Skip to Navigation
Skip to Main content
OIG Home
OIG Home

IN THIS SECTION

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

CFPB Report: December 23, 2014

Fiscal Year 2014 Risk Assessment of the CFPB’s Purchase Card and Travel Card Programs

available formats

  • Executive Summary:

    HTML
  • Full Memorandum:

    PDF | HTML

OFFICE OF INSPECTOR GENERAL
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
CONSUMER FINANCIAL PROTECTION BUREAU

December 23, 2014

Memorandum

TO:

Richard Cordray
Director
Consumer Financial Protection Bureau

FROM:

Mark Bialek  /signed/
Inspector General

SUBJECT:

Fiscal Year 2014 Risk Assessment of the CFPB’s Purchase Card and Travel Card Programs

Executive Summary

The Office of Inspector General (OIG) has conducted a risk assessment of the Consumer Financial Protection Bureau’s (CFPB) purchase card and travel card programs to determine the frequency and scope of future audits of these programs. This fiscal year 2014 risk assessment is the OIG’s first risk assessment of the CFPB’s purchase card and travel card programs. The results of the risk assessment show that the risk of illegal, improper, or erroneous use in the CFPB’s purchase card program is low and the risk level for the travel card program is medium. As a result, we will include an audit of the travel card program in the OIG’s 2015 annual audit plan, and we will not include an audit of the purchase card program in that plan.

The results of the risk assessment should not be interpreted to mean that a lower-risk program is free of illegal, improper, or erroneous use or internal control deficiencies or that a high-risk program is likely to have illegal, improper, or erroneous use. An audit of these programs may identify issues not previously noted in the risk assessment. For instance, the overall risk level for the purchase card program may be assessed as low based on the design of internal controls and the size of the program; however, an audit may find that controls are not working effectively or that illegal, improper, or erroneous activity has taken place.

Background

The Government Charge Card Abuse Prevention Act of 2012 requires Inspectors General of executive agencies to conduct periodic assessments or audits of purchase card and travel card programs to identify and analyze the risks of illegal, improper, or erroneous purchases and payments. Through these risk assessments, the Inspectors General develop a plan to determine the scope, frequency, and number of periodic audits of these programs. In September 2013, the Office of Management and Budget (OMB) issued OMB Memorandum M-13-21, Implementation of the Government Charge Card Abuse Prevention Act of 2012, which states that Inspectors General will conduct annual risk assessments of agency purchase cards and travel cards to analyze the risks of illegal, improper, or erroneous purchases.

The CFPB’s Purchase Card and Travel Card Programs 

The CFPB participates in the U.S. General Services Administration’s SmartPay2 program through a task order with the U.S. Department of the Treasury’s master contract with Citibank. Within the U.S. Department of the Treasury, the Bureau of Fiscal Services’ Administrative Resource Center provides purchase card and travel card administrative services and acts as the liaison between the CFPB and Citibank.

The CFPB’s Office of Procurement is responsible for managing the operation of the purchase card program and ensuring that the program complies with applicable laws, regulations, policies, and procedures. The CFPB’s Office of Procurement also monitors the effectiveness of the purchase card program as a payment vehicle while working to ensure that the proper controls are in place. The CFPB operates its purchase card program under the policies and procedures set forth in the Purchase Card Policy and Management Plan, which was finalized in July 2014. As of September 30, 2014, the CFPB had 384 active cardholders, and these cardholders made approximately 3,500 transactions totaling approximately $2.2 million in fiscal year 2014.

The CFPB’s Travel and Relocation Office (Travel Office) within the Office of the Chief Financial Officer oversees the travel card program. The Policy on Travel Cards and Temporary Duty Travel and its addendum (Travel Card policy), as well as Travel Office practices, provide a framework for the responsibilities of travelers and the Travel Office. As of September 30, 2014, the CFPB spent more than $11 million, or about 2 percent of its incurred expenses, on travel card spending and had 1,203 active cardholder accounts.

