Purchase Cards
Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity Gao ID: GAO-06-1117 September 28, 2006In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government's response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations. Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS.
A weak control environment and breakdowns in key controls exposed DHS to fraud and abuse in its use of the purchase card. While DHS's draft Purchase Card Manual generally contained effective control procedures, it was not finalized due to a lack of leadership by the Chief Financial Officer in resolving disagreements over its implementation. This led to DHS cardholders following different procedures. Inadequate staffing, insufficient training, and ineffective monitoring, along with inconsistent purchase card policies contributed to a weak control environment and breakdowns in specific key controls. GAO and DHS OIG found a lack of documentation that key purchase card internal controls were performed. Based on a statistical sample, GAO and DHS OIG estimated that 45 percent of DHS's purchase card transactions were not properly authorized, 63 percent did not have evidence that the goods or services were received, and 53 percent did not give priority to designated procurement sources. GAO and DHS OIG also found cardholders who failed to dispute improper charges, which resulted in losses to the federal government. Because of the urgent needs caused by the hurricanes, DHS made a number of noncompetitive purchase card acquisitions. GAO recognizes that DHS had the authority to make noncompetitive purchases; however, GAO found transactions where DHS cardholders could have exercised greater prudence without jeopardizing relief efforts. The weak control environment and ineffective internal control activities allowed potentially fraudulent, improper, and abusive or questionable transactions to occur. Although this work was not designed to identify, and we cannot determine the full extent of fraud, waste, and abuse, GAO and the DHS OIG identified numerous examples of potentially fraudulent, improper, and abusive or questionable transactions. This report lists examples of potentially fraudulent activity related to items acquired with DHS purchase cards. In addition, poor control over accountable property acquired with purchase cards may have resulted in lost or misappropriated assets. GAO and DHS OIG also found examples of improper use of the purchase card such as the use of convenience checks to pay $460,000 for pre-packaged meals. Other instances of abusive or questionable transactions included the purchase of a beer brewing kit, a 63-inch plasma television costing $8,000 which was found unused in its original box 6 months after being purchased, and tens of thousands of dollars for training at golf and tennis resorts. GAO referred cardholders responsible for many of these and other purchases to DHS management for administrative action.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-1117, Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity
This is the accessible text file for GAO report number GAO-06-1117
entitled 'Purchase Cards: Control Weaknesses Leave DHS Highly
Vulnerable to Fraudulent, Improper, and Abusive Activity' which was
released on September 28, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Joint Report by the United States Government Accountability Office and
the Office of the Inspector General--Department of Homeland Security to
Congressional Committees:
September 2006:
Purchase Cards:
Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper,
and Abusive Activity:
GAO-06-1117:
GAO Highlights:
Highlights of GAO-06-1117, a report to congressional committees
Why GAO Did This Study:
In the wake of the 2005 hurricanes in the Gulf Region, GAO and the
Department of Homeland Security Office of Inspector General (DHS OIG)
initiated a number of audits and investigations addressing the federal
government‘s response to those events. On July 19, 2006, GAO testified
on the results of its purchase card work. This report summarizes the
testimony and provides recommendations.
Department of Homeland Security (DHS) cardholders made thousands of
transactions related to hurricane relief operations. GAO analyzed
transactions between June and November of 2005 to determine if (1)
DHS‘s control environment and management of purchase card usage were
effective; (2) DHS‘s key internal control activities operated
effectively and provided reasonable assurance that purchase cards were
used appropriately; and (3) potentially fraudulent, improper, and
abusive purchase card activity existed at DHS.
What GAO Found:
A weak control environment and breakdowns in key controls exposed DHS
to fraud and abuse in its use of the purchase card. While DHS‘s draft
Purchase Card Manual generally contained effective control procedures,
it was not finalized due to a lack of leadership by the Chief Financial
Officer in resolving disagreements over its implementation. This led to
DHS cardholders following different procedures. Inadequate staffing,
insufficient training, and ineffective monitoring, along with
inconsistent purchase card policies contributed to a weak control
environment and breakdowns in specific key controls. GAO and DHS OIG
found a lack of documentation that key purchase card internal controls
were performed. Based on a statistical sample, GAO and DHS OIG
estimated that 45 percent of DHS‘s purchase card transactions were not
properly authorized, 63 percent did not have evidence that the goods or
services were received, and 53 percent did not give priority to
designated procurement sources. GAO and DHS OIG also found cardholders
who failed to dispute improper charges, which resulted in losses to the
federal government. Because of the urgent needs caused by the
hurricanes, DHS made a number of noncompetitive purchase card
acquisitions. GAO recognizes that DHS had the authority to make
noncompetitive purchases; however, GAO found transactions where DHS
cardholders could have exercised greater prudence without jeopardizing
relief efforts.
The weak control environment and ineffective internal control
activities allowed potentially fraudulent, improper, and abusive or
questionable transactions to occur. Although this work was not designed
to identify, and we cannot determine the full extent of fraud, waste,
and abuse, GAO and the DHS OIG identified numerous examples of
potentially fraudulent, improper, and abusive or questionable
transactions. The table below lists examples of potentially fraudulent
activity related to items acquired with DHS purchase cards. In
addition, poor control over accountable property acquired with purchase
cards may have resulted in lost or misappropriated assets.
Table: Examples of Potential Fraud:
Item Purchased: Lap Tops (FEMA); Description: Over 100 missing and
presumed stolen; Amount of transaction: $300,000.
Item Purchased: Boast (FEMA);
Description: Unauthorized use of card by a vendor; Amount of
transaction: $208,000.
Item Purchased: Printers (FEMA); Description: Over 20 missing and
presumed stolen; Amount of Transaction: $84,000.
Item purchased: Lap Tops (Coast Guard); Description: 3 missing and
reported stolen; Amount of transaction: $8,000.
Source: GAO and DHS OIG investigation.
[End of Table]
GAO and DHS OIG also found examples of improper use of the purchase
card such as the use of convenience checks to pay $460,000 for pre-
packaged meals. Other instances of abusive or questionable transactions
included the purchase of a beer brewing kit, a 63-inch plasma
television costing $8,000 which was found unused in its original box 6
months after being purchased, and tens of thousands of dollars for
training at golf and tennis resorts. GAO referred cardholders
responsible for many of these and other purchases to DHS management for
administrative action.
What GAO Recommends:
To provide reasonable assurance that fraud, waste, and abuse related to
the use of purchase cards is minimized, GAO recommends that DHS (1)
make changes to the draft purchase card manual and issue a final,
agencywide version (2) establish policies and procedures to ensure more
effective oversight and enforcement of the purchase card program. DHS
concurred with all of our recommendations.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-1117].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Greg Kutz at (202) 512-
7455 or kutzg@gao.gov or Matthew Jadacki at (202) 254-4100 or
matt.jadacki@dhs.gov.
[End of Section]
Contents:
Letter:
Overview of Testimony:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Testimony GAO-06-957T:
Appendix II: Comments from the Department of Homeland Security:
Abbreviations:
DHS: U.S. Department of Homeland Security:
DHS OIG: U.S. Department of Homeland Security Office of Inspector
General:
FEMA: Federal Emergency Management Agency:
GSA: General Services Agency:
September 28, 2006:
Congressional Committees:
On July 19, 2006, GAO testified before the Committee on Homeland
Security and Governmental Affairs on the results of our audit and
investigation of purchase card transactions at the Department of
Homeland Security (DHS) for the 5-month period beginning in June
2005.[Footnote 1] The General Service Administration's SmartPay®
purchase card program has proven to be a valuable tool for the
government by providing federal agencies and their employees a more
flexible and efficient way to purchase commercial goods and services.
However, to ensure the most effective use of the purchase card, federal
agencies must foster a strong control environment and establish sound
internal controls related to the use of the card. To this end, agencies
must establish policies and procedures that ensure appropriate
oversight of their purchase card programs. Our work focused on
determining whether (1) DHS's control environment and management of
purchase card usage were effective; (2) DHS's key internal control
activities operated effectively and provided reasonable assurance that
purchase cards were used appropriately; and (3) potentially fraudulent,
improper, and abusive or questionable purchase card activity existed at
DHS.
This report summarizes the GAO testimony, which is reprinted in
appendix I, and makes specific recommendations for corrective actions.
We hope that these recommendations; the criminal referrals we provided
to the Katrina Fraud Task Force, the Coast Guard Investigative Service,
and the Federal Bureau of Investigation; as well as the administrative
referrals we provided to DHS serve to assist DHS in its ongoing effort
to improve the purchase card program. We conducted our audit work from
November 2005 through June 2006 in accordance with U.S. generally
accepted government auditing standards. We performed our investigative
work in accordance with standards prescribed by the President's Council
on Integrity and Efficiency.
Overview of Testimony:
In our testimony, we stated that a weak control environment and
breakdowns in key controls exposed DHS to fraud, waste, and abuse in
its purchase card program. While DHS's draft Purchase Card Manual
generally incorporated adequately designed controls, disagreements
among DHS organizational elements concerning the implementation of the
manual prevented a final copy from being issued. As a result of DHS not
finalizing the Purchase Card Manual and not making it applicable to all
organizational elements within DHS, a weak control environment resulted
where cardholders adopted inconsistent and inadequate purchase card
practices. For example, some cardholders at the U.S. Coast Guard
believed that obtaining written authorization prior to purchase was
required while others did not.
The testimony described how inadequate staffing and ineffective
monitoring contributed to a weak control environment, which, in
addition to the prevalence of thousands of unused purchase cards, left
DHS vulnerable to fraud, waste, and abuse. DHS had roughly 13,900
purchase cards but failed to assign sufficient resources to manage its
purchase card program as evidenced by the fact that we found numerous
instances where approving officials assumed oversight responsibilities
for an excessive number of cardholders. We found, for example, three
approving officials who were responsible for more than 30 cardholders
each. In contrast, GAO has issued an audit guide[Footnote 2]
prescribing that the ratio of cardholders to approving officials should
not exceed seven to one. As an example of ineffective monitoring, we
found that the U.S. Coast Guard has only one individual responsible for
administering and overseeing its purchase card activity, which totaled
over $227 million in goods and services with their purchase cards in
fiscal year 2005.
Further, our testimony showed that we were unable to obtain evidence to
confirm that DHS is providing appropriate training to enable
cardholders to be aware of and follow internal controls related to use
of the purchase card. We found that for 60 of the 96 transactions in
our statistical sample, the cardholder lacked documentation showing
that they received either the required initial training or the
refresher training. Without adequate training, DHS can not expect
cardholders and approving officials to understand and comply with
purchase card policies, thus elevating the risk associated with card
usage.
Our testimony also described DHS's failure to conduct timely and
effective postpayment audits. The postpayment audit is conducted by DHS
after cardholders have made purchases and requires that cardholders
submit purchase-related documentation for transactions selected for
audit. We also found that DHS failed to suspend cards and discipline
cardholders who did not provide the required supporting documentation
for audit. Without a strong postpayment audit process, DHS is not able
to obtain reasonable assurance that purchases are valid and
appropriate, which needlessly exposes DHS to additional risk of fraud,
waste, and abuse.
GAO and DHS's Office of Inspector General (DHS OIG) performed
statistical testing on purchase card transactions and identified weak
implementation of several key internal controls. On the basis of a
statistical sample of DHS's purchase card transactions for a 5-month
period beginning in June 2005, we estimated that 45 percent lacked
prior written authorization, 8 percent failed to provide required sales
documentation, 63 percent lacked documentation evidencing proper
receipt and acceptance, and 53 percent did not give priority to
designated sources.
Our work also identified specific incidents of (1) potentially
fraudulent, (2) improper, and (3) abusive or questionable purchases
made by DHS cardholders. A U.S. Coast Guard employee potentially
committed fraud by misappropriating laptops and then falsifying records
to hide the fraud. As an example of an improper purchase, we identified
an instance where a DHS cardholder failed to dispute an improper
transaction in a timely manner, resulting in losses to the federal
government of $153,000. Also, a U.S. Coast Guard cardholder used his
purchase card to acquire a beer brewing kit--a questionable use of
taxpayer money.
Further, we found purchases where DHS cardholders failed to adopt
prudent pricing practices, resulting in waste of government funds.
Although DHS had the authority to make noncompetitive purchases in
response to the hurricanes in the Gulf Region, GAO identified instances
where DHS cardholders could have saved the government money by
purchasing items from GSA vendors, or by using the government's
substantial purchasing power to negotiate better pricing and or
delivery terms. In one case, a Federal Emergency Management Agency
(FEMA) cardholder used his purchase card to acquire flat-bottom boats
at double the retail price. We also found unnecessary purchases due to
procurement problems. For example, a FEMA cardholder unnecessarily
purchased items totaling $68,000 that was inadvertently included on a
provision list. Although these procurement problems are not isolated to
purchase card acquisitions, they do represent examples in which DHS
cardholders used the government purchase card and wasted tax dollars.
Finally, our testing found many instances where assets acquired using
the purchase card were not promptly or accurately entered into a
property tracking system. The way DHS used purchase cards to acquire
accountable property allowed for such assets to be susceptible to the
risk of not being properly tracked in the property system. As a result,
we found a significant number of assets that DHS could not locate. By
not following procedures to appropriately track assets in a property
system, DHS is subject to greater risk of misappropriation of its
assets. Of the 433 assets we attempted to locate and which were
obtained with DHS purchase cards, 154 could not be located by GAO or
DHS (e.g., boats, laptops, and printers).
