o
'->< OFFICE OF INSPECTOR GENERAL
O \X!/^ I U.S. ENVIRONMENTAL PROTECTION AGENCY
V'V
Financial Management
Risk for EPA's Fiscal Year
2016 Purchase Card and
Convenience Check Program
Warrants an Audit
Report No. 17-P-0113 February 14, 2017
KLgdM 5b7fl TU
1234 Valid Thru 1 2/31/18
JOHN SMITH
SmartPay 2 United States of America
Supporting your mission If misuse suspected, call (800) xxx-xxxx
U. S. GovernmentTax Exempt
-------�
Report Contributors:
Michael Petscavage
Madeline Mullen
Eileen Collins
Abbreviations
EPA U.S. Environmental Protection Agency
FY Fiscal Year
OIG Office of Inspector General
OMB Office of Management and Budget
PNET PaymentNet®
Cover photo: A sample government purchase card. (U.S. General Services Administration)
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
tftD STA/.
* _j-|_
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
February 14, 2017
MEMORANDUM
SUBJECT: Risk for EPA's Fiscal Year 2016 Purchase Card and Convenience Check Program
Warrants an Audit
This is our report on the subject risk assessment conducted by the Office of Inspector General (OIG)
of the U.S. Environmental Protection Agency (EPA). The project number for this risk assessment was
OA-FY16-0229. This report represents the opinion of the OIG and does not necessarily represent the
final EPA position.
Because this report contains no recommendations, you are not required to respond to this report.
However, if you submit a response, it will be posted on the OIG's public website, along with our
memorandum commenting on your response. Your response should be provided as an Adobe PDF file
that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as
amended. The final response should not contain data that you do not want to be released to the public;
if your response contains such data, you should identify the data for redaction or removal along with
corresponding justification.
FROM:
Arthur A. Elkins Jr.
TO:
Donna Vizian, Acting Assistant Administrator
Office of Administration and Resources Management
David Bloom, Acting Chief Financial Officer
Office of the Chief Financial Officer
We will post this report to our website at www.epa.gov/oig.
-------�
Risk for EPA's Fiscal Year 2016 Purchase Card and
Convenience Check Program Warrants an Audit
17-P-0113
Table of C
Purpose 1
Background 1
Responsible Offices 2
Scope and Methodology 2
Results of Risk Assessment 3
Other Noncompliance 4
Action Taken by the Agency 5
Conclusion 5
Appendix
A Distribution 6
-------�
Purpose
The Office of Inspector General (OIG) conducted a fiscal year (FY) 2016 risk
assessment of the U.S. Environmental Protection Agency's (EPA's) purchase card
and convenience check program, as required by the Government Charge Card
Abuse Prevention Act of 2012 and Office of Management and Budget (OMB)
Memorandum M-13-21. Our objective was to assess the risk of illegal, improper
and erroneous purchases made through the agency's purchase card and
convenience check program and determine the nature, timing and extent of testing
necessary.
Background
The Government Charge Card Abuse Prevention Act of 2012, enacted October 5,
2012, requires the Inspector General of each executive agency to conduct periodic
assessments of its agency's purchase card or convenience check programs. The
assessments are conducted to identify and analyze risks of illegal, improper or
erroneous purchases and payments. The assessments are used to determine the
scope, frequency and number of audits of purchase card or convenience check
transactions. OMB M-13-21, issued September 6, 2013, clarified "periodic" to be
annually, at a minimum.
According to EPA reports, for the first 9 months of FY 2016, the EPA had a total
of 38,928 purchase card and convenience transactions totaling $19,048,218.
The EPA OIG has issued several reports on purchase cards and convenience
checks:
• On March 4, 2014, the EPA OIG issued a report, Ineffective Oversight of
Purchase Cards Results in Inappropriate Purchases at EPA, Report No.
