£ g% *
V PR0^°
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
L/.S. Chemical Safety Board
CSB's Fiscal Year 2014
Purchase Card Program
Assessed as High Risk
Report No. 15-N-0171
June 29, 2015
Scan this mobile
code to learn more
about the EPA OIG.
-------�
Report Contributors:
Cara Lindsey
Gloria Taylor-Upshaw
Michael D. Davis
Abbreviations
CSB U.S. Chemical Safety and Hazard Investigation Board
FY Fiscal Year
GSA U.S. General Services Administration
OIG Office of Inspector General
OMB Office of Management and Budget
Are you aware of fraud, waste or abuse in an
EPA or CSB program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.qov
More information at www.epa.qov/oiq/hotline.html.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (241OT)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoiq
Send us your Project Suggestions
-------�
X^£D S7/W
U.S. Environmental Protection Agency 15-N-0171
' ^L\ Office of Inspector General June 29,2015
*32/ - -
At a Glance
Why We Did This Review
The Government Charge Card
Abuse Prevention Act of 2012
requires the Inspector General
of each executive agency to
conduct periodic assessments
of the agency purchase card or
convenience check programs.
Risk assessments should
identify and analyze risks of
illegal, improper or erroneous
purchases and payments.
These risk assessments are
used to determine the scope,
frequency and number of
periodic audits of purchase
card or convenience check
transactions.
As the Inspector General for
the U.S. Chemical Safety and
Hazard Investigation Board
(CSB), our objective was to
perform a risk assessment of
agency purchase cards usage,
as required by the act.
This report addresses the
following CSB goal:
• Preserve the public trust by
maintaining and improving
organizational excellence.
CSB's Fiscal Year 2014 Purchase Card Program
Assessed as High Risk
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.gov/oia.
The full report is at:
www.epa.gov/oig/reports/2015/
20150629-15-N-0171.pdf
What We Found
Our risk assessment determined that CSB's
fiscal year (FY) 2014 purchase card program
was at high risk for illegal, improper or
erroneous purchases and payments. The
program did not meet federal requirements.
CSB's purchase card program had the following
deficiencies:
CSB's $280,000 purchase
card program for FY 2014 was
assessed as high risk for
illegal, improper or erroneous
purchases and payments.
• CSB did not have a written Charge Card Management Plan until November
2014. CSB was unaware of the requirement to submit its plan to the Office
of Management and Budget by the required January 2014 deadline.
• CSB's management made assurances it had the appropriate policies and
controls in place for purchase cards in FY 2014, but CSB did not establish
written policies and controls in a management plan until FY 2015.
• CSB's management plan did not identify all key management officials.
• CSB's management plan did not contain the required compliance summary
and internal control assurance assessment.
• CSB did not obtain prior written supervisory approvals for purchases.
Because CSB's purchase card program is at high risk for illegal, improper or
erroneous purchases and payments, we will conduct an audit of CSB's purchase
card program in FY 2016.
In response to our draft report, CSB agreed that it did not timely submit a
Charge Card Management Plan to the Office of Management and Budget by the
required deadline, and did not include the compliance summary in its
management plan. CSB has also agreed that it did not obtain prior written
supervisory approval for some purchases.
However, CSB disagrees that it certified controls without written internal policies
and procedures. CSB maintains that it follows the Bureau of the Fiscal Service's
purchase card procedures and the management plan formalized CSB's
longstanding purchase card procedures. We did not find evidence that CSB staff
were made aware that there were no agency-specific policies and therefore they
were required to follow Bureau of the Fiscal Service guidance. CSB also
disagrees that the management plan did not identify key management officials.
We believe that the CSB Managing Director approves funding for all purchase
card transactions and should be listed as a key management official.
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
June 29, 2015
The Honorable Mark Griffon
The Honorable Manuel Ehrlich Jr.
