Audit Guide: Auditing and Investigating the Internal Control of  
Government Purchase Card Programs (01-MAY-03, GAO-03-678G).	 
                                                                 
The federal government of the United States--the largest and most
complex organization in the world--expended approximately $15	 
billion through federal organizations' purchase card programs in 
fiscal year 2002. As the steward of taxpayer dollars, federal	 
agencies are accountable for how purchase cards are used and how 
the funds are spent. To that end, federal agencies are		 
responsible for establishing and maintaining internal control to 
provide reasonable assurance that (1) the goals and objectives of
the purchase card program are met and (2) safeguards against	 
fraudulent, improper, and abusive purchases are adequate. Recent 
congressional testimony and Inspector General and GAO reports	 
show that some federal agencies do not have adequate internal	 
control over their purchase card programs. Without effective	 
internal control, management has little assurance that		 
fraudulent, improper, and abusive purchases are being prevented  
or, if occurring, are being promptly detected with appropriate	 
corrective actions taken. A key element of internal control is	 
monitoring that assesses the quality of performance over time and
ensures that the findings of audits and other reviews are	 
promptly resolved. Monitoring provides for regular management and
supervisory activities, as well as evaluations by inspector	 
generals or external auditors.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-03-678G					        
    ACCNO:   A06982						        
  TITLE:     Audit Guide: Auditing and Investigating the Internal     
Control of Government Purchase Card Programs			 
     DATE:   05/01/2003 
  SUBJECT:   Accountability					 
	     Audit oversight					 
	     Credit sales					 
	     Federal agencies					 
	     Internal controls					 
	     Fraud						 
	     Credit						 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-03-678G

GAO United States General Accounting Office

Exposure Draft

May 2003 AUDIT GUIDE Auditing and Investigating the Internal Control of
Government Purchase Card Programs

Page 1 GAO-03-678G Purchase Card Audit Guide Exposure Draft

Preface

The federal government of the United States--the largest and most complex
organization in the world--expended approximately $15 billion through
federal organizations' [1] purchase card programs [2] in fiscal year 2002.
As the steward of taxpayer dollars, federal agencies are accountable for how
purchase cards are used and how the funds are spent. To that end, federal
agencies are responsible for establishing and maintaining internal control
to provide reasonable assurance that (1) the goals and objectives of the
purchase card program are met and (2) safeguards against fraudulent,
improper, and abusive purchases are adequate.

Recent congressional testimony and Inspector General and GAO reports show
that some federal agencies do not have adequate internal control over
their purchase card programs. Without effective internal control,
management has little assurance that fraudulent, improper, and abusive
purchases are being prevented or, if occurring, are being promptly
detected with appropriate corrective actions taken. A key element of
internal control is monitoring that assesses the quality of performance
over time and ensures that the findings of audits and other reviews are
promptly resolved. Monitoring provides for regular management and
supervisory activities, as well as evaluations by inspector generals or
external auditors.

This guide focuses on audits of internal control activities--designed
primarily to prevent or detect significant fraudulent, improper, and
abusive purchases--in a government purchase card program. It is intended
to provide practical guidance for consideration by internal and external
auditors, investigators, and program management oversight personnel in
assessing the adequacy and performance of those control activities, and
identifying areas of internal control for potential improvement. This
guide is based primarily on GAO's experiences in auditing and
investigating internal control over federal government purchase card
programs at the Departments of Defense, Education, Housing and Urban
Development, and other federal agencies. This guide was prepared at the
request of former Chairman Stephen Horn, Subcommittee on Government
Efficiency, Financial Management and Intergovernmental Relations, House
Committee on Government Reform. This is one of a series of projects we
have undertaken for the Subcommittee concerning weaknesses in internal
control over government purchase and travel card programs.

[1] The term "organization", as used throughout this guide, refers to a
government, its divisions, or subdivisions (e.g., department, agency,
activity, unit).

[2] The term "program", as used throughout this guide, refers to a
government purchase card program at the organization level.

We invite you to review and comment on the audit approach and
methodologies contained in this guide. This draft document will be
available for comment for 60 days, until August 1, 2003. Please address
any questions or comments to me at (202) 512-2600, steinhoffj@gao.gov,
or Stephen W. Lipscomb at (303) 572-7328, lipscombs@gao.gov, or

Stephen W. Lipscomb
U.S. General Accounting Office
1244 Speer Blvd. Suite 800
Denver, CO 80204

This guide was prepared under the direction of Gregory Kutz, Director,
Financial Management and Assurance. Other GAO contacts and key
contributors are listed in appendix VII.

Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance

TABLE OF CONTENTS

Preface

Section 1: Introduction
  OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY
  GOVERNMENT PURCHASE CARD PROGRAMS
  GAO'S APPROACH TO AUDITING PURCHASE CARD PROGRAMS
  THE APPLICABILITY OF AUDITING STANDARDS

Section 2: Understanding the Purchase Card Program
  THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES
    Potentially Fraudulent, Improper or Abusive
    Indications and Categories of Fraud
  RELEVANT LAWS AND REGULATIONS
    Establishment and Operation of the Purchase Card Program
    Procurement Methods and Standards
    Purposes for which an Organization's Appropriations May Be Used
  THE ORGANIZATION'S OPERATIONS AND PROGRAMS
    Understanding the Organization's Operations
    Understanding the Organization's Purchase Card Program
    Understanding the Bank Service Provider's Program
  INTERNAL CONTROL AND THE CONTROL ENVIRONMENT
    The Standards of Internal Control
    Testing Key Elements of the Control Environment

Section 3: Making, Documenting, and Using the Preliminary Assessment
  ASSESSING THE ADEQUACY OF THE DESIGN OF CONTROL ACTIVITIES
  USING THE PRELIMINARY ASSESSMENT

Section 4: Testing the Effectiveness of Key Control Activities
  OBTAINING TRANSACTION DATA
    Coordinating with the Bank Service Provider
  SELECTING PURCHASE CARD TRANSACTIONS
    Considerations in Designing a Statistical Sample
    The Sampling Plan
    Extracting Selected Transaction Data Elements
    Reporting Sample Results
    Analysis of Results from Statistical Samples
  OBTAINING DOCUMENTATION EVIDENCING PERFORMANCE OF CONTROL ACTIVITIES
    Obtaining Documentation from the Organization
    Evidence of Performance
  TESTING CONTROL ACTIVITIES
    Transaction Control Activities

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases
  DATA MINING FOR DETECTION, ILLUSTRATION, AND DISCLOSURE
  FOLLOW-UP AND INVESTIGATION
    Follow-up
    Referral for Investigation

Appendixes
  APPENDIX I -- SELECTED RELEVANT GAO REPORTS AND TESTIMONIES
  APPENDIX II -- SELECTED RELEVANT LAWS AND REGULATIONS
  APPENDIX III -- EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE
    (REQUEST THROUGH PAYMENT)
  APPENDIX IV -- EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART
  APPENDIX V -- EXAMPLE AUDIT PROGRAM
  APPENDIX VI -- GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE
    CARD FRAUD
  APPENDIX VII -- GAO CONTACT AND STAFF ACKNOWLEDGMENTS

Section 1: Introduction

Federal government purchase card programs, which have been in existence
governmentwide since 1989, were established to streamline federal agency
acquisition processes by providing a low-cost, efficient vehicle for
obtaining goods and services directly from vendors. As shown by the chart,
purchase card programs have experienced dramatic growth and accounted for
$15.2 billion in government expenditures in fiscal year 2002.

With the establishment in 1998 of the General Services Administration's
(GSA) SmartPay(R) program, federal agencies had a new way to pay for
commercial goods and services. GSA negotiated charge card service provider
contracts with five commercial banks: Citibank, First National Bank of
Chicago, Mellon Bank, NationsBank, and U.S. Bank. Federal government
departments and agencies were to choose the service provider with
capabilities meeting agency requirements.

Purchase card programs are widespread throughout the federal government
and range in size from the Department of Defense (DOD) with 214,000
cardholders and $6.8 billion of fiscal year 2002 purchases, to the U.S.
Tax Court with 1 cardholder and $102,000 of fiscal year 2002 purchases.
However, the design and implementation of internal control did not keep up
with the growth in the programs audited by GAO (see app. I -- Selected
Relevant GAO Reports and Testimonies). With the increase in purchase card
use came increases in risk, revelations of significant weaknesses in
internal control, and resulting fraudulent, improper, and abusive or
questionable purchases.

OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY

The primary objective of this guide is to provide practical guidance for
consideration in performance audits and investigations of government
purchase card programs. The guide provides auditors and fraud
investigators with a basis for understanding the operations, risks, and
internal control of a government purchase card program, which in turn
provides a basis for conducting investigations of fraud in a government
purchase card program. Although this guide is primarily an audit and
investigative guide, it can also be applied by program management
oversight personnel in assessing the adequacy of policies, procedures, and
internal controls, and conducting ongoing monitoring of adherence to
internal control activities. In that context, the use of the term
"auditor" throughout this guide is intended to include program management
oversight personnel as well as internal and external auditors. While this
guide is based on approaches and methodologies developed in audits of
federal purchase card programs, the basic concepts and criteria may also
be applicable to state and local government purchase card programs. This
guide:

focuses on auditing the internal control policies, procedures, and
activities designed primarily to prevent or detect fraudulent, improper,
and abusive purchase card transactions in a government purchase card
program;

seeks to foster critical, creative thinking by auditors, investigators,
and management personnel responsible for identifying risks and
opportunities open to those who would misuse the purchase card;

provides practical guidance in identifying potentially fraudulent,
improper, and abusive purchase card transactions, and in conducting the
appropriate follow-up and investigation; and

illustrates the beneficial effect of involving fraud investigators in the
planning and execution of audit procedures.

The guide is intended to supplement existing guidance [3] for review and
oversight of federal government purchase card programs. Different parties
may accomplish audits of purchase card programs for different purposes.
Law, regulation, or third party request may direct external and internal
auditors to accomplish a performance or other audit in accordance with
generally accepted government auditing standards (GAGAS). [4] The guide is
not intended to and does not provide guidance sufficient to address all
potential purchase card program performance audit objectives (e.g.,
economy and efficiency, compliance with legal or other requirements). The
guide is also not intended to comprehensively address all five of the
standards of internal control [5] (e.g., management's risk assessment,
information and communication). In addition, the guide is not intended to
and does not provide guidance sufficient to develop investigative cases
that establish evidence to prove specific allegations of criminal
wrongdoing.

[3] President's Council on Integrity and Efficiency, A Practical Guide for
Reviewing Government Purchase Card Programs (Washington, D.C.: June 2002),
and U.S. General Services Administration, GSA SmartPay(R), Blueprint
for Success: Purchase Card Oversight (Arlington, Va., April 2002).

[4] U.S. General Accounting Office, Government Auditing Standards -- 2002
Revision - Exposure Draft, GAO-02-340G (Washington, D.C.: January 2002).

[5] U.S. General Accounting Office, Standards for Internal Control
in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.:
November 1999), p. 7.

GOVERNMENT PURCHASE CARD PROGRAMS

The operations and controls of government purchase card programs can vary
among organizations. However, the U.S. Department of the Treasury's
Financial Manual [6] prescribes procedures (illustrated in fig. 1),
including program controls and invoice payment, that apply to all
departments and agencies that use the government purchase card.
Additionally, the Federal Acquisition Regulation (FAR), which prescribes
governmentwide policies and procedures for acquisition by all executive
agencies, provides that agencies are to establish procedures for use and
control of the card that comply with the Treasury Financial Manual. [7]
The manual further states that, with some exceptions, small purchases of
up to $25,000 [8] should be made using the government purchase card, and
establishes key control activities, personnel, and their roles, including
the following.

A written delegation of authority is to be issued by responsible agency
personnel that establishes authorized cardholder(s) [9] and specifies
spending and usage limitations unique to that cardholder.

The cardholder is the government employee to whom a government purchase
card, bearing the employee's name, is issued. The card can be used only by
that employee for official purchases, in adherence with agency
regulations.

The cardholder statement listing all transactions during the billing
period is sent to each cardholder.

The approving official (AO) reviews cardholder statement(s), is
responsible for authorizing cardholder purchases (for official use only),
and ensures that statement(s) are reconciled and submitted to the
designated billing office in a timely manner.

A designated billing office receives the official invoice--a designated
billing office report listing all cardholder charges for the area the
office serves--and ensures its payment in accordance with Prompt Payment
Act deadlines.

The manual requires each agency to develop its own internal procedures for
using the purchase card, and establishes processing and internal controls
that must be in place prior to using the government purchase card,
including the following.

Designate an office (usually the procurement office) to manage the
program, and assure that (1) training required for all cardholders,
approving officials, and other employees involved in the program is
provided, (2) a current list of cardholders and approving officials is
maintained, and (3) an annual oversight review of the program is
conducted. (This position is generally referred to as the Agency Program
Coordinator (APC) in DOD purchase card programs.)

Establish procedures for (1) the timely submission of cardholder
statements to the agency designated billing office, (2) maintaining
security of the cards, (3) handling disputes and returned, refused,
damaged, or unacceptable items and partial deliveries, and (4) purchase
card renewal.

The manual also provides that invoices, payments, access and review of
account and master file data, and reports may be accomplished
electronically, and that electronic funds transfer (EFT) should be adopted
as the standard method of payment for all federal program payments
originated by agencies or their agents.

[6] Treasury Financial Manual, Volume 1 - Part 4 - Chapter 4500, GOVERNMENT
PURCHASE CARDS, http://www.fms.treas.gov/tfm/vol1/v1p4c450.txt.

[7] 48 C.F.R. § 13.301(b) (2002).

[8] See the Relevant Laws and Regulations section of this guide for further
information on the FAR provisions applicable to specific purchase amounts.

[9] The FAR allows personnel other than warranted contracting officers to
use the purchase card. 48 C.F.R. §§ 1.603-3(b) and 13.301(a) (2002).

GAO'S APPROACH TO AUDITING PURCHASE CARD PROGRAMS

The approach presented in this guide is based on GAO's experience in
auditing internal control over government purchase card programs at the
Departments of Defense, Education, Housing and Urban Development, and
other federal agencies (see app. I -- Selected Relevant GAO Reports and
Testimonies). In general, GAO's approach is to: (1) gain a thorough
understanding of the organization's operations and purchase card program,
and relevant system of internal control, (2) based on that understanding,
and any needed additional review and analysis, make a preliminary
assessment of the adequacy of the design of the system of internal
control, (3) test the effectiveness of internal control using statistical
sampling, and (4) use data mining to detect instances of potentially
fraudulent, improper, and abusive transactions to illustrate the effects
of breakdowns in internal control.

GAO's approach includes involving fraud investigators throughout the
audit. An experienced fraud investigator will bring valuable perspectives
and insight to the process of identifying opportunities for fraud in the
program's operations and in evaluating the effectiveness of control
activities. They can also bring new and creative thinking to identifying
the opportunities for circumvention of the existing controls. Fraud
investigators should be involved in the preliminary assessment process,
designing tests of controls, identifying criteria and relationships for
data mining, and in follow-up of potentially fraudulent transactions.
Program policy and procedure documents obtained and understandings gained
of the purchase card program and related internal controls should be made
available to the fraud investigator.

THE APPLICABILITY OF AUDITING STANDARDS

Auditors performing an audit in accordance with GAGAS standards for
performance audits are required to adhere to the general and fieldwork
standards. These standards can be found on GAO's website. [10] The
following three general standards are key to providing assurance that
integrity, objectivity, and independence are adequate in planning,
conducting, and reporting results of audits.

Independence -- Audit organizations and individual auditors, whether
government or public, are required to be free both in fact and appearance
from personal, external, and organizational impairments to independence,
in all matters relating to the audit work.

Professional judgment -- Auditors complying with GAGAS are required to use
professional judgment in planning and performing audits and in reporting
the results.

Competence -- Audit staff are required to collectively possess adequate
professional competence for the tasks required.

We encourage all users of this guide, including internal auditors and
program management oversight personnel, to (1) become familiar with these
standards and the basic concepts embodied in them, (2) consider their
relative applicability to the circumstances, and (3) apply them as
appropriate when using this guide.

[10] .

Section 2: Understanding the Purchase Card Program

Evaluating the adequacy of internal control designed to mitigate the risk
of fraudulent, improper, and abusive transactions, requires the auditor to
gain an in-depth understanding of (1) the risk of fraud, (2) the relevant
laws and regulations, and (3) the specific organization's mission activity
operations, and its purchase card program operations (from purchase
request to payment). This in-depth understanding is necessary so that an
auditor can make a preliminary judgment about the adequacy of design of an
organization's control activities.

THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES

The potential for fraudulent, improper, and abusive purchases in a
purchase card program should be viewed by management as a risk of
significant financial loss, possibly resulting in operational inefficiency
and impairment of mission readiness. This is particularly true in the
government environment where taxpayer dollars are at risk. Fraudulent,
improper, and abusive purchases often result directly from a lack of
adherence to policies, procedures, and control activities. This lack of
adherence can result in misuse of the card. As program personnel
predisposed to misuse the card become aware of such weaknesses, the door
opens wider for fraudulent, improper, and abusive purchases.

Repeated nonadherence to established internal control policies and
procedures, such as inadequate documentation of purchase card transactions
or supervisory reviews, in and of themselves may not constitute a
violation of law or regulation. However if allowed to continue, they will
contribute to an erosion and weakening of the control system. Prompt
administrative and disciplinary actions (e.g., informal admonishment,
formal reprimand, additional required training, suspension of card
privileges, cancellation of the cardholder's account, termination of
employment) can be effective in reducing persistent lack of adherence to
policies and procedures by cardholders and other program personnel. When
administrative corrective actions are taken and documented, program
management, oversight personnel, and auditors will be able to identify
repeat offenders and determine that appropriate steps are being taken to
address potentially significant problems before they escalate.

One organization's actions included recommending remedial training and
suspension of repeat offenders' purchase card accounts for lack of
adherence to internal control policies and procedures.

Potentially Fraudulent, Improper or Abusive

Our audits of purchase card programs detected transactions which were not
in accordance with laws and regulations, or were not an appropriate or
legitimate use of government funds. We used four terms to characterize
such purchases: potentially fraudulent, improper, abusive, and
questionable purchases. The following are explanations of these terms as
used in this guide.

Fraudulent purchases -- Use of the government purchase card to acquire
goods or services that are unauthorized and intended for personal use or
gain constitute a fraud against the government. A cardholder's
unauthorized purchase of power tools for his home, a vendor's intentional
charges for services not provided, and the unauthorized use by a third
party of a cardholder's compromised or stolen account for personal gain
are examples of fraudulent purchase card transactions. In GAO reports,
these and similar purchase card transactions are generally referred to as
"potentially fraudulent" unless there has already been a fraud conviction
in a court of law.

A cardholder made 62 unauthorized transactions totaling $12,832 to pay for
repairs to a car and buy groceries, clothing, and various other items for
personal use.

Improper purchases -- Government purchase card transactions that are
intended for government use, but are not permitted by law, regulation, or
organization policy generally are considered improper. Examples include
certain types of purchases of meals or refreshments for government
employees within their normal duty stations, [11] purchases split to
circumvent micropurchase or other single purchase limits, and purchases
from other than statutorily designated sources, such as the
Javits-Wagner-O'Day program (JWOD). [12]

Abusive purchases -- Purchases of authorized goods or services, at
terms (e.g., price, quantity) that are excessive, or are for a
questionable government need, or both, are considered abusive. Examples of
such transactions include purchases of items such as $300 day planners,
$350 bedside radios, and allowable refreshments at excessive cost,
purchases of designer leather goods, and year-end and other bulk purchases
of computer and electronic equipment for a questionable government need.

Day planners costing $3,100 were purchased from Franklin Covey. One item
cost $199 and another $250. In contrast, cardholders could have purchased
day planners from JWOD for about $40.

A cardholder purchased Bose bedside clock radios costing $349 each, when
other models costing about $15 were available.

Indications and Categories of Fraud

Figure 2 shows key signs, signals, and patterns that are indicative of the
potential for fraud in a government purchase card program.

Figure 2: Signs, signals, and patterns indicative of the potential for
fraud

  Weak management
  Weak internal controls
  History of impropriety
  Failure to follow legal or technical advice
  Promise of gain with little likelihood of being caught
  Unexplained decisions and/or transactions
  Unethical leadership
  Missing or altered documents

Source: International Journal of Government Auditing.

GAO audits of government purchase card programs have reported
fraudulent and potentially fraudulent purchases by cardholders, vendors,
and third parties using compromised accounts falling into the following
broad categories of fraud.

Theft involves property, facilities, and services. An authorized or
unauthorized cardholder purchase of goods or services intended for
personal use or gain is theft. Theft can also occur when an unauthorized
user compromises a cardholder's account by gaining knowledge of and using
the purchase card account number.

An inmate at a local county jail made three purchase card transactions at
local florist shops on a government purchase card that had either been
lost or stolen.

[11] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).

[12] JWOD establishes mandatory sources of supply for all federal entities,
requiring federal agencies to purchase supplies and services furnished by
nonprofit agencies--such as the National Industries for the Blind and the
National Industries of the Severely Handicapped (NIB/NISH).

Page 14 GAO- 03- 678G Purchase Card Audit Guide Exposure Draft

Fictitious transactions can involve a single party (e. g., a cardholder
supports the acquisition of goods or services for personal use with false
documentation, or a vendor bills the government for goods or services
never delivered). In addition, fictitious transactions can include
collusion (e. g., a cardholder knowingly approves documentation supporting
a vendor*s invoice for goods or services never provided, and the two share
in the amount paid by the government). Although

collusion can circumvent what otherwise might be effective internal
control activities, a robust system of guidance, internal control
activities, and oversight can provide reasonable assurance of preventing
or quickly detecting fraud.

Kickbacks may be offered by a vendor or solicited by a contractor or
government buyer. Kickbacks in a government purchase card program can
include collusion between a cardholder and a vendor. The

cardholder makes authorized purchases from the vendor, who charges the
government an excessive price and *kicks back* a percentage of the amounts
received to the cardholder. Conflict of interest is present when a
government official participates

in approving or deciding a matter in which the official or a relative has
a financial interest. The potential for a conflict of interest in a
purchase card transaction exists whenever a cardholder or a relative has a
significant financial interest in a vendor or contractor. Purchases of
goods or services from that vendor or contractor would be suspect and, if
not prohibited by the organization, should require special review and
approval prior to and subsequent to the purchase.

The auditor should be aware of the potential for the previous categories
of fraud in the day-to-day operational risk of the organization.
Fraudulent, improper, and abusive purchases generally involve individual
cardholders, supervisors, approving officials, and vendors, and
occasionally collusion between them. Another source of fraudulent
purchases of significant concern occurs when an account is compromised
(e.g., someone other than authorized program personnel gains knowledge of
account numbers). In any event, a strong system of controls should guard
against significant loss to the government for all such potentially
fraudulent, improper, and abusive purchases. Any potentially fraudulent
transaction detected should be considered for follow-up, as discussed in
the Follow-up and Investigation section of this guide.

To better understand the risk of fraud within a specific organization's
purchase card program, auditors and investigators should identify and
study known cases of such fraud. Summary memoranda prepared by fraud
investigators detailing the nature and extent of the suspected fraud, the
investigative process, the conclusions reached, and the actions taken can
provide valuable additional insight.

A maintenance supervisor allegedly made $52,000 in fraudulent transactions
to a suspect contractor for work that was not performed.

Two purchase cardholders conspiring with at least seven vendors received
kickbacks on purchases with inflated prices and/or quantities. Criminal
investigation resulted in confinement or restriction, a bad conduct
discharge, and a reduction in rank.

A cardholder and his supervisor conspired to make nearly $400,000 in
fraudulent purchases from companies owned by the supervisor, his sister,
friends, and acquaintances.

RELEVANT LAWS AND REGULATIONS

A federal organization's purchase card program must comply with the laws,
regulations, contracts, and governmentwide and organization policies and
procedures that (1) govern the establishment and operation of the purchase
card program, (2) prescribe procurement methods and standards, and (3)
pertain to the purposes for which an organization's appropriations and
other sources of funds may be used. When evaluating the merits of
individual purchases, all three areas should be considered (see app. II --
Selected Relevant Laws and Regulations).

Establishment and Operation of the Purchase Card Program

Federal organization purchase card programs operate under a governmentwide
GSA contract, the GSA SmartPay(R) Master Contract. Organization purchase
card programs must comply with the terms of the contract and the task
order under which the organization placed its order for purchase card
services. Organization purchase card programs must also comply with
Department of the Treasury regulations found in the Treasury Financial
Manual, Vol. I, Part 4-4500, "Government Purchase Cards." The Federal
Acquisition Regulation (FAR), 48 C.F.R. § 13.301(b) (2002), provides that
agencies are to establish procedures for use and control of the card that
comply with the Treasury Financial Manual and that are consistent with the
terms and conditions of the current GSA credit card contract. Individual
organizations may be subject to specific statutory criteria for the
management of purchase cards (e.g., Title 10 U.S.C. 2784, directing the
Secretary of Defense to prescribe regulations governing the use of
purchase cards). As such, each organization should have guidance
concerning the implementation, establishment, and operation of its
purchase card program.

Procurement Methods and Standards

Purchases made with the purchase card should be made in accordance with
generally applicable procurement laws, regulations, and organization
procurement policies and procedures. The FAR provides governmentwide
policies and procedures for acquisition by all executive agencies.
Agencies frequently issue supplemental acquisition regulations as well.

Contracting activities carried out by the federal government generally
must be conducted by warranted contracting officers; however, the purchase
card may also be used by other government personnel for purchases at or
below the micropurchase threshold. The FAR provides that such individuals
must be delegated the authority to do so in writing in accordance with
organization procedures. Regardless of the value of a purchase, the FAR
prohibits cardholders from splitting organization needs into smaller
purchases in order to circumvent applicable acquisition laws, regulations,
and policies. Organization policies can also prohibit cardholders from
splitting a purchase into smaller purchases in order to avoid individual
cardholder purchase limits.

One cardholder split about $17,000 of purchases of boots on 1 day into 8
transactions. Another cardholder split over $30,000 of purchases from an
electronic supply store on 1 day into 14 transactions.

Authorized personnel may use the purchase card for purchases at or below
the micropurchase threshold (currently $2,500, except that the limit is
$2,000 for certain construction costs). 13 Micropurchases are subject to
the requirements of FAR Subpart 8, which provides that certain products be
acquired from designated sources, including statutorily preferred vendors.
Micropurchases must also be made in accordance with various laws and
regulations concerning environmentally preferable products and services.
Cardholders may make micropurchases without soliciting competitive
quotations from vendors if they consider the price to be reasonable.
However, cardholders are required to distribute micropurchases equally
among qualified suppliers to the extent practicable.

13 48 C.F.R. §§ 2.101 and 13.201(g).

For purchases above the micropurchase threshold, warranted contracting
officers may use the purchase card to place and/or pay for orders against
already existing contracts. For these larger transactions, the card is
frequently referred to as a "payment card" because it pays for
acquisitions made under a legally executed contract.
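
The split-purchase prohibition described above lends itself to an analytical screen of the bank service provider's transaction file. The following Python is an added example, not part of the GAO guide: the record layout, the sample rows, the optional look-back window, and the per-cardholder limits are assumptions, while the $2,500 threshold is the one the guide states.

```python
"""Screen purchase card transactions for possible split purchases."""
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Micropurchase threshold as given in this guide ($2,500).
MICROPURCHASE_THRESHOLD = Decimal("2500.00")

# Constructed sample rows: (cardholder, vendor, transaction date, amount).
SAMPLE_TRANSACTIONS = [
    # Eight same-day purchases that together total $17,000.
    *[("CH-001", "Boot Supply Co", date(2002, 3, 4), Decimal(a))
      for a in ("2100.00", "2150.00", "2125.00", "2125.00",
                "2200.00", "2050.00", "2125.00", "2125.00")],
    # Two small purchases a week apart: not a split.
    ("CH-002", "Office Mart", date(2002, 3, 5), Decimal("1800.00")),
    ("CH-002", "Office Mart", date(2002, 3, 12), Decimal("450.00")),
    # Purchases on consecutive days: visible only with a 1-day window.
    ("CH-003", "Electro Parts", date(2002, 3, 6), Decimal("2400.00")),
    ("CH-003", "Electro Parts", date(2002, 3, 7), Decimal("2300.00")),
    # Same-day purchases whose total stays under the threshold.
    ("CH-004", "Paper Depot", date(2002, 3, 8), Decimal("300.00")),
    ("CH-004", "Paper Depot", date(2002, 3, 8), Decimal("200.00")),
    # Under the threshold, but over a lower cardholder limit if one applies.
    ("CH-005", "Tool Shed", date(2002, 3, 9), Decimal("900.00")),
    ("CH-005", "Tool Shed", date(2002, 3, 9), Decimal("800.00")),
]


def _clusters(rows, window_days):
    """Yield runs of (date, amount) rows whose date gaps are <= window_days."""
    rows = sorted(rows)
    cluster = [rows[0]]
    for row in rows[1:]:
        if (row[0] - cluster[-1][0]).days <= window_days:
            cluster.append(row)
        else:
            yield cluster
            cluster = [row]
    yield cluster


def find_split_candidates(transactions, default_limit=MICROPURCHASE_THRESHOLD,
                          cardholder_limits=None, window_days=0):
    """Return clusters of purchases by one cardholder from one vendor in which
    every transaction is within the limit but the combined total exceeds it.

    cardholder_limits maps a cardholder to a lower single-transaction limit
    (assumed input). window_days=0 compares same-day purchases only.
    Results are leads for follow-up, not findings of a violation.
    """
    cardholder_limits = cardholder_limits or {}
    by_pair = defaultdict(list)
    for cardholder, vendor, txn_date, amount in transactions:
        by_pair[(cardholder, vendor)].append((txn_date, amount))

    findings = []
    for (cardholder, vendor), rows in by_pair.items():
        limit = cardholder_limits.get(cardholder, default_limit)
        for cluster in _clusters(rows, window_days):
            amounts = [amount for _, amount in cluster]
            if len(amounts) < 2 or max(amounts) > limit:
                # A single purchase, or one already over the limit, is a
                # different exception from splitting.
                continue
            total = sum(amounts, Decimal("0"))
            if total > limit:
                findings.append({
                    "cardholder": cardholder,
                    "vendor": vendor,
                    "first_date": cluster[0][0],
                    "last_date": cluster[-1][0],
                    "count": len(amounts),
                    "total": total,
                    "limit": limit,
                })
    findings.sort(key=lambda f: f["total"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_split_candidates(SAMPLE_TRANSACTIONS, window_days=1):
        print(f["cardholder"], f["vendor"], f["count"], f["total"])
```

Each flagged cluster still needs the supporting documentation reviewed, since several same-day purchases from one vendor can be legitimate separate requirements.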

Purposes for which an Organization's Appropriations May Be Used

Individual purchases must be for a purpose allowable under an
organization's appropriations or other sources of funds (e.g.,
nonappropriated funds) and must not otherwise be prohibited by law.
Organizations may use appropriated funds only for legitimate or bona fide
needs that arise in or continue to exist in the fiscal year(s) for which
those funds are appropriated. Agencies are restricted to purchasing only
those items that will be used during such fiscal year(s) except when they
qualify under certain categories, such as to maintain inventories of
necessary items at reasonable levels. However, agencies generally may not
purchase items in excessive amounts at the end of a fiscal year in order
to solely avoid the expiration of funds.

Despite representations that hotels were authorized to bill only for
audiovisual equipment and conference room rental, detailed bills acquired
by GAO auditors showed that about $7,000 was inappropriately expended for
prohibited breakfasts, lunches, and snacks.

THE ORGANIZATION'S OPERATIONS AND PROGRAMS

Appropriately planning an audit and investigation of the internal control
over an organization's purchase card program requires a thorough
understanding of:

the organization's mission activities and operations,

its purchase card program operations and the end-to-end flow of
transactions through it from request to payment,

the system of internal control over the purchase card program, and

the environment in which the control activities operate.

Understanding the organization's operations and its specific purchase card
program is critical in developing audit objectives and the scope and
methodology for the work needed to achieve them. In addition, issues such
as program significance, visibility, age, sensitivity, and the potential
use of audit results should be considered in the audit planning process. 14
Gaining and documenting an understanding of the operations of a government
purchase card program can be accomplished in several ways, all of which
will require access to the appropriate personnel and relevant documents.
The first step should be to establish contact and coordinate that effort
with both the organization and the bank service provider.

14 GAO-02-340G, ¶ 7.8 - 7.10.

One manner of obtaining access to operations and program personnel is to
coordinate audit arrangements with the organization's management. Access
to the appropriate personnel and to written policies and procedures is
essential to understanding the organization's operations, the purchase
card program, and internal controls. In addition, documentation evidencing
adherence to internal control policies and procedures will be necessary
when testing for performance of control activities. Further, access to
program personnel will be necessary to clarify information received and/or
to follow up on potentially fraudulent, improper, and abusive purchases.

Understanding the Organization's Operations

Understanding the organization's mission and objectives, and how those
missions and objectives are accomplished, provides the auditor with
critical insight used in (1) developing audit objectives, (2) identifying
opportunities for purchase card fraud, (3) making preliminary assessments
of the adequacy of program controls, (4) designing tests of internal
control, and (5) identifying criteria for data mining. Understanding
gained of the organization's operation(s) might include:

the nature and size of overall operations;

what the individual activities involved in the purchase card program do,
and how they do it;

the general job descriptions, level of education, and number of personnel
in those activities; and

the volume and appropriate type(s) of purchase activity to expect.

An understanding of the organization's operations and activities can be
gained by interviews with operations personnel, and by reviewing existing
documents such as program descriptions, policies and procedures, and
operations manuals.

Understanding the Organization's Purchase Card Program

The initial understanding of the organizational level purchase card
program (from request to payment), and of the internal control at work
throughout that process, ideally would be obtained from existing documents
such as purchase card program descriptions, policies and procedures,
operational manuals, or instructions. Interviews with program personnel
can supplement existing documented evidence of program operations and
controls, or establish a starting point if such documentation is
insufficient or nonexistent. In either circumstance, correctly structured
interviews can be a valuable source of inquiry to understand and clarify
(1) the extent to which control activities are in place and operating,
(2) the environment in which those controls operate, (3) the overall
managerial organization and operations of the program, and (4) the flow of
purchase card transactions. A Practical Guide for Reviewing Government
Purchase Card Programs -- June 2002, by the President's Council on
Integrity and Efficiency, contains interview guides, which will be helpful
when conducting interviews for this purpose. In addition, conducting
walkthroughs of selected purchase card transactions is a key process in
(1) gaining a thorough understanding of the program's operations from
purchase request to payment of the bill, (2) identifying control points
through that process, and (3) observing the operation of control
activities and transaction flows.

GAGAS requires auditors to prepare documentation supporting significant
judgments and conclusions. The auditor should obtain or prepare narratives
and/or flowcharts that summarize and document their understanding of the
organization's purchase card program and the flow of typical purchase card
transactions. Understanding gained of how the purchase card program
operates, the flow of transactions from request to payment, and the key
controls over the entire end-to-end process form the basis for making
preliminary judgments about the adequacy of the design of control
activities and for designing tests of those controls. Narrative and
flowchart documentation also provides effective communication of the
processes and control points to other interested parties (e.g., audit
staff, program management, oversight personnel). Appendixes III and IV of
this guide provide example flowcharts of an organizational level structure
for a federal government purchase card program and the end-to-end flow,
and related narrative, of typical purchase card transactions through it.

Understanding the Bank Service Provider's Program

Coordinating the audit effort with the bank service provider might provide
the opportunity to gain an understanding of (1) the operation of the
provider's program, (2) the processes for purchase card authorization,
issuance, and credit limits, (3) the transaction processing, review,
authorization, and manual override (e.g., single transaction limits)
system, (4) the merchant category code (MCC) blocking features and any
manual override, and (5) the internal controls over these processes.
Additionally, as shown in figure 3, the GSA SmartPay(R) master contract
requires bank service providers to provide federal organizations with
various ad hoc, standard commercial, and other reports specific to the
purchase card program.

Conducting interviews with bank service provider personnel may provide the
necessary understanding of the provider's purchase card operations,
processes, and controls, as well as valuable insights and understanding in
using the various reports being produced.

INTERNAL CONTROL AND THE CONTROL ENVIRONMENT

Internal control is an integral component of an organization's purchase
card program that provides reasonable assurance that the objectives of
effective and efficient operations and compliance with applicable laws and
regulations are being achieved. The minimum level of quality acceptable
for internal control in a government purchase card program is defined by
the five standards for internal control included in Standards for Internal
Control in the Federal Government. 15 Those standards, and elements of the
control environment standard which are significant in a government
purchase card program, are discussed in this section of the guide.

15 GAO/AIMD-00-21.3.1.

Figure 3: Agency/organization reports required by GSA's SmartPay(R) master
contract to be provided by the bank service provider

General reporting requirements
Ad-hoc report generation capability
Standard commercial reports
Additional essential reports
The Official Invoice
Invoice Status Report
Transaction Dispute Report
Pre-Suspension/Pre-Cancellation Report
Suspension/Cancellation Report
Renewal Report
Delinquency Report
Detailed Electronic Transaction File
Reporting specific to the Purchase Card Program
Account Activity Report
Statistical Summary Report
Summary Quarterly Purchase Report
Other agency reports
Account Activity Report
Master File Report
Statistical Summary Report
Account Change Report
Exception Report
Current Accounts Report
1099 Report Information
1057 Report
Payment Performance and Refund Report
Write-Off Report
Summary Quarterly Merchant Report
Summary Quarterly Vendor Analysis Report
Summary Quarterly Vendor Ranking Report

Source: GSA's SmartPay(R) Master Contract, Section C.38 -- Agency
Reporting Requirements, and Section CC.12 -- Agency Reporting Requirements
For The Purchase Card Program.

The Standards of Internal Control

All of the following internal control standards are applicable to
achieving reasonable assurance that fraudulent, improper, and abusive
purchases do not have a significant adverse effect on the effectiveness or
efficiency of a government purchase card program.

The control environment -- A positive control environment--the foundation
for all other internal control standards--is established by management and
employees creating and maintaining an environment throughout the
organization that sets a positive and supportive attitude toward internal
control and conscientious management. Specific key elements affecting the
control environment of a purchase card program are discussed in more
detail later in this section of the guide.

Management's risk assessment -- Internal control should provide for an
assessment of the risks the organization faces from both external and
internal sources, and identify and deal with any special risks prompted by
changes in economic, industry, regulatory, and operating conditions.

Control activities -- Control activities are the policies, procedures,
techniques, and mechanisms that enforce management's directives and help
ensure that actions are taken to address risks. Control activities in a
government purchase card program include a wide range of diverse
activities such as approvals, authorizations, verifications,
reconciliations, reviews, and the creation and maintenance of related
records that provide evidence of execution of these activities. Specific
transaction-level control activities significant to a purchase card
program are discussed in more detail in the Transaction Control Activities
section of this guide.

Information and communications -- Information should be recorded and
communicated to government purchase card program managers and others
within the program who need it in a form and within a time frame that
enables them to carry out their internal control and other
responsibilities.

Monitoring -- Ongoing monitoring--regular management and supervisory
activities, comparisons, reconciliations, and other actions people take in
performing their duties--should be performed continually and be ingrained
in the course of normal operations of a government purchase card program
(e.g., review and analysis of bank service provider reports, periodic
reviews for adherence to program policies and procedures, review and
follow-up of audit findings).

Testing Key Elements of the Control Environment

Recent GAO purchase card audit reports have identified the following six
elements as significantly affecting the control environment surrounding a
purchase card program.

Management's philosophy (tone at the top),

Span of control,

Financial exposure,

Training,

Discipline, and

Purchasing and reviewing authorities.

This guide discusses each of these elements, the relevant documentation,
and tests which the auditor can perform. Testing of some of these elements
of the control environment can be accomplished either before the
preliminary assessment is completed, or later as part of testing the
effectiveness of control activities.

Testing of these elements of the control environment is accomplished
through analytical, sampling, and nonsampling methods as discussed in each
element. Analytical testing is accomplished by utilizing electronic
reports, data files, and other data obtained from the bank service
provider and/or the organization. The discussion of some of these
elements identifies them as lending themselves to efficient testing in
conjunction with transaction-level control activity tests, discussed in
the Transaction Control Activities section of this guide. Therefore, the
data needed to conduct tests of these elements should be obtained for each
cardholder and approving official for purchase card transactions selected
for transaction-level control activity testing.

Management's philosophy and operating style, sometimes referred to as tone
at the top, determines the degree of risk the organization is willing to
take in operations and programs. The attitude and philosophy of management
toward information systems, accounting, personnel functions, monitoring,
and audits and evaluations can have a profound effect on internal control.

Insights gained by the auditor through interviews conducted with program
personnel, and review of prior audit findings and management's responses,
will assist in assessing this element of internal control. Professional
judgment is necessary when attempting to assess the effect of tone at the
top, positive or negative, on internal control and on the design of
control activities. Tests of transaction-level control activities and
follow-up of potentially fraudulent, improper, and abusive purchases may
provide the auditor with additional insight into the tone at the top.

Span of control, in a government purchase card program, refers to the
extent of review responsibilities placed on a single approving official
for the purchase card transactions of one or more cardholders.

In establishing the reasonableness of this responsibility, the auditor
should consider (1) the number of cardholders assigned, (2) the number and
complexity of purchase card transactions being reviewed each billing
period, and (3) perhaps the most potentially detrimental, demands of other
responsibilities assigned to the approving official. Additional insight
into the reasonableness of these relationships can be obtained during
interviews with cardholders and approving officials and during control
tests of selected transactions.

In a recent GAO audit, management's proactive attitude in implementing
change was credited for establishing a positive control environment at one
unit, in contrast to another unit where management supported the status
quo of weak control, effectively diminishing the likelihood of substantive
change.

In response to a GAO report criticizing an unreasonable 1,153:1 ratio of
cardholders to approving official, the department issued guidance limiting
this span of control ratio to 7:1 for all its agencies.

The auditor should consider independently evaluating the reasonableness of
existing span of control relationships by obtaining bank service provider
reports containing the information necessary to determine the number of
cardholders assigned to individual approving officials.

The total number of authorized cardholders in the organization, their
single transaction and monthly credit limits, and the approving official
credit limits directly affect the financial responsibility of the
individuals involved and the extent of potential loss to the organization
from fraudulent, improper, and abusive purchases. Financial exposure in a
government purchase card program can become excessive when management does
not exercise judgment and restraint in issuing purchase cards and in
determining single purchase and monthly credit limits. We have found that
by limiting the number of purchase cards and related credit limits to the
levels necessary to meet operational requirements, an agency can better
manage and control its purchase card program.

Purchase cards should be issued in controlled limited quantities (e.g.,
special justification and authorization for more than one card per
cardholder), and only to government employees with a legitimate need to
have the card. Single purchase and monthly credit limits should be
established based on the expected monthly purchases of the cardholder.
Both of these determinations require an objective effort by operational
supervisors and management, with assistance from purchase card program
management, to evaluate the existing and continuing needs of operations
and cardholders. The auditor should evaluate management's process for
establishing the number of cardholders and their credit limits reasonably
necessary to operational requirements. Documentation of management's
decisionmaking process should be obtained and reviewed for propriety.
Examples of management's consideration of objective, analytical data
include the following.

Supervisory review of cardholder purchase history, both number of
transactions and dollars purchased (very few purchase transactions in the
previous year might indicate the lack of a need for the card, while lower
than expected dollar volume of purchases might indicate a lower reasonable
cardholder credit limit).

Annual positive assertions by supervisors and/or managers of continuing
cardholder needs, both for the card and for the related credit limits.

The auditor should consider independently evaluating the reasonableness of
the organization's existing financial exposure by obtaining bank service
provider reports--which provide information necessary to determine the
total cardholder monthly credit limits--and comparing that total to the
organization's average monthly and highest monthly purchase card
expenditures.

Two related organizations provided purchase cards with credit limits of
$20,000 or more to over 1,700 employees, resulting in an excessive monthly
financial exposure of over $34 million, while actual monthly purchases
amounted to only about $6 million.
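
The span of control and financial exposure comparisons described above can be run directly against bank service provider account data. The following Python is an added example, not part of the GAO guide: the record layout, the sample figures, and the activity and utilization cutoffs are assumptions, and the 7:1 default is only the ceiling adopted in the guide's sidebar case.

```python
"""Span-of-control and financial-exposure tests on purchase card accounts."""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP
from typing import NamedTuple


class Account(NamedTuple):
    account_id: str
    approving_official: str
    monthly_limit: Decimal
    prior_year_txn_count: int       # assumed field from an activity report
    prior_year_peak_month: Decimal  # highest monthly spend on the account


# Constructed sample: AO-A reviews 3 accounts, AO-B reviews 9.
SAMPLE_ACCOUNTS = [
    Account("ACCT-01", "AO-A", Decimal("10000"), 140, Decimal("7200")),
    Account("ACCT-02", "AO-A", Decimal("10000"), 2, Decimal("300")),
    Account("ACCT-03", "AO-A", Decimal("20000"), 95, Decimal("4000")),
] + [
    Account("ACCT-%02d" % n, "AO-B", Decimal("20000"), 60, Decimal("15000"))
    for n in range(4, 13)
]

# Constructed program-wide monthly expenditures.
SAMPLE_MONTHLY_SPEND = [Decimal(v) for v in
                        ("30000", "42000", "38000", "55000", "35000", "40000")]

CENT = Decimal("0.01")


def span_of_control(accounts, max_accounts_per_official=7):
    """Count accounts per approving official and list those over the ceiling."""
    counts = Counter(a.approving_official for a in accounts)
    over = sorted((ao, n) for ao, n in counts.items()
                  if n > max_accounts_per_official)
    return dict(counts), over


def financial_exposure(accounts, monthly_spend):
    """Compare total monthly credit limits with average and highest spend."""
    if not monthly_spend:
        raise ValueError("at least one month of expenditures is required")
    total_limit = sum((a.monthly_limit for a in accounts), Decimal("0"))
    average = sum(monthly_spend, Decimal("0")) / len(monthly_spend)
    highest = max(monthly_spend)
    return {
        "total_monthly_limit": total_limit,
        "average_monthly_spend": average.quantize(CENT, ROUND_HALF_UP),
        "highest_monthly_spend": highest,
        "limit_to_average": (total_limit / average).quantize(CENT, ROUND_HALF_UP),
        "limit_to_highest": (total_limit / highest).quantize(CENT, ROUND_HALF_UP),
    }


def underused_accounts(accounts, min_transactions=12,
                       min_utilization=Decimal("0.50")):
    """Flag accounts with little activity or a limit far above peak spend.

    Both cutoffs are assumed values; set them from organization policy.
    """
    flagged = []
    for a in accounts:
        reasons = []
        if a.prior_year_txn_count < min_transactions:
            reasons.append("few transactions: card may not be needed")
        if a.prior_year_peak_month / a.monthly_limit < min_utilization:
            reasons.append("peak spend well below limit: limit may be lowered")
        if reasons:
            flagged.append((a.account_id, reasons))
    return flagged


if __name__ == "__main__":
    print(span_of_control(SAMPLE_ACCOUNTS))
    print(financial_exposure(SAMPLE_ACCOUNTS, SAMPLE_MONTHLY_SPEND))
    for account_id, reasons in underused_accounts(SAMPLE_ACCOUNTS):
        print(account_id, "; ".join(reasons))
```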


Management should identify the appropriate knowledge and skills needed in
the purchase card program, require the needed training, and maintain
documentation evidencing that required training is current for all program
personnel. The extent and type of training provided should vary in
relation to authority and responsibility in the program, and to the amount
of transaction authorization given to the cardholder. At a minimum, a
cardholder should receive the standard purchase cardholder training
provided by the organization and/or by GSA, before receiving a purchase
card, and periodic (biannual) refresher training thereafter. 16

The auditor should obtain and evaluate documentation evidencing adherence
to this element of the control environment for the cardholders and
approving officials related to and in conjunction with transactions
selected for tests of transaction-level control activities. Both the
appropriateness of training received and the attributes discussed below
can be reviewed when evaluating this element of the control environment.
Training documentation and relevant attributes to consider include the
following.

Certificates/record of training, for both initial and refresher courses,
should clearly show: (1) the type of training received (e.g., instructor
led, computer based, internet based), (2) that the training was relevant
to the purchase card program, (3) that the training was appropriate to the
level of authorized spending and program authority of the individual, (4)
the signature of the cardholder and the instructor (if applicable), (5)
that the date of initial training is prior to purchase card account
activation, and/or (6) that the date of refresher training is within the
required period.

Centralized training records, or a database of cardholder, approving
official, and APC training should: (1) provide detailed information
similar to that contemplated above for certificates of training, and (2)
be available to the appropriate levels of program management to facilitate
monitoring of adherence to program training requirements. The auditor
should consider assessing the adequacy of centralized training records by
tracing cardholders and approving officials associated with the purchase
card transactions selected for control tests to such records. Testing in
association with transaction control tests is desirable because selecting
and testing a representative sample from the centralized records would not
identify cardholders and others who have not received training and are
therefore not in the centralized records. Inquiries and other
corroborating evidence could provide confirmation that centralized
training records or databases are maintained current, and are being used
to monitor adherence to training requirements.

16 The GSA website
(http://www.fss.gsa.gov/webtraining/trainingdocs/smartpaytraining/index.cfm)
provides access to relevant purchase card training materials.

Of approximately $68 million in fiscal year 2000 purchase card
transactions at two related organizations, approximately $17.7 million (26
percent) were made by cardholders for whom there was no documented
evidence of required initial or refresher purchase card training.

Candid and constructive counseling, performance appraisals, and discipline
can provide reinforcement of the system of internal control. Internal
control

polices and procedures should identify the specific actions or lack of
adherence to internal control within the purchase card program that
warrant counseling and/ or discipline.

The auditor should obtain and evaluate documentation evidencing this
element of the control environment for the cardholders and approving
officials related to and in conjunction with transactions selected for
tests of transaction- level control activities. The documentation and
relevant attributes of discipline to consider evaluating fall into two
general categories:

Constructive counseling might be provided to cardholders and approving
officials in response to isolated instances of lack of adherence to
internal control policies, procedures, and activities. The auditor should
obtain and review for propriety documentation of counseling provided for
isolated instances of lack of adherence to controls detected in the
transactions selected for control testing.

Disciplinary actions to be taken in response to recurring and/or
persistent lack of adherence to internal controls, and specific
consequences for improper and abusive purchases should be adopted by the
organization as part of the system of internal control. Such
consequences can vary with the severity and persistence of the policy
violation, and might include formal and informal reprimands, suspension or
cancellation of the purchase card account, termination of employment, and
referral to investigative authorities in cases of suspected fraud.
Instances warranting discipline should be documented and included in
personnel files and, if applicable, performance appraisals. The auditor
should obtain and review documentation of disciplinary actions taken for
the instances of significant lack of adherence to controls, and for
improper and abusive purchases detected during the control activities
testing. Documentation should also be obtained of all cases of detected
potential fraud occurring during the period under audit and included in
considerations for follow-up, as discussed in the Follow-up and
Investigation section of this guide. Disciplinary actions alone may be an
insufficient response to detected fraud. For that reason, instances of
fraud that are declined for prosecution and referred to management for
disciplinary action should be followed up to ensure that, in the
professional judgment of the auditor, appropriate actions were taken by
organization management.

Despite operating instructions providing for restitution and revocation of
card privileges, repeat violators of regulations and internal controls did
not lose their purchase cards and did not repay the government for
unauthorized purchases.

Page 26 GAO- 03- 678G Purchase Card Audit Guide Exposure Draft

In a government purchase card program, purchasing authority establishes a
cardholder's authority to possess and use a government purchase card. It
also establishes the cardholder's single-transaction and credit limits.
Some organizations will assign different spending limit authorities to the
same cardholder, which apply to different uses of the card. For example, a
cardholder who
is a warranted contracting officer is assigned two purchasing authorities:
(1) a $2,500 single-transaction limit with a $40,000 monthly purchase
limit for purchases of goods or services, and (2) a $100,000
single-transaction limit with a $500,000 credit limit for use of the
purchase card as a method of payment on a preexisting contract. Authority
is also established for approving officials to review and authorize
payment of cardholder accounts. Approving official authority should also
identify the specific cardholder(s) for which review and certification
responsibilities have been assigned, and the approving official's credit
limits should relate to the total cumulative monthly purchasing limits of
the cardholders assigned to them. The auditor should obtain and evaluate
documentation evidencing this element of the control environment for the
cardholders and approving officials related to and in conjunction with
transactions selected for tests of transaction-level control activities.
For evaluation and testing purposes, each level of purchasing authority
given to a cardholder (e.g., $2,500 single-transaction limit for local
vendor purchases, $100,000 limit for purchases on an existing contract)
should be deemed a separate cardholder.

Documentation evidencing purchasing authority for cardholders, and review
and certification authority for approving officials, should be obtained
and evaluated for instances of significant lack of adherence to controls
including: (1) documentation of the cardholder's purchasing authorization
(e.g., organizational standard form) dated prior to the transaction date
and (2) documentation of the approving official's authorization (e.g.,
organizational standard form) dated prior to the transaction date.
Attributes which the auditor should consider reviewing when evaluating the
effectiveness of this control include the following: (1) the date of the
purchase transaction, compared to the date of the cardholder's purchasing
authority, compared to the date of the approving official's authorization,
(2) the amount of the transaction, compared to the amount of the
cardholder's single-transaction authority, (3) the total amount of the
cardholder's billing statement, compared to the cardholder's and approving
official's authorized credit limits, (4) the cardholder account
single-transaction and credit limit carried in the bank's system, compared
to that authorized in the cardholder's purchasing authority, and (5) that
the approving official's assignment of responsibility includes the
specific cardholder account.
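The five attribute comparisons listed above can be run mechanically over an extract of sampled transactions. The following Python is an added example, not part of the GAO guide: the record layouts, account identifiers, names, and sample data are constructed, and two choices are assumptions of the example (a missing authorization record fails every attribute that depends on it, and an authorization dated the same day as the sale is not counted as "prior").

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authority:
    account: str        # one record per purchasing-authority level, which the
    granted: date       # guide deems a separate cardholder for testing
    single_limit: int   # single-transaction limit, dollars
    credit_limit: int   # credit (monthly) limit, dollars


@dataclass(frozen=True)
class Official:
    name: str
    granted: date       # date of the approving official's authorization
    credit_limit: int
    accounts: frozenset  # cardholder accounts assigned for review


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    sale_date: date
    amount: int
    statement_total: int  # total of the billing statement carrying the txn
    certified_by: str     # approving official who certified the statement


def failed_attributes(txn, authorities, bank_limits, officials):
    """Return the attribute numbers (1-5, as numbered in the text) that fail."""
    auth = authorities.get(txn.account)
    ao = officials.get(txn.certified_by)
    bank = bank_limits.get(txn.account)
    failed = set()
    # (1) both authorizations dated prior to the transaction date
    if auth is None or ao is None or not (
            auth.granted < txn.sale_date and ao.granted < txn.sale_date):
        failed.add(1)
    # (2) transaction amount within the single-transaction authority
    if auth is None or txn.amount > auth.single_limit:
        failed.add(2)
    # (3) statement total within cardholder and approving official limits
    if auth is None or ao is None or txn.statement_total > min(
            auth.credit_limit, ao.credit_limit):
        failed.add(3)
    # (4) limits carried in the bank's system equal the authorized limits
    if auth is None or bank != (auth.single_limit, auth.credit_limit):
        failed.add(4)
    # (5) approving official's assignment includes this cardholder account
    if ao is None or txn.account not in ao.accounts:
        failed.add(5)
    return sorted(failed)


def summarize(txns, authorities, bank_limits, officials):
    """Number and dollar value of transactions failing each attribute."""
    totals = {n: [0, 0] for n in range(1, 6)}
    for t in txns:
        for n in failed_attributes(t, authorities, bank_limits, officials):
            totals[n][0] += 1
            totals[n][1] += t.amount
    return {n: tuple(v) for n, v in totals.items()}


# Constructed sample data (not from any real program).
AUTHORITIES = {a.account: a for a in [
    Authority("CH-0001/goods", date(2002, 10, 1), 2500, 40000),
    Authority("CH-0001/contract", date(2002, 10, 1), 100000, 500000),
    Authority("CH-0002/goods", date(2003, 2, 15), 2500, 10000),
]}
BANK_LIMITS = {  # (single-transaction limit, credit limit) in the bank system
    "CH-0001/goods": (2500, 40000),
    "CH-0001/contract": (100000, 500000),
    "CH-0002/goods": (5000, 10000),   # bank limit exceeds the authorization
}
OFFICIALS = {o.name: o for o in [
    Official("AO-SMITH", date(2002, 9, 15), 550000,
             frozenset({"CH-0001/goods", "CH-0001/contract"})),
    Official("AO-JONES", date(2003, 3, 1), 10000,
             frozenset({"CH-0002/goods"})),
]}
TXNS = [
    Txn("T1", "CH-0001/goods", date(2003, 1, 10), 1800, 12000, "AO-SMITH"),
    Txn("T2", "CH-0001/goods", date(2003, 1, 12), 3100, 12000, "AO-SMITH"),
    Txn("T3", "CH-0001/contract", date(2003, 1, 20), 85000, 210000, "AO-SMITH"),
    Txn("T4", "CH-0002/goods", date(2003, 2, 20), 900, 11500, "AO-JONES"),
    Txn("T5", "CH-0003/goods", date(2003, 3, 5), 400, 400, "AO-SMITH"),
]

if __name__ == "__main__":
    for t in TXNS:
        print(t.txn_id, failed_attributes(t, AUTHORITIES, BANK_LIMITS, OFFICIALS))
    print(summarize(TXNS, AUTHORITIES, BANK_LIMITS, OFFICIALS))
```

The per-attribute counts and dollar values returned by `summarize` are the pass/fail results the guide later asks the auditor to record for each sample item.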

Section 3: Making, Documenting, and Using the Preliminary Assessment

The preliminary assessment is a critical analysis of whether, in the
professional judgment of the auditor, the existing internal control
policies, procedures, and activities as designed, if in place and
operating, will provide management with reasonable assurance that
significant fraudulent, improper, and abusive purchases will be prevented
or promptly detected. A preliminary assessment of the organization's plan
of internal control will assist the auditor in (1) identifying significant
weaknesses in designed control activities, (2) planning and designing
control tests, and (3) identifying data-mining criteria.

ASSESSING THE ADEQUACY OF THE DESIGN OF CONTROL ACTIVITIES

The auditor, considering the overall control environment, should make a
critical comparison of the risk/opportunities for fraudulent, improper,
and abusive purchases and the internal control policies, procedures, and
activities designed to guard against them. The knowledge gained in the
Understanding Operations and Programs section of this guide will provide
information useful to the preliminary assessment of internal control. In
some circumstances, this information may need to be supplemented with
additional inquiries, observations, and/or nonsampling tests of controls.
When reaching conclusions in the preliminary assessment, the auditor
should also consider the bank service provider's systems and controls, the
audit objectives, prior audit findings and recommendations, and
management's responses and corrective actions taken.

Our audits of purchase card programs have identified (1) the determination
of a legitimate government need, (2) screening for required sources of
supply, (3) independent receipt and acceptance, (4) establishing
accountability over certain property, (5) cardholder reconciliation, and
(6) approving official review as key transaction-level control activities
in mitigating the risk of fraudulent, improper, and abusive purchases.
These key control activities should be included in the auditor's
preliminary assessment of the adequacy of the design of control
activities. It will also be helpful to the auditor's critical comparison
process to prepare a list of the identified risk/opportunities for
potentially fraudulent, improper, and abusive purchases to occur, and a
list of the existing relevant control activities. An individual control
activity will probably address multiple risks of potentially fraudulent,
improper, and abusive purchases, and an individual risk may be addressed
by more than one control activity. Therefore, a simple one-to-one
comparison will probably not be effective.

For example, the control activity of independent receipt and acceptance
can be instrumental in mitigating the risk of paying for services not
performed, as well as mitigating the risk of purchased accountable
property not being recorded in the organization's property record system.
One way to proceed is to prepare a simple schedule, as illustrated in
figure 3, which lists the identified risk/opportunities for potentially
fraudulent, improper, and abusive purchases down the left-hand side, and
provides space for identifying (1) the related control activities, (2) the
auditor's preliminary assessment conclusions, (3) the effects on the
design of audit control tests, and (4) potential criteria for audit data
mining.

Figure 4: Illustration of the process of assessing and concluding on the
adequacy of designed control activities

Identified risk/opportunity for potentially fraudulent, improper, and
abusive purchase: Unintentional purchase of goods or services prohibited
by law or organizational policy.
  Control activities (in order of significance to risk): Training;
    approving official review
  Auditor's conclusion on adequacy of design of control activities:
    Adequate
  Effect on design of audit control tests: Test for current training & AO
    review.
  Identified potential criteria for data mining: None

Identified risk/opportunity for potentially fraudulent, improper, and
abusive purchase: Purchased service not received by the government.
  Control activities (in order of significance to risk): Cardholder
    reconciliation; independent receipt and acceptance; approving
    official review
  Auditor's conclusion on adequacy of design of control activities:
    Adequate
  Effect on design of audit control tests: Test attributes of receipt
    control and AO review.
  Identified potential criteria for data mining: None

Identified risk/opportunity for potentially fraudulent, improper, and
abusive purchase: Purchased item of accountable property not in possession
of the government.
  Control activities (in order of significance to risk): Independent
    receipt and acceptance; cardholder reconciliation; approving official
    review
  Auditor's conclusion on adequacy of design of control activities:
    Inadequate - No designed control provides reasonable assurance of
    recording in accountable property records. However, interviews and
    walkthroughs disclose that some units are making efforts to control
    this risk.
  Effect on design of audit control tests: Consider stratifying sample to
    key on accountable property, and test all sample transactions
    acquiring accountable property to determine the extent of physical
    control and accountability being achieved.
  Identified potential criteria for data mining: Include accountable
    property purchases in potential criteria for data mining.

The above (figure 4) is provided as an illustration only of the process of
making, documenting, and using the preliminary assessment of the design of
internal control activities. The illustrated risks, controls, conclusions,
effects, and identifications are highly dependent upon the facts and
circumstances of specific organization operations and purchase card
programs. Auditors will need to exercise professional judgment when making
these determinations.

USING THE PRELIMINARY ASSESSMENT

Auditors should find the observations and conclusions made in the
preliminary assessment useful in determining the nature and extent of
further audit work on an organization's purchase card program. These
observations and conclusions can be useful in determining a strategy for
internal control testing, including designing sample selections. For
example, a preliminary assessment conclusion might be that the design of
an internal control policy and one or more related control activities is
strong and can provide management with reasonable assurance of preventing
or promptly detecting fraudulent, improper, and abusive purchases. If the
policy and control activities are considered to be strong, tests designed
to determine the extent to which the control activities are being
performed would likely be an efficient and cost-effective audit
procedure. However, if the auditor considers the policy and/or the
control activity to be ineffective or nonexistent, tests for performance
of control activities would generally not be appropriate or cost
effective. Whether to design and conduct tests of performance for controls
considered to be weak will require professional judgment and consideration
of the facts and circumstances of individual cases.

The results of the preliminary assessment can also be useful to the
auditor's consideration of other procedures (such as data mining discussed
in a later section of this report) designed to detect fraudulent,
improper, and abusive transactions resulting from identified weakness in
the design of controls. For example, if the preliminary assessment is that
the design of internal control does not provide reasonable assurance of
compliance with requirements to purchase from statutory sources of supply,
then purchase card transactions with other vendors who sell similar goods
and services may provide examples of the result of that control weakness.

Section 4: Testing the Effectiveness of Key Control Activities

A well-designed system of internal control for a purchase card program is
needed to provide reasonable assurance that the program is operating as
intended and is not vulnerable to significant fraudulent, improper, and
abusive purchases. However, a system of internal control, no matter how
well designed, cannot be relied on if control activities are not in place
and operating effectively on an ongoing basis. Control activities
identified during the preliminary assessment process, as likely to be
effective at preventing or detecting fraudulent, improper, and abusive
purchases, should be tested to determine if they are being adequately
adhered to. This section discusses (1) obtaining and verifying the
completeness of the purchase card transactions database, (2) designing a
statistical sample of purchase card transactions, (3) obtaining the
documentary evidence of performance of control activities, and (4) the
design and conduct of tests to determine if key control activities are in
place and operating as intended.

In our audits of purchase card programs, we used two basic types of
control testing--statistical sampling[17] (selections representative of
and projectable, with quantifiable accuracy, to a population) and
nonrepresentative selections (selections not representative of or
projectable to a population)--to evaluate the effectiveness of internal
control activities. This guide considers control designed to prevent or
detect fraudulent, improper, and abusive transactions in a purchase card
program, to operate on two basic levels: (1) control activities that
operate at the transaction level (e.g., independent receipt and
acceptance, cardholder reconciliation), and (2) controls that operate at
some other level (e.g., training, span of control).

Elements of the control environment discussed in the Internal Control and
the Control Environment section of this guide are not considered
transaction-level control activities. However, testing and evaluating
certain of these elements (i.e., training, discipline, and purchasing and
reviewing authority) can be efficiently accomplished in conjunction with
the testing of transaction-level control activities.

[17] Sampling selections representative of a population can be either
statistical or nonstatistical--statistical concepts are considered, but
not explicitly used to determine sample size, select sample items, or
evaluate the results. However, projections of nonstatistical sample
results are not quantifiably accurate, and GAO discourages their use in
government audits.

OBTAINING TRANSACTION DATA

Tests of control activities which operate at the transaction level are
applied to selected purchase card transactions, generally contained in an
electronic file database. The auditor will need to identify and obtain the
appropriate database of purchase card transactions, select the
transactions to test, and extract the appropriate transaction information
from the database. In order to obtain the appropriate population of
purchase card transactions, the auditor will need to establish and define
the scope of the audit. The scope of the audit can be defined in terms of
control activities in place and operating for a time period, a unit, or an
activity, or a combination of those terms (e.g., all purchase card
transactions executed by the organization during the fiscal year ended
September 30, 2003). Also, if the data are stored in an electronic
database(s), the auditor will need to determine that the transaction data
elements necessary to achieve the audit objectives are included in the
database obtained.

The purchase card transactions selected for testing should be selected
from a population which includes all relevant transactions in the scope of
the audit. In order to assure the relevance and completeness of the
population transaction database, the auditor should obtain value and
quantity control totals from a source independent of the database
provider, and agree them to the data obtained. For example, a transaction
database supplied by the bank service provider could be agreed or
reconciled to the organization's records of purchase card activities, or
the bank service provider may supply control totals to verify a
transaction database provided directly by the organization.

Coordinating with the Bank Service Provider

Establishing a contact and coordinating the audit effort with the bank
service provider presents the auditor with an opportunity to gain a
current understanding of the bank's program operations, processes, and
controls, as more fully discussed in the Understanding the Bank Service
Provider's Program section of this guide. Coordination with the bank can
also provide the needed transaction databases and/or the ability to
verify organization transaction databases by comparison to independent
control totals. Fraud investigators involved in the purchase card audit
may also be afforded an opportunity to evaluate the bank's fraud
investigation and detection methodologies, and benefit from other
information provided by the bank's credit card fraud investigators.

SELECTING PURCHASE CARD TRANSACTIONS

One of the first decisions the auditor will need to make is whether to use
statistical sampling to select transactions for testing. In most audit
circumstances, statistical sampling is the recommended approach for making
estimates about and drawing conclusions from a population of transactions,
and for estimating the percentage of transactions in the population for
which control activities were or were not in place and operating as
intended. Statistical sampling is appropriate:

if there is a desire to estimate whether control activities for a
population of transactions are in place and operating as intended, and to
quantify the accuracy of this assessment based on statistical theory;

if there is a desire to estimate whether some control activities for a
population of transactions are operating as intended to a greater or
lesser degree than other activities, and to quantify the accuracy of this
assessment based on statistical theory; and

if it is desirable to estimate, and to quantify the accuracy of the
assessment based on statistical theory, the dollar value for a population
of purchase card transactions subject to detected control weaknesses
and/or failures.

In these cases, a statistical sample should be designed so that
statistical theory can be used to estimate failure rates and/or the
dollar value of transactions subject to ineffective controls in the
population and to quantify the accuracy of those estimates.

In other audits of purchase card programs, making statistical estimates of
the failure rate in the population of transactions may not be important.
For example, if there are no control activities, or if the design of
controls is clearly inadequate, there would be little point in testing
control activities and estimating the associated failure rates. As another
example, certain control activities may only apply to a very small portion
of transactions. In these cases, an assessment might be made of the
effectiveness of control activities through means such as observation,
inquiry, and/or inspection of a nonrepresentative selection of
transactions. However, it should be understood at the outset that when
experience and understanding of the subject matter are used to assess the
effectiveness of control activities based solely on observation, inquiry,
and/or inspection of a nonrepresentative selection of transactions, the
results cannot be reliably or statistically projected to all transactions
of that type.

Considerations in Designing a Statistical Sample

The auditor, in conjunction with a statistician, will need to consider a
number of issues in order to design statistical samples for government
purchase card programs. These issues include, but are not limited to, the
following.

The organization of the population of purchase card transactions -
Typically, these records are organized in one or more electronic files. In
this case, various sampling options are available. Two of these options
are (1) simple random sampling of transactions, and (2) partitioning
transactions into non-overlapping groups (strata), followed by selecting
simple random samples of transactions in each stratum.

The organization of the documentation evidencing performance of control
activities - These documents may be stored in one or more geographic
locations, which may or may not limit or impair accessibility by the
auditor. In either case, a sample design should account for the geographic
dispersion. The following are examples of available options.

  Geographic strata - If personnel are available to collect data from
  each location, then a sample design might have locations as strata, with
  appropriate sampling methods within each stratum. A stratified design
  would protect against the possibility of an "unlucky" sample, i.e.,
  having no or few transactions from one or more locations in a random
  sample selected from the population of all transactions. It may also
  provide more precise estimates than a random sample of the same size
  selected from the population of all transactions.

  Geographic location sample - If it is not possible to collect data from
  each geographic location, then a two-stage statistical sample can be
  made of (stage one) geographic locations, with appropriate sampling
  methods used (stage two) within each selected location. If the
  geographic locations are chosen using statistical sampling, the auditor
  will be able to make estimates about all purchase card transactions in
  the population.

  Case study approach - The auditor may find, however, that the documents
  that will be examined to determine whether control activities are being
  performed are so geographically dispersed that it is not cost effective
  to collect data from statistically sampled locations. In this case, the
  auditor may wish to consider a case study approach. In a case study
  approach, locations are selected for specific reasons instead of being
  chosen using statistical sampling. Statistical samples of transactions
  are then selected for each of the selected locations. The auditor should
  note, however, that data collected from a case study approach can only
  be used to assess adherence to controls at the specified locations.
  Sample data from a case study approach cannot be used to make
  assessments about adherence to controls for the entire population of
  purchase card transactions.

Information about the approximate level of nonadherence to controls - Such
information may be obtainable from (1) similar studies performed in the
recent past, (2) estimates by subject matter experts, or (3) information
obtained by the auditor during the preliminary assessment relating to
nonadherence rates. These "guesstimates" are very useful to the
statistician in estimating what sample size might be needed to achieve
specified precision levels on estimated nonadherence rates.

The relationship between the approximate nonadherence rate, and the
acceptable nonadherence/adherence rates - At what rate of failure would
the auditor consider a control to be ineffective? Effective? If the
expected level of nonadherence (or adherence) is close to the minimum rate
that is considered unacceptable (or acceptable), a larger sample may be
required to assert nonadherence (or adherence) to controls.

Inherent strengths/weakness - Certain types of transactions may be
expected to have different rates of nonadherence to controls than other
types (e.g., transactions for large dollar amounts processed at a higher
level by personnel who likely have taken contractor officer training). If
so, the population of transactions can be partitioned into strata so the
expected rate of nonadherence differs from one stratum to the next.
Separate samples of transactions can then be taken in each stratum. A
stratified design that takes advantage of expected differences in
nonadherence rates across strata can provide more precise estimates than a
random sample of the same size selected from the population of all
transactions.

Time and resources - The total amount of time available, the time it will
take to evaluate the effectiveness of controls for each purchase card
transaction, and the number of audit staff available are practical
considerations that will have a direct influence on the design and size of
a sample.

The Sampling Plan

The auditor and the statistician should develop a written sampling plan
for inclusion in the audit work papers. The sampling plan should include,
but is not limited to:

the reasons that a sample was developed,

the type of sample (e.g., statistical or nonstatistical) and sampling
method (e.g., random) being used,

a description of the population (e.g., nature, data elements, source,
control totals),

the sample design (e.g., confidence level, strata criteria, number of
items and/or dollars in population and strata, sample size by strata and
population) selected along with a discussion of the factors considered and
conclusion reached,

guidelines about the types of evidence and attributes the auditor(s) will
accept as clear evidence of performance of control activities,

information about the anticipated precision of the sample estimates,

a definition of what nonadherence to controls means,

expectations (if any) about the rate of nonadherence to controls, and

examples of the types of conclusions the auditor expects to be able to
make after the sample data are analyzed (and projected to the population).

Extracting Selected Transaction Data Elements

Data elements of transactions selected for control activity testing (as
well as those identified by data mining) will need to be
extracted--identified, selected, copied, and accumulated in a separate
electronic file for further auditor analysis--from the population
transactions database. At a minimum, those data elements should include
the identification and other data elements necessary to facilitate control
activity testing. The following are examples of data elements which might
be included in such extracts.

Transaction: Amount; Sale date; Post date
Cardholder: Name; Account number; Account address; Work location; Work
  telephone
Vendor: Name; Merchant category code (MCC); Address; Business telephone
Approving Official: Name; Work location; Work telephone

Reporting Sample Results

The auditor should prepare a workpaper/file detailing the pass/fail
results of tests of control activities (e.g., the number and dollar value
of transactions failing a control activity) performed on each sample item,
in accordance with the sample design (e.g., sampled strata). These
results can then be provided to the statistician, who should project the
sample results to the population, and provide the auditor with a report
recapping the population, the sampling plan used, the control tests
performed by the auditor, the statistical estimates (e.g., attribute
failure rates, dollar values), and the associated confidence intervals.
The auditor should then prepare a summary memo that incorporates the
sample tests results and the statistician's report and recaps the rules
used to assess the effectiveness of controls and the audit conclusions
drawn from the projected sample results.

Analysis of Results from Statistical Samples

The primary questions that can be answered from analyzing the result of a
statistical sample of attribute tests for control activity performance
are:

1. What is the estimated failure rate and the accuracy of that estimate?

2. Does the failure rate of performance of the control activity result in
   assessing the control as effective, ineffective, or partially
   effective?

To answer the first question, the failure rate from the statistical sample
should be estimated taking the design of the sample into account. Since
the statistical sample is only one of a large number of samples that could
be drawn, a two-sided interval should be generated that will contain the
actual (unknown) population failure rate for a specified percent of
samples that could be drawn. This interval is called a "confidence
interval," and the specified percent is called the "confidence
level."[18]

[18] For nonfinancial audits, GAO commonly uses a confidence level of 95
percent. "The 95 percent confidence level appears to be used more
frequently in practice than any other level--90 percent and 99 percent
confidence levels seem to be next in popularity." Hahn and Meeker,
Statistical Intervals, A Guide For Practitioners, 1st Edition (New York,
N.Y.: John Wiley and Sons, Inc., 1991), p. 38.

To answer the second question, the statistical sample results should be
compared to a pre-set standard (e.g., control activities with adherence
failure rates greater than 10 percent will be considered ineffective)
and/or professional judgment.
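The two questions above (the estimated failure rate with its confidence interval, and the comparison to a pre-set standard) can be worked through for a stratified design as follows. This Python is an added example, not part of the GAO guide: the population, strata names, seed, and observed counts are constructed; the interval uses a normal approximation with a finite population correction, where a statistician may prefer another method; and the rule that maps the interval to "effective", "ineffective", or "partially effective" is an assumption of the example, since the guide leaves those cut-offs to the auditor.

```python
import math
import random
from collections import defaultdict

Z_95 = 1.96  # two-sided 95 percent confidence level


def select_stratified_sample(population, sample_sizes, seed):
    """Simple random sample within each stratum.

    population: iterable of (txn_id, stratum); returns {stratum: [txn_id]}.
    """
    by_stratum = defaultdict(list)
    for txn_id, stratum in population:
        by_stratum[stratum].append(txn_id)
    rng = random.Random(seed)  # recording the seed makes the draw repeatable
    sample = {}
    for stratum in sorted(by_stratum):
        ids = sorted(by_stratum[stratum])
        n = sample_sizes[stratum]
        if n > len(ids):
            raise ValueError(f"sample larger than stratum {stratum!r}")
        sample[stratum] = rng.sample(ids, n)
    return sample


def estimate_failure_rate(strata, z=Z_95):
    """Stratified estimate of the population failure rate.

    strata: {name: (N_h, n_h, failures_h)} where N_h is the stratum size,
    n_h the number sampled and failures_h the sampled items that failed
    the control test. Returns (rate, lower, upper).
    """
    total = sum(size for size, _, _ in strata.values())
    rate = 0.0
    variance = 0.0
    for size, n, failures in strata.values():
        if not (2 <= n <= size and 0 <= failures <= n):
            raise ValueError("inconsistent stratum counts")
        weight = size / total          # stratum share of the population
        p = failures / n               # failure rate observed in the stratum
        rate += weight * p
        # weight^2 * finite population correction * sample variance of p
        variance += weight ** 2 * (1 - n / size) * p * (1 - p) / (n - 1)
    half_width = z * math.sqrt(variance)
    return rate, max(0.0, rate - half_width), min(1.0, rate + half_width)


def assess_control(strata, max_failure_rate=0.10):
    """Compare the interval to the pre-set standard.

    Assumed rule (not prescribed by the guide): the whole interval above
    the standard is "ineffective", the whole interval at or below it is
    "effective", and an interval that straddles it is "partially
    effective" because the evidence supports neither conclusion.
    """
    rate, lower, upper = estimate_failure_rate(strata)
    if lower > max_failure_rate:
        conclusion = "ineffective"
    elif upper <= max_failure_rate:
        conclusion = "effective"
    else:
        conclusion = "partially effective"
    return conclusion, rate, lower, upper


# Constructed population: 9,000 micro-purchases and 1,000 contract payments.
POPULATION = [(f"T{i:05d}", "contract_payment" if i % 10 == 0 else "micro_purchase")
              for i in range(10000)]

# Constructed test results: (stratum size, items sampled, items failing).
OBSERVED = {"micro_purchase": (9000, 100, 18), "contract_payment": (1000, 100, 3)}

if __name__ == "__main__":
    picked = select_stratified_sample(
        POPULATION, {"micro_purchase": 100, "contract_payment": 100}, seed=678)
    print({k: len(v) for k, v in picked.items()})
    print(assess_control(OBSERVED))
```

With the constructed counts the point estimate is 16.5 percent, but the 95 percent interval runs from about 9.7 to 23.3 percent and straddles the 10 percent standard, which is the situation a larger sample is meant to resolve.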

For each audit of a government purchase card program, the auditor should
choose the failure rates that classify (or make the professional judgments
that conclude) that the performance of control activities is effective,
ineffective, or partially effective. Partially effective controls are
those for which the evidence does not support a conclusion that the
control is either effective or ineffective.

OBTAINING DOCUMENTATION EVIDENCING PERFORMANCE OF CONTROL ACTIVITIES

Documentation provides the auditor an opportunity to inspect evidence of
ongoing adherence to internal control policies and performance of control
activities. The data evidencing performance of transaction-related control
activities will most likely, but not necessarily, reside within the
organization. Examples of documentation that might evidence performance of
specific control activities are included in the Testing Control Activities
section of this guide. The lack of such documentation, although a strong
indicator of a lack of adherence and performance, does not necessarily
preclude adherence or performance. However, all lack of adequate
documentation should initially be considered as a failure of the relevant
control activity test. Missing documentation should elevate the level of
the auditor's professional skepticism when conducting any additional audit
procedures considered appropriate (e.g., additional inquiry, consideration
of other supporting documentation, direct interviews with cardholders
and/or approving officials). Transactions and cardholders with significant
or persistent lack of documentation should be considered for follow-up in
accordance with the Follow-up and Investigation section of this guide.

Original documents should be reviewed whenever possible. The extent that
copies of original documents are retained for audit work papers will
depend on the circumstances and professional judgment. However, the work
papers should include copies of documents supporting findings of a
significant lack of adherence to policies, performance of control
activities, and any potentially fraudulent, improper, and abusive
purchases. As discussed later in the Follow-up and Investigation section
of this guide, copies of documents will also be necessary to the follow-up
process.

Obtaining Documentation from the Organization

The auditor will need to provide the organization sufficient information
to identify the specific transactions selected for testing (e.g.,
cardholder name and number, transaction sale or post date, and amount).
The auditor should, in planning, allow sufficient time for this step since
documentation may be in geographically diverse locations and the
organization may need to send out requests for the needed information. The
auditor should consider the knowledge gained about the control environment
and other factors, and exercise professional judgment when making
decisions about (1) supplying selected transaction information to the
organization, (2) when and how to receive documentation, and (3) the
amount of time to allow the organization to produce documentation. The
auditor and the organization should agree, and/or the auditor should
communicate the rules of the engagement, in advance, establishing time
limits for providing requested documentation, after which audit
conclusions will be based on the documentation provided.

The auditor should design tests that clearly and specifically identify
acceptable attributes that evidence actual performance of control
activities. Guidelines should be developed about what constitutes "clear
evidence of performance" before testing begins. Such evidence may include
appropriate sequencing of dates, cardholder and/or approving official
tick marks or other indications on individual transactions, corroborating
representations of performance by management personnel, and so forth.
Developing these guidelines in advance and including them in the sampling
plan will enhance the ability of audit staff to make consistent
assessments across sampled transactions. If there will be a cadre of audit
staff assessing whether there is clear evidence of performance, they
should be trained before data collection begins to enhance their
collective ability to make consistent assessments. Also, appropriate
supervisory review and validation of the assessments made by the audit
staff will be needed. An independent supervisory assessment of selected
sample items is one way to accomplish that review.

Tests for performance of control activities should be performed utilizing
the data gathered. For purposes of this guide, many control activities are
considered transaction specific (e.g., independent receipt and
acceptance, approving official review) and the related tests should be
accomplished at the transaction level. Also, as discussed in the Internal
Control and the Control Environment section of this guide, some of the key
elements of the control environment (e.g., training, discipline,
purchasing and approving authority) lend themselves to efficient testing
in conjunction with the testing of transaction-level control activities.
The auditor should consider coordinating tests of those elements of the
control environment with the tests of the following transaction control
activities.

This guide discusses the following six control activities directly related
to purchase card transactions and their supporting documentation and
performance attributes for consideration by the auditor:

determining a legitimate government need, screening for required vendors,
independent receipt and acceptance, establishing accountability over
property, cardholder reconciliation, and approving official review.

The specific tests of control activities accomplished, the specific
documents reviewed, and the attributes considered may vary as audit
objectives vary. When conducting the transaction control test discussed
below, auditors should also evaluate purchases for compliance with
relevant laws and regulations (e.g., exemption from sales tax). The
auditor should consider consulting with legal counsel for assistance in
evaluating questions of the existence of a legitimate government need. The
auditor should also consider conducting follow-up, as discussed later in
this guide, in instances of a questionable legitimate government need, or
prohibited or otherwise inappropriate government purchases.

Evidence of Performance

TESTING CONTROL ACTIVITIES

Transaction Control Activities

Determination of a legitimate government need provides reasonable
assurance to the organization that its resources are not being wasted. A
legitimate need for the goods or service being acquired should be
determined before a purchase is made. In a government purchase card
program, the initial responsibility for making this determination may be
assigned by the organization's policies and procedures to the cardholder.
Prepurchase requests or other authorization prepared by a supervisor, or
prepared by operations personnel and signed by a supervisor, can provide
the cardholder with documentation of a legitimate government need.
Organization policies may leave verification and documentation that
purchases are for a legitimate government need to the discretion of the
cardholder, a practice usually considered a weakness in the design of
control. The organization's policies and procedures may identify specific
items or types of purchases requiring special approval. However,
prepurchase authorizations are not required by all government
organizations, and some organizations may provide blanket authorization
for routine purchases. When there is no documentation of a legitimate
government need for other than routine items, the auditor should view
purchases with an elevated level of professional skepticism. Further, the
organization's policies and procedures may restrict or prohibit the
purchase of certain items or types of goods and services. Auditors should
be aware of these requirements, restrictions, and prohibitions, and the
requirement, or lack thereof, for documentation establishing the
government's need.

Documentation evidencing the determination of a legitimate government need
should be obtained and reviewed. This could include (1) a prepurchase
request or authorization, (2) written blanket authorization for small
routine purchases (e.g., office supplies), (3) written justification by
the cardholder or other program personnel of the government need for the
purchase, (4) other required documentation for specifically controlled or
restricted purchases (e.g., a purchase justification or business need
analysis for computer equipment), and (5) the vendor invoice describing
the goods or services purchased. Attributes to consider evaluating include
(1) the date of government need determination, compared to date of the
purchase, (2) whether the purchased item is included on the organization's
prohibited or restricted list, and (3) the item purchased on the vendor
invoice, compared to the item for which a need was determined. The auditor
should consider the knowledge of the organization's operations and the
control environment gained in previous sections of the guide, and exercise
professional judgment, with an appropriate level of professional
skepticism, and evaluate the reasonableness of the legitimate government
need determination.

Prepurchase approvals were found in up to 98 percent of purchase card
transactions tested in a recent GAO audit.

Auditors questioned whether a valid need had been identified, when "to get
enough goodies for everyone" 80 Palm Pilots costing $30,000 were purchased
and inventoried to be issued to personnel when requested.


Screening for required vendors provides the organization with reasonable
assurance of compliance with laws and regulations related to statutory
sources of supply. One such regulation is the Federal Acquisition
Regulation (FAR) Part 8, Required Sources of Supplies and Services. This
regulation generally requires federal agencies to purchase supplies,
services, and printing, from designated sources (e.g., Federal Prison
Industries, the National Institute for the Blind, the National Institute
for the Severely Handicapped, the Government Printing Office). Auditors
should be aware of these and other laws, regulations, contractual
agreements, and policies and procedures, which direct the organization to
acquire goods and services from sources such as GSA schedules and
contracts, blanket purchase agreements, and single source suppliers.
Auditors should also be aware of exceptions provided to these and other
requirements, generally having to do with practicality and availability.

Documentation evidencing screening for required vendors should be obtained
and reviewed including (1) a purchase log, required by policy by some
organizations, (2) other documents evidencing appropriate screening, and
(3) a waiver or other documentation of the applicability of exceptions
made to required sources of supply. Attributes to consider evaluating
include (1) the date and cardholder signature or initial for screening,
compared to the transaction date, and (2) the date and appropriate
signature on waiver of purchase from required sources, compared to the
transaction date. Professional skepticism should be exercised when
evaluating the appropriateness of any exceptions to required sources of
supply.

Independent (someone other than the cardholder) receipt and acceptance of
goods and services provides reasonable assurance that the organization
actually received what it is paying for. The inclusion of independence in
the receipt and acceptance activity significantly strengthens the control
by adding segregation of duties to the activity. In purchase card
programs, the cardholder is usually responsible for verifying that
independent receipt and acceptance has occurred before completing the
reconciliation activity discussed below.

Documentation evidencing independent receipt and acceptance (e.g., a
signature or initial on the vendor invoice, receipt, or shipping document)
should be obtained and reviewed including (1) the vendor invoice, (2) the
shipping, receiving, and/or warehouse receipt for goods or services
provided, and (3) the relevant cardholder billing statement. Attributes to
consider evaluating include (1) the date of signed receipt, compared to
the purchase date and cardholder reconciliation date, (2) the signature or
initial, evidencing receipt by someone other than the cardholder, (3)
notations (e.g., tick marks) indicating verification of quantities for
appropriate purchases, (4) the invoice amount, compared to cardholder
billing statement amount, and (5) the invoice item description(s) and
quantity, compared to receiving document description(s) and quantity.

Despite laws and regulations requiring priority be given to certain
required vendors, a recent GAO audit found failure rates in this control
ranging from 70 to 90 percent of purchases tested.

Two related organizations could not demonstrate independent receipt and
acceptance for about $27.4 million in purchased goods and services.


Physical control and accountability over pilferable and other vulnerable
property acquired by the purchase card, which is initiated at the purchase
card transaction level, provides reasonable assurance to the organization
that pilferable property (i.e., an item that is portable and can be
easily converted to personal use) is appropriately recorded and
asset-safeguarding control is established at the time of purchase and
receipt. Organizational requirements for this activity may vary with the
volume, value, and sensitivity of pilferable property acquisitions.
Control activities required of the cardholder should include initially
identifying the pilferable property requiring asset control, notifying
appropriate property management personnel within the organization of the
acquisition, and supplying the information required to establish a record
in the property control system. Audit procedures should include
verification of the record in the property control system, and can be
extended to physical inspection and/or verification that the property is
in the possession of the government. Documentation evidencing performance
of this activity should be obtained and reviewed, including (1) the vendor
invoice, (2) evidence of independent receipt and acceptance, discussed
above, (3) the cardholder's billing statement, (4) the cardholder's
notification of pilferable property, submitted to property control system
personnel, (5) the property control system record, and (6) if they are not
evident in the existing transaction document, the auditor should obtain
item serial number(s) directly from the supplier or manufacturer.
Attributes to consider evaluating include (1) the vendor invoice's
quantity, description, and unique identifying number(s), such as a serial
number (considered a critical attribute for this control), compared to
those attributes in the property control system record, (2) the date of
purchase (sale date on the cardholder's statement), compared to the date
of signed receipt, the date of cardholder notification to appropriate
property personnel, and the date of property record entry, and (3) the
property control system's description, assigned property number (e.g.,
bar code number), property item unique identifying number (e.g., serial
number), and location, compared to those same attributes from a physical
inspection and/or independent verification that the accountable property
is in the possession of the government.

Of 114 tested purchases of accountable property acquired with purchase
cards, 60 (53 percent) were not recorded in property records, and 35 (31
percent) could not be located.

Cardholder reconciliation provides the organization with reasonable
assurance that all transactions appearing on the cardholder's billing
statement are appropriate charges for goods and services purchased for and
received by the organization. Much the same as individuals reviewing their
personal credit card statements to assure themselves that the purchases
and amounts included were actually made by them, government purchase
cardholders should perform no less than that level of review. Cardholder
reconciliation is the process of the cardholder gathering, reviewing, and
providing the documentation to support that each purchase transaction
appearing on the cardholder's billing statement is an appropriate,
legitimate government purchase. The cardholder is responsible for
identifying purchase card transactions that are unauthorized or that
otherwise should not be paid by the government. The cardholder should
promptly dispute unauthorized charges appearing in the cardholder's
billing statement with the bank service provider. For those charges for
which the cardholder is unable to verify independent receipt and
acceptance, the auditor should look for evidence of either a credit by the
vendor or a formal dispute filed with the bank service provider.

The cardholder reconciliation and/or the approving official review and
certification for payment may be accomplished either manually or
electronically. The electronic system may not require a signature or date,
and may leave little or no audit trail of the application of control
activities to billing statements and/or individual transactions. The
auditor should obtain, review, and use professional judgment and
skepticism in considering the value of electronic system-generated
reports and/or screen prints as audit evidence of actual performance,
when evaluating adherence with control activities. The attributes
described in this section remain relevant to audit considerations and
evaluations regardless of whether the cardholder reconciliation control
activity is performed manually or electronically. If the available
documentation is insufficient to evidence the actual performance of a
control activity, the selected purchase card transaction should be
considered as failing that activity. In this circumstance, the auditor may
consider it necessary to extend audit procedures to the general and
application controls of the electronic data processing (EDP) system, which
is outside the scope of this guide.

Documentation evidencing performance of cardholder reconciliation should
be obtained and reviewed including: (1) the monthly purchase cardholder
statement in a manual system, or other bank system-generated listing of
billing-period transactions in an electronic system, (2) the vendor
invoice, and (3) evidence of formal dispute (e.g., organizational
standard form) of unauthorized charges appearing on the cardholder's
billing statement. Attributes to consider evaluating include: (1) the
cardholder's reconciliation signature, (2) the date of reconciliation,
compared to organizational requirements, the approving official review,
and payment certification dates, (3) notations (e.g., tick marks, system
notes) indicating that all transactions on the statement were individually
reconciled, (4) the transaction date, amount, and vendor name on the
vendor invoice, compared to those same attributes on the cardholder's
statement, and (5) the transaction date and amount, and vendor name on
formal dispute documentation, compared to the same attributes on the
cardholder's statement. The auditor should consider following up on the
appropriate resolution of disputed items.

Tests of a statistical sample of purchase card transactions at four
related organizations disclosed little evidence of cardholder
reconciliation of purchases back to supporting documentation before
payment of the bill.


Approving official review of the cardholder's reconciliation process
provides reasonable assurance to the organization that the cardholder is
timely and appropriately performing the reconciliation and is complying
with all significant relevant controls to prevent or detect fraudulent,
improper, and abusive purchases. The review also provides a basis for the
approving official to accept responsibility that the purchases are
appropriate, legitimate government purchases before the billing statement
total is certified for payment. The approving official review, a critical
control activity in a government purchase card program, should include a
review of the cardholder reconciliation for timeliness and completeness
and for the appropriateness of the supporting documentation for individual
transactions. In evaluating the effectiveness of this control activity,
the auditor should consider (1) the extent of the approving official's
review of the supporting documentation for a cardholder's individual
transactions, and (2) the extent of documentation (e.g., tick marks,
system notes) of that review. To gain a better understanding of the extent
of the approving official's review of cardholder reconciliations, the
auditor may consider interviewing the approving official, in addition to
reviewing documentation evidencing the review process.

As discussed in the section on cardholder reconciliation, the approving
official review and the certification for payment may be accomplished
either manually or electronically. The auditor should obtain, review, and
use professional judgment and skepticism in considering the value of
electronic system-generated reports and/or screen prints as audit
evidence of actual performance when evaluating adherence with control
activities. The attributes described in this section remain relevant to
audit considerations and evaluations regardless of whether the approving
official review control activity is performed manually or electronically.
If the available documentation is insufficient to evidence the actual
performance of a control activity, the selected purchase card transaction
should be considered as failing that activity. In this circumstance, the
auditor may consider it necessary to extend audit procedures to the
general and application controls of the EDP system, which is outside the
scope of this guide.

Documentation evidencing performance of this activity should be obtained
and reviewed including (1) the cardholder's reconciliation documentation
as discussed above, (2) documentation of the approving official's review
of the cardholder's reconciliation, (3) the approving official's account
billing statement, and (4) documentation of the approving (or billing)
official's certification for payment of the balance on his/her account
billing statement. Attributes to consider evaluating include (1) the
approving official's review signature, (2) the date of the approving
official's review, compared to organizational policy requirements, the
date of the cardholder's reconciliation, and the date of the approving (or
billing) official's certification for payment, and (3) notations (e.g.,
tick marks, system notes) on cardholder's individual purchase card
transactions, evidencing the approving official's review and evaluation of
the appropriateness of the transactions and the documentation supporting
the cardholder's performance of other control activities.

Tests of a statistical sample of purchase card transactions at five
related organizations disclosed numerous instances of approving officials
certifying the bill for payment without review of cardholder
reconciliation or supporting documentation.


Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases

In addition to testing internal controls, GAO's purchase card methodology
includes procedures designed specifically to identify potentially
fraudulent, improper, and abusive purchase card transactions. Designing
and conducting procedures specifically for the purpose of detecting such
transactions serves multiple purposes, including the potential discovery
of a previously unrecognized risk in the program. Additionally, top
management will likely be more receptive to recommendations for corrective
actions when a face is put on the consequences of weak control, and the
effects are illustrated by instances of fraudulent, improper, and abusive
purchases. GAO's methodology described in this guide is a two-step
process similar to the process of selecting transactions and testing
controls. It entails the pursuit of fraudulent, improper, and abusive
purchases by (1) making nonrepresentative selections of transactions or
patterns of activity in a process referred to as data mining, and (2)
conducting follow-up procedures, rather than control tests, utilizing
forensic auditing techniques on selected transactions and on cases of
potentially fraudulent purchases detected during the audit process.

DATA MINING FOR DETECTION, ILLUSTRATION, AND DISCLOSURE

Data mining is the act of searching or "mining" data to identify
transactions or patterns of activity exhibiting predetermined
characteristics, associations, or sequences, and anomalies between
different pieces of information. Data mining produces leads for follow-up
by auditors and investigators; consequently the concept of data mining, as
used in this guide, also includes performing audit procedures and
investigations as necessary to evaluate the leads. An active continuous
data-mining program by organization management can also be used to
identify and initiate investigations of instances of potentially
fraudulent, improper, and abusive purchases, and can serve as an effective
deterrent to such transactions. Data mining, when conducted in concert
with the tests of control activities, can provide additional evidence of
significant instances of noncompliance with laws and regulations, such as
those discussed in the Relevant Laws and Regulations section of this
guide, and lack of adherence to internal control policies and procedures.
In addition, it can identify previously unrecognized or under-appreciated
risk in the program. Revelations by data-mining results can often generate
the upper management motivation necessary to bring about meaningful change
in policies and procedures. The results of data mining should also be
considered when evaluating the overall effectiveness of systems of
internal control over government purchase card programs. However, since
data mining is nonrepresentative, its results cannot be projected, and
conclusions should not be reached on the population of purchase card
transactions. GAO's approach to data mining is designed to support its
overall evaluation of the internal control of a government purchase card
program and to provide examples of the results of weakness in internal
control. That approach generally consists of:

identifying the population of transactions to data mine, identifying
criteria and designing search queries, and extracting or summarizing
transactions or patterns of activity from the population for further
analysis, selection, audit, and investigation.

The source of data for mining would generally be the same population as
the source used to select transactions for control tests. The same
population of transactions must be used if examples of control failures
detected by data mining are to be relevant to the population of
transactions and to the period covered by the control tests. This would
allow the results of data mining to be considered in the overall
evaluation of effectiveness of internal control.

An experienced credit card fraud investigator will bring valuable
perspective and insight, and should be involved in the process of
identifying criteria, associations, and characteristics for data mining
for fraudulent, improper, and abusive purchases. When identifying and
selecting data-mining criteria, the auditor should also consider the risks
of potentially fraudulent, improper, and abusive purchases, data-mining
criteria identified by the auditor during the preliminary assessment, and
the data-mining criteria discussed in the following examples.

The following examples of data-mining queries, summaries and/or
extractions are appropriate to support an evaluation of the internal
control of a government purchase card program as contemplated in this
guide, and are intended to be used to identify and extract potentially
fraudulent, improper, and abusive purchases from a transaction database.

Questionable vendors are those vendors who sell goods or services that
generally are not considered to meet a legitimate government need, or
which are restricted or prohibited by law, regulation, or policy. Recent
GAO audits of purchase card programs have identified potentially
fraudulent, improper, and abusive purchases of goods and services from
vendors such as restaurants, grocery stores, casinos, clothing or luggage
stores, home furnishings, personal electronics, pornographic or sexually
oriented goods or services (e.g., escort services), automobile dealers,
and gasoline service stations. The understanding gained of the
organization's operations, in accordance with a previous section of this
guide, should provide the insight necessary to make preliminary
identification of vendors selling goods and services which likely do not
meet a legitimate government need. The following are examples of ways to
identify, extract, and select purchases from these vendors.

Data mining of purchase card transactions at five related organizations
disclosed numerous purchases of items for personal use including digital
cameras, computers, clothing, and food.

By name: Questionable vendors, who can be expected to sell unneeded or
prohibited goods or services, can be identified by name. This can be
accomplished by manually reviewing a comprehensive list of vendor names
extracted and sorted alphabetically from the population database. The
selection process can be greatly enhanced by including selected summarized
data by vendor name (e.g., number of transactions, dollars of purchases,
number of cardholders making purchases). For example, because of the goods
and services provided by vendors specializing in toys, stylish personal
calendar/planners, and consumer electronics, purchases from them have a
high likelihood of being potentially fraudulent, improper, or abusive.

By merchant category code (MCC): Questionable vendors can be identified by
using MCC codes (standard codes that the credit card industry maintains to
categorize merchants) assigned to vendors that may sell personal or
prohibited goods or services. Purchase card transactions carrying the
identified codes can then be extracted from the population database.
Sorting and/or summarizing the extracted transactions by vendor may
further enhance the selection processes. Organizations have the ability to
block purchases from vendors with selected MCC codes at the bank service
provider. Ideally, any attempt to charge a purchase from a vendor with a
blocked MCC code should be automatically rejected at the point of
purchase. However, auditors should be aware that (1) vendors may
circumvent this control by providing false or misleading information and
obtaining an MCC code intended to disguise the types of goods or services
provided by the vendor, and (2) bank service providers do not always
reject purchase card transactions with blocked vendor MCC codes.

All transactions associated with the identified vendor names and/or MCC
codes should be considered potentially fraudulent, improper, and abusive
and extracted into a questionable vendor transactions database(s) for
further selection and follow-up.

Weekend and holiday purchases, in the operations of a normal governmental
organization, could also offer a high probability of identifying
potentially fraudulent, improper, and abusive transactions. However, using
this approach to select transactions would not be effective if the
organization's operations routinely involve weekend and holiday purchasing
activity. During the previously discussed process of gaining an
understanding of the organization's operations, the auditor should look
for and be aware of this and similar exceptions to normal operations when
designing data-mining criteria. Purchase card transactions on weekends
and holidays within the audit period should be identified and extracted
into a suspect date transactions database for further selection.

A recent GAO audit disclosed a purchase card transaction with a prohibited
escort service vendor. The bank service provider had accepted the
transaction despite the blocked vendor MCC code.

GAO testified that approximately $12,000 in potentially fraudulent
cardholder purchases including an Amana range, Compaq computers, gift
certificates, groceries, and clothes occurred primarily between December
20 and 26, 1999.


Split transactions are two or more transactions that would have normally
been a single-purchase transaction, but were split to circumvent the
micropurchase threshold (generally $2,500) or other legal or internal
control single-purchase limit(s). For purposes of identifying sets of
potential split transactions, all purchase card transactions in the audit
period that meet the following criteria can be extracted into a potential
split transactions database for further analysis:

- the transactions are with the same vendor, and
- the transaction dates are on the same day, and
- the transactions total in excess of $2,500, and
- the transactions are by the same cardholder, or
- the transactions are by the same activity/department. (Broadening the
  selection criteria to the same activity/department considers the
  potential for collusion among cardholders to circumvent single-purchase
  limits.)

A nonrepresentative selection of transactions can then be made from the
potential split transactions database and submitted to the follow-up
procedures described in the Follow-up and Investigation section of this
guide. For purposes of determining circumvention of single-purchase
limits, all applicable limits should be considered (e.g., micropurchase,
cardholder organization authorized single-purchase limit, bank service
provider system cardholder control single-purchase limit).
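
The split-transaction criteria above, as an added example in Python (not code from the guide or from GAO): it groups purchases by vendor and day, once per cardholder and once per activity/department, and reports groups of two or more transactions whose total exceeds the lowest applicable single-purchase limit. The record fields, the vendor-name clean-up, the exclusion of credits, and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# "Generally $2,500" per the guide; pass another value if a different limit applies.
MICROPURCHASE_THRESHOLD = Decimal("2500.00")


@dataclass(frozen=True)
class Txn:
    txn_id: str
    cardholder: str
    department: str      # the guide's "activity/department"
    vendor: str
    txn_date: date
    amount: Decimal


@dataclass(frozen=True)
class SplitLead:
    scope: str           # "cardholder" or "department"
    who: str
    vendor: str
    txn_date: date
    total: Decimal
    limit: Decimal
    txn_ids: tuple


def normalize_vendor(name):
    # Assumption: vendor names differ only in case and spacing. Real bank
    # feeds usually need more clean-up (store numbers, city suffixes).
    return " ".join(name.upper().split())


def find_potential_splits(txns, cardholder_limits=None,
                          default_limit=MICROPURCHASE_THRESHOLD):
    """Return potential split-transaction sets as leads for follow-up.

    cardholder_limits optionally maps a cardholder to a single-purchase
    limit; the lowest limit applying to anyone in a group is used.
    """
    limits = cardholder_limits or {}
    groups = defaultdict(list)
    for t in txns:
        if t.amount <= 0:
            continue  # assumption: credits and refunds are not purchases
        vendor = normalize_vendor(t.vendor)
        groups[("cardholder", t.cardholder, vendor, t.txn_date)].append(t)
        groups[("department", t.department, vendor, t.txn_date)].append(t)

    leads = []
    for (scope, who, vendor, day), group in groups.items():
        holders = {t.cardholder for t in group}
        if len(group) < 2:
            continue  # a split needs two or more transactions
        if scope == "department" and len(holders) < 2:
            continue  # identical to a cardholder-level group already checked
        # Consider all applicable limits: the micropurchase threshold and any
        # lower single-purchase limit held by a cardholder in the group.
        limit = min([default_limit] + [limits[h] for h in holders if h in limits])
        total = sum((t.amount for t in group), Decimal("0"))
        if total > limit:
            ids = tuple(sorted(t.txn_id for t in group))
            leads.append(SplitLead(scope, who, vendor, day, total, limit, ids))
    return sorted(leads, key=lambda ld: (ld.txn_date, ld.vendor, ld.scope, ld.who))


# Constructed sample transactions (not taken from the guide).
SAMPLE_TXNS = [
    Txn("T1", "alice", "FAC", "ACME FURNITURE", date(2002, 9, 10), Decimal("2400.00")),
    Txn("T2", "alice", "FAC", "Acme  Furniture", date(2002, 9, 10), Decimal("2300.00")),
    Txn("T3", "alice", "FAC", "ACME FURNITURE", date(2002, 9, 11), Decimal("2000.00")),
    Txn("T4", "bob", "IT", "EXAMPLE TELECOM", date(2002, 9, 12), Decimal("1500.00")),
    Txn("T5", "carol", "IT", "EXAMPLE TELECOM", date(2002, 9, 12), Decimal("1400.00")),
    Txn("T6", "dave", "HR", "EXAMPLE SUPPLY", date(2002, 9, 15), Decimal("600.00")),
    Txn("T7", "dave", "HR", "EXAMPLE SUPPLY", date(2002, 9, 15), Decimal("500.00")),
    Txn("T8", "alice", "FAC", "ACME FURNITURE", date(2002, 9, 10), Decimal("-2300.00")),
]

if __name__ == "__main__":
    # dave holds a constructed $1,000 single-purchase limit in this run.
    for lead in find_potential_splits(SAMPLE_TXNS, {"dave": Decimal("1000.00")}):
        print(lead.scope, lead.who, lead.vendor, lead.txn_date,
              lead.total, "limit", lead.limit, lead.txn_ids)
```

The output is a set of leads, not findings: as the guide notes, data-mining selections are nonrepresentative and each set still goes through follow-up.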

Transactions of unusual amounts or relationships may be fraudulent,
improper, or abusive. The auditor should review the database for the
existence of unusual purchase card transaction amounts, patterns, and
relationships. Examples of such transactions include:

frequent amounts with the same vendor just under the micropurchase
threshold which, for example, may indicate that a vendor is exploiting
weak controls and charging for goods or services that are not being
provided or rendered; and

multiple transactions for the same amount which, for example, may indicate
intentional or unintentional duplicate billings for the same goods or
service.

Purchase card transactions in the audit period for unusual amounts or
relationships should be extracted into an unusual-transactions database
for further selection.

Year-end spending may include purchases for which there is not a
legitimate government need (e.g., bulk purchases of computer or
electronic equipment). All purchase card transactions that exceed an
established larger dollar value (e.g., $25,000) and occur in the last
month of the fiscal year can be extracted into a year-end transactions
database for further selection.

Data mining purchases at five related organizations disclosed numerous
occurrences of purchases split to circumvent the $2,500 micropurchase
threshold, including $16,000 for furniture for an approving official's
office.

An organization approved and paid 75 purchase card transactions, all close
to the micropurchase threshold, totaling $164,000, with a
telecommunications contractor. The organization could not provide
documentation of the nature or of receipt and acceptance of the services
provided. After completing follow-up, GAO referred this case for criminal
investigation.

An organization used year-end funds to purchase computers and monitors
costing $47,372. Nine months later over half of the computers remained in
storage, raising questions of a legitimate need when purchased.

Purchase card transactions by vendor for the audit period can be
summarized to provide statistical data such as:

the number of cardholders making acquisitions with a vendor,

the number of transactions with a vendor, and

the dollar volume of transactions with a vendor.

A critical analysis of the resulting vendor transaction summary totals,
and their relationships, can identify opportunities for further data
mining. Vendor summary totals at the extremes of activity, both high and
low, warrant special attention. A vendor with only one or two cardholders
making purchases, particularly if the dollar volume is high, may indicate
a conflict of interest or fraudulent (e.g., kickbacks), improper, or
abusive transactions. High dollar volumes of purchases may indicate a
vendor with whom the government should have a discounted price agreement.
A vendor with only one transaction might indicate a questionable
legitimate government need. If these summaries are accomplished utilizing
a software audit tool, the individual purchase card transaction detail
underlying each vendor's summary totals will usually be available,
facilitating further review and selection.
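The data-mining criteria described above (potential split transactions, amounts just under the micropurchase threshold, repeated amounts, large year-end purchases, and the per-vendor summary), as an added Python example that is not part of the GAO guide. The record layout, the sample transactions, the 5 percent band, the minimum count of three, the $5,000 volume floor and a fiscal year ending in September are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    cardholder: str
    department: str
    vendor: str
    day: date
    amount: Decimal


def txn(txn_id, cardholder, department, vendor, day, amount):
    return Txn(txn_id, cardholder, department, vendor,
               date.fromisoformat(day), Decimal(amount))


# Constructed sample transactions (illustrative only, not from the guide).
SAMPLE = [
    txn("T01", "CH-A", "D1", "V-FURN", "2002-03-04", "1900.00"),
    txn("T02", "CH-A", "D1", "V-FURN", "2002-03-04", "1800.00"),
    txn("T03", "CH-B", "D2", "V-TELE", "2002-05-10", "2400.00"),
    txn("T04", "CH-C", "D2", "V-TELE", "2002-05-10", "2450.00"),
    txn("T05", "CH-B", "D2", "V-TELE", "2002-06-11", "2490.00"),
    txn("T06", "CH-D", "D3", "V-SUPP", "2002-07-01", "312.50"),
    txn("T07", "CH-D", "D3", "V-SUPP", "2002-07-15", "312.50"),
    txn("T08", "CH-E", "D3", "V-COMP", "2002-09-27", "47372.00"),
    txn("T09", "CH-E", "D3", "V-COMP", "2002-08-02", "26000.00"),
    txn("T10", "CH-A", "D1", "V-SUPP", "2002-04-02", "120.00"),
]


def split_candidates(txns, limit=Decimal("2500"), by="cardholder"):
    """Same vendor, same day, same cardholder (or department), total > limit.

    Run once per applicable limit; by="department" is the broadened
    criterion that also catches purchases spread across cardholders.
    """
    groups = defaultdict(list)
    for t in txns:
        groups[(getattr(t, by), t.vendor, t.day)].append(t)
    return {key: sorted(t.txn_id for t in grp)
            for key, grp in groups.items()
            if len(grp) > 1 and sum(t.amount for t in grp) > limit}


def near_threshold(txns, limit=Decimal("2500"), band=Decimal("0.05"),
                   min_count=3):
    """Vendors with min_count or more charges within `band` below the limit."""
    floor = limit * (1 - band)
    hits = defaultdict(list)
    for t in txns:
        if floor <= t.amount <= limit:
            hits[t.vendor].append(t.txn_id)
    return {v: ids for v, ids in hits.items() if len(ids) >= min_count}


def duplicate_amounts(txns):
    """Repeated identical amounts with one vendor (possible duplicate billing)."""
    seen = defaultdict(list)
    for t in txns:
        seen[(t.vendor, t.amount)].append(t.txn_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def year_end_large(txns, floor=Decimal("25000"), fy_last_month=9):
    """Charges above `floor` dated in the last month of the fiscal year."""
    return [t.txn_id for t in txns
            if t.amount > floor and t.day.month == fy_last_month]


def vendor_summary(txns):
    """Per vendor: (number of cardholders, number of transactions, dollars)."""
    holders = defaultdict(set)
    count = defaultdict(int)
    dollars = defaultdict(Decimal)
    for t in txns:
        holders[t.vendor].add(t.cardholder)
        count[t.vendor] += 1
        dollars[t.vendor] += t.amount
    return {v: (len(holders[v]), count[v], dollars[v]) for v in count}


def few_buyers_high_volume(txns, max_cardholders=2,
                           min_dollars=Decimal("5000")):
    """Vendors used by only one or two cardholders with a high dollar volume."""
    return sorted(v for v, (n, _, total) in vendor_summary(txns).items()
                  if n <= max_cardholders and total >= min_dollars)


if __name__ == "__main__":
    print("split, same cardholder:", split_candidates(SAMPLE))
    print("split, same department:", split_candidates(SAMPLE, by="department"))
    print("near threshold:", near_threshold(SAMPLE))
    print("duplicate amounts:", duplicate_amounts(SAMPLE))
    print("year-end:", year_end_large(SAMPLE))
    print("few buyers, high volume:", few_buyers_high_volume(SAMPLE))
```

Each function returns leads only; the transaction IDs it reports still go through the follow-up procedures before anything is reported or referred.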

Cardholders and/or their approving officials considered to have
suspicious activities might be identified as the result of following up on
previous data-mining transactions, a referral to an organizational fraud
hotline, previous audit findings, or other means. Purchase card
transactions for such cardholders and/or approving officials can be
extracted into separate transactions databases for further analysis.
Follow-up and investigation of these transactions can assist in
developing cases for referral to criminal investigation and prosecutorial
authorities.

Since the data being mined are usually contained in a database of
individual purchase card transactions, a software audit tool that
facilitates summaries, comparisons, and extractions of transactions and
data elements selected for follow-up is recommended. Several
over-the-counter audit tools of this type are available.

Using professional judgment and considering the understandings gained and
the results of the preliminary assessment, the auditor should select
transaction leads provided by data mining and submit them to the
procedures described in the Follow-up and Investigation section of this
guide.

FOLLOW-UP AND INVESTIGATION

Unless adequate follow-up procedures are accomplished, the auditor will
not have sufficient support to either report or refer the findings. The
concept of follow-up, as used in this guide, contemplates an extension of
audit procedures and documentation beyond those generally necessary to
test for adherence to internal control policies or performance of control
activities. GAO's approach to the follow-up process assesses purchase card
transactions in three incremental stages: (1) an initial evaluation of the
cardholder documentation supporting selected data-mined transactions for
the purpose of discerning potentially fraudulent, improper, and abusive
transactions, (2) the conduct of follow-up procedures discussed in this
section on those transactions, and (3) referral of any instance of
detected likely fraud to the appropriate criminal investigative personnel.

Because of the characteristics of fraudulent, improper, and abusive
purchases, the exercise of professional skepticism--an attitude that
includes a questioning mind and a critical assessment of audit evidence--
is especially important when following up on these purchase card
transactions.

Follow-up

The conduct of follow-up procedures utilizes forensic auditing
techniques. In the context of this guide, forensic auditing (follow-up)
contemplates increased scrutiny and documentation by the auditor of the
facts and circumstances (including judgments made and actions taken by
individuals party to the transaction) surrounding potentially fraudulent,
improper, and abusive transactions. In the instance of fraudulent purchase
card transactions, the follow-up process is designed to support a
subsequent criminal investigation. The auditor should consider consulting
with the appropriate fraud investigative staff when determining the
appropriate follow-up procedures for potentially fraudulent transactions
or cases detected through control tests or data mining. An experienced
purchase card fraud investigator can bring valuable perspectives and
insight to the follow-up process. Investigators may have procedures and
protocols that establish boundaries designed to preserve a successful
investigation and prosecution of a fraud within which the auditor's
follow-up and referral procedures should be constrained (e.g., cautions
against contacting and inadvertently alerting the vendor suspected of
fraud).

To begin the follow-up process for transactions selected by data mining
or other means, the auditor should obtain and review transaction
documentation similar to that obtained and reviewed in the tests of
transaction control activities (e.g., determination of legitimate
government need, vendor invoice, independent receipt and acceptance,
accountable property record, the cardholder billing statement). This
documentation should be analyzed to determine whether it supports a
preliminary conclusion of (1) an appropriate government transaction that
meets a legitimate government need, or (2) a potentially fraudulent,
improper, or abusive transaction.

Detected or selected potentially fraudulent transactions should always be
submitted to follow-up procedures. However, the auditor should use
professional judgment and consider the results of cardholder documentation
review, the overall objectives of pursuing fraudulent, improper, and
abusive purchases, and the overall objectives of the audit, in making a
decision to accomplish follow-up procedures for transactions detected
during tests for performance of control activities, and the transactions
selected in the data-mining process.

Professional judgment, inputs from qualified fraud investigators, and an
elevated level of professional skepticism should be exercised when
conducting follow-up procedures and evaluating: (1) justifications
offered for lack of adherence to policies and/or performance of control
activities, (2) additional supporting documentation provided, and (3)
unsupported representations made in interviews with program and
organization personnel. The following are intended as examples of
follow-up procedures, and are not a complete list of possible procedures.

Request additional documentation to (1) support adherence to internal
control policies or performance of control activities (e.g., legitimate
government need, independent receipt and acceptance, exception to
prohibited item purchases), (2) provide missing relevant details of the
transactions, (3) support authorization for an otherwise improper
purchase, or (4) document other issues significant or useful to the
process.

Interview the cardholder for explanation, clarification, and other
additional information concerning the transaction, and corroboration of
verbal representations made by others.

Interview the approving official for explanation, clarification, and other
additional information concerning the transaction, and corroboration of
verbal representations made by others.

Interview other organization personnel who may have been identified as
parties with corroborating or clarifying knowledge of the facts and
circumstances of the transaction (e.g., supervisors and coworkers).

Contact the vendor for clarification of the specifics of the transaction
(e.g., quantities, dates, time, description of goods or services
provided). Request copies of supporting documentation from the vendor,
especially when cardholder supporting documentation is missing.

Fraud investigative staff assisting in the follow-up, or gathering
evidence to make and prove specific allegations of wrongdoing, may be able
to provide other items (e.g., credit reports, criminal records) that can
provide additional insight to the follow-up process.

All interviews conducted as part of the follow-up process should be
documented in the audit work papers. At the conclusion of the follow-up
process, consider summarizing the facts, findings, and resolution or
disposition of the potentially fraudulent, improper, and abusive item in a
memorandum for inclusion in the work paper file. If at any time during the
follow-up process the auditor's professional judgment is that a
transaction is likely fraudulent, referral of the transaction to the
appropriate fraud investigative staff (e.g., inspectors general, military
service fraud investigation offices) should be immediately considered.

Fraud investigators provided relevant reports and information to GAO
auditors during follow-up on potentially fraudulent purchase card
transactions.

Referral for Investigation

Referral of a likely fraudulent government purchase card transaction or
case should be made to the appropriate federal criminal investigative
body. We made such referrals to GAO's Office of Special Investigations,
whose investigators have substantial experience in credit card fraud. The
referral should be accomplished in a written communication. That
communication would generally include, but not be limited to, the
following information:

the date of the communication,

the name of the referring organization,

the name and telephone number of the referring contact,

the organization and program under audit,

a description of the potentially fraudulent transaction or case (e.g.,
goods or services purchased, amounts paid, impropriety of the
transaction),

the reason(s) for concluding the transaction to be potentially
fraudulent,

the names and positions of the individuals involved (e.g., John Doe --
cardholder, Jane Doe -- vendor),

the date(s) of the purchase transaction,

a description of the indicators alerting the auditor to the potentially
fraudulent transaction (e.g., altered supporting documentation, personnel
interview, or record discrepancies), and

a statement as to whether the relevant documents (copies or originals) are
attached or are available (e.g., cardholder billing statement, vendor
invoice(s), follow-up interview(s)).

Appendixes

APPENDIX I -- SELECTED RELEVANT GAO REPORTS AND TESTIMONIES

Department of Education

Financial Management: Poor Internal Control Exposes Department of
Education to Improper Payments. GAO-01-997T. Washington, D.C.: July 24,
2001.

Education Financial Management: Weak Internal Controls Led to Instances of
Fraud and Other Improper Payments. GAO-02-406. Washington, D.C.: March
2002.

Department of Housing and Urban Development

Financial Management: Strategies to Address Improper Payments at HUD,
Education, and Other Federal Agencies. GAO-03-167T. Washington, D.C.:
October 3, 2002.

Department of Defense -- Army

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste,
and Abuse. GAO-02-732. Washington, D.C.: June 2002.

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste,
and Abuse. GAO-02-844T. Washington, D.C.: July 17, 2002.

Department of Defense -- Air Force

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to
Fraud, Waste, and Abuse. GAO-03-292. Washington, D.C.: December 2002.

Department of Defense -- Navy

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to
Fraud and Abuse. GAO-01-995T. Washington, D.C.: July 30, 2001.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to
Fraud and Abuse. GAO-02-32. Washington, D.C.: November 2001.

Purchase Cards: Continued Control Weaknesses Leave Two Navy Units
Vulnerable to Fraud and Abuse. GAO-02-506T. Washington, D.C.: March 13,
2002.

Purchase Cards: Navy Is Vulnerable to Fraud and Abuse but Is Taking Action
to Resolve Control Weaknesses. GAO-02-1041. Washington, D.C.: September
27, 2002.

Purchase Cards: Navy Vulnerable to Fraud and Abuse but Is Taking Action to
Resolve Control Weaknesses. GAO-03-154T. Washington, D.C.: October 8,
2002.

APPENDIX II -- SELECTED RELEVANT LAWS AND REGULATIONS

This appendix contains some of the laws and regulations and other guidance
that are applicable governmentwide to the federal government purchase card
program. Additional laws and regulations and other agency- or
organization-specific guidance may apply as well.

Establishment and operation of the purchase card program

GSA SmartPay(R) Master Contract
Treasury Financial Manual, Vol. I, Part 4-4500, "Government Purchase Cards"
41 U.S.C. § 426, Use of electronic commerce in Federal procurement
48 C.F.R. § 13.301(b), Governmentwide commercial purchase card
31 U.S.C. §§ 3901-3907, Prompt Payment Act
5 C.F.R. Part 1315, Prompt Payment

Procurement methods and standards

41 U.S.C. § 253, Competition requirements
41 U.S.C. § 403(11), Definitions
41 U.S.C. § 427, Simplified acquisition procedures
41 U.S.C. § 428, Procedures applicable to purchases below micropurchase
threshold
41 U.S.C. § 429, List of laws inapplicable to contracts not greater than
the simplified acquisition threshold in Federal Acquisition Regulation
48 C.F.R. § 1.603-3(b), Appointment
48 C.F.R. Part 2.101, Definitions
48 C.F.R. Part 8, Required Sources of Supplies and Services
48 C.F.R. Part 13, Simplified Acquisition Procedures

Purposes for which an organization's appropriations may be used

31 U.S.C. § 1301(a), "Purpose Statute"
Bona Fide Needs Rule, See, e.g. 68 Comp. Gen. 170, 171 (1989); 58 Comp.
Gen. 471, 473 (1979); 54 Comp. Gen. 962, 966 (1975)
3 Comp. Gen. 433 (1924), Comptroller General McCarl to the Secretary of
War
B-288266 (Jan. 27, 2003), Use of Appropriated Funds to Purchase Light
Refreshments at Conferences
72 Comp. Gen. 178 (1993), Matter of: Corps of Engineers -- Use of
Appropriated Funds to Pay for Meals
65 Comp. Gen. 738 (1986), Matter of: Refreshments at Awards Ceremony
64 Comp. Gen. 406 (1985), Matter of: Randall R. Pope and James L. Ryan --
Meals at Headquarters Incident to Meetings
B-289683 (Oct. 7, 2002), Matter of: Purchase of Cold Weather Clothing,
Rock Island District, U.S. Army Corps of Engineers
63 Comp. Gen. 245 (1984), Matter of: Purchase of Down-Filled Parkas

APPENDIX III -- EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE
(REQUEST THROUGH PAYMENT)

[Flow chart: Navy Purchase Card Process, from the cardholder's order with
the vendor through receipt and acceptance, statement reconciliation and
disputes, approving official certification, and DFAS payment to Citibank.]

Source: GAO-02-1041

Approving Official

If operating effectively, the approving official is responsible for
ensuring that all purchases made by the cardholders within his or her
cognizance are appropriate and that the charges are accurate. The
approving official is supposed to resolve all questionable purchases with
the cardholder before certifying the bill for payment. In the event an
unauthorized purchase is detected, the approving official is supposed to
notify the agency program coordinator and other appropriate personnel
within the command in accordance with the command procedures. After
reviewing the monthly statement, the approving official is to certify the
monthly invoice and send it to the Defense Finance and Accounting Service
(DFAS) for payment.

Cardholders

A purchase cardholder is a Navy employee who has been issued a purchase
card. The purchase card bears the cardholder's name and the account number
that has been assigned to the individual. The cardholder is expected to
safeguard the purchase card as if it were cash.

Designation of Cardholders

When a supervisor requests that a staff member receive a purchase card,
the agency program coordinator is to first provide training on purchase
card policies and procedures and then establish a credit limit and issue a
purchase card to the staff member.

Ordering Goods and Services

Purchase cardholders are delegated limited contracting officer ordering
responsibilities. As limited contracting officers, purchase cardholders do
not negotiate or manage contracts. Rather, cardholders use purchase cards
to order goods and services for their units and their customers as well.
Cardholders may pick up items ordered directly from the vendor or request
that items be shipped directly to an end user (requesters). Upon receipt
of purchased items, the cardholder is to record the transaction in his or
her purchase log and obtain documented independent confirmation from the
end user, the supervisor, or another individual that the items have been
received and accepted by the government. The cardholder is also to notify
the property book officer of accountable items received so that these
items can be recorded in the accountable property records.

Payment Processing

The purchase card payment process begins with receipt of the monthly
purchase card billing statements. Section 2784 of title 10, United States
Code, requires DOD to issue regulations that ensure that purchase
cardholders and each official with authority to authorize expenditures
charged to the purchase card reconcile charges with receipts and other
supporting documentation before paying the monthly purchase card
statement. NAVSUP Instruction 4200.94 states that upon receipt of the
individual cardholder statement, the cardholder has 5 days to reconcile
the transactions appearing on the statement by verifying their accuracy to
documentation supporting the transactions and to notify the approving
official in writing of any discrepancies in the statement. In addition,
under NAVSUP Instruction 4200.94, before the credit card bill is paid, the
approving official is responsible for (1) ensuring that all purchases made
by the cardholders within his or her cognizance are appropriate and that
the charges are accurate and (2) the timely certification of the monthly
summary statement for payment by DFAS. The instruction further states that
within 5 days of receipt, the approving official must review and certify
for payment the monthly billing statement, which is a summary invoice of
all transactions of the cardholders under the approving official's
purview.

The approving official is instructed to presume that all transactions on
the monthly statements are proper unless notified in writing by the
purchase cardholder to the contrary. However, the presumption does not
relieve the approving official from reviewing the statements for blatantly
improper purchase card transactions and taking the appropriate action
before certifying the invoice for payment. In addition, the approving
official is responsible for forwarding disputed charge forms for
submission to Citibank for credit. Under the Navy's task order, Citibank
allows the Navy up to 60 days after the statement date to dispute invalid
transactions and request a credit.

Upon receipt of the certified monthly purchase card summary statement, a
DFAS vendor payment clerk is to (1) review the statement and supporting
documents to confirm that the prompt-payment certification form has been
properly completed and (2) subject it to automated and manual validations.
DFAS effectively serves as a payment processing service and relies on the
approving-official certification of the monthly bill as support to make
the payment. The DFAS vendor payment system then batches all of the
certified purchase card payments for that day and generates a tape for a
single payment to Citibank by electronic funds transfer.

APPENDIX IV -- EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART

Navy Purchase Card Program Management Structure, September 2001

Department of Defense Purchase Card Program Management Office

Department of Navy eBusiness Operations Office, Navy Agency Program
Coordinator

Major commands (each with a Major Command Agency Program Coordinator) and
the units shown under them:

Major command              Area              Agency Program    Approving  Cardholders
                                             Coordinators at   Officials
                                             Subordinate Units
Atlantic Fleet             Norfolk, VA       98                286        769
Pacific Fleet              San Diego, CA     66                168        417
Naval Sea Systems Command  Norfolk, VA       10                78         235
U.S. Marine Corps          Camp Lejeune, NC  15                173        496

Source: GAO analysis of Navy purchase card program organization.

APPENDIX V -- EXAMPLE AUDIT PROGRAM

Government Purchase Card Program

Example Internal Control Performance Audit Program

Program Overview

This is an example only audit program, and should be tailored to meet the
requirements of the individual organization's purchase card program. The
approaches, methodologies, and concepts applied in this example, and the
accompanying audit guide, are appropriate for use by management oversight
personnel as well as internal and external auditors.

To facilitate ongoing internal control monitoring efforts by management,
sections C and D can be performed independently of each other, and section
D can be applied on a continuous basis.

A Gain Necessary Understandings

A1 Understand the risk of fraudulent, improper, and abusive purchases

A2 Understand internal control

A3 Understand the relevant laws and regulations

A4 Understand the organization and purchase card program operations

A5 Understand and assess key elements of the control environment

B Preliminarily Assess the Adequacy of Designed Control Activities

B1 Identify risks and control activities, and assess the adequacy of
designed control activities

B2 Determine the effects of the assessment on the design of performance
tests and the identification of potential data-mining criteria

C Test Adherence to Policies and Performance of Control Activities

C1 Obtain transaction data for transaction-level testing

C2 Select purchase card transactions

C3 Obtain data evidencing performance of control activities

C4 Test key control activities

D Pursue Fraudulent, Improper, and Abusive Purchases

D1 Data mine to identify potentially fraudulent, improper, and abusive
purchase card transactions

D2 Follow-up on selected purchase card transactions and refer likely
fraud for investigation

Government Purchase Card Program
Example Internal Control Performance Audit Program

Page ___ of ___

Sec #    Audit Steps    Work Paper Reference    Initial / Date Completed

This is an example only audit program, and should be tailored to meet the
requirements of the individual organization's purchase card program. The
approaches, methodologies, and concepts applied in this example, and the
accompanying audit guide, are appropriate for use by management oversight
personnel as well as internal and external auditors.

Organization Name:
Audit Period/Scope:
Auditor/Manager in Charge:
Other:

A -- Gain Necessary Understandings

A1 Understand the risk of fraudulent, improper and abusive purchases

1.0 Obtain and review relevant reports on audits of internal control over
government purchase card programs. (See app. I of this guide for a list of
GAO reports.)

2.0 Obtain and review recent reports on audits of internal control over
the organization's purchase card program, and:

    determine management's response to findings and recommendations, and

    determine the status of corrective actions taken by management.

3.0 Review the "Understanding the Purchase Card Program -- The Risk of
Fraudulent, Improper, and Abusive Purchases" section of this guide, and

3.1 Obtain and review detail summaries prepared by the organization's
fraud investigative personnel (e.g., inspector general) of all purchase
card fraud detected within the prior ___________ (e.g. 2 years).

A2 Understand internal control

1.0 Obtain and review:

    GAO/AIMD-00-21.3.1 Standards for Internal Control in the Federal
    Government (Green Book)

    GAO-01-1008G Internal Control Management and Evaluation Tool, and

    GAO/AFMD-8.1.2 Guide for Evaluating and Testing Controls Over
    Sensitive Payments.

2.0 Review the "Understanding the Purchase Card Program -- Internal
Control and the Control Environment" section of this guide.

A3 Understand the relevant laws and regulations

1.0 Obtain and review laws and regulations relevant to the government's
purchase card program. (See app. II of this guide for a list of selected
relevant federal laws and regulations.)

2.0 Review the "Understanding the Purchase Card Program -- Relevant Laws
and Regulations" section of this guide.

A4 Understand the organization and purchase card program operations

1.0 To facilitate the following and subsequent audit procedures, the
auditor and program oversight personnel should establish contact with
management personnel at both:

    the organization's purchase card program, and

    the bank purchase card service provider.

The organization's operations

2.0 Obtain and review the organization's written policies and procedures
describing their operations and activities. Such documents might include:

    mission statement(s) and/or activity descriptions, and

    operational policies, procedures, or instructions.

(The auditor should review these and other relevant documents, which when
considered with subsequent personnel interviews serve to provide an
understanding of the current mission-related operations and activities of
the organization.)

2.1 Identify and interview selected organization personnel for the
purpose of supplementing and clarifying the auditor's understanding of the
organization's mission and/or operating activities.

The organization's purchase card program

3.0 Obtain and review the organization's written policies and procedures
describing and controlling their purchase card program. Such documents
might include:

    purchase card program policies, procedures, or instructions, and

    contractual agreement with the bank service provider.

(The auditor should review these and other relevant documents, which when
considered with subsequent personnel interviews and walkthroughs should
serve to provide and/or reinforce an understanding of the current
operations of the purchase card program.)

4.0 Identify and interview selected purchase card program personnel,
including personnel from the following categories, for the purpose of
supplementing and clarifying the auditor's understanding gained from
review of the organization's written policies and procedures:

    purchase cardholders,

    approving officials, and

    program coordinator.

5.0 Determine and document the organization's policies and procedures
(or control activities) related to the control environment, including the
following key areas:

5.1 Span of control, also:

    determine the current total number of cardholders at the
    organization, and

    determine the current total number of approving officials at the
    organization.

5.2 Financial exposure, also:

    determine whether and how the organization initially and
    periodically verifies that purchase cards are issued to, and continue
    to be held by, individuals who need one to perform their assigned
    duties, and

    determine whether and how the organization initially and
    periodically determines that cardholder and approving official credit
    limits are appropriate to their needs.

5.3 Training, also:

    determine how and when the organization provides and documents
    initial and refresher training for cardholders, approving officials,
    and agency/organization program coordinators.

5.4 Discipline, also:

    determine the organization's process for investigating allegations of
    fraudulent purchase card activity, and

    determine how the organization decides and documents disciplinary
    actions taken for lack of adherence to internal control policies and
    performance of control activities.

5.5 Purchasing and reviewing authorities for cardholders and approving
officials, also:

    determine how the organization approves and documents purchasing
    credit and single transactions limits for cardholders, and

    determine how the organization approves and documents cardholder
    review responsibility and payment authorization credit limits for
    approving officials.

6.0 Determine and document the organization's policies and procedures
(or control activities) related to purchase card transactions, including
the following key areas:

6.1 determining a legitimate government need prior to making the
purchase;

6.2 requiring and documenting independent receipt and acceptance of goods
and services;

6.3 establishing physical control and accountability over pilferable and
other vulnerable property;

6.4 process and documentation requirements for cardholder reconciliation
of monthly purchase card statements; and

6.5 process and documentation requirements for approving official review
and approval for payment of assigned cardholders' monthly purchase card
transactions.

7.0 Determine and document the organization's policies and procedures
(or control activities) related to management's risk assessment.

8.0 Determine and document the organization's policies and procedures (or
control activities) related to information and communications.

9.0 Determine and document the organization's policies and procedures (or
control activities) related to monitoring, including the following key
areas.

9.1 Agency/organization program coordinator's routine audits of internal
control over the organization's purchase card program.

9.2 Bank service provider management reports: what reports are provided,
who gets the reports, and what are they used for.

9.3 Internal review (or similar function) evaluation of internal control
and the effectiveness of the organization's purchase card program.

10.0 Identify the computer-based controls that the organization has
established over the purchase card program, including those:

10.1 over the payment of monthly purchase card bills,

10.2 designed to prevent duplicate payments, and

10.3 designed to prevent unauthorized access to purchase card transaction
and master file information.

11.0 Perform a walk-through of one or more selected purchase card
transactions to confirm the understandings of:

    the flow of a typical purchase card transaction, and

    the system of internal control (including control activities).

11.1 Obtain examples of documentation evidencing the performance of all
key control activities.

12.0 Using the knowledge gained from:

    reviews of written policies and procedures,

    interviews with program personnel, and

    walkthroughs of purchase card transactions:

develop a flowchart and narrative which depict and explain the typical
purchase card transaction process from request to payment. Include routine
exceptions, such as disputed transactions and late receipts. Highlight and
discuss all key controls in the process.

12.1 Discuss the flowchart with appropriate purchase card program office
personnel and obtain their concurrence with the process flow and key
controls.

The bank service provider

13.0 Obtain and review documents describing the bank service provider's
policies and procedures controlling the operation and interface of the
purchase card program with the organization. Such documents might include:
operational policies, procedures, or instructions; and purchase card
program training manuals or instructions.

14.0 Identify and interview selected bank service provider personnel,
including personnel from the following categories, for the purpose of
supplementing and clarifying the auditor's understanding gained from
review of the operation and control documents: program operations,
customer service representative, and fraud detection and investigation.

15.0 Obtain a database of purchase card transactions for the period or
scope of the audit. Obtain and agree control totals from an independent
source to the purchase card transactions database (see step C1-1.0).

16.0 Obtain a listing of program reports available from the bank provider
and:

16.1 gain an understanding of the information contained in the reports and
their intended use,

16.2 compare the list to the reports being obtained and used by the
organization, and

16.3 identify and request the available reports which facilitate the
auditor's determination of adherence to control environment policies
(e.g., span of control, financial exposure).

A5 Understand and assess key elements of the control environment

1.0 Based on the understandings gained through document reviews and
personnel interviews, preliminarily assess management's operating
philosophy and attitude (i.e., tone at the top) as having a positive or
negative effect on internal control across the organization.

2.0 Obtain data (e.g., electronic reports and data files) from the bank
service provider and/or the organization, necessary to perform tests of
the following key elements of the control environment.

2.1 Test the following key elements of the control environment for
adherence to internal control policies on an organization-wide (macro
level):

2.2 span of control, and

2.3 financial exposure.

2.4 Document for inclusion in the workpapers the results of the evaluation
process, and the preliminary conclusions of the effect of these elements
of the control environment on the effectiveness of internal control.

3.0 Obtain data from the organization necessary to perform tests of
controls for the following key elements of the control environment (see
step C3-1.4). Data should be obtained for each cardholder and approving
official on transactions selected for control activity testing.

3.1 Test the following key elements of the control environment in
conjunction with tests of transaction-level control activities (see step
C4-2.0): training, discipline, and purchasing and reviewing authorities.

3.2 Document for inclusion in the workpapers the results of the evaluation
process, and the preliminary conclusions of the effects of these elements
of the control environment on internal control.

4.0 Upon completion of testing of all the key elements of the control
environment, prepare a summary memorandum for inclusion in the workpapers
on the auditor's conclusion of the overall effect of tone at the top, span
of control, financial exposure, training, discipline, and purchasing and
reviewing authorities on the control environment, and on the overall
effectiveness of internal control.

B - Preliminarily Assess the Adequacy of Designed Control Activities

B1 Identify risks and related designed control activities, and assess the
adequacy of those activities

1.0 Identify and list the significant risk/opportunities of fraudulent,
improper, or abusive and questionable transactions in the organization's
purchase card program. Such risks can be control environment related
(e.g., span of control, training), purchase transaction related (e.g., no
legitimate government need, inadequate approving official review), or
related to other significant areas (e.g., monitoring).

2.0 Identify the internal control policy and procedure (control activity)
designed to prevent or promptly detect each above significant
risk/opportunity.

3.0 For each significant risk identified, preliminarily assess, as (1)
strong, (2) weak, or (3) ineffective (including nonexistent), the likely
effectiveness of the related designed control activities (if in place and
operating) to provide management with reasonable assurance that
significant fraudulent, improper, and abusive purchase card transactions
will be prevented or promptly detected.

B2 Determine the effects of the assessment on the design of performance
tests and the identification of potential data-mining criteria

1.0 For each above risk/opportunity control activity relationship
evaluated, determine their effect on the design of audit tests for
adherence to policies and/or performance of control activity.

2.0 For each above risk/opportunity control activity relationship
evaluated, consider potential criteria for data mining identified, if any.

3.0 Consider documenting for the audit work papers: the identification of
each risk/opportunity, the related control activities, the preliminary
assessment of effectiveness, the effects of the assessment on the design
of tests for adherence to control policies and performance of control
activities, and the identification of potential data-mining criteria.

C - Test Adherence to Policies and Performance of Control Activities

C1 Obtain transaction data

1.0 Obtain a database (the population) of purchase card transactions for
the audit scope or period, and

1.1 verify its completeness by agreeing control totals to an independent
source (e.g., bank service provider, organization records) (see step A4
15).

C2 Select purchase card transactions

1.0 Consider the: understandings gained of the operations of the
organization and the purchase card program, the designed internal control
policies and procedures, and the results of the preliminary assessment of
the adequacy of internal control, and determine whether to use statistical
(recommended) or nonstatistical sampling in selecting transactions. If a
statistical sample selection is to be made, have a statistician design the
sample.

1.1 Document the significant considerations made and conclusions reached
in a detailed sampling plan for inclusion in the work papers, to include
the following: the reasons that a sample was developed, the type of sample
(e.g., statistical or nonstatistical) and sampling method (e.g., random)
being used, a description of the population (e.g., nature, data elements,
source, control totals), the sample design (e.g., confidence level, strata
criteria, number of items and/or dollars in population and strata, sample
size by strata and population) selected along with a discussion of the
factors considered and conclusion reached, guidelines about the types of
evidence and attributes the auditor(s) will accept as clear evidence of
performance of control activities, information about the anticipated
precision of the sample estimates, a definition of what nonadherence to
controls means, expectations (if any) about the rate of nonadherence to
controls, and examples of the types of conclusions the auditor expects to
be able to make after the sample data are analyzed (and projected to the
population).

2.0 Extract transactions, in accordance with the sampling plan, from the
population to perform tests for performance of transaction-related control
activities.

C3 Obtain data for testing performance of control activities

1.0 Coordinate with the organization's purchase card program management
and obtain access to program personnel and original documentation
evidencing performance of transaction-level and related control activities
for each selected transaction. The following are examples of such
personnel and documents.

1.1 Personnel: cardholders for selected transactions, approving officials
for selected transactions, agency/organization purchase card program
coordinator, and operations supervisory personnel as needed.

1.2 Documents directly related and relevant to selected individual
purchase card transactions: cardholder monthly billing statement,
approving official monthly billing statement, cardholder log (or
equivalent) of purchases made, prepurchase request, approval,
authorization, or other determination of a legitimate government need,
evidence of screening for required/statutory vendors, waiver on required
sources of supply, if applicable, evidence of bid solicitations and
receipt, if applicable, vendor invoice or receipt for goods or services,
packing slip, evidence of independent receipt and acceptance, bank
dispute/affidavit forms, if transaction disputed, cardholder
reconciliation and certification of bill, and approving official review,
and certification for payment.

1.3 Additional documents relevant to purchases of accountable property:
cardholder notification to property book, and property book record.

1.4 Control environment documents evidencing adherence and performance of
key elements (see step A5 3.0): cardholder purchase and credit limits
authorization, approving official review responsibilities and authorized
limits, cardholder training certificates/records, approving official
training certificates/records, cardholder account closure/final bill, if
account closed, and disciplinary actions taken on cardholder and/or
approving official in the last _____________________________________.

C4 Test Key Control Activities

Transaction control activity testing

1.0 Using the relevant documentation obtained for the selected purchase
card transactions, accomplish attribute testing designed to determine the
performance of transaction control activities, including: determination of
a legitimate government purchase, screening for required vendors,
independent receipt and acceptance, physical control and accountability
over pilferable and other vulnerable property, cardholder reconciliation,
and approving official review.

1.1 Document for inclusion in the workpapers pass/fail of attribute tests
performed for each control activity in such a manner that facilitates
summary of the number of transactions which fail by attribute and by
control activity, and the dollar value of those transactions, for each
strata identified in the sampling plan.

Testing key elements of the control environment

2.0 Using the relevant documentation obtained for testing key elements of
the control environment (see step A5 3.1) in conjunction with tests of
selected purchase card transactions, accomplish attribute testing designed
to determine adherence to policy for each selected transaction, including:
training, discipline, and purchasing and reviewing authorities.

2.1 Document for inclusion in the workpapers the pass/fail results of
attribute tests performed for each control activity in such a manner that
facilitates summary of the number of transactions which fail by attribute
and by control activity, and the dollar value of those transactions, for
each strata identified in the sampling plan.

Potentially fraudulent, improper, and abusive purchases

3.0 Evaluate each selected transaction for criteria identifying a
potential fraudulent, improper, and abusive purchase, including:
questionable vendors, weekend and holiday purchases, split purchases,
unusual amounts or relationships, and year-end spending.

3.1 Conduct follow-up of all transactions exhibiting such criteria, and
refer any likely fraud for investigation.

3.2 Document for inclusion in the work papers the results of follow-up and
referrals in such a manner that facilitates summary of the number of
transactions considered fraudulent, improper, abusive, or questionable,
and the dollar value of those transactions, for each strata identified in
the sampling plan.

Analyzing and documenting sample results

4.0 Project the results of the sample transactions tests to the population
in accordance with the sampling plan. If statistical sampling was used,
provide the sample test results to the statistician for projection to the
population/strata.

4.1 Obtain a written memorandum from the statistician of the statistical
results of the projection(s) in accordance with the sampling plan,
recapping the population and the sampling plan used, the control tests
performed by the auditor, the statistical estimates (e.g., attribute
pass/fail, dollar values) for each strata, and the associated confidence
intervals.

4.2 Prepare a summary memorandum, for inclusion in the work papers, that
incorporates the sample test results and the statistician's report, recaps
the rules used to assess the effectiveness of controls, and documents the
auditor's conclusions about the effectiveness of individual control
activities.

4.3 Consider the results of transaction-level and other control tests, and
the results of data mining and follow-up of potentially fraudulent,
improper, and abusive transactions, and prepare a memorandum for inclusion
in the work papers documenting the considerations made and conclusions
reached by the auditor on the overall effectiveness of the design and
performance of internal control designed to prevent and detect potentially
fraudulent, improper, and abusive purchase card transactions.

D - Pursue Fraudulent, Improper, and Abusive Purchases

D1 Data mine to identify potentially fraudulent, improper, and abusive
purchases

1.0 Based on: understandings gained about the operations of the
organization and its purchase card program, the results of the preliminary
assessment of internal control, insights provided by involving credit card
fraud investigators, and insights provided by conducting tests of
performance of control activities, determine the criteria (e.g.,
characteristics, associations, or sequences and pattern clusters) which
signify potentially fraudulent, improper, and abusive purchases.

2.0 Obtain a database of purchase card transactions for the audit scope or
period (usually the same "population" database obtained for selecting
transactions for control activity testing).

3.0 Perform analysis of the database to identify transactions exhibiting
the characteristics of potentially fraudulent, improper, and abusive
purchases. Such analysis should include the following approaches:
questionable vendors, weekend and holiday purchases, split purchases,
unusual amounts or relationships, year-end spending, transactions by
vendor analysis, and suspicious cardholders and/or approving officials.

4.0 Extract transactions identified above into discrete smaller databases
for further analysis.

5.0 Select nonrepresentative transactions from the above discrete extracts
for follow-up, referral, and investigation.

D2 Follow-up and referral of selected purchase card transactions

1.0 Obtain supporting cardholder purchase documentation for all
potentially fraudulent, improper, and abusive purchase card transactions
identified and selected in the above data-mining approaches. Such
documentation would normally include the documents directly related and
relevant to selected individual purchase card transactions listed in the
Obtain Data for Testing Performance of Control Activities section of this
example audit program (see step C3 1.2).

2.0 Review the initial supporting documentation for the selected
transactions and make a preliminary determination of the appropriateness
of the purchase.

3.0 For those data-mined purchase card transactions which continue to be
(and those control activity test transactions) considered potentially
fraudulent, improper, and abusive or questionable, accomplish follow-up
procedures as indicated by the circumstances, such as: request additional
documentation, interview the cardholder, interview the approving official,
interview operational supervisors and/or coworkers, contact the vendor
directly, and request relevant items from fraud investigators.

4.0 Document for the audit work papers each interview conducted during the
follow-up process.

5.0 Document for the audit work papers the results of each follow-up
process in a summary memorandum, and attach all interviews and relevant
supporting documentation.

6.0 Refer all purchase card transactions, which after the completion of
the follow-up process are considered to be likely fraudulent, to the
appropriate fraud investigative body. The referral communication should be
written and should include the following information: the date of the
communication, the name of the referring organization, the name and
telephone number of the referring contact, the organization and program
under audit, a description of the potentially fraudulent transaction
(e.g., goods or services purchased, amounts paid, impropriety of the
transaction), the reason(s) for concluding the transaction to be
potentially fraudulent, the names and positions of the individuals
involved (e.g., John Buck - cardholder, Jane Doe - vendor), the date(s) of
the purchase transaction, a description of the indicators alerting the
auditor to the potentially fraudulent transaction (e.g., altered
supporting documentation, personnel interview, or record discrepancies),
and a statement as to whether the relevant documents (copies or originals)
are attached or are available (e.g., cardholder billing statement, vendor
invoice(s), follow-up interview(s)). Retain a copy of all referral
communications and attachments for the audit work papers.

6.1 Request memorandums of investigations at the end of the audit period
detailing the conduct, progress, and status of all such referred purchase
card transactions.
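
Three of the data-mining approaches listed in steps C4 3.0 and D1 3.0 (weekend and holiday purchases, split purchases, year-end spending), together with the control-total check in step C1 1.1, can be run as tests over the transaction database. The Python below is an added example, not part of the GAO guide; the record layout, the sample transactions, the single purchase limit, the holiday list, the split-purchase window and the year-end window are constructed assumptions to be replaced with the organization's own values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    cardholder: str
    vendor: str
    when: date
    amount: Decimal


# Assumed parameters: take the real values from the organization's policies.
SINGLE_PURCHASE_LIMIT = Decimal("2500.00")
HOLIDAYS = {date(2002, 7, 4)}
FISCAL_YEAR_END = date(2002, 9, 30)   # federal fiscal year 2002 ended 30 September
YEAR_END_WINDOW_DAYS = 7

# Constructed sample population (not real data).
POPULATION = [
    Txn("T001", "CH-01", "Vendor A", date(2002, 6, 11), Decimal("1800.00")),
    Txn("T002", "CH-01", "Vendor A", date(2002, 6, 11), Decimal("1900.00")),
    Txn("T003", "CH-02", "Vendor B", date(2002, 6, 15), Decimal("450.00")),
    Txn("T004", "CH-02", "Vendor C", date(2002, 7, 4), Decimal("120.00")),
    Txn("T005", "CH-03", "Vendor D", date(2002, 9, 27), Decimal("2400.00")),
    Txn("T006", "CH-03", "Vendor E", date(2002, 8, 13), Decimal("75.00")),
    Txn("T007", "CH-01", "Vendor A", date(2002, 6, 12), Decimal("700.00")),
]


def agree_control_totals(txns, independent_count, independent_total):
    """Step C1 1.1: agree record count and dollar total to an independent source."""
    count_diff = len(txns) - independent_count
    total_diff = sum((t.amount for t in txns), Decimal("0")) - independent_total
    return count_diff == 0 and total_diff == 0, count_diff, total_diff


def weekend_or_holiday(t):
    # weekday() returns 5 for Saturday and 6 for Sunday.
    return t.when.weekday() >= 5 or t.when in HOLIDAYS


def year_end(t):
    days_left = (FISCAL_YEAR_END - t.when).days
    return 0 <= days_left < YEAR_END_WINDOW_DAYS


def split_purchase_ids(txns, limit=SINGLE_PURCHASE_LIMIT, window_days=1):
    """Flag purchases by one cardholder from one vendor, each within the single
    purchase limit, that fall within window_days of each other and together
    exceed the limit."""
    groups = defaultdict(list)
    for t in txns:
        if t.amount <= limit:
            groups[(t.cardholder, t.vendor)].append(t)
    flagged = set()
    for group in groups.values():
        group.sort(key=lambda t: t.when)
        for i, first in enumerate(group):
            cluster = [t for t in group[i:]
                       if (t.when - first.when).days <= window_days]
            if len(cluster) > 1 and sum(t.amount for t in cluster) > limit:
                flagged.update(t.txn_id for t in cluster)
    return flagged


def data_mine(txns):
    """Return {txn_id: [criteria met]} for follow-up; clean transactions are omitted."""
    splits = split_purchase_ids(txns)
    hits = defaultdict(list)
    for t in txns:
        if weekend_or_holiday(t):
            hits[t.txn_id].append("weekend_or_holiday")
        if t.txn_id in splits:
            hits[t.txn_id].append("split_purchase")
        if year_end(t):
            hits[t.txn_id].append("year_end_spending")
    return dict(hits)


if __name__ == "__main__":
    print(agree_control_totals(POPULATION, 7, Decimal("7445.00")))
    for txn_id, criteria in sorted(data_mine(POPULATION).items()):
        print(txn_id, ", ".join(criteria))
```

A hit only marks a transaction for the follow-up in section D2; it is not a finding until the supporting documentation has been reviewed.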

APPENDIX VI - GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE CARD
FRAUD

For purchase card transactions that have been identified as potentially
fraudulent the investigator should review information provided as part of
the follow-up and referral process, and to the extent necessary take the
following actions:

Obtain from the organization, auditor, or manager the names of
cardholder(s) for accounts involved with the transaction(s).

Obtain account histories from the bankcard service provider for specific
accounts to identify any patterns of similar or other questionable
transactions and the vendors involved with those transactions.

Identify the organization's approval process and determine who: requested
the goods or services purchased, approved the transactions, and signed off
on the monthly statement indicating that they had reviewed the
transactions.

Obtain from the organization, auditor, or manager documentation related to
the transaction(s), such as invoices, shipping receipts, any contact
telephone numbers, etc.

Determine the organization's policies for accountability of pilferable and
other property.

Interview the organization individual(s) involved with requesting the
goods or services and the individual(s) that review the monthly bank
statements to determine if they were aware of (1) the transaction(s), and
(2) whether the cardholder(s) filed a dispute form concerning the
transaction(s).

Interview the cardholder(s) to determine who made the purchases, the
purpose of the purchases, and whether they disputed the transactions.

Interview the vendor(s) where questionable transactions were made and:
obtain any documentation relating to the transactions including detailed
description of items purchased, such as serial numbers, or specific
services provided; determine where property was delivered or where the
services were provided; determine whether the vendor records the telephone
number from which the order for goods or services was made; and determine
whether the vendor maintains a database of purchase card numbers and
whether this database has been compromised.

Interview organization officials responsible for maintaining property
inventory and determine: whether the items purchased were included in
inventory, and how property delivered to the organization is accounted
for.

APPENDIX VII - GAO CONTACT AND STAFF ACKNOWLEDGMENTS

GAO Contact

Stephen Wm. Lipscomb (303) 572-7328

Staff Acknowledgments

In addition to the person named above, David Childress, Francine
Delvecchio, Don Fulwider, Charles R. Hodge, Jeffrey Jacobson, Jason Kelly,
Julia Matta, John Ryan, and Sidney Schwartz made important contributions
to this report.

GAO's Mission

The General Accounting Office, the audit, evaluation and investigative arm
of Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of
the federal government for the American people. GAO examines the use of
public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet. GAO's Web site (www.gao.gov) contains abstracts
and full-text files of current reports and testimony and an expanding
archive of older products. The Web site features a search engine to help
you locate documents using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document files.
To have GAO e-mail this list to you every afternoon, go to www.gao.gov and
select "Subscribe to daily E-mail alert for newly released products" under
the GAO Reports heading.

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. General Accounting Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Public Affairs

Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800
U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
*** End of document. ***