CFPB Report: 2013-AE-C-017 September 30, 2013
We found that controls are not designed or operating effectively to prevent and detect fraudulent or unauthorized use of the GTC. As a result, we found that 21 of the 743 CFPB cardholders claimed and received reimbursement for unallowable expenses or made unauthorized transactions. Federal and agency-level regulations and guidance contain the following cardholder and agency responsibilities regarding GTCs:
The Travel Office is not providing cardholders with periodic refresher training beyond the required GSA and new employee GTC training and is not using effective systems, techniques, and technologies to detect fraudulent or unauthorized GTC use. In addition, cardholders' supervisors are not required to approve travel authorizations and vouchers. Without effective and efficient controls, the CFPB is at risk of paying fraudulent claims. Further, the CFPB does not have reasonable assurance that its employees are complying with the Travel Card policy and the FTR and does not have reasonable assurance that it is in compliance with the Charge Card Act.
We performed two tests to identify fraudulent use of the GTC and found that five cardholders charged, claimed, and received reimbursement for a total of $320 in laundry and dry-cleaning expenses that were incurred before the fourth consecutive night of travel. We also found that two cardholders claimed and received reimbursement for a total of $324 in potentially unallowable lodging and related meals and incidental expenses (M&IE) while using credit hours as leave.
For our first test, we used the Account Activity Report in the CCRS to review all 64 laundry and dry-cleaning transactions that were processed against the following three merchant category codes (MCCs)7 to determine whether these transactions had occurred after the fourth consecutive night of travel:
We found that 11 of the 64 transactions, made by five cardholders, occurred before the fourth night of travel. These transactions amounted to $320. Further, we found that for 10 of the 11 transactions, the transaction date provided on the voucher did not match the expense date; the expense was actually incurred on a date prior to the date provided on the voucher for reimbursement.
For our second test, we tested a randomly selected sample of 40 of the 223 instances in which GTC cardholders took eight or more hours of leave during an official business trip to determine whether cardholders made transactions on the GTC or claimed reimbursement for lodging and M&IE for those days of leave. These 40 instances of eight or more hours of leave were related to 31 cardholders. We found that travel vouchers for 11 of the 31 cardholders did not indicate that leave had been taken during the business trip. Further testing showed that 9 of these cardholders took sick leave during the business trip; however, the remaining 2 cardholders charged, claimed, and received reimbursement for potentially unallowable expenses while using credit hours as leave. FTR §301-70.501 states that lodging and M&IE can be claimed by cardholders who become ill or injured and take leave (annual or sick) during a business trip. The potentially unallowable lodging claimed by the 2 cardholders was $217, and the potentially unallowable M&IE claimed by these 2 cardholders was $107, for a total of $324.
Travel Office staff were not aware of these unallowable transactions until we brought them to their attention. We sent the details of our sample results to the Travel Office for further review, and we requested that it provide to us a written explanation of the actions that have been or will be taken.
FTR §301-51.7 states that a traveler may not use the government contractor-issued travel charge card for personal reasons while on official travel. Additionally, FTR § 301-11.31 states that laundry expenses are reimbursable when incurred at the temporary duty station location after four consecutive nights of travel. Further, the CFPB's Summary of Travel Policy Clarification and Changes states that pursuant to FTR §301-52.8, employees are responsible for properly itemizing and documenting any expenses they are claiming from the CFPB and may only seek reimbursement for authorized expenses.
According to GAO's Standards for Internal Control in the Federal Government, internal controls are an integral part of an entity's accountability for stewardship of government resources. Internal controls occur at all levels and functions of an entity and include a wide range of diverse activities, such as authorizations, approvals, verifications, and/or reconciliations. For example, in the CFPB's purchase card program, approving officials—who typically are the supervisors of the purchase cardholders—review and approve cardholders' purchases and cardholders' monthly statements.
