CFPB Report: 2013-AE-C-017 September 30, 2013
Our overall objective for this audit was to determine the effectiveness of the Consumer Financial Protection Bureau's (CFPB's) internal controls for its government travel card (GTC) program. Specifically, we assessed compliance with policies and procedures and whether internal controls were designed and operating effectively to (1) prevent and detect fraudulent or unauthorized use of travel cards and (2) provide reasonable assurance that cards are properly issued, monitored, and closed out.
The Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act)1 requires Offices of Inspector General (OIGs) to conduct periodic audits or reviews of travel card programs. Other OIGs and the Government Accountability Office (GAO) have performed travel card audits and have found evidence of waste, fraud, and abuse within travel card programs government-wide. We conducted this audit in light of prior reports of travel card abuse in other agencies and the GTC program's susceptibility to waste, fraud, and abuse, as well as the amount the CFPB has expended on official travel.
Through its GTC program, the CFPB provides its employees with the necessary resources to arrange and pay for official business travel and other travel-related expenses and receive reimbursements for authorized expenses. The CFPB's Office of Travel and Relocation (Travel Office), which is a part of the Office of the Chief Financial Officer, oversees the GTC program. The Travel Office consists of four staff members, including the manager. As of April 30, 2013, the CFPB had 743 active cardholder accounts. During the period of our audit, May 1, 2012, through April 30, 2013, 280 GTC accounts were opened and 61 were closed, for a net increase of 219 cardholders. In fiscal year 2012, the CFPB spent more than $10 million, or about 3 percent of its incurred expenses, on travel.
The CFPB acquires GTC services through the Department of the Treasury's task order to the General Services Administration's (GSA's) master contract with Citibank.2 Citibank issues GTCs to CFPB employees, and each cardholder is responsible for all expenses incurred on his or her GTC. The Department of the Treasury's Bureau of Public Debt, Administrative Resource Center (BPD ARC), provides the CFPB with travel card administration services for the GTC through an interagency agreement. This agreement states that BPD ARC will provide a full range of financial management accounting services for the period of October 1, 2012, through September 30, 2013.
The Citibank cardholder agreement provides the specific requirements for use of the GTC. The cardholder agreement states that cardholders should use their GTC for official travel and official travel-related expenses only. Cardholders are bound to the terms of the cardholder agreement when the cardholder activates, signs, or uses the card. The cardholder agreement also states that Citibank will seek payment for all charges directly from the cardholder regardless of whether the cardholder has been reimbursed by the agency. The Travel Office has access to the Citibank Custom Reporting System (CCRS), which provides customized reports on GTC usage, such as the Account Activity Report and Declined Authorization Report.
The CFPB is subject to the Charge Card Act, which requires agencies with travel expenditures of $10 million or more and employees who use GTCs to establish and maintain safeguards and internal control activities to ensure the proper, efficient, and effective use of the GTC. For example, the law requires that agencies (1) provide training to each cardholder and each official responsible for oversight of the use of GTCs; (2) ensure that the GTC of each employee who ceases to be employed by the agency is invalidated immediately upon termination of the employment; (3) use effective systems, techniques, and technologies to prevent or identify unauthorized purchases and conduct periodic reviews; and (4) provide for the appropriate adverse personnel actions to be imposed on employees who fail to comply with applicable GTC terms and conditions or agency regulations or who commit fraud with respect to the GTC, including removal in appropriate cases.
The CFPB complies with the Federal Managers' Financial Integrity Act of 1982, which requires it to establish internal controls in compliance with GAO standards. The Federal Managers' Financial Integrity Act of 1982 required the GAO to issue standards for internal control in the government. Subsequently, the GAO issued Standards for Internal Control in the Federal Government, which provides the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. These standards state that internal control is a major part of managing an organization and that internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives. These standards also state that internal control serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud.
The CFPB has determined that it is not required to follow the Federal Travel Regulation (FTR)3 because its travel program does not currently receive appropriated funds.4 However, the CFPB's Policy on Travel Cards and Temporary Duty Travel (Travel Card policy), which was approved on June 4, 2012, instructs cardholders to refer to section 301 of the FTR for guidance on issues on which the policy is silent. Section 301 of the FTR provides the general provisions for travel by federal civilian employees and others authorized to travel at the expense of the U.S. government.
In addition, GTC cardholders are required to follow GSA's SmartPay2 program guidelines. These guidelines include information on cardholders' responsibilities, payment of the charge card bill, and the reporting of a lost or stolen card. For example, cardholders should use the GTC to pay for official travel, obtain a cash advance for official travel through an ATM if authorized by the agency, submit payments in full for each monthly bill, and be aware that misuse of the travel charge card could result in disciplinary actions by the agency. Further, cardholders should not use the GTC for personal use, obtain travel advances through the ATM that exceed the expected out-of-pocket expenditures for a trip, or obtain travel advances through the ATM unless on travel or beginning travel shortly.
