Purchase Cards: Continued Control Weaknesses Leave Two Navy Units
Vulnerable to Fraud and Abuse (13-MAR-02, GAO-02-506T). 	 
								 
This testimony discusses GAO's follow-up on the audit of key	 
internal controls over purchase card activity at two San	 
Diego-based units, the Space and Naval Warfare Systems Command	 
(SPAWAR) Systems Center and the Navy Public Works Center (NPWC). 
GAO found a breakdown in internal controls over $68 million in	 
fiscal year 2000 purchase card transactions, leaving these two	 
units vulnerable to fraudulent, improper, and abusive purchases  
and theft and misuse of government property. For fiscal year	 
2001, internal controls at SPAWAR Systems Center and NPWC	 
continued ineffective. Both units improved the overall control	 
environment, primarily after the end of fiscal year 2001. Key	 
improvements included reductions in the number of cardholders, an
increased number of approving officials, and a decrease in	 
purchase card usage. However, serious weaknesses remained in	 
three key control environment areas. First, SPAWAR Systems Center
needs to ensure that all cardholders receive required training	 
and that this training is documented. Second, SPAWAR Systems	 
Center needs to more carefully implement internal review and	 
oversight activities, which have been ineffective. Third, GAO	 
identified a significant impairment of management "tone at the	 
top" at SPAWAR Systems Center during the last quarter of fiscal  
year 2001. The two basic internal controls over the purchase card
program that GAO tested remained ineffective during the last	 
quarter of fiscal year 2001 at both units. These weaknesses	 
contributed to additional purchases that GAO believes are	 
fraudulent, improper, abusive, or otherwise questionable. GAO	 
also identified abusive or questionable purchases by SPAWAR	 
Systems Center cardholders that were at an excessive cost, for a 
questionable government need, or both.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-02-506T					        
    ACCNO:   A02895						        
  TITLE:     Purchase Cards: Continued Control Weaknesses Leave Two   
Navy Units Vulnerable to Fraud and Abuse			 
     DATE:   03/13/2002 
  SUBJECT:   Accounting procedures				 
	     Credit sales					 
	     Fraud						 
	     Internal controls					 
	     Naval procurement					 
	     DOD Information Technology Security		 
	     Certification and Accreditation Process		 
								 
	     Navy Hazardous Substance Management		 
	     System						 
								 
	     Javits-Wagner-O'Day Program			 
	     Navy Enterprise Resource Planning System		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-02-506T
     
United States General Accounting Office

GAO Testimony

Before the Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations, Committee on Government Reform, House of
Representatives

For Release on Delivery Expected at 10 a.m. Wednesday, March 13, 2002

PURCHASE CARDS

Continued Control Weaknesses Leave Two Navy Units Vulnerable to Fraud and
Abuse

Statement of Gregory D. Kutz
Director, Financial Management and Assurance

Statement of John J. Ryan
Assistant Director, Office of Special Investigations

                                      a

GAO-02-506T

Mr. Chairman, Members of the Subcommittee, and Senator Grassley:

I appreciate the opportunity to present follow-up information on our
previous testimony1 on internal control weaknesses related to use of the
government purchase card at two Navy units. The Navy reported that it used
purchase cards-Citibank MasterCards issued to civilian and military
personnel-for more than 2.8 million transactions valued at $1.8 billion in
fiscal year 2001. As we previously reported, the Department of Defense (DOD)
has increased the use of purchase cards with the intention of eliminating
the bureaucracy and paperwork long associated with making small purchases
and intends to expand the use of purchase cards over the next several years.

However, the benefits of the purchase card may be substantially reduced if
controls are not in place to ensure its proper use. As the comptroller
general testified2 on March 6, 2002, following the events of September 11,
reducing fraud, waste, and abuse is even more imperative to ensure that
DOD's resources are available to meet national priorities such as homeland
security and the war on terrorism. We believe that DOD, with its
long-standing problems in financial management, must take steps to ensure
the proper stewardship of the increasing amounts of taxpayer dollars devoted
to its vital missions. Careful examination of the controls over the purchase
card program is one aspect of ensuring that DOD is getting the most from
every dollar.

1U.S. General Accounting Office, Purchase Cards: Control Weaknesses Leave
Two Navy Units Vulnerable to Fraud and Abuse, GAO-01-995T (Washington, D.C.:
July 30, 2001).

2U.S. General Accounting Office, DOD Financial Management: Integrated
Approach, Accountability, Transparency, and Incentives Are Keys to Effective
Reform, GAO-02-497T (Washington, D.C.: Mar. 6, 2002).

At this subcommittee's July 30, 2001, hearing, we testified on the results
of our audit of key internal controls over purchase card activity at two
Navy units based in San Diego-the Space and Naval Warfare Systems Command
(SPAWAR) Systems Center and the Navy Public Works Center (NPWC).3 Overall,
we found a significant breakdown in internal controls over $68 million4 in
fiscal year 2000 purchase card transactions, leaving these two units
vulnerable to fraudulent, improper, and abusive purchases and theft and
misuse of government property. We also reported that weak internal controls
contributed to five recent cases of alleged purchase card fraud related to
Navy purchase card programs in the San Diego area and investigated by the
Naval Criminal Investigative Service (NCIS) and other cases that we referred
to our own Office of Special Investigations for further review.

Our July 2001 testimony was followed by a report5 in which we summarized our
findings and offered 29 recommendations for improving Navy purchase card
controls. We will report to you separately on the status of these 29
recommendations as part of our ongoing audit of the Navy's fiscal year 2001
purchase card activity.

The subcommittee and Senator Grassley asked us to perform a follow-up audit
at the two Navy units and discuss the status of corrective actions. In
addition, we were asked to follow up on the status of fraud cases that we
reported on in July 2001 and any other fraud cases we identified as part of
this follow-up audit. Today, I will discuss the results of our follow-up
work, including (1) the purchase card control environment at the two Navy
units' San Diego activities for fiscal year 2001 including any implemented
or planned improvements, (2) the results of our test work on statistical

3SPAWAR Systems Center and the Navy Public Works Center are working capital
fund activities. SPAWAR Systems Center performs research, engineering, and
technical support, and the Navy Public Works Center provides maintenance,
construction, and operations support to Navy programs. Both of these Navy
programs have locations throughout the United States. Our review focused on
the purchase card program at the San Diego units only. For SPAWAR, this
included SPAWAR Headquarters, which is located in San Diego, and SPAWAR
Systems Center San Diego, which we will refer to collectively as SPAWAR
Systems Center.

4SPAWAR Systems Center and NPWC made about $75 million in fiscal year 2000
purchase card transactions. We audited the $68 million of those purchases
made by SPAWAR Systems Center and NPWC cardholders located in San Diego.

5U.S. General Accounting Office, Purchase Cards: Control Weaknesses Leave
Two Navy Units Vulnerable to Fraud and Abuse, GAO-02-32 (Washington, D.C.:
Nov. 30, 2001).

samples of purchase card transactions at the two Navy units for the fourth
quarter of fiscal year 2001, which identified continuing weaknesses in two
critical areas, and (3) potentially fraudulent, improper, and abusive or
questionable transactions made by the two Navy units during fiscal year
2001. In this testimony, we also report on the status of two cases
investigated by our Office of Special Investigations as a result of our
audit of NPWC and SPAWAR Systems Center purchase card activity for fiscal
year 2000. Background information on the Navy purchase card program is
included in appendix I.

Summary For fiscal year 2001, internal controls at SPAWAR Systems Center and
NPWC continued to be ineffective, leaving both units vulnerable to
fraudulent, improper, and abusive purchases and to theft and misuse of
government property. Both units had made some improvements in the overall
control environment, primarily after the end of fiscal year 2001. Key
improvements included reductions in the number of cardholders, an increase
in the number of approving officials, an overall decrease in the aggregate
monthly credit limits, and a decrease in purchase card usage.

At the same time, serious weaknesses remained in three key control
environment areas, particularly at SPAWAR Systems Center. First, while both
SPAWAR Systems Center and NPWC have taken steps to implement our
recommendations regarding cardholder training and proper documentation of
training, SPAWAR Systems Center still needs to do more to make sure all
cardholders receive required training and to document the training taken by
cardholders. For example, as of January 21, 2002 there was no documentation
demonstrating that 146 cardholders had taken certain required training. As
of February 15, 2002, SPAWAR Systems Center had suspended the accounts of
only 5 of the cardholders who had not taken the required training. In
contrast, NPWC has taken steps to provide cardholders and approving
officials the necessary training and to assure itself that untrained
personnel do not remain purchase card holders. On October 26, 2001, NPWC
cancelled the cards of its 15 employees who had not complied with training
requirements.

Second, both SPAWAR Systems Center and NPWC have recently made some efforts
to implement new policies directed at improving internal review and
oversight activities, which, as we previously testified, had been
ineffective. Both units performed a Navy-mandated "stand-down" review of
purchase card transactions, but neither performed an in-depth analysis of
the selected transactions. We question SPAWAR Systems Center's

results in particular because it reported that it reviewed about 16,000
transactions and ultimately identified only one purchase that was not for a
legitimate government purchase-a case in which the cardholder accidentally
used the purchase card instead of a personal credit card. By comparison, our
follow-up work identified numerous examples of potentially fraudulent,
improper and abusive or questionable transactions that occurred in a similar
time frame.

Third, we identified a significant impairment of management "tone at the
top" at SPAWAR Systems Center during the last quarter of fiscal year 2001.
The former commanding officer testified at the July 30, 2001, hearing before
this subcommittee that the purchase card program at SPAWAR Systems Center
had effective management controls and indicated that the trust SPAWAR
Systems Center management had in its staff was an acceptable substitute for
a cost-effective system of internal controls. Following the hearing, for the
most part, the "tone at the top" at SPAWAR Systems Center was "business as
usual." In contrast, the commanding officer at NPWC was proactive in
addressing the weaknesses we identified and took immediate action to address
any improper or prohibited uses of the purchase card. In December 2001, the
former SPAWAR Systems Center commanding officer was relieved of duty for
findings of dereliction of duty and conduct unbecoming an officer in matters
unrelated to the purchase card program.

We are encouraged by the commitment of the new commanding officer to ensure
that an effective, well-controlled purchase card program is implemented at
SPAWAR Systems Center. However, we remain concerned that there will be
significant cultural resistance to change in the internal control
environment. For example, up to the time we completed our fieldwork in
February 2002, some cardholders and managers continued to rationalize the
questionable purchases we brought to their attention- including expensive
laptop carrying cases, Lego robot kits, clothing, food, and designer day
planners-as discussed later in this statement. Such an attitude perpetuates
an overall environment that tacitly condones possibly fraudulent, wasteful,
abusive, or otherwise questionable spending of government funds.

The two basic internal controls over the purchase card program that we
tested remained ineffective during the last quarter of fiscal year 2001 at
the two units. Specifically, SPAWAR Systems Center did not have independent,
documented evidence that it received and accepted items ordered and paid for
with the purchase card for about 56 percent of its fourth quarter fiscal

year 2001 transactions. NPWC significantly improved its adherence to this
internal control, although its 16 percent failure rate is still too high.
The improved results for NPWC are the result of management attention to this
important control and increased training for cardholders. We again tested
independent, documented certification of monthly purchase card statements
and found that for the fourth quarter of fiscal year 2001, the two units
continued to pay the monthly credit card bills without any independent
review prior to payment to ensure transactions represented valid, necessary
government purchases.

In addition, we attempted to test whether easily pilferable or sensitive
items were being recorded in the units' property records to help prevent and
detect theft, loss, and misuse of government assets. Our previous work
showed that this was a serious problem. However, we were unable to perform
those tests as part of our follow-up work because SPAWAR Systems Center, in
accordance with a Navy policy change, recently revised its policy and no
longer maintains accountability over easily pilferable items such as
personal digital assistants and digital cameras. We disagree with the Navy
and SPAWAR Systems Center policy and believe that property that is
pilferable and easily converted to personal use should be accounted for.
NPWC generally does not use purchase cards to buy pilferable items, and our
statistical sample at NPWC did not identify any accountable property items.

In our June 30, 2001, testimony, we identified a number of potential fraud
cases related to the two San Diego Navy units. We followed up on two of
those cases, which highlighted the major role that poor internal control
plays in fraud. In one case, we investigated about $12,000 of potentially
fraudulent fiscal year 2000 transactions related to the purchase card of a
former NPWC employee. The purchases-made between December 20 and 26,
1999-included an Amana range, Compaq computers, gift certificates,
groceries, and clothing. The cardholder's supervisor approved the purchase
card statement that included these charges without reviewing it. NPWC also
did not properly cancel this purchase card account after the cardholder had
moved on to another organization within the Navy, and the cardholder
subsequently used the purchase card for a personal car rental that was
approved for payment by NPWC. This individual now works at the Pentagon.

We also followed up on the previously reported compromise in September 1999
of up to 2,600 purchase card accounts assigned to Navy activities in the San
Diego area. Immediate cancellation of these accounts was

imperative, especially since the weaknesses in controls over receipt and
acceptance and certification of monthly statements at SPAWAR Systems Center
and NPWC would severely hamper the detection of fraudulent purchases
associated with compromised accounts. We reported that Navy investigators
were only able to identify a partial list consisting of 681 compromised
accounts. In December 2001, Navy notified us that all 681 compromised
accounts identified in the July testimony were cancelled, including 22
active SPAWAR Systems Center accounts. However, no other action was taken by
the Navy to identify or cancel the remaining over 1,900 compromised
accounts. Our investigators subsequently identified the source of the
compromised accounts as the database of a Navy vendor. In January 2002, the
vendor provided our investigators with the entire listing of the 2,595
compromised accounts. We provided this list to the Navy and recommended that
it immediately cancel the remaining 1,914 compromised account numbers.
Included on the list were 78 SPAWAR Systems Center and 10 NPWC accounts that
were active as of December 2001.

