This is the accessible text file for GAO report number GAO-03-678G entitled 'Audit Guide: Auditing and Investigating the Internal Control of Government Purchase Card Programs' which was released on May 01, 2003.

This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

GAO-03-678G:

United States General Accounting Office:
Washington, D.C. 20548:

Audit Guide:

Auditing and Investigating the Internal Control of Government Purchase Card Programs:

November 1, 2002:

Preface:

The federal government of the United States--the largest and most complex organization in the world--expended approximately $15 billion through federal organizations'[Footnote 1] purchase card programs[Footnote 2] in fiscal year 2002. As the steward of taxpayer dollars, federal agencies are accountable for how purchase cards are used and how the funds are spent.
To that end, federal agencies are responsible for establishing and maintaining internal control to provide reasonable assurance that (1) the goals and objectives of the purchase card program are met and (2) safeguards against fraudulent, improper, and abusive purchases are adequate.

Recent congressional testimony and Inspector General and GAO reports show that some federal agencies do not have adequate internal control over their purchase card programs. Without effective internal control, management has little assurance that fraudulent, improper, and abusive purchases are being prevented or, if occurring, are being promptly detected with appropriate corrective actions taken.

A key element of internal control is monitoring that assesses the quality of performance over time and ensures that the findings of audits and other reviews are promptly resolved. Monitoring provides for regular management and supervisory activities, as well as evaluations by inspectors general or external auditors.

This guide focuses on audits of internal control activities--designed primarily to prevent or detect significant fraudulent, improper, and abusive purchases--in a government purchase card program. It is intended to provide practical guidance for consideration by internal and external auditors, investigators, and program management oversight personnel in assessing the adequacy and performance of those control activities, and identifying areas of internal control for potential improvement.

This guide is based primarily on GAO's experiences in auditing and investigating internal control over federal government purchase card programs at the Departments of Defense, Education, Housing and Urban Development, and other federal agencies.

This guide was prepared at the request of former Chairman Stephen Horn, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, House Committee on Government Reform.
This is one of a series of projects we have undertaken for the Subcommittee concerning weaknesses in internal control over government purchase and travel card programs.

We invite you to review and comment on the audit approach and methodologies contained in this guide. This draft document will be available for comment for 60 days, until August 1, 2003. Please address any questions or comments to me at (202) 512-2600, steinhoffj@gao.gov, or Stephen W. Lipscomb at (303) 572-7328, lipscombs@gao.gov, or:

Stephen W. Lipscomb:
U.S. General Accounting Office:
1244 Speer Blvd. Suite 800:
Denver, CO 80204:

This guide was prepared under the direction of Gregory Kutz, Director, Financial Management and Assurance. Other GAO contacts and key contributors are listed in appendix VII.

Jeffrey C. Steinhoff:
Managing Director:
Financial Management and Assurance:

Signed by Jeffrey C. Steinhoff:

Table of Contents:

Preface:

Section 1: Introduction:
Objective of the Guide, Scope and Methodology:
Government Purchase Card Programs:
GAO's Approach to Auditing Purchase Card Programs:
The Applicability of Auditing Standards:

Section 2: Understanding the Purchase Card Program:
The Risk of Fraudulent, Improper, and Abusive Purchases:
Potentially Fraudulent, Improper or Abusive:
Indications and Categories of Fraud:
Relevant Laws and Regulations:
Establishment and Operation of the Purchase Card Program:
Procurement Methods and Standards:
Purposes for which an Organization's Appropriations May Be Used:
The Organization's Operations and Programs:
Understanding the Organization's Operations:
Understanding the Organization's Purchase Card Program:
Understanding the Bank Service Provider's Program:
Internal Control and the Control Environment:
The Standards of Internal Control:
Testing Key Elements of the Control Environment:

Section 3: Making, Documenting, and Using the Preliminary Assessment:
Assessing the Adequacy of the Design of Control Activities:
Using the Preliminary Assessment:

Section 4: Testing the Effectiveness of Key Control Activities:
Obtaining Transaction Data:
Coordinating with the Bank Service Provider:
Selecting Purchase Card Transactions:
Considerations in Designing a Statistical Sample:
The Sampling Plan:
Extracting Selected Transaction Data Elements:
Reporting Sample Results:
Analysis of Results from Statistical Samples:
Obtaining Documentation Evidencing Performance of Control Activities:
Obtaining Documentation from the Organization:
Evidence of Performance:
Testing Control Activities:
Transaction Control Activities:

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases:
Data Mining for Detection, Illustration, and Disclosure:
Follow-up and Investigation:
Follow-up:
Referral for Investigation:

Appendixes:
Appendix I - Selected Relevant GAO Reports and Testimonies:
Appendix II - Selected Relevant Laws and Regulations:
Appendix III - Example Purchase Transaction Flow Chart and Narrative (Request Through Payment):
Appendix IV - Example Purchase Card Program Organization Chart:
Appendix V - Example Audit Program:
Appendix VI - Guidelines for Initiating an Investigation of Purchase Card Fraud:
Appendix VII - GAO Contact and Staff Acknowledgments:

Section 1: Introduction:

Federal government purchase card programs, which have been in existence governmentwide since 1989, were established to streamline federal agency acquisition processes by providing a low-cost, efficient vehicle for obtaining goods and services directly from vendors. As shown by the chart, purchase card programs have experienced dramatic growth and accounted for $15.2 billion in government expenditures in fiscal year 2002.

[Figure: Growth of federal government purchase card programs; see PDF for image]

With the establishment in 1998 of the General Services Administration's (GSA) SmartPay® program, federal agencies had a new way to pay for commercial goods and services.
GSA negotiated charge card service provider contracts with five commercial banks: Citibank, First National Bank of Chicago, Mellon Bank, NationsBank, and U.S. Bank. Federal government departments and agencies were to choose the service provider with capabilities meeting agency requirements.

Purchase card programs are widespread throughout the federal government and range in size from the Department of Defense (DOD) with 214,000 cardholders and $6.8 billion of fiscal year 2002 purchases, to the U.S. Tax Court with 1 cardholder and $102,000 of fiscal year 2002 purchases. However, the design and implementation of internal control did not keep up with the growth in the programs audited by GAO (see app. I - Selected Relevant GAO Reports and Testimonies). With the increase in purchase card use came increases in risk, revelations of significant weaknesses in internal control, and resulting fraudulent, improper, and abusive or questionable purchases.

Objective of the Guide, Scope and Methodology:

The primary objective of this guide is to provide practical guidance for consideration in performance audits and investigations of government purchase card programs. The guide provides auditors and fraud investigators with a basis for understanding the operations, risks, and internal control of a government purchase card program, which in turn provides a basis for conducting investigations of fraud in a government purchase card program.

Although this guide is primarily an audit and investigative guide, it can also be applied by program management oversight personnel in assessing the adequacy of policies, procedures, and internal controls, and conducting ongoing monitoring of adherence to internal control activities. In that context, the use of the term "auditor" throughout this guide is intended to include program management oversight personnel as well as internal and external auditors.
While this guide is based on approaches and methodologies developed in audits of federal purchase card programs, the basic concepts and criteria may also be applicable to state and local government purchase card programs.

This guide focuses on auditing the internal control policies, procedures, and activities designed primarily to prevent or detect fraudulent, improper, and abusive purchase card transactions in a government purchase card program; seeks to foster critical, creative thinking by auditors, investigators, and management personnel responsible for identifying risks and opportunities open to those who would misuse the purchase card; provides practical guidance in identifying potentially fraudulent, improper, and abusive purchase card transactions, and in conducting the appropriate follow-up and investigation; and illustrates the beneficial effect of involving fraud investigators in the planning and execution of audit procedures.

The guide is intended to supplement existing guidance[Footnote 3] for review and oversight of federal government purchase card programs. Different parties may accomplish audits of purchase card programs for different purposes. Law, regulation, or third party request may direct external and internal auditors to accomplish a performance or other audit in accordance with generally accepted government auditing standards (GAGAS)[Footnote 4].

The guide is not intended to and does not provide guidance sufficient to address all potential purchase card program performance audit objectives (e.g., economy and efficiency, compliance with legal or other requirements). The guide is also not intended to comprehensively address all five of the standards of internal control[Footnote 5] (e.g., management's risk assessment, information and communication). In addition, the guide is not intended to and does not provide guidance sufficient to develop investigative cases that establish evidence to prove specific allegations of criminal wrongdoing.
Government Purchase Card Programs:

The operations and controls of government purchase card programs can vary among organizations. However, the U.S. Department of the Treasury's Financial Manual[Footnote 6] prescribes procedures (illustrated in fig. 1), including program controls and invoice payment, that apply to all departments and agencies that use the government purchase card. Additionally, the Federal Acquisition Regulation (FAR), which prescribes governmentwide policies and procedures for acquisition by all executive agencies, provides that agencies are to establish procedures for use and control of the card that comply with the Treasury Financial Manual.[Footnote 7]

[See PDF for image]

The manual further states that, with some exceptions, small purchases of up to $25,000[Footnote 8] should be made using the government purchase card, and establishes key control activities, personnel, and their roles, including the following.

A written delegation of authority is to be issued by responsible agency personnel that establishes authorized cardholder(s)[Footnote 9] and specifies spending and usage limitations unique to that cardholder.

The cardholder is the government employee to whom a government purchase card, bearing the employee's name, is issued. The card can be used only by that employee for official purchases, in adherence with agency regulations.

The cardholder statement listing all transactions during the billing period is sent to each cardholder.

The approving official (AO) reviews cardholder statement(s), is responsible for authorizing cardholder purchases (for official use only), and ensures that statement(s) are reconciled and submitted to the designated billing office in a timely manner.

A designated billing office receives the official invoice--a designated billing office report listing all cardholder charges for the area the office serves--and ensures its payment in accordance with Prompt Payment Act deadlines.
The manual requires each agency to develop its own internal procedures for using the purchase card, and establishes processing and internal controls that must be in place prior to using the government purchase card, including the following.

Designate an office (usually the procurement office) to manage the program, and assure that (1) training required for all cardholders, approving officials, and other employees involved in the program is provided, (2) a current list of cardholders and approving officials is maintained, and (3) an annual oversight review of the program is conducted. (This position is generally referred to as the Agency Program Coordinator (APC) in DOD purchase card programs.)

Establish procedures for (1) the timely submission of cardholder statements to the agency designated billing office, (2) maintaining security of the cards, (3) handling disputes and returned, refused, damaged, or unacceptable items and partial deliveries, and (4) purchase card renewal.

The manual also provides that invoices, payments, access and review of account and master file data, and reports may be accomplished electronically, and that electronic funds transfer (EFT) should be adopted as the standard method of payment for all federal program payments originated by agencies or their agents.

GAO's Approach to Auditing Purchase Card Programs:

The approach presented in this guide is based on GAO's experience in auditing internal control over government purchase card programs at the Departments of Defense, Education, Housing and Urban Development, and other federal agencies (see app. I - Selected Relevant GAO Reports and Testimonies).
In general, GAO's approach is to: (1) gain a thorough understanding of the organization's operations and purchase card program, and relevant system of internal control, (2) based on that understanding, and any needed additional review and analysis, make a preliminary assessment of the adequacy of the design of the system of internal control, (3) test the effectiveness of internal control using statistical sampling, and (4) use data mining to detect instances of potentially fraudulent, improper, and abusive transactions to illustrate the effects of breakdowns in internal control.

[See PDF for image]

GAO's approach includes involving fraud investigators throughout the audit. An experienced fraud investigator will bring valuable perspectives and insight to the process of identifying opportunities for fraud in the program's operations and in evaluating the effectiveness of control activities. They can also bring new and creative thinking to identifying the opportunities for circumvention of the existing controls. Fraud investigators should be involved in the preliminary assessment process, designing tests of controls, identifying criteria and relationships for data mining, and in follow-up of potentially fraudulent transactions. Program policy and procedure documents obtained and understandings gained of the purchase card program and related internal controls should be made available to the fraud investigator.

The Applicability of Auditing Standards:

Auditors performing an audit in accordance with GAGAS standards for performance audits are required to adhere to the general and fieldwork standards. These standards can be found on GAO's website[Footnote 10]. The following three general standards are key to providing assurance that integrity, objectivity, and independence are adequate in planning, conducting, and reporting results of audits.
Independence - Audit organizations and individual auditors, whether government or public, are required to be free both in fact and appearance from personal, external, and organizational impairments to independence, in all matters relating to the audit work.

Professional judgment - Auditors complying with GAGAS are required to use professional judgment in planning and performing audits and in reporting the results.

Competence - Audit staff are required to collectively possess adequate professional competence for the tasks required.

We encourage all users of this guide, including internal auditors and program management oversight personnel, to (1) become familiar with these standards and the basic concepts embodied in them, (2) consider their relative applicability to the circumstances, and (3) apply them as appropriate when using this guide.

Section 2: Understanding the Purchase Card Program:

Evaluating the adequacy of internal control designed to mitigate the risk of fraudulent, improper, and abusive transactions requires the auditor to gain an in-depth understanding of (1) the risk of fraud, (2) the relevant laws and regulations, and (3) the specific organization's mission activity operations, and its purchase card program operations (from purchase request to payment). This in-depth understanding is necessary so that an auditor can make a preliminary judgment about the adequacy of design of an organization's control activities.

The Risk of Fraudulent, Improper, and Abusive Purchases:

The potential for fraudulent, improper, and abusive purchases in a purchase card program should be viewed by management as a risk of significant financial loss, possibly resulting in operational inefficiency and impairment of mission readiness. This is particularly true in the government environment where taxpayer dollars are at risk. Fraudulent, improper, and abusive purchases often result directly from a lack of adherence to policies, procedures, and control activities.
This lack of adherence can result in misuse of the card. As program personnel predisposed to misuse the card become aware of such weaknesses, the door opens wider for fraudulent, improper, and abusive purchases.

[See PDF for image]

One organization's actions included recommending remedial training and suspension of repeat offenders' purchase card accounts for lack of adherence to internal control policies and procedures.

Repeated nonadherence to established internal control policies and procedures, such as inadequate documentation of purchase card transactions or supervisory reviews, in and of themselves may not constitute a violation of law or regulation. However, if allowed to continue, they will contribute to an erosion and weakening of the control system. Prompt administrative and disciplinary actions (e.g., informal admonishment, formal reprimand, additional required training, suspension of card privileges, cancellation of the cardholder's account, termination of employment) can be effective in reducing persistent lack of adherence to policies and procedures by cardholders and other program personnel. When administrative corrective actions are taken and documented, program management, oversight personnel, and auditors will be able to identify repeat offenders and determine that appropriate steps are being taken to address potentially significant problems before they escalate.

[See PDF for image]

Potentially Fraudulent, Improper or Abusive:

Our audits of purchase card programs detected transactions which were not in accordance with laws and regulations, or were not an appropriate or legitimate use of government funds. We used four terms to characterize such purchases: potentially fraudulent, improper, abusive, and questionable purchases. The following are explanations of these terms as used in this guide.
A cardholder made 62 unauthorized transactions totaling $12,832 to pay for repairs to a car and buy groceries, clothing, and various other items for personal use.

Fraudulent purchases - Use of the government purchase card to acquire goods or services that are unauthorized and intended for personal use or gain constitute a fraud against the government. A cardholder's unauthorized purchase of power tools for his home, a vendor's intentional charges for services not provided, and the unauthorized use by a third party of a cardholder's compromised or stolen account for personal gain are examples of fraudulent purchase card transactions. In GAO reports, these and similar purchase card transactions are generally referred to as "potentially fraudulent" unless there has already been a fraud conviction in a court of law.

Day planners costing $3,100 were purchased from Franklin Covey. One item cost $199 and another $250. In contrast, cardholders could have purchased day planners from JWOD for about $40.

Improper purchases - Government purchase card transactions that are intended for government use, but are not permitted by law, regulation, or organization policy generally are considered improper. Examples include certain types of purchases of meals or refreshments for government employees within their normal duty stations[Footnote 11], purchases split to circumvent micropurchase or other single purchase limits, and purchases from other than statutorily designated sources, such as the Javits-Wagner-O'Day program (JWOD)[Footnote 12].

A cardholder purchased Bose bedside clock radios costing $349 each, when other models costing about $15 were available.

Abusive purchases - Purchases of authorized goods or services, at terms (e.g., price, quantity) that are excessive, or are for a questionable government need, or both, are considered abusive.
Examples of such transactions include purchases of items such as $300 day planners, $350 bedside radios, and allowable refreshments at excessive cost, purchases of designer leather goods, and year-end and other bulk purchases of computer and electronic equipment for a questionable government need.

Indications and Categories of Fraud:

Figure 2 shows key signs, signals, and patterns that are indicative of the potential for fraud in a government purchase card program.

Figure 2: Signs, signals, and patterns indicative of the potential for fraud:

[See PDF for image]

Weak management;
Weak internal controls;
History of impropriety;
Failure to follow legal or technical advice;
Promise of gain with little likelihood of being caught;
Unexplained decisions and/or transactions;
Unethical leadership;
Missing or altered documents.

Source: International Journal of Government Auditing.

[End of figure]

An inmate at a local county jail made three purchase card transactions at local florist shops on a government purchase card that had either been lost or stolen.

GAO audits of government purchase card programs have reported fraudulent and potentially fraudulent purchases by cardholders, vendors, and third parties using compromised accounts falling into the following broad categories of fraud.

Theft involves property, facilities, and services.
An authorized or unauthorized cardholder purchase of goods or services intended for personal use or gain is theft. Theft can also occur when an unauthorized user compromises a cardholder's account by gaining knowledge of and using the purchase card account number.

A maintenance supervisor allegedly made $52,000 in fraudulent transactions to a suspect contractor for work that was not performed.

Two purchase cardholders conspiring with at least seven vendors received kickbacks on purchases with inflated prices and/or quantities. Criminal investigation resulted in confinement or restriction, a bad conduct discharge, and a reduction in rank.

Fictitious transactions can involve a single party (e.g., a cardholder supports the acquisition of goods or services for personal use with false documentation, or a vendor bills the government for goods or services never delivered). In addition, fictitious transactions can include collusion (e.g., a cardholder knowingly approves documentation supporting a vendor's invoice for goods or services never provided, and the two share in the amount paid by the government). Although collusion can circumvent what otherwise might be effective internal control activities, a robust system of guidance, internal control activities, and oversight can provide reasonable assurance of preventing or quickly detecting fraud.

Kickbacks may be offered by a vendor or solicited by a contractor or government buyer. Kickbacks in a government purchase card program can include collusion between a cardholder and a vendor. The cardholder makes authorized purchases from the vendor, who charges the government an excessive price and "kicks back" a percentage of the amounts received to the cardholder.

A cardholder and his supervisor conspired to make nearly $400,000 in fraudulent purchases from companies owned by the supervisor, his sister, friends, and acquaintances.
Conflict of interest is present when a government official participates in approving or deciding a matter in which the official or a relative has a financial interest. The potential for a conflict of interest in a purchase card transaction exists whenever a cardholder or a relative has a significant financial interest in a vendor or contractor. Purchases of goods or services from that vendor or contractor would be suspect and, if not prohibited by the organization, should require special review and approval prior to and subsequent to the purchase.

The auditor should be aware of the potential for the previous categories of fraud in the day-to-day operational risk of the organization. Fraudulent, improper, and abusive purchases generally involve individual cardholders, supervisors, approving officials, and vendors, and occasionally collusion between them. Another source of fraudulent purchases of significant concern occurs when an account is compromised (e.g., someone other than authorized program personnel gains knowledge of account numbers). In any event, a strong system of controls should guard against significant loss to the government for all such potentially fraudulent, improper, and abusive purchases. Any potentially fraudulent transaction detected should be considered for follow-up, as discussed in the Follow-up and Investigation section of this guide.

To better understand the risk of fraud within a specific organization's purchase card program, auditors and investigators should identify and study known cases of such fraud. Summary memoranda prepared by fraud investigators detailing the nature and extent of the suspected fraud, the investigative process, the conclusions reached, and the actions taken can provide valuable additional insight.
Relevant Laws and Regulations:

A federal organization's purchase card program must comply with the laws, regulations, contracts, and governmentwide and organization policies and procedures that (1) govern the establishment and operation of the purchase card program, (2) prescribe procurement methods and standards, and (3) pertain to the purposes for which an organization's appropriations and other sources of funds may be used. When evaluating the merits of individual purchases, all three areas should be considered (see app. II - Selected Relevant Laws and Regulations).

Establishment and Operation of the Purchase Card Program:

Federal organization purchase card programs operate under a governmentwide GSA contract, the GSA SmartPay® Master Contract. Organization purchase card programs must comply with the terms of the contract and the task order under which the organization placed its order for purchase card services. Organization purchase card programs must also comply with Department of the Treasury regulations found in the Treasury Financial Manual, Vol. I, Part 4-4500, "Government Purchase Cards." The Federal Acquisition Regulation (FAR), 48 C.F.R. § 13.301(b) (2002), provides that agencies are to establish procedures for use and control of the card that comply with the Treasury Financial Manual and that are consistent with the terms and conditions of the current GSA credit card contract.

Individual organizations may be subject to specific statutory criteria for the management of purchase cards (e.g., Title 10 U.S.C. 2784, directing the Secretary of Defense to prescribe regulations governing the use of purchase cards). As such, each organization should have guidance concerning the implementation, establishment, and operation of its purchase card program.
Procurement Methods and Standards:

Purchases made with the purchase card should be made in accordance with generally applicable procurement laws, regulations, and organization procurement policies and procedures. The FAR provides governmentwide policies and procedures for acquisition by all executive agencies. Agencies frequently issue supplemental acquisition regulations as well.

One cardholder split about $17,000 of purchases of boots on 1 day into 8 transactions. Another cardholder split over $30,000 of purchases from an electronic supply store on 1 day into 14 transactions.

Contracting activities carried out by the federal government generally must be conducted by warranted contracting officers; however, the purchase card may also be used by other government personnel for purchases at or below the micropurchase threshold. The FAR provides that such individuals must be delegated the authority to do so in writing in accordance with organization procedures. Regardless of the value of a purchase, the FAR prohibits cardholders from splitting organization needs into smaller purchases in order to circumvent applicable acquisition laws, regulations, and policies. Organization policies can also prohibit cardholders from splitting a purchase into smaller purchases in order to avoid individual cardholder purchase limits.

Despite representations that hotels were authorized to bill only for audiovisual equipment and conference room rental, detailed bills acquired by GAO auditors showed that about $7,000 was inappropriately expended for prohibited breakfasts, lunches, and snacks.

Authorized personnel may use the purchase card for purchases at or below the micropurchase threshold (currently $2,500, except that the limit is $2,000 for certain construction costs).[Footnote 13] Micropurchases are subject to the requirements of FAR Subpart 8, which provides that certain products be acquired from designated sources, including statutorily preferred vendors.
Micropurchases must also be made in accordance with various laws and regulations concerning environmentally preferable products and services. Cardholders may make micropurchases without soliciting competitive quotations from vendors if they consider the price to be reasonable. However, cardholders are required to distribute micropurchases equally among qualified suppliers to the extent practicable. For purchases above the micropurchase threshold, warranted contracting officers may use the purchase card to place and/or pay for orders against already existing contracts. For these larger transactions, the card is frequently referred to as a "payment card" because it pays for acquisitions made under a legally executed contract. Purposes for which an Organization's Appropriations May Be Used; Individual purchases must be for a purpose allowable under an organization's appropriations or other sources of funds (e.g., nonappropriated funds) and must not otherwise be prohibited by law. Organizations may use appropriated funds only for legitimate or bona fide needs that arise in or continue to exist in the fiscal year(s) for which those funds are appropriated. Agencies are restricted to purchasing only those items that will be used during such fiscal year(s) except when they qualify under certain categories, such as to maintain inventories of necessary items at reasonable levels. However, agencies generally may not purchase items in excessive amounts at the end of a fiscal year in order to solely avoid the expiration of funds. 
The Organization's Operations and Programs; To appropriately plan an audit and investigation of the internal control over an organization's purchase card program requires a thorough understanding of: the organization's mission activities and operations, its purchase card program operations and the end-to-end flow of transactions through it from request to payment, the system of internal control over the purchase card program, and: the environment in which the control activities operate. Understanding the organization's operations and its specific purchase card program is critical in developing audit objectives and the scope and methodology for the work needed to achieve them. In addition, issues such as program significance, visibility, age, sensitivity, and the potential use of audit results should be considered in the audit planning process.[Footnote 14] Gaining and documenting an understanding of the operations of a government purchase card program can be accomplished in several ways, all of which will require access to the appropriate personnel and relevant documents. The first step should be to establish contact and coordinate that effort with both the organization and the bank service provider. One manner of obtaining access to operations and program personnel is to coordinate audit arrangements with the organization's management. Access to the appropriate personnel and to written policies and procedures is essential to understanding the organization's operations, the purchase card program, and internal controls. In addition, documentation evidencing adherence to internal control policies and procedures will be necessary when testing for performance of control activities. Further, access to program personnel will be necessary to clarify information received and/or to follow up on potentially fraudulent, improper, and abusive purchases. 
Understanding the Organization's Operations; Understanding the organization's mission and objectives, and how those missions and objectives are accomplished provides the auditor with critical insight used in (1) developing audit objectives, (2) identifying opportunities for purchase card fraud, (3) making preliminary assessments of the adequacy of program controls, (4) designing tests of internal control, and (5) identifying criteria for data mining. Understanding gained of the organization's operation(s) might include: the nature and size of overall operations; what the individual activities involved in the purchase card program do, and how they do it; the general job descriptions, level of education, and number of personnel in those activities; and: the volume and appropriate type(s) of purchase activity to expect. An understanding of the organization's operations and activities can be gained by interviews with operations personnel, and by reviewing existing documents such as program descriptions, policies and procedures, and operations manuals. Understanding the Organization's Purchase Card Program; The initial understanding of the organizational level purchase card program (from request to payment) and the internal control at work throughout that process, ideally would be obtained from existing documents such as purchase card program descriptions, policies and procedures, operational manuals, or instructions. Interviews with program personnel can supplement existing documented evidence of program operations and controls, or establish a starting point if such documentation is insufficient or nonexistent. 
In either circumstance, correctly structured interviews can be a valuable source of inquiry to understand and clarify (1) the extent to which control activities are in place and operating, (2) the environment in which those controls operate, (3) the overall managerial organization and operations of the program, and (4) the flow of purchase card transactions. A Practical Guide for Reviewing Government Purchase Card Programs - June 2002, by the President's Council on Integrity and Efficiency contains interview guides, which will be helpful when conducting interviews for this purpose. In addition, conducting walkthroughs of selected purchase card transactions is a key process in (1) gaining a thorough understanding of the program's operations from purchase request to payment of the bill, (2) identifying control points through that process, and (3) observing the operation of control activities and transaction flows. GAGAS requires auditors to prepare documentation supporting significant judgments and conclusions. The auditor should obtain or prepare narratives and/or flowcharts that summarize and document their understanding of the organization's purchase card program and the flow of typical purchase card transactions. Understanding gained of how the purchase card program operates, the flow of transactions from request to payment, and the key controls over the entire end-to-end process form the basis for making preliminary judgments about the adequacy of the design of control activities and for designing tests of those controls. Narrative and flowchart documentation also provides effective communication of the processes and control points to other interested parties (e.g., audit staff, program management, oversight personnel). 
Appendixes III and IV of this guide provide example flowcharts of an organizational level structure for a federal government purchase card program and the end-to-end flow, and related narrative, of typical purchase card transactions through it. Understanding the Bank Service Provider's Program; Coordinating the audit effort with the bank service provider might provide the opportunity to gain an understanding of (1) the operation of the provider's program, (2) the processes for purchase card authorization, issuance, and credit limits, (3) the transaction processing, review, authorization, and manual override (e.g., single-transaction limits) system, (4) the merchant category code (MCC) blocking features and any manual override, and (5) the internal controls over these processes. Additionally, as shown in figure 3, the GSA SmartPay® master contract requires bank service providers to provide federal organizations with various ad hoc, standard commercial, and other reports specific to the purchase card program.

Figure 3: Agency/organization reports required by GSA's SmartPay® master contract to be provided by the bank service provider.

General reporting requirements; Ad-hoc report generation capability; Standard commercial reports; Additional essential reports; The Official Invoice; Invoice Status Report; Transaction Dispute Report; Pre-Suspension/Pre-Cancellation Report; Suspension/Cancellation Report; Renewal Report; Delinquency Report; Detailed Electronic Transaction File; Reporting specific to the Purchase Card Program; Account Activity Report; Statistical Summary Report; Summary Quarterly Purchase Report; Other agency reports; Account Activity Report; Master File Report; Statistical Summary Report; Account Change Report; Exception Report; Current Accounts Report; 1099 Report Information; 1057 Report; Payment Performance and Refund Report; Write-Off Report; Summary Quarterly Merchant Report; Summary Quarterly Vendor Analysis Report; Summary Quarterly Vendor Ranking Report.

Source: GSA's SmartPay® Master Contract, Section C.38 - Agency Reporting Requirements, and Section CC.12 - Agency Reporting Requirements For The Purchase Card Program.

[End of figure]

Conducting interviews with bank service provider personnel may provide the necessary understanding of the provider's purchase card operations, processes, and controls, as well as valuable insights and understanding in using the various reports being produced. Internal Control and the Control Environment; Internal control is an integral component of an organization's purchase card program that provides reasonable assurance that the objectives of effective and efficient operations and compliance with applicable laws and regulations are being achieved. The minimum level of quality acceptable for internal control in a government purchase card program is defined by the five standards for internal control included in Standards for Internal Control in the Federal Government[Footnote 15]. 
Those standards, and elements of the control environment standard which are significant in a government purchase card program, are discussed in this section of the guide. The Standards of Internal Control; All of the following internal control standards are applicable to achieving reasonable assurance that fraudulent, improper, and abusive purchases do not have a significant adverse effect on the effectiveness or efficiency of a government purchase card program. The control environment - A positive control environment--the foundation for all other internal control standards--is established by management and employees creating and maintaining an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. Specific key elements affecting the control environment of a purchase card program are discussed in more detail later in this section of the guide. Management's risk assessment - Internal control should provide for an assessment of the risks the organization faces from both external and internal sources, and identify and deal with any special risks prompted by changes in economic, industry, regulatory, and operating conditions. Control activities - Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives and help ensure that actions are taken to address risks. Control activities in a government purchase card program include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, reviews, and the creation and maintenance of related records that provide evidence of execution of these activities. Specific transaction-level control activities significant to a purchase card program are discussed in more detail in the Transaction Control Activities section of this guide. 
Information and communications - Information should be recorded and communicated to government purchase card program managers and others within the program who need it in a form and within a time frame that enables them to carry out their internal control and other responsibilities. Monitoring - Ongoing monitoring--regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties--should be performed continually and be ingrained in the course of normal operations of a government purchase card program (e.g., review and analysis of bank service provider reports, periodic reviews for adherence to program policies and procedures, review and follow-up of audit findings). Testing Key Elements of the Control Environment; Recent GAO purchase card audit reports have identified the following six elements as significantly affecting the control environment surrounding a purchase card program. Management's philosophy (tone at the top), Span of control, Financial exposure, Training, Discipline, and: Purchasing and reviewing authorities. This guide discusses each of these elements, the relevant documentation, and tests which the auditor can perform. Testing of some of these elements of the control environment can be accomplished either before the preliminary assessment is completed, or later as part of testing the effectiveness of control activities. Testing of these elements of the control environment is accomplished through analytical, sampling, and nonsampling methods as discussed in each element. Analytical testing is accomplished by utilizing electronic reports, data files, and other data obtained from the bank service provider and/or the organization. The discussion of some of these elements identifies them as lending themselves to efficient testing in conjunction with transaction-level control activity tests, discussed in the Transaction Control Activities section of this guide. 
Therefore, the data needed to conduct tests of these elements should be obtained for each cardholder and approving official for purchase card transactions selected for transaction-level control activity testing. In a recent GAO audit, management's proactive attitude in implementing change was credited for establishing a positive control environment at one unit, in contrast to another unit where management supported the status quo of weak control, effectively diminishing the likelihood of substantive change. Management's philosophy and operating style, sometimes referred to as tone at the top, determines the degree of risk the organization is willing to take in operations and programs. The attitude and philosophy of management toward information systems, accounting, personnel functions, monitoring, and audits and evaluations can have a profound effect on internal control. Insights gained by the auditor through interviews conducted with program personnel, and review of prior audit findings and management's responses will assist in assessing this element of internal control. Professional judgment is necessary when attempting to assess the effect of tone at the top, positive or negative, on internal control and on the design of control activities. Tests of transaction-level control activities and follow-up of potentially fraudulent, improper, and abusive purchases may provide the auditor with additional insight into the tone at the top. In response to a GAO report criticizing an unreasonable 1,153:1 ratio of cardholders to approving official, the department issued guidance limiting this span of control ratio to 7:1 for all its agencies. Span of control, in a government purchase card program, refers to the extent of review responsibilities placed on a single approving official for the purchase card transactions of one or more cardholders. 
In establishing the reasonableness of this responsibility, the auditor should consider (1) the number of cardholders assigned, (2) the number and complexity of purchase card transactions being reviewed each billing period, and (3) perhaps the most potentially detrimental, demands of other responsibilities assigned to the approving official. Additional insight into the reasonableness of these relationships can be obtained during interviews with cardholders and approving officials and during control tests of selected transactions. The auditor should consider independently evaluating the reasonableness of existing span of control relationships by obtaining bank service provider reports containing the information necessary to determine the number of cardholders assigned to individual approving officials. Two related organizations provided purchase cards with credit limits of $20,000 or more to over 1,700 employees, resulting in an excessive monthly financial exposure of over $34 million, while actual monthly purchases amounted to only about $6 million. The total number of authorized cardholders in the organization, their single transaction and monthly credit limits, and the approving official credit limits directly affect the financial responsibility of the individuals involved and the extent of potential loss to the organization from fraudulent, improper, and abusive purchases. Financial exposure in a government purchase card program can become excessive when management does not exercise judgment and restraint in issuing purchase cards and in determining single purchase and monthly credit limits. We have found that by limiting the number of purchase cards and related credit limits to the levels necessary to meet operational requirements, an agency can better manage and control its purchase card program. 
Purchase cards should be issued in controlled limited quantities (e.g., special justification and authorization for more than one card per cardholder), and only to government employees with a legitimate need to have the card. Single purchase and monthly credit limits should be established based on the expected monthly purchases of the cardholder. Both of these determinations require an objective effort by operational supervisors and management, with assistance from purchase card program management, to evaluate the existing and continuing needs of operations and cardholders. The auditor should evaluate management's process for establishing the number of cardholders and their credit limits reasonably necessary to operational requirements. Documentation of management's decision-making process should be obtained and reviewed for propriety. Examples of management's consideration of objective, analytical data include the following. Supervisory review of cardholder purchase history, both number of transactions and dollars purchased (very few purchase transactions in the previous year might indicate the lack of a need for the card, while lower than expected dollar volume of purchases might indicate a lower reasonable cardholder credit limit). Annual positive assertions by supervisors and/or managers of continuing cardholder needs, both for the card and for the related credit limits. The auditor should consider independently evaluating the reasonableness of the organization's existing financial exposure by obtaining bank service provider reports--which provide information necessary to determine the total cardholder monthly credit limits--and comparing that total to the organization's average monthly and highest monthly purchase card expenditures. 
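The independent span-of-control and financial-exposure evaluations described above can be run directly over bank service provider extracts. The following is an added example, not part of the GAO guide: the CSV column names, account identifiers, sample figures, and the `min_txns` and `min_utilization` thresholds are constructed assumptions, and the default `max_ratio` of 7 is the 7:1 ratio cited in the span-of-control example above.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample extracts; the column layout is an assumption, not a
# SmartPay report format.
ACCOUNTS_CSV = """account,approving_official,monthly_limit
CH-001,AO-A,20000
CH-002,AO-A,20000
CH-003,AO-A,5000
CH-004,AO-B,25000
CH-005,AO-B,10000
"""

TRANSACTIONS_CSV = """account,post_date,amount
CH-001,2002-01-14,1800.00
CH-001,2002-02-03,2400.00
CH-002,2002-01-20,350.00
CH-004,2002-01-09,2100.00
CH-004,2002-02-11,2500.00
CH-004,2002-02-25,1900.00
CH-005,2002-03-02,600.00
"""


def load_accounts(text):
    """Return {account: (approving_official, monthly_limit)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["account"]: (r["approving_official"], Decimal(r["monthly_limit"]))
            for r in rows}


def load_monthly_spend(text):
    """Return ({(account, 'YYYY-MM'): total}, {account: transaction_count})."""
    spend = defaultdict(Decimal)
    counts = defaultdict(int)
    for r in csv.DictReader(io.StringIO(text)):
        spend[(r["account"], r["post_date"][:7])] += Decimal(r["amount"])
        counts[r["account"]] += 1
    return dict(spend), dict(counts)


def span_of_control(accounts, max_ratio=7):
    """Count cardholder accounts per approving official; list those over max_ratio."""
    per_ao = defaultdict(int)
    for ao, _limit in accounts.values():
        per_ao[ao] += 1
    over = sorted(ao for ao, n in per_ao.items() if n > max_ratio)
    return dict(per_ao), over


def financial_exposure(accounts, spend):
    """Compare total monthly credit limits with average and highest monthly spend.

    The average is taken over months that appear in the transaction file.
    """
    total_limit = sum((lim for _ao, lim in accounts.values()), Decimal(0))
    by_month = defaultdict(Decimal)
    for (_acct, month), amount in spend.items():
        by_month[month] += amount
    peak = max(by_month.values(), default=Decimal(0))
    avg = sum(by_month.values(), Decimal(0)) / len(by_month) if by_month else Decimal(0)
    return {"total_limit": total_limit,
            "average_month": avg.quantize(Decimal("0.01")),
            "peak_month": peak}


def card_findings(accounts, spend, counts, min_txns=2,
                  min_utilization=Decimal("0.15")):
    """Flag cards with little activity or a limit far above their busiest month.

    min_txns and min_utilization are hypothetical review thresholds; a flag is
    a prompt for supervisory review, not a conclusion.
    """
    findings = {}
    for acct, (_ao, limit) in sorted(accounts.items()):
        peak = max((amt for (a, _m), amt in spend.items() if a == acct),
                   default=Decimal(0))
        reasons = []
        if counts.get(acct, 0) < min_txns:
            reasons.append("few_transactions")
        if limit > 0 and peak / limit < min_utilization:
            reasons.append("limit_exceeds_need")
        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    accounts = load_accounts(ACCOUNTS_CSV)
    spend, counts = load_monthly_spend(TRANSACTIONS_CSV)
    print(span_of_control(accounts, max_ratio=2))
    print(financial_exposure(accounts, spend))
    print(card_findings(accounts, spend, counts))
```
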
Management should identify the appropriate knowledge and skills needed in the purchase card program, require the needed training, and maintain documentation evidencing that required training is current for all program personnel. The extent and type of training provided should vary in relation to authority and responsibility in the program, and to the amount of transaction authorization given to the cardholder. At a minimum, a cardholder should receive the standard purchase cardholder training provided by the organization and/or by GSA, before receiving a purchase card, and periodic (biannual) refresher training thereafter.[Footnote 16] Of approximately $68 million in fiscal year 2000 purchase card transactions at two related organizations, approximately $17.7 million (26 percent) were made by cardholders for whom there was no documented evidence of required initial or refresher purchase card training. The auditor should obtain and evaluate documentation evidencing adherence with this element of the control environment for the cardholders and approving officials related to and in conjunction with transactions selected for tests of transaction-level control activities. Both the appropriateness of training received as well as the attributes discussed below can be reviewed, when evaluating this element of the control environment. Training documentation and relevant attributes to consider include the following. 
Certificates/record of training, for both initial and refresher courses, should clearly show: (1) the type of training received (e.g., instructor led, computer based, internet based), (2) that the training was relevant to the purchase card program, (3) that the training was appropriate to the level of authorized spending and program authority of the individual, (4) the signature of the cardholder and the instructor (if applicable), (5) that the date of initial training is prior to purchase card account activation, and/or (6) that the date of refresher training is within the required period. Centralized training records, or a database of cardholder, approving official, and APC training should: (1) provide detailed information similar to that contemplated above for certificates of training, and (2) be available to the appropriate levels of program management to facilitate monitoring of adherence to program training requirements. The auditor should consider assessing the adequacy of centralized training records by tracing cardholders and approving officials associated with the purchase card transactions selected for control tests to such records. Testing in association with transaction control tests is desirable because selecting and testing a representative sample from the centralized records would not identify cardholders and others who have not received training and are therefore not in the centralized records. Inquiries and other corroborating evidence could provide confirmation that centralized training records or databases are maintained current, and are being used to monitor adherence with training requirements. Candid and constructive counseling, performance appraisals, and discipline can provide reinforcement of the system of internal control. Internal control policies and procedures should identify the specific actions or lack of adherence to internal control within the purchase card program that warrant counseling and/or discipline. 
The auditor should obtain and evaluate documentation evidencing this element of the control environment for the cardholders and approving officials related to and in conjunction with transactions selected for tests of transaction-level control activities. The documentation and relevant attributes of discipline to consider evaluating fall into two general categories: Constructive counseling might be provided to cardholders and approving officials in response to isolated instances of lack of adherence to internal control policies, procedures, and activities. The auditor should obtain and review for propriety documentation of counseling provided for isolated instances of lack of adherence to controls detected in the transactions selected for control testing. Disciplinary actions to be taken in response to recurring and/or persistent lack of adherence to internal controls, and specific consequences for improper and abusive purchases should be adopted by the organization as part of the system of internal control. Such consequences can vary with the severity and persistence of the policy violation, and might include formal and informal reprimands, suspension or cancellation of the purchase card account, termination of employment, and referral to investigative authorities in cases of suspected fraud. Instances warranting discipline should be documented and included in personnel files and, if applicable, performance appraisals. The auditor should obtain and review documentation of disciplinary actions taken for the instances of significant lack of adherence to controls, and for improper and abusive purchases detected during the control activities testing. Documentation should also be obtained of all cases of detected potential fraud occurring during the period under audit and included in considerations for follow-up, as discussed in the Follow-up and Investigation section of this guide. Disciplinary actions alone may be an insufficient response to detected fraud. 
For that reason, instances of fraud that are declined for prosecution and referred to management for disciplinary action should be followed up to ensure that, in the professional judgment of the auditor, appropriate actions were taken by organization management. Despite operating instructions providing for restitution and revocation of card privileges, repeat violators of regulations and internal controls did not lose their purchase cards and did not repay the government for unauthorized purchases. In a government purchase card program, purchasing authority establishes a cardholder's authority to possess and use a government purchase card. It also establishes the cardholder's single-transaction and credit limits. Some organizations will assign different spending limit authorities to the same cardholder, which apply to different uses of the card. For example, a cardholder who is a warranted contracting officer is assigned two purchasing authorities: (1) a $2,500 single-transaction limit with a $40,000 monthly purchase limit for purchases of goods or services, and (2) a $100,000 single-transaction limit with a $500,000 credit limit for use of the purchase card as a method of payment on a preexisting contract. Authority is also established for approving officials to review and authorize payment of cardholder accounts. Approving official authority should also identify the specific cardholder(s) for which review and certification responsibilities have been assigned, and the approving official's credit limits should relate to the total cumulative monthly purchasing limits of the cardholders assigned to them. The auditor should obtain and evaluate documentation evidencing this element of the control environment for the cardholders and approving officials related to and in conjunction with transactions selected for tests of transaction-level control activities. 
For evaluation and testing purposes, each level of purchasing authority given to a cardholder (e.g., $2,500 single-transaction limit for local vendor purchases, $100,000 limit for purchases on an existing contract) should be deemed a separate cardholder. Documentation evidencing purchasing authority for cardholders, and review and certification authority for approving officials, should be obtained and evaluated for instances of significant lack of adherence to controls including: (1) documentation of the cardholder's purchasing authorization (e.g., organizational standard form) dated prior to the transaction date and (2) documentation of the approving official's authorization (e.g., organizational standard form) dated prior to the transaction date. Attributes which the auditor should consider reviewing when evaluating the effectiveness of this control include the following: (1) the date of the purchase transaction, compared to the date of the cardholder's purchasing authority, compared to the date of the approving official's authorization, (2) the amount of the transaction, compared to the amount of the cardholder's single transaction authority, (3) the total amount of the cardholder's billing statement, compared to the cardholder's and approving official's authorized credit limits, (4) the cardholder account single-transaction and credit limit carried in the bank's system, compared to that authorized in the cardholder's purchasing authority, and (5) that the approving official's assignment of responsibility includes the specific cardholder account. Section 3: Making, Documenting, and Using the Preliminary Assessment. 
The preliminary assessment is a critical analysis of whether, in the professional judgment of the auditor, the existing internal control policies, procedures, and activities as designed, if in place and operating, will provide management with reasonable assurance that significant fraudulent, improper, and abusive purchases will be prevented or promptly detected. A preliminary assessment of the organization's plan of internal control will assist the auditor in (1) identifying significant weaknesses in designed control activities, (2) planning and designing control tests, and (3) identifying data-mining criteria. The auditor, considering the overall control environment, should make a critical comparison of the risk/opportunities for fraudulent, improper, and abusive purchases and the internal control policies, procedures, and activities designed to guard against them. The knowledge gained in the Understanding Operations and Programs section of this guide will provide information useful to the preliminary assessment of internal control. In some circumstances, this information may need to be supplemented with additional inquiries, observations, and/or nonsampling tests of controls. When reaching conclusions in the preliminary assessment, the auditor should also consider the bank service provider's systems and controls, the audit objectives, prior audit findings and recommendations, and management's responses and corrective actions taken. Assessing the Adequacy of the Design of Control Activities; Our audits of purchase card programs have identified (1) the determination of a legitimate government need, (2) screening for required sources of supply, (3) independent receipt and acceptance, (4) establishing accountability over certain property, (5) cardholder reconciliation, and (6) approving official review as key transaction- level control activities in mitigating the risk of fraudulent, improper, and abusive purchases. 
These key control activities should be included in the auditor's preliminary assessment of the adequacy of the design of control activities. It will also be helpful to the auditor's critical comparison process to prepare a list of the identified risk/opportunities for potentially fraudulent, improper, and abusive purchases to occur, and a list of the existing relevant control activities. An individual control activity will probably address multiple risks of potentially fraudulent, improper, and abusive purchases, and an individual risk may be addressed by more than one control activity. Therefore, a simple one-to-one comparison will probably not be effective. For example, the control activity of independent receipt and acceptance can be instrumental in mitigating the risk of paying for services not performed, as well as mitigating the risk of purchased accountable property not being recorded in the organization's property record system. One way to proceed is to prepare a simple schedule, as illustrated in figure 3, which lists the identified risk/opportunities for potentially fraudulent, improper, and abusive purchases down the left hand side, and provides space for identifying (1) the related control activities, (2) the auditor's preliminary assessment conclusions, (3) the effects on the design of audit control tests, and (4) potential criteria for audit data mining. Figure 4: Illustration of the process of assessing and concluding on the adequacy of designed control activities. [See PDF for image] [End of figure] The above (figure 4) is provided as an illustration only of the process of making, documenting, and using the preliminary assessment of the design of internal control activities. The illustrated risks, controls, conclusions, effects, and identifications are highly dependent upon the facts and circumstances of specific organization operations and purchase card programs. 
Auditors will need to exercise professional judgment when making these determinations.

Using the Preliminary Assessment:

Auditors should find the observations and conclusions made in the preliminary assessment useful in determining the nature and extent of further audit work on an organization's purchase card program. These observations and conclusions can be useful in determining a strategy for internal control testing, including designing sample selections.

For example, a preliminary assessment conclusion might be that the design of an internal control policy and one or more related control activities is strong and can provide management with reasonable assurance of preventing or promptly detecting fraudulent, improper, and abusive purchases. If the policy and control activities are considered to be strong, tests designed to determine the extent to which the control activities are being performed would likely be an efficient and cost-effective audit procedure. However, if the auditor considers the policy and/or the control activity to be ineffective or nonexistent, tests for performance of control activities would generally not be appropriate or cost effective. Whether to design and conduct tests of performance for controls considered to be weak will require professional judgment and consideration of the facts and circumstances of individual cases.

The results of the preliminary assessment can also be useful to the auditor's consideration of other procedures (such as data mining discussed in a later section of this report) designed to detect fraudulent, improper, and abusive transactions resulting from identified weakness in the design of controls.
For example, if the preliminary assessment is that the design of internal control does not provide reasonable assurance of compliance with requirements to purchase from statutory sources of supply, then purchase card transactions with other vendors who sell similar goods and services may provide examples of the result of that control weakness.

Section 4: Testing the Effectiveness of Key Control Activities.

A well designed system of internal control for a purchase card program is needed to provide reasonable assurance that the program is operating as intended and is not vulnerable to significant fraudulent, improper, and abusive purchases. However, a system of internal control, no matter how well designed, cannot be relied on if control activities are not in place and operating effectively on an ongoing basis. Control activities identified during the preliminary assessment process, as likely to be effective at preventing or detecting fraudulent, improper, and abusive purchases, should be tested to determine if they are being adequately adhered to.

This section discusses (1) obtaining and verifying the completeness of the purchase card transactions database, (2) designing a statistical sample of purchase card transactions, (3) obtaining the documentary evidence of performance of control activities, and (4) the design and conduct of tests to determine if key control activities are in place and operating as intended.

In our audits of purchase card programs, we used two basic types of control testing--statistical sampling[Footnote 17] (selections representative of and projectable, with quantifiable accuracy, to a population) and nonrepresentative selections (selections not representative of or projectable to a population)--to evaluate the effectiveness of internal control activities.
This guide considers controls designed to prevent or detect fraudulent, improper, and abusive transactions in a purchase card program to operate on two basic levels: (1) control activities that operate at the transaction level (e.g., independent receipt and acceptance, cardholder reconciliation), and (2) controls that operate at some other level (e.g., training, span of control). Elements of the control environment discussed in the Internal Control and the Control Environment section of this guide are not considered transaction-level control activities. However, testing and evaluating certain of these elements (i.e., training, discipline, and purchasing and reviewing authority) can be efficiently accomplished in conjunction with the testing of transaction-level control activities.

Obtaining Transaction Data:

Tests of control activities which operate at the transaction level are applied to selected purchase card transactions, generally contained in an electronic file database. The auditor will need to identify and obtain the appropriate database of purchase card transactions, select the transactions to test, and extract the appropriate transaction information from the database.

In order to obtain the appropriate population of purchase card transactions, the auditor will need to establish and define the scope of the audit. The scope of the audit can be defined in terms of control activities in place and operating for a time period, a unit, or an activity, or a combination of those terms (e.g., all purchase card transactions executed by the organization during the fiscal year ended September 30, 2003). Also, if the data are stored in an electronic database(s), the auditor will need to determine that the transaction data elements necessary to achieve the audit objectives are included in the database obtained.

The purchase card transactions selected for testing should be selected from a population which includes all relevant transactions in the scope of the audit.
In order to assure the relevance and completeness of the population transaction database, the auditor should obtain value and quantity control totals from a source independent of the database provider, and agree them to the data obtained. For example, a transaction database supplied by the bank service provider could be agreed or reconciled to the organization's records of purchase card activities, or the bank service provider may supply control totals to verify a transaction database provided directly by the organization.

Coordinating with the Bank Service Provider:

Establishing a contact and coordinating the audit effort with the bank service provider presents the auditor with an opportunity to gain a current understanding of the bank's program operations, processes, and controls, as more fully discussed in the Understanding the Bank Service Provider's Program section of this guide. Coordination with the bank can also provide the needed transaction databases and/or the ability to verify organization transaction databases by comparison to independent control totals. Fraud investigators involved in the purchase card audit may also be afforded an opportunity to evaluate the bank's fraud investigation and detection methodologies, and benefit from other information provided by the bank's credit card fraud investigators.

Selecting Purchase Card Transactions:

One of the first decisions the auditor will need to make is whether to use statistical sampling to select transactions for testing. In most audit circumstances, statistical sampling is the recommended approach for making estimates about and drawing conclusions from a population of transactions, and for estimating the percentage of transactions in the population for which control activities were or were not in place and operating as intended.
Statistical sampling is appropriate:

if there is a desire to estimate whether control activities for a population of transactions are in place and operating as intended, and to quantify the accuracy of this assessment based on statistical theory;

if there is a desire to estimate whether some control activities for a population of transactions are operating as intended to a greater or lesser degree than other activities, and to quantify the accuracy of this assessment based on statistical theory; and

if it is desirable to estimate, and to quantify the accuracy of the assessment based on statistical theory, the dollar value for a population of purchase card transactions subject to detected control weaknesses and/or failures.

In these cases, a statistical sample should be designed so that statistical theory can be used to estimate failure rates and/or the dollar value of transactions subject to ineffective controls in the population and to quantify the accuracy of those estimates.

In other audits of purchase card programs, making statistical estimates of the failure rate in the population of transactions may not be important. For example, if there are no control activities, or if the design of controls is clearly inadequate, there would be little point in testing control activities and estimating the associated failure rates. As another example, certain control activities may only apply to a very small portion of transactions. In these cases, an assessment might be made of the effectiveness of control activities through means such as observation, inquiry, and/or inspection of a nonrepresentative selection of transactions.
However, it should be understood at the outset, that when experience and understanding of the subject matter are used to assess the effectiveness of control activities based solely on observation, inquiry, and/or inspection of a nonrepresentative selection of transactions, the results cannot be reliably or statistically projected to all transactions of that type.

Considerations in Designing a Statistical Sample:

The auditor, in conjunction with a statistician, will need to consider a number of issues in order to design statistical samples for government purchase card programs. These issues include, but are not limited to, the following.

The organization of the population of purchase card transactions - Typically, these records are organized in one or more electronic files. In this case, various sampling options are available. Two of these options are (1) simple random sampling of transactions, and (2) partitioning transactions into non-overlapping groups (strata), followed by selecting simple random samples of transactions in each stratum.

The organization of the documentation evidencing performance of control activities - These documents may be stored in one or more geographic locations, which may or may not limit or impair accessibility by the auditor. In either case, a sample design should account for the geographic dispersion. The following are examples of available options.

Geographic strata - If personnel are available to collect data from each location, then a sample design might have locations as strata, with appropriate sampling methods within each stratum. A stratified design would protect against the possibility of an "unlucky" sample, i.e., having no or few transactions from one or more locations in a random sample selected from the population of all transactions. It may also provide more precise estimates than a random sample of the same size selected from the population of all transactions.
Geographic location sample - If it is not possible to collect data from each geographic location, then a two stage statistical sample can be made of (stage one) geographic locations, with appropriate sampling methods used (stage two) within each selected location. If the geographic locations are chosen using statistical sampling, the auditor will be able to make estimates about all purchase card transactions in the population.

Case study approach - The auditor may find, however, that the documents that will be examined to determine whether control activities are being performed are so geographically dispersed that it is not cost effective to collect data from statistically sampled locations. In this case, the auditor may wish to consider a case study approach. In a case study approach, locations are selected for specific reasons instead of being chosen using statistical sampling. Statistical samples of transactions are then selected for each of the selected locations. The auditor should note, however, that data collected from a case study approach can only be used to assess adherence to controls at the specified locations. Sample data from a case study approach cannot be used to make assessments about adherence to controls for the entire population of purchase card transactions.

[See PDF for image]

[End of figure]

Information about the approximate level of nonadherence to controls - Such information may be obtainable from (1) similar studies performed in the recent past, (2) estimates by subject matter experts, or (3) information obtained by the auditor during the preliminary assessment relating to nonadherence rates. These "guesstimates" are very useful to the statistician in estimating what sample size might be needed to achieve specified precision levels on estimated nonadherence rates.
The relationship between the approximate nonadherence rate, and the acceptable nonadherence/adherence rates - At what rate of failure would the auditor consider a control to be ineffective? Effective? If the expected level of nonadherence (or adherence) is close to the minimum rate that is considered unacceptable (or acceptable), a larger sample may be required to assert nonadherence (or adherence) to controls.

Inherent strengths/weakness - Certain types of transactions may be expected to have different rates of nonadherence to controls than other types (e.g., transactions for large dollar amounts processed at a higher level by personnel who likely have taken contractor officer training). If so, the population of transactions can be partitioned into strata so the expected rate of nonadherence differs from one stratum to the next. Separate samples of transactions can then be taken in each stratum. A stratified design that takes advantage of expected differences in nonadherence rates across strata can provide more precise estimates than a random sample of the same size selected from the population of all transactions.

Time and resources - The total amount of time available, the time it will take to evaluate the effectiveness of controls for each purchase card transaction, and the number of audit staff available are practical considerations that will have a direct influence on the design and size of a sample.

The Sampling Plan:

The auditor and the statistician should develop a written sampling plan for inclusion in the audit work papers.
The sampling plan should include, but is not limited to:

the reasons that a sample was developed,

the type of sample (e.g., statistical or nonstatistical) and sampling method (e.g., random) being used,

a description of the population (e.g., nature, data elements, source, control totals),

the sample design (e.g., confidence level, strata criteria, number of items and/or dollars in population and strata, sample size by strata and population) selected along with a discussion of the factors considered and conclusion reached,

guidelines about the types of evidence and attributes the auditor(s) will accept as clear evidence of performance of control activities,

information about the anticipated precision of the sample estimates,

a definition of what nonadherence to controls means,

expectations (if any) about the rate of nonadherence to controls, and

examples of the types of conclusions the auditor expects to be able to make after the sample data are analyzed (and projected to the population).

Extracting Selected Transaction Data Elements:

Data elements of transactions selected for control activity testing (as well as those identified by data mining) will need to be extracted--identified, selected, copied, and accumulated in a separate electronic file for further auditor analysis--from the population transactions database. At a minimum, those data elements should include the identification and other data elements necessary to facilitate control activity testing. The following are examples of data elements which might be included in such extracts.

[See PDF for image]

[End of figure]

The auditor should prepare a workpaper/file detailing the pass/fail results of tests of control activities (e.g., the number and dollar value of transactions failing a control activity) performed on each sample item, in accordance with the sample design (e.g., sampled strata).
These results can then be provided to the statistician, who should project the sample results to the population, and provide the auditor with a report recapping the population, the sampling plan used, the control tests performed by the auditor, the statistical estimates (e.g., attribute failure rates, dollar values), and the associated confidence intervals. The auditor should then prepare a summary memo that incorporates the sample tests results and the statistician's report and recaps the rules used to assess the effectiveness of controls and the audit conclusions drawn from the projected sample results.

Analysis of Results from Statistical Samples:

The primary questions that can be answered from analyzing the result of a statistical sample of attribute tests for control activity performance are:

What is the estimated failure rate and the accuracy of that estimate?

Does the failure rate of performance of the control activity result in assessing the control as effective, ineffective, or partially effective?

To answer the first question, the failure rate from the statistical sample should be estimated taking the design of the sample into account. Since the statistical sample is only one of a large number of samples that could be drawn, a two-sided interval should be generated that will contain the actual (unknown) population failure rate for a specified percent of samples that could be drawn. This interval is called a "confidence interval," and the specified percent is called the "confidence level".[Footnote 18]

[See PDF for image]

[End of figure]

To answer the second question, the statistical sample results should be compared to a pre-set standard (e.g., control activities with adherence failure rates greater than 10 percent will be considered ineffective) and/or professional judgment.
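The selection, projection, and assessment steps described above can be worked through as follows; this is an added example, not part of the GAO guide. The strata, counts, seed, 95 percent confidence level, normal-approximation interval, and the rule that compares the interval bounds to the guide's 10 percent example standard are all assumptions made for illustration.

```python
import math
import random
from dataclasses import dataclass

Z_95 = 1.96              # assumed: two-sided 95 percent confidence level
FAILURE_STANDARD = 0.10  # the guide's example pre-set standard (10 percent)


@dataclass
class Stratum:
    name: str
    population: int  # N_h: transactions in the stratum, per the verified database
    sampled: int     # n_h: transactions tested
    failures: int    # tested transactions that failed the control activity


def select_sample(transaction_ids, sample_size, seed):
    """Simple random sample without replacement within one stratum.

    Recording the seed in the sampling plan lets a reviewer reproduce
    exactly which transactions were selected.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(list(transaction_ids), sample_size))


def project_failure_rate(strata, z=Z_95):
    """Project stratum test results to the population.

    Returns (rate, lower, upper): the stratified estimate of the failure
    rate and a two-sided normal-approximation confidence interval.
    A stratum with zero (or all) failures contributes no variance here,
    which understates uncertainty; a statistician would normally switch
    to an exact method for such strata.
    """
    total = sum(s.population for s in strata)
    rate = 0.0
    variance = 0.0
    for s in strata:
        if not 2 <= s.sampled <= s.population:
            raise ValueError(f"{s.name}: need 2 <= sampled <= population")
        if not 0 <= s.failures <= s.sampled:
            raise ValueError(f"{s.name}: failures must be within the sample")
        weight = s.population / total          # W_h = N_h / N
        p = s.failures / s.sampled             # stratum failure rate
        fpc = 1 - s.sampled / s.population     # finite population correction
        rate += weight * p
        variance += weight ** 2 * fpc * p * (1 - p) / (s.sampled - 1)
    half_width = z * math.sqrt(variance)
    return rate, max(0.0, rate - half_width), min(1.0, rate + half_width)


def assess_control(lower, upper, standard=FAILURE_STANDARD):
    """Assumed decision rule: conclude only when the whole interval lies on
    one side of the standard; otherwise the evidence supports neither
    conclusion and the control is rated partially effective."""
    if lower > standard:
        return "ineffective"
    if upper <= standard:
        return "effective"
    return "partially effective"


# Constructed test results for one control activity, stratified by
# transaction dollar amount (illustrative numbers only).
CONSTRUCTED_RESULTS = [
    Stratum("under $500", population=8000, sampled=60, failures=9),
    Stratum("$500 to $2,500", population=1800, sampled=40, failures=4),
    Stratum("over $2,500", population=200, sampled=20, failures=1),
]

if __name__ == "__main__":
    picked = select_sample(range(1, 201), sample_size=20, seed=2003)
    print("selected from the over $2,500 stratum:", picked)
    rate, lower, upper = project_failure_rate(CONSTRUCTED_RESULTS)
    print(f"estimated failure rate {rate:.1%}, interval {lower:.1%} to {upper:.1%}")
    print("assessment:", assess_control(lower, upper))
```

With these constructed counts the interval straddles the 10 percent standard, so a point estimate above the standard is not by itself enough to rate the control ineffective.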
[See PDF for image]

[End of figure]

For each audit of a government purchase card program, the auditor should choose the failure rates that classify (or make the professional judgments that conclude) that the performance of control activities is effective, ineffective, or partially effective. Partially effective controls are those for which the evidence does not support a conclusion that the control is either effective or ineffective.

Obtaining Documentation Evidencing Performance of Control Activities:

Documentation provides the auditor an opportunity to inspect evidence of ongoing adherence to internal control policies and performance of control activities. The data evidencing performance of transaction-related control activities will most likely, but not necessarily, reside within the organization. Examples of documentation that might evidence performance of specific control activities are included in the Testing Control Activities section of this guide.

The lack of such documentation, although a strong indicator of a lack of adherence and performance, does not necessarily preclude adherence or performance. However, all lack of adequate documentation should initially be considered as a failure of the relevant control activity test. Missing documentation should elevate the level of the auditor's professional skepticism when conducting any additional audit procedures considered appropriate (e.g., additional inquiry, consideration of other supporting documentation, direct interviews with cardholders and/or approving officials). Transactions and cardholders with significant or persistent lack of documentation should be considered for follow-up in accordance with the Follow-up and Investigation section of this guide.

Original documents should be reviewed whenever possible. The extent that copies of original documents are retained for audit work papers will depend on the circumstances and professional judgment.
However, the work papers should include copies of documents supporting findings of a significant lack of adherence to policies, performance of control activities, and any potentially fraudulent, improper, and abusive purchases. As discussed later in the Follow-up and Investigation section of this guide, copies of documents will also be necessary to the follow-up process.

Obtaining Documentation from the Organization:

The auditor will need to provide the organization sufficient information to identify the specific transactions selected for testing (e.g., cardholder name and number, transaction sale or post date, and amount). The auditor should, in planning, allow sufficient time for this step since documentation may be in geographically diverse locations and the organization may need to send out requests for the needed information. The auditor should consider the knowledge gained about the control environment and other factors, and exercise professional judgment when making decisions about (1) supplying selected transaction information to the organization, (2) when and how to receive documentation, and (3) the amount of time to allow the organization to produce documentation. The auditor and the organization should agree, and/or the auditor should communicate the rules of the engagement, in advance, establishing time limits for providing requested documentation, after which audit conclusions will be based on the documentation provided.

Evidence of Performance:

The auditor should design tests that clearly and specifically identify acceptable attributes that evidence actual performance of control activities. Guidelines should be developed about what constitutes "clear evidence of performance" before testing begins. Such evidence may include appropriate sequencing of dates, cardholder and/or approving official tick marks or other indications on individual transactions, corroborating representations of performance by management personnel, and so forth.
Developing these guidelines in advance and including them in the sampling plan will enhance the ability of audit staff to make consistent assessments across sampled transactions. If there will be a cadre of audit staff assessing whether there is clear evidence of performance, they should be trained before data collection begins to enhance their collective ability to make consistent assessments. Also, appropriate supervisory review and validation of the assessments made by the audit staff will be needed. An independent supervisory assessment of selected sample items is one way to accomplish that review.

Testing Control Activities:

Tests for performance of control activities should be performed utilizing the data gathered. For purposes of this guide, many control activities are considered transaction specific (e.g., independent receipt and acceptance, approving official review) and the related tests should be accomplished at the transaction level. Also, as discussed in the Internal Control and the Control Environment section of this guide, some of the key elements of the control environment (e.g., training, discipline, purchasing and approving authority) lend themselves to efficient testing in conjunction with the testing of transaction-level control activities. The auditor should consider coordinating tests of those elements of the control environment with the tests of the following transaction control activities.

Transaction Control Activities:

This guide discusses the following six control activities directly related to purchase card transactions and their supporting documentation and performance attributes for consideration by the auditor:

determining a legitimate government need,

screening for required vendors,

independent receipt and acceptance,

establishing accountability over property,

cardholder reconciliation, and

approving official review.
The specific tests of control activities accomplished, the specific documents reviewed, and the attributes considered may vary as audit objectives vary. When conducting the transaction control test discussed below, auditors should also evaluate purchases for compliance with relevant laws and regulations (e.g., exemption from sales tax). The auditor should consider consulting with legal counsel for assistance in evaluating questions of the existence of a legitimate government need. The auditor should also consider conducting follow-up, as discussed later in this guide, in instances of a questionable legitimate government need, or prohibited or otherwise inappropriate government purchases. Prepurchase approvals were found in up to 98 percent of purchase card transactions tested in a recent GAO audit. Determination of a legitimate government need provides reasonable assurance to the organization that its resources are not being wasted. A legitimate need for the goods or service being acquired should be determined before a purchase is made. In a government purchase card program, the initial responsibility for making this determination may be assigned by the organization's policies and procedures to the cardholder. Prepurchase requests or other authorization prepared by a supervisor, or prepared by operations personnel and signed by a supervisor, can provide the cardholder with documentation of a legitimate government need. Organization policies may leave verification and documentation that purchases are for a legitimate government need to the discretion of the cardholder--a practice usually considered a weakness in the design of control. The organization's policies and procedures may identify specific items or types of purchases requiring special approval. However, prepurchase authorizations are not required by all government organizations, and some organizations may provide blanket authorization for routine purchases. 
When there is no documentation of a legitimate government need for other than routine items, the auditor should view purchases with an elevated level of professional skepticism. Further, the organization's policies and procedures may restrict or prohibit the purchase of certain items or types of goods and services. Auditors should be aware of these requirements, restrictions, and prohibitions, and the requirement, or lack thereof, for documentation establishing the government's need.

Auditors questioned whether a valid need had been identified, when "to get enough goodies for everyone" 80 Palm Pilots costing $30,000 were purchased and inventoried to be issued to personnel when requested.

Documentation evidencing the determination of a legitimate government need should be obtained and reviewed. This could include (1) a prepurchase request or authorization, (2) written blanket authorization for small routine purchases (e.g., office supplies), (3) written justification by the cardholder or other program personnel of the government need for the purchase, (4) other required documentation for specifically controlled or restricted purchases (e.g., a purchase justification or business need analysis for computer equipment), and (5) the vendor invoice describing the goods or services purchased.

Attributes to consider evaluating include (1) the date of government need determination, compared to date of the purchase, (2) whether the purchased item is included on the organization's prohibited or restricted list, and (3) the item purchased on the vendor invoice, compared to the item for which a need was determined. The auditor should consider the knowledge of the organization's operations and the control environment gained in previous sections of the guide, and exercise professional judgment, with an appropriate level of professional skepticism, and evaluate the reasonableness of the legitimate government need determination.
Screening for required vendors provides the organization with reasonable assurance of compliance with laws and regulations related to statutory sources of supply. One such regulation is the Federal Acquisition Regulation (FAR) Part 8, Required Sources of Supplies and Services. This regulation generally requires federal agencies to purchase supplies, services, and printing, from designated sources (e.g., Federal Prison Industries, the National Institute for the Blind, the National Institute for the Severely Handicapped, the Government Printing Office). Auditors should be aware of these and other laws, regulations, contractual agreements, and policies and procedures, which direct the organization to acquire goods and services from sources such as GSA schedules and contracts, blanket purchase agreements, and single source suppliers. Auditors should also be aware of exceptions provided to these and other requirements, generally having to do with practicality and availability.

Despite laws and regulations requiring priority be given to certain required vendors, a recent GAO audit found failure rates in this control ranging from 70 to 90 percent of purchases tested.

Documentation evidencing screening for required vendors should be obtained and reviewed including (1) a purchase log, required by policy by some organizations, (2) other documents evidencing appropriate screening, and (3) a waiver or other documentation of the applicability of exceptions made to required sources of supply.

Attributes to consider evaluating include (1) the date and cardholder signature or initial for screening, compared to the transaction date, and (2) the date and appropriate signature on waiver of purchase from required sources, compared to the transaction date. Professional skepticism should be exercised when evaluating the appropriateness of any exceptions to required sources of supply.
Two related organizations could not demonstrate independent receipt and acceptance for about $27.4 million in purchased goods and services. Independent--someone other than the cardholder--receipt and acceptance of goods and services provides reasonable assurance that the organization actually received what it is paying for. The inclusion of independence in the receipt and acceptance activity significantly strengthens the control by adding segregation of duties to the activity. In purchase card programs, the cardholder is usually responsible for verifying that independent receipt and acceptance has occurred before completing the reconciliation activity discussed below. Documentation evidencing independent receipt and acceptance (e.g., a signature or initial on the vendor invoice, receipt, or shipping document) should be obtained and reviewed including (1) the vendor invoice, (2) the shipping, receiving, and/or warehouse receipt for goods or services provided, and (3) the relevant cardholder billing statement. Attributes to consider evaluating include (1) the date of signed receipt, compared to the purchase date and cardholder reconciliation date, (2) the signature or initial, evidencing receipt by someone other than the cardholder, (3) notations (e.g., tick marks) indicating verification of quantities for appropriate purchases, (4) the invoice amount, compared to cardholder billing statement amount, and (5) the invoice item description(s) and quantity, compared to receiving document description(s) and quantity. Physical control and accountability over pilferable and other vulnerable property acquired by the purchase card, which is initiated at the purchase card transaction level, provides reasonable assurance to the organization that pilferable property (i.e., an item that is portable and can be easily converted to personal use) is appropriately recorded and asset-safeguarding control is established at the time of purchase and receipt. 
Organizational requirements for this activity may vary with the volume, value, and sensitivity of pilferable property acquisitions. Control activities required of the cardholder should include initially identifying the pilferable property requiring asset control, notifying appropriate property management personnel within the organization of the acquisition, and supplying the information required to establish a record in the property control system. Audit procedures should include verification of the record in the property control system, and can be extended to physical inspection and/or verification that the property is in the possession of the government. Of 114 tested purchases of accountable property acquired with purchase cards, 60 (53 percent) were not recorded in property records, and 35 (31 percent) could not be located. Documentation evidencing performance of this activity should be obtained and reviewed, including (1) the vendor invoice, (2) evidence of independent receipt and acceptance, discussed above, (3) the cardholder's billing statement, (4) the cardholder's notification of pilferable property, submitted to property control system personnel, (5) the property control system record, and (6) if they are not evident in the existing transaction document, the auditor should obtain item serial number(s) directly from the supplier or manufacturer. 
Attributes to consider evaluating include (1) the vendor invoice's quantity, description, and unique identifying number(s), such as a serial number (considered a critical attribute for this control), compared to those attributes in the property control system record, (2) the date of purchase (sale date on the cardholder's statement), compared to the date of signed receipt, the date of cardholder notification to appropriate property personnel, and the date of property record entry, and (3) the property control system's description, assigned property number (e.g., bar code number), property item unique identifying number (e.g., serial number), and location, compared to those same attributes from a physical inspection and/or independent verification that the accountable property is in the possession of the government. Cardholder reconciliation provides the organization with reasonable assurance that all transactions appearing on the cardholder's billing statement are appropriate charges for goods and services purchased for and received by the organization. Much the same as individuals reviewing their personal credit card statements to assure themselves that the purchases and amounts included were actually made by them, government purchase cardholders should perform no less than that level of review. Cardholder reconciliation is the process of the cardholder gathering, reviewing, and providing the documentation to support that each purchase transaction appearing on the cardholder's billing statement is an appropriate, legitimate government purchase. The cardholder is responsible for identifying purchase card transactions that are unauthorized or that otherwise should not be paid by the government. The cardholder should promptly dispute unauthorized charges appearing in the cardholder's billing statement with the bank service provider. 
For those charges for which the cardholder is unable to verify independent receipt and acceptance, the auditor should look for evidence of either a credit by the vendor or a formal dispute filed with the bank service provider.

Tests of a statistical sample of purchase card transactions at four related organizations disclosed little evidence of cardholder reconciliation of purchases back to supporting documentation before payment of the bill.

The cardholder reconciliation and/or the approving official review and certification for payment may be accomplished either manually or electronically. The electronic system may not require a signature or date, and may leave little or no audit trail of the application of control activities to billing statements and/or individual transactions. The auditor should obtain, review, and use professional judgment and skepticism in considering the value of electronic system-generated reports and/or screen prints as audit evidence of actual performance, when evaluating adherence with control activities. The attributes described in this section remain relevant to audit considerations and evaluations regardless of whether the cardholder reconciliation control activity is performed manually or electronically. If the available documentation is insufficient to evidence the actual performance of a control activity, the selected purchase card transaction should be considered as failing that activity. In this circumstance, the auditor may consider it necessary to extend audit procedures to the general and application controls of the electronic data processing (EDP) system, which is outside the scope of this guide.
Documentation evidencing performance of cardholder reconciliation should be obtained and reviewed including: (1) the monthly purchase cardholder statement in a manual system, or other bank system-generated listing of billing-period transactions in an electronic system, (2) the vendor invoice, and (3) evidence of formal dispute (e.g., organizational standard form) of unauthorized charges appearing on the cardholder's billing statement. Attributes to consider evaluating include: (1) the cardholder's reconciliation signature, (2) the date of reconciliation, compared to organizational requirements, the approving official review, and payment certification dates, (3) notations (e.g., tick marks, system notes) indicating that all transactions on the statement were individually reconciled, (4) the transaction date, amount, and vendor name on the vendor invoice, compared to those same attributes on the cardholder's statement, and (5) the transaction date and amount, and vendor name on formal dispute documentation, compared to the same attributes on the cardholder's statement. The auditor should consider following up on the appropriate resolution of disputed items. Tests of a statistical sample of purchase card transactions at five related organizations disclosed numerous instances of approving officials certifying the bill for payment without review of cardholder reconciliation or supporting documentation. Approving official review of the cardholder's reconciliation process provides reasonable assurance to the organization that the cardholder is timely and appropriately performing the reconciliation and is complying with all significant relevant controls to prevent or detect fraudulent, improper, and abusive purchases. The review also provides a basis for the approving official to accept responsibility that the purchases are appropriate, legitimate government purchases before the billing statement total is certified for payment. 
The approving official review, a critical control activity in a government purchase card program, should include a review of the cardholder reconciliation for timeliness and completeness and for the appropriateness of the supporting documentation for individual transactions. In evaluating the effectiveness of this control activity, the auditor should consider (1) the extent of the approving official's review of the supporting documentation for a cardholder's individual transactions, and (2) the extent of documentation (e.g., tick marks, system notes) of that review. To gain a better understanding of the extent of the approving official's review of cardholder reconciliations, the auditor may consider interviewing the approving official, in addition to reviewing documentation evidencing the review process. As discussed in the section on cardholder reconciliation, the approving official review and the certification for payment may be accomplished either manually or electronically. The auditor should obtain, review, and use professional judgment and skepticism in considering the value of electronic system-generated reports and/or screen prints as audit evidence of actual performance when evaluating adherence with control activities. The attributes described in this section remain relevant to audit considerations and evaluations regardless of whether the approving official review control activity is performed manually or electronically. If the available documentation is insufficient to evidence the actual performance of a control activity, the selected purchase card transaction should be considered as failing that activity. In this circumstance, the auditor may consider it necessary to extend audit procedures to the general and application controls of the EDP system, which is outside the scope of this guide. 
Documentation evidencing performance of this activity should be obtained and reviewed including (1) the cardholder's reconciliation documentation as discussed above, (2) documentation of the approving official's review of the cardholder's reconciliation, (3) the approving official's account billing statement, and (4) documentation of the approving (or billing) official's certification for payment of the balance on his/her account billing statement.

Attributes to consider evaluating include (1) the approving official's review signature, (2) the date of the approving official's review, compared to organizational policy requirements, the date of the cardholder's reconciliation, and the date of the approving (or billing) official's certification for payment, and (3) notations (e.g., tick marks, system notes) on cardholder's individual purchase card transactions, evidencing the approving official's review and evaluation of the appropriateness of the transactions and the documentation supporting the cardholder's performance of other control activities.

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases:

In addition to testing internal controls, GAO's purchase card methodology includes procedures designed specifically to identify potentially fraudulent, improper, and abusive purchase card transactions. Designing and conducting procedures specifically for the purpose of detecting such transactions serves multiple purposes, including the potential discovery of a previously unrecognized risk in the program. Additionally, top management will likely be more receptive to recommendations for corrective actions when a face is put on the consequences of weak control, and the effects are illustrated by instances of fraudulent, improper, and abusive purchases. GAO's methodology described in this guide is a two-step process similar to the process of selecting transactions and testing controls.
It entails the pursuit of fraudulent, improper, and abusive purchases by (1) making nonrepresentative selections of transactions or patterns of activity in a process referred to as data mining, and (2) conducting follow-up procedures, rather than control tests, utilizing forensic auditing techniques on selected transactions and on cases of potentially fraudulent purchases detected during the audit process.

Data Mining for Detection, Illustration, and Disclosure:

Data mining is the act of searching or 'mining' data to identify transactions or patterns of activity exhibiting predetermined characteristics, associations, or sequences, and anomalies between different pieces of information. Data mining produces leads for follow-up by auditors and investigators; consequently the concept of data mining, as used in this guide, also includes performing audit procedures and investigations as necessary to evaluate the leads. An active continuous data-mining program by organization management can also be used to identify and initiate investigations of instances of potentially fraudulent, improper, and abusive purchases, and can serve as an effective deterrent to such transactions.

Data mining, when conducted in concert with the tests of control activities, can provide additional evidence of significant instances of noncompliance with laws and regulations, such as those discussed in the Relevant Laws and Regulations section of this guide, and lack of adherence to internal control policies and procedures. In addition, it can identify previously unrecognized or under-appreciated risk in the program. Revelations by data-mining results can often generate the upper management motivation necessary to bring about meaningful change in policies and procedures. The results of data mining should also be considered when evaluating the overall effectiveness of systems of internal control over government purchase card programs.
However, since data mining is nonrepresentative, its results cannot be projected, and conclusions should not be reached on the population of purchase card transactions.

GAO's approach to data mining is designed to support its overall evaluation of the internal control of a government purchase card program and to provide examples of the results of weakness in internal control. That approach generally consists of:

* identifying the population of transactions to data mine,
* identifying criteria and designing search queries, and
* extracting or summarizing transactions or patterns of activity from the population for further analysis, selection, audit, and investigation.

The source of data for mining would generally be the same population as the source used to select transactions for control tests. The same population of transactions must be used if examples of control failures detected by data mining are to be relevant to the population of transactions and to the period covered by the control tests. This would allow the results of data mining to be considered in the overall evaluation of effectiveness of internal control.

An experienced credit card fraud investigator will bring valuable perspective and insight, and should be involved in the process of identifying criteria, associations, and characteristics for data mining for fraudulent, improper, and abusive purchases. When identifying and selecting data-mining criteria the auditor should also consider the risks of potentially fraudulent, improper, and abusive purchases, data-mining criteria identified by the auditor during the preliminary assessment, and the data-mining criteria discussed in the following examples.
The following examples of data-mining queries, summaries and/or extractions are appropriate to support an evaluation of the internal control of a government purchase card program as contemplated in this guide, and are intended to be used to identify and extract potentially fraudulent, improper, and abusive purchases from a transaction database.

Data mining of purchase card transactions at five related organizations disclosed numerous purchases of items for personal use including digital cameras, computers, clothing, and food.

Questionable vendors are those vendors who sell goods or services that generally are not considered to meet a legitimate government need, or which are restricted or prohibited by law, regulation, or policy. Recent GAO audits of purchase card programs have identified potentially fraudulent, improper, and abusive purchases of goods and services from vendors such as restaurants, grocery stores, casinos, clothing or luggage stores, home furnishings, personal electronics, pornographic or sexually oriented goods or services (e.g., escort services), automobile dealers, and gasoline service stations. The understanding gained of the organization's operations, in accordance with a previous section of this guide, should provide the insight necessary to make preliminary identification of vendors selling goods and services which likely do not meet a legitimate government need. The following are examples of ways to identify, extract, and select purchases from these vendors.

By name: Questionable vendors, who can be expected to sell unneeded or prohibited goods or services, by name. This can be accomplished by manually reviewing a comprehensive list of vendor names extracted and sorted alphabetically from the population database. The selection process can be greatly enhanced by including selected summarized data by vendor name (e.g., number of transactions, dollars of purchases, number of cardholders making purchases).
For example, because of the goods and services provided by vendors specializing in toys, stylish personal calendar/planners, and consumer electronics, purchases from them have a high likelihood of being potentially fraudulent, improper, or abusive.

By merchant category code (MCC): Questionable vendors can be identified by using MCC codes--standard codes that the credit card industry maintains to categorize merchants--assigned to vendors that may sell personal or prohibited goods or services. Purchase card transactions carrying the identified codes can then be extracted from the population database. Sorting and/or summarizing the extracted transactions by vendor may further enhance the selection processes.

Organizations have the ability to block purchases from vendors with selected MCC codes at the bank service provider. Ideally, any attempt to charge a purchase from a vendor with a blocked MCC code should be automatically rejected at the point of purchase. However, auditors should be aware that (1) vendors may circumvent this control by providing false or misleading information and obtaining an MCC code intended to disguise the types of goods or services provided by the vendor, and (2) bank service providers do not always reject purchase card transactions with blocked vendor MCC codes.

A recent GAO audit disclosed a purchase card transaction with a prohibited escort service vendor. The bank service provider had accepted the transaction despite the blocked vendor MCC code.

All transactions associated with the identified vendor names and/or MCC codes should be considered potentially fraudulent, improper, and abusive and extracted into a questionable vendor transactions database(s) for further selection and follow-up.

GAO testified that approximately $12,000 in potentially fraudulent cardholder purchases including an Amana range, Compaq computers, gift certificates, groceries, and clothes occurred primarily between December 20 and 26, 1999.
Weekend and holiday purchases, in the operations of a normal governmental organization, could also offer a high probability of identifying potentially fraudulent, improper, and abusive transactions. However, using this approach to select transactions would not be effective if the organization's operations routinely involve weekend and holiday purchasing activity. During the previously discussed process of gaining an understanding of the organization's operations, the auditor should look for and be aware of this and similar exceptions to normal operations when designing data-mining criteria. Purchase card transactions on weekends and holidays within the audit period should be identified and extracted into a suspect date transactions database for further selection.

Data mining purchases at five related organizations disclosed numerous occurrences of purchases split to circumvent the $2,500 micropurchase threshold, including $16,000 for furniture for an approving official's office.

Split transactions are two or more transactions that would have normally been a single-purchase transaction, but were split to circumvent the micropurchase threshold (generally $2,500) or other legal or internal control single-purchase limit(s). For purposes of identifying sets of potential split transactions, all purchase card transactions in the audit period that meet the following criteria can be extracted into a potential split transactions database for further analysis:

* the transactions are with the same vendor, and
* the transaction dates are on the same day, and
* the transactions total in excess of $2,500, and
* the transactions are by the same cardholder, or the transactions are by the same activity/department.
(Broadening the selection criteria to the same activity/department considers the potential for collusion among cardholders to circumvent single-purchase limits.)

An organization approved and paid 75 purchase card transactions, all close to the micropurchase threshold, totaling $164,000, with a telecommunications contractor. The organization could not provide documentation of the nature or of receipt and acceptance of the services provided. After completing follow-up, GAO referred this case for criminal investigation.

A nonrepresentative selection of transactions can then be made from the potential split transactions database and submitted to the follow-up procedures described in the Follow-up and Investigation section of this guide. For purposes of determining circumvention of single-purchase limits, all applicable limits should be considered (e.g., micropurchase, cardholder organization authorized single-purchase limit, bank service provider system cardholder control single-purchase limit).

Transactions of unusual amounts or relationships may be fraudulent, improper, or abusive. The auditor should review the database for the existence of unusual purchase card transaction amounts, patterns, and relationships. Examples of such transactions include:

* frequent amounts with the same vendor just under the micropurchase threshold which, for example, may indicate that a vendor is exploiting weak controls and charging for goods or services that are not being provided or rendered; and
* multiple transactions for the same amount which, for example, may indicate intentional or unintentional duplicate billings for the same goods or service.

An organization used year-end funds to purchase computers and monitors costing $47,372. Nine months later over half of the computers remained in storage, raising questions of a legitimate need when purchased.
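The split-transaction criteria, the weekend and holiday selection, and the just-under-threshold pattern described above can be written as queries over a transaction table. The following is an added example, not GAO's tooling or code from the guide; the field names, the sample transactions, the 10 percent band, and the minimum count of three are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# "Generally $2,500" in the guide; pass whichever single-purchase limit applies.
MICROPURCHASE_THRESHOLD = Decimal("2500")


@dataclass(frozen=True)
class Txn:  # field names are assumptions, not a bank file layout
    txn_id: str
    cardholder: str
    department: str
    vendor: str
    txn_date: date
    amount: Decimal


def _same_day_groups(txns, owner_attr, limit):
    """Same owner + same vendor + same day, 2+ transactions, total over limit."""
    groups = defaultdict(list)
    for t in txns:
        groups[(getattr(t, owner_attr), t.vendor, t.txn_date)].append(t)
    leads = []
    for key in sorted(groups):
        grp = groups[key]
        total = sum((t.amount for t in grp), Decimal("0"))
        if len(grp) >= 2 and total > limit:
            leads.append({
                "scope": owner_attr, "owner": key[0], "vendor": key[1],
                "date": key[2], "total": total,
                "txn_ids": sorted(t.txn_id for t in grp),
                "cardholders": sorted({t.cardholder for t in grp}),
            })
    return leads


def split_leads(txns, limit=MICROPURCHASE_THRESHOLD):
    """Potential split purchases by cardholder, then by activity/department.

    Department-level groups are kept only when more than one cardholder is
    involved; single-cardholder groups are already reported by the first pass.
    """
    by_holder = _same_day_groups(txns, "cardholder", limit)
    by_dept = [g for g in _same_day_groups(txns, "department", limit)
               if len(g["cardholders"]) > 1]
    return by_holder + by_dept


def suspect_dates(txns, holidays=frozenset()):
    """Transactions dated on a Saturday, Sunday, or a caller-supplied holiday."""
    return [t for t in txns
            if t.txn_date.weekday() >= 5 or t.txn_date in holidays]


def near_threshold_vendors(txns, limit=MICROPURCHASE_THRESHOLD,
                           band=Decimal("0.10"), min_count=3):
    """Vendors with at least min_count charges within `band` below the limit.

    The 10 percent band and the count of three are illustrative assumptions.
    """
    floor = limit * (1 - band)
    hits = defaultdict(list)
    for t in txns:
        if floor <= t.amount <= limit:
            hits[t.vendor].append(t.txn_id)
    return {v: sorted(ids) for v, ids in hits.items() if len(ids) >= min_count}


def _t(txn_id, holder, dept, vendor, day, amount):
    return Txn(txn_id, holder, dept, vendor, date(2002, 3, day), Decimal(amount))


# Constructed sample data (March 2002); no real cardholders or vendors.
SAMPLE = [
    _t("T1", "CH-A", "D1", "Furniture Vendor", 4, "1900.00"),
    _t("T2", "CH-A", "D1", "Furniture Vendor", 4, "1800.00"),   # same holder, same day
    _t("T3", "CH-B", "D1", "Telecom Vendor", 5, "2000.00"),
    _t("T4", "CH-C", "D1", "Telecom Vendor", 5, "1500.00"),     # second holder, same day
    _t("T5", "CH-B", "D1", "Telecom Vendor", 6, "2450.00"),
    _t("T6", "CH-B", "D1", "Telecom Vendor", 7, "2480.00"),
    _t("T7", "CH-B", "D1", "Telecom Vendor", 8, "2499.00"),
    _t("T8", "CH-D", "D2", "Electronics Vendor", 9, "300.00"),  # a Saturday
    _t("T9", "CH-D", "D2", "Paper Vendor", 6, "120.00"),
]

if __name__ == "__main__":
    for lead in split_leads(SAMPLE):
        print("split lead:", lead)
    print("suspect dates:", [t.txn_id for t in suspect_dates(SAMPLE)])
    print("near threshold:", near_threshold_vendors(SAMPLE))
```

Each hit is a lead for the follow-up procedures, not a finding, and because the selection is nonrepresentative the results cannot be projected to the population.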
Purchase card transactions in the audit period for unusual amounts or relationships should be extracted into an unusual-transactions database for further selection.

Year-end spending may include purchases for which there is not a legitimate government need (e.g., bulk purchases of computer or electronic equipment). All purchase card transactions that exceed an established larger dollar value (e.g., $25,000) and occur in the last month of the fiscal year can be extracted into a year-end transactions database for further selection.

Purchase card transactions by vendor for the audit period can be summarized to provide statistical data such as:

* the number of cardholders making acquisitions with a vendor,
* the number of transactions with a vendor, and
* the dollar volume of transactions with a vendor.

A critical analysis of the resulting vendor transaction summary totals, and their relationships, can identify opportunities for further data mining. Vendor summary totals at the extremes of activity, both high and low, warrant special attention. A vendor with only one or two cardholders making purchases, particularly if the dollar volume is high, may indicate a conflict of interest or fraudulent (e.g., kickbacks), improper, or abusive transactions. High dollar volumes of purchases may indicate a vendor with whom the government should have a discounted price agreement. A vendor with only one transaction might indicate a questionable legitimate government need. If these summaries are accomplished utilizing a software audit tool, the individual purchase card transaction detail underlying each vendor's summary totals will usually be available, facilitating further review and selection.

Cardholders and/or their approving officials considered to have suspicious activities might be identified as the result of following up on previous data-mining transactions, a referral to an organizational fraud hotline, previous audit findings, or other means.
Purchase card transactions for such cardholders and/or approving officials can be extracted into separate transactions databases for further analysis. Follow-up and investigation of these transactions can assist in developing cases for referral to criminal investigation and prosecutorial authorities.

Since the data being mined are usually contained in a database of individual purchase card transactions, a software audit tool that facilitates summaries, comparisons, and extractions of transactions and data elements selected for follow-up is recommended. Several over the counter audit tools of this type are available.

Using professional judgment and considering the understandings gained and the results of the preliminary assessment, the auditor should select transaction leads provided by data mining and submit them to the procedures described in the Follow-up and Investigation section of this guide. Unless adequate follow-up procedures are accomplished, the auditor will not have sufficient support to either report or refer the findings.

Follow-up and Investigation:

The concept of follow-up, as used in this guide, contemplates an extension of audit procedures and documentation beyond those generally necessary to test for adherence to internal control policies or performance of control activities. GAO's approach to the follow-up process assesses purchase card transactions in three incremental stages: (1) an initial evaluation of the cardholder documentation supporting selected data-mined transactions for the purpose of discerning potentially fraudulent, improper, and abusive transactions, (2) the conduct of follow-up procedures discussed in this section on those transactions, and (3) referral of any instance of detected likely fraud to the appropriate criminal investigative personnel.
Because of the characteristics of fraudulent, improper, and abusive purchases, the exercise of professional skepticism--an attitude that includes a questioning mind and a critical assessment of audit evidence--is especially important when following up on these purchase card transactions.

Follow-up:

The conduct of follow-up procedures utilizes forensic auditing techniques. In the context of this guide, forensic auditing (follow-up) contemplates increased scrutiny and documentation by the auditor of the facts and circumstances (including judgments made and actions taken by individuals party to the transaction) surrounding potentially fraudulent, improper, and abusive transactions. In the instance of fraudulent purchase card transactions, the follow-up process is designed to support a subsequent criminal investigation.

The auditor should consider consulting with the appropriate fraud investigative staff when determining the appropriate follow-up procedures for potentially fraudulent transactions or cases detected through control tests or data mining. An experienced purchase card fraud investigator can bring valuable perspectives and insight to the follow-up process. Investigators may have procedures and protocols that establish boundaries designed to preserve a successful investigation and prosecution of a fraud within which the auditor's follow-up and referral procedures should be constrained (e.g., cautions against contacting and inadvertently alerting the vendor suspected of fraud).

To begin the follow-up process for transactions selected by data mining or other means, the auditor should obtain and review transaction documentation similar to that obtained and reviewed in the tests of transaction control activities (e.g., determination of legitimate government need, vendor invoice, independent receipt and acceptance, accountable property record, the cardholder billing statement).
This documentation should be analyzed to determine whether it supports a preliminary conclusion of (1) an appropriate government transaction that meets a legitimate government need, or (2) a potentially fraudulent, improper, or abusive transaction.

Detected or selected potentially fraudulent transactions should always be submitted to follow-up procedures. However, the auditor should use professional judgment and consider the results of cardholder documentation review, the overall objectives of pursuing fraudulent, improper, and abusive purchases, and the overall objectives of the audit, in making a decision to accomplish follow-up procedures for transactions detected during tests for performance of control activities, and the transactions selected in the data-mining process.

Professional judgment, inputs from qualified fraud investigators, and an elevated level of professional skepticism should be exercised when conducting follow-up procedures and evaluating: (1) justifications offered for lack of adherence to policies and/or performance of control activities, (2) additional supporting documentation provided, and (3) unsupported representations made in interviews with program and organization personnel.

The following are intended as examples of follow-up procedures, and are not a complete list of possible procedures.

* Request additional documentation to (1) support adherence to internal control policies or performance of control activities (e.g., legitimate government need, independent receipt and acceptance, exception to prohibited item purchases), (2) provide missing relevant details of the transactions, (3) support authorization for an otherwise improper purchase, or (4) document other issues significant or useful to the process.
* Interview the cardholder for explanation, clarification, and other additional information concerning the transaction, and corroboration of verbal representations made by others.
* Interview the approving official for explanation, clarification, and other additional information concerning the transaction, and corroboration of verbal representations made by others.
* Interview other organization personnel who may have been identified as parties with corroborating or clarifying knowledge of the facts and circumstances of the transaction (e.g., supervisors and coworkers).
* Contact the vendor for clarification of the specifics of the transaction (e.g., quantities, dates, time, description of goods or services provided).
* Request copies of supporting documentation from the vendor, especially when cardholder supporting documentation is missing.

Fraud investigators provided relevant reports and information to GAO auditors during follow-up on potentially fraudulent purchase card transactions.

Fraud investigative staff assisting in the follow-up, or gathering evidence to make and prove specific allegations of wrongdoing, may be able to provide other items (e.g., credit reports, criminal records) that can provide additional insight to the follow-up process.

All interviews conducted as part of the follow-up process should be documented in the audit work papers. At the conclusion of the follow-up process, consider summarizing the facts, findings, and resolution or disposition of the potentially fraudulent, improper, and abusive item in a memorandum for inclusion in the work paper file.

If at any time during the follow-up process the auditor's professional judgment is that a transaction is likely fraudulent, referral of the transaction to the appropriate fraud investigative staff (e.g., inspectors general, military service fraud investigation offices) should be immediately considered.

Referral for Investigation:

Referral of a likely fraudulent government purchase card transaction or case should be made to the appropriate federal criminal investigative body.
We made such referrals to GAO's Office of Special Investigations, whose investigators have substantial experience in credit card fraud. The referral should be accomplished in a written communication. That communication would generally include, but not be limited to, the following information:

* the date of the communication,
* the name of the referring organization,
* the name and telephone number of the referring contact,
* the organization and program under audit,
* a description of the potentially fraudulent transaction or case (e.g., goods or services purchased, amounts paid, impropriety of the transaction),
* the reason(s) for concluding the transaction to be potentially fraudulent,
* the names and positions of the individuals involved (e.g., John Doe - cardholder, Jane Doe - vendor),
* the date(s) of the purchase transaction,
* a description of the indicators alerting the auditor to the potentially fraudulent transaction (e.g., altered supporting documentation, personnel interview, or record discrepancies), and
* a statement as to whether the relevant documents (copies or originals) are attached or are available (e.g., cardholder billing statement, vendor invoice(s), follow-up interview(s)).

Appendixes:

Appendix I: Selected Relevant GAO Reports and Testimonies:

Department of Education: Department of Housing and Urban Development:

Financial Management: Poor Internal Control Exposes Department of Education to Improper Payments. GAO-01-997T. Washington, D.C.: July 24, 2001.

Education Financial Management: Weak Internal Controls Led to Instances of Fraud and Other Improper Payments. GAO-02-406. Washington, D.C.: March 2002.

Financial Management: Strategies to Address Improper Payments at HUD, Education, and Other Federal Agencies. GAO-03-167T. Washington, D.C.: October 3, 2002.

Department of Defense - Army:

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste, and Abuse. GAO-02-732. Washington, D.C.: June 2002.
Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste, and Abuse. GAO-02-844T. Washington, D.C.: July 17, 2002.

Department of Defense - Air Force:

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to Fraud, Waste, and Abuse. GAO-03-292. Washington, D.C.: December 2002.

Department of Defense - Navy:

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse. GAO-01-995T. Washington, D.C.: July 30, 2001.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse. GAO-02-32. Washington, D.C.: November 2001.

Purchase Cards: Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and Abuse. GAO-02-506T. Washington, D.C.: March 13, 2002.

Purchase Cards: Navy Is Vulnerable to Fraud and Abuse but Is Taking Action to Resolve Control Weaknesses. GAO-02-1041. Washington, D.C.: September 27, 2002.

Purchase Cards: Navy Vulnerable to Fraud and Abuse but Is Taking Action to Resolve Control Weaknesses. GAO-03-154T. Washington, D.C.: October 8, 2002.

Appendix II: Selected Relevant Laws and Regulations:

This appendix contains some of the laws and regulations and other guidance that are applicable governmentwide to the federal government purchase card program. Additional laws and regulations and other agency- or organization-specific guidance may apply as well.

Establishment and operation of the purchase card program:

* GSA SmartPay® Master Contract
* Treasury Financial Manual, Vol. I, Part 4-4500, "Government Purchase Cards"
* 41 U.S.C. § 426 Use of electronic commerce in Federal procurement
* 48 C.F.R. § 13.301(b) Governmentwide commercial purchase card
* 31 U.S.C. §§ 3901 - 3907 Prompt Payment Act
* 5 C.F.R. Part 1315 Prompt Payment

Procurement methods and standards:

* 41 U.S.C. § 253 Competition requirements
* 41 U.S.C. § 403(11) Definitions
* 41 U.S.C. § 427 Simplified acquisition procedures
* 41 U.S.C. § 428 Procedures applicable to purchases below micropurchase threshold
* 41 U.S.C. § 429 List of laws inapplicable to contracts not greater than the simplified acquisition threshold in Federal Acquisition Regulation
* 48 C.F.R. § 1.603-3(b) Appointment
* 48 C.F.R. Part 2.101 Definitions
* 48 C.F.R. Part 8 Required Sources of Supplies and Services
* 48 C.F.R. Part 13 Simplified Acquisition Procedures

Purposes for which an organization's appropriations may be used:

* 31 U.S.C. § 1301(a) "Purpose Statute"
* Bona Fide Needs Rule, See, e.g. 68 Comp. Gen. 170, 171 (1989); 58 Comp. Gen. 471, 473 (1979); 54 Comp. Gen. 962, 966 (1975)
* 3 Comp. Gen. 433 (1924) Comptroller General McCarl to the Secretary of War
* B-288266 (Jan. 27, 2003) Use of Appropriated Funds to Purchase Light Refreshments at Conferences
* 72 Comp. Gen. 178 (1993) Matter of: Corps of Engineers - Use of Appropriated Funds to Pay for Meals
* 65 Comp. Gen. 738 (1986) Matter of: Refreshments at Awards Ceremony
* 64 Comp. Gen. 406 (1985) Matter of: Randall R. Pope and James L. Ryan - Meals at Headquarters Incident to Meetings
* B-289683 (Oct. 7, 2002) Matter of: Purchase of Cold Weather Clothing, Rock Island District, U.S. Army Corps of Engineers
* 63 Comp. Gen. 245 (1984) Matter of: Purchase of Down-Filled Parkas

Appendix III: Example Purchase Transaction Flow Chart and Narrative (Request Through Payment):

[See PDF for image]

Source: GAO-02-1041.

[End of figure]

Approving Official: If operating effectively, the approving official is responsible for ensuring that all purchases made by the cardholders within his or her cognizance are appropriate and that the charges are accurate. The approving official is supposed to resolve all questionable purchases with the cardholder before certifying the bill for payment. In the event an unauthorized purchase is detected, the approving official is supposed to notify the agency program coordinator and other appropriate personnel within the command in accordance with the command procedures.
After reviewing the monthly statement, the approving official is to certify the monthly invoice and send it to the Defense Finance and Accounting Service (DFAS) for payment.

Cardholders:

A purchase cardholder is a Navy employee who has been issued a purchase card. The purchase card bears the cardholder's name and the account number that has been assigned to the individual. The cardholder is expected to safeguard the purchase card as if it were cash.

Designation of Cardholders:

When a supervisor requests that a staff member receive a purchase card, the agency program coordinator is to first provide training on purchase card policies and procedures and then establish a credit limit and issue a purchase card to the staff member.

Ordering Goods and Services:

Purchase cardholders are delegated limited contracting officer ordering responsibilities. As limited contracting officers, purchase cardholders do not negotiate or manage contracts. Rather, cardholders use purchase cards to order goods and services for their units and their customers as well. Cardholders may pick up items ordered directly from the vendor or request that items be shipped directly to an end user (requesters). Upon receipt of purchased items, the cardholder is to record the transaction in his or her purchase log and obtain documented independent confirmation from the end user, the supervisor, or another individual that the items have been received and accepted by the government. The cardholder is also to notify the property book officer of accountable items received so that these items can be recorded in the accountable property records.

Payment Processing:

The purchase card payment process begins with receipt of the monthly purchase card billing statements.
Section 2784 of title 10, United States Code, requires DOD to issue regulations that ensure that purchase cardholders and each official with authority to authorize expenditures charged to the purchase card reconcile charges with receipts and other supporting documentation before paying the monthly purchase card statement. NAVSUP Instruction 4200.94 states that upon receipt of the individual cardholder statement, the cardholder has 5 days to reconcile the transactions appearing on the statement by verifying their accuracy to documentation supporting the transactions and to notify the approving official in writing of any discrepancies in the statement. In addition, under NAVSUP Instruction 4200.94, before the credit card bill is paid, the approving official is responsible for (1) ensuring that all purchases made by the cardholders within his or her cognizance are appropriate and that the charges are accurate and (2) the timely certification of the monthly summary statement for payment by DFAS. The instruction further states that within 5 days of receipt, the approving official must review and certify for payment the monthly billing statement, which is a summary invoice of all transactions of the cardholders under the approving official's purview. The approving official is instructed to presume that all transactions on the monthly statements are proper unless notified in writing by the purchase cardholder to the contrary. However, the presumption does not relieve the approving official from reviewing the statements for blatantly improper purchase card transactions and taking the appropriate action before certifying the invoice for payment. In addition, the approving official is responsible for forwarding disputed charge forms for submission to Citibank for credit. Under the Navy's task order, Citibank allows the Navy up to 60 days after the statement date to dispute invalid transactions and request a credit. 
Upon receipt of the certified monthly purchase card summary statement, a DFAS vendor payment clerk is to (1) review the statement and supporting documents to confirm that the prompt-payment certification form has been properly completed and (2) subject it to automated and manual validations. DFAS effectively serves as a payment processing service and relies on the approving-official certification of the monthly bill as support to make the payment. The DFAS vendor payment system then batches all of the certified purchase card payments for that day and generates a tape for a single payment to Citibank by electronic funds transfer.

Appendix IV - Example Purchase Card Program Organization Chart:

Navy Purchase Card Program Management Structure, September 2001:

Department of Defense Purchase Card Program Management Office:
Department of Navy eBusiness Operations Office: Navy Agency Program Coordinator:
U.S. Marine Corps: Major Command Agency Program Coordinator:
Atlantic Fleet: Major Command Agency Program Coordinator:
Naval Sea Systems Command: Major Command Agency Program Coordinator:
Pacific Fleet: Major Command Agency Program Coordinator:

Camp Lejeune, NC: Agency Program Coordinators at Subordinate Units: 15; Approving Officials: 173; Cardholders: 496.
Norfolk, VA Area: Agency Program Coordinators at Subordinate Units: 98; Approving Officials: 286; Cardholders: 769.
San Diego, CA Area: Agency Program Coordinators at Subordinate Units: 66; Approving Officials: 168; Cardholders: 417.
Norfolk, VA Area: Agency Program Coordinators at Subordinate Units: 10; Approving Officials: 78; Cardholders: 235.

Source: GAO analysis of Navy purchase card program organization.

[End of figure]

Appendix V: Example Audit Program:

Government Purchase Card Program:
Example Internal Control Performance Audit Program:

Program Overview:

This audit program is an example only and should be tailored to meet the requirements of the individual organization's purchase card program.
The approaches, methodologies, and concepts applied in this example, and the accompanying audit guide, are appropriate for use by management oversight personnel as well as internal and external auditors. To facilitate ongoing internal control monitoring efforts by management, sections C and D can be performed independently of each other, and section D can be applied on a continuous basis.

[See PDF for image]

[End of figure]

[End of section]

Appendix VI: Guidelines for Initiating an Investigation of Purchase Card Fraud:

For purchase card transactions that have been identified as potentially fraudulent, the investigator should review information provided as part of the follow-up and referral process, and to the extent necessary take the following actions:

* Obtain from the organization, auditor, or manager the names of cardholder(s) for accounts involved with the transaction(s).
* Obtain account histories from the bankcard service provider for specific accounts to identify any patterns of similar or other questionable transactions and the vendors involved with those transactions.
* Identify the organization's approval process and determine who requested the goods or services purchased, approved the transactions, and signed off on the monthly statement indicating that they had reviewed the transactions.
* Obtain from the organization, auditor, or manager documentation related to the transaction(s), such as invoices, shipping receipts, any contact telephone numbers, etc.
* Determine the organization's policies for accountability of pilferable and other property.
* Interview the organization individual(s) involved with requesting the goods or services and the individual(s) that review the monthly bank statements to determine (1) if they were aware of the transaction(s), and (2) whether the cardholder(s) filed a dispute form concerning the transaction(s).
* Interview the cardholder(s) to determine who made the purchases, the purpose of the purchases, and whether they disputed the transactions.
* Interview the vendor(s) where questionable transactions were made and obtain any documentation relating to the transactions including detailed description of items purchased, such as serial numbers, or specific services provided; determine where property was delivered or where the services were provided; determine whether the vendor records the telephone number from which the order for goods or services was made; and determine whether the vendor maintains a database of purchase card numbers and whether this database has been compromised.
* Interview organization officials responsible for maintaining property inventory and determine whether the items purchased were included in inventory, and how property delivered to the organization is accounted for.

Appendix VII: GAO Contact and Staff Acknowledgments:

GAO Contact:

Stephen Wm. Lipscomb (303) 572-7328:

Staff Acknowledgments:

In addition to the person named above, David Childress, Francine Delvecchio, Don Fulwider, Charles R. Hodge, Jeffrey Jacobson, Jason Kelly, Julia Matta, John Ryan, and Sidney Schwartz made important contributions to this report.

FOOTNOTES

[1] The term "organization", as used throughout this guide, refers to a government, its divisions, or subdivisions (e.g., department, agency, activity, unit).

[2] The term "program", as used throughout this guide, refers to a government purchase card program at the organization level.

[3] President's Council on Integrity and Efficiency, A Practical Guide for Reviewing Government Purchase Card Programs (Washington, D.C. June 2002), and U.S. General Services Administration, GSA SmartPay®, Blueprint for Success: Purchase Card Oversight (Arlington, Va., April 2002).

[4] U.S. General Accounting Office, Government Auditing Standards - 2002 Revision - Exposure Draft, GAO-02-340G (Washington, D.C.: January 2002).

[5] U.S. General Accounting Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), p7.

[6] Treasury Financial Manual, Volume 1 - Part 4 - Chapter 4500, GOVERNMENT PURCHASE CARDS, http://www.fms.treas.gov/tfm/vol1/v1p4c450.txt.

[7] 48 C.F.R. § 13.301(b) (2002).

[8] See the Relevant Laws and Regulations section of this guide for further information on the FAR provisions applicable to specific purchase amounts.

[9] The FAR allows personnel other than warranted contracting officers to use the purchase card. 48 C.F.R. §§ 1.603-3(b) and 13.301(a) (2002).

[10] .

[11] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).

[12] JWOD establishes mandatory sources of supply for all federal entities, requiring federal agencies to purchase supplies and services furnished by nonprofit agencies--such as the National Industries for the Blind and the National Industries of the Severely Handicapped (NIB/NISH).

[13] 48 C.F.R. §§ 2.101 and 13.201(g).

[14] GAO-02-340G, ¶ 7.8 - 7.10.

[15] GAO/AIMD-00-21.3.1.

[16] The GSA website (http://www.fss.gsa.gov/webtraining/trainingdocs/smartpaytraining/index.cfm) provides access to relevant purchase card training materials.

[17] Sampling selections representative of a population can be either statistical or nonstatistical - statistical concepts are considered, but not explicitly used to determine sample size, select sample items, or evaluate the results. However, projections of nonstatistical sample results are not quantifiably accurate, and GAO discourages their use in government audits.

[18] For nonfinancial audits, GAO commonly uses a confidence level of 95 percent. "The 95 percent confidence level appears to be used more frequently in practice than any other level…90 percent and 99 percent confidence levels seem to be next in popularity." Hahn and Meeker, Statistical Intervals, A Guide For Practitioners, 1ST Edition (New York, N.Y. John Wiley and Sons, Inc., 1991), p 38.