The Honorable Rick Engler
Board Members
U.S. Chemical Safety and Hazard Investigation Board
2175 K Street, NW, Suite 400
Washington, D.C. 20037-1809
Dear Board Members:
This report addresses the requirement to complete a risk assessment of the U.S. Chemical Safety and
Hazard Investigation Board's charge card program. This report represents the position of the results of
the risk assessment conducted by the Office of Inspector General (OIG) of the U.S. Environmental
Protection Agency.
Action Required
Because this report has no recommendations, you are not required to respond to this report. However, if
you submit a response, it will be posted on the OIG's public website, along with our comment on your
response. Your response should be provided as an Adobe PDF file that complies with the accessibility
requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should
not contain data that you do not want to be released to the public; if your response contains such data,
you should identify the data for redaction or removal along with corresponding justification.
We will post this report to our website at http://www.epa.gov/oig.
Sincerely,
Arthur A. Elkins Jr.
-------�
CSB's Fiscal Year 2014 Purchase Card Program
Assessed as High Risk
15-N-0171
Table of C
Purpose 1
Background 1
Scope and Methodology 3
Results of Risk Assessment 4
CSB Did Not Timely Submit a Charge Card Management Plan to OMB 4
CSB Certified Controls Without Written Internal Policies and Procedures 4
CSB's Management Plan Did Not Identify All Key Management Officials 5
Compliance Summary Was Not Included in Management Plan 5
CSB Did Not Obtain Prior Written Approval for Purchases 5
Conclusion 6
CSB Response and OIG Evaluation 6
Appendices
A CSB Response to Draft Report 7
B Distribution 10
-------�
Purpose
As the Inspector General for the U.S. Chemical Safety and Hazard Investigation
Board (CSB), our objective was to conduct a risk assessment of agency purchase
cards usage, as required by the Government Charge Card Abuse Prevention Act
of2012.
Background
CSB is an independent federal agency charged with investigating industrial
chemical accidents. Headquartered in Washington, D.C., the agency's board
members are appointed by the President and confirmed by the Senate. CSB is
authorized by the Clean Air Act Amendments of 1990 and became operational in
January 1998.
CSB has an interagency agreement with the U.S. Bureau of the Fiscal Service's
Administrative Resource Center that provides a full range of procurement
services, including services related to purchase cards. The bureau is part of the
U.S. Department of the Treasury. CSB follows the bureau's purchase card
guidance, which all cardholders must read and certify that they understand. The
bureau's guide instructs employees on the proper use of government purchase
cards. From fiscal years (FY) 2013 to 2014, CSB had 1,255 purchase card
transactions that totaled over $500,000 for combined fiscal years.
On October 5, 2012, the President signed into law the Government Charge Card
Abuse Prevention Act of 2012 (Charge Card Act), which reinforced
administrative efforts to prevent waste, fraud and abuse of governmentwide
charge card programs. Consistent with existing guidance from the Office of
Management and Budget (OMB), the Charge Card Act requires all executive
branch agencies to establish and maintain safeguards and internal controls for
purchase cards, travel cards, integrated cards and centrally billed accounts. The
guidance also states that the Inspector General will conduct periodic risk
assessments of agency purchase cards, combined integrated card programs, and
travel card programs to analyze the risks of illegal, improper or erroneous
purchases. An Office of Inspector General (OIG) will use these risk assessments
to determine the necessary scope, frequency and number of Inspector General
audits or reviews that it needs to conduct of these programs
OMB Memorandum M-13-21, Implementation of the Government Charge Card
Abuse Prevention Act of 2012, dated September 6, 2013, states:
To ensure compliance with the Charge Card Act, as of
September 30, 2013, each agency head shall provide an annual
certification that the appropriate policies and controls are in place
or that corrective actions have been taken to mitigate the risk of
fraud and inappropriate charge card practices. The annual
15-N-0171
1
-------�
certification should be included as part of the existing annual
assurance statement under the Federal Managers' Financial
Integrity Act of 1982 (31 U.S.C. 3512 (d)(2)). In addition, each
agency will continue to maintain and annually submit Charge Card
Management Plans no later than January 31, as required by OMB
Circular A-123, Appendix B.