Objective, Scope, and Methodology

Our overall objective was to analyze the risks of illegal, improper, or erroneous purchases and payments associated with the CFPB’s purchase card and travel card programs. To conduct our risk assessment, we obtained and reviewed the responsible offices’ objectives; the relevant purchase card and travel card policies and procedures; the results of prior external and internal audits and reviews of the programs; and the status of open recommendations, if applicable, for the purchase card and travel card programs. In addition, we surveyed the responsible agency officials to identify risks that could prevent the offices from achieving their goals, as well as the controls to mitigate these risks. We conducted our risk assessment work from July 2014 through November 2014.

We used five risk categories in our risk assessment—financial, strategic, operational, compliance, and reputational—as defined below:

  • Financial: The risk that an event related to the purchase card or the travel card could occur that has a significant financial impact on the agency or the responsible office’s budget process.
  • Strategic: The risk that an event related to the purchase card or the travel card could impact the agency’s or the responsible office’s ability to achieve its mission and strategic objectives.
  • Operational: The risk that an event related to the purchase card or the travel card could be negatively impacted by inadequate, ineffective, or failed (1) business processes, (2) human capital, or (3) technology and information management.
  • Compliance: The risk that an event related to the purchase card or the travel card could impact the relevant program’s ability to comply with applicable laws, regulations, or internal policies and procedures.
  • Reputational: The risk that an internal or external event related to the purchase card or the travel card could diminish the responsible office’s or the agency’s stature, credibility, or effectiveness.

Each program office identified inherent risks by relevant risk category and assessed their impact and likelihood. Impact is the likely magnitude of deficiency that could result from the risk. Likelihood is the level of possibility that a risk will occur. Our office then assessed the impact and likelihood of risks by risk category considering the effect of internal controls, the results of prior audits, and other relevant documentation, and we assigned a level of low, medium, or high using the criteria in table 1. We then combined the impact and likelihood of individual risk category levels to arrive at an average overall risk level.

Table 1: Definition of Likelihood and Impact

Level Risk impact definition Risk likelihood definition
High Significant impact on current operations and long-term objectives Almost certain to occur
Medium Limited impact on current operations and long-term objectives Likely: event could occur
Low Minimal impact on current operations and long-term objectives Remote: unlikely to occur

Source: OIG auditors’ analysis.

Results of Risk Assessment

Tables 2 and 3 show each risk category’s level for impact and likelihood for the purchase card and travel card programs, respectively. The average overall risk level determines the final risk assessment for CFPB’s purchase card and travel card programs.

Table 2: Risk Levels by Risk Category for the CFPB’s Purchase Card Program

Risk category Impact Likelihood Overall risk level
Financial Low Low Low
Strategic Low Low Low
Operational Medium Low Low
Compliance Medium Low Low
Reputational Low Low Low
Average risk level Low Low Low

Source: OIG auditors’ analysis.

Table 3: Risk Levels by Risk Category for the CFPB’s Travel Card Program

Risk category Impact Likelihood Overall risk level
Financial Low Medium Low
Strategic Medium Medium Medium
Operational Medium Medium Medium
Compliance High Medium Medium
Reputational Medium Medium Medium
Average risk level Medium Medium Medium

Source: OIG auditors’ analysis.

Conclusion

The results of the risk assessment show that the risk of illegal, improper, or erroneous use in the CFPB’s purchase card program is low and the risk level for the travel card program is medium. As a result, we will include an audit of the travel card program in the OIG’s 2015 annual audit plan, and we will not include an audit of the purchase card program in that plan. Nevertheless, the Office of Procurement and the Travel Office should continue to take appropriate actions to ensure proper oversight of their respective programs.

This report was provided for informational purposes, and a response is not required. The OIG appreciates the cooperation and assistance provided by your staff during this risk assessment. If you have any questions, please contact me at 202-973-5005 or Melissa Heist, Associate Inspector General for Audits and Evaluations, at 202-973-5024.

cc:

Sartaj Alag, Chief Operating Officer
Stephen Agostini, Chief Financial Officer
David Gragan, Chief Procurement Officer
J. Anthony Ogden, Deputy Inspector General