14-P-0128. The report found that the EPA did not provide effective
oversight to ensure that purchase card holders and approving officials
comply with internal control procedures. Of $152,602 in sampled
transactions, $79,254 was for prohibited, improper and erroneous
purchases. The OIG made seven recommendations, involving regular
transaction reviews, training, agencywide standard operating procedures,
and revisions to the Contracts Management Manual. The EPA reported
that all corrective actions were completed.
• On March 29, 2016, the EPA OIG issued a report, EPA's Fiscal Year 2015
Purchase Card and Convenience Check Program Assessed as Low Risk,
Report No. 16-P-0124. assessing the risk as low. This was based on the
EPA's recently strengthened internal controls. The OIG made no
recomm endati ons.
17-P-0113
1
-------�
Responsible Offices
The Office of Acquisition Management, within the EPA's Office of
Administration and Resources Management, is responsible for implementing and
overseeing the EPA's purchase card and convenience check program. The EPA's
Office of the Chief Financial Officer is responsible for the distribution of bank
rebates, and provides support for financial aspects of the program.
Scope and Methodology
We conducted this risk assessment from July through November 2016 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the work to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our objective.
To assess the risk for the EPA's purchase card and convenience check program,
we performed the following:
• Reviewed applicable laws and EPA purchase card policies and procedures.
• Followed up on the March 2014 EPA OIG audit recommendations for
EPA purchase cards.
• Judgmentally selected 18 transactions, totaling $48,345, and obtained
documentation from PaymentNet® (PNET), the vendor bank's system,
and the EPA's Acquisition System. We tested the effectiveness of
14 internal controls of EPA's Acquisition Guide and EPA's Agency-wide
Purchase Card Standard Operating Procedures, PNET Purchase Card
Automation Process. We conducted follow-up with the Office of
Acquisition Management for missing documentation. We selected three
transactions from each of the following transaction groups:
o At large, based upon review of vendor names,
o Blocked Merchant Category Codes.1
o Restricted transactions (based upon vendor name),
o Transactions $3,500 or above,
o Third-party processors,
o Convenience checks.
1 Merchant Category Codes are the four-digit codes used to identify types of business a merchant conducts (such as
gas stations, restaurants, airlines). The EPA blocked certain codes to prevent transactions considered to be high risk.
17-P-0113
2
-------�
• Interviewed EPA staff and management involved with purchase card
oversight, as well as those involved with purchase card rebates.
Results of Risk Assessment
We assessed that the risk of illegal, improper and erroneous purchases for the
EPA's purchase card and convenience check program is high enough to warrant
an audit because of noncompliance with existing internal controls. OMB Circular
A-123, Appendix B, prescribes policies and procedures to maintain internal
controls to reduce the risk of fraud, waste and error in the government charge card
program.
Tested Transactions Did Not Comply With Internal Controls
As a result of the transaction testing, we found that none of the 18 transactions
complied with all tested internal controls. For example, one transaction did not
comply, or compliance could not be verified, with the following tested internal
controls:
• Approving official did not give prior approval as required.
• Records were not placed in PNET as required.
• An acquisition professional card holder was not used for a restricted
transaction as required.
• Cost was not allocated within 10 days of receipt as required.
• The transaction was not reviewed by the card holder within 10 days of
posting as required.
Two of the 18 transactions tested, totaling $14,985, were advance payments for
fitness memberships.2 Comptroller General Decision B-288013, dated
December 11, 2001, notes advance payment of fitness memberships prior to the
employees' use of the facilities, when the government could have requested
monthly invoices, violates the advance payment provisions of 31 United States
Code, Section 3324.
Three of the 18 transactions tested were to vendors whose Merchant Category
Codes were blocked by the EPA. The EPA blocked certain Merchant Category
Codes to prevent transactions considered to be high risk, as those transactions
require closer scrutiny. To complete the purchase, card holders must submit
supporting documentation for review and override. According to the card holders
involved, only one of the three tested transactions was declined by the bank as
intended and, subsequently, required the card holder to request an override from
2 Comptroller General Decision B-240371, dated January 18, 1991, states that appropriated funds can be used to
establish health fitness programs, but the purchase of fitness club memberships for the use of employees on a
continuing basis should be undertaken only when all other resources have been considered and rejected, and when
employee use of the program will be carefully monitored as part of a bona fide preventive program related to health.