The Travel Card policy and Travel Office practices provide a framework for the responsibilities of travelers and the Travel Office.5 Among other things, travelers are responsible for the following:
The responsibilities of the Travel Office include, but are not limited to, the following:
In addition to the Travel Card policy, on October 1, 2012, the CFPB issued the Summary of Travel Policy Clarifications and Changes in response to employees' frequently asked questions concerning the FTR. This document provides guidance for claiming lodging, laundry, and transportation expenses, such as the following:
The Travel Office is ultimately responsible for the administration of the CFPB's GTC program; however, BPD ARC assists with the administration of most of the program's functions. Administering the program involves four major processes: (1) coordinating the issuance of cards, (2) reviewing and approving travel authorizations and vouchers, (3) monitoring GTC usage, and (4) closing accounts. Each of these processes is described in more detail below.
A CFPB employee who travels four or more times a year must obtain and use a GTC. The employee must first complete the GSA online training and then complete the application and forward it to the CFPB's Travel Office. The Travel Office records receipt of the application and reviews it for completeness, including the certificate of GSA training. The Travel Office then forwards the application to BPD ARC for processing. BPD ARC personnel work directly with Citibank and the applicant to process applications. Upon credit review and approval, Citibank mails the card directly to the Travel Office, which then mails the card, along with information about the card agreement and its terms, to the applicant's home address. Currently, all GTCs are issued with an initial credit limit of $11,000 or $12,000, based on the applicant's creditworthiness, and initial cash-advance limits of $210 per day and $1,050 per week.
Prior to official travel, a cardholder completes a TAF, which lists the travel dates and the location of the temporary duty travel. The TAF is submitted to the supervisor for approval. The cardholder then creates a travel authorization in GovTrip, which contains the estimated travel expenses, lodging, and mode of transportation. The cardholder attaches the TAF to the travel authorization in the GovTrip system and submits it for review and approval by the Travel Office. Then, the Travel Office reviews the travel authorization for completeness and estimated allowable expenses before approving and ticketing.
When a cardholder returns from a trip, he or she uses GovTrip to complete a travel voucher for all allowable expenses incurred. After the cardholder signs and submits the voucher, the Travel Office reviews and approves it for payment. After the Travel Office approves the voucher for payment, it is submitted to BPD ARC for payment processing.
If the Travel Office finds errors in either the travel authorization or the travel voucher, the office returns the form or forms electronically to the cardholder for correction or amendment. After the cardholder makes the correction or amendment, he or she must re-sign and resubmit the returned form or forms to the Travel Office.
The Travel Office performs monitoring activities related to the GTC. These activities include monitoring for the appropriate use of the GTC, for past-due accounts, and for purchases of premium-class travel tickets.
The Travel Office performs a monthly review of GTC cardholders' statements to determine whether travel cards are being used for personal, non-work-related expenses. The office randomly selects 10 GTC accounts for review each month. The Travel Office reviews the individual charges on statements of these selected cardholders in the Citibank system and, if noncompliance is detected, the CFO is notified and the following notifications are sent:
The Travel Office uses the CCRS monthly Delinquency Reports, which it receives from BPD ARC, to send to cardholders, as well as the CFO, notifications of past-due accounts identified in the report. According to the CFPB's Travel Card policy, cardholders are to receive notifications for accounts that are 30 days past due. Cardholders and their supervisors are to receive notifications for accounts that are 31–60 days past due, and for those GTC accounts that are more than 60 days past due, cardholders, their supervisors, and the OHC all receive the past-due notification. According to the Travel Office, supervisors may have discussions with cardholders when notifications are received.
Finally, the Travel Office obtains a report from BPD ARC that shows GTC cardholders who purchased premium-class travel tickets. The Travel Office is required to report to GSA any and all instances of other-than-coach-class transportation accommodations paid for by the government.
BPD ARC closes GTC accounts in GovTrip and with Citibank. According to BPD ARC, the CFPB's OHC and BPD's Human Resources Office separately send exit clearance notices for separating CFPB employees to BPD ARC. When BPD ARC receives an exit clearance notice, a BPD ARC staff member reviews the separating employee's Citibank statement for unpaid balances. If the employee does not have an unpaid balance, BPD ARC closes the account. If there is an unpaid balance, BPD ARC notifies the CFPB's Travel Office, which is then responsible for notifying the separating employee of the unpaid balance.
