OFFICE OF INSPECTOR GENERAL
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
CONSUMER FINANCIAL PROTECTION BUREAU
December 23, 2014
Richard Cordray
Director
Consumer Financial Protection Bureau
Mark Bialek /signed/
Inspector General
Fiscal Year 2014 Risk Assessment of the CFPB’s Purchase Card and Travel Card Programs
The Office of Inspector General (OIG) has conducted a risk assessment of the Consumer Financial Protection Bureau’s (CFPB) purchase card and travel card programs to determine the frequency and scope of future audits of these programs. This fiscal year 2014 risk assessment is the OIG’s first risk assessment of the CFPB’s purchase card and travel card programs. The results of the risk assessment show that the risk of illegal, improper, or erroneous use in the CFPB’s purchase card program is low and the risk level for the travel card program is medium. As a result, we will include an audit of the travel card program in the OIG’s 2015 annual audit plan, and we will not include an audit of the purchase card program in that plan.
The results of the risk assessment should not be interpreted to mean that a lower-risk program is free of illegal, improper, or erroneous use or internal control deficiencies or that a high-risk program is likely to have illegal, improper, or erroneous use. An audit of these programs may identify issues not previously noted in the risk assessment. For instance, the overall risk level for the purchase card program may be assessed as low based on the design of internal controls and the size of the program; however, an audit may find that controls are not working effectively or that illegal, improper, or erroneous activity has taken place.
The Government Charge Card Abuse Prevention Act of 2012 requires Inspectors General of executive agencies to conduct periodic assessments or audits of purchase card and travel card programs to identify and analyze the risks of illegal, improper, or erroneous purchases and payments. Through these risk assessments, the Inspectors General develop a plan to determine the scope, frequency, and number of periodic audits of these programs. In September 2013, the Office of Management and Budget (OMB) issued OMB Memorandum M-13-21, Implementation of the Government Charge Card Abuse Prevention Act of 2012, which states that Inspectors General will conduct annual risk assessments of agency purchase cards and travel cards to analyze the risks of illegal, improper, or erroneous purchases.
The CFPB participates in the U.S. General Services Administration’s SmartPay2 program through a task order with the U.S. Department of the Treasury’s master contract with Citibank. Within the U.S. Department of the Treasury, the Bureau of Fiscal Services’ Administrative Resource Center provides purchase card and travel card administrative services and acts as the liaison between the CFPB and Citibank.
The CFPB’s Office of Procurement is responsible for managing the operation of the purchase card program and ensuring that the program complies with applicable laws, regulations, policies, and procedures. The CFPB’s Office of Procurement also monitors the effectiveness of the purchase card program as a payment vehicle while working to ensure that the proper controls are in place. The CFPB operates its purchase card program under the policies and procedures set forth in the Purchase Card Policy and Management Plan, which was finalized in July 2014. As of September 30, 2014, the CFPB had 384 active cardholders, and these cardholders made approximately 3,500 transactions totaling approximately $2.2 million in fiscal year 2014.
The CFPB’s Travel and Relocation Office (Travel Office) within the Office of the Chief Financial Officer oversees the travel card program. The Policy on Travel Cards and Temporary Duty Travel and its addendum (Travel Card policy), as well as Travel Office practices, provide a framework for the responsibilities of travelers and the Travel Office. As of September 30, 2014, the CFPB spent more than $11 million, or about 2 percent of its incurred expenses, on travel card spending and had 1,203 active cardholder accounts.
Our overall objective was to analyze the risks of illegal, improper, or erroneous purchases and payments associated with the CFPB’s purchase card and travel card programs. To conduct our risk assessment, we obtained and reviewed the responsible offices’ objectives; the relevant purchase card and travel card policies and procedures; the results of prior external and internal audits and reviews of the programs; and the status of open recommendations, if applicable, for the purchase card and travel card programs. In addition, we surveyed the responsible agency officials to identify risks that could prevent the offices from achieving their goals, as well as the controls to mitigate these risks. We conducted our risk assessment work from July 2014 through November 2014.
We used five risk categories in our risk assessment—financial, strategic, operational, compliance, and reputational—as defined below:
Each program office identified inherent risks by relevant risk category and assessed their impact and likelihood. Impact is the likely magnitude of deficiency that could result from the risk. Likelihood is the level of possibility that a risk will occur. Our office then assessed the impact and likelihood of risks by risk category considering the effect of internal controls, the results of prior audits, and other relevant documentation, and we assigned a level of low, medium, or high using the criteria in table 1. We then combined the impact and likelihood of individual risk category levels to arrive at an average overall risk level.
Table 1: Definition of Likelihood and Impact
| Level | Risk impact definition | Risk likelihood definition |
|---|---|---|
| High | Significant impact on current operations and long-term objectives | Almost certain to occur |
| Medium | Limited impact on current operations and long-term objectives | Likely: event could occur |
| Low | Minimal impact on current operations and long-term objectives | Remote: unlikely to occur |
Source: OIG auditors’ analysis.
Tables 2 and 3 show each risk category’s level for impact and likelihood for the purchase card and travel card programs, respectively. The average overall risk level determines the final risk assessment for CFPB’s purchase card and travel card programs.
Table 2: Risk Levels by Risk Category for the CFPB’s Purchase Card Program
| Risk category | Impact | Likelihood | Overall risk level |
|---|---|---|---|
| Financial | Low | Low | Low |
| Strategic | Low | Low | Low |
| Operational | Medium | Low | Low |
| Compliance | Medium | Low | Low |
| Reputational | Low | Low | Low |
| Average risk level | Low | Low | Low |
Source: OIG auditors’ analysis.
Table 3: Risk Levels by Risk Category for the CFPB’s Travel Card Program
| Risk category | Impact | Likelihood | Overall risk level |
|---|---|---|---|
| Financial | Low | Medium | Low |
| Strategic | Medium | Medium | Medium |
| Operational | Medium | Medium | Medium |
| Compliance | High | Medium | Medium |
| Reputational | Medium | Medium | Medium |
| Average risk level | Medium | Medium | Medium |
Source: OIG auditors’ analysis.
The results of the risk assessment show that the risk of illegal, improper, or erroneous use in the CFPB’s purchase card program is low and the risk level for the travel card program is medium. As a result, we will include an audit of the travel card program in the OIG’s 2015 annual audit plan, and we will not include an audit of the purchase card program in that plan. Nevertheless, the Office of Procurement and the Travel Office should continue to take appropriate actions to ensure proper oversight of their respective programs.
This report was provided for informational purposes, and a response is not required. The OIG appreciates the cooperation and assistance provided by your staff during this risk assessment. If you have any questions, please contact me at 202-973-5005 or Melissa Heist, Associate Inspector General for Audits and Evaluations, at 202-973-5024.
Sartaj Alag, Chief Operating Officer
Stephen Agostini, Chief Financial Officer
David Gragan, Chief Procurement Officer
J. Anthony Ogden, Deputy Inspector General