The specific internal control weaknesses at SPAWAR Systems Center and NPWC
contributed to additional purchases during fiscal year 2001 that we believe
are fraudulent, improper, abusive, or otherwise questionable. Most of the
problem transactions were at SPAWAR Systems Center and had been approved and
represented to us as being appropriate, proper uses of the purchase card.
The number and severity of the problems we identified at NPWC were
substantially less than at SPAWAR Systems Center. In addition, rather than
dispute our findings on each transaction, NPWC showed a proactive response
and not only concurred with our findings but immediately took action to help
prevent future fraudulent, improper, or abusive transactions from occurring.
As discussed in appendix II, our work was not designed to identify, and we
cannot determine, the extent of fraudulent, improper, abusive, or otherwise
questionable transactions.

We found a number of improper purchases at SPAWAR Systems Center and NPWC
that were not permitted by law, regulation, or DOD policy. For example, we
identified about $8,500 in food and refreshments that should not have been
purchased for SPAWAR Systems Center and NPWC employees. Without statutory
authority, appropriated funds may not be used to furnish meals or
refreshments to employees within their normal duty stations.6 In most of
these cases, it appears that the cardholders were aware of the prohibition
on food purchases but made the purchases

672 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).

anyway. The monthly certification process failed to detect the improper food
purchases. Moreover, while NPWC officials acknowledged the impropriety of
the food purchases we identified, SPAWAR Systems Center officials indicated
that most of the food purchases made by their cardholders were a legitimate
government expense, a conclusion with which we disagree.

Further, we identified abusive or questionable purchases by SPAWAR Systems
Center cardholders that were at an excessive cost, for a questionable
government need, or both. For example, we identified purchases of day
planners and calendars from commercial vendors, including calendar refills
and designer leather holders purchased from Louis Vuitton and Franklin
Covey. With the cost of a single Louis Vuitton day planner cover at about
$250, the issue of excessive cost and abuse is clear. Further, by law,
government agencies are directed to purchase certain products, including day
planners and calendars, from certified nonprofit agencies that employ people
who are blind or severely disabled. The most expensive day planner available
from these agencies costs about $40. In addition, we identified about
$33,000 of abusive or questionable purchases from Franklin Covey of designer
and high-cost leather briefcases, totes (purses), portfolios, Palm Pilot
carrying cases, and wallets. Other examples include abusive and wasteful
usage of cell phones, a trip for about 30 staff for an organizational
meeting in Las Vegas, and clothing. We also identified abusive and possibly
fraudulent purchases of luggage, Lego robot kits, and high-cost computer
bags that were given away by SPAWAR Systems Center employees. Only one of
the cardholders referred to in this testimony or our July 30, 2001,
testimony had formal disciplinary action-in the form of removal of the
purchase card-taken against them.

Scope and Methodology

We conducted our audit work from November 2001 through February 2002 in
accordance with U.S. generally accepted government auditing standards, and
we performed our investigative work in accordance with standards prescribed
by the President's Council on Integrity and Efficiency. We briefed officials
from the Department of Defense Purchase Card Program Management Office,
Naval Supply Systems Command (NAVSUP), assistant secretaries of Navy for
financial management (comptroller) and research development and acquisition,
SPAWAR Systems Center, and NPWC on the details of our audit, including our
objectives, scope, and methodology and our findings and conclusions. We
referred instances of potentially fraudulent transactions that we identified
during our work to our Office of

Special Investigations for further investigation. Our control tests were
based on stratified random probability samples of 50 SPAWAR Systems Center
purchase card transactions and 94 NPWC transactions. We also reviewed a
nonrepresentative selection of transactions using data mining intended to
identify potentially fraudulent, improper, abusive, or otherwise
questionable transactions. In total, we audited 161 SPAWAR Systems Center
and 145 NPWC fiscal year 2001 transactions. Our work was not designed to
identify, and therefore we did not determine, the extent of fraudulent,
improper, or abusive transactions and related activities. Further details on
our objectives, scope, and methodology are included in appendix II.

Some Improvements to Purchase Card Control Environment but Weaknesses Remain

In our follow-up audit, we found that both units had made some improvements
in the overall control environment, primarily after the end of fiscal year
2001. However, the control environment at SPAWAR Systems Center continued to
have significant weaknesses, while NPWC had made major strides towards a
positive control environment. GAO's Standards for Internal Control in the
Federal Government (GAO/AIMD-00-21.3.1, November 1999) state that, "A
positive control environment is the foundation for all other standards. It
provides discipline and structure as well as the climate which influences
the quality of internal control." Our previous work found that a weak
internal control environment at SPAWAR Systems Center and NPWC contributed
to internal control weaknesses and fraudulent, improper, and abusive or
questionable activity. In July 2001, we testified that the specific factors
that contributed to the lack of a positive control environment at these two
units included a proliferation of cardholders, ineffective training of
cardholders and certifying officers, and a lack of monitoring and oversight.
The following sections provide an update on the status of these conditions
as well as information on several additional factors that affected the
overall control environment at these Navy units.

Number of Cardholders Reduced but Significant Financial Exposure Continued

Although both units have reduced the number of cardholders, balancing the
business needs of the unit with the training, monitoring, and oversight
needed for a substantial number of cardholders remains a key issue. In
October 2001, NAVSUP issued an interim change to its existing purchase card
instructions to establish minimum criteria that prospective purchase card
holders must meet before a purchase card account (including convenience
check accounts7) can be established in the employee's name. The interim
change issued by NAVSUP also established a maximum "span of control" of 5 to
7 cardholders to each approving official8 and required that Navy activities
establish local policies and procedures for approving and issuing purchase
cards to activity personnel. The Navy's span of control requirement reflects
guidance issued by the Department of Defense Purchase Card Program
Management Office on July 5, 2001, shortly before the Subcommittee hearing.
The revised guidance stated that, generally, an approving official's span of
control-cardholders per approving official- should not exceed a ratio of 7
to 1. Neither of the two units increased the number of approving officials
to meet the suggested ratio until well after the start of fiscal year 2002.
Table 1 summarizes the progress made by both units.

7Convenience checks, also referred to as accommodation checks, are used for
vendors that do not have the capability to accept payment by credit card.
For the Navy, each unit generally has one individual authorized to write
convenience checks.

8The approving official is responsible for reviewing and verifying the
monthly purchase card statements of the cardholders under their purview. The
approving official is responsible for verifying that all purchases were
necessary and for official government purposes in accordance with applicable
policies, laws, and regulations. Unless otherwise specified, the approving
official must also be the certifying officer for his/her cardholders and in
that capacity must certify that the monthly purchase card statement is
appropriate and ready for payment.

Table 1:  Number of  Cardholders and Approving  Officials at SPAWAR  Systems
Center and NPWC

Source:
Citibank, SPAWAR
Systems Center,
and NPWC
records.

The data in
table 1 show
that from
September 21,
2000, to January
21, 2002, SPAWAR
Systems Center
had a net
reduction in the
number of
cardholders of 360 (31 percent) and NPWC, 107 (37 percent). In addition, in
fiscal year 2002, SPAWAR Systems Center increased the number of approving
officials to 203 and NPWC, to 43. As a result, the approving official ratio
for SPAWAR Systems Center and NPWC is now in line with DOD's criterion of no
more that 7 cardholders per official. However, as of January 21, 2002,
SPAWAR Systems Center still had 23 approving officials who were responsible
for more than 7 cardholders and therefore did not comply with the DOD and
Navy span of control requirements.

SPAWAR Systems Center records show that it significantly reduced the number
of cardholders, primarily through canceling cards of those that did not need
them and through employee attrition. According to SPAWAR Systems Center
officials, some SPAWAR Systems Center purchase cards were canceled because
of misuse; however, we were unable to determine from SPAWAR Systems Center
records how many of the cards were canceled for this reason. We previously
reported that SPAWAR Systems Center had a significant span-of-control issue
with one approving official responsible for certifying monthly purchase card
statements for all of its cardholders. According to Citibank and SPAWAR
Systems Center records, effective for the billing period ending January 21,
2002, SPAWAR Systems Center increased from 1 to 203 the number of approving
officials responsible for certifying monthly summary invoices. This change
reduced SPAWAR Systems Center's average span of control to 4 cardholders to
each approving official, which is in line with DOD and Navy guidelines. We
did not perform any testing for fiscal year 2002 transactions to determine
whether the approving officials were in place and performing effective

reviews. SPAWAR Systems Center management told us that they are continuing
to evaluate the number of cardholders and the impact any further cuts would
have on management's ability to support operations and keep employees
working efficiently.

NPWC reduced the number of its cardholders through employee attrition and by
canceling the cards of individuals who no longer needed them, had not taken
required training, or had misused the card. Specifically, on July 6, 2001,
the agency program coordinator (APC) gave each business line manager an
analysis of monthly purchase card usage data for each of the cardholders
under his or her supervision. The business line managers were instructed to
analyze cardholder monthly transaction volume and reduce the number of
cardholders by eliminating those cardholders they believed no longer needed
a purchase card. NPWC also recently increased its number of approving
officials from 7 as of September 21, 2001, to 43 by January 21, 2002. This
significant increase brought the ratio of cardholders to approving officials
in line with DOD and Navy guidelines.

Another key factor in minimizing the government's financial exposure is
assessing the monthly credit limits available to cardholders. The
undersecretary of defense for acquisition and technology emphasized in an
August 2001 memorandum to the directors of all defense agencies, among
others, that not every cardholder needs to have the maximum transaction or
monthly limit and that supervisors should set reasonable limits based on
what each person needs to buy as part of his or her job. We concur with the
undersecretary's statements and continue to recommend that cardholder
spending authority be limited as a way of minimizing the federal
government's financial exposure.

As shown in table 2, total financial exposure, as evidenced by monthly
credit limits for SPAWAR Systems Center and NPWC cardholders, has decreased
substantially.

   Table 2: SPAWAR Systems Center and NPWC Total Cardholder Credit Limits

Dollars in millions

Source:
Citibank, SPAWAR
Systems Center,
and NPWC
records.

SPAWAR Systems
Center reduced the overall credit limits of it cardholders by about $29
million primarily by (1) eliminating nearly $10 million of credit assigned
to each of two cardholders and (2) reducing the net number of cardholders by
360. As we previously reported, most SPAWAR Systems Center cardholders had a
$25,000 credit limit, and no cardholder had a credit limit of less than
$25,000. We continue to believe that a $25,000 minimum credit limit is more
than most SPAWAR Systems Center cardholders need to perform their mission.
This point is best demonstrated by the fact that even when we used SPAWAR
Systems Center's reduced number of cardholders, the average monthly purchase
card bill in fiscal year 2001 would have been less than $5,000.

As shown in table 2, Citibank's records indicate that between September 21,
2000, and January 21, 2002, NPWC reduced its cardholder exposure from about
$13.5 million to $12.1 million-a $1.4 million reduction. NPWC achieved this
reduction primarily by reducing by 107 the number of individuals who had
purchase cards and by reevaluating cardholders' monthly credit limits. We
previously reported that most NPWC cardholders were granted a monthly credit
limit of $20,000. Currently, about 20 NPWC cardholders have a credit limit
of less than $20,000, about 42 percent still have a $20,000 credit limit,
and the remaining cardholders have higher credit limits to meet job needs.
Further, the average monthly purchase card bill (using the reduced number of
cardholders) in fiscal year 2001 for NPWC cardholders would have been about
$11,500. On September 7, 2001, the NPWC agency program coordinator
distributed spreadsheet analyses of individual cardholder actual monthly and
average charges, along with suggested new monthly cardholder limits, to the
respective cardholder's business line managers. The agency program
coordinator required the business line managers to respond to the agency
program coordinator with new limits for cardholders

by the close of business on September 21, 2001. At the exit meeting we held
with NPWC officials, NPWC provided Citibank records documenting that NPWC
further reduced its cardholder credit limits to $5.6 million in February
2002.

In addition to the reductions in the number of cardholders and aggregate
financial exposure, the dollar volume of transactions decreased
significantly in fiscal year 2001 when compared to fiscal year 2000, as
shown in table 3.

Table 3: SPAWAR Systems Center and NPWC Purchase Card Spending, Fiscal Years
2000 and 2001

                            Dollars in millions

aSPAWAR Systems
Center and NPWC
used the
purchase card in
fiscal year 2000
to make a total of about $75 million in acquisitions. About $68 million of
those acquisitions were made by cardholders located in San Diego.

bSPAWAR Systems Center and NPWC used the purchase card in fiscal year 2001
to make a total of about $64 million in acquisitions. About $50 million of
those acquisitions were made by cardholders located in San Diego.

Source: Citibank, SPAWAR Systems Center, and NPWC records.

The NPWC agency program coordinator attributed a portion of this decrease to
increased controls over the use of purchase cards, resulting in a reduction
in unnecessary and improper card usage. Other reasons were a reduction in
the number of projects worked on during fiscal year 2001 and the use of more
contracts for goods and services, which are paid by means other than the
purchase card. The SPAWAR Systems Center senior military contracting
official told us that SPAWAR Systems Center's reduction in purchase card use
is a result of a decrease in workload and an increase in concern over
purchase card controls brought on as a result of our audit and the
congressional hearing.

Training of Cardholders While both SPAWAR Systems Center and NPWC have taken
steps to implement our recommendations regarding cardholder training and
proper documentation of training, SPAWAR Systems Center still needs to do
more

to make sure all cardholders receive required training and to document the
training taken by cardholders. We previously reported that the lack of
documented evidence of purchase card training contributed to a weak internal
control environment at these two units. GAO's internal control standards
emphasize that effective management of an organization's workforce-its human
capital-is essential to achieving results and is an important part of
internal control. Training is key to ensuring that the workforce has the
skills necessary to achieve organizational goals. In accordance with NAVSUP
Instruction 4200.94, all cardholders and approving officials must receive
purchase card training. Specifically, NAVSUP 4200.94 requires that prior to
the issuance of a purchase card, all prospective cardholders and approving
officials must receive training regarding both Navy policies and procedures
as well as local internal operating procedures. Once initial training is
received, the Instruction requires all cardholders to receive refresher
training every 2 years. Further, in response to our previous audit and the
July 30, 2001, hearing, NAVSUP sent a message in August 2001 to all Navy
units directing them to train all of their cardholders concerning the proper
use of the purchase cards on or about September 12, 2001.