Conclusions:
The purchase card has proven to be a valuable tool for the government
to purchase commercial goods and services. However, empowering
approximately 14,000 DHS cardholders with purchasing authority, while
not implementing effective controls and performing adequate management
oversight, allowed potentially fraudulent, improper, and abusive or
questionable usage of purchase cards to go undetected. Many of the
transactions we highlighted as examples of misuse of the purchase card
in our testimony were related to hurricane response efforts in the Gulf
Region, demonstrating that the government is particularly vulnerable
when purchase cards are used during times of disaster and even more so
if an effective internal control structure is not in place and
faithfully implemented. Taking immediate actions to improve its
purchase card program will help DHS maximize the value and benefit of
the purchase card program and provide reasonable assurance that fraud,
waste, and abuse are minimized.
Recommendations for Executive Action:
To provide reasonable assurance that fraud, waste, and abuse related to
DHS's purchase card program are minimized and that government assets
acquired with purchase cards are controlled, we are making six
recommendations. Specifically, we recommend that the Secretary of DHS
take the following actions:
* Implement changes to DHS's draft Purchase Card Manual to include
policies and procedures addressing the four areas detailed below. After
implementing the changes, the Purchase Card Manual should be finalized
agencywide.
- Training: Establish policies and procedures that document that all
cardholders have completed the appropriate training. The documentation
should include the date of the training, a description of the training,
and the name of the recipient of the training.
- Independent Receipt and Acceptance: Develop policies and procedures
for the performance and documentation of independent receipt and
acceptance attesting to the receipt of goods or the complete rendering
of services. This documentation would be maintained along with other
required documentation supporting each transaction.
- Accountable Property: Develop policies and procedures to provide
reasonable assurance that highly pilferable assets such as laptop
computers, cell phones, personal digital assistants, memory storage
devices, and other pilferable property acquired with a purchase card
are entered into an accountable property system immediately after being
received. Cardholders should be required to contact accountable
property officers (or others acting in a similar capacity) before
acquiring accountable property, or within a reasonable time thereafter,
so that the property is properly bar coded and tracked in the property
system. This should be completed prior to placement of the asset in
service. The property system should include accurate information on the
location of the asset, the individual responsible for the asset, the
manufacturer's serial number, as well as the agency's unique
identification code for the asset (e.g., a bar code).
- Disciplinary or Administrative Actions: The agency should develop a
range of potential disciplinary and administrative actions that may
occur as a result of a cardholder or others failing to comply with the
policies and procedures in the Purchase Card Manual.
* Improve the existing electronic systems to allow those with oversight
responsibilities the ability to determine if cardholders and approving
officials performed their reconciliation and certifying duties in a
meaningful way.
* Conduct a review to determine if adequate resources are devoted to
administering, maintaining, and enforcing the purchase card program at
both the agency level and the organizational element level. DHS should
further develop specific oversight responsibilities that need to be
carried out at both the agency level and at the organizational element
level.
* Adopt prudent purchasing practices by entering into arrangements with
dependable sources in the government or vendors who can provide
reasonable pricing for specific goods and services with a foreseeable
demand in the event of an emergency. In anticipation of future
emergencies, DHS should take the following actions:
- Identify specific sources in the federal government or vendors in the
private sector that can reliably supply the necessary goods and
services for DHS to accomplish its mission in emergency situations.
- In the case of vendors in the private sector, negotiate pricing and
delivery terms with these sources using the federal government's
substantial purchasing power so that in a time of crisis DHS will be
able to efficiently obtain the necessary goods and services.
* Develop policies and procedures to limit approving officials' span of
control. The number of cardholders and card accounts that any one
approving official is responsible for should be reasonable and should
be established in consideration of the approving official's other
responsibilities. In addition, approving officials should have an
appropriate number of transactions so that they may conduct a thorough
and proper review of supporting documentation for each transaction.
* Continuously monitor and review open accounts to provide reasonable
assurance that only cardholders who have a documented need to acquire
items for the government are issued a purchase card. Instances where
cards have not been used for over a year should be analyzed to
determine if a valid need for the card exists. If a valid need can not
be established, the purchase card should be suspended or the account
closed.
Agency Comments:
In written comments dated September 15, 2006, on a draft of this
report, DHS concurred with all of our recommendations. In the comments,
which are reprinted in appendix II, DHS stated that it has incorporated
the relevant changes into its Purchase Card Manual and offered
additional details on the actions it has taken or which it plans to
take in the near future.
Specifically, DHS offered the language it had added to the draft
Purchase Card Manual relating to: training; independent receipt and
acceptance; tracking of accountable property; disciplinary and
administrative actions; and approving official span-of-control.
Furthermore, and importantly, DHS issued the finalized DHS Purchase
Card Manual on September 15, 2006, after incorporating the recommended
changes. For other recommendations, DHS stated that it is working to
develop policies and procedures to enhance its purchase card control
environment. For example, DHS said it is working with its purchase card
vendor to incorporate specific control activities into the automated
system which will address the validity of cardholder reconciliations
and approving official certifications.
As agreed with your offices, we will send copies to interested
congressional committees and the Office of the Chief Financial Officer
at DHS. We will make copies available to others upon request. In
addition, the report will be available at no charge on the GAO Web site
at [Hyperlink, http://www.gao.gov]. Please contact Gregory Kutz at
(202) 512-7455 or kutzg@gao.gov, or Matt Jadacki at (202) 254-4100 or
matt.jadacki@dhs.gov if you or your staffs have any questions
concerning this report. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report.
Signed by:
Gregory D. Kutz:
Managing Director:
Forensic Audits and Special Investigations:
Signed by:
Matthew Jadacki:
Special Inspector General:
Department of Homeland Security:
List of Committees:
The Honorable Susan M. Collins:
Chairman:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Charles E. Grassley:
Chairman:
The Honorable Max Baucus:
Ranking Minority Member:
Committee on Finance:
United States Senate:
The Honorable Tom Davis:
Chairman:
The Honorable Henry A. Waxman:
Ranking Minority Member:
Committee on Government Reform:
House of Representatives:
The Honorable Harold Rogers:
Chairman:
The Honorable Martin Olav Sabo:
Ranking Minority Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
House of Representatives:
The Honorable Michael McCaul:
Chairman:
The Honorable Bob Etheridge:
Ranking Minority Member:
Subcommittee on Investigations:
Committee on Homeland Security:
House of Representatives:
The Honorable Anthony Weiner:
House of Representatives:
[End of section]
Appendix I: Testimony GAO-06-957T:
This is the accessible text file for GAO report number GAO-06-957T
entitled 'Purchase Cards: Control Weaknesses Leave DHS Highly
Vulnerable to Fraudulent, Improper, and Abusive Activity' which was
released on July 19, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Senate Homeland Security and Governmental Affairs Committee:
For release on Delivery Expected:
10:00 a.m. EST:
Wednesday, July 19, 2006:
Purchase Cards:
Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper,
and Abusive Activity:
Statement of Gregory D. Kutz, Managing Director: Forensic Audits and
Special Investigations:
John J. Ryan, Assistant Director:
Forensic Audits and Special Investigations:
GAO-06-957T:
GAO Highlights:
Highlights of GAO-06-957T, a testimony before the Committee on Homeland
Security and Governmental Affairs, U.S. Senate,
Why GAO Did This Study:
In the wake of the 2005 hurricanes in the Gulf Region, GAO and the
Department of Homeland Security Office of Inspector General (DHS OIG)
initiated a number of audits and investigations addressing the federal
government‘s response to those events.
Department of Homeland Security (DHS) cardholders made thousands of
transactions related to hurricane rescue and relief operations. GAO,
working with DHS OIG, interviewed DHS personnel and reviewed purchase
card policies and procedures to assess the control environment. GAO and
DHS OIG conducted statistical tests from a random sample of
transactions and performed data mining on all DHS purchase card
transactions for a 5-month period beginning in June 2005. GAO and DHS
OIG looked at all transactions in this period because the database did
not distinguish hurricane related from routine purchases. GAO and DHS
OIG used the testing results to determine the extent of control
weaknesses and identify instances of fraud, waste, and abuse.
This testimony addresses whether (1) DHS‘s control environment and
management of purchase card usage were effective; (2) DHS‘s key
internal control activities operated effectively and provided
reasonable assurance that purchase cards were used appropriately; and
(3) indications existed of potentially fraudulent, improper, and
abusive or questionable purchase card activity at DHS.
What GAO Found:
A weak control environment and breakdowns in key controls exposed DHS
to fraud and abuse in its use of the purchase card. While DHS‘s draft
Purchase Card Manual generally contained effective control procedures,
it was not finalized due to a lack of leadership by the CFO in
resolving disagreements over its implementation. This led to DHS
cardholders not following the same procedures. Inadequate staffing,
insufficient training, and ineffective monitoring also contributed to
the weak control environment. The weak control environment and
inconsistent purchase card policies contributed to breakdowns in
specific key controls. GAO and DHS OIG found a lack of documentation
that key purchase card internal controls were performed. Based on a
statistical sample, GAO and DHS OIG estimated that 45 percent of DHS‘s
purchase card transactions were not properly authorized, 63 percent did
not have evidence that the goods or services were received, and 53
percent did not give priority to designated sources. GAO and DHS OIG
also found cardholders who failed to dispute improper transactions,
which resulted in losses to the federal government. Because of the
urgent needs caused by the hurricanes, DHS made a number of
noncompetitive purchase card acquisitions. GAO recognizes that DHS had
the authority to make noncompetitive purchases; however, GAO found
transactions where DHS cardholders could have exercised greater
prudence without jeopardizing relief efforts.
The weak control environment and ineffective internal control
activities allowed potentially fraudulent, improper, and abusive or
questionable transactions to occur. Although this work was not designed
to identify, and we cannot determine, the full extent of fraud, waste,
and abuse, GAO and DHS OIG identified numerous examples of potentially
fraudulent, improper, and abusive or questionable transactions. The
table below lists the potentially fraudulent activity related to items
acquired with DHS purchase cards. In addition, poor control over
accountable property acquired with purchase cards may have resulted in
lost or misappropriated assets.
Table: Examples of Potential Fraud:
Item Purchased: Lap Tops (FEMA);
Description: Over 100 missing and presumed stolen; Amount of
transaction: $300,000.
Item Purchased: Boast (FEMA);
Description: Unauthorized use of card by a vendor; Amount of
transaction: $208,000.
Item Purchased: Printers (FEMA);
Description: Over 20 missing and presumed stolen; Amount of
Transaction: $84,000.
Item purchased: Lap Tops (Coast Guard); Description: 3 missing and
reported stolen; Amount of transaction: $8,000.
Source: GAO and DHS OIG investigation.
[End of Table]
GAO and DHS OIG also found examples of improper use of the purchase
card such as the use of convenience checks to pay $460,000 for pre-
packaged meals. Further, they found instances of abusive or
questionable transactions that included the purchase of a beer brewing
kit, a 63“ plasma television costing $8,000 which was found unused in
its original box 6 months after being purchased, and tens of thousands
of dollars for training at golf and tennis resorts. GAO intends to
refer the cardholders responsible for many of these and other purchases
to DHS management for administrative action.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-957T].
To view the full product, click on the link above. For more
information, contact Gregory D. Kutz at (202) 512-7455 or kutz@gao.gov
and Matthew A. Jadacki at (202) 254-5477 or matt.jadacki@dhs.gov.
[End of Section]
Madam Chairman and Members of the Committee:
Thank you for the opportunity to discuss the results of the forensic
audit and investigation of the Department of Homeland Security's (DHS)
purchase card program, a joint audit by GAO and DHS's Office of
Inspector General (DHS OIG). This joint audit is one among a number of
audits and investigations that GAO and DHS OIG initiated in the wake of
Hurricanes Katrina and Rita to review the effectiveness of the federal
government's disaster response. A crucial tool DHS used to expedite the
government's response to the two disasters was the SmartPay® purchase
card program, a program implemented to provide federal agencies and
their employees a more flexible and efficient way to purchase
commercial goods and services. GAO and DHS OIG support the use of a
well-controlled purchase card program, which our experience shows
reduces transaction processing costs and provides agencies with
flexibility to achieve their mission objectives. This testimony builds
on GAO's substantial experience in identifying fraud, waste, and abuse
in government purchase card programs (see app. I for previous audit
reports) and DHS OIG's significant experience auditing one of our
nation's largest federal agencies.
With the creation of DHS in 2002,[Footnote 1] the management of
thousands of purchase cardholders from 22 separate federal agencies was
combined under one umbrella program, the DHS Purchase Card Program. The
legacy agencies such as the Federal Emergency Management Agency (FEMA),
the U.S. Coast Guard (Coast Guard), and the U.S. Customs and Border
Protection (CBP) are now referred to as DHS organizational elements.
During fiscal year 2005, these organizational elements accumulated more
than $420 million in charges, ranking DHS among the top purchase card
users in the federal government. In response to Hurricanes Katrina and
Rita, DHS made thousands of purchase card transactions to buy goods and
services for hurricane rescue and relief operations. For Katrina-
related procurements, Congress authorized an increase to the
micropurchase threshold from $2,500 to $250,000.[Footnote 2] When
making micropurchases, authorized cardholders are not required to
solicit competitive bids if they consider the price to be reasonable.
For further details on the DHS purchase card program, see appendix II.
Our testimony today addresses whether (1) DHS's control environment and
management of the purchase card program were effective; (2) DHS's key
control activities operated effectively and provided reasonable
assurance that purchase cards were used appropriately; and (3)
indications existed of potentially fraudulent, improper, and abusive or
questionable activity related to items acquired with DHS purchase
cards.[Footnote 3] Following this testimony, we plan to issue a joint
report with recommendations to DHS for improving internal controls over
its purchase card activities.