While cardholders are required to complete an online GSA training on the GTC when they apply for a card and the Travel Office provides initial training at new employee orientation, periodic refresher training on allowable reimbursements is not provided. We believe that employees should receive periodic reminders on the proper use of the GTC, including the policy associated with laundry expenses.
Additionally, the Travel Office does not use the Account Activity Report to review laundry transactions and does not review personnel leave data to ensure that vouchers do not include any unallowable charges. We believe that the CFO should consider, based on a cost-benefit analysis, having the Travel Office conduct further review of laundry transactions using the Account Activity Report in the CCRS, since our audit only tested transactions during our scope period. In addition, the CFO could have the Travel Office review leave data against GovTrip voucher data.
Currently, cardholders' supervisors are not required to review travel authorizations or vouchers in the GovTrip system. Employees are required to indicate on the TAF anticipated leave during travel; however, GovTrip does not specifically prompt cardholders to indicate (1) anticipated leave during business travel on their travel authorization or (2) leave taken during business travel on their travel voucher. This information, however, can be captured in the GovTrip "Trip Details" feature, and we observed that some cardholders did use this feature to indicate leave during business travel on both authorizations and vouchers. We believe that supervisory review of travel authorizations and vouchers can enhance internal controls and accountability. In the absence of a specific field in GovTrip for leave, reviews of travel authorizations and vouchers by cardholders' supervisors may identify instances in which cardholders plan to take leave during business travel and instances in which cardholders claim reimbursement for expenses incurred on days of leave, because supervisors should be knowledgeable of their staff's leave schedule.
While our review of transactions from our scope period identified seven GTC cardholders who received reimbursement for claimed unallowable and potentially unallowable expenses, the total reimbursement of claims for unallowable expenses may be greater. Without effective and efficient controls, the CFPB is at risk of paying fraudulent or unallowable expense claims submitted by cardholders. As a result, the level of risk associated with fraud, waste, and abuse may be heightened for the CFPB's GTC program.
On October 1, 2012, the CFPB issued the Summary of Travel Policy Clarifications and Changes in response to employees' frequently asked questions concerning the FTR. This document provides guidance for claiming lodging, laundry, and transportation expenses. With regard to laundry, it states that travelers are required to provide receipts with their travel vouchers for laundry expenses claimed for reimbursement regardless of the amount. Our testing of 64 laundry transactions included 32 transactions that required receipts. We found that receipts for these transactions were included with vouchers in compliance with the guidance.
We found 24 transactions made by 15 cardholders that constituted unauthorized use of the GTC. These transactions totaled approximately $1,880 and were associated with dry-cleaning and laundry services, transportation services, gasoline stations, restaurants, and cash advances. We did not find any voucher reimbursement claims for the transactions we identified.
Specifically, during the first test described above, we found that 4 of the 64 transactions in the dry-cleaning and laundry testing were unauthorized because they were not associated with an official business trip. These 4 transactions amounted to approximately $180 and were made by two cardholders. 8
In our third test related to fraudulent and unauthorized use, we judgmentally selected 57 GTC transactions made by cardholders while on leave. After further testing, we found that 20 of the 57 transactions, made by 13 cardholders, constituted unauthorized use of the GTC. These transactions totaled approximately $1,700 and were associated with gasoline stations, transportation services, restaurants, and cash advances.9 Based on explanations and our review of documentation provided by the Travel Office, we determined that the remaining 37 transactions were allowable transactions.
Travel Office staff were not aware of the unauthorized transactions until we brought them to their attention. We sent the details of our sample results to the Travel Office for further review, and we requested that it provide to us a written explanation of the actions that have been or will be taken.
The Citibank cardholder agreement states that the GTC (1) is only to be used for official travel and official travel-related expenses away from the traveler's official duty station and (2) is not to be used for personal, family, or household purposes. Similarly, the GSA SmartPay2 guidelines state that the GTC should not be used for personal expenses. The Charge Card Act requires agencies to use effective systems, techniques, and technologies to identify unauthorized purchases and conduct periodic reviews. The act also requires that agencies must provide for appropriate adverse personnel actions to be imposed on employees who fail to comply with applicable GTC terms and conditions or agency regulations or who commit fraud with respect to the GTC, including removal in appropriate cases.
