment since we notified the
units of the problems with their respective purchase card programs in
early June 2001. In addition we followed up on the status of fraud
cases that we reported on in July 2001, and any other fraud cases we
identified as part of this follow-up audit. Specifically, our
assessment of SPAWAR Systems Center and the NPWC purchase card
controls covered:
* the overall management control environment, including (1) span of
control issues related to the number of cardholders, (2) training for
cardholders and accountable officers,22 (3) monitoring and audit of
purchase card activity, and (4) management's attitude in establishing
the needed controls, or "tone at the top;"
* tests of statistical samples of key controls over fourth quarter
fiscal year 2001 purchase card transactions, including (1)
documentation of independent confirmation that items or services paid
for with the purchase card were received and (2) proper certification
of the monthly purchase card statement for payment;
* to the extent feasible, substantive tests of accountable items in
our sample transactions to verify whether they were recorded in
property records and whether they could be found;
* data mining of the universe of fiscal year 2001 transactions to
identify any potentially fraudulent, improper, and abusive or
questionable transactions;[Footnote 23]
* analysis and audit work related to invoices and other information
obtained from three vendors”Cabela's, REI, and Franklin Covey”from
which, based on interviews with cardholders and our review of other
transactions, we had reason to believe that SPAWAR Systems Center had
made significant improper and abusive or questionable purchases during
fiscal year 2001; and:
* analysis of the universe of fourth-quarter fiscal year 2001 purchase
card transactions to identify purchases that were split into one or
more transactions to avoid micropurchase thresholds or other spending
limits.
In addition, our Office of Special Investigations worked with DOD's
criminal investigative agencies, Citibank, and credit card industry
representatives to identify known and potentially fraudulent purchase
card scams. Our Office of Special Investigations also investigated
potentially fraudulent or abusive purchase card transactions that we
identified while analyzing SPAWAR Systems Center and NPWC fiscal year
2001 purchase card transactions.
We used as our primary criteria applicable laws and regulations; our
Standards for Internal Control in the Federal Government;[Footnote 24]
and our Guide for Evaluating and Testing Controls Over Sensitive
Payments. [Footnote 25] To assess the management control environment,
we applied the fundamental concepts and standards in the GAO internal
control standards to the practices followed by management in the four
areas reviewed.
Statistical Sample of Internal Control Procedures:
To test controls, we used a two-step sampling process for purchase
card transactions that were recorded by Navy during the fourth quarter
of fiscal year 2001. At SPAWAR Systems Center, we selected stratified
random probability samples of 50 purchase card transactions from a
population of 7,267 transactions totaling $5,919,635. Because the
majority of SPAWAR Systems Center transactions failed the control test
we did not have to expand our sampling size. At NPWC, we initially
selected a sample of 50 purchase card transactions from a population
of 11,021 transactions totaling $6,030,501. In light of NPWC's
improvements in the area of documenting independent receipt and
acceptance, we increased our sample size of NPWC transactions to 94 to
generate a more accurate assessment of the control failure rate at
NPWC.
We stratified the each of the samples into two groups”transactions
from vendors likely to represent purchases of computer equipment and
other vendors. With this statistically valid probability sample, each
transaction in the population had a nonzero probability of being
included, and that probability could be computed for any transaction.
Each sample element was subsequently weighted in the analysis to
account statistically for all the transactions in the population,
including those that were not selected. Table 9 presents our test
results on three key transaction-level controls and shows the
confidence intervals for the estimates for the universes of fiscal
year 2001 purchase card transactions made by SPAWAR Systems Center and
NPWC.
Table 9: Estimate of Fiscal Year 2001 Transactions That Failed Control
Tests[A]:
Breakdowns in key purchase card controls:
Navy units in San Diego: SPAWAR Systems Center;
Independent, documented receipt of items purchased, Percent failure:
56% (39-72%);
Proper certification of purchase card statements for payment, Percent
failure: 100%[B].
Navy units in San Diego: Navy Public Works Center;
Independent, documented receipt of items purchased, Percent failure:
16% (9-27%);
Proper certification of purchase card statements for payment, Percent
failure: 100%[C] (93-100%).
[A] The projections represent point estimates for the population based
on our sampling tests at a 95-percent confidence level.
[B] For the last quarter of fiscal year 2001, SPAWAR Systems Center
continued to have only one certifying officer for almost 1,000
cardholders. This unacceptable span of control led us to conclude that
all transactions selected as part of our statistical sample were not
properly reviewed and approved by a certifying officer.
[C] Our statistical testing identified one transaction that was
reconciled by the cardholder and approving official prior to payment.
The projected error rate was 99.9 percent, which we rounded to 100
percent.