The scope of our joint audit covered all DHS purchase card transactions
from June 13, 2005, through November 12, 2005. We selected all
transactions during this period because we could not distinguish
between routine and hurricane-related purchases in the database
provided by U.S. Bank (DHS's purchase card contractor). To assess the
design and implementation of controls over purchase card transactions,
we conducted interviews of purchase card administrators and compared
DHS's purchase card policies and procedures to the Office of Management
and Budget's (OMB) Circular No. A-123, GAO's Standards for Internal
Controls in the Federal Government (Standards for Internal Controls)
and to the best practices for purchase card programs outlined in GAO's
Audit Guide: Auditing and Investigating the Internal Control of
Government Purchase Card Programs (GAO's Audit Guide). Using purchase
card data provided by U.S. Bank, we conducted statistical tests from a
random sample of transactions and performed other audit work to
evaluate the design and implementation of key internal control
activities.
We also performed data mining on the transactions to determine whether
there were potentially fraudulent, improper, abusive, or questionable
activities related to the purchase card program. Our data mining
efforts included reviewing and analyzing transactions to determine
whether split payments occurred,[Footnote 4] whether DHS maintained
appropriate controls over property accountability, and whether DHS was
able to leverage the hundreds of millions of dollars it spends with a
purchase card to obtain favorable pricing from frequently used vendors,
among others. We used forensic audit and investigative techniques to
determine if the purchase card was used in a potentially fraudulent
manner. Although we did identify some potentially fraudulent, improper,
and abusive or questionable transactions, our work was not designed to
identify, and we cannot determine, the extent of fraudulent, improper,
and abusive or questionable transactions. See appendix III for further
details on our scope and methodology. We conducted our audit work from
November 2005 through June 2006 in accordance with U.S. generally
accepted government auditing standards. We performed our investigative
work in accordance with standards prescribed by the President's Council
on Integrity and Efficiency. We briefed DHS on the details of our work,
including our scope, and methodology and our findings.
Summary:
A weak control environment and breakdowns in key internal controls
exposed DHS to fraud, waste, and abuse in its purchase card program.
Our review of DHS's draft Purchase Card Manual (draft manual) found
that the draft manual generally incorporated well-designed internal
controls for an agencywide purchase card program that were consistent
with OMB's Circular No. A-123, GAO's Standards for Internal Controls,
and the best practices for purchase card programs outlined in GAO's
Audit Guide.[Footnote 5] However, according to representatives from the
Office of the Chief Financial Officer, the draft manual was not issued
in its final format due to ongoing disagreements with DHS
organizational elements over its implementation. Without a final
policy, DHS organizational elements adopted inconsistent purchase card
practices. Some organizational elements followed purchase card policies
from their legacy agencies, others observed requirements from the draft
DHS policy, and yet others relied on a combination. Overall, we found
that a lack of leadership in finalizing the draft manual, inadequate
resources devoted to the purchase card program, insufficient training,
and ineffective monitoring and oversight each contributed to a weak
control environment.
We also found weaknesses in specific key control activities over
purchase card transactions. Specifically, we found a lack of
documentation that required internal controls over purchase card
transactions were performed. Based on our sample of DHS purchase card
transactions, we estimated that 45 percent did not have prior written
authorization, 8 percent did not provide required sales documentation,
63 percent did not have evidence that the goods or services were
actually received, and 53 percent did not give priority to required or
preferred vendors (designated sources). We also found instances where
DHS cardholders failed to dispute improper transactions, resulting in
losses to the federal government from improper and potentially
fraudulent purchases. Further, DHS did not invoke the special authority
provided to increase the threshold for micropurchases from $2,500 to
$250,000. Instead, DHS invoked other clauses in the Federal Acquisition
Regulations (FAR) to make noncompetitive purchases under existing
procurement authority. While we recognize that DHS has authority to
make such noncompetitive purchases under the FAR, we identified
transactions where DHS cardholders could have obtained better pricing
without jeopardizing relief efforts or where the purchase was
unnecessary. Later in our testimony, we identify examples of poor
pricing and unnecessary purchases, but also highlight instances where
the cardholder acted prudently to obtain the best pricing.
The weak control environment and weak implementation of specific
internal control activities allowed potentially fraudulent, improper,
abusive, or questionable transactions to go undetected. In one
potential fraud case, ineffective procurement practices resulted in DHS
paying double the retail price for 20 flat-bottom boats. The vendor in
this case improperly used the DHS purchase card number to purchase
boats from retailers before reselling them to DHS. In another
potentially fraudulent case, breakdowns in property accountability
controls allowed a DHS employee to submit falsified records related to
three stolen laptops. As an example of improper use of a purchase card,
we identified a cardholder who used convenience checks to pay a vendor
who normally accepted credit cards but who did not want to pay credit
card transaction fees for a large purchase--in which case the
cardholder violated DHS policy. As a result of this policy violation,
the DHS incurred $8,000 in unnecessary processing fees related to the
use of convenience checks.
Other cardholders abused their purchase card privileges or made
questionable purchases. For example, one cardholder purchased a beer
brewing kit and ingredients to brew beer for official parties. Another
cardholder, based on questionable need, purchased a Samsung 63-inch
plasma screen television for about $8,000 at the end of the fiscal
year. We observed this large-screen television unused and in its
original packaging 6 months after it was purchased. In cases where
appropriate, we plan to refer cardholders responsible for these and
other purchases to DHS management for possible administrative action.
We also found instances where items acquired with a DHS purchase card
highlight weaknesses in DHS's inventory control and procurement
practices that led to potentially fraudulent and abusive or
questionable activity. For example, over 100 laptops were lost or
misappropriated when shipped to New Orleans as part of the relief
efforts. The above examples of potential fraud, improper use of the
purchase card, and abusive or questionable activity relating to items
acquired with DHS purchases cards are further detailed below.
Weaknesses in DHS's Overall Control Environment Contributed to
Ineffective Purchase Card Program Controls:
DHS has not established an effective internal control environment to
manage its government purchase card program. Specifically, for the last
two years, DHS did not finalize its departmentwide purchase card policy
that detailed the internal control policies and procedures that
organizational elements must follow. As a result, cardholders did not
consistently apply basic control procedures, which were necessary to
provide reasonable assurance that acquisitions made with purchase cards
adhered to governmentwide requirements. Inadequate staffing and
training, and a weak postpayment audit function further contributed to
a weak overall internal control environment and left DHS vulnerable to
fraud, waste, and abuse.
Unimplemented Agencywide Manual Contributes to Inconsistency and
Confusion:
DHS's Chief Financial Officer (CFO) distributed the agency's most
recent draft of the departmentwide purchase card policies and
procedures in March 2004. Since then the draft manual has been out for
agencywide comment twice. The internal control procedures described in
that draft document were largely consistent with OMB Circular No. A-
123, GAO's Standards for Internal Controls, and GAO's Audit Guide.
According to the Office of the Chief Financial Officer, the draft
policies were not accepted and implemented across DHS due to disputes
with organizational elements over implementation of the draft manual.
Further, officials within the Office of the Chief Financial Officer do
not have a plan or timeline for resolving these disputes in order to
finalize DHS's draft manual. Consequently, some organizational elements
are following internal control policies that existed in their legacy
environments prior to their absorption into DHS, while others adopted
DHS's draft policies. Others are adhering to elements from both. We
found that although some internal control policies from legacy agencies
were consistent with GAO's Standards for Internal Controls and GAO's
Audit Guide, others were not. For example, the Organizational Program
Coordinator (OPC) for the Purchase Card Program at the Coast Guard
stated that written authorization prior to purchase is generally
required. In contrast, CBP indicated that written authorization is not
required prior to use by a CBP cardholder.
As a result of the unimplemented DHS draft manual, organizational
elements were confused about and did not consistently apply purchase
card policies and procedures, which negatively affected the control
environment. As an example, the OPC at the Coast Guard, in charge of
the largest purchase card program within DHS, informed us that some
cardholders within Coast Guard followed the draft DHS manual, while
others did not consider the manual applicable.
Insufficient Resources Committed to Purchase Card Program:
DHS failed to assign sufficient resources to manage its purchase card
program. As a result, we found many instances where approving officials
had oversight responsibilities for an excessive number of cardholders.
Additionally, we found that DHS lacked sufficient staffing to
effectively manage and oversee the purchase card program.
GAO's Audit Guide and OMB Circular No. A-123 emphasize the importance
of establishing reasonable levels of responsibility for approving
officials who are responsible for reviewing and certifying purchase
card transactions. Assigning approving officials more cardholders than
they can effectively supervise is a symptom of a weak control
environment, as it is unreasonable to expect approving officials who
have too many transactions to conduct a thorough and proper review of
supporting documentation for each transaction. Basic fraud prevention
concepts and our previous audits of purchase card programs have shown
that opportunities for fraud and abuse arise if cardholders know that
their purchases are not being properly reviewed.
We found that DHS's draft manual contained requirements for approving
officials that are consistent with OMB Circular A-123 and GAO's Audit
Guide. Specifically, the proposed DHS policy stipulates that a single
approving official may not oversee more than 7 cardholders. However,
our work showed that DHS organizational elements did not adhere to this
guidance. As shown in table 1, as of the end of fiscal year 2005, we
found that 176 DHS approving officials, out of approximately 3,300
approving officials departmentwide, had oversight responsibilities for
more than 7 cardholders.[Footnote 6] At the Coast Guard alone, 147
approving officials supervised more than 7 cardholders, with 3
individuals managing more than 30 cardholders. According to the OPC at
the Coast Guard, insufficient staff to monitor and oversee the purchase
card program is a primary cause for the large number of approving
officials with excessive span of control. Having approving officials
responsible for more than 7 cardholders is inconsistent with the DHS
draft manual and is contrary to GAO's best practices guidance.
Table 1: Number of Approving Officials at DHS Organizational Elements
with Excessive Span of Control:
Organizational element: U.S. Coast Guard;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 84;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 53;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 7;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 3;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 147.
Organizational element: U.S. Customs and Border Protection;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 7;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 3;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 10.
Organizational element: Federal Emergency Management Agency;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 5;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 3;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 8.
Organizational element: U.S. Secret Service;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 3;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 2;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 2;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 7.
Organizational element: DHS Science and Technology;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 1;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 1.
Organizational element: Transportation Security Administration;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 1;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 1.
Organizational element: U.S. Citizenship and Immigration Services;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 1;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 1.
Organizational element: Federal Air Marshal Service;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 1;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 0;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 1.
Organizational element: Total;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 8-10: 102;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 11-20: 62;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: 21-30: 7;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: >30: 5;
Number of Approving officials with excessive span of control,
stratified by number of cardholders managed: Total: 176.
Source: GAO analysis of U.S. Bank data.
[End of table]
Our analysis of purchase card data uncovered other fundamental
breakdowns in controls. For example, we identified 6 cardholder
accounts where the approving official and the cardholder were the same
individual--a major conflict of interest. We also identified 2,468 open
accounts--19 percent of DHS's purchase cards--that as of December 13,
2005, had not been used since before January 2005. According to OMB and
the U.S. General Services Administration (GSA),[Footnote 7] purchase
cards should only be issued to individuals who have a documented need
to acquire items for the government with the purchase card. It is
difficult to argue that the 2,468 individuals who have not made a
single purchase in an entire year have such a need. Consequently, those
accounts should have been closed to minimize the risk of fraud, waste,
and abuse.
Furthermore, we found that at both the DHS level and organizational
element level, there were inadequate resources to effectively manage
the program. As stated in GAO's Audit Guide, it is vital for purchase
card programs to be sufficiently staffed to manage the program. At the
DHS agencywide level, the DHS Agency Program Coordinator (APC) is the
sole person responsible for overseeing not only DHS's Purchase Card
Program, one of the government's largest purchase card programs, but
also DHS's Travel Charge Card Program and Fleet Charge Card
Program.[Footnote 8] In total, DHS spent nearly $1 billion on these
three charge card programs during fiscal year 2005. Based on our
assessment of the control environment and discussions with the APC, a
lack of adequate resources caused insufficient management and oversight
of the purchase card program at the DHS agencywide level.
At the organizational element level, we found a similar lack of
staffing resources devoted to the management of the purchase card
program. For example, as shown in table 2, the number of personnel
assisting the OPC at the organizational element level is not consistent
with the risk of exposure, as measured by expenditures. In fact, the
largest organizational element, the Coast Guard, provides no additional
staff to the OPC to assist in managing and overseeing the purchase card
program. Based on our assessment of the control environment and
discussions with the OPC at the Coast Guard, the Coast Guard did not
have adequate resources to both administer the purchase card program
and provide adequate compliance control.
Table 2: Employees Responsible for Management of the Purchase Card
Program at Four of the Largest Organizational Elements within DHS:
Organizational element: U.S. Coast Guard;
Staff devoted to purchase card: 1 (OPC);
Fiscal year 2005 total purchase card dollars (millions): $ 227.
Organizational element: Federal Emergency Management Agency;
Staff devoted to purchase card: 2 (1 OPC and 1 additional staff);
Fiscal year 2005 total purchase card dollars (millions): 32.
Organizational element: U.S. Immigration and Customs Enforcement;
Staff devoted to purchase card: 4 (1 OPC and 3 additional staff);
Fiscal year 2005 total purchase card dollars (millions): 21.
Organizational element: U.S. Customs and Border Protection;
Staff devoted to purchase card: 6 (1 OPC and 5 additional staff);
Fiscal year 2005 total purchase card dollars (millions): 66.
Source: DHS data.
[End of table]
Evidence Lacking that Most Cardholders Received Required Training:
Evidence was not provided to show that DHS is providing the training
necessary to obtain reasonable assurance that its cardholders
understand the purchase card program's key controls. Adequate training
is essential to ensuring that the cardholders and approving officials
have the skills necessary to achieve organizational goals in an
effective and efficient manner. OMB Circular A-123 and DHS's draft
manual require that all cardholders be trained prior to receiving a
purchase card and receive annual refresher training. We found that for
60 of the 96 transactions in our statistical sample, the cardholder
lacked documentation showing that they received either the required
initial training or the refresher training.