SPAWAR Systems Center training records indicated that as of January 21,
2002, 146 cardholders either had not completed the NAVSUP-mandated training
or had not produced a certificate evidencing completion of the training. In
addition, 13 active cardholders had not satisfied the requirement to take
refresher training every 2 years. SPAWAR Systems Center officials told us
that they intended to suspend the accounts of cardholders who had not taken
the required training; however, as of February 15, 2002, the accounts of
only 5 cardholders had been suspended.

NPWC has taken well-documented steps to provide cardholders and approving
officials the necessary training and to assure itself that untrained
personnel do not remain purchase card holders. As a result of our previous
audit findings in this area, NPWC held mandatory cardholder training
sessions in June 2001 and July 2001, which all cardholders and their
supervisors attended. In addition, NPWC presented NAVSUP-prepared training
for all cardholders and approving officials in September 2001. The mandatory
NAVSUP training addressed the issues of receipt and acceptance, spending
limits, accounting, unauthorized or personal use of the card, policies and
procedures, improper transactions, NPWC internal procedures, other required
training, the NAVSUP and Citibank Web sites, and our findings from the
previous purchase card testimony and related report. All but 15 of NPWC's
cardholders and approving officials attended

the mandatory NAVSUP training, and on October 26, 2001, NPWC canceled the 15
remaining   cardholder  accounts   for   noncompliance  with   the  training
requirements.

Monitoring and Oversight Both SPAWAR Systems Center and NPWC have recently
made some efforts to implement new policies directed at improving internal
review and oversight activities, which, as we previously testified, were
ineffective. We also testified that the Navy's purchase card policies and
procedures did not require that the results of internal reviews be
documented or that corrective actions be monitored to help ensure that they
are effectively implemented. While still relatively ineffective, this area
has great potential to strengthen the control environment at these two Navy
units.

We also previously testified that, although the SPAWAR Headquarters Command
inspector general (IG) reviewed purchase card transactions generated by
Headquarter cardholders during fiscal year 2000 and prepared a draft report
summarizing the results of this review, the final report had not been issued
at the conclusion of our fieldwork for the July 30, 2001, testimony. The
final report9 of this review was issued on July 19, 2001, and identified
many of the internal control findings discussed in our prior review;
however, the IG's report did not identify the kind of abusive transactions
we identified. Also, on August 13, 2001, the Command IG began a limited
review of the 2 most recent months of purchase card activity for
Headquarters cardholders. The summary findings, which were released in a
report dated October 16, 2001, have many of the internal control findings
discussed later in this statement and similarly point to the need for clear,
comprehensive policies, procedures, and training to resolve many of the
control weaknesses and instances of questionable transactions. The IG also
reported that it found some "transactions that appeared to be either
`excessive' or may have been of questionable good judgment," but did not
provide examples of these potentially abusive transactions. The IG also
reported that several cardholders had stated that they felt uncomfortable
making purchases, but did not want to tell their supervisor "no" and suffer
potentially adverse career consequences.

9SPAWAR Headquarters Command Inspector General, Review of International
Merchant Purchase Authorization (IMPAC) Card at SPAWAR, 98-16 (San Diego,
Calif.: July19, 2001).

At the July 30, 2001, hearing we reported that the Naval Audit Service had
conducted an audit of the NPWC purchase card program for which a report had
not been issued. The Naval Audit Service completed its audit in December
2000 and reviewed transactions primarily occurring from March 1999 through
August 2000. The Naval Audit Service issued its report10 over 1 year later,
on January 10, 2002. Some of the Naval Audit Service findings are of the
same nature and significance as the findings reported in our previous
testimony, although the Naval Audit Service report did not identify the
improper or abusive transactions we discussed. The Naval Audit Service
concluded that management of the purchase card program at NPWC was not
sufficient to ensure the integrity of the command's purchase card program
and that NPWC's internal operating procedures did not clearly define duties
and responsibilities or adequately control the various processes involved in
purchase card transactions. Further, the Naval Audit Service reported that
maintenance and repair services were obtained on a "piece-meal" basis
instead of being aggregated and performed as entire projects, which resulted
in NPWC not taking advantage of its buying power to obtain discounts on its
recurring purchases.

Further, in August 2001, following the July 30, 2001, purchase card
congressional hearing, NAVSUP directed all Navy units to review 12 months of
purchase card transactions. In response to this requirement, both SPAWAR
Systems Center and NPWC reviewed samples of transactions, although neither
performed an in-depth analysis of the selected transactions. For example,
SPAWAR Systems Center told us that it reviewed 16,393 of the 45,318
transactions for the 9-month period ended July 2001. According to SPAWAR
Systems Center, its stand-down review identified 187 split purchases and 9
transactions that initially appeared questionable or suspicious. After
completing their review, SPAWAR Systems Center officials concluded that only
one of these nine transactions was not for a legitimate government purpose,
because the cardholder in question accidentally used the purchase card
instead of a personal credit card. However, we question whether the
stand-down review was designed and performed to be a thorough and critical
analysis of the nature and magnitude of the control weaknesses and the
extent to which fraudulent, improper, or abusive transactions were occurring
during the 9-month period reviewed. Our own statistical sample of 50
transactions from just the last 3 billing cycles of fiscal year 2001 found
one potentially fraudulent

10Naval Audit Service, Management of Purchase Card Program at Public Works
Center, San Diego, CA, N2002-0023 (Washington, D.C.: Jan. 10, 2002).

and subsequently disputed purchase and a total of 11 abusive or improper
transactions on the monthly statements for 9 cardholders. Furthermore, as
detailed later, we found numerous examples of abusive and improper
transactions occurring in the first nine billing cycles of fiscal year 2001.

NPWC's stand-down review subjected 9,099 transactions out of 50,850 for the
12-month period ended August 31, 2001, to a documentation review. The review
identified several cases of potential improper use and 320 cases of
potential split purchases. However, the primary finding related to the use
of the card for prohibited acquisitions of "noncommonly used" hazardous
materials. NPWC estimated that approximately 600 of the transactions
reviewed violated the Navy's prohibition against using the purchase card to
acquire noncommonly used hazardous materials. Specifically, Navy purchase
card policies and procedures require that prior to acquiring potentially
hazardous materials, cardholders must first determine that a requested
purchase meets the definition of a commonly used hazardous material and that
the materials are carried on the unit's Authorized Use List. If the
requested purchase does not meet the "commonly used" definition, the
hazardous materials are to be procured by other means that bring the
hazardous material under the control of a Hazardous Substance Management
System (HSMS). Compliance with these requirements would then help ensure the
safe storage, use, and disposal of the hazardous materials.

NPWC found that cardholders were using the purchase card to acquire
noncommonly used hazardous materials such as bacterial control agents and
toxic, corrosive solvents used to descale and deodorize sewage systems. Such
hazardous material purchases were not being subjected to the required
controls and, consequently, NPWC had no assurance that the approximately 600
reported purchases were stored, used, and disposed of in a safe and
environmentally acceptable manner. To alleviate this problem, NPWC is
working with the Fleet Industrial Supply Service to coordinate the
maintenance and control of Navy hazardous materials. NPWC's identification
and proactive attitude towards resolving this matter again demonstrate a
positive control environment.

Management "Tone at the Top" Was Significantly Impaired at SPAWAR Systems
Center

GAO's internal control standards11 state that management plays a key role in
demonstrating and maintaining an organization's integrity and ethical
values, "especially in setting and maintaining the organization's ethical
tone, providing guidance for proper behavior, removing temptations for
unethical behavior, and providing discipline when appropriate." At the time
we began our follow-up review, the SPAWAR Systems Center commanding officer
not only did not demonstrate a commitment to improving management controls
but openly supported the status quo. Consequently, the lack of a positive
control environment continued. In contrast, the commanding officer at NPWC
continued to support a proactive attitude in addressing the weaknesses we
identified and took immediate action to address any improper or prohibited
uses of the purchase card. It is not surprising that, given these
differences in the management tone at the two units, we continued to find
numerous examples of potentially improper, abusive, and otherwise
questionable use of the purchase card at SPAWAR Systems Center, while we
found few such cases at NPWC.

The former SPAWAR Systems Center commanding officer testified on July 30,
2001, that the purchase card program at SPAWAR Systems Center had effective
management controls and an honest and trustworthy workforce. The commanding
officer went on to incorrectly characterize our audit approach and findings
by stating that there was not a pervasive and serious abuse and fraud
problem at SPAWAR Systems Center and that over 99.98 percent of purchases
made by cardholders were for legitimate government purposes. The commanding
officer did not acknowledge that the serious weaknesses in SPAWAR Systems
Center's system of internal controls over the purchase card program left
SPAWAR Systems Center vulnerable to the types of abusive and improper
transactions that we found and that such abuses could occur without being
detected.

Upon his return to San Diego following the hearing, the commanding officer
held an "all-hands" meeting at a SPAWAR Systems Center auditorium that
cardholders, approving officials, and managers were particularly encouraged
to attend "... to clarify the substantial differences between the perception
of problems reported in the press and the reality of the situation." At the
meeting, the commanding officer showed a videotape

11U.S.  General Accounting Office,  GAO's Standards  for Internal Control in
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999).

of the entire congressional hearing. By denying that these weaknesses
resulted in undetected misuse of purchase cards, the commanding officer
effectively diminished the likelihood that substantive changes would be
implemented or, if implemented, taken seriously. The underlying message of
his testimony, his subsequent "all hands" meeting, and his meetings with us,
was that the trust SPAWAR Systems Center management had in its staff was an
acceptable substitute for a cost-effective system of internal controls.

The commanding officer was relieved of duty in December 2001 for matters
unrelated to the purchase card program. The admiral in charge of SPAWAR held
a nonjudicial punishment hearing on December 8, 2001, and found that the
commanding officer had violated two articles of the Uniform Code of Military
Justice, including dereliction of duty and conduct unbecoming an officer.
The admiral issued the commanding officer a Punitive Letter of Reprimand,
relieved him of his command at SPAWAR Systems Center, and endorsed his
request for retirement from the Navy.

The new commanding officer at SPAWAR Systems Center now has an opportunity
to set a "tone at the top" that reflects a true commitment to establishing a
positive control environment. Based on our discussions with the commanding
officer and some of the actions we have observed, we are encouraged by her
commitment to ensure that an effective, well-controlled purchase card
program is implemented at SPAWAR Systems Center. At the same time, we remain
concerned that there will be significant cultural resistance to change in
the internal control environment. For example, up to the time we completed
our fieldwork in February 2002, some cardholders and managers continued to
rationalize the questionable purchases we brought to their
attention-including expensive laptop carrying cases, Lego robot kits,
clothing, food, and designer day planners- as discussed later in this
statement. Such an attitude perpetuates an overall environment that tacitly
condones possibly fraudulent wasteful, abusive, or otherwise questionable
spending of government funds.

Critical Internal Basic internal controls over the purchase card program
remained

ineffective during the last quarter of fiscal year 2001 at the two units
weControls Remained reviewed. Based on our tests of statistical samples of
purchase card Ineffective transactions, we determined that the two key
transaction-level controls

that we tested were ineffective, rendering SPAWAR Systems Center and

NPWC purchase card transactions vulnerable to fraudulent and abusive

purchases and theft and misuse of government property. As shown in table

4, the specific controls that we tested were (1) independent, documented
receipt and acceptance of goods and services and (2) independent, documented
review and certification of monthly purchase card statements.

Table 4: Estimate of Fiscal Year 2001 Transactions That Failed Control
Testsa 
Breakdowns in key purchase card controlsa

Independent, Proper certification of documented receipt of purchase card
statements items purchased for payment

          Navy units in San Diego Percent failure Percent failure

                      SPAWAR Systems Center 56% 100%b

                               NPWC 16% 100%c

aThe numbers represent point estimates for the population based on our
sampling tests. The confidence intervals for our sampling estimates are
presented in appendix II of this testimony.

bFor the last quarter of fiscal year 2001, SPAWAR Systems Center continued
to have only one certifying officer for almost 1,000 cardholders. This
unacceptable span of control led us to conclude that all transactions
selected as part of our statistical sample were not properly reviewed and
approved by a certifying officer.

cOur statistical testing identified one transaction that was reconciled by
the cardholder and approving official prior to payment. The projected error
rate was 99.9 percent, which we rounded to 100 percent.

In addition, we attempted to test whether the accountable items-easily
pilferable or sensitive items-included in some of the transactions in our
samples were recorded in the units' property records to help prevent theft,
loss, and misuse of government assets. However, we were unable to perform
those tests because SPAWAR Systems Center had recently changed its policy
and no longer maintains accountability over easily pilferable items such as
personal digital assistants and digital cameras. Further, our statistical
sample at NPWC did not identify any accountable property items.

NPWC Made Significant Improvements in Independent Receipt and Acceptance,
While SPAWAR Systems Center Results Were Unchanged

SPAWAR Systems Center did not have independent, documented evidence that
they received and accepted items ordered and paid for with the purchase
card, which is required by Navy policy. That is, they generally did not have
a receipt for the acquired goods and services that was signed and dated by
someone other than the cardholder. As a result, there is no documented
evidence that the government received the items purchased or that those
items were not lost, stolen, or misused. Based on our testing, we estimate
that SPAWAR Systems Center did not have independent,

documented evidence to confirm the receipt and acceptance of goods and
services acquired with the purchase card for about 56 percent of its fourth
quarter fiscal year 2001 transactions. We previously reported a 65 percent
control failure rate for fiscal year 2000.