[End of table]
In addition to selecting statistical samples of SPAWAR Systems Center
and NPWC transactions to test specific internal controls, we also made
nonrepresentative selections of SPAWAR Systems Center and NPWC
transactions based on data mining of fiscal year 2001 transactions. The
purpose of the data mining procedures was twofold. Specifically, we
conducted separate analysis of acquisitions that were (1) potentially
fraudulent, improper, and abusive or otherwise questionable and (2)
split into multiple transactions to circumvent either the
micropurchase or cardholder transaction thresholds.
Our data mining for potentially fraudulent, improper, and abusive or
questionable transactions was limited to cardholders who worked in San
Diego and covered 36,216 fiscal year 2001 transactions totaling about
$26.1 million at SPAWAR Systems Center, and 46,709 fiscal year
transactions totaling about $23.9 million at the NPWC. For this
review, we scanned the two units' San Diego-based activities for
transactions with vendors that are likely to sell goods or services
(1) on NAVSUP's list of prohibited items, (2) that are personal items,
and (3) that are otherwise questionable. Our expectation was that
transactions with certain vendors had a more likely chance of being
fraudulent, improper, abusive, or questionable. Because of the large
number of transactions that met these criteria we did not look at all
potential abuses of the purchase card. Rather, we made
nonrepresentative selections of transactions based on transactions
with the vendors who fit these criteria. For example, we reviewed, and
in some cases made inquires, concerning 162 transactions and other
related transactions on the same monthly purchase card statement with
vendors that sold such items as sporting goods, groceries, luggage,
flowers, and clothing. While we identified some improper and
potentially fraudulent and abusive transactions, our work was not
designed to identify, and we cannot determine, the extent of
fraudulent, improper, and abusive or questionable transactions.
Our data mining also included nonrepresentative selections of
acquisitions that SPAWAR Systems Center and NPWC entered into during
the period June 22, 2001, through September 21, 2001, that were
potentially split into multiple transactions to circumvent either the
micropurchase competition requirements or cardholder single
transaction thresholds. We limited our data mining to this period
because senior SPAWAR Systems Center and NPWC officials acknowledged
to us in early June 2001 that cardholders had made split transactions
and that they would attempt to correct the problem. Therefore, to
allow the two units an opportunity to resolve this issue, we limited
our review to transactions that occurred subsequent to SPAWAR Systems
Center and NPWC's acknowledging a problem with splitting purchases.
We briefed DOD managers, including officials in DOD's Purchase Card
Joint Program Management Office, and Navy managers, including NAVSUP,
SPAWAR Systems Center, and NPWC officials, on the details of our
review, including our objectives, scope, and methodology and our
findings and conclusions. Where appropriate, we incorporated their
comments into this testimony. We conducted our audit work from
November 2001 through February 2002 in accordance with U.S. generally
accepted government auditing standards, and we performed our
investigative work in accordance with standards prescribed by the
President's Council on Integrity and Efficiency.
[End of appendix]
Footnotes:
[1] U.S. General Accounting Office, Purchase Cards: Control Weaknesses
Leave Two Navy Units Vulnerable to Fraud and Abuse, [hyperlink,
http://www.gao.gov/products/GAO-01-995T] (Washington, D.C.: July 30,
2001).
[2] U.S. General Accounting Office, DOD Financial Management:
Integrated Approach, Accountability, Transparency, and Incentives Are
Keys to Effective Reform, [hyperlink,
http://www.gao.gov/products/GAO-02-497T] (Washington, D.C.: Mar. 6,
2002).
[3] SPAWAR Systems Center and the Navy Public Works Center are working
capital fund activities. SPAWAR Systems Center performs research,
engineering, and technical support, and the Navy Public Works Center
provides maintenance, construction, and operations support to Navy
programs. Both of these Navy programs have locations throughout the
United States. Our review focused on the purchase card program at the
San Diego units only. For SPAWAR, this included SPAWAR Headquarters,
which is located in San Diego, and SPAWAR Systems Center San Diego,
which we will refer to collectively as SPAWAR Systems Center.
[4] SPAWAR Systems Center and NPWC made about $75 million in fiscal
year 2000 purchase card transactions. We audited the $68 million of
those purchases made by SPAWAR Systems Center and NPWC cardholders
located in San Diego.
[5] U.S. General Accounting Office, Purchase Cards: Control Weaknesses
Leave Two Navy Units Vulnerable to Fraud and Abuse, [hyperlink,
http://www.gao.gov/products/GAO-02-32] (Washington, D.C.: Nov. 30,
2001).
[6] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).
[7] Convenience checks, also referred to as accommodation checks, are
used for vendors that do not have the capability to accept payment by
credit card. For the Navy, each unit generally has one individual
authorized to write convenience checks.
