Monday, May 18, 2015

Purchase Card Programs - How Effective are Your Internal Controls

We finished last week by discussing the House Committee on Veterans' Affairs hearing on waste, fraud, and abuse in the Veteran Administration's (VA) purchase card program. Although the hearing was limited to problems in the VA, issues with purchase card programs are widespread among Government contractors and can significantly affect contractors' ability to ensure the propriety of costs charged to Government contracts. By studying the Government's purchase card problems, the methods its oversight arms use to ferret out fraud, waste, and abuse, and the internal controls established to reduce the risk of fraud in the program, we might be able to offer up best practices for contractors.

The Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act or CCA) requires agencies to establish and maintain safeguards and internal controls for purchase cards. Under the CCA, Inspectors General must conduct periodic risk assessments of agency purchase card programs to analyze the risks of illegal, improper, or erroneous purchases. Inspectors General then use these risk assessments to determine the necessary scope, frequency, and number of audits or reviews of these programs. Longtime readers of this blog and those involved in internal audits will recognize that "risk assessment" is the second of the five elements of internal controls.

At the hearing, the VA's Assistant Inspector General for Audits and Evaluations described their risk assessment as follows:
For the fiscal year (FY) 2015 risk assessment, we performed data mining on credit card transactions using a set of defined criteria designed to identify transactions or patterns of activity that appear to represent potential fraud, waste, or abuse. Our risk assessment examined:
  • Cardholders with a high volume of transactions
  • Multiple transactions made on the same day with the same vendor, amount and purchase card
  • Credit card purchases that exceeded established purchase card limits
  • Recurring transactions made with the same vendor
  • Transactions occurring on holidays, weekends, in the last two months of the fiscal year, and during unusual times of the day
  • Transactions made by a facility that were more than double the nationwide average number of transactions and costs per purchase card.
This would seem like a likely starting point for contractors to assess their risks and vulnerabilities in purchase card programs. There doesn't seem to be anything in this listing that would test for or point to the use of cards to make "personal" purchases, so that might be an additional risk factor for contractors to consider.
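As a sketch of how a contractor could run several of the listed criteria over its own card data, here is an added example (not the VA OIG's code). The record layout, the 3,000 single-purchase limit, the September fiscal year end, and the sample transactions are all assumptions constructed for illustration; holiday and time-of-day checks are left out.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (card, facility, vendor, amount, date). Not real data.
TXNS = [
    ("C1", "F1", "Acme Supply", 2400.00, date(2015, 3, 10)),
    ("C1", "F1", "Acme Supply", 2400.00, date(2015, 3, 10)),  # same-day repeat
    ("C2", "F1", "Office Mart", 4100.00, date(2015, 4, 14)),  # above assumed limit
    ("C3", "F2", "Tool Depot", 150.00, date(2015, 5, 16)),    # a Saturday
    ("C3", "F2", "Tool Depot", 900.00, date(2015, 9, 22)),    # late in fiscal year
    ("C4", "F3", "Paper Co", 75.00, date(2015, 6, 3)),
] + [("C5", "F4", "Gas Stop", 50.0 + d, date(2015, 2, d))     # one busy card
     for d in (2, 3, 4, 5, 6, 9, 10, 11)]

def screen(txns, limit=3000.00, fy_end_month=9):
    """Return {transaction index: set of criteria it matched}."""
    flags = defaultdict(set)
    same_day = Counter((c, v, a, d) for c, _, v, a, d in txns)
    # Last two months of the fiscal year (wraps around January correctly).
    year_end = {fy_end_month, (fy_end_month - 2) % 12 + 1}
    for i, (card, _, vendor, amount, day) in enumerate(txns):
        if same_day[(card, vendor, amount, day)] > 1:
            flags[i].add("same_day_duplicate")   # same vendor, amount, card, day
        if amount > limit:
            flags[i].add("over_limit")
        if day.weekday() >= 5:                   # 5 = Saturday, 6 = Sunday
            flags[i].add("weekend")
        if day.month in year_end:
            flags[i].add("fiscal_year_end")
    return dict(flags)

def facility_outliers(txns):
    """Facilities with more than double the overall transactions per card."""
    cards, counts = defaultdict(set), Counter()
    for card, facility, *_ in txns:
        cards[facility].add(card)
        counts[facility] += 1
    overall = len(txns) / len({t[0] for t in txns})
    return sorted(f for f in counts if counts[f] / len(cards[f]) > 2 * overall)

if __name__ == "__main__":
    for idx, hits in sorted(screen(TXNS).items()):
        print(TXNS[idx], sorted(hits))
    print("Outlier facilities:", facility_outliers(TXNS))
```

A match is a reason to pull the supporting documentation for review, not a finding in itself.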

Continuing on with the testimony, the Assistant IG noted that from the above risk assessment, the organization identified seven high-risk areas that included:

  • Cardholder transactions that exceed authorized purchase limits, including unauthorized commitments.
  • Inadequate financial controls prohibiting duplicative and split payments.
  • An excessive number of cardholders making purchases with inadequate justifications.
  • An unmanageable span of control resulting from an unbalanced ratio of cardholders to approving officials.
  • Inadequate recording or reporting of financial information.
  • Insufficient oversight of year-end spending.
  • Inadequate review of purchases by approving officials.
Based on the risk assessments, the IG plans to conduct audits and reviews to identify control weaknesses, strengthen program control, and address inefficiencies in VA’s Purchase Card Program. Its recent work has identified significant control weaknesses that did not prevent transactions involving unauthorized commitments, improper payments, split purchases, and purchases that lacked appropriate supporting documentation.  

So evidently, the controls that are in place to prevent unauthorized commitments, improper payments, split purchases, and purchases that lacked supporting documentation were not working. Now it's up to the auditors and management to improve the system of internal controls to prevent that from happening in the future.