Based upon OMB Circular A-123, Appendix B, Revised, Improving the
Management of Government Charge Card Programs, dated January 15, 2009, the
elements required in the charge card management plan are:
• Identification of key management officials and their responsibilities for
each charge card program. These officials will include, but are not limited
to, Agency/Organization Program Coordinator, Approving Officials or
other equivalent officials, and other accountable/billing officials.
• Establishment of a process for formal appointment of cardholders and
approving officials, where applicable.
• Implementation of a process to ensure the credit worthiness of new charge
card applicants consistent with Chapter 6 of this guidance.
• Description of agency training requirements.
• Management controls, policies and practices for ensuring appropriate
charge card and convenience check usage and oversight of payment
delinquencies, fraud, misuse or abuse.
• Establishment of appropriate authorization controls.
• Implementation of policies and practices to ensure strategic sourcing
consistent with Chapter 8 of this guidance.
• Explanation of how available reports and data are used for monitoring
delinquency, misuse, performance metrics, spend analysis, and other
relevant transactions and program management issues.
• Documentation and record retention requirements.
• Recovery of charge cards and other documentation when employees
terminate employment, and, if applicable, when an employee moves to a
different organization.
• Description of how the agency will ensure the ongoing effectiveness of the
actions taken pursuant to the guidance, including, but not limited to,
evaluating the effectiveness of training (Chapter 3), risk management
controls (Chapters 4 and 6), refund management controls (Chapter 7),
strategic sourcing policies (Chapter 8), and tax recovery efforts (Chapter 11).
The OMB Memorandum M-13-21 states that, at a minimum, all agency Charge
Card Management Plans shall be reviewed and updated, as necessary, to reflect
the following internal control activities to:
• Prevent an individual from being reimbursed for a bill already paid by the
government, by ensuring that agency officials who approve or settle
official travel verify that charges paid directly by the government to the
15-N-0171
2
-------�
bank are not also reimbursed to an employee or an employee's
individually billed account.
• Prevent the government from spending money on unused tickets by
verifying the agency submits requests to servicing common carriers for
refunds of fully or partially unused tickets, and tracks the status of these
tickets to ensure resolution.
• Deter employee misuse of government cards by implementing penalties
for charge card violations that are jointly developed by agency charge card
management and human resource components. These penalties will
include salary offset for instances of personal liability, and disciplinary
actions for a cardholder or approving official's illegal, improper or
erroneous purchases made with a purchase card, convenience check,
integrated card or travel card. Disciplinary actions should include
dismissal, as appropriate. The plan will define and apply appropriate and
consistent employee disciplinary procedures, and comply with joint
external reporting required of the Inspector General and agency
management.
The U.S. General Services Administration (GSA), Federal Acquisition Service,
Smart Bulletin No. 021, OMB Memorandum M-13-21 and Charge Card
Compliance Summary, dated November 18, 2013, provides a summary of the
requirements in OMB Memorandum M-13-21. Further, it provides
Agency/Organization Program Coordinators with a copy of the compliance
summary document addressed in the memorandum. Agencies were to summarize
their overall results in their completed compliance summary and internal control
assurance assessments in their annual Charge Card Management Plans, beginning
with the January 31, 2014, submission to OMB. The compliance summary should
also be available for review by the Inspector General.
Scope and Methodology
The work performed in this risk assessment does not constitute an audit conducted
in accordance with generally accepted government auditing standards, issued by
the Comptroller General of the United States. We conducted this risk assessment
from November 2014 to May 2015.
To perform an assessment of CSB purchase card usage and determine the risk,
we reviewed CSB's charge card management plan and sampled purchase card
transactions. We interviewed, held discussions with and exchanged emails with
CSB officials.