Monitoring and Oversight Needs Improvement:
Our review of the DHS purchase card program found that DHS had
ineffective procedures to monitor and oversee cardholder's compliance
with agencywide and governmentwide purchase card policies through
postpayment audits. The purpose of the postpayment audit is to provide
reasonable assurance that the purchases made by cardholders, and
payments made to the bank, were valid and appropriate. However, our
audit found that DHS did not conduct postpayment audits effectively.
Specifically, we found that the organizational elements did not follow
up with cardholders who failed to provide the required supporting
documentation. We identified 10,339 transactions between December 2003
and February 2006 that were selected for audit, but which were not
audited because cardholders did not submit the required supporting
documentation. Many of the cardholders who failed to submit the
required supporting documentation were nevertheless allowed to continue
using their purchase cards. Failure to suspend those cards and
discipline users exposed DHS to fraud, waste, and abuse in its purchase
card program.
Inconsistently Implemented Control Activities Leave DHS Vulnerable to
Fraud, Waste, and Abuse:
The results of our testing of key controls at DHS revealed significant
failure rates that bring into question the efficacy of DHS's
implementation of internal controls. Internal control activities
associated with purchase card transactions occur at various levels
within an agency. Activities include a wide range of diverse actions
such as authorizations, verifications, reconciliations, certifications,
and the production of records and documentation. However, our
statistical tests of DHS purchase card transactions from June 13, 2005,
through November 12, 2005, found that several key transaction-level
controls were ineffective, with failure rates ranging from 8 percent to
63 percent. In addition, the high rates of failure associated with
authorization and independent receipt and acceptance also led us to
question the effectiveness of the DHS reconciliation and certification
process. Specifically, DHS's automated systems and practices associated
with reconciling and certifying purchase card transactions for payment
were not effective to provide reasonable assurance that charges
appearing on the cardholder's bank statements were valid. We also found
instances where DHS lacked effective controls to ensure proper follow-
through of disputed transactions, leaving DHS at an increased risk of
fraud, waste, and abuse associated with the payment of purchase card
transactions.
Finally, while DHS did not rely on its increased micropurchase
threshold authority, DHS did activate certain FAR provisions to
streamline the acquisition process for transactions made in response to
the hurricane disaster in the Gulf Region. We are not questioning the
authority on which DHS relied. However, we have identified examples
where DHS did not exercise prudent pricing practices.
Statistical Tests Indicated Weak Internal Controls:
Control activities we tested included whether (1) cardholders obtained
written authorization prior to purchases, (2) invoices supporting the
transactions existed, (3) independent receipt and acceptance of goods
and services occurred, and (4) cardholders screened for required or
preferred vendors (designated sources). As shown in table 3, the
failure rates for the four attributes that we tested ranged from 8
percent to 63 percent. We looked for documented evidence that these
control activities were followed; therefore, these rates may be higher
than actual failures rates if control activities were followed but not
documented.
Table 3: Results of Statistical Testing for Four Key Internal Controls
(percent):
Internal control: Authorization;
Point estimate[A]: 45;
95-percent confidence interval[B]: 35-55.
Internal control: Sales documentation;
Point estimate[A]: 8;
95-percent confidence interval[B]: 4 - 16.
Internal control: Independent receipt and acceptance;
Point estimate[A]: 63;
95-percent confidence interval[B]: 53 - 73.
Internal control: Priority for designated sources;
Point estimate[A]: 53;
95-percent confidence interval[B]: 43-63.
Source: GAO and DHS OIG testing and statistical analysis of DHS
purchase card transactions provided by U.S. Bank.
[A] The numbers represent point estimates for the population based on
our random sample rounded to the nearest percentage point.
[B] The numbers represent a 2-sided confidence interval assuming a 95
percent confidence level.
[End of table]
Lack of Written Authorization--In 45 percent of the sample
transactions, the cardholders did not obtain written authorization
prior to obtaining the items in question. Requiring the cardholder to
obtain written authorization prior to using the purchase card is key to
providing reasonable assurance that the purchase represents a
legitimate government need. The draft manual addresses this fundamental
internal control element by proposing to require written authorization
prior to purchases. However, as indicated by the high rate of failure,
cardholders did not consistently adhere to this internal control
standard, thereby exposing DHS to misuse of the purchase card. For
example, a cardholder from CBP acquired nearly $2,500 in rain jackets
without written preauthorization. Had the cardholder been subject to
DHS's requirement for written authorization prior to purchase, as
outlined in the draft manual, this improper purchase may have been
prevented.
Lack of Sales Documentation Supporting Purchases--We estimate that 8
percent of DHS cardholders failed to provide sales documentation, such
as a receipt, for the items obtained with a purchase card. This is
inconsistent with the draft manual, which would require cardholders to
obtain and retain all sales documentation relevant to their
transaction. Requiring cardholders to obtain and retain sales related
documentation from the vendor is a basic internal control to reduce the
risk of fraud, waste, and abuse. Without sales documentation, an
approving official has no means of reasonably determining whether the
item purchased represents a legitimate government need or is
fraudulent, improper, or abusive.
Lack of Independent Receipt and Acceptance--We estimate that 63 percent
of DHS transactions did not have independent receipt and acceptance.
Receipt and acceptance of goods and services by someone other than the
cardholder provides reasonable assurance that the organization actually
received what it purchased. This internal control procedure segregates
the duties involved in the acquisition of goods and services and
thereby reduces the risk of fraud, waste, and abuse. According to GAO's
Audit Guide, a properly documented independent receipt and acceptance
must contain the signature of the independent individual, who should
also document the date of receipt. Failure to adhere to proper receipt
and acceptance procedures exposes agencies to increased risk of fraud,
waste, and abuse. For example, a transaction we sampled involved the
purchase of three laptop computers by a Coast Guard cardholder.
However, independent receipt and acceptance was not performed, and the
laptops were not recorded in the property records. Subsequently, the
laptops could not be located and were later reported as stolen. If
proper receipt and acceptance had been performed, theft of the laptops
may have been prevented.
Failure to Give Priority to Designated Sources--We estimate that in 53
percent of the sampled transactions, the cardholder failed to document
whether they gave priority to designated sources. In one example, a
cardholder purchased 25 portable global positioning system (GPS) units
at full retail price from Best Buy when the same units could have been
obtained through a GSA Advantage[Footnote 9] vendor for 15 percent
less. The DHS draft manual would require that cardholders use
designated sources if the source is capable of providing the goods or
services as needed. GSA Advantage is identified as a designated source
in the draft manual. Generally, the goods and services provided by
designated sources will be offered at reasonable prices.[Footnote 10]
In this case, the failure to consider designated source resulted in the
cardholder paying Best Buy about $2,700 more than if the units were
acquired through GSA Advantage. Although the cardholder was acquiring
the GPS units for an emergency situation, we found that GSA Advantage
can often deliver goods on an expedited basis. Alternatively, the
cardholder could have obtained a special discount from Best Buy if he
had opened a government account.
Online Reconciliation and Certification Processes Not Fully Effective:
Effective reconciliation and certification are crucial in helping to
provide reasonable assurance that all charges appearing on the
cardholder's bank statement are valid. However, our review of the DHS
purchase card systems found that the practices used by the Coast Guard,
FEMA, CBP, and U.S. Immigration and Customs Enforcement (ICE) were not
fully effective. Each of these organizational elements primarily relied
upon online reconciliation and certification capabilities inherent in
their respective purchase card systems, but none of these systems
provided sufficient evidence to determine if a comprehensive
reconciliation and certification was actually performed. While online
processes can provide an efficient and effective means for
accomplishing such tasks without the burden of a paper-laden
environment, reliance upon online processes requires effective internal
controls (e.g., sufficient audit trails, implementation of sound
business practices) to gain reasonable assurance that the processes
were properly performed. However, none of these DHS components had
fully effective systems or practices to provide reasonable assurance
that cardholders exercised due diligence in reconciling their
statements. One attribute lacking was notations, such as the ability to
enter check marks indicating that transactions on the cardholder's
monthly statements were individually reviewed and reconciled. In
addition, these components did not demonstrate that they had fully
effective systems or practices that would allow them to track the
length of time a cardholder spent performing their reconciliation and
an approving official spent certifying statements to rule out the
possibility of merely "rubber stamping" monthly statements. Further, we
found many instances where approving officials did not certify their
respective cardholders' statements. DHS's draft manual requires
approving officials to certify a cardholder's bill within 14 days of
the close of billing cycle. Based on the results of our analysis, we
identified 8,630 uncertified statements that were pending approving
official certification as of February 12, 2006.
As previously discussed, given the insufficient resources committed to
the purchase card program and the high rates of failure associated with
the authorization and independent receipt and acceptance, comprehensive
reconciliations and certifications are crucial in helping to provide
reasonable assurance that all charges are valid. As a result of these
internal control weaknesses, DHS's compliance with controls to prevent
or detect fraudulent, improper, or abusive purchases is in question.
Pay and Confirm Environment Increased Risk of Fraud, Waste, and Abuse:
We found instances where DHS cardholders failed to dispute unauthorized
transactions. The dispute process is especially critical in DHS's pay
and confirm environment, called SmartPay®. One feature of GSA's
SmartPay® program is that, unlike a normal credit card monthly billing
process, the agency pays charges daily. By agreeing to pay first and
confirm later, agencies can reduce costs since the bank provides
rebates[Footnote 11] based on how quickly the charges are paid.
However, the pay and confirm environment requires diligence on the part
of cardholders to perform thorough and comprehensive reconciliations of
their charges and to submit timely disputes of improper charges to the
bank for credit. Because agencies have already paid the bank for the
potential unauthorized charges prior to receiving the monthly billing
statement, the payment will not be reversed unless a dispute is
submitted.
Because of weaknesses in the implementation of the dispute process in
some instances, DHS did not identify and obtain credits for
unauthorized transactions. In one instance, a cardholder appropriately
initiated the dispute process when a vendor improperly charged the
government $153,000 prior to completion of contracted services.
However, the cardholder failed to perform appropriate follow-through
and submit the required dispute documentation. Consequently, DHS made a
second payment to the vendor when services were complete, resulting in
a double payment of $153,000. FEMA was unaware of the double payment
until we questioned the payments in May 2006. At that time, FEMA
contacted the vendor and recovered the overpayment. In another example,
discussed later in this testimony, a cardholder's failure to dispute
$30,000 in unauthorized charges resulted in FEMA making payments for
potentially fraudulent and improper charges for flat-bottom boats. In
this case, the cardholder and the approving official failed to dispute
the unauthorized charges.
Although the pay and confirm environment can bring economic benefits
(i.e., rebates) to federal agencies, it requires the implementation of
effective controls to detect and correct charges that should be
disputed and reversed. The high rates of failure in our tests of key
internal controls and the examples highlighted above bring into
question whether DHS's pay and confirm process exposes DHS to
unacceptable levels of risk for fraud, waste, and abuse.
DHS Used a Provision of the Federal Acquisitions Regulations to Avoid
Obtaining Competitive Bids:
To facilitate the government's response to hurricanes Katrina and Rita,
Congress authorized an increase to the micropurchase threshold from
$2,500 to $250,000. When making micropurchases, authorized cardholders
need not solicit for competitive bids if they consider the price
reasonable. Executive agencies such as DHS could have extended this
authority to certain cardholders directly supporting hurricane-related
rescue and relief operations. However DHS told us that they did not
implement the increased threshold because they had the flexibility they
needed to make noncompetitive purchases under existing procurement
authority. DHS cited their justification for other than full and open
competition under the Unusual and Compelling Urgency provisions of the
Federal Acquisition Regulations.[Footnote 12] Under these provisions,
cardholders had discretion to select contractors noncompetitively as
long as the purchase was directly related to Hurricane Katrina response
efforts.
Although DHS has authority to make purchases without competition, we
highlight transactions where DHS cardholders failed to adopt prudent
pricing practices and subsequently wasted government funds. Part of
DHS's mission is to respond to emergency situations like Katrina and
Rita and a reasonable person would expect DHS to be more prepared for
relief and rescue operations than other agencies with routine
functions. In this light, we question the propriety of several of the
noncompetitive transactions that we investigated for potential fraud.
In the next section we identify many examples of potential fraud,
improper purchases, and abusive or questionable transactions. Some of
the examples are multifaceted and touch on several issues including the
pricing and requirements management issues discussed previously.
Potentially Fraudulent, Improper, Abusive, or Questionable
Transactions:
Our forensic audit and investigative work identified numerous
transactions where DHS failed to prevent or detect potential
fraudulent, improper, abusive, or questionable purchases. Many of these
examples also show that the government could have obtained better
pricing. However, our work was not designed to identify all instances
of, or estimate the full extent of fraud, waste, and abuse. Therefore
we did not determine, and make no representations regarding, the
overall extent of fraudulent, improper, and abusive or questionable
transactions.
Potentially Fraudulent and Improper Activity Related to Purchase Card
Acquisitions:
Our data mining work identified many instances of both potentially
fraudulent and improper use of the purchase cards, and potentially
fraudulent and improper activity related to items acquired with the
purchase card. We considered potentially fraudulent purchases to be
those which were unauthorized and intended for personal use. The
transactions we determined to be improper are those intended for
government use, but which are not for a purpose that is permitted by
law, regulation, or policy.
Potentially Fraudulent Activity--Table 4 shows five cases of potential
fraud involving both use of a DHS purchase card and weaknesses with
DHS's accountable property[Footnote 13] controls that led to
potentially fraudulent misappropriation of government assets. Property
that is unaccounted for may simply be misplaced; or it may be that the
assets were misappropriated for a use other than that of the
government. The misappropriation of government assets (theft)
represents fraudulent activity. These five potentially fraudulent cases
involve 154 missing items out of the 433 accountable property items
that we tested. Because only a limited number of transactions in our
statistical sample contained accountable or pilferable property, we did
not attempt to estimate the extent to which DHS could not account for
pilferable property.
