Skip to Navigation
Skip to Main content
OIG Home
OIG Home

IN THIS SECTION

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

CFPB Report: 2013-AE-C-017 September 30, 2013

The CFPB Should Strengthen Internal Controls for Its Government Travel Card Program to Ensure Program Integrity

available formats

Appendix A Scope and Methodology

Our overall objective for this audit was to determine the effectiveness of the CFPB's internal controls for its GTC program. Specifically, we assessed compliance with policies and procedures, and we assessed whether internal controls were designed and operating effectively to (1) prevent and detect fraudulent or unauthorized use of travel cards and (2) provide reasonable assurance that cards are properly issued, monitored, and closed out. The scope of our audit included travel card data from May 1, 2012, to April 30, 2013.

To accomplish our overall objective, we reviewed the CFPB's Travel Card policy, the draft internal procedures, and the Summary of Travel Policy Clarifications and Changes. We also reviewed the FTR, the Charge Card Act, GAO's Standards for Internal Control in the Federal Government, and other relevant documentation pertaining to the travel card program. We interviewed the Travel Office manager and staff to obtain information on the program's operation and internal controls. We also spoke with BPD ARC officials to gain an understanding of BPD ARC's roles and responsibilities. We obtained data from the CFPB's Travel Office and its OHC, the GovTrip Travel System, and the CCRS.

We did not have direct access to the GovTrip Travel System; therefore, we relied on the CFPB to extract and provide to us requested documentation. We observed Travel Office staff as they extracted documentation from the GovTrip system for our sample selections. We verified the accuracy and completeness of the documentation from GovTrip by tracing data to source documents. CFPB officials noted that the agency is in the process of replacing the GovTrip system with another travel system and that it will consider incorporating a requirement that would permit the OIG direct access to the system to facilitate future audits of the GTC.

For all sample selections, our findings could not be projected to the entire population because we did not use statistical sampling. However, we believe that the evidence obtained from these sample selections provides a reasonable basis for our findings and conclusions.

Based on the information we gathered from all sources and our understanding of the processes and procedures of CFPB's GTC program, we identified the internal controls for complying with policies and procedures and applicable guidance.

To determine compliance with policies and procedures and applicable guidance, we performed the following:

  • We tested a random sample of 120 of the 39,153 cardholder transactions. We excluded travel-related and cash-advance fees.
  • We tested a random sample of 53 of the 10,832 vouchers from GovTrip. We performed further tests on the 10,832 vouchers to determine whether vouchers were approved for payment within 30 calendar days.
  • We randomly selected 10 of the 1,519 centrally billed account14 transactions to determine proper use of the account.

To determine whether internal controls were designed and operating effectively to prevent and detect fraudulent or unauthorized use of travel cards, we performed the following:

  • We tested the CFPB's blocked MCCs to determine whether controls prevent unauthorized or fraudulent transactions by filtering the Account Activity Report in the CCRS for these blocked MCCs. Further, we reviewed Citibank's listing of all allowable MCCs to determine whether any allowable MCCs were suspicious based on our judgment. We did not identify any additional MCCs that should be blocked.
  • We reviewed BPD ARC premium-class travel report to determine whether any GTC cardholders purchased premium-class travel tickets for official travel. We did not find any purchases of premium-class travel tickets.
  • Using data analytics, we performed the following fraud tests:
    • Use of GTC while on leave during business travel. We analyzed the OHC's personnel and leave data and GovTrip data to identify any GTC cardholders who took leave during business travel. We identified 223 instances, attributable to 108 employees, of leave taken during business travel. Of the 223 instances, we selected a random sample of 40 instances and performed further analysis to match vouchers associated with each instance to determine whether cardholders claimed lodging and M&IE during leave.
    • Use of GTC while on leave. We used the OHC's personnel and leave data and the Account Activity Report in the CCRS to identify any GTC cardholders who used their GTC while on eight or more hours of leave. From the Account Activity Report, we excluded payments, miscellaneous credits and debits, airline charges, and most hotel charges. We identified 82 instances in which cardholders had a transaction on the same day they were on leave. We matched the 82 instances with GovTrip data to exclude one day before and one day after official travel, which resulted in 61 instances. We excluded 4 of 61 instances, which appeared to be legitimate charges. We used the GovTrip Travel System to identify the vouchers that corresponded to the 57 transactions to determine whether these GTC cardholders were on official travel and authorized to use the GTC.
    • GTC transactions made by non-CFPB employees. We used the OHC's personnel and leave data and the Account Activity Report in the CCRS to determine whether purchases were made by individuals who were not CPFB employees. We did not identify any use of GTC or purchases made by non-CFPB employees.
    • Laundry and dry cleaning. We used the Account Activity Report in the CCRS to identify MCCs associated with laundry or dry cleaning. We identified 64 transactions associated with three MCCs and requested documentation from the Travel Office to determine whether cardholders claimed laundry or dry-cleaning reimbursements on or after the authorized date (i.e., the fourth consecutive night of travel) and provided the appropriate receipt for the claim.
    • High-dollar travel transaction. We used the Account Activity Report in the CCRS to determine whether transaction amounts were reasonable. We excluded payments, miscellaneous credits, and blank MCC codes. We sorted all transaction amounts from the highest to lowest, and we selected the top 30 transactions for review. We requested documentation for these 30 transactions to determine whether the transaction amounts, such as the per diem rates for lodging, were reasonable. We did not find any transactions that were unreasonable.

To determine whether internal controls provide reasonable assurance that cards are properly issued, monitored, and closed out, we performed the following tests:

  • We tested controls over the GTC issuance process by randomly selecting 10 applications from the 280 GTC accounts that were opened during our scope. We reviewed the application routing process and training certification for our sample to determine whether applications were properly completed and approved and whether proof of training was documented. Further, we tested GTC credit limits for all 280 cardholder accounts that were opened during our scope. We did not find any credit limits that exceeded the prescribed amount. We also tested all cash-advance transactions that occurred during our scope to determine whether controls over GTC issuance prevent travelers from exceeding the authorized amounts. We performed these tests by reviewing related reports in the CCRS, such as the Account Activity Report. We also tested 10 judgmentally selected cash-advance transactions to determine the reasonableness of cash-advance transactions based on a cardholder's expected out-of-pocket expenditures. We did not identify any instances in which the cash-advance transactions exceeded the expected out-of-pocket expenses for the trip.
  • We tested controls over GTC monitoring by selecting a judgmental sample of 24 (2 instances per month) of 1,498 past-due account balances from the Monthly Delinquency Reports in the CCRS to determine whether cardholders, their supervisors, the CFO, or the OHC were notified that accounts were past due. We also inspected all four of the Travel Office's monthly compliance reviews of cardholder statements to ensure that reviews were completed and to determine whether any instances of personal, non-work-related use of the GTC were detected.
  • We tested controls over GTC close-out for all 49 GTC cardholders who separated from the CFPB during the period of our scope to determine whether accounts were closed in a timely manner. We also used the Account Activity Report in the CCRS to determine whether employees used their GTC after separation.

We performed the audit from March 2013 to August 2013. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

  • 14. A centrally billed account is a card/account established by the charge card vendor at the request of the agency/organization. A centrally billed account may be a card or cardless account, and payments are made directly to the charge card vendor by the agency.   Return to text

LINKS TO THE BOARD AND THE CFPB

RELATED SITES AND RESOURCES