We judgmentally selected five purchase card transactions to review from CSB's
1,255 transactions from October 2012 to September 2014. Two transactions were
selected from the higher-value purchases and two from purchases with negative
values due to returned items. We also selected a vendor with multiple purchases
that totaled over $4,000.
15-N-0171
3
-------�
Results of Risk Assessment
Our risk assessment identified five areas in which CSB's purchase card program
was deficient:
• CSB did not have a written Charge Card Management Plan until
November 2014. CSB was unaware of the requirement to submit its plan
to OMB by the required January 2014 deadline.
• CSB's management made assurances it had the appropriate policies and
controls in place for purchase cards in FY 2014, but CSB did not actually
establish written policies and controls in a management plan until FY 2015.
• CSB's management plan did not identify all key management officials.
• CSB's management plan did not contain the required compliance
summary and internal control assurance assessment.
• CSB did not obtain prior written supervisory approvals for purchases.
Based on these identified deficiencies, we determined CSB's purchase card
program is high risk for illegal, improper or erroneous purchases and payments
requiring an annual audit.
CSB Did Not Timely Submit a Charge Card Management Plan to OMB
According to OMB Memorandum M-13-21, each agency will continue to
maintain and annually submit Charge Card Management Plans no later than
January 31, as required by OMB Circular A-123, Appendix B. However, CSB did
not submit its Charge Card Management Plan to OMB by the January 31, 2014,
deadline. In our notification letter, dated November 6, 2014, we requested a copy
of CSB's Charge Card Management Plan, and CSB provided an unsigned copy of
the plan to the OIG on November 18, 2014. According to CSB, this was its first
written Charge Card Management Plan and the document was provided as
submitted to OMB. CSB stated it was not aware of any other written policies or
procedures regarding charge cards and their use. On February 2, 2015, CSB
submitted its FY 2015 Charge Card Management Plan to OMB.
CSB Certified Controls Without Written Internal Policies and
Procedures
As part of CSB's 2014 Performance and Accountability Report, CSB's
management made assurances that its internal management control system will:
help provide assurance that obligations and costs comply with applicable law;
assets are safeguarded against waste, loss and unauthorized use or
misappropriation; and revenues and expenditures are properly accounted for and
recorded. This includes appropriate policies and controls to mitigate the risk of
fraud and inappropriate charge card practices. CSB stated that it follows Bureau
of the Fiscal Service guidance for purchase cards. However, we found that CSB
15-N-0171
4
-------�
did not have any internal written policies and procedures regarding purchase cards
in FY 2014.
CSB's Management Plan Did Not Identify All Key Management
Officials
CSB's Charge Card Management Plan submitted to the OIG in November 2014
covers all the elements required by OMB Circular A-123, Appendix B, Section 2.3.
One element of the management plan requires the identification of key
management officials and their responsibilities for each charge card program.
These officials are to include the Agency/Organization Program Coordinator,
Approving Officials or other equivalent officials, and other accountable/billing
officials.
The CSB's Charge Card Management Plan key personnel list was incomplete.
A CSB official (the Managing Director) who approved funding for purchase card
transactions was not listed as a key management official. Furthermore, this
approving official did not obtain the required charge card management training.
According to OMB Circular A-123, Appendix B, Section 3.3, all program
participants—including cardholder, charge card manager and other
accountable/billing officials—must be trained in charge card management.
Compliance Summary Was Not Included in Management Plan
According to OMB Memorandum M-13-21, GSA developed a compliance
assessment tool to help document whether the required safeguards are in place.
The tool requires completion of an internal control assurance assessment with the
results documented in a compliance summary. The compliance summary is to be
submitted to OMB annually starting in January 2014 and should be available for
Inspector General review. CSB did not complete the compliance summaries and
internal control assurance assessment in the Charge Card Management Plan
provided to the OIG in November 2014. CSB was unaware of the requirement for
the compliance summary and assurance assessment. However, once we identified
this deficiency, CSB included a compliance summary in its FY 2015 Charge Card
Management Plan submitted to OMB on February 2, 2015.