Table 4: Potentially Fraudulent Activity:
Case: 1;
Items purchased: Laptop computers;
Organizational element: FEMA;
Vendor: CDW;
Additional facts: 107 of 200 not located;
Amount of transaction: $300,000.
Case: 2;
Items purchased: Flat-bottom boats;
Organizational element: FEMA;
Vendor: Banita Creek Hall;
Additional facts: Unauthorized use of purchase card by a vendor, 12 of
20 boats not in property system;
Amount of transaction: 177,000.
Case: 3;
Items purchased: Printers;
Organizational element: FEMA;
Vendor: CDW;
Additional facts: 22 of 100 not located;
Amount of transaction: 84,000.
Case: 4;
Items purchased: GPS units;
Organizational element: FEMA;
Vendor: Best Buy;
Additional facts: 2 of 25 not located;
Amount of transaction: 18,000.
Case: 5;
Items purchased: Laptop computers;
Organizational element: Coast Guard;
Vendor: Best Buy;
Additional facts: 3 of 3 reported as stolen;
Amount of transaction: 13,000.
Source: GAO and DHS OIG investigation.
[End of table]
Our testing work for the above transactions included traveling to the
location of the accountable property to observe the item and determine
if the asset existed or was in possession of the government. More
detailed information is as follows:
* In cases 1, 3, and 4, FEMA purchased 200 laptops, 100 printers, and
25 GPS units in five separate transactions totaling about $400,000.
While FEMA documented independent receipt and acceptance for the
laptops and the GPS units, it did not do so for the printers. Further,
FEMA did not properly record and track some of the assets in its
property records. As a result, FEMA could not locate the accountable
property items when asked, and consequently was not able to account for
107 laptops, 22 printers, and 2 GPS units that cost about $170,000.
Based on the information FEMA provided for the location of the assets
in question, in March 2006 we traveled to the FEMA field offices in New
Orleans and Baton Rouge to observe assets acquired using a purchase
card. After arriving at these locations, however, FEMA gave us
different location information. We were instead informed that the
laptops were shipped directly to and currently located in a conference
room at the Royal Sonesta Hotel in the French Quarter, which was
serving as the Joint Command Post for the various federal, state, and
local authorities. We were told that many of the laptops and printers
were being used by the New Orleans Police Department (NOPD) at the
Joint Command Post. However, as shown in figure 1, when FEMA's
accountable property officer took us to the conference room, it was
vacant and the laptops and printers were missing.
Figure 1. Hotel Conference Room Where FEMA Laptops and Printers Were
Supposed to Be:
[See PDF for Image]
Source: GAO.
[End of Figure]
We questioned NOPD to find the location of the laptops and printers and
we were able to account for 28 laptops and 16 printers in the
possession of NOPD personnel and 4 laptops in possession of the
Louisiana District Attorneys Office (LADA). These assets were on loan
to NOPD and LADA to assist them in their hurricane response efforts. We
subsequently accounted for 61 laptops, 72 printers, and 23 GPS units at
FEMA field offices in Baton Rouge and New Orleans. Despite substantial
efforts to locate the property, neither FEMA, GAO, or DHS OIG was able
to find all the accountable property at the time of our field testing.
Ultimately, FEMA could not account for 107 laptops, 22 printers, and 2
GPS units with a total value of about $170,000.
Significantly, we found that FEMA failed to enter the laptops into
their accountable property system until two months after delivery. In
addition, when FEMA did add the laptops to the property system, they
failed to accurately record who was in possession of the laptops. In
February 2006, after we made inquiries regarding the laptops, FEMA made
an effort to track down the laptops and properly record who was in
possession of and accountable for the laptops. However, they were
unable to do so for most of the laptops. The process for using a
purchase card to obtain highly pilferable and expensive equipment such
as laptops should include controls that ensure such property is
accurately recorded and tracked in a property system. In this case, the
absence of effective controls led to potential fraud and a substantial
cost to the taxpayer.
* For case 2, FEMA paid a vendor $208,000, or twice the retail price,
to deliver 20 flat-bottom boats (with motors and trailers) needed for
relief operations in New Orleans. This vendor, a broker who did not
possess any boats himself, used the FEMA purchase card account number
to pay for the boats prior to delivery to FEMA. He also used the card
number to make two unauthorized payments for 6 of the 20 boats totaling
about $30,000. Although the vendor billed FEMA for all 20 of the boats,
the vendor failed to pay one retailer who provided 11 of the 20 boats.
This retailer provided the boats to the broker believing he was dealing
with a FEMA representative, and therefore the retailer did not require
payment up-front. The retailer has since reported the 11 boats as
stolen and not provided title to the vendor. Further, FEMA only has 8
of the 20 boats in its property records and could not provide the
location for the other 12 boats.
Many issues surround the purchase of the 20 boats, but the most
significant involve the vendor. We estimate that the vendor walked away
with over $150,000, including the profit he made on the 11 boats that
the vendor obtained without payment. We are coordinating our
investigation with both local law enforcement and the Federal Bureau of
Investigation. Key control breakdowns relating to this transaction
include the cardholder not obtaining adequate receipt and acceptance as
evidenced by the fact that FEMA did not receive title to at least 11
boats, and the fact that neither the cardholder or the approving
official flagged two unauthorized charges on the monthly purchase card
statement.
* Case 3 involved one or more Coast Guard employees who submitted
falsified records and provided false information pertaining to the
theft of three laptop computers. Our investigative work found that a
Coast Guard cardholder, accompanied by an Information Technology (IT)
specialist, purchased 13 laptops from Best Buy using his government
purchase card. The cardholder placed the laptops in an unsecured
trailer, but did not immediately record the serial numbers so they
could be entered into an accountable property system. According to the
cardholder, 3 laptops went missing the next day. In an interview with
our investigator and the Coast Guard Investigative Service, the
cardholder admitted that he did not record the serial numbers
immediately as instructed by his superior, and the property log was
subsequently falsified to include fictitious serial numbers for the
missing laptops. During separate interviews with the cardholder and the
IT specialist, we noted inconsistencies in their explanations. We
attempted to conduct a follow-up interview with the IT specialist, but
after being notified to report for the scheduled interview, the IT
specialist took actions that made himself unavailable. The Coast Guard
Investigative Service is continuing to investigate the stolen laptops.
Improper Transactions--We identified numerous instances where
cardholders used their purchase cards to make improper purchases.
According to the FAR, purchase cards may be used only for purchases
that are otherwise authorized by law, regulation, or organizational
policy. Table 5 contains some examples of improper transactions.
Table 5. Examples of Improper Purchase Card Transactions:
Case: 1;
Items purchased: Meals ready to eat (MRE's);
Organizational element: CBP;
Vendor: MRE Foods.com;
Amount of transaction: $465,000.
Case: 2;
Items purchased: Waste removal;
Organizational element: FEMA;
Vendor: EMO Energy Solutions;
Amount of transaction: 153,000.
Case: 3;
Items purchased: Rain jackets;
Organizational element: CBP;
Vendor: Helly Hansen;
Amount of transaction: 2,500.
Case: 4;
Items purchased: Men's clothing;
Organizational element: ICE;
Vendor: Hecht's;
Amount of transaction: 430.
Source: DHS data.
[End of table]
The following contains detailed information on some improper
transactions shown in table 5:
* Case 1 related to the improper use of convenience checks, where a CBP
cardholder improperly issued five convenience checks totaling about
$465,000 to prepay for a 2 months' supply of meals-ready-to-eat (MRE),
about $30,000 of which was for shipping. The MREs were sent to the Gulf
Region for consumption by CBP employees who were deployed to assist in
the response to the hurricanes. In general, DHS policies consider the
use of convenience checks a tool of last resort, that is, to be used
only after "maximum efforts" have been made to find alternate vendors
who accept the government purchase card. However, we found that the CBP
cardholder violated DHS policies related to use of convenience checks.
In addition, the CBP employees who were sent to the Gulf Region were
pulled out earlier than anticipated and almost half of the MREs
purchased were delivered to a CBP training facility in El Paso, Texas.
Because the cardholder prepaid for the MREs, the cardholder precluded
the option of buying in increments as the fluid circumstances might
have dictated. Because the demand did not materialize, thousands of
MREs are sitting in a warehouse in El Paso, Texas.
The cardholder in this instance relied on the Unusual and Compelling
Urgency provisions of the Federal Acquisition Regulations to expedite
the purchase and meet an apparent need. While we are not questioning
the cardholder's reliance on these provisions, we identified actions
taken by the cardholder that unnecessarily increased the cost to the
taxpayer:
* Instead of contracting with the Defense Logistics Agency[Footnote 14]
(DLA) to deliver MREs on an as-needed basis, the cardholder acquired
about 62,000 MREs from a vendor on the internet. However, DLA informed
us that it had a large supply of MREs when Hurricane Katrina hit the
Gulf Region and would have been able to meet CBP's demand for MREs and
provide free shipping. Further, we found that a GSA Advantage vendor
was selling similar MRE's at a substantially lower price than what the
cardholder paid. The vendor selected by the cardholder was not a GSA
Advantage vendor and the cardholder acknowledged that she did not
contact this GSA Advantage vendor. Had the cardholder contacted the GSA
Advantage vendor, she may have saved taxpayers over $100,000.
* The website of the vendor selected by the cardholder clearly shows
that it accepts credit cards. However, according to the cardholder, the
vendor did not want to incur a credit card processing fee on the large
order. The cardholder therefore paid the vendor using convenience
checks, which cost the government a 1.75 percent processing fee.
Therefore, due to the cardholder's improper use of convenience checks,
DHS paid $8,000 in processing fees unnecessarily.
* In case 3, a CBP cardholder improperly used his purchase card to
acquire 37 black rain jackets from Helly Hansen for nearly $2,500 and
obtained a government discount to the personal benefit of CBP
employees. The purchase violated CBP's policy against using a purchase
card to acquire clothing. The cardholder claimed the rain jackets were
personal protective equipment (PPE) for which there is an exception.
The cardholder explained that the black rain jackets are given to
safety officials on the firing range and allow these officials to be
readily identified. However, these officials are issued red shirts for
safety and identification purposes and when it rains, the red shirts
are covered by the rain jackets. Other individuals who are not safety
officials also wear black rain jackets, making these other individuals
indistinguishable from safety officials. Therefore, the rain jackets do
not serve a safety purpose and are not PPE. The cardholder also
admitted that when the rain is heavy, the firing range is normally shut
down. Furthermore, the rain jackets were not kept on the firing range
but were given to range officials to keep, without any record of who
was receiving the rain jackets. While safety of CBP employees should be
a primary concern, the facts in this case indicate that cardholder
obtained a government discount from the vendor to provide personal
clothing to CBP employees and for which no safety related purpose was
served.
Abusive and Questionable Transactions:
We identified numerous examples of abusive and questionable items
acquired with DHS purchase cards during our testing. We defined abusive
transactions as those that were authorized, but the items purchased
were at an excessive cost (unreasonable pricing) or were not needed by
the government, or both. As an organization whose mandate is to deal
with security and emergency needs, DHS and its employees should adopt
prudent purchasing practices by implementing existing agreements with
vendors to allow favorable pricing even in times of disaster.
Questionable transactions are defined as transactions that appear to be
improper or abusive but for which there is insufficient documentation
on which to conclude.[Footnote 15]
Obtaining reasonable pricing for goods or services includes not only
avoiding excessive pricing, but also includes taking reasonable steps
to obtain appropriate discounts. However, vendors often will not
provide discounts unless the government cardholder asks if a discount
is available. We found instances where it was likely a vendor discount
could have been obtained but was not. However, we noted several
occasions where cardholders obtained a point-of-sale discount. For
example, an ICE cardholder obtained 60 sleeping bags and cots from
Cabela's. The sleeping bags and cots were acquired to meet the needs of
those affected by the hurricanes. The cardholder was able to obtain a
10 percent point-of-sale discount from the manager. By asking for the
discount, the cardholder was able to save the taxpayer over $750. In
another example, FEMA purchased over $600,000 in medical equipment and
supplies from Medtronic Physio-Control in three separate transactions
in order to supply special medical response teams after the hurricanes.
FEMA obtained almost $18,000 in point-of-sale discounts from this
vendor.
In order to obtain the best pricing, it is often beneficial to make
arrangements with vendors in advance of potential spikes in demand for
goods or services. We noted numerous instances where we believe better
pricing could have been obtained had various DHS organizational
elements made arrangements with vendors in advance of the devastating
hurricanes along the Gulf Region. If DHS does not anticipate its needs
and get prearranged pricing from quality vendors, then it must often
scramble to acquire the necessary goods and services during a crisis.
Frequently, the emphasis shifts from efficiency to expediency when
acquiring goods and services during a crisis, resulting in additional
and unnecessary costs to the government. Table 6 lists some examples of
abusive and questionable purchases that we identified at DHS.
Table 6: Abusive and Questionable Transactions:
Transaction: 1;
Item purchased: Shower units;
Organizational element: CBP;
Vendor: MD Descant;
Nature of transaction: Abusive;
Amount: $71,000.
Transaction: 2;
Item purchased: Dog booties;
Organizational element: FEMA;
Vendor: Backcountry Gear Limited;
Nature of transaction: Abusive;
Amount: $68,000.
Transaction: 3;
Item purchased: GPS units;
Organizational element: FEMA;
Vendor: Best Buy;
Nature of transaction: Abusive;
Amount: $18,000.
Transaction: 4;
Item purchased: 63" Plasma screen television;
Organizational element: FEMA;
Vendor: Jan-Tronics;
Nature of transaction: Abusive;
Amount: $8,000.
Transaction: 5;
Item purchased: iPod Nanos and Shuffles;
Organizational element: USSS;
Vendor: Apple;
Nature of transaction: Questionable;
Amount: $7,000.