NPWC improved its adherence to the internal control of documenting
independent receipt and acceptance of items acquired with a purchase card,
although its 16 percent failure rate in this control technique remained
unacceptable. We previously testified that NPWC generally did not have
documented independent receipt and acceptance for goods and services and
reported a 47 percent control failure rate for fiscal year 2000. The
improved results for NPWC are the result of management attention to this
important control and increased training for cardholders.

Review and Certification of Monthly Purchase Card Statements Remained a
Significant Weakness at Both Units

Throughout fiscal year 2001, SPAWAR Systems Center and NPWC still did not
properly review and certify the monthly purchase card statements for
payment. We previously reported that SPAWAR Systems Center and NPWC
approving officials who certify the monthly purchase card statements for
payment generally rely upon the silence of a cardholder to assume that all
purchase card transactions listed on the monthly statements are valid
government purchases. However, this process does not compensate for the fact
that a cardholder might have failed to forward corrections or exceptions to
the account statement in a timely manner or, even worse, may not have
reviewed the statement. As a result of the breakdown of this control, for
the fourth quarter of fiscal year 2001, SPAWAR Systems Center and NPWC were
paying the monthly credit card bills without any independent review of the
monthly cardholder statements prior to payment to verify that the purchases
were for a valid, necessary government need.

Under 31 U.S.C. 3325 and DOD's Financial Management Regulation,12
disbursements are required to be made on the basis of a voucher certified by
an authorized agency official. The certifying official is responsible for
ensuring (1) the adequacy of supporting documentation, (2) the accuracy of
payment calculations, and (3) the legality of the proposed payment under the
appropriation or fund charged. The certification function is a preventive
control that requires and provides the incentive for certifying officers to
maintain proper controls over public funds. It also helps detect

12DOD Financial Management Regulation, Volume 5, Chapter 33, "Accountable
Officials and Certifying Officers."

fraudulent and improper payments, including unsupported or prohibited
transactions, split purchases, and duplicate payments. Further, section 933
of the National Defense Authorization Act for Fiscal Year 2000 requires the
Secretary of Defense to prescribe regulations that ensure, among other
things, that each purchase card holder and approving official is responsible
for reconciling charges on a billing statement with receipts and other
supporting documentation before certification of the monthly bill.

We previously reported that NAVSUP policy is inconsistent with the purpose
of certifying vouchers prior to payment and made recommendations to revise
the policy appropriately. Navy agreed with our recommendations concerning
the need to change this portion of the purchase card instruction.

For the last quarter of fiscal year 2001, SPAWAR Systems Center continued to
have only one approving official to certify for payment the monthly purchase
card statements of almost 1,000 cardholders. This unacceptable span of
control led us to conclude that all transactions selected as part of our
statistical sample were not properly reviewed and approved by a certifying
officer. NPWC also continued to inappropriately certify purchase card
statements for payment before receiving cardholder assurance that the
purchases were proper. Our review of purchase card transactions disclosed
that no significant change in this process had taken place during the fourth
quarter of fiscal year 2001, and we therefore identified a 100 percent
failure rate for this control at SPAWAR Systems Center and NPWC.

However, in keeping with its proactive attitude, instead of waiting for
NAVSUP to issue its new purchase card payment certification procedures, the
NPWC agency program coordinator issued local guidance in December 2001 that
requires approving officials, prior to certifying their summary invoice for
payment, to obtain notifications from cardholders that their statements do
not include disputed items. The guidance also indicates that approving
officials and cardholders should conduct ongoing reviews during the month of
the transactions in their purchase card accounts using Citidirect online
services. While this does not fully implement the recommendation that we
made in our November 30, 2001 report,13 this is a positive interim step.
Given the significant reduction in individual

13GAO-02-32.

approving  officials'  span  of   control  this  measure  provides  NPWC  an
opportunity to strengthen this control.

Citing Policy Change, SPAWAR Systems Center Failed to Maintain
Accountability for Pilferable Items

We disagree with a change in SPAWAR Systems Center policy that eliminated
the accountability of certain property items considered to be pilferable.
Recording items in the property records that are easily converted to
personal use and maintaining serial number and bar code control is an
important step in ensuring accountability and financial control over such
assets and, along with periodic inventory, in preventing theft or improper
use of government property. We previously testified that most of the
accountable items-easily pilferable or sensitive items-in our samples for
fiscal year 2000 were not recorded in property records.

On August 1, 2001, the Department of the Navy changed its definition for
what constitutes pilferable property. Unlike the previous policy, which was
prescriptive in identifying what was pilferable, the new policy provides
commanding officers with latitude in determining what is and what is not
pilferable. Specifically, the new policy defines pilferable to be an item-
regardless of cost-that is portable, can be easily converted to personal
use, is critical to the activity's business/mission, and is hard to repair
or replace. Citing the "hard to repair or replace" criteria in the new
policy, on November 1, 2001, SPAWAR Systems Center determined that only
computer systems and notebook/laptop computers would be considered
pilferable items. Thus, based on our fiscal year 2000 and 2001 audit work,
SPAWAR Systems Center did not maintain accountability over numerous
sensitive and pilferable items, such as digital cameras and personal digital
assistants (PDA), leaving them subject to possible theft, misuse, or
transfer to personal use.

SPAWAR Systems Center's new commanding officer and executive director told
us that they do not believe that it is cost beneficial to account for and
track these assets, but instead rely on supervisory oversight and personal
employee trust to provide the necessary accountability of these assets. The
commanding officer and the executive director stated that SPAWAR Systems
Center is a diversified organization in which its scientists and engineers
are working on as many as 1,000 different projects at any one time, which
would make it difficult to keep track of these lower cost items. We
acknowledge the important mission that SPAWAR Systems Center serves, but we
also believe that the diverse nature of its operations is one of the key
reasons why SPAWAR Systems Center needs to maintain accountability of its
pilferable items. As discussed later in this testimony,

we believe that SPAWAR Systems Center's lack of accountability over items
that are pilferable contributed to several abusive and questionable
purchases.

Although NPWC also had the opportunity to redefine what constitutes
pilferable property, NPWC did not institute a similar policy change. Unlike
SPAWAR Systems Center, NPWC generally does not use the purchase card to buy
property items that are pilferable or easily converted to personal use. As a
result, our sample of fourth quarter fiscal year 2001 NPWC transactions did
not include any accountable items.

Status of ERP Implementation at SPAWAR Systems Center

SPAWAR Systems Center officials stated that they have implemented a new
Enterprise Resource Planning (ERP) system that is designed to address most
of the weaknesses that we identified in our July 2001 testimony. Once
effectively implemented, the ERP system would facilitate on-line review,
reconciliation, and monitoring of credit card activity. The system would
also result in reduced storage needs because ERP requires receipt and
acceptance documentation to be scanned into a database storage container.
However, our limited assessment of the control environment identified
several weaknesses. Although the new system has the stated capability to
address the weaknesses we identified in the purchase card program, until it
is effectively implemented and individuals comply with purchase card
policies and procedures, SPAWAR Systems Center has little assurance that the
weaknesses we previously identified will be corrected or mitigated.

For example, the implementation of the ERP system at the time of our review
did not provide for an adequate separation of duties or proper certification
of purchase card transactions for payment. Specifically, a systems
administrator with high-level administrative access privileges on the system
performed both cardholder and approving official duties. In addition, the
administrator pushed transactions through the system as an approving
official without the required cardholder reconciliation or any knowledge of
the transactions. Further, the administrator, who performed approving
official duties, did not review the transactions to determine if they
complied with Navy policies and procedures. That responsibility remained
with the existing approving official; however, as we previously testified
about the manual process, we found no evidence that the approving official
verified compliance. SPAWAR Systems Center officials stated that by the end
of February 2002, the administrator should no longer have these duties
because all of the newly designated approving officials

will have completed the required ERP training. We have not verified this
corrective action or whether the approving officials are properly performing
their duties.

In assessing the control environment, we attempted, but were unable, to
obtain documentation such as (1) the DOD Information Technology Security
Certification and Accreditation Process (DITSCAP)14 for the system and (2)
formal procedures on granting and removing access to the ERP. First, SPAWAR
Systems Center officials stated that the certification and accreditation for
the ERP system was not complete and that it was currently operating under
interim authority. The DITSCAP would give an indication as to whether SPAWAR
Systems Center had established its information security requirements and
whether the system implementation meets the established security
requirements. Second, although SPAWAR Systems Center had an informal process
for granting and removing system access, these procedures had not yet been
formally documented. Establishing such formal control procedures helps
ensure that authorized users have the appropriate access to perform their
job duties.

Potentially Fraudulent, Improper, Abusive, and Questionable Transactions

We identified numerous examples of improper, abusive, or questionable
transactions at SPAWAR Systems Center during fiscal year 2001. Given the
weaknesses in the overall internal control environment and ineffective
specific internal controls, it is not surprising that SPAWAR Systems Center
did not detect or prevent these types of transactions. In fact, most of the
transactions that we identified as improper, abusive, or questionable at
SPAWAR Systems Center were approved and represented to us as being an
appropriate, proper use of the purchase card. In contrast, using the same
data mining techniques at NPWC, the number and severity of the problems we
identified were substantially less than at SPAWAR Systems Center. In
addition, rather than dispute our findings on each transaction, NPWC showed
a proactive response and not only concurred with our findings but
immediately took action to prevent future improper or abusive transactions
from occurring. As discussed in appendix II, our work was not designed to
identify, and we cannot determine, the extent of fraudulent, improper, and
abusive or otherwise questionable transactions.

14DOD Instruction 5200.40, December 30, 1997, and OPNAV Instruction 5239.1B,
November 9, 1999, requires any DOD system that collects, stores, transmits,
or processes unclassified or classified information to comply with the
DITSCAP process to establish a more secure system operations.

Further, our review of SPAWAR Systems Center and NPWC transactions for
potentially fraudulent, improper, and abusive or otherwise questionable
purchases was limited and not intended to represent the population of SPAWAR
Systems Center and NPWC transactions. Specifically, we reviewed a total of
161 SPAWAR Systems Center and 145 NPWC fiscal year 2001 transactions and
performed additional analysis of related activity at three specific vendors
as discussed in appendix II. To test those transactions and related
activity, we examined all available documentation supporting the
transactions, and when necessary we interviewed NPWC and SPAWAR Systems
Center staff. To put the number of transactions that we reviewed into
perspective, during fiscal year 2001 SPAWAR Systems Center and NPWC
processed a total of about 83,000 transactions. Thus, the potentially
fraudulent, improper, and abusive or questionable transactions we identified
relate to the 306 transactions and associated activity we reviewed. We
cannot project the extent of potentially fraudulent, improper, or abusive
transactions for SPAWAR Systems Center or NPWC to the entire population of
fiscal year 2001 transactions. See appendix II for a more detailed
discussion of our objectives, scope, and methodology.

Potentially Fraudulent Transactions

We considered potentially fraudulent purchases to include those made by
cardholders that were unauthorized and intended for personal use. Some of
these instances involved the use of compromised accounts, in which an actual
Navy purchase card or an active account number was stolen and used to make a
fraudulent purchase. Other cases involved vendors charging Navy purchase
cards for unauthorized transactions.

Both SPAWAR Systems Center and NPWC had policies and procedures that were
designed to prevent the payment of fraudulent purchases; however, our tests
showed that although both units made some improvements, particularly NPWC,
they did not implement the controls as intended. For example, as discussed
previously, controls were ineffective for independent verification of
receipt and acceptance and proper review and certification of monthly
statements prior to payment. Fraudulent activities must therefore be
detected after the fact, during supervisor or internal reviews, and disputed
charge procedures must be initiated to obtain a credit from Citibank. Table
5 shows examples of potentially fraudulent transactions that we identified
at SPAWAR Systems Center. Using the same audit techniques, we did not find
documented evidence of potentially fraudulent NPWC transactions for fiscal
year 2001. However, as noted previously, our tests were not designed to
identify all fraudulent transactions, and considering the control weaknesses
identified at

SPAWAR Systems Center and NPWC, and the substantial number of compromised
accounts discussed later, fraudulent transactions may have occurred during
fiscal year 2001 and not have been detected.

Table 5:  Examples of  Potentially Fraudulent Purchase Card  Transactions at
SPAWAR Systems Center

The fact that all
of the
unauthorized
transactions in
table 5 were
authorized for
payment by SPAWAR
Systems Center
clearly
demonstrates the
lack of an
effective review
and monthly
certification
process. SPAWAR
Systems Center
officials told us
that they were
aware of all of
these potentially
fraudulent
transactions and eventually received a credit from either the vendor or
Citibank or reimbursement from the cardholder, but in some cases after many
months. For example, the car rental transaction related to a SPAWAR Systems
Center employee who stated that she had inadvertently used the purchase card
rather than a personal credit card. However, it took the employee 5 months
to reimburse the government for this personal and unauthorized charge. Three
of the examples in table 5 relate to the 2,595 Navy purchase card
compromised accounts discussed below. The card numbers used to make the
internet purchases were not on the list of compromised accounts. These
cardholders reported to Citibank that the transactions were unauthorized,
and Citibank provided credits to their accounts for disputed amounts up to
three months after SPAWAR Systems Center paid the bill. The $10,600 of
potentially fraudulent charges represent numerous unauthorized charges, many
of which were about $500 each, during fiscal year 2001 by a safety product
vendor that SPAWAR Systems Center paid despite the fact that no goods were
received. As of

January 21, 2002, SPAWAR Systems Center had not received a credit from the
bank or the vendor for about $3,100 of the unauthorized charges.