CSB Did Not Obtain Prior Written Approval for Purchases
The Bureau of the Fiscal Service's guide states in Section 5, Use of the Purchase
Cards, paragraph 2, that the cardholder must ensure proper use of the purchase
card. This includes documenting funds availability prior to purchase, maintaining
a purchase log, receiving prior approval of the purchase from the Approving
Official, and reconciling the monthly e-statements. Of the five purchase card
transactions reviewed, we found that for one transaction, the check date was
before the supervisory approval date. Another transaction noted the invoice and
payment dates were before the supervisory approval date. CSB stated that
cardholders occasionally make purchases before obtaining written approval.
15-N-0171
5
-------�
Conclusion
Based on our risk assessment of CSB's purchase card program, we have
determined that CSB is at high risk of illegal, improper or erroneous purchases
and payments made through its $280,000 purchase card program for FY 2014.
We made this determination due to CSB not having a written Charge Card
Management Plan until November 2014 and not being aware of the January 2014
deadline to submit the plan to OMB. We also noted charge card plan deficiencies
and the need for supervisory approvals on transactions. As such, we will conduct
an audit of CSB's purchase card program in FY 2016.
CSB Response and OIG Evaluation
In response to our draft report, CSB agreed with our results for the Charge Card
Management Plan submission, the compliance summary, and the need to have
prior written approval for purchases.
CSB disagreed that it certified controls without written internal policies and
procedures. CSB further stated that the OIG implied that the written Charge Card
Management Plan needed to be the basis for certifying controls. CSB stated that its
plan formalized its longstanding purchase card procedures, the Bureau of the Fiscal
Service annually reviews charge card program activities, and the bureau has not
identified problems with charge card program controls. According to OMB Circular
A-123, Appendix B, Revised, Section 2.1, each agency must develop and maintain
written policies and procedures for the appropriate use of charge cards consistent
with the requirements of this guidance. During our risk assessment, CSB stated that
it did not have internal written policies and procedures for purchase cards. In
addition, we did not find evidence that CSB staff were made aware that there were
no agency-specific policies and therefore they were required to follow Bureau of
the Fiscal Service guidance.
CSB disagreed that its management plan did not identify all key management
officials. CSB stated that its plan does not identify the Managing Director because
he does not serve as an approving official for the charge card program. The
Bureau of the Fiscal Service's guide states in Section 5, Use of the Purchase
Cards, paragraph 2, that the approving official must ensure government funds are
available prior to granting purchase approval. It is our position that since the
Managing Director approves funding for all purchase card transactions, he is an
integral part of CSB's purchase card program. Therefore, the Managing Director
should be listed as a key management official and attend the required charge card
management training.
CSB's complete response to our draft report is in Appendix A.
15-N-0171
6
-------�
Appendix A
CSB Response to Draft Report
U.S. Chemical Safety and
Hazard Investigation Board
2175 K Street, NW • Suite 650 • Washington, DC 20037-1809
Phone: (202) 261-7600 • Fax: (202) 261-7650
www.csb.gov
Mark Griffon
Board Member (Interim Chairperson)
Manny Ehrlich, Jr.
Board Member
Rick Engler
Board Member
May 27, 2015
Mr. Kevin Christensen
Assistant Inspector General for Audits
Office of Inspector General
U.S. Environmental Protection Agency
1200 Pennsylvania Avenue, N.W.,
(241OT) Washington, DC 20460
Dear Mr. Christensen:
Thank you for the opportunity to review and comment on the draft report on the
CSB's purchase card program. As a general matter, we agree with you that purchase
card programs (regardless of agency) are at a high risk for illegal, improper or
erroneous purchases and payments. As you know, the CSB identifies the purchase
card program as a high risk area to OIG financial auditors each year. To mitigate
these inherent risks with purchase cards, the CSB has internal controls over the
program and follows guidance from the Treasury Department's Bureau of the Fiscal
Service (BFS). The existing guidance and controls are now formally documented in
the Charge Card Management Plan provided to your office in November 2014.