17-P-0113
3
-------�
the EPA Office of Acquisition Management. As a result, we concluded that the
internal control of blocking Merchant Category Codes does not work.
Review of Card Holder Transaction Reports Not Documented
The EPA Acquisition Guide states that the Purchase Card Team regularly reviews
individual card holder transaction reports. A Purchase Card Team member
explained, that on a weekly basis, she reviews individual card holder transactions
when she receives notices of lapsed training or when card holders call with
questions. She will tell the card holders when documents are missing, but these
reviews are not documented.
Other Noncompliance
We noted other instances of noncompliance that did not affect the risk of illegal,
improper and erroneous purchases, but we are nonetheless reporting them.
Not All Rebate Information Is Reviewed for Accuracy
The Government Charge Card Abuse Prevention Act of 2012 requires safeguards
and internal controls for the management of purchase cards. One of these required
safeguards/internal controls pertains to rebates and refunds. The act requires that
rebates and refunds based on prompt payment, sales volume or other actions be
reviewed for accuracy and properly recorded as a receipt to the EPA. We found the
agency was not reviewing all of the rebate information for accuracy. Specifically,
the agency was not reviewing the sales volume amount, sales refund rate, and
productivity refund rebate adjustment percentage to determine whether the numbers
used by the bank in determining the refund amounts were accurate.
Rebates Are Returned to Offices, Not Necessarily to Appropriations
The Treasury Financial Manual, Section 4530, Agency Refunds, states refunds
must be returned to the appropriation or account from which the purchase was
made that generated the refund (unless statutory authority allows refunds to be
used for other purposes). The EPA did return rebates to the responsible planning
implementation office from which the transactions were paid. The responsible
planning implementation offices decide, at least annually, which appropriations
they want rebates to be returned to—not necessarily to the original appropriation.
The EPA's rebate process does not include a step to assure that rebates are
returned to original appropriations as required.
Agency Did Not Have a Policy Regarding Number of Purchase Cards
The Government Charge Card Abuse Prevention Act of 2012 requires agencies to
have specific policies regarding the number of purchase cards issued by various
components; and categories of component organization, credit limits of various
17-P-0113
4
-------�
categories of card holders, and categories of employees eligible to be issued
purchase cards. The EPA did not have a specific policy. The EPA has a
moratorium on the issuance of new purchase card and convenience check
accounts, with some exceptions. According to the EPA, new account requests are
reviewed to determine that new account is justified and mission critical.
Action Taken by the Agency
On November 15, 2016, we informed the agency of noncompliance with the
tested internal controls. On November 17, 2016, the agency reminded card
holders and approving officials in an email of the recordkeeping requirements,
including timeframes for updating information and uploading documentation into
PNET or the EPA Acquisition System. In addition, the email reminded card
holders of the requirement for timely cost allocation.
Conclusion
In accordance with the requirements of the Government Charge Card Abuse
Prevention Act of 2012, we determined that the EPA's compliance with internal
controls was lacking. As a result, we plan to conduct an audit of the purchase card
and convenience check program for FY 2017.
17-P-0113
5
-------�
Appendix A
Distribution
The Administrator
Assistant Administrator for Administration and Resources Management
Chief Financial Officer
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Assistant Administrator for Administration and Resources Management
Director, Office of Acquisition Management, Office of Administration and
Resources Management
Director, Office of Resources, Operations and Management, Office of Administration and
Resources Management
Deputy Director, Office of Resources, Operations and Management, Office of Administration
and Resources Management
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Administration and Resources Management
Audit Follow-Up Coordinator, Office of the Chief Financial Officer
Audit Follow-Up Coordinator, Office of Acquisition Management, Office of Administration and
Resources Management
17-P-0113
6
-------� |