Transaction: 6;
Item purchased: Training seminar;
Organizational element: CBP;
Vendor: Sea Palms Golf and Tennis Resort;
Nature of transaction: Abusive;
Amount: $2,000.
Transaction: 7;
Item purchased: Leadership conference;
Organizational element: CIS;
Vendor: Hyatt Golf Resort, Spa & Marina;
Nature of transaction: Abusive;
Amount: $2,000.
Transaction: 8;
Item purchased: Beer brewing kit;
Organizational element: Coast Guard;
Vendor: Beer and Wine Hobby;
Nature of transaction: Abusive;
Amount: $230.
Source: GAO and DHS OIG investigations of DHS data.
[End of table]
The following provides further details on a number of transactions
listed above:
* The first case involved a CBP cardholder who paid for three 6-person
portable shower units when less expensive units could have been rented.
In this instance, CBP represented to us that they did not have time to
obtain competing bids because of the need to prepare immediate shower
units for CBP personnel in the Gulf Region responding to hurricanes.
However, because CBP did not specify the need for hot water and sinks,
the portable shower units did not come with this capability. In
contrast, a vendor in GSA Advantage could have rented two prefabricated
16-person mobile shower units with hot water capabilities and had them
delivered in less time than it took the original vendor to deliver. The
cost from the GSA Advantage vendor would have been approximately
$45,000, or 36 percent less than the nearly $71,000 CBP paid.
* In case 2, a FEMA cardholder unnecessarily purchased over 2,000 sets
of canine booties at a cost exceeding $68,000. Canine booties are used
to protect the dog's paws in a debris laden environment. According to
FEMA, after the terrorist attacks of 9-11 many donated dog booties were
placed in storage facilities and were mistakenly placed on emergency
provisioning lists. When the hurricanes struck the Gulf Region, FEMA
acquired items on the provisioning lists including thousands of
additional dog booties unnecessarily. However, we were informed by FEMA
that since most of the search and rescue dogs in the Gulf Region were
not accustomed to wearing booties, the canine booties continue to sit
unused in FEMA storage facilities. The error of placing the booties on
the emergency provisioning list resulted in a $68,000 unnecessary
expenditure.
* In case 4, a FEMA cardholder abused a purchase card to acquire a
Samsung 63 inch plasma screen television on September 16, 2005 for
almost $8,000, lacking a government need. The plasma screen, which was
not timely recorded in an accountable property system, was still unused
and in its original box six months after its purchase. The fact that it
was unused after such an extended period of time casts significant
doubt as to whether there was a legitimate government need for
acquiring the 63 inch plasma screen in the first place. In addition, as
the cost of high-end electronic equipment can fall dramatically in a
short period of time, we found that the same 63 inch plasma screen
television could have been obtained for $1,200 less at the time we
observed it in the box at FEMA. Considering the plasma screen was
bought at the end of the fiscal year and that it was unused 6 months
after the purchase, a concern arises regarding whether the purchase was
made to use up remaining funds at the end of the fiscal year.
* In case 5, the U.S. Secret Service (USSS) spent over $7,000 to
acquire 12 Apple iPod Nanos and 42 iPod Shuffles. This purchase is
questionable because iPods are generally used to store and play music--
not a legitimate government need. In addition the USSS did not enter
the iPod shuffles into its accountable property system. After we
questioned the validity of the purchase, USSS provided a memorandum
justifying the purchase on the basis that the iPods were used for
training and data storage. However, we found that other memory devices
existed that were not primarily designed to play music but would have
satisfied the need for data storage. USSS did not provide evidence to
support its claim that the iPods were used in training. Further, USSS
represented to us that they did not track the iPod shuffles because the
iPods cost less than the $300 threshold required for accountable
property. This is inconsistent with established DHS policy that
requires all memory devices be tracked in a property system. Without
appropriate substantiation, we could not obtain assurance that the
iPods were used for legitimate government needs.
* Case 6 involved the abusive use of government funds to hold a CBP
training seminar at the Sea Palms Resort at Saint Simons Island in
Georgia. We identified a purchase card transaction related to this
event for about $2,000 and performed additional audit work to determine
the basis for selecting the resort. We found that the golf and tennis
resort was used to train 32 newly hired attorneys when the nearby
Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia,
could have been used with a savings of approximately $10,000. According
to the CBP officials we interviewed, CBP had determined that the FLETC
facility could not accommodate their training. However, CBP could not
produce any documentation such as a request form indicating that CBP
had contacted FLETC for determining availability. Further, a FLETC
official in charge of scheduling informed us that FLETC did not receive
a request from CBP and that had CBP given FLETC sufficient notice, it
was more than likely that FLETC would have been able to accommodate
CBP. While training is a necessary investment in human capital,
cardholders and government officials need to be careful stewards of
taxpayer's funds. By not contacting FLETC and instead using the resort
for training, CBP failed to act prudently with taxpayer dollars.
* In case 7, the U.S. Citizenship and Immigration Services (CIS) held
its annual leadership conference at the Hyatt Regency Chesapeake Bay
Golf Resort, Spa and Marina in Cambridge, MD, which cost the government
about $40,000 in additional travel expenses. We initially selected this
transaction because a CIS cardholder had paid the resort about $2,300
for materials used in a team building exercise. Irrespective of the
merits of the team building exercise expenses, holding the annual
leadership conference about 90 miles outside Washington, D.C. resulted
in roughly 50 Washington, D.C. based staff incurring travel expenses
for lodging, meals, and other expenses. About 110 CIS employees
attended the July 2005 conference. According to a March 25, 2005, CIS
memorandum documenting the CIS conference planning efforts, CIS
officials only contacted resorts outside the Washington, D.C. normal
commuting area. If CIS had held the annual conference within the
Washington, D.C. commuting area, the 50 of the employees would not have
incurred travel expenses and the savings to the government would have
been about $40,000.
* Case 8 involved a Coast Guard cardholder who abused his purchase card
to obtain beer brewing equipment and ingredients, and wasted government
resources by brewing alcohol while on duty. The cardholder, whose
duties involved planning, procuring, and organizing social functions
for the Coast Guard Academy, purchased a beer brewing kit for about
$230 and additional ingredients. According to the Coast Guard, the beer
kit provided the Academy with both a cost savings and a quality product
for official parties attended by cadets, dignitaries, and other guests
of the Superintendent. The Coast Guard also explained that the Coast
Guard beer, with the custom Coast Guard themed labels, functioned as an
"ice-breaker" for discussion at these official parties.
Our subsequent work indicated that the Academy achieved no cost savings
by brewing their own beer. From early August 2005 through March 2006,
the Academy used an additional $800 on beer brewing
ingredients[Footnote 16] to brew 532 bottles of beer, or 12 batches.
The Coast Guard estimated that it took two hours to brew, bottle, and
label each batch of Coast Guard beer. Given a conservative approximate
hourly labor rate of $15, it would cost over $13 for a six-pack of
Coast Guard beer--considering the variable costs alone (ingredients and
labor). The Coast Guard provided GAO with a detailed 5-year analysis
showing a cost savings but the analysis failed to account for any labor
costs. Absent the purported cost savings and the dubious need for the
government to brew its own alcohol, the purchase of the kit and the
beer brewing activity itself fall short of prudent use of taxpayer
dollars and therefore exemplify purchase card abuse.
Concluding Observations:
The purchase card has proven to be a valuable tool that provides the
government flexibility in making purchases and saves money on
transaction processing. However, putting purchasing decisions in the
hands of about 9,000 DHS employees with ineffective management
oversight and control has allowed potentially fraudulent, improper, and
abusive or questionable usage of these purchase cards to go undetected.
Some of the examples highlighted in this testimony related to
Hurricanes Katrina and Rita show that the government is particularly
vulnerable when purchase cards are used during times of disaster.
Taking immediate action to improve the processes and internal controls
over its purchase card program will help DHS maximize the value and
benefit of the purchase card and provide reasonable assurance that
fraud, waste, and abuse are minimized.
Madam Chairman and Members of the Committee, this concludes our
statement. We would be pleased to answer any questions that you or
other members of the committee may have at this time.
Contacts and Acknowledgments:
For further information about this testimony, please contact Gregory D.
Kutz at (202) 512-7455 or kutzg@gao.gov at GAO or Matt A. Jadacki at
(202) 254-5477 or matt.jadacki@dhs.gov at DHS OIG. GAO individuals
making key contributions to this testimony included James Ashley, Kord
Basnight, James Berry, Beverly Burke, Jennifer Costello, Danielle Free,
Christine Hodakievic, Ryan Holden, Aaron Holling, John Kelly, Tram Le,
John Ledford, Barbara Lewis, Jenny Li, John Ryan, Robert Sharpe,
Bethany Smith, Tuyet-Quan Thai, Patrick Tobo, and Michael Zola. DHS OIG
individuals making key contributions to this testimony included Modupe
Akinsika, Andre Marseille, and Frank Parrott.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this testimony.
Appendix I: Prior GAO Purchase Card Audits:
VHA Purchase Cards: Internal Controls Over the Purchase Card Program
Need Improvement. GAO-04-737. Washington, D.C.: June 7, 2004.
Purchase Cards: Increased Management Oversight and Control Could Save
Hundreds of Millions of Dollars. GAO-04-717T. Washington, D.C.: April
28, 2004.
Forest Service Purchase Cards: Internal Control Weaknesses Resulted in
Instances of Improper, Wasteful, and Questionable Purchases. GAO-03-
786. Washington, D.C.: August 11, 2003.
HUD Purchase Cards: Poor Internal Controls Resulted in Improper and
Questionable Purchases. GAO-03-489. Washington, D.C.: April 11, 2003.
Purchase Cards: Steps Taken to Improve DOD Program Management, but
Actions Needed to Address Misuse. GAO-04-156. Washington, D.C.:
December 2, 2003.
FAA Purchase Cards: Weak Controls Resulted in Instances of Improper and
Wasteful Purchases and Missing Assets. GAO-03-405. Washington, D.C.:
March 21, 2003.
Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to
Fraud, Waste, and Abuse. GAO-03-292. Washington, D.C.: December 20,
2002.
Purchase Cards: Navy is Vulnerable to Fraud and Abuse but Is Taking
Action to Resolve Control Weaknesses. GAO-02-1041. Washington, D.C.:
September 27, 2002.
Government Purchase Cards: Control Weaknesses Expose Agencies to Fraud
and Abuse. GAO-02-676T. Washington, D.C.: May 1, 2002.
Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud,
Waste, and Abuse. GAO-02-732. Washington, D.C.: June 27, 2002.
Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to
Fraud and Abuse. GAO-02-32. Washington, D.C.: November 30, 2001.
Appendix II: Background:
The Department of Homeland Security's (DHS) purchase card program is
part of the General Services Administration's (GSA) Smart Pay® program,
which was established to streamline federal agency acquisition
processes for eligible purchases by providing a low-cost, efficient
vehicle for obtaining goods and services directly from vendors. Under
the GSA blanket contract, DHS has contracted with U.S. Bank for its
purchase card services.
To assist DHS organizational elements in carrying out their various
missions, such as that of the U.S. Coast Guard (Coast Guard),[Footnote
17] U.S. Customs and Border Protection (CBP),[Footnote 18]
Transportation Security Administration (TSA),[Footnote 19] and the
Federal Emergency Management Agency (FEMA),[Footnote 20] DHS reported
that it used purchase cards for more than 1.1 million transactions
valued at more than $420 million in fiscal year 2005. According to DHS
data, the purchase card activity for the Coast Guard, CBP, TSA, and
FEMA accounted for $364 million or about 86 percent of the more than
$420 million in fiscal year 2005 DHS purchase card payments. Table 1
identifies the number and dollar amount of purchase card transactions
during fiscal year 2005 for these and other DHS components.
Table 7: Number and Amount of Fiscal Year 2005 Purchase Card
Transactions:
DHS Component: Coast Guard;
Number of transactions (in thousands): 568;
Amount of transactions (in millions): $227;
Percentage of; DHS purchase card payments: 54%.
DHS Component: CBP;
Number of transactions (in thousands): 295;
Amount of transactions (in millions): 66;
Percentage of; DHS purchase card payments: 16.
DHS Component: TSA;
Number of transactions (in thousands): 74;
Amount of transactions (in millions): 38;
Percentage of; DHS purchase card payments: 9.
DHS Component: FEMA;
Number of transactions (in thousands): 31;
Amount of transactions (in millions): 32;
Percentage of; DHS purchase card payments: 8.
DHS Component: Other DHS components;
Number of transactions (in thousands): 178;
Amount of transactions (in millions): 60;
Percentage of; DHS purchase card payments: 13.
Total;
Number of transactions (in thousands): 1,146;
Amount of transactions (in millions): $423;
Percentage of; DHS purchase card payments: 100%.
Source: GAO analysis of U.S. Coast Guard Finance Center's reports.
[End of table]
Management of the DHS Purchase Card Program:
DHS's Purchase Card Program Management Office, which is within the
office of the Under Secretary for Management--Chief Financial Officer
(CFO), is responsible for the overall management of the DHS purchase
card program. In carrying out its management responsibilities, the
Purchase Card Program Management Office has a directive for use by all
DHS components on the Government Purchase Card Program. In addition,
the Office of the Chief Financial Officer developed a draft manual,
which has been in draft since March 8, 2004. This draft manual
describes the various roles and responsibilities of key program
management functions and the overall business process for carrying out
the purchase card program. Regarding key management functions, the
Agency Program Coordinator has responsibility for managing the overall
program and working through the CFO and Chief Procurement Officer on
purchase card issues; developing, implementing, and updating the
program policies, procedures, and guidelines; and ensuring the
implementation of and compliance with adequate internal controls in the
management of the program, as well as serve as the communication
liaison between DHS and the U.S. Bank. Further, within each DHS
component, an Organizational Program Coordinator(s) is designated to
oversee the purchase card program within that component (e.g., Coast
Guard). Their responsibilities include controlling issuance,
revocation, and the closing of purchase cards; providing, monitoring,
and maintaining training prior to issuance of the purchase card and
annual refresher training for all cardholders and approving officials;
and managing and conducting oversight of the program (includes span of
control and ongoing and annual reviews to ensure compliance with the
program requirements). Figure 3 illustrates DHS's business process for
carrying out the purchase card program.