Although cardholders are required to complete an online GSA training on the GTC when they apply for a card and the Travel Office provides initial training at new employee orientation, periodic training on the proper use of the GTC is not provided to all cardholders. We believe that employees should receive periodic reminders and/or training on the proper use of the GTC and on any disciplinary actions that may be taken for unauthorized use of the GTC.
While our review of transactions made during our scope period identified 15 GTC cardholders who made unauthorized purchases on the GTC, the total number of GTC cardholders making unauthorized purchases may be greater. Although cardholders are responsible for all charges incurred on the GTC, going forward, the Travel Office could use the Account Activity Report in the CCRS to identify unauthorized purchases made by cardholders. Without effective GTC preventative controls and monitoring techniques, the CFPB cannot be assured that its employees are complying with the Citibank cardholder agreement and GSA SmartPay2 guidelines. Further, the CFPB does not have reasonable assurance that unauthorized use of the GTC is identified timely and that cardholders engaging in unauthorized use are disciplined appropriately, and, thus, that the agency is fully complying with the Charge Card Act.
Controls are not designed or operating effectively to prevent and detect fraudulent or unauthorized use of the GTC. Specifically, the CFPB's Travel Office is not providing periodic training on allowable reimbursements and is not using effective systems, techniques, and technologies to prevent and detect fraudulent or unauthorized use, such as analyzing account data from CCRS reports and leave data that can be provided by OHC. Further, we believe that requiring cardholders' supervisors to review travel authorizations and vouchers in the GovTrip system is a key internal control. Without supervisory review and approval of travel authorizations and vouchers, the CFPB lacks accountability at every stage of the travel approval process. Because our testing was performed on a selection of transactions from our scope period, noncompliance may be greater than our results indicate. Without effective monitoring, the CFPB is at risk of paying fraudulent or unallowable claims. As a result, the CFPB does not have assurance that its employees are complying with the Travel Card policy and the Citibank cardholder agreement, and that the agency is fully complying with the Charge Card Act.
We recommend that the Chief Financial Officer
The CFPB concurs with the objectives of these recommendations and is in the process of enhancing its travel program to mitigate the identified risks and promote greater accountability in the use of CFPB resources. This summer, the CFPB initiated a voucher postpayment validation process for certain travel vouchers in order to verify claimed amounts for reimbursement. Further, as noted above, the CFPB established an internal group to evaluate the travel program and identify opportunities for improvement. Informed by the CFPB's internal review and the OIG's review, the new policies and procedures will address the recommendations above, including enhanced controls to better monitor travel card usage and to identify potential cases of improper usage, periodic trainings and reminders on travel card policies and procedures, and recoupment of reimbursements for unallowable expenses. Most notably, the CFPB is developing a travel approval process modeled after the practices of other federal financial regulators involving an open travel authorization for all employees followed by supervisor review and approval of travel vouchers. This process would eliminate the need for cardholders' supervisors to review and approve individual travel authorizations. The CFPB anticipates implementing the new travel program, including the modified authorization and voucher processes, over the next several months.
The CFPB stated that it concurs with our recommendations and is already taking actions to strengthen the internal controls for its travel card program. The CFPB will develop new or adjust existing policies and procedures, as appropriate, to incorporate our recommendations. Specifically in relation to recommendation 8, which requires cardholders' supervisors to review and approve in a timely manner travel authorizations and travel vouchers, the CFPB is modifying its travel process. The CFPB is eliminating the need for cardholders' supervisors to review and approve individual travel authorizations by implementing open travel authorizations for all employees followed by supervisor review and approval of travel vouchers. We plan to follow up on the Office of the Chief Financial Officer's actions to ensure that each recommendation is fully addressed.