Although the CSB believes purchase card programs are inherently high risk we are
concerned that your report is misleading because it does not recognize CSB efforts
that have successfully mitigated the risks. In addition the report leaves the erroneous
impression that the CSB's program may be at higher risk than other such programs
across the government. The BFS conducts detailed annual reviews of CSB purchase
card activities, which are complimentary of CSB's purchase card program. In fact, for
FY 2014 BFS reported:
Overall, the purchases were well documented and necessary for the
completion of CSB's mission. We would like to express our
appreciation for your management support to ensure the purchase
cards are used appropriately and the related procedures are followed.
15-N-0171 7
-------�
We are very impressed at how well the cardholders are maintaining
their supporting documentation and the forms that they are required
to complete. The documentation provided was very organized. Keep up
the good work!
The CSB acknowledges it was not timely in submitting its Charge Card Management
Plan to OMB, and that we can make improvements to the plan. However, this should not
overshadow the fact that CSB runs an effective charge card program, and that no
improper use of the purchase cards was identified. The attachment addresses the specific
concerns raised in your draft report. If you or your staff have any questions about this
response, please feel free to contact Anna Brown, Audit Liaison, at 202-261-7639.
Sincerely,
/S/
Mark Griffon
Board Member
15-N-0171
8
-------�
Specific OIG Concerns and CSB Responses
OIG Concern
CSB Response
CSB Did Not Timely
Submit a Charge Card
Management Plan to OMB
Agree. The CSB did not formally document its longstanding
purchase card procedures until we prepared the written charge
card plan in November 2014. The plan was submitted to OMB on
February 2, 2015.
CSB Certified Controls
Without Written Internal
Policies and Procedures
Disagree. The OIG implies that the written Charge Card
Management Plan needed to be the basis for certifying controls.
However, this plan formalized CSB's longstanding purchase card
procedures to:
• Follow BFS purchase card procedures;
• Issue memos with monthly statements to cardholders
and their supervisors that spells out the cardholder and
supervisor's responsibilities. The memos reiterated the
process to ensure that charges were authorized,
approved, and properly documented; and
• Have every transaction on monthly statements
reviewed and approved by financial operations staff
who serve as charge card approving officials, and do
not hold or issue purchase cards.
In addition, BFS annually reviews charge card program activities
which have not identified problems with charge card program
controls.
CSB's Management Plan
Did Not Identify All Key
Management Officials
Disagree. The Charge Card Management Plan identifies key
management officials and their responsibilities for the charge card
program. CSB's plan does not identify the Managing Director
because he does not serve as an approving official for the charge
card program.
Compliance Summary
Was Not Included in
Management Plan
Agree. The compliance summary was not included in the
November 2014 Management Plan. However, the compliance
summary was included in the plans submitted to OMB on
February 2, 2015.
CSB Did Not Obtain Prior
Written Approval for
Purchases
Agree. The CSB is aware that cardholders occasionally make
purchases before obtaining written approval. We will reiterate to
cardholders and supervisors the importance of prior written
approval. However, we note that even when cardholders did not
receive prior approval, all purchases were ultimately approved
and were determined to have been proper.
15-N-0171
9
-------�
Appendix B
Distribution
Board Members, U.S. Chemical Safety and Hazard Investigation Board
Managing Director, U.S. Chemical Safety and Hazard Investigation Board
General Counsel, U.S. Chemical Safety and Hazard Investigation Board
Director of Administration and Audit Liaison, U.S. Chemical Safety and Hazard
Investigation Board
Finance Director, U.S. Chemical Safety and Hazard Investigation Board
Communications Manager, U.S. Chemical Safety and Hazard Investigation Board
15-N-0171
10
-------� |