In our July 2001 testimony, we identified about $12,000 in potentially
fraudulent fiscal year 2000 transactions on the purchase card of a former
NPWC employee. NPWC Command Evaluation staff researched the potentially
fraudulent charges, and NPWC eventually disputed them and recovered the full
amount from the bank. Our Office of Special Investigations conducted an
investigation of the suspect employee to determine if these transactions
were indeed fraudulent. This investigation identified the following.

* The purchases occurred primarily between December 20 and 26, 1999, and
included an Amana range, Compaq computers, gift certificates, groceries, and
clothes. Based on our research, most of the merchants noted that these were
not phone orders and someone presented the purchase card in question to make
the purchases.

* The cardholder brought the January 2000 credit card statement, with the
above charges on the bill, to her supervisor for his approval and signature.
According to the supervisor, the cardholder told him that she needed the
statement signed immediately because she was late in processing it. The
supervisor signed the credit card statement without reviewing it.

* The cardholder claims to have disputed the charges on January 31, 2000.
Citibank indicated that it did not receive the dispute documentation until
August 23, 2000, and the bank did not credit the Navy for these charges
until April 2001.

* Based on an examination of the handwriting specimens by the U.S. Secret
Service Forensic Services Division, the fraudulent purchase receipts were
probably signed by someone other than the cardholder and all appear to have
been signed by the same individual.

* The Amana range was bought with a gift card that was purchased in the name
of the cardholder's alleged ex-boyfriend's mother.

* The cardholder left NPWC to work for the U.S. Pacific Fleet from June to
November of 2000 and now works at the Pentagon. After leaving work on her
last day at NPWC, the cardholder improperly used the NPWC purchase
card-which should have been canceled-for a personal automobile rental that
was initially paid by NPWC and subsequently reversed through a credit from
Citibank. The cardholder was supposed to, but has not yet, repaid Citibank
the $358 owed.

* The cardholder also misused a government travel card by purchasing three
airline tickets for personal use. The cardholder partially repaid

the cost of the tickets but had a remaining balance of $379. The Bank of
America has written off the balance of the cardholder's account.

The facts of this case demonstrate a complete breakdown in internal
controls, particularly in the area of proper review and certification of
monthly statements. The individual who approved the payment to Citibank for
these fraudulent charges told us that he signed off on the January 2000
statement without reviewing it to determine if the transactions were valid.
It is unclear whether the credit NPWC ultimately received was the result of
the Citibank investigation of the case or NPWC's determining some time after
payment of the bill that the charges were fraudulent. NPWC also did not
properly cancel the purchase card account of this cardholder after the
cardholder had moved on to another organization within the Navy. Further,
NPWC paid the purchase card bill that included this cardholder's personal
automobile rental, a clear indication that the monthly review and
certification of bills was not being done. Finally, as of February 6, 2002,
no disciplinary actions had been taken against this cardholder. Our Office
of Special Investigations referred this case back to the Naval Criminal
Investigative Service for further investigation and, if warranted,
prosecution.

We also followed up on the previously reported September 1999 compromise of
up to 2,600 purchase card accounts assigned to Navy activities in the San
Diego area. We reported that Navy investigators were able to identify only a
partial list consisting of 681 compromised accounts. We recommended that the
Navy act immediately to cancel all known active compromised accounts. In
December 2001, Navy notified us that all 681 compromised accounts we
identified in the July testimony were cancelled, including 22 active SPAWAR
Systems Center accounts. However, no other action was taken by the Navy to
identify or cancel the remaining nearly 2,000 accounts that were compromised
in September 1999. Our investigators subsequently identified the source of
the compromised accounts as the database of a Navy vendor, which provided
NCIS with the names of its former employees who were possible suspects in
the theft of data. In January 2002, the vendor provided our investigators
with the entire list of the 2,595 compromised accounts. We provided this
list to the Navy and recommended that it immediately cancel the remaining
1,914 compromised account numbers. We found that 78 SPAWAR Systems Center
and 10 NPWC compromised accounts were active as of December 2001. As noted
previously, 3 of the examples of potentially fraudulent SPAWAR Systems
Center activity reported in table 5 involved these compromised accounts.

As we reported in our previous testimony, as of January 2001, at least 30 of
the nearly 2,600 compromised account numbers were used by 27 alleged
suspects to make more than $27,000 in fraudulent transactions for pizza,
jewelry, phone calls, tires, and flowers. However, with the lack of
effective controls over independent receipt for goods and services and
proper review and certification of purchase card statements for payment that
we identified at the two units, it will be difficult, if not impossible, for
the Navy-including SPAWAR Systems Center and NPWC-to identify fraudulent
purchases as they occur, or to determine the extent of the fraudulent use of
compromised accounts. On December 11, 2001, the NCIS case on the compromised
Navy purchase card numbers was presented to the U.S. Attorney's Office,
Southern District of California, San Diego, for prosecution. The U.S.
Attorney's Office declined prosecution of the case due to the low known
dollar loss of $28,734. The NCIS case was closed on December 20, 2001.

The following are other cases of potential fraudulent activity.

* A fraud hotline call alerted NPWC to a case involving two NPWC employees,
an air conditioning equipment mechanic-who was a purchase card holder-and
his supervisor. The alleged fraud includes the element of collusion, which
internal controls generally are not designed to prevent. However, adequate
monitoring of purchase card transactions, along with the enforcement of
controls-such as documentation of independent confirmation of receipt and
acceptance and recording of accountable items in property records-will make
detection easier. In this case, the cardholder allegedly made fraudulent
purchase card acquisitions during the period of April 1999 through December
1999 to obtain electronic planners, leather organizers, a digital camera, a
scanner/printer, and various cellular telephone accessories for himself and
his supervisor. These items totaled more than $2,500. NPWC initiated
administrative action and gave a notice of proposed removal to the
cardholder on August 15, 2000, and to the supervisor on August 1, 2000. Both
employees resigned after they had repaid the Navy nearly $6,000 but before
formal removal. Criminal actions were not taken against the individuals.

* SPAWAR Systems Center's Command Evaluation is currently investigating
purchases made by cardholders in one of SPAWAR Systems Center's divisions.
This is an ongoing investigation focused on transactions made during the
period August 2000 through April 2001. Preliminary findings resulted in a
request from Command Evaluation to the SPAWAR Systems Center agency program
coordinator to suspend

   purchase card authority for all cardholders and approving officials in

the affected division until the investigation is completed. * Our Office of
Special Investigations is conducting a further investigation of about
$164,000 in transactions during fiscal year 2001 between SPAWAR Systems
Center and one of its contractors for potentially fraudulent activity. The
SPAWAR Systems Center division responsible for these purchase card
transactions is the same department that SPAWAR Systems Center's Command
Evaluation is currently reviewing, as discussed in the previous bullet. This
case is discussed in more detail in the following section on improper
purchases.

Improper Transactions We identified transactions for SPAWAR Systems Center
and NPWC that were improper, including some that involved the improper use
of federal funds. The transactions we determined to be improper are those
purchases intended for government use, but are not for a purpose that is
permitted by law, regulation, or DOD policy. We also identified as improper
numerous purchases made on the same day from the same vendor that appeared
to circumvent cardholder single transaction limits. Federal Acquisition
Regulation and NAVSUP Instruction 4200.94 guidelines prohibit splitting
purchase requirements into more than one transaction to avoid the need to
obtain competitive bids on purchases over the $2,500 micropurchase threshold
or to circumvent higher single transaction limits for payments on
deliverables under requirements contracts. We identified these improper
transactions as part of our review of about 161 SPAWAR Systems Center and
145 NPWC fiscal year 2001 transactions and related activity. We identified
most of these transactions as part of our data mining of transactions with
questionable vendors, although several were identified as part of our
statistical sample.

Transactions Not Permitted by The Federal Acquisition Regulation, 48 C.F.R.
13.301(a), provides that the

Law, Regulation, or DOD Policy governmentwide commercial purchase card "may
be used only for purchases that are otherwise authorized by law or
regulations." Therefore, a procurement using the purchase card is lawful
only if it would be lawful using conventional procurement methods. Under 31
U.S.C. 1301(a), "[a]ppropriations shall only be applied to the objects for
which the appropriations were made . . ." In the absence of specific
statutory authority, appropriated funds may only be used to purchase items
for official purposes, and may not be used to acquire items for the personal
benefit of a government employee. As previously discussed NPWC identified
approximately 600 transactions that violated the Navy's prohibition against
using the purchase card to acquire noncommonly used

hazardous materials.  As shown  in table 6,  we found examples  of purchases
that were not authorized by law, regulation, or policy.

     Table 6: Transactions Not Permitted by Law, Regulation, or Policy

                                                                                      Total
                                                                               transaction
   Type of items                                       Nature of improper
     purchased       Unit       Example vendors           transaction              amounts
      Food and             Admiral Kidd Catering,      Not authorized by
   refreshments      Both  Omni                               law                  $ 8,500
                             Hotel, Expressly Gourmet,
                                               Dave's
                           Snack Bar, Embassy Suites
                                  Sport Chalet, Twig's Not authorized by
     Clothing       SPAWAR              Alaskan Gifts      law; see                   $282
                                                      additional clothing
                                                          in table 8
 Luxury rental cars           Enterprise, Courtesy,    Not in accordance
      (e.g.,         NPWC            Fuller                with DOD                 $7,028
 Lincoln Town Car)                                      policy; abusive

Contracted services SPAWAR Telecommunications          Not in accordance
                           contractor                      with Navy              $164,143
                                                      policy; potentially
                                                          fraudulent

 Convenience check  SPAWAR    U.S. Postal Service      Not in accordance
                                                           with DOD               $347,120
                                                        policy; abusive
                                                       Not in accordance
 Printing services  SPAWAR          Kinko's             with policy to              $3,763
                                                        use the Defense
                                                           Automated
                                                       Printing Service

     Sales tax      SPAWAR          Numerous           Not authorized by              $283
                                                              law

Food. We found a number of purchases of food at SPAWAR Headquarters, SPAWAR
Systems Center and NPWC that represent an improper use of federal funds.
Without statutory authority, appropriated funds may not be used to furnish
meals or refreshments to employees within their normal duty stations.15 Free
food and other refreshments normally cannot be justified as a necessary
expense of an agency's appropriation because these items are considered
personal expenses that federal employees should pay for from their own
salaries.16 In January 2000, the General Services Administration (GSA)
amended the government travel regulations to permit agencies to provide
light refreshments to employees attending conferences involving travel. In
response to GSA's action, DOD amended the Joint Travel Regulation (JTR) and
Joint Federal Travel Regulation (JFTR) to permit similar light refreshments
for DOD civilian employees and military members. In April 2001, DOD
clarified the JTR/JFTR rule to permit light refreshments only when a
majority of the attendees (51 percent or more) are in travel status.17 The
following food purchases should not have been paid for with appropriated
funds.

* Three instances in which NPWC purchased primarily meals and light
refreshments for employee-related activities, including team meetings, at a
cost of about $4,100. The supporting documentation we were provided
initially by NPWC showed these purchases to be the rental of rooms for
meetings. However, after our further inquiry of the Admiral Kidd Catering
Center we found that a large portion of the purchases were related to food
and refreshments including luncheon buffets. Officials from the Admiral Kidd
Catering Center indicated that the invoices for these events do not show the
food purchases because they knew that the Navy is not allowed to pay for
food at these conferences.

* Five instances in which SPAWAR Headquarters or Systems Center cardholders
purchased primarily light refreshments for employee team meetings or
training sessions when less than a majority of the attendees were on travel,
at a total cost of about $1,000.

1572 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).

1665 Comp. Gen. 738, 739 (1986).

17For purposes of this testimony, we determined a purchase of food to be
improper if it did not comply with the JTR/JFTR light refreshment rule.
However, we have some questions about the validity of this rule and
therefore do not necessarily conclude that food purchases in accordance with
this rule are proper. We are currently working on a legal decision
concerning the validity of the GSA and DOD light refreshment policies.

* One transaction in which a SPAWAR Headquarters program management office
had a 2-day off-site meeting at a San Diego hotel for about 20 staff, and
SPAWAR Headquarters provided all participants with lunch and refreshments.
The cardholder provided us with documentation indicating that SPAWAR
Headquarters spent $2,400 to rent a room at the hotel where the meeting was
held. The assistant program manager told us that the $2,400 charge was just
for the meeting room rental. However, we obtained documents directly from
the hotel, which were signed by the assistant program manager, that prove
that SPAWAR Headquarters paid about $1,400 for lunch and refreshments for
both days. Furthermore, by comparing the hotel's copy of the event
confirmation form with the copy of the same form provided by SPAWAR
Headquarters, it appeared that the form had been altered to indicate that
the $2,400 was only for rent. After briefing SPAWAR Headquarters and System
Center management of our findings, the SPAWAR Headquarters inspector general
opened an investigation of this matter that is still ongoing.

Clothing. We identified several purchases of clothing by SPAWAR Systems
Center employees that should not have been purchased with appropriated
funds. According to 5 U.S.C. 7903, agencies are authorized to purchase
protective clothing for employee use if the agency can show that (1) the
item is special and not part of the ordinary furnishings that an employee is
expected to supply, (2) the item is essential for the safe and successful
accomplishment of the agency's mission, not solely for the employee's
protection, and (3) the employee is engaged in hazardous duty. Further,
according to a comptroller general decision dated March 6, 1984,18 clothing
purchased pursuant to this statute is property of the U.S. government and
must only be used for official government business. Thus, except for rare
circumstances in which a clothing purchase meets stringent requirements, it
is usually considered a personal item that should be purchased by the
individual.