Figure 2: DHS Purchase Card Program Flowchart:
[See PDF for Image]
Source: GAO analysis of the business process for the DHS Purchase Card
Program.
[End of Figure]
Coast Guard Is a Steward for DHS's Purchase Card Program:
Since February 2004, the U.S. Coast Guard Finance Center (Finance
Center) has been operating under a Memorandum of Understanding with DHS
to be the servicing agent providing centralized invoicing and payment
of all DHS purchase card activity. The Finance Center has developed and
implemented a system that supports the receipt of daily invoices from
U.S. Bank for all DHS components, supports the payment of those
invoices within one business day of receipt, and provides transmission
of an electronic file containing transaction data to each component's
accounting system. The intent of the daily payment is to maximize the
performance rebates earned by the purchase card program.
On a daily basis, U.S. Bank's Customer Automation and Reporting
Environment generates an invoice file containing transaction level data
for all DHS purchase card activity posted on the previous day and
submits the file to the Finance Center, where the file is loaded into
the Finance Center's Consolidated Billing System. Among other things,
this system is used to process all purchase card transactions and
provide data to participating DHS components. Cardholders are
responsible for identifying any discrepancies on their billing
statements and contacting the merchant to resolve any disputed
transactions. If the cardholder is unable to resolve the dispute with
the merchant, he or she has up to 60 days from the statement date to
file a dispute form with U.S. Bank and request a credit. Approving
officials are responsible for (1) receiving and reviewing their
assigned cardholders' monthly statement to ensure all charges were
allowable and conducted within acquisition guidelines, (2) determining
that the goods or services were received, and documentation is
complete, and (3) verifying that the cardholder follows through in
resolving any disputed transactions with the merchant and U.S. Bank. An
approving official's certification of the monthly billing statement
cannot occur until the cardholder, or in some cases, the approving
official, performs and completes a reconciliation of all charges on the
statement.
Appendix III: Scope and Methodology:
To assess whether DHS's internal control policies and procedures are
adequately designed to provide reasonable assurance that fraud, waste,
and abuse are minimized and are operating effectively to prevent or
detect potentially fraudulent, abusive, and improper purchase card use,
we reviewed and tested key purchase card controls over purchase card
use by DHS's major organizational elements.[Footnote 21] Our review of
purchase card controls covered:
* DHS's and its organizational elements' overall management control
environment, including (1) management's role in establishing needed
controls, (2) the numbers of cardholders, cardholder accounts,
approving/billing officials, and program coordinators, (3) training
provided for cardholders, (4) monitoring and audit of purchase card
activity, and (5) effectiveness of purchase card infrastructure;
* attribute tests on a statistical sample of key controls over purchase
card transactions made during the period from June 13, 2005 through
November 12, 2005, including (1) proper written preauthorization of
purchases, (2) maintenance of sales documentation, (3) documented
performance of independent confirmation that items or services paid for
with the purchase card were received, and (4) documentation that
cardholders gave priority to designated sources; and:
* data mining of the population of transactions made during the above
mentioned test period to identify potentially fraudulent, improper, and
abusive or questionable purchase card transactions.
Departmental and Organizational Element Control Environment:
To assess the overall management control environment for DHS's purchase
card program, we obtained an understanding of the processes utilized by
DHS and its major organizational elements by interviewing officials
involved in overseeing and managing the various purchase card
activities, analyzing each entity's control procedures and processes,
and performing walk-throughs of the detailed processes utilized at the
major organizational elements to request, approve/authorize, make,
document, and verify/certify transactions using purchase cards. We also
analyzed the database of active cardholders to assess the ratios of
approving/billing officials to assigned cardholders and cardholder
accounts and assessed cardholder training. For these tests, we utilized
the active member cardholder database provided by U.S. Bank covering
the period from June 2005 through December 2005. We also visited and
interviewed officials of the Coast Guard's Finance Center, Chesapeake,
Virginia, DHS's purchase card paying agent, to discuss the payment and
management oversight processes utilized to ensure the timely processing
of payments and the reasonableness and appropriateness of transactions.
Statistical Sample of Internal Control Procedures:
We obtained and reviewed the U.S. Bank-provided database of purchase
card transactions covering the period from June 13, 2005, through
November 12, 2005, and analyzed a random probability sample of these
transactions to assess compliance with key internal controls. The
sample design was a simple random probability sample of 96
transactions. The sample size was calculated to achieve a precision of
any estimated internal control error rate for the category (except
accountable property) to be +/-10 percentage points or less. With this
probability sample, each transaction in the population had a known,
nonzero probability of being selected. Each selected transaction was
subsequently weighted in the analysis to account statistically for all
the transactions in the population, including those not selected.
Because we selected a sample of transactions, our results are estimates
of a population of transactions and thus are subject to sample errors
that are associated with samples of this size and type. Our confidence
in the precision of the results from this sample is expressed in 95-
percent confidence intervals. The 95-percent confidence intervals are
expected to include the actual results in 95 percent of the samples of
this type. We calculated confidence intervals for this sample based on
methods that are appropriate for a simple random probability sample.
To test compliance with internal controls, we applied procedures in
GAO's Audit Guide: Auditing and Investigating the Internal Control of
Government Purchase Card Programs (GAO-04-87G, Washington, D.C.:
November 2003) and internal control standards included in the draft
manual dated March 8, 2004. We utilized DHS's draft manual because we
found that DHS had not issued an official standardized set of purchase
card policies and procedures since the department was established by
the Homeland Security Act in November 2002. Further, our review of the
draft procedures showed that the procedures contained a reasonable set
of standards that were generally consistent with good purchase card
operating policies and procedures utilized by other governmental
entities we had audited and covered in GAO's Audit Guide. We also
reviewed (1) OMB Circular No. A-123, (2) Treasury Financial Manual Vol.
1 Part 4-4500 "Government Purchase Cards," (3) FAR, (4) organizational
policies, including draft organizational policies, and (5) GAO's
Standards for Internal Controls.
Data Mining:
In addition to selecting statistically projectable samples of
transactions to test specific internal controls, we also made
nonrepresentative selections of transactions from these entities. We
conducted separate analysis of transactions that appeared on the
surface to be potentially fraudulent, improper, and abusive or
questionable.
Our data mining for transactions was limited in scope. For this review,
we scanned the population of transactions for vendor names and merchant
codes that are likely to sell goods or services that are personal in
nature, listed on DHS's restricted/prohibited lists, or are otherwise
questionable. Our expectation was that transactions with certain
vendors had a more likely chance of being fraudulent, improper, and
abusive or questionable. We reviewed and made inquiries about 200
transactions with vendors that sold such items as sporting goods,
sporting event tickets, groceries, clothing, jewelry, alcohol,
entertainment, or were third-party payers, such as PayPal. Our
inquiries also identified some purchases that turned out to be
legitimate in terms of need but could have been obtained from vendors
at significant price savings. We found other purchases were made during
conditions of exigency that under normal operating conditions would not
or should not have been made. While we identified, and performed
limited inquiries about, some potentially fraudulent, improper, and
abusive or questionable transactions, our work was not designed to
identify, and we cannot determine, the extent of fraudulent, improper,
and abusive or questionable transactions.
We briefed DHS on the details of our work, including our scope, and
methodology and our findings. We conducted our audit work from October
2005 through June 2006 in accordance with U.S. generally accepted
government auditing standards, and we performed our investigative work
in accordance with standards prescribed by the President's Council on
Integrity and Efficiency.
(192211):
FOOTNOTES
[1] The Homeland Security Act of 2002, Pub. L. No. 107-296, led to the
creation in January 2003 of DHS--the most substantial reorganization of
the federal government since the 1940s. The creation of DHS, which
began operations in March 2003, represents the fusion of 22 federal
agencies to coordinate and centralize the leadership of many homeland
security activities under a single department.
[2] Second Emergency Supplemental Appropriations Act to Meet Immediate
Needs Arising from the Consequences of Hurricane Katrina, 2005, Pub. L.
No. 109-62, Sec. 101 (Sept. 8, 2005).
[3] We considered potentially fraudulent purchases to be those which
were unauthorized and intended for personal use. The transactions we
determined to be improper are those purchases intended for government
use, but are not for a purpose that is permitted by law, regulation, or
policy. We also identified as improper a number of purchases made on
the same day from the same vendor, and which appeared to circumvent
cardholder single transaction limits or bidding requirements. We
defined abusive transactions as those that may be authorized, but the
items purchased were at an excessive cost or were not needed by the
government, or both. Questionable transactions could be improper or
abusive but for which there is insufficient documentation to conclude
either.
[4] A split payment occurs when a cardholder splits a transaction into
more than one segment to circumvent the requirement to obtain
competitive prices for purchases over the $2,500 micropurchase
threshold (in the case of Hurricanes Katrina and Rita, a micropurchase
threshold of up to $250,000) or to avoid other established credit
limits.
[5] Because we believe DHS's draft manual, Department of Homeland
Security Purchase Card Manual (Washington, D.C.: Mar. 8, 2004) is
largely consistent with GAO's Audit Guide: Auditing and Investigating
the Internal Control of Government Purchase Card Programs, GAO-04-87G
(Washington, D.C.: Nov. 1, 2003) and Standards for Internal Control in
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C. Nov.
1999), we generally used the draft manual as the criteria against which
we tested internal controls.
[6] On an agencywide basis, 2,150 cardholders, or over 20 percent of
DHS's over 9,000 cardholders, were managed by approving officials whose
span of control exceeded the 7:1 cardholder to approving official
internal control as contained in the DHS draft manual.
[7] Federal agency purchase card programs operate under a government
wide GSA SmartPay® master contract. Agency purchase card programs must
comply with the terms of the contract and task orders under which the
agency placed its order for purchase card services.
[8] The GSA offers SmartPay®, a federal government charge card program
that improves travel, purchase, and fleet payment services for federal
employees by simplifying payments and cutting administrative costs.
[9] GSA Advantage, a program offered by the GSA, is a convenient one-
stop shopping source to meet federal agencies' procurement needs by
selecting and listing vendors who may offer the best value.
[10] Using designated sources results in the agency obtaining
reasonable prices or purchasing goods and services that meet other
policy objectives, such as creating jobs and training opportunities for
people who are blind or have other severe disabilities.
[11] As part of GSA's SmartPay® program, contracting banks provide
rebates (refunds) to agencies based on sales volume (payments) and
payment timeliness.
[12] 6.302-2 and 41 U.S.C. § 253(c)(2), state that "[a]n executive
agency may use procedures other than competitive procedures only when .
. . the executive agency's need for the property or services is of such
an unusual and compelling urgency that the Government would be
seriously injured unless the executive agency is permitted to limit the
number of sources from which it solicits bids or proposals." See also
48 C.F.R. § 6.302-2, Unusual and compelling urgency.
[13] DHS's Personal Property Management Directive 565 defines
accountable property as personal property with an initial acquisition
cost at or above a specific threshold, and items designated as
sensitive. These items are to be recorded in the organization's
automated control system. DHS's Capitalization and Inventory of
Personal Property Management Directive 1120 establishes differing
thresholds for tracking accountable property. Generally, DHS requires
its organizational elements to track electronic communications
equipment with a cost greater than or equal to $1,000, information
technology equipment with memory at any cost, and other personal
property with a cost greater than or equal to $5,000.
[14] DLA provides worldwide logistics support for the missions of the
military departments and the Unified Combatant Commands under
conditions of peace and war. It also provides logistics support to
other DOD components and certain federal agencies such as DHS.
[15] GAO's Guide for Evaluating and Testing Controls Over Sensitive
Payments (GAO/AFMD-8.1.2, May 1993) states: "Abuse is distinct from
illegal acts (non-compliance). When abuse occurs, no law or regulation
is violated. Rather, abuse occurs when the conduct of a government
organization, program, activity, or function falls short of societal
expectations of prudent behavior."
[16] According to Coast Guard finance personnel, funds from the Coast
Guard Foundation, Inc. were used to purchase the beer brewing
ingredients. The Foundation is a public nonprofit organization that
provides annual funding to support the men and women of the U.S. Coast
Guard and Coast Guard Academy. The Foundation's fundraising efforts
address needs not met through traditional governmental and military
funding sources. The Foundation supports such activities as a holiday
calling-card program, capital improvements, and education grants.
Although the ingredients were not purchased with appropriated funds,
the resources provided by the Foundation could have been spent for
other purposes, for example educational grants, had they not been used
to brew beer.
[17] The Coast Guard's mission is to protect the public, the
environment, and U.S. economic interest in the nation's ports and
waterways, along the coast, on international waters, or in any maritime
region as required to support national security.
[18] CBP is responsible for protecting U.S. borders in order to prevent
terrorists and terrorists' weapons from entering the U.S. while
facilitating the flow of legitimate trade and travel.
[19] TSA's mission is to protect the nation's transportation systems to
ensure freedom of movement for people and commerce.
[20] FEMA is responsible for preparing the nation for hazards, managing
federal responses and recovery efforts following any national incidents
or disasters, and administering the National Flood Insurance Program.
[21] Major organizational elements include the U.S. Secret Service,
U.S. Coast Guard, Transportation Security Administration, U.S. Customs
and Border Protection, U.S. Citizenship and Immigration Services, U.S.
