Controls over the Board's Purchase Card Program Can Be Strengthened

Appendix A Scope and Methodology

To accomplish our objectives, we reviewed the Board's Acquisition policy, Purchase Card Procedures, and relevant administrative documentation to gain detailed knowledge of program operations. We interviewed the program coordinator and his staff responsible for managing the Board's purchase card program to obtain information on program operations and controls. We also spoke with JPMC personnel to get an understanding of administrative reports available through PaymentNet, JPMC's Electronic Access System. We did not review individual division processes or procedures that may exist for obtaining approval prior to making purchase card transactions. Based on the information we gathered and our understanding of the Board's purchase card program, we developed detailed summaries of the program's processes and procedures and identified relevant controls to test during our fieldwork.

The scope of our review included transactions made from December 31, 2010, to January 1, 2012. We assessed the effectiveness of controls for issuing cards, ensuring proper use, and detecting and preventing unauthorized transactions, as well as controls for cardholder compliance, by conducting the following tests:

• We reviewed e-mail requests and training records for all nine new accounts opened during 2011 to verify the process for issuing cards.
• We compared the Board's personnel records to the account status in PaymentNet to verify the process for canceling cards.
• We reviewed invoices and transaction logs for a judgmentally selected sample of 362 of the 7,325 purchases (approximately 5 percent) made by 25 cardholders to ascertain whether cardholders complied with procedures for recording, reconciling, and allocating purchases and whether they properly used the cards.
• We used JPMC's Transaction Detail report to identify single purchases greater than $5,000 and reviewed all available supporting documentation for all six transactions identified to determine whether cardholders followed proper procedures.
• We conducted a survey of a judgmentally selected sample of 49 of the 92 cardholders, and we evaluated the 37 survey responses received to determine how often cardholders received refresher training.
• We conducted a survey of a judgmentally selected sample of 24 of the 46 approving officials, and we evaluated the 18 survey responses received to determine whether approving officials received training on their responsibilities.
• We evaluated the types of MCCs that the Board allows, flags, and blocks to detect and prevent unauthorized or fraudulent transactions.
• We inspected JPMC's PaymentNet report listing to identify reports available for detecting possible unauthorized and fraudulent transactions.
• We inspected all five of the program coordinator's cardholder reviews to assess compliance with oversight responsibilities.

We began fieldwork in November 2011 and concluded in November 2012. We performed our work in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained during the audit provides a reasonable basis for our findings and conclusions based on our objectives.