Appendix A Scope and Methodology
The overall objective for this audit was to assess whether the controls for the CFPB's purchase card program were adequate to (1) ensure that purchase card use is appropriate and in compliance with applicable laws, regulations, and the CFPB's policies and procedures and (2) prevent and detect improper or fraudulent use of purchase cards.
To accomplish our objectives, we reviewed the Charge Card Act; OMB Circular A-123, Appendix B; and FAR Part 13. We also reviewed the BPD's 2011 Government Purchase Card Procedures, the CFPB's Purchase Card Guides for the Mobile Workforce and Flagship Cardholders, and other relevant documentation pertaining to the purchase card program. We also reviewed several reports from the CCRS, such as the Transaction Detail Report and the Account Status Report.
We interviewed staff in the CFPB's Office of Procurement, including the APC, to gain an understanding of the program and its internal controls. We also spoke with BPD staff who provide the CFPB with purchase card administrative services, to gain an understanding of their roles and responsibilities in the process.
Based on the information we gathered and our understanding of the CFPB's purchase card program, we developed detailed summaries of the program's processes and procedures and identified relevant controls to test during our fieldwork. The scope of our audit included purchase card data from April 1, 2012, to March 31, 2013.
We accomplished our objective by conducting the following tests:
-
We reviewed the application packages for 39 of the 99 new cardholders to determine whether required training was completed and application was properly processed.
-
We inspected training certificates for all 20 AOs to confirm completion of required training.
-
We reviewed supporting documentation for 78 of the 3,324 transactions under $3,000 to determine whether these micropurchases were in compliance with applicable policies and procedures. Documents reviewed included checklists, purchase card logs, receipts/invoices, prior authorizations, and statement reconciliations for each sample transaction.
-
We reviewed supporting documentation for 3 of the 7 transactions over $3,000 to determine whether purchases exceeding micropurchase threshold were in compliance with applicable policies and procedures. We verified that the required documents were reviewed and approved by designated officials and that each sample transaction was carried out by a warranted contracting officer.
-
We reviewed supporting documentation for all 5 auto-closed statements9 to determine whether the AOs approved these statements in a timely manner.
-
We reviewed supporting documentation for 5 of the 27 convenience check transactions to determine appropriate usage of convenience checks. Specifically, we reviewed the convenience check log, receipt or invoice, and approval documents to determine whether the convenience check was used as the last resort (i.e., the vendor did not accept purchase cards).
-
We reviewed supporting documentation for all 23 closed accounts to determine whether accounts were closed in a timely manner. We also reviewed the Transaction Detail Report from the CCRS to determine whether employees used their purchase card after the account was closed.
-
We reviewed supporting documentation for 36 of the 48 transactions that had the appearance of split purchases to determine whether cardholders split purchases into two or more transactions to circumvent the purchase limitations. Specifically, we reviewed the approval documents, purchase card log, checklist, and receipt or invoice for each sample transaction.
-
We reviewed supporting documentation for 21 of the 105 transactions with blocked MCCs to determine whether these transactions were proper and authorized and in compliance with applicable policies and procedures. Documents we reviewed included checklists, purchase card logs, receipts and invoices, prior authorizations, and reconciliations for each sample transaction.
-
We assessed the APC's oversight activities to ensure that the APC is effectively monitoring the purchase card program for unauthorized or fraudulent transactions. We reviewed APC's various reports and checklists that are associated with the APC's monthly and quarterly monitoring activities.
-
We evaluated the types of MCCs that the CFPB currently allows and blocks to prevent unauthorized or fraudulent transactions. Specifically, we compared the current listing of allowable MCCs to the listing of prohibited purchases to determine the adequacy of the current listing of allowable MCCs.
We performed the audit from March 2013 to August 2013.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.