For the transactions that we tested, we found that several SPAWAR Systems
Center employees had purchased clothing, such as a lightweight hooded
jacket, long pants, and a shirt that should have been purchased by

1863 Comp. Gen. 245, 247 (1984). In requesting the comptroller general's
approval of the purchases, the agency represented that "the parkas would be
labeled as [agency] property, centrally controlled, and issued and reissued
to employees only for job requirements." SPAWAR Systems Center officials
have not made a similar representation.

the employees with their own money. One of the cardholders told us that he
believed his purchases of clothing were appropriate because other SPAWAR
Systems Center employees were also purchasing clothing. As a result of this
statement, we expanded our analysis and found that during fiscal year 2001
SPAWAR Systems Center cardholders purchased about $4,400 worth of socks,
gloves, parkas, jackets, hats, shirts, and sweatpants from REI and Cabela's
that appear to also be improper. Because we did not test each of these
transactions to determine if they were adequately justified, we included the
$4,400 as questionable clothing purchases in table

8.

Luxury car rentals. We identified 34 fiscal year 2001 purchases totaling
$7,028 in which NPWC could not support the representation that rentals of
Lincoln Town Cars or similar luxury cars were for individuals authorized to
obtain a luxury car. DOD policy provides that only four-star admirals and
above (or equivalent) qualify to rent such luxury vehicles. Our analysis of
NPWC's fiscal year 2001 purchase card transactions for rentals of commercial
vehicles disclosed 42 instances of rentals of luxury vehicles (e.g., Lincoln
Town Cars and Cadillac DeVilles). NPWC cardholder documentation showed that
only 8 of the 42 rentals were for four-star admirals. In the other 34
instances, cardholder documentation either disclosed that a rental of a
Lincoln Town Car or similar vehicle was for a Navy captain or lower-ranking
admiral, or the documentation was insufficient to determine who rented the
automobile. As a result of its inappropriately renting the Lincolns and
other luxury cars, we estimated that NPWC spent about $2,000 more than it
would have if NPWC had rented an automobile that was consistent with DOD
policy. Consistent with NPWC's proactive approach, the day after we brought
this issue to management's attention, controls and procedures were put in
place to resolve this issue. Because these purchases were at an excessive
cost, they also fall under the definition of abusive transactions.

Prepayment of goods and services. We also identified 75 SPAWAR Systems
Center purchase card transactions, for about $164,000 with a
telecommunications contractor, that appear to be advance payments for
electrical engineering services. Section 3324 of title 31, United States
Code, prohibits an agency from paying for goods or services before the
government has received them (with limited exceptions). Further, Navy
purchase card procedures prohibit advance payment for goods and services,
except in cases such as subscriptions and post office box rentals. SPAWAR
Systems Center project managers gave us with several conflicting
explanations of the nature of the arrangement with the contractor, first

indicating that the charges were for time and materials and later stating
that each purchase was a fixed-fee agreement. No documentation was provided
to support either explanation. We were also told by SPAWAR Systems Center
employees that the purchase card was used to expedite the procurement of
goods and services from the contractor because the preparation, approval,
and issuance of a delivery order was too time-consuming in certain
circumstances.

For all 75 transactions, we found that the contractor's estimated costs were
almost always equal or close to the $2,500 micropurchase threshold. Because
we found no documentation of independent receipt and acceptance of the
services provided or any documentation that the work for these charges was
performed, these charges are also potentially fraudulent. We therefore
referred the SPAWAR Systems Center purchase card activity with this
contractor to our Office of Special Investigations for further
investigation.

Convenience checks. We found that SPAWAR Systems Center improperly used
convenience checks in fiscal year 2001, which ultimately resulted in NAVSUP
canceling the use of these checks at SPAWAR Systems Center in November 2001,
after we made inquires concerning the number of SPAWAR Systems Center
convenience checks issued that exceeded the $2,500-per-check limit.
Convenience checks are charged directly to the government purchase card
account and are used to pay vendors and other government agencies that do
not accept the purchase card. According to the SPAWAR Systems Center agency
program coordinator, two Citibank convenience check accounts were
established in December 1998, presumably before NAVSUP changed its policy
allowing only one account per unit. The SPAWAR Systems Center head of supply
and contracts canceled one of these accounts on November 15, 2001, after we
made inquires concerning SPAWAR Systems Center's convenience check usage.

We found that the two employees responsible for these two accounts had
issued 187 checks during fiscal year 2001, 30 of which were in excess of the
$2,500 limit for individual checks, for a total of over $347,000. The checks
that exceeded the $2,500 limit were issued to pay for postage meter charges,
various services to vendors who were sole source providers, and training.
After we made inquires to the DOD Purchase Card Program Office regarding the
propriety of SPAWAR Systems Center's writing convenience checks in excess of
$2,500, NAVSUP canceled SPAWAR Systems Center's convenience check privileges
on November 20, 2001. We also believe the use of convenience checks for over
$2,500 purchases is not economical

because of the 1.25 percent fee charged per transaction. For example, SPAWAR
Systems Center used convenience checks to make one purchase of $10,000 for
postage, which resulted in a fee of $125.

Printing. In addition, we identified several instances in which SPAWAR
Systems Center did not adhere to DOD's policy to use the Defense Automated
Printing Service (DAPS) to perform all printing jobs. Further, the Navy's
purchase card list of prohibited or special-approval items states that
cardholders are prohibited from buying printing or duplication services from
entities other than DAPS. In two of the transactions that we audited, SPAWAR
Systems Center paid about $3,800 to Kinko's for printing manuals.

Sales tax. We identified eight instances of sales taxes paid on SPAWAR
Systems Center purchases. Payment of sales tax for the purchase of goods and
services for the government is not authorized by law. According to SPAWAR
Systems Center employees, these sales tax payments generally occurred when
the vendors did not know how to process a nontaxable transaction.

Split Purchases Our analysis of the population of fiscal year 2001
transactions made by one or more cardholders on the same day from the same
vendor, which appeared to circumvent cardholder single transaction limits,
identified about $7.5 million in SPAWAR Systems Center potential split
purchases and nearly $3 million in NPWC potential split purchases. The
Federal Acquisition Regulation and Navy purchase card policies and
procedures prohibit splitting a purchase into more than one transaction to
avoid the requirement to obtain competitive bids for purchases over the
$2,500 micropurchase threshold or to avoid other established credit limits.
Once items exceed the $2,500 micropurchase threshold, they are to be
purchased in accordance with simplified acquisition procedures, which are
more stringent than those for micropurchases.

Our analysis of the population of fiscal year 2001 SPAWAR Systems Center and
NPWC transactions identified a substantial number of potential split
purchases. To determine whether these were, in fact, split purchases, we
obtained and analyzed the supporting documentation for 30 potential split
purchases at SPAWAR Systems Center and 20 potential split purchases at NPWC.
We found that in many instances, cardholders made multiple purchases from
the same vendor within a few minutes or a few hours for items such as
computers, computer-related equipment, cell phone services, and small
contracts that involved the same, sequential, or nearly sequential

purchase order and vendor invoice numbers. Based on our analyses, we
concluded that 13 of the 30 SPAWAR Systems Center and 10 of the 20 NPWC
purchases that we examined were split into two or more transactions to avoid
micropurchase thresholds. Table 7 provides several examples of cardholder
purchases that we believe represent split purchases intended to circumvent
the $2,500 micropurchase limit or other cardholder single transaction limit.

 Table 7: Examples of Potential SPAWAR Systems Center and Navy Public Works
                      Center San Diego Split Purchases

                                                             Cost of
  Navy                                             Items              Indicator of split
  unit       Vendor        Date        Charge   purchased      items       purchase

 SPAWAR  Nextel Wireless                        Cell phone            10 separate charges
                         7/17/2001  10 charges   service     $24,482       of about
                                                                       $2,500 each to pay
                                                                            July monthly
                                                                             bill

 SPAWAR    World Wide                       1    Computer             Computer equipment
                         9/05/2001              equipment     $1,938       resides
           Technology                                                 within the cabinet
                                            2    Cabinet      $2,214

 SPAWAR                                     1    Software             Orders placed only
             CompUSA     9/11/2001                            $2,240       minutes
                                                                       apart for similar
                                                                           products
                                            2    Software     $1,160

  NPWC    Construction                      1                        Rental of security
                          7/12/01             Security fence  $2,442 fence on the

          Fence Rental                                                 same day for the
                                                                             same
                                                                     construction project
                                            2 Security fence  $2,310
                                            3 Security fence     $75

  NPWC                                      1                         Multiple charges on
          Comlogic NCC   9/17/2001               Computer     $2,495       the same
            Computers                                                day for items listed
                                                                             on the same
                                                                        authorization
                                            2 Computer parts  $1,401

                                            3    Computer       $149
                                                 software
NPWC  Union Electric 7/5/2001  1  Custom control panel$2,485  Purchases were on the same
          Motors                    and components            day and vendor invoice was
                                                                   sequentially numbered;
                                                                                  vendor
                                                              said transactions were part
                                                                          of
                                                                     single sale

2 Additional component $885 for control panel

Note: All cardholders making these transactions had $2,500
single-transaction limits.

By circumventing the competitive requirements of the simplified acquisition
procedures, we believe that in many instances SPAWAR

Systems Center and NPWC may not be getting the best prices possible for the
government. As a result, these split purchases are likely increasing the
cost of government procurements using the purchase card and, thus, at least
partially offsetting its benefits.

Abusive and Questionable Transactions

We identified numerous examples of abusive and questionable transactions at
SPAWAR Systems Center during fiscal year 2001. Several of the improper
transactions for NPWC discussed previously are also abusive or questionable;
however, we found no other abusive items related to NPWC in our statistical
sample or data mining. We defined abusive transactions as those that were
authorized, but the items purchased were at an excessive cost (e.g., "gold
plated") or for a questionable government need, or both. Questionable
transactions are those that appear to be improper or abusive but for which
there is insufficient documentation to conclude either. For all abusive or
questionable items, we concluded that cardholders purchased items for which
there was not a reasonable and/or documented justification.

Many of the purchases we found to be abusive or questionable fall into
categories described in GAO's Guide for Evaluating and Testing Controls Over
Sensitive Payments (GAO/AFMD-8.1.2, May 1993). The guide states: "Abuse is
distinct from illegal acts (noncompliance). When abuse occurs, no law or
regulation is violated. Rather, abuse occurs when the conduct of a
government organization, program, activity, or function falls short of
societal expectations of prudent behavior." Table 8 shows the potentially
abusive and questionable transactions we identified at SPAWAR Systems Center
for fiscal year 2001.

Further, several of these items fall into the category of pilferable items,
which, as discussed previously, SPAWAR Systems Center no longer records in
its property records and therefore does not maintain accountability over
them. For example, the cell phones and headset are items that could easily
be converted to personal use without detection as they are not subject to
bar coding and periodic inventory. In addition, items that may have limited
use on one project could be made available for use on other projects, if
their existence and location were recorded in centralized property records.
Such visibility could serve to avoid duplicative purchases as well as
provide the control needed to help prevent misuse of government property.

Table 8: Abusive and Questionable Transactions at SPAWAR Systems Center

   Type of items                                               Abusive/

     purchased            Example vendors Nature of          questionable      Total amount
                                 transaction

  Room rental and     Bally's in Las Vegas Organization
                            meeting for about 30             Questionable           $2,308
    refreshments              staff members in Las Vegas
                     Nextel, SprintPCS, AT&T Abusive and
Cellular phones and             uneconomical                  Abusive and          $74,936

      services          Wireless procurement, physical       questionable
                                control, and
                              usage of services
                         Cabela's, REI, Sport Chalet
 Clothing (see also  Purchase of personal items such as      Questionable           $4,668
      table 6)            socks, gloves, parkas, jackets,
                                                   hats,
                           shirts, and sweatpants
                         The Luggage Center Numerous
      Luggage            wallets, passport holders,             Abusive               $775
                      backpacks, neck pouches, and other
                              items given away
  Designer leather   Louis Vuitton, Franklin Purchase of
       goods               designer and high-cost             Abusive and          $33,054
                       Covey leather briefcases, totes,      questionable;
                                 portfolios,                   improper
                         day planners, palm pilot cases,   for nonmandatory
                             wallets, and purses           source of supply
                      SkyMall Purchase of computer bags
   Computer bags                    at an                       Abusive               $731
                          excessive cost, two given away
      Headset         Bose High-cost headset purchased,         Abusive               $299
                              questionable need
                      Toys R Us Four computer robot kits
  Lego "Mindstorm"               given away                     Abusive               $800
       robots               or at employee's home

Room rental and refreshments. We identified meeting room rental and
refreshments at Bally's, a hotel and casino in Las Vegas, which is a
questionable transaction. This charge was related to a trip for about 30
staff members from SPAWAR Headquarters. SPAWAR officials told us that the
trip was an organizational meeting to work out the details of a planned
merger of two program management working groups. According to SPAWAR
Headquarters officials, the staff members who attended the organizational
meeting spent the first morning of the 3-day trip at Nellis Air Force Base
discussing issues related to an ongoing project involving a test and
evaluation squadron. The cost of the transaction we reviewed was about
$2,300, and we estimate the total cost of the trip was between $15,000 and
$20,000. For the specific transaction we reviewed, we found that the same
control weaknesses we reported earlier applied, including lack of
independent receipt of goods and proper certification of the monthly bill.
There was no documentation showing that this transaction had been authorized
in advance or that management had fully considered the cost of this trip and
potentially less costly alternatives.

GAO's Guide for Evaluating and Testing Controls Over Sensitive Payments
notes the importance of the control environment and the need for effective
controls related to sensitive payments. A trip for about 30 employees to a
Las Vegas hotel and casino for 3 days at a significant cost to the
government is clearly sensitive and should be subjected to a high level of
scrutiny, with clear documentation and approval in advance of the event. We
would expect to see authorization in advance of the procurement by someone
at a higher level than the most senior individual involved in the event-in
this case, a captain. We found no documented justification to indicate a
valid need for this 3-day meeting to be held in Las Vegas nor did we find an
evaluation of the cost-benefit of having the meeting in Las Vegas versus
alternative sites. Thus, we question whether the entire cost of the trip was
a prudent expenditure of government funds. We did not review the travel
vouchers and related documentation for the other component costs of the trip
such as airfare, rental cars, or hotel bills; however, in estimating the
total cost of the trip, we reviewed available documentation related to
travel card usage from Bank of America.

Cell phone usage. We found significant breakdowns in controls at SPAWAR
Systems Center over the use of cell phones and related services, resulting
in abusive and wasteful expenditures of government resources. In addition,
we found a proliferation of cell phone agreements, with the purchase card
being used to purchase equipment and services from more than 40 different
cell phone companies at a total cost of $341,000 for fiscal year 2001.
According to SPAWAR Systems Center management, they have a master cell phone
contract with AT&T Wireless. However, lack of management oversight and a
large number of available purchase cards has resulted in individuals with
purchase cards or their supervisors deciding who needs a cell phone, which
cell phone company to use, and what type of calling plan to purchase. For
all but one of the transactions that we audited, we did not find any
evidence that the monthly cell phone bills had been independently reviewed
to ensure the transactions were reasonable and for valid government
purposes.

In the large case we audited, we identified a $24,000 monthly bill for about
200 Nextel cell phones and related services that were acquired to provide a
voice communication system for coordination and control among various groups
during a demonstration and test of a military wide area relay network. The
Nextel phones were selected for evaluation as an alternative not for their
standard cellular phone-to-phone capability, but for their "group-talk"
feature, which provides a wireless "walkie-talkie" like capability for
preprogrammed work groups. One of the key control failures

with this cell phone procurement was related to SPAWAR Systems Center's
handing out cell phones to project team members and government contractors
without keeping an inventory of who had each cell phone. Contractors that
used these government cell phones told us that SPAWAR Systems Center
officials brought a box of 60 or 70 cell phones to a meeting and handed them
out to contractors that were part of the team. The contractors told us that
SPAWAR Systems Center provided them with no instructions on proper use of
the cell phone. The approximately 200 cell phones were not physically
controlled and SPAWAR Systems Center did not have a list of who had the cell
phones. Based on further investigation, we found that these contractors were
using the cell phones to call friends and family and to conduct other
personal business. Based on our review of the bills for this Nextel
account-which totaled about $74,000 during fiscal year 2001-we estimated
that about $9,200 was spent on long distance and other local telephone
calls, which was not the primary intended purpose of these cell phones.

In addition to the Nextel contract, we also identified cell phone contracts
with large monthly fees for phones that were either used infrequently or not
at all. For example, we audited one account with five cell phones. The
service for each phone included 500 minutes of airtime, and the basic
service cost of each cell phone was $50 a month. For the 3 months of
activity we audited, we found that three of the five phones had either no
voice activity or very little. For example, one of these cell phones had
only 2 minutes of calls during a month that we audited. This is the
equivalent of the government paying $25 per minute for airtime.

We identified a number of other abusive and questionable charges including
the following.

* One cardholder purchased $775 of luggage including wallets, passport
holders, backpacks, neck pouches, and other items. The cardholder told us
that these items were used to carry or ship equipment to universities for
outreach activities. At the end of the events, the individual told us that
the items were given away. There is no documentation available showing the
authorization and need to purchase this luggage for purposes of carrying or
shipping equipment. This purchase appears abusive because a valid government
need is neither apparent nor documented, particularly since the cardholder
gave away government property that could easily be converted to personal
use.

* As part of our data mining, we identified purchases of day planners from
commercial vendors, including calendar refills along with designer leather
holders purchased from Louis Vuitton. By law, government agencies are
directed to purchase certain products, including day planners and calendars,
from certified nonprofit agencies that employ people who are blind or
severely disabled. This program is referred to as the Javits-Wagner-O'Day
(JWOD) program, which is intended to provide employment opportunities for
thousands of people with disabilities to earn good wages and move toward
greater independence. In addition, DOD's policy requires the use of JWOD
sources, whether or not the procurement is made using a purchase card,
unless the central JWOD agency specifically authorizes an exception. In this
year's audit, we found that SPAWAR Systems Center employees had purchased
three Louis Vuitton calendar refills for $27 each, and we identified three
purchases of Louis Vuitton calendar holders at a cost of $255 each in fiscal
year 2000. The most expensive JWOD calendar holders- specifically designed
for DOD-cost about $40.

* In addition, we identified about $33,000 in purchases from Franklin Covey
of designer and high-cost leather briefcases, purses (totes), portfolios,
day planners and refills, palm pilot cases, and wallets. For example, we
found leather purses costing up to $195 each and portfolios costing up to
$135 each. Many of these purchases are of a questionable government need and
should be paid for by the individual. To the extent the day planners and
calendar refills were proper government purchases, they were at an excessive
cost and, as with the Louis Vuitton day planners, should have been purchased
from a JWOD source at a substantially lower cost. Circumventing the JWOD
requirements and purchasing these items from commercial vendors is not only
an abuse and waste of taxpayer dollars, but shows particularly poor judgment
and serious internal control weaknesses.

* We identified the purchase of three computer bags from SkyMall at a cost
of $161 each, and another purchase of a computer bag at a store in Italy for
almost $250. All three computer bags were purchased by employees who were
traveling on SPAWAR Systems Center business. The cost of these computer bag
purchases is excessive compared to other standard bags we found purchased
for $25. In addition, the cardholder who purchased the SkyMall bags told us
that one of the two bags, along with another bag purchased in a separate
transaction, was given to non-SPAWAR Systems Center government employees
working on the project.

* We identified the purchase of a Bose headset at a cost of $299. The
cardholder told us that the headset was originally purchased for a

project but had never been used on the project. The cardholder stated that
he has used the headset to listen to music on official government travel
aboard airplanes.

* We identified four Lego "Mindstorm" computer robot kits that were
purchased at Toys R Us at a total cost of $800. The SPAWAR Systems Center
employee who requested that these robots be purchased initially told us that
they were purchased as a learning tool for new professionals and junior
engineers to learn cooperative behavior between robots and to conduct
robotic research. However, during our interview, this SPAWAR Systems Center
employee stated that at the time of these purchases his division did not
have any new professionals scheduled to rotate through his assignment.
Within 6 weeks of purchasing the kits, the employee removed all four from
SPAWAR Systems Center, brought two of them to a local elementary school
where he mentors an after school science club, and brought two to his home.
We believe this purchase is abusive because there does not appear to be a
valid government need for the purchase, and because the cardholder
effectively gave away government property that could easily be converted to
personal use. As part of the NAVSUP mandated stand-down transaction review,
SPAWAR Systems Center also reviewed the transactions for the Lego robot kits
and initially questioned their propriety. However, contrary to our
conclusion that these purchases were abusive, SPAWAR Systems Center
ultimately considered the Lego kits to be a valid government purchase.

Disciplinary Action Seldom Taken Against Cardholders Who Made Abusive
Purchases

In our November 30, 2001, report19 on the purchase card controls at SPAWAR
Systems Center and NPWC, we recommended that action be taken to help ensure
that cardholders adhere to applicable purchase card laws, regulations,
internal control and accounting standards, and policies and procedures.
Specifically, we recommended that the commander, Naval Supply Systems
Command, revise NAVSUP Instruction 4200.94 to include specific consequences
for noncompliance with purchase card policies and procedures. DOD did not
concur with that recommendation and stated that existing Navy policy clearly
identifies consequences for fraud, abuse, and misuse. We continue to believe
that Navy needs to establish specific consequences for these purchase card
problems because the Navy policy does not identify any specific consequences
for failure to follow control

19GAO-02-32.

requirements. Enforcement of the consequences is also critical. For example,
only one of the cardholders referred to in this testimony or our July 30,
2001, testimony had formal disciplinary or administrative action- in the
form of removal of the purchase card-taken against them.

Thus, we reiterate our previous recommendation that the Navy enforce
purchase card controls by establishing specific formal disciplinary and/or
administrative consequences-such as withdrawal of cardholder status,
reprimand, suspension from employment for several days, and, if necessary,
firing. Unless cardholders and approving officials are held accountable for
following key internals controls, the Navy is likely to continue to
experience the types of fraudulent, improper, and abusive and questionable
transactions identified in our work.

Conclusions The weaknesses identified in the purchase card program at these
two Navy units are emblematic of broader financial management and business
process reform issues across DOD. The comptroller general testified on March
6, 2002, before the Subcommittee on Readiness and Management Support, Senate
Committee on Armed Services, on the major challenges facing the department
in its business process transformation efforts.20 In light of the events of
September 11, and the federal government's short-and long-term budget
challenges, it is more important than ever that DOD get the most from every
dollar spent. As Secretary Rumsfeld has noted, billions of dollars of
resources could be freed up for national defense priorities by eliminating
waste and inefficiencies in existing DOD business processes. The cultural
issues we identified at SPAWAR Systems Center- such as the failure to
acknowledge significant control weaknesses in the purchase card program, the
parochial approach to program management without regard to broader Navy and
DOD initiatives, and the lack of consequences on a personal or
organizational level for failure to adhere to controls-are a major
impediment to the improvements that are needed to stop wasteful and abusive
purchases and ensure that taxpayer dollars are spent where national
priorities dictate. In response to requests from this Subcommittee and
Senator Grassley, we have ongoing audits related to the purchase and travel
card programs at the Army, Navy, and Air Force and

20U.S. General Accounting Office, DOD Financial Management: Integrated
Approach, Accountability, Transparency, and Incentives Are Keys to Effective
Reform, GAO-02-497T (Washington, D.C.: Mar. 6, 2002).

plan  to offer  additional recommendations  to strengthen the  controls over
these programs.

Contacts and Acknowledgments

For future contacts regarding this testimony, please contact Gregory D. Kutz
at (202) 512-9095 or [email protected] or John J. Ryan at (202) 512-9587 or
[email protected]. Individuals who made key contributions to this testimony
include Beatrice Alff, Cindy Brown-Barnes, Bertram Berlin, Sharon Byrd, Lee
Carroll, Douglas Delacruz, Francine DelVecchio, Stephen Donahue, Douglas
Ferry, Kenneth Hill, Jeffrey Jacobson, Kristi Karls, John Kelly, Yola Lewis,
Stephen Lipscomb, Scott McNulty, Sidney Schwartz, and Jenniffer Wilson.

Appendix I

Background

The Navy's purchase card program is part of the Governmentwide Commercial
Purchase Card Program, which was established to streamline federal agency
acquisition processes by providing a low-cost, efficient vehicle for
obtaining goods and services directly from vendors. According to GSA, DOD
reported that it used purchase cards for more than 10.7 million
transactions, valued at $6.1 billion, during fiscal year 2001. The Navy's
reported purchase card activity-MasterCards issued to civilian and military
personnel-totaled about 2.8 million transactions, valued at $1.8 billion,
during fiscal year 2001. This represented nearly 30 percent of DOD's
activity for fiscal year 2001. According to unaudited DOD data, SPAWAR
Systems Center and NPWC made about $64 million in purchase card acquisitions
during fiscal year 2001. Because these two units have cardholders located
outside the San Diego area, we limited our testing to only those SPAWAR
Systems Center and NPWC cardholders who are located in San Diego,
California. Those cardholders accounted for about $50 million of SPAWAR
Systems Center and NPWC's $64 million in purchase card transactions.

SPAWAR Systems Center and NPWC are both working capital fund activities.
SPAWAR Systems Center performs research, engineering, and technical support,
and NPWC provides maintenance, construction, and operations support to Navy
programs. Both of these Navy programs have locations throughout the United
States. Our review focused on the purchase card program at the San Diego
units only. For SPAWAR Systems Center, this included SPAWAR Headquarters,
which is located in San Diego, and SPAWAR Systems Center San Diego.

Governmentwide Purchase Card Program Guidelines

Under the Federal Acquisition Streamlining Act of 1994, the Defense Federal
Acquisition Regulation Supplement guidelines, eligible purchases include (1)
micropurchases (transactions up to $2,500, for which competitive bids are
not needed); (2) purchases for training services up to $25,000; and (3)
payment for items costing over $2,500 that are on the General Services
Administration's (GSA) preapproved schedule, including items on requirements
contracts. The streamlined acquisition threshold for such contract payments
is $100,000 per transaction. Accordingly, cardholders may have
single-transaction purchase limits of $2,500 or $25,000, and a few
cardholders may have transaction limits of up to $100,000 or more. Under the
GSA blanket contract, the Navy has contracted with Citibank for its purchase
card services, while the Army and the Air Force have contracted with U.S.
Bank.

                           Appendix I Background

The Federal Acquisition Regulation, Part 13, "Simplified Acquisition
Procedures," establishes criteria for using purchase cards to place orders
and make payments. U.S. Treasury regulations issued pursuant to provisions
of law in 31 U.S.C. 3321, 3322, 3325, 3327, and 3335, govern purchase card
payment certification, processing, and disbursement. DOD's Purchase Card
Joint Program Management Office, which is in the office of the assistant
secretary of the army for acquisition, logistics, and technology, has
established departmentwide policies and procedures governing the use of
purchase cards.

Navy Purchase Card Acquisition and Payment Processes

Approving Officials

Cardholders

The NAVSUP is responsible for the overall management of the Navy's purchase
card program, and has published the NAVSUP Instruction 4200.94, Department
of the Navy Policies and Procedures for Implementing the Governmentwide
Purchase Card Program. Under the NAVSUP Instruction, each Navy Command's
head contracting officer authorizes purchase card program coordinators in
local Navy units to obtain purchase cards and establish credit limits. The
program coordinators are responsible for administering the purchase card
program within their designated span of control and serve as the
communication link between Navy units and the purchase card issuing bank.
The other key personnel in the purchase card program are the approving
officials and the cardholders.

If operating effectively, the approving official is responsible for ensuring
that all purchases made by the cardholders within his or her cognizance were
appropriate and that the charges are accurate. The approving official is
supposed to resolve all questionable purchases with the cardholder before
certifying the bill for payment. In the event an unauthorized purchase is
detected, the approving official is supposed to notify the agency program
coordinator and other appropriate personnel within the command in accordance
with the command procedures. After reviewing the monthly statement, the
approving official is to certify the monthly invoice and send it to the
Defense Finance and Accounting Service for payment.

A purchase card holder is a Navy employee who has been issued a purchase
card. The purchase card bears the cardholder's name and the account number
that has been assigned to the individual. The cardholder is expected to
safeguard the purchase card as if it were cash.

                           Appendix I Background

Designation of Cardholders When a supervisor requests that a staff member
receive a purchase card, the agency program coordinator is to first provide
training on purchase card policies and procedures and then establish a
credit limit and issue a purchase card to the staff member.

Ordering Goods and Services Purchase card holders are delegated limited
contracting officer ordering responsibilities, but they do not negotiate or
manage contracts. SPAWAR Systems Center and NPWC cardholders use purchase
cards to order goods and services for their units as well as their
customers. Cardholders may pick up items ordered directly from the vendor or
request that items be shipped directly to end users (requesters). Upon
receipt of items acquired by purchase cards, cardholders are to record the
transaction in their purchase log and obtain documented independent
confirmation from the end user, their supervisor, or another individual that
the items have been received and accepted by the government. They are also
to notify the property book officer of accountable items received so that
these items can be recorded in the accountable property records.

Payment Processing The purchase card payment process begins with receipt of
the monthly purchase card billing statements. Section 933 of the National
Defense Authorization Act for Fiscal Year 2000, Public Law 106-65, requires
DOD to issue regulations that ensure that purchase card holders and each
official with authority to authorize expenditures charged to the purchase
card reconcile charges with receipts and other supporting documentation
before paying the monthly purchase card statement. NAVSUP Instruction
4200.94 states that upon receipt of the individual cardholder statement, the
cardholder has 5 days to reconcile the transactions appearing on the
statement by verifying their accuracy to the transactions appearing on the
statement and notify the approving official in writing of any discrepancies
in the statement.

In addition, under the NAVSUP Instruction, before the credit card bill is
paid the approving official is responsible for (1) ensuring that all
purchases made by the cardholders within his or her cognizance are
appropriate and that the charges are accurate and (2) the timely
certification of the monthly summary statement for payment by the Defense
Finance and Accounting Service (DFAS). The Instruction further states that
within 5 days of receipt, the approving official must review and certify for
payment the monthly billing statement, which is a summary invoice of all
transactions of the cardholders under the approving official's purview. The
approving official is to presume that all transactions on the monthly
statements are proper unless notified in writing by the purchase card
holder. However, the

Appendix I Background

presumption does not relieve the approving official from reviewing for
blatantly improper purchase card transactions and taking the appropriate
action prior to certifying the invoice for payment. In addition, the
approving official is to forward disputed charge forms to the unit's
comptroller's office for submission to Citibank for credit. Under the Navy's
contract, Citibank allows the Navy up to 60 days after the statement date to
dispute invalid transactions and request a credit.

In our November 30, 2001, report21 we recommended that the Navy modify its
payment certification policy to require (1) cardholders to notify approving
officials prior to payment that purchase card statements have been
reconciled to supporting documentation, (2) approving officials to certify
monthly statements only after reviewing them for potentially fraudulent
improper and abusive transactions, and (3) approving officials to verify, on
a sample basis, supporting documentation for various cardholder transactions
prior to certifying monthly statements for payment. DOD concurred with this
recommendation and stated the Navy would modify its payment certification
procedures; however, as of February 26, 2002, Navy had not yet issued those
changes to its procedures.

Upon receipt of the certified monthly purchase card summary statement, a
DFAS vendor payment clerk is to (1) review the statement and supporting
documents to confirm that the prompt-payment certification form has been
properly completed and (2) subject it to automated and manual validations.
DFAS effectively serves as a payment processing service and relies on the
approving-official certification of the monthly payment as support to make
the payment. The DFAS vendor payment system then batches all of the
certified purchase card payments for that day and generates a tape for a
single payment to Citibank by electronic funds transfer. Figure 1
illustrates the current design of the purchase card payment process for
SPAWAR Systems Center and NPWC.

21GAO-02-32.

                           Appendix I Background

    Figure 1: SPAWAR and Navy Public Works Center Purchase Card Process

Appendix II

Scope and Methodology

We reviewed purchase card controls for two Navy units based in San Diego,
SPAWAR Systems Center and NPWC, and assessed changes that these two units
made to their control environment since we notified the units of the
problems with their respective purchase card programs in early June 2001. In
addition we followed up on the status of fraud cases that we reported on in
July 2001, and any other fraud cases we identified as part of this follow-up
audit. Specifically, our assessment of SPAWAR Systems Center and the NPWC
purchase card controls covered

* the overall management control environment, including (1) span of control
issues related to the number of cardholders, (2) training for cardholders
and accountable officers,22 (3) monitoring and audit of purchase card
activity, and (4) management's attitude in establishing the needed controls,
or "tone at the top;"

* tests of statistical samples of key controls over fourth quarter fiscal
year 2001 purchase card transactions, including (1) documentation of
independent confirmation that items or services paid for with the purchase
card were received and (2) proper certification of the monthly purchase card
statement for payment;

* to the extent feasible, substantive tests of accountable items in our
sample transactions to verify whether they were recorded in property records
and whether they could be found;

* data mining of the universe of fiscal year 2001 transactions to identify
any potentially fraudulent, improper, and abusive or questionable
transactions;23

* analysis and audit work related to invoices and other information obtained
from three vendors-Cabela's, REI, and Franklin Covey-from which, based on
interviews with cardholders and our review of other

22We also tested statistical samples of transactions to determine whether
the two units had documented evidence that cardholders had received required
purchase card training.

23We considered potentially fraudulent purchases to include those made by
cardholders that were unauthorized and intended for personal use. The
transactions we determined to be improper are those purchases intended for
government use, but are not for a purpose that is permitted by law,
regulation, or DOD policy. We also identified as improper numerous purchases
made on the same day from the same vendor that appeared to circumvent
cardholder single transaction limits. Many of the purchases we found to be
abusive or questionable fall into categories described in GAO's Guide for
Evaluating and Testing Controls Over Sensitive Payments (GAO/AFMD-8.1.2, May
1993). The guide states that "Abuse is distinct from illegal acts
(noncompliance). When abuse occurs, no law or regulation is violated.
Rather, abuse occurs when the conduct of a government organization, program,
activity, or function falls short of societal expectations of prudent
behavior."

                     Appendix II Scope and Methodology

     transactions, we had reason to believe that SPAWAR Systems Center

    had made significant improper and abusive or questionable purchases

during fiscal year 2001; and * analysis of the universe of fourth-quarter
fiscal year 2001 purchase card transactions to identify purchases that were
split into one or more transactions to avoid micropurchase thresholds or
other spending limits.

In addition, our Office of Special Investigations worked with DOD's criminal
investigative agencies, Citibank, and credit card industry representatives
to identify known and potentially fraudulent purchase card scams. Our Office
of Special Investigations also investigated potentially fraudulent or
abusive purchase card transactions that we identified while analyzing SPAWAR
Systems Center and NPWC fiscal year 2001 purchase card transactions.

We used as our primary criteria applicable laws and regulations; our
Standards for Internal Control in the Federal Government;24 and our Guide
for Evaluating and Testing Controls Over Sensitive Payments.25 To assess the
management control environment, we applied the fundamental concepts and
standards in the GAO internal control standards to the practices followed by
management in the four areas reviewed.

Statistical Sample of Internal Control Procedures

To test controls, we used a two-step sampling process for purchase card
transactions that were recorded by Navy during the fourth quarter of fiscal
year 2001. At SPAWAR Systems Center, we selected stratified random
probability samples of 50 purchase card transactions from a population of
7,267 transactions totaling $5,919,635. Because the majority of SPAWAR
Systems Center transactions failed the control test we did not have to
expand our sampling size. At NPWC, we initially selected a sample of 50
purchase card transactions from a population of 11,021 transactions

24Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1) was prepared to fulfill our statutory requirement under
the Federal Managers' Financial Integrity Act to issue standards that
provide the overall framework for establishing and maintaining internal
control and for identifying and addressing major performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement.

25Guide for Evaluating and Testing Controls Over Sensitive Payments
(GAO/AFMD-8.1.2) provides a framework for evaluating and testing the
effectiveness of internal controls that have been established in various
sensitive payment areas.

                     Appendix II Scope and Methodology

totaling $6,030,501. In light of NPWC's improvements in the area of
documenting independent receipt and acceptance, we increased our sample size
of NPWC transactions to 94 to generate a more accurate assessment of the
control failure rate at NPWC.

We stratified the each of the samples into two groups-transactions from
vendors likely to represent purchases of computer equipment and other
vendors. With this statistically valid probability sample, each transaction
in the population had a nonzero probability of being included, and that
probability could be computed for any transaction. Each sample element was
subsequently weighted in the analysis to account statistically for all the
transactions in the population, including those that were not selected.
Table 10 presents our test results on three key transaction-level controls
and shows the confidence intervals for the estimates for the universes of
fiscal year 2000 purchase card transactions made by SPAWAR Systems Center
and NPWC.

Table 9: Estimate of Fiscal Year 2001 Transactions That Failed Control
Testsa

Breakdowns in key purchase card controls

Independent, Proper certification of documented receipt of purchase card
statements items purchased for payment

aThe projections
represent point
estimates for
the population
based on our
sampling tests
at a 95-percent confidence level.

bFor the last quarter of fiscal year 2001, SPAWAR Systems Center continued
to have only one certifying officer for almost 1,000 cardholders. This
unacceptable span of control led us to conclude that all transactions
selected as part of our statistical sample were not properly reviewed and
approved by a certifying officer.

cOur statistical testing identified one transaction that was reconciled by
the cardholder and approving official prior to payment. The projected error
rate was 99.9 percent, which we rounded to 100 percent.

Data Mining In addition to selecting statistical samples of SPAWAR Systems
Center and NPWC transactions to test specific internal controls, we also
made nonrepresentative selections of SPAWAR Systems Center and NPWC
transactions based on data mining of fiscal year 2001 transactions. The

Appendix II Scope and Methodology

purpose of the data mining procedures was twofold. Specifically, we
conducted separate analysis of acquisitions that were (1) potentially
fraudulent, improper, and abusive or otherwise questionable and (2) split
into multiple transactions to circumvent either the micropurchase or
cardholder transaction thresholds.

Our data mining for potentially fraudulent, improper, and abusive or
questionable transactions was limited to cardholders who worked in San Diego
and covered 36,216 fiscal year 2001 transactions totaling about $26.1
million at SPAWAR Systems Center, and 46,709 fiscal year transactions
totaling about $23.9 million at the NPWC. For this review, we scanned the
two units' San Diego-based activities for transactions with vendors that are
likely to sell goods or services (1) on NAVSUP's list of prohibited items,
(2) that are personal items, and (3) that are otherwise questionable. Our
expectation was that transactions with certain vendors had a more likely
chance of being fraudulent, improper, abusive, or questionable. Because of
the large number of transactions that met these criteria we did not look at
all potential abuses of the purchase card. Rather, we made nonrepresentative
selections of transactions based on transactions with the vendors who fit
these criteria. For example, we reviewed, and in some cases made inquires,
concerning 162 transactions and other related transactions on the same
monthly purchase card statement with vendors that sold such items as
sporting goods, groceries, luggage, flowers, and clothing. While we
identified some improper and potentially fraudulent and abusive
transactions, our work was not designed to identify, and we cannot
determine, the extent of fraudulent, improper, and abusive or questionable
transactions.

Our data mining also included nonrepresentative selections of acquisitions
that SPAWAR Systems Center and NPWC entered into during the period June 22,
2001, through September 21, 2001, that were potentially split into multiple
transactions to circumvent either the micropurchase competition requirements
or cardholder single transaction thresholds. We limited our data mining to
this period because senior SPAWAR Systems Center and NPWC officials
acknowledged to us in early June 2001 that cardholders had made split
transactions and that they would attempt to correct the problem. Therefore,
to allow the two units an opportunity to resolve this issue, we limited our
review to transactions that occurred subsequent to SPAWAR Systems Center and
NPWC's acknowledging a problem with splitting purchases.

Appendix II Scope and Methodology

We briefed DOD managers, including officials in DOD's Purchase Card Joint
Program Management Office, and Navy managers, including NAVSUP, SPAWAR
Systems Center, and NPWC officials, on the details of our review, including
our objectives, scope, and methodology and our findings and conclusions.
Where appropriate, we incorporated their comments into this testimony. We
conducted our audit work from November 2001 through February 2002 in
accordance with U.S. generally accepted government auditing standards, and
we performed our investigative work in accordance with standards prescribed
by the President's Council on Integrity and Efficiency.

GAO's Mission The General Accounting Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of
the federal government for the American people. GAO examines the use of
public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to good
government is reflected in its core values of accountability, integrity, and
reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents is through the
Internet. GAO's Web site (www.gao.gov) contains abstracts and full-text
files of current reports and testimony and an expanding archive of older
products. The Web site features a search engine to help you locate documents
using key words and phrases. You can print these documents in their
entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its Web
site daily. The list contains links to the full-text document files. To have
GAO E-mail this list to you every afternoon, go to www.gao.gov and select
"Subscribe to daily e-mail alert for newly released products" under the GAO
Reports heading.

To Report Fraud, Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm,Waste, and Abuse in E-mail:
[email protected], orFederal Programs 1-800-424-5454 or (202) 512-7470
(automated answering system).

Public Affairs Jeff Nelligan, Managing Director, [email protected] (202)
512-4800 U.S. General Accounting Office, 441 G. Street NW, Room 7149,
Washington, D.C. 20548
*** End of document. ***