The internal controls for the CFPB's purchase card program are adequate and operating effectively to ensure that the program is generally in compliance with applicable laws, regulations, and the CFPB's policies and procedures and to prevent and detect improper or fraudulent use of purchase cards. We did, however, note several instances of noncompliance with applicable policies and procedures. Specifically, we noted that (1) cardholders were missing purchase card files or missing supporting documentation in their purchase card files; (2) cardholders paid sales taxes; (3) a cardholder improperly used a convenience check instead of using a purchase card, and cardholders did not always document the reason for using the convenience check; and (4) cardholders did not document the reason for purchases that had the appearance of a split transaction. These instances of noncompliance occurred because cardholders were unaware of the requirements set forth in the applicable policies and procedures, did not ensure taxes were excluded on the invoices, and inadvertently used a convenience check instead of a purchase card. Further, the APC was not using reports available from the Citibank Custom Reporting System (CCRS) as a monitoring tool. As a result, the CFPB did not have adequate assurance that cardholders were adhering to applicable policies and procedures, and it incurred unnecessary costs associated with convenience check usage and sales taxes.
We reviewed supporting documentation for 78 of the 3,324 transactions under $3,000 during our scope to determine whether these micropurchases were in compliance with applicable policies and procedures. Our testing revealed that 5 of the 78 transactions totaling $479.07 were missing purchase card files, and 3 of those 5 transactions totaling $407.61 were made by employees who had separated from the CFPB after they made the purchase. Although the APC specifically instructed the separating employees to leave their purchase card files with their AOs, the cardholders did not do so.
In addition, our testing revealed that the purchase card files for 3 of the 78 transactions were missing supporting documentation, such as a purchase card checklist or receipt. Some cardholders were not aware of the supporting documentation requirement and the three-year record retention requirement.
According to the BPD's Government Purchase Card Procedures, all purchase cardholders must ensure proper use of the purchase card by maintaining a purchase card log and appropriate documentation. In addition to these requirements, the CFPB's Purchase Card Guides for the Mobile Workforce and Flagship Cardholders require that all purchase cardholders complete a checklist for each purchase, retain all documents for three years after final payment has been made on an order, and send their purchase card files to the AO when leaving the agency. If cardholders do not maintain the required documentation, the Office of Procurement cannot conduct oversight and ensure that cardholders have used purchase cards in accordance with applicable laws, regulations, and policies and procedures.
In March 2013, the Office of Procurement implemented new exit procedures, including an exit checklist and related system to ensure that separating employees send their purchase card files to their AOs prior to separation. In addition, based on feedback from the CFPB's fiscal year 2012 internal controls review, the Office of Procurement implemented a quarterly compliance review in April 2013 to ensure that purchases comply with applicable policies and procedures. As part of the quarterly review, the APC reviews a sample of purchase card files to ensure that cardholders are maintaining appropriate documentation (e.g., a checklist, a purchase card log, and a preapproval). Due to the recent implementation of these additional controls, we did not conduct further testing to assess the effectiveness of this new quarterly compliance review and the new exit procedures.
We reviewed supporting documentation for 21 of the 105 transactions with blocked MCCs to determine whether these transactions were proper and authorized and in compliance with applicable policies and procedures. Although the 21 sample transactions were proper and authorized, we found that 3 of these 21 transactions, made by three different cardholders, included sales tax that totaled $16.93. Two of these three cardholders stated that they advised the vendors of the tax exemption policy; however, the vendors included sales tax on these purchases. The cardholders did not check the invoices to ensure that sales tax was excluded and, thus, did not request a refund of the sales tax amount from the vendors. The third cardholder indicated that she was not aware of the tax exemption policy and did not request a refund from the vendor.
The BPD's Government Purchase Card Procedures states that cardholders should notify vendors that purchases are for official CFPB purposes. Such purchases are not subject to state or local sales tax.
Although sales tax was included on the invoices, the APC and the AO were not aware that tax was paid because sales tax did not appear as a separate line item on the Citibank statements. The Office of Procurement indicated that some vendors do not have the ability to separate taxes from total transaction amounts, and in such cases, taxes paid do not appear separately on the Citibank statements. It should be noted that the APC's quarterly compliance checklist does not currently include review of receipts and invoices to ensure that tax is not paid.
Based on our inquiry, CFPB personnel requested that the three vendors involved with the three transactions in our sample refund sales tax paid. One vendor complied with this request, and as a result, the Office of Procurement recouped $117.35 for taxes paid on 10 previous purchases. The other two requests are pending.