Immigration and Customs Enforcement, Federal Emergency Management
Agency, Federal Law Enforcement Training Center, and other headquarters-
level entities.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
Homeland Security:
September 15, 2006:
Mr. Gregory Kutz:
Managing Director:
Forensic Audits and Special Investigations:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Kutz:
Thank you for the opportunity to review and comment on the Government
Accountability Office's (GAO's) draft report entitled, Purchase Cards:
Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper
and Abusive Activity (GAO-06-743).
The Department of Homeland Security (DHS) appreciates the effort you
undertook to review our purchase card program. We concur with your
recommendations and have incorporated the relevant changes into our
Purchase Card Manual.
Below, in more detail, is a summary of your recommendations and the
actions that we have already taken or plan to take in the near future.
Recommendation 1: Implement changes to DHS's draft Purchase Card Manual
to include policies and procedures addressing the four areas detailed
below. After implementing the changes, the Purchase Card Manual should
be finalized agencywide.
* Training: Establish policies and procedures that document that all
cardholders have completed the appropriate training. The documentation
should include the date of the training, a description of the training,
and the name of the recipient of the training.
* Independent Receipt and Acceptance: Develop policies and procedures
for the performance and documentation of independent receipt and
acceptance attesting to the receipt of goods or the complete rendering
of services. This documentation would be maintained along with other
required documentation supporting each transaction.
* Accountable Property: Develop policies and procedures to provide
reasonable assurance that highly pilferable assets such as laptop
computers, cell phones, personal digital assistants, memory storage
devices, and other pilferable property acquired with a purchase card
are entered into an accountable property system immediately after being
received. Cardholders should be required to contact accountable
property officers (or others acting in a similar capacity) before
acquiring accountable property, or within a reasonable time thereafter,
so that the property is properly bar coded and tracked in the property
system. This should be completed prior to placement of the asset in
service. The property system should include accurate information on the
location of the asset, the individual responsible for the asset, the
manufacturer's serial number, as well as the agency's unique
identification code for the asset (e.g. a bar code).
* Disciplinary or Administrative Actions: The agency should develop a
range of potential disciplinary and administrative actions that may
occur as a result of a cardholder or others failing to comply with the
policies and procedures in the Purchase Card Manual.
Response:
With respect to training, the following language appears in the
Department's Purchase Card Manual that was issued 9/15/06:
Section 2.1.A.2 "All DHS CHs and all AOs shall successfully complete
the GSA on-line purchase card training program to be supplemented by
DHS-specific training before being issued a purchase card. All CHs and
AOs shall also complete annual refresher training in order to continue
to use purchase cards assigned."
Section 2.1.A.3 "In addition to training requirements above, additional
training is required before CHs and AOs may receive purchase card
authority above the micro-purchase threshold. This training will
include directions for CHs with delegated authority to use the purchase
card as a payment mechanism against established contracts."
Section 3.6.B. "Single purchase limits may not be permanently increased
to exceed $2,500 unless the CH and his/her AO have completed the DHS
simplified acquisition training requirement as stipulated in DHS
Management Directive 0740.2 and specialized authority has been given by
the Chief Procurement Officer or subordinate procurement authority."
Further language was added to Section 2.1.A.4 that: "Certificates of
training will be retained by the OPC for 6 years, 3 months in
accordance with the National Archives and Records Administration
records retention requirements. The certificates will include the name
of the recipient, the date(s) of training and a description (title) of
the training."
With respect to independent receipt and acceptance:
Section 3.8.C.1. has been added to detail requirements for purchase
card receipt and acceptance:
"Receipt occurs when goods that have been ordered are delivered.
Receipt is evidenced by an independent third party (neither the
cardholder, nor the authorizing official) signing or initialing a
receiving report form, commercial shipping document, or packing list to
indicate that the items listed (and only those listed) are present in
the delivery. A copy of the receipt document is maintained for use in
the acceptance process. Acceptance is an official acknowledgment by an
identifiable individual that supplies delivered or services performed
conform to what was ordered or contracted for. Acceptance may be
performed at time of delivery or performance or within five business
days of receipt. The organization(s) responsible for ordering the goods
and services should be the party(s) responsible for accepting them.
Acceptance reports shall be forwarded to the ordering cardholder's
office by the fifth working day after acceptance and should be retained
as documentation based on records retention criteria. The following
information is required on or with a receiving report or delivery
ticket:
Vendor name:
Contract number or other delivery authorization:
Item description, unit of measure, and quantity received Dates of
receipt and acceptance:
Printed name, title, telephone number, mailing address, and signature
(or electronic alternative) of the accepting or approving official.
Cardholders will not certify transactions on their monthly statement
unless they have an email or written acknowledgment of receipt and
acceptance. OPCs may grant waivers in circumstances that do not allow
for segregation of duties. However, but there must be adequate
compensating controls, such as periodic third party reviews of waived
transactions to provide adequate assurance that there is no fraud,
waste or abuse. Waivers and compensating controls must be thoroughly
documented and retained for potential future audits."
With respect to accountable property:
Section 1.1.I.10. Cardholders shall: "Notify a local property officer
before or within a reasonable time after acquiring accountable,
sensitive and/or hazardous personal property so that the property may
be recorded in the proper system of record. This must be completed
prior to placing the asset in service."
Section 3.8.C.2:
"The cardholder must seek out a procurement official to provide input,
guidance, and direction to support purchase card and contract actions
for personal and accountable property, as required in accordance with
the Federal Acquisition Regulation and internal DHS asset management
and inventory standards. See MD 0565, Personal Property Management for
explanation of categories of personal property; to include accountable,
sensitive and hazardous personal property. (Note: certain property that
can easily be stolen or "pilfered" is addressed in MD 0565.) The
cardholder should consult this procurement official about the propriety
of any acquisition about which they are in doubt. The procurement
official should counsel the cardholder on the use of any required
sources or existing contracts that must be used for their purchases.
The cardholder must notify a local property officer (LPO) before or
within a reasonable time after acquiring accountable, sensitive and/or
hazardous personal property so that the property may be recorded in the
proper system of record. This must be completed prior to placing the
property item in service. Cardholders are required to report all costs
of the property to the LPO. This means any cost associated with the
acquisition of the item including, but not limited to, payments to
vendors for freight, handling, storage, design, construction, and
installation. (See Federal Accounting Standards Advisory Board Number 6
for detailed information on acquisition cost.) The cardholder will
provide the LPO with copies of written receipts and invoices (email
copies are acceptable) to document each property transaction. The
cardholder is also responsible for providing documentation of all costs
as referenced above in order for the LPO to record these items
correctly."
With respect to disciplinary or administrative actions:
Section 2.6 "The following discussion pertains to the Department's
civilian employees. Members of the military service, employed by the
United States Coast Guard, are subject to the Uniform Code of Military
Justice and/or other appropriate administrative policies, rules,
regulations or policies which are tailored and applicable to military
personnel. Supervisors are responsible, and will be held accountable,
for failing to monitor purchase card usage consistent with applicable
law, rules, and procedures. Additionally, the DHS Office of the Chief
Financial Officer and the DHS Office of the Inspector General (OIG)
have and will exercise the right to monitor purchase card transactions
on a constant basis. The OIG retains all audit and investigation
authorities. The OIG and the CFO have access to an electronic system to
monitor program operations and transactions on an ongoing basis.
When using the purchase card, a CH must comply with all applicable
statutory and regulatory provisions and federal and DHS prohibitions,
controls, limitations, and approval requirements, with special
attention to section 3.4 of this issuance (which contains examples of
appropriate purchases) and section 3.8 (which covers use). Examples of
unauthorized use or misuse include, but are not limited to, the
following:
1. Using or authorizing the use of the purchase card, for other than
official government business;
2. Violating purchase card policies;
3. Making purchases that do not meet the needs of the Government;
4. Making false statements, submitting altered or false documents, or
knowingly permitting such behavior in relation to the use of a
Government purchase card; or,
5. Negligence in performing official duties related to the use or
approval of Government purchase cards.
Each of these actions may be considered acts of abuse and attempts to
commit fraud against the government, or other types of unacceptable
conduct, or misconduct. Abuse and/or fraud will result in immediate
cancellation of the employee's purchase card. In addition, the CH may
be subject to disciplinary action up to and including termination of
employment. An employee also may be personally liable to the Government
for the amount of any unauthorized transaction and may be subject to
criminal prosecution.
NOTE: In all situations where disciplinary action may be warranted,
before any action is imposed, the servicing Employee Relations office
must be consulted, along with the appropriate legal counsel's office,
and, in some cases, the Office of the Inspector General (OIG) to ensure
consistency and fairness, that facts have been established, and that
employees are given proper due process. "
Recommendation 2: Improve the existing electronic systems to allow
those with oversight responsibilities the ability to determine if
cardholders and approving officials performed their reconciliation and
certifying duties in a meaningful way.
Response:
DHS concurs with this recommendation but must point out that under the
GSA SmartPay contract all electronic systems are provided by the
contracting Bank. Changes in capabilities must be agreed to be
implemented by the Bank based on the contract requirements and are
therefore not necessarily going to be guided by agency requests. The
costs associated with these systems changes sometimes outweigh the
perceived benefit to the Bank of offering additional services. This may
be something that can be negotiated with SmartPay2 scheduled to be bid
in 2008. Our contractor U.S. Bank intends to augment its current
reporting system by replacing the Customer Automation and Reporting
Environment (C.A.R.E.) system with Access On-line sometime in the next
fiscal year. It is not clear what additional capabilities will be
included in this system but we are negotiating with them to add these
capabilities. The current C.A.R.E. system does allow for daily
reconciliations and history reports can be run ad hoc to record
activity, but this requires manipulation of data files and report
creation by OPCs that may be outside their current capabilities. Part
of our retraining effort will also include C.A.R.E. and Access On-line
system training for all card program participants.
Recommendation 3: Conduct a review to determine if adequate resources
are devoted to administering, maintaining, and enforcing the purchase
card program at both the agency level and the organizational element
level. DHS should further develop specific oversight responsibilities
that need to be carried out at both the agency level and at the
organizational element level.
Response:
The Office of the Chief Financial Officer plans to conduct reviews to
determine if adequate resources are devoted to the purchase card
program at both the agency and component level and develop oversight
responsibilities for the program. This will be accomplished by the
establishment of a Management Assurance Team that will conduct regular
reviews of key programs, including the purchase card program.
Recommendation 4: Adopt prudent purchasing practices by entering into
arrangements with dependable sources in the government or vendors who
can provide reasonable pricing for specific goods and services with a
foreseeable demand in the event of an emergency. In anticipation of
future emergencies, DHS should take the following actions:
* Identify specific sources in the federal government or vendors in the
private sector that can reliably supply the necessary goods and
services for DHS to accomplish its mission in emergency situations.
* In the case of vendors in the private sector, negotiate pricing and
delivery terms with these sources using the federal government's
substantial purchasing power so that in a time of crisis DHS will be
able to efficiently obtain the necessary goods and services.
Response:
DHS concurs with the GAO recommendation to procure emergency supplies
and services efficiently from qualified vendors at the best possible
prices. DHS is implementing this recommendation as part of the FEMA Re-
tooling effort by establishing contractual relationships for known
emergency supplies and services prior to a disaster so there should be
fewer unplanned transactions. DHS is participating in the government
wide forum to create standard procedures for emergency contracting and
instituting training consistent with the new procedures, including
training on the use of the Government Purchase Card during emergencies.
These procedures standardize the process for required sources of supply
and provide specific information on contractual vehicles that can be
used to satisfy the emergency requirements. FEMA specifically has
issued a field guide that also includes the required priority for
sources of supply with the necessary information to order against pre
existing contracts where appropriate. DHS Strategic Sourcing
establishes DHS-wide contracting vehicles for commonly purchased
supplies and services. For items such as office supplies, Strategic
Sourcing has created DHS Wall that has demonstrated pricing savings and
prompt delivery terms for standard government supplies. Similar
contract vehicles may be established for emergency items where
appropriate.
Recommendation S: Develop policies and procedures to limit approving
officials' span of control. The number of cardholders and card accounts
that any one approving official is responsible for should be reasonable
and should be established in consideration of the approving official's
other responsibilities. In addition, approving officials should have an
appropriate number of transactions so that they may conduct a thorough
and proper review of supporting documentation for each transaction.
Response:
The following language regarding span of control can be found in the
recently issued Purchase Card Manual:
Section 1.5.G.3. The Organizational Program Coordinator (OPC) shall:
"Determine the number of cardholders managed by each AO (A single
individual may not be an AO for more than 7 CHs, or approve more than
300 transactions a month on a regular basis.)";
Section1.5.H.1 The Approving Official shall: "Provide approval,
validation, oversight, and monitoring of purchase card activity over
their designated cardholders. (A single individual may not be an AO for
more than 7 CHs, or approve more than 300 transactions a month on a
regular basis.)"
Recommendation 6: Continuously monitor and review open accounts to
provide reasonable assurance that only cardholders who have a
documented need to acquire items for the government are issued a
purchase card. Instances where cards have not been used for over a year
should be analyzed to determine if a valid need for the card exists. If
a valid need can not be established, the purchase card should be
suspended or the account closed.
Response:
DHS has contacted U.S. Bank to create a custom monthly report to
capture this information and require monthly review by OPCs.
Thank you again for the opportunity to comment on this draft report and
we look forward to working with you on future homeland security issues.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
[End of Section]
(192192):
FOOTNOTES
[1] GAO, Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable
to Fraudulent, Improper, and Abusive Activity, GAO-06-957T (Washington,
D.C.: July 19, 2006).
[2] GAO, Audit Guide: Auditing and Investigating the Internal Control
of Government Purchase Card Programs, GAO-04-87G (Washington, D.C.:
Nov. 1, 2003).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