[8] The approving official is responsible for reviewing and verifying
the monthly purchase card statements of the cardholders under their
purview. The approving official is responsible for verifying that all
purchases were necessary and for official government purposes in
accordance with applicable policies, laws, and regulations. Unless
otherwise specified, the approving official must also be the
certifying officer for his/her cardholders and in that capacity must
certify that the monthly purchase card statement is appropriate and
ready for payment.
[9] SPAWAR Headquarters Command Inspector General, Review of
International Merchant Purchase Authorization (IMPAC) Card at SPAWAR,
98-16 (San Diego, Calif.: July19, 2001).
[10] Naval Audit Service, Management of Purchase Card Program at
Public Works Center, San Diego, CA, N2002-0023 (Washington, D.C.: Jan.
10, 2002).
[11] U.S. General Accounting Office, GAO's Standards for Internal
Control in the Federal Government, [hyperlink,
http://www.gao.gov/products/GAO/AILVID-00-21.3.1] (Washington, D.C.:
Nov. 1999).
[12] DOD Financial Management Regulation, Volume 5, Chapter 33,
"Accountable Officials and Certifying Officers."
[13] [hyperlink, http://www.gao.gov/products/GA0-02-32].
[14] DOD Instruction 5200.40, December 30, 1997, and OPNAV Instruction
5239.1B, November 9, 1999, requires any DOD system that collects,
stores, transmits, or processes unclassified or classified information
to comply with the DITSCAP process to establish a more secure system
operations.
[15] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).
[16] 65 Comp. Gen. 738, 739 (1986).
[17] For purposes of this testimony, we determined a purchase of food
to be improper if it did not comply with the JTR/JFI'R light
refreshment rule. However, we have some questions about the validity
of this rule and therefore do not necessarily conclude that food
purchases in accordance with this rule are proper. We are currently
working on a legal decision concerning the validity of the GSA and DOD
light refreshment policies.
[18] 63 Comp. Gen. 245, 247 (1984). In requesting the comptroller
general's approval of the purchases, the agency represented that "the
parkas would be labeled as [agency] property, centrally controlled,
and issued and reissued to employees only for job requirements."
SPAWAR Systems Center officials have not made a similar representation.
[19] [hyperlink, http://www.gao.gov/products/GA0-02-32].
[20] U.S. General Accounting Office, DOD Financial Management:
Integrated Approach, Accountability, Transparency, and Incentives Are
Keys to Effective Reform, [hyperlink,
http://www.gao.gov/products/GAO-02-497T] (Washington, D.C.: Mar. 6,
2002).
[21] [hyperlink, http://www.gao.gov/products/GA0-02-32].
[22] We also tested statistical samples of transactions to determine
whether the two units had documented evidence that cardholders had
received required purchase card training.
[23] We considered potentially fraudulent purchases to include those
made by cardholders that were unauthorized and intended for personal
use. The transactions we determined to be improper are those purchases
intended for government use, but are not for a purpose that is
permitted by law, regulation, or DOD policy. We also identified as
improper numerous purchases made on the same day from the same vendor
that appeared to circumvent cardholder single transaction limits. Many
of the purchases we found to be abusive or questionable fall into
categories described in GAO's Guide for Evaluating and Testing
Controls Over Sensitive Payments [hyperlink,
http://www.gao.gov/products/GAO/AFMD-8.1.2], May 1993. The guide
states that "Abuse is distinct from illegal acts (noncompliance). When
abuse occurs, no law or regulation is violated. Rather, abuse occurs
when the conduct of a government organization, program, activity, or
function falls short of societal expectations of prudent behavior."
[24] Standards for Internal Control in the Federal Government
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] was
prepared to fulfill our statutory requirement under the Federal
Managers' Financial Integrity Act to issue standards that provide the
overall framework for establishing and maintaining internal control
and for identifying and addressing major performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement.
[25] Guide for Evaluating and Testing Controls Over Sensitive Payments
[hyperlink, http://www.gao.gov/products/GAO/AFMD-8.1.2] provides a
framework for evaluating and testing the effectiveness of internal
controls that have been established in various sensitive payment areas.
[End of section]
GAO‘s Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO‘s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO‘s Web site [hyperlink,
http://www.gao.gov] contains abstracts and full text files of current
reports and testimony and an expanding archive of older products. The
Web site features a search engine to help you locate documents using
key words and phrases. You can print these documents in their entirety,
including charts and other graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as ’Today‘s Reports,“ on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
[hyperlink, http://www.gao.gov] and select ’Subscribe to daily E-mail
alert for newly released products“ under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov:
(202) 512-4800:
U.S. General Accounting Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