We reviewed supporting documentation for 5 of the 27 convenience check transactions to determine whether they were appropriately used. Our testing revealed that for 4 of the transactions, convenience checks were used appropriately, but for 1 transaction, a convenience check was used even though there was an option to pay by credit card. Because Citibank charges a fee (2 percent of the check amount plus $1) each time a convenience check is used, the CFPB paid a fee of $101.00 for using a check for this transaction. The cardholder stated that using a convenience check was an oversight.
In addition, for all five convenience check transactions, the reason for using a check was not documented in the convenience check log. The current log format does not have a column or place to note the reason for using a check.
According to the BPD's Government Purchase Card Procedures, convenience checks should only be used as a last resort and only when no vendor can be located who will accept the purchase card. In addition, the procedures require the cardholder to document the reason for using a convenience check in his or her purchase card log.
The CFPB incurred an unnecessary expense when the cardholder used a convenience check even though paying by credit card was an option. In addition, the current log format does not facilitate oversight of convenience check usage.
Upon our inquiry, the Office of Procurement took corrective action to revise the convenience check log to include a field to note the reason for using a convenience check. Due to the recent implementation of this change to the log, we did not conduct further testing to assess the effectiveness of this new control.
We reviewed supporting documentation for 36 of the 48 transactions that had the appearance of being a split transaction to determine (1) whether cardholders split purchases into two or more transactions to circumvent single purchase limitations and (2) whether the reasons for these purchases were documented. Although we did not conclude that any of these transactions were split purchases, 33 of the 36 transactions had the appearance of being split, and the cardholders did not document the reason for these purchases. Upon closer examination, the other three transactions were clearly not split and required no additional documentation.
The BPD's Government Purchase Card Procedures states that, in general, the total of a single purchase may be composed of multiple items but cannot exceed the assigned single purchase limitation. The cardholder must document the reason for any "buy" that may have the appearance of a split transaction.
The cardholders indicated that they either were not aware they were making purchases that could be interpreted as split purchases, or they did not realize the total amount for the purchases exceeded their single purchase limit. We found evidence to indicate that the AOs reviewed and approved these cardholders' monthly statements, which included these purchases. We also noted that the APC has been identifying potential split transactions by manually sorting monthly transactions and was not aware of the automated Split Ticket Report that can be generated from the CCRS. This report can be used to readily identify purchases that have the appearance of being split for appropriate follow-up, thereby enhancing oversight.
The CFPB's purchase card program controls were generally effective. However, the instances of noncompliance shown in our samples indicate that the CFPB can take advantage of opportunities to further ensure that cardholders properly use purchase cards and comply with applicable laws, regulations, and the CFPB's policies and procedures. In addition, we determined that efficiencies in monitoring could be achieved if the CFPB used reports available from the CCRS.
We recommend that the Assistant Director for Procurement
The Assistant Director for Procurement concurred with our recommendations. Excerpts from the Assistant Director's response are below.
Regarding recommendation 1, the Assistant Director stated the following:
a. Concur. On September 12, 2013, the Senior Procurement Executive sent a memorandum to all approving officials reinforcing the importance of periodically checking cardholder files to ensure they are maintaining required records.
b. Concur. As noted in the report, CFPB immediately updated the convenience check logs to include a column for each cardholder to note the reason for using a convenience check, rather than a credit card.
c. Concur. In the course of its audit of 3,324 micro-purchases, OIG identified one transaction that initially appeared to be split. The Bureau was pleased to learn that the transaction was ultimately validated as proper (i.e., it was not, in fact, split). The APC's quarterly compliance review has been updated to include a review of a CCRS report on split tickets for the period to avoid the appearance of split tickets in the future. The APC will follow up with cardholders and document the results of the report.
Regarding recommendation 2, the Assistant Director stated the following:
a. Concur. The quarterly compliance audit template has been updated to include the review of receipts, invoices, and payment of taxes.
b. Concur. The quarterly compliance audit template has been updated to include the review of the effectiveness of current exit procedures for cardholders separating from service at the Bureau.
c. Concur. The quarterly review has been updated to include the use of the CCRS report for split tickets.
See appendix B for additional management comments related to these recommendations.
We believe that the actions described by the Office of Procurement are responsive to our recommendations. We plan to follow up on the Office of Procurement's actions to ensure that each recommendation is fully addressed.
Management's response to recommendation 1.c. indicates that the OIG identified one transaction that initially appeared to be split and the transaction was ultimately validated as proper (i.e., it was not, in fact, split). As the report states, we identified 36 transactions that had the appearance of being split; upon closer examination we determined that 3 of these transactions were clearly not split and therefore required no additional documentation.