Audit Guide: Auditing and Investigating the Internal Control of  
Government Purchase Card Programs (01-NOV-03, GAO-04-87G).	 
                                                                 
The federal government of the United States--the largest and most
complex organization in the world--expended approximately $15	 
billion through federal organizations' purchase card programs in 
fiscal year 2002. As the steward of taxpayer dollars, federal	 
agencies are accountable for how purchase cards are used and how 
the funds are spent. To that end, federal agencies are		 
responsible for establishing and maintaining internal control to 
provide reasonable assurance that (1) the goals and objectives of
the purchase card program are met and (2) safeguards against	 
fraudulent, improper, and abusive purchases are adequate. Recent 
congressional testimony and inspector general and GAO reports	 
show that some federal agencies do not have adequate internal	 
control over their purchase card programs. Without effective	 
internal control, management has little assurance that		 
fraudulent, improper, and abusive purchases are being prevented  
or, if occurring, are being promptly detected with appropriate	 
corrective actions taken. A key element of internal control is	 
monitoring that assesses the quality of performance over time and
ensures that the findings of audits and other reviews are	 
promptly resolved. Monitoring provides for regular management and
supervisory activities as well as evaluations by inspector	 
generals or external auditors. This guide focuses on audits of	 
internal control activities--designed primarily to prevent or	 
detect significant fraudulent, improper, and abusive		 
purchases--in government purchase card programs. It is intended  
to provide practical guidance for consideration by internal and  
external auditors, investigators, and program management	 
oversight personnel in assessing the adequacy and performance of 
those control activities and identifying areas of internal	 
control for potential improvement. This guide is based primarily 
on GAO's experiences in auditing and investigating internal	 
control over federal government purchase card programs at the	 
Departments of Defense, Education, and Housing and Urban	 
Development and other federal agencies. 			 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-87G 					        
    ACCNO:   A08845						        
  TITLE:     Audit Guide: Auditing and Investigating the Internal     
Control of Government Purchase Card Programs			 
     DATE:   11/01/2003 
  SUBJECT:   Audit reports					 
	     Federal agencies					 
	     Internal controls					 
	     Program management 				 
	     Credit sales					 
	     Risk management					 
	     Fraud						 
	     Program abuses					 
	     Monitoring 					 
	     Accountability					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-04-87G

United States General Accounting Office

GAO

Financial Management and Assurance

November 2003

AUDIT GUIDE

  Auditing and Investigating the Internal Control of Government Purchase Card
                                    Programs


This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

Preface

The federal government of the United States--the largest and most complex
organization in the world--expended approximately $15 billion through
federal organizations'[1] purchase card programs[2] in fiscal year 2002. As
the steward of taxpayer dollars, federal agencies are accountable for how
purchase cards are used and how the funds are spent. To that end, federal
agencies are responsible for establishing and maintaining internal control
to provide reasonable assurance that (1) the goals and objectives of the
purchase card program are met and (2) safeguards against fraudulent,
improper, and abusive purchases are adequate.

Recent congressional testimony and inspector general and GAO reports show
that some federal agencies do not have adequate internal control over
their purchase card programs. Without effective internal control,
management has little assurance that fraudulent, improper, and abusive
purchases are being prevented or, if occurring, are being promptly
detected with appropriate corrective actions taken. A key element of
internal control is monitoring that assesses the quality of performance
over time and ensures that the findings of audits and other reviews are
promptly resolved. Monitoring provides for regular management and
supervisory activities as well as evaluations by inspector generals or
external auditors.

This guide focuses on audits of internal control activities--designed
primarily to prevent or detect significant fraudulent, improper, and
abusive purchases--in government purchase card programs. It is intended to
provide practical guidance for consideration by internal and external
auditors, investigators, and program management oversight personnel in
assessing the adequacy and performance of those control activities and
identifying areas of internal control for potential improvement. This
guide is based primarily on GAO's experiences in auditing and
investigating internal control over federal government purchase card
programs at the Departments of Defense, Education, and Housing and Urban
Development and other federal agencies.

This guide was prepared at the request of former Chairman Stephen Horn,
Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations, House Committee on Government Reform. This is
one in a series of projects we have undertaken for the Subcommittee
concerning weaknesses in internal control over government purchase and
travel card programs. This guide was prepared under the direction of
Gregory Kutz, Director, Financial Management and Assurance. Other GAO
contacts and key contributors are listed in appendix VII. Questions can be
directed to Mr. Kutz at (202) 512-9505 or [email protected], or Stephen W.
Lipscomb at (303) 572-7328, [email protected], or

Stephen W. Lipscomb
U.S. General Accounting Office
1244 Speer Blvd., Suite 800
Denver, CO 80204

Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance

[1] The term "organization," as used throughout this guide, refers to a
government, its divisions, or subdivisions (e.g., department, agency,
activity, unit).
[2] The term "program," as used throughout this guide, refers to a
government purchase card program at the organization level.

TABLE OF CONTENTS

Preface

Section 1: Introduction
  OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY
  GOVERNMENT PURCHASE CARD PROGRAMS
  GAO'S APPROACH TO AUDITING PURCHASE CARD PROGRAMS
  THE APPLICABILITY OF AUDITING STANDARDS

Section 2: Understanding the Purchase Card Program
  THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES
    Potentially Fraudulent, Improper, or Abusive Purchases
    Indications and Categories of Fraud
  RELEVANT LAWS AND REGULATIONS
    Establishment and Operation of the Purchase Card Program
    Procurement Methods and Standards
    Purposes for which an Organization's Appropriations May Be Used
  THE ORGANIZATION'S OPERATIONS AND PROGRAMS
    Understanding the Organization's Operations
    Understanding the Organization's Purchase Card Program
    Understanding the Bank Service Provider's Program
  INTERNAL CONTROL AND THE CONTROL ENVIRONMENT
    The Standards of Internal Control
    Testing Key Elements of the Control Environment

Section 3: Making, Documenting, and Using the Preliminary Assessment
  ASSESSING THE ADEQUACY OF THE DESIGN OF CONTROL ACTIVITIES
  USING THE PRELIMINARY ASSESSMENT

Section 4: Testing the Effectiveness of Key Control Activities
  OBTAINING TRANSACTION DATA
    Coordinating with the Bank Service Provider
  SELECTING PURCHASE CARD TRANSACTIONS
    Considerations in Designing a Statistical Sample
    The Sampling Plan
    Extracting Selected Transaction Data Elements
    Reporting Sample Results
    Analysis of Results from Statistical Samples
  OBTAINING DOCUMENTATION EVIDENCING PERFORMANCE OF CONTROL ACTIVITIES
    Obtaining Documentation from the Organization
    Evidence of Performance
  TESTING CONTROL ACTIVITIES
    Transaction Control Activities

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases
  DATA MINING FOR DETECTION, ILLUSTRATION, AND DISCLOSURE
  FOLLOW-UP AND INVESTIGATION
    Follow-up
    Referral for Investigation

Appendixes
  APPENDIX I - SELECTED RELEVANT GAO REPORTS AND TESTIMONIES
  APPENDIX II - SELECTED RELEVANT LAWS AND REGULATIONS
  APPENDIX III - EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE
    (REQUEST THROUGH PAYMENT)
  APPENDIX IV - EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART
  APPENDIX V - EXAMPLE AUDIT PROGRAM
  APPENDIX VI - GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE
    CARD FRAUD
  APPENDIX VII - GAO CONTACT AND STAFF ACKNOWLEDGMENTS

Section 1: Introduction

Federal government purchase card programs, which have been in existence
governmentwide since 1989, were established to streamline federal agency
acquisition processes by providing a low-cost, efficient vehicle for
obtaining goods and services directly from vendors. As shown by the chart,
purchase card programs have experienced dramatic growth and accounted for
$15.2 billion in government expenditures in fiscal year 2002.

With the establishment in 1998 of the General Services Administration's
(GSA) SmartPay(R) program, federal agencies had a new way to pay for
commercial goods and services. GSA negotiated charge card service provider
contracts with five commercial banks: Citibank, First National Bank of
Chicago, Mellon Bank, NationsBank, and U.S. Bank. Federal government
departments and agencies were to choose the service provider with
capabilities meeting agency requirements.

Purchase card programs are widespread throughout the federal government
and range in size from the Department of Defense (DOD) with 214,000
cardholders and $6.8 billion of fiscal year 2002 purchases, to the U.S.
Tax Court with 1 cardholder and $102,000 of fiscal year 2002 purchases.
However, the design and implementation of internal control did not keep up
with the growth in the programs audited by GAO (see app. I - Selected
Relevant GAO Reports and Testimonies). With the increase in purchase card
use came increases in risk; revelations of significant weaknesses in
internal control; and resulting fraudulent, improper, and abusive
purchases.

OBJECTIVE OF THE GUIDE, SCOPE AND METHODOLOGY

The primary objective of this guide is to provide practical guidance for
consideration in performance audits and investigations of government
purchase card programs. The guide provides auditors and fraud
investigators with a basis for understanding the operations, risks, and
internal control of a government purchase card program, which in turn
provides a basis for conducting investigations of fraud in a government
purchase card program. Although this guide is primarily an audit and
investigative guide, it can also be applied by program management
oversight personnel in assessing the adequacy of policies, procedures, and
internal controls and conducting ongoing monitoring of adherence to
internal control activities. In that context, the use of the term
"auditor" throughout this guide is intended to include program management
oversight personnel as well as internal and external auditors. While this
guide is based on approaches and methodologies developed in audits of
federal purchase card programs, the basic concepts and criteria may also
be applicable to state and local government purchase card programs. This
guide

o  	focuses on auditing the internal control policies, procedures, and
activities designed primarily to prevent or detect fraudulent, improper,
and abusive purchase card transactions in government purchase card
programs;

o  	seeks to foster critical, creative thinking by auditors,
investigators, and management personnel responsible for identifying risks
and opportunities open to those who would misuse purchase cards;

o  	provides practical guidance in identifying potentially fraudulent,
improper, and abusive purchase card transactions and in conducting the
appropriate follow-up and investigation; and

o  	illustrates the benefits of involving fraud investigators in the
planning and execution of audit procedures.

The guide is intended to supplement existing guidance[3] for review and
oversight of federal government purchase card programs. Different parties
may accomplish audits of purchase card programs for different purposes.
Law, regulation, or third party request may direct external and internal
auditors to accomplish a performance or other audit in accordance with
generally accepted government auditing standards (GAGAS).[4]

The guide is not intended to and does not provide guidance sufficient to
address all potential purchase card program performance audit objectives
(e.g., economy and efficiency, compliance with legal or other
requirements). The guide is also not intended to comprehensively address
all five of the standards of internal control[5] (e.g., management's risk
assessment, information and communication). In addition, the guide is not
intended to and does not provide guidance sufficient to develop
investigative cases that establish evidence to prove specific allegations
of criminal wrongdoing.

[3] President's Council on Integrity and Efficiency, A Practical Guide for
Reviewing Government Purchase Card Programs (Washington, D.C.: June 2002),
and U.S. General Services Administration, GSA Smart Pay(R), Blueprint for
Success: Purchase Card Oversight (Arlington, Va.: April 2002).
[4] U.S. General Accounting Office, Government Auditing Standards - 2003
Revision, GAO-03-673G (Washington, D.C.: June 2003).
[5] U.S. General Accounting Office, Standards for Internal Control in the
Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), 7.

GOVERNMENT PURCHASE CARD PROGRAMS

The operations and controls of government purchase card programs can vary
among organizations. However, the Department of the Treasury's Financial
Manual[6] prescribes procedures (illustrated in fig. 1), including program
controls and invoice payment, that apply to all departments and agencies
that use government purchase cards. Additionally, the Federal Acquisition
Regulation (FAR), which prescribes acquisition policies and procedures for
all executive agencies, provides that agencies are to establish procedures
for use and control of the card that comply with the Treasury Financial
Manual.[7]

The manual further states that, with some exceptions, small purchases of
up to $25,000[8] should be made using the government purchase card and
establishes key control activities, personnel, and their roles, including
the following.

o  	A written delegation of authority is to be issued by responsible
agency personnel that establishes authorized cardholder(s)[9] and specifies
spending and usage limitations unique to the cardholders.

o  	The cardholder is the government employee to whom a government
purchase card, bearing the employee's name, is issued. The card can be
used only by that employee for official purchases, in adherence with
agency regulations.

o  	The cardholder statement listing all transactions during the billing
period is sent to each cardholder.

o  	The approving official (AO) reviews cardholder statements, is
responsible for authorizing cardholder purchases (for official use only),
and ensures that statements are reconciled and submitted to the designated
billing office in a timely manner.

o  	A designated billing office receives the official invoice--a designated
billing office report listing all cardholder charges for the area the
office serves--and ensures its payment in accordance with Prompt Payment
Act deadlines.

[6] U.S. Department of Treasury, Treasury Financial Manual, Vol. 1 - Part 4
- Chapter 4500, Government Purchase Cards (Washington, D.C.: May 2003),
http://www.fms.treas.gov/tfm/vol1/v1p4c450.txt (viewed May 2003).
[7] 48 C.F.R. § 13.301(b) (2002).
[8] See the Relevant Laws and Regulations section of this guide for further
information on FAR provisions applicable to specific purchase amounts.
[9] FAR allows personnel other than warranted contracting officers to use
the purchase card. 48 C.F.R. §§ 1.603-3(b) and 13.301(a) (2002).

The manual requires each agency to develop its own internal procedures for
using the purchase card and establishes processing and internal controls
that must be in place prior to using the government purchase card,
including the following.

o  	Designate an office (usually the procurement office) to manage the
program and ensure that (1) training required for all cardholders, AOs,
and other employees involved in the program is provided, (2) a current
list of cardholders and AOs is maintained, and (3) an annual oversight
review of the program is conducted. (The position is generally referred to
as the agency program coordinator (APC) in DOD purchase card programs.)

o  	Establish procedures for (1) the timely submission of cardholder
statements to the agency designated billing office, (2) maintaining
security of the cards, (3) handling disputes and returned, refused,
damaged, or unacceptable items and partial deliveries, and (4) renewing
purchase cards.

The manual also provides that invoices, payments, access and review of
account and master file data, and reports may be accomplished
electronically, and that electronic funds transfer should be adopted as
the standard method of payment for all federal program payments originated
by agencies or their agents.

The Treasury Financial Manual and FAR requirements would apply to all
purchase card transactions, including convenience check
transactions--courtesy checks provided by the purchase card-issuing
bank--that are charged to a related purchase card account.

GAO'S APPROACH TO AUDITING PURCHASE CARD PROGRAMS

The approach presented in this guide is based on GAO's experience in
auditing internal control over government purchase card programs at the
Departments of Defense, Education, Housing and Urban Development, and
other federal agencies (see app. I - Selected Relevant GAO Reports and
Testimonies). In general, GAO's approach is to (1) gain a thorough
understanding of the organization's operations and purchase card program,
and relevant system of internal control, (2) based on that understanding,
and any needed additional review and analysis, make a preliminary
assessment of the adequacy of the design of the system of internal
control, (3) test the effectiveness of internal control using statistical
sampling, and (4) use data mining to detect instances of potentially
fraudulent, improper, and abusive transactions to illustrate the effects
of breakdowns in internal control.

GAO's approach includes involving fraud investigators throughout the
audit. An experienced fraud investigator will bring valuable perspectives
and insight to the process of identifying opportunities for fraud in the
program's operations and in evaluating the effectiveness of control
activities. They can also bring new and creative thinking to identifying
the opportunities for circumventing the existing controls. Fraud
investigators should be involved in the preliminary assessment process,
designing tests of controls, identifying criteria and relationships for
data mining, and in follow-up of potentially fraudulent transactions.
Program policy and procedure documents obtained and understandings gained
of the purchase card program and related internal controls should be made
available to the fraud investigator.

THE APPLICABILITY OF AUDITING STANDARDS

Auditors performing an audit in accordance with GAGAS for performance
audits are required to adhere to the general and fieldwork standards.
These standards can be found on GAO's web site.[10] The following three
general standards are key to providing assurance that integrity,
objectivity, and independence are adequate in planning, conducting, and
reporting results of audits.

o  	Independence. Audit organizations and individual auditors, whether
government or public, are required to be free both in fact and appearance
from personal, external, and organizational impairments to independence,
in all matters relating to the audit work.

o  	Professional judgment. Auditors complying with GAGAS are required to
use professional judgment in planning and performing audits and in
reporting the results.

o  	Competence. Audit staff are required to collectively possess adequate
professional competence for the tasks required.

We encourage all users of this guide, including internal auditors and
program management oversight personnel, to (1) become familiar with these
standards and the basic concepts embodied in them, (2) consider their
relative applicability to the circumstances, and (3) apply them as
appropriate when using this guide.

[10] see .

Section 2: Understanding the Purchase Card Program

Evaluating the adequacy of internal control designed to mitigate the risk
of fraudulent, improper, and abusive transactions requires the auditor to
gain an in-depth understanding of (1) the risk of fraud, (2) the relevant
laws and regulations, and (3) the specific organization's mission activity
operations and its purchase card program operations (from purchase request
to payment). This in-depth understanding is necessary so that an auditor
can make a preliminary judgment about the adequacy of design of an
organization's control activities.

THE RISK OF FRAUDULENT, IMPROPER, AND ABUSIVE PURCHASES

The potential for fraudulent, improper, and abusive purchases in a
purchase card program should be viewed by management as a risk of
significant financial loss, possibly resulting in operational inefficiency
and impairment of mission readiness. This is particularly true in the
government environment where taxpayer dollars are at risk. Fraudulent,
improper, and abusive purchases often result directly from a lack of
adherence to policies, procedures, and control activities. This lack of
adherence can result in misuse of the card. As program personnel
predisposed to misuse the card become aware of such weaknesses, the door
opens wider for fraudulent, improper, and abusive purchases.

Repeated nonadherence to established internal control policies and
procedures, such as inadequate documentation of purchase card
transactions or supervisory reviews, may not constitute a violation of law
or regulation. However, if allowed to continue, it will contribute to an
erosion and weakening of the control system. Prompt administrative and
disciplinary actions (e.g., informal admonishment, formal reprimand,
additional required training, suspension of card privileges, cancellation
of the cardholder's account, termination of employment) can be effective
in reducing persistent lack of adherence to policies and procedures by
cardholders and other program personnel. When administrative corrective
actions are taken and documented, program management, oversight
personnel, and auditors will be able to identify repeat offenders and
determine that appropriate steps are being taken to address potentially
significant problems before they escalate.

One organization's actions included recommending remedial training and
suspension of repeat offenders' purchase card accounts for lack of
adherence to internal control policies and procedures.

Potentially Fraudulent, Improper, or Abusive Purchases

Our audits of purchase card programs detected transactions that were not
in accordance with laws and regulations or were not appropriate or
legitimate uses of government funds. The terms we used to characterize
such purchases included potentially fraudulent, improper, and abusive
purchases. The following are explanations of these terms as used in this
guide.

Fraudulent purchases. Use of the government purchase card to acquire goods
or services that are unauthorized and intended for personal use or gain
constitute a fraud against the government. A cardholder's unauthorized
purchase of power tools for his home, a vendor's intentional charges for
services not provided, and the unauthorized use by a third party of a
cardholder's compromised or stolen account for personal gain are examples
of fraudulent purchase card transactions. In GAO reports, these and
similar purchase card transactions are generally referred to as
"potentially fraudulent" unless there has already been a fraud conviction
in a court of law.

A cardholder made 62 unauthorized transactions totaling $12,832 to pay for
repairs to a car and buy groceries, clothing, and various other items for
personal use.

Improper purchases. Government purchase card transactions that are
intended for government use but are not permitted by law, regulation, or
organization policy generally are considered improper. Examples include
certain types of purchases of meals or refreshments for government
employees within their normal duty stations,[11] purchases split to
circumvent micropurchase or other single purchase limits, and purchases
from other than statutorily designated sources, such as the
Javits-Wagner-O'Day program (JWOD).[12]

Day planners costing a total of $3,100 were purchased from Franklin Covey.
One item cost $199 and another $250. In contrast, cardholders could have
purchased day planners from JWOD for about $40.

Abusive purchases. Purchases of authorized goods or services, at terms
(e.g., price, quantity) that are excessive, are for a questionable
government need, or both are considered abusive. Examples of such
transactions include purchases of items such as $300 day planners, $350
bedside radios, and allowable refreshments at excessive cost; purchases of
designer leather goods; and year-end and other bulk purchases of computer
and electronic equipment for a questionable government need.

A cardholder purchased Bose bedside clock radios costing $349 each, when
other models costing about $15 were available.

Indications and Categories of Fraud

Figure 2 shows key signs, signals, and patterns that indicate the
potential for fraud in a government purchase card program.

Figure 2: Signs, signals, and patterns indicating the potential for fraud

o  	Weak management
o  	Weak internal controls
o  	History of impropriety
o  	Failure to follow legal or technical advice
o  	Promise of gain with little likelihood of being caught
o  	Unexplained decisions, transactions, or both
o  	Unethical leadership
o  	Missing or altered documents

Source: International Journal of Government Auditing.

An inmate at a local county jail made three purchase card transactions at
local florist shops on a government purchase card that had either been
lost or stolen.

GAO audits of government purchase card programs have reported fraudulent
and potentially fraudulent purchases by cardholders, vendors, and third
parties using compromised accounts falling into the following broad
categories of fraud.

o  	Theft involves property, facilities, and services. An authorized or
unauthorized cardholder purchase of goods or services intended for
personal use or gain is theft. Theft can also occur when an unauthorized
user compromises a cardholder's account by gaining knowledge of and using
the purchase card account number.

o  	Fictitious transactions can involve a single party (e.g., a cardholder
supports the acquisition of goods or services for personal use with false
documentation, or a vendor bills the government for goods or services
never delivered). In addition, fictitious transactions can include
collusion (e.g., a cardholder knowingly approves documentation supporting
a vendor's invoice for goods or services never provided, and the two share
in the amount paid by the government). Although collusion can circumvent
what otherwise might be effective internal control activities, a robust
system of guidance, internal control activities, and oversight can provide
reasonable assurance of preventing or quickly detecting fraud.

A maintenance supervisor allegedly made $52,000 in fraudulent transactions
to a suspect contractor for work that was not performed.

o  	Kickbacks may be offered by a vendor or solicited by a contractor or
government buyer. Kickbacks in a government purchase card program can
include collusion between a cardholder and a vendor. The cardholder makes
authorized purchases from the vendor, who charges the government an
excessive price and "kicks back" a percentage of the amounts received to
the cardholder.

Two purchase cardholders conspiring with at least seven vendors received
kickbacks on purchases with inflated prices, quantities, or both. Criminal
investigation resulted in confinement or restriction, a bad conduct
discharge, and a reduction in rank.

o  	Conflict of interest is present when a government official participates
in approving or deciding a matter in which the official or a relative has
a financial interest. The potential for a conflict of interest in a
purchase card transaction exists whenever a cardholder or a relative has a
significant financial interest in a vendor or contractor. Purchases of
goods or services from that vendor or contractor would be suspect and, if
not prohibited by the organization, should require special review and
approval prior to and subsequent to the purchase.

A cardholder and his supervisor conspired to make nearly $400,000 in
fraudulent purchases from companies owned by the supervisor, his sister,
friends, and acquaintances.

[11] 72 Comp. Gen. 178, 179 (1993); 65 Comp. Gen. 508, 509 (1986).
[12] JWOD establishes mandatory sources of supply for all federal
entities. It requires federal agencies to purchase supplies and services
that are furnished by nonprofit agencies--such as the National Industries
for the Blind and NISH (serving people with a range of disabilities).

The auditor should be aware of the potential for the previous categories
of fraud in the day-to-day operational risk of the organization.
Fraudulent, improper, and abusive purchases generally involve individual
cardholders, supervisors, approving officials, and vendors, and
occasionally collusion between them. Another source of fraudulent
purchases of significant concern occurs when an account is compromised
(e.g., someone other than authorized program personnel gains knowledge of
account numbers). In any event, a strong system of controls should guard
against significant loss to the government for all such potentially
fraudulent, improper, and abusive purchases. Any potentially fraudulent
transaction detected should be considered for follow-up, as discussed in
the Follow-up and Investigation section of this guide.

To better understand the risk of fraud within a specific organization's
purchase card program, auditors and investigators should identify and
study known cases of such fraud. Summary memorandums prepared by fraud
investigators detailing the nature and extent of the suspected fraud, the
investigative process, the conclusions reached, and the actions taken can
provide valuable additional insight.

RELEVANT LAWS AND REGULATIONS

A federal organization's purchase card program must comply with the laws,
regulations, contracts, and governmentwide and organizational policies and
procedures that (1) govern the establishment and operation of the purchase
card program, (2) prescribe procurement methods and standards, and (3)
pertain to the purposes for which an organization's appropriations and
other sources of funds may be used. When evaluating the merits of
individual purchases, all three areas should be considered. (See app. II -
Selected Relevant Laws and Regulations.)

Establishment and Operation of the Purchase Card Program

Federal organization purchase card programs operate under a
governmentwide GSA contract, the GSA SmartPay(R) Master Contract.
Organization purchase card programs must comply with the terms of the
contract and the task order under which the organization placed its order
for purchase card services. Organization purchase card programs must also
comply with Department of the Treasury regulations found in the Treasury
Financial Manual, Volume I, Part 4-4500, "Government Purchase Cards." FAR,
48 C.F.R. § 13.301(b) (2002), provides that agencies are to establish
procedures for use and control of the card that comply with the Treasury
Financial Manual and that are consistent with the terms and conditions of
the current GSA credit card contract. Individual organizations may be
subject to specific statutory criteria for the management of purchase
cards (e.g., 10 U.S.C. § 2784, directing the Secretary of Defense to
prescribe regulations governing the use of purchase cards). As such, each
organization should have guidance concerning the implementation,
establishment, and operation of its purchase card program.

Procurement Methods and Standards

Purchases made with the purchase card should be made in accordance with
generally applicable procurement laws, regulations, and organization
procurement policies and procedures. FAR provides governmentwide policies
and procedures for acquisition by all executive agencies. Agencies
frequently issue supplemental acquisition regulations as well.

Contracting activities carried out by the federal government generally
must be conducted by warranted contracting officers; however, the purchase
card may also be used by other government personnel for purchases at or
below the micropurchase threshold. FAR provides that such individuals must
be delegated the authority to do so in writing in accordance with
organization procedures. Regardless of the value of a purchase, FAR
prohibits cardholders from splitting organization needs into smaller
purchases in order to circumvent applicable acquisition laws, regulations,
and policies. Organization policies can also prohibit cardholders from
splitting purchases into smaller purchases in order to avoid individual
cardholder purchase limits.

One cardholder split about $17,000 of purchases of boots on 1 day into 8
transactions. Another cardholder split over $30,000 of purchases from an
electronic supply store on 1 day into 14 transactions.

Authorized personnel may use the purchase card for purchases at or below
the micropurchase threshold (currently $2,500, except that the limit is
$2,000 for certain construction costs).13 Micropurchases are subject to
the requirements of FAR Subpart 8, which provides that certain products be
acquired from designated sources, including statutorily preferred vendors.
Micropurchases must also be made in accordance with various laws and
regulations concerning environmentally preferable products and services.
Cardholders may make micropurchases without soliciting competitive
quotations from vendors if they consider the price to be reasonable.
However, cardholders are required to distribute micropurchases equally
among qualified suppliers to the extent practicable.

13 48 C.F.R. §§ 2.101 and 13.201(g).

Despite representations that hotels were authorized to bill only for
audiovisual equipment and conference room rental, detailed bills acquired
by GAO auditors showed that about $7,000 was inappropriately expended for
prohibited breakfasts, lunches, and snacks.

For purchases above the micropurchase threshold, warranted contracting
officers may use the purchase card to place and pay for orders against
already existing contracts. For these larger transactions, the card is
frequently referred to as a "payment card" because it pays for
acquisitions made under a legally executed contract.

Purposes for which an Organization's Appropriations May Be Used

Individual purchases must be for a purpose allowable under an
organization's appropriations or other sources of funds (e.g.,
nonappropriated funds) and must not otherwise be prohibited by law.
Organizations may use appropriated funds only for legitimate or bona fide
needs that arise in or continue to exist in the fiscal year(s) for which
those funds are appropriated. Agencies are restricted to purchasing only
those items that will be used during such fiscal year(s) except when they
qualify under certain categories, such as to maintain inventories of
necessary items at reasonable levels. However, agencies generally may not
purchase items in excessive amounts at the end of a fiscal year solely to
avoid the expiration of funds.

THE ORGANIZATION'S OPERATIONS AND PROGRAMS

Appropriately planning an audit and investigation of the internal control
over an organization's purchase card program requires a thorough
understanding of

o  the organization's mission activities and operations,

o  its purchase card program operations and the end-to-end flow of
transactions through it from request to payment,

o  the system of internal control over the purchase card program, and

o  the environment in which the control activities operate.

Understanding the organization's operations and its specific purchase card
program is critical in developing audit objectives and the scope and
methodology for the work needed to achieve them. In addition, issues such
as program significance, visibility, age, sensitivity, and the potential
use of audit results should be considered in the audit planning process.14
Gaining and documenting an understanding of the operations of a government
purchase card program can be accomplished in several ways, all of which
will require access to the appropriate personnel and relevant documents.
The first step should be to establish contact and coordinate that effort
with both the organization and the bank service provider.

14 GAO-03-673G, ¶7.8 - 7.10.

Understanding the Organization's Operations

Understanding the organization's mission and objectives, and how those
missions and objectives are accomplished, provides the auditor with
critical insight used in (1) developing audit objectives, (2) identifying
opportunities for purchase card fraud, (3) making preliminary assessments
of the adequacy of program controls, (4) designing tests of internal
control, and (5) identifying criteria for data mining. The understanding
gained of the organization's operation(s) might include

o  the nature and size of overall operations;

o  	what the individual activities involved in the purchase card program
do, and how they do it;

o  	the general job descriptions, level of education, and number of
personnel in those activities; and

o  the volume and appropriate type(s) of purchase activity to expect.

An understanding of the organization's operations and activities can be
gained by interviews with operations personnel and by reviewing existing
documents such as program descriptions, policies and procedures, and
operations manuals.

Understanding the Organization's Purchase Card Program

The initial understanding of the organizational level purchase card
program (from request to payment) and the internal control at work
throughout that process, ideally would be obtained from existing documents
such as purchase card program descriptions, policies and procedures,
operational manuals, or instructions. Interviews with program personnel
can supplement existing documented evidence of program operations and
controls, or establish a starting point if such documentation is
insufficient or nonexistent. In either circumstance, correctly structured
interviews can be a valuable source of inquiry to understand and clarify
(1) the extent to which control activities are in place and operating, (2)
the environment in which those controls operate, (3) the overall
managerial organization and operations of the program, and (4) the flow of
purchase card transactions. A Practical Guide for Reviewing Government
Purchase Card Programs - June 2002, by the President's Council on
Integrity and Efficiency, contains interview guides, which will be helpful
when conducting interviews for this purpose. In addition, conducting
walk-throughs of selected purchase card transactions is a key process in
(1) gaining a thorough understanding of the program's operations from
purchase request to payment of the bill, (2) identifying control points
through that process, and (3) observing the operation of control
activities and transaction flows.

One manner of obtaining access to operations and program personnel is to
coordinate audit arrangements with the organization's management. Access
to the appropriate personnel and to written policies and procedures is
essential to understanding the organization's operations, the purchase
card program, and internal controls. In addition, documentation evidencing
adherence to internal control policies and procedures will be necessary
when testing for performance of control activities. Further, access to
program personnel will be necessary to clarify information received and to
follow up on potentially fraudulent, improper, and abusive purchases.

GAGAS require auditors to prepare documentation supporting significant
judgments and conclusions. Auditors should obtain or prepare narratives,
flowcharts, or both that summarize and document their understanding of the
organization's purchase card program and the flow of typical purchase card
transactions. Understanding how the purchase card program operates, the
flow of transactions from request to payment, and the key controls over
the entire end-to-end process form the basis for making preliminary
judgments about the adequacy of the design of control activities and for
designing tests of those controls. Narrative and flowchart documentation
also provides effective communication of the processes and control points
to other interested parties (e.g., audit staff, program management,
oversight personnel). Appendixes III and IV of this guide provide example
flowcharts of an organizational level structure for a federal government
purchase card program and the end-to-end flow, and related narrative, of
typical purchase card transactions through it.

Understanding the Bank Service Provider's Program

Coordinating the audit effort with the bank service provider might provide
the opportunity to gain an understanding of (1) the operation of the
provider's program, (2) the processes for purchase card authorization,
issuance, and credit limits, (3) the transaction processing, review,
authorization, and manual override (e.g., single-transaction limits)
system, (4) the merchant category code (MCC) blocking features and any
manual override, and (5) the internal controls over these processes.
Additionally, as shown in figure 3, the GSA SmartPay(R) master contract
requires bank service providers to provide federal organizations with
various ad hoc, standard commercial, and other reports specific to the
purchase card program.

Figure 3: Agency/organization reports required by GSA's SmartPay(R) master
contract to be provided by the bank service provider

General reporting requirements

o  Ad-hoc report generation capability
o  Standard commercial reports

Additional essential reports

o  The official invoice
o  Invoice status report
o  Transaction dispute report
o  Pre-suspension/pre-cancellation report
o  Suspension/cancellation report
o  Renewal report
o  Delinquency report
o  Detailed electronic transaction file

Reporting specific to the Purchase Card Program

o  Account activity report
o  Statistical summary report
o  Summary quarterly purchase report

Other agency reports

o  Account activity report
o  Master file report
o  Statistical summary report
o  Account change report
o  Exception report
o  Current accounts report
o  1099 report information
o  1057 report
o  Payment performance and refund report
o  Write-off report
o  Summary quarterly merchant report
o  Summary quarterly vendor analysis report
o  Summary quarterly vendor ranking report

Source: GSA's SmartPay(R) Master Contract, Section C.38 - Agency Reporting
Requirements, and Section CC.12 - Agency Reporting Requirements for the
Purchase Card Program.

Conducting interviews with bank service provider personnel may provide the
necessary understanding of the provider's purchase card operations,
processes, and controls, as well as valuable insights and understanding in
using the various reports being produced.

INTERNAL CONTROL AND THE CONTROL ENVIRONMENT

Internal control is an integral component of an organization's purchase
card program that provides reasonable assurance that the objectives of
effective and efficient operations and compliance with applicable laws and
regulations are being achieved. The minimum level of quality acceptable
for internal control in a government purchase card program is defined by
the five standards for internal control included in Standards for
Internal Control in the Federal Government.15 Those standards, and
elements of the control environment standard that are significant in a
government purchase card program, are discussed in this section of the
guide.

15 GAO/AIMD-00-21.3.1.

The Standards of Internal Control

All of the following internal control standards are applicable to
achieving reasonable assurance that fraudulent, improper, and abusive
purchases do not have a significant adverse effect on the effectiveness or
efficiency of a government purchase card program.

o  The control environment. A positive control environment--the foundation
for all other internal control standards--is established by management and
employees creating and maintaining an environment throughout the
organization that sets a positive and supportive attitude toward internal
control and conscientious management. Specific key elements affecting the
control environment of a purchase card program are discussed in more
detail later in this section.

o  	Management's risk assessment. Internal control should provide for an
assessment of the risks the organization faces, from both external and
internal sources, and identify and deal with any special risks prompted by
changes in economic, industry, regulatory, and operating conditions.

o  	Control activities. Control activities are the policies, procedures,
techniques, and mechanisms that enforce management's directives and help
ensure that actions are taken to address risks. Control activities in a
government purchase card program include a wide range of diverse
activities, such as approvals, authorizations, verifications,
reconciliations, reviews, and creation and maintenance of related records
that provide evidence of execution of these activities. Specific
transaction-level control activities significant to a purchase card
program are discussed in more detail in the Transaction Control Activities
section of this guide.

o  	Information and communications. Information should be recorded and
communicated to government purchase card program managers and others
within the program who need it in a form and within a time frame that
enables them to carry out their internal control and other
responsibilities.

o  Monitoring. Ongoing monitoring--regular management and supervisory
activities, comparisons, reconciliations, and other actions people take in
performing their duties--should be performed continually and be ingrained
in the normal operations of a government purchase card program (e.g.,
review and analysis of bank service provider reports, periodic reviews for
adherence to program policies and procedures, review and follow-up of
audit findings).

Testing Key Elements of the Control Environment

Recent GAO purchase card audit reports have identified the following six
elements as significantly affecting the control environment surrounding a
purchase card program:

o  management's philosophy (tone at the top),

o  span of control,

o  financial exposure,

o  training,

o  discipline, and

o  purchasing and reviewing authorities.

In a recent GAO audit, management's proactive attitude in implementing
change was credited for establishing a positive control environment at one
unit, in contrast to another unit where management supported the status
quo of weak control, effectively diminishing the likelihood of substantive
change.

In response to a GAO report criticizing an unreasonable 1,153:1 ratio of
cardholders to approving official, the department issued guidance limiting
this span of control ratio to 7:1 for all its agencies.

This guide discusses each of these elements, the relevant documentation,
and tests that the auditor can perform. Testing of some of these elements
of the control environment can be accomplished either before the
preliminary assessment is completed or later as part of testing the
effectiveness of control activities.

Testing of these elements of the control environment is accomplished
through analytical, sampling, and nonsampling methods as discussed in each
element. Analytical testing is accomplished by utilizing electronic
reports, data files, and other data obtained from the bank service
provider and the organization. The discussion of some of these elements
identifies them as lending themselves to efficient testing in conjunction
with transaction-level control activity tests, discussed in the
Transaction Control Activities section of this guide. Therefore, the data
needed to conduct tests of these elements should be obtained for each
cardholder and approving official for purchase card transactions selected
for transaction-level control activity testing.

Management's philosophy and operating style, sometimes referred to as tone
at the top, determines the degree of risk the organization is willing to
take in operations and programs. The attitude and philosophy of management
toward information systems, accounting, personnel functions, monitoring,
and audits and evaluations can have a profound effect on internal control.

Insights gained by the auditor through interviews conducted with program
personnel and review of prior audit findings and management's responses
will assist in assessing this element of internal control. Professional
judgment is necessary when attempting to assess the effect of tone at the
top, positive or negative, on internal control and on the design of
control activities. Tests of transaction-level control activities and
follow-up of potentially fraudulent, improper, and abusive purchases may
provide the auditor with additional insight into the tone at the top.

Span of control, in a government purchase card program, refers to the
extent of review responsibilities placed on a single AO for the purchase
card transactions of one or more cardholders.

In establishing the reasonableness of this responsibility, the auditor
should consider (1) the number of cardholders assigned, (2) the number and
complexity of purchase card transactions being reviewed each billing
period, and (3) perhaps most potentially detrimental, the demands of other
responsibilities assigned to the approving official. Additional insight
into the reasonableness of these relationships can be obtained during
interviews with cardholders and AOs and during control tests of selected
transactions.

Two related organizations provided purchase cards with credit limits of
$20,000 or more to over 1,700 employees, resulting in an excessive monthly
financial exposure of over $34 million, while actual monthly purchases
amounted to only about $6 million.

The auditor should consider independently evaluating the reasonableness of
existing span of control relationships by obtaining bank service provider
reports containing the information necessary to determine the number of
cardholders assigned to individual AOs.

The total number of authorized cardholders in the organization, their
single transaction and monthly credit limits, and the AO credit limits
directly affect the financial responsibility of the individuals involved
and the extent of potential loss to the organization from fraudulent,
improper, and abusive purchases. Financial exposure in a government
purchase card program can become excessive when management does not
exercise judgment and restraint in issuing purchase cards and in
determining single purchase and monthly credit limits. We have found that
by limiting the number of purchase cards and related credit limits to the
levels necessary to meet operational requirements, an agency can better
manage and control its purchase card program.

Purchase cards should be issued in controlled, limited quantities (e.g.,
special justification and authorization for more than one card per
cardholder) and only to government employees with legitimate needs to have
the cards. Single purchase and monthly credit limits should be established
based on the expected monthly purchases of the cardholder. Both of these
determinations require an objective effort by operational supervisors and
management, with assistance from purchase card program management, to
evaluate the existing and continuing needs of operations and cardholders.

The auditor should evaluate management's process for establishing the
number of cardholders and their credit limits reasonably necessary to
operational requirements. Documentation of management's decisionmaking
process should be obtained and reviewed for propriety. Examples of
management's consideration of objective, analytical data include the
following.

o  	Supervisory review of cardholder purchase history, both number of
transactions and dollars purchased (very few purchase transactions in the
previous year might indicate the lack of a need for the card, while lower
than expected dollar volume of purchases might indicate a lower reasonable
cardholder credit limit).

o  	Annual positive assertions by supervisors, managers, or both of
continuing cardholder needs, both for the card and for the related credit
limits.

The auditor should consider independently evaluating the reasonableness of
the organization's existing financial exposure by obtaining bank service
provider reports--which provide information necessary to determine the
total cardholder monthly credit limits--and comparing that total to the
organization's average monthly and highest monthly purchase card
expenditures.
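The two independent evaluations described above (cardholders per AO, and total monthly credit limits against average and highest monthly expenditures), together with the supervisory purchase-history review, can be run directly over bank report extracts. The following is an added example, not part of the GAO guide: the record layout, the sample rows, and the `min_txns` and `low_use_fraction` thresholds are assumptions, and 7:1 is only the ratio one department adopted in the case the guide cites.

```python
"""Analytical tests of span of control and financial exposure.

Every record here is constructed sample data, and the field layout is an
assumption rather than the format of any bank service provider report.
"""
from collections import defaultdict
from statistics import mean

# Constructed master file extract, one row per purchase card account:
# (account, cardholder, approving official, single limit, monthly limit)
MASTER_FILE = [
    ("A-001", "CH-01", "AO-1", 2_500, 20_000),
    ("A-002", "CH-02", "AO-1", 2_500, 20_000),
    ("A-003", "CH-03", "AO-1", 2_500, 10_000),
    ("A-004", "CH-04", "AO-2", 2_500, 40_000),
    ("A-005", "CH-04", "AO-2", 100_000, 500_000),  # second account, same person
    ("A-006", "CH-05", None, 2_500, 25_000),       # no AO on file
]

# Constructed transaction file: (account, billing month, amount).
PURCHASES = [
    ("A-001", "2002-10", 1_200.00), ("A-001", "2002-11", 900.00),
    ("A-002", "2002-10", 15_500.00), ("A-002", "2002-11", 18_000.00),
    ("A-004", "2002-10", 2_400.00),
    ("A-005", "2002-11", 95_000.00),
    ("A-006", "2002-12", 300.00),
]


def span_of_control(master, max_ratio):
    """Count distinct cardholders per AO; list AOs over max_ratio and
    accounts that have no approving official assigned at all."""
    by_ao = defaultdict(set)
    unassigned = []
    for account, cardholder, ao, _single, _monthly in master:
        if ao is None:
            unassigned.append(account)
        else:
            by_ao[ao].add(cardholder)  # count people, not accounts
    counts = {ao: len(holders) for ao, holders in by_ao.items()}
    over = sorted(ao for ao, n in counts.items() if n > max_ratio)
    return counts, over, unassigned


def financial_exposure(master, purchases):
    """Compare total monthly credit limits with average and highest
    monthly expenditures across the organization."""
    total_limit = sum(row[4] for row in master)
    by_month = defaultdict(float)
    for _account, month, amount in purchases:
        by_month[month] += amount
    average = mean(by_month.values()) if by_month else 0.0
    highest = max(by_month.values(), default=0.0)
    return {
        "total_monthly_limit": total_limit,
        "average_monthly_spend": average,
        "highest_monthly_spend": highest,
        # None when there was no spending, so the ratio is undefined.
        "limit_to_highest": total_limit / highest if highest else None,
    }


def account_utilization(master, purchases, min_txns, low_use_fraction):
    """Per-account purchase history review: few transactions question the
    need for the card; a low peak month questions the credit limit."""
    txns = defaultdict(int)
    monthly = defaultdict(float)
    for account, month, amount in purchases:
        txns[account] += 1
        monthly[(account, month)] += amount
    findings = {}
    for account, _holder, _ao, _single, limit in master:
        peak = max((v for (a, _m), v in monthly.items() if a == account),
                   default=0.0)
        notes = []
        if txns[account] < min_txns:
            notes.append("few transactions: confirm continuing need for card")
        if peak < low_use_fraction * limit:
            notes.append("peak month well below limit: consider lower limit")
        if notes:
            findings[account] = notes
    return findings


if __name__ == "__main__":
    counts, over, unassigned = span_of_control(MASTER_FILE, max_ratio=7)
    print("cardholders per AO:", counts, "over 7:1:", over)
    print("accounts with no AO:", unassigned)
    print(financial_exposure(MASTER_FILE, PURCHASES))
    for account, notes in account_utilization(
            MASTER_FILE, PURCHASES, min_txns=2, low_use_fraction=0.25).items():
        print(account, notes)
```

Counting distinct cardholders rather than accounts keeps a cardholder with two accounts from inflating an AO's ratio, while the exposure total still sums every account's limit because each one is separately chargeable.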

Of approximately $68 million in fiscal year 2000 purchase card
transactions at two related organizations, approximately $17.7 million (26
percent) were made by cardholders for whom there was no documented
evidence of required initial or refresher purchase card training.

Management should identify the appropriate knowledge and skills needed in
the purchase card program, require the needed training, and maintain
documentation evidencing that required training is current for all program
personnel. The extent and type of training provided should vary in
relation to authority and responsibility in the program and to the amount
of transaction authorization given to the cardholder. At a minimum, a
cardholder should receive the standard purchase cardholder training
provided by the organization or GSA before receiving a purchase card.16
Periodic (biannual) refresher training provided to cardholders can be
beneficial in maintaining their knowledge and awareness of control
activities.

The auditor should obtain and evaluate documentation evidencing adherence
to this element of the control environment for the cardholders and AOs
related to and in conjunction with transactions selected for tests of
transaction-level control activities. Both the appropriateness of training
received as well as the attributes discussed below can be reviewed when
evaluating this element of the control environment. Training documentation
and relevant attributes to consider include the following.

o  	Certificates/record of training, for both initial and refresher
courses, should clearly show (1) the type of training received (e.g.,
instructor led, computer based, internet based), (2) that the training was
relevant to the purchase card program, (3) that the training was
appropriate to the level of authorized spending and program authority of
the individual, (4) the signature of the cardholder and the instructor (if
applicable), (5) that the date of initial training is prior to purchase
card account activation, and (6) that the date of refresher training is
within the required period.

o  	Centralized training records, or a database of cardholder, AO, and APC
training should (1) provide detailed information similar to that
contemplated above for certificates of training and (2) be available to
the appropriate levels of program management to facilitate monitoring of
adherence to program training requirements. The auditor should consider
assessing the adequacy of centralized training records by tracing
cardholders and AOs associated with the purchase card transactions
selected for control tests to such records. Testing in association with
transaction control tests is desirable because selecting and testing a
representative sample from the centralized records would not identify
cardholders and others who have not received training and are therefore
not in the centralized records. Inquiries and other corroborating evidence
could provide confirmation that centralized training records or databases
are current, and are being used to monitor adherence to training
requirements.

16 The GSA web site
(http://www.fss.gsa.gov/webtraining/trainingdocs/smartpaytraining/index.cfm)
provides access to relevant purchase card training materials.

Candid and constructive counseling, performance appraisals, and discipline
can provide reinforcement of the system of internal control. Internal
control policies and procedures should identify the specific actions or
lack of adherence to internal control within the purchase card program
that warrants counseling, discipline, or both.

The auditor should obtain and evaluate documentation evidencing this
element of the control environment for the cardholders and AOs related to
and in conjunction with transactions selected for tests of
transaction-level control activities. The documentation and relevant
attributes of discipline to consider evaluating fall into two general
categories:

o  	Constructive counseling might be provided to cardholders and AOs in
response to isolated instances of lack of adherence to internal control
policies, procedures, and activities. The auditor should obtain and review
for propriety documentation of counseling provided for isolated instances
of lack of adherence to controls detected in the transactions selected for
control testing.

o  	Disciplinary actions to be taken in response to recurring or
persistent lack of adherence to internal controls and specific
consequences for improper and abusive purchases should be adopted by the
organization as part of the system of internal control. Such consequences
can vary with the severity and persistence of the policy violation, and
might include formal and informal reprimands, suspension or cancellation
of the purchase card account, termination of employment, and referral to
investigative authorities in cases of suspected fraud. Instances
warranting discipline should be documented and included in personnel files
and, if applicable, performance appraisals. The auditor should obtain and
review documentation of disciplinary actions taken for instances of
significant lack of adherence to controls and for improper and abusive
purchases detected during the control activities testing. Documentation
should also be obtained of all cases of detected potential fraud occurring
during the period under audit and included in considerations for
follow-up, as discussed in the Follow-up and Investigation section of this
guide. Disciplinary actions alone may be an insufficient response to
detected fraud. For that reason, instances of fraud that are declined for
prosecution and referred to management for disciplinary action should be
followed up to ensure that, in the professional judgment of the auditor,
appropriate actions were taken by organization management.

A GAO audit found that despite agency operating instructions providing for
restitution and revocation of card privileges, repeat violators of
regulations and internal controls did not lose their purchase cards and
did not repay the government for unauthorized purchases.

In a government purchase card program, purchasing authority establishes a
cardholder's authority to possess and use a government purchase card. It
also establishes the cardholder's single-transaction and credit limits.
Some organizations will assign different spending limit authorities to the
same cardholder, which apply to different uses of the card. For example, a
cardholder who is a warranted contracting officer is assigned two
purchasing authorities, on either a single or on two different purchase
card accounts: (1) a $2,500 single-transaction limit with a $40,000
monthly purchase limit for purchases of goods or services and (2) a
$100,000 single-transaction limit with a $500,000 credit limit for use of
the purchase card as a method of payment on a preexisting contract.
Authority is also established for AOs to review and authorize payment of
cardholder accounts. AO authority should also identify the specific
cardholder(s) for which review and certification responsibilities have
been assigned. GAO has suggested that AOs' credit limits relate to the
total cumulative monthly purchasing limits of the cardholders assigned to
them.

The auditor should obtain and evaluate documentation evidencing this
element of the control environment for the cardholders and AOs related to
and in conjunction with transactions selected for tests of
transaction-level control activities. For evaluation and testing purposes,
each level of purchasing authority given to a cardholder (e.g., $2,500
single-transaction limit for local vendor purchases, $100,000 limit for
purchases on an existing contract) should be deemed a separate cardholder.

Documentation evidencing purchasing authority for cardholders, and review
and certification authority for AOs, should be obtained and evaluated for
instances of significant lack of adherence to controls, including (1)
documentation of the cardholder's purchasing authorization (e.g.,
organizational standard form) dated prior to the transaction date and (2)
documentation of the AO's authorization (e.g., organizational standard
form) dated prior to the transaction date. Attributes that the auditor
should consider reviewing when evaluating the effectiveness of this
control include the following: (1) the date of the purchase transaction,
compared to the date of the cardholder's purchasing authority, compared to
the date of the AO's authorization, (2) the amount of the transaction,
compared to the amount of the cardholder's single transaction authority,
(3) the total amount of the cardholder's billing statement, compared to
the cardholder's and AO's authorized credit limits, (4) the cardholder
account single-transaction and credit limit carried in the bank's system,
compared to those authorized in the cardholder's purchasing authority, and
(5) that the AO's assignment of responsibility includes the specific
cardholder's account.
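The five attributes listed above can be applied to each selected transaction as a repeatable test. The following Python sketch is an added example, not part of the GAO guide; the record layouts, field names, and sample values are constructed, and two choices are assumptions: a missing authority document is scored as a failure, and any difference between the bank's limits and the authorized limits is flagged.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class CardholderAuthority:
    """One level of purchasing authority (each level is tested as a separate cardholder)."""
    account: str
    dated: date          # date on the authorization document
    single_limit: int    # single-transaction limit, whole dollars
    credit_limit: int    # credit limit, whole dollars


@dataclass(frozen=True)
class AOAuthority:
    dated: date
    credit_limit: int
    assigned_accounts: FrozenSet[str]   # cardholder accounts assigned to this AO


@dataclass(frozen=True)
class BankLimits:
    """Limits carried for the account in the bank's system."""
    single_limit: int
    credit_limit: int


@dataclass(frozen=True)
class Transaction:
    account: str
    sale_date: date
    amount: int


def failed_attributes(txn: Transaction,
                      ch: Optional[CardholderAuthority],
                      ao: Optional[AOAuthority],
                      bank: Optional[BankLimits],
                      statement_total: int) -> List[int]:
    """Return the numbers (1-5) of the attributes that fail for one transaction.

    None stands for documentation that could not be obtained; every attribute
    that depends on it is scored as a failure (assumption of this example).
    """
    failed = set()
    # (1) Both authorizations must be dated strictly before the transaction date.
    if ch is None or ao is None or not (ch.dated < txn.sale_date and ao.dated < txn.sale_date):
        failed.add(1)
    # (2) Transaction amount against the cardholder's single-transaction authority.
    if ch is None or txn.amount > ch.single_limit:
        failed.add(2)
    # (3) Billing statement total against the cardholder's and AO's credit limits.
    if (ch is None or ao is None
            or statement_total > ch.credit_limit
            or statement_total > ao.credit_limit):
        failed.add(3)
    # (4) Limits in the bank's system against the authorized limits (any mismatch).
    if (ch is None or bank is None
            or bank.single_limit != ch.single_limit
            or bank.credit_limit != ch.credit_limit):
        failed.add(4)
    # (5) The AO's assignment must include this specific cardholder account.
    if ao is None or txn.account not in ao.assigned_accounts:
        failed.add(5)
    return sorted(failed)


# Constructed sample records, for illustration only.
CH = CardholderAuthority("CH-001", date(2003, 1, 15), 2500, 10000)
AO = AOAuthority(date(2003, 2, 1), 25000, frozenset({"CH-001", "CH-002"}))
BANK = BankLimits(2500, 25000)          # credit limit differs from the authority
TXN_EARLY = Transaction("CH-001", date(2003, 1, 20), 2400)   # before AO was authorized
TXN_UNDOCUMENTED = Transaction("CH-003", date(2003, 3, 5), 300)
TXN_CLEAN = Transaction("CH-001", date(2003, 3, 10), 1200)

if __name__ == "__main__":
    print(failed_attributes(TXN_EARLY, CH, AO, BANK, 9000))
    print(failed_attributes(TXN_UNDOCUMENTED, None, AO, BANK, 500))
    print(failed_attributes(TXN_CLEAN, CH, AO, BankLimits(2500, 10000), 9000))
```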

Section 3: Making, Documenting, and Using the Preliminary Assessment

The preliminary assessment is a critical analysis of whether, in the
professional judgment of the auditor, the existing internal control
policies, procedures, and activities as designed, if in place and
operating, will provide management with reasonable assurance that
significant fraudulent, improper, and abusive purchases will be prevented
or promptly detected. A preliminary assessment of the organization's plan
of internal control will assist the auditor in (1) identifying significant
weaknesses in designed control activities, (2) planning and designing
control tests, and (3) identifying data-mining criteria.

The auditor, considering the overall control environment, should make a
critical comparison of the risk/opportunities for fraudulent, improper,
and abusive purchases and the internal control policies, procedures, and
activities designed to guard against them. The knowledge gained in the
Understanding Operations and Programs section of this guide will provide
information useful in the preliminary assessment of internal control. In
some circumstances, this information may need to be supplemented with
additional inquiries, observations, and nonsampling tests of controls.
When reaching conclusions in the preliminary assessment, the auditor
should also consider the bank service provider's systems and controls, the
audit objectives, prior audit findings and recommendations, and
management's responses and corrective actions taken.

ASSESSING THE ADEQUACY OF THE DESIGN OF CONTROL ACTIVITIES

Our audits of purchase card programs have identified (1) the
determination of a legitimate government need, (2) screening for required
sources of supply, (3) independent receipt and acceptance, (4)
establishing accountability over certain property, (5) cardholder
reconciliation, and (6) AO review as key transaction-level control
activities in mitigating the risk of fraudulent, improper, and abusive
purchases. These key control activities should be included in the
auditor's preliminary assessment of the adequacy of the design of control
activities. It will also be helpful to the auditor's critical comparison
process to prepare a list of the identified risk/opportunities for
potentially fraudulent, improper, and abusive purchases to occur and a
list of the existing relevant control activities. An individual control
activity will probably address multiple risks of potentially fraudulent,
improper, and abusive purchases, and an individual risk may be addressed
by more than one control activity. Therefore, a simple one-to-one
comparison will probably not be effective. For example, the control
activity of independent receipt and acceptance can be instrumental in
mitigating the risk of paying for services not performed, as well as
mitigating the risk of purchased accountable property not being recorded
in the organization's property record system.

One way to proceed is to prepare a simple schedule, as illustrated in
figure 4, which lists the identified risk/opportunities for potentially
fraudulent, improper, and abusive purchases and provides space for
identifying (1) the related control activities, (2) the auditor's
preliminary assessment conclusions, (3) the effects on the design of audit
control tests, and (4) potential criteria for audit data mining.

Figure 4: Illustration of the process of assessing and concluding on the
adequacy of designed control activities

GAO process illustration

The above (figure 4) is provided as an illustration only of the process of
making, documenting, and using the preliminary assessment of the design of
internal control activities. The illustrated risks, controls, conclusions,
effects, and identifications are highly dependent on the facts and
circumstances of specific organization operations and purchase card
programs. Auditors will need to exercise professional judgment when making
these determinations.

USING THE PRELIMINARY ASSESSMENT

Auditors should find the observations and conclusions made in the
preliminary assessment useful in determining the nature and extent of
further audit work on an organization's purchase card program. These
observations and conclusions can be useful in determining a strategy for
internal control testing, including designing sample selections. For
example, a preliminary assessment conclusion might be that the design of
an internal control policy and one or more related control activities is
strong and can provide management with reasonable assurance of preventing
or promptly detecting fraudulent, improper, and abusive purchases. If the
policy and control activities are considered to be strong, tests designed
to determine the extent to which the control activities are being
performed would likely be an efficient and cost-effective audit
procedure. However, if the auditor considers the policy or the control
activity to be ineffective or nonexistent, tests for performance of
control activities would generally not be appropriate or cost effective.
Whether to design and conduct tests of performance for controls
considered to be weak will require professional judgment and
consideration of the facts and circumstances of individual cases.

The results of the preliminary assessment can also be useful to the
auditor's consideration of other procedures (such as data mining, which
is discussed later in this guide) designed to detect fraudulent,
improper, and abusive transactions resulting from identified weakness in
the design of controls.
For example, if the preliminary assessment is that the design of internal
control does not provide reasonable assurance of compliance with
requirements to purchase from statutory sources of supply, then purchase
card transactions with other vendors who sell similar goods and services
may provide examples of the result of that control weakness.

Section 4: Testing the Effectiveness of Key Control Activities

A well-designed system of internal control for a purchase card program is
needed to provide reasonable assurance that the program is operating as
intended and is not vulnerable to significant fraudulent, improper, and
abusive purchases. However, a system of internal control, no matter how
well designed, cannot be relied on if control activities are not in place
and operating effectively on an ongoing basis. Control activities,
identified during the preliminary assessment process as likely to be
effective at preventing or detecting fraudulent, improper, and abusive
purchases, should be tested to determine if they are being adequately
adhered to. This section discusses (1) obtaining and verifying the
completeness of the purchase card transactions database, (2) designing a
statistical sample of purchase card transactions, (3) obtaining the
documentary evidence of performance of control activities, and (4)
designing and conducting tests to determine if key control activities are
in place and operating as intended.

In our audits of purchase card programs, we used two basic types of
control testing to evaluate the effectiveness of internal control
activities:

o  	statistical sampling17 (selections expected to be representative of a
population and projectable, with quantifiable accuracy, to that
population), which is discussed in this section of the guide, and

o  	nonrepresentative selections (selections not expected to be
representative of or projectable to a population), such as data mining,
which is discussed in section 5 of the guide.

This guide considers control activities designed to prevent or detect
fraudulent, improper, and abusive transactions in a purchase card program
to operate on two basic levels: (1) control activities that operate at the
transaction level (e.g., independent receipt and acceptance, cardholder
reconciliation) and (2) controls that operate at some other level (e.g.,
training, span of control). Elements of the control environment discussed
in the Internal Control and the Control Environment section of this guide
are not considered transaction-level control activities. However, testing
and evaluating certain of these elements (i.e., training, discipline, and
purchasing and reviewing authority) can be efficiently accomplished in
conjunction with the testing of transaction-level control activities.

17 Sampling selections expected to be representative of a population can
be either statistical or nonstatistical--statistical concepts are
considered but not explicitly used to determine sample size, select sample
items, or evaluate the results. However, projections of nonstatistical
sample results are not quantifiably accurate, and GAO discourages their
use in government audits.

OBTAINING TRANSACTION DATA

Tests of control activities that operate at the
transaction level are applied to selected purchase card transactions,
generally contained in an electronic file database. The auditor will need
to identify and obtain the appropriate database of purchase card
transactions, select the transactions to test, and extract the appropriate
transaction information from the database. In order to obtain the
appropriate population of purchase card transactions, the auditor will
need to establish and define the scope of the audit. The scope of the
audit can be defined in terms of control activities in place and operating
for a period, a unit, or an activity, or a combination of those terms
(e.g., all purchase card transactions executed by the organization during
the fiscal year ended September 30, 2003). Also, if the data are stored in
an electronic database, the auditor will need to determine that the
transaction data elements necessary to achieve the audit objectives are
included in the database obtained.

The purchase card transactions selected for testing should be selected
from a population that includes all relevant transactions, including
convenience checks, in the scope of the audit. In order to ensure the
relevance and completeness of the population transaction database, the
auditor should obtain value and quantity-control totals from a source
independent of the database provider and agree them to the data obtained.
For example, a transaction database supplied by the bank service provider
could be agreed or reconciled to the organization's records of purchase
card activities, or the bank service provider may supply control totals to
verify a transaction database provided directly by the organization.

Coordinating with the Bank Service Provider

Establishing a contact and coordinating the audit effort with the bank
service provider presents the
auditor with an opportunity to gain a current understanding of the bank's
program operations, processes, and controls, as more fully discussed in
the Understanding the Bank Service Provider's Program section of this
guide. Coordination with the bank can also provide the needed transaction
databases or the ability to verify organization transaction databases by
comparison to independent control totals. Fraud investigators involved in
the purchase card audit may also be afforded an opportunity to evaluate
the bank's fraud investigation and detection methodologies and benefit
from other information provided by the bank's credit card fraud
investigators.

SELECTING PURCHASE CARD TRANSACTIONS

One of the first decisions the auditor will need to make is whether to use
statistical sampling to select transactions for testing. In most audit
circumstances, statistical sampling is the recommended approach for making
estimates about and drawing conclusions from a population of transactions
and for estimating the percentage of transactions in the population for
which control activities were or were not in place and operating as
intended. Statistical sampling is appropriate

o  	if there is a desire to estimate whether control activities for a
population of transactions are in place and operating as intended, and to
quantify the accuracy of this assessment based on statistical theory;

o  	if there is a desire to estimate whether some control activities for a
population of transactions are operating as intended to a greater or
lesser degree than other activities, and to quantify the accuracy of this
assessment based on statistical theory; and

o  	if it is desirable to estimate the dollar value for a population of
purchase card transactions subject to detected control weaknesses or
failures, and to quantify the accuracy of the assessment based on
statistical theory.

In these cases, a statistical sample should be designed so that
statistical theory can be used to estimate failure rates and the dollar
value of transactions subject to ineffective controls in the population
and to quantify the accuracy of those estimates.

In other audits of purchase card programs, making statistical estimates of
the failure rate in the population of transactions may not be important.
For example, if there are no control activities, or if the design of
controls is clearly inadequate, there would be little point in testing
control activities and estimating the associated failure rates. As another
example, certain control activities may only apply to a very small portion
of transactions. In these cases, an assessment might be made of the
effectiveness of control activities through means such as observation,
inquiry, and inspection of a nonrepresentative selection of transactions.
However, it should be understood at the outset that when experience and
understanding of the subject matter are used to assess the effectiveness
of control activities based solely on observation, inquiry, or inspection
of a nonrepresentative selection of transactions, the results cannot be
reliably or statistically projected to all transactions of that type.

Considerations in Designing a Statistical Sample

The auditor, in conjunction with a statistician, will need to consider a
number of issues in order to design statistical samples for government
purchase card programs. These issues include, but are not limited to, the
following.

o  	The organization of the population of purchase card transactions.
Typically, these records are organized in one or more electronic files. In
this case, various sampling options are available. Two of these options
are (1) simple random sampling of transactions and (2) partitioning
transactions into non-overlapping groups (strata), followed by selecting
simple random samples of transactions in each stratum.

o  	The organization of the documentation evidencing performance of
control activities. These documents may be stored in one or more
geographic locations, which may or may not limit or impair accessibility
by the auditor. In either case, a sample design should account for the
geographic dispersion. The following are examples of available options.

Geographic strata. If personnel are available to collect data from each
location, then a sample design might have locations as strata, with
appropriate sampling methods within each stratum. A stratified design
would protect against the possibility of an "unlucky" sample, that is one
having no or few transactions from one or more locations in a random
sample selected from the population of all transactions. It may also
provide more precise estimates than a random sample of the same size
selected from the population of all transactions.

Geographic location sample. If it is not possible to collect data from
each geographic location, then a two-stage statistical sample can be made
of (stage one) geographic locations, with appropriate sampling methods
used (stage two) within each selected location. If the geographic
locations are chosen using statistical sampling, the auditor will be able
to make estimates about all purchase card transactions in the population.

Case study approach. The auditor may find, however, that the documents
that will be examined to determine whether control activities are being
performed are so geographically dispersed that it is not cost effective to
collect data from statistically sampled locations. In this case, the
auditor may wish to consider a case study approach. In a case study
approach, locations are selected for specific reasons instead of being
chosen using statistical sampling. Statistical samples of transactions are
then selected for each of the selected locations. The auditor should note,
however, that data collected from a case study approach can only be used
to assess adherence to controls at the specified locations. Sample data
from a case study approach cannot be used to make assessments about
adherence to controls for the entire population of purchase card
transactions.

o  	Information about the approximate level of nonadherence to controls.
Such information may be obtained from (1) similar studies performed in the
recent past, (2) estimates by subject matter experts, or (3) information
obtained by the auditor during the preliminary assessment relating to
nonadherence rates. These "guesstimates" are very useful to the
statistician in estimating what sample size might be needed to achieve
specified precision levels on estimated nonadherence rates.

o  	The relationship between the approximate nonadherence rate and the
acceptable nonadherence/adherence rates. At what rate of failure would
the auditor consider a control to be ineffective? Effective? If the
expected level of nonadherence (or adherence) is close to the minimum rate
that is considered unacceptable (or acceptable), a larger sample may be
required to assert nonadherence (or adherence) to controls.

o  	Inherent strengths/weakness. Certain types of transactions may be
expected to have different rates of nonadherence to controls than other
types (e.g., transactions for large dollar amounts processed at a higher
level by personnel who likely have taken contractor officer training). If
so, the population of transactions can be partitioned into strata so the
expected rate of nonadherence differs from one stratum to the next.
Separate samples of transactions can then be taken in each stratum. A
stratified design that takes advantage of expected differences in
nonadherence rates across strata can provide more precise estimates than a
random sample of the same size selected from the population of all
transactions.

o  	Time and resources. The total amount of time available, the time it
will take to evaluate the effectiveness of controls for each purchase card
transaction, and the number of audit staff available are practical
considerations that will directly influence the design and size of a
sample.

The Sampling Plan

The auditor and the statistician should develop a written sampling plan
for inclusion in the audit work papers. The sampling plan should include,
but is not limited to,

o  the reasons that a sample was developed,

o  	the type of sample (e.g., statistical or nonstatistical) and sampling
method (e.g., random) being used,

o  	a description of the population (e.g., nature, data elements, source,
control totals),

o  	the sample design (e.g., confidence level, stratum criteria, number of
items and dollars in population and stratum, sample size by stratum and
population) selected along with a discussion of the factors considered and
conclusion reached,

o  	guidelines about the types of evidence and attributes the auditor will
accept as clear evidence of performance of control activities,

o  information about the anticipated precision of the sample estimates,

o  a definition of nonadherence to controls,

o  expectations (if any) about the rate of nonadherence to controls, and

o  	examples of the types of conclusions the auditor expects to be able to
make after the sample data are analyzed (and projected to the population).

Extracting Selected Transaction Data Elements

Data elements of transactions selected for control activity testing (as
well as those identified by data mining) will need to be
extracted--identified, selected, copied, and accumulated in a separate
electronic file for further auditor analysis--from the population
transactions database. At a minimum, those data elements should include
the identification and other data elements necessary to facilitate control
activity testing. The following are examples of data elements that might
be included in such extracts.

o  Transaction: Amount, Sale date, Post date

o  	Cardholder: Name, Account number, Account address, Work location, Work
telephone

o  Vendor: Name, MCC, Address, Business telephone

o  AO: Name, Work location, Work telephone

Reporting Sample Results

The auditor should prepare a workpaper/file
detailing the pass/fail results of tests of control activities (e.g., the
number and dollar value of transactions failing a control activity)
performed on each sample item, in accordance with the sample design (e.g.,
sampled strata). These results can then be provided to the statistician,
who should project the sample results to the population and provide the
auditor with a report recapping the population, the sampling plan used,
the control tests performed by the auditor, the statistical estimates
(e.g., attribute failure rates, dollar values), and the associated
confidence intervals. The auditor should then prepare a summary memorandum
that incorporates the sample tests results and the statistician's report
and recaps the rules used to assess the effectiveness of controls and the
audit conclusions drawn from the projected sample results.

Analysis of Results from Statistical Samples

The primary questions that can be answered from analyzing the result of a
statistical sample of attribute tests for control activity performance are
as follows:

1. What is the estimated failure rate and how accurate is that estimate?

2. 	Does the failure rate of performance of the control activity result in
assessing the control as effective or ineffective?

To answer the first question, the failure rate from the statistical sample
should be estimated taking the design of the sample into account. Since
the statistical sample is only one of a large number of samples that could
be drawn, a two-sided interval should be generated that will contain the
actual (unknown) population failure rate for a specified percentage of
samples that could be drawn. This interval is called a "confidence
interval," and the specified percentage is called the "confidence
level."18

18 For nonfinancial audits, GAO commonly uses a confidence level of 95
percent. "The 95 percent confidence level appears to be used more
frequently in practice than any other level...90 percent and 99 percent
confidence levels seem to be next in popularity." Hahn and Meeker,
Statistical Intervals, A Guide For Practitioners, 1st ed. (New York: John
Wiley and Sons, Inc., 1991), 38.

To answer the second question, the statistical sample results should be
compared to a preset standard (e.g., control activities with adherence
failure rates greater than 5 percent will be considered ineffective) and
professional judgment.

For each audit of a government purchase card program, the auditor should
choose the failure rate that classifies the performance of control
activities as effective or ineffective. If the calculated results of the
statistical sample are considered inconclusive (e.g., the predetermined
effective/ineffective rate of adherence falls within the confidence
interval of the estimated failure rate of a control activity), the auditor
should use professional judgment in reaching the appropriate
conclusion(s).
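The two questions above can be worked through for a stratified sample as follows. This Python sketch is an added example, not part of the GAO guide: it assumes simple random sampling within each stratum and a normal-approximation interval (the guide does not prescribe an interval method, which is the statistician's choice), and the strata and counts are constructed.

```python
import math
from dataclasses import dataclass
from statistics import NormalDist
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Stratum:
    name: str
    population: int   # transactions in the stratum (from the control totals)
    sampled: int      # transactions tested
    failures: int     # tested transactions that failed the control activity


def stratified_failure_rate(strata: Iterable[Stratum],
                            confidence: float = 0.95) -> Tuple[float, float, float]:
    """Estimate the population failure rate and a two-sided confidence interval.

    Each stratum's sample failure rate is weighted by the stratum's share of
    the population; the variance uses the finite population correction.
    Returns (estimate, lower, upper) as proportions.
    """
    strata = list(strata)
    total = sum(s.population for s in strata)
    estimate = 0.0
    variance = 0.0
    for s in strata:
        if not 2 <= s.sampled <= s.population:
            raise ValueError(f"{s.name}: need 2 <= sampled <= population")
        if not 0 <= s.failures <= s.sampled:
            raise ValueError(f"{s.name}: failures must be between 0 and sampled")
        weight = s.population / total
        p = s.failures / s.sampled
        fpc = 1 - s.sampled / s.population
        estimate += weight * p
        # A stratum with 0 (or all) failures adds no variance here; an exact
        # method would be needed to bound such a stratum properly.
        variance += weight ** 2 * fpc * p * (1 - p) / (s.sampled - 1)
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    half_width = z * math.sqrt(variance)
    return estimate, max(0.0, estimate - half_width), min(1.0, estimate + half_width)


def assess(lower: float, upper: float, standard: float = 0.05) -> str:
    """Compare the interval with the preset standard (5 percent in the text's example).

    If the standard falls inside the interval the result is inconclusive and
    is left to the auditor's professional judgment.
    """
    if lower > standard:
        return "ineffective"
    if upper < standard:
        return "effective"
    return "inconclusive"


# Constructed pass/fail results for one control activity, by stratum.
SAMPLE_RESULTS = [
    Stratum("micro-purchases", population=40000, sampled=100, failures=12),
    Stratum("contract payments", population=2000, sampled=50, failures=1),
    Stratum("convenience checks", population=500, sampled=40, failures=10),
]

if __name__ == "__main__":
    est, lo, hi = stratified_failure_rate(SAMPLE_RESULTS)
    print(f"estimated failure rate {est:.1%}, 95% interval {lo:.1%} to {hi:.1%}")
    print("assessment:", assess(lo, hi))
```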

OBTAINING DOCUMENTATION EVIDENCING PERFORMANCE OF CONTROL ACTIVITIES

Documentation provides the auditor an opportunity to inspect evidence of
ongoing adherence to internal control policies and performance of control
activities. The data evidencing performance of transaction-related
control activities will most likely, but not necessarily, reside within
the organization. Examples of documentation that might evidence
performance of specific control activities are included in the Testing
Control Activities section of this guide. The lack of such documentation,
although a strong indicator of a lack of adherence and performance, does
not necessarily preclude adherence or performance. However, all lack of
adequate documentation should initially be considered as a failure of the
relevant control activity test. Missing documentation should elevate the
level of the auditor's professional skepticism when conducting any
additional audit procedures considered appropriate (e.g., additional
inquiry, consideration of other supporting documentation, direct
interviews with cardholders and AOs). Transactions and cardholders with
significant or persistent lack of documentation should be considered for
follow-up in accordance with the Follow-up and Investigation section of
this guide.

Original documents should be reviewed whenever possible. The extent that
copies of original documents are retained for audit work papers will
depend on the circumstances and professional judgment. However, the work
papers should include copies of documents supporting findings of a
significant lack of adherence to policies; performance of control
activities; and any potentially fraudulent, improper, and abusive
purchases. As discussed later in the Follow-up and Investigation section
of this guide, copies of documents will also be necessary to the
follow-up process.

Obtaining Documentation from the Organization

The auditor will need to provide the organization sufficient information
to identify the specific transactions selected for testing (e.g.,
cardholder name and number, transaction sale or post date, and amount).
The auditor should, during planning, allow sufficient time for this step
since documentation
may be in geographically diverse locations, and the organization may need
to send out requests for the needed information. The auditor should
consider the knowledge gained about the control environment and other
factors and exercise professional judgment when making decisions about (1)
supplying selected transaction information to the organization, (2) when
and how to receive documentation, and (3) the amount of time to allow the
organization to produce documentation. The auditor and the organization
should agree to (and the auditor should communicate in writing) the rules
of the engagement, in advance, establishing time limits for providing
requested documentation, after which audit conclusions will be based on
the documentation provided.

Evidence of Performance

The auditor should design tests that clearly and specifically identify
acceptable attributes that evidence actual performance of control
activities. Guidelines should be developed about what constitutes "clear
evidence of performance" before testing begins. Such evidence may include
appropriate sequencing of dates, cardholder and AO tick marks or other
indications on individual transactions, and corroborating representations
of performance by management personnel. Developing these guidelines in
advance and including them in the sampling plan will enhance the ability
of audit staff to make consistent assessments across sampled transactions.
If there will be a cadre of audit staff assessing whether there is clear
evidence of performance, they should be trained before data collection
begins to enhance their collective ability to make consistent assessments.
Also, appropriate supervisory review and validation of the assessments
made by the audit staff will be needed. An independent supervisory
assessment of selected sample items is one way to accomplish that review.

TESTING CONTROL ACTIVITIES

Tests for performance of control activities
should be performed using the data gathered. For purposes of this guide,
many control activities are considered transaction specific (e.g.,
independent receipt and acceptance, AO review), and the related tests
should be accomplished at the transaction level. Also, as discussed in the
Internal Control and the Control Environment section of this guide, some
of the key elements of the control environment (e.g., training,
discipline, purchasing and approving authority) lend themselves to
efficient testing in conjunction with the testing of transaction-level
control activities. The auditor should consider coordinating tests of
those elements of the control environment with the tests of the following
transaction control activities.

Transaction Control Activities

This guide discusses the following six control activities directly related
to purchase card transactions and their supporting documentation and
performance attributes for consideration by the auditor:

o  determining a legitimate government need,

o  screening for required vendors,

o  independent receipt and acceptance,

o  establishing accountability over property,

o  cardholder reconciliation, and

o  AO review.

The specific tests of control activities accomplished, the specific
documents reviewed, and the attributes considered may vary as audit
objectives vary. When conducting the transaction control test discussed
below, auditors should also evaluate purchases for compliance with
relevant laws and regulations (e.g., exemption from sales tax). The
auditor should consider consulting with legal counsel for assistance in
evaluating questions of the existence of a legitimate government need. The
auditor should also consider conducting follow-up, as discussed later in
this guide, in instances of a questionable legitimate government need or
prohibited or otherwise inappropriate government purchases.

Prepurchase approvals were found in up to 98 percent of purchase card
transactions tested in a recent GAO audit.

Auditors questioned whether a valid need had been identified, when "to get
enough goodies for everyone" 80 Palm Pilots costing $30,000 were purchased
and inventoried to be issued to personnel when requested.

Determining a legitimate government need provides reasonable assurance to
the organization that its resources are not being wasted. A legitimate
need for the goods or services being acquired should be determined before
a purchase is made. In a government purchase card program, the initial
responsibility for making this determination may be assigned to the
cardholder through the organization's policies and procedures.
Prepurchase requests or other authorization prepared by a supervisor, or
prepared by operations personnel and signed by a supervisor, can provide
the cardholder with documentation of a legitimate government need.
Organization policies may leave verification and documentation that
purchases are for a legitimate government need to the discretion of the
cardholder--a practice usually considered a weakness in the design of
control. The organization's policies and procedures may identify specific
items or types of purchases requiring special approval. However,
prepurchase authorizations are not required by all government
organizations, and some organizations may provide blanket authorization
for routine purchases. When there is no documentation of a legitimate
government need for other than routine items, the auditor should view such
purchases with an elevated level of professional skepticism. Further, the
organization's policies and procedures may restrict or prohibit the
purchase of certain items or types of goods and services. Auditors should
be aware of these requirements, restrictions, and prohibitions and the
requirement, or lack thereof, for documentation establishing the
government's need.

Documentation evidencing the determination of a legitimate government
need should be obtained and reviewed. This could include (1) a prepurchase
request or authorization, (2) written blanket authorization for small
routine purchases (e.g., office supplies), (3) written justification by
the cardholder or other program personnel of the government need for the
purchase, (4) other required documentation for specifically controlled or
restricted purchases (e.g., a purchase justification or business need
analysis for computer equipment), and (5) the vendor invoice describing
the goods or services purchased.

   	Attributes to consider evaluating include (1) the date of government need
determination, compared to date of the purchase, (2) whether the purchased
item is included on the organization's prohibited or restricted list, and
(3) the item purchased on the vendor invoice, compared to the item for
which a need was determined. The auditor should consider the knowledge
gained in previous sections of the guide of the organization's operations
and the control environment, and, with an appropriate level of
professional skepticism, exercise professional judgment and evaluate the
reasonableness of the legitimate government need determination.

Despite laws and regulations requiring priority be given to certain
required vendors, a recent GAO audit found failure rates in this control
ranging from 70 to 90 percent of purchases tested.

Two related organizations could not demonstrate independent receipt and
acceptance for about $27.4 million in purchased goods and services.

Screening for required vendors provides the organization with reasonable
assurance of compliance with laws and regulations related to statutory
sources of supply. One such regulation is FAR Subpart 8, Required Sources
of Supplies and Services. This regulation generally requires federal
agencies to purchase supplies, services, and printing from designated
sources, such as the Federal Prison Industries, the National Industries
for the Blind, NISH (serving people with a range of disabilities), and the
Government Printing Office. Auditors should be aware of these and other
laws, regulations, contractual agreements, and policies and procedures,
which direct the organization to acquire goods and services from sources
such as GSA schedules and contracts, blanket purchase agreements, and
single source suppliers. Auditors should also be aware of exceptions
provided to these and other requirements, generally having to do with
practicality and availability.

   	Documentation evidencing screening for required vendors should be
obtained and reviewed, including (1) a purchase log, required by policy at
some organizations, (2) other documents evidencing appropriate screening,
and (3) a waiver or other documentation of the applicability of exceptions
made to required sources of supply.

   	Attributes to consider evaluating include (1) the date and cardholder
signature or initial for screening, compared to the transaction date, and
(2) the date and appropriate signature on waiver of purchase from required
sources, compared to the transaction's date. Professional skepticism
should be exercised when evaluating the appropriateness of any exceptions
to required sources of supply.

Independent--someone other than the cardholder--receipt and acceptance of
goods and services provides reasonable assurance that the organization
actually received what it is paying for. The inclusion of independence in
the receipt and acceptance activity significantly strengthens the control
by adding segregation of duties to the activity. In purchase card
programs, the cardholder is usually responsible for verifying that
independent receipt and acceptance has occurred before completing
reconciliation.

   	Documentation evidencing independent receipt and acceptance (e.g., a
signature or initial on the vendor invoice, receipt, or shipping document)
should be obtained and reviewed, including (1) the vendor invoice, (2) the
shipping, receiving, or warehouse receipt for goods or services provided,
and (3) the relevant cardholder billing statement.

   	Attributes to consider evaluating include (1) the date of signed receipt,
compared to the purchase date and cardholder reconciliation date, (2) the
signature or initial, evidencing receipt by someone other than the
cardholder, (3) notations (e.g., tick marks) indicating verification of
quantities for appropriate purchases, (4) the invoice amount, compared to
the cardholder billing statement amount, and (5) the invoice item
description(s) and quantity, compared to receiving document description(s)
and quantity.

Of 114 tested purchases of accountable property acquired with purchase
cards, 60 (53 percent) were not recorded in property records, and 35 (31
percent) could not be located.

Tests of a statistical sample of purchase card transactions at four
related organizations disclosed little evidence of cardholder
reconciliation of purchases back to supporting documentation before
payment of the bill.

Physical control and accountability over pilferable and other vulnerable
property acquired by the purchase card, which is initiated at the purchase
card transaction level, provides reasonable assurance to the organization
that pilferable property (i.e., items that are portable and can be easily
converted to personal use) is appropriately recorded and asset-safeguarding
control is established at the time of purchase and receipt. Organizational
requirements for this activity may vary with the volume, value, and
sensitivity of pilferable property acquisitions. Control activities
required of the cardholder should include initially identifying the
pilferable property requiring asset control, notifying appropriate
property management personnel within the organization of the acquisition,
and supplying the information required to establish a record in the
property control system. Audit procedures should include verification of
the record in the property control system, and can be extended to physical
inspection and verification that the property is in the possession of the
government.

   	Documentation evidencing performance of this activity should be obtained
and reviewed, including (1) the vendor invoice, (2) evidence of
independent receipt and acceptance, (3) the cardholder's billing
statement, (4) the cardholder's notification of pilferable property
submitted to property control system personnel, (5) the property control
system record, and (6) if applicable, item serial numbers, which, if not
evident in the existing transaction documentation, should be obtained by
the auditor directly from the supplier or manufacturer.

   	Attributes to consider evaluating include (1) the vendor invoice's
quantity, description, and unique identifying numbers, such as serial
numbers (considered a critical attribute for this control), compared to
those attributes in the property control system record, (2) the date of
purchase (sale date on the cardholder's statement), compared to the date
of signed receipt, the date of cardholder notification to appropriate
property personnel, and the date of property record entry, and (3) the
property control system's description, assigned property number (e.g., bar
code number), property item unique identifying number (e.g., serial
number), and location, compared to those same attributes from a physical
inspection or independent verification that the accountable property is in
the possession of the government.

Cardholder reconciliation provides the organization with reasonable
assurance that all transactions appearing on the cardholder's billing
statement are appropriate charges for goods and services purchased for and
received by the organization. Private individuals generally review their
personal credit card statements to ensure that the purchases and amounts
included are appropriate and correct. Government purchase cardholders
should perform a substantially greater level of review. Cardholder
reconciliation is the process of the cardholder gathering, reviewing, and
providing the documentation to support that each purchase transaction
appearing on the cardholder's billing statement is an appropriate,
legitimate government purchase. The cardholder is responsible for
identifying purchase card transactions that are unauthorized or that
otherwise should not be paid by the government. The cardholder should
promptly dispute unauthorized charges appearing on the billing statement
with the bank service provider. For those charges for which the cardholder
is unable to verify independent receipt and acceptance, the auditor should
look for evidence of either a credit by the vendor or a formal dispute
filed with the bank service provider.

Tests of a statistical sample of purchase card transactions at five
related organizations disclosed numerous instances of AOs certifying bills
for payment without reviewing cardholder reconciliations or supporting
documentation.

The cardholder reconciliation and the AO review and certification for
payment may be accomplished either manually or electronically. The
electronic system may not require a signature or date and may leave little
or no audit trail of the application of control activities to billing
statements and individual transactions. The auditor should obtain, review,
and use professional judgment and skepticism in considering the value of
system-generated reports and screen prints as evidence of actual
performance, when evaluating adherence to control activities. The
attributes described in this section remain relevant to audit
considerations and evaluations regardless of whether cardholder
reconciliation is performed manually or electronically. If the available
documentation is insufficient to evidence the actual performance of a
control activity, the selected purchase card transaction should be
considered as failing that activity. In this circumstance, the auditor may
consider it necessary to extend audit procedures to the general and
application controls of the electronic data processing (EDP) system, which
is outside the scope of this guide.

   	Documentation evidencing performance of cardholder reconciliation
should be obtained and reviewed, including (1) the monthly purchase
cardholder statement in a manual system, or other bank system-generated
list of billing-period transactions in an electronic system, (2) the
vendor invoice or sales receipt, and (3) evidence of formal dispute (e.g.,
organizational standard form) of unauthorized charges appearing on the
cardholder's billing statement.

   	Attributes to consider evaluating include (1) the cardholder's
reconciliation signature, (2) the date of reconciliation, compared to
organizational requirements, the AO review, and payment certification
dates, (3) notations (e.g., tick marks, system notes) indicating that all
transactions on the statement were individually reconciled, (4) the
transaction date, amount, and vendor name on the vendor invoice, compared
to those same attributes on the cardholder's statement, and (5) the
transaction date, amount, and vendor name on formal dispute documentation,
compared to those same attributes on the cardholder's statement. The
auditor should consider following up on the appropriate resolution of
disputed items.

AO review of the cardholder's reconciliation process provides reasonable
assurance to the organization that the cardholder is timely and
appropriately performing the reconciliation and is complying with all
significant relevant controls to prevent or detect fraudulent, improper,
and abusive purchases. The review also provides a basis for the AO to
accept responsibility that the purchases are appropriate, legitimate
government purchases before the billing statement total is certified for
payment. The AO review, a critical control activity in a government
purchase card program, should include a review of the cardholder
reconciliation for timeliness and completeness and for the appropriateness
of the supporting documentation for individual transactions. In evaluating
the effectiveness of this control activity, the auditor should consider
(1) the extent of the AO's review of the supporting documentation for a
cardholder's individual transactions and (2) the extent of documentation
(e.g., tick marks, system notes) of that review. To gain a better
understanding of the extent of the AO's review of cardholder
reconciliations, the auditor may consider interviewing the AO, in addition
to reviewing documentation evidencing the review process.

As discussed in the section on cardholder reconciliation, the AO review
and certification for payment may be accomplished either manually or
electronically. The auditor should obtain, review, and use professional
judgment and skepticism in considering the value of system-generated
reports and screen prints as evidence of actual performance when
evaluating adherence to control activities. The attributes described in
this section remain relevant to audit considerations and evaluations
regardless of whether the AO review is performed manually or
electronically. If the available documentation is insufficient to evidence
the actual performance of a control activity, the selected purchase card
transaction should be considered as failing that activity. In this
circumstance, the auditor may consider it necessary to extend audit
procedures to the general and application controls of the EDP system,
which is outside the scope of this guide.

   	Documentation evidencing performance of this activity should be
obtained and reviewed, including (1) the cardholder's reconciliation
documentation, as discussed above, (2) documentation of the AO's review of
the cardholder's reconciliation, (3) the AO's account billing statement,
and (4) documentation of the AO's (or billing official's) certification
for payment of the balance on his or her account billing statement.

   	Attributes to consider evaluating include (1) the AO's review signature,
(2) the date of the AO's review compared to organizational policy
requirements, the date of the cardholder's reconciliation, and the date of
the AO's (or billing official's) certification for payment, and (3)
notations (e.g., tick marks, system notes) on cardholder's individual
purchase card transactions, evidencing the AO's review and evaluation of
the appropriateness of the transactions and the documentation supporting
the cardholder's performance of other control activities.

Section 5: Pursuing Fraudulent, Improper, and Abusive Purchases

In addition to testing internal controls, GAO's purchase card methodology
includes procedures designed specifically to identify potentially
fraudulent, improper, and abusive purchase card transactions. Designing
and conducting procedures specifically for the purpose of detecting such
transactions serves multiple purposes, including the potential discovery
of a previously unrecognized risk in the program. Additionally, top
management will likely be more receptive to recommendations for corrective
actions when a face is put on the consequences of weak control, and the
effects are illustrated by instances of fraudulent, improper, and abusive
purchases. GAO's methodology described in this guide is a two-step process
similar to the process of selecting transactions and testing controls. It
entails the pursuit of fraudulent, improper, and abusive purchases by (1)
making nonrepresentative selections of transactions or patterns of
activity in a process referred to as data mining and (2) conducting
follow-up procedures, rather than control tests, using forensic auditing
techniques on selected transactions and on cases of potentially fraudulent
purchases detected during the audit process.

DATA MINING FOR DETECTION, ILLUSTRATION, AND DISCLOSURE

Data mining is the act of searching or "mining" data to identify
transactions or patterns of activity exhibiting predetermined
characteristics, associations, or sequences and anomalies between
different pieces of information. Data mining produces leads for follow-up
by auditors and investigators; consequently, the concept of data mining,
as used in this guide, also includes performing audit procedures and
investigations as necessary to evaluate the leads. Active continual data
mining by organization management can also be used to identify and
initiate investigations of instances of potentially fraudulent, improper,
and abusive purchases, which can serve as an effective deterrent to such
transactions in the future. Data mining, when conducted in concert with
the tests of control activities, can provide additional evidence of
significant instances of noncompliance with laws and regulations, such as
those discussed in the Relevant Laws and Regulations section of this
guide, and lack of adherence to internal control policies and procedures.
In addition, it can identify previously unrecognized or underappreciated
risks in the program. Revelations from data-mining results can often
generate the upper management motivation necessary to bring about
meaningful change in policies and procedures. The results of data mining
should also be considered when evaluating the overall effectiveness of
systems of internal control over government purchase card programs.
However, since data mining is nonrepresentative, its results cannot be
projected, and conclusions should not be reached on the population of
purchase card transactions.

GAO's approach to data mining is designed to support its overall
evaluation of the effectiveness of internal control of a government
purchase card program and to provide examples of the results of weakness
in internal control. That approach generally consists of

o  identifying the population of transactions to data mine,

o  identifying criteria and designing search queries, and

o  extracting or summarizing transactions or patterns of activity from the
population for further analysis, selection, audit, and investigation.

The source of data for mining would generally be the same population as
the source used to select transactions for control tests. The same
population of transactions must be used if examples of control failures
detected by data mining are to be relevant to the population of
transactions and to the period covered by the control tests. This would
allow the results of data mining to be considered in the overall
evaluation of the effectiveness of internal control.

An experienced credit card fraud investigator will bring valuable
perspective and insight and should be involved in the process of
identifying criteria, associations, and characteristics for data mining
for fraudulent, improper, and abusive purchases. When identifying and
selecting data-mining criteria, the auditor should also consider the risks
of potentially fraudulent, improper, and abusive purchases; data-mining
criteria identified by the auditor during the preliminary assessment; and
the data-mining criteria discussed in the following examples.

The following examples of data-mining queries, summaries, and extractions
are appropriate to support an evaluation of the internal control of a
government purchase card program as contemplated in this guide, and are
intended to be used to identify and extract potentially fraudulent,
improper, and abusive purchases from a transaction database.

Data mining of purchase card transactions at five related organizations
disclosed numerous purchases of items for personal use, including digital
cameras, computers, clothing, and food.

A recent GAO audit disclosed a purchase card transaction with a prohibited
escort service vendor. The bank service provider had accepted the
transaction despite the blocked vendor MCC.

GAO testified that approximately $12,000 in potentially fraudulent
cardholder purchases, including an Amana range, Compaq computers, gift
certificates, groceries, and clothes, occurred primarily from December 20
through December 26, 1999.

o  Questionable vendors are those vendors that sell goods or services
that generally do not meet legitimate government needs, or are restricted
or prohibited by law, regulation, or policy. Recent GAO audits of purchase
card programs have identified potentially fraudulent, improper, and
abusive purchases of goods and services from vendors such as restaurants,
grocery stores, casinos, clothing or luggage stores, home furnishing
stores, personal electronic stores, businesses providing pornographic or
sexually oriented goods or services (e.g., escort services), automobile
dealers, and gasoline service stations. The understanding gained of the
organization's mission and operations, in accordance with a previous
section of this guide, should provide the auditor with the insight
necessary to make preliminary identification of vendors selling goods and
services that likely do not meet legitimate government needs. The
following are examples of ways to identify, extract, and select purchases
from these vendors.

   	By name: Questionable vendors, which can be expected to sell unneeded or
prohibited goods or services, can be identified by name. This can be
accomplished by manually reviewing a comprehensive list of vendor names
extracted and sorted alphabetically from the population database. The
selection process can be greatly enhanced by including selected summarized
data by vendor name (e.g., number of transactions, dollars of purchases,
number of cardholders making purchases). For example, because of the goods
and services provided by vendors specializing in toys, stylish personal
calendar/planners, and consumer electronics, purchases from them generally
have a high likelihood of being potentially fraudulent, improper, or
abusive.

   	By MCC: Questionable vendors can be identified by using MCCs--standard
codes that the credit card industry maintains to categorize
merchants--assigned to vendors that may sell personal or prohibited goods
or services. Purchase card transactions carrying the identified codes can
then be extracted from the population database. Sorting and summarizing
the extracted transactions by vendor may further enhance the selection
processes. Organizations have the ability to block purchases from vendors
with selected MCCs at the bank service provider. Ideally, any attempt to
charge a purchase from a vendor with a blocked MCC should be automatically
rejected at the point of purchase. However, auditors should be aware that
(1) vendors may circumvent this control by providing false or misleading
information and obtaining MCCs intended to disguise the types of goods or
services they provide, and (2) bank service providers do not always reject
purchase card transactions with blocked vendor MCCs.

All transactions associated with the identified vendor names and MCCs
should initially be considered potentially fraudulent, improper, and
abusive and extracted into a questionable vendor transactions database for
further selection and follow-up.

o  	Weekend and holiday purchases, in the operations of a normal
governmental organization, could also offer a high probability of
identifying potentially fraudulent, improper, and abusive transactions.
However, using this approach to select transactions would not be effective
if the organization's operations routinely involve weekend and holiday
purchases. During the previously discussed process of gaining an
understanding of the organization's operations, the auditor should look
for and be aware of this and similar exceptions to normal operations when
designing data-mining criteria. Purchase card transactions on weekends and
holidays within the audit period should be identified and extracted into a
suspect date transactions database for further selection.

Data mining purchases at five related organizations disclosed numerous
occurrences of purchases split to circumvent the $2,500 micropurchase
threshold, including $16,000 for furniture for an approving official's
office.

An organization approved and paid 75 purchase card transactions, all close
to the micropurchase threshold, totaling $164,000, with a
telecommunications contractor. The organization could not provide
documentation of the nature of or receipt and acceptance of the services
provided. After completing follow-up, GAO referred this case for criminal
investigation.

An organization used year-end funds to purchase computers and monitors
costing $47,372. Nine months later, over half of the computers remained in
storage, raising questions of whether a legitimate need existed when
purchased.

o  Split transactions are two or more transactions that would have
normally been a single-purchase transaction, but were split to circumvent
the micropurchase threshold (generally $2,500) or other legal or internal
control single-purchase limits. For purposes of identifying sets of
potential split transactions, all purchase card transactions in the audit
period that meet the following criteria can be extracted into a potential
split transactions database for further analysis:

   	the transactions are with the same vendor, and

   	the transaction dates are on the same day, and

   	the transactions total in excess of $2,500, and

   	the transactions are by the same cardholder, or

   	the transactions are by the same activity/department. (Broadening the
selection criteria to the same activity/department considers the potential
for collusion among cardholders to circumvent single-purchase limits.)

A nonrepresentative selection of transactions can then be made from the
potential split transactions database and submitted to the follow-up
procedures described in the Follow-up and Investigation section of this
guide. For purposes of determining circumvention of single-purchase
limits, all applicable limits should be considered (e.g., micropurchase
limit, cardholder organization authorized single-purchase limit, the bank
service provider's system cardholder single-purchase limit).

o  	Transactions of unusual amounts or relationships may be fraudulent,
improper, or abusive. The auditor should review the database for the
existence of unusual purchase card transaction amounts, patterns, and
relationships. Examples of such transactions include

   	frequent amounts with the same vendor just under the micropurchase
threshold, which, for example, may indicate that a vendor is exploiting
weak controls and charging for goods or services that are not being
provided or rendered, and

   	multiple transactions for the same amount, which, for example, may
indicate intentional or unintentional duplicate billings for the same
goods or services.

Purchase card transactions in the audit period for unusual amounts or
relationships should be extracted into an unusual transactions database
for further selection.

o  	Year-end spending may include purchases for which there are not
legitimate government needs (e.g., bulk purchases of computer or
electronic equipment). All purchase card transactions that exceed an
established larger dollar value (e.g., $25,000) and occur in the last
month of the fiscal year can be extracted into a year-end transactions
database for further selection.

o  Purchase card transactions by vendor for the audit period can be
summarized to provide statistical data such as the number of cardholders
making acquisitions with a vendor, the number of transactions with a
vendor, and the dollar volume of transactions with a vendor.

A critical analysis of the resulting vendor transaction summary totals,
and their relationships, can identify opportunities for further data
mining. Vendor summary totals at the extremes of activity, both high and
low, warrant special attention. For example, a summary that shows that
only one or two cardholders made purchases from a vendor, particularly if
the dollar volume is high, may indicate a conflict of interest or
fraudulent (e.g., kickbacks), improper, or abusive transactions. High
dollar volumes of purchases may indicate a vendor with which the
government should have a discounted price agreement. A vendor having only
one transaction might indicate a questionable legitimate government need.
If these summaries are accomplished using a software audit tool, the
individual purchase card transaction detail underlying each vendor's
summary totals will usually be available, facilitating further review and
selection.

o  Cardholders and AOs considered to have suspicious activities might be
identified as the result of following up on previous data-mining
transactions, a referral to an organizational fraud hotline, previous
audit findings, or other means. Purchase card transactions for such
cardholders and AOs can be extracted into separate transaction databases
for further analysis. Follow-up and investigation of these transactions
can assist in developing cases for referral for criminal investigation and
to prosecutorial authorities.
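The split-transaction and weekend/holiday criteria in the list above can
be expressed as extraction queries. The following Python sketch is an
added example, not part of the GAO guide; the record layout, the sample
transactions, the holiday set, and the per-cardholder limit are constructed
assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

MICROPURCHASE_LIMIT = Decimal("2500")  # "generally $2,500" per the guide

# Constructed sample population:
# (txn_id, cardholder, department, vendor, transaction date, amount)
TRANSACTIONS = [
    ("T1", "CH-01", "D-10", "Acme Furniture", date(2002, 3, 5), Decimal("2400.00")),
    ("T2", "CH-01", "D-10", "Acme Furniture", date(2002, 3, 5), Decimal("2350.00")),
    ("T3", "CH-02", "D-10", "Beta Telecom", date(2002, 3, 7), Decimal("1500.00")),
    ("T4", "CH-03", "D-10", "Beta Telecom", date(2002, 3, 7), Decimal("1400.00")),
    ("T5", "CH-04", "D-20", "Gamma Supplies", date(2002, 3, 9), Decimal("300.00")),
    ("T6", "CH-04", "D-20", "Gamma Supplies", date(2002, 3, 11), Decimal("2600.00")),
    ("T7", "CH-05", "D-30", "Delta Paper", date(2002, 3, 12), Decimal("900.00")),
    ("T8", "CH-05", "D-30", "Delta Paper", date(2002, 3, 12), Decimal("800.00")),
    ("T9", "CH-02", "D-10", "Delta Paper", date(2002, 12, 25), Decimal("150.00")),
]
HOLIDAYS = {date(2002, 12, 25)}  # constructed; use the organization's calendar


def _lead(scope, key, vendor, when, limit, group):
    """Describe one set of transactions selected for follow-up."""
    return {
        "scope": scope, "key": key, "vendor": vendor, "date": when,
        "limit": limit, "total": sum(t[5] for t in group),
        "txn_ids": sorted(t[0] for t in group),
    }


def potential_splits(transactions, limit=MICROPURCHASE_LIMIT,
                     cardholder_limits=None):
    """Extract same-vendor, same-day sets whose total exceeds the limit.

    cardholder_limits maps a cardholder to a lower authorized
    single-purchase limit (an assumption of this example), so that limit
    is tested as well as the micropurchase threshold.
    """
    cardholder_limits = cardholder_limits or {}
    by_cardholder, by_department = defaultdict(list), defaultdict(list)
    for txn in transactions:
        _, cardholder, department, vendor, when, _ = txn
        by_cardholder[(cardholder, vendor, when)].append(txn)
        by_department[(department, vendor, when)].append(txn)

    leads = []
    for (cardholder, vendor, when), group in by_cardholder.items():
        applicable = min(limit, cardholder_limits.get(cardholder, limit))
        # A single transaction over the limit is not a split.
        if len(group) >= 2 and sum(t[5] for t in group) > applicable:
            leads.append(
                _lead("cardholder", cardholder, vendor, when, applicable, group))
    for (department, vendor, when), group in by_department.items():
        # Report the broader department grouping only when more than one
        # cardholder is involved; otherwise it repeats a cardholder lead.
        holders = {t[1] for t in group}
        if len(holders) >= 2 and sum(t[5] for t in group) > limit:
            leads.append(
                _lead("department", department, vendor, when, limit, group))
    return sorted(leads, key=lambda l: (l["date"], l["scope"], l["key"]))


def suspect_dates(transactions, holidays=frozenset()):
    """Return ids of transactions dated on a weekend or a listed holiday."""
    return [t[0] for t in transactions
            if t[4].weekday() >= 5 or t[4] in holidays]


if __name__ == "__main__":
    limits = {"CH-05": Decimal("1500")}  # constructed cardholder limit
    for lead in potential_splits(TRANSACTIONS, cardholder_limits=limits):
        print(lead["scope"], lead["key"], lead["vendor"], lead["date"],
              lead["total"], lead["txn_ids"])
    print("weekend/holiday:", suspect_dates(TRANSACTIONS, HOLIDAYS))
```

The output is a set of leads only; each still requires the follow-up
procedures the guide describes before anything can be reported or referred.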

Since the data being mined are usually contained in a database of
individual purchase card transactions, a software audit tool that
facilitates summaries, comparisons, and extractions of transactions and
data elements selected for follow-up is recommended. Several
over-the-counter audit tools of this type are available. Using
professional judgment and considering the understandings gained and the
results of the preliminary assessment, the auditor should select
transaction leads provided by data mining and submit them to the
procedures described in the Follow-up and Investigation section of this
guide. Unless adequate follow-up procedures are accomplished, the auditor
will not have sufficient support to either report or refer the findings.
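The vendor summary and the unusual-amount patterns described above (amounts
frequently just under the micropurchase threshold, repeated amounts) can be
computed in one pass over the transaction database. This Python sketch is
an added example, not part of the GAO guide or of any audit tool; the
sample data and the cutoffs ($10,000 for high volume, within 5 percent of
the threshold, three or more occurrences) are constructed assumptions, and
repeated amounts are compared within one vendor only.

```python
from collections import Counter, defaultdict
from decimal import Decimal

MICROPURCHASE_LIMIT = Decimal("2500")  # "generally $2,500" per the guide

# Constructed sample population: (cardholder, vendor, amount)
TRANSACTIONS = [
    ("CH-02", "Beta Telecom", Decimal("2450.00")),
    ("CH-02", "Beta Telecom", Decimal("2475.00")),
    ("CH-02", "Beta Telecom", Decimal("2490.00")),
    ("CH-02", "Beta Telecom", Decimal("2450.00")),
    ("CH-02", "Beta Telecom", Decimal("2480.00")),
    ("CH-01", "Omega Office Supply", Decimal("2000.00")),
    ("CH-03", "Omega Office Supply", Decimal("2200.00")),
    ("CH-04", "Omega Office Supply", Decimal("1900.00")),
    ("CH-05", "Omega Office Supply", Decimal("2100.00")),
    ("CH-01", "Omega Office Supply", Decimal("2300.00")),
    ("CH-05", "Sigma Toys", Decimal("180.00")),
    ("CH-01", "Delta Paper", Decimal("120.50")),
    ("CH-03", "Delta Paper", Decimal("88.10")),
    ("CH-01", "Delta Paper", Decimal("240.00")),
]


def vendor_summary(transactions):
    """Per vendor: cardholder count, transaction count, dollar volume."""
    grouped = defaultdict(list)
    for cardholder, vendor, amount in transactions:
        grouped[vendor].append((cardholder, amount))
    return {
        vendor: {
            "cardholders": len({c for c, _ in rows}),
            "transactions": len(rows),
            "volume": sum(a for _, a in rows),
            "amounts": [a for _, a in rows],  # detail kept for follow-up
        }
        for vendor, rows in grouped.items()
    }


def vendor_flags(summary, limit=MICROPURCHASE_LIMIT,
                 high_volume=Decimal("10000"),
                 near_fraction=Decimal("0.95"), near_count=3):
    """Map each vendor to the reasons it merits a closer look (may be empty)."""
    floor = limit * near_fraction
    flags = {}
    for vendor, s in summary.items():
        reasons = []
        if s["volume"] >= high_volume:
            # High volume from only one or two cardholders is the
            # conflict-of-interest pattern; otherwise it is a candidate
            # for a discounted price agreement.
            reasons.append("concentrated_high_volume"
                           if s["cardholders"] <= 2 else "high_volume")
        if s["transactions"] == 1:
            reasons.append("single_transaction")
        near = sum(1 for a in s["amounts"] if floor <= a < limit)
        if near >= near_count:
            reasons.append("frequent_near_threshold")
        if any(n >= 2 for n in Counter(s["amounts"]).values()):
            reasons.append("repeated_amount")
        flags[vendor] = reasons
    return flags


if __name__ == "__main__":
    summary = vendor_summary(TRANSACTIONS)
    for vendor, reasons in vendor_flags(summary).items():
        s = summary[vendor]
        print(vendor, s["cardholders"], s["transactions"], s["volume"], reasons)
```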

                          FOLLOW-UP AND INVESTIGATION

The concept of follow-up, as used in this guide, contemplates an extension
of audit procedures and documentation beyond those generally necessary to
test for adherence to internal control policies or performance of control
activities. GAO's approach to the follow-up process assesses purchase card
transactions in three incremental stages: (1) an initial evaluation of the
cardholder documentation supporting selected data-mined transactions for
the purpose of discerning potentially fraudulent, improper, and abusive
transactions, (2) conduct of follow-up procedures discussed in this
section on those transactions, and (3) referral of any instance of likely
fraud to the appropriate criminal investigative personnel.

Follow-up: The conduct of follow-up procedures utilizes forensic auditing
techniques.

Because of the characteristics of fraudulent, improper, and abusive
purchases, professional skepticism--an attitude that includes a
questioning mind and a critical assessment of audit evidence--is
especially important when following up on these purchase card
transactions.

In the context of this guide, forensic auditing (follow-up) contemplates
increased scrutiny and documentation by the auditor of the facts and
circumstances (including judgments made and actions taken by individuals
party to the transaction) surrounding potentially fraudulent, improper,
and abusive transactions. In the instance of fraudulent purchase card
transactions, the follow-up process is designed to support a subsequent
criminal investigation.

The auditor should consider consulting with the appropriate fraud
investigative staff when determining the appropriate follow-up procedures
for potentially fraudulent transactions or cases detected through control
tests or data mining. An experienced purchase card fraud investigator can
bring valuable perspectives and insight to the follow-up process.
Investigators may have procedures and protocols that establish boundaries
designed to preserve a successful investigation and prosecution of fraud,
within which the auditor's follow-up and referral procedures should be
constrained (e.g., cautions against contacting and inadvertently alerting
the vendor suspected of fraud).

To begin the follow-up process for transactions selected by data mining or
other means, the auditor should obtain and review transaction
documentation similar to that obtained and reviewed in the tests of
transaction control activities (e.g., determination of legitimate
government need, vendor invoice, independent receipt and acceptance,
accountable property record, the cardholder billing statement). This
documentation should be analyzed to determine whether it supports a
preliminary conclusion of (1) an appropriate government transaction that
meets a legitimate government need or (2) a potentially fraudulent,
improper, or abusive transaction.

Detected or selected potentially fraudulent transactions should always be
submitted to follow-up procedures. However, the auditor should use
professional judgment and consider the results of cardholder documentation
review; the overall objectives of pursuing fraudulent, improper, and
abusive purchases; and the overall objectives of the audit in making a
decision to perform follow-up procedures for transactions detected during
tests for performance of control activities and for the transactions
selected in the data-mining process.

Professional judgment, input from qualified fraud investigators, and an
elevated level of professional skepticism should be exercised when
conducting follow-up procedures and evaluating (1) justifications offered
for lack of adherence to policies and performance of control activities,
(2) additional supporting documentation provided, and (3) unsupported
representations made in interviews with program and organization
personnel.

Fraud investigators provided relevant reports and information to GAO
auditors during follow-up on potentially fraudulent purchase card
transactions.

The following are examples of follow-up procedures and are not a complete
list of possible procedures.

o  Request additional documentation to (1) support adherence to internal
control policies or performance of control activities (e.g., legitimate
government need, independent receipt and acceptance, exception to
prohibited item purchases), (2) provide missing relevant details of the
transactions, (3) support authorization for an otherwise improper
purchase, or (4) document other issues significant or useful to the
process.

o  Interview the cardholder for explanation, clarification, and other
additional information concerning the transaction and corroboration of
verbal representations made by others.

o  Interview the AO for explanation, clarification, and other additional
information concerning the transaction and corroboration of verbal
representations made by others.

o  Interview other organization personnel who may have been identified as
parties with corroborating or clarifying knowledge of the facts and
circumstances of the transaction (e.g., supervisors and coworkers).

o  Contact the vendor for clarification of the specifics of the
transaction (e.g., quantities, dates, time, description of goods or
services provided). Request copies of supporting documentation from the
vendor, especially when the cardholder's supporting documentation is
missing.

o  Fraud investigative staff assisting in the follow-up, or gathering
evidence to make and prove specific allegations of wrongdoing, may be able
to provide other items (e.g., credit reports, criminal records) that can
provide additional insight to the follow-up process.

All interviews conducted as part of the follow-up process should be
documented in the audit work papers. At the conclusion of the follow-up
process, the auditor should summarize the facts, findings, and resolution
or disposition of the potentially fraudulent, improper, and abusive item
in a memorandum for inclusion in the work paper file. If at any time
during the follow-up process the auditor's professional judgment is that a
transaction is likely fraudulent, referral of the transaction to the
appropriate fraud investigative staff (e.g., inspectors general, military
service fraud investigation offices) should be immediately considered.

Referral for Investigation

Referral of a likely fraudulent government purchase card transaction or
case should be made to the appropriate federal criminal investigative
body. We made such referrals to GAO's Office of Special Investigations,
whose investigators have substantial experience in credit card fraud. The
referral should be accomplished in a written communication. That
communication would generally include, but not be limited to, the
following information:

o  the date of the communication,

o  the name of the referring organization,

o  the name and telephone number of the referring contact,

o  the organization and program under audit,

o  a description of the potentially fraudulent transaction or case (e.g.,
goods or services purchased, amounts paid, impropriety of the
transaction),

o  the reason(s) for concluding the transaction to be potentially
fraudulent,

o  the names and positions of the individuals involved (e.g., John Doe -
cardholder, Jane Doe - vendor),

o  the date(s) of the purchase transaction,

o  a description of the indicators alerting the auditor to the
potentially fraudulent transaction (e.g., altered supporting
documentation, personnel interview, or record discrepancies), and

o  a statement as to whether the relevant documents (copies or originals)
are attached or are available (e.g., cardholder billing statement, vendor
invoice(s), follow-up interview(s)).

                                   Appendixes


APPENDIX I - SELECTED RELEVANT GAO REPORTS AND TESTIMONIES

Department of Education and Department of Housing and Urban Development

Financial Management: Strategies to Address Improper Payments at HUD,
Education, and Other Federal Agencies. GAO-03-167T. Washington, D.C.:
October 3, 2002.

Education Financial Management: Weak Internal Controls Led to Instances of
Fraud and Other Improper Payments. GAO-02-406. Washington, D.C.: March
2002.

Financial Management: Poor Internal Control Exposes Department of
Education to Improper Payments. GAO-01-997T. Washington, D.C.: July 24,
2001.

Department of Defense - Army

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste,
and Abuse. GAO-02-844T. Washington, D.C.: July 17, 2002.

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste,
and Abuse. GAO-02-732. Washington, D.C.: June 2002.

Department of Defense - Air Force

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to
Fraud, Waste, and Abuse. GAO-03-292. Washington, D.C.: December 2002.

Department of Defense - Navy

Purchase Cards: Navy Vulnerable to Fraud and Abuse but Is Taking Action to
Resolve Control Weaknesses. GAO-03-154T. Washington, D.C.: October 8,
2002.

Purchase Cards: Navy Is Vulnerable to Fraud and Abuse but Is Taking Action
to Resolve Control Weaknesses. GAO-02-1041. Washington, D.C.: September
27, 2002.

Purchase Cards: Continued Control Weaknesses Leave Two Navy Units
Vulnerable to Fraud and Abuse. GAO-02-506T. Washington, D.C.: March 13,
2002.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to
Fraud and Abuse. GAO-02-32. Washington, D.C.: November 2001.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to
Fraud and Abuse. GAO-01-995T. Washington, D.C.: July 30, 2001.


APPENDIX II - SELECTED RELEVANT LAWS AND REGULATIONS

This appendix contains some of the laws and regulations and guidance that
are applicable governmentwide to the federal government purchase card
program. Additional laws and regulations and other agency- or
organization-specific guidance may apply as well.

Establishment and Operation of the Purchase Card Program

GSA SmartPay(R) Master Contract
Treasury Financial Manual, vol. I, part 4-4500, "Government Purchase Cards"
41 U.S.C. § 426 Use of Electronic Commerce in Federal Procurement
48 C.F.R. § 13.301(b) Governmentwide Commercial Purchase Card
31 U.S.C. §§ 3901-3907 Prompt Payment Act
5 C.F.R. part 1315, Prompt Payment

Procurement Methods and Standards

41 U.S.C. § 253 Competition Requirements
41 U.S.C. § 403(11) Definitions
41 U.S.C. § 427 Simplified Acquisition Procedures
41 U.S.C. § 428 Procedures Applicable to Purchases Below Micropurchase Threshold
41 U.S.C. § 429 List of Laws Inapplicable to Contracts Not Greater Than the Simplified Acquisition Threshold in Federal Acquisition Regulation
48 C.F.R. § 1.603-3(b) Appointment
48 C.F.R. part 2.101, Definitions
48 C.F.R. part 8, Required Sources of Supplies and Services
48 C.F.R. part 13, Simplified Acquisition Procedures

Purposes for Which an Organization's Appropriations May Be Used

31 U.S.C. § 1301(a) "Purpose Statute"
U.S. General Accounting Office, Principles of Federal Appropriations Law, vol. I, c. 4 (2d ed. 1991)
Bona Fide Needs Rule, See, e.g., 68 Comp. Gen. 170, 171 (1989); 58 Comp. Gen. 471, 473 (1979); 54 Comp. Gen. 962, 966 (1975)
3 Comp. Gen. 433 (1924) Comptroller General McCarl to the Secretary of War
B-288266 (Jan. 27, 2003) Use of Appropriated Funds to Purchase Light Refreshments at Conferences
72 Comp. Gen. 178 (1993) Matter of: Corps of Engineers - Use of Appropriated Funds to Pay for Meals
65 Comp. Gen. 738 (1986) Matter of: Refreshments at Awards Ceremony
64 Comp. Gen. 406 (1985) Matter of: Randall R. Pope and James L. Ryan - Meals at Headquarters Incident to Meetings
B-289683 (Oct. 7, 2002) Matter of: Purchase of Cold Weather Clothing, Rock Island District, U.S. Army Corps of Engineers
63 Comp. Gen. 245 (1984) Matter of: Purchase of Down-Filled Parkas


APPENDIX III - EXAMPLE PURCHASE TRANSACTION FLOW CHART AND NARRATIVE
(REQUEST THROUGH PAYMENT)

                   Navy Purchase Card Process, September 2001

                              Source: GAO-02-1041


Approving Official

If internal controls are operating effectively, the approving official is
responsible for ensuring that all purchases made by the cardholders within
his or her cognizance are appropriate and that the charges are accurate.
The approving official is supposed to resolve all questionable purchases
with the cardholder before certifying the bill for payment. In the event
an unauthorized purchase is detected, the approving official is to notify
the agency program coordinator and other appropriate personnel within the
command in accordance with the command procedures. After reviewing the
monthly statement, the approving official is to certify the monthly
invoice and send it to the Defense Finance and Accounting Service (DFAS)
for payment.

Cardholders

A purchase cardholder is a Navy employee who has been issued a purchase
card. The purchase card bears the cardholder's name and the account number
that has been assigned to the individual. The cardholder is expected to
safeguard the purchase card as if it were cash.

Designation of Cardholders

When a supervisor requests that a staff member receive a purchase card,
the agency program coordinator is to first provide training on purchase
card policies and procedures and then establish a credit limit and issue a
purchase card to the staff member.

Ordering Goods and Services

Purchase cardholders are delegated limited contracting officer ordering
responsibilities. As limited contracting officers, purchase cardholders do
not negotiate or manage contracts. Rather, cardholders use purchase cards
to order goods and services for their units and their customers.
Cardholders may pick up items ordered directly from the vendor or request
that items be shipped directly to an end user (requesters). Upon receipt
of purchased items, the cardholder is to record the transaction in his or
her purchase log and obtain documented independent confirmation from the
end user, the supervisor, or another individual that the items have been
received and accepted by the government. The cardholder is also to notify
the property book officer of accountable items received so that these
items can be recorded in the accountable property records.

Payment Processing

The purchase card payment process begins with receipt of the monthly
purchase card billing statements. The Department of Defense is required by
10 U.S.C. § 2784 to issue regulations that ensure that purchase
cardholders and each official with authority to authorize expenditures
charged to purchase cards reconcile charges with receipts and other
supporting documentation before paying the monthly purchase card
statement. Naval Supply Systems Command Instruction 4200.94 states that
upon receipt of the individual cardholder statement, the cardholder has 5
days to reconcile the transactions appearing on the statement by verifying
their accuracy to documentation supporting the transactions and to notify
the approving official in writing of any discrepancies in the statement.

In addition, under NAVSUP Instruction 4200.94, before the credit card bill
is paid, the approving official is responsible for (1) ensuring that all
purchases made by the cardholders within his or her cognizance are
appropriate and that the charges are accurate and (2) timely certifying
the monthly summary statement for payment by DFAS. The instruction further
states that within 5 days of receipt, the approving official must review
and certify for payment the monthly billing statement, which is a summary
invoice of all transactions of cardholders
under the approving official's purview.

The approving official is instructed to presume that all transactions on
the monthly statements are proper unless notified in writing by the
cardholder to the contrary. However, the presumption does not relieve the
approving official from reviewing the statements for blatantly improper
purchase card transactions and taking the appropriate action before
certifying the invoice for payment. In addition, the approving official is
responsible for forwarding disputed charge forms for submission to
Citibank for credit. Under the Navy's task order, Citibank allows the Navy
up to 60 days after the statement date to dispute invalid transactions and
request a credit.

Upon receipt of the certified monthly purchase card summary statement, a
DFAS vendor payment clerk is to (1) review the statement and supporting
documents to confirm that the prompt-payment certification form has been
properly completed and (2) subject it to automated and manual validations.
DFAS effectively serves as a payment processing service and relies on the
approving-official certification of the monthly bill as support to make
the payment. The DFAS vendor payment system then batches all of the
certified purchase card payments for that day and generates a tape for a
single payment to Citibank by electronic funds transfer.


         APPENDIX IV - EXAMPLE PURCHASE CARD PROGRAM ORGANIZATION CHART

Navy Purchase Card Program Management Structure, September 2001

        Source: GAO analysis of Navy purchase card program organization.


                       APPENDIX V - EXAMPLE AUDIT PROGRAM

     Government Purchase Card Program Example Internal Control Performance
                                 Audit Program
                                Program Overview
This is an example audit program only and should be tailored to meet the
requirements of the individual organization's purchase card program. The
approaches, methodologies, and concepts applied in this example, and the
accompanying audit guide, are appropriate for use by management oversight
personnel as well as internal and external auditors. To facilitate ongoing
internal control monitoring efforts by management, sections C and D can be
performed independently of each other, and section D can be applied on a
continuous basis.
A    Gain Necessary Understandings
A1   Understand the risk of fraudulent, improper, and abusive purchases
A2   Understand internal control
A3   Understand the relevant laws and regulations
A4   Understand the organization and purchase card program operations
A5   Understand and assess key elements of the control environment

B    Preliminarily Assess the Adequacy of Designed Control Activities
B1   Identify risks and control activities, and assess the adequacy of
     designed control activities
B2   Determine the effects of the assessment on the design of performance
     tests and the identification of potential data-mining criteria

C    Test Adherence to Policies and Performance of Control Activities
C1   Obtain transaction data for transaction-level testing
C2   Select purchase card transactions
C3   Obtain data evidencing performance of control activities
C4   Test key control activities

D    Pursue Fraudulent, Improper, and Abusive Purchases
D1   Data mine to identify potentially fraudulent, improper, and abusive
     purchase card transactions
D2   Follow-up on selected purchase card transactions and refer likely
     fraud for investigation


     Government Purchase Card Program Example Internal Control Performance
                             Audit Program Page of
Sec  #            Audit Steps                                 Work Paper  Initial/Date
                                                              Reference   Completed

     2.2 2.3 2.4  span of control and financial exposure.
                  Document for inclusion in the work papers
                  the results of the evaluation process and
                  the preliminary conclusions of the effect
                  of these elements of the control
                  environment on the effectiveness of
                  internal control.

     3.0 3.1 3.2  Obtain data from the organization necessary
                  to perform tests of controls for the
                  following key elements of the control
                  environment (see step C3-1.4). Data should
                  be obtained for each cardholder and
                  approving official on transactions selected
                  for control activity testing. Test the
                  following key elements of the control
                  environment in conjunction with tests of
                  transaction-level control activities (see
                  step C4-2.0): training, discipline, and
                  purchasing and reviewing authorities.
                  Document for inclusion in the work papers
                  the results of the evaluation process and
                  the preliminary conclusions of the effects
                  of these elements of the control
                  environment on internal control.

     4.0          Upon completion of testing of all the key
                  elements of the control environment,
                  prepare a summary memorandum for inclusion
                  in the work papers on the auditor's
                  conclusion of the overall effect of tone at
                  the top, span of control, financial
                  exposure, training, discipline, and
                  purchasing and reviewing authorities on the
                  control environment, and on the overall
                  effectiveness of internal control.

Sec  #    Audit Steps                                         Work Paper  Initial/Date
                                                              Reference   Completed

B         Preliminarily Assess the Adequacy of Designed
          Control Activities

B1        Identify risks and related designed control
          activities, and assess the adequacy of those
          activities

     1.0  Identify and list the significant
          risk/opportunities of fraudulent, improper, and
          abusive transactions in the organization's
          purchase card program. Such risks can be control
          environment related (e.g., span of control,
          training), purchase transaction related (e.g., no
          legitimate government need, inadequate approving
          official review), or related to other significant
          areas (e.g., monitoring).

     2.0  Identify the internal control policies and
          procedures (control activities) designed to
          prevent or promptly detect each above significant
          risk/opportunity.

     3.0  For each significant risk/opportunity identified,
          preliminarily assess, as strong, weak, or
          ineffective (including nonexistent), the likely
          effectiveness of the related designed control
          activities (if in place and operating) to provide
          management with reasonable assurance that
          significant fraudulent, improper, and abusive
          purchase card transactions will be prevented or
          promptly detected.

B2        Determine the effects of the assessment on the
          design of performance tests and the
          identification of potential data-mining criteria

     1.0  For each above risk/opportunity control activity
          relationship evaluated, determine its effect on
          the design of audit tests for adherence to
          policies and performance of control activity.

     2.0  For each above risk/opportunity control activity
          relationship evaluated, consider potential
          criteria for data mining identified, if any.

     3.0  Consider documenting for the audit work papers
          the identification of each risk/opportunity, the
          related control activities, the preliminary
          assessment of effectiveness, the effects of the
          assessment on the design of tests for adherence
          to control policies and performance of control
          activities, and the identification of potential
          data-mining criteria.

Sec  #                    Audit Steps                         Work Paper  Initial/Date
                                                              Reference   Completed

C3                        Obtain data for testing
                          performance of control activities

     1.0 1.1 1.2 1.3 1.4  Coordinate with the organization's purchase card
                          program management and obtain access to program
                          personnel and original documentation evidencing
                          performance of transaction-level and related
                          control activities for each selected transaction.
                          The following are examples of such personnel and
                          documents.

                          Personnel include: cardholders for selected
                          transactions, approving officials for selected
                          transactions, agency/organization purchase card
                          program coordinator, and operations supervisory
                          personnel as needed.

                          Documents directly related and relevant to
                          selected individual purchase card transactions
                          include: cardholder monthly billing statement;
                          approving official monthly billing statement;
                          cardholder log (or equivalent) of purchases made;
                          prepurchase request, approval, authorization, or
                          other determination of a legitimate government
                          need; evidence of screening for required/statutory
                          vendors; waiver on required sources of supply, if
                          applicable; evidence of bid solicitations and
                          receipt, if applicable; vendor invoice or receipt
                          for goods or services; packing slip; evidence of
                          independent receipt and acceptance; bank
                          dispute/affidavit forms, if transaction disputed;
                          cardholder reconciliation and certification of
                          bill; and approving official review and
                          certification for payment.

                          Additional documents relevant to purchases of
                          accountable property include: cardholder
                          notification to property book, and property book
                          record.

                          Control environment documents evidencing adherence
                          and performance of key elements include (see step
                          A5 3.0): cardholder purchase and credit limits
                          authorization, approving official review
                          responsibilities and authorized limits, cardholder
                          training certificates/records, approving official
                          training certificates/records, cardholder account
                          closure/final bill, if account is closed, and
                          disciplinary actions taken against cardholder or
                          approving official in the last
                          _____________________________________.

Sec    #                 Audit Steps              Work Paper   Initial /
                                                   Reference    Date Completed
       3.2      Document for inclusion in the work
                papers the results of follow-up and
                referrals to facilitate summary of
                the number of transactions
                considered fraudulent, improper, or
                abusive, and the dollar value of
                those transactions consistent with
                the design of the sampling plan
                (e.g., by each stratum).

                Analyzing and documenting sample results

       4.0-4.3  Project the results of the sample
                transactions tests to the population
                in accordance with the sampling
                plan. If statistical sampling was
                used, provide the sample test
                results to the statistician for
                projection to the population, and
                stratum if appropriate. Obtain a
                written memorandum from the
                statistician of the statistical
                results of the projection(s) in
                accordance with the sampling plan,
                recapping the population and the
                sampling plan used, the control
                tests performed by the auditor, the
                statistical estimates (e.g.,
                attribute pass/fail, dollar values)
                by stratum if appropriate, and the
                associated confidence intervals.
                Prepare a summary memorandum, for
                inclusion in the work papers, that
                incorporates the sample test results
                and the statistician's report,
                recaps the rules used to assess the
                effectiveness of controls, and
                documents the auditor's conclusions
                about the effectiveness of
                individual control activities.
                Consider the results of
                transaction-level and other control
                tests, and the results of data
                mining and follow-up of potentially
                fraudulent, improper, and abusive
                transactions, and prepare a
                memorandum for inclusion in the work
                papers documenting the
                considerations made and conclusions
                reached by the auditor on the
                overall effectiveness of the design
                and performance of internal control
                designed to prevent and detect
                potentially fraudulent, improper,
                and abusive purchase card
                transactions.

     Government Purchase Card Program Example Internal Control Performance
                             Audit Program Page of
Sec   #                Audit Steps               Work Paper Initial / Date 
                                                    Reference     Completed   
            statement, vendor invoice(s), follow-up            
            interview(s)). Retain a copy of all                
            referral communications and attachments            
            for the audit work papers. Request                 
        6.1 memorandums of investigations at the               
            end of the audit period detailing the              
            conduct, progress, and status of all               
            such referred purchase card                        
            transactions.                                      

APPENDIX VI - GUIDELINES FOR INITIATING AN INVESTIGATION OF PURCHASE CARD
FRAUD

For purchase card transactions that have been identified as potentially
fraudulent, the investigator should review information provided as part of
the follow-up and referral process and, to the extent necessary, take the
following actions:

o  Obtain from the organization, auditor, or manager the names of
cardholder(s) for accounts involved with the transaction(s).

o  Obtain account histories from the bankcard service provider for
specific accounts to identify any patterns of similar or other
questionable transactions and the vendors involved with those
transactions.

o  Identify the organization's approval process and determine who
requested the goods or services purchased, approved the transactions, and
signed off on the monthly statement indicating that he or she had reviewed
the transactions.

o  Obtain from the organization, auditor, or manager documentation
related to the transaction(s), such as invoices, shipping receipts, and
any contact telephone numbers.

o  Determine the organization's policies for accountability for pilferable
and other property.

o  Interview the individuals involved with requesting the goods or
services and the individuals who reviewed the monthly bank statements to
determine whether each (1) was aware of the transaction(s) and (2) knew
whether the cardholder filed a dispute form concerning the transactions.

o  Interview the cardholder to determine who made the purchases, the
purpose of the purchases, and whether he or she disputed the transactions.

o  Interview the vendor(s) from which questionable transactions were made
and obtain any documentation relating to the transactions, including
detailed descriptions of items purchased, serial numbers, or specific
services provided; determine where property was delivered or where the
services were provided; determine whether the vendor records the telephone
number from which the order for goods or services was made; and determine
whether the vendor maintains a database of purchase card numbers and
whether this database has been compromised.

o  Interview organization officials responsible for maintaining property
inventory and determine whether the items purchased were included in
inventory and how property delivered to the organization is accounted for.


APPENDIX VII - GAO CONTACT AND STAFF ACKNOWLEDGMENTS

GAO Contact

Stephen Wm. Lipscomb, (303) 572-7328

Staff Acknowledgments

In addition to the person named above, David Childress, Francine
DelVecchio, Don Fulwider, Charles R. Hodge, Jeffrey Jacobson, Jason Kelly,
Julia Matta, John Ryan, and Sidney Schwartz made important contributions
